spawn gating issue
alvarofe opened this issue · 3 comments
I took this as start point https://gist.github.com/oleavr/ae7bcbbb9179852a4731.
Here is the code
gating.js
'use strict';
const co = require('co');
const frida = require('frida');
const load = require('frida-load');
let target, device;
co(function*() {
device = yield frida.getUsbDevice();
device.events.listen('spawned', onSpawned);
device.enableSpawnGating();
const pending = yield device.enumeratePendingSpawns();
pending.forEach(function(spawn, i) {
console.log('pending[' + i + ']=', spawn, ' Resuming!');
device.resume(spawn.pid);
});
console.log('ready');
})
.catch(function(error) {
console.log('mmm error here');
console.error(error.message);
process.exitCode = 1;
});
function onSpawned(spawn) {
console.log('onSpawned:', spawn);
co(function*() {
if (spawn.identifier === 'com.android.insecurebankv2') {
const session = yield device.attach(spawn.pid);
const source = yield load(require.resolve('./agent.js'));
const script = yield session.createScript(source);
script.events.listen('message', function(message, data) {
onMessage(spawn, message, data);
});
yield script.load();
const exports = yield script.getExports();
yield exports.init();
yield device.resume(spawn.pid);
} else {
yield device.resume(spawn.pid);
}
})
.catch(function(error) {
console.error(error.message);
});
}
function onMessage(spawn, message, data) {
console.log(message);
console.log('onMessage:', spawn, message, data);
}
agent.js
rpc.exports = {
init: function() {
'use strict';
Java.perform(function() {
var javaFile = Java.use("java.io.File");
javaFile.exists.implementation = function() {
console.log('File exists called');
return this.exists.apply(this, arguments);
}
});
}
};
But I am getting this
air:helper alvaro$ node gating.js
ready
onSpawned: Spawn { identifier: 'com.android.insecurebankv2', pid: 17454 }
onMessage: Spawn { identifier: 'com.android.insecurebankv2', pid: 17454 } { type: 'error',
description: 'Error: access violation accessing 0x6f0056',
stack: 'Error: access violation accessing 0x6f0056\n at frida/node_modules/frida-java/lib/env.js:206\n at apply (native)\n at frida/node_modules/frida-java/lib/env.js:201\n at frida/node_modules/frida-java/lib/class-factory.js:113\n at frida/node_modules/frida-java/lib/class-factory.js:1621\n at call (native)\n at getPackageInfoNoCheck (input:1)\n at apply (native)\n at r (frida/node_modules/frida-java/lib/class-factory.js:842)\n [...]',
fileName: 'frida/node_modules/frida-java/lib/env.js',
lineNumber: 206,
columnNumber: 1 } null
FWIW I've not been able to make spawn, attach and resume to work. I am doing the following being spawn-agent.js the same agent without rpc.exports.
'use strict';
const co = require('co');
const frida = require('frida');
const load = require('frida-load');
let session, script;
co(function *() {
const device = yield frida.getUsbDevice();
const pid = yield device.spawn(['com.android.insecurebankv2']);
session = yield device.attach(pid);
const source = yield load(
require.resolve('./spawn-agent.js'));
script = yield session.createScript(source);
script.events.listen('message', message => {
if (message.type === 'send' && message.payload.event === 'ready')
device.resume(pid);
else
console.log(message);
});
yield script.load();
})
.catch(console.error);
Here an asciinema https://asciinema.org/a/539my8j4jrmkghbgrdbtb3pdt
Am i doing it wrong ?
swapping these two lines
yield exports.init();
yield device.resume(spawn.pid);
for
yield device.resume(spawn.pid);
yield exports.init();
load the script correctly. I assume the process is still not created and this.method.apply crash.
Is this really early instrumentation? I would like to apply the scripts before to resume
I am running into the same problem attempting to use one of the cleaned up gating examples:
rpc.exports = {
init: function () {
console.log('entered init');
if (!Java.available) {
console.log('no java sorry');
} else {
console.log('has java!');
Java.perform(function () {
console.log('entered java perform');
const Activity = Java.use("android.app.Activity");
Activity.onResume.implementation = function () {
send("onResume");
this.onResume();
};
});
}
},
}
> python legging.py
Enabled spawn gating
Pending: []
Waiting for data
on_spawned: Spawn(pid=22420, identifier="app_name_sanitized")
Instrumenting: Spawn(pid=22420, identifier="app_name_sanitized")
entered init
has java!
Processed: Spawn(pid=22420, identifier="app_name_sanitized")
Waiting for data
on_message: Spawn(pid=22420, identifier="app_name_sanitized") {'type': 'error', 'description': 'Error: access violation accessing 0x4d008d', 'stack': 'Error: access violation accessing 0x4d008d\n at frida/node_modules/frida-java/lib/env.js:206\n at apply (native)\n at frida/node_modules/frida-java/lib/env.js:201\n at frida/node_modules/frida-java/lib/class-factory.js:113\n at frida/node_modules/frida-java/lib/class-factory.js:1621\n
at call (native)\n at getPackageInfoNoCheck (input:1)\n at apply (native)\n at r (frida/node_modules/frida-java/lib/class-factory.js:842)\n [...]', 'fileName': 'frida/node_modules/frida-java/lib/env.js', 'lineNumber': 206, 'columnNumber': 1} None
Issue was in frida-java, and should be fixed.