DEV Community

You Thought Frida Was Stealth When Not Attached? Dirty Pages Beg to Differ

Classic Frida detection methods, such as scanning memory maps or thread names, are outdated. The most effective Frida detection method today is dirty-page detection. It works globally, even when Frida has never attached to the target app, because Frida's inline hooking writes into the code pages of key system libraries and thereby triggers copy-on-write. The private dirty pages this creates remain behind as a fingerprint.

Two techniques are presented for detecting that fingerprint. The first parses `/proc/self/smaps` and looks for `Private_Dirty` values greater than zero within the mappings of the targeted libraries. The second, more robust method reads `/proc/self/pagemap` and checks bit 61 of the pagemap entry, which indicates a soft-dirty page. Checking that bit on the pages holding critical functions reveals whether Frida has been present; the examples focus on the fork() system call.

For 2025 security, dirty-page detection is the current standard, and the new front in the ongoing battle against Frida usage.
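The two checks summarised above, as an added C example that is not code from the article: it reads the pagemap entry for the page holding fork() and decodes its flag bits as the kernel's pagemap documentation defines them (bit 63 present, bit 61 file-backed or shared, bit 55 soft-dirty, the last only on kernels built with CONFIG_MEM_SOFT_DIRTY), and it sums Private_Dirty over a library's executable smaps mappings. The smaps excerpt, its /system/lib64 paths and its sizes are constructed for the example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* pagemap entry flag bits per the kernel's pagemap docs; bit 55 needs CONFIG_MEM_SOFT_DIRTY. */
#define PM_SOFT_DIRTY  (1ULL << 55)
#define PM_FILE_SHARED (1ULL << 61)   /* page is file-backed or shared-anon */
#define PM_PRESENT     (1ULL << 63)
/* Present but no longer file-backed: this library code page was copied on write. */
int pagemap_is_private_copy(uint64_t entry) {
    return (entry & PM_PRESENT) && !(entry & PM_FILE_SHARED);
}
int pagemap_is_soft_dirty(uint64_t entry) { return (entry & PM_SOFT_DIRTY) != 0; }
/* Read this process's pagemap entry for the page containing addr; returns 0 on success. */
int pagemap_read(const void *addr, uint64_t *entry) {
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)sysconf(_SC_PAGESIZE)) * 8;
    ssize_t n = lseek(fd, off, SEEK_SET) == off ? read(fd, entry, sizeof *entry) : -1;
    close(fd);
    return n == (ssize_t)sizeof *entry ? 0 : -1;
}
/* Sum Private_Dirty kB over lib's executable (r-xp) mappings only; writable .data/GOT pages are dirty in every process. */
long smaps_private_dirty_kb(const char *smaps, const char *lib) {
    long total = 0, kb; unsigned long lo, hi; char perms[8], buf[512]; int in_lib = 0;
    for (const char *p = smaps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, p, len); buf[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (sscanf(buf, "%lx-%lx %7s", &lo, &hi, perms) == 3)   /* mapping header line */
            in_lib = strstr(buf, lib) != NULL && perms[2] == 'x';
        else if (in_lib && sscanf(buf, "Private_Dirty: %ld kB", &kb) == 1)
            total += kb;
    }
    return total;
}
static const char SAMPLE_SMAPS[] =   /* constructed excerpt: 8 kB of libc text was copied on write */
    "7f0000001000-7f000000a000 r-xp 00001000 fd:01 1234  /system/lib64/libc.so\nPrivate_Dirty:  8 kB\n"
    "7f000000a000-7f000000c000 rw-p 0000a000 fd:01 1234  /system/lib64/libc.so\nPrivate_Dirty: 12 kB\n"
    "7f1000000000-7f1000100000 r-xp 00000000 fd:01 5678  /system/lib64/libart.so\nPrivate_Dirty:  0 kB\n";
int main(void) {   /* live check of the page holding fork(), the function the article singles out */
    uint64_t e;
    if (pagemap_read((const void *)(uintptr_t)fork, &e) == 0)
        printf("fork: private_copy=%d soft_dirty=%d\n", pagemap_is_private_copy(e), pagemap_is_soft_dirty(e));
    return 0;
}
```

On the constructed excerpt only libc's 8 kB of executable text counts; its 12 kB of dirty data pages is normal for any process and is skipped, which keeps the smaps check from firing on every app.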