frida-java-bridge 6.1.0 → 6.1.1

package/index.js

@@ -233,7 +233,7 @@ class Runtime {
 
     const visitClassLoaders = api['art::ClassLinker::VisitClassLoaders'];
     if (visitClassLoaders === undefined) {
-      throw new Error('This API is only available on Nougat and above');
+      throw new Error('This API is only available on Android >= 7.0');
     }
 
     const ClassLoader = factory.use('java.lang.ClassLoader');

package/lib/android.js

@@ -4,6 +4,7 @@ const {
   jvmtiCapabilities,
   EnvJvmti
 } = require('./jvmti');
+const { parseInstructionsAt } = require('./machine-code');
 const memoize = require('./memoize');
 const { checkJniResult, JNI_OK } = require('./result');
 const VM = require('./vm');
@@ -661,25 +662,12 @@ const instrumentationOffsetParsers = {
 };
 
 function tryDetectInstrumentationOffset (api) {
-  let cur = api['art::Runtime::DeoptimizeBootImage'];
-  if (cur === undefined) {
+  const impl = api['art::Runtime::DeoptimizeBootImage'];
+  if (impl === undefined) {
     return null;
   }
 
-  const tryParse = instrumentationOffsetParsers[Process.arch];
-
-  for (let i = 0; i !== 30; i++) {
-    const insn = Instruction.parse(cur);
-
-    const offset = tryParse(insn);
-    if (offset !== null) {
-      return offset;
-    }
-
-    cur = insn.next;
-  }
-
-  return null;
+  return parseInstructionsAt(impl, instrumentationOffsetParsers[Process.arch], { limit: 30 });
 }
 
 function parsex86InstrumentationOffset (insn) {
@@ -748,27 +736,17 @@ const jniIdsIndirectionOffsetParsers = {
 };
 
 function tryDetectJniIdsIndirectionOffset () {
-  let cur = Module.findExportByName('libart.so', '_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
-  if (cur === null) {
+  const impl = Module.findExportByName('libart.so', '_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
+  if (impl === null) {
     return null;
   }
 
-  const tryParse = jniIdsIndirectionOffsetParsers[Process.arch];
-
-  let prevInsn = null;
-  for (let i = 0; i !== 20; i++) {
-    const insn = Instruction.parse(cur);
-
-    const offset = tryParse(insn, prevInsn);
-    if (offset !== null) {
-      return offset;
-    }
-
-    cur = insn.next;
-    prevInsn = insn;
+  const offset = parseInstructionsAt(impl, jniIdsIndirectionOffsetParsers[Process.arch], { limit: 20 });
+  if (offset === null) {
+    throw new Error('Unable to determine Runtime.jni_ids_indirection_ offset');
   }
 
-  throw new Error('Unable to determine Runtime.jni_ids_indirection_ offset');
+  return offset;
 }
 
 function parsex86JniIdsIndirectionOffset (insn) {
@@ -1979,31 +1957,29 @@ function validateGetOatQuickMethodHeaderInlinedMatchArm ({ address, size }) {
     targetWhenRuntimeMethod = targetWhenFalse;
   }
 
-  let cursor = targetWhenRegularMethod.or(1);
-  for (let i = 0; i !== 3; i++) {
-    const insn = Instruction.parse(cursor);
-    cursor = insn.next;
+  return parseInstructionsAt(targetWhenRegularMethod.or(1), tryParse, { limit: 3 });
 
+  function tryParse (insn) {
     const { mnemonic } = insn;
     if (!(mnemonic === 'ldr' || mnemonic === 'ldr.w')) {
-      continue;
+      return null;
     }
 
     const { base, disp } = insn.operands[1].value;
-    if (base === methodReg && disp === 0x14) {
-      return {
-        methodReg,
-        scratchReg,
-        target: {
-          whenTrue: targetWhenTrue,
-          whenRegularMethod: targetWhenRegularMethod,
-          whenRuntimeMethod: targetWhenRuntimeMethod
-        }
-      };
+    if (!(base === methodReg && disp === 0x14)) {
+      return null;
     }
-  }
 
-  return null;
+    return {
+      methodReg,
+      scratchReg,
+      target: {
+        whenTrue: targetWhenTrue,
+        whenRegularMethod: targetWhenRegularMethod,
+        whenRuntimeMethod: targetWhenRuntimeMethod
+      }
+    };
+  }
 }
 
 function validateGetOatQuickMethodHeaderInlinedMatchArm64 ({ address, size }) {
@@ -2024,30 +2000,28 @@ function validateGetOatQuickMethodHeaderInlinedMatchArm64 ({ address, size }) {
     targetWhenRuntimeMethod = targetWhenFalse;
   }
 
-  let cursor = targetWhenRegularMethod;
-  for (let i = 0; i !== 3; i++) {
-    const insn = Instruction.parse(cursor);
-    cursor = insn.next;
+  return parseInstructionsAt(targetWhenRegularMethod, tryParse, { limit: 3 });
 
+  function tryParse (insn) {
     if (insn.mnemonic !== 'ldr') {
-      continue;
+      return null;
     }
 
     const { base, disp } = insn.operands[1].value;
-    if (base === methodReg && disp === 0x18) {
-      return {
-        methodReg,
-        scratchReg,
-        target: {
-          whenTrue: targetWhenTrue,
-          whenRegularMethod: targetWhenRegularMethod,
-          whenRuntimeMethod: targetWhenRuntimeMethod
-        }
-      };
+    if (!(base === methodReg && disp === 0x18)) {
+      return null;
     }
-  }
 
-  return null;
+    return {
+      methodReg,
+      scratchReg,
+      target: {
+        whenTrue: targetWhenTrue,
+        whenRegularMethod: targetWhenRegularMethod,
+        whenRuntimeMethod: targetWhenRuntimeMethod
+      }
+    };
+  }
 }
 
 function maybeInstrumentGetOatQuickMethodHeaderInlineCopies () {
@@ -3559,6 +3533,10 @@ function deoptimizeEverything (vm, env) {
 function deoptimizeBootImage (vm, env) {
   const api = getApi();
 
+  if (getAndroidApiLevel() < 26) {
+    throw new Error('This API is only available on Android >= 8.0');
+  }
+
   withRunnableArtThread(vm, env, thread => {
     api['art::Runtime::DeoptimizeBootImage'](api.artRuntime);
   });
@@ -3568,7 +3546,7 @@ function requestDeoptimization (vm, env, kind, method) {
   const api = getApi();
 
   if (getAndroidApiLevel() < 24) {
-    throw new Error('This API is only available on Nougat and above');
+    throw new Error('This API is only available on Android >= 7.0');
   }
 
   withRunnableArtThread(vm, env, thread => {

package/lib/jvm.js

@@ -3,6 +3,7 @@ const {
   jvmtiCapabilities,
   EnvJvmti
 } = require('./jvmti');
+const { parseInstructionsAt } = require('./machine-code');
 const memoize = require('./memoize');
 const { checkJniResult } = require('./result');
 const VM = require('./vm');
@@ -22,6 +23,7 @@ const nativeFunctionOptions = {
 };
 
 const getJvmMethodSpec = memoize(_getJvmMethodSpec);
+const getJvmInstanceKlassSpec = memoize(_getJvmInstanceKlassSpec);
 const getJvmThreadSpec = memoize(_getJvmThreadSpec);
 
 let cachedApi = null;
@@ -57,6 +59,9 @@ function _getApi () {
       _ZN6Method4sizeEb: ['Method::size', 'int', ['int']],
       _ZN6Method19set_native_functionEPhb: ['Method::set_native_function', 'void', ['pointer', 'pointer', 'int']],
       _ZN6Method21clear_native_functionEv: ['Method::clear_native_function', 'void', ['pointer']],
+      // JDK >= 17
+      _ZN6Method24restore_unshareable_infoEP10JavaThread: ['Method::restore_unshareable_info', 'void', ['pointer', 'pointer']],
+      // JDK < 17
       _ZN6Method24restore_unshareable_infoEP6Thread: ['Method::restore_unshareable_info', 'void', ['pointer', 'pointer']],
       _ZN6Method10jmethod_idEv: ['Method::jmethod_id', 'pointer', ['pointer']],
       _ZN6Method10clear_codeEv: function (address) {
@@ -73,8 +78,6 @@ function _getApi () {
         };
       },
 
-      _ZNK5Klass15start_of_vtableEv: ['Klass::start_of_vtable', 'pointer', ['pointer']],
-      _ZNK13InstanceKlass6vtableEv: ['InstanceKlass::vtable', 'pointer', ['pointer']],
       // JDK >= 13
       _ZN18VM_RedefineClasses19mark_dependent_codeEP13InstanceKlass: ['VM_RedefineClasses::mark_dependent_code', 'void', ['pointer', 'pointer']],
       _ZN18VM_RedefineClasses20flush_dependent_codeEv: ['VM_RedefineClasses::flush_dependent_code', 'void', []],
@@ -157,6 +160,16 @@ function _getApi () {
       _ZNK18VM_RedefineClasses14print_on_errorEP12outputStream: function (address) {
         this.redefineClassesOnError = address;
       },
+
+      // JDK >= 17
+      _ZN13InstanceKlass33create_new_default_vtable_indicesEiP10JavaThread: function (address) {
+        this.createNewDefaultVtableIndices = address;
+      },
+      // JDK < 17
+      _ZN13InstanceKlass33create_new_default_vtable_indicesEiP6Thread: function (address) {
+        this.createNewDefaultVtableIndices = address;
+      },
+
       _ZN19Abstract_VM_Version19jre_release_versionEv: function (address) {
         const getVersion = new NativeFunction(address, 'pointer', [], nativeFunctionOptions);
         const versionS = getVersion().readCString();
@@ -167,6 +180,7 @@ function _getApi () {
             : parseInt(versionS.slice(0, 2), 10);
         this.versionS = versionS;
       },
+
       _ZN14NMethodSweeper11_traversalsE: function (address) {
         this.traversals = address;
       },
@@ -178,36 +192,41 @@ function _getApi () {
       }
     },
     optionals: [
+      '_ZN6Method24restore_unshareable_infoEP10JavaThread',
+      '_ZN6Method24restore_unshareable_infoEP6Thread',
+      '_ZN6Method10clear_codeEv',
+      '_ZN6Method10clear_codeEb',
+
       '_ZN18VM_RedefineClasses19mark_dependent_codeEP13InstanceKlass',
       '_ZN18VM_RedefineClasses20flush_dependent_codeEv',
       '_ZN18VM_RedefineClasses20flush_dependent_codeEP13InstanceKlassP6Thread',
       '_ZN18VM_RedefineClasses20flush_dependent_codeE19instanceKlassHandleP6Thread',
 
-      '_ZNK5Klass15start_of_vtableEv',
-      '_ZNK13InstanceKlass6vtableEv',
-
       '_ZN19ResolvedMethodTable21adjust_method_entriesEPb',
       '_ZN15MemberNameTable21adjust_method_entriesEP13InstanceKlassPb',
 
       '_ZN17ConstantPoolCache21adjust_method_entriesEPb',
       '_ZN17ConstantPoolCache21adjust_method_entriesEP13InstanceKlassPb',
 
+      '_ZN20ClassLoaderDataGraph22clean_deallocate_listsEb',
+
+      '_ZN10JavaThread27thread_from_jni_environmentEP7JNIEnv_',
+
+      '_ZN14NMethodSweeper11force_sweepEv',
+      '_ZN14NMethodSweeper17sweep_in_progressEv',
+
       '_ZN18VM_RedefineClasses14_the_class_oopE',
       '_ZN18VM_RedefineClasses10_the_classE',
       '_ZN18VM_RedefineClasses25AdjustCpoolCacheAndVtable8do_klassEP5Klass',
       '_ZN18VM_RedefineClasses22AdjustAndCleanMetadata8do_klassEP5Klass',
-
       '_ZN18VM_RedefineClassesD0Ev',
       '_ZN18VM_RedefineClassesD1Ev',
       '_ZNK18VM_RedefineClasses14print_on_errorEP12outputStream',
 
-      '_ZN6Method10clear_codeEv',
-      '_ZN6Method10clear_codeEb',
+      '_ZN13InstanceKlass33create_new_default_vtable_indicesEiP10JavaThread',
+      '_ZN13InstanceKlass33create_new_default_vtable_indicesEiP6Thread',
 
-      '_ZN20ClassLoaderDataGraph22clean_deallocate_listsEb',
-      '_ZN14NMethodSweeper11force_sweepEv',
-      '_ZN14NMethodSweeper21_sweep_fractions_leftE',
-      '_ZN14NMethodSweeper17sweep_in_progressEv'
+      '_ZN14NMethodSweeper21_sweep_fractions_leftE'
     ]
   }];
 
@@ -292,6 +311,10 @@ function _getApi () {
 
   temporaryApi.jvmti = getEnvJvmti(temporaryApi);
 
+  if (temporaryApi['JavaThread::thread_from_jni_environment'] === undefined) {
+    temporaryApi['JavaThread::thread_from_jni_environment'] = makeThreadFromJniHelper(temporaryApi);
+  }
+
   return temporaryApi;
 }
 
@@ -315,6 +338,44 @@ function getEnvJvmti (api) {
   return env;
 }
 
+const threadOffsetParsers = {
+  x64: parseX64ThreadOffset
+};
+
+function makeThreadFromJniHelper (api) {
+  let offset = null;
+
+  const tryParse = threadOffsetParsers[Process.arch];
+  if (tryParse !== undefined) {
+    const vm = new VM(api);
+    const findClassImpl = vm.perform(env => env.handle.readPointer().add(6 * pointerSize).readPointer());
+    offset = parseInstructionsAt(findClassImpl, tryParse, { limit: 10 });
+  }
+
+  if (offset === null) {
+    return () => {
+      throw new Error('Unable to make thread_from_jni_environment() helper for the current architecture');
+    };
+  }
+
+  return env => {
+    return env.add(offset);
+  };
+}
+
+function parseX64ThreadOffset (insn) {
+  if (insn.mnemonic !== 'lea') {
+    return null;
+  }
+
+  const { base, disp } = insn.operands[1].value;
+  if (!(base === 'rdi' && disp < 0)) {
+    return null;
+  }
+
+  return disp;
+}
+
 function ensureClassInitialized (env, classRef) {
 }
 
@@ -489,13 +550,15 @@ function withJvmThread (fn, fnPrologue, fnEpilogue) {
   const doIt = new NativeCallback(fn, 'void', ['pointer']);
   vtableDup.add(doItOffset).writePointer(doIt);
 
+  let prologue = null;
   if (fnPrologue !== undefined) {
-    const prologue = new NativeCallback(fnPrologue, 'int', ['pointer']);
+    prologue = new NativeCallback(fnPrologue, 'int', ['pointer']);
     vtableDup.add(prologueOffset).writePointer(prologue);
   }
 
+  let epilogue = null;
   if (fnEpilogue !== undefined) {
-    const epilogue = new NativeCallback(fnEpilogue, 'void', ['pointer']);
+    epilogue = new NativeCallback(fnEpilogue, 'void', ['pointer']);
     vtableDup.add(epilogueOffset).writePointer(epilogue);
   }
 
@@ -686,24 +749,19 @@ function readJvmMethod (method, constMethod, constMethodSize) {
   const instanceKlass = constantPool.add(spec.constantPool.instanceKlassOffset).readPointer();
   const cache = constantPool.add(spec.constantPool.cacheOffset).readPointer();
 
-  if (spec.instanceKlass === undefined) {
-    const klassVtable = api['InstanceKlass::vtable'](instanceKlass);
-    const vtableOffset = klassVtable.add(pointerSize).readS32();
-    const klassSpec = getJvmKlassSpec(vtableOffset);
-    spec.instanceKlass = klassSpec;
-  }
+  const instanceKlassSpec = getJvmInstanceKlassSpec();
 
-  const methods = instanceKlass.add(spec.instanceKlass.methodsOffset).readPointer();
+  const methods = instanceKlass.add(instanceKlassSpec.methodsOffset).readPointer();
   const methodsCount = methods.readS32();
   const methodsArray = methods.add(pointerSize);
   const methodIndex = constMethod.add(spec.constMethod.methodIdnumOffset).readU16();
   const vtableIndexPtr = method.add(spec.method.vtableIndexOffset);
   const vtableIndex = vtableIndexPtr.readS32();
-  const vtable = instanceKlass.add(spec.instanceKlass.vtableOffset);
-  const oopMapCache = instanceKlass.add(spec.instanceKlass.oopMapCacheOffset).readPointer();
+  const vtable = instanceKlass.add(instanceKlassSpec.vtableOffset);
+  const oopMapCache = instanceKlass.add(instanceKlassSpec.oopMapCacheOffset).readPointer();
 
   const memberNames = (api.version >= 10)
-    ? instanceKlass.add(spec.instanceKlass.memberNamesOffset).readPointer()
+    ? instanceKlass.add(instanceKlassSpec.memberNamesOffset).readPointer()
     : NULL;
 
   return {
@@ -741,39 +799,48 @@ function revertJvmMethod (method) {
 
 function _getJvmMethodSpec () {
   const api = getApi();
+  const { version } = api;
 
-  const adapterInConstMethod = (api.version > 8) ? 1 : 0;
+  let adapterHandlerLocation;
+  if (version >= 17) {
+    adapterHandlerLocation = 'method:early';
+  } else if (version >= 9 && version <= 16) {
+    adapterHandlerLocation = 'const-method';
+  } else {
+    adapterHandlerLocation = 'method:late';
+  }
 
   const isNative = 1;
   const methodSize = api['Method::size'](isNative) * pointerSize;
   const constMethodOffset = pointerSize;
   const methodDataOffset = 2 * pointerSize;
   const methodCountersOffset = 3 * pointerSize;
-  const accessFlagsOffset = 4 * pointerSize;
+  const adapterInMethodEarlyOffset = 4 * pointerSize;
+  const adapterInMethodEarlySize = (adapterHandlerLocation === 'method:early') ? pointerSize : 0;
+  const accessFlagsOffset = adapterInMethodEarlyOffset + adapterInMethodEarlySize;
   const vtableIndexOffset = accessFlagsOffset + 4;
-  const i2iEntryOffset = vtableIndexOffset + 4 + pointerSize;
+  const i2iEntryOffset = vtableIndexOffset + 4 + 8;
+  const adapterInMethodLateOffset = i2iEntryOffset + pointerSize;
+  const adapterInMethodOffset = (adapterInMethodEarlySize !== 0) ? adapterInMethodEarlyOffset : adapterInMethodLateOffset;
   const nativeFunctionOffset = methodSize - 2 * pointerSize;
   const signatureHandlerOffset = methodSize - pointerSize;
 
-  const constantPoolOffset = pointerSize;
-  const stackmapDataOffset = 2 * pointerSize;
-  const constMethodSizeOffset = (3 + adapterInConstMethod) * pointerSize;
+  const constantPoolOffset = 8;
+  const stackmapDataOffset = constantPoolOffset + pointerSize;
+  const adapterInConstMethodOffset = stackmapDataOffset + pointerSize;
+  const adapterInConstMethodSize = (adapterHandlerLocation === 'const-method') ? pointerSize : 0;
+  const constMethodSizeOffset = adapterInConstMethodOffset + adapterInConstMethodSize;
   const methodIdnumOffset = constMethodSizeOffset + 0xe;
 
   const cacheOffset = 2 * pointerSize;
   const instanceKlassOffset = 3 * pointerSize;
-  let klassSpec;
-  if ('Klass::start_of_vtable' in api) {
-    const vtableOffset = api['Klass::start_of_vtable'](NULL).toInt32();
-    klassSpec = getJvmKlassSpec(vtableOffset);
-  }
 
-  const getAdapterPointer = adapterInConstMethod
+  const getAdapterPointer = (adapterInConstMethodSize !== 0)
     ? function (method, constMethod) {
-      return constMethod.add(constantPoolOffset + 2 * pointerSize);
+      return constMethod.add(adapterInConstMethodOffset);
     }
     : function (method, constMethod) {
-      return method.add(i2iEntryOffset + pointerSize);
+      return method.add(adapterInMethodOffset);
     };
 
   return {
@@ -798,15 +865,28 @@ function _getJvmMethodSpec () {
     constantPool: {
       cacheOffset,
       instanceKlassOffset
-    },
-    instanceKlass: klassSpec
+    }
   };
 }
 
-function getJvmKlassSpec (vtableOffset) {
-  const { version: jvmVersion } = getApi();
+const vtableOffsetParsers = {
+  x64: parseX64VTableOffset
+};
+
+function _getJvmInstanceKlassSpec () {
+  const { version: jvmVersion, createNewDefaultVtableIndices } = getApi();
+
+  const tryParse = vtableOffsetParsers[Process.arch];
+  if (tryParse === undefined) {
+    throw new Error(`Missing vtable offset parser for ${Process.arch}`);
+  }
 
-  const oopMultiplier = (jvmVersion >= 10 && jvmVersion <= 11) ? 17 : 18;
+  const vtableOffset = parseInstructionsAt(createNewDefaultVtableIndices, tryParse, { limit: 32 });
+  if (vtableOffset === null) {
+    throw new Error('Unable to deduce vtable offset');
+  }
+
+  const oopMultiplier = ((jvmVersion >= 10 && jvmVersion <= 11) || jvmVersion >= 15) ? 17 : 18;
 
   const methodsOffset = vtableOffset - (7 * pointerSize);
   const memberNamesOffset = vtableOffset - (17 * pointerSize);
@@ -820,6 +900,31 @@ function getJvmKlassSpec (vtableOffset) {
   };
 }
 
+function parseX64VTableOffset (insn) {
+  if (insn.mnemonic !== 'mov') {
+    return null;
+  }
+
+  const dst = insn.operands[0];
+  if (dst.type !== 'mem') {
+    return null;
+  }
+
+  const { value: dstValue } = dst;
+  if (dstValue.scale !== 1) {
+    return null;
+  }
+
+  const { disp } = dstValue;
+  if (disp < 0x100) {
+    return null;
+  }
+
+  const defaultVtableIndicesOffset = disp;
+
+  return defaultVtableIndicesOffset + 16;
+}
+
 function deoptimizeEverything (vm, env) {
 }
 

package/lib/machine-code.js

@@ -0,0 +1,22 @@
+function parseInstructionsAt (address, tryParse, { limit }) {
+  let cursor = address;
+  let prevInsn = null;
+
+  for (let i = 0; i !== limit; i++) {
+    const insn = Instruction.parse(cursor);
+
+    const value = tryParse(insn, prevInsn);
+    if (value !== null) {
+      return value;
+    }
+
+    cursor = insn.next;
+    prevInsn = insn;
+  }
+
+  return null;
+}
+
+module.exports = {
+  parseInstructionsAt
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "6.1.0",
+  "version": "6.1.1",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [