Some api only returns ArrayBuffer (like frida-fs). When I have to pass them to ffi, looks like the best way is

const ffi = new NativeFunction(...);
const p = Memory.alloc(bytes.byteLength);
Memory.writeByteArray(p, bytes);
ffi(p, bytes.byteLength, ...);

That is an unnecessary extra memcpy.

Update: What I mean is something like std::string::data in C++.

Besides adding MemoryAccessMonitor to Linux I also fixed a FIXME in the signal handler when reporting memory operation - it was needed for MemoryAccessMonitor to function correctly. Now, it is possible to check if the signal was due to a read or write - using capstone to disassemble the instruction.

Likewise, gum_linux_unparse_ucontext was using pc to set THUMB bit. However, on the signal context CPSR already contains that information plus PC will always be even. Therefore, with the previous logic when resuming after handling the exception it will always return to ARM mode instead of the one that correspond - let me know if that breaks something I am not aware. This should also be added to darwin and other ARM backends. Unfortunately, I don't have devices to test but let me know if you want me to send the same fix for darwin.

When trying to run Stalker on an application that loads up a 64 bit library, I get the following errors:

02-21 15:46:29.758 23245-23432/com.demos.app A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0x7f5d13e044 in tid 23432 (gum-js-loop)
02-21 15:46:29.853 22891-22891/? I/ServiceManager: Waiting for service AtCmdFwd...
02-21 15:46:29.862 607-607/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-21 15:46:29.862 607-607/? A/DEBUG: Build fingerprint: 'google/angler/angler:6.0/MDA89D/2294819:user/release-keys'
02-21 15:46:29.862 607-607/? A/DEBUG: Revision: '0'
02-21 15:46:29.862 607-607/? A/DEBUG: ABI: 'arm64'
02-21 15:46:29.863 607-607/? A/DEBUG: pid: 23245, tid: 23432, name: gum-js-loop  >>> com.demos.app <<<
02-21 15:46:29.863 607-607/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7f5d13e808
02-21 15:46:29.879 607-607/? A/DEBUG:     x0   0000007f96ac8980  x1   0000000000000050  x2   0000000000000230  x3   0000007f9b398000
02-21 15:46:29.881 607-607/? A/DEBUG:     x4   0000007f9b398210  x5   0000007f9b398440  x6   0000000000000001  x7   0000007f7dded4f0
02-21 15:46:29.881 607-607/? A/DEBUG:     x8   0000007f7dded440  x9   0000007f7dded670  x10  0000000000000001  x11  00000000000004e1
02-21 15:46:29.881 607-607/? A/DEBUG:     x12  0000007f5d13d000  x13  ffffffffa7536631  x14  0000007f7eab716c  x15  0000007f7eac76b8
02-21 15:46:29.881 607-607/? A/DEBUG:     x16  0000007f7f0e4958  x17  0000007f9b320760  x18  00000000b5000051  x19  0000007f96ac8980
02-21 15:46:29.882 607-607/? A/DEBUG:     x20  0000007f7dded268  x21  0000007f96af2a98  x22  0000000000000000  x23  0000007f7eae1378
02-21 15:46:29.882 607-607/? A/DEBUG:     x24  0000000000000000  x25  0000000000000041  x26  0000007f96af2a60  x27  0000000000000000
02-21 15:46:29.882 607-607/? A/DEBUG:     x28  0000000000000000  x29  0000007f7dded1a0  x30  0000007f7e28f8e8
02-21 15:46:29.882 607-607/? A/DEBUG:     sp   0000007f7ddece20  pc   0000007f5d13e808  pstate 0000000060000000
02-21 15:46:29.884 607-607/? A/DEBUG: backtrace:
02-21 15:46:29.884 607-607/? A/DEBUG:     #00 pc 0000000000001808  <unknown>
02-21 15:46:29.884 607-607/? A/DEBUG:     #01 pc 000000000008c8e4  /data/local/tmp/re.frida.server/frida-agent-64.so (offset 0x118000)
02-21 15:46:30.036 1035-23442/? W/ActivityManager:   Force finishing activity com.demos.app/.acitvities.EnvironmentSelectorActivity
02-21 15:46:30.037 607-607/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_08
02-21 15:46:30.037 607-607/? E/DEBUG: AM write failed: Broken pipe

Here is the python/JS I used.

"use strict";

console.log("hi");
Stalker.follow(Process.getCurrentThreadId(), {
	events: {
		call: true,
		ret: false,
		exec: false
	},
	onReceive : function (events) {
		console.log("wooo");
	}
});

import frida, sys


with open("inject2.js") as fp:
	jscode = fp.read() 

def on_message(message, data):
	print message, data

aid = "com.demos.app"
process = frida.get_usb_device().attach(aid)
process.enable_jit()


script = process.create_script(jscode)
script.on("message", on_message)
script.load()

This still does not work but the idea is as follows, let me know how it looks like to you or if you think otherwise.

gum_stalker_iterator_keep it emits new code when SVC calls are found to check for clone calls. When this happen, ctx->thread_clone is set with GUM_NEW_THREAD_WHILE_STALKING. Likewise, after encountering a SVC call afterwards is inserted more code to check if the SVC call was clone to get the new thread id of the child - gum_stalker_thread_creation is where child and parent is distinguished. Is here where I would like to return to normal life for the child and within the parent notify with a new event so the user can decide whether or not wants to stalk the new thread. However, I am failing to do so - I dunno how to 'disinfect' the child and leave untouched the parent.

To work around that, I added a few lines within gum_exec_ctx_replace_current_block_with to detect when we are running on the child to return to start_address but does not seem to work either.

The normal disinfect routine and unfollow would not work as long as the child and parent share the ctx and I thought setting cpu_context->pc to the real address would be enough but either that is not enough or I don't know how to do it correctly.

I can't seem to get NativeCallback to work on Windows/x86 with anything other than mscdecl. The stack is not being set up or cleared correctly for the other abis, but I'm not sure if I'm using it wrong, should these examples work?

(I'm just typing these into devtools, but I've tried using it from a script and also can't get it to work)

var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "mscdecl");
var func = new NativeFunction(cb, "void", [], "mscdecl");
func() // This works

var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "stdcall");
var func = new NativeFunction(cb, "void", [], "stdcall");
func() // Error: access violation

var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "thiscall");
var func = new NativeFunction(cb, "void", [], "thiscall");
func() // Error: access violation

var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "fastcall");
var func = new NativeFunction(cb, "void", [], "fastcall");
func() // Error: access violation

I think there's a documentation bug where it says "You may also specify the abi if not system default", but it seems to assume mscdecl which is not the system default on Windows, and doesn't match what NativeFunction assumes is the system default (stdcall).

Hi there.

I'm currently encountering an issue where I would like to block on a recv() call inside of my main JS script's body directly after a call to send(). I'm doing this to essentially create a JS -> Python RPC service.

The send() message is received by the message handler on the Python side, but it cannot post back a message due to the error only loaded scripts can be posted to. My assumption here is that the Python side has not marked the script as loaded yet because the JS script hasn't fully completed its body, as it is still blocking on recv().

This has been resolved by me wrapping my entire JS script in a setImmediate call, but I am wondering if there's a better way to architect this so that all scripts which want to use my code do not need to wrap themselves in setImmediate. I am also wondering if there is already a solution for creating JS->Python "RPC" services.

Thanks!

I want hook a function,it‘s code is(12bytes head of function):

294e38: 6dc0 ldr r0, [r0, #92] ; 0x5c 294e3a: 2800 cmp r0, #0 294e3c: bf18 it ne 294e3e: f03b b88f bne.w 2cff60 294e42: 4770 bx lr

It generated a trampoline (on_invoke_trampoline), code is: 0xf3b3911c: ldr r0, [r0, #92] ; 0x5c 0xf3b3911e: cmp r0, #0 0xf3b39120: it ne => 0xf3b39122: bne.n 0xf3b39126 ; unpredictable IT:ne 0xf3b39124: b.n 0xf3b39130 0xf3b39126: push {r0} 0xf3b39128: push {r0} 0xf3b3912a: ldr r0, [pc, #12] ; (0xf3b39138) 0xf3b3912c: str r0, [sp, #4] 0xf3b3912e: pop {r0, pc}

it crash at ==>, crash report this “bne.n” is Illegal instrument

report：

signal 4 (SIGILL), code -6 (SI_TKILL), fault addr 0xdbc4e222 I/AEE/AED ( 484): r0 c7c2d3f8 r1 00000010 r2 00000010 r3 ca50dab0 I/AEE/AED ( 484): r4 efe0d300 r5 000334b5 r6 000334b4 r7 ca50dad8 I/AEE/AED ( 484): r8 ca50daac r9 00018f3c sl d6c4226b fp d6d40a71 I/AEE/AED ( 484): ip d59f6e39 sp ca50da68 lr dbc4e209 pc dbc4e222 cpsr a00f1830 I/AEE/AED ( 484): I/AEE/AED ( 484): backtrace: I/AEE/AED ( 484): #00 pc 00000222 I/AEE/AED ( 484): #01 pc 00000205

Hi,

When I use the following build (https://github.com/frida/frida/releases/download/10.6.24/frida-gum-devkit-10.6.24-android-x86_64.tar.xz) and attempt to link libfrida-gum.a against my android application, I get the error

"libfrida-gum.a(unix64.o): requires dynamic R_X86_64_PC32 reloc against '_frida_ffi_closure_unix64_inner' which may overflow at runtime; recompile with -fPIC)"

All the other ABIs for android (arm, arm64 and x86) work fine. I am linking all the libraries the same way. For some reason though, the x86_64 build doesn't link :(

When an executable is loaded using the loader, e.g.:

/usr/arm-linux-gnueabi/lib/ld-2.27.so /bin/myapp

The when querying ModuleMap().values(), the executable /bin/myapp is omitted from the list of modules and the loader (ld-2.27.so) appears in the list twice. This appears to be because gum_process_enumerate_modules_by_using_libc is called by gum_process_enumerate_modules. This function uses the API dl_iterate_phdr to iterate through the shared libraries in the process, this is combined with the data in /proc/self/maps to for the Module entry. This has the advantage over just presenting the raw /proc/pid/maps data that it will not find false positives if an ELF is mapped as a flat file, and it may be more performant than opening each file in the maps to interrogate it.

As this API will omit the executable (it only deals with shared objects), this is then located by interrogating /proc/self/exe to find the main executable and again collecting its information from the map. Since in this case /proc/self/exe is /usr/arm-linux-gnueabi/lib/ld-2.27.so and not /bin/myapp, and the loader has already been added to the ModuleMap through the dl_iterate_phdr mechanism, it appears twice. The executable itself, however, is absent.

Environment: Android 28 (9.0) Google API x86_64 emulator image.

frida latest build

in a specific application after hooking when calling the real constructor, app crashes with :

03-19 13:29:59.813 12420 12499 F com.package: runtime.cc:566] JNI DETECTED ERROR IN APPLICATION: unexpected jboolean value: -1473958912
03-19 13:29:59.814 12420 12499 F com.package: runtime.cc:566]     in call to CallNonvirtualVoidMethod

with example code :

db1.$init.overload(...).implementation = function (){
	return this.$init(...);
}

this is not related to a constructor hook i guess, but a invalid jboolean memory.

constructor contains multiple values with boolean parameters also

see https://github.com/frida/frida-gum/issues/383

Fixed the issue where single instruction was rewritten into multiple instructions in IT instruction; Fixed the problem that the B instruction with condition in the IT instruction condition needs to be removed after “rewrite”; Rewritten IT instruction block “rewrite” logic See test cases for details

Please note that this PR also contains the following:

• https://github.com/frida/frida-gum/pull/704
• https://github.com/frida/frida-gum/pull/703

This is because the RunOnThread functionality is necessary for it to function and there would otherwise be conflict with the ThreadName support.

This PR adds support for including user_time (the time the CPU has spent executing in user-mode in microseconds) in the ThreadDetails on Linux based systems. Similar support for other systems should be relatively straightforward.

...on x86/64.

A complete rework of the original PR. https://github.com/frida/frida-gum/pull/559 This solution instead uses the Stalker backend (and its associated prologues/epilogues) to do any heavy lifting. As such the architecture specific code is tiny (see here https://github.com/MissingFuzz/frida-gum/blob/5590a49c94ee138c0c76cd35e33b953766d46a1e/gum/backend-x86/gumstalker-x86.c#L6642). Almost all of this commit is unit tests.

• so that we can keep using a single instruction to reference data from code even in presence of many hooks / imports
• gum_arm64_writer_put_ldr_reg_u64_ptr is now checked for errors and the error is propagated
• no need to change the ABI because Interceptor is already consuming this correctly

Inspecting binaries generated with an old compiler (gcc 4.7.1), we can observer the following prologue...

cpy r12,sp
stmdb sp!,{r3, r4, r5, r6, r11, r12, lr, pc}

And the corresponding epilogue...

ldmia sp, {r3, r4, r5, r6, r11, sp, pc}

Note, however that the ldmia instruction for the epilogue is missing the !, hence although the value of sp is incremented after the load of the other registers from the stack, it is not written back! The instruction does however, modify sp since it is one of the registers being popped from the stack. The mnemonic here is quite confusing!

Stalker for ARM had a defect whereby it would incorrectly modify the sp when executing such an instruction.

I am trying to implement a tcp server with multiple simultaneous connections. I previously implemented it in python and javascript, but wanted to port it to javascript only. Even with the following implementation, I feel that the first connection is broken after the second access.

https://github.com/frida/frida/issues/814