frida / frida-java-bridge Goto Github PK

View Code? Open in Web Editor NEW

318.0 318.0 115.0 1.94 MB

Java runtime interop from Frida

JavaScript 82.87% Makefile 1.31% C++ 0.01% Java 12.48% C 3.33%

frida-java-bridge's Introduction

Frida

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at frida.re.

Two ways to install

1. Install from prebuilt binaries

This is the recommended way to get started. All you need to do is:

pip install frida-tools # CLI tools
pip install frida       # Python bindings
npm install frida       # Node.js bindings

You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.

2. Build your own binaries

Run:

make

You may also invoke ./configure first if you want to specify a --prefix, or any other options.

CLI tools

For running the Frida CLI tools, e.g. frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, frida-discover, etc., you need a few packages:

pip install colorama prompt-toolkit pygments

Apple OSes

First make a trusted code-signing certificate. You can use the guide at https://sourceware.org/gdb/wiki/PermissionsDarwin in the sections “Create a certificate in the System Keychain” and “Trust the certificate for code signing”. You can use the name frida-cert instead of gdb-cert if you'd like.

Next export the name of the created certificate to relevant environment variables, and run make:

export MACOS_CERTID=frida-cert
export IOS_CERTID=frida-cert
export WATCHOS_CERTID=frida-cert
export TVOS_CERTID=frida-cert
make

To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:

sudo killall taskgated

Learn more

Have a look at our documentation.

frida-java-bridge's People

Contributors

Stargazers

Watchers

Forkers

iamahuman hedger giantpune olifozzy plumpmath jason-chen-2017 shuixi2013 frankspierings appknox guywithface mexuzf silviupopescu rxbit xfoolhardyx yuknight marksduan 0x3430d stjoannou xtftbwvfp st-rnd viniciusmarangoni zhuangshao amesianx deathmemory jonforshort xrosen rakhithjk aeonlucid eagle518 igio90 eugenekolo 5z1punch foxundermoon freemanzyq junorouse nis-spiir miaouplop h4ok3 dormzz iddoeldor ilovechocolate 309746069 stantoxt abdawoud hazyone brinedfish 0xra 5l1v3r1 deroko enovella kingsun0 pkm1118 aemmitt-ns ndl1302732 tigerwood dxcyber409 liu12151407 xsren shophelper spiderhacker965 lvyitian happyholic1203 liuyufei muhzii abcd567 p-sc gergesh lizeju ouddddw reverse-dusk nasdaqgodzilla pengzhangdev yotamn lloves ckandroidproject pandasauce eybisi gouchy xiajun325 mgaic mistial-dev jpstotz roee-by boshijingang fc777888 bleuzen wang-jiushijiu sh4dowb lgq2015 tringuyenhoaiphuong stevezhou6 zbx911 jaisonerick hutianqi yimian oriori1703 depblu madsu gsingh93 xyxdaily

frida-java-bridge's Issues

"TypeError: cannot read property '$handle' of undefined." issue

Hello,

I have been working on analyzing an obfuscated Android malware. When I try to call a function, I receive an error called "TypeError: cannot read property '$handle' of undefined." Any idea what is wrong with it ?

Caller function

....
if (str3.getBytes(com.android.mobile.r.i.iIIiiIIiiI("ypj)4")).length > this.iiiIiiiIii.length) {
...

Callee function

...
public class i {
public static String iIIiiIIiiI(String str) {
StackTraceElement stackTraceElement = new CloneNotSupportedException().getStackTrace()[1];
String stringBuffer = new StringBuffer(stackTraceElement.getMethodName()).insert(0, stackTraceElement.getClassName()).toString();
int length = stringBuffer.length() - 1;
int length2 = str.length();
char[] cArr = new char[length2];
length2--;
int i = length2;
int i2 = length;
while (length2 >= 0) {
int i3 = i - 1;
cArr[i] = (char) ((str.charAt(i) ^ stringBuffer.charAt(i2)) ^ 69);
if (i3 < 0) {
break;
}
i = i3 - 1;
length2 = i2 - 1;
cArr[i3] = (char) ((str.charAt(i3) ^ stringBuffer.charAt(i2)) ^ 77);
if (length2 < 0) {
length2 = length;
}
i2 = length2;
length2 = i;
}
return new String(cArr);
}
....

Command line

frida.exe -U -l call.js "com.android.xyz" --no-pause

call.js

Java.perform(function() {
var decoder = Java.use("com.android.mobile.r.i");
var y = "ypj)4";
var z = decoder.iIIiiIIiiI.overload("java.lang.String").call(y);
console.log(z);
});

Frida error (10.2.0)

TypeError: cannot read property '$handle' of undefined
at [anon] (duk_hobject_props.c:2323)
at frida/node_modules/frida-java/lib/class-factory.js:1909
at call (native)
at iIIiiIIiiI (input:1)
at call (native)
at [anon] (repl1.js:4)
at frida/node_modules/frida-java/lib/vm.js:39
at y (frida/node_modules/frida-java/index.js:325)
at frida/node_modules/frida-java/index.js:297
at frida/node_modules/frida-java/lib/vm.js:39
at java.js:2208
[...]

Emulator crashes on x86_64

Version: Frida-server 10.1.6

When launching the application through frida, the emulator crashes. This may be related to the modification to fix #29

frida -U -f com.mwr.dz

07-11` 15:04:09.443 25859 26502 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=com.mwr.dz cmp=com.mwr.dz/.activities.MainActivity} from uid 10021 on display 0
--------- beginning of crash
07-11 15:04:09.453 25761 25761 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2008 in tid 25761 (main)
07-11 15:04:09.454 21698 21698 W         : debuggerd: handling request: pid=25761 uid=0 gid=0 tid=25761
07-11 15:04:09.460 27365 27365 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-11 15:04:09.460 27365 27365 F DEBUG   : Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:7.1.1/NYC/3756122:userdebug/test-keys'
07-11 15:04:09.460 27365 27365 F DEBUG   : Revision: '0'
07-11 15:04:09.460 27365 27365 F DEBUG   : ABI: 'x86'
07-11 15:04:09.461 27365 27365 F DEBUG   : pid: 25761, tid: 25761, name: main  >>> zygote <<<
07-11 15:04:09.461 27365 27365 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2008
07-11 15:04:09.461 27365 27365 F DEBUG   :     eax 00000001  ebx e8fa9958  ecx e50834b4  edx e508305c
07-11 15:04:09.461 27365 27365 F DEBUG   :     esi db91f960  edi db8d7b80
07-11 15:04:09.461 27365 27365 F DEBUG   :     xcs 00000023  xds 0000002b  xes 0000002b  xfs 0000006b  xss 0000002b
07-11 15:04:09.461 27365 27365 F DEBUG   :     eip e8f96516  ebp 00002000  esp ffd846e0  flags 00000246
07-11 15:04:09.461 27365 27365 F DEBUG   : 
07-11 15:04:09.461 27365 27365 F DEBUG   : backtrace:
07-11 15:04:09.461 27365 27365 F DEBUG   :     #00 pc 00027516  /system/lib/libjavacore.so
07-11 15:04:09.510  1330  1378 D gralloc_ranchu: gralloc_alloc: format 1 and usage 0x933 imply creation of host color buffer
07-11 15:04:09.513 25859 25905 D         : HostConnection::get() New Host Connection established 0x7adb5d946d00, tid 25905
07-11 15:04:09.580 25859 26096 W NativeCrashListener: Couldn't find ProcessRecord for pid 25761
07-11 15:04:09.584 25859 25900 I BootReceiver: Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE)
07-11 15:04:09.585 21698 21698 W         : debuggerd: resuming target 25761
07-11 15:04:09.641 25859 27196 E Process : Starting VM process through Zygote failed
07-11 15:04:09.642 25859 27196 E ActivityManager: Failure starting process com.mwr.dz
07-11 15:04:09.642 25859 27196 E ActivityManager: java.lang.RuntimeException: Starting VM process through Zygote failed
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Process.start(Process.java:527)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityManagerService.startProcessLocked(ActivityManagerService.java:3798)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityManagerService.startProcessLocked(ActivityManagerService.java:3655)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityManagerService.startProcessLocked(ActivityManagerService.java:3536)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStackSupervisor.startSpecificActivityLocked(ActivityStackSupervisor.java:1419)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStack.resumeTopActivityInnerLocked(ActivityStack.java:2577)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStack.resumeTopActivityUncheckedLocked(ActivityStack.java:2127)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStackSupervisor.resumeFocusedStackTopActivityLocked(ActivityStackSupervisor.java:1829)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStack.completePauseLocked(ActivityStack.java:1332)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityStack.activityPausedLocked(ActivityStack.java:1212)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityManagerService.activityPaused(ActivityManagerService.java:6919)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.app.ActivityManagerNative.onTransact(ActivityManagerNative.java:571)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2795)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Binder.execTransact(Binder.java:565)
07-11 15:04:09.642 25859 27196 E ActivityManager: Caused by: android.os.ZygoteStartFailedEx: java.io.IOException: Connection reset by peer
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Process.zygoteSendArgsAndGetResult(Process.java:618)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Process.startViaZygote(Process.java:737)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Process.start(Process.java:521)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	... 13 more
07-11 15:04:09.642 25859 27196 E ActivityManager: Caused by: java.io.IOException: Connection reset by peer
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.net.LocalSocketImpl.readba_native(Native Method)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.net.LocalSocketImpl.-wrap1(LocalSocketImpl.java)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.net.LocalSocketImpl$SocketInputStream.read(LocalSocketImpl.java:110)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at java.io.DataInputStream.readFully(DataInputStream.java:198)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at java.io.DataInputStream.readInt(DataInputStream.java:389)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	at android.os.Process.zygoteSendArgsAndGetResult(Process.java:609)
07-11 15:04:09.642 25859 27196 E ActivityManager: 	... 15 more
07-11 15:04:09.642 25859 27196 I ActivityManager: Force stopping com.mwr.dz appid=10072 user=0: start failure
07-11 15:04:09.642 25859 27196 I ActivityManager:   Force finishing activity ActivityRecord{16bc084 u0 com.mwr.dz/.activities.MainActivity t31}
07-11 15:04:09.645 25859 27196 W ActivityManager: Slow operation: 192ms so far, now at startProcess: done starting proc!
07-11 15:04:09.645 25859 25882 I ActivityManager: Exiting empty application process 0:com.mwr.dz/u0a72 (null)
07-11 15:04:09.645 25859 25882 D ActivityManager: cleanUpApplicationRecord -- 0

String array type inside variable arguments

On a rooted nexus5x with android 6.0 I'm hooking the java.lang.reflect.Method invoke method. When the invoke is of a java.lang.Runtime.exec I am unable to log the value of the String array parameter.

The hook is as follows:

    var juarrays = Java.use("java.util.Arrays")
    var javastringarray = Java.use("[Ljava.lang.String;")

    var jlrmethod = Java.use("java.lang.reflect.Method")
    jlrmethod.invoke.implementation = function(object, parameters){

        var retvalue = this.invoke(object, parameters)

        var type = Object.prototype.toString.call(parameters)
        if(type == '[object Array]'){
            var arrayLength = parameters.length;
            // console.log(arrayLength)
            for (var i = 0; i < arrayLength; i++) {
                var parameter = parameters[i]
                var paramstring = String(parameter)
                if(paramstring.startsWith("[Ljava.lang.String;@")){
                    console.log("------------")
                    console.log("string array")
                    console.log(type + JSON.stringify(parameter))

                    // // TODO XXX FIXME does not work. Casting also does not work
                    // use java arrays to parse the array string
                    // var casted = java.cast(parameter, javastringarray)
                    // var result = juarrays.toString(casted)
                    var result = parameter
                    console.log(type + result)
                    console.log("------------")
                }
                else{
                    console.log(type + parameter)
                }
            }
        }
        else{
            console.log(type + parameters)
        }
        console.log("Method.invoke(object, parameters): '" + this + "' = '" + object + "', '" + parameters + "' = '" + retvalue + "'")
        return retvalue
    }

The parameter object is not picked up as a String array and I am not successful converting it. The call works normally though.

The console output:

------------
string array
[object Array]{"$classHandle":"0x101bc2","$handle":"0x101bc6","$weakRef":344}
[object Array][Ljava.lang.String;@2b0cd6b
------------
[object Array]null
[object Array]null
Method.invoke(object, parameters): 'public java.lang.Process java.lang.Runtime.exec(java.lang.String[],java.lang.String[],java.io.File) throws java.io.IOException' = 'java.lang.Runtime@aec987', '[Ljava.lang.String;@2b0cd6b,,' = 'Process[pid=7604]'

I'm not sure if I'm doing something wrong or if there is a problem with frida getting the correct type of a string array inside variable/array arguments.

Java reflection does not get correct result

(Continuation of frida/frida-gum#143.)

As described by @3asm:

Testing on Android emulator ARM 4.4.2 with latest frida-server. The following sample code crashes silently:

        send("element: " + element);
        send("element.getClass: " + element.getClass());
        send("element.getClass.getDeclaredFields: " + element.getClass().getDeclaredFields());

Giving the following results:

[+] element: android.content.UriMatcher@b1d01c28
[+] element.getClass: class android.content.UriMatcher

element.getClass() is supposed to return an instance of java.lang.Class.

Intercept OutputStream functions

I can not intercept OutputStream functions, what is the problem?
write.overload('int') - does not intercept
write.overload('[B','int','int') - does not intercept
write.overload('[B') - intercepts, working

jscode = """
setImmediate(function() {
    console.log("[*] Starting script");
    Java.perform(function() {
      bClass = Java.use("java.io.OutputStream");
	  bClass.write.overload('int').implementation = function(x) { 
         console.log("[*] rS print data int "+x);
      }
	  bClass.write.overload('[B').implementation = function(x) { 
         console.log("[*] rS print data int "+x); //Working
      }
	     bClass.write.overload('[B','int','int').implementation = function(b,y,z) { 
         console.log("[*] rS print data otvet "+b);
      }
      console.log("[*]  Running sniffer")

    })
})
"""

java.io.OutputStream source - https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/java/io/OutputStream.java
Android 7.1.1
Frida 10.5.15
Thank you in advance.

Error: access violation accessing 0x10 Error: access violation accessing 0x22

MainActivity.onClick.overload('android.view.View').implementation = function(a){
console.log('onClick === >>>' + a.getId());
//this.onClick(a);
this.onClick.overload('android.view.View').call(this, a);
};

Error: access violation accessing 0x10
at onClick (input:1)
at call (native)
at repl1.js:27
at call (native)
at onClick (input:1)

if use this.onClick(a);

Error: access violation accessing 0x22
at onClick (input:1)
at apply (native)
at r (frida/node_modules/frida-java/lib/class-factory.js:1053)
at repl1.js:26
at call (native)
at onClick (input:1)

——————————————————————————————————————
Shared Name 'libc.so'
ARM architecture: ARMv8

File Name : D:\frida-helper-32
ARM architecture: ARMv7

Error enumerating loaded classes (9.1.14)

Hi,

I'm trying to enumerate loaded classes using Android 5.0.1 emulator with the following script:
if (Java.available) { Java.enumerateLoadedClasses({ onMatch: function(className) { send(className); } }); } else { send("Not available Java"); }

Using Frida 9.1.7 it give me the following error:
{u'columnNumber': 1, u'description': u'Error: Enumerating loaded classes is only supported on Dalvik for now', u'fileName': u'frida/node_modules/frida-java/index.js', u'lineNumber': 87, u'type': u'error', u'stack': u'Error: Enumerating loaded classes is only supported on Dalvik for now\n at c (frida/node_modules/frida-java/index.js:87)\n at frida/node_modules/frida-java/index.js:143\n at script1.js:7'}

Seeing that the above error had already been notified, I try a newer Frida versions (9.1.14 and 9.1.13) and it give me a different error:
{u'columnNumber': 1, u'description': u'Error: VM::GetEnv failed: -2', u'fileName': u'frida/node_modules/frida-java/lib/result.js', u'lineNumber': 7, u'type': u'error', u'stack': u'Error: VM::GetEnv failed: -2\n at e (frida/node_modules/frida-java/lib/result.js:7)\n at frida/node_modules/frida-java/lib/vm.js:53\n at h (frida/node_modules/frida-java/index.js:166)\n at frida/node_modules/frida-java/index.js:105\n at script1.js:7'}

To discard that the error was provoked by the Android version, I also tried to use Android 6.0 but the same error message was disclosed.emulator and have the same error.

I hope that all the information help you to find the error more quickly. Thanks for the great open source project that is Frida.

Ferran Obiols.

There is any way to access instance variable within a hooked method ?

Java class Example:

public class TestClass {
      public int a;
      private int c;
      protected int d;

      public void methodTest() {
            ......
      }
}

Javacript Hooker:

if (Java.available) {
	Java.perform(function () {
        var module = Java.use("com.package.TestClass");
        module.TesteClass.implementation = function() {
        	send("vars => " + this.a + " " + this.b + " " + this.d );	
        };   
    });
}
else {
	send("Not ready")
}

Java.enumerateLoadedClasses() returns different mangling depending on Android version

As reported by @doegox:

On Android 4.4, Frida server 10.6.21

Java.enumerateLoadedClasses |grep java.lang.String
'[[Ljava/lang/String;'
'[Ljava/lang/String;'
'Ljava/lang/String;'

On Android 5.0.2, Frida server 10.6.21

Java.enumerateLoadedClasses |grep java.lang.String
'[[Ljava.lang.String;'
'[Ljava.lang.String;'
'java.lang.String'

Note the change of the separator "/" -> "." and the stripping of "L...;" on base classes.

Could the behavior be unified and return the lists with the same mangling in both cases?

When using spawn, Java.Perform doesn't work before resume.

I tried both using Node app, and REPL.
Agent code :

send('> Agent Start');
Java.perform(function () {
    send('>> Java perform');
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.implementation = function () {
        send("onResume() got called! Let's call the original implementation");
        this.onResume();
    };
});
send('< Agent End');

I do see the "Agent Start" and "Agent End", but no "Java perform" message.

firda-server 9.1.20
frida repl 9.1.20

Performance impact on android app when you hook a lot of methods

Hello,
I am hooking 84 methods. I am also using frida-compile to compile the agent. I noticed that apps become very slow with all these hooks. Probably, the reduction in performance is amplified by an already slow android emulator. Does anyone else facing similar issues?
Happy to provide more information if needed.

Waqar

SIGABRT on android 4.4 x86

vm aborting because of wrong jniarginfo value (0x80000000)
frida must realize computeJniArgInfo to calculate jniarginfo

Hooks are broken on 9.1.4

I can't hook any method on latest frida.

> frida -U com.android.terminal -l java.js

Attaching...
Loaded.
Error: expected a pointer
    at i (frida/node_modules/frida-java/lib/android.js:315)
    at frida/node_modules/frida-java/lib/android.js:301
    at frida/node_modules/frida-java/lib/vm.js:35
    at o (frida/node_modules/frida-java/lib/android.js:311)
    at apply (native)
    at frida/node_modules/frida-java/lib/android.js:368
    at replaceArtImplementation (frida/node_modules/frida-java/lib/class-factory.js:1064)
    at frida/node_modules/frida-java/lib/class-factory.js:847
    at [anon] (repl1.js:24)
    [...]

java.js:

function onLoad() {
    console.log("Loaded.")

    Java.perform( function() { 
      var URL = Java.use('java.net.URL');
      URL.getHost.implementation = function () {
        console.log("inside hook!");
        return this.getHost();
      };
    });
}
onLoad();

toString() overwrite can't call member functions

Calling a member function of a Java Pojo inside its overridden toString() implementation raises an exception:

'TypeError: undefined not callable', 'stack': 'TypeError: undefined not callable\n    at [anon] (duk_js_call.c:842)\n    at script1.js:18\n    at call (native)\n    at toString (input:1)', 'fileName': 'script1.js', 'lineNumber': 18, 'columnNumber': 1}

Calling the same member function from a user defined method asString() works fine.

Java Pojo:

public class Pojo {

	private String str;
	private long num;

	public Pojo(String str, long num) {
		this.str = str;
		this.num = num;
	}

	public String getStr() {
		return str;
	}

	public long getNum() {
		return num;
	}

	public String asString() {
		return "Pojo[str=" + str + ", num=" + num + "]";
	}
}

Activity:

public class MainActivity extends Activity {

	static {
		System.loadLibrary("frida-gadget-10.5.14-android-x86");
	}

	@Override
	protected void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);
		findViewById(R.id.btn).setOnClickListener(new OnClickListener() {
			@Override
			public void onClick(View view) {
				printPojo(new Pojo("demo", System.currentTimeMillis()));
			}
		});
	}

	public void printPojo(Pojo pojo) {
		Log.d("FRIDA-android", pojo.asString());
	}
}

excerpt of frida script:

	Java.perform(function() {
		log("    hooking java");
		var pojo = Java.use('com.example.myapplication.Pojo');
		pojo['toString'].implementation = function() {
			log("toString() called");
			var i = this.getNum();
			log('num=' + i);
		  	return 'Pojo[num=' + i + ']';
		};
		pojo['asString'].implementation = function() {
			log("asString() called");
			var i = this.getNum();
			log('num=' + i);
		  	return 'Pojo[num=' + i + ']';
		};

		var hook = Java.use('com.example.myapplication.MainActivity');
		hook['printPojo'].implementation = function() {
			var pojo = arguments[0];
			log('hook num=' + pojo.getNum());
			log('\ncalling asString');
			log('asString() result: ' + pojo.asString());
			log('\ncalling toString');
			log('toString() result: ' + pojo.toString());
		}
	});

stdout output:

java available: true
    hooking java
java done
hook num=1505470146320

calling asString
asString() called
num=1505470146320
asString() result: Pojo[num=1505470146320]

calling toString
toString() called
{'type': 'error', 'description': 'TypeError: undefined not callable', 'stack': 'TypeError: undefined not callable\n    at [anon] (duk_js_call.c:842)\n    at script1.js:18\n    at call (native)\n    at toString (input:1)', 'fileName': 'script1.js', 'lineNumber': 18, 'columnNumber': 1}
None
toString() result: null

Process Crash when replacing the implementation of any Java method using ART

(Continuation of frida/frida#193.)

As described by @EquiFox:

Tests were made using a Samsung Galaxy S6 on 5.1.1 (ART).

I've been using XPosed for a while, but I decided to spend a few hours learning how Frida works and everything, I can do many cool stuff on the native side. However when ever I try to replace the implementation of a Java method in Java.perform, the process dies.

Java.perform(function() {
       var classDef = Java.use("com.package.myClass");

       classDef.isAdmin.implementation = () => {
            return true;
       };
});

Something as basic as this fails, even a empty implementation fails.

However I can call Java methods correctly and create new classes instances. I also noticed that using, lets say, Java.cast to map an address to Java.lang.String object crash the process too (It works 1-2 times, then others call will crash the process)

I would use XPosed for Java related stuff and frida for native, but if Xposed is installed on my device, Frida tells me that Java Api isnt available when I try to spawn process.

Error: access violation accessing 0x1b

If I run the following script:

import frida, sys
import subprocess


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


hook_code = """
    Java.perform(function () {

        var FileObserver = Java.use("android.os.FileObserver");
	var ContentResolver = Java.use("android.app.ContextImpl$ApplicationContentResolver");

        FileObserver.startWatching.implementation = function () {
            send("startWatching");
        };

	ContentResolver.registerContentObserver.overload("android.net.Uri", "boolean", "android.database.ContentObserver").implementation = function(uri, notifyForDescendants, observer) {
		send("registerContentObserver");
	};

    });
"""

package = sys.argv[1]
try:
    subprocess.call(['adb', 'shell', 'am', 'force-stop', package])
    subprocess.call(['adb', 'shell', 'monkey', '-p', package, '-c', 'android.intent.category.LAUNCHER', '1'])
    process = frida.get_usb_device(10).attach(package)
    script = process.create_script(hook_code)
    script.on('message', on_message)
    print('[*] Running...')
    script.load()
    sys.stdin.read()
except KeyboardInterrupt:
    subprocess.call(['adb', 'shell', 'am', 'force-stop', package])

the following error occurs:

Events injected: 1
## Network stats: elapsed time=80ms (0ms mobile, 0ms wifi, 80ms not connected)
[*] Running...
{u'columnNumber': 1, u'description': u'Error: access violation accessing 0x1b', u'fileName': u'frida/node_modules/frida-java/lib/env.js', u'lineNumber': 206, u'type': u'error', u'stack': u'Error: access violation accessing 0x1b\n    at frida/node_modules/frida-java/lib/env.js:206\n    at apply (native)\n    at frida/node_modules/frida-java/lib/env.js:200\n    at frida/node_modules/frida-java/lib/class-factory.js:113\n    at frida/node_modules/frida-java/lib/class-factory.js:1621\n    at call (native)\n    at getPackageInfoNoCheck (input:1)\n    at apply (native)\n    at r (frida/node_modules/frida-java/lib/class-factory.js:842)\n    [...]'}

Logcat output:

04-02 00:13:55.139 30266-30266/? I/art: Late-enabling -Xcheck:jni
04-02 00:13:55.286 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_dependencies_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:55.769 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_0_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:55.853 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_1_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:55.935 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_2_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.013 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_3_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.097 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_4_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.183 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_5_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.261 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_6_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.345 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_7_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.425 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_8_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.515 30266-30266/de.selfmade4u.antipiracy W/art: Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg  --instruction-set=arm --instruction-set-features=smp,div,-atomic_ldrd_strd --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a7 --instruction-set-features=default --dex-file=/data/app/de.selfmade4u.antipiracy-1/split_lib_slice_9_apk.apk --oat-file=/data/dalvik-cache/arm/data@[email protected]@[email protected]) because non-0 exit status
04-02 00:13:56.521 30266-30266/de.selfmade4u.antipiracy D/ActivityThread: BIND_APPLICATION handled : 0 / AppBindData{appInfo=ApplicationInfo{b69439b de.selfmade4u.antipiracy}}
04-02 00:13:56.674 30266-30266/de.selfmade4u.antipiracy A/art: art/runtime/art_method.cc:214] Failed to find Dex offset for PC offset 0x8d5dffd3(PC 0x0, entry_point=0x72a2002d current entry_point=0x72a2002d) in android.app.LoadedApk android.app.ActivityThread.getPackageInfoNoCheck(android.content.pm.ApplicationInfo, android.content.res.CompatibilityInfo)
04-02 00:19:06.922 30266-30276/de.selfmade4u.antipiracy E/art: Unexpected time out during dump checkpoint.
04-02 00:19:06.922 30266-30276/de.selfmade4u.antipiracy W/art: Attempted to destroy barrier with non zero count 1
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] Thread suspend timeout
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] mutator lock level=54 owner=18446744073709551615 state=1 num_pending_writers=0 num_pending_readers=0 
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] DALVIK THREADS (11):
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "JDWP" prio=5 tid=3 Runnable
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=0 dsCount=0 obj=0x12cd60a0 self=0xab4ad500
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30276 nice=0 cgrp=default sched=0/0 handle=0xb3e6c930
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=R schedstat=( 5687001 142000 13 ) utm=0 stm=0 core=0 HZ=100
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xb3d70000-0xb3d72000 stackSize=1014KB
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes= "mutator lock"(shared held)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 0035ca5f  /system/lib/libart.so (_ZN3art15DumpNativeStackERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEEiPKcPNS_9ArtMethodEPv+126)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 0033da5b  /system/lib/libart.so (_ZNK3art6Thread4DumpERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+138)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0034704d  /system/lib/libart.so (_ZN3art14DumpCheckpoint3RunEPNS_6ThreadE+424)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 00347bb1  /system/lib/libart.so (_ZN3art10ThreadList13RunCheckpointEPNS_7ClosureE+200)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 003480b5  /system/lib/libart.so (_ZN3art10ThreadList4DumpERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+124)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 00349073  /system/lib/libart.so (_ZN3artL40UnsafeLogFatalForThreadSuspendAllTimeoutEv+210)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #06 pc 00349949  /system/lib/libart.so (_ZN3art10ThreadList10SuspendAllEPKcb+2120)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #07 pc 001a5af7  /system/lib/libart.so (_ZNK3art2gc4Heap19GetObjectsAllocatedEv+322)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #08 pc 00148ad3  /system/lib/libart.so (_ZN3art3Dbg15DdmSendHeapInfoENS0_8HpifWhenE+854)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #09 pc 00148ea5  /system/lib/libart.so (_ZN3art3Dbg18DdmHandleHpifChunkENS0_8HpifWhenE+88)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #10 pc 0021dcf5  /system/framework/arm/boot.oat (Java_org_apache_harmony_dalvik_ddmc_DdmVmInternal_heapInfoNotify__I+80)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at org.apache.harmony.dalvik.ddmc.DdmVmInternal.heapInfoNotify!(Native method)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at android.ddm.DdmHandleHeap.handleHPIF(DdmHandleHeap.java:118)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at android.ddm.DdmHandleHeap.handleChunk(DdmHandleHeap.java:85)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at org.apache.harmony.dalvik.ddmc.DdmServer.dispatch(DdmServer.java:171)
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "Signal Catcher" prio=5 tid=2 WaitingInMainSignalCatcherLoop
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cd40a0 self=0xaf78e000
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30275 nice=0 cgrp=default sched=0/0 handle=0xb3f6b930
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 1499154 0 2 ) utm=0 stm=0 core=2 HZ=100
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xb3e6f000-0xb3e71000 stackSize=1014KB
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.923 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00041b90  /system/lib/libc.so (__rt_sigtimedwait+12)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 0001ce47  /system/lib/libc.so (sigwait+22)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0032878f  /system/lib/libart.so (_ZN3art13SignalCatcher13WaitForSignalEPNS_6ThreadERNS_9SignalSetE+62)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 0032985f  /system/lib/libart.so (_ZN3art13SignalCatcher3RunEPv+202)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 0004064b  /system/lib/libc.so (_ZL15__pthread_startPv+30)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 0001a025  /system/lib/libc.so (__start_thread+6)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   (no managed stack frames)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "ReferenceQueueDaemon" prio=5 tid=4 Waiting
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cccee0 self=0xab4ae900
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30277 nice=0 cgrp=default sched=0/0 handle=0xb3d69930
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 832998 101155 12 ) utm=0 stm=0 core=1 HZ=100
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xb3c67000-0xb3c69000 stackSize=1038KB
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00017688  /system/lib/libc.so (syscall+28)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 000f6371  /system/lib/libart.so (_ZN3art17ConditionVariable4WaitEPNS_6ThreadE+80)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 002b1007  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadExibNS_11ThreadStateE+1114)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 002b1cc3  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadEPNS_6mirror6ObjectExibNS_11ThreadStateE+110)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 002c2b25  /system/lib/libart.so (_ZN3artL11Object_waitEP7_JNIEnvP8_jobject+32)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 00000387  /system/framework/arm/boot.oat (Java_java_lang_Object_wait__+74)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Object.wait!(Native method)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - waiting on <0x02ca0f11> (a java.lang.Class<java.lang.ref.ReferenceQueue>)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Daemons$ReferenceQueueDaemon.run(Daemons.java:164)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - locked <0x02ca0f11> (a java.lang.Class<java.lang.ref.ReferenceQueue>)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Thread.run(Thread.java:818)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "FinalizerDaemon" prio=5 tid=5 Waiting
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cccf40 self=0xab4aee00
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30278 nice=0 cgrp=default sched=0/0 handle=0xb3c5f930
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 704384 8308 11 ) utm=0 stm=0 core=0 HZ=100
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xb3b5d000-0xb3b5f000 stackSize=1038KB
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00017688  /system/lib/libc.so (syscall+28)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 000f6371  /system/lib/libart.so (_ZN3art17ConditionVariable4WaitEPNS_6ThreadE+80)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 002b1007  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadExibNS_11ThreadStateE+1114)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 002b1cc3  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadEPNS_6mirror6ObjectExibNS_11ThreadStateE+110)
04-02 00:19:06.924 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 002c2b51  /system/lib/libart.so (_ZN3artL13Object_waitJIEP7_JNIEnvP8_jobjectxi+36)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 00000585  /system/framework/arm/boot.oat (Java_java_lang_Object_wait__JI+96)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Object.wait!(Native method)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - waiting on <0x008e7e77> (a java.lang.ref.ReferenceQueue)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Object.wait(Object.java:423)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:101)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - locked <0x008e7e77> (a java.lang.ref.ReferenceQueue)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:72)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Daemons$FinalizerDaemon.run(Daemons.java:206)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Thread.run(Thread.java:818)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "FinalizerWatchdogDaemon" prio=5 tid=6 Waiting
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cccfa0 self=0xab4af300
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30279 nice=0 cgrp=default sched=0/0 handle=0xb3b55930
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 855154 0 9 ) utm=0 stm=0 core=1 HZ=100
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xb3a53000-0xb3a55000 stackSize=1038KB
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00017688  /system/lib/libc.so (syscall+28)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 000f6371  /system/lib/libart.so (_ZN3art17ConditionVariable4WaitEPNS_6ThreadE+80)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 002b1007  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadExibNS_11ThreadStateE+1114)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 002b1cc3  /system/lib/libart.so (_ZN3art7Monitor4WaitEPNS_6ThreadEPNS_6mirror6ObjectExibNS_11ThreadStateE+110)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 002c2b25  /system/lib/libart.so (_ZN3artL11Object_waitEP7_JNIEnvP8_jobject+32)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 00000387  /system/framework/arm/boot.oat (Java_java_lang_Object_wait__+74)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Object.wait!(Native method)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - waiting on <0x0e3e4ae4> (a java.lang.Daemons$FinalizerWatchdogDaemon)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Daemons$FinalizerWatchdogDaemon.waitForObject(Daemons.java:297)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - locked <0x0e3e4ae4> (a java.lang.Daemons$FinalizerWatchdogDaemon)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Daemons$FinalizerWatchdogDaemon.run(Daemons.java:266)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Thread.run(Thread.java:818)
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "HeapTaskDaemon" prio=5 tid=7 Blocked
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cd80a0 self=0xab4af800
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30280 nice=0 cgrp=default sched=0/0 handle=0xa397f930
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 590539 0 5 ) utm=0 stm=0 core=0 HZ=100
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xa387d000-0xa387f000 stackSize=1038KB
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.925 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00017688  /system/lib/libc.so (syscall+28)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 000f6371  /system/lib/libart.so (_ZN3art17ConditionVariable4WaitEPNS_6ThreadE+80)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 001cd57f  /system/lib/libart.so (_ZN3art2gc13TaskProcessor7GetTaskEPNS_6ThreadE+102)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 001cda53  /system/lib/libart.so (_ZN3art2gc13TaskProcessor11RunAllTasksEPNS_6ThreadE+26)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 00000387  /system/framework/arm/boot.oat (Java_dalvik_system_VMRuntime_runHeapTasks__+74)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at dalvik.system.VMRuntime.runHeapTasks(Native method)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   - waiting to lock an unknown object
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Daemons$HeapTaskDaemon.run(Daemons.java:437)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   at java.lang.Thread.run(Thread.java:818)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "Binder_1" prio=5 tid=8 Native
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12cde0a0 self=0xaf78f400
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30281 nice=0 cgrp=default sched=0/0 handle=0xa377c930
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 5660540 526923 20 ) utm=0 stm=0 core=1 HZ=100
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xa3680000-0xa3682000 stackSize=1014KB
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00042ee8  /system/lib/libc.so (__ioctl+8)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 00048625  /system/lib/libc.so (ioctl+14)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0001e7d9  /system/lib/libbinder.so (_ZN7android14IPCThreadState14talkWithDriverEb+132)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 0001ecc7  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+6)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 0001ed65  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 000236bb  /system/lib/libbinder.so (???)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #06 pc 00010071  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #07 pc 0006044b  /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+70)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #08 pc 0004064b  /system/lib/libc.so (_ZL15__pthread_startPv+30)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #09 pc 0001a025  /system/lib/libc.so (__start_thread+6)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   (no managed stack frames)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "Binder_2" prio=5 tid=9 Native
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12ce10a0 self=0xab4afd00
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30282 nice=0 cgrp=default sched=0/0 handle=0xa367d930
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 3375540 1231462 18 ) utm=0 stm=0 core=3 HZ=100
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xa3581000-0xa3583000 stackSize=1014KB
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00042ee8  /system/lib/libc.so (__ioctl+8)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 00048625  /system/lib/libc.so (ioctl+14)
04-02 00:19:06.926 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0001e7d9  /system/lib/libbinder.so (_ZN7android14IPCThreadState14talkWithDriverEb+132)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 0001ecc7  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+6)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 0001ed65  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 000236bb  /system/lib/libbinder.so (???)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #06 pc 00010071  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #07 pc 0006044b  /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+70)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #08 pc 0004064b  /system/lib/libc.so (_ZL15__pthread_startPv+30)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #09 pc 0001a025  /system/lib/libc.so (__start_thread+6)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   (no managed stack frames)
04-02 00:19:06.927 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.947 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "Binder_3" prio=5 tid=10 Native
04-02 00:19:06.947 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12d4b0a0 self=0xaf790800
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30320 nice=0 cgrp=default sched=0/0 handle=0xa1b46930
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 2002769 594846 8 ) utm=0 stm=0 core=1 HZ=100
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xa1a4a000-0xa1a4c000 stackSize=1014KB
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00042ee8  /system/lib/libc.so (__ioctl+8)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 00048625  /system/lib/libc.so (ioctl+14)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0001e7d9  /system/lib/libbinder.so (_ZN7android14IPCThreadState14talkWithDriverEb+132)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 0001ecc7  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+6)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 0001ed65  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 000236bb  /system/lib/libbinder.so (???)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #06 pc 00010071  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #07 pc 0006044b  /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+70)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #08 pc 0004064b  /system/lib/libc.so (_ZL15__pthread_startPv+30)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #09 pc 0001a025  /system/lib/libc.so (__start_thread+6)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   (no managed stack frames)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] "Binder_4" prio=5 tid=11 Native
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | group="" sCount=2 dsCount=0 obj=0x12d4f0a0 self=0xab4b1100
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | sysTid=30323 nice=0 cgrp=default sched=0/0 handle=0xa19a7930
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | state=S schedstat=( 1420309 866384 7 ) utm=0 stm=0 core=2 HZ=100
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | stack=0xa18ab000-0xa18ad000 stackSize=1014KB
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   | held mutexes=
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #00 pc 00042ee8  /system/lib/libc.so (__ioctl+8)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #01 pc 00048625  /system/lib/libc.so (ioctl+14)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #02 pc 0001e7d9  /system/lib/libbinder.so (_ZN7android14IPCThreadState14talkWithDriverEb+132)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #03 pc 0001ecc7  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+6)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #04 pc 0001ed65  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #05 pc 000236bb  /system/lib/libbinder.so (???)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #06 pc 00010071  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #07 pc 0006044b  /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+70)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #08 pc 0004064b  /system/lib/libc.so (_ZL15__pthread_startPv+30)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   native: #09 pc 0001a025  /system/lib/libc.so (__start_thread+6)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]   (no managed stack frames)
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236] 
04-02 00:19:06.948 30266-30276/de.selfmade4u.antipiracy A/art: art/runtime/thread_list.cc:236]

Error

{
    onEnter: function (log, args, state) {
        this.b = args[1];
    },
    onLeave: function (log, retval, state) {
	rlen = Memory.readShort(this.b)/8;
        uint8arr = new Uint8Array(Memory.readByteArray(this.b.add(0x11), rlen));
        var hexStr = '';
        for (var i = 0; i < uint8arr.length; i++) {
            var hex = (uint8arr[i] & 0xff).toString(16);
            hex = (hex.length === 1) ? '0' + hex : hex;
            hexStr += hex;
        }
        log(hexStr);
    }
}

{'type': 'error', 'description': 'Error: access violation accessing 0xc49c3000', 'stack': 'Error: access violation accessing 0xc49c3000\n at input:39\n at call (native)\n at invokeCallback (tracer.js:33)\n at tracer.js:42', 'fileName': 'input', 'lineNumber': 39, 'columnNumber': 1}

How to fix this?

'Error: abort was called' when hooking Android 6.0.0

Frida version: 10.0.10
Nexus 5X, Android 6.0.0, rooted

Error message:

Error: abort was called
    at frida/node_modules/frida-java/lib/vm.js:48
    at frida/node_modules/frida-java/lib/vm.js:35
    at java.js:1369
    at repl1.js:3640
Error: abort was called
    at t (frida/node_modules/frida-java/lib/android.js:274)
    at ensureClass (frida/node_modules/frida-java/lib/class-factory.js:318)
    at frida/node_modules/frida-java/lib/class-factory.js:111
    at [anon] (repl1.js:13)
    at frida/node_modules/frida-java/lib/vm.js:33
    at y (frida/node_modules/frida-java/index.js:322)
    at frida/node_modules/frida-java/index.js:296
    at frida/node_modules/frida-java/lib/vm.js:33
    at java.js:1369
    [...]

Update, I've a smaller reproduce script, only hook android.media.audiofx.AudioEffect will cause the abort, Here is the hook javascript code, and logcat.

Java.available is always false during stage=early when using gadget in script mode

I am trying to load a script onto an android app via wrap method. The frida lib gets injected and is loading the script as intended but Java.available is always false during the initial load.

If the frida config's on_change is set to reload and once the script is reloaded (stage=late) Java.available is true and everything works fine.

I needed the script to be up and running during stage=early.

script content which is compiled using frida-compile.

rpc.exports = {
    init: function (stage, parameters) {
        if(Java.available) {
              require('./hooks');
        }
    }
};

I tried doing a "Observe(setTimeout)" on Java.available waiting for it to be set to true before loading my hooks...but its never set to true even though the app is loaded.

Error: abort was called on Java.enumerateLoadedClasses

Frida version: 10.1.2
Huawei P8 Lite, Android 6.0.0, rooted

Script:

function testEnumerateLoadedClass()
{
	console.log("Starting...");

	while(!Java.available)
	{
	}

	console.log("Available !");

	Java.perform(function(){
		Java.enumerateLoadedClasses({
			onMatch: function(classname){
				console.log(classname);
			},

			onComplete: function (){
			}
		});
	});

}

Error message:

Spawning `sg.vantagepoint.helloworldjni`...               
Starting...                                           
Available !                    
Spawned `sg.vantagepoint.helloworldjni`. Resuming main thread!   
[USB::HUAWEI ALE-L21::['sg.vantagepoint.helloworldjni']]->
Error: abort was called  
    at u (frida/node_modules/frida-java/lib/android.js:512)    
    at p (java.js:2054)                                                                                                                                                   
    at frida/node_modules/frida-java/index.js:105                                                                                                                                      
    at [anon] (repl1.js:125)                                                                       
    at frida/node_modules/frida-java/lib/vm.js:39                                                                               
    at y (frida/node_modules/frida-java/index.js:325)                                               
    at frida/node_modules/frida-java/index.js:305                                                   
    at call (native)                                                                                
    at getPackageInfoNoCheck (input:1)                                            
    [...]

The app spawns but gets unresponsive with a white screen. Quitting frida's console also not possible as it gets unresponsive. Have to kill -9 frida.

Java API not available on Frida 9.1.6

➜  ~ frida -U -p 0
     ____
    / _  |   Frida 9.1.5 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
                                                                                
[USB::Xiaomi Redmi Note 3::System]-> Frida.version
"9.1.6"
[USB::Xiaomi Redmi Note 3::System]-> Java.androidVersion
"6.0.1"
[USB::Xiaomi Redmi Note 3::System]-> Java.available
false
[USB::Xiaomi Redmi Note 3::System]-> Java.vm
null
[USB::Xiaomi Redmi Note 3::System]->

Confusing/non-consistent type representation in overload(...)

(Continuation of frida/frida-gum#117.)

As described by @stevielavern:

When using Java.method.overload(...), the full name of native types must be used and not the letters representing these types in Java signatures. For instance int instead of I, byte instead of B, etc.

But when the parameter is an array of a native type, the letter must be used and not the full name.
For instance, if the method is method(int x, int y[]), overload must be used like this: method.overload("int", "[I") and not with [int orint[].

While not a big issue, this can be misleading/counter-intuitive.
A simpler way to avoid any confusion could be to use the signature of the method in overload(), for instance for the previous example I[I.

Hook class initializer

Is there a way to hook a class initializer? For example:

class MainActivity {
    static {  // <=== clinit method that I want to hook
        System.loadLibrary("test");
    }
}

Hook System.loadLibrary

I have the below code to hook System.loadLibrary()

var System = Java.use.('java.lang.System');
System.loadLibrary.implementation = function(name) {
    console.log("System.loadLibrary " + name); // it is ok until this point
    this.loadLibrary(name);
    console.log("loadLibrary"); // <== this does not get printed out
    // code to hook 
};

I want to hook some C native function after the library is loaded. So I must have some code after the original loadLibrary is called. However, as can be seen from my snippet, codes starting from console.log("loadLibrary"); does not get executed.

Did I do anything wrong?

Error: access violation accessing 0x0 when calling Java.enumerateLoadedClasses() or Java.choose()

Hello,

When executing the following simple scripts

Java.perform(function () {   
        Java.enumerateLoadedClasses({
            onMatch: function(className){
                console.log(className)
            },
            onComplete:function(){
            }
    });
});

I get this error:

{'type': 'error', 
'description': 'Error: access violation accessing 0x0', 
'stack': 'Error: access violation accessing 0x0
    at v (frida/node_modules/frida-java/index.js:233)
    at frida/node_modules/frida-java/index.js:105
    at [anon] (script1.js:10)
    at frida/node_modules/frida-java/index.js:266
    at call (native)
    at dispatchMessage (input:1)', 'fileName': 'frida/node_modules/frida-java/index.js', 'lineNumber': 233, 'columnNumber': 1}

I get the same issue when calling Java.choose().

Versions used:

Android 4.3.1 (Cyanogenmod 10.2.1)
Both with Frida version 9.1.28 and 10.5.13

is there any easy way to enum ArtMethods?

I tried to make a script that detecting runtime Method hook(like AndFix), but enum ArtMethods is a little bit complicated, any solution?

Access violation on apply'ing integer argument

(Continuation of frida/frida-gum#165.)

As described by @dpnishant:

The script below

var getSharedPreferences = ContextWrapper.getSharedPreferences.overload("java.lang.String", "int");
getSharedPreferences.implementation = function (spName, spMode) {
  console.log('getSharedPreferences Name: ' + spName);
  return getSharedPreferences.apply(this, arguments);
};

is throwing different types of errors (mostly access violation) in different apps.

Target process crashes on detach/script reload with Java hooks installed (9.1.6)

frida -U -l java.js com.android.terminal
On editing script or detaching from target process it crashes.
Crashes don't happen if I don't set up a hook.

java.js:

function onLoad() {
    console.log("Loaded.")

    Java.perform( function() { 
      URL = Java.use('java.net.URL');
      URL.getHost.implementation = function () {
        console.log("inside hook!");
        return this.getHost();
      };
    });

    Java.perform( function() { 
      url = URL.$new('http://www.ikke.no/');
      host = url.getHost();
      console.log('host=' + host);
    });
}
onLoad();

Android 6.0.1, CM13. Device is Wileyfox Swift.

Too many PopLocalFrame calls

(Continuation of frida/frida-gum#166.)

As described by @dpnishant:

This following script initially works as normal initially

if (ContextWrapper.getCacheDir) {
        // Ref: https://developer.android.com/reference/android/content/ContextWrapper.html#getCacheDir()
        ContextWrapper.getCacheDir.implementation = function() {
            var cache_dir = this.getCacheDir.call(this);
            console.log('Cache Dir: ' + cache_dir.toString());
            return cache_dir;
        };
    }

but after a while (after certain amount of interaction with the app) it throws the following error.

How to get all java class fields/methods in frida?

After dig into source, I finally found the way to get a field which has the same name of a method.

https://github.com/frida/frida-java/blob/82bc59a8389ae62a94e65841b34bb003e03f6518/lib/class-factory.js#L810-L813

public class Test {
    private static int a = 1;
    
    private static int a()
    {
        return 0;
    }
}

'use strict';

if (Java.available) {
    console.log('Java Process!')

    Java.perform(function () {
        var Test = Java.use("Test");

        console.log( Test._a.value );

    });
} else
    console.log("not Java Process!")

My question is:
Is there a way to get all fields/methods of a java class?

Hook String constructor

I have the below script to hook public String(char[] data) method

Java.perform(function () {
    var String = Java.use('java.lang.String');
    String.$init.overload('[C').implementation = function(p0) {
        console.log('String.init');
        return String.$init(p0);
    }
}

It does not work (the log did not get printed out). Is there a reason behind? And is there any work around?

Overload Error: specified argument types do not match any of: (Generics issue?)

Hi,

I am using Frida to instrument Android applications. The methods I have to instruments are chosen from a trace obtained by the Android Tracer tool. I am having an issue with some overloads.
As an example, consider the writeTypedArray method from the android.os.Parcel class:

From the Android Tracer I get its parameters array as (['[Landroid.os.Parcelable;', 'int']), and a getDeclaredMethods confirms it is compatible, as it gives its signature as public final void android.os.Parcel.writeTypedArray(android.os.Parcelable[],int).
However if I try to re-implement it in my script with methodObject.overload.apply(this, parametersTypes).implementation = function () {...} (with parametersTypes equal to (['[Landroid.os.Parcelable;', 'int'])) it gives me the following error:

Error: writeTypedArray(): specified argument types do not match any of: .overload('java.lang.Object', 'int') at throwOverloadError (frida/node_modules/frida-java/lib/class-factory.js:1449) at frida/node_modules/frida-java/lib/class-factory.js:871 at apply (native) at OverloadTEST.js:13 at frida/node_modules/frida-java/lib/vm.js:33 at y (frida/node_modules/frida-java/index.js:322) at frida/node_modules/frida-java/index.js:296 at frida/node_modules/frida-java/lib/vm.js:33 at java.js:1369 at OverloadTEST.js:4 [...]

Just before posting I went to take a look at the documentation and source code of the android.os.Parcel class and found out that it uses a generics and its definition signature is:

public final <T extends Parcelable> void writeTypedArray(T[] val, int parcelableFlags)

Which may easily be the source of my problems, however I have no idea how to bypass it in an automated way, manually change my parameters to ('java.lang.Object', 'int') is not a good solution as I am instrumenting hundreds of different methods.

Is there an way to make it work with the actual class?
Is there a way to at least avoid the abort and crash of the instrumentation tool in case this happens? I would like to by able to recovery in my catch, but It is always stuck after the error.

Here attached a minimal example to reproduce my issue:
OverloadTEST.txt
InstrumentTEST.txt

API level 26 - `android.js`

Frida Java.available will respond with false on Android API level 26. It seems that android.js does not know where the method art::IndirectReferenceTable::Add is. It can be fixed by overwriting (line 51)
'_ZN3art22IndirectReferenceTable3AddEjPNS_6mirror6ObjectE': ['art::IndirectReferenceTable::Add', 'pointer', ['pointer', 'uint', 'pointer']],
with '_ZN3art22IndirectReferenceTable3AddENS_15IRTSegmentStateENS_6ObjPtrINS_6mirror6ObjectEEE': ['art::IndirectReferenceTable::Add', 'pointer', ['pointer', 'uint', 'pointer']],.

Since I don't understand the code in this file completely, I did not issue a pull request.

The way identified the new function name is below:

modules = Process.enumerateModulesSync()
for (i in modules) {
	module = modules[i].name
	// console.log(module)
	symbols = Module.enumerateExportsSync(module)
	for (j in symbols) {
		symbol = symbols[j].name
		// console.log('\t' + symbol)
		if (symbol.match('Indirect.*Ref.*Add')) {
			console.log(module)
			console.log(symbol)
		}
	}
}

Error: access violation accessing 0x6f0056

I've faced with a strange problem. When I try to spawn android app via Frida then I get an error.

frida -U --no-pause -f com.android.chrome -l script.js

Spawned `com.android.chrome`. Resuming main thread!
[USB::LGE Nexus 5::['com.android.chrome']]-> Error: access violation accessing 0x6f0056
    at frida/node_modules/frida-java/lib/env.js:206
    at apply (native)
    at frida/node_modules/frida-java/lib/env.js:201
    at frida/node_modules/frida-java/lib/class-factory.js:113
    at frida/node_modules/frida-java/lib/class-factory.js:1621
    at call (native)
    at getPackageInfoNoCheck (input:1)
    at apply (native)
    at r (frida/node_modules/frida-java/lib/class-factory.js:842)
    [...]

My script.js looks like this

Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.implementation = function () {
        console.log("[*] onResume() got called!");
        this.onResume();
    };
});

Frida version: 9.1.25
Android version: 6.0.1

Get method and class name the are called through reflection in android

Hello everyone,

I am trying to get the class name and method name that are called using reflection in android.
I get the parameters that are passed to the invoke method but those are kind of addresses (sorry new to Frida and android development) and I don't know how to get the corresponding class and method names from it. Here is sample output from one of the reflection call:

{"class":"java.lang.reflect.Method","method":"invoke","args":[{"$handle":"0x10098a","$weakRef":387},[{"$handle":"0x10098e","$weakRef":388}]],"retVal":null}

Above I log the class and method that are hooked along with the parameters to them. Now I need to get Class and method name that were called using the invoke method. Any pointers in the right direction would be highly appreciated.

Cheers.
Waqar

java.lang.ClassNotFoundException when using Java.registerClass

I get the following error when I use Java.registerClass:
The device is an ARMv7 running Android 4.4.4

Error: java.lang.ClassNotFoundException: Didn't find class "com.example.MyRunnable" on path: DexPathList[[],nativeLibraryDirectories=[/vendor/lib, /system/lib]]', u'fileName': u'frida/node_modules/frida-java/lib/env.js', u'lineNumber': 218, u'type': u'error', u'stack': u'Error: java.lang.ClassNotFoundException: Didn't find class "com.example.MyRunnable" on path: DexPathList[[],nativeLibraryDirectories=[/vendor/lib, /system/lib]]
    at frida/node_modules/frida-java/lib/env.js:218
    at ensureClass (frida/node_modules/frida-java/lib/class-factory.js:435)
    at frida/node_modules/frida-java/lib/class-factory.js:119
    at registerClass (frida/node_modules/frida-java/lib/class-factory.js:1637)
    at script1.js:11
    at frida/node_modules/frida-java/lib/vm.js:39
    at frida/node_modules/frida-java/index.js:281
    at script1.js:15'}

Here is the code that produces the error:

Java.perform(function() {
    var Runnable = Java.use('java.lang.Runnable');
    var MyRunnable = Java.registerClass({
        name: 'com.example.MyRunnable',
        implements: [Runnable],
        methods: {
            'run': function() {
                console.log('Hello!!!');
            }
        }
    });

    var runnable = MyRunnable.$new();
    runnable.run();
});

Frida crashes process when loading a script before resuming a spawned application

Frida version 9.1.23, with both frida-server-9.1.23-android-arm64 and frida-server-9.1.23-android-x86_64 (both on a rooted Galaxy S7 phone and the latest Android N emulator from Google)

Used the following command sequence (with associated output):
$ frida -U -f sg.vantagepoint.uncrackable1
Waiting for USB device to appear...
Spawned sg.vantagepoint.uncrackable1. Use %resume to let the main thread start executing!
[USB::Samsung SM-G930F::['sg.vantagepoint.uncrackable1']]-> %load uncrackable_access.js
[USB::Samsung SM-G930F::['sg.vantagepoint.uncrackable1']]-> %resume
[USB::Samsung SM-G930F::['sg.vantagepoint.uncrackable1']]-> Error: access violation accessing 0xebad8082
at Env. (frida/node_modules/frida-java/lib/env.js:206:1)
at ClassFactory.use (frida/node_modules/frida-java/lib/class-factory.js:113:1)
at ActivityThread.fromJni (frida/node_modules/frida-java/lib/class-factory.js:1624:1)
at ActivityThread.getPackageInfoNoCheck (eval at makeMethod (frida/node_modules/frida-java/lib/class-factory.js:1015:1))
at ActivityThread.m.implementation (frida/node_modules/frida-java/index.js:302:1)
at getPackageInfoNoCheck (eval at implement (frida/node_modules/frida-java/lib/class-factory.js:1370:1), :1:)
[USB::Samsung SM-G930F::['sg.vantagepoint.uncrackable1']]->
[USB::Samsung SM-G930F::['sg.vantagepoint.uncrackable1']]-> Process terminated

File uncrackable_access.js contains the following script:
Java.perform(function() { 
        var bclass = Java.use("sg.vantagepoint.uncrackable1.b");
        bclass.onClick.implementation = function(a,b) {
        console.log("Intercepted onClick");
    }
});

App sg.vantagepoint.uncrackable1 can be downloaded here: https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/01_Android/Level_01/UnCrackable-Level1.apk

"stack": TypeError: undefined not callable on calling the original method inside new implementation

I am trying to modify one of the function in a closed apk (no access to source code). After doing my own stuff I call the original method. However, I get an error message "stack": TypeError: undefined not callable

I am using the following script (taken from the tutorial)
Java.perform(function () { var handle = Java.use("com.hulu.physicalplayer.PhysicalPlayer"); handle.pause.implementation = function () { //console.log("pause called") this.pause() } })

Interestingly, I am able to call other methods (example this.play()) of the same class while inside the new implementation of pause function. However call to pause function gives me the above error.

I tried modifying some other functions as well, but similar thing happens i.e. I get an error message when calling the original function inside the new method.

Here is the full error:
{u'columnNumber': 1, u'description': u'TypeError: undefined not callable', u'fileName': u'java.js', u'lineNumber': 2513, u'type': u'error', u'stack': u'TypeError: undefined not callable\n at [anon] (duk_js_call.c:842)\n at v (frida/node_modules/frida-java/lib/android.js:575)\n at resolveArtTargetMethodId (frida/node_modules/frida-java/lib/class-factory.js:1200)\n at pause (input:1)\n at apply (native)\n at r (frida/node_modules/frida-java/lib/class-factory.js:940)\n at script1.js:6\n at call (native)\n at pause (input:1)'}

Fix handling of -Xcheck:jni

Memory.readUtf8String returns error UTF-8 when reading strings from memory

Hi,

When intercepting a Java method that takes an Integer and String as arguments and returns another String (Lpackage/class;->method(Ljava/lang/String;I)Ljava/lang/String;), I got this frida error:

Error: invalid UTF-8
    at frida/node_modules/frida-java/lib/env.js:922
    at frida/node_modules/frida-java/lib/class-factory.js:2020
    at input:1

This seems to be caused by this code snippet: ((https://github.com/frida/frida-java/blob/master/lib/env.js#L922)) and it is triggered when trying to read UTF-8 string as shown below:

Env.prototype.stringFromJni = function (str) {
  const utf = this.getStringUtfChars(str);
  if (utf.isNull()) {
    throw new Error("Can't access the string.");
  }
  try {
    return Memory.readUtf8String(utf);
  } finally {
    this.releaseStringUtfChars(str, utf);
  }
};

Important to mention that try-catch-ing the printing in stdout or the entire hook does not prevent showing the error on screen.

Any idea how to fix this?

NB.- Using latest Frida version

Early instrumentation: Intercepting method onCreate() from MainActivity on Android ART

Hi all,

I have been playing around with some Android crackmes from the OWASP community and found that I was not able to hook the first class loaded that extended from the class Activity. Therefore, I wondered why this was happening.

Target code (decompiled)

First of all lets see the target code to intercept:

public class MainActivity extends Activity
{
    private void a(final String title) {
        final AlertDialog create = new AlertDialog$Builder((Context)this).create();
        create.setTitle((CharSequence)title);
        create.setMessage((CharSequence)"This in unacceptable. The app is now going to exit.");
        create.setButton(-3, (CharSequence)"OK", (DialogInterface$OnClickListener)new b(this));
        create.show();
    }
    
    protected void onCreate(final Bundle bundle) {
        if (c.a() || c.b() || c.c()) {
            this.a("Root detected!");
        }
        if (sg.vantagepoint.a.b.a(this.getApplicationContext())) {
            this.a("App is debuggable!");
        }
        super.onCreate(bundle);
        this.setContentView(2130903040);
    }

The goal is to inject code when entering into onCreate() to defeat the security checks. To achieve early instrumentation, the process was chosen to be spawned instead of attached, and the hook was written as such:

Java.perform(function () {
	send("Starting hooks OWASP uncrackable1...");

	var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
	mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
	    send("sg.vantagepoint.uncrackable1.MainActivity.onCreate(Landroid/os/Bundle;)V    MainActivity HIT!!!");
	    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
	};

	send("Hooks installed.");
});

Question

With all that, my question was if Frida is capable of intercepting this early method when the main activity class is instantiated.

Further information

APK: Uncrackable level1
Target class: public class MainActivity extends Activity
Target method: protected void onCreate(final Bundle bundle)
Frida version: 9.1.27
Target Arch: Android 7.1.x ART
Device: Nexus 5x
Host Arch: x64 Ubuntu 16.04.2

Support for enumerating loaded classes on ART

Continuation of frida/frida-core#75. As described by @dpnishant:

Running the following on Android 5.1.1 on Nexus 5

var classes = Java.enumerateLoadedClassesSync();

throws the following error.

Error: Enumerating loaded classes is only supported on Dalvik for now
    at _enumerateLoadedClasses (gumjs-java.js:172:23)

Not compatible with Xposed on ART

(Continuation of frida/frida#220.)

As described by @hedger:

I'm running Frida 9.1 with target device Wileyfox Swift (arch=a64) running Android 6.0.1 (CM13.1.5). It's on stock ROM with Xposed v87.

I can't make anything Java-related work.

[USB::Wileyfox Wileyfox Swift::com.android.phone]-> Java.available
false

I tried debugging what's happening on Java interface initialization, and found out that
_ZN3art6mirror6Object5CloneEPNS_6ThreadE (art::mirror::Object::Clone(art::Thread*))
is missing from libart.so, but instead there's a function called _ZN3art6mirror6Object5CloneEPNS_6ThreadEm, which demangles to art::mirror::Object::Clone(art::Thread*, unsigned long).
File containing initialization code is built into frida-server binary, so I can't easily debug and test it further.

Port withRunnableArtThread() to x86

Error: access violation accessing 0x3a

Error: access violation accessing 0x32
at onClick (input:1)
at apply (native)
at r (frida/node_modules/frida-java/lib/class-factory.js:940)
at repl1.js:24
at call (native)
at onClick (input:1)
Process terminated

Error: access violation accessing 0x3a
at onClick (input:1)
at apply (native)
at r (frida/node_modules/frida-java/lib/class-factory.js:1053)
at repl1.js:24
at call (native)
at onClick (input:1)
Process terminated

android linux 32bit cpu arm64bit frida 32bit output this error
android linux 32bit cpu arm32bit frida 32bit is OK
android linux 64bit cpu arm64bit frida 64bit is OK

Not possible to change implementation of a function called Process

It seems that it is not possible to override implementation of a Java function called Process. For example:

Java.perform(() => {
    const cls = Java.use('com.some.class.here');
    cls.Process.implementation = function () { return false; }
});

After trying to execute the code, you'll get an error in class-factory.js in line 1125 that Process.getCurrentThreadId() is not a function.

This happens because the function is called Process overriding the default Process object in the global namespace.

Perhaps the quick (and dirty) fix is to just make the function anonymous?

Java.enumerateLoadedClasses() throws an error (access violation)

(Continuation of frida/frida-node#22.)

As described by @TelmoNeves:

While trying to use Java.enumerateLoadedClasses I get the following error:

{ type: 'error',
description: 'Error: access violation accessing 0x0',
stack: 'Error: access violation accessing 0x0\n at _enumerateLoadedClasses (frida/node_modules/frida-java/index.js:98:30)\n at Runtime.value [as enumerateLoadedClasses] (frida/node_modules/frida-java/index.js:145:7)\n at agent.js:446:8\n at VM.perform (frida/node_modules/frid
a-java/lib/vm.js:35:7)\n at performPending (frida/node_modules/frida-java/index.js:221:14)\n at frida/node_modules/frida-java/index.js:196:15\n at VM.perform (frida/node_modules/frida-java/lib/vm.js:35:7)\n at Runtime.perform (frida/node_modules/frida-java/index.js:191:14)\n at Object
.1 (agent.js:5:7)\n at s (node_modules/frida-load/node_modules/browserify/node_modules/browser-pack/_prelude.js:1:1)',
fileName: 'frida/node_modules/frida-java/index.js',
lineNumber: 98,
columnNumber: 30 }

I remember using this function at the beginning of the year and it worked.

My device is a Samsung Note 3 rooted running android 4.3

I also tested with an emulator and I got the same error.

Crashes on second session with Java

I compiled a sample agent coming with frida-java (/test/agent/index.js), and it crashes target application on second run.
I build it with frida-compile index -o myjava.js and start it up with frida -U -l myjava.js com.android.terminal
and execute the following code in REPL:

rpc.exports.hookJavaMethod();
for (var i = 0; i < 4; ++i) { rpc.exports.callJavaMethod(); }
console.log(rpc.exports.getHookTriggerCount())

First run always completes without errors, but on the second one it always crashes target application, printing stack traces like

Error: Can't access the string.
    at repl1.js:3416
    at repl1.js:2758
    at getHost (input:1)
    at apply (native)
    at f (repl1.js:1461)
    at repl1.js:5609
    at call (native)
    at getHost (input:1)

Error: java.lang.StackOverflowError: stack size 1013KB
    at repl1.js:2759
    at getHost (input:1)
    at apply (native)
    at f (repl1.js:1461)
    at repl1.js:5609
    at call (native)
    at getHost (input:1)
Process terminated

Field and Method that have same names are collinding.

I'm unable to access a static public method that have the same name as a static public field.

We might need some prefix to prevent fields and method from colliding.

Transient "Error: VM::GetEnv failed: -2"

Android version: 4.3
Frida client version: 10.6.18
Frida server version: frida-server-10.6.18-android-arm

Using Java.choose() directly outputs Error: VM::GetEnv failed: -2, but using it a second time with a small delay works. Here is a snippet of code showing the issue:

function choose(className) {
  Java.perform(function() {
    Java.choose(className, {
      'onMatch': function(instance) {
        console.log('[*] Instance found: ' + instance.toString());
      },
      'onComplete': function() {},
    });
  })
};

choose('android.view.View');

setTimeout(function() {
  choose(className);
}, 100);

Here is the output when run using frida -U 25390 -l script.js

Error: VM::GetEnv failed: -2
    at e (frida/node_modules/frida-java/lib/result.js:7)
    at frida/node_modules/frida-java/lib/vm.js:72
    at frida/node_modules/frida-java/lib/class-factory.js:339
    at frida/node_modules/frida-java/lib/class-factory.js:394
[*] Instance found: android.view.View{4249de38 V.ED.... ........ 0,95-720,96 #7f0e0cd5 app:id/bny}
[*] Instance found: android.view.View{42827d70 V.ED.... ........ 0,93-720,94 #7f0e0ce8 app:id/bog}
[*] Instance found: android.view.View{42bdbba8 I.ED.... ......I. 180,0-360,546}
[*] Instance found: android.view.View{42bdbd40 I.ED.... ......I. 360,0-540,546}
[*] Instance found: android.view.View{42bdbed8 I.ED.... ......I. 540,0-720,546}

The first call to choose() is necessary, else the second call fails with "Error: VM::GetEnv failed: -2". Making the second call directly, without setTimeout(), also gives "Error: VM::GetEnv failed: -2".