frida-java-bridge 7.0.8 → 7.0.9

package/index.d.ts

@@ -415,11 +415,25 @@ declare module "frida-java-bridge" {
                 [name: string]: any;
             };
 
-        interface MethodDispatcher<Holder extends Members<Holder> = {}> extends Method<Holder> {
+        type IsEmptyArray<T extends any[]> = T extends [] ? true : false;
+
+        type Overload<Identifiers extends Array<string> = [], Types extends Array<any> = [], Return = any> = [Identifiers, Types, Return];
+
+        type OverloadsMethods<
+            Holder extends Members<Holder> = {},
+            OLs extends ReadonlyArray<Overload<any, any, any>> = []
+        > = {
+                [K in keyof OLs]:
+                OLs[K] extends Overload<any, infer A extends any[], infer R>
+                ? Method<Holder, A, R>
+                : never
+            };
+
+        interface MethodDispatcher<Holder extends Members<Holder> = {}, Overloads extends Array<Overload<Array<any>, Array<any>, any>> = []> extends Method<Holder> {
             /**
              * Available overloads.
              */
-            overloads: Array<Method<Holder>>;
+            overloads: IsEmptyArray<Overloads> extends true ? Array<Method<Holder>> : OverloadsMethods<Holder, Overloads>;
 
             /**
              * Obtains a specific overload.
@@ -430,8 +444,8 @@ declare module "frida-java-bridge" {
             overload(...args: string[]): Method<Holder>;
         }
 
-        interface Method<Holder extends Members<Holder> = {}> {
-            (...params: any[]): any;
+        interface Method<Holder extends Members<Holder> = {}, Params extends any[] = any[], Return = any> {
+            (...params: Params): Return;
 
             /**
              * Name of this method.
@@ -458,7 +472,7 @@ declare module "frida-java-bridge" {
              * replace the original implementation. Assign `null` at a future point
              * to revert back to the original implementation.
              */
-            implementation: MethodImplementation<Holder> | null;
+            implementation: MethodImplementation<Holder, Params, Return> | null;
 
             /**
              * Method return type.
@@ -481,10 +495,10 @@ declare module "frida-java-bridge" {
              * Useful for e.g. setting `traps: "all"` to perform execution tracing
              * in conjunction with Stalker.
              */
-            clone: (options: NativeFunctionOptions) => Method<Holder>;
+            clone: (options: NativeFunctionOptions) => Method<Holder, Params, Return>;
         }
 
-        type MethodImplementation<This extends Members<This> = {}> = (this: Wrapper<This>, ...params: any[]) => any;
+        type MethodImplementation<This extends Members<This> = {}, Params extends any[] = any[], Return = any> = (this: Wrapper<This>, ...params: Params) => Return;
 
         interface Field<Value = any, Holder extends Members<Holder> = {}> {
             /**

package/lib/android.js

@@ -88,6 +88,7 @@ const getArtThreadStateTransitionImpl = memoize(_getArtThreadStateTransitionImpl
 export const getAndroidVersion = memoize(_getAndroidVersion);
 const getAndroidCodename = memoize(_getAndroidCodename);
 export const getAndroidApiLevel = memoize(_getAndroidApiLevel);
+export const getArtApexVersion = memoize(_getArtApexVersion);
 const getArtQuickFrameInfoGetterThunk = memoize(_getArtQuickFrameInfoGetterThunk);
 
 const makeCxxMethodWrapperReturningPointerByValue =
@@ -253,6 +254,7 @@ function _getApi () {
             this['art::StackVisitor::GetCurrentQuickFrameInfo'] = makeArtQuickFrameInfoGetter(address);
           },
 
+          _ZN3art7Context6CreateEv: ['art::Context::Create', 'pointer', []],
           _ZN3art6Thread18GetLongJumpContextEv: ['art::Thread::GetLongJumpContext', 'pointer', ['pointer']],
 
           _ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE: function (address) {
@@ -352,6 +354,7 @@ function _getApi () {
           '_ZNK3art12StackVisitor9GetMethodEv',
           '_ZNK3art12StackVisitor16DescribeLocationEv',
           '_ZNK3art12StackVisitor24GetCurrentQuickFrameInfoEv',
+          '_ZN3art7Context6CreateEv',
           '_ZN3art6Thread18GetLongJumpContextEv',
           '_ZN3art6mirror5Class13GetDescriptorEPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE',
           '_ZN3art6mirror5Class11GetLocationEv',
@@ -461,6 +464,11 @@ function _getApi () {
     const instrumentationOffset = runtimeOffset.instrumentation;
     temporaryApi.artInstrumentation = (instrumentationOffset !== null) ? artRuntime.add(instrumentationOffset) : null;
 
+    const instrumentationIsPointer = getArtApexVersion() >= 360_000_000;
+    if (instrumentationIsPointer && temporaryApi.artInstrumentation != null) {
+      temporaryApi.artInstrumentation = temporaryApi.artInstrumentation.readPointer();
+    }
+
     temporaryApi.artHeap = artRuntime.add(runtimeOffset.heap).readPointer();
     temporaryApi.artThreadList = artRuntime.add(runtimeOffset.threadList).readPointer();
 
@@ -691,7 +699,11 @@ function _getArtRuntimeSpec (api) {
     throw new Error('Unable to determine Runtime field offsets');
   }
 
-  spec.offset.instrumentation = tryDetectInstrumentationOffset(api);
+  const instrumentationIsPointer = getArtApexVersion() >= 360_000_000;
+  spec.offset.instrumentation = instrumentationIsPointer
+    ? tryDetectInstrumentationPointer(api)
+    : tryDetectInstrumentationOffset(api);
+
   spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset(api);
 
   return spec;
@@ -771,6 +783,78 @@ function parseArm64InstrumentationOffset (insn) {
   return offset;
 }
 
+const instrumentationPointerParser = {
+  ia32: parsex86InstrumentationPointer,
+  x64: parsex86InstrumentationPointer,
+  arm: parseArmInstrumentationPointer,
+  arm64: parseArm64InstrumentationPointer
+};
+
+function tryDetectInstrumentationPointer (api) {
+  const impl = api['art::Runtime::DeoptimizeBootImage'];
+  if (impl === undefined) {
+    return null;
+  }
+
+  return parseInstructionsAt(impl, instrumentationPointerParser[Process.arch], { limit: 30 });
+}
+
+function parsex86InstrumentationPointer (insn) {
+  if (insn.mnemonic !== 'mov') {
+    return null;
+  }
+
+  const ops = insn.operands;
+
+  const dst = ops[0];
+  if (dst.value !== 'rax') {
+    return null;
+  }
+
+  const src = ops[1];
+  if (src.type !== 'mem') {
+    return null;
+  }
+
+  const mem = src.value;
+  if (mem.base !== 'rdi') {
+    return null;
+  }
+
+  const offset = mem.disp;
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+  return offset;
+}
+
+function parseArmInstrumentationPointer (insn) {
+  return null;
+}
+
+function parseArm64InstrumentationPointer (insn) {
+  if (insn.mnemonic !== 'ldr') {
+    return null;
+  }
+
+  const ops = insn.operands;
+
+  if (ops[0].value === 'x0') {
+    return null;
+  }
+
+  const mem = ops[1].value;
+  if (mem.base !== 'x0') {
+    return null;
+  }
+
+  const offset = mem.disp;
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+  return offset;
+}
+
 const jniIdsIndirectionOffsetParsers = {
   ia32: parsex86JniIdsIndirectionOffset,
   x64: parsex86JniIdsIndirectionOffset,
@@ -1364,6 +1448,39 @@ function _getAndroidApiLevel () {
   return parseInt(getAndroidSystemProperty('ro.build.version.sdk'), 10);
 }
 
+function _getArtApexVersion () {
+  try {
+    const mountInfo = File.readAllText('/proc/self/mountinfo');
+
+    let artSource = null;
+    const sourceVersions = new Map();
+    for (const line of mountInfo.trimEnd().split('\n')) {
+      const elements = line.split(' ');
+
+      const mountRoot = elements[4];
+      if (!mountRoot.startsWith('/apex/com.android.art')) {
+        continue;
+      }
+
+      const mountSource = elements[10];
+      if (mountRoot.includes('@')) {
+        sourceVersions.set(mountSource, mountRoot.split('@')[1]);
+      } else {
+        artSource = mountSource;
+      }
+    }
+
+    const strVersion = sourceVersions.get(artSource);
+    return (strVersion !== undefined) ? parseInt(strVersion) : computeArtApexVersionFromApiLevel();
+  } catch {
+    return computeArtApexVersionFromApiLevel();
+  }
+}
+
+function computeArtApexVersionFromApiLevel () {
+  return getAndroidApiLevel() * 10_000_000;
+}
+
 let systemPropertyGet = null;
 const PROP_VALUE_MAX = 92;
 
@@ -2534,7 +2651,7 @@ extern GumTlsKey current_backtrace;
 
 extern void (* perform_art_thread_state_transition) (JNIEnv * env);
 
-extern ArtContext * art_thread_get_long_jump_context (ArtThread * thread);
+extern ArtContext * art_make_context (ArtThread * thread);
 
 extern void art_stack_visitor_init (ArtStackVisitor * visitor, ArtThread * thread, void * context, StackWalkKind walk_kind,
     size_t num_frames, bool check_suspended);
@@ -2600,7 +2717,7 @@ _on_thread_state_transition_complete (ArtThread * thread)
     },
   };
 
-  context = art_thread_get_long_jump_context (thread);
+  context = art_make_context (thread);
 
   art_stack_visitor_init (&visitor, thread, context, STACK_WALK_SKIP_INLINED_FRAMES, 0, true);
   visitor.vtable = &visitor.vtable_storage;
@@ -2885,7 +3002,7 @@ std_string_get_data (StdString * str)
 `, {
     current_backtrace: Memory.alloc(Process.pointerSize),
     perform_art_thread_state_transition: performImpl,
-    art_thread_get_long_jump_context: api['art::Thread::GetLongJumpContext'],
+    art_make_context: api['art::Thread::GetLongJumpContext'] ?? api['art::Context::Create'],
     art_stack_visitor_init: api['art::StackVisitor::StackVisitor'],
     art_stack_visitor_walk_stack: api['art::StackVisitor::WalkStack'],
     art_stack_visitor_get_method: api['art::StackVisitor::GetMethod'],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "7.0.8",
+  "version": "7.0.9",
   "description": "Java runtime interop from Frida",
   "keywords": [
     "frida-gum",