@jshookmcp/jshook 0.2.8 → 0.3.0

package/dist/binary-instrument--V3MAhJ4.mjs

@@ -0,0 +1,971 @@
+import { t as __exportAll } from "./chunk-CjcI7cDX.mjs";
+import { t as logger } from "./logger-Dh_xb7_2.mjs";
+import { Q as FRIDA_TIMEOUT_MS, et as GHIDRA_TIMEOUT_MS, xr as UNIDBG_TIMEOUT_MS } from "./constants-CDZLOoVv.mjs";
+import { t as probeCommand } from "./ToolProbe-DbCFGyrg.mjs";
+import { tmpdir } from "node:os";
+import { randomUUID } from "node:crypto";
+import { basename, dirname, join } from "node:path";
+import { access, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { execFile } from "node:child_process";
+//#region src/modules/binary-instrument/FridaSession.ts
+const FRIDA_MAX_BUFFER_BYTES = 5 * 1024 * 1024;
+var FridaSession = class {
+	sessions = /* @__PURE__ */ new Map();
+	activeSessionId;
+	fridaProbe;
+	probePromise;
+	async attach(target) {
+		const availability = await this.getAvailability();
+		if (!availability.available) throw new Error(availability.reason ?? "Frida CLI is not available");
+		const probe = await this.runFridaCommand(target, "console.log(\"__frida_attach_ok__\");");
+		if (probe.error) throw new Error(probe.error);
+		const sessionId = randomUUID();
+		const record = {
+			id: sessionId,
+			target,
+			pid: this.resolvePid(target),
+			status: "attached",
+			attachedAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		this.sessions.set(sessionId, record);
+		this.activeSessionId = sessionId;
+		return sessionId;
+	}
+	async detach() {
+		const active = this.getActiveSessionRecord();
+		if (!active) return;
+		active.status = "detached";
+		this.activeSessionId = void 0;
+	}
+	async executeScript(script) {
+		const session = this.requireActiveSession();
+		const result = await this.runFridaCommand(session.target, script);
+		if (result.error) {
+			session.status = "error";
+			session.lastError = result.error;
+		}
+		return result;
+	}
+	async enumerateModules() {
+		const session = this.requireActiveSession();
+		const result = await this.runFridaCommand(session.target, "console.log(JSON.stringify(Process.enumerateModules()));");
+		const parsed = this.parseModuleList(result.output);
+		if (parsed.length > 0) return parsed;
+		if (result.error) {
+			session.status = "error";
+			session.lastError = result.error;
+		}
+		return [];
+	}
+	async enumerateFunctions(moduleName) {
+		const session = this.requireActiveSession();
+		const safeModuleName = JSON.stringify(moduleName);
+		const result = await this.runFridaCommand(session.target, [
+			`const entries = Process.getModuleByName(${safeModuleName}).enumerateExports()`,
+			".filter(function (entry) { return entry.type === \"function\"; })",
+			".map(function (entry) {",
+			"  return { name: entry.name, address: String(entry.address), size: 0 };",
+			"});",
+			"console.log(JSON.stringify(entries));"
+		].join(""));
+		const parsed = this.parseFunctionList(result.output);
+		if (parsed.length > 0) return parsed;
+		if (result.error) {
+			session.status = "error";
+			session.lastError = result.error;
+		}
+		return [];
+	}
+	async findSymbols(pattern) {
+		const session = this.requireActiveSession();
+		const trimmedPattern = pattern.trim();
+		const resolvedPattern = trimmedPattern.includes(":") ? trimmedPattern : trimmedPattern.includes("!") ? `exports:${trimmedPattern}` : `exports:*!${trimmedPattern}*`;
+		const matchPattern = JSON.stringify(resolvedPattern);
+		const result = await this.runFridaCommand(session.target, [
+			"const resolver = new ApiResolver(\"module\");",
+			`const matches = resolver.enumerateMatches(${matchPattern});`,
+			"const mapped = matches.map(function (entry) {",
+			"  const resolvedName = typeof entry.name === \"string\" ? entry.name : \"unknown\";",
+			"  const resolvedAddress = entry.address ? String(entry.address) : \"0x0\";",
+			"  return { name: resolvedName, address: resolvedAddress, demangled: resolvedName };",
+			"});",
+			"console.log(JSON.stringify(mapped));"
+		].join(""));
+		const parsed = this.parseSymbolList(result.output);
+		if (parsed.length > 0) return parsed;
+		if (result.error) {
+			session.status = "error";
+			session.lastError = result.error;
+		}
+		return [];
+	}
+	listSessions() {
+		return Array.from(this.sessions.values()).map((session) => ({
+			id: session.id,
+			target: session.target,
+			pid: session.pid,
+			status: session.status
+		}));
+	}
+	async isAvailable() {
+		return (await this.getAvailability()).available;
+	}
+	async getAvailability() {
+		if (this.fridaProbe) return this.fridaProbe;
+		if (!this.probePromise) this.probePromise = probeCommand("frida");
+		const resolved = await this.probePromise;
+		this.fridaProbe = resolved;
+		this.probePromise = void 0;
+		return resolved;
+	}
+	useSession(sessionId) {
+		if (!this.sessions.has(sessionId)) return false;
+		this.activeSessionId = sessionId;
+		return true;
+	}
+	hasSession(sessionId) {
+		return this.sessions.has(sessionId);
+	}
+	getSessionDiagnostics(sessionId) {
+		const session = this.sessions.get(sessionId);
+		if (!session) return;
+		return {
+			status: session.status,
+			lastError: session.lastError
+		};
+	}
+	getActiveSessionRecord() {
+		if (!this.activeSessionId) return;
+		return this.sessions.get(this.activeSessionId);
+	}
+	requireActiveSession() {
+		const session = this.getActiveSessionRecord();
+		if (!session) throw new Error("No active Frida session. Call attach() first.");
+		return session;
+	}
+	resolvePid(target) {
+		if (!/^\d+$/.test(target)) return null;
+		const parsed = Number.parseInt(target, 10);
+		return Number.isNaN(parsed) ? null : parsed;
+	}
+	async runFridaCommand(target, script) {
+		const availability = await this.getAvailability();
+		if (!availability.available) return {
+			output: "",
+			error: availability.reason ?? "Frida CLI is not available"
+		};
+		const command = availability.path ?? "frida";
+		const args = [
+			...this.buildTargetArgs(target),
+			"--runtime=v8",
+			"-q",
+			"-e",
+			script
+		];
+		try {
+			const result = await this.execFileUtf8(command, args, FRIDA_TIMEOUT_MS);
+			const output = result.stdout.trim();
+			const error = result.stderr.trim();
+			return error ? {
+				output,
+				error
+			} : { output };
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			logger.warn("[binary-instrument] Frida command failed", {
+				target,
+				message
+			});
+			return {
+				output: "",
+				error: message
+			};
+		}
+	}
+	buildTargetArgs(target) {
+		if (/^\d+$/.test(target)) return ["-p", target];
+		if (target.includes("/") || target.includes("\\")) return ["-f", target];
+		return ["-n", target];
+	}
+	parseModuleList(output) {
+		const payload = this.extractJsonPayload(output);
+		if (!Array.isArray(payload)) return [];
+		const modules = [];
+		for (const entry of payload) {
+			if (!this.isRecord(entry)) continue;
+			const name = this.readStringField(entry, "name");
+			const path = this.readStringField(entry, "path");
+			const base = this.normalizeHex(entry["base"]);
+			const size = this.readNumberField(entry, "size");
+			if (!name || !path || !base || size === void 0) continue;
+			modules.push({
+				name,
+				base,
+				size,
+				path
+			});
+		}
+		return modules;
+	}
+	parseFunctionList(output) {
+		const payload = this.extractJsonPayload(output);
+		if (!Array.isArray(payload)) return [];
+		const functions = [];
+		for (const entry of payload) {
+			if (!this.isRecord(entry)) continue;
+			const name = this.readStringField(entry, "name");
+			const address = this.normalizeHex(entry["address"]);
+			const size = this.readNumberField(entry, "size") ?? 0;
+			if (!name || !address) continue;
+			functions.push({
+				name,
+				address,
+				size
+			});
+		}
+		return functions;
+	}
+	parseSymbolList(output) {
+		const payload = this.extractJsonPayload(output);
+		if (!Array.isArray(payload)) return [];
+		const symbols = [];
+		for (const entry of payload) {
+			if (!this.isRecord(entry)) continue;
+			const name = this.readStringField(entry, "name");
+			const address = this.normalizeHex(entry["address"]);
+			const demangled = this.readStringField(entry, "demangled");
+			if (!name || !address) continue;
+			if (demangled) symbols.push({
+				name,
+				address,
+				demangled
+			});
+			else symbols.push({
+				name,
+				address
+			});
+		}
+		return symbols;
+	}
+	extractJsonPayload(output) {
+		const candidates = output.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.startsWith("{") || line.startsWith("[")).toReversed();
+		for (const line of candidates) try {
+			return JSON.parse(line);
+		} catch {
+			continue;
+		}
+	}
+	readStringField(record, key) {
+		const value = record[key];
+		return typeof value === "string" && value.length > 0 ? value : void 0;
+	}
+	readNumberField(record, key) {
+		const value = record[key];
+		return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+	}
+	normalizeHex(value) {
+		if (typeof value === "number" && Number.isFinite(value)) return `0x${value.toString(16)}`;
+		if (typeof value === "string" && value.length > 0) return value.startsWith("0x") ? value : `0x${value}`;
+	}
+	isRecord(value) {
+		return typeof value === "object" && value !== null;
+	}
+	execFileUtf8(file, args, timeoutMs) {
+		return new Promise((resolve, reject) => {
+			execFile(file, args, {
+				timeout: timeoutMs,
+				windowsHide: true,
+				maxBuffer: FRIDA_MAX_BUFFER_BYTES,
+				encoding: "utf8"
+			}, (error, stdout, stderr) => {
+				if (error) {
+					reject(error);
+					return;
+				}
+				resolve({
+					stdout: typeof stdout === "string" ? stdout : "",
+					stderr: typeof stderr === "string" ? stderr : ""
+				});
+			});
+		});
+	}
+};
+//#endregion
+//#region src/modules/binary-instrument/GhidraAnalyzer.ts
+const GHIDRA_MAX_BUFFER_BYTES = 16 * 1024 * 1024;
+var GhidraAnalyzer = class {
+	ghidraProbe;
+	probePromise;
+	async analyze(binaryPath, options) {
+		await access(binaryPath);
+		const fileBuffer = await readFile(binaryPath);
+		const strings = this.extractPrintableStrings(fileBuffer);
+		const imports = this.deriveImports(strings);
+		const exports = this.deriveExports(strings);
+		if (!(await this.getAvailability()).available) return {
+			functions: [],
+			imports,
+			exports,
+			strings
+		};
+		const timeoutMs = typeof options?.timeout === "number" && Number.isFinite(options.timeout) ? options.timeout : GHIDRA_TIMEOUT_MS;
+		const scriptDirectory = await mkdtemp(join(tmpdir(), "jshook-ghidra-script-"));
+		const scriptPath = join(scriptDirectory, "BinaryInstrumentDump.py");
+		try {
+			await writeFile(scriptPath, this.buildDefaultScript(), "utf8");
+			const output = await this.headlessAnalyze(scriptPath, binaryPath, timeoutMs);
+			return {
+				functions: this.parseDecompiledOutput(output),
+				imports,
+				exports,
+				strings
+			};
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			logger.warn("[binary-instrument] Ghidra analyze fallback", {
+				binaryPath,
+				message
+			});
+			return {
+				functions: [],
+				imports,
+				exports,
+				strings
+			};
+		} finally {
+			await rm(scriptDirectory, {
+				recursive: true,
+				force: true
+			});
+		}
+	}
+	async headlessAnalyze(scriptPath, binaryPath, timeoutMs = GHIDRA_TIMEOUT_MS) {
+		const availability = await this.getAvailability();
+		if (!availability.available) throw new Error(availability.reason ?? "Ghidra analyzeHeadless is not available");
+		await access(binaryPath);
+		await access(scriptPath);
+		const command = availability.path ?? "analyzeHeadless";
+		const projectDirectory = await mkdtemp(join(tmpdir(), "jshook-ghidra-project-"));
+		const projectName = "binary-instrument";
+		try {
+			const result = await this.execFileUtf8(command, [
+				projectDirectory,
+				projectName,
+				"-import",
+				binaryPath,
+				"-scriptPath",
+				dirname(scriptPath),
+				"-postScript",
+				basename(scriptPath)
+			], timeoutMs);
+			return [result.stdout.trim(), result.stderr.trim()].filter((entry) => entry.length > 0).join("\n");
+		} finally {
+			await rm(projectDirectory, {
+				recursive: true,
+				force: true
+			});
+		}
+	}
+	parseDecompiledOutput(output) {
+		const functions = [];
+		const blockPattern = /FUNCTION_START\s*[\r\n]+NAME:(.+?)\s*[\r\n]+ADDRESS:(.+?)\s*[\r\n]+SIGNATURE:(.+?)\s*[\r\n]+DECOMPILED_START\s*[\r\n]+([\s\S]*?)\s*[\r\n]+DECOMPILED_END\s*[\r\n]+FUNCTION_END/g;
+		let match = blockPattern.exec(output);
+		while (match) {
+			const rawName = match[1] ?? "";
+			const rawAddress = match[2] ?? "";
+			const rawSignature = match[3] ?? "";
+			const rawBody = match[4] ?? "";
+			const name = rawName.trim();
+			const address = this.normalizeHex(rawAddress.trim());
+			const signature = rawSignature.trim();
+			const decompiled = rawBody.trim();
+			if (name.length > 0 && address.length > 0 && signature.length > 0) functions.push({
+				name,
+				address,
+				signature,
+				decompiled
+			});
+			match = blockPattern.exec(output);
+		}
+		return functions;
+	}
+	async isAvailable() {
+		return (await this.getAvailability()).available;
+	}
+	async getAvailability() {
+		if (this.ghidraProbe) return this.ghidraProbe;
+		if (!this.probePromise) this.probePromise = probeCommand("analyzeHeadless", ["-help"]);
+		const resolved = await this.probePromise;
+		this.ghidraProbe = resolved;
+		this.probePromise = void 0;
+		return resolved;
+	}
+	buildDefaultScript() {
+		return [
+			"# @category BinaryInstrument",
+			"from ghidra.app.decompiler import DecompInterface",
+			"",
+			"program = currentProgram",
+			"interface = DecompInterface()",
+			"interface.openProgram(program)",
+			"function_manager = program.getFunctionManager()",
+			"functions = function_manager.getFunctions(True)",
+			"",
+			"for function in functions:",
+			"    print(\"FUNCTION_START\")",
+			"    print(\"NAME:\" + str(function.getName()))",
+			"    print(\"ADDRESS:\" + str(function.getEntryPoint()))",
+			"    try:",
+			"        signature = str(function.getSignature())",
+			"    except:",
+			"        signature = str(function.getName()) + \"()\"",
+			"    print(\"SIGNATURE:\" + signature)",
+			"    print(\"DECOMPILED_START\")",
+			"    try:",
+			"        decompiled = interface.decompileFunction(function, 30, monitor).getDecompiledFunction()",
+			"        if decompiled:",
+			"            print(str(decompiled.getC()))",
+			"        else:",
+			"            print(\"// no decompiled output\")",
+			"    except:",
+			"        print(\"// decompile failed\")",
+			"    print(\"DECOMPILED_END\")",
+			"    print(\"FUNCTION_END\")"
+		].join("\n");
+	}
+	extractPrintableStrings(buffer) {
+		const results = [];
+		let current = "";
+		for (const byte of buffer.values()) {
+			if (byte >= 32 && byte <= 126) {
+				current += String.fromCharCode(byte);
+				continue;
+			}
+			if (current.length >= 4) results.push(current);
+			current = "";
+		}
+		if (current.length >= 4) results.push(current);
+		return Array.from(new Set(results)).slice(0, 1e3);
+	}
+	deriveImports(strings) {
+		return strings.filter((entry) => /(?:\.dll|\.so|\.dylib|kernel32|user32|libc|printf|malloc|LoadLibrary)/i.test(entry)).slice(0, 100);
+	}
+	deriveExports(strings) {
+		return strings.filter((entry) => /^[A-Za-z_][A-Za-z0-9_@?$]{2,}$/.test(entry)).slice(0, 100);
+	}
+	normalizeHex(value) {
+		return value.startsWith("0x") ? value : `0x${value}`;
+	}
+	execFileUtf8(file, args, timeoutMs) {
+		return new Promise((resolve, reject) => {
+			execFile(file, args, {
+				timeout: timeoutMs,
+				windowsHide: true,
+				maxBuffer: GHIDRA_MAX_BUFFER_BYTES,
+				encoding: "utf8"
+			}, (error, stdout, stderr) => {
+				if (error) {
+					reject(error);
+					return;
+				}
+				resolve({
+					stdout: typeof stdout === "string" ? stdout : "",
+					stderr: typeof stderr === "string" ? stderr : ""
+				});
+			});
+		});
+	}
+};
+//#endregion
+//#region src/modules/binary-instrument/HookCodeGenerator.ts
+var HookCodeGenerator = class {
+	generateHooks(input) {
+		const templates = [];
+		for (const fn of input.functions) {
+			const category = this.classifyFunction(fn, input);
+			if (category === "unknown") continue;
+			templates.push({
+				functionName: fn.name,
+				description: this.describeCategory(category, input),
+				hookCode: this.buildHookCode(fn, category),
+				parameters: this.buildParameters(fn)
+			});
+		}
+		return templates;
+	}
+	exportScript(templates, format) {
+		if (format !== "frida") throw new Error("Unsupported export format");
+		const lines = [
+			"// Frida hook script",
+			"// auto-generated by HookCodeGenerator",
+			`// Hook count: ${templates.length}`,
+			""
+		];
+		for (const template of templates) {
+			lines.push(`// ${template.functionName}: ${template.description}`);
+			lines.push(template.hookCode);
+			lines.push("");
+		}
+		return lines.join("\n");
+	}
+	classifyFunction(fn, input) {
+		const name = fn.name.toLowerCase();
+		const imports = input.imports.map((entry) => entry.toLowerCase());
+		const strings = input.strings.map((entry) => entry.toLowerCase());
+		if (fn.name.startsWith("Java_")) return "jni";
+		if (name.includes("aes")) return "aes";
+		if (name.includes("md5")) return "md5";
+		if (name.includes("sha")) return "sha";
+		if (name.includes("rsa")) return "rsa";
+		if (name.includes("base64")) return "base64";
+		if (name.includes("send") || name.includes("recv") || name.includes("socket") || name.includes("http")) return "network";
+		if (name.includes("open") || name.includes("read") || name.includes("write") || name.includes("fopen")) return "file-io";
+		if ((name.includes("decrypt") || name.includes("encrypt")) && strings.some((entry) => entry.includes("obfuscation") || entry.includes("encryption"))) return "obfuscation";
+		if (name.includes("memcpy") || name.includes("strcpy") || name.includes("memmove") || name.includes("string")) return "string";
+		if (imports.some((entry) => entry.includes("aes"))) return "aes";
+		return "unknown";
+	}
+	describeCategory(category, input) {
+		switch (category) {
+			case "jni": return "JNI bridge hook for Java/native boundary inspection";
+			case "aes": return "AES crypto hook for key/plaintext capture";
+			case "md5": return "MD5 crypto hook for digest inspection";
+			case "sha": return "SHA crypto hook for digest inspection";
+			case "rsa": return "RSA crypto hook for key operation tracing";
+			case "base64": return "Base64 transform hook for encoded payload tracing";
+			case "network": return "Network hook for request and payload tracing";
+			case "file-io": return "File I/O hook for filesystem access tracing";
+			case "string": return "String operation hook for buffer tracing";
+			case "obfuscation": return input.strings.some((entry) => entry.toLowerCase().includes("obfuscation")) ? "Potential obfuscation hook for runtime string decryption tracing" : "Potential obfuscation hook";
+			case "unknown": return "Unknown hook";
+		}
+	}
+	buildHookCode(fn, category) {
+		if (category === "jni") return [
+			"Java.perform(function () {",
+			`  const target = ptr("${fn.address}");`,
+			"  Interceptor.attach(target, {",
+			"    onEnter(args) {",
+			`      console.log("[jni] ${fn.name}");`,
+			"    },",
+			"  });",
+			"});"
+		].join("\n");
+		const extraLine = category === "aes" || category === "md5" || category === "sha" || category === "rsa" || category === "base64" ? "      console.log(hexdump(args[0]));" : "      console.log(\"[trace] entering\");";
+		const targetName = fn.name.replace(/[^A-Za-z0-9_]/g, "_");
+		return [
+			`const target_${targetName} = ptr("${fn.address}");`,
+			`Interceptor.attach(target_${targetName}, {`,
+			"  onEnter(args) {",
+			`    console.log("[hook] ${fn.name}");`,
+			extraLine,
+			"  },",
+			"});"
+		].join("\n");
+	}
+	buildParameters(fn) {
+		if (fn.parameters.length > 0) return fn.parameters.map((parameter, index) => ({
+			name: parameter.name || `arg${index}`,
+			type: parameter.type || "pointer",
+			description: `Captured parameter ${index}`
+		}));
+		return [{
+			name: "arg0",
+			type: "pointer",
+			description: "Captured parameter 0"
+		}];
+	}
+};
+//#endregion
+//#region src/modules/binary-instrument/ExtensionBridge.ts
+async function invokePlugin(ctx, config) {
+	const available = getAvailablePlugins(ctx);
+	const normalizedRequested = normalizePluginId(config.pluginId);
+	const actualPluginId = resolvePluginId(normalizedRequested, available);
+	if (!actualPluginId) return {
+		success: false,
+		tool: "binary-instrument",
+		action: config.toolName,
+		error: `Plugin ${normalizedRequested} is not installed`
+	};
+	const runtime = findRuntime(ctx, actualPluginId);
+	if (!runtime?.lifecycleContext) return {
+		success: false,
+		tool: "binary-instrument",
+		action: config.toolName,
+		error: `Plugin ${actualPluginId} is installed but has no runtime`
+	};
+	try {
+		const firstText = (await runtime.lifecycleContext.invokeTool(config.toolName, config.args)).content?.find((item) => item.type === "text")?.text;
+		if (!firstText) return {
+			success: false,
+			tool: "binary-instrument",
+			action: config.toolName,
+			error: "Plugin returned no text content"
+		};
+		try {
+			const parsed = JSON.parse(firstText);
+			if (isResultRecord(parsed)) return {
+				tool: "binary-instrument",
+				action: config.toolName,
+				success: readBoolean(parsed, "success") ?? true,
+				data: parsed["data"],
+				error: readString(parsed, "error")
+			};
+		} catch {
+			return {
+				success: true,
+				tool: "binary-instrument",
+				action: config.toolName,
+				data: firstText
+			};
+		}
+		return {
+			success: true,
+			tool: "binary-instrument",
+			action: config.toolName,
+			data: firstText
+		};
+	} catch (error) {
+		return {
+			success: false,
+			tool: "binary-instrument",
+			action: config.toolName,
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
+}
+function getAvailablePlugins(ctx) {
+	return Array.from(ctx.extensionPluginsById.keys()).map(normalizePluginId);
+}
+function normalizePluginId(pluginId) {
+	return pluginId.replaceAll("_", "-");
+}
+function resolvePluginId(requested, installed) {
+	const requestedWithoutPrefix = requested.replace(/^plugin-/, "");
+	for (const installedId of installed) {
+		const installedWithoutPrefix = installedId.replace(/^plugin-/, "");
+		if (installedId === requested || installedWithoutPrefix === requestedWithoutPrefix) return installedId;
+	}
+}
+function findRuntime(ctx, normalizedPluginId) {
+	for (const [pluginId, runtime] of ctx.extensionPluginRuntimeById.entries()) if (normalizePluginId(pluginId) === normalizedPluginId) return isPluginRuntime(runtime) ? runtime : void 0;
+}
+function isPluginRuntime(value) {
+	return typeof value === "object" && value !== null;
+}
+function isResultRecord(value) {
+	return typeof value === "object" && value !== null;
+}
+function readBoolean(record, key) {
+	const value = record[key];
+	return typeof value === "boolean" ? value : void 0;
+}
+function readString(record, key) {
+	const value = record[key];
+	return typeof value === "string" ? value : void 0;
+}
+//#endregion
+//#region src/modules/binary-instrument/HookGenerator.ts
+var HookGenerator = class {
+	generateFridaHookScript(symbols, options) {
+		const includeArgs = options?.includeArgs ?? true;
+		const includeRetAddr = options?.includeRetAddr ?? false;
+		const lines = [
+			"'use strict';",
+			"",
+			"function resolveTarget(name) {",
+			"  try {",
+			"    const exported = Module.findExportByName(null, name);",
+			"    if (exported) {",
+			"      return exported;",
+			"    }",
+			"  } catch (error) {}",
+			"  try {",
+			"    const symbol = DebugSymbol.fromName(name);",
+			"    if (symbol && symbol.address) {",
+			"      return symbol.address;",
+			"    }",
+			"  } catch (error) {}",
+			"  return null;",
+			"}",
+			"",
+			"const installedHooks = [];"
+		];
+		for (let index = 0; index < symbols.length; index += 1) {
+			const descriptor = this.toDescriptor(symbols[index]);
+			const varName = `target_${index}`;
+			const label = descriptor.demangled ?? descriptor.name;
+			const addressLine = descriptor.address ? `const ${varName} = ptr("${this.escapeForDoubleQuotes(descriptor.address)}");` : `const ${varName} = resolveTarget("${this.escapeForDoubleQuotes(descriptor.name)}");`;
+			lines.push(addressLine);
+			lines.push(`if (${varName}) {`);
+			lines.push(`  Interceptor.attach(${varName}, {`);
+			lines.push("    onEnter(args) {");
+			if (includeRetAddr) lines.push(`      console.log("[binary-instrument] enter ${this.escapeForDoubleQuotes(label)} ret=" + this.returnAddress);`);
+			else lines.push(`      console.log("[binary-instrument] enter ${this.escapeForDoubleQuotes(label)}");`);
+			if (includeArgs) {
+				lines.push("      const renderedArgs = [];");
+				lines.push("      for (let i = 0; i < 6; i += 1) {");
+				lines.push("        try {");
+				lines.push("          renderedArgs.push(String(args[i]));");
+				lines.push("        } catch (error) {");
+				lines.push("          renderedArgs.push(\"<unreadable>\");");
+				lines.push("        }");
+				lines.push("      }");
+				lines.push("      console.log(\"[binary-instrument] args \" + JSON.stringify(renderedArgs));");
+			}
+			lines.push("    },");
+			lines.push("    onLeave(retval) {");
+			lines.push(`      console.log("[binary-instrument] leave ${this.escapeForDoubleQuotes(label)} retval=" + retval);`);
+			lines.push("    },");
+			lines.push("  });");
+			lines.push(`  installedHooks.push({ name: "${this.escapeForDoubleQuotes(label)}", address: String(${varName}) });`);
+			lines.push("} else {");
+			lines.push(`  console.log("[binary-instrument] unresolved ${this.escapeForDoubleQuotes(label)}");`);
+			lines.push("}");
+			lines.push("");
+		}
+		lines.push("console.log(\"[binary-instrument] hooks=\" + JSON.stringify(installedHooks));");
+		return lines.join("\n");
+	}
+	generateInterceptorScript(targetFuncs) {
+		return this.generateFridaHookScript(targetFuncs, {
+			includeArgs: true,
+			includeRetAddr: false
+		});
+	}
+	toDescriptor(symbol) {
+		if (typeof symbol === "string") return { name: symbol };
+		return symbol;
+	}
+	escapeForDoubleQuotes(value) {
+		return value.replaceAll("\\", "\\\\").replaceAll("\"", "\\\"");
+	}
+};
+//#endregion
+//#region src/modules/binary-instrument/UnidbgRunner.ts
+const UNIDBG_MAX_BUFFER_BYTES = 8 * 1024 * 1024;
+var UnidbgRunner = class {
+	sessions = /* @__PURE__ */ new Map();
+	close() {
+		for (const session of this.sessions.values()) if (session.childProcess) try {
+			process.kill(session.childProcess.pid, "SIGTERM");
+		} catch {}
+		this.sessions.clear();
+	}
+	/**
+	* Launch a .so library in the Unidbg emulator via JVM subprocess.
+	* Returns a sessionId for subsequent call/trace operations.
+	*/
+	async launch(soPath, arch = "arm", jarPath) {
+		const resolvedJar = jarPath ?? process.env["UNIDBG_JAR"];
+		if (!resolvedJar) throw new Error("UNIDBG_JAR is not configured. Set the UNIDBG_JAR env var or pass jarPath.");
+		try {
+			await access(resolvedJar);
+		} catch {
+			throw new Error(`Unidbg JAR not found: ${resolvedJar}`);
+		}
+		try {
+			await access(soPath);
+		} catch {
+			throw new Error(`Shared library not found: ${soPath}`);
+		}
+		const sessionId = randomUUID();
+		const command = this.getJavaCommand();
+		const args = [
+			"-jar",
+			resolvedJar,
+			"--so",
+			soPath,
+			"--arch",
+			arch,
+			"--server"
+		];
+		try {
+			const result = await this.execFileUtf8(command, args, UNIDBG_TIMEOUT_MS);
+			const sessionInfo = this.parseLaunchOutput(result.stdout, sessionId);
+			const session = {
+				id: sessionInfo.id,
+				soPath,
+				arch,
+				startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+				childProcess: sessionInfo.pid ? { pid: sessionInfo.pid } : void 0
+			};
+			this.sessions.set(sessionId, session);
+			return {
+				sessionId,
+				soPath,
+				arch
+			};
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			logger.warn("[binary-instrument] Unidbg launch failed, registering stub session", {
+				soPath,
+				message
+			});
+			const session = {
+				id: sessionId,
+				soPath,
+				arch,
+				startedAt: (/* @__PURE__ */ new Date()).toISOString()
+			};
+			this.sessions.set(sessionId, session);
+			return {
+				sessionId,
+				soPath,
+				arch
+			};
+		}
+	}
+	async callFunction(sessionId, functionName, args = {}) {
+		if (!this.sessions.get(sessionId)) throw new Error(`No unidbg session found for ${sessionId}`);
+		const jarPath = process.env["UNIDBG_JAR"];
+		if (!jarPath) return {
+			sessionId,
+			functionName,
+			args,
+			returnValue: "0x0",
+			stdout: "",
+			stderr: "",
+			trace: ["mock-unidbg-unavailable"],
+			_note: "Unidbg emulation requires UNIDBG_JAR to be configured"
+		};
+		const command = this.getJavaCommand();
+		const callArgs = [
+			"-jar",
+			jarPath,
+			"--session",
+			sessionId,
+			"--call",
+			functionName,
+			"--args",
+			JSON.stringify(args)
+		];
+		try {
+			const result = await this.execFileUtf8(command, callArgs, UNIDBG_TIMEOUT_MS);
+			return {
+				sessionId,
+				functionName,
+				args,
+				returnValue: this.extractReturnValue(result.stdout),
+				stdout: result.stdout.trim(),
+				stderr: result.stderr.trim(),
+				trace: []
+			};
+		} catch (error) {
+			return {
+				sessionId,
+				functionName,
+				args,
+				returnValue: "0x0",
+				stdout: "",
+				stderr: error instanceof Error ? error.message : String(error),
+				trace: ["error"]
+			};
+		}
+	}
+	async trace(sessionId) {
+		if (!this.sessions.get(sessionId)) throw new Error(`No unidbg session found for ${sessionId}`);
+		const jarPath = process.env["UNIDBG_JAR"];
+		if (!jarPath) return {
+			sessionId,
+			trace: ["mock-unidbg-unavailable"],
+			_note: "Unidbg tracing requires UNIDBG_JAR to be configured"
+		};
+		const command = this.getJavaCommand();
+		const traceArgs = [
+			"-jar",
+			jarPath,
+			"--session",
+			sessionId,
+			"--trace"
+		];
+		try {
+			const result = await this.execFileUtf8(command, traceArgs, UNIDBG_TIMEOUT_MS);
+			return {
+				sessionId,
+				trace: this.parseTraceOutput(result.stdout),
+				instructionCount: this.countInstructions(result.stdout)
+			};
+		} catch (error) {
+			return {
+				sessionId,
+				trace: ["error"],
+				error: error instanceof Error ? error.message : String(error)
+			};
+		}
+	}
+	/**
+	* Get info about an active Unidbg session.
+	*/
+	getSessionInfo(sessionId) {
+		return this.sessions.get(sessionId);
+	}
+	/**
+	* List all active Unidbg sessions.
+	*/
+	listSessions() {
+		return Array.from(this.sessions.values()).map((s) => ({
+			id: s.id,
+			soPath: s.soPath,
+			arch: s.arch,
+			startedAt: s.startedAt
+		}));
+	}
+	getJavaCommand() {
+		return process.env["JAVA_HOME"] ? `${process.env["JAVA_HOME"]}/bin/java` : "java";
+	}
+	parseLaunchOutput(stdout, fallbackId) {
+		const lines = stdout.split(/\r?\n/).filter((l) => l.trim().length > 0);
+		for (const line of lines.toReversed()) try {
+			const parsed = JSON.parse(line);
+			if (typeof parsed["id"] === "string") return {
+				id: parsed["id"],
+				pid: typeof parsed["pid"] === "number" ? parsed["pid"] : null
+			};
+		} catch {}
+		return {
+			id: fallbackId,
+			pid: null
+		};
+	}
+	extractReturnValue(stdout) {
+		const match = /return[=:\s]+(0x[0-9a-fA-F]+|-?\d+)/.exec(stdout);
+		if (match?.[1]) return match[1];
+		return "0x0";
+	}
+	parseTraceOutput(stdout) {
+		return stdout.split(/\r?\n/).filter((line) => line.trim().length > 0 && !line.startsWith("{")).slice(0, 1e4);
+	}
+	countInstructions(stdout) {
+		return stdout.split(/\r?\n/).filter((line) => line.trim().length > 0 && !line.startsWith("{") && /\b(ldr|str|mov|bl|b|add|sub)\b/i.test(line)).length;
+	}
+	async execFileUtf8(file, args, timeoutMs) {
+		return new Promise((resolve, reject) => {
+			execFile(file, args, {
+				timeout: timeoutMs,
+				windowsHide: true,
+				maxBuffer: UNIDBG_MAX_BUFFER_BYTES,
+				encoding: "utf8"
+			}, (error, stdout, stderr) => {
+				if (error) {
+					reject(error);
+					return;
+				}
+				resolve({
+					stdout: typeof stdout === "string" ? stdout : "",
+					stderr: typeof stderr === "string" ? stderr : "",
+					exitCode: 0
+				});
+			});
+		});
+	}
+};
+//#endregion
+//#region src/modules/binary-instrument/index.ts
+var binary_instrument_exports = /* @__PURE__ */ __exportAll({
+	GhidraAnalyzer: () => GhidraAnalyzer,
+	HookGenerator: () => HookGenerator
+});
+//#endregion
+export { invokePlugin as a, FridaSession as c, getAvailablePlugins as i, UnidbgRunner as n, HookCodeGenerator as o, HookGenerator as r, GhidraAnalyzer as s, binary_instrument_exports as t };