search

frida / frida-core

Frida core library intended for static linking into bindings
https://frida.re
Other
610 stars 193 forks source link

Child gating fails to resume the process after exec() change child process's cpu type #241

Closed gebing closed 5 years ago

gebing commented 5 years ago

I am trying use .enable_child_gating() to solve the frida bug of Android will hangs the thread when call Runtime.exec with invalid shell commands, and frida will throw InvalidArgumentError: invalid PID when i call self._device.resume(child.pid).

Here is my python code for dealing with .enable_child_gating() and resume

self._device.on("child-added", lambda child: self._reactor.schedule(lambda: self._on_child_added(child)))
self._device.on("child-removed", lambda child: self._reactor.schedule(lambda: self._on_child_removed(child)))
self._session.enable_child_gating()
...
def _on_child_added(self, child):
    self._print("Child added: {}".format(child))
    if child.origin != "exec":
        session = self._device.attach(child.pid)
        session.on("detached", lambda reason: self._reactor.schedule(lambda: self._on_child_detached(child.pid, session, reason)))
        session.enable_child_gating()
    self._device.resume(child.pid)

def _on_child_removed(self, child):
    self._print("Child removed: {}".format(child))

def _on_child_detached(self, pid, session, reason):
    self._print("Child detached: pid={}, reason='{}'".format(pid, reason))

and the console output is:

Child added: Child(pid=2597, parent_pid=2546, origin=fork)
Child removed: Child(pid=2597, parent_pid=2546, origin=fork)
Child detached: pid=2597, reason='process-replaced'
Child added: Child(pid=2597, parent_pid=2597, origin=exec, path=u'/system/bin/sh', argv=[u'/system/bin/sh', u'-c', u'getprop'], envp={'LD_PRELOAD': u'libNimsWrap.so', 'EXTERNAL_STORAGE': u'/sdcard', 'CLASSPATH': u'/system/framework/XposedBridge.jar', 'ANDROID_ASSETS': u'/system/app', 'ANDROID_ROOT': u'/system', 'SYSTEMSERVERCLASSPATH': u'/system/framework/services.jar:/system/framework/ethernet-service.jar:/system/framework/wifi-service.jar', 'ANDROID_DATA': u'/data', 'BOOTCLASSPATH': u'/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/tcmiface.jar:/system/framework/WfdCommon.jar:/system/framework/com.qti.dpmframework.jar:/system/framework/dpmapi.jar:/system/framework/com.qti.location.sdk.jar:/system/framework/qcom.fmradio.jar:/system/framework/qcmediaplayer.jar:/system/app/miui/miui.apk:/system/app/miuisystem/miuisystem.apk', 'ANDROID_SOCKET_zygote_secondary': u'11', 'ANDROID_PROPERTY_WORKSPACE': u'9,0', 'ASEC_MOUNTPOINT': u'/mnt/asec', 'PATH': u'/su/bin:/sbin:/vendor/bin:/system/sbin:/system/bin:/su/xbin:/system/xbin', 'ANDROID_STORAGE': u'/storage', 'ANDROID_BOOTLOGO': u'1'})
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/Cellar/python@2/2.7.16/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/Cellar/python@2/2.7.16/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/local/lib/python2.7/site-packages/frida_tools/application.py", line 442, in _run
    work()
  File "/usr/local/lib/python2.7/site-packages/frida_tools/application.py", line 236, in <lambda>
    self._device.on("child-added", lambda child: self._reactor.schedule(lambda: self._on_child_added(child)))
  File "/usr/local/lib/python2.7/site-packages/frida_tools/application.py", line 320, in _on_child_added
    self._device.resume(child.pid)
  File "/usr/local/lib/python2.7/site-packages/frida/core.py", line 104, in resume
    self._impl.resume(self._pid_of(target))
InvalidArgumentError: invalid PID

I re-compile frida-core and add some log output for tracing why it happens, and finally found the reason. it was becaused when child process was created by fork, it was a 32bit process, and it changed to 64 bit process after calling execvp. Below is my debug output:

prepare_to_exec(2597, parent=2597, path=/system/bin/sh)
entry_to_wait_for(PROCESS_REPLACED)
prepare_exec_transition(2597)
obtain_for_pid(2597, type=3)

await_exec_transition(2597)
obtain_for_pid(2597, type=3)

resume(2597)
obtain_for_pid(2597, type=4)

The result of cpu_type_from_pid changed from 3/GUM_CPU_ARM to 4/GUM_CPU_ARM64 after call await_exec_transition, and hence return 64bit helper to caller and throw error of invalid PID for not founding match pid in exec_instances map. @oleavr

oleavr commented 5 years ago

Thanks! This is a great catch. Let's get #242 over the finish line.