Struct

GumCloak

Description

struct GumCloak {
  /* No available fields */
}

Keeps you from seeing yourself during process introspection.

Introspection APIs such as gum_process_enumerate_threads() ensure that cloaked resources are skipped, and things appear as if you were not inside the process being instrumented.

If you use gum_init_embedded() to initialize Gum, any resources created by libffi and GLib will be cloaked automatically. (Assuming that Gum was built with Frida’s versions of these two libraries.)

This means you typically only need to manage cloaked resources if you use a non-GLib API to create a given resource.

Gum’s memory allocation APIs, such as gum_malloc(), are automatically cloaked regardless of how Gum was initialized. These use an internal heap implementation that is cloak-aware. The same implementation is also used by GLib when Gum is initialized as described above.

Using GumCloak

// If the current thread wasn't created by GLib, do the following two steps:

// (1): Ignore the thread ID
gum_cloak_add_thread (gum_process_get_current_thread_id ());

// (2): Ignore the thread's memory ranges (stack space)
GumMemoryRange ranges[2];
// Pass the array itself (it decays to GumMemoryRange *), not its address
guint n = gum_thread_try_get_ranges (ranges, G_N_ELEMENTS (ranges));
for (guint i = 0; i != n; i++)
  gum_cloak_add_range (&ranges[i]);

// If you create a file-descriptor with a non-GLib API, also do:
gum_cloak_add_file_descriptor (logfile_fd);

Functions

gum_cloak_add_file_descriptor

Updates the registry of cloaked resources so the given fd becomes invisible to cloak-aware APIs.

gum_cloak_add_range

Updates the registry of cloaked resources so the given memory range becomes invisible to cloak-aware APIs, such as gum_process_enumerate_ranges().

gum_cloak_add_thread

Updates the registry of cloaked resources so the given thread id becomes invisible to cloak-aware APIs, such as gum_process_enumerate_threads().

gum_cloak_clip_range

Determines how much of the given memory range is currently visible. May return an empty array if the entire range is cloaked, or NULL if it is entirely visible.

gum_cloak_enumerate_file_descriptors

Enumerates all currently cloaked file descriptors, calling func with each.

gum_cloak_enumerate_ranges

Enumerates all currently cloaked memory ranges, calling func with each.

gum_cloak_enumerate_threads

Enumerates all currently cloaked thread IDs, calling func with each.

gum_cloak_has_file_descriptor

Checks whether the given fd is currently being cloaked.

gum_cloak_has_range_containing

Determines whether a memory range containing address is currently cloaked.

gum_cloak_has_thread

Checks whether the given thread id is currently being cloaked.

gum_cloak_is_locked

No description available.

gum_cloak_remove_file_descriptor

Updates the registry of cloaked resources so the given fd becomes visible to cloak-aware APIs.

gum_cloak_remove_range

Updates the registry of cloaked resources so the given memory range becomes visible to cloak-aware APIs, such as gum_process_enumerate_ranges().

gum_cloak_remove_thread

Updates the registry of cloaked resources so the given thread id becomes visible to cloak-aware APIs, such as gum_process_enumerate_threads().

gum_cloak_with_lock_held

Calls func while holding the cloak lock.
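
The three outcomes described for gum_cloak_clip_range() above (NULL when the range is entirely visible, an empty array when it is entirely cloaked, otherwise the visible pieces) can be modelled as interval subtraction. This is an added, self-contained example, not Gum's implementation: `Range`, `clip_range`, `ENTIRELY_VISIBLE` and the sample addresses are assumptions made for illustration, and the cloaked list is assumed sorted and non-overlapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for GumMemoryRange; not Gum's own type. */
typedef struct { uintptr_t base; size_t size; } Range;

#define ENTIRELY_VISIBLE (-1) /* models the NULL return */

/* Constructed sample: two cloaked ranges, sorted and non-overlapping. */
static const Range sample_cloaked[] = { { 0x0800, 0x1000 }, { 0x2000, 0x0800 } };

/*
 * Subtracts the cloaked ranges from r. Returns ENTIRELY_VISIBLE if nothing
 * overlaps, 0 if r is fully cloaked (the "empty array" case), otherwise the
 * number of visible pieces written to out (at most cap).
 */
int
clip_range (const Range *r, const Range *cloaked, size_t n, Range *out, size_t cap)
{
  uintptr_t cursor = r->base, end = r->base + r->size;
  int touched = 0;
  size_t count = 0;

  for (size_t i = 0; i != n; i++)
  {
    uintptr_t c_start = cloaked[i].base, c_end = c_start + cloaked[i].size;

    if (cloaked[i].size == 0 || c_end <= cursor || c_start >= end)
      continue; /* no overlap with what is left of r */
    touched = 1;
    if (c_start > cursor && count < cap) /* visible gap before this cloak */
      out[count++] = (Range) { cursor, c_start - cursor };
    cursor = (c_end < end) ? c_end : end;
  }
  if (!touched)
    return ENTIRELY_VISIBLE;
  if (cursor < end && count < cap) /* visible tail after the last cloak */
    out[count++] = (Range) { cursor, end - cursor };
  return (int) count;
}

int
main (void)
{
  Range q = { 0x1000, 0x3000 }, out[4];
  int n = clip_range (&q, sample_cloaked, 2, out, 4);
  for (int i = 0; i < n; i++)
    printf ("visible: 0x%lx + 0x%zx\n", (unsigned long) out[i].base, out[i].size);
  return 0;
}
```

A caller that treats "no result" and "empty result" the same way would confuse a fully visible range with a fully cloaked one, which is why the model keeps the two return values distinct.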