frida-java-bridge 6.0.1 → 6.1.1

package/index.js

@@ -233,7 +233,7 @@ class Runtime {
 
     const visitClassLoaders = api['art::ClassLinker::VisitClassLoaders'];
     if (visitClassLoaders === undefined) {
-      throw new Error('This API is only available on Nougat and above');
+      throw new Error('This API is only available on Android >= 7.0');
     }
 
     const ClassLoader = factory.use('java.lang.ClassLoader');

package/lib/android.js

@@ -1,6 +1,12 @@
 const makeCodeAllocator = require('./alloc');
+const {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+} = require('./jvmti');
+const { parseInstructionsAt } = require('./machine-code');
 const memoize = require('./memoize');
-const { checkJniResult } = require('./result');
+const { checkJniResult, JNI_OK } = require('./result');
 const VM = require('./vm');
 
 const jsizeSize = 4;
@@ -99,6 +105,7 @@ const artThreadStateTransitions = {};
 let cachedApi = null;
 let MethodMangler = null;
 let artController = null;
+const inlineHooks = [];
 const patchedClasses = new Map();
 const artQuickInterceptors = [];
 let thunkPage = null;
@@ -330,6 +337,7 @@ function _getApi () {
           '_ZN3art3Dbg13ConfigureJdwpERKNS_4JDWP11JdwpOptionsE',
           '_ZN3art31InternalDebuggerControlCallback13StartDebuggerEv',
           '_ZN3art3Dbg15gDebuggerActiveE',
+          '_ZN3art15instrumentation15Instrumentation20EnableDeoptimizationEv',
           '_ZN3art15instrumentation15Instrumentation20DeoptimizeEverythingEPKc',
           '_ZN3art15instrumentation15Instrumentation20DeoptimizeEverythingEv',
           '_ZN3art7Runtime19DeoptimizeBootImageEv',
@@ -474,6 +482,16 @@ function _getApi () {
     artController = makeArtController(vm);
 
     fixupArtQuickDeliverExceptionBug(temporaryApi);
+
+    let cachedJvmti = null;
+    Object.defineProperty(temporaryApi, 'jvmti', {
+      get () {
+        if (cachedJvmti === null) {
+          cachedJvmti = [tryGetEnvJvmti(vm, this.artRuntime)];
+        }
+        return cachedJvmti[0];
+      }
+    });
   }
 
   const cxxImports = Module.enumerateImports(vmModule.path)
@@ -490,6 +508,39 @@ function _getApi () {
   return temporaryApi;
 }
 
+function tryGetEnvJvmti (vm, runtime) {
+  let env = null;
+
+  vm.perform(() => {
+    const ensurePluginLoaded = new NativeFunction(
+      Module.getExportByName('libart.so', '_ZN3art7Runtime18EnsurePluginLoadedEPKcPNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE'),
+      'bool',
+      ['pointer', 'pointer', 'pointer']);
+    const errorPtr = Memory.alloc(pointerSize);
+    const success = ensurePluginLoaded(runtime, Memory.allocUtf8String('libopenjdkjvmti.so'), errorPtr);
+    if (!success) {
+      // FIXME: Avoid leaking error
+      return;
+    }
+
+    const kArtTiVersion = jvmtiVersion.v1_2 | 0x40000000;
+    const handle = vm.tryGetEnvHandle(kArtTiVersion);
+    if (handle === null) {
+      return;
+    }
+    env = new EnvJvmti(handle, vm);
+
+    const capaBuf = Memory.alloc(8);
+    capaBuf.writeU64(jvmtiCapabilities.canTagObjects);
+    const result = env.addCapabilities(capaBuf);
+    if (result !== JNI_OK) {
+      env = null;
+    }
+  });
+
+  return env;
+}
+
 function ensureClassInitialized (env, classRef) {
   const api = getApi();
   if (api.flavor !== 'art') {
@@ -530,6 +581,7 @@ function _getArtRuntimeSpec (api) {
    * InternTable* intern_table_;      <--/
    * ClassLinker* class_linker_;      <-/
    * SignalCatcher* signal_catcher_;
+   * SmallIrtAllocator* small_irt_allocator_; <------------ API level >= 33 or Android Tiramisu Developer Preview
    * std::unique_ptr<jni::JniIdManager> jni_id_manager_; <- API level >= 30 or Android R Developer Preview
    * bool use_tombstoned_traces_;     <-------------------- API level 27/28
    * std::string stack_trace_file_;   <-------------------- API level <= 28
@@ -553,7 +605,10 @@ function _getArtRuntimeSpec (api) {
     if (value.equals(vm)) {
       let classLinkerOffset = null;
       let jniIdManagerOffset = null;
-      if (apiLevel >= 30 || getAndroidCodename() === 'R') {
+      if (apiLevel >= 33 || getAndroidCodename() === 'Tiramisu') {
+        classLinkerOffset = offset - (4 * pointerSize);
+        jniIdManagerOffset = offset - pointerSize;
+      } else if (apiLevel >= 30 || getAndroidCodename() === 'R') {
         classLinkerOffset = offset - (3 * pointerSize);
         jniIdManagerOffset = offset - pointerSize;
       } else if (apiLevel >= 29) {
@@ -593,7 +648,7 @@ function _getArtRuntimeSpec (api) {
     throw new Error('Unable to determine Runtime field offsets');
   }
 
-  spec.offset.instrumentation = tryDetectInstrumentationOffset();
+  spec.offset.instrumentation = tryDetectInstrumentationOffset(api);
   spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset();
 
   return spec;
@@ -606,43 +661,26 @@ const instrumentationOffsetParsers = {
   arm64: parseArm64InstrumentationOffset
 };
 
-function tryDetectInstrumentationOffset () {
-  let cur = Module.findExportByName('libart.so', 'MterpHandleException');
-  if (cur === null) {
+function tryDetectInstrumentationOffset (api) {
+  const impl = api['art::Runtime::DeoptimizeBootImage'];
+  if (impl === undefined) {
     return null;
   }
 
-  const tryParse = instrumentationOffsetParsers[Process.arch];
-
-  for (let i = 0; i !== 20; i++) {
-    const insn = Instruction.parse(cur);
-
-    const offset = tryParse(insn);
-    if (offset !== null) {
-      return offset;
-    }
-
-    cur = insn.next;
-  }
-
-  return null;
+  return parseInstructionsAt(impl, instrumentationOffsetParsers[Process.arch], { limit: 30 });
 }
 
 function parsex86InstrumentationOffset (insn) {
-  const { mnemonic } = insn;
-  if (mnemonic !== 'mov' && mnemonic !== 'add') {
+  if (insn.mnemonic !== 'lea') {
     return null;
   }
 
-  const op1 = insn.operands[1];
-  if (op1.type !== 'imm') {
-    return null;
-  }
-  if (op1.value < 0x100 || op1.value > 0x400) {
+  const offset = insn.operands[1].value.disp;
+  if (offset < 0x100 || offset > 0x400) {
     return null;
   }
 
-  return op1.value;
+  return offset;
 }
 
 function parseArmInstrumentationOffset (insn) {
@@ -673,12 +711,21 @@ function parseArm64InstrumentationOffset (insn) {
     return null;
   }
 
+  if (ops[0].value === 'sp' || ops[1].value === 'sp') {
+    return null;
+  }
+
   const op2 = ops[2];
   if (op2.type !== 'imm') {
     return null;
   }
 
-  return op2.value;
+  const offset = op2.value.valueOf();
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+
+  return offset;
 }
 
 const jniIdsIndirectionOffsetParsers = {
@@ -689,27 +736,17 @@ const jniIdsIndirectionOffsetParsers = {
 };
 
 function tryDetectJniIdsIndirectionOffset () {
-  let cur = Module.findExportByName('libart.so', '_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
-  if (cur === null) {
+  const impl = Module.findExportByName('libart.so', '_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
+  if (impl === null) {
     return null;
   }
 
-  const tryParse = jniIdsIndirectionOffsetParsers[Process.arch];
-
-  let prevInsn = null;
-  for (let i = 0; i !== 20; i++) {
-    const insn = Instruction.parse(cur);
-
-    const offset = tryParse(insn, prevInsn);
-    if (offset !== null) {
-      return offset;
-    }
-
-    cur = insn.next;
-    prevInsn = insn;
+  const offset = parseInstructionsAt(impl, jniIdsIndirectionOffsetParsers[Process.arch], { limit: 20 });
+  if (offset === null) {
+    throw new Error('Unable to determine Runtime.jni_ids_indirection_ offset');
   }
 
-  throw new Error('Unable to determine Runtime.jni_ids_indirection_ offset');
+  return offset;
 }
 
 function parsex86JniIdsIndirectionOffset (insn) {
@@ -902,7 +939,7 @@ function _getArtMethodSpec (vm) {
 
   vm.perform(env => {
     const process = env.findClass('android/os/Process');
-    const setArgV0 = unwrapMethodId(env.getStaticMethodId(process, 'setArgV0', '(Ljava/lang/String;)V'));
+    const getElapsedCpuTime = unwrapMethodId(env.getStaticMethodId(process, 'getElapsedCpuTime', '()J'));
     env.deleteLocalRef(process);
 
     const runtimeModule = Process.getModuleByName('libandroid_runtime.so');
@@ -914,13 +951,13 @@ function _getArtMethodSpec (vm) {
     const entrypointFieldSize = (apiLevel <= 21) ? 8 : pointerSize;
 
     const expectedAccessFlags = kAccPublic | kAccStatic | kAccFinal | kAccNative;
-    const relevantAccessFlagsMask = ~(kAccPublicApi | kAccNterpInvokeFastPathFlag) >>> 0;
+    const relevantAccessFlagsMask = ~(kAccFastInterpreterToInterpreterInvoke | kAccPublicApi | kAccNterpInvokeFastPathFlag) >>> 0;
 
     let jniCodeOffset = null;
     let accessFlagsOffset = null;
     let remaining = 2;
     for (let offset = 0; offset !== 64 && remaining !== 0; offset += 4) {
-      const field = setArgV0.add(offset);
+      const field = getElapsedCpuTime.add(offset);
 
       if (jniCodeOffset === null) {
         const address = field.readPointer();
@@ -1711,6 +1748,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
   return {
     handle: cm,
     replacedMethods: {
+      isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
@@ -1785,18 +1823,20 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   }
   taughtArtAboutReplacementMethods = true;
 
-  const { getOatQuickMethodHeaderImpl } = artController;
-  if (getOatQuickMethodHeaderImpl === null) {
-    return;
-  }
+  if (!maybeInstrumentGetOatQuickMethodHeaderInlineCopies()) {
+    const { getOatQuickMethodHeaderImpl } = artController;
+    if (getOatQuickMethodHeaderImpl === null) {
+      return;
+    }
 
-  try {
-    Interceptor.replace(getOatQuickMethodHeaderImpl, artController.hooks.ArtMethod.getOatQuickMethodHeader);
-  } catch (e) {
-    /*
-     * Already replaced by another script. For now we don't support replacing methods from multiple scripts,
-     * but we'll allow users to try it if they're feeling adventurous.
-     */
+    try {
+      Interceptor.replace(getOatQuickMethodHeaderImpl, artController.hooks.ArtMethod.getOatQuickMethodHeader);
+    } catch (e) {
+      /*
+       * Already replaced by another script. For now we don't support replacing methods from multiple scripts,
+       * but we'll allow users to try it if they're feeling adventurous.
+       */
+    }
   }
 
   const apiLevel = getAndroidApiLevel();
@@ -1813,6 +1853,381 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   }
 }
 
+const artGetOatQuickMethodHeaderInlinedCopyHandler = {
+  arm: {
+    signatures: [
+      {
+        pattern: [
+          'b0 68', // ldr r0, [r6, #8]
+          '01 30', // adds r0, #1
+          '0c d0', // beq #0x16fcd4
+          '1b 98', // ldr r0, [sp, #0x6c]
+          ':',
+          'c0 ff',
+          'c0 ff',
+          '00 ff',
+          '00 2f'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      },
+      {
+        pattern: [
+          'd8 f8 08 00', // ldr r0, [r8, #8]
+          '01 30', // adds r0, #1
+          '0c d0', // beq #0x16fcd4
+          '1b 98', // ldr r0, [sp, #0x6c]
+          ':',
+          'f0 ff ff 0f',
+          'ff ff',
+          '00 ff',
+          '00 2f'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      },
+      {
+        pattern: [
+          'b0 68', // ldr r0, [r6, #8]
+          '01 30', // adds r0, #1
+          '40 f0 c3 80', // bne #0x203bf0
+          '00 25', // movs r5, #0
+          ':',
+          'c0 ff',
+          'c0 ff',
+          'c0 fb 00 d0',
+          'ff f8'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      }
+    ],
+    instrument: instrumentGetOatQuickMethodHeaderInlinedCopyArm
+  },
+  arm64: {
+    signatures: [
+      {
+        pattern: [
+          /* e8 */ '0a 40 b9', // ldr w8, [x23, #0x8]
+          '1f 05 00 31', // cmn w8, #0x1
+          '40 01 00 54', // b.eq 0x2e4204
+          '88 39 00 f0', // adrp x8, 0xa17000
+          ':',
+          /* 00 */ 'fc ff ff',
+          '1f fc ff ff',
+          '1f 00 00 ff',
+          '00 00 00 9f'
+        ],
+        offset: 1,
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
+      },
+      {
+        pattern: [
+          /* e8 */ '0a 40 b9', // ldr w8, [x23, #0x8]
+          '1f 05 00 31', // cmn w8, #0x1
+          '01 34 00 54', // b.ne 0x3d8e50
+          'e0 03 1f aa', // mov x0, xzr
+          ':',
+          /* 00 */ 'fc ff ff',
+          '1f fc ff ff',
+          '1f 00 00 ff',
+          'e0 ff ff ff'
+        ],
+        offset: 1,
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
+      }
+    ],
+    instrument: instrumentGetOatQuickMethodHeaderInlinedCopyArm64
+  }
+};
+
+function validateGetOatQuickMethodHeaderInlinedMatchArm ({ address, size }) {
+  const ldr = Instruction.parse(address.or(1));
+  const [ldrDst, ldrSrc] = ldr.operands;
+  const methodReg = ldrSrc.value.base;
+  const scratchReg = ldrDst.value;
+
+  const branch = Instruction.parse(ldr.next.add(2));
+  const targetWhenTrue = ptr(branch.operands[0].value);
+  const targetWhenFalse = branch.address.add(branch.size);
+
+  let targetWhenRegularMethod, targetWhenRuntimeMethod;
+  if (branch.mnemonic === 'beq') {
+    targetWhenRegularMethod = targetWhenFalse;
+    targetWhenRuntimeMethod = targetWhenTrue;
+  } else {
+    targetWhenRegularMethod = targetWhenTrue;
+    targetWhenRuntimeMethod = targetWhenFalse;
+  }
+
+  return parseInstructionsAt(targetWhenRegularMethod.or(1), tryParse, { limit: 3 });
+
+  function tryParse (insn) {
+    const { mnemonic } = insn;
+    if (!(mnemonic === 'ldr' || mnemonic === 'ldr.w')) {
+      return null;
+    }
+
+    const { base, disp } = insn.operands[1].value;
+    if (!(base === methodReg && disp === 0x14)) {
+      return null;
+    }
+
+    return {
+      methodReg,
+      scratchReg,
+      target: {
+        whenTrue: targetWhenTrue,
+        whenRegularMethod: targetWhenRegularMethod,
+        whenRuntimeMethod: targetWhenRuntimeMethod
+      }
+    };
+  }
+}
+
+function validateGetOatQuickMethodHeaderInlinedMatchArm64 ({ address, size }) {
+  const [ldrDst, ldrSrc] = Instruction.parse(address).operands;
+  const methodReg = ldrSrc.value.base;
+  const scratchReg = 'x' + ldrDst.value.substring(1);
+
+  const branch = Instruction.parse(address.add(8));
+  const targetWhenTrue = ptr(branch.operands[0].value);
+  const targetWhenFalse = address.add(12);
+
+  let targetWhenRegularMethod, targetWhenRuntimeMethod;
+  if (branch.mnemonic === 'b.eq') {
+    targetWhenRegularMethod = targetWhenFalse;
+    targetWhenRuntimeMethod = targetWhenTrue;
+  } else {
+    targetWhenRegularMethod = targetWhenTrue;
+    targetWhenRuntimeMethod = targetWhenFalse;
+  }
+
+  return parseInstructionsAt(targetWhenRegularMethod, tryParse, { limit: 3 });
+
+  function tryParse (insn) {
+    if (insn.mnemonic !== 'ldr') {
+      return null;
+    }
+
+    const { base, disp } = insn.operands[1].value;
+    if (!(base === methodReg && disp === 0x18)) {
+      return null;
+    }
+
+    return {
+      methodReg,
+      scratchReg,
+      target: {
+        whenTrue: targetWhenTrue,
+        whenRegularMethod: targetWhenRegularMethod,
+        whenRuntimeMethod: targetWhenRuntimeMethod
+      }
+    };
+  }
+}
+
+function maybeInstrumentGetOatQuickMethodHeaderInlineCopies () {
+  if (getAndroidApiLevel() < 31) {
+    return false;
+  }
+
+  const handler = artGetOatQuickMethodHeaderInlinedCopyHandler[Process.arch];
+  if (handler === undefined) {
+    // Not needed on x86 and x64, at least not for now...
+    return false;
+  }
+
+  const signatures = handler.signatures.map(({ pattern, offset = 0, validateMatch = returnEmptyObject }) => {
+    return {
+      pattern: new MatchPattern(pattern.join('')),
+      offset,
+      validateMatch
+    };
+  });
+
+  const impls = [];
+  for (const { base, size } of getApi().module.enumerateRanges('--x')) {
+    for (const { pattern, offset, validateMatch } of signatures) {
+      const matches = Memory.scanSync(base, size, pattern)
+        .map(({ address, size }) => {
+          return { address: address.sub(offset), size: size + offset };
+        })
+        .filter(match => {
+          const validationResult = validateMatch(match);
+          if (validationResult === null) {
+            return false;
+          }
+          match.validationResult = validationResult;
+          return true;
+        });
+      impls.push(...matches);
+    }
+  }
+
+  impls.forEach(handler.instrument);
+
+  return true;
+}
+
+function returnEmptyObject () {
+  return {};
+}
+
+class InlineHook {
+  constructor (address, size, trampoline) {
+    this.address = address;
+    this.size = size;
+    this.originalCode = address.readByteArray(size);
+    this.trampoline = trampoline;
+  }
+
+  revert () {
+    Memory.patchCode(this.address, this.size, code => {
+      code.writeByteArray(this.originalCode);
+    });
+  }
+}
+
+function instrumentGetOatQuickMethodHeaderInlinedCopyArm ({ address, size, validationResult }) {
+  const { methodReg, target } = validationResult;
+
+  const trampoline = Memory.alloc(Process.pageSize);
+  let redirectCapacity = size;
+
+  Memory.patchCode(trampoline, 256, code => {
+    const writer = new ThumbWriter(code, { pc: trampoline });
+
+    const relocator = new ThumbRelocator(address, writer);
+    for (let i = 0; i !== 2; i++) {
+      relocator.readOne();
+    }
+    relocator.writeAll();
+
+    relocator.readOne();
+    relocator.skipOne();
+    writer.putBCondLabel('eq', 'runtime_or_replacement_method');
+
+    const vpushFpRegs = [0x2d, 0xed, 0x10, 0x0a]; /* vpush {s0-s15} */
+    writer.putBytes(vpushFpRegs);
+
+    const savedRegs = ['r0', 'r1', 'r2', 'r3'];
+    writer.putPushRegs(savedRegs);
+
+    writer.putCallAddressWithArguments(artController.replacedMethods.isReplacement, [methodReg]);
+    writer.putCmpRegImm('r0', 0);
+
+    writer.putPopRegs(savedRegs);
+
+    const vpopFpRegs = [0xbd, 0xec, 0x10, 0x0a]; /* vpop {s0-s15} */
+    writer.putBytes(vpopFpRegs);
+
+    writer.putBCondLabel('ne', 'runtime_or_replacement_method');
+    writer.putBLabel('regular_method');
+
+    relocator.readOne();
+
+    const tailIsRegular = relocator.input.address.equals(target.whenRegularMethod);
+
+    writer.putLabel(tailIsRegular ? 'regular_method' : 'runtime_or_replacement_method');
+    relocator.writeOne();
+    while (redirectCapacity < 10) {
+      const offset = relocator.readOne();
+      if (offset === 0) {
+        redirectCapacity = 10;
+        break;
+      }
+      redirectCapacity = offset;
+    }
+    relocator.writeAll();
+    writer.putBranchAddress(address.add(redirectCapacity + 1));
+
+    writer.putLabel(tailIsRegular ? 'runtime_or_replacement_method' : 'regular_method');
+    writer.putBranchAddress(target.whenTrue);
+
+    writer.flush();
+  });
+
+  inlineHooks.push(new InlineHook(address, redirectCapacity, trampoline));
+
+  Memory.patchCode(address, redirectCapacity, code => {
+    const writer = new ThumbWriter(code, { pc: address });
+    writer.putLdrRegAddress('pc', trampoline.or(1));
+    writer.flush();
+  });
+}
+
+function instrumentGetOatQuickMethodHeaderInlinedCopyArm64 ({ address, size, validationResult }) {
+  const { methodReg, scratchReg, target } = validationResult;
+
+  const trampoline = Memory.alloc(Process.pageSize);
+
+  Memory.patchCode(trampoline, 256, code => {
+    const writer = new Arm64Writer(code, { pc: trampoline });
+
+    const relocator = new Arm64Relocator(address, writer);
+    for (let i = 0; i !== 2; i++) {
+      relocator.readOne();
+    }
+    relocator.writeAll();
+
+    relocator.readOne();
+    relocator.skipOne();
+    writer.putBCondLabel('eq', 'runtime_or_replacement_method');
+
+    const savedRegs = [
+      'd0', 'd1',
+      'd2', 'd3',
+      'd4', 'd5',
+      'd6', 'd7',
+      'x0', 'x1',
+      'x2', 'x3',
+      'x4', 'x5',
+      'x6', 'x7',
+      'x8', 'x9',
+      'x10', 'x11',
+      'x12', 'x13',
+      'x14', 'x15',
+      'x16', 'x17'
+    ];
+    const numSavedRegs = savedRegs.length;
+
+    for (let i = 0; i !== numSavedRegs; i += 2) {
+      writer.putPushRegReg(savedRegs[i], savedRegs[i + 1]);
+    }
+
+    writer.putCallAddressWithArguments(artController.replacedMethods.isReplacement, [methodReg]);
+    writer.putCmpRegReg('x0', 'xzr');
+
+    for (let i = numSavedRegs - 2; i >= 0; i -= 2) {
+      writer.putPopRegReg(savedRegs[i], savedRegs[i + 1]);
+    }
+
+    writer.putBCondLabel('ne', 'runtime_or_replacement_method');
+    writer.putBLabel('regular_method');
+
+    relocator.readOne();
+    const tailInstruction = relocator.input;
+
+    const tailIsRegular = tailInstruction.address.equals(target.whenRegularMethod);
+
+    writer.putLabel(tailIsRegular ? 'regular_method' : 'runtime_or_replacement_method');
+    relocator.writeOne();
+    writer.putBranchAddress(tailInstruction.next);
+
+    writer.putLabel(tailIsRegular ? 'runtime_or_replacement_method' : 'regular_method');
+    writer.putBranchAddress(target.whenTrue);
+
+    writer.flush();
+  });
+
+  inlineHooks.push(new InlineHook(address, size, trampoline));
+
+  Memory.patchCode(address, size, code => {
+    const writer = new Arm64Writer(code, { pc: address });
+    writer.putLdrRegAddress(scratchReg, trampoline);
+    writer.putBrReg(scratchReg);
+    writer.flush();
+  });
+}
+
 function makeMethodMangler (methodId) {
   return new MethodMangler(methodId);
 }
@@ -1937,8 +2352,6 @@ extern void translate_location (ArtMethod * method, guint32 pc, const gchar ** s
 extern void cxx_delete (void * mem);
 extern unsigned long strtoul (const char * str, char ** endptr, int base);
 
-extern void _frida_log (const gchar * message);
-
 static bool visit_frame (ArtStackVisitor * visitor);
 static void art_stack_frame_destroy (ArtStackFrame * frame);
 
@@ -1947,8 +2360,6 @@ static void append_jni_type_name (GString * s, const gchar * name, gsize length)
 static void std_string_destroy (StdString * str);
 static gchar * std_string_get_data (StdString * str);
 
-static void frida_log (const char * format, ...);
-
 void
 init (void)
 {
@@ -2334,7 +2745,13 @@ function revertGlobalPatches () {
   });
   patchedClasses.clear();
 
-  artQuickInterceptors.forEach((interceptor) => interceptor.deactivate());
+  for (const interceptor of artQuickInterceptors.splice(0)) {
+    interceptor.deactivate();
+  }
+
+  for (const hook of inlineHooks.splice(0)) {
+    hook.revert();
+  }
 }
 
 function unwrapMethodId (methodId) {
@@ -2707,7 +3124,7 @@ function writeArtQuickCodePrologueArm64 (target, trampoline, redirectSize) {
 
 const artQuickCodeHookRedirectSize = {
   ia32: 5,
-  x64: 14,
+  x64: 16,
   arm: 8,
   arm64: 16
 };
@@ -3116,6 +3533,10 @@ function deoptimizeEverything (vm, env) {
 function deoptimizeBootImage (vm, env) {
   const api = getApi();
 
+  if (getAndroidApiLevel() < 26) {
+    throw new Error('This API is only available on Android >= 8.0');
+  }
+
   withRunnableArtThread(vm, env, thread => {
     api['art::Runtime::DeoptimizeBootImage'](api.artRuntime);
   });
@@ -3125,7 +3546,7 @@ function requestDeoptimization (vm, env, kind, method) {
   const api = getApi();
 
   if (getAndroidApiLevel() < 24) {
-    throw new Error('This API is only available on Nougat and above');
+    throw new Error('This API is only available on Android >= 7.0');
   }
 
   withRunnableArtThread(vm, env, thread => {
@@ -3161,9 +3582,12 @@ function requestDeoptimization (vm, env, kind, method) {
         throw new Error('Unable to find Instrumentation class in ART; please file a bug');
       }
 
-      const deoptimizationEnabled = !!instrumentation.add(getArtInstrumentationSpec().offset.deoptimizationEnabled).readU8();
-      if (!deoptimizationEnabled) {
-        api['art::Instrumentation::EnableDeoptimization'](instrumentation);
+      const enableDeopt = api['art::Instrumentation::EnableDeoptimization'];
+      if (enableDeopt !== undefined) {
+        const deoptimizationEnabled = !!instrumentation.add(getArtInstrumentationSpec().offset.deoptimizationEnabled).readU8();
+        if (!deoptimizationEnabled) {
+          enableDeopt(instrumentation);
+        }
       }
 
       switch (kind) {
@@ -3544,8 +3968,9 @@ function recompileExceptionClearForX86 (buffer, pc, exceptionClearImpl, nextFunc
               if (pointerSize === 4) {
                 writer.putAndRegU32('esp', 0xfffffff0);
               } else {
-                writer.putMovRegU64('rax', uint64('0xfffffffffffffff0'));
-                writer.putAndRegReg('rsp', 'rax');
+                const scratchReg = (threadReg !== 'rdi') ? 'rdi' : 'rsi';
+                writer.putMovRegU64(scratchReg, uint64('0xfffffffffffffff0'));
+                writer.putAndRegReg('rsp', scratchReg);
               }
               writer.putCallAddressWithAlignedArguments(callback, [threadReg]);
               writer.putMovRegReg('xsp', 'xbp');

package/lib/class-factory.js

@@ -485,9 +485,16 @@ class ClassFactory {
     if (flavor === 'jvm') {
       this._chooseObjectsJvm(specifier, env, callbacks);
     } else if (flavor === 'art') {
+      const legacyApiMissing = api['art::gc::Heap::VisitObjects'] === undefined;
+      if (legacyApiMissing) {
+        const preA12ApiMissing = api['art::gc::Heap::GetInstances'] === undefined;
+        if (preA12ApiMissing) {
+          return this._chooseObjectsJvm(specifier, env, callbacks);
+        }
+      }
       android.withRunnableArtThread(vm, env, thread => {
-        if (api['art::gc::Heap::VisitObjects'] === undefined) {
-          this._chooseObjectsArtModern(specifier, env, thread, callbacks);
+        if (legacyApiMissing) {
+          this._chooseObjectsArtPreA12(specifier, env, thread, callbacks);
         } else {
           this._chooseObjectsArtLegacy(specifier, env, thread, callbacks);
         }
@@ -545,7 +552,7 @@ class ClassFactory {
     }
   }
 
-  _chooseObjectsArtModern (className, env, thread, callbacks) {
+  _chooseObjectsArtPreA12 (className, env, thread, callbacks) {
     const classWrapper = this.use(className);
 
     const scope = android.VariableSizedHandleScope.$new(thread, vm);

package/lib/class-model.js

@@ -1176,7 +1176,7 @@ class Model {
 
     const params = query.match(methodQueryPattern);
     if (params === null) {
-      throw new Error('Invalid method query');
+      throw new Error('Invalid query; format is: class!method -- see documentation of Java.enumerateMethods(query) for details');
     }
 
     const classQuery = Memory.allocUtf8String(params[1]);

package/lib/jvm.js

@@ -1,3 +1,9 @@
+const {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+} = require('./jvmti');
+const { parseInstructionsAt } = require('./machine-code');
 const memoize = require('./memoize');
 const { checkJniResult } = require('./result');
 const VM = require('./vm');
@@ -11,17 +17,13 @@ const JVM_ACC_IS_OBSOLETE = 0x00020000;
 const JVM_ACC_NOT_C2_COMPILABLE = 0x02000000;
 const JVM_ACC_NOT_C1_COMPILABLE = 0x04000000;
 const JVM_ACC_NOT_C2_OSR_COMPILABLE = 0x08000000;
-const JVMTI_VERSION_1_0 = 0x30010000;
-
-const jvmtiCapabilities = {
-  canTagObjects: 1
-};
 
 const nativeFunctionOptions = {
   exceptions: 'propagate'
 };
 
 const getJvmMethodSpec = memoize(_getJvmMethodSpec);
+const getJvmInstanceKlassSpec = memoize(_getJvmInstanceKlassSpec);
 const getJvmThreadSpec = memoize(_getJvmThreadSpec);
 
 let cachedApi = null;
@@ -57,6 +59,9 @@ function _getApi () {
       _ZN6Method4sizeEb: ['Method::size', 'int', ['int']],
       _ZN6Method19set_native_functionEPhb: ['Method::set_native_function', 'void', ['pointer', 'pointer', 'int']],
       _ZN6Method21clear_native_functionEv: ['Method::clear_native_function', 'void', ['pointer']],
+      // JDK >= 17
+      _ZN6Method24restore_unshareable_infoEP10JavaThread: ['Method::restore_unshareable_info', 'void', ['pointer', 'pointer']],
+      // JDK < 17
       _ZN6Method24restore_unshareable_infoEP6Thread: ['Method::restore_unshareable_info', 'void', ['pointer', 'pointer']],
       _ZN6Method10jmethod_idEv: ['Method::jmethod_id', 'pointer', ['pointer']],
       _ZN6Method10clear_codeEv: function (address) {
@@ -73,8 +78,6 @@ function _getApi () {
         };
       },
 
-      _ZNK5Klass15start_of_vtableEv: ['Klass::start_of_vtable', 'pointer', ['pointer']],
-      _ZNK13InstanceKlass6vtableEv: ['InstanceKlass::vtable', 'pointer', ['pointer']],
       // JDK >= 13
       _ZN18VM_RedefineClasses19mark_dependent_codeEP13InstanceKlass: ['VM_RedefineClasses::mark_dependent_code', 'void', ['pointer', 'pointer']],
       _ZN18VM_RedefineClasses20flush_dependent_codeEv: ['VM_RedefineClasses::flush_dependent_code', 'void', []],
@@ -157,6 +160,16 @@ function _getApi () {
       _ZNK18VM_RedefineClasses14print_on_errorEP12outputStream: function (address) {
         this.redefineClassesOnError = address;
       },
+
+      // JDK >= 17
+      _ZN13InstanceKlass33create_new_default_vtable_indicesEiP10JavaThread: function (address) {
+        this.createNewDefaultVtableIndices = address;
+      },
+      // JDK < 17
+      _ZN13InstanceKlass33create_new_default_vtable_indicesEiP6Thread: function (address) {
+        this.createNewDefaultVtableIndices = address;
+      },
+
       _ZN19Abstract_VM_Version19jre_release_versionEv: function (address) {
         const getVersion = new NativeFunction(address, 'pointer', [], nativeFunctionOptions);
         const versionS = getVersion().readCString();
@@ -167,6 +180,7 @@ function _getApi () {
             : parseInt(versionS.slice(0, 2), 10);
         this.versionS = versionS;
       },
+
       _ZN14NMethodSweeper11_traversalsE: function (address) {
         this.traversals = address;
       },
@@ -178,36 +192,41 @@ function _getApi () {
       }
     },
     optionals: [
+      '_ZN6Method24restore_unshareable_infoEP10JavaThread',
+      '_ZN6Method24restore_unshareable_infoEP6Thread',
+      '_ZN6Method10clear_codeEv',
+      '_ZN6Method10clear_codeEb',
+
       '_ZN18VM_RedefineClasses19mark_dependent_codeEP13InstanceKlass',
       '_ZN18VM_RedefineClasses20flush_dependent_codeEv',
       '_ZN18VM_RedefineClasses20flush_dependent_codeEP13InstanceKlassP6Thread',
       '_ZN18VM_RedefineClasses20flush_dependent_codeE19instanceKlassHandleP6Thread',
 
-      '_ZNK5Klass15start_of_vtableEv',
-      '_ZNK13InstanceKlass6vtableEv',
-
       '_ZN19ResolvedMethodTable21adjust_method_entriesEPb',
       '_ZN15MemberNameTable21adjust_method_entriesEP13InstanceKlassPb',
 
       '_ZN17ConstantPoolCache21adjust_method_entriesEPb',
       '_ZN17ConstantPoolCache21adjust_method_entriesEP13InstanceKlassPb',
 
+      '_ZN20ClassLoaderDataGraph22clean_deallocate_listsEb',
+
+      '_ZN10JavaThread27thread_from_jni_environmentEP7JNIEnv_',
+
+      '_ZN14NMethodSweeper11force_sweepEv',
+      '_ZN14NMethodSweeper17sweep_in_progressEv',
+
       '_ZN18VM_RedefineClasses14_the_class_oopE',
       '_ZN18VM_RedefineClasses10_the_classE',
       '_ZN18VM_RedefineClasses25AdjustCpoolCacheAndVtable8do_klassEP5Klass',
       '_ZN18VM_RedefineClasses22AdjustAndCleanMetadata8do_klassEP5Klass',
-
       '_ZN18VM_RedefineClassesD0Ev',
       '_ZN18VM_RedefineClassesD1Ev',
       '_ZNK18VM_RedefineClasses14print_on_errorEP12outputStream',
 
-      '_ZN6Method10clear_codeEv',
-      '_ZN6Method10clear_codeEb',
+      '_ZN13InstanceKlass33create_new_default_vtable_indicesEiP10JavaThread',
+      '_ZN13InstanceKlass33create_new_default_vtable_indicesEiP6Thread',
 
-      '_ZN20ClassLoaderDataGraph22clean_deallocate_listsEb',
-      '_ZN14NMethodSweeper11force_sweepEv',
-      '_ZN14NMethodSweeper21_sweep_fractions_leftE',
-      '_ZN14NMethodSweeper17sweep_in_progressEv'
+      '_ZN14NMethodSweeper21_sweep_fractions_leftE'
     ]
   }];
 
@@ -291,6 +310,11 @@ function _getApi () {
   }
 
   temporaryApi.jvmti = getEnvJvmti(temporaryApi);
+
+  if (temporaryApi['JavaThread::thread_from_jni_environment'] === undefined) {
+    temporaryApi['JavaThread::thread_from_jni_environment'] = makeThreadFromJniHelper(temporaryApi);
+  }
+
   return temporaryApi;
 }
 
@@ -299,63 +323,59 @@ function getEnvJvmti (api) {
 
   let env;
   vm.perform(() => {
-    const getEnv = new NativeFunction(vm.handle.readPointer().add(6 * pointerSize).readPointer(), 'int32', ['pointer', 'pointer', 'int32'],
-      nativeFunctionOptions);
-    const envBuf = Memory.alloc(pointerSize);
-    let result = getEnv(vm.handle, envBuf, JVMTI_VERSION_1_0);
-    checkJniResult('getEnvJvmti::GetEnv', result);
-    env = new EnvJvmti(envBuf.readPointer(), vm);
+    const handle = vm.tryGetEnvHandle(jvmtiVersion.v1_0);
+    if (handle === null) {
+      throw new Error('JVMTI not available');
+    }
+    env = new EnvJvmti(handle, vm);
 
     const capaBuf = Memory.alloc(8);
     capaBuf.writeU64(jvmtiCapabilities.canTagObjects);
-    result = env.addCapabilities(capaBuf);
+    const result = env.addCapabilities(capaBuf);
     checkJniResult('getEnvJvmti::AddCapabilities', result);
   });
 
   return env;
 }
 
-function EnvJvmti (handle, vm) {
-  this.handle = handle;
-  this.vm = vm;
-  this.vtable = handle.readPointer();
-}
+const threadOffsetParsers = {
+  x64: parseX64ThreadOffset
+};
 
-EnvJvmti.prototype.deallocate = proxy(47, 'int32', ['pointer', 'pointer'], function (impl, mem) {
-  return impl(this.handle, mem);
-});
-
-EnvJvmti.prototype.getLoadedClasses = proxy(78, 'int32', ['pointer', 'pointer', 'pointer'], function (impl, classCountPtr, classesPtr) {
-  const result = impl(this.handle, classCountPtr, classesPtr);
-  checkJniResult('EnvJvmti::getLoadedClasses', result);
-});
-
-EnvJvmti.prototype.iterateOverInstancesOfClass = proxy(112, 'int32', ['pointer', 'pointer', 'int', 'pointer', 'pointer'], function (impl, klass, objectFilter, heapObjectCallback, userData) {
-  const result = impl(this.handle, klass, objectFilter, heapObjectCallback, userData);
-  checkJniResult('EnvJvmti::iterateOverInstancesOfClass', result);
-});
-
-EnvJvmti.prototype.getObjectsWithTags = proxy(114, 'int32', ['pointer', 'int', 'pointer', 'pointer', 'pointer', 'pointer'], function (impl, tagCount, tags, countPtr, objectResultPtr, tagResultPtr) {
-  const result = impl(this.handle, tagCount, tags, countPtr, objectResultPtr, tagResultPtr);
-  checkJniResult('EnvJvmti::getObjectsWithTags', result);
-});
-
-EnvJvmti.prototype.addCapabilities = proxy(142, 'int32', ['pointer', 'pointer'], function (impl, capabilitiesPtr) {
-  return impl(this.handle, capabilitiesPtr);
-});
-
-function proxy (offset, retType, argTypes, wrapper) {
-  let impl = null;
-  return function () {
-    if (impl === null) {
-      impl = new NativeFunction(this.vtable.add((offset - 1) * pointerSize).readPointer(), retType, argTypes, nativeFunctionOptions);
-    }
-    let args = [impl];
-    args = args.concat.apply(args, arguments);
-    return wrapper.apply(this, args);
+function makeThreadFromJniHelper (api) {
+  let offset = null;
+
+  const tryParse = threadOffsetParsers[Process.arch];
+  if (tryParse !== undefined) {
+    const vm = new VM(api);
+    const findClassImpl = vm.perform(env => env.handle.readPointer().add(6 * pointerSize).readPointer());
+    offset = parseInstructionsAt(findClassImpl, tryParse, { limit: 10 });
+  }
+
+  if (offset === null) {
+    return () => {
+      throw new Error('Unable to make thread_from_jni_environment() helper for the current architecture');
+    };
+  }
+
+  return env => {
+    return env.add(offset);
   };
 }
 
+function parseX64ThreadOffset (insn) {
+  if (insn.mnemonic !== 'lea') {
+    return null;
+  }
+
+  const { base, disp } = insn.operands[1].value;
+  if (!(base === 'rdi' && disp < 0)) {
+    return null;
+  }
+
+  return disp;
+}
+
 function ensureClassInitialized (env, classRef) {
 }
 
@@ -530,13 +550,15 @@ function withJvmThread (fn, fnPrologue, fnEpilogue) {
   const doIt = new NativeCallback(fn, 'void', ['pointer']);
   vtableDup.add(doItOffset).writePointer(doIt);
 
+  let prologue = null;
   if (fnPrologue !== undefined) {
-    const prologue = new NativeCallback(fnPrologue, 'int', ['pointer']);
+    prologue = new NativeCallback(fnPrologue, 'int', ['pointer']);
     vtableDup.add(prologueOffset).writePointer(prologue);
   }
 
+  let epilogue = null;
   if (fnEpilogue !== undefined) {
-    const epilogue = new NativeCallback(fnEpilogue, 'void', ['pointer']);
+    epilogue = new NativeCallback(fnEpilogue, 'void', ['pointer']);
     vtableDup.add(epilogueOffset).writePointer(epilogue);
   }
 
@@ -727,24 +749,19 @@ function readJvmMethod (method, constMethod, constMethodSize) {
   const instanceKlass = constantPool.add(spec.constantPool.instanceKlassOffset).readPointer();
   const cache = constantPool.add(spec.constantPool.cacheOffset).readPointer();
 
-  if (spec.instanceKlass === undefined) {
-    const klassVtable = api['InstanceKlass::vtable'](instanceKlass);
-    const vtableOffset = klassVtable.add(pointerSize).readS32();
-    const klassSpec = getJvmKlassSpec(vtableOffset);
-    spec.instanceKlass = klassSpec;
-  }
+  const instanceKlassSpec = getJvmInstanceKlassSpec();
 
-  const methods = instanceKlass.add(spec.instanceKlass.methodsOffset).readPointer();
+  const methods = instanceKlass.add(instanceKlassSpec.methodsOffset).readPointer();
   const methodsCount = methods.readS32();
   const methodsArray = methods.add(pointerSize);
   const methodIndex = constMethod.add(spec.constMethod.methodIdnumOffset).readU16();
   const vtableIndexPtr = method.add(spec.method.vtableIndexOffset);
   const vtableIndex = vtableIndexPtr.readS32();
-  const vtable = instanceKlass.add(spec.instanceKlass.vtableOffset);
-  const oopMapCache = instanceKlass.add(spec.instanceKlass.oopMapCacheOffset).readPointer();
+  const vtable = instanceKlass.add(instanceKlassSpec.vtableOffset);
+  const oopMapCache = instanceKlass.add(instanceKlassSpec.oopMapCacheOffset).readPointer();
 
   const memberNames = (api.version >= 10)
-    ? instanceKlass.add(spec.instanceKlass.memberNamesOffset).readPointer()
+    ? instanceKlass.add(instanceKlassSpec.memberNamesOffset).readPointer()
     : NULL;
 
   return {
@@ -782,39 +799,48 @@ function revertJvmMethod (method) {
 
 function _getJvmMethodSpec () {
   const api = getApi();
+  const { version } = api;
 
-  const adapterInConstMethod = (api.version > 8) ? 1 : 0;
+  let adapterHandlerLocation;
+  if (version >= 17) {
+    adapterHandlerLocation = 'method:early';
+  } else if (version >= 9 && version <= 16) {
+    adapterHandlerLocation = 'const-method';
+  } else {
+    adapterHandlerLocation = 'method:late';
+  }
 
   const isNative = 1;
   const methodSize = api['Method::size'](isNative) * pointerSize;
   const constMethodOffset = pointerSize;
   const methodDataOffset = 2 * pointerSize;
   const methodCountersOffset = 3 * pointerSize;
-  const accessFlagsOffset = 4 * pointerSize;
+  const adapterInMethodEarlyOffset = 4 * pointerSize;
+  const adapterInMethodEarlySize = (adapterHandlerLocation === 'method:early') ? pointerSize : 0;
+  const accessFlagsOffset = adapterInMethodEarlyOffset + adapterInMethodEarlySize;
   const vtableIndexOffset = accessFlagsOffset + 4;
-  const i2iEntryOffset = vtableIndexOffset + 4 + pointerSize;
+  const i2iEntryOffset = vtableIndexOffset + 4 + 8;
+  const adapterInMethodLateOffset = i2iEntryOffset + pointerSize;
+  const adapterInMethodOffset = (adapterInMethodEarlySize !== 0) ? adapterInMethodEarlyOffset : adapterInMethodLateOffset;
   const nativeFunctionOffset = methodSize - 2 * pointerSize;
   const signatureHandlerOffset = methodSize - pointerSize;
 
-  const constantPoolOffset = pointerSize;
-  const stackmapDataOffset = 2 * pointerSize;
-  const constMethodSizeOffset = (3 + adapterInConstMethod) * pointerSize;
+  const constantPoolOffset = 8;
+  const stackmapDataOffset = constantPoolOffset + pointerSize;
+  const adapterInConstMethodOffset = stackmapDataOffset + pointerSize;
+  const adapterInConstMethodSize = (adapterHandlerLocation === 'const-method') ? pointerSize : 0;
+  const constMethodSizeOffset = adapterInConstMethodOffset + adapterInConstMethodSize;
   const methodIdnumOffset = constMethodSizeOffset + 0xe;
 
   const cacheOffset = 2 * pointerSize;
   const instanceKlassOffset = 3 * pointerSize;
-  let klassSpec;
-  if ('Klass::start_of_vtable' in api) {
-    const vtableOffset = api['Klass::start_of_vtable'](NULL).toInt32();
-    klassSpec = getJvmKlassSpec(vtableOffset);
-  }
 
-  const getAdapterPointer = adapterInConstMethod
+  const getAdapterPointer = (adapterInConstMethodSize !== 0)
     ? function (method, constMethod) {
-      return constMethod.add(constantPoolOffset + 2 * pointerSize);
+      return constMethod.add(adapterInConstMethodOffset);
     }
     : function (method, constMethod) {
-      return method.add(i2iEntryOffset + pointerSize);
+      return method.add(adapterInMethodOffset);
     };
 
   return {
@@ -839,15 +865,28 @@ function _getJvmMethodSpec () {
     constantPool: {
       cacheOffset,
       instanceKlassOffset
-    },
-    instanceKlass: klassSpec
+    }
   };
 }
 
-function getJvmKlassSpec (vtableOffset) {
-  const { version: jvmVersion } = getApi();
+const vtableOffsetParsers = {
+  x64: parseX64VTableOffset
+};
+
+function _getJvmInstanceKlassSpec () {
+  const { version: jvmVersion, createNewDefaultVtableIndices } = getApi();
+
+  const tryParse = vtableOffsetParsers[Process.arch];
+  if (tryParse === undefined) {
+    throw new Error(`Missing vtable offset parser for ${Process.arch}`);
+  }
+
+  const vtableOffset = parseInstructionsAt(createNewDefaultVtableIndices, tryParse, { limit: 32 });
+  if (vtableOffset === null) {
+    throw new Error('Unable to deduce vtable offset');
+  }
 
-  const oopMultiplier = (jvmVersion >= 10 && jvmVersion <= 11) ? 17 : 18;
+  const oopMultiplier = ((jvmVersion >= 10 && jvmVersion <= 11) || jvmVersion >= 15) ? 17 : 18;
 
   const methodsOffset = vtableOffset - (7 * pointerSize);
   const memberNamesOffset = vtableOffset - (17 * pointerSize);
@@ -861,6 +900,31 @@ function getJvmKlassSpec (vtableOffset) {
   };
 }
 
+function parseX64VTableOffset (insn) {
+  if (insn.mnemonic !== 'mov') {
+    return null;
+  }
+
+  const dst = insn.operands[0];
+  if (dst.type !== 'mem') {
+    return null;
+  }
+
+  const { value: dstValue } = dst;
+  if (dstValue.scale !== 1) {
+    return null;
+  }
+
+  const { disp } = dstValue;
+  if (disp < 0x100) {
+    return null;
+  }
+
+  const defaultVtableIndicesOffset = disp;
+
+  return defaultVtableIndicesOffset + 16;
+}
+
 function deoptimizeEverything (vm, env) {
 }
 

package/lib/jvmti.js

@@ -0,0 +1,62 @@
+const { checkJniResult } = require('./result');
+
+const jvmtiVersion = {
+  v1_0: 0x30010000,
+  v1_2: 0x30010200
+};
+
+const jvmtiCapabilities = {
+  canTagObjects: 1
+};
+
+const { pointerSize } = Process;
+const nativeFunctionOptions = {
+  exceptions: 'propagate'
+};
+
+function EnvJvmti (handle, vm) {
+  this.handle = handle;
+  this.vm = vm;
+  this.vtable = handle.readPointer();
+}
+
+EnvJvmti.prototype.deallocate = proxy(47, 'int32', ['pointer', 'pointer'], function (impl, mem) {
+  return impl(this.handle, mem);
+});
+
+EnvJvmti.prototype.getLoadedClasses = proxy(78, 'int32', ['pointer', 'pointer', 'pointer'], function (impl, classCountPtr, classesPtr) {
+  const result = impl(this.handle, classCountPtr, classesPtr);
+  checkJniResult('EnvJvmti::getLoadedClasses', result);
+});
+
+EnvJvmti.prototype.iterateOverInstancesOfClass = proxy(112, 'int32', ['pointer', 'pointer', 'int', 'pointer', 'pointer'], function (impl, klass, objectFilter, heapObjectCallback, userData) {
+  const result = impl(this.handle, klass, objectFilter, heapObjectCallback, userData);
+  checkJniResult('EnvJvmti::iterateOverInstancesOfClass', result);
+});
+
+EnvJvmti.prototype.getObjectsWithTags = proxy(114, 'int32', ['pointer', 'int', 'pointer', 'pointer', 'pointer', 'pointer'], function (impl, tagCount, tags, countPtr, objectResultPtr, tagResultPtr) {
+  const result = impl(this.handle, tagCount, tags, countPtr, objectResultPtr, tagResultPtr);
+  checkJniResult('EnvJvmti::getObjectsWithTags', result);
+});
+
+EnvJvmti.prototype.addCapabilities = proxy(142, 'int32', ['pointer', 'pointer'], function (impl, capabilitiesPtr) {
+  return impl(this.handle, capabilitiesPtr);
+});
+
+function proxy (offset, retType, argTypes, wrapper) {
+  let impl = null;
+  return function () {
+    if (impl === null) {
+      impl = new NativeFunction(this.vtable.add((offset - 1) * pointerSize).readPointer(), retType, argTypes, nativeFunctionOptions);
+    }
+    let args = [impl];
+    args = args.concat.apply(args, arguments);
+    return wrapper.apply(this, args);
+  };
+}
+
+module.exports = {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+};

package/lib/machine-code.js

@@ -0,0 +1,22 @@
+function parseInstructionsAt (address, tryParse, { limit }) {
+  let cursor = address;
+  let prevInsn = null;
+
+  for (let i = 0; i !== limit; i++) {
+    const insn = Instruction.parse(cursor);
+
+    const value = tryParse(insn, prevInsn);
+    if (value !== null) {
+      return value;
+    }
+
+    cursor = insn.next;
+    prevInsn = insn;
+  }
+
+  return null;
+}
+
+module.exports = {
+  parseInstructionsAt
+};

package/lib/vm.js

@@ -107,12 +107,20 @@ function VM (api) {
   };
 
   this._tryGetEnv = function () {
+    const h = this.tryGetEnvHandle(JNI_VERSION_1_6);
+    if (h === null) {
+      return null;
+    }
+    return new Env(h, this);
+  };
+
+  this.tryGetEnvHandle = function (version) {
     const envBuf = Memory.alloc(pointerSize);
-    const result = getEnv(handle, envBuf, JNI_VERSION_1_6);
+    const result = getEnv(handle, envBuf, version);
     if (result !== JNI_OK) {
       return null;
     }
-    return new Env(envBuf.readPointer(), this);
+    return envBuf.readPointer();
   };
 
   this.makeHandleDestructor = function (handle) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "6.0.1",
+  "version": "6.1.1",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [
@@ -36,6 +36,7 @@
       "Instruction",
       "Int64",
       "Interceptor",
+      "MatchPattern",
       "Memory",
       "Module",
       "NULL",