npm - frida-java-bridge - Versions diffs - 7.0.8 → 7.0.10 - Mend

frida-java-bridge 7.0.8 → 7.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.d.ts CHANGED Viewed

@@ -415,11 +415,25 @@ declare module "frida-java-bridge" {
                 [name: string]: any;
             };
-        interface MethodDispatcher<Holder extends Members<Holder> = {}> extends Method<Holder> {
+        type IsEmptyArray<T extends any[]> = T extends [] ? true : false;
+        type Overload<Identifiers extends Array<string> = [], Types extends Array<any> = [], Return = any> = [Identifiers, Types, Return];
+        type OverloadsMethods<
+            Holder extends Members<Holder> = {},
+            OLs extends ReadonlyArray<Overload<any, any, any>> = []
+        > = {
+                [K in keyof OLs]:
+                OLs[K] extends Overload<any, infer A extends any[], infer R>
+                ? Method<Holder, A, R>
+                : never
+            };
+        interface MethodDispatcher<Holder extends Members<Holder> = {}, Overloads extends Array<Overload<Array<any>, Array<any>, any>> = []> extends Method<Holder> {
             /**
              * Available overloads.
              */
-            overloads: Array<Method<Holder>>;
+            overloads: IsEmptyArray<Overloads> extends true ? Array<Method<Holder>> : OverloadsMethods<Holder, Overloads>;
             /**
              * Obtains a specific overload.
@@ -430,8 +444,8 @@ declare module "frida-java-bridge" {
             overload(...args: string[]): Method<Holder>;
         }
-        interface Method<Holder extends Members<Holder> = {}> {
-            (...params: any[]): any;
+        interface Method<Holder extends Members<Holder> = {}, Params extends any[] = any[], Return = any> {
+            (...params: Params): Return;
             /**
              * Name of this method.
@@ -458,7 +472,7 @@ declare module "frida-java-bridge" {
              * replace the original implementation. Assign `null` at a future point
              * to revert back to the original implementation.
              */
-            implementation: MethodImplementation<Holder> | null;
+            implementation: MethodImplementation<Holder, Params, Return> | null;
             /**
              * Method return type.
@@ -481,10 +495,10 @@ declare module "frida-java-bridge" {
              * Useful for e.g. setting `traps: "all"` to perform execution tracing
              * in conjunction with Stalker.
              */
-            clone: (options: NativeFunctionOptions) => Method<Holder>;
+            clone: (options: NativeFunctionOptions) => Method<Holder, Params, Return>;
         }
-        type MethodImplementation<This extends Members<This> = {}> = (this: Wrapper<This>, ...params: any[]) => any;
+        type MethodImplementation<This extends Members<This> = {}, Params extends any[] = any[], Return = any> = (this: Wrapper<This>, ...params: Params) => Return;
         interface Field<Value = any, Holder extends Members<Holder> = {}> {
             /**

package/lib/android.js CHANGED Viewed

@@ -88,6 +88,7 @@ const getArtThreadStateTransitionImpl = memoize(_getArtThreadStateTransitionImpl
 export const getAndroidVersion = memoize(_getAndroidVersion);
 const getAndroidCodename = memoize(_getAndroidCodename);
 export const getAndroidApiLevel = memoize(_getAndroidApiLevel);
+export const getArtApexVersion = memoize(_getArtApexVersion);
 const getArtQuickFrameInfoGetterThunk = memoize(_getArtQuickFrameInfoGetterThunk);
 const makeCxxMethodWrapperReturningPointerByValue =
@@ -253,6 +254,7 @@ function _getApi () {
             this['art::StackVisitor::GetCurrentQuickFrameInfo'] = makeArtQuickFrameInfoGetter(address);
           },
+          _ZN3art7Context6CreateEv: ['art::Context::Create', 'pointer', []],
           _ZN3art6Thread18GetLongJumpContextEv: ['art::Thread::GetLongJumpContext', 'pointer', ['pointer']],
           _ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE: function (address) {
@@ -352,6 +354,7 @@ function _getApi () {
           '_ZNK3art12StackVisitor9GetMethodEv',
           '_ZNK3art12StackVisitor16DescribeLocationEv',
           '_ZNK3art12StackVisitor24GetCurrentQuickFrameInfoEv',
+          '_ZN3art7Context6CreateEv',
           '_ZN3art6Thread18GetLongJumpContextEv',
           '_ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE',
           '_ZN3art6mirror5Class11GetLocationEv',
@@ -461,6 +464,11 @@ function _getApi () {
     const instrumentationOffset = runtimeOffset.instrumentation;
     temporaryApi.artInstrumentation = (instrumentationOffset !== null) ? artRuntime.add(instrumentationOffset) : null;
+    const instrumentationIsPointer = getArtApexVersion() >= 360_000_000;
+    if (instrumentationIsPointer && temporaryApi.artInstrumentation != null) {
+      temporaryApi.artInstrumentation = temporaryApi.artInstrumentation.readPointer();
+    }
     temporaryApi.artHeap = artRuntime.add(runtimeOffset.heap).readPointer();
     temporaryApi.artThreadList = artRuntime.add(runtimeOffset.threadList).readPointer();
@@ -691,7 +699,11 @@ function _getArtRuntimeSpec (api) {
     throw new Error('Unable to determine Runtime field offsets');
   }
-  spec.offset.instrumentation = tryDetectInstrumentationOffset(api);
+  const instrumentationIsPointer = getArtApexVersion() >= 360_000_000;
+  spec.offset.instrumentation = instrumentationIsPointer
+    ? tryDetectInstrumentationPointer(api)
+    : tryDetectInstrumentationOffset(api);
   spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset(api);
   return spec;
@@ -771,6 +783,78 @@ function parseArm64InstrumentationOffset (insn) {
   return offset;
 }
+const instrumentationPointerParser = {
+  ia32: parsex86InstrumentationPointer,
+  x64: parsex86InstrumentationPointer,
+  arm: parseArmInstrumentationPointer,
+  arm64: parseArm64InstrumentationPointer
+};
+function tryDetectInstrumentationPointer (api) {
+  const impl = api['art::Runtime::DeoptimizeBootImage'];
+  if (impl === undefined) {
+    return null;
+  }
+  return parseInstructionsAt(impl, instrumentationPointerParser[Process.arch], { limit: 30 });
+}
+function parsex86InstrumentationPointer (insn) {
+  if (insn.mnemonic !== 'mov') {
+    return null;
+  }
+  const ops = insn.operands;
+  const dst = ops[0];
+  if (dst.value !== 'rax') {
+    return null;
+  }
+  const src = ops[1];
+  if (src.type !== 'mem') {
+    return null;
+  }
+  const mem = src.value;
+  if (mem.base !== 'rdi') {
+    return null;
+  }
+  const offset = mem.disp;
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+  return offset;
+}
+function parseArmInstrumentationPointer (insn) {
+  return null;
+}
+function parseArm64InstrumentationPointer (insn) {
+  if (insn.mnemonic !== 'ldr') {
+    return null;
+  }
+  const ops = insn.operands;
+  if (ops[0].value === 'x0') {
+    return null;
+  }
+  const mem = ops[1].value;
+  if (mem.base !== 'x0') {
+    return null;
+  }
+  const offset = mem.disp;
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+  return offset;
+}
 const jniIdsIndirectionOffsetParsers = {
   ia32: parsex86JniIdsIndirectionOffset,
   x64: parsex86JniIdsIndirectionOffset,
@@ -1364,6 +1448,39 @@ function _getAndroidApiLevel () {
   return parseInt(getAndroidSystemProperty('ro.build.version.sdk'), 10);
 }
+function _getArtApexVersion () {
+  try {
+    const mountInfo = File.readAllText('/proc/self/mountinfo');
+    let artSource = null;
+    const sourceVersions = new Map();
+    for (const line of mountInfo.trimEnd().split('\n')) {
+      const elements = line.split(' ');
+      const mountRoot = elements[4];
+      if (!mountRoot.startsWith('/apex/com.android.art')) {
+        continue;
+      }
+      const mountSource = elements[10];
+      if (mountRoot.includes('@')) {
+        sourceVersions.set(mountSource, mountRoot.split('@')[1]);
+      } else {
+        artSource = mountSource;
+      }
+    }
+    const strVersion = sourceVersions.get(artSource);
+    return (strVersion !== undefined) ? parseInt(strVersion) : computeArtApexVersionFromApiLevel();
+  } catch {
+    return computeArtApexVersionFromApiLevel();
+  }
+}
+function computeArtApexVersionFromApiLevel () {
+  return getAndroidApiLevel() * 10_000_000;
+}
 let systemPropertyGet = null;
 const PROP_VALUE_MAX = 92;
@@ -1749,6 +1866,31 @@ set_replacement_method (gpointer original_method,
   g_mutex_unlock (&lock);
 }
+void
+synchronize_replacement_methods (guint quick_code_offset,
+                                 void * nterp_entrypoint,
+                                 void * quick_to_interpreter_bridge)
+{
+  GHashTableIter iter;
+  gpointer hooked_method, replacement_method;
+  g_mutex_lock (&lock);
+  g_hash_table_iter_init (&iter, methods);
+  while (g_hash_table_iter_next (&iter, &hooked_method, &replacement_method))
+  {
+    void ** quick_code;
+    *((uint32_t *) replacement_method) = *((uint32_t *) hooked_method);
+    quick_code = hooked_method + quick_code_offset;
+    if (*quick_code == nterp_entrypoint)
+      *quick_code = quick_to_interpreter_bridge;
+  }
+  g_mutex_unlock (&lock);
+}
 void
 delete_replacement_method (gpointer original_method)
 {
@@ -1907,6 +2049,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
+      synchronize: new NativeFunction(cm.synchronize_replacement_methods, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
       translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
       findReplacementFromQuickCode: cm.find_replacement_method_from_quick_code
@@ -1940,6 +2083,8 @@ function ensureArtKnowsHowToHandleMethodInstrumentation (vm) {
   instrumentArtQuickEntrypoints(vm);
   instrumentArtMethodInvocationFromInterpreter();
+  instrumentArtGarbageCollection();
+  instrumentArtFixupStaticTrampolines();
 }
 function instrumentArtQuickEntrypoints (vm) {
@@ -1991,6 +2136,52 @@ function instrumentArtMethodInvocationFromInterpreter () {
   }
 }
+function instrumentArtGarbageCollection () {
+  const api = getApi();
+  const art = api.module;
+  const gc = art.findSymbolByName('_ZN3art2gc4Heap22CollectGarbageInternalENS0_9collector6GcTypeENS0_7GcCauseEbj');
+  if (gc === null) {
+    return;
+  }
+  const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+  const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+  Interceptor.attach(gc, {
+    onLeave () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    }
+  });
+}
+function instrumentArtFixupStaticTrampolines () {
+  const patterns = [
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE', 'e90340f8 : ff0ff0ff'],
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback29AdjustThreadVisibilityCounterEPNS_6ThreadEl', '7f0f00f9 : 1ffcffff'],
+  ];
+  const api = getApi();
+  const art = api.module;
+  for (const [name, pattern] of patterns) {
+    const base = art.findSymbolByName(name);
+    if (base === null) {
+      continue;
+    }
+    const matches = Memory.scanSync(base, 8192, pattern);
+    if (matches.length === 0) {
+      return;
+    }
+    const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+    const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+    Interceptor.attach(matches[0].address, function () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    });
+    return;
+  }
+}
 function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   if (taughtArtAboutReplacementMethods) {
     return;
@@ -2534,7 +2725,7 @@ extern GumTlsKey current_backtrace;
 extern void (* perform_art_thread_state_transition) (JNIEnv * env);
-extern ArtContext * art_thread_get_long_jump_context (ArtThread * thread);
+extern ArtContext * art_make_context (ArtThread * thread);
 extern void art_stack_visitor_init (ArtStackVisitor * visitor, ArtThread * thread, void * context, StackWalkKind walk_kind,
     size_t num_frames, bool check_suspended);
@@ -2600,7 +2791,7 @@ _on_thread_state_transition_complete (ArtThread * thread)
     },
   };
-  context = art_thread_get_long_jump_context (thread);
+  context = art_make_context (thread);
   art_stack_visitor_init (&visitor, thread, context, STACK_WALK_SKIP_INLINED_FRAMES, 0, true);
   visitor.vtable = &visitor.vtable_storage;
@@ -2885,7 +3076,7 @@ std_string_get_data (StdString * str)
 `, {
     current_backtrace: Memory.alloc(Process.pointerSize),
     perform_art_thread_state_transition: performImpl,
-    art_thread_get_long_jump_context: api['art::Thread::GetLongJumpContext'],
+    art_make_context: api['art::Thread::GetLongJumpContext'] ?? api['art::Context::Create'],
     art_stack_visitor_init: api['art::StackVisitor::StackVisitor'],
     art_stack_visitor_walk_stack: api['art::StackVisitor::WalkStack'],
     art_stack_visitor_get_method: api['art::StackVisitor::GetMethod'],

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "7.0.8",
+  "version": "7.0.10",
   "description": "Java runtime interop from Frida",
   "keywords": [
     "frida-gum",