whatisgithub

What is frida-dexdump?

hluwa/frida-dexdump — explained in plain English

Analysis updated 2026-06-26

4,537PythonAudience · developerComplexity · 3/5Setup · moderate

In one sentence

A command-line tool that extracts hidden Android app code from device memory while the app is running, helping security researchers and malware analysts inspect what apps are actually doing.

Mindmap

mindmap
  root((frida-dexdump))
    What it does
      Scan app memory
      Extract DEX files
      Save to disk
    How it works
      Built on Frida
      Runtime inspection
      Deep search mode
    Use Cases
      Malware analysis
      App unpacking
      Security research
    Setup
      pip install
      Frida on device
      One command run
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Extract DEX files from a running Android app to inspect its real code that was hidden or encrypted on disk

USE CASE 2

Analyze packed or obfuscated malware by dumping its decrypted code from memory at runtime

USE CASE 3

Recover DEX files with corrupted or deliberately damaged headers using the deep search mode

What is it built with?

PythonFridaAndroid

How does it compare?

hluwa/frida-dexdumpag2ai/ag2zuruoke/watermark-removal
Stars4,5374,5374,539
LanguagePythonPythonPython
Setup difficultymoderateeasymoderate
Complexity3/53/53/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Frida server running on the Android device over ADB, device must be rooted or have Frida pre-installed.

So what is it?

Frida-dexdump is a command-line tool for security researchers and malware analysts who work with Android applications. Its purpose is to extract compiled Android code from a running app's memory so that the analyst can inspect what the app is actually doing. Android apps are distributed in a format that includes compiled code files called DEX files. Some apps, particularly malicious ones, try to hide their real behavior by packing or encrypting these files so they look different on disk than they do at runtime. When the app runs, it unpacks the real code into memory. Frida-dexdump takes advantage of that moment by scanning the device's memory while the app is running and pulling out the DEX data it finds there, saving it to disk for analysis. The tool is built on top of Frida, which is an established framework for instrumenting running processes on Android and other platforms. Because it runs through Frida, it works on all Android versions that Frida supports and does not require modifying the device's system partition. Installation is a single pip command, and typical usage involves one short command to target the app currently in the foreground. A key feature is a deep search mode, enabled with a flag, that looks for DEX files even when their internal header information is damaged or incomplete. This is useful because some apps deliberately corrupt their DEX headers as an additional obfuscation measure. The deep search takes longer but finds more complete results. The output is saved to a folder named after the target app by default, and the output path can be changed with a command-line option.

Copy-paste prompts

Prompt 1
I extracted DEX files from an Android app using frida-dexdump. Write a Python script that opens each DEX file in the output folder and lists all class names and method signatures using androguard.
Prompt 2
How do I use frida-dexdump's deep search mode to recover DEX files when headers are corrupted? Show the exact command and explain what the flag does.
Prompt 3
Write a bash script that automates frida-dexdump extraction: launch a target Android app, wait 5 seconds, run frida-dexdump on the foreground app, and save output to a timestamped folder.
Prompt 4
I have DEX files extracted with frida-dexdump. Show me how to decompile them back to Java source code using jadx from the command line.
Prompt 5
Explain why packed Android apps that encrypt their DEX files on disk still expose the real DEX data in memory at runtime, and how frida-dexdump exploits that window.

Frequently asked questions

What is frida-dexdump?

A command-line tool that extracts hidden Android app code from device memory while the app is running, helping security researchers and malware analysts inspect what apps are actually doing.

What language is frida-dexdump written in?

Mainly Python. The stack also includes Python, Frida, Android.

How hard is frida-dexdump to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is frida-dexdump for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.