frida-java-bridge 6.1.1 → 6.2.0

package/index.js

@@ -21,6 +21,19 @@ const jsizeSize = 4;
 const pointerSize = Process.pointerSize;
 
 class Runtime {
+  ACC_PUBLIC       = 0x0001;
+  ACC_PRIVATE      = 0x0002;
+  ACC_PROTECTED    = 0x0004;
+  ACC_STATIC       = 0x0008;
+  ACC_FINAL        = 0x0010;
+  ACC_SYNCHRONIZED = 0x0020;
+  ACC_BRIDGE       = 0x0040;
+  ACC_VARARGS      = 0x0080;
+  ACC_NATIVE       = 0x0100;
+  ACC_ABSTRACT     = 0x0400;
+  ACC_STRICT       = 0x0800;
+  ACC_SYNTHETIC    = 0x1000;
+
   constructor () {
     this.classFactory = null;
     this.ClassFactory = ClassFactory;

package/lib/android.js

@@ -30,6 +30,7 @@ const kAccSkipAccessChecks = 0x00080000;
 const kAccSingleImplementation = 0x08000000;
 const kAccNterpEntryPointFastPathFlag = 0x00100000;
 const kAccNterpInvokeFastPathFlag = 0x00200000;
+const kAccCompileDontBother = 0x01000000;
 const kAccPublicApi = 0x10000000;
 const kAccXposedHookedMethod = 0x10000000;
 
@@ -242,6 +243,9 @@ function _getApi () {
           _ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE: function (address) {
             this['art::mirror::Class::GetDescriptor'] = address;
           },
+          _ZN3art6mirror5Class11GetLocationEv: function (address) {
+            this['art::mirror::Class::GetLocation'] = makeCxxMethodWrapperReturningStdStringByValue(address, ['pointer']);
+          },
 
           _ZN3art9ArtMethod12PrettyMethodEb: function (address) {
             this['art::ArtMethod::PrettyMethod'] = makeCxxMethodWrapperReturningStdStringByValue(address, ['pointer', 'bool']);
@@ -332,6 +336,7 @@ function _getApi () {
           '_ZNK3art12StackVisitor24GetCurrentQuickFrameInfoEv',
           '_ZN3art6Thread18GetLongJumpContextEv',
           '_ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE',
+          '_ZN3art6mirror5Class11GetLocationEv',
           '_ZN3art9ArtMethod12PrettyMethodEb',
           '_ZN3art12PrettyMethodEPNS_9ArtMethodEb',
           '_ZN3art3Dbg13ConfigureJdwpERKNS_4JDWP11JdwpOptionsE',
@@ -2062,6 +2067,10 @@ function maybeInstrumentGetOatQuickMethodHeaderInlineCopies () {
     }
   }
 
+  if (impls.length === 0) {
+    return false;
+  }
+
   impls.forEach(handler.instrument);
 
   return true;
@@ -2266,6 +2275,7 @@ typedef struct _ArtStackFrame ArtStackFrame;
 typedef struct _ArtStackVisitor ArtStackVisitor;
 typedef struct _ArtStackVisitorVTable ArtStackVisitorVTable;
 
+typedef struct _ArtClass ArtClass;
 typedef struct _ArtMethod ArtMethod;
 typedef struct _ArtThread ArtThread;
 typedef struct _ArtContext ArtContext;
@@ -2336,6 +2346,12 @@ struct _ArtStackVisitor
   ArtBacktrace * backtrace;
 };
 
+struct _ArtMethod
+{
+  guint32 declaring_class;
+  guint32 access_flags;
+};
+
 extern GumTlsKey current_backtrace;
 
 extern void (* perform_art_thread_state_transition) (JNIEnv * env);
@@ -2349,6 +2365,7 @@ extern ArtMethod * art_stack_visitor_get_method (ArtStackVisitor * visitor);
 extern void art_stack_visitor_describe_location (StdString * description, ArtStackVisitor * visitor);
 extern ArtMethod * translate_method (ArtMethod * method);
 extern void translate_location (ArtMethod * method, guint32 pc, const gchar ** source_file, gint32 * line_number);
+extern void get_class_location (StdString * result, ArtClass * klass);
 extern void cxx_delete (void * mem);
 extern unsigned long strtoul (const char * str, char ** endptr, int base);
 
@@ -2491,6 +2508,7 @@ _get_frames (ArtBacktrace * backtrace)
     GString * signature;
     gchar * cursor;
     ArtMethod * translated_method;
+    StdString location;
     gsize dexpc;
     const gchar * source_file;
     gint32 line_number;
@@ -2555,6 +2573,8 @@ _get_frames (ArtBacktrace * backtrace)
     translated_method = translate_method (frame->method);
     dexpc = (translated_method == frame->method) ? frame->dexpc : 0;
 
+    get_class_location (&location, GSIZE_TO_POINTER (translated_method->declaring_class));
+
     translate_location (translated_method, dexpc, &source_file, &line_number);
 
     json_builder_begin_object (b);
@@ -2562,12 +2582,18 @@ _get_frames (ArtBacktrace * backtrace)
     json_builder_set_member_name (b, "signature");
     json_builder_add_string_value (b, signature->str);
 
+    json_builder_set_member_name (b, "origin");
+    json_builder_add_string_value (b, std_string_get_data (&location));
+
     json_builder_set_member_name (b, "className");
     json_builder_add_string_value (b, class_name);
 
     json_builder_set_member_name (b, "methodName");
     json_builder_add_string_value (b, method_name);
 
+    json_builder_set_member_name (b, "methodFlags");
+    json_builder_add_int_value (b, translated_method->access_flags);
+
     json_builder_set_member_name (b, "fileName");
     json_builder_add_string_value (b, source_file);
 
@@ -2576,6 +2602,7 @@ _get_frames (ArtBacktrace * backtrace)
 
     json_builder_end_object (b);
 
+    std_string_destroy (&location);
     g_string_free (signature, TRUE);
   }
 
@@ -2687,6 +2714,7 @@ std_string_get_data (StdString * str)
     art_stack_visitor_describe_location: api['art::StackVisitor::DescribeLocation'],
     translate_method: artController.replacedMethods.translate,
     translate_location: api['art::Monitor::TranslateLocation'],
+    get_class_location: api['art::mirror::Class::GetLocation'],
     cxx_delete: api.$delete,
     strtoul: Module.getExportByName('libc.so', 'strtoul')
   });
@@ -2782,7 +2810,7 @@ const artQuickCodeReplacementTrampolineWriters = {
   arm64: writeArtQuickCodeReplacementTrampolineArm64
 };
 
-function writeArtQuickCodeReplacementTrampolineIA32 (trampoline, target, redirectSize, vm) {
+function writeArtQuickCodeReplacementTrampolineIA32 (trampoline, target, redirectSize, constraints, vm) {
   const threadOffsets = getArtThreadSpec(vm).offset;
   const artMethodOffsets = getArtMethodSpec(vm).offset;
 
@@ -2845,7 +2873,7 @@ function writeArtQuickCodeReplacementTrampolineIA32 (trampoline, target, redirec
   return offset;
 }
 
-function writeArtQuickCodeReplacementTrampolineX64 (trampoline, target, redirectSize, vm) {
+function writeArtQuickCodeReplacementTrampolineX64 (trampoline, target, redirectSize, constraints, vm) {
   const threadOffsets = getArtThreadSpec(vm).offset;
   const artMethodOffsets = getArtMethodSpec(vm).offset;
 
@@ -2908,7 +2936,7 @@ function writeArtQuickCodeReplacementTrampolineX64 (trampoline, target, redirect
   return offset;
 }
 
-function writeArtQuickCodeReplacementTrampolineArm (trampoline, target, redirectSize, vm) {
+function writeArtQuickCodeReplacementTrampolineArm (trampoline, target, redirectSize, constraints, vm) {
   const artMethodOffsets = getArtMethodSpec(vm).offset;
 
   const targetAddress = target.and(THUMB_BIT_REMOVAL_MASK);
@@ -2995,7 +3023,7 @@ function writeArtQuickCodeReplacementTrampolineArm (trampoline, target, redirect
   return offset;
 }
 
-function writeArtQuickCodeReplacementTrampolineArm64 (trampoline, target, redirectSize, vm) {
+function writeArtQuickCodeReplacementTrampolineArm64 (trampoline, target, redirectSize, { availableScratchRegs }, vm) {
   const artMethodOffsets = getArtMethodSpec(vm).offset;
 
   let offset;
@@ -3064,8 +3092,9 @@ function writeArtQuickCodeReplacementTrampolineArm64 (trampoline, target, redire
     relocator.writeAll();
 
     if (!relocator.eoi) {
-      writer.putLdrRegAddress('x17', target.add(offset));
-      writer.putBrReg('x17');
+      const scratchReg = Array.from(availableScratchRegs)[0];
+      writer.putLdrRegAddress(scratchReg, target.add(offset));
+      writer.putBrReg(scratchReg);
     }
 
     writer.putLabel('invoke_replacement');
@@ -3142,7 +3171,7 @@ class ArtQuickCodeInterceptor {
     this.overwrittenPrologueLength = 0;
   }
 
-  _canRelocateCode (relocationSize) {
+  _canRelocateCode (relocationSize, constraints) {
     const Writer = thunkWriters[Process.arch];
     const Relocator = thunkRelocators[Process.arch];
 
@@ -3152,14 +3181,44 @@ class ArtQuickCodeInterceptor {
     const relocator = new Relocator(quickCodeAddress, writer);
 
     let offset;
-    do {
-      offset = relocator.readOne();
-    } while (offset < relocationSize && !relocator.eoi);
+    if (Process.arch === 'arm64') {
+      let availableScratchRegs = new Set(['x16', 'x17']);
+
+      do {
+        const nextOffset = relocator.readOne();
+
+        const nextScratchRegs = new Set(availableScratchRegs);
+        const { read, written } = relocator.input.regsAccessed;
+        for (const regs of [read, written]) {
+          for (const reg of regs) {
+            let name;
+            if (reg.startsWith('w')) {
+              name = 'x' + reg.substring(1);
+            } else {
+              name = reg;
+            }
+            nextScratchRegs.delete(name);
+          }
+        }
+        if (nextScratchRegs.size === 0) {
+          break;
+        }
+
+        offset = nextOffset;
+        availableScratchRegs = nextScratchRegs;
+      } while (offset < relocationSize && !relocator.eoi);
+
+      constraints.availableScratchRegs = availableScratchRegs;
+    } else {
+      do {
+        offset = relocator.readOne();
+      } while (offset < relocationSize && !relocator.eoi);
+    }
 
     return offset >= relocationSize;
   }
 
-  _createTrampoline () {
+  _allocateTrampoline () {
     if (trampolineAllocator === null) {
       const trampolineSize = (pointerSize === 4) ? 128 : 256;
       trampolineAllocator = makeCodeAllocator(trampolineSize);
@@ -3169,7 +3228,8 @@ class ArtQuickCodeInterceptor {
 
     let redirectSize, spec;
     let alignment = 1;
-    if (pointerSize === 4 || this._canRelocateCode(maxRedirectSize)) {
+    const constraints = {};
+    if (pointerSize === 4 || this._canRelocateCode(maxRedirectSize, constraints)) {
       redirectSize = maxRedirectSize;
 
       spec = {};
@@ -3189,6 +3249,8 @@ class ArtQuickCodeInterceptor {
 
     this.redirectSize = redirectSize;
     this.trampoline = trampolineAllocator.allocateSlice(spec, alignment);
+
+    return constraints;
   }
 
   _destroyTrampoline () {
@@ -3196,12 +3258,12 @@ class ArtQuickCodeInterceptor {
   }
 
   activate (vm) {
-    this._createTrampoline();
+    const constraints = this._allocateTrampoline();
 
     const { trampoline, quickCode, redirectSize } = this;
 
     const writeTrampoline = artQuickCodeReplacementTrampolineWriters[Process.arch];
-    const prologueLength = writeTrampoline(trampoline, quickCode, redirectSize, vm);
+    const prologueLength = writeTrampoline(trampoline, quickCode, redirectSize, constraints, vm);
     this.overwrittenPrologueLength = prologueLength;
 
     this.overwrittenPrologue = Memory.dup(this.quickCodeAddress, prologueLength);
@@ -3269,7 +3331,7 @@ class ArtMethodMangler {
 
     patchArtMethod(replacementMethodId, {
       jniCode: impl,
-      accessFlags: ((originalFlags & ~(kAccCriticalNative | kAccFastNative | kAccNterpEntryPointFastPathFlag)) | kAccNative) >>> 0,
+      accessFlags: ((originalFlags & ~(kAccCriticalNative | kAccFastNative | kAccNterpEntryPointFastPathFlag)) | kAccNative | kAccCompileDontBother) >>> 0,
       quickCode: api.artClassLinker.quickGenericJniTrampoline,
       interpreterCode: api.artInterpreterToCompiledCodeBridge
     }, vm);
@@ -3282,7 +3344,7 @@ class ArtMethodMangler {
     }
 
     patchArtMethod(hookedMethodId, {
-      accessFlags: (originalFlags & ~(hookedMethodRemovedFlags)) >>> 0
+      accessFlags: ((originalFlags & ~(hookedMethodRemovedFlags)) | kAccCompileDontBother) >>> 0
     }, vm);
 
     const quickCode = this.originalMethod.quickCode;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "6.1.1",
+  "version": "6.2.0",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [