frida / frida-java-bridge

Java runtime interop from Frida

Hooking to Context doesn't work #67

Open afjoseph opened 6 years ago

afjoseph commented 6 years ago

Hey. I ran into a small issue during instrumentation. Hooking into this function of Context simply doesn't work. I wanted to know if the issue is on my side.

python script

import frida, sys

jscode = """

Java.perform(function() {
    var context = Java.use("android.content.Context");

    // openFileOutput(String name, int mode)
    context.openFileOutput.implementation = function(a, b) {
        console.log("Hello world");
        // Hand the FileOutputStream back to the caller, otherwise it receives undefined.
        return this.openFileOutput(a, b);
    }

});

"""

device = frida.get_usb_device()

pid = device.spawn(["com.whatever.bbb"])
session = device.attach(pid)
script = session.create_script(jscode)

# Load the script before resuming so the hook is in place before the app's code runs.
script.load()
device.resume(pid)
print('[*] Running...')
sys.stdin.read()

The app is running and the frida-server is running on the android emulator. I'm sure that this piece of code is being called since I have the source code. The issue is that it is never hooked. Am I doing something wrong here?

jhscheer commented 6 years ago

try:

Java.perform(function() {
    var context = Java.use("android.content.Context");

    /* FileOutputStream openFileOutput (String name, int mode) */
    // The second parameter is a primitive int, so the overload is selected with "int",
    // not "java.lang.Integer".
    context.openFileOutput.overload("java.lang.String", "int").implementation = function(name, mode) {
        return this.openFileOutput.overload("java.lang.String", "int").call(this, name, mode);
    }

});

afjoseph commented 6 years ago

Same issue. Could be that frida can't hook to native Android code?

eanker commented 5 years ago

I stumbled upon this ticket when I had the same problem. Hope you're not struggling with this anymore, but thought to provide an answer for others struggling with this.

This is caused by the fact that android.content.Context is an interface and therefore you can't hook it. For me I needed to hook android.app.ContextImpl, as that is the implementation used. This is not stated in the imports of the file (there indeed android.content.Context is listed), but I found this by enumerating all classes with Frida.

So then the code would be:

Java.perform(function() {
    // Hook the concrete implementation, not android.content.Context itself.
    var context = Java.use("android.app.ContextImpl");

    // openFileOutput(String name, int mode): the primitive parameter is matched with "int".
    context.openFileOutput.overload("java.lang.String", "int").implementation = function(name, mode) {
        console.log("Yes, this method is called correctly!");
        return this.openFileOutput(name, mode);
    }

});

g3rzi commented 5 years ago

You can call the Context with ActivityThread like this: var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext();
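
Putting the two answers above together, here is an added Frida script (example code, not from this thread or from the frida-java-bridge project) that hooks android.app.ContextImpl.openFileOutput with the "int" overload, decodes the mode argument so world-readable or world-writeable files stand out, prints the Java stack for those calls, and then uses ActivityThread to obtain the application Context and exercise the hook once. The mode flag values are those defined on android.content.Context; the file name frida_hook_check and the name-based filtering of the loaded-class list are assumptions made for this demo.

```javascript
// Added example (Frida JavaScript), not code from this thread or from frida-java-bridge.
// Hooks the concrete Context implementation and flags insecure file modes.

// Flag values from android.content.Context; MODE_PRIVATE is 0.
const MODE_FLAGS = {
  MODE_WORLD_READABLE: 0x0001,
  MODE_WORLD_WRITEABLE: 0x0002,
  MODE_APPEND: 0x8000,
};

// Render an int mode as "MODE_PRIVATE" or a '|'-joined list of the flag names that are set.
function describeMode(mode) {
  const names = Object.keys(MODE_FLAGS).filter((k) => (mode & MODE_FLAGS[k]) !== 0);
  return names.length === 0 ? 'MODE_PRIVATE' : names.join('|');
}

// App-private files opened world-readable or world-writeable are exposed to other apps.
function isInsecureMode(mode) {
  const bad = MODE_FLAGS.MODE_WORLD_READABLE | MODE_FLAGS.MODE_WORLD_WRITEABLE;
  return (mode & bad) !== 0;
}

// From a list of loaded class names (what Java.enumerateLoadedClassesSync() returns),
// keep the concrete Context implementation. Matched by name (an assumption for this demo):
// calling Java.use() on every loaded class just to test it would be slow.
function findContextImpls(classNames) {
  return classNames.filter((n) => n.endsWith('.ContextImpl'));
}

function installHook() {
  const impls = findContextImpls(Java.enumerateLoadedClassesSync());
  if (impls.length === 0) {
    console.log('[!] ContextImpl not in the loaded-class list; hooking android.app.ContextImpl by name');
    impls.push('android.app.ContextImpl');
  }
  const Log = Java.use('android.util.Log');
  const Exception = Java.use('java.lang.Exception');

  impls.forEach(function (className) {
    const ContextImpl = Java.use(className);
    // openFileOutput(String, int): the primitive parameter is selected with "int".
    ContextImpl.openFileOutput.overload('java.lang.String', 'int').implementation = function (name, mode) {
      const insecure = isInsecureMode(mode);
      const tag = insecure ? '[!] INSECURE' : '[*]';
      console.log(tag + ' ' + className + '.openFileOutput("' + name + '", ' + describeMode(mode) + ')');
      if (insecure) {
        // Print the Java stack so the offending call site can be located in the app.
        console.log(Log.getStackTraceString(Exception.$new()));
      }
      return this.openFileOutput.overload('java.lang.String', 'int').call(this, name, mode);
    };
  });
}

// Exercise the hook once from the script itself, using ActivityThread to reach the
// application Context. The file name is an assumption for this demo.
function exerciseHook() {
  const ActivityThread = Java.use('android.app.ActivityThread');
  const app = ActivityThread.currentApplication();
  if (app === null) {
    console.log('[!] no Application object yet; call exerciseHook() again once the app is up');
    return;
  }
  const ctx = app.getApplicationContext();
  const out = ctx.openFileOutput('frida_hook_check', 0); // 0 == MODE_PRIVATE
  out.close();
}

// Only touch the Java bridge under Frida; the helpers above are plain JavaScript and run in Node too.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installHook();
    exerciseHook();
  });
}
```

Hooking ContextImpl is sufficient even when the app calls openFileOutput on an Activity or Application: those are ContextWrapper subclasses, and ContextWrapper forwards the call to its wrapped ContextImpl, so the single hook observes every caller.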