synacktiv / frinet

Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
MIT License

Thread system error value not preserved when tracing #5

Open HexKitchen opened 3 months ago

HexKitchen commented 3 months ago

When tracing an executable, the tracing code interferes with the thread's system error code, which can cause incorrect execution of the traced process.

Example:

#include <iostream>
#include <Windows.h>

int main()
{
    SetLastError(1337);

    std::cout << "Last error: " << GetLastError() << std::endl;
    std::cout << "Last error: " << GetLastError() << std::endl;
}

Output (without tracing):

Last error: 1337
Last error: 1337

Output (with tracing):

...
2024-04-04 20:15:07,773     INFO | Writing trace data of 1025258 bytes...
STDOUT : Last error: 0
STDOUT :
STDOUT : Last error: 0
STDOUT :

myr-syn commented 1 month ago

Hi! Thank you for your contribution.

We wonder whether this issue might be linked to Frida itself. We also noticed this commit from the 16.2.2 release:

gumjs: Preserve thread’s system error over NativeCallback invocations. Thanks @HexKitchen!

Have you been able to confirm that the problem is now solved without applying this patch?

HexKitchen commented 1 month ago

Hi! My testing seemed to indicate that the problems in Frida and Frinet are independent of each other – though, I found both issues in the course of the same investigation.

Simon

hexa-synacktiv commented 1 month ago

We tested this pull request on arm64 and it broke the tracer for some reason; the pull request was reverted until we understand the problem better.

It is not 100% clear whether the problem was actually due to this commit or some other variable, but we do not have time to test more extensively at the moment. We will potentially re-merge this later after more testing has been done.
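
The failure mode reported at the top of this issue, reduced to an added example that is not part of the thread and is not frinet or Frida code: a callback that runs in the traced thread overwrites the thread's error slot unless it saves and restores it. The names `trace_hook`, `trace_hook_preserving`, `run_traced` and the `sys_error_*` shims are hypothetical, and the failing call inside the hook is a constructed stand-in for whatever work a tracer does; on POSIX the slot is `errno`, on Windows it is the value behind `GetLastError()`.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
static int  sys_error_get(void)  { return (int)GetLastError(); }
static void sys_error_set(int v) { SetLastError((DWORD)v); }
/* Constructed failing call: querying a missing path sets the last error. */
static void failing_call(void)   { GetFileAttributesA("Z:\\no\\such\\file"); }
#else
#include <errno.h>
#include <unistd.h>
static int  sys_error_get(void)  { return errno; }
static void sys_error_set(int v) { errno = v; }
/* Constructed failing call: close(-1) fails and sets errno to EBADF. */
static void failing_call(void)   { close(-1); }
#endif

/* Stand-in for instrumentation work done on the traced thread. Any API
 * call that fails (or succeeds and resets the slot) changes what the
 * traced program later reads back. */
static void trace_hook(void)
{
    failing_call();
}

/* Same work, bracketed so the traced code never observes the side effect. */
static void trace_hook_preserving(void)
{
    int saved = sys_error_get();   /* first thing on entry */
    trace_hook();
    sys_error_set(saved);          /* last thing before returning */
}

/* Mirrors the repro in the issue: set 1337, let a hook run as it would
 * between two traced instructions, then read the value back. */
static int run_traced(void (*hook)(void))
{
    sys_error_set(1337);
    hook();
    return sys_error_get();
}

int main(void)
{
    printf("unguarded hook:  %d\n", run_traced(trace_hook));
    printf("preserving hook: %d\n", run_traced(trace_hook_preserving));
    return 0;
}
```

The save has to happen before the callback makes any call of its own, and the restore after its last one; a restore placed earlier leaves a window in which later instrumentation work changes the value again.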