frida-java-bridge 5.3.0 → 6.0.2

package/lib/android.js

@@ -105,6 +105,7 @@ let thunkPage = null;
 let thunkOffset = 0;
 let taughtArtAboutReplacementMethods = false;
 let taughtArtAboutMethodInstrumentation = false;
+let backtraceModule = null;
 const jdwpSessions = [];
 let socketpair = null;
 
@@ -1199,6 +1200,11 @@ function withRunnableArtThread (vm, env, fn) {
   }
 }
 
+function _getArtThreadStateTransitionImpl (vm, env) {
+  const callback = new NativeCallback(onThreadStateTransitionComplete, 'void', ['pointer']);
+  return makeArtThreadStateTransitionImpl(vm, env, callback);
+}
+
 function onThreadStateTransitionComplete (thread) {
   const id = thread.toString();
 
@@ -1815,87 +1821,510 @@ function translateMethod (methodId) {
   return artController.replacedMethods.translate(methodId);
 }
 
-class BacktraceVisitor extends ArtStackVisitor {
-  constructor (thread, limit) {
-    const api = getApi();
-
-    super(thread, api['art::Thread::GetLongJumpContext'](thread), 'include-inlined-frames');
+function backtrace (vm, options = {}) {
+  const { limit = 16 } = options;
 
-    this.frames = [];
-    this.limit = limit;
+  const env = vm.getEnv();
 
-    this._translateLocation = api['art::Monitor::TranslateLocation'];
+  if (backtraceModule === null) {
+    backtraceModule = makeBacktraceModule(vm, env);
   }
 
-  visitFrame () {
-    this._collectFrame(this.describeLocation());
+  return backtraceModule.backtrace(env, limit);
+}
 
-    return this.frames.length < this.limit;
-  }
+function makeBacktraceModule (vm, env) {
+  const api = getApi();
 
-  _collectFrame (location) {
-    if (location === 'upcall') {
-      return;
-    }
+  const performImpl = Memory.alloc(Process.pointerSize);
 
-    const tokens = location.split(/['"]/, 3);
-    const rawMethodSignature = tokens[1];
-    if (rawMethodSignature.startsWith('<')) {
-      return;
-    }
-    const details = tokens[2];
-
-    const separatorIndex = rawMethodSignature.indexOf(' ');
-    const returnType = rawMethodSignature.substring(0, separatorIndex);
-    const rest = rawMethodSignature.substring(separatorIndex + 1);
-    const argsStartIndex = rest.indexOf('(');
-    const argsEndIndex = rest.indexOf(')', argsStartIndex + 1);
-    const rawArgumentTypes = rest.substring(argsStartIndex + 1, argsEndIndex);
-    const argumentTypes = (rawArgumentTypes !== '') ? rawArgumentTypes.split(', ') : [];
-
-    const classAndMethodName = rest.substring(0, argsStartIndex);
-    const methodNameStartIndex = classAndMethodName.lastIndexOf('.');
-    const className = classAndMethodName.substring(0, methodNameStartIndex);
-    const methodName = classAndMethodName.substring(methodNameStartIndex + 1);
-    let dexPc = parseInt(details.substring(13), 16);
-
-    const actualMethod = this.getMethod();
-    const translatedMethod = translateMethod(actualMethod);
-    if (!translatedMethod.equals(actualMethod)) {
-      dexPc = 0;
+  const cm = new CModule(`
+#include <glib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <gum/gumtls.h>
+#include <json-glib/json-glib.h>
+
+typedef struct _ArtBacktrace ArtBacktrace;
+typedef struct _ArtStackFrame ArtStackFrame;
+
+typedef struct _ArtStackVisitor ArtStackVisitor;
+typedef struct _ArtStackVisitorVTable ArtStackVisitorVTable;
+
+typedef struct _ArtMethod ArtMethod;
+typedef struct _ArtThread ArtThread;
+typedef struct _ArtContext ArtContext;
+
+typedef struct _JNIEnv JNIEnv;
+
+typedef struct _StdString StdString;
+typedef struct _StdTinyString StdTinyString;
+typedef struct _StdLargeString StdLargeString;
+
+typedef enum {
+  STACK_WALK_INCLUDE_INLINED_FRAMES,
+  STACK_WALK_SKIP_INLINED_FRAMES,
+} StackWalkKind;
+
+struct _StdTinyString
+{
+  guint8 unused;
+  gchar data[(3 * sizeof (gpointer)) - 1];
+};
+
+struct _StdLargeString
+{
+  gsize capacity;
+  gsize size;
+  gchar * data;
+};
+
+struct _StdString
+{
+  union
+  {
+    guint8 flags;
+    StdTinyString tiny;
+    StdLargeString large;
+  };
+};
+
+struct _ArtBacktrace
+{
+  GChecksum * id;
+  GArray * frames;
+  gchar * frames_json;
+};
+
+struct _ArtStackFrame
+{
+  ArtMethod * method;
+  gsize dexpc;
+  StdString description;
+};
+
+struct _ArtStackVisitorVTable
+{
+  void (* unused1) (void);
+  void (* unused2) (void);
+  bool (* visit) (ArtStackVisitor * visitor);
+};
+
+struct _ArtStackVisitor
+{
+  ArtStackVisitorVTable * vtable;
+
+  guint8 padding[512];
+
+  ArtStackVisitorVTable vtable_storage;
+
+  ArtBacktrace * backtrace;
+};
+
+extern GumTlsKey current_backtrace;
+
+extern void (* perform_art_thread_state_transition) (JNIEnv * env);
+
+extern ArtContext * art_thread_get_long_jump_context (ArtThread * thread);
+
+extern void art_stack_visitor_init (ArtStackVisitor * visitor, ArtThread * thread, void * context, StackWalkKind walk_kind,
+    size_t num_frames, bool check_suspended);
+extern void art_stack_visitor_walk_stack (ArtStackVisitor * visitor, bool include_transitions);
+extern ArtMethod * art_stack_visitor_get_method (ArtStackVisitor * visitor);
+extern void art_stack_visitor_describe_location (StdString * description, ArtStackVisitor * visitor);
+extern ArtMethod * translate_method (ArtMethod * method);
+extern void translate_location (ArtMethod * method, guint32 pc, const gchar ** source_file, gint32 * line_number);
+extern void cxx_delete (void * mem);
+extern unsigned long strtoul (const char * str, char ** endptr, int base);
+
+extern void _frida_log (const gchar * message);
+
+static bool visit_frame (ArtStackVisitor * visitor);
+static void art_stack_frame_destroy (ArtStackFrame * frame);
+
+static void append_jni_type_name (GString * s, const gchar * name, gsize length);
+
+static void std_string_destroy (StdString * str);
+static gchar * std_string_get_data (StdString * str);
+
+static void frida_log (const char * format, ...);
+
+void
+init (void)
+{
+  current_backtrace = gum_tls_key_new ();
+}
+
+void
+finalize (void)
+{
+  gum_tls_key_free (current_backtrace);
+}
+
+ArtBacktrace *
+_create (JNIEnv * env,
+         guint limit)
+{
+  ArtBacktrace * bt;
+
+  bt = g_new (ArtBacktrace, 1);
+  bt->id = g_checksum_new (G_CHECKSUM_SHA1);
+  bt->frames = (limit != 0)
+      ? g_array_sized_new (FALSE, FALSE, sizeof (ArtStackFrame), limit)
+      : g_array_new (FALSE, FALSE, sizeof (ArtStackFrame));
+  g_array_set_clear_func (bt->frames, (GDestroyNotify) art_stack_frame_destroy);
+  bt->frames_json = NULL;
+
+  gum_tls_key_set_value (current_backtrace, bt);
+
+  perform_art_thread_state_transition (env);
+
+  gum_tls_key_set_value (current_backtrace, NULL);
+
+  return bt;
+}
+
+void
+_on_thread_state_transition_complete (ArtThread * thread)
+{
+  ArtContext * context;
+  ArtStackVisitor visitor = {
+    .vtable_storage = {
+      .visit = visit_frame,
+    },
+  };
+
+  context = art_thread_get_long_jump_context (thread);
+
+  art_stack_visitor_init (&visitor, thread, context, STACK_WALK_SKIP_INLINED_FRAMES, 0, true);
+  visitor.vtable = &visitor.vtable_storage;
+  visitor.backtrace = gum_tls_key_get_value (current_backtrace);
+
+  art_stack_visitor_walk_stack (&visitor, false);
+
+  cxx_delete (context);
+}
+
+static bool
+visit_frame (ArtStackVisitor * visitor)
+{
+  ArtBacktrace * bt = visitor->backtrace;
+  ArtStackFrame frame;
+  const gchar * description, * dexpc_part;
+
+  frame.method = art_stack_visitor_get_method (visitor);
+
+  art_stack_visitor_describe_location (&frame.description, visitor);
+
+  description = std_string_get_data (&frame.description);
+  if (strstr (description, " '<") != NULL)
+    goto skip;
+
+  dexpc_part = strstr (description, " at dex PC 0x");
+  if (dexpc_part == NULL)
+    goto skip;
+  frame.dexpc = strtoul (dexpc_part + 13, NULL, 16);
+
+  g_array_append_val (bt->frames, frame);
+
+  g_checksum_update (bt->id, (guchar *) &frame.method, sizeof (frame.method));
+  g_checksum_update (bt->id, (guchar *) &frame.dexpc, sizeof (frame.dexpc));
+
+  return true;
+
+skip:
+  std_string_destroy (&frame.description);
+  return true;
+}
+
+static void
+art_stack_frame_destroy (ArtStackFrame * frame)
+{
+  std_string_destroy (&frame->description);
+}
+
+void
+_destroy (ArtBacktrace * backtrace)
+{
+  g_free (backtrace->frames_json);
+  g_array_free (backtrace->frames, TRUE);
+  g_checksum_free (backtrace->id);
+  g_free (backtrace);
+}
+
+const gchar *
+_get_id (ArtBacktrace * backtrace)
+{
+  return g_checksum_get_string (backtrace->id);
+}
+
+const gchar *
+_get_frames (ArtBacktrace * backtrace)
+{
+  GArray * frames = backtrace->frames;
+  JsonBuilder * b;
+  guint i;
+  JsonNode * root;
+
+  if (backtrace->frames_json != NULL)
+    return backtrace->frames_json;
+
+  b = json_builder_new_immutable ();
+
+  json_builder_begin_array (b);
+
+  for (i = 0; i != frames->len; i++)
+  {
+    ArtStackFrame * frame = &g_array_index (frames, ArtStackFrame, i);
+    gchar * description, * ret_type, * paren_open, * paren_close, * arg_types, * token, * method_name, * class_name;
+    GString * signature;
+    gchar * cursor;
+    ArtMethod * translated_method;
+    gsize dexpc;
+    const gchar * source_file;
+    gint32 line_number;
+
+    description = std_string_get_data (&frame->description);
+
+    ret_type = strchr (description, '\\'') + 1;
+
+    paren_open = strchr (ret_type, '(');
+    paren_close = strchr (paren_open, ')');
+    *paren_open = '\\0';
+    *paren_close = '\\0';
+
+    arg_types = paren_open + 1;
+
+    token = strrchr (ret_type, '.');
+    *token = '\\0';
+
+    method_name = token + 1;
+
+    token = strrchr (ret_type, ' ');
+    *token = '\\0';
+
+    class_name = token + 1;
+
+    signature = g_string_sized_new (128);
+
+    append_jni_type_name (signature, class_name, method_name - class_name - 1);
+    g_string_append_c (signature, ',');
+    g_string_append (signature, method_name);
+    g_string_append (signature, ",(");
+
+    if (arg_types != paren_close)
+    {
+      for (cursor = arg_types; cursor != NULL;)
+      {
+        gsize length;
+        gchar * next;
+
+        token = strstr (cursor, ", ");
+        if (token != NULL)
+        {
+          length = token - cursor;
+          next = token + 2;
+        }
+        else
+        {
+          length = paren_close - cursor;
+          next = NULL;
+        }
+
+        append_jni_type_name (signature, cursor, length);
+
+        cursor = next;
+      }
     }
-    const fileNamePtr = Memory.alloc(16);
-    const lineNumberPtr = fileNamePtr.add(8);
-    this._translateLocation(translatedMethod, dexPc, fileNamePtr, lineNumberPtr);
-    const fileName = fileNamePtr.readPointer().readUtf8String();
-    const lineNumber = lineNumberPtr.readS32();
-
-    this.frames.push({
-      method: {
-        handle: translatedMethod,
-        name: methodName,
-        returnType,
-        argumentTypes
-      },
-      className,
-      fileName,
-      lineNumber
-    });
+
+    g_string_append_c (signature, ')');
+
+    append_jni_type_name (signature, ret_type, class_name - ret_type - 1);
+
+    translated_method = translate_method (frame->method);
+    dexpc = (translated_method == frame->method) ? frame->dexpc : 0;
+
+    translate_location (translated_method, dexpc, &source_file, &line_number);
+
+    json_builder_begin_object (b);
+
+    json_builder_set_member_name (b, "signature");
+    json_builder_add_string_value (b, signature->str);
+
+    json_builder_set_member_name (b, "className");
+    json_builder_add_string_value (b, class_name);
+
+    json_builder_set_member_name (b, "methodName");
+    json_builder_add_string_value (b, method_name);
+
+    json_builder_set_member_name (b, "fileName");
+    json_builder_add_string_value (b, source_file);
+
+    json_builder_set_member_name (b, "lineNumber");
+    json_builder_add_int_value (b, line_number);
+
+    json_builder_end_object (b);
+
+    g_string_free (signature, TRUE);
   }
+
+  json_builder_end_array (b);
+
+  root = json_builder_get_root (b);
+  backtrace->frames_json = json_to_string (root, FALSE);
+  json_node_unref (root);
+
+  return backtrace->frames_json;
 }
 
-function backtrace (vm, options = {}) {
-  const { limit = 16 } = options;
+static void
+append_jni_type_name (GString * s,
+                      const gchar * name,
+                      gsize length)
+{
+  gchar shorty = '\\0';
+  gsize i;
 
-  let frames = null;
+  switch (name[0])
+  {
+    case 'b':
+      if (strncmp (name, "boolean", length) == 0)
+        shorty = 'Z';
+      else if (strncmp (name, "byte", length) == 0)
+        shorty = 'B';
+      break;
+    case 'c':
+      if (strncmp (name, "char", length) == 0)
+        shorty = 'C';
+      break;
+    case 'd':
+      if (strncmp (name, "double", length) == 0)
+        shorty = 'D';
+      break;
+    case 'f':
+      if (strncmp (name, "float", length) == 0)
+        shorty = 'F';
+      break;
+    case 'i':
+      if (strncmp (name, "int", length) == 0)
+        shorty = 'I';
+      break;
+    case 'l':
+      if (strncmp (name, "long", length) == 0)
+        shorty = 'J';
+      break;
+    case 's':
+      if (strncmp (name, "short", length) == 0)
+        shorty = 'S';
+      break;
+    case 'v':
+      if (strncmp (name, "void", length) == 0)
+        shorty = 'V';
+      break;
+  }
+
+  if (shorty != '\\0')
+  {
+    g_string_append_c (s, shorty);
+
+    return;
+  }
+
+  if (length > 2 && name[length - 2] == '[' && name[length - 1] == ']')
+  {
+    g_string_append_c (s, '[');
+    append_jni_type_name (s, name, length - 2);
+
+    return;
+  }
+
+  g_string_append_c (s, 'L');
+
+  for (i = 0; i != length; i++)
+  {
+    gchar ch = name[i];
+    if (ch != '.')
+      g_string_append_c (s, ch);
+    else
+      g_string_append_c (s, '/');
+  }
+
+  g_string_append_c (s, ';');
+}
+
+static void
+std_string_destroy (StdString * str)
+{
+  bool is_large = (str->flags & 1) != 0;
+  if (is_large)
+    cxx_delete (str->large.data);
+}
 
-  withRunnableArtThread(vm, vm.getEnv(), thread => {
-    const visitor = new BacktraceVisitor(thread, limit);
-    visitor.walkStack(true);
-    frames = visitor.frames;
+static gchar *
+std_string_get_data (StdString * str)
+{
+  bool is_large = (str->flags & 1) != 0;
+  return is_large ? str->large.data : str->tiny.data;
+}
+`, {
+    current_backtrace: Memory.alloc(Process.pointerSize),
+    perform_art_thread_state_transition: performImpl,
+    art_thread_get_long_jump_context: api['art::Thread::GetLongJumpContext'],
+    art_stack_visitor_init: api['art::StackVisitor::StackVisitor'],
+    art_stack_visitor_walk_stack: api['art::StackVisitor::WalkStack'],
+    art_stack_visitor_get_method: api['art::StackVisitor::GetMethod'],
+    art_stack_visitor_describe_location: api['art::StackVisitor::DescribeLocation'],
+    translate_method: artController.replacedMethods.translate,
+    translate_location: api['art::Monitor::TranslateLocation'],
+    cxx_delete: api.$delete,
+    strtoul: Module.getExportByName('libc.so', 'strtoul')
   });
 
-  return frames;
+  const _create = new NativeFunction(cm._create, 'pointer', ['pointer', 'uint'], nativeFunctionOptions);
+  const _destroy = new NativeFunction(cm._destroy, 'void', ['pointer'], nativeFunctionOptions);
+
+  const fastOptions = { exceptions: 'propagate', scheduling: 'exclusive' };
+  const _getId = new NativeFunction(cm._get_id, 'pointer', ['pointer'], fastOptions);
+  const _getFrames = new NativeFunction(cm._get_frames, 'pointer', ['pointer'], fastOptions);
+
+  const performThreadStateTransition = makeArtThreadStateTransitionImpl(vm, env, cm._on_thread_state_transition_complete);
+  cm._performData = performThreadStateTransition;
+  performImpl.writePointer(performThreadStateTransition);
+
+  cm.backtrace = (env, limit) => {
+    const handle = _create(env, limit);
+    const bt = new Backtrace(handle);
+    Script.bindWeak(bt, destroy.bind(null, handle));
+    return bt;
+  };
+
+  function destroy (handle) {
+    _destroy(handle);
+  }
+
+  cm.getId = handle => {
+    return _getId(handle).readUtf8String();
+  };
+
+  cm.getFrames = handle => {
+    return JSON.parse(_getFrames(handle).readUtf8String());
+  };
+
+  return cm;
+}
+
+class Backtrace {
+  constructor (handle) {
+    this.handle = handle;
+  }
+
+  get id () {
+    return backtraceModule.getId(this.handle);
+  }
+
+  get frames () {
+    return backtraceModule.getFrames(this.handle);
+  }
 }
 
 function revertGlobalPatches () {
@@ -2278,7 +2707,7 @@ function writeArtQuickCodePrologueArm64 (target, trampoline, redirectSize) {
 
 const artQuickCodeHookRedirectSize = {
   ia32: 5,
-  x64: 14,
+  x64: 16,
   arm: 8,
   arm64: 16
 };
@@ -2941,7 +3370,7 @@ const threadStateTransitionRecompilers = {
   arm64: recompileExceptionClearForArm64
 };
 
-function _getArtThreadStateTransitionImpl (vm, env) {
+function makeArtThreadStateTransitionImpl (vm, env, callback) {
   const envVtable = env.handle.readPointer();
   const exceptionClearImpl = envVtable.add(ENV_VTABLE_OFFSET_EXCEPTION_CLEAR).readPointer();
   const nextFuncImpl = envVtable.add(ENV_VTABLE_OFFSET_FATAL_ERROR).readPointer();
@@ -2952,7 +3381,6 @@ function _getArtThreadStateTransitionImpl (vm, env) {
   }
 
   let perform = null;
-  const callback = new NativeCallback(onThreadStateTransitionComplete, 'void', ['pointer']);
 
   const threadOffsets = getArtThreadSpec(vm).offset;
 

package/lib/class-factory.js

@@ -1680,6 +1680,8 @@ function handleMethodInvocation (jniArgs, params) {
   env.pushLocalFrame(3);
   let haveFrame = true;
 
+  vm.link(tid, env);
+
   try {
     pendingCalls.add(tid);
 
@@ -1727,6 +1729,8 @@ function handleMethodInvocation (jniArgs, params) {
 
     return retType.defaultValue;
   } finally {
+    vm.unlink(tid);
+
     if (haveFrame) {
       env.popLocalFrame(NULL);
     }

package/lib/vm.js

@@ -6,15 +6,14 @@ const JNI_VERSION_1_6 = 0x00010006;
 const pointerSize = Process.pointerSize;
 
 const jsThreadID = Process.getCurrentThreadId();
-let jsThreadDetachAllowed = true;
-let jsEnv = null;
+const attachedThreads = new Map();
+const activeEnvs = new Map();
 
 function VM (api) {
   const handle = api.vm;
   let attachCurrentThread = null;
   let detachCurrentThread = null;
   let getEnv = null;
-  const attachedThreads = new Map();
 
   function initialize () {
     const vtable = handle.readPointer();
@@ -31,25 +30,29 @@ function VM (api) {
   this.perform = function (fn) {
     const threadId = Process.getCurrentThreadId();
 
-    const isJsThread = threadId === jsThreadID;
-    if (isJsThread && jsEnv !== null) {
-      return fn(jsEnv);
+    const cachedEnv = tryGetCachedEnv(threadId);
+    if (cachedEnv !== null) {
+      return fn(cachedEnv);
     }
 
-    let env = this.tryGetEnv();
+    let env = this._tryGetEnv();
     const alreadyAttached = env !== null;
     if (!alreadyAttached) {
       env = this.attachCurrentThread();
-      if (isJsThread) {
-        jsEnv = env;
-      } else {
-        attachedThreads.set(threadId, true);
-      }
+      attachedThreads.set(threadId, true);
     }
 
+    this.link(threadId, env);
+
     try {
       return fn(env);
     } finally {
+      const isJsThread = threadId === jsThreadID;
+
+      if (!isJsThread) {
+        this.unlink(threadId);
+      }
+
       if (!alreadyAttached && !isJsThread) {
         const allowedToDetach = attachedThreads.get(threadId);
         attachedThreads.delete(threadId);
@@ -74,14 +77,17 @@ function VM (api) {
   this.preventDetachDueToClassLoader = function () {
     const threadId = Process.getCurrentThreadId();
 
-    if (threadId === jsThreadID) {
-      jsThreadDetachAllowed = false;
-    } else if (attachedThreads.has(threadId)) {
+    if (attachedThreads.has(threadId)) {
       attachedThreads.set(threadId, false);
     }
   };
 
   this.getEnv = function () {
+    const cachedEnv = tryGetCachedEnv(Process.getCurrentThreadId());
+    if (cachedEnv !== null) {
+      return cachedEnv;
+    }
+
     const envBuf = Memory.alloc(pointerSize);
     const result = getEnv(handle, envBuf, JNI_VERSION_1_6);
     if (result === -2) {
@@ -92,6 +98,15 @@ function VM (api) {
   };
 
   this.tryGetEnv = function () {
+    const cachedEnv = tryGetCachedEnv(Process.getCurrentThreadId());
+    if (cachedEnv !== null) {
+      return cachedEnv;
+    }
+
+    return this._tryGetEnv();
+  };
+
+  this._tryGetEnv = function () {
     const envBuf = Memory.alloc(pointerSize);
     const result = getEnv(handle, envBuf, JNI_VERSION_1_6);
     if (result !== JNI_OK) {
@@ -108,12 +123,38 @@ function VM (api) {
     };
   };
 
+  this.link = function (tid, env) {
+    const entry = activeEnvs.get(tid);
+    if (entry === undefined) {
+      activeEnvs.set(tid, [env, 1]);
+    } else {
+      entry[1]++;
+    }
+  };
+
+  this.unlink = function (tid) {
+    const entry = activeEnvs.get(tid);
+    if (entry[1] === 1) {
+      activeEnvs.delete(tid);
+    } else {
+      entry[1]--;
+    }
+  };
+
+  function tryGetCachedEnv (threadId) {
+    const entry = activeEnvs.get(threadId);
+    if (entry === undefined) {
+      return null;
+    }
+    return entry[0];
+  }
+
   initialize.call(this);
 }
 
 VM.dispose = function (vm) {
-  if (jsThreadDetachAllowed && jsEnv !== null) {
-    jsEnv = null;
+  if (attachedThreads.get(jsThreadID) === true) {
+    attachedThreads.delete(jsThreadID);
     vm.detachCurrentThread();
   }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "5.3.0",
+  "version": "6.0.2",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [