frida-core

Failure to effectively hook all the methods of a class in newer Android versions

Open Ch0pin opened this issue 2 years ago • 5 comments

In the newest Android versions (>= 13), I am facing an issue when I try to hook all the methods of a Java class. More specifically, given the following function:

function traceMethod(targetClassMethod) {
	// Split "<class>.<method>" at the last dot
	var delim = targetClassMethod.lastIndexOf(".");
	if (delim === -1) return;
	var targetClass = targetClassMethod.slice(0, delim);
	var targetMethod = targetClassMethod.slice(delim + 1, targetClassMethod.length);
	var hook = Java.use(targetClass);
	var overloadCount12 = hook[targetMethod].overloads.length;

	// Replace every overload with a wrapper that logs arguments and return value
	for (var i = 0; i < overloadCount12; i++) {
		hook[targetMethod].overloads[i].implementation = function() {
			console.log("\n[ ▶︎▶︎▶︎] Entering: " + targetClassMethod);
			for (var j = 0; j < arguments.length; j++) {
				console.log("|\t\\_arg[" + j + "]: " + arguments[j]);
			}
			// Call through to the original method
			var retval = this[targetMethod].apply(this, arguments);
			console.log("[ ◀︎◀︎◀︎ ] Exiting " + targetClassMethod);
			console.log('\t\\_Returns: ' + retval + '\n');
			return retval;
		}
	}
}

and the following calls:

traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.finish');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.onActivityResult');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.onCreate');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ɻ');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʕ');
traceMethod('com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʖ');

I can effectively hook all the methods of a class in Android 9 and get the correct logs:

Screenshot 2024-03-01 at 10 42 48

Using traceMethod with the same app on Android 13 yields the following output:

Screenshot 2024-03-01 at 10 45 08

It fails to display the logs of methods called within onCreate. Subsequently, removing the onCreate hook displays the log of com.airbnb.android.lib.deeplinks.activities.DeepLinkEntryActivity.ʕ but fails to follow the calls to the class's methods started from within the ʕ method:

Screenshot 2024-03-01 at 10 47 18

My Android 13 device's fingerprint is the following:

[google/barbet/barbet:13/TQ3A.230901.001/10750268:user/release-keys]

While the Android 9 fingerprint is the following:

[samsung/dream2ltexx/dream2lte:9/PPR1.180610.011/G955FXXUCDUD1:user/release-keys]

Ch0pin, Mar 01 '24 10:03

Using a simpler example, assuming the following Java code:

    public void func(){
        System.out.println("in func");
        func1();
    }

    public void func1(){
        System.out.println("in func1");
    }

the following script:


Java.perform(function() {
    let className1 = Java.use("com.intent.sender.min.MainActivity");

    className1.func.implementation = function() {
        console.log("FRIDA: in func");
        this.func();
    }

    className1.func1.implementation = function() {
        console.log("FRIDA: in func1");
    }
});

logs only: FRIDA: in func

Ch0pin, Mar 02 '24 23:03

I am also affected by this bug!

giorgosioak, Mar 04 '24 11:03

+1 here

LeitaoDeveloper, Mar 04 '24 11:03

Likewise, affected by this bug

Ginggas, Mar 04 '24 12:03
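
A diagnostic variant of the tracing approach in this thread, as an added example that is not part of the issue or of Frida's own code: it hooks every overload of each listed method, indents log lines by call depth, and reports hooks that were installed but never fired, which is the symptom described above. `splitTarget`, `makeTracer` and `neverFired` are names introduced for this example; it helps confirm which hooks are skipped and does not fix the reported behaviour.

```javascript
// Added example, not from the issue. `useClass` is Java.use under Frida;
// any function returning objects of the same shape works for offline checks.
function splitTarget(fq) {
  const delim = fq.lastIndexOf(".");
  if (delim === -1) throw new Error("expected <class>.<method>: " + fq);
  return { cls: fq.slice(0, delim), method: fq.slice(delim + 1) };
}

function makeTracer(useClass, log) {
  const hits = new Map(); // "class.method" -> times any of its hooks fired
  let depth = 0;          // nesting level of hooked calls, used for indentation

  function trace(fq) {
    const { cls, method } = splitTarget(fq);
    const wrapper = useClass(cls)[method];
    if (!wrapper || !wrapper.overloads) {
      log("[!] no such method: " + fq);
      return 0;
    }
    hits.set(fq, 0);
    wrapper.overloads.forEach(function (overload) {
      overload.implementation = function () {
        hits.set(fq, hits.get(fq) + 1);
        log("  ".repeat(depth) + "-> " + fq + "(" + Array.from(arguments).join(", ") + ")");
        depth++;
        try {
          return overload.apply(this, arguments); // run the original overload
        } finally {
          depth--; // restore nesting even if the original throws
        }
      };
    });
    return wrapper.overloads.length; // number of overloads hooked
  }

  // Hooks that were installed but have not fired so far.
  const neverFired = () => Array.from(hits.keys()).filter((k) => hits.get(k) === 0);
  return { trace, neverFired };
}

// Only runs inside Frida; class and method names are those of the simpler example above.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const t = makeTracer((name) => Java.use(name), console.log);
    t.trace("com.intent.sender.min.MainActivity.func");
    t.trace("com.intent.sender.min.MainActivity.func1");
    // The 5 s delay is an arbitrary choice to let the app run before reporting.
    setTimeout(() => console.log("never fired: " + t.neverFired().join(", ")), 5000);
  });
}
```

Comparing the `never fired` list between an Android 9 and an Android 13 run of the same app shows which nested hooks are being skipped.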