Javascript

api | fs | thread

Global

we expose a set of api which are mainly short hands wrappers of frida api, functions to exchange data with the ui and perform operations while scripting.


addWatcher

addWatcher(0xc4d8ff30);

Add a memory watcher which will trigger dwarf ui and break the thread when a memory address got read or write



breakpoint

breakpoint();

In a standard hook it has no effect but, if you want to go outside the context (i.e tracer) you could find it useful to break the thread and control through ui


deleteHook

deleteHook(key);

Remove an hook by key. Could be a pointer if the hook is native, a module if it’s OnLoad or a string pointer or a string java class method etc


enumerateExports

enumerateExports(moduleName);

Enumerate exports for the given module name


enumerateImports

enumerateImports(moduleName);

Enumerate imports for the given module name


enumerateJavaClasses

enumerateJavaClasses();

Start enumeration of java classes async and send data to the ui


enumerateJavaMethods

enumerateJavaMethods();

Start enumeration of java methods async and send data to the ui


enumerateModules

enumerateModules();

Enumerate loaded modules


enumerateRanges

enumerateRanges();

Enumerate mapped ranges with all permissions


enumerateSymbols

enumerateSymbols(moduleName);

Enumerate symbols for the given module name


findExport

findExport('target_function');
findExport('target_function', 'target_module.so');

shortcut of frida api Module.findExportByName with the advantage to accept only 1 argument. if module is not set, default will be ‘libc’ on android and ‘libSystem.b.dylib’ for ios


findModule

findModule('target_module.so');

shortcut of frida api Process.findModuleBy|Name|Address


getAddressTs

getAddressTs(0xdb884dc2);

Check the data pointed by a pointer. ptr is an integer or an hexadecimal numeric string “0x1000”.

return an array with 2 values. First one representing the type of the data: 0: string, 1: pointer, 2: int, -1: error. Second one is the data


getRange

getRange(0xdb884dc2);

return a frida range object for the given address


getSymbolByAddress

getSymbolByAddress(0xdb884dc2);

return debug symbol for the given address


hookAllJavaMethods

hookAllJavaMethods('com.android.targetClass');

hook all the java methods of the given class


hookJava

hookJava('com.android.targetClass');
hookJava('com.android.targetClass.myMethod');

a shortcut to hook either a java constructor or method (all overloads)


hookJavaOnLoad

hookJavaOnLoad('com.android.targetClass');

breakpoint during loading cycle of the given class


hookNative

// breakpoint open
hookNative(api.findExport('open'));

a shortcut to frida api Interceptor.attach() which pause the thread and let you debug through dwarf. Eventually, a logic (function()) can be added as second argument to perform additional stuffs and prevent the thread to be sleeped


hookNativeOnLoad

// breakpoint on open
hookNativeOnLoad('libtarget.so');

hook a native module before initialization (works only on Android)


isAddressWatched

isAddressWatched(0xd6c8fd9a);

Return a boolean indicating if the address is currently watched


injectBlob

injectBlob(name, blobAsHex);

Uses syscall memfd create to map an fd in memory which can be dlopened. Provide a custom name for the fd and the bytes as hex string of the binary to inject


javaBacktrace

javaBacktrace();

A shortcut for java backtrace


nativeBacktrace

nativeBacktrace();

release

release();
release(1274);

Release a thread id and resume execution. (basically, unpause the thread after an hook is hit). Release all of them if no arg is specified


removeWatcher

removeWatcher(0xcfd4aab4);

Remove memory watcher from the given pointer


restart

restart();

Restart the application from main. This logic is only built for Android at the moment


setData

setData(key, value);

An api suggested by a friend to send data straight to the UI. You can check an example usage here


startJavaTracer

startJavaTracer(classes, callbacks);

const classes = ['com.targerclass.first', 'com.targetclass.second'];

// use ui
startJavaTracer(classes);

// use custom callbacks
startJavaTracer(classes, {
    onEnter: function(args) {
    },
    onLeave: function(ret) {
       return 'patched';
    }
});

Start tracing the given java classes


startNativeTracer

startNativeTracer(callback);

startNativeTracer(function() {
    console.log(this.context);
    console.log(this.instruction);
    if (this.instruction.mnemonic === 'svc') {
        breakpoint();
    } else if (this.context.pc === 0x10000) {
        this.stop();
    }
});

Start a native tracer which receive a callback each time an instruction got executed with context and instruction available in this object


stopJavaTracer

stopJavaTracer();

Stop the java tracer

fs

fs class exposes functions from wrapped libc api, such as popen etc. and allows file manipulation.


fclose

fgets

fileno

fputs

fopen

getline

popen

pclose

// real example from base library
// both fopen/popen accept path and perm as string in params
var f = fs.fopen('/path/to/my_file', 'r');
var buf = fs.allocateRw(Process.pointerSize);
var len = fs.allocateRw(Process.pointerSize);
var read;
var lines = "";
while ((read = fs.getline(buf, len, f)) !== -1) {
    lines += Memory.readUtf8String(Memory.readPointer(buf));
}
fs.fclose(f);

allocateRw

var buf = fs.allocateRw(1024);

allocate memory in the heap with read and write perm


readStringFromFile

var available_options = fs.readStringFromFile(this.PATH_OPTIONS).split('\n');

read the whole content of a file path and return it’s content as string


readStringFromFp

read the whole content of a file pointer (from fopen i.e) and return it’s content as string


writeStringToFile

fs.writeStringToFile("/path/to/file", "content");

write the content of arg1 in the path specified in arg0. Eventually, you can pass a third param boolean to append the content to an existing file

Thread

all functions from frida Thread are available.


new

Thread.new(function() {
    // do stuffs
});

spawn a new thread using posix C api pthread_create


onCreate

Thread.onCreate(function(targetFunction) {
    // do stuffs
});

get notified whenever a thread is being started with target function, so you can attach it