@zsa233/frida-analykit-agent 2.0.0 → 2.0.2

package/dist/utils/std.js

@@ -0,0 +1,128 @@
+import { Java } from '../bridges.js';
+import { help, NativePointerObject } from '../helper.js';
+export class StdVector extends NativePointerObject {
+    constructor(handle = NULL) {
+        let shouldDelete = handle.isNull();
+        if (handle.isNull()) {
+            handle = Memory.alloc(3 * Process.pointerSize);
+        }
+        super(handle);
+        this._start = this.$handle;
+        this._finish = this.$handle.add(Process.pointerSize);
+        this._end_of_storage = this.$handle.add(Process.pointerSize * 2);
+        if (shouldDelete) {
+            const weakRef = ptr(handle.toString());
+            Script.bindWeak(this.$handle, () => {
+                Java.api.$delete(weakRef);
+            });
+        }
+    }
+    static cast(handle) {
+        return new StdVector(handle);
+    }
+    get start() {
+        return this._start.readPointer();
+    }
+    set start(val) {
+        this._start.writePointer(val);
+    }
+    get finish() {
+        return this._finish.readPointer();
+    }
+    set finish(val) {
+        this._finish.writePointer(val);
+    }
+    get end_of_storage() {
+        return this._end_of_storage.readPointer();
+    }
+    set end_of_storage(val) {
+        this._end_of_storage.writePointer(val);
+    }
+    get length() {
+        return this.finish.sub(this.start).toUInt32() / Process.pointerSize;
+    }
+    get capacity() {
+        return this.end_of_storage.sub(this.start).toUInt32() / Process.pointerSize;
+    }
+    [Symbol.iterator]() {
+        let nextPtr = this.start;
+        const that = this;
+        return {
+            next() {
+                let done = false;
+                let value = nextPtr;
+                if (value >= that.finish) {
+                    done = true;
+                    value = NULL;
+                }
+                else {
+                    nextPtr = nextPtr.add(Process.pointerSize);
+                }
+                return {
+                    value: value,
+                    done: done,
+                };
+            }
+        };
+    }
+    toArray() {
+        const list = [];
+        for (let v of this) {
+            list.push(v);
+        }
+        return list;
+    }
+}
+const STD_STRING_MEM_BYTE_SIZE = Process.pointerSize === 4 ? 12 : 24;
+const STD_STRING_CAP_LONG_MODE_CAP_MASK = help.androidGetApiLevel() <= 16
+    ? (Process.pointerSize === 4 ? '0x80000000' : '0x8000000000000000')
+    : '0x1';
+export class StdString extends NativePointerObject {
+    constructor(handle = NULL) {
+        if (handle.isNull()) {
+            handle = Memory.alloc(STD_STRING_MEM_BYTE_SIZE);
+        }
+        super(handle);
+        this._cap = this.$handle;
+        this._size = this.$handle.add(Process.pointerSize);
+        this._data = this.$handle.add(Process.pointerSize * 2);
+    }
+    static cast(handle) {
+        return new StdString(handle);
+    }
+    get size() {
+        return this.longMode ? this._size.readU64().toNumber() : this.$handle.add(STD_STRING_MEM_BYTE_SIZE - 1).and(0x7F).toUInt32();
+    }
+    get data() {
+        return this._data.readByteArray(this.size);
+    }
+    get length() {
+        return this.size;
+    }
+    get capacity() {
+        return this.longMode ? this._cap.readU64().toNumber() : this.size;
+    }
+    get longMode() {
+        return !this._cap.readU64().and(STD_STRING_CAP_LONG_MODE_CAP_MASK).equals(0);
+    }
+    get stringPtr() {
+        if (this.longMode) {
+            return this._data.readPointer();
+        }
+        else {
+            return this.$handle.readPointer();
+        }
+    }
+    toString() {
+        return this.stringPtr.readUtf8String(this.size) || '';
+    }
+    toCString() {
+        return this.stringPtr.readCString(this.size) || '';
+    }
+    toUtf8String() {
+        return this.stringPtr.readUtf8String(this.size) || '';
+    }
+    toUtf16String() {
+        return this.stringPtr.readUtf16String(this.size) || '';
+    }
+}

package/dist/utils/text_endec.d.ts

@@ -0,0 +1,8 @@
+export declare class TextEncoder {
+    readonly encoding = "utf-8";
+    encode(input: string): Uint8Array;
+}
+export declare class TextDecoder {
+    readonly encoding = "utf-8";
+    decode(input: ArrayBuffer): string;
+}

package/dist/utils/text_endec.js

@@ -0,0 +1,29 @@
+import { setGlobalProperties } from "../config.js";
+export class TextEncoder {
+    constructor() {
+        this.encoding = 'utf-8';
+    }
+    encode(input) {
+        const strPtr = Memory.allocUtf8String(input);
+        const eosZeros = Memory.scanSync(strPtr, input.length * 4, "00");
+        const blen = eosZeros[0].address.sub(strPtr);
+        return new Uint8Array(strPtr.readByteArray(Number(blen)));
+    }
+}
+export class TextDecoder {
+    constructor() {
+        this.encoding = 'utf-8';
+    }
+    decode(input) {
+        if (typeof (input['unwrap']) === 'function') {
+            return input.unwrap().readUtf8String() || '';
+        }
+        const tmp = Memory.alloc(input.byteLength);
+        tmp.writeByteArray(input);
+        return tmp.readUtf8String() || '';
+    }
+}
+setGlobalProperties({
+    TextDecoder,
+    TextEncoder,
+});

package/dist/utils/utils.d.ts

@@ -0,0 +1,28 @@
+import { ArrayPointer } from "./array_pointer.js";
+export declare function mustType<T>(val: T | null | undefined): T;
+export declare function unwrapArgs(args: InvocationArguments, n: number): (any | NativePointer)[];
+type BianaryBaseReader<T> = (base: NativePointer | ArrayPointer) => T;
+declare function readByteArray(offset: number, length: number): (base: NativePointer | ArrayPointer) => ArrayBuffer;
+declare function binaryReadU8(offset: number): BianaryBaseReader<number>;
+declare function binaryReadU16(offset: number): BianaryBaseReader<number>;
+declare function binaryReadU32(offset: number): BianaryBaseReader<number>;
+declare function binaryReadS32(offset: number): BianaryBaseReader<number>;
+declare function binaryReadU64(offset: number): BianaryBaseReader<number>;
+declare function binaryReadS64(offset: number): BianaryBaseReader<number>;
+declare function binaryReadPointer(offset: number): BianaryBaseReader<NativePointer>;
+declare function binaryPointer(offset: number): BianaryBaseReader<NativePointer>;
+declare function binaryReadPointerStruct(offset: number, structOfs: {
+    B64: {
+        [key: string]: BianaryBaseReader<any>;
+    };
+    B32?: {
+        [key: string]: BianaryBaseReader<any>;
+    };
+}): (base: NativePointer | ArrayPointer) => {
+    [key: string]: any;
+};
+export { readByteArray, binaryReadU8, binaryReadU16, binaryReadU32, binaryReadS32, binaryReadU64, binaryReadS64, binaryReadPointer, binaryPointer, binaryReadPointerStruct, };
+export declare function wrapArgTypes(typ: NativeFunctionArgumentType, length: number): NativeFunctionArgumentType[];
+export declare function arrayBuffer2Hex(buffer: ArrayBuffer, options?: {
+    uppercase?: boolean;
+}): string;

package/dist/utils/utils.js

@@ -0,0 +1,66 @@
+export function mustType(val) {
+    if (!val) {
+        throw new Error(`val不能为null`);
+    }
+    return val;
+}
+export function unwrapArgs(args, n) {
+    const list = [];
+    for (let i = 0; i < n; i++) {
+        list.push(args[i]);
+    }
+    return list;
+}
+function binaryNumberReader(offset, method) {
+    return function (base) {
+        return Number(base.add(offset)[method]());
+    };
+}
+function binaryPointerReader(offset) {
+    return function (base) {
+        return base.add(offset).readPointer();
+    };
+}
+function binaryPointerOffset(offset) {
+    return function (base) {
+        return ptr(base.add(offset).toString());
+    };
+}
+function readByteArray(offset, length) { return (base) => mustType(base.add(offset).readByteArray(length)); }
+function binaryReadU8(offset) { return binaryNumberReader(offset, 'readU8'); }
+function binaryReadU16(offset) { return binaryNumberReader(offset, 'readU16'); }
+function binaryReadU32(offset) { return binaryNumberReader(offset, 'readU32'); }
+function binaryReadS32(offset) { return binaryNumberReader(offset, 'readS32'); }
+function binaryReadU64(offset) { return binaryNumberReader(offset, 'readU64'); }
+function binaryReadS64(offset) { return binaryNumberReader(offset, 'readS64'); }
+function binaryReadPointer(offset) { return binaryPointerReader(offset); }
+function binaryPointer(offset) { return binaryPointerOffset(offset); }
+function binaryReadPointerStruct(offset, structOfs) {
+    return function (base) {
+        const structOf = Process.pointerSize === 4 ? structOfs['B32'] : structOfs['B64'];
+        const structBase = binaryPointerReader(offset)(base);
+        const obj = {};
+        for (let [k, offseter] of Object.entries(structOf)) {
+            Object.defineProperty(obj, k, {
+                value: offseter(structBase),
+                writable: false,
+                enumerable: true,
+            });
+        }
+        return obj;
+    };
+}
+export { readByteArray, binaryReadU8, binaryReadU16, binaryReadU32, binaryReadS32, binaryReadU64, binaryReadS64, binaryReadPointer, binaryPointer, binaryReadPointerStruct, };
+export function wrapArgTypes(typ, length) {
+    return Array.from({ length: length }, () => typ);
+}
+export function arrayBuffer2Hex(buffer, options = {}) {
+    const { uppercase = false } = options;
+    const bytes = new Uint8Array(buffer);
+    return Array.from(bytes)
+        .map(b => {
+        const hex = b.toString(16).padStart(2, '0');
+        return uppercase ? hex.toUpperCase() : hex;
+    })
+        .join(' ');
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zsa233/frida-analykit-agent",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "Frida agent runtime for frida-analykit",
   "keywords": [
     "frida",
@@ -18,17 +18,30 @@
     "directory": "packages/frida-analykit-agent"
   },
   "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "files": [
-    "src/**/*",
+    "dist/**/*",
     "README.md",
     "LICENSE"
   ],
   "exports": {
-    ".": "./src/index.ts",
-    "./rpc": "./src/rpc.ts",
-    "./*": "./src/*.ts"
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./rpc": {
+      "types": "./dist/rpc.d.ts",
+      "default": "./dist/rpc.js"
+    },
+    "./*": {
+      "types": "./dist/*.d.ts",
+      "default": "./dist/*.js"
+    }
   },
   "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "prepack": "npm run build",
     "check": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {

package/src/api/android.ts

@@ -1,80 +0,0 @@
-
-
-
-export type NP = NativePointer
-
-
-export interface EnvJvmti {
-    handle: NP
-    vm: NP,
-    vtable: NP
-}
-
-
-
-// frida-java-bridge/lib/android.js
-export interface VMApi {
-    vm: NP
-    
-    module: Module
-
-    flavor: 'art' | 'dalvik'
-
-    addLocalRefrence: null
-
-    find(name: string): NativePointer, // export => symbol => null
-
-    artRuntime: NativePointer
-
-    artClassLinker: {
-        address: NativePointer,
-        quickResolutionTrampoline: NativePointer,
-        quickImtConflictTrampoline: NativePointer,
-        quickGenericJniTrampoline: NativePointer,
-        quickToInterpreterBridgeTrampoline: NativePointer,
-    }
-
-    jvmti: EnvJvmti
-
-    $new(size: number): NativePointer
-    $delete(pointer: NativePointer): void
-
-    // jint JNI_GetCreatedJavaVMs(JavaVM** vmBuf, jsize bufLen, jsize* nVMs);
-    JNI_GetCreateJavaVMs(vmBuf: NP, bufLen: number, nVMs: NP): number
-
-    // jobject JavaVMExt::AddGlobalRef(Thread* self, ObjPtr<mirror::Object> obj)
-    ['art::JavaVMExt::AddGlobalRef']: (vm: NP, self: NP, obj: NP) => NP
-
-    // void ReaderWriterMutex::ExclusiveLock(Thread* self)
-    ['art::ReaderWriterMutex::ExclusiveLock']: (lock: NP, self: NP) => void
-
-    // IndirectRef IndirectReferenceTable::Add(IRTSegmentState previous_state, ObjPtr<mirror:: Object> obj, std::string * error_msg)
-    ['art::IndirectReferenceTable::Add']: (table: NP, previous_state: NP, obj: number, error_msg: NP) => NP
-
-    // ObjPtr<mirror::Object> JavaVMExt::DecodeGlobal(IndirectRef ref)
-    // thread: 7 > Android >= 6
-    ['art::JavaVMExt::DecodeGlobal']: (vm: NP, thread: NP, ref: NP) => NP
-
-    // ObjPtr<mirror::Object> Thread::DecodeJObject(jobject obj) const
-    ['art::Thread::DecodeJObject']: (thread: NP, obj: NP) => NP
-
-
-    // TODO: 
-}
-
-
-
-
-declare global {
-    namespace Java {
-        const api: VMApi,
-        Env: {
-            handle: NativePointer
-            vm: Java.VM & {
-                handle: NativePointer
-            }
-            throwIfExceptionPending(): Error
-        }
-    }
-
-}

package/src/bridges.ts

@@ -1,18 +0,0 @@
-import JavaBridge from "frida-java-bridge";
-
-type BridgeGlobals = typeof globalThis & {
-    Java?: typeof JavaBridge;
-    ObjC?: unknown;
-    Swift?: unknown;
-    __FRIDA_ANALYKIT_CONFIG__?: Record<string, unknown>;
-};
-
-const globals = globalThis as BridgeGlobals;
-
-export const Java = globals.Java ?? JavaBridge;
-export const ObjC = globals.ObjC;
-export const Swift = globals.Swift;
-
-if (!("Java" in globals)) {
-    globals.Java = Java;
-}

package/src/cmodule/scan_adrp.c

@@ -1,81 +0,0 @@
-#include <glib.h>
-#include <gum/gummemory.h>
-#include <gum/gumdefs.h>
-
-#define PAGE_SIZE 0x1000
-#define GET_ADDR_PAGE(x) ((uintptr_t)(x) & ~(PAGE_SIZE - 1))
-#define ADRP_IMM_LEN_MASK 0x1fffff
-#define ADRP_FIXED28_24_BITSET_MASK (0b10000 << 24)
-#define ADRP_PAGE_INSTR_MASK 0x9fffffe0
-
-typedef struct _MemoryScanRes MemoryScanRes;
-typedef struct _ScanUserData ScanUserData;
-
-static gboolean on_match_fuzzy_adrp(GumAddress address, gsize size, gpointer user_data);
-
-struct _ScanUserData
-{
-    gpointer target_address;
-    gint align_offset;
-};
-
-
-struct _MemoryScanRes 
-{
-    GArray *results;
-    ScanUserData *user_data;
-};
-
-void _dispose(const MemoryScanRes *res)
-{
-    g_array_free(res->results, TRUE);
-}
-
-static gboolean on_match_fuzzy_adrp(GumAddress address, gsize size, gpointer user_data)
-{
-    MemoryScanRes *scan_res = (MemoryScanRes *)user_data;
-    const guintptr target_page = (guintptr)GET_ADDR_PAGE(scan_res->user_data->target_address);
-    const guintptr align_offset = (guintptr)scan_res->user_data->align_offset;
-    const guintptr addr_val = (guintptr)address - align_offset;
-    const gpointer pc_addr = (gpointer)addr_val;
-    
-    // 4字节指令对齐
-    if ((addr_val & (sizeof(guint32) - 1)) != 0)
-        return TRUE;
-    
-    // 按pc页差进行匹配
-    const guintptr pc_page = (guintptr)GET_ADDR_PAGE(address);
-    const guint32 page_delta = (guint32)((target_page - pc_page) >> 12) & ADRP_IMM_LEN_MASK;
-    const guint32 immlo = page_delta & 0b11;
-    const guint32 immhi = page_delta >> 2;
-    const guint32 op = 0x1;
-    const guint32 adrp_sign =
-        (op << 31) | 
-        (immlo << 29) | 
-        ADRP_FIXED28_24_BITSET_MASK | 
-        (immhi << 5);
-
-    if (((*(guint32 *)pc_addr) & ADRP_PAGE_INSTR_MASK) != (adrp_sign & ADRP_PAGE_INSTR_MASK))
-        return TRUE;
-
-    g_array_append_val(scan_res->results, pc_addr);
-    return TRUE;
-}
-
-gpointer scan(const GumAddress base_address,
-               const gsize size,
-               const gchar *pattern_str,
-               MemoryScanRes *const scan_res)
-{
-    if (scan_res == NULL)
-        return NULL;
-
-    scan_res->results = g_array_new(FALSE, FALSE, sizeof(gpointer));
-
-    const GumMemoryRange range = {base_address, size};
-    const GumMatchPattern *pattern = gum_match_pattern_new_from_string(pattern_str);
-
-    gum_memory_scan(&range, pattern, on_match_fuzzy_adrp, scan_res);
-
-    return scan_res->results;
-}

package/src/config.ts

@@ -1,56 +0,0 @@
-type InjectedConfig = {
-    OnRPC?: boolean
-    OutputDir?: string
-    LogLevel?: number
-    LogCollapse?: boolean
-}
-
-const injectedConfig = ((globalThis as typeof globalThis & {
-    __FRIDA_ANALYKIT_CONFIG__?: InjectedConfig
-}).__FRIDA_ANALYKIT_CONFIG__) || {}
-
-export function setGlobalProperties(keyValues: { [key: string]: any }): void {
-    for (let [k, v] of Object.entries(keyValues)) {
-        if (k in globalThis) {
-            throw new Error(`global property[${k}] exists already`)
-        }
-        ;(globalThis as typeof globalThis & { [key: string]: unknown })[k] = v
-    }
-}
-
-
-export const LogLevel = {
-    DEBUG: 0,
-    INFO: 1,
-    WARN: 2,
-    ERROR: 3,
-    _MUST_LOG: 9999999,
-} as const
-
-export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]
-
-
-
-declare global {
-    const LogLevel: {
-        DEBUG: number
-        INFO: number
-        WARN: number
-        ERROR: number
-        _MUST_LOG: number
-    }
-}
-
-export class Config {
-    static OnRPC: boolean = injectedConfig.OnRPC ?? false
-    static OutputDir?: string = injectedConfig.OutputDir
-    static LogLevel: number = injectedConfig.LogLevel ?? LogLevel.INFO
-    static LogCollapse: boolean = injectedConfig.LogCollapse ?? true
-}
-
-
-
-setGlobalProperties({
-    'Config': Config,
-    'LogLevel': LogLevel,
-})

package/src/consts.ts

@@ -1,31 +0,0 @@
-
-
-
-
-export const nativeFunctionOptions: NativeABI | NativeFunctionOptions = {
-    exceptions: 'propagate',
-}
-
-
-
-
-export enum SYM_INFO_BIND {
-    STB_LOCAL = 0x0,
-    STB_GLOBAL = 0x1,
-    STB_WEAK = 0x2,
-    STB_GNU_UNIQUE = 0x3,
-}
-
-
-export enum SYM_INFO_TYPE {
-    STT_NOTYPE = 0x0,
-    STT_OBJECT = 0x1,
-    STT_FUNC = 0x2,
-    STT_SECTION = 0x3,
-    STT_FILE = 0x4,
-}
-
-export enum SYM_SHNDX {
-    SHN_UNDEF = 0,
-    SHN_ABS = 0xfff1,
-}

package/src/elf/insn.ts

@@ -1,61 +0,0 @@
-import { setGlobalProperties } from "../config.js"
-import { NativePointerObject } from "../helper.js"
-
-
-
-export class InstructionSequence extends NativePointerObject {
-    protected readonly entryInsn: Arm64Instruction
-    protected readonly insns: Arm64Instruction[] = []
-    protected eoi?: Arm64Instruction
-
-    constructor(entry: Arm64Instruction) {
-        const handle = entry.address
-        super(handle)
-        this.entryInsn = entry
-        this.insns = [entry]
-    }
-
-    static loadFromPointer<T extends InstructionSequence>(
-        this: new (insn: Arm64Instruction) => T,
-        handle: NativePointer
-    ): T {
-        const insn = Instruction.parse(handle) as Arm64Instruction
-        return new this(insn)
-    }
-
-    *[Symbol.iterator]() {
-        let insns = this.insns
-        let insn: Arm64Instruction = this.entryInsn
-        let inc = 0
-        const that = this
-
-        let value: Arm64Instruction | undefined
-
-        while (true) {
-            value = insns[inc]
-            if (value === undefined && that.eoi === undefined) {
-                try {
-                    insn = Instruction.parse(insns[inc - 1].next) as Arm64Instruction
-                    insns.push(insn)
-                } catch (error) {
-                    that.eoi = insn
-                    break
-                }
-            }
-            inc++
-            yield insn
-        }
-
-    }
-
-    clearCache() {
-        this.insns.length = 0
-    }
-
-
-}
-
-
-setGlobalProperties({
-    InstructionSequence,
-})