
frida-core's Introduction

frida-core

Frida core library intended for static linking into bindings.

  • Lets you inject your own JavaScript instrumentation code into other processes, optionally with your own C code for performance-sensitive bits.
  • Acts as a logistics layer that packages up GumJS into a shared library.
  • Provides a two-way communication channel for talking to your scripts, if needed, and for unloading them later.
  • Also lets you enumerate installed apps, running processes, and connected devices.
  • Written in Vala, with OS-specific glue code in C/Objective-C/asm.

Binaries

Typically used through one of the available language bindings, e.g.:

$ pip install frida-tools # CLI tools
$ pip install frida # Python bindings
$ npm install frida # Node.js bindings

Or, for static linking into your own project written in a C-compatible language, download a devkit from the Frida releases page.

Internals

For a higher level view of the internals, check out the architecture diagram and its links to the different parts of the codebase.

frida-core's People

Contributors

0xh0b0, 47cid, as0ler, asabil, azurda, cbayet, csftech, gebing, haaspors, hsorbo, igio90, jprieur, karltk, knight-ops, meme, milahu, mrmacete, oleavr, pachoo, psychomario, pyraun, qtlunya, riverar, s1341, saagarjha, tmm1, tobypetrice, wizche, worksbutnottested, yotamn

frida-core's Issues

Android, frida.NotSupportedError: error binding to address

So I tried to play around with Frida on Android and the very first basic snippet of code refuses to work. The device is a rooted S4 Mini. Any ideas?

Code:

import frida

device = frida.get_remote_device()
session = device.attach("com.android.systemui")
print(session.enumerate_modules())

Output:

C:\Code\frida>python client.py
Traceback (most recent call last):
  File "client.py", line 8, in <module>
    device.attach("com.android.systemui")
  File "C:\Compilers\Python27\lib\site-packages\frida-4.4.0-py2.7-win-amd64.egg\frida\core.py", line 78, in attach
frida.NotSupportedError: error binding to address: No such file or directory

Relevant method in core.py:

    def attach(self, target):
        return Session(self._impl.attach(self._pid_of(target)))

How to print NSString / Dictionary ?

Hey frida team,

I have great fun time playing with frida, thank you guys!
I want to print a parameter which has a string stored in an NSString/NSDictionary, etc.
I tried Memory.readUtf8String and ObjC.selectorAsString, both give me "�sw�".

In Objective-C, a simple NSLog(@"%@", str) does what I want. Is there anything that can achieve that?

Frida 6.0.8 cannot spawn or attach on Win7 x64

I have encountered an issue with Frida 6.0.8 on fully patched Win 7 SP1 x64 while trying to instrument any local process.
The spawn or attach command will fail with the same error:

C:\>frida -f %WINDIR%\system32\calc.exe
    _____
   (_____)
    |   |    Frida 6.0.8 - A world-class dynamic instrumentation framework
    |   |
    |`-'|    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at http://www.frida.re/docs/home/
    `._.'

Failed to attach: error opening named pipe (ConvertStringSecurityDescriptorToSecurityDescriptor returned 0x00000539)

As per MSDN:
0x00000539 = ERROR_INVALID_SID [1337 (0x539) The security ID structure is invalid.]

Getting key and iv from CCCrypt

I am playing with frida and I tried to intercept key and IV of CCCrypt on iOS. I can read the key with

var key = Memory.readUtf8String(args[3]);

if the key is a string. If, let's say, it is non-ASCII, I can't print it. I tried

var keyDump = Memory.readByteArray(args[3], 32); 

but it gives
[object Object]
Using the code below gives me the first bytes of the key in reverse order:

var keyPointer = Memory.readPointer(args[3]);
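
Added example, not code from the frida-core project or from the question's author: a Python host script, using the bindings the README lists, that injects a small GumJS agent hooking CCCrypt, receives the key and IV bytes over the channel described in the README (inject JavaScript, talk to it both ways, unload it), hex-dumps them, and tells the agent to remove its hooks before unloading. It also shows the fix for the `[object Object]` output above: `readByteArray()` returns an ArrayBuffer, so the bytes have to be passed as the second argument of `send()` rather than concatenated into a string (and `Memory.readPointer` reads one pointer-sized little-endian word, which is why the first bytes showed up reversed). `TARGET`, the `kind` field in the messages and the 16- or 8-byte IV length are assumptions made for the example; `args[3].readByteArray()` is the NativePointer form of the `Memory.readByteArray()` used in the question, and the `Module.findExportByName(null, ...)` lookup is the long-standing spelling, which varies across Frida releases.

```python
"""Capture CCCrypt key material from an iOS app via the Frida Python bindings.

Added example, not code from frida-core or the issue author.  Assumes
`pip install frida`, a jailbroken device on USB and an app name in TARGET.
"""
import sys

try:
    import frida  # bindings from the README; the helpers below work without them
except ImportError:
    frida = None

TARGET = "Target App"  # assumption: name or PID of the app to attach to

# From CommonCrypto's CommonCryptor.h, used only for readable output.
OPS = {0: "kCCEncrypt", 1: "kCCDecrypt"}
ALGS = {0: "AES", 1: "DES", 2: "3DES", 3: "CAST", 4: "RC4", 5: "RC2", 6: "Blowfish"}

# GumJS agent.  CCCrypt(op, alg, options, key, keyLength, iv, dataIn, ...).
# readByteArray() yields an ArrayBuffer (hence "[object Object]" when stringified);
# passing it as send()'s second argument ships the raw bytes to the host.
AGENT_SOURCE = r"""
Interceptor.attach(Module.findExportByName(null, 'CCCrypt'), {
  onEnter: function (args) {
    var alg = args[1].toInt32();
    var keyLen = args[4].toInt32();
    send({ kind: 'key', op: args[0].toInt32(), alg: alg, len: keyLen },
         args[3].readByteArray(keyLen));
    // iv may be NULL (ECB, or an all-zero CBC IV).  AES has a 16-byte block,
    // the other block ciphers 8 (assumption: RC4 callers pass NULL here).
    if (!args[5].isNull()) {
      var ivLen = (alg === 0) ? 16 : 8;
      send({ kind: 'iv', len: ivLen }, args[5].readByteArray(ivLen));
    }
  }
});
// Two-way channel: when the host posts {type: 'stop'} the agent removes its hooks.
recv('stop', function () {
  Interceptor.detachAll();
  send({ kind: 'stopped' });
});
"""


def hexdump(data, width=16):
    """Render bytes as offset, hex and ASCII columns, like `hexdump -C`."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  |%s|" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


def handle_message(message, data):
    """Unwrap one envelope from the script into (kind, payload, data).

    send(payload, buf) arrives as {'type': 'send', 'payload': payload} with the bytes
    in `data`; an uncaught agent exception arrives as {'type': 'error', 'description': ...}.
    """
    if message["type"] == "error":
        return "error", message, None
    payload = message["payload"]
    return payload["kind"], payload, data


def describe(kind, payload, raw):
    """Printable text for one decoded record."""
    if kind == "key":
        return "CCCrypt %s %s, %d-byte key\n%s" % (
            OPS.get(payload["op"], payload["op"]),
            ALGS.get(payload["alg"], payload["alg"]), payload["len"], hexdump(raw))
    if kind == "iv":
        return "IV\n" + hexdump(raw)
    if kind == "error":
        return "agent error: %s\n%s" % (payload["description"], payload.get("stack", ""))
    return kind


def capture(target=TARGET):
    """Attach, load the agent, print records until Enter is pressed, then unload."""
    if frida is None:
        raise RuntimeError("frida bindings not installed")
    session = frida.get_usb_device().attach(target)
    script = session.create_script(AGENT_SOURCE)
    seen = []

    def on_message(message, data):
        rec = handle_message(message, data)
        seen.append(rec)
        print(describe(*rec))

    script.on("message", on_message)
    script.load()
    sys.stdin.readline()            # trace until the user presses Enter
    script.post({"type": "stop"})   # host -> agent over the same channel
    script.unload()
    session.detach()
    return seen


if __name__ == "__main__":
    capture(sys.argv[1] if len(sys.argv) > 1 else TARGET)
```

Run it as `python cccrypt_keys.py "App Name"` with the device plugged in and the app running, exercise the feature that encrypts, and press Enter to stop; every CCCrypt call prints its operation, algorithm and a hex dump of the key and IV. Without the bindings installed the pure helpers (`hexdump`, `handle_message`, `describe`) still import, which is what makes the message handling testable off-device.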

Support for enumerating loaded classes on Android 5.1.1

Running the following on Android 5.1.1 on Nexus 5

var classes = Java.enumerateLoadedClassesSync();

throws the following error.

Error: Enumerating loaded classes is only supported on Dalvik for now
    at _enumerateLoadedClasses (gumjs-java.js:172:23)

Spawning a process should stop before __attribute__((constructor))

Example code:

#include <stdio.h>

__attribute__((constructor)) void foo(void) {
    puts("hello");
}

int main(void) {
    puts("world");
    return 0;
}
$ clang test.c -o test
$ frida ./test
...
Failed to load script: the connection is closed

This fails on darwin, but it may also fail on other platforms.

The problem on darwin is that we use the executable's entrypoint, but we should stop before, while dyld is initializing the binary.

Here's the backtrace from inside the foo function:

* thread #1: tid = 0x16a4de6, 0x0000000100000f20 b`foo, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x0000000100000f20 b`foo
    frame #1: 0x00007fff5fc12ceb dyld`ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 265
    frame #2: 0x00007fff5fc12e78 dyld`ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 40
    frame #3: 0x00007fff5fc0f871 dyld`ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 305
    frame #4: 0x00007fff5fc0f6f8 dyld`ImageLoader::processInitializers(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 138
    frame #5: 0x00007fff5fc0f969 dyld`ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 75
    frame #6: 0x00007fff5fc02245 dyld`dyld::initializeMainExecutable() + 187
    frame #7: 0x00007fff5fc05be1 dyld`dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 2716
    frame #8: 0x00007fff5fc01276 dyld`dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*) + 512
    frame #9: 0x00007fff5fc01036 dyld`_dyld_start + 54

frida-core fails to build under debian unstable

Linux Bhola 4.0.3 #1 SMP PREEMPT Sun May 17 07:49:58 CEST 2015 x86_64 GNU/Linux

libtool (GNU libtool) 2.4.2
gcc version 4.9.2 (Debian 4.9.2-16)
GNU ld (GNU Binutils for Debian) 2.25
Vala 0.26.1

$ make core-32
.....
.....
make[3]: Leaving directory '/home/jaime/appz/frida/frida/build/tmp-linux-x86_64/frida-core/lib'
make[2]: Leaving directory '/home/jaime/appz/frida/frida/build/tmp-linux-x86_64/frida-core/lib'
mkdir -p build/tmp_stripped-linux-x86_64/frida-core/lib/agent/.libs
cp build/tmp-linux-x86_64/frida-core/lib/agent/.libs/libfrida-agent.so build/tmp_stripped-linux-x86_64/frida-core/lib/agent/.libs/libfrida-agent.so
. build/frida-env-linux-x86_64.rc && $STRIP --strip-all build/tmp_stripped-linux-x86_64/frida-core/lib/agent/.libs/libfrida-agent.so
. build/frida-env-linux-i386.rc && make -C build/tmp-linux-i386/frida-core/src libfrida-helper-types.la frida-helper
make[2]: Entering directory '/home/jaime/appz/frida/frida/build/tmp-linux-i386/frida-core/src'
  VALAC    ../../../../frida-core/src/libfrida_helper_types_la_vala.stamp
  CC       linux/libfrida_helper_types_la-frida-helper-types.lo
  CCLD     libfrida-helper-types.la
/usr/bin/ar: `u' modifier ignored since `D' is the default (see `U')
  VALAC    ../../../../frida-core/src/libfrida_helper_main_la_vala.stamp
  CC       linux/libfrida_helper_main_la-frida-helper.lo
  CCLD     libfrida-helper-main.la
/usr/bin/ar: `u' modifier ignored since `D' is the default (see `U')
  CC       linux/frida-helper-glue.lo
  OBJCLD   libfrida-helper-glue.la
libtool: link: unable to infer tagged configuration
libtool:   error: specify a tag with '--tag'
Makefile:1076: recipe for target 'libfrida-helper-glue.la' failed
make[2]: *** [libfrida-helper-glue.la] Error 1
make[2]: Leaving directory '/home/jaime/appz/frida/frida/build/tmp-linux-i386/frida-core/src'
Makefile.linux.mk:138: recipe for target 'build/tmp-linux-i386/frida-core/src/frida-helper' failed
make[1]: *** [build/tmp-linux-i386/frida-core/src/frida-helper] Error 2
make[1]: Leaving directory '/home/jaime/appz/frida/frida'
Makefile:2: recipe for target 'core-32' failed
make: *** [core-32] Error 2

SELinux policy permissions

Hi, I read all issues concerning SELinux but nothing helped.
My Device: Nexus 5 (hammerhead) - CAF (with cyanogenmod and Android 6.0.1).
However, I set SELinux to permissive and it should be working:

$ getenforce
Permissive

However, when I run ./frida-server (mod = 777), I get the following error:
Unable to save SELinux policy to the kernel: Permission denied

When I run it with superuser rights, it works and I am able to use
$ frida-ps -U
Waiting for USB device to appear...
PID Name


337 adbd
26721 android.process.acore
30626 android.process.media
281 audiod
[...]

But when I try to attach to a process, I get session timeouts:
$ sudo frida-trace -U -i open com.android.chrome
Waiting for USB device to appear...
Failed to attach: timed out while waiting for session to establish
(It says attaching for something like 5-10 seconds)

Furthermore, with and without sudo I was able to get different errors, depending on how the frida-server was started.
$ frida-trace -U -i open com.android.chrome
Waiting for USB device to appear...
Failed to attach: unexpected error while attaching to process with pid 22398 (PTRACE_ATTACH wait returned 'Permission denied')
$ sudo frida-trace -U -i open com.android.chrome
Waiting for USB device to appear...
Failed to attach: remote_call PTRACE_CONT wait failed: 13

Is there anything I'm not seeing right now? To disable SELinux i used

echo 0 > /sys/fs/selinux/enforce

as well as

setenforce 0

Best regards,
Kevin

Segmentation Fault

When I'm trying to attach to the process "com.github.orangegangsters.lollipin" (https://github.com/OrangeGangsters/LolliPin) I get a segmentation fault.

$ frida -R com.github.orangegangsters.lollipin

Logcat:

--------- beginning of /dev/log/main
F/libc    ( 7588): Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 8700 (gsters.lollipin)
I/DEBUG   (  179): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  179): Build fingerprint: 'google/hammerhead/hammerhead:4.4.4/KTU84P/1227136:user/release-keys'
I/DEBUG   (  179): Revision: '11'
I/DEBUG   (  179): pid: 7588, tid: 8700, name: gsters.lollipin  >>> com.github.orangegangsters.lollipin <<<
I/DEBUG   (  179): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG   (  179):     r0 00000000  r1 0000000a  r2 ffffffff  r3 00000000
I/DEBUG   (  179):     r4 79942902  r5 75af30a8  r6 00000000  r7 773fbc30
I/DEBUG   (  179):     r8 00000000  r9 773fbc00  sl 400cdd8c  fp 773fbc08
I/DEBUG   (  179):     ip 79cbdc8c  sp 773fbbb8  lr 794a2201  pc 400990d4  cpsr 00070030
I/DEBUG   (  179):     d0  62616d643a656472  d1  6e695f6e6f6e6177
I/DEBUG   (  179):     d2  203030306138392d  d3  33352038303a3073
I/DEBUG   (  179):     d4  2020202020203434  d5  6d65747379732f20
I/DEBUG   (  179):     d6  2f726f646e65762f  d7  7362696c2f62696c
I/DEBUG   (  179):     d8  0000000000000000  d9  0000000000000000
I/DEBUG   (  179):     d10 0000000000000000  d11 0000000000000000
I/DEBUG   (  179):     d12 0000000000000000  d13 0000000000000000
I/DEBUG   (  179):     d14 0000000000000000  d15 0000000000000000
I/DEBUG   (  179):     d16 00000bb1af4a8287  d17 0016001500140013
I/DEBUG   (  179):     d18 000e000d000c000b  d19 0010000f000d000e
I/DEBUG   (  179):     d20 007e007d007c007b  d21 0080007f007d007e
I/DEBUG   (  179):     d22 0058005700550056  d23 0059005a005a0059
I/DEBUG   (  179):     d24 0000000000000000  d25 0000000000000000
I/DEBUG   (  179):     d26 0000000000000000  d27 0000000000000000
I/DEBUG   (  179):     d28 0071007200720071  d29 0076007500740073
I/DEBUG   (  179):     d30 0000000000000000  d31 0000000000000000
I/DEBUG   (  179):     scr 60000012
I/DEBUG   (  179): 
I/DEBUG   (  179): backtrace:
I/DEBUG   (  179):     #00  pc 000230d4  /system/lib/libc.so (__strchr_chk+23)
I/DEBUG   (  179):     #01  pc 0006f1fd  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #02  pc 0006f143  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #03  pc 0006bc11  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #04  pc 0007b82f  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #05  pc 0007bfbd  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #06  pc 0006b0e9  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #07  pc 000506cb  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #08  pc 00050853  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so (frida_agent_main+122)
I/DEBUG   (  179):     #09  pc 00000089  <unknown>
I/DEBUG   (  179): 
I/DEBUG   (  179): stack:
I/DEBUG   (  179):          773fbb78  00000400  
I/DEBUG   (  179):          773fbb7c  773fbb3c  [stack:8700]
I/DEBUG   (  179):          773fbb80  400cdc28  
I/DEBUG   (  179):          773fbb84  400cdd8c  
I/DEBUG   (  179):          773fbb88  400cdd8c  
I/DEBUG   (  179):          773fbb8c  00000000  
I/DEBUG   (  179):          773fbb90  00000000  
I/DEBUG   (  179):          773fbb94  75af30a8  
I/DEBUG   (  179):          773fbb98  00000043  
I/DEBUG   (  179):          773fbb9c  4008a84b  /system/lib/libc.so (fgets+150)
I/DEBUG   (  179):          773fbba0  79942902  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):          773fbba4  79942902  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):          773fbba8  75af30a8  
I/DEBUG   (  179):          773fbbac  00000000  
I/DEBUG   (  179):          773fbbb0  794a21d5  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):          773fbbb4  79942902  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #00  773fbbb8  79942902  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):          773fbbbc  794a2201  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):     #01  773fbbc0  773fbbe8  [stack:8700]
I/DEBUG   (  179):          773fbbc4  773fbc00  [stack:8700]
I/DEBUG   (  179):          773fbbc8  773fbbe0  [stack:8700]
I/DEBUG   (  179):          773fbbcc  773fbbdc  [stack:8700]
I/DEBUG   (  179):          773fbbd0  00000960  
I/DEBUG   (  179):          773fbbd4  7949ed45  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179):          773fbbd8  773fbc78  [stack:8700]
I/DEBUG   (  179):          773fbbdc  0000002a  
I/DEBUG   (  179):          773fbbe0  000014c3  
I/DEBUG   (  179):          773fbbe4  00000000  
I/DEBUG   (  179):          773fbbe8  732d7772  /system/lib/libwebviewchromium.so
I/DEBUG   (  179):          773fbbec  773fbc00  [stack:8700]
I/DEBUG   (  179):          773fbbf0  75a10000  anon_inode:dmabuf
I/DEBUG   (  179):          773fbbf4  00000000  
I/DEBUG   (  179):          773fbbf8  00000000  
I/DEBUG   (  179):          773fbbfc  00000000  
I/DEBUG   (  179):          ........  ........
I/DEBUG   (  179):     #02  773fbc48  00001000  
I/DEBUG   (  179):          773fbc4c  00000000  
I/DEBUG   (  179):          773fbc50  00000007  
I/DEBUG   (  179):          773fbc54  773fbc94  [stack:8700]
I/DEBUG   (  179):          773fbc58  77bdee08  [anon:libc_malloc]
I/DEBUG   (  179):          773fbc5c  7949ec15  /data/local/tmp/.frida-0e921dd17a3cc17f6d511b81049ba149/frida-agent-32.so
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near r4:
I/DEBUG   (  179):     799428e0 616d2f64 67007370 6c5f6d75 78756e69  
I/DEBUG   (  179):     799428f0 756e655f 6172656d 725f6574 65676e61  
I/DEBUG   (  179):     79942900 6c250073 252d786c 20786c6c 20633425  
I/DEBUG   (  179):     79942910 786c6c25 732a2520 6c6c2520 006e2564  
I/DEBUG   (  179):     79942920 3d3d206e 7c203520 206e207c 36203d3d  
I/DEBUG   (  179):     79942930 6d756700 646f6d5f 5f656c75 6d756e65  
I/DEBUG   (  179):     79942940 74617265 78655f65 74726f70 61620073  
I/DEBUG   (  179):     79942950 615f6573 65726464 21207373 414d203d  
I/DEBUG   (  179):     79942960 41465f50 44454c49 6e796400 5f6d7973  
I/DEBUG   (  179):     79942970 74636573 5f6e6f69 657a6973 64202520  
I/DEBUG   (  179):     79942980 79736e79 6e655f6d 5f797274 657a6973  
I/DEBUG   (  179):     79942990 203d3d20 6e550030 70707573 6574726f  
I/DEBUG   (  179):     799429a0 78652064 74756365 656c6261 72702f00  
I/DEBUG   (  179):     799429b0 252f636f 75612f64 47007678 63536d75  
I/DEBUG   (  179):     799429c0 74706972 2f2e2e00 2e2f2e2e 2e2e2f2e  
I/DEBUG   (  179):     799429d0 6972662f 672d6164 672f6d75 672f6d75  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near r5:
I/DEBUG   (  179):     75af3088 00000000 0000001b 00000000 00000000  
I/DEBUG   (  179):     75af3098 00000000 00000000 00000000 0000140b  
I/DEBUG   (  179):     75af30a8 30613537 30303066 6135372d 30303031  
I/DEBUG   (  179):     75af30b8 77722030 3220732d 61383930 20303030  
I/DEBUG   (  179):     75af30c8 303a3030 33352038 20203531 20202020  
I/DEBUG   (  179):     75af30d8 6f6e6120 6e695f6e 3a65646f 62616d64  
I/DEBUG   (  179):     75af30e8 000a6675 73626900 33612d63 732e7878  
I/DEBUG   (  179):     75af30f8 6900006f 6f732e64 00290000 61676500  
I/DEBUG   (  179):     75af3108 7473676e 2e737265 6c6c6f6c 6e697069  
I/DEBUG   (  179):     75af3118 612e312d 63406b70 7373616c 642e7365  
I/DEBUG   (  179):     75af3128 00007865 00000000 00000000 00000000  
I/DEBUG   (  179):     75af3138 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     75af3148 00000000 00005e91 00000000 00000000  
I/DEBUG   (  179):     75af3158 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     75af3168 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     75af3178 00000000 00000000 00000000 00000000  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near r7:
I/DEBUG   (  179):     773fbc10 00001000 773fbca0 773fbc08 00000003  
I/DEBUG   (  179):     773fbc20 00000000 773fbc78 7949ed45 00000000  
I/DEBUG   (  179):     773fbc30 773fbc54 773fbca0 77bfc700 75af3028  
I/DEBUG   (  179):     773fbc40 77bdee08 794a2147 00001000 00000000  
I/DEBUG   (  179):     773fbc50 00000007 773fbc94 77bdee08 7949ec15  
I/DEBUG   (  179):     773fbc60 00000000 794a0d95 00000000 00002000  
I/DEBUG   (  179):     773fbc70 00000007 773fbca0 7949ec71 773fbc68  
I/DEBUG   (  179):     773fbc80 75a0f000 00000000 40083218 40083218  
I/DEBUG   (  179):     773fbc90 40083218 773fbcb4 77bfc6f0 794ae833  
I/DEBUG   (  179):     773fbca0 40083218 7fffbfff 40083218 40083218  
I/DEBUG   (  179):     773fbcb0 75af3028 773fbd00 00000000 77bfc6e0  
I/DEBUG   (  179):     773fbcc0 77bdee08 794aefc1 77bdee08 794a0d5b  
I/DEBUG   (  179):     773fbcd0 75af3078 00000010 00000000 773fbcf0  
I/DEBUG   (  179):     773fbce0 77bdee08 794ae54b 75af3078 00000000  
I/DEBUG   (  179):     773fbcf0 40083218 40083218 77bfc708 77bfc6e0  
I/DEBUG   (  179):     773fbd00 773fbd28 00000000 77bfc6e0 75af3028  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near r9:
I/DEBUG   (  179):     773fbbe0 000014c3 00000000 732d7772 773fbc00  
I/DEBUG   (  179):     773fbbf0 75a10000 00000000 00000000 00000000  
I/DEBUG   (  179):     773fbc00 2098a000 00000000 75a0f000 00000000  
I/DEBUG   (  179):     773fbc10 00001000 773fbca0 773fbc08 00000003  
I/DEBUG   (  179):     773fbc20 00000000 773fbc78 7949ed45 00000000  
I/DEBUG   (  179):     773fbc30 773fbc54 773fbca0 77bfc700 75af3028  
I/DEBUG   (  179):     773fbc40 77bdee08 794a2147 00001000 00000000  
I/DEBUG   (  179):     773fbc50 00000007 773fbc94 77bdee08 7949ec15  
I/DEBUG   (  179):     773fbc60 00000000 794a0d95 00000000 00002000  
I/DEBUG   (  179):     773fbc70 00000007 773fbca0 7949ec71 773fbc68  
I/DEBUG   (  179):     773fbc80 75a0f000 00000000 40083218 40083218  
I/DEBUG   (  179):     773fbc90 40083218 773fbcb4 77bfc6f0 794ae833  
I/DEBUG   (  179):     773fbca0 40083218 7fffbfff 40083218 40083218  
I/DEBUG   (  179):     773fbcb0 75af3028 773fbd00 00000000 77bfc6e0  
I/DEBUG   (  179):     773fbcc0 77bdee08 794aefc1 77bdee08 794a0d5b  
I/DEBUG   (  179):     773fbcd0 75af3078 00000010 00000000 773fbcf0  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near sl:
I/DEBUG   (  179):     400cdd6c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cdd7c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cdd8c 77bccdfc 00000234 00000000 00340484  
I/DEBUG   (  179):     400cdd9c 77bccc30 00000400 00000000 400cdd8c  
I/DEBUG   (  179):     400cddac 4009c287 4009c209 4009c263 4009c22b  
I/DEBUG   (  179):     400cddbc 400cdc28 00000000 00000000 00000000  
I/DEBUG   (  179):     400cddcc 00000000 00000000 00000000 00000400  
I/DEBUG   (  179):     400cdddc 0001a620 00000000 00000000 00000000  
I/DEBUG   (  179):     400cddec 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cddfc 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cde0c 00000000 400cdc38 00000000 00000000  
I/DEBUG   (  179):     400cde1c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cde2c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cde3c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cde4c 00000000 00000000 00000000 00000000  
I/DEBUG   (  179):     400cde5c 00000000 00000000 400cdc48 00000000  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near fp:
I/DEBUG   (  179):     773fbbe8 732d7772 773fbc00 75a10000 00000000  
I/DEBUG   (  179):     773fbbf8 00000000 00000000 2098a000 00000000  
I/DEBUG   (  179):     773fbc08 75a0f000 00000000 00001000 773fbca0  
I/DEBUG   (  179):     773fbc18 773fbc08 00000003 00000000 773fbc78  
I/DEBUG   (  179):     773fbc28 7949ed45 00000000 773fbc54 773fbca0  
I/DEBUG   (  179):     773fbc38 77bfc700 75af3028 77bdee08 794a2147  
I/DEBUG   (  179):     773fbc48 00001000 00000000 00000007 773fbc94  
I/DEBUG   (  179):     773fbc58 77bdee08 7949ec15 00000000 794a0d95  
I/DEBUG   (  179):     773fbc68 00000000 00002000 00000007 773fbca0  
I/DEBUG   (  179):     773fbc78 7949ec71 773fbc68 75a0f000 00000000  
I/DEBUG   (  179):     773fbc88 40083218 40083218 40083218 773fbcb4  
I/DEBUG   (  179):     773fbc98 77bfc6f0 794ae833 40083218 7fffbfff  
I/DEBUG   (  179):     773fbca8 40083218 40083218 75af3028 773fbd00  
I/DEBUG   (  179):     773fbcb8 00000000 77bfc6e0 77bdee08 794aefc1  
I/DEBUG   (  179):     773fbcc8 77bdee08 794a0d5b 75af3078 00000010  
I/DEBUG   (  179):     773fbcd8 00000000 773fbcf0 77bdee08 794ae54b  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near ip:
I/DEBUG   (  179):     79cbdc6c 400a16a1 40097f50 4008a929 4008a7b5  
I/DEBUG   (  179):     79cbdc7c 4009c1b9 40098c3d 4008a495 400963f8  
I/DEBUG   (  179):     79cbdc8c 40099283 400963b0 40096390 400aff07  
I/DEBUG   (  179):     79cbdc9c 40098f85 4008ab0d 4009b331 400970c4  
I/DEBUG   (  179):     79cbdcac 40097f2c 40097f3c 40097384 40097298  
I/DEBUG   (  179):     79cbdcbc 4009720c 400972bc 4008e345 40050e21  
I/DEBUG   (  179):     79cbdccc 400964a0 4009781c 400a2b29 400962bc  
I/DEBUG   (  179):     79cbdcdc 400962dc 400891eb 40096abc 40096adc  
I/DEBUG   (  179):     79cbdcec 40096afc 40095eac 400a3ffb 400afe91  
I/DEBUG   (  179):     79cbdcfc 40096b7c 4008b159 40096b1c 4009b1f1  
I/DEBUG   (  179):     79cbdd0c 40094b6f 40095841 40096c00 40096830  
I/DEBUG   (  179):     79cbdd1c 400a36fd 40088029 40096b3c 4008805d  
I/DEBUG   (  179):     79cbdd2c 400880ff 40088077 4008bec1 40089ab9  
I/DEBUG   (  179):     79cbdd3c 40096a14 40096a54 40096a34 40097014  
I/DEBUG   (  179):     79cbdd4c 40089901 4009674c 40096974 4009678c  
I/DEBUG   (  179):     79cbdd5c 40096620 400966ec 40089941 40096e18  
I/DEBUG   (  179): 
I/DEBUG   (  179): memory near sp:
I/DEBUG   (  179):     773fbb98 00000043 4008a84b 79942902 79942902  
I/DEBUG   (  179):     773fbba8 75af30a8 00000000 794a21d5 79942902  
I/DEBUG   (  179):     773fbbb8 79942902 794a2201 773fbbe8 773fbc00  
I/DEBUG   (  179):     773fbbc8 773fbbe0 773fbbdc 00000960 7949ed45  
I/DEBUG   (  179):     773fbbd8 773fbc78 0000002a 000014c3 00000000  
I/DEBUG   (  179):     773fbbe8 732d7772 773fbc00 75a10000 00000000  
I/DEBUG   (  179):     773fbbf8 00000000 00000000 2098a000 00000000  
I/DEBUG   (  179):     773fbc08 75a0f000 00000000 00001000 773fbca0  
I/DEBUG   (  179):     773fbc18 773fbc08 00000003 00000000 773fbc78  
I/DEBUG   (  179):     773fbc28 7949ed45 00000000 773fbc54 773fbca0  
I/DEBUG   (  179):     773fbc38 77bfc700 75af3028 77bdee08 794a2147  
I/DEBUG   (  179):     773fbc48 00001000 00000000 00000007 773fbc94  
I/DEBUG   (  179):     773fbc58 77bdee08 7949ec15 00000000 794a0d95  
I/DEBUG   (  179):     773fbc68 00000000 00002000 00000007 773fbca0  
I/DEBUG   (  179):     773fbc78 7949ec71 773fbc68 75a0f000 00000000  
I/DEBUG   (  179):     773fbc88 40083218 40083218 40083218 773fbcb4  
I/DEBUG   (  179): 
I/DEBUG   (  179): code around pc:
I/DEBUG   (  179):     400990b4 000138ee 0001f03a b2c91882 b5104603  
I/DEBUG   (  179):     400990c4 46184293 e003d009 d1f92c00 bd104620  
I/DEBUG   (  179):     400990d4 3301781c d1f7428c 4802bd10 44782100  
I/DEBUG   (  179):     400990e4 fc96f7ef 0001f016 b508429a e8bdd803  
I/DEBUG   (  179):     400990f4 f0164008 4802bf69 44782100 fc88f7ef  
I/DEBUG   (  179):     40099104 0001f00d b508429a e8bdd803 f0164008  
I/DEBUG   (  179):     40099114 4802bf81 44782100 fc7af7ef 0001f009  
I/DEBUG   (  179):     40099124 460cb510 ff2cf7ff d30442a0 21004802  
I/DEBUG   (  179):     40099134 f7ef4478 bd10fc6d 0001f007 41f0e92d  
I/DEBUG   (  179):     40099144 46884606 4617461c 4619b1e2 f7ff3c01  
I/DEBUG   (  179):     40099154 1835ffe7 24001a20 4284e004 3b01f805  
I/DEBUG   (  179):     40099164 e00bd007 3004f818 d1f62b00 70292100  
I/DEBUG   (  179):     40099174 4807e008 44784905 fc4af7ef 42a73401  
I/DEBUG   (  179):     40099184 e7f3d1f0 e8bd4630 bf0081f0 000138f3  
I/DEBUG   (  179):     40099194 0001efd6 b508429a 4805d904 44784903  
I/DEBUG   (  179):     400991a4 fc36f7ef 4008e8bd be97f016 000138f8  
I/DEBUG   (  179): 
I/DEBUG   (  179): code around lr:
I/DEBUG   (  179):     794a21e0 98089014 43089909 2000d101 9807e00b  
I/DEBUG   (  179):     794a21f0 4428212f ef92f7df 900e210a ef8ef7df  
I/DEBUG   (  179):     794a2200 8000f880 9018a80e f8cd980a f400b058  
I/DEBUG   (  179):     794a2210 b2c1427f f04f2972 f4000100 bf08007f  
I/DEBUG   (  179):     794a2220 f5b22101 bf084fee 0102f041 0ff0f5b0  
I/DEBUG   (  179):     794a2230 f041bf08 ea010104 91170006 d1b042b0  
I/DEBUG   (  179):     794a2240 a8169906 47909a05 d1aa2800 f3854628  
I/DEBUG   (  179):     794a2250 4650f89b ef56f7df e8bdb019 48178ff0  
I/DEBUG   (  179):     794a2260 44784917 4a134b14 91004401 18114403  
I/DEBUG   (  179):     794a2270 f44f2000 f39072ae 480cf895 4478490c  
I/DEBUG   (  179):     794a2280 4a0c4b0d 91004401 18114403 f2402000  
I/DEBUG   (  179):     794a2290 f3901275 bf00f887 0081ba98 ffc84ce1  
I/DEBUG   (  179):     794a22a0 ffc80ddd 0081ba5a ffc84d0a 0081b976  
I/DEBUG   (  179):     794a22b0 ffc84d28 ffc84c17 ffc84cef 0081b992  
I/DEBUG   (  179):     794a22c0 ffc84cb6 4ff0e92d b09daf03 4979460c  
I/DEBUG   (  179):     794a22d0 4a794616 20009016 f10d4479 90190958  
--------- beginning of /dev/log/system

Timeout when attaching to or enumerating processes on iOS

I have tried this many different ways, but yet I still receive error:

processes = frida.get_device_manager().enumerate_devices()[1].enumerate_processes()
File "/Library/Python/2.7/site-packages/frida-1.6.7-py2.7-macosx-10.9-intel.egg/frida/core.py", line 47, in enumerate_processes
SystemError: timed out

Frida fails to attach on iOS ARM64 devices

As the title suggests, I have been unable to get Frida to attach on ARM64 iOS devices. I have tested two separate devices.

To give context, both devices are jailbroken on iOS 8.4 using Taig.

The smoketest worked fine, but attempting to connect to a process with frida-trace fails.
I am using the USB connection and the following syntax:

frida-trace -U <appName>

I have also tried:
frida-trace -U -p <pid>

I tried Frida on an armv7 device and was successful in attaching at least once (about to open a separate issue).

"connection refused" when connecting to iOS device

I once successfully got frida-ps -U working, but when I opened an app and hooked up again, the "connection refused" error came up. Subsequent commands failed as well.

$ frida-ps -U
Failed to enumerate processes: connect failed (connection refused)

My settings:

iPad Mini with iOS 8.1.2
OSX 10.10
Frida 1.6.8

Thanks!

application crashes when attaching Frida 1.4.0

Applications are crashing when Frida 1.4.0 is attaching. I have no idea why.

This is observed with various applications. The most famous of them is 7-Zip, and it's open-source, so this report will use 7-Zip as the example for the crash.

Software: 7-Zip 9.20
OS: Windows 7 SP1 64-bit

Reproducing:

  • Start 7-Zip GUI (executable 7zfm.exe)
  • Run command frida-trace.exe -i "*add*" 7zfm.exe

Expected result: frida-trace attaches to 7zfm.exe and logs calls.
Actual result: frida-trace attaches to 7zfm.exe and it crashes immediately.

Generated Handlers : http://wikisend.com/download/366112/__handlers__.7z (link valid 7 days).

Console output:

 frida-trace.exe -i "*add*" 7zfm.exe

 Attaching...
 Resolving functions...
 Uploading data...
 svn_ra_svn__get_addresses: Loaded handler at XXX\svn_ra_svn__get_addresses.js"
 apr_procattr_addrspace_set: Loaded handler at XXX
 ___unguarded_readlc_active_add_func: Loaded handler at XXX
 ..... LOG CUT HERE .....
 _unloaddll: Loaded handler at XXX
 _FXp_addh: Loaded handler at XXX
 Ready!
 Started tracing 94 functions. Press ENTER to stop.
 Target process terminated.
 Stopping...

7-Zip crash signature:

 Problem signature:
 Problem Event Name: APPCRASH
 Application Name: 7zFM.exe
 Application Version: 9.20.0.0
 Application Timestamp: 4ce55007
 Fault Module Name: frida-agent-64.dll
 Fault Module Version: 0.0.0.0
 Fault Module Timestamp: 53658c45
 Exception Code: 40000015
 Exception Offset: 00000000000e1aaa
 OS Version: 6.1.7601.2.1.0.256.4
 Locale ID: 1033
 Additional Information 1: 6c4c
 Additional Information 2: 6c4ce84510697985dd5daef2daf436b9
 Additional Information 3: da9b
 Additional Information 4: da9beea80fcb265cc2444484cad4e572

Crash callstack:

 ...
 kernel32.dll!BasepReportFault() + 0x1f bytes
 kernel32.dll!UnhandledExceptionFilter() + 0x1fc bytes
 frida-agent-64.dll!frida_agent_main() + 0xe3f1e bytes
 [Frames below may be incorrect and/or missing, no symbols loaded for frida-agent-64.dll]
 frida-agent-64.dll!frida_agent_main() + 0xde9ca bytes
 frida-agent-64.dll!frida_agent_main() + 0x4e37d bytes
 frida-agent-64.dll!frida_agent_main() + 0x940a9 bytes
 frida-agent-64.dll!frida_agent_main() + 0x93dd7 bytes
 frida-agent-64.dll!frida_agent_main() + 0x93e4f bytes
 frida-agent-64.dll!frida_agent_main() + 0x86ae3 bytes
 frida-agent-64.dll!frida_agent_main() + 0x80aac bytes
 frida-agent-64.dll!frida_agent_main() + 0x8f468 bytes
 frida-agent-64.dll!frida_agent_main() + 0x24ce4b bytes
 frida-agent-64.dll!frida_agent_main() + 0x2120fd bytes
 frida-agent-64.dll!frida_agent_main() + 0x2119f5 bytes

Frida 6.x crashes com.android.systemui on Android 4.4.4

Frida 6.x fails to spawn/attach and additionally crashes the UI on stock Android 4.4.4 when attaching or spawning any application (native or dalvik). Frida 5.x works fine with the same setup (at least the frida-server v 5.0.1 which I have backed up). Reproduced on multiple Nexus 4 and Nexus 5, Android 4.4.4 with Dalvik runtime.

The process com.android.systemui crashes with a SIGSEGV, the stack is in frida-agent-32.so library (full crash log at http://pastebin.com/K4LEuyXH). This log is with frida-server and frida-trace of Frida v 6.1.1

F/libc    ( 2583): Fatal signal 11 (SIGSEGV) at 0x00000001 (code=1), thread 2703 (ndroid.systemui)
I/DEBUG   (  170): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  170): Build fingerprint: 'google/occam/mako:4.4.4/KTU84P/1227136:user/release-keys'
I/DEBUG   (  170): Revision: '11'
I/DEBUG   (  170): pid: 2583, tid: 2703, name: ndroid.systemui  >>> com.android.systemui <<<
I/DEBUG   (  170): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000001
I/DEBUG   (  170):     r0 7a078ec0  r1 ffffffff  r2 000000ff  r3 7a079550
I/DEBUG   (  170): AM write failure (32 / Broken pipe)
I/DEBUG   (  170):     r4 7b1f7938  r5 000006c0  r6 00000000  r7 7b1f76b8
I/DEBUG   (  170):     r8 7a070228  r9 7a070220  sl 00000000  fp 7a063220
I/DEBUG   (  170):     ip 00000000  sp 7b1f76a8  lr 7b6e156f  pc 7b6e158c  cpsr 600f0030
I/DEBUG   (  170): 
I/DEBUG   (  170): backtrace:
I/DEBUG   (  170):     #00  pc 004e958c  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #01  pc 004e887b  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #02  pc 00389519  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #03  pc 0038941b  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #04  pc 003872d7  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #05  pc 0038051d  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #06  pc 0038076b  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #07  pc 00051b2d  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so
I/DEBUG   (  170):     #08  pc 0004da6d  /data/local/tmp/frida-6c1a74dfb03fd092c8686591f4109a20/frida-agent-32.so (frida_agent_main+112)
I/DEBUG   (  170):     #09  pc 000000c9  <unknown>

Attaching the same process two or more times makes it crash on OSX

I've got a crash when injecting the frida dylib twice on OSX 10.9.2 (Mavericks).
However, I was able to launch it correctly when using it normally.

Here's the plausible reason, given by @oleavr :
"The reason it happens is because Frida's dylib (that's written to a temporary directory) has a fixed UUID, so that should definitely be patched when writing the temporary dylib. (Everything else should just work, as all ids and paths are unique per Frida debugger process)."

Add support for listing Android apps

My guess is that Android can reuse the Firefox OS app loop and just check if /proc/pid/exe points to /system/bin/app_process. This will give us the app id and pid, but I don't see a clear path to retrieve the app name without parsing the APK, which will require adding more deps to Frida. Is there any other way to make that listing?
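The /proc heuristic sketched in this issue, as an added example (not frida-core's own code): walk the pid directories, keep those whose exe link resolves to /system/bin/app_process, and take the package name from argv[0] of cmdline, which the zygote rewrites to the app id. The proc tree, process list and package names below are constructed so the example runs offline; on a real device you would pass proc_root="/proc" (reading another uid's exe link there needs root).

```python
"""List running Android apps from /proc without parsing any APK.

Added example built around the heuristic proposed in the issue above; it is
not frida-core's own implementation. A fake /proc tree is constructed in a
temporary directory so it runs anywhere.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

# Path the issue proposes as the marker for an app process.
APP_PROCESS = "/system/bin/app_process"


@dataclass(frozen=True)
class AndroidApp:
    pid: int
    identifier: str          # package name as seen in argv[0] of cmdline
    name: Optional[str]      # display name is not recoverable from /proc; left None


def list_android_apps(proc_root="/proc", app_process=APP_PROCESS):
    """Return AndroidApp entries for every pid whose exe is app_process."""
    apps = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/meminfo, ...
            continue
        pid = int(entry)
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # kernel threads, processes that exited, or ones we may not inspect
            continue
        if exe != app_process:
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = f.read().split(b"\0")
        except OSError:
            continue
        if not argv or not argv[0]:
            continue
        identifier = argv[0].decode("utf-8", "replace")
        # zygote and system_server also run under app_process; their argv[0]
        # is not a reverse-DNS package name, so a dot is used to filter them.
        if "." not in identifier:
            continue
        apps.append(AndroidApp(pid=pid, identifier=identifier, name=None))
    return sorted(apps, key=lambda a: a.pid)


def build_fake_proc(root, processes):
    """Create <root>/<pid>/exe symlinks and cmdline files for the sample."""
    for pid, exe, argv in processes:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))        # dangling link is fine
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")
    os.makedirs(os.path.join(root, "self"))           # non-pid entry to ignore
    return root


# Constructed sample process table (hypothetical pids and package names).
SAMPLE_PROCESSES = [
    (1, "/init", ["/init"]),
    (306, APP_PROCESS, ["zygote"]),
    (571, APP_PROCESS, ["system_server"]),
    (2031, APP_PROCESS, ["com.example.app"]),
    (2583, APP_PROCESS, ["com.android.systemui"]),
    (3000, "/system/bin/sh", ["sh"]),
]


def demo():
    """Build the fake tree and list the apps it contains."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    build_fake_proc(root, SAMPLE_PROCESSES)
    return list_android_apps(proc_root=root)


if __name__ == "__main__":
    for app in demo():
        print(app.pid, app.identifier)
```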

Linux hang on attach

uname -a: Linux Relentless 3.12-1-amd64 #1 SMP Debian 3.12.9-1 (2014-02-01) x86_64 GNU/Linux

The attach blocks on a futex() syscall; the end of an strace output is available here:

http://pastebin.com/dnmWyucc

The behaviour occurs using both frida-trace and the python bindings.

/usr/bin/ld:.libs/libfrida-gadget-1.0.ver:2: syntax error in VERSION script

Hi, while making frida-core:

[afx237@bright ~/frida/frida-core frida-linux-x86_64]
$ make
make all-recursive
make[1]: Entering directory '/home/afx237/frida/frida-core'
Making all in tools
make[2]: Entering directory '/home/afx237/frida/frida-core/tools'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/afx237/frida/frida-core/tools'
Making all in lib
make[2]: Entering directory '/home/afx237/frida/frida-core/lib'
Making all in interfaces
make[3]: Entering directory '/home/afx237/frida/frida-core/lib/interfaces'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/home/afx237/frida/frida-core/lib/interfaces'
Making all in pipe
make[3]: Entering directory '/home/afx237/frida/frida-core/lib/pipe'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/home/afx237/frida/frida-core/lib/pipe'
Making all in agent
make[3]: Entering directory '/home/afx237/frida/frida-core/lib/agent'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/home/afx237/frida/frida-core/lib/agent'
make[3]: Entering directory '/home/afx237/frida/frida-core/lib'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/afx237/frida/frida-core/lib'
make[2]: Leaving directory '/home/afx237/frida/frida-core/lib'
Making all in src
make[2]: Entering directory '/home/afx237/frida/frida-core/src'
make all-am
make[3]: Entering directory '/home/afx237/frida/frida-core/src'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/afx237/frida/frida-core/src'
make[2]: Leaving directory '/home/afx237/frida/frida-core/src'
Making all in server
make[2]: Entering directory '/home/afx237/frida/frida-core/server'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/afx237/frida/frida-core/server'
Making all in gadget
make[2]: Entering directory '/home/afx237/frida/frida-core/gadget'
CCLD libfrida-gadget-1.0.la

*** Warning: Linking the shared library libfrida-gadget-1.0.la against the
*** static library ../lib/agent/.libs/libfrida-agent.a is not portable!
/usr/bin/ld:.libs/libfrida-gadget-1.0.ver:2: syntax error in VERSION script
collect2: error: ld returned 1 exit status
Makefile:490: recipe for target 'libfrida-gadget-1.0.la' failed
make[2]: *** [libfrida-gadget-1.0.la] Error 1
make[2]: Leaving directory '/home/afx237/frida/frida-core/gadget'
Makefile:489: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/afx237/frida/frida-core'
Makefile:397: recipe for target 'all' failed
make: *** [all] Error 2

Frida crashes the Target Process

Hi, I've installed and used Frida on my Gentoo system, which works fine without any problems, but just lately I've also tried to install and use it on one of the latest 64-bit Ubuntu systems, which resulted in Frida terminating the target process it was supposed to analyze. The details are attached below.

Start a cat process, which dumps a core after trying to attach to it with Frida:

# cat
Segmentation fault (core dumped)

Then we connect to it with the frida Python bindings:

>>> import frida
>>> session = frida.attach("cat")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/frida/__init__.py", line 55, in attach
    return get_local_device().attach(target)
  File "/usr/local/lib/python2.7/dist-packages/frida/core.py", line 87, in attach
    return Session(self._impl.attach(self._pid_of(target)))
frida.ProcessNotRespondingError: timed out while waiting for session to establish
>>> session = frida.attach("cat")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/frida/__init__.py", line 55, in attach
    return get_local_device().attach(target)
  File "/usr/local/lib/python2.7/dist-packages/frida/core.py", line 87, in attach
    return Session(self._impl.attach(self._pid_of(target)))
frida.ProcessNotRespondingError: timed out while waiting for session to establish

Below, the core dump has been analyzed and useful information printed for debugging purposes and finding the culprit of the problem.

# gdb /bin/cat core
Core was generated by `cat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f5dc8d6a912 in _dl_lookup_symbol_x (undef_name=0x7f5dc8f7e440 "frida_agent_main", undef_map=0x0, ref=0x7f5dc84b2ee8, symbol_scope=0x388, version=0x0, type_class=0, flags=2, skip_map=0x0) at dl-lookup.c:731
731     dl-lookup.c: No such file or directory.
(gdb) backtrace full
#0  0x00007f5dc8d6a912 in _dl_lookup_symbol_x (undef_name=0x7f5dc8f7e440 "frida_agent_main", undef_map=0x0, ref=0x7f5dc84b2ee8, symbol_scope=0x388, version=0x0, type_class=0, flags=2, skip_map=0x0) at dl-lookup.c:731
        new_hash = 1845031485
        old_hash = 4294967295
        current_value = {s = 0x0, m = 0x0}
        scope = 0x388
        __PRETTY_FUNCTION__ = "_dl_lookup_symbol_x"
        i = 0
        protected = <optimized out>
#1  0x00007f5dc8ad1145 in do_dlsym (ptr=ptr@entry=0x7f5dc84b2ed0) at dl-libc.c:97
        args = 0x7f5dc84b2ed0
#2  0x00007f5dc8d6fff4 in _dl_catch_error (objname=0x7f5dc84b2eb0, errstring=0x7f5dc84b2ec0, mallocedp=0x7f5dc84b2ea0, operate=0x7f5dc8ad1100 <do_dlsym>, args=0x7f5dc84b2ed0) at dl-error.c:187
        errcode = 0
        c = {objname = 0x7f5dc84b2eb0, errstring = 0x7f5dc84b2ec0, malloced = 0x7f5dc84b2ea0, errcode = 0x7f5dc84b2da4, env = {{__jmpbuf = {0, 6355741775290325035, 0, 0, 140040769059264, 140040769058560, 6355741775363725355, 6355740449778980907}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 4294967296, 0, 
                  0, 0, 0, 0, 0, 140040771260656, 0, 140040769058560, 140040769056528, 0, 0, 140040769059264}}}}}
        catchp = 0x7f5dc84b36f8
        old = <optimized out>
#3  0x00007f5dc8ad1249 in dlerror_run (args=0x7f5dc84b2ed0, operate=0x7f5dc8ad1100 <do_dlsym>) at dl-libc.c:46
        objname = 0x7f5dc0002f40 "/usr/lib/x86_64-linux-gnu/libstdc++.so.6"
        last_errstring = 0x0
        malloced = true
        result = <optimized out>
#4  __GI___libc_dlsym (map=<optimized out>, name=<optimized out>) at dl-libc.c:210
        args = {map = 0x0, name = 0x7f5dc8f7e440 "frida_agent_main", loadbase = 0x7f5dc8f7e0ed, ref = 0x0}
#5  0x00007f5dc8f7e10a in ?? ()
No symbol table info available.
#6  0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) info registers
rax            0x388    904
rbx            0x7f5dc84b2ee8   140040769056488
rcx            0xdbc0f6cb154e7de0       -2611816431778628128
rdx            0x7f5dc8f7e450   140040780375120
rsi            0x0      0
rdi            0x7f5dc8f7e440   140040780375104
rbp            0x7f5dc84b2d30   0x7f5dc84b2d30
rsp            0x7f5dc84b2c10   0x7f5dc84b2c10
r8             0x0      0
r9             0x0      0
r10            0x64747362696c2f75       7238537367603916661
r11            0x200    512
r12            0x0      0
r13            0x0      0
r14            0xda9efe816df8f23d       -2693435695271710147
r15            0x0      0
rip            0x7f5dc8d6a912   0x7f5dc8d6a912 <_dl_lookup_symbol_x+178>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/16i $pc
=> 0x7f5dc8d6a912 <_dl_lookup_symbol_x+178>:    mov    (%rax),%r9
   0x7f5dc8d6a915 <_dl_lookup_symbol_x+181>:    jne    0x7f5dc8d6ab20 <_dl_lookup_symbol_x+704>
   0x7f5dc8d6a91b <_dl_lookup_symbol_x+187>:    test   %r9,%r9
   0x7f5dc8d6a91e <_dl_lookup_symbol_x+190>:    je     0x7f5dc8d6b159 <_dl_lookup_symbol_x+2297>
   0x7f5dc8d6a924 <_dl_lookup_symbol_x+196>:    mov    %rax,%r10
   0x7f5dc8d6a927 <_dl_lookup_symbol_x+199>:    lea    -0x90(%rbp),%rax
   0x7f5dc8d6a92e <_dl_lookup_symbol_x+206>:    mov    %r10,%r14
   0x7f5dc8d6a931 <_dl_lookup_symbol_x+209>:    mov    %rax,-0xc0(%rbp)
   0x7f5dc8d6a938 <_dl_lookup_symbol_x+216>:    lea    -0xa0(%rbp),%rax
   0x7f5dc8d6a93f <_dl_lookup_symbol_x+223>:    mov    %rax,-0xb8(%rbp)
   0x7f5dc8d6a946 <_dl_lookup_symbol_x+230>:    mov    0x10(%rbp),%eax
   0x7f5dc8d6a949 <_dl_lookup_symbol_x+233>:    mov    -0xc0(%rbp),%r8
   0x7f5dc8d6a950 <_dl_lookup_symbol_x+240>:    mov    (%rbx),%rcx
   0x7f5dc8d6a953 <_dl_lookup_symbol_x+243>:    mov    -0xb8(%rbp),%rdx
   0x7f5dc8d6a95a <_dl_lookup_symbol_x+250>:    mov    -0xb0(%rbp),%rsi
   0x7f5dc8d6a961 <_dl_lookup_symbol_x+257>:    mov    -0xa8(%rbp),%rdi
(gdb) thread apply all backtrace

Thread 2 (Thread 0x7f5dc8f54740 (LWP 15710)):
#0  0x00007f5dc8a86810 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x0000000000404e46 in ?? ()
#2  0x00000000004024cf in ?? ()
#3  0x00007f5dc89bcec5 in __libc_start_main (main=0x401a40, argc=1, argv=0x7fffea5eae18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffea5eae08) at libc-start.c:287
#4  0x000000000040262b in ?? ()

Thread 1 (Thread 0x7f5dc84b3700 (LWP 15711)):
#0  0x00007f5dc8d6a912 in _dl_lookup_symbol_x (undef_name=0x7f5dc8f7e440 "frida_agent_main", undef_map=0x0, ref=0x7f5dc84b2ee8, symbol_scope=0x388, version=0x0, type_class=0, flags=2, skip_map=0x0) at dl-lookup.c:731
#1  0x00007f5dc8ad1145 in do_dlsym (ptr=ptr@entry=0x7f5dc84b2ed0) at dl-libc.c:97
#2  0x00007f5dc8d6fff4 in _dl_catch_error (objname=0x7f5dc84b2eb0, errstring=0x7f5dc84b2ec0, mallocedp=0x7f5dc84b2ea0, operate=0x7f5dc8ad1100 <do_dlsym>, args=0x7f5dc84b2ed0) at dl-error.c:187
#3  0x00007f5dc8ad1249 in dlerror_run (args=0x7f5dc84b2ed0, operate=0x7f5dc8ad1100 <do_dlsym>) at dl-libc.c:46
#4  __GI___libc_dlsym (map=<optimized out>, name=<optimized out>) at dl-libc.c:210
#5  0x00007f5dc8f7e10a in ?? ()
#6  0x0000000000000000 in ?? ()
(gdb) quit

Does anybody know why this happens and how it can be solved?

Spawning helper process fails on Android when SELinux is in enforcing mode

Hi, I have an issue with Frida.
After encountering a problem with my python using UCS4, and easy_install frida using UCS2, I cloned your git and built Frida from source: both the python bindings and frida-server.
Deployed the frida-server on my phone with adb.
When trying to start frida-server -t -0 (like you showed in the example), got an error that no "-t" option was known, so I just ran it without any option: ./frida-server.
After forwarding the ports frida-ps -R works fine, but when I do frida-trace -R -i open com.android.chrome I get the following error:
Failed to attach: unexpectedly timed out while spawning helper process

Using Ubuntu 15 and Galaxy S3 with Android 4.3
Would appreciate your help! :)

frida ignores callbacks on windows system

Hi, first huge thanks for your effort in creating this toolset.

I was trying to get frida-trace working on WinXP SP3 (x86). I am using the latest version available at the moment (6.0.1). I am trying to hook the PaintMenuBar function of calc.exe or notepad.exe. The cmd output shows that it successfully injects the frida-agent dll and starts tracing our target function. I have verified with Ollydbg that it successfully replaces the target function's first bytes with a jump to the frida-agent dll. Whenever we activate the target process window, the PaintMenuBar function is called and it successfully executes frida-agent code. Now the problem is that nothing is being logged in the cmd window. I haven't modified the auto-generated handlers in any way. I checked with the TcpView tool that after the initial communication, the injected frida-agent is not sending any messages back to the python client whenever our target function is being invoked. I tried to hook several other functions both in calc.exe and notepad.exe but it seems to ignore all of them. I have already tried disabling my security software. Any thoughts on what could be the problem and how I can fix it?

Frida is failing with processes running in Low Integrity Level

I'm trying to implement a script in Python to work with a process running in Low Integrity Level under Windows 7 SP0 x86. The specific process is IE, Internet Explorer, the child not the broker. When I run the script (frida-process-low-il-test.py), I get the following error:

{{{
C:\Users\defcon\Documents>python frida-process-low-il-test.py 2892
Traceback (most recent call last):
  File "frida-process-low-il-test.py", line 27, in <module>
    main(target_process)
  File "frida-process-low-il-test.py", line 9, in main
    session = frida.attach(target_process)
  File "C:\Python27\lib\site-packages\frida\__init__.py", line 55, in attach
    return get_local_device().attach(target)
  File "C:\Python27\lib\site-packages\frida\core.py", line 87, in attach
    return Session(self._impl.attach(self._pid_of(target)))
frida.ProcessNotRespondingError: timed out while waiting for session to establish
}}}

But if I run it against other process, for example, notepad, I get the following result:

{{{
C:\Users\defcon\Documents>python frida-process-low-il-test.py 1544
[+] Received msg from process: Hello from my process
[!] Press at any time to detach from instrumented program.
}}}

I was talking with @oleavr and we think it is a problem with the named pipe's permissions. It seems that frida can inject the library into the process running with Low IL but then the process can't write to the pipe. This make sense because the idea to have a process running in Low IL is to isolate it from processes with more privileges to avoid privilege escalations. In fact, if I disable UAC (User Account Control), IE child process will run with High IL and frida client would be able to write to the pipe.

This is considered as the expected behavior according to the "Communication between low-integrity and higher-integrity processes" in this article from MSDN: https://msdn.microsoft.com/en-us/library/bb625960.aspx

However, I'm in a situation where I need to communicate with a process running with Low IL. Even though it is not a good idea to allow a process running in Low IL to write to a named pipe, it would be a good idea to add a parameter (for example: child_could_write_pipe=True) to allow this behavior. I would use it like this:

{{{
session = frida.attach(target_process, child_could_write_pipe=True)
}}}

According to the previous link, in order to allow this behavior over named pipes "the creator explicitly sets the mandatory label on the pipe to allow access to lower-integrity processes".

I was experimenting with the SetLowLabelToFile() function mentioned on that article but without luck.

Looking for some more detailed information, I found this: http://blogs.msdn.com/b/cjacks/archive/2006/10/24/modifying-the-mandatory-integrity-level-for-a-securable-object-in-windows-vista.aspx which takes me to the AddMandatoryAce API which seems to be the answer to the problem.

I'm attaching a script to reproduce the issue. Just run IE or any other process with Low IL and then attach to it like 'python frida-process-low-il-test.py '.

I'm also attaching the pipe-windows.c (this file goes to frida-core\lib\pipe) with the modified SetLowLabelToFile (in my case the function is called SetLowLabelToPipe()) and the compiled _frida.pyd (for Python 2.7 x86).

You can get the files here (github doesn't allow me to upload the files right here): https://www.dropbox.com/s/4tmwofru9hd9kp2/frida-low-il.zip?dl=0

improve error message for frida version mismatch

currently when frida client and host versions don't match, you get an error like this:

Error: No such interface 're.frida.HostSession7' on object at path /re/frida/HostSession
   at Error (native)

It would be great to special case this error and provide a more helpful message.

Only allow clients using the same API version

It is known that every release fixes many bugs and adds several improvements, this results in many weird problems when trying to connect to a frida-server that is from a different version than the client ones. So imho it will be good that the server verifies client version and rejects the connection with an error message if the version doesn't match. This will probably require a change in the protocol.

Timeout attaching to process on Windows

I'm using Python3.3 on Windows 8 64-bit and frida 1.0.7

When I try to attach to a process (I tried notepad.exe both 64-bit and 32-bit), I get this:
C:\Python33>Scripts\frida-trace.exe -i "Insert*" 8320
Attaching...
Failed to attach: timed out

I tested this running non-elevated (and accepting the UAC prompt), or running elevated (no UAC prompt). In both cases I get the same timeout message.

Later I realized the instance of notepad.exe I was trying to attach to was elevated (launched from an admin cmd console). When I launched a regular non-elevated instance of notepad, I can attach to it fine from a normal cmd console. Trying to attach from an elevated cmd console still fails.

It looks like frida apps launched from elevated consoles have issues attaching (to normal or elevated processes).

double free abort

reproduce with (on mac/linux), frida 6.0.8, node v5.1.0:

var dev; require('frida').getRemoteDevice().then(function (d) { dev = d; return d.enumerateApplications(); }).then(console.log).catch(console.error);

setTimeout(function () {
  dev.enumerateApplications().then(console.log).catch(console.error)
}, 1000);

setTimeout(function () {
  var dev; require('frida').getRemoteDevice().then(function (d) { dev = d; return d.enumerateApplications(); }).then(console.log).catch(console.error);

  setTimeout(function () {
    dev.enumerateApplications().then(console.log).catch(console.error)
    dev.enumerateApplications().then(console.log).catch(console.error)
    dev.enumerateApplications().then(console.log).catch(console.error)
  }, 1000);
}, 3000);
node(76963,0x7fff7456a000) malloc: *** error for object 0x10301dc00: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
[1]    76963 abort      node repro.js

frida_get_regs returned 'I/O error'

When I'm trying to attach to a process the error

Failed to attach: unexpected error while attaching to process with pid 4786 (frida_get_regs returned 'I/O error')

occurs.

For some reason PTRACE_GETREGSET doesn't work for me.

return ptrace (PTRACE_GETREGSET, pid, NT_PRSTATUS, &io);

Maybe also
return ptrace (PTRACE_SETREGSET, pid, NT_PRSTATUS, &io);

With the old version ret = ptrace (PTRACE_GETREGS, pid, NULL, saved_regs); it works.

SELinux is set to permissive and the OS is Android 4.4.4.

Error binding to address: Address already in use

I'm getting the following error when I try to run it on my Android Phone. Works great on iOS.

C:\WINDOWS\system32>adb shell "/data/local/tmp/frida-server &"
Unable to load SELinux policy from the kernel: Failed to open file '/sys/fs/selinux/policy': Permission denied
Unable to start server: Error binding to address: Address already in use

iOS: Access violation when using args in Interceptor.attach onEnter

Hi,

I am using frida 7.1.4 to modify the behavior of an App on iOS and ran into a problem that I do not understand:

This is what I do:

  • use Module.enumerateExports to get the address of the method that I want to hook
  • use Interceptor.attach to hook that address and just print out args[2] (should be the argument passed to the method). But this gives an Access violation

The method that I am hooking (stringForKey) gets a String as parameter. And I am sure that the method gets called by the code twice with two different String constants as parameter.

I have two questions:
1. Why is it giving this access violation (this is on jailbroken iOS version 8.1)?
2. Why is the Module.enumerateExports finding two matches, while there is only one method in the code that matches the "stringForKey" (see output for details)?

Code snippet of my hook:

    Module.enumerateExports('<TARGET_APP>', {
        onMatch: function(match) {
            if (match.name.indexOf('stringForKey') > 0) {
                console.log("Hooking " + match.name);
                Interceptor.attach(match.address, {
                    onEnter: function(args) {
                        console.log(args[2]);
                        var param = ObjC.Object(args[2]);
                    }
                });
            }
        },
        onComplete: function () {
            send({event: 'ready'});
        }
    });

Structure of the method that I hook:

    public class func stringForKey(keyName: String) -> String? {
        let keychainData: NSData? = self.dataForKey(keyName)
        var stringValue: String?
        if let data = keychainData {
            stringValue = NSString(data: data, encoding: NSUTF8StringEncoding) as String?
        }

        return stringValue
    }

Output

Hooking _TZFC14Target_iPhone18Classname12stringForKeyfSSGSqSS_
Hooking _TWoZFC14Target_iPhone18ClassName12stringForKeyfSSGSqSS_
0x40000012
{ type: 'error',
  description: 'Error: access violation accessing 0x68080440',
  stack: 'Error: access violation accessing 0x68080440\n    at Runtime.ObjCObject [as Object] (gumjs-objc.js:414:46)\n    at [object Object].Interceptor.attach.onEnter (script1.js:50:33)',
  fileName: 'gumjs-objc.js',
  lineNumber: 414,
  columnNumber: 46 }
0x40000012
{ type: 'error',
  description: 'Error: access violation accessing 0x68080440',
  stack: 'Error: access violation accessing 0x68080440\n    at Runtime.ObjCObject [as Object] (gumjs-objc.js:414:46)\n    at [object Object].Interceptor.attach.onEnter (script1.js:50:33)',
  fileName: 'gumjs-objc.js',
  lineNumber: 414,
  columnNumber: 46 }

Can't attach to processes on Android > 4.0

I'm using Frida 1.6.0 on Linux x86_64 and I'm experiencing issues trying to remotely trace applications on a rooted Galaxy Nexus running Android 4.3.

I can successfully start frida-server with no issues from a root shell on the device, and I can enumerate processes by running frida-ps -R from my host machine. However, when I try to use frida-trace on a running process I get the following error:

$ frida-trace -R 2782
Failed to attach: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dio_2derror_2dquark.Code0: remote_call PTRACE_CONT wait failed: 0

regardless of which process I attempt to trace. On the other hand, I have no problem tracing applications on the same device running Android 4.0.4.

After some experimentation, I found out that the problem seems to be related to a waitpid() call in frida-server which sets the status as WIFSTOPPED(s) && WSTOPSIG(s) == SIGTRAP while the server is actually expecting SIGBUS. I can't find the source for frida-server, however the part I'm interested in is probably the function frida_remote_call in frida-core/src/linux/linjector-glue.c . I see that there is a #define which sets the macro FRIDA_SIGBKPT as SIGTRAP or SIGBUS depending on the architecture. I then tried to patch the server binary to test the syscall status against SIGTRAP (5) instead of SIGBUS (7), which indeed makes Frida go past the error, but unfortunately also makes the traced application unresponsive and/or crash shortly after.

Edit: if I change the signal number as described I get no issues when attaching without tracing any function, but I get the following when tracing at least one function: ERROR:../../../../frida-core/src/linux/linjector-glue.c:151:FridaInjectionInstance *frida_injection_instance_new(FridaLinjector *, guint, pid_t, const char *): assertion failed (ret == 0): (-1 == 0) . Of course, this means that the problem is indeed more complex than a simple mismatched signal.

frida-trace crashes android/x86 apps

I'm trying to inject into Clash of Clans on a Genymotion Google Nexus 7 emulator. I'm using the binary from http://build.frida.re/frida-snapshot/android/i386/bin/frida-server. The command I'm using to instrument CoC is:

frida-trace -U -i send -i recv com.supercell.clashofclans

frida-trace outputs "Resolving functions..." and just sits there. It causes CoC to crash and logcat shows the following:

F/libc ( 2031): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2d in tid 2031 (ll.clashofclans)
I/DEBUG ( 86): *** *** *** *** *** *** *** *** *** *** *** *** *** *** ** ***
I/DEBUG ( 86): Build fingerprint: 'generic/vbox86tp/vbox86tp:5.1/LMY47D/buildbot11172044:userdebug/test-keys'
I/DEBUG ( 86): Revision: '0'
I/DEBUG ( 86): ABI: 'x86'
I/DEBUG ( 86): pid: 2031, tid: 2031, name: ll.clashofclans >>> com.supercell.clashofclans <<<
I/DEBUG ( 86): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d
I/DEBUG ( 86): eax ffffffff ebx f743398c ecx 00000003 edx ffb7b198
I/DEBUG ( 86): esi ffffffff edi f3efa104
I/DEBUG ( 86): xcs 00000023 xds 0000002b xes 0000002b xfs 00000007 xss 0000002b
I/DEBUG ( 86): eip f74286a8 ebp 00000000 esp ffb7b1e0 flags 00210286
I/DEBUG ( 86):
I/DEBUG ( 86): backtrace:
I/DEBUG ( 86): #00 pc 0001b6a8 /system/lib/libutils.so (android::Looper::pollInner(int)+200)
I/DEBUG ( 86): #1 pc 0001baa7 /system/lib/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+55)
I/DEBUG ( 86): #2 pc 000c8697 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(JNIEnv*, int)+71)
I/DEBUG ( 86): #3 pc 000c86fa /system/lib/libandroid_runtime.so
I/DEBUG ( 86): #4 pc 000db8ae /data/dalvik-cache/x86/system@framework@boot.oat
I/DEBUG ( 86):
I/DEBUG ( 86): Tombstone written to: /data/tombstones/tombstone_02
I/BootReceiver( 571): Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
W/ActivityManager( 571): Force finishing activity 1 com.supercell.clashofclans/.GameApp
E/JavaBinder( 571): !!! FAILED BINDER TRANSACTION !!!
E/EGL_emulation( 606): tid 606: eglCreateSyncKHR(1209): error 0x3004 (EGL_BAD_ATTRIBUTE)
D/WifiService( 571): Client connection lost with reason: 4
W/InputDispatcher( 571): channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)' ~ Consumer closed input channel or an error occurred. events=0x9
E/InputDispatcher( 571): channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)' ~ Channel is unrecoverably broken and will be disposed!
I/Zygote ( 306): Process 2031 exited due to signal (11)
D/WifiService( 571): releaseWifiLockLocked: WifiLock{com.supercell.clashofclans type=1 binder=android.os.BinderProxy@26e5fd1c}
I/WindowState( 571): WIN DEATH: Window{2443c6a1 u0 com.supercell.clashofclans/com.supercell.clashofclans.GameApp}
W/InputDispatcher( 571): Attempted to unregister already unregistered input channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)'
I/WindowState( 571): WIN DEATH: Window{2d076887 u0 SurfaceView}
W/ActivityManager( 571): Exception thrown during pause
W/ActivityManager( 571): android.os.DeadObjectException
W/ActivityManager( 571): at android.os.BinderProxy.transactNative(Native Method)
W/ActivityManager( 571): at android.os.BinderProxy.transact(Binder.java:496)
W/ActivityManager( 571): at android.app.ApplicationThreadProxy.schedulePauseActivity(ApplicationThreadNative.java:704)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.startPausingLocked(ActivityStack.java:825)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.finishActivityLocked(ActivityStack.java:2726)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.finishTopRunningActivityLocked(ActivityStack.java:2583)
W/ActivityManager( 571): at com.android.server.am.ActivityStackSupervisor.finishTopRunningActivityLocked(ActivityStackSupervisor.java:2497)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.handleAppCrashLocked(ActivityManagerService.java:11500)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.makeAppCrashingLocked(ActivityManagerService.java:11397)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.crashApplication(ActivityManagerService.java:12081)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11592)
W/ActivityManager( 571): at com.android.server.am.NativeCrashListener$NativeCrashReporter.run(NativeCrashListener.java:86)
E/lowmemorykiller( 201): Error opening /proc/2031/oom_score_adj; errno=2
E/EGL_emulation( 606): tid 606: eglCreateSyncKHR(1209): error 0x3004 (EGL_BAD_ATTRIBUTE)
D/SurfaceFlinger( 606): setOrientation, mFbdev=0xf68603c0, mFbDev->setOrientation=0xf65aacd0, orientation=0
I/gralloc_vbox86( 606): setOrientation: orientation=0
I/ActivityManager( 571): Config changes=480 {1.0 310mcc260mnc en_US ?layoutDir sw600dp w600dp h888dp 213dpi lrg port finger qwerty/v/v dpad/v s.12}
I/InputReader( 571): Reconfiguring input devices. changes=0x00000004
I/InputReader( 571): Device reconfigured: id=1, name='Genymotion Virtual Input', size 800x1280, orientation 0, mode 1, display id 0
I/ActivityManager( 571): Process com.supercell.clashofclans (pid 2031) has died
W/art ( 571): Long monitor contention event with owner method=void com.android.server.am.ActivityManagerService.crashApplication(com.android.server.am.ProcessRecord, android.app.ApplicationErrorReport$CrashInfo) from ActivityManagerService.java:12027 waiters=2 for 189ms
W/art ( 571): Long monitor contention event with owner method=void com.android.server.am.ActivityManagerService.crashApplication(com.android.server.am.ProcessRecord, android.app.ApplicationErrorReport$CrashInfo) from ActivityManagerService.java:12027 waiters=3 for 143ms
D/OpenGLRenderer( 571): Use EGL_SWAP_BEHAVIOR_PRESERVED: true
D/Atlas ( 571): Validating map...
V/ActivityManager( 571): Display changed displayId=0
I/WindowManager( 571): Screen frozen for +204ms due to Window{3a90d6d u0 Starting com.supercell.clashofclans}
I/OpenGLRenderer( 875): Initialized EGL, version 1.4
I/OpenGLRenderer( 571): Initialized EGL, version 1.4
D/ ( 571): HostConnection::get() New Host Connection established 0xe11adbb0, tid 2191
W/EGL_emulation( 690): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 690): Failed to set EGL_SWAP_BEHAVIOR on surface 0xf3ee92c0, error=EGL_SUCCESS
W/EGL_emulation( 875): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 875): Failed to set EGL_SWAP_BEHAVIOR on surface 0xe24ba280, error=EGL_SUCCESS
D/OpenGLRenderer( 571): Enabling debug mode 0
W/EGL_emulation( 571): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 571): Failed to set EGL_SWAP_BEHAVIOR on surface 0xded13fa0, error=EGL_SUCCESS
W/EGL_emulation( 690): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 690): Failed to set EGL_SWAP_BEHAVIOR on surface 0xf3ee92e0, error=EGL_SUCCESS
W/EGL_emulation( 571): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 571): Failed to set EGL_SWAP_BEHAVIOR on surface 0xded13fa0, error=EGL_SUCCESS
V/RenderScript( 875): 0xf3da6200 Launching thread(s), CPUs 4
W/OpenGLRenderer( 875): Incorrectly called buildLayer on View: ShortcutAndWidgetContainer, destroying layer...
I/art ( 571): Explicit concurrent mark sweep GC freed 21790(1190KB) AllocSpace objects, 10(2MB) LOS objects, 33% free, 8MB/13MB, paused 844us total 16.373ms

I tested instrumenting com.android.browser following the example on the website and it crashes the web browser.

crash android application from attach->enumerate->detach

This script using frida-node will reliably crash any app on my 5.0 device, presumably when detaching from it:

var frida = require('frida');

console.log('get device');
// Pick the USB-attached device running frida-server.
frida.getUsbDevice()
.then(function(device){

  console.log('get frontmost application');
  // Resolve the app currently in the foreground and attach to its pid.
  return device.getFrontmostApplication()
  .then(function(app){
    console.log('attach');
    return device.attach(app.pid)
  })
  .then(function(session){
    console.log('enumerate');
    // Enumerate all readable+writable memory ranges, then detach.
    return session.enumerateRanges('rw-')
    .then(function(){
      console.log('detach');
      return session.detach();
    });
  });
})
.catch(function(err){
  console.error(err);
});

When session.enumerateRanges('rw-') is left out, it doesn't crash.

App crashes on Dalvik.perform on Android Emulator 4.3.1

Hey!

I try to execute the following script on Android Emulator:

import sys, frida
def on_message(message, data):  # prints everything send() emits from the script
    print(message)
processName = sys.argv[1]           # target process name; not shown in the original snippet
jscode = "send(Dalvik.available);"  # the probe script mentioned below
process = frida.get_remote_device().attach(processName)
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()

The jscode 'send(Dalvik.available)' returns true.

Now, when I try to execute with jscode 'Dalvik.perform(function() {})' or 'Dalvik.perform(function() {send('1')})', the app crashes.

Thanks in advance!

Small tutorial on overwriting methods in Android

Hi,

I stumbled on Frida through this post
http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html

Here they explain how you can create a new object of a particular class of an Android app:

var LockManager = Dalvik.use("com.github.orangegangsters.lollipin.lib.managers.LockManager");
var LockManagerInstance = LockManager.getInstance();

Would it be possible for you to write a small tutorial on how to overwrite a particular method of some class, i.e., hook a particular class method such that the overwritten method will be used whenever the App creates an object of that class, instead of the intended method that is in the APK code?

If I get it to work, I am very willing to write out a full tutorial to include on the frida.re site :-)

Thanks!
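The kind of hook asked for above, as an added example that is not part of the original post, the MDSec article, or the Frida project's own code. It uses the same Dalvik.use() bridge as the snippet in the question (on current Frida releases the global is named Java instead of Dalvik). The class and method it targets, com.github.orangegangsters.lollipin.lib.managers.AppLock with a boolean checkPasscode(String), are assumptions for illustration; substitute the class and method you actually want to override. The replacement body is built by a plain function so that it can be exercised outside Frida.

```javascript
// Frida agent script (old "Dalvik" API; on current Frida the global is "Java").
// Assumption (not from the page): lollipin's AppLock exposes
// boolean checkPasscode(String). Both names are illustrative.
var TARGET_CLASS = 'com.github.orangegangsters.lollipin.lib.managers.AppLock';
var TARGET_METHOD = 'checkPasscode';

// True only when running inside a Frida-instrumented Android process.
function hasDalvik() {
  return typeof Dalvik !== 'undefined' && Dalvik.available;
}

// Build the replacement method body as a plain closure so the logic can be
// reasoned about and tested without a device. `callOriginal` invokes the real
// method; `log` receives a report for every call.
function makePasscodeOverride(callOriginal, log) {
  return function (passcode) {
    // Call through to the original first so the app's own side effects
    // (attempt counters, state changes) still happen, then force the verdict.
    var verdict = callOriginal.call(this, passcode);
    log({ method: TARGET_METHOD, passcode: passcode, original: verdict, forced: true });
    return true;
  };
}

// Install the hook. Dalvik.perform() attaches the current thread to the VM;
// Dalvik.use() returns a wrapper whose methods expose `implementation`.
function installHook() {
  Dalvik.perform(function () {
    var AppLock = Dalvik.use(TARGET_CLASS);
    // If the method is overloaded, pick the signature explicitly instead:
    //   AppLock.checkPasscode.overload('java.lang.String').implementation = ...
    AppLock[TARGET_METHOD].implementation = makePasscodeOverride(
      function (passcode) {
        // Inside an implementation `this` is the Java instance; calling the
        // method on it runs the original, un-hooked code.
        return this[TARGET_METHOD](passcode);
      },
      send);
  });
}

if (hasDalvik()) {
  installHook();
}
```

Once loaded (for example with frida -U -l hook.js <app>, or from Python via create_script()), every instance of the class uses the replacement from then on, because the implementation is swapped on the class rather than on one object. Calling the original through `this` keeps the app's state transitions intact; dropping that call is the variant to use when the original must never run.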

Frida gadget crashes (frida_gadget_memory_range: assertion failed)

Hi,

Environment:
iOS: 9.0.2
iOS frida-server: 7.1.12
Gadget: http://build.frida.re/frida/ios/lib/ (May 19th)
OS X: 7.1.12

I'm launching the application as follows:

IPAD:~ root# FRIDA_GADGET_SCRIPT=/var/root/disable.js FRIDA_GADGET_ENV=development     DYLD_INSERT_LIBRARIES=/var/root/gadget.dylib     /var/mobile/Containers/Bundle/Application/IDENTIFIER/APP.app/APP

However, it immediately gives this error:

2016-05-23 11:30:01.365 APP[692:8209] Frida: frida-core/lib/gadget/gadget.c:6343:frida_gadget_memory_range: assertion failed: (result != null)

I can't find a frida_gadget_memory_range method in any of the source files, so I have no idea which code is triggering this.

Frida-trace on iOS rarely attaches to a process

When attempting to use frida-trace on an OS X host, via USB to a jailbroken 8.4 device, Frida often fails to attach to the target process.

I am attempting to attach to a given process ID, X and the connection often times out. By often, I mean I've had it work once and then fail every other time. The messages I receive are:-

Failed to attach: unable to connect to remote frida-server: Unable to connect (connection refused)
+
Failed to attach: timeout was reached.

When I'm debugging an app with LLDB or Xcode, the app will actually crash when I attempt to attach using Frida. On my final attempt, the device went into a reboot loop and was stuck in recovery mode. I'm now going to have to restore the device. Thankfully this is not a problem today since the signing window for 8.4 is still open and I can re-jailbreak. The logs when attempting to attach is shown here:-

Aug 19 12:32:25 iOSdevice kernel[0] <Debug>: 
Aug 19 12:32:25 iOSdevice ReportCrash[547] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1145.15)
Aug 19 12:32:25 iOSdevice ReportCrash[547] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 19 12:32:25 iOSdevice ReportCrash[547] <Error>: task_set_exception_ports(B07, 400, F03, 0, 0) failed with error (4: (os/kern) invalid argument)
Aug 19 12:32:25 iOSdevice ReportCrash[547] <Notice>: ReportCrash acting against PID 539
Aug 19 12:32:25 iOSdevice ReportCrash[547] <Notice>: Formulating crash report for process libraryLookup[539]
Aug 19 12:32:26 iOSdevice com.apple.xpc.launchd[1] (UIKitApplication:com.test.libraryLookup[0x23ad][539]) <Notice>: Service exited due to signal: Bus error: 10
Aug 19 12:32:26 iOSdevice SpringBoard[76] <Warning>: Application 'UIKitApplication:com.test.libraryLookup[0x23ad]' crashed.

The crash log also reports:-

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x34f02140

Any ideas what might be up? Possibly something related to iOS 8.4 or the Taig patches?

Frida not working on Android 4.4.2 nexus 5

Hi:

I tried the tutorial at http://www.frida.re/docs/android/, however I couldn't get it working. Running frida-trace -R -i open com.android.chrome just shows

Started tracing 0 functions. Press ENTER to stop.

and no output at all. I've ensured the following conditions:

  1. /data/local/tmp/ is -R 777
  2. getenforce is permissive
  3. frida-server is running as root, and ports are forwarded.

Would you kindly give some hints? Thanks.

Troubles with frida-trace on android emulator 4.3.1 on MacOS

Hey!
First of all, thanks for such a great job! Frida is indeed a wonderful tool.

Now, on topic:
I try to run "frida-trace -p pid" to trace a process on my android emulator. I get the following error:
"Failed to attach: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dio_2derror_2dquark.Code0: task_for_pid() for remote pid failed while trying to make pipe endpoints: (os/kern) failure (5)"

Frida-server is running on the device from /data/local/tmp with 777 rights on this folder. The ports are forwarded.

Thanks in advance!
