Cross-platform instrumentation and introspection library written in C

Overview

Gum

Cross-platform instrumentation and introspection library written in C.

This library is consumed by frida-core through its JavaScript bindings, GumJS.

Provides:

Binaries

Download a devkit for statically linking into your own projects from the Frida releases page.

Comments
  • Provide an api to get raw data pointer from ArrayBuffer?

    Some api only returns ArrayBuffer (like frida-fs). When I have to pass them to ffi, looks like the best way is

    const ffi = new NativeFunction(...);
    // bytes is an ArrayBuffer, e.g. one returned by frida-fs
    const p = Memory.alloc(bytes.byteLength);
    Memory.writeByteArray(p, bytes);   // copies the whole buffer into native memory
    ffi(p, bytes.byteLength, ...);
    

    That is an unnecessary extra memcpy.


    Update: What I mean is something like std::string::data in C++.

    opened by ChiChou 19
  • Add support for MemoryAccessMonitor to linux

    Besides adding MemoryAccessMonitor to Linux I also fixed a FIXME in the signal handler when reporting memory operation - it was needed for MemoryAccessMonitor to function correctly. Now, it is possible to check if the signal was due to a read or write - using capstone to disassemble the instruction.

    Likewise, gum_linux_unparse_ucontext was using pc to set the THUMB bit. However, on the signal context CPSR already contains that information, plus PC will always be even. Therefore, with the previous logic, when resuming after handling the exception it will always return to ARM mode instead of the one that corresponds - let me know if that breaks something I am not aware of. This should also be added to darwin and other ARM backends. Unfortunately, I don't have devices to test, but let me know if you want me to send the same fix for darwin.

    opened by alvarofe 11
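The read-versus-write classification described in this PR can also be done without disassembling the faulting instruction. The C program below is an added example (not the PR's code and not part of frida-gum): it watches one page, catches SIGSEGV with SA_SIGINFO, and on the first fault grants read access and lets the instruction retry; a read then completes, while a write faults a second time and is reported as a write. The two resume_in_thumb helpers illustrate the second point in the PR, taking the Thumb state from CPSR bit 5 instead of from the saved PC, which the kernel always delivers even; the CPSR and PC values in main are constructed samples. Assumes Linux with mmap/mprotect/sigaction and uses no gum API.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One watched page, its current protection and the verdict for the last access. */
static unsigned char *g_page;
static size_t g_page_size;
static volatile sig_atomic_t g_prot;
static volatile sig_atomic_t g_kind;   /* 'R' or 'W' once classified */
static volatile unsigned char g_sink;  /* keeps the probe read from being optimised away */

static void on_fault(int signo, siginfo_t *si, void *ctx) {
  (void)signo; (void)ctx;
  uintptr_t a = (uintptr_t)si->si_addr;
  if (g_page == NULL || a < (uintptr_t)g_page || a >= (uintptr_t)g_page + g_page_size) {
    signal(SIGSEGV, SIG_DFL);  /* not our page: crash normally when the access retries */
    return;
  }
  if (g_prot == PROT_NONE) {
    /* First fault: assume a read, grant read access and let the instruction retry.
       A read now completes; a write faults again on the same address. */
    g_kind = 'R';
    g_prot = PROT_READ;
  } else {
    /* Second fault while the page is readable: it has to be a write. */
    g_kind = 'W';
    g_prot = PROT_READ | PROT_WRITE;
  }
  mprotect(g_page, g_page_size, g_prot);
}

static int watch_init(void) {
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = on_fault;
  sa.sa_flags = SA_SIGINFO;
  sigemptyset(&sa.sa_mask);
  if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
  g_page_size = (size_t)sysconf(_SC_PAGESIZE);
  void *p = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (p == MAP_FAILED) return -1;
  g_page = p;
  g_page[0] = 0x41;  /* make the page resident so later faults are permission faults */
  return 0;
}

/* Performs one access to the watched page and returns 'R' or 'W' as seen by
   the handler, or -1 if the watch could not be set up. */
int classify_access(int do_write) {
  if (g_page == NULL && watch_init() != 0) return -1;
  g_kind = 0;
  g_prot = PROT_NONE;
  if (mprotect(g_page, g_page_size, PROT_NONE) != 0) return -1;
  volatile unsigned char *p = g_page;
  if (do_write) *p = 0x42; else g_sink = *p;
  g_prot = PROT_READ | PROT_WRITE;
  mprotect(g_page, g_page_size, PROT_READ | PROT_WRITE);
  return g_kind;
}

/* AArch32 signal context: the saved PC is always even, so the Thumb state must
   come from CPSR.T (bit 5). The old PC-based test reports ARM mode for every fault. */
int resume_in_thumb(uint32_t cpsr, uint32_t pc) { (void)pc; return (int)((cpsr >> 5) & 1u); }
int resume_in_thumb_old(uint32_t cpsr, uint32_t pc) { (void)cpsr; return (int)(pc & 1u); }

int main(void) {
  printf("read  -> %c\n", classify_access(0));
  printf("write -> %c\n", classify_access(1));
  /* Constructed sample context: CPSR with T set, even PC as the kernel delivers it. */
  printf("thumb from cpsr = %d, thumb from pc = %d\n",
         resume_in_thumb(0x60000030u, 0x294e38u), resume_in_thumb_old(0x60000030u, 0x294e38u));
  return 0;
}
```

The two-step approach costs a second fault per write, which is the price for not needing a disassembler; it also cannot tell an instruction fetch from a data read, so a real monitor still wants the instruction bytes (as the PR does with capstone) or, on x86, the error code from the signal context.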
  • SIGILL on 64 bit Stalker/Android

    When trying to run Stalker on an application that loads up a 64 bit library, I get the following errors:

    02-21 15:46:29.758 23245-23432/com.demos.app A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0x7f5d13e044 in tid 23432 (gum-js-loop)
    02-21 15:46:29.853 22891-22891/? I/ServiceManager: Waiting for service AtCmdFwd...
    02-21 15:46:29.862 607-607/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    02-21 15:46:29.862 607-607/? A/DEBUG: Build fingerprint: 'google/angler/angler:6.0/MDA89D/2294819:user/release-keys'
    02-21 15:46:29.862 607-607/? A/DEBUG: Revision: '0'
    02-21 15:46:29.862 607-607/? A/DEBUG: ABI: 'arm64'
    02-21 15:46:29.863 607-607/? A/DEBUG: pid: 23245, tid: 23432, name: gum-js-loop  >>> com.demos.app <<<
    02-21 15:46:29.863 607-607/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7f5d13e808
    02-21 15:46:29.879 607-607/? A/DEBUG:     x0   0000007f96ac8980  x1   0000000000000050  x2   0000000000000230  x3   0000007f9b398000
    02-21 15:46:29.881 607-607/? A/DEBUG:     x4   0000007f9b398210  x5   0000007f9b398440  x6   0000000000000001  x7   0000007f7dded4f0
    02-21 15:46:29.881 607-607/? A/DEBUG:     x8   0000007f7dded440  x9   0000007f7dded670  x10  0000000000000001  x11  00000000000004e1
    02-21 15:46:29.881 607-607/? A/DEBUG:     x12  0000007f5d13d000  x13  ffffffffa7536631  x14  0000007f7eab716c  x15  0000007f7eac76b8
    02-21 15:46:29.881 607-607/? A/DEBUG:     x16  0000007f7f0e4958  x17  0000007f9b320760  x18  00000000b5000051  x19  0000007f96ac8980
    02-21 15:46:29.882 607-607/? A/DEBUG:     x20  0000007f7dded268  x21  0000007f96af2a98  x22  0000000000000000  x23  0000007f7eae1378
    02-21 15:46:29.882 607-607/? A/DEBUG:     x24  0000000000000000  x25  0000000000000041  x26  0000007f96af2a60  x27  0000000000000000
    02-21 15:46:29.882 607-607/? A/DEBUG:     x28  0000000000000000  x29  0000007f7dded1a0  x30  0000007f7e28f8e8
    02-21 15:46:29.882 607-607/? A/DEBUG:     sp   0000007f7ddece20  pc   0000007f5d13e808  pstate 0000000060000000
    02-21 15:46:29.884 607-607/? A/DEBUG: backtrace:
    02-21 15:46:29.884 607-607/? A/DEBUG:     #00 pc 0000000000001808  <unknown>
    02-21 15:46:29.884 607-607/? A/DEBUG:     #01 pc 000000000008c8e4  /data/local/tmp/re.frida.server/frida-agent-64.so (offset 0x118000)
    02-21 15:46:30.036 1035-23442/? W/ActivityManager:   Force finishing activity com.demos.app/.acitvities.EnvironmentSelectorActivity
    02-21 15:46:30.037 607-607/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_08
    02-21 15:46:30.037 607-607/? E/DEBUG: AM write failed: Broken pipe
    

    Here is the python/JS I used.

    // inject2.js
    "use strict";

    console.log("hi");
    // follow the current thread, asking only for call events
    Stalker.follow(Process.getCurrentThreadId(), {
        events: {
            call: true,
            ret: false,
            exec: false
        },
        onReceive: function (events) {
            console.log("wooo");
        }
    });


    # inject2.py (frida-python host side)
    import frida, sys


    with open("inject2.js") as fp:
        jscode = fp.read()

    def on_message(message, data):
        print(message, data)

    aid = "com.demos.app"
    process = frida.get_usb_device().attach(aid)
    process.enable_jit()


    script = process.create_script(jscode)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()  # keep the session alive instead of exiting right after load
    opened by manizzle 11
  • Fix stalking of thread creation on Linux/arm64

    This still does not work, but the idea is as follows; let me know how it looks to you or if you think otherwise.

    gum_stalker_iterator_keep emits new code when SVC calls are found, to check for clone calls. When this happens, ctx->thread_clone is set with GUM_NEW_THREAD_WHILE_STALKING. Likewise, after encountering an SVC call, more code is inserted afterwards to check whether the SVC call was clone, to get the new thread id of the child - gum_stalker_thread_creation is where child and parent are distinguished. It is here where I would like to return to normal life for the child and, within the parent, notify with a new event so the user can decide whether or not they want to stalk the new thread. However, I am failing to do so - I don't know how to 'disinfect' the child and leave the parent untouched.

    To work around that, I added a few lines within gum_exec_ctx_replace_current_block_with to detect when we are running on the child and return to start_address, but that does not seem to work either.

    The normal disinfect routine and unfollow would not work as long as the child and parent share the ctx, and I thought setting cpu_context->pc to the real address would be enough, but either that is not enough or I don't know how to do it correctly.

    opened by alvarofe 10
  • NativeCallback doesn't seem to work on Windows, except for mscdecl

    I can't seem to get NativeCallback to work on Windows/x86 with anything other than mscdecl. The stack is not being set up or cleared correctly for the other abis, but I'm not sure if I'm using it wrong, should these examples work?

    (I'm just typing these into devtools, but I've tried using it from a script and also can't get it to work)

    var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "mscdecl");
    var func = new NativeFunction(cb, "void", [], "mscdecl");
    func() // This works
    
    var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "stdcall");
    var func = new NativeFunction(cb, "void", [], "stdcall");
    func() // Error: access violation
    
    var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "thiscall");
    var func = new NativeFunction(cb, "void", [], "thiscall");
    func() // Error: access violation
    
    var cb = new NativeCallback(function () { console.log("hello"); }, "void", [], "fastcall");
    var func = new NativeFunction(cb, "void", [], "fastcall");
    func() // Error: access violation
    

    I think there's a documentation bug where it says "You may also specify the abi if not system default", but it seems to assume mscdecl which is not the system default on Windows, and doesn't match what NativeFunction assumes is the system default (stdcall).

    opened by taviso 9
  • Question: On error "only loaded scripts can be posted to"

    Hi there.

    I'm currently encountering an issue where I would like to block on a recv() call inside of my main JS script's body directly after a call to send(). I'm doing this to essentially create a JS -> Python RPC service.

    The send() message is received by the message handler on the Python side, but it cannot post back a message due to the error "only loaded scripts can be posted to". My assumption here is that the Python side has not marked the script as loaded yet because the JS script hasn't fully completed its body, as it is still blocking on recv().

    This has been resolved by me wrapping my entire JS script in a setImmediate call, but I am wondering if there's a better way to architect this so that all scripts which want to use my code do not need to wrap themselves in setImmediate. I am also wondering if there is already a solution for creating JS->Python "RPC" services.

    Thanks!

    opened by Gbps 9
  • A crash report on Android (caused by bne.n instruction)

    I want to hook a function; its code is (the 12-byte head of the function):

    294e38: 6dc0       ldr   r0, [r0, #92]   ; 0x5c
    294e3a: 2800       cmp   r0, #0
    294e3c: bf18       it    ne
    294e3e: f03b b88f  bne.w 2cff60
    294e42: 4770       bx    lr

    It generated a trampoline (on_invoke_trampoline); its code is:

       0xf3b3911c: ldr   r0, [r0, #92]   ; 0x5c
       0xf3b3911e: cmp   r0, #0
       0xf3b39120: it    ne
    => 0xf3b39122: bne.n 0xf3b39126      ; unpredictable IT:ne
       0xf3b39124: b.n   0xf3b39130
       0xf3b39126: push  {r0}
       0xf3b39128: push  {r0}
       0xf3b3912a: ldr   r0, [pc, #12]   ; (0xf3b39138)
       0xf3b3912c: str   r0, [sp, #4]
       0xf3b3912e: pop   {r0, pc}

    It crashes at the line marked =>; the crash report says this "bne.n" is an illegal instruction.

    Report:

    signal 4 (SIGILL), code -6 (SI_TKILL), fault addr 0xdbc4e222
    I/AEE/AED ( 484): r0 c7c2d3f8  r1 00000010  r2 00000010  r3 ca50dab0
    I/AEE/AED ( 484): r4 efe0d300  r5 000334b5  r6 000334b4  r7 ca50dad8
    I/AEE/AED ( 484): r8 ca50daac  r9 00018f3c  sl d6c4226b  fp d6d40a71
    I/AEE/AED ( 484): ip d59f6e39  sp ca50da68  lr dbc4e209  pc dbc4e222  cpsr a00f1830
    I/AEE/AED ( 484):
    I/AEE/AED ( 484): backtrace:
    I/AEE/AED ( 484):     #00 pc 00000222
    I/AEE/AED ( 484):     #01 pc 00000205

    opened by bigboysun 9
  • recompile with -fPIC linker error for frida-gum ABI x86_64

    Hi,

    When I use the following build (https://github.com/frida/frida/releases/download/10.6.24/frida-gum-devkit-10.6.24-android-x86_64.tar.xz) and attempt to link libfrida-gum.a against my android application, I get the error

    "libfrida-gum.a(unix64.o): requires dynamic R_X86_64_PC32 reloc against '_frida_ffi_closure_unix64_inner' which may overflow at runtime; recompile with -fPIC)"

    All the other ABIs for android (arm, arm64 and x86) work fine. I am linking all the libraries the same way. For some reason though, the x86_64 build doesn't link :(

    opened by JonForShort 9
  • Gum fails to emit main executable in ModuleMap when alternative loader is used.

    When an executable is loaded using the loader, e.g.:

    /usr/arm-linux-gnueabi/lib/ld-2.27.so /bin/myapp

    Then, when querying ModuleMap().values(), the executable /bin/myapp is omitted from the list of modules and the loader (ld-2.27.so) appears in the list twice. This appears to be because gum_process_enumerate_modules_by_using_libc is called by gum_process_enumerate_modules. This function uses the API dl_iterate_phdr to iterate through the shared libraries in the process; this is combined with the data in /proc/self/maps to form the Module entry. This has the advantage over just presenting the raw /proc/pid/maps data that it will not find false positives if an ELF is mapped as a flat file, and it may be more performant than opening each file in the maps to interrogate it.

    As this API will omit the executable (it only deals with shared objects), this is then located by interrogating /proc/self/exe to find the main executable and again collecting its information from the map. Since in this case /proc/self/exe is /usr/arm-linux-gnueabi/lib/ld-2.27.so and not /bin/myapp, and the loader has already been added to the ModuleMap through the dl_iterate_phdr mechanism, it appears twice. The executable itself, however, is absent.

    opened by WorksButNotTested 8
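A practitioner can check the two views this report contrasts from inside the process. The C program below is an added example, not gum's code: it resolves the executable from the /proc/self/maps entry that contains AT_PHDR (the program headers of the program actually being run) and compares that with what /proc/self/exe names. Run directly, both agree; run as ld-2.27.so /bin/myapp, /proc/self/exe names the loader while the AT_PHDR lookup still names /bin/myapp. That relies on glibc's ld.so rewriting AT_PHDR for the program it loads when it is invoked as a command, an assumption to verify against the glibc version in use. Assumes Linux with /proc and getauxval.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Copies the pathname of the /proc/self/maps entry containing 'addr' into 'out'
   (an empty string for anonymous mappings). Returns 0 on success, -1 if no
   mapping covers the address or /proc is not available. */
int path_for_address(uintptr_t addr, char *out, size_t out_len) {
  if (out_len == 0) return -1;
  FILE *f = fopen("/proc/self/maps", "r");
  if (f == NULL) return -1;
  char line[4096];
  int rc = -1;
  while (fgets(line, sizeof line, f) != NULL) {
    unsigned long lo = 0, hi = 0;
    int end = -1;
    /* Line layout: start-end perms offset dev inode [pathname] */
    if (sscanf(line, "%lx-%lx %*s %*s %*s %*s%n", &lo, &hi, &end) != 2 || end < 0) continue;
    if (addr < lo || addr >= hi) continue;
    const char *p = line + end;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\n");
    if (n >= out_len) n = out_len - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    rc = 0;
    break;
  }
  fclose(f);
  return rc;
}

/* The program actually being run: the image that AT_PHDR points into. */
int main_executable_path(char *out, size_t out_len) {
  uintptr_t phdr = (uintptr_t)getauxval(AT_PHDR);
  if (phdr == 0) return -1;
  return path_for_address(phdr, out, out_len);
}

/* What /proc/self/exe resolves to: the file execve() started, which is the
   loader itself under "ld-2.27.so /bin/myapp". */
int proc_self_exe(char *out, size_t out_len) {
  if (out_len == 0) return -1;
  ssize_t n = readlink("/proc/self/exe", out, out_len - 1);
  if (n < 0) return -1;
  out[n] = '\0';
  return 0;
}

/* 1 if both views name the same file (direct execution), 0 if they differ
   (an alternative loader in front of the program), -1 on error. */
int loader_is_transparent(void) {
  char a[4096], b[4096];
  if (main_executable_path(a, sizeof a) != 0 || proc_self_exe(b, sizeof b) != 0) return -1;
  return strcmp(a, b) == 0;
}

int main(void) {
  char path[4096];
  if (main_executable_path(path, sizeof path) == 0) printf("AT_PHDR image:  %s\n", path);
  if (proc_self_exe(path, sizeof path) == 0) printf("/proc/self/exe: %s\n", path);
  printf("same file: %d\n", loader_is_transparent());
  return 0;
}
```

Run the compiled binary directly and then through the loader (for example /lib64/ld-linux-x86-64.so.2 ./a.out on x86_64 glibc) and loader_is_transparent() is expected to go from 1 to 0, with the AT_PHDR line naming the program in both cases.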
  • NativeFunction does not promote variadic arguments smaller than sizeof(int)

    Environment: Android 28 (9.0) Google API x86_64 emulator image.

    frida latest build

    In a specific application, after hooking, the app crashes when calling the real constructor with:

    03-19 13:29:59.813 12420 12499 F com.package: runtime.cc:566] JNI DETECTED ERROR IN APPLICATION: unexpected jboolean value: -1473958912
    03-19 13:29:59.814 12420 12499 F com.package: runtime.cc:566]     in call to CallNonvirtualVoidMethod
    

    with example code :

    // the overload's parameter type list is elided in the report
    db1.$init.overload(...).implementation = function () {
        // forward the original arguments to the real constructor
        return this.$init.apply(this, arguments);
    };


    This is not related to the constructor hook, I guess, but to invalid jboolean memory.

    The constructor also contains multiple boolean parameters.

    opened by 0x410c 8
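The log line in this report is what default argument promotion looks like when it is skipped. In C, an argument passed to a variadic function that is narrower than int (jboolean is an unsigned 8-bit type) is widened to int, and the callee reads it with va_arg(ap, int); if only the low byte of the argument slot is written, the remaining bits are stale and the callee sees a large or negative value. The C program below is an added example, not Frida or ART code: check_jboolean_args stands in for the runtime-side check, call_promoted does the promotion, and call_unpromoted models the missing promotion with a constructed stale value.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t jboolean;

/* Stands in for the runtime's check: each variadic jboolean arrives promoted to
   int, so it is read with va_arg(ap, int) and must be exactly 0 or 1. Returns
   the index of the first offending argument, or -1 when all are valid. */
int check_jboolean_args(int count, ...) {
  va_list ap;
  va_start(ap, count);
  int bad = -1;
  for (int i = 0; i < count; i++) {
    int v = va_arg(ap, int);
    if (v != 0 && v != 1) { bad = i; break; }
  }
  va_end(ap);
  return bad;
}

/* Correct caller: default argument promotion widens each jboolean to an int
   holding 0 or 1 before it is placed in the argument slot. */
int call_promoted(jboolean a, jboolean b) {
  return check_jboolean_args(2, (int)a, (int)b);
}

/* Models the bug: only the low byte of the slot is written, so the upper bits
   keep whatever the slot held before ('stale' is a constructed stand-in). */
int call_unpromoted(jboolean a, uint32_t stale) {
  uint32_t slot = (stale & ~0xFFu) | a;
  return check_jboolean_args(1, (int)slot);
}

int main(void) {
  printf("promoted (1, 0):              %d\n", call_promoted(1, 0));
  printf("promoted (1, 200):            %d\n", call_promoted(1, 200));
  printf("unpromoted 1 over 0xA8250000: %d\n", call_unpromoted(1, 0xA8250000u));
  return 0;
}
```

The same rule turns a float into a double, so a caller that hands a NativeFunction a variadic float or a sub-int integer without widening it first will produce garbage of exactly this kind in the callee.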
  • fix IT block bug

    see https://github.com/frida/frida-gum/issues/383

    Fixed the issue where a single instruction was rewritten into multiple instructions inside an IT block. Fixed the problem that a conditional B instruction inside an IT block needs to be removed after the rewrite. Rewrote the IT block rewrite logic. See the test cases for details.

    opened by bigboysun 8
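Both the crash report above (the bne.n emitted inside an IT block, flagged unpredictable) and this PR come down to how an IT opcode encodes the conditions of the instructions that follow it. The C code below is an added example, not the PR's implementation: it_decode and it_encode convert between an IT opcode and the per-slot conditions, and it_regroup re-emits IT opcodes after a rewrite has expanded a slot into several instructions or dropped one (as for a conditional B that the relocated code handles itself), splitting the result into blocks of at most four. The encoding rule implemented is the ARMv7 one: firstcond in bits 7:4, and in bits 3:0 one bit per later slot, equal to firstcond[0] for a "then" and inverted for an "else", followed by a terminating 1 bit. The 0xbf18 opcode is the it ne from the listing; the other opcodes and the expansion counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Condition codes as they appear in the IT firstcond field. */
enum { COND_EQ = 0, COND_NE = 1, COND_AL = 14 };

/* Decodes a Thumb IT opcode (0xBFxx) into the condition of each instruction of
   the block it opens (1 to 4 entries). Returns the block length, or 0 if 'op'
   is not an IT instruction. */
int it_decode(uint16_t op, uint8_t conds[4]) {
  if ((op & 0xFF00) != 0xBF00 || (op & 0x000F) == 0) return 0;
  uint8_t firstcond = (op >> 4) & 0xF;
  uint8_t mask = op & 0xF;
  int tz = 0;
  while (!((mask >> tz) & 1)) tz++;      /* position of the terminating 1 bit */
  int len = 4 - tz;
  conds[0] = firstcond;
  for (int i = 1; i < len; i++) {
    int bit = (mask >> (4 - i)) & 1;     /* bit 3 -> slot 2, bit 2 -> slot 3, bit 1 -> slot 4 */
    conds[i] = (bit == (firstcond & 1)) ? firstcond : (uint8_t)(firstcond ^ 1);
  }
  return len;
}

/* Encodes 1 to 4 conditions into a single IT opcode. Returns 0 when the slots
   cannot share one block: more than four, a condition other than the first or
   its inverse, or an "else" after AL. */
uint16_t it_encode(const uint8_t *conds, int len) {
  if (len < 1 || len > 4) return 0;
  uint8_t fc = conds[0] & 0xF;
  uint8_t mask = 0;
  for (int i = 1; i < len; i++) {
    if (conds[i] == fc) {
      mask |= (uint8_t)((fc & 1) << (4 - i));            /* "T": same as firstcond[0] */
    } else if (conds[i] == (fc ^ 1) && fc != COND_AL) {
      mask |= (uint8_t)((~fc & 1) << (4 - i));           /* "E": inverted */
    } else {
      return 0;
    }
  }
  mask |= (uint8_t)(1u << (4 - len));                     /* terminating 1 bit */
  return (uint16_t)(0xBF00 | (fc << 4) | mask);
}

/* Re-emits IT opcodes after a rewrite turned slot i of the original block into
   expansion[i] instructions that all need the original condition (0 when the
   slot was dropped, e.g. a conditional B replaced by relocated code that
   handles the condition itself). Fills 'out' with the new opcodes, one per
   group of up to four instructions, and returns how many, or -1 on error. */
int it_regroup(uint16_t op, const int *expansion, uint16_t *out, int max_out) {
  uint8_t conds[4];
  int len = it_decode(op, conds);
  if (len == 0) return -1;
  uint8_t flat[64];
  int n = 0;
  for (int i = 0; i < len; i++) {
    if (expansion[i] < 0 || expansion[i] > 16) return -1;
    for (int k = 0; k < expansion[i]; k++) flat[n++] = conds[i];
  }
  int count = 0;
  for (int i = 0; i < n; i += 4) {
    int chunk = (n - i < 4) ? (n - i) : 4;
    if (count >= max_out) return -1;
    uint16_t enc = it_encode(&flat[i], chunk);
    if (enc == 0) return -1;
    out[count++] = enc;
  }
  return count;
}

int main(void) {
  uint8_t conds[4];
  int len = it_decode(0xbf18, conds);   /* "it ne" from the page's listing */
  printf("0xbf18: %d slot(s), first cond %u\n", len, conds[0]);
  uint16_t out[4];
  int exp[2] = {3, 1};                  /* the NE slot of "ite ne" became three instructions */
  int k = it_regroup(0xbf14, exp, out, 4);
  for (int i = 0; i < k; i++) printf("new IT: 0x%04x\n", out[i]);
  return 0;
}
```

A branch that stays inside an IT block must remain its last instruction, and a 16-bit conditional B (the bne.n in the listing) is not permitted inside one at all, which is why a rewritten conditional branch is modelled here as a dropped slot whose condition the emitted code must test by other means, rather than as an expanded slot.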
  • Thread time

    Please note that this PR also contains the following:

    • https://github.com/frida/frida-gum/pull/704
    • https://github.com/frida/frida-gum/pull/703

    This is because the RunOnThread functionality is necessary for it to function and there would otherwise be conflict with the ThreadName support.

    This PR adds support for including user_time (the time the CPU has spent executing in user-mode in microseconds) in the ThreadDetails on Linux based systems. Similar support for other systems should be relatively straightforward.

    opened by WorksButNotTested 0
  • Changes to add ability to run a function on a given thread

    ...on x86/64.

    A complete rework of the original PR. https://github.com/frida/frida-gum/pull/559 This solution instead uses the Stalker backend (and its associated prologues/epilogues) to do any heavy lifting. As such the architecture specific code is tiny (see here https://github.com/MissingFuzz/frida-gum/blob/5590a49c94ee138c0c76cd35e33b953766d46a1e/gum/backend-x86/gumstalker-x86.c#L6642). Almost all of this commit is unit tests.

    opened by WorksButNotTested 0
  • gum-graft: Create multiple segments if needed

    • so that we can keep using a single instruction to reference data from code even in presence of many hooks / imports
    • gum_arm64_writer_put_ldr_reg_u64_ptr is now checked for errors and the error is propagated
    • no need to change the ABI because Interceptor is already consuming this correctly
    opened by mrmacete 0
  • Fix ARM Stalker handling of LDMIA without writeback

    Inspecting binaries generated with an old compiler (gcc 4.7.1), we can observe the following prologue...

    cpy r12,sp
    stmdb sp!,{r3, r4, r5, r6, r11, r12, lr, pc}
    

    And the corresponding epilogue...

    ldmia sp, {r3, r4, r5, r6, r11, sp, pc}
    

    Note, however, that the ldmia instruction for the epilogue is missing the !, hence although the value of sp is incremented after the load of the other registers from the stack, it is not written back! The instruction does, however, modify sp, since it is one of the registers being popped from the stack. The mnemonic here is quite confusing!

    Stalker for ARM had a defect whereby it would incorrectly modify the sp when executing such an instruction.

    opened by WorksButNotTested 0
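The semantics this PR describes can be checked with a small emulation of LDMIA. The C code below is an added example, not the Stalker fix: ldmia loads the register list in ascending order, applies writeback only when '!' is present and the base is not in the list, rejects the unpredictable '!'-with-base-in-list form, and run_epilogue replays the page's epilogue on a constructed frame laid out like the prologue's stmdb sp!, {r3, r4, r5, r6, r11, r12, lr, pc}, so sp is restored from the saved r12 slot and pc from the saved lr slot rather than sp being advanced by 28. The frame values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SP = 13, LR = 14, PC = 15 };

typedef struct { uint32_t r[16]; } arm_regs;

static uint32_t load_le32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Emulates "LDMIA <base>{!}, <reglist>" against a little-endian memory image.
   Registers load lowest-numbered first from ascending addresses. The base is
   written back (base += 4 * count) only with '!' and only if it is not in the
   list; when it is in the list, the value loaded from memory is what it ends up
   holding. '!' together with the base in the list is UNPREDICTABLE in ARMv7
   and is rejected here. Returns 0 on success, -1 on bad operands or bounds. */
int ldmia(arm_regs *rf, int base, uint16_t reglist, int writeback,
          const uint8_t *mem, size_t mem_len) {
  if (base < 0 || base > 15 || reglist == 0) return -1;
  if (writeback && (reglist & (1u << base))) return -1;
  uint32_t addr = rf->r[base];
  for (int i = 0; i < 16; i++) {
    if (!(reglist & (1u << i))) continue;
    if ((addr & 3) != 0 || mem_len < 4 || addr > mem_len - 4) return -1;
    rf->r[i] = load_le32(mem + addr);
    addr += 4;
  }
  if (writeback) rf->r[base] = addr;
  return 0;
}

/* Register list of the page's epilogue: ldmia sp, {r3, r4, r5, r6, r11, sp, pc}. */
#define EPILOGUE_LIST ((1u << 3) | (1u << 4) | (1u << 5) | (1u << 6) | (1u << 11) | (1u << SP) | (1u << PC))

/* Worked case: a frame as laid down by "cpy r12, sp; stmdb sp!, {r3, r4, r5, r6,
   r11, r12, lr, pc}" with constructed values, then the epilogue. sp must come
   out as the saved r12 (the caller's sp) and pc as the saved lr, not sp + 28. */
int run_epilogue(arm_regs *rf) {
  const uint32_t frame[8] = { 0x33, 0x44, 0x55, 0x66, 0xBB,
                              0x1000 /* r12 = caller's sp */, 0x8001 /* lr */, 0x9000 /* pc */ };
  uint8_t stack[32];
  for (int i = 0; i < 8; i++) {
    stack[4 * i]     = (uint8_t)(frame[i]);
    stack[4 * i + 1] = (uint8_t)(frame[i] >> 8);
    stack[4 * i + 2] = (uint8_t)(frame[i] >> 16);
    stack[4 * i + 3] = (uint8_t)(frame[i] >> 24);
  }
  memset(rf, 0, sizeof *rf);
  rf->r[SP] = 0;  /* the frame sits at the bottom of the image */
  return ldmia(rf, SP, EPILOGUE_LIST, 0, stack, sizeof stack);
}

int main(void) {
  arm_regs rf;
  if (run_epilogue(&rf) != 0) return 1;
  printf("after epilogue: sp=0x%x pc=0x%x r3=0x%x r11=0x%x\n",
         rf.r[SP], rf.r[PC], rf.r[3], rf.r[11]);
  return 0;
}
```

An instrumentation engine that treats every LDMIA with sp in the list as "pop and advance sp" gets a caller frame that is off by the size of the list; the emulation makes the rule explicit: with the base in the list, the loaded value is the only thing that may end up in it.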
  • Does socket.listen allow multiple simultaneous accesses?

    I am trying to implement a tcp server with multiple simultaneous connections. I previously implemented it in python and javascript, but wanted to port it to javascript only. Even with the following implementation, I feel that the first connection is broken after the second access.

    https://github.com/frida/frida/issues/814

    opened by DoranekoSystems 0
Owner
Frida
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.