phantom-frida

Phantom-Frida Builder

Automate the complete workflow of building anti-detection Frida servers using phantom-frida.

Purpose

Phantom-frida is a tool that builds modified Frida servers with anti-detection capabilities. It applies ~90 patches covering 16 detection vectors, including string obfuscation, thread name randomization, SELinux label modification, and binary-level string cleaning. This skill automates the entire build process from repository cloning to producing deployment-ready binaries.

When to Use

Use this skill when the user needs to:

  • Build a Frida server that evades common detection mechanisms
  • Compile phantom-frida with custom or randomized configuration
  • Create stealth instrumentation tools for reverse engineering
  • Generate anti-detection Frida binaries for Android

Workflow

1. Environment Preparation

Check and install required dependencies:

python3 --version  # Requires Python 3.10+
git --version
curl --version
unzip -v
make --version

If any dependencies are missing, install them:

# Debian/Ubuntu
sudo apt-get update && sudo apt-get install -y python3 git curl unzip make

# Other systems - adapt as needed

Check available disk space (requires ~20GB):

df -h /path/to/working/directory

2. Clone Repository

Clone the phantom-frida repository to a clean working directory:

git clone https://github.com/TheQmaks/phantom-frida.git
cd phantom-frida

3. Generate Random Configuration

Generate a randomized name and port to maximize stealth:

# Generate random name using namegen.py
RANDOM_NAME=$(python3 namegen.py)

# Generate random port (20000-65000 range)
RANDOM_PORT=$(shuf -i 20000-65000 -n 1)

echo "Configuration: name=$RANDOM_NAME, port=$RANDOM_PORT"

4. Execute Build

Run the build script with extended anti-detection enabled:

python3 build.py \
  --version <latest-version> \
  --name "$RANDOM_NAME" \
  --port "$RANDOM_PORT" \
  --extended \
  --arch android-arm64

Build parameters:

  • --version: Frida version to build (check GitHub releases for latest)
  • --name: Custom name to replace "frida" (randomized for stealth)
  • --port: Custom listening port (randomized to avoid default 27042)
  • --extended: Enable extended anti-detection (binary string cleaning)
  • --arch: Target architecture (default: android-arm64)

Run the build in the background for long compilation times (~20-35 minutes):

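# nohup plus a trailing & keeps the build running in the background; output goes to build.log
nohup python3 build.py --version <version> --name "$RANDOM_NAME" --port "$RANDOM_PORT" --extended > build.log 2>&1 &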

5. Verify Build Output

After compilation completes, verify the output files:

ls -lh output/

Expected artifacts:

  • <name>-server-<version>-android-arm64 - Frida server binary
  • <name>-server-<version>-android-arm64.gz - Compressed server
  • <name>-gadget-<version>-android-arm64.so - Gadget library
  • <name>-gadget-<version>-android-arm64.so.gz - Compressed gadget

6. Provide Deployment Instructions

Generate deployment commands for the user:

# Deployment commands
adb push output/<name>-server-<version>-android-arm64 /data/local/tmp/<name>-server
adb shell chmod 755 /data/local/tmp/<name>-server
adb shell /data/local/tmp/<name>-server &

# Connection command
frida -H 127.0.0.1:<port> -f <package>

Build Process Details

Phantom-frida applies patches in 4 phases:

Phase 1 - Global Source Patches:

  • Replace all "frida" strings with custom name
  • Rename frida-agent, frida-helper, frida-server
  • Modify package names (re.frida.* → re.<name>.*)

Phase 2 - Targeted File Patches:

  • Change memfd name to 'jit-cache'
  • Disable certain libc hooks
  • Modify SELinux labels (frida_file → <name>_file)

Phase 3 - Build:

  • Configure with Meson build system
  • Compile with Clang (Android NDK)
  • Generate server and gadget binaries

Phase 4 - Binary Patches:

  • Replace thread names (gmain→amain, gdbus→gdbug, pool-spawner→pool-spoiler)
  • Extended mode: Clean residual "frida" strings in binaries
    • Server: ~14 residual strings
    • Agent: ~162 residual strings
    • Gadget: ~156 residual strings

Extended Anti-Detection

The --extended flag enables additional binary-level string cleaning:

  • Scans compiled binaries for residual "frida", "Frida", "FRIDA" strings
  • Replaces with innocuous alternatives ("libgc", "Xbndl", "XBNDL")
  • Skips protected regions (DEX bytecode) to avoid corruption
  • Provides deeper obfuscation against string-scanning detection
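
The Phase 4 thread renames and the extended-mode replacement strings listed above are fixed values, so they are detectable in their own right. The following is an added example (not part of phantom-frida or the original skill) of a detection check over captured /proc data and a binary image; the function names, scoring weights and sample data are constructed for illustration, and treating jit-cache as a weak signal is an assumption.

```python
import re

# Fixed replacement values listed on this page (Phase 2, Phase 4, extended mode).
RENAMED_THREADS = {"amain": "gmain", "gdbug": "gdbus", "pool-spoiler": "pool-spawner"}
MEMFD_NAME = "jit-cache"  # assumption: stock ART also maps this name, so weak alone
RESIDUAL_MARKERS = (b"Xbndl", b"XBNDL")  # "libgc" left out: common in real libraries
MEMFD_RE = re.compile(r"/memfd:(\S+)")

# Constructed sample snapshots (not captured from a real device).
SAMPLE_THREADS = ["com.example.app\n", "RenderThread\n", "amain\n", "gdbug\n",
                  "pool-spoiler\n"]
CLEAN_THREADS = ["com.example.app\n", "RenderThread\n", "Jit thread pool\n"]
SAMPLE_MAPS = (
    "7b2c000000-7b2c100000 r-xp 00000000 00:05 1234 /memfd:jit-cache (deleted)\n"
    "7b2d000000-7b2d200000 r--p 00000000 fd:00 5678 /system/lib64/libc.so\n"
)


def scan_process(thread_names, maps_text):
    """Score one process snapshot.

    thread_names: one entry per /proc/<pid>/task/<tid>/comm file.
    maps_text:    contents of /proc/<pid>/maps.
    """
    hits = sorted({t.strip() for t in thread_names} & RENAMED_THREADS.keys())
    findings = [f"thread '{h}' (patched form of '{RENAMED_THREADS[h]}')" for h in hits]
    score = 2 * len(hits)
    memfds = {m.group(1) for m in MEMFD_RE.finditer(maps_text)}
    if hits and MEMFD_NAME in memfds:
        # Counted only next to thread hits, since the name alone is ambiguous.
        findings.append(f"memfd '{MEMFD_NAME}' alongside patched thread names")
        score += 1
    return score, findings


def scan_binary(data):
    """Count the extended-mode replacement strings in a binary image."""
    return {m.decode(): data.count(m) for m in RESIDUAL_MARKERS if m in data}


if __name__ == "__main__":
    print(scan_process(SAMPLE_THREADS, SAMPLE_MAPS))
    print(scan_process(CLEAN_THREADS, SAMPLE_MAPS))
```

The randomized name and port do not affect these checks, because the thread names and replacement strings are the same in every build described here.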

When to use extended mode:

  • Facing advanced detection mechanisms
  • Target apps use memory scanning or string matching
  • Maximum stealth is required
  • Slightly longer build time is acceptable (~13 min vs ~35 min first build)

Output Summary

After a successful build, provide the user with:

  1. Configuration used:

    • Name: <random-name>
    • Port: <random-port>
    • Version: <frida-version>
    • Extended: enabled
  2. Output files:

    • Server binary path and size
    • Gadget library path and size
    • Compressed versions
  3. Deployment commands:

    • adb push command
    • chmod command
    • Server launch command
    • frida connection command
  4. Anti-detection features applied:

    • String obfuscation count
    • Thread name modifications
    • SELinux label changes
    • Binary string cleaning (if extended)

Troubleshooting

Build fails with "Permission denied":

  • Check directory permissions
  • Use sudo chown -R $USER:$USER <directory> if needed

"No space left on device":

  • Requires ~20GB free space
  • Clean up old builds or use a different partition

NDK download fails:

  • Check internet connection
  • NDK r25c is ~506MB, may take time
  • Retry if interrupted

Compilation errors:

  • Ensure all dependencies are installed
  • Check Python version (3.10+ required)
  • Review build log for specific errors

Additional Resources

Reference Files

For detailed information, consult:

  • references/phantom-frida-details.md - Comprehensive anti-detection techniques and patch details

Scripts

Utility scripts available:

  • scripts/check-dependencies.sh - Verify all required dependencies
  • scripts/get-latest-version.sh - Fetch latest Frida version from GitHub

Notes

  • First build downloads Android NDK r25c (~506MB) and takes ~35 minutes
  • Subsequent builds reuse NDK and take ~13-20 minutes
  • Random configuration maximizes stealth by avoiding predictable patterns
  • Extended mode recommended for production use against advanced detection
  • Output binaries are architecture-specific (default: android-arm64)
First Seen
Apr 8, 2026