
I want to instrument a Java program on my Android device via a Frida-Gadget but I am failing to get it to work. Here are the steps I took.

First of all here is the code of a simple Java program:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class Program {

    public static void main(String[] args) {
        // Load the gadget into this process before anything else runs
        System.load("/data/local/tmp/frida-gadget.so");
        System.out.println("Hello World");
        System.out.println("Press Enter to continue...");
        try {
            new BufferedReader(new InputStreamReader(System.in)).readLine();
        } catch (IOException e) {
            e.printStackTrace();
        }
        test();
    }

    public static void test() {
        System.out.println("Hello World 2");
    }
}

I compiled this program to a Program.class file and then to a .dex file via d8 Android SDK Tools. I packed the classes.dex file in a jar archive and pushed it to my Android Device (Android 11). I also pushed the frida-gadget.so (arm64 version 16.1.3) to /data/local/tmp as well as the frida-gadget.config and the script.js file.

Here is my frida-gadget.config file:

{
  "interaction": {
    "type": "script",
    "path": "/data/local/tmp/script.js"
  }
}

and my script file:

console.log("frida stared without issues!");
console.log(Java.available)
console.log(Process.id)
Java.perform(function() {
    console.log("inside Java.perform()")
    try {
        var ProgramClass = Java.use('Program');
        
        ProgramClass.test.implementation = function() {
            console.log("Hooked Hello World 2");
            this.test();  // Call the original function
        };
    } catch(e) {
        console.error("Error during instrumentation: " + e.message);
    }
});

I start my program with the following line: adb shell CLASSPATH=/sdcard/program.jar exec app_process /system/bin/ Program

In the output I can see all lines from the console.log() calls in the script, except those inside the Java.perform() call. In fact it does not seem that anything inside Java.perform() is executed, since the instrumentation does not work either.

What i have tried so far: I also put

"java": 
{
    "enabled":true
}

inside my config, without any outcome.

What I noticed is that as soon as I include the System.load("/data/local/tmp/frida-gadget.so") line in my program, it finishes execution but returns with exit code -1. Anyway, I cannot find any meaningful error message in logcat or the console. I also tried wrapping the whole script in a try/catch block, without any outcome.

My question now is whether anybody has experienced similar issues, or whether someone knows if there are specific security measures on Android which do not allow instrumenting the code here. (My intention in using Frida-Gadgets is specifically for devices without root.)

I am forced to use app_process for very specific reasons; this is just a test program.

Thanks in Advance!

  • The number of users who execute dex code directly outside of an app is very limited, and the number of users who then try to use Frida on that process is next to zero. Therefore I would expect that this is a usage scenario not foreseen by the Frida developers; on Android they expect that the process to be hooked is an app. Therefore my suggestion is to try the same using an app, not a dex code snippet executed via adb. Commented Aug 13, 2023 at 14:24
  • @Robert using an app as wrapper is not working, since that would require requesting permissions which are only available to system apps. Commented Aug 13, 2023 at 19:46
  • Maybe you should elaborate a bit more on what you are trying to do. Because I don't see a point in hooking a program that you already control. You could simply implement what you want to do as Java code and execute it. Why this detour through Frida? Commented Aug 13, 2023 at 20:40
  • @Robert I'm not controlling the program. In this example I'm just trying to recreate the task with a simplified program. In fact I have a jar library consisting of .dex files. It would be possible to decompile it and try to instrument it by myself, but that would be a lot of work and really a lot more complicated than doing it with Frida. Commented Aug 13, 2023 at 22:18

1 Answer

Java.performNow() works, as mentioned in this link https://github.com/frida/frida-java-bridge/issues/89, and was tried out by me when facing a similar problem.
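As an added example (not part of the answer above and not code from the Frida project), here is the question's gadget script reworked around that suggestion: the hook on Program.test() is scheduled with Java.performNow() when the bridge offers it and falls back to Java.perform() otherwise, and the outcome (whether the Java runtime was available, which scheduler was used, whether the hook was installed, any error) is collected in a result object so it can be logged from the gadget. The bridge object is passed in as a parameter, which is an assumption made here so the same function can also be exercised outside Frida with a stand-in object; inside the gadget the global Java is passed.

```javascript
// Added example: hook Program.test() via Java.performNow() with a fallback to
// Java.perform(). `bridge` is the object Frida exposes as the global `Java`;
// it is a parameter here (assumption) so the logic can be run without Frida.
function installProgramHook(bridge, log) {
  log = log || console.log;
  const result = {
    available: !!bridge.available,   // mirrors the script's console.log(Java.available)
    scheduledWith: null,             // "performNow" or "perform"
    hooked: false,
    errors: []
  };

  if (!result.available) {
    log("Java runtime is not available in this process");
    return result;
  }

  // Same hook body as in the question's script.js
  const body = function () {
    try {
      const ProgramClass = bridge.use('Program');
      ProgramClass.test.implementation = function () {
        log("Hooked Hello World 2");
        return this.test();          // call the original method
      };
      result.hooked = true;
    } catch (e) {
      result.errors.push(String(e.message || e));
      log("Error during instrumentation: " + (e.message || e));
    }
  };

  // Java.performNow() runs the callback immediately on the current thread,
  // which is what the linked issue recommends for this situation.
  if (typeof bridge.performNow === 'function') {
    result.scheduledWith = 'performNow';
    bridge.performNow(body);
  } else {
    result.scheduledWith = 'perform';
    bridge.perform(body);
  }
  return result;
}

// Gadget entry point: inside Frida the globals `Java` and `Process` exist.
if (typeof Java !== 'undefined') {
  console.log("gadget script loaded in pid " + Process.id);
  const outcome = installProgramHook(Java);
  console.log(JSON.stringify(outcome));
}
```

Saved as /data/local/tmp/script.js it plugs into the frida-gadget.config from the question unchanged; the JSON line at the end is what to look for in the console to tell a hook that was never scheduled apart from one that threw inside the callback.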
