frida-dexdump is an Android memory forensics tool that recovers Dalvik Executable (DEX) files from running application processes using the Frida dynamic instrumentation framework. It acts as a Frida-based runtime analyzer and DEX memory dumper, extracting obfuscated or packed DEX files from process memory without modifying the Android system.
The tool distinguishes itself through its ability to repair corrupted or missing DEX file headers using heuristic analysis and fuzzy matching techniques. It employs fuzzy boundary detection to identify DEX file boundaries in memory even when headers are damaged, and uses memory-scanning byte matching to locate executable binary blobs across process heap and mapped memory regions. This enables recovery of packed DEX files that standard tools would miss.
The tool operates by injecting a JavaScript agent into a running Android process via Frida and exchanging scan results and extracted data with the host over a bidirectional RPC channel. The agent scans process memory for DEX magic bytes and structural markers, then reconstructs damaged headers by matching the internal data layout against known byte-sequence signatures. Because everything runs through dynamic instrumentation, no system modification is required, so the tool is simple to install and remove.
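The scan-and-repair idea above, as an added illustration in Python that is not frida-dexdump's own code: it searches a memory image for the DEX magic, falls back to a layout signature (the `header_size`/`endian_tag` pair at header offset 0x24, an assumption of this example) when the magic has been stripped, then rebuilds the magic, `file_size`, Adler-32 checksum and SHA-1 signature from the surviving fields. The header field offsets follow the DEX format; the memory image is constructed inline.

```python
import hashlib, struct, zlib

DEX_MAGIC, HEADER_SIZE, ENDIAN_TAG = b"dex\n035\0", 0x70, 0x12345678
# header_size and endian_tag sit at offset 0x24 of every DEX header; a stripped
# header usually keeps them, so they anchor the fuzzy (header-less) search.
LAYOUT_SIG = struct.pack("<II", HEADER_SIZE, ENDIAN_TAG)

def find_dex_candidates(mem: bytes) -> list:
    """Header offsets from magic hits plus layout-signature hits backed off by 0x24."""
    hits = set()
    for sig, back in ((b"dex\n03", 0), (LAYOUT_SIG, 0x24)):
        pos = mem.find(sig)
        while pos != -1:
            if pos >= back:
                hits.add(pos - back)
            pos = mem.find(sig, pos + 1)
    return sorted(hits)

def seal(dex: bytearray) -> bytes:
    """Recompute SHA-1 signature (over 0x20..end) and Adler-32 checksum (over 0x0C..end)."""
    dex[0x0C:0x20] = hashlib.sha1(dex[0x20:]).digest()
    struct.pack_into("<I", dex, 0x08, zlib.adler32(bytes(dex[0x0C:])) & 0xFFFFFFFF)
    return bytes(dex)

def carve_and_repair(mem: bytes, start: int):
    """Carve the DEX at `start`, rebuilding magic/file_size; None if fields do not fit."""
    if start + HEADER_SIZE > len(mem):
        return None
    header_size, endian = struct.unpack_from("<II", mem, start + 0x24)
    if header_size != HEADER_SIZE or endian != ENDIAN_TAG:
        return None
    file_size = struct.unpack_from("<I", mem, start + 0x20)[0]
    data_size, data_off = struct.unpack_from("<II", mem, start + 0x68)
    if file_size == 0:  # wiped: the data section is last, so its end bounds the file
        file_size = data_off + data_size
    if file_size < HEADER_SIZE or start + file_size > len(mem):
        return None
    dex = bytearray(mem[start:start + file_size])
    dex[0:8] = DEX_MAGIC
    struct.pack_into("<I", dex, 0x20, file_size)
    return seal(dex)

def build_sample_memory() -> bytes:
    """Constructed image: filler, an intact minimal DEX, filler, the same DEX with
    its first 0x24 header bytes (magic, checksum, signature, file_size) zeroed."""
    data = b"\xAA" * 0x10
    hdr = bytearray(DEX_MAGIC) + bytearray(HEADER_SIZE - 8)
    struct.pack_into("<III", hdr, 0x20, HEADER_SIZE + len(data), HEADER_SIZE, ENDIAN_TAG)
    struct.pack_into("<II", hdr, 0x68, len(data), HEADER_SIZE)  # data_size, data_off
    dex = seal(hdr + data)
    return b"\x11" * 0x40 + dex + b"\x22" * 0x40 + b"\0" * 0x24 + dex[0x24:] + b"\x33" * 0x20
```

Running `find_dex_candidates(build_sample_memory())` yields both the intact and the header-stripped copy, and `carve_and_repair` returns byte-identical output for each.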