frida-java-bridge 6.3.6 → 6.3.8

package/index.js

@@ -214,29 +214,23 @@ class Runtime {
     const { vm, api } = this;
     const env = vm.getEnv();
 
-    const classHandles = [];
     const addGlobalReference = api['art::JavaVMExt::AddGlobalRef'];
     const { vm: vmHandle } = api;
     withRunnableArtThread(vm, env, thread => {
       const collectClassHandles = makeArtClassVisitor(klass => {
-        classHandles.push(addGlobalReference(vmHandle, thread, klass));
+        const handle = addGlobalReference(vmHandle, thread, klass);
+        try {
+          const className = env.getClassName(handle);
+          callbacks.onMatch(className, handle);
+        } finally {
+          env.deleteGlobalRef(handle);
+        }
         return true;
       });
 
       api['art::ClassLinker::VisitClasses'](api.artClassLinker.address, collectClassHandles);
     });
 
-    try {
-      classHandles.forEach(handle => {
-        const className = env.getClassName(handle);
-        callbacks.onMatch(className, handle);
-      });
-    } finally {
-      classHandles.forEach(handle => {
-        env.deleteGlobalRef(handle);
-      });
-    }
-
     callbacks.onComplete();
   }
 

package/lib/android.js

@@ -139,13 +139,25 @@ function _getApi () {
 
   const temporaryApi = {
     module: vmModule,
+    find (name) {
+      const { module } = this;
+      let address = module.findExportByName(name);
+      if (address === null) {
+        address = module.findSymbolByName(name);
+      }
+      return address;
+    },
     flavor,
     addLocalReference: null
   };
 
+  temporaryApi.isApiLevel34OrApexEquivalent = isArt && (
+    temporaryApi.find('_ZN3art7AppInfo29GetPrimaryApkReferenceProfileEv') !== null ||
+    temporaryApi.find('_ZN3art6Thread15RunFlipFunctionEPS0_') !== null
+  );
+
   const pending = isArt
-    ? [{
-        module: vmModule.path,
+    ? {
         functions: {
           JNI_GetCreatedJavaVMs: ['JNI_GetCreatedJavaVMs', 'int', ['pointer', 'int', 'pointer']],
 
@@ -312,7 +324,7 @@ function _getApi () {
             this.isDebuggerActive = () => !!address.readU8();
           }
         },
-        optionals: [
+        optionals: new Set([
           'artInterpreterToCompiledCodeBridge',
           '_ZN3art9JavaVMExt12AddGlobalRefEPNS_6ThreadENS_6ObjPtrINS_6mirror6ObjectEEE',
           '_ZN3art9JavaVMExt12AddGlobalRefEPNS_6ThreadEPNS_6mirror6ObjectE',
@@ -360,10 +372,9 @@ function _getApi () {
           '_ZN3art3jni12JniIdManager14DecodeMethodIdEP10_jmethodID',
           '_ZN3art11interpreter18GetNterpEntryPointEv',
           '_ZN3art7Monitor17TranslateLocationEPNS_9ArtMethodEjPPKcPi'
-        ]
-      }]
-    : [{
-        module: vmModule.path,
+        ])
+      }
+    : {
         functions: {
           _Z20dvmDecodeIndirectRefP6ThreadP8_jobject: ['dvmDecodeIndirectRef', 'pointer', ['pointer', 'pointer']],
           _Z15dvmUseJNIBridgeP6MethodPv: ['dvmUseJNIBridge', 'void', ['pointer', 'pointer']],
@@ -380,52 +391,41 @@ function _getApi () {
             this.gDvm = address;
           }
         }
-      }];
+      };
+
+  const {
+    functions = {},
+    variables = {},
+    optionals = new Set()
+  } = pending;
 
   const missing = [];
 
-  pending.forEach(function (api) {
-    const functions = api.functions || {};
-    const variables = api.variables || {};
-    const optionals = new Set(api.optionals || []);
-
-    const exportByName = Module
-      .enumerateExports(api.module)
-      .reduce(function (result, exp) {
-        result[exp.name] = exp;
-        return result;
-      }, {});
-
-    Object.keys(functions)
-      .forEach(function (name) {
-        const exp = exportByName[name];
-        if (exp !== undefined && exp.type === 'function') {
-          const signature = functions[name];
-          if (typeof signature === 'function') {
-            signature.call(temporaryApi, exp.address);
-          } else {
-            temporaryApi[signature[0]] = new NativeFunction(exp.address, signature[1], signature[2], nativeFunctionOptions);
-          }
-        } else {
-          if (!optionals.has(name)) {
-            missing.push(name);
-          }
-        }
-      });
+  for (const [name, signature] of Object.entries(functions)) {
+    const address = temporaryApi.find(name);
+    if (address !== null) {
+      if (typeof signature === 'function') {
+        signature.call(temporaryApi, address);
+      } else {
+        temporaryApi[signature[0]] = new NativeFunction(address, signature[1], signature[2], nativeFunctionOptions);
+      }
+    } else {
+      if (!optionals.has(name)) {
+        missing.push(name);
+      }
+    }
+  }
 
-    Object.keys(variables)
-      .forEach(function (name) {
-        const exp = exportByName[name];
-        if (exp !== undefined && exp.type === 'variable') {
-          const handler = variables[name];
-          handler.call(temporaryApi, exp.address);
-        } else {
-          if (!optionals.has(name)) {
-            missing.push(name);
-          }
-        }
-      });
-  });
+  for (const [name, handler] of Object.entries(variables)) {
+    const address = temporaryApi.find(name);
+    if (address !== null) {
+      handler.call(temporaryApi, address);
+    } else {
+      if (!optionals.has(name)) {
+        missing.push(name);
+      }
+    }
+  }
 
   if (missing.length > 0) {
     throw new Error('Java API only partially available; please file a bug. Missing: ' + missing.join(', '));
@@ -501,9 +501,11 @@ function _getApi () {
     }
     if (temporaryApi['art::interpreter::GetNterpEntryPoint'] !== undefined) {
       temporaryApi.artNterpEntryPoint = temporaryApi['art::interpreter::GetNterpEntryPoint']();
+    } else {
+      temporaryApi.artNterpEntryPoint = temporaryApi.find('ExecuteNterpImpl');
     }
 
-    artController = makeArtController(vm);
+    artController = makeArtController(temporaryApi, vm);
 
     fixupArtQuickDeliverExceptionBug(temporaryApi);
 
@@ -518,7 +520,7 @@ function _getApi () {
     });
   }
 
-  const cxxImports = Module.enumerateImports(vmModule.path)
+  const cxxImports = vmModule.enumerateImports()
     .filter(imp => imp.name.indexOf('_Z') === 0)
     .reduce((result, imp) => {
       result[imp.name] = imp.address;
@@ -536,8 +538,11 @@ function tryGetEnvJvmti (vm, runtime) {
   let env = null;
 
   vm.perform(() => {
-    const ensurePluginLoaded = new NativeFunction(
-      Module.getExportByName('libart.so', '_ZN3art7Runtime18EnsurePluginLoadedEPKcPNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE'),
+    const ensurePluginLoadedAddr = getApi().find('_ZN3art7Runtime18EnsurePluginLoadedEPKcPNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE');
+    if (ensurePluginLoadedAddr === null) {
+      return;
+    }
+    const ensurePluginLoaded = new NativeFunction(ensurePluginLoadedAddr,
       'bool',
       ['pointer', 'pointer', 'pointer']);
     const errorPtr = Memory.alloc(pointerSize);
@@ -623,7 +628,7 @@ function _getArtRuntimeSpec (api) {
 
   const apiLevel = getAndroidApiLevel();
   const codename = getAndroidCodename();
-  const isApiLevel34OrApexEquivalent = Module.findExportByName('libart.so', '_ZN3art7AppInfo29GetPrimaryApkReferenceProfileEv') !== null;
+  const { isApiLevel34OrApexEquivalent } = api;
 
   let spec = null;
 
@@ -632,7 +637,7 @@ function _getArtRuntimeSpec (api) {
     if (value.equals(vm)) {
       let classLinkerOffsets;
       let jniIdManagerOffset = null;
-      if (apiLevel >= 33 || codename === 'Tiramisu') {
+      if (apiLevel >= 33 || codename === 'Tiramisu' || isApiLevel34OrApexEquivalent) {
         classLinkerOffsets = [offset - (4 * pointerSize)];
         jniIdManagerOffset = offset - pointerSize;
       } else if (apiLevel >= 30 || codename === 'R') {
@@ -685,7 +690,7 @@ function _getArtRuntimeSpec (api) {
   }
 
   spec.offset.instrumentation = tryDetectInstrumentationOffset(api);
-  spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset();
+  spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset(api);
 
   return spec;
 }
@@ -771,8 +776,8 @@ const jniIdsIndirectionOffsetParsers = {
   arm64: parseArm64JniIdsIndirectionOffset
 };
 
-function tryDetectJniIdsIndirectionOffset () {
-  const impl = Module.findExportByName('libart.so', '_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
+function tryDetectJniIdsIndirectionOffset (api) {
+  const impl = api.find('_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE');
   if (impl === null) {
     return null;
   }
@@ -828,6 +833,7 @@ function _getArtInstrumentationSpec () {
     '4-28': 212,
     '4-29': 172,
     '4-30': 180,
+    '4-31': 180,
     '8-21': 224,
     '8-22': 224,
     '8-23': 296,
@@ -837,7 +843,8 @@ function _getArtInstrumentationSpec () {
     '8-27': 352,
     '8-28': 392,
     '8-29': 328,
-    '8-30': 336
+    '8-30': 336,
+    '8-31': 336
   };
 
   const deoptEnabledOffset = deoptimizationEnabledOffsets[`${pointerSize}-${getAndroidApiLevel()}`];
@@ -943,6 +950,8 @@ function tryGetArtClassLinkerSpec (runtime, runtimeSpec) {
 
   if (spec !== null) {
     cachedArtClassLinkerSpec = spec;
+  } else {
+    throw new Error('Unable to determine ClassLinker field offsets');
   }
 
   return spec;
@@ -1568,7 +1577,7 @@ function notifyArtMethodHooked (method, vm) {
   ensureArtKnowsHowToHandleReplacementMethods(vm);
 }
 
-function makeArtController (vm) {
+function makeArtController (api, vm) {
   const threadOffsets = getArtThreadSpec(vm).offset;
   const managedStackOffsets = getArtManagedStackSpec().offset;
 
@@ -1776,10 +1785,9 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
   const replacements = methods.add(methodsSize);
   const lastSeenArtMethod = replacements.add(replacementsSize);
 
-  const getOatQuickMethodHeaderImpl = Module.findExportByName('libart.so',
-    (pointerSize === 4)
-      ? '_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj'
-      : '_ZN3art9ArtMethod23GetOatQuickMethodHeaderEm');
+  const getOatQuickMethodHeaderImpl = api.find((pointerSize === 4)
+    ? '_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj'
+    : '_ZN3art9ArtMethod23GetOatQuickMethodHeaderEm');
 
   const cm = new CModule(code, {
     lock,
@@ -1853,19 +1861,31 @@ function instrumentArtQuickEntrypoints (vm) {
 }
 
 function instrumentArtMethodInvocationFromInterpreter () {
+  const api = getApi();
+
   const apiLevel = getAndroidApiLevel();
+  const { isApiLevel34OrApexEquivalent } = api;
 
   let artInterpreterDoCallExportRegex;
   if (apiLevel <= 22) {
     artInterpreterDoCallExportRegex = /^_ZN3art11interpreter6DoCallILb[0-1]ELb[0-1]EEEbPNS_6mirror9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE$/;
-  } else if (apiLevel <= 33) {
+  } else if (apiLevel <= 33 && !isApiLevel34OrApexEquivalent) {
     artInterpreterDoCallExportRegex = /^_ZN3art11interpreter6DoCallILb[0-1]ELb[0-1]EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE$/;
-  } else {
+  } else if (isApiLevel34OrApexEquivalent) {
     artInterpreterDoCallExportRegex = /^_ZN3art11interpreter6DoCallILb[0-1]EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtbPNS_6JValueE$/;
+  } else {
+    throw new Error('Unable to find method invocation in ART; please file a bug');
+  }
+
+  const art = api.module;
+  const entries = [...art.enumerateExports(), ...art.enumerateSymbols()].filter(entry => artInterpreterDoCallExportRegex.test(entry.name));
+
+  if (entries.length === 0) {
+    throw new Error('Unable to find method invocation in ART; please file a bug');
   }
 
-  for (const exp of Module.enumerateExports('libart.so').filter(exp => artInterpreterDoCallExportRegex.test(exp.name))) {
-    Interceptor.attach(exp.address, artController.hooks.Interpreter.doCall);
+  for (const entry of entries) {
+    Interceptor.attach(entry.address, artController.hooks.Interpreter.doCall);
   }
 }
 
@@ -1893,29 +1913,24 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
 
   const apiLevel = getAndroidApiLevel();
 
-  const mayUseCollector = (apiLevel > 28)
-    ? (type) => {
-        const impl = Module.findExportByName('libart.so', '_ZNK3art2gc4Heap15MayUseCollectorENS0_13CollectorTypeE');
-        if (impl === null) {
-          return false;
-        }
-        return new NativeFunction(impl, 'bool', ['pointer', 'int'])(getApi().artHeap, type);
-      }
-    : () => false;
-  const kCollectorTypeCMC = 3;
+  let copyingPhase = null;
+  const api = getApi();
+  if (apiLevel > 28) {
+    copyingPhase = api.find('_ZN3art2gc9collector17ConcurrentCopying12CopyingPhaseEv');
+  } else if (apiLevel > 22) {
+    copyingPhase = api.find('_ZN3art2gc9collector17ConcurrentCopying12MarkingPhaseEv');
+  }
+  if (copyingPhase !== null) {
+    Interceptor.attach(copyingPhase, artController.hooks.Gc.copyingPhase);
+  }
 
-  if (mayUseCollector(kCollectorTypeCMC)) {
-    Interceptor.attach(Module.getExportByName('libart.so', '_ZN3art6Thread15RunFlipFunctionEPS0_b'), artController.hooks.Gc.runFlip);
-  } else {
-    let copyingPhase = null;
-    if (apiLevel > 28) {
-      copyingPhase = Module.findExportByName('libart.so', '_ZN3art2gc9collector17ConcurrentCopying12CopyingPhaseEv');
-    } else if (apiLevel > 22) {
-      copyingPhase = Module.findExportByName('libart.so', '_ZN3art2gc9collector17ConcurrentCopying12MarkingPhaseEv');
-    }
-    if (copyingPhase !== null) {
-      Interceptor.attach(copyingPhase, artController.hooks.Gc.copyingPhase);
-    }
+  let runFlip = null;
+  runFlip = api.find('_ZN3art6Thread15RunFlipFunctionEPS0_');
+  if (runFlip === null) {
+    runFlip = api.find('_ZN3art6Thread15RunFlipFunctionEPS0_b');
+  }
+  if (runFlip !== null) {
+    Interceptor.attach(runFlip, artController.hooks.Gc.runFlip);
   }
 }
 
@@ -3414,7 +3429,7 @@ class ArtMethodMangler {
 
     // Replace Nterp quick entrypoints with art_quick_to_interpreter_bridge to force stepping out
     // of ART's next-generation interpreter and use the quick stub instead.
-    if (artNterpEntryPoint !== undefined && quickCode.equals(artNterpEntryPoint)) {
+    if (artNterpEntryPoint !== null && quickCode.equals(artNterpEntryPoint)) {
       patchArtMethod(hookedMethodId, {
         quickCode: api.artQuickToInterpreterBridge
       }, vm);
@@ -3925,9 +3940,24 @@ const threadStateTransitionRecompilers = {
 };
 
 function makeArtThreadStateTransitionImpl (vm, env, callback) {
+  const api = getApi();
   const envVtable = env.handle.readPointer();
-  const exceptionClearImpl = envVtable.add(ENV_VTABLE_OFFSET_EXCEPTION_CLEAR).readPointer();
-  const nextFuncImpl = envVtable.add(ENV_VTABLE_OFFSET_FATAL_ERROR).readPointer();
+
+  let exceptionClearImpl;
+  const innerExceptionClearImpl = api.find('_ZN3art3JNIILb1EE14ExceptionClearEP7_JNIEnv');
+  if (innerExceptionClearImpl !== null) {
+    exceptionClearImpl = innerExceptionClearImpl;
+  } else {
+    exceptionClearImpl = envVtable.add(ENV_VTABLE_OFFSET_EXCEPTION_CLEAR).readPointer();
+  }
+
+  let nextFuncImpl;
+  const innerNextFuncImpl = api.find('_ZN3art3JNIILb1EE10FatalErrorEP7_JNIEnvPKc');
+  if (innerNextFuncImpl !== null) {
+    nextFuncImpl = innerNextFuncImpl;
+  } else {
+    nextFuncImpl = envVtable.add(ENV_VTABLE_OFFSET_FATAL_ERROR).readPointer();
+  }
 
   const recompile = threadStateTransitionRecompilers[Process.arch];
   if (recompile === undefined) {

package/lib/class-factory.js

@@ -16,6 +16,8 @@ const {
   makeJniObjectTypeName
 } = require('./types');
 
+const kAccStatic = 0x0008;
+
 const CONSTRUCTOR_METHOD = 1;
 const STATIC_METHOD = 2;
 const INSTANCE_METHOD = 3;
@@ -450,6 +452,9 @@ class ClassFactory {
             impl = methodValue;
           }
         } else {
+          if (methodValue.isStatic) {
+            type = STATIC_METHOD;
+          }
           returnType = this._getType(methodValue.returnType || 'void');
           argumentTypes = (methodValue.argumentTypes || []).map(name => this._getType(name));
           impl = methodValue.implementation;
@@ -479,7 +484,7 @@ class ClassFactory {
         const argumentTypeNames = argumentTypes.map(t => t.name);
         const signature = '(' + argumentTypeNames.join('') + ')' + returnTypeName;
 
-        dexMethods.push([name, returnTypeName, argumentTypeNames, thrownTypeNames]);
+        dexMethods.push([name, returnTypeName, argumentTypeNames, thrownTypeNames, (type === STATIC_METHOD) ? kAccStatic : 0]);
         implMethods.push([name, signature, type, returnType, argumentTypes, impl]);
       });
 
@@ -566,15 +571,16 @@ class ClassFactory {
     const JVMTI_HEAP_OBJECT_EITHER = 3;
 
     const h = classWrapper.$borrowClassHandle(env);
+    const tag = int64(h.value.toString());
     try {
       const heapObjectCallback = new NativeCallback((classTag, size, tagPtr, userData) => {
-        tagPtr.writePointer(h.value);
+        tagPtr.writeS64(tag);
         return JVMTI_ITERATION_CONTINUE;
-      }, 'int', ['long', 'long', 'pointer', 'pointer']);
+      }, 'int', ['int64', 'int64', 'pointer', 'pointer']);
       jvmti.iterateOverInstancesOfClass(h.value, JVMTI_HEAP_OBJECT_EITHER, heapObjectCallback, h.value);
 
-      const tagPtr = Memory.alloc(pointerSize);
-      tagPtr.writePointer(h.value);
+      const tagPtr = Memory.alloc(8);
+      tagPtr.writeS64(tag);
       const countPtr = Memory.alloc(jsizeSize);
       const objectsPtr = Memory.alloc(pointerSize);
       jvmti.getObjectsWithTags(1, tagPtr, countPtr, objectsPtr, NULL);

package/lib/mkdex.js

@@ -530,7 +530,7 @@ function computeModel (classes) {
     }
 
     klass.methods.forEach(method => {
-      const [methodName, retType, argTypes, thrownTypes = []] = method;
+      const [methodName, retType, argTypes, thrownTypes = [], accessFlags] = method;
 
       strings.add(methodName);
 
@@ -563,13 +563,13 @@ function computeModel (classes) {
         strings.add('value');
       }
 
-      methods.push([klass.name, protoId, methodName, throwsAnnotationId]);
+      methods.push([klass.name, protoId, methodName, throwsAnnotationId, accessFlags]);
 
       if (methodName === '<init>') {
         superConstructors.add(name + '|' + protoId);
         const superConstructorId = superClass + '|' + protoId;
         if (javaConstructors.has(name) && !superConstructors.has(superConstructorId)) {
-          methods.push([superClass, protoId, methodName, null]);
+          methods.push([superClass, protoId, methodName, null, 0]);
           superConstructors.add(superConstructorId);
         }
       }
@@ -658,12 +658,13 @@ function computeModel (classes) {
   fieldItems.sort(compareFieldItems);
 
   const methodItems = methods.map(method => {
-    const [klass, protoId, name, annotationsId] = method;
+    const [klass, protoId, name, annotationsId, accessFlags] = method;
     return [
       typeToIndex[klass],
       protoToIndex[protoId],
       stringToIndex[name],
-      annotationsId
+      annotationsId,
+      accessFlags
     ];
   });
   methodItems.sort(compareMethodItems);
@@ -719,9 +720,9 @@ function computeModel (classes) {
     const sourceFileIndex = stringToIndex[klass.sourceFileName];
 
     const classMethods = methodItems.reduce((result, method, index) => {
-      const [holder, protoIndex, name, annotationsId] = method;
+      const [holder, protoIndex, name, annotationsId, accessFlags] = method;
       if (holder === classIndex) {
-        result.push([index, name, annotationsId, protoIndex]);
+        result.push([index, name, annotationsId, protoIndex, accessFlags]);
       }
       return result;
     }, []);
@@ -771,8 +772,8 @@ function computeModel (classes) {
       });
     const virtualMethods = compressClassMethodIndexes(classMethods
       .filter(([, name]) => name !== constructorNameIndex)
-      .map(([index]) => {
-        return [index, kAccPublic | kAccNative];
+      .map(([index, , , , accessFlags]) => {
+        return [index, accessFlags | kAccPublic | kAccNative];
       }));
 
     const classData = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "6.3.6",
+  "version": "6.3.8",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [