frida / frida-core

Frida core library intended for static linking into bindings
https://frida.re

Failure to effectively hook all the methods of a class in newer Android versions #501

Open Ch0pin opened 4 months ago

Ch0pin commented 4 months ago

In the newest Android versions (>= 13) I am facing an issue when I try to hook all the methods of a Java class. More specifically, given the following function:

// Hook every overload of the method named by a fully qualified "Class.method" string.
function traceMethod(targetClassMethod) {
    var delim = targetClassMethod.lastIndexOf(".");
    if (delim === -1) return;
    var targetClass = targetClassMethod.slice(0, delim);
    var targetMethod = targetClassMethod.slice(delim + 1, targetClassMethod.length);
    var hook = Java.use(targetClass);
    var overloadCount12 = hook[targetMethod].overloads.length;

    for (var i = 0; i < overloadCount12; i++) {
        hook[targetMethod].overloads[i].implementation = function () {
            console.log("\n[ ▶︎▶︎▶︎] Entering: " + targetClassMethod);
            for (var j = 0; j < arguments.length; j++) {
                console.log("|\t\\_arg[" + j + "]: " + arguments[j]);
            }
            // Call through to the original implementation.
            var retval = this[targetMethod].apply(this, arguments);
            console.log("[ ◀︎◀︎◀︎ ] Exiting " + targetClassMethod);

            console.log('\t\\_Returns: ' + retval + '\n');
            return retval;
        };
    }
}

and the following calls:

traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.finish');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.onActivityResult');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.onCreate');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ɻ');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʕ');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʖ');

I can effectively hook all the methods of a class in Android 9 and get the correct logs:

[Image: Screenshot 2024-03-01 at 10 42 48]

Using the traceMethod, same app, in Android 13, yields the following output:

[Image: Screenshot 2024-03-01 at 10 45 08]

It fails to display the logs of methods called within onCreate. Subsequently, removing the onCreate hook displays the log of com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʕ but fails to follow the calls to the class's methods started from within the ʕ method:

[Image: Screenshot 2024-03-01 at 10 47 18]

My Android 13 device's fingerprint is the following:

[google/barbet/barbet:13/TQ3A.230901.001/10750268:user/release-keys]

While the Android 9 fingerprint is the following:

[samsung/dream2ltexx/dream2lte:9/PPR1.180610.011/G955FXXUCDUD1:user/release-keys]

Ch0pin commented 4 months ago

Using a simpler example, assuming the following Java code:

    public void func(){
        System.out.println("in func");
        func1();
    }

    public void func1(){
        System.out.println("in func1");
    }

the following script:


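Java.perform(function() {
    let className1 = Java.use("com.intent.sender.min.MainActivity");

    // Replacement for func(): log, then call the original, which calls func1().
    className1.func.implementation = function() {
        console.log("FRIDA: in func");
        this.func();
    };

    // Replacement for func1(): expected to log when func() calls func1().
    className1.func1.implementation = function() {
        console.log("FRIDA: in func1");
    };
});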

logs only: FRIDA: in func
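
Added example, not part of the thread and not Frida project code: a variant of the traceMethod helper above that counts how often each installed hook runs, so the reported symptom (hook installed, never invoked) shows up as data instead of a missing log line. The names installCounters and neverHit and the 5-second window are assumptions; the class and method names are taken from the reproducer.

```javascript
// Added example: hit-counting variant of the traceMethod helper in this thread.
"use strict";

// Install a counting hook on every overload of each named method.
// `wrapper` is what Java.use() returns; `stats` maps "Class.method" -> counters.
function installCounters(wrapper, className, methodNames, stats) {
  for (const name of methodNames) {
    const key = className + "." + name;
    const method = wrapper[name];
    if (!method || !method.overloads) {       // name not present on this class
      stats[key] = { installed: 0, hits: 0, missing: true };
      continue;
    }
    const entry = (stats[key] = { installed: 0, hits: 0, missing: false });
    method.overloads.forEach(function (overload) {
      overload.implementation = function () {
        entry.hits++;
        // Call through to the original via this exact overload.
        return overload.apply(this, arguments);
      };
      entry.installed++;
    });
  }
  return stats;
}

// Hooks that were installed but never executed: the symptom reported here.
function neverHit(stats) {
  return Object.keys(stats).filter(function (k) {
    return stats[k].installed > 0 && stats[k].hits === 0;
  });
}

// Runs only inside Frida, where the global `Java` exists.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const cls = "com.intent.sender.min.MainActivity"; // class from the reproducer
    const stats = installCounters(Java.use(cls), cls, ["func", "func1"], {});
    // 5 s is an assumed window in which to trigger func() in the app.
    setTimeout(function () {
      console.log("installed but never hit: " + JSON.stringify(neverHit(stats)));
    }, 5000);
  });
}
```

Running the same script on both devices and comparing the neverHit output separates "hook was not installed" from "hook was installed but the call did not reach it".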

giorgosioak commented 4 months ago

I am also affected by this bug!

LeitaoDeveloper commented 4 months ago

+1 here

Ginggas commented 4 months ago

Likewise, affected by this bug