frida-java-bridge 7.0.9 → 7.0.11

package/lib/android.js

@@ -586,8 +586,7 @@ export function ensureClassInitialized (env, classRef) {
     return;
   }
 
-  env.getFieldId(classRef, 'x', 'Z');
-  env.exceptionClear();
+  env.getClassName(classRef);
 }
 
 function getArtVMSpec (api) {
@@ -1866,6 +1865,31 @@ set_replacement_method (gpointer original_method,
   g_mutex_unlock (&lock);
 }
 
+void
+synchronize_replacement_methods (guint quick_code_offset,
+                                 void * nterp_entrypoint,
+                                 void * quick_to_interpreter_bridge)
+{
+  GHashTableIter iter;
+  gpointer hooked_method, replacement_method;
+
+  g_mutex_lock (&lock);
+
+  g_hash_table_iter_init (&iter, methods);
+  while (g_hash_table_iter_next (&iter, &hooked_method, &replacement_method))
+  {
+    void ** quick_code;
+
+    *((uint32_t *) replacement_method) = *((uint32_t *) hooked_method);
+
+    quick_code = hooked_method + quick_code_offset;
+    if (*quick_code == nterp_entrypoint)
+      *quick_code = quick_to_interpreter_bridge;
+  }
+
+  g_mutex_unlock (&lock);
+}
+
 void
 delete_replacement_method (gpointer original_method)
 {
@@ -2024,6 +2048,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
+      synchronize: new NativeFunction(cm.synchronize_replacement_methods, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
       translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
       findReplacementFromQuickCode: cm.find_replacement_method_from_quick_code
@@ -2057,6 +2082,8 @@ function ensureArtKnowsHowToHandleMethodInstrumentation (vm) {
 
   instrumentArtQuickEntrypoints(vm);
   instrumentArtMethodInvocationFromInterpreter();
+  instrumentArtGarbageCollection();
+  instrumentArtFixupStaticTrampolines();
 }
 
 function instrumentArtQuickEntrypoints (vm) {
@@ -2108,6 +2135,52 @@ function instrumentArtMethodInvocationFromInterpreter () {
   }
 }
 
+function instrumentArtGarbageCollection () {
+  const api = getApi();
+  const art = api.module;
+
+  const gc = art.findSymbolByName('_ZN3art2gc4Heap22CollectGarbageInternalENS0_9collector6GcTypeENS0_7GcCauseEbj');
+  if (gc === null) {
+    return;
+  }
+
+  const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+  const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+  Interceptor.attach(gc, {
+    onLeave () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    }
+  });
+}
+
+function instrumentArtFixupStaticTrampolines () {
+  const patterns = [
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE', 'e90340f8 : ff0ff0ff'],
+    ['_ZN3art11ClassLinker26VisiblyInitializedCallback29AdjustThreadVisibilityCounterEPNS_6ThreadEl', '7f0f00f9 : 1ffcffff'],
+  ];
+  const api = getApi();
+  const art = api.module;
+  for (const [name, pattern] of patterns) {
+    const base = art.findSymbolByName(name);
+    if (base === null) {
+      continue;
+    }
+
+    const matches = Memory.scanSync(base, 8192, pattern);
+    if (matches.length === 0) {
+      return;
+    }
+
+    const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+    const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+    Interceptor.attach(matches[0].address, function () {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    });
+
+    return;
+  }
+}
+
 function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   if (taughtArtAboutReplacementMethods) {
     return;
@@ -2218,6 +2291,21 @@ const artGetOatQuickMethodHeaderInlinedCopyHandler = {
         offset: 1,
         validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
       },
+      {
+        pattern: [
+          /* e8 */ '0a 40 b9', // ldr w8, [x?, #0x8]
+          '1f 05 00 31', // cmn w8, #0x1
+          '40 01 00 54', // b.eq <target>
+          '00 0e 40 f9', // ldr x?, [x?, #0x18]
+          ':',
+          /* 00 */ 'fc ff ff',
+          '1f fc ff ff',
+          '1f 00 00 ff',
+          '00 fc ff ff'
+        ],
+        offset: 1,
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
+      },
       {
         pattern: [
           /* e8 */ '0a 40 b9', // ldr w8, [x23, #0x8]

package/lib/class-model.js

@@ -85,6 +85,7 @@ struct _JavaFieldApi
 
 struct _JavaApi
 {
+  jvmtiEnv * jvmti;
   JavaClassApi clazz;
   JavaMethodApi method;
   JavaFieldApi field;
@@ -235,6 +236,7 @@ model_new (jclass class_handle,
 {
   Model * model;
   GHashTable * members;
+  jvmtiEnv * jvmti = java_api.jvmti;
   gpointer * funcs = env->functions;
   jmethodID (* from_reflected_method) (JNIEnv *, jobject) = funcs[7];
   jfieldID (* from_reflected_field) (JNIEnv *, jobject) = funcs[8];
@@ -254,7 +256,52 @@ model_new (jclass class_handle,
   members = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
   model->members = members;
 
-  if (art_api.available)
+  if (jvmti != NULL)
+  {
+    gpointer * jf = jvmti->functions - 1;
+    jvmtiError (* deallocate) (jvmtiEnv *, void * mem) = jf[47];
+    jvmtiError (* get_class_methods) (jvmtiEnv *, jclass, jint *, jmethodID **) = jf[52];
+    jvmtiError (* get_class_fields) (jvmtiEnv *, jclass, jint *, jfieldID **) = jf[53];
+    jvmtiError (* get_field_name) (jvmtiEnv *, jclass, jfieldID, char **, char **, char **) = jf[60];
+    jvmtiError (* get_field_modifiers) (jvmtiEnv *, jclass, jfieldID, jint *) = jf[62];
+    jvmtiError (* get_method_name) (jvmtiEnv *, jmethodID, char **, char **, char **) = jf[64];
+    jvmtiError (* get_method_modifiers) (jvmtiEnv *, jmethodID, jint *) = jf[66];
+    jint method_count;
+    jmethodID * methods;
+    jint field_count;
+    jfieldID * fields;
+    char * name;
+    jint modifiers;
+
+    get_class_methods (jvmti, class_handle, &method_count, &methods);
+    for (i = 0; i != method_count; i++)
+    {
+      jmethodID method = methods[i];
+
+      get_method_name (jvmti, method, &name, NULL, NULL);
+      get_method_modifiers (jvmti, method, &modifiers);
+
+      model_add_method (model, name, method, modifiers);
+
+      deallocate (jvmti, name);
+    }
+    deallocate (jvmti, methods);
+
+    get_class_fields (jvmti, class_handle, &field_count, &fields);
+    for (i = 0; i != field_count; i++)
+    {
+      jfieldID field = fields[i];
+
+      get_field_name (jvmti, class_handle, field, &name, NULL, NULL);
+      get_field_modifiers (jvmti, class_handle, field, &modifiers);
+
+      model_add_field (model, name, field, modifiers);
+
+      deallocate (jvmti, name);
+    }
+    deallocate (jvmti, fields);
+  }
+  else if (art_api.available)
   {
     gpointer elements;
     guint n, i;
@@ -702,8 +749,7 @@ enumerate_methods_jvm (const gchar * class_query,
                        jboolean include_signature,
                        jboolean ignore_case,
                        jboolean skip_system_classes,
-                       JNIEnv * env,
-                       jvmtiEnv * jvmti)
+                       JNIEnv * env)
 {
   gchar * result;
   GPatternSpec * class_pattern, * method_pattern;
@@ -712,6 +758,7 @@ enumerate_methods_jvm (const gchar * class_query,
   jobject (* new_global_ref) (JNIEnv *, jobject) = ef[21];
   void (* delete_local_ref) (JNIEnv *, jobject) = ef[23];
   jboolean (* is_same_object) (JNIEnv *, jobject, jobject) = ef[24];
+  jvmtiEnv * jvmti = java_api.jvmti;
   gpointer * jf = jvmti->functions - 1;
   jvmtiError (* deallocate) (jvmtiEnv *, void * mem) = jf[47];
   jvmtiError (* get_class_signature) (jvmtiEnv *, jclass, char **, char **) = jf[48];
@@ -1207,10 +1254,10 @@ export default class Model {
     }
 
     let result;
-    if (api.flavor === 'jvm') {
+    if (api.jvmti !== null) {
       const json = cm.enumerateMethodsJvm(classQuery, methodQuery,
         boolToNative(includeSignature), boolToNative(ignoreCase), boolToNative(skipSystemClasses),
-        env, api.jvmti);
+        env);
       try {
         result = JSON.parse(json.readUtf8String())
           .map(group => {
@@ -1273,11 +1320,14 @@ function ensureInitialized (env) {
 }
 
 function compileModule (env) {
+  const api = getApi();
+  const { jvmti } = api;
+
   const { pointerSize } = Process;
 
   const lockSize = 8;
   const modelsSize = pointerSize;
-  const javaApiSize = 6 * pointerSize;
+  const javaApiSize = 7 * pointerSize;
   const artApiSize = (10 * 4) + (5 * pointerSize);
 
   const dataSize = lockSize + modelsSize + javaApiSize + artApiSize;
@@ -1293,6 +1343,7 @@ function compileModule (env) {
   const field = env.javaLangReflectField();
   let j = javaApi;
   [
+    jvmti,
     getDeclaredMethods, getDeclaredFields,
     method.getName, method.getModifiers,
     field.getName, field.getModifiers
@@ -1303,16 +1354,22 @@ function compileModule (env) {
 
   const artApi = javaApi.add(javaApiSize);
   const { vm } = env;
-  const artClass = getArtClassSpec(vm);
-  if (artClass !== null) {
-    const c = artClass.offset;
+  if (api.flavor === 'art') {
+    let artClassOffsets;
+    if (jvmti !== null) {
+      artClassOffsets = [0, 0, 0, 0];
+    } else {
+      const c = getArtClassSpec(vm).offset;
+      artClassOffsets = [c.ifields, c.methods, c.sfields, c.copiedMethodsOffset];
+    }
+
     const m = getArtMethodSpec(vm);
     const f = getArtFieldSpec(vm);
 
     let s = artApi;
     [
       1,
-      c.ifields, c.methods, c.sfields, c.copiedMethodsOffset,
+      ...artClassOffsets,
       m.size, m.offset.accessFlags,
       f.size, f.offset.accessFlags,
       0xffffffff
@@ -1321,7 +1378,6 @@ function compileModule (env) {
         s = s.writeUInt(value).add(4);
       });
 
-    const api = getApi();
     [
       api.artClassLinker.address,
       api['art::ClassLinker::VisitClasses'],
@@ -1349,7 +1405,6 @@ function compileModule (env) {
 
   return {
     handle: cm,
-    mode: (artClass !== null) ? 'full' : 'basic',
     new: new NativeFunction(cm.model_new, 'pointer', ['pointer', 'pointer', 'pointer'], reentrantOptions),
     has: new NativeFunction(cm.model_has, 'bool', ['pointer', 'pointer'], fastOptions),
     find: new NativeFunction(cm.model_find, 'pointer', ['pointer', 'pointer'], fastOptions),
@@ -1357,17 +1412,19 @@ function compileModule (env) {
     enumerateMethodsArt: new NativeFunction(cm.enumerate_methods_art, 'pointer', ['pointer', 'pointer', 'bool', 'bool', 'bool'],
       reentrantOptions),
     enumerateMethodsJvm: new NativeFunction(cm.enumerate_methods_jvm, 'pointer', ['pointer', 'pointer', 'bool', 'bool', 'bool',
-      'pointer', 'pointer'], reentrantOptions),
+      'pointer'], reentrantOptions),
     dealloc: new NativeFunction(cm.dealloc, 'void', ['pointer'], fastOptions)
   };
 }
 
 function makeHandleUnwrapper (cm, vm) {
-  if (cm.mode === 'basic') {
+  const api = getApi();
+
+  if (api.flavor !== 'art') {
     return nullUnwrap;
   }
 
-  const decodeGlobal = getApi()['art::JavaVMExt::DecodeGlobal'];
+  const decodeGlobal = api['art::JavaVMExt::DecodeGlobal'];
 
   return function (handle, env, fn) {
     let result;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "7.0.9",
+  "version": "7.0.11",
   "description": "Java runtime interop from Frida",
   "keywords": [
     "frida-gum",