frida-java-bridge 7.0.9 → 7.0.10

package/lib/android.js

@@ -1866,6 +1866,31 @@ set_replacement_method (gpointer original_method,
   g_mutex_unlock (&lock);
 }
 
+void
+synchronize_replacement_methods (guint quick_code_offset,
+                                 void * nterp_entrypoint,
+                                 void * quick_to_interpreter_bridge)
+{
+  GHashTableIter iter;
+  gpointer hooked_method, replacement_method;
+
+  g_mutex_lock (&lock);
+
+  g_hash_table_iter_init (&iter, methods);
+  while (g_hash_table_iter_next (&iter, &hooked_method, &replacement_method))
+  {
+    void ** quick_code;
+
+    *((uint32_t *) replacement_method) = *((uint32_t *) hooked_method);
+
+    quick_code = hooked_method + quick_code_offset;
+    if (*quick_code == nterp_entrypoint)
+      *quick_code = quick_to_interpreter_bridge;
+  }
+
+  g_mutex_unlock (&lock);
+}
+
 void
 delete_replacement_method (gpointer original_method)
 {
@@ -2024,6 +2049,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
+      synchronize: new NativeFunction(cm.synchronize_replacement_methods, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
       translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
       findReplacementFromQuickCode: cm.find_replacement_method_from_quick_code
@@ -2057,6 +2083,8 @@ function ensureArtKnowsHowToHandleMethodInstrumentation (vm) {
 
   instrumentArtQuickEntrypoints(vm);
   instrumentArtMethodInvocationFromInterpreter();
+  instrumentArtGarbageCollection();
+  instrumentArtFixupStaticTrampolines();
 }
 
 function instrumentArtQuickEntrypoints (vm) {
@@ -2108,6 +2136,52 @@ function instrumentArtMethodInvocationFromInterpreter () {
   }
 }
 
+function instrumentArtGarbageCollection () {
+  const api = getApi();
+  const art = api.module;
+
+  const gc = art.findSymbolByName('_ZN3art2gc4Heap22CollectGarbageInternalENS0_9collector6GcTypeENS0_7GcCauseEbj');
+  if (gc === null) {
+    return;
+  }
+
+  const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+  const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+  Interceptor.attach(gc, {
+    onLeave () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    }
+  });
+}
+
+function instrumentArtFixupStaticTrampolines () {
+  const patterns = [
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE', 'e90340f8 : ff0ff0ff'],
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback29AdjustThreadVisibilityCounterEPNS_6ThreadEl', '7f0f00f9 : 1ffcffff'],
+  ];
+  const api = getApi();
+  const art = api.module;
+  for (const [name, pattern] of patterns) {
+    const base = art.findSymbolByName(name);
+    if (base === null) {
+      continue;
+    }
+
+    const matches = Memory.scanSync(base, 8192, pattern);
+    if (matches.length === 0) {
+      return;
+    }
+
+    const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+    const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+    Interceptor.attach(matches[0].address, function () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    });
+
+    return;
+  }
+}
+
 function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   if (taughtArtAboutReplacementMethods) {
     return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "7.0.9",
+  "version": "7.0.10",
   "description": "Java runtime interop from Frida",
   "keywords": [
     "frida-gum",