Just when we thought we had it all figured out, software reminded us how hard it can be! Thanks to @mrmacete, @hsorbo, and [@0xmurphy][], we quickly addressed the issues and present you with the following fixes:

• frida-node: Fix fdn_keep_alive_until() TSFN lifetime issue. We were setting the TSFN to NULL, which led to crashes when other reference-holders tried to schedule cleanup.

• fruity: Fix issue when killing prewarmed targets. Killing a prewarmed process at spawn time resulted in a “connection closed” error. This change catches the error so it’s possible to spawn a fresh instance.

Quick bug-fix release addressing two important issues:

• frida-node: Fix keep-alive ThreadSafeFunction teardown. Use napi_release_threadsafe_function() in keep-alive scenarios so that pending microtasks have time to run before the libuv handle is dropped. This prevents “unsettled top-level await” during teardown. Co-authored by @as0ler, @hsorbo, and @mrmacete.

• barebone: Ensure RustModule C ABI entrypoints survive garbage collection. Newer Rust toolchains use --gc-sections, which strips unused sections. We refactored make_linker_script() to scan the Rust source for symbols intended to be visible, and emit KEEP(*(.text.<symbol>)) directives so those entrypoints are retained.

This time we’re bringing you preliminary iOS 26 support, and a bug-fix for our Node.js bindings:

• fruity: Added support for injecting the gadget on iOS targets where debugger mappings are enforced (iOS 26) and we can’t flip the memory protection back to executable from inside the target process. In such cases, the gadget configuration will have code_signing set to required until Interceptor supports enforced debugger mappings. Thanks @mrmacete!

• device: Fixed an issue where the stdio option wasn’t passed through spawn(), causing child processes to always inherit stdio. Co-authored by @hsorbo.

Quick bug-fix release to address an issue affecting our Windows users:

• package-manager: Fix broken #if on Windows. The incorrect preprocessor directive was causing build failures when compiling on Windows platforms.

We’re excited to announce the release of Frida 17.2.7, featuring significant improvements to our Package Manager.

• package-manager: Improve resolution and hoisting to mimic npm’s behavior more closely. Co-authored with @hsorbo. Thanks for your help!
• package-manager: Add install() option for role, achieving the equivalent of npm install’s --save-* switches.
• package-manager: Add install() option for omits, to achieve the equivalent of npm install’s --omit=x switch.
• package-manager: Improve handling of optional packages.
• package-manager: Handle file modes when extracting on non-Windows systems.
• package-manager: Fix the has_install_script logic to also take preinstall and postinstall scripts into account.
• meson: Clarify Vala build system instructions. The Vala README only mentioned autotools instructions, and when Vala is compiled that way the -frida suffix is not added to the version string, causing the frida-core check for Vala to fail. We now clarify that Vala needs to be built from source with Meson. Thanks to @grimler for pointing this out!

We’re excited to announce Frida 17.2.6, featuring two important fixes:

• buffer: Fix max_length in read_fixed_string().

  The max_length is now properly constrained within both the requested size and the buffer’s size.

  Thanks @mrmacete!

• agent: Disable Exceptor for the emulated realm.

  Exceptor needs to hook signal() and sigaction(), but they are in libc. This leads to gum_mprotect() aborting because it cannot change libc’s read-only mapping. This fix prevents the crash observed when using frida-server or frida-inject on Android 14 and 15 AVDs.

  Thanks @ptrstr!

This release brings important fixes and improvements to Frida. Here are the highlights:

• frida-node: Keep TSFN alive until promise settles, preventing a race condition that could cause Node.js to exit early with a “Detected unsettled top-level await” warning. Kudos to @mrmacete and @hsorbo for helping track this one down.

• frida-node: Simplify findMatchingDevice() (co-authored by @hsorbo).

• package-manager: Only bump if explicitly requested.

• package-manager: Fix the dev logic.

• docs: Fix Mapper URL in README (thanks to @cmdlinescan).

Another quick bug-fix release to improve our package manager, where @hsorbo and I have been hard at work. Here’s what’s new:

• package-manager: Fix dependency install deadlock. A deadlock could occur when a package’s sub-dependency was also a dependency of another package higher up in the installation stack. The sub-dependency would wait for the higher-level package to be physically installed, but that package would not complete its own installation until its sub-dependencies were resolved, creating a circular wait.
• package-manager: Improve manifest handling to get us closer to npm’s behavior. (Co-authored by @hsorbo.)
• package-manager: Improve progress reporting.

Quick bug-fix release focusing on improvements to our package manager:

• package-manager: Fixed handling of scoped specs.

• package-manager: Handle tarballs with root entries.

  This fix ensures that tarballs containing a directory entry for “package/”, or any files at the root level, are correctly processed.

We’re back with a quick bug-fix release:

• package-manager: Fixed the lockfile up-to-date path.
• package-manager: Only report installed packages. The top-level packages that were left untouched are no longer included. Also simplified the install() logic.

Another quick bug-fix release, addressing several issues uncovered since the last release:

• compiler: On Android, made the backend a shared library to avoid dynamic linking issues due to thread-local storage.
• python: Exposed PackageManager.registry property.
• python: Fixed missing toplevel counter logic for Compiler, PackageManager, and FileMonitor, ensuring signal emissions work correctly.
• python: Added __repr__ methods to PackageManager types for better debugging.
• core: Fixed build issue when libsoup is used as a subproject.

I’m thrilled to announce the release of Frida 17.2.0. This release focuses on making package discovery dead-simple.

Here’s how easy it is to discover existing Frida-specific packages:

Consuming any of them is just as easy:

Highlights

• 🔍 frida-pm search – zero-noise results (filters by keywords:frida-gum).
• 📦 One-command install – frida-pm install <pkg> works even without Node.js.
• 🧩 Programmatic API – identical surface from Python, C, etc.

What you see here is the frida-pm CLI tool, introduced in frida-tools 14.2.0. It’s less than 300 lines of Python code, as it’s only a thin wrapper around the underlying Frida.PackageManager implementation.

Power users and package maintainers will still typically use npm/yarn/etc., but I feel like requiring first-time Frida users to also familiarize themselves with the larger JavaScript ecosystem is likely to overwhelm and confuse.

What’s neat about frida-pm / Frida.PackageManager is that searches only surface Frida-specific packages. This is implemented by baking keywords:frida-gum into the search query.

For those of you maintaining Frida-specific packages, make sure you add frida-gum into your package.json’s keywords field. If your package is a language/runtime bridge, also make sure you add frida-gum-bridge as well.

So discoverability is one of the key features here. Another is that it can be run on systems without Node.js + npm. While we do use npm’s registry as our default backend, you can point it at any registry you like.

You also get programmatic access to all of the functionality. For example, if you want to use the Python bindings to make a search:

import frida

pm = frida.PackageManager()
result = pm.search("il2cpp", limit=3)
print(result)
print(result.packages)

You’ll see something like this:

$ python search.py
PackageSearchResult(packages=[<3 packages>], total=13)
[Package(name="frida-il2cpp-bridge", version="0.12.0", description="A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.", url="https://npm.im/frida-il2cpp-bridge"),
 Package(name="frida-objc-bridge", version="8.0.5", description="Objective-C runtime interop from Frida", url="https://npm.im/frida-objc-bridge"),
 Package(name="frida-java-bridge", version="7.0.4", description="Java runtime interop from Frida", url="https://npm.im/frida-java-bridge")]
$

Or perhaps you’d like to install a couple of packages:

import frida

pm = frida.PackageManager()
result = pm.install(specs=["[email protected]", "frida-il2cpp-bridge"])
print(result)
print(result.packages)

Which when run might look something like:

$ python install.py
PackageInstallResult(packages=[<2 packages>])
[Package(name="frida-java-bridge", version="7.0.4", description="Java runtime interop from Frida"),
 Package(name="frida-il2cpp-bridge", version="0.12.0", description="A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.")]
$

Installation progress is also easy to add:

import frida

def on_install_progress(phase, fraction, details):
    print({
        "phase": phase,
        "fraction": fraction,
        "details": details,
    })

pm = frida.PackageManager()
pm.on("install-progress", on_install_progress)
result = pm.install(specs=["frida-java-bridge", "frida-il2cpp-bridge"])
print(result)
print(result.packages)

Which might look something like:

$ python install.py
{'phase': 'initializing', 'fraction': 0.0, 'details': None}
{'phase': 'preparing-dependencies', 'fraction': 0.05, 'details': None}
{'phase': 'resolving-package',
 'fraction': -1.0,
 'details': 'frida-java-bridge@latest'}
…

So now that we’ve looked at the PackageManager API being used from Python, I should probably mention that it is (almost) just as easy to use this API from C:

#include <frida-core.h>

int
main (int argc,
      char * argv[])
{
  GCancellable * cancellable = NULL;
  GError * error = NULL;

  frida_init ();

  FridaPackageManager * manager = frida_package_manager_new ();

  FridaPackageInstallOptions * opts = frida_package_install_options_new ();
  frida_package_install_options_add_spec (opts, "[email protected]");
  frida_package_install_options_add_spec (opts, "frida-il2cpp-bridge");

  frida_package_manager_install_sync (manager, opts, cancellable, &error);
  if (error != NULL)
    g_printerr ("%s\n", error->message);

  return (error == NULL) ? 0 : 1;
}

If you want to give this example a try, grab a frida-core devkit from our releases.

You can build and run it something like this:

$ gcc install.c -o install -I. -L. -lfrida-core -Wl,--gc-sections
$ ./install

(The top of frida-core-example.c has an example command-line tailored to the specific OS/arch that the devkit is for.)

Note that opts can be omitted by passing NULL, in which case the packages defined in package.json will be installed if they aren’t already, or their versions don’t match. And just like with npm, if you don’t have a package.json file and simply go ahead and install some packages, a package.json will be created for you.

This release also includes some other improvements and fixes:

• Compiler:
  • Bump @frida/net to 5.0.0.
  • Fix missing shim assets (thanks to @imlihe).
• frida-node:
  • Change return type of Device.openChannel() to expose the more concrete type with destroy().

To upgrade, go ahead and run:

$ pip install --upgrade frida frida-tools

Enjoy!

Critical bug-fix: restores compatibility with Android 14–15—accidentally broken in the last release while adding Android 16 support. Thanks to @tbodt for the fix.

Excited to announce Frida 17.1.4, which brings several important fixes and improvements — most notably Android 16 support. Here’s what’s new:

• Compiler: Switched esbuild’s platform to node, so package.json main and exports are resolved the Node.js way, restoring compatibility for packages that rely on it. Kudos to @hsorbo for helping track this down.
• Plist: Fixed offsetIntSize for binary property lists, ensuring compatibility with Core Foundation. Thanks to @mrmacete for helping track this down.
• Plist: Empty dicts and arrays in XML output now use self-closing tags (e.g. <dict/>), matching Apple’s encoder.
• Android: Bumped frida-java-bridge to 7.0.3 in the system_server agent, adding Android 16 support. Thanks to @tbodt — and shout-out to @thinhbuzz for contributing an error-handling patch that resolves inoperability on some Android 12 devices.
• Darwin: Bumped frida-objc-bridge to 8.0.5 in internal agents.
• GumJS: Fixed big-endian handling of FFI arguments.

We recommend all users upgrade at their earliest convenience. Make sure you also upgrade to frida-tools 14.1.2, also just released.

This release brings a series of improvements and bug fixes across various components. Here are the highlights:

• Renamed conflicting Go symbols in the Compiler backend to avoid conflicts when linking into a Go binary. This ensures compatibility when integrating with Go projects.
• On Linux, fixed issues related to the thread list anchor to prevent false positives. Previously, the anchor might be incorrectly added to the thread list, leading to incorrect behavior.
• Corrected the QuickJS big-endian bytecode check in both the gadget and GumJS. The previous check was incorrect on big-endian systems.
• Added version defines and macros to the API, providing more explicit version information for developers.

Apparently, software is hard! Just hours after shipping 17.1.1 we’re back with a follow-up that polishes both frida-core and frida-node.

frida-core

• Compiler – The DeviceManager constructor parameter is now optional. It remains in the signature for ABI compatibility but is no longer used.

frida-node (Node.js / N-API bindings)

• Signal handling
  • Handlers now receive GVariant parameters correctly.
  • Exceptions thrown inside handlers propagate instead of being swallowed.
• Compiler – Keeps the runtime alive while any output signal handler is connected, preventing premature exit.

Happy hacking!

With a fresh cup of coffee, I’ve hammered out the following improvements:

• Build System Improvements:
  • Switched bundling to ESBuild for:
    • reportcrash.js on Darwin.
    • osanalytics.js on Darwin.
    • system-server.js on Linux.
    • The runtime in the Barebone backend.
• Barebone Backend Fixes:
  • Fixed ESM-handling where failing to await the returned Promise caused errors to be swallowed. Now, any errors will be properly reported.
  • Removed stale bridge globals.

Big release with several exciting improvements!

Firstly, we’ve switched to ESBuild and typescript-go in the Compiler backend, resulting in massively improved performance, and reduced our maintenance burden by no longer having to maintain a bundler. We also added options to configure the output and bundle format, and support disabling type checks.

Secondly, we now finally ship binaries for Windows/ARM64. This was unblocked by GitHub making Windows ARM64 hosted runners available to the public.

Special thanks to @mrmacete for plugging Interceptor singleton leaks, and to @fesily for implementing Module#enumerateSections() on Windows, as well as improving Module#enumerateImports() so the slot is exposed.

Here’s the full list of changes:

• Compiler improvements:
  • Switched to ESBuild and typescript-go in the Compiler backend.
  • Added options to configure the output and bundle format, and support disabling type checks.
• Windows/ARM64 support:
  • CI updated to publish binaries for Windows/arm64.
• Contributions from our community:
  • Fixed 32-bit ARM breakpoint logic for Thumb addresses.
  • Plugged Interceptor singleton leaks (@mrmacete).
  • Implemented Module#enumerateSections() and wired up import slots on Windows (@fesily).

This release includes a few important fixes:

• device: Allow agent sessions to detach before release, to be robust against scenarios where an out-of-order detach could lead to an indefinite hang at release time. Thanks @mrmacete!
• darwin: Dispose module resolver indexes to avoid leaking native modules in scenarios where short-lived resolvers are used (for example, on different tasks). Thanks @mrmacete!
• stalker: Handle blocks without inline cache entries.

Quick bug-fix release with an important contribution from @londek. In this release, we’ve addressed the following issue:

• darwin: Fixed the launchd agent, which was still using an old GumJS API that has since been removed. This prevented the agent from functioning on jailbroken iOS/iPadOS/tvOS systems.

Quick bug-fix release to fix agents generated by the latest frida-compile. We need to explicitly declare internal agents as ESM now that the TypeScript compiler is more conformant and ends up generating CommonJS glue code. This fixes our Darwin and Android agents, as well as the Barebone backend’s script runtime.

This release brings improvements to the Compiler implementation, underpinning the frida-compile CLI tool, part of frida-tools. Here are the changes:

• Upgraded to frida-compile 18, now with TypeScript 5.8.3, latest frida-fs, etc.
• Fixed asset bundling logic on Windows, where virtual paths were stored with the wrong path separator.

Software is hard, isn’t it? Hot on the heels of the previous release, here’s a quick fix:

• compiler: Updated @frida/rollup-plugin-node-polyfills to address a dependency issue, where it was still depending on the old frida-fs.

This release brings a few bug fixes:

• Compiler: Updated frida-compile and frida-fs to the latest versions.
• gum: Fixed forgotten diet bits related to GObject, now that it’s back to being a required library.
• gumjs: Fixed an assigned-but-not-used warning when building without assertions.

Surprise! We’re back with a quick patch release on the same day as 17.0.0. Turns out software is hard!

This release includes the following fixes:

• Core: Updated interface versions to match the major version.
• Darwin: Bumped frida-objc-bridge to version 8.0.4.
• Android: Bumped frida-java-bridge to version 7.0.1.
• frida-node: Fixed the return type of Device.openChannel() to avoid exposing implementation details that we might want to change in the future.

After countless cups of coffee and fun coding sessions, @hsorbo and I are excited to bring you Frida 17.0.0. After nearly three years since the last major bump, and struggling to find the right time to make breaking changes, we decided it is finally time to do so.

Runtime Bridges

The main thing that’s been bothering us for quite some time was the fact that our runtime bridges, i.e. frida-{objc,swift,java}-bridge, were bundled with Frida’s GumJS runtime. This came with some major pain points:

• Inertia: Being tied to Frida’s release cycle.
• Bloat: For users who don’t need a particular runtime bridge.
• Scalability: We’d like to see bridges for all kinds of runtimes, but the more we add to Frida the more we’ll struggle with inertia and bloat.
• Discoverability: Community-maintained bridges being harder to discover, as they require a different workflow for consumption.

I’ve been hesitant to stop bundling them though, as requiring a build step for custom agents seemed like it would add too much friction. And the thought of breaking examples in books, blog posts, CodeShare etc. didn’t sit well with me either.

The friction aspect is why we introduced the frida.Compiler API back in 15.2, along with frida-tools shipping a CLI tool, frida-compile, built on top of it. Our REPL was also improved to support loading .ts (TypeScript) directly, making use of frida.Compiler behind the scenes.

That’s still an extra step though, which is too much for one-off scripts and early prototyping work using the Frida REPL or frida-trace. And, it would break a lot of examples. To remedy this, the just-released frida-tools 14.0.0 bakes the three bridges into its REPL and frida-trace agents.

Our bridges have also been migrated to ESM, so they can be consumed by the latest versions of frida-compile. (Shout-out to @yotamN for migrating frida-java-bridge ♥️)

Those of you building Frida from source may also notice an improvement in build times. Since we’re no longer bundling the bridges, we could finally get rid of Gum’s frida-compile dependency, and stop depending on Node.js + npm for Gum itself.

We still had GumJS’ own runtime, which implements built-ins such as console.log(), but porting it to ESM and simply baking in each module individually meant we no longer needed a JavaScript bundler. This means faster build times for Gum itself: on a Linux-powered i9-12900K system, builds dropped from ~24s → ~6s.

You can see a quick reference tutorial inside bridges.

Legacy-style enumeration APIs

Back in the day, our synchronous enumeration APIs all looked like this:

Process.enumerateModules({
  onMatch(module) {
    console.log(module.name);
  },
  onComplete() {
  }
});

There was also an equivalent Sync-suffixed method, like Process.enumerateModulesSync() for this particular example. The idea was that the underlying implementation could become asynchronous, but for the time being most of them weren’t, so the Sync-suffixed implementation was just a thin wrapper around the asynchronous-looking API.

Later, as more and more platforms were supported, I realized that all of the pretend asynchronous implementations turned out to always be quick and cheap operations. So offering an asynchronous flavor was going to be pointless. And for the few that were truly asynchronous from the beginning, like Memory.scan(), it still made sense to have them stay that way.

I was hesitant to break the API though, so I opted to add a check to each unsuffixed implementation, so it would behave like its Sync-suffixed counterpart if the callbacks argument was omitted. Wanting to migrate users off the old-style API, I made sure to update our TypeScript bindings so only the modern flavors were included.

The equivalent in modern style would then look like this:

for (const module of Process.enumerateModules()) {
  console.log(module.name);
}

Where Process.enumerateModules() returns an array of Module objects.

These legacy-style APIs are now finally gone. Those of you writing your agents in TypeScript won’t need to do anything, unless you’re using ancient versions of our typings.

Memory read/write APIs

Back in the day, you’d access memory like this:

const playerHealthLocation = ptr('0x1234');
const playerHealth = Memory.readU32(playerHealthLocation);
Memory.writeU32(playerHealthLocation, 100);

The modern equivalent is:

const playerHealthLocation = ptr('0x1234');
const playerHealth = playerHealthLocation.readU32();
playerHealthLocation.writeU32(100);

Where each write-counterpart returns the NativePointer itself, to support chaining:

const playerData = ptr('0x1234');
playerData
    .add(4).writeU32(13)
    .add(4).writeU16(37)
    .add(2).writeU16(42)
    ;

The legacy versions of these are now also gone, and have been gone from our TypeScript bindings for as long as the legacy-style enumeration APIs. So this change should also not be noticable to most of you.

Static Module APIs

Now for the breaking changes that also affect users who were current with the TypeScript bindings, prior to 19.0.0, released together with Frida 17. The following static Module methods are now gone:

• Module.ensureInitialized()
• Module.findBaseAddress()
• Module.getBaseAddress()
• Module.findExportByName()
• Module.getExportByName()
• Module.findSymbolByName()
• Module.getSymbolByName()

These are all straight-forward to migrate away from.

But first, let’s cover the odd one out:

Module.getSymbolByName(null, 'open')

This is now accomplished like this:

Module.getGlobalExportByName('open')

For the rest, you first need to look up the Module, and then access the desired property or method on it. For example, instead of:

Module.getExportByName('libc.so', 'open')

The new way is:

Process.getModuleByName('libc.so').getExportByName('open')

The equivalent for Module.getBaseAddress() is thus:

Process.getModuleByName('libc.so').base

This means there is now only one way to do Module introspection, and the API design is such that we encourage you to write performant code. For example, in the past you might have been tempted to do:

const openImpl = Process.getExportByName('libc.so', 'open');
const readImpl = Process.getExportByName('libc.so', 'read');

But now you’ll probably think twice before doing:

const openImpl = Process.getModuleByName('libc.so').getExportByName('open');
const readImpl = Process.getModuleByName('libc.so').getExportByName('read');

And instead do:

const libc = Process.getModuleByName('libc.so');
const openImpl = libc.getExportByName('open');
const readImpl = libc.getExportByName('read');

Which is both more readable and more performant.

Last but not least, the static enumeration APIs, such as Module.enumerateExports(), are now also gone. These were however removed from the TypeScript bindings way back, so most of you shouldn’t need to deal with these. But if you do, the migration looks exactly the same as above.

EOF

So that’s about it. Happy hacking!

This release improves Linux thread enumeration under glibc and hardens our static OpenSSL build against unintended config loading.

Changes:

• linux: Skip glibc threads with tid = 0 (exited but unjoined) to avoid false “Unsupported Linux system” panics.
• linux: List glibc threads in creation order (oldest first) to mirror real thread lifecycles.
• deps (TLS): Build OpenSSL with OPENSSL_NO_AUTOLOAD_CONFIG to block loading any system config file, preventing crashes when initializing TLS.

Back-to-back releases! Software is hard, and sometimes we need to push quick fixes to keep things running smoothly. Here’s what’s new in this release:

• frida-node Fixed a regression where the Device.openChannel() return type had changed compared to before.
• Fruity backend improvements: Use Apple’s CoreDeviceProxy as fallback, so we can support systems where NCM is problematic. Also retransmit mDNS-SD request every 250 ms, for added robustness.

Happy hacking!

This release brings several improvements and fixes to our Fruity backend, enhancing compatibility and error handling across platforms. Below are the changes included in this release:

• fruity: Initiate pairing on macOS too, if needed.
• fruity: Tweak macOS CreateAssertion error handling. So we provide a clean error message when it fails.
• fruity: Handle OPACK boolean and compact integers. Support for the latter is needed during pairing on iOS 18.4.1.
• fruity: Improve portable tunnel error-handling. When we use lockdown to determine if the iDevice supports tunnels, and that fails due to lack of lockdown-level pairing, simply assume that the OS supports it.
• fruity: Add timeout to the Linux netif wait logic.
• fruity: Handle NetworkManager DISCONNECTED+CARRIER. So we actually wait until the device is ready when it quickly passes through state=DISCONNECTED with reason=CARRIER.

Another quick bug-fix release, because software is hard! This release addresses the following issue:

• node: Fix module resolution when not built from source. Turns out the package.json generated inside our build directory confused the module root detection in the bindings package. This means that our search path was actually wrong, and relied on this being misdetected.

We are excited to announce a major update to our Node.js bindings! They have been rewritten from scratch. Instead of depending on Node.js and V8 APIs that inevitably change between releases, requiring separate builds per ABI, our bindings now target Node-API. This means that a single binary can be used across all modern versions of Node.js, Electron, nw.js, etc. We only need to build one binary per OS/arch/libc combo. Not only that, but our new bindings are also auto-generated, ensuring that API changes in frida-core are instantly reflected, with only customizations needing tweaking if applicable.

This release also contains some other goodies:

• DeviceManager: Fixed crash on early close() in situations where HostSessionService start() gets cancelled.
• Web Service: Fixed handling of TLS connections, as the remote address logic did not take them into account.
• API: Fixed up FridaBase references in the .gir files.
• Bus: Removed the device property, which wasn’t meant to be exposed.

As always, a big thank you to all contributors and users for your support.

This release brings improved support for Google’s latest ART runtime on 32-bit ARM, better error-handling on Linux, and improved support for big-endian ARM architectures.

Here are the highlights:

• Improved frida-java-bridge to support Google’s latest 32-bit ARM binaries. Thanks to @Rwkeith.
• Propagated ptrace errors on failure in the Linux backend. Thanks to @DoranekoSystems.
• Improved support for big-endian ARM architectures (armbe8, arm64be, arm64beilp32).
• Removed redundant hardware breakpoint code in the Linux backend.

As always, we thank our contributors for their valuable efforts in making Frida better.

Quick bug-fix release to address an issue in our ELF parser:

• elf-module: Fix recursion in check_str_bounds() when falling back to live memory. The function assumed a file-backed ELF; falling back to live memory could trigger unbounded recursion. An explicit live-memory check has been added to return an error instead.

This release brings several important improvements and fixes:

• interceptor: Avoid heap allocation during suspend. By storing the suspended thread IDs into a GumMetalArray instead of a GQueue, we prevent deadlocks when a suspended thread is holding the dlmalloc lock. Thanks to @mrmacete for this improvement.
• linux: Fix ModuleRegistry initialization when ELF is missing. When enumerating RTLD notifiers and loaded modules to find a DT_DEBUG entry, we no longer assume the ELF file is present. This fixes issues when the program was loaded from a memfd and spawned without a file.
• elf-module: Use live memory if unable to map file. For modules backed by a memfd, we now utilize the in-memory ELF rather than giving up if we cannot map the file.
• linux: Rework glibc pthread internals detection. Instead of parsing machine code to determine internals, we now start threads to solve the puzzle in a more robust fashion.

Quick bug-fix release bringing improvements to our Fruity backend, and basic support for iOS 18.4:

• darwin: Update injector dyld init detection for iOS 18.4.

• fruity: Update injector dyld init detection for iOS 18.4 (#1154). Thanks to @pachoo for this contribution.

• network-stack: Reduce delay between writes. By flagging as writable as soon as some space is available, without waiting for the low watermark. Thanks to @mrmacete for this improvement.

• network-stack: Fix TCP write chunk length (#1156). Another fix by @mrmacete.

• network-stack: Always send enqueued data. This change ensures pcb.output() is called even when no more space is available on the queue, preventing stalls. Credits to @mrmacete for preventing those pesky stalls.

We’re pleased to announce Frida 16.7.10, bringing several stability improvements. Special thanks to @mrmacete for identifying the root cause of all of them, and fixing a deadlock on Apple OSes.

The following changes are included in this release:

• network-stack: Fixed TcpConnection transmit logic.
• network-stack: Improved VirtualStream locking to enhance batching and avoid unnecessary scheduling on Frida’s thread.
• virtual-stream: Allowed update_pending_io() to be called without holding a lock for convenience when a subclass doesn’t need to update any other state before calling it. One of our subclasses was assuming this to be the case, as that was its behavior before the commonalities were factored out into the VirtualStream base-class. This means that this refactoring made in 16.7.4 introduced a race condition, and this change fixes it.
• darwin: Optimized thread enumeration by avoiding flags. This eliminates heap allocations, reducing the risk of deadlocks in use cases like the Interceptor, where thread enumeration is used to suspend and resume threads by ID. (Contributed by @mrmacete.)

Enjoy!

Turns out software is hard! On the same day as our previous release, we’ve rolled out another quick bug-fix release to address some issues that came up. Huge thanks to @mrmacete for his contribution. Here’s what’s new:

• channel: Break read loop on empty buffer. (Thanks @mrmacete!)
• device-manager: Fix teardown logic, where we would also stop() the HostSessionService in cases where it hadn’t been start()ed.

Quick bug-fix release to fix a crash on Apple OSes.

Thanks to @mrmacete for contributing the following fix:

• darwin: Fix module type in find_module_by_address. This was a type confusion causing subtle crashes.

Well, software is hard, isn’t it? Here’s a quick fix release to address a compilation issue:

• freebsd: Unseal Binjector to fix compilation. The C glue code depends on its fields for now.

Who would’ve thought software was this hard? Here’s another quick fix to keep things running smoothly:

• qnx: Unsealed Qinjector to fix compilation. The C glue code depends on its fields for now.

We’re excited to announce Frida 16.7.5, which brings improvements to our build system and API, as well as critical fixes for Darwin platforms. Here’s what’s new:

• Darwin: Fix double free in find_module_by_address. (Thanks to @mrmacete.)

• Darwin: Update thread list pointer carving to support recent iOS versions. On these versions, the thread list pointer within pthread_from_mach_thread_np() is referenced via ADRP + LDR instead of ADRP + ADD. (Thanks to @mrmacete for the contribution.)

• API: Fix VAPI entries for sealed classes.

• API: Remove some accidentally exposed types.

• API: Seal classes not meant to be subclassed, preventing unintended subclassing.

• Build System: Provide Gio-2.0.gir for convenience, so users won’t need any GObject Introspection packages installed when building language bindings and consuming Frida as a subproject.

• Build System: Fix frida_girdir for the uninstalled case. It now correctly points to the directory containing the refined .gir files, not the raw ones from the Vala compiler.

This release includes several improvements and fixes, including support for remote services and channels, along with various other enhancements:

• Core:
  • Added support for remote services and channels in host sessions, allowing ControlService/frida-server to serve service sessions and channels.
  • Fixed session logic for remote devices in ControlService.
• Compiler:
  • Bumped frida-compile and @types/frida-gum to the latest versions.
• Python Bindings:
  • Fixed IOStream.read_all() end-of-stream handling.

As always, happy hacking!

Well, sometimes software is hard. Here’s a quick update to fix our CI:

• ci: Temporarily drop arm64beilp32 from the package-linux job. Since some components haven’t been ported to this architecture yet, we are suspending its inclusion in our Linux packages until the porting work is complete.

• ci: Bump pypa/gh-action-pypi-publish to latest v1.

Another quick bug-fix release on the same day—it turns out software is hard!

I rolled up my sleeves and fixed the following issue:

• droidy: Fix the MAX_MESSAGE_LENGTH declaration. The new maximum exceeds the range of a uint16.

I am pleased to announce the release of Frida 16.7.1! In this release, we’ve been busy improving support across various architectures and fixing some tricky bugs. A big thank you to @jpstotz and @philippmao for their valuable contributions!

Key highlights include:

• fruity: Fixed Input/Output Error on Windows by skipping devices with an empty UDID. (Thanks to @jpstotz)

• droidy: Added support for more than ~8 ADB-connected devices by increasing the message size limit. (Thanks to @philippmao)

• thumb-relocator: Improved success rate when hooking tiny functions produced by modern toolchains on Android by utilizing LLD alignment padding in can_relocate().

• thumb-relocator: Restricted padding detection by ensuring the last instruction is on a four-byte boundary and is a two-byte instruction.

• module-registry: Fixed hooking of tiny ELF notifiers by populating the registry before hooking, allowing CodeAllocator to locate a nearby ELF-header.

• ci: Added arm64be, armbe8, and armhf-musl to the Linux CI.

• env: Enabled generation of Thumb code on 32-bit ARM for smaller binaries.

• linux: Added pthread probing for musl on 32-bit ARM.

• build: Fixed armhf triplet parsing for musl.

• devkit: Also defined GUM_STATIC for the Gum devkit so the consumer doesn’t have to define it.

• devkit-assets: Modernized the Gum examples.

• compiler: Bumped @types/frida-gum to 18.8.1.

As always, happy hacking!

One challenging aspect when instrumenting software is to deal with the dynamic nature of things, from threads starting and terminating, to modules being loaded and unloaded.

For example, if you’re using Stalker to follow threads as they’re executing, this presents a couple of basic challenges, before even considering the instrumentation itself.

Which threads?

While you can use Interceptor to place an inline hook somewhere, so when a thread does something interesting you then use Stalker to follow its execution, there are times when you would rather call Process.enumerateThreads() and follow the ones that you deem interesting.

Each thread may have a name you can use, but when it doesn’t, you’re typically left with fuzzier options. You might look at its CPU registers provided by the context property, or pass that to Thread.backtrace() to “fingerprint” it, or perhaps you’d look at which threads spend the most CPU time during a certain operation.

But what if you could figure out the thread’s entrypoint routine and parameter? Now you can:

$ frida -p 163431
Local::PID::163431 ]-> Process.enumerateThreads()
[
    …
    {
        "id": 163560,
        "name": "SDLAudioP1",
        "state": "waiting",
        "context": { … },
        "entrypoint": {
            "parameter": "0x561210844900",
            "routine": "0x7fc7781237c0"
        }
    }
]

Future threads

Next there’s the challenge of following threads that haven’t started yet. Up until now this required hooking OS-specific internals. And that’s quite a lot of complexity to maintain for cross-platform agents.

I’m excited to announce that we now provide an API for just this:

const observer = Process.attachThreadObserver({
  onAdded(thread) {
    …
  },
  onRemoved(thread) {
    …
  },
  onRenamed(thread, previousName) {
    …
  }
});

The onAdded callback gets called with all existing threads right away, so the initial state vs. updates can be managed easily without worrying about race conditions. When called with a brand new thread, the call happens synchronously from that new thread. So that’s the perfect spot to Stalker.follow() it, so you won’t miss out on any instructions being executed early on.

Conversely, the onRemoved callback tells you when a thread is about to terminate. The call happens synchronously from that thread, so you still have a chance to execute some final code in the context of the thread.

And last but not least, the onRenamed callback tells you when a thread’s name just changed, along with its previous name, if it had one, or null if not.

All of the callbacks are optional, but at least one must be provided.

Then, if you later want to stop observing, all you need to do is:

observer.detach();

Future modules

Just like threads come and go, so do modules/shared libraries. You might be applying your instrumentation early, so you don’t miss out on early activity. But the earlier you apply your instrumentation, the more likely it is that other parts of the application haven’t been loaded yet.

While unloading may not actually happen, either because the application doesn’t do it, or because the dynamic loader doesn’t support it, it’s another aspect that you might have to deal with.

Handling all of this has up until now required hooking OS-specific internals, with all of the complexity it entails to maintain such code for cross-platform agents.

I’m so excited to share that we now provide an API for this as well:

const observer = Process.attachModuleObserver({
  onAdded(module) {
    …
  },
  onRemoved(module) {
    …
  }
});

Just like with Process.attachThreadObserver(), the onAdded callback gets called with all existing modules right away, so the initial state vs. updates can be managed easily without worrying about race conditions. When called with a brand new module, the call happens synchronously right after that module has been loaded, but before the application has had a chance to use it. This means it’s a good time to apply your instrumentation, using e.g. Interceptor.

Conversely, the onRemoved callback tells you when a module is gone.

Both of the callbacks are optional, but at least one must be provided.

Then, just like with the thread observer API, if you later want to stop observing, all you need to do is:

observer.detach();

Profiling code

One little known feature in Gum, the C library at the heart of Frida, is its library called gum-prof. It provides some lightweight building blocks for profiling code. As of this release, we have finally exposed them to JavaScript.

Let’s start with the main component, the Profiler API. It’s a simple worst-case profiler built on top of Interceptor:

const profiler = new Profiler();
const sampler = new BusyCycleSampler();
for (const e of Process.getModuleByName('app-core.so')
      .enumerateExports()
      .filter(e => e.type === 'function')) {
  profiler.instrument(e.address, sampler);
}

Unlike a conventional profiler, which samples call stacks at a certain frequency, you decide the exact functions that you’re interested in profiling. This is where things get interesting.

When any of those functions gets called, the profiler grabs a sample on entry, and another one upon return. It then subtracts the two to compute how expensive the call was. If the resulting value is greater than what it’s seen previously for the specific function, that value becomes its new worst-case.

Whenever a new worst-case has been discovered, it isn’t necessarily enough to know that most of the time/cycles/etc. was spent by a specific function. That function may only be slow with certain input arguments, for example.

This is a situation where you can pass in a describe() callback for the specific function when calling instrument(). Your callback should capture relevant context from the argument list and/or other state, and return a string that describes the new worst-case that was just discovered.

When you later decide to call generateReport(), you’ll find your computed descriptions embedded in each worst-case entry.

Sampler

As you may have noticed in the Profiler example code that we just touched upon, we now also have the notion of a “sampler”. We actually have six different implementations. What they all have in common is that they implement one method, sample(), which returns a bigint representing the latest measurement. What it denotes depends on the specific sampler, but to the Profiler this doesn’t matter, as it’s only concerned with the amount of change between two points.

However, these samplers are also intended to be used directly for other purposes.

These are the brand new samplers:

• CycleSampler: measures CPU cycles, e.g. using the RDTSC instruction on x86
• BusyCycleSampler: measures CPU cycles only spent by the current thread, e.g. using QueryThreadCycleTime() on Windows
• WallClockSampler: measures passage of time
• UserTimeSampler: measures time spent in user-space by a particular thread
• MallocCountSampler: counts the number of calls to malloc(), calloc(), and realloc()
• CallCountSampler: counts the number of calls to functions of your choosing

One cool example of how you might use UserTimeSampler is constructing it with a thread ID, which means it will measure the time spent in user-space by that particular thread. By constructing one such sampler per thread, and collecting one sample from each, you can then exercise the application in some particular way, like making sure it’s fed a particular network packet. Then you’d collect a second sample from each sampler, subtracting the previous sample to compute the amount of change/delta. This tells you which thread spent the most time in user-space, so you know which thread you might then want to Stalker.follow() to study up close.

EOF

There’s also a slew of other exciting changes, so definitely check out the changelog below.

Shot-out to @hsorbo for the fun and productive pair-programming on random parts of the thread and module observer features! 🙌 Kudos to @mrmacete and @as0ler for helping test and shake out bugs 🥳

Enjoy!

Changelog

• Introduce Process.attachThreadObserver() and ThreadRegistry for monitoring thread creation, termination, and renaming.
• Introduce Process.attachModuleObserver() and ModuleRegistry for monitoring module loading and unloading.
• gumjs: Expose Gum’s Profiler and Sampler APIs to JavaScript.
• gumjs: Add NativePointer#writeVolatile() API. Thanks @DoranekoSystems!
• fruity: Fix a crash in the Linux getifaddrs() logic where interfaces without an address weren’t handled correctly.
• memory-access-monitor: Provide access to the thread ID and registers.
• darwin: Fix racy leakage of memory during teardown.
• linux: Avoid spurious .so ranges during injection.
• linux: Handle compat ranges during injection.
• server: Add –device for serving a specific device.
• compiler: Bump @types/frida-gum to 18.8.0.

This release brings important bug fixes and optimizes volatile memory writes on Linux and Android. Big thanks to @DoranekoSystems for his contribution.

• fruity: Fix regression in lockdown over CoreDevice introduced in the previous release, where RSDCheckin now includes an EscrowBag to support networked lockdown with services such as com.apple.crashreportmover. This turned out to break support for certain services lacking the privilege to talk to AppleKeyStoreUserClient. We now maintain a list of such services to omit the EscrowBag for them. Thanks to @as0ler for reporting and helping troubleshoot.

• darwin: Fix sysroot detection on Apple Silicon so we can resolve modules correctly inside Simulator processes. Kudos to @stacksmashing for reporting.

• linux: Optimize NativePointer#writeVolatile() (JS) / gum_memory_write() (C) for Linux/Android (thanks to @DoranekoSystems). By making use of process_vm_writev() if the kernel supports it, we can avoid parsing memory maps. This means it is now thousands of times faster.

This release brings a set of improvements and fixes in our Linux and Android support, with contributions from @kaftejiman and @DoranekoSystems. We’ve also improved how we talk to Apple devices across the network.

Here’s what’s new:

• linux: Improve injector to avoid risky code swaps with memfd regions (thanks to @kaftejiman). Memfd regions may not be writable, and unlike regular regions, ptrace() won’t help us in case of a missing writable bit.

• linux: Relax injector’s libc matching for Android (thanks to @kaftejiman). This means we can still match them with bind-mounted APEXes.

• linux: Optimize NativePointer#readVolatile() (JS) / gum_memory_read() (C) for Linux/Android (thanks to @DoranekoSystems). By making use of process_vm_readv() if the kernel supports it, we can avoid parsing memory maps. This means instead of being well above 1000x slower compared to direct access, it is now only about 1.45x slower.

• fruity: Support networked lockdown for CoreDevice. We need to provide the remote unlock host key as part of the RSDCheckin. Kudos to @as0ler and @mrmacete for reporting and helping get to the bottom of this one.

This release brings important fixes and improvements:

• objc: Handle extended block type encoding (thanks to @mrmacete).
• module: Reverted the previous optimization of NativeModule lifecycle, as the underlying performance issue in our GLib patch has been addressed.
• darwin: Fixed an issue where Module.load() could fail when provided with an alias. On macOS >= 13, we now use _dyld_get_dlopen_image_header() to resolve modules by address.
• linux: Revived support for ARM BE8, restoring compatibility with big-endian ARM systems.

The main change in this release is the revival of our Windows injector, which was broken by the recent Gum.Module refactoring. Other than that we have also improved the performance of low-level GLib primitives across platforms, specifically in our patch that implements clean-up of static allocations. This is needed due to how a Frida-injected payload may have a shorter lifespan than the process it’s injected into.

Enjoy!

Another round of improvements and fixes to enhance Frida’s stability and performance, thanks to invaluable feedback from @mrmacete. Here’s what’s new in this release:

• gumjs: Fix crash in Module finalizers by deferring unref using an idle source. This avoids issues caused by our QuickJS suspend/resume patch not supporting usage from finalizers, and also avoids the overhead of suspending/resuming JS execution during high-volume module destruction. A better long-term solution will involve introducing a ModuleObserver to manage Module lifecycles and emit signals when modules are added or removed.

• module: Speed up NativeModule lifecycle by using a single lock for all Module objects. This change improves performance and will be revisited once the GLib static allocation cleanup patch is enhanced to use a more suitable data structure for mutex tracking.

A fresh release with some important fixes and improvements:

• gumjs: Relinquish JS lock while unreffing modules. To avoid deadlocking in case dispose() releases a cached handle. Such an operation typically requires acquiring a runtime linker lock. Another thread might already be holding that lock while waiting for the JS lock. A common scenario for that to happen is that the agent registers a callback with the runtime linker, called whenever a module is loaded or unloaded.

  Kudos to @mrmacete for reporting.

• agent: Exclude OS/arch symbols in version script. Newer toolchains, such as the default toolchain on FreeBSD 14.2, don’t like references to symbols that don’t exist. Instead of listing JNI_OnLoad, which is only defined for Android builds, we use a separate version script for Android instead.

• ci: Move CI to FreeBSD 14.2, up from 14.0 which has gone EOL. Our FreeBSD CI broke at some point during the last few weeks, and this went unnoticed until it caused the previous release to not make it out. Oops!

Pleased to announce Frida 16.6.0, featuring significant improvements to module symbol handling, performance enhancements, and bug fixes.

Here are the highlights:

• android: Improve ART compatibility:
  • Look for symbols when exports are missing, now that Frida supports parsing .gnu_debugdata.
  • Handle change of signature of runFlip (thanks to @matbrik).
• android: Fix overflow in enumerateLoadedClasses() (thanks to @123edi10). Create and clean up global references incrementally instead of handling them all at once at the beginning and the end.
• android: Support static methods in registerClass() (thanks to @5andr0).
• java: Fix Java.choose() powered by JVMTI on 32-bit systems.
• module: Turn Module APIs into instance methods, so multiple queries can be performed efficiently. This was previously only modelled as such at the JavaScript (GumJS) level, where such a JS object would have the module’s path as a string, passed to each query, such as enumerateExports(). The underlying C API is now also modelled the same way.
• gumjs: Add findSymbolByName() and getSymbolByName() methods. Provide direct, native lookups for symbols by name instead of enumerating all symbols and filtering them in JavaScript.
• module: Optimize find_symbol_by_name() fallback. When the Module implementation lacks an optimized symbol lookup method, build a sorted index and binary-search it.
• elf-module: Use MiniDebugInfo if no symbols found. When enumerate_symbols() encounters an ELF with no symbols in memory, instantiate an offline ElfModule instance and parse the .gnu_debugdata section. Decompress the embedded ELF and reuse its symbols as a fallback.
• ncm: Improve performance of our userspace USB CDC-NCM driver by capping the per-transfer datagram limit at 16 (thanks for the pair-programming, @hsorbo!).
• Port to the new Gum.Module API. Transitioned to instance methods to allow multiple queries to be performed efficiently.
• Drop support for running without GObject. The footprint savings were minimal and didn’t justify the added complexity and reduced code readability.
• gumjs: Fix V8 NativeCallback use-after-free (non-Interceptor), where the CpuContext was too narrowly scoped.

As always, happy hacking!

Oops, software is hard! Here’s another quick release to address an issue we missed earlier today.

We’ve fixed an issue with our Meson build scripts where the modulemap dependencies were not correctly specified after the latest changes in frida-core. Specifically, core_public_h is now a custom target index, so we can’t use it directly anymore. Instead, we now depend on its parent, core_api.

Special thanks to @hsorbo for co-authoring this fix.

Exciting new release packed with performance enhancements and bug fixes across various components, especially in our Fruity backend. @hsorbo and I collaborated to bring you the following improvements:

• fruity: Boost NCM performance with multi-transfers, improving data transfer efficiency.
• fruity: Improve userspace NCM driver to perform batching, reducing packet loss in bursty situations.
• fruity: Enable lwIP TCP timestamps and SACK to align with the Linux IP stack defaults, enhancing network performance.
• fruity: Bump lwIP TCP Maximum Segment Size (MSS) to 4036 for better TCP tunnel performance.
• fruity: Account for frida-server bind() delay to improve connection establishment reliability.
• fruity: Fix crash on USB operation creation during teardown.
• fruity: Improve USB device handling on non-macOS systems by avoiding unnecessary USB access when kernel NCM is available.
• fruity: Fix direct channel reliability by ensuring connections are established correctly even when conflicting services are running. Kudos to @mrmacete for helping track this one down.

• fruity: Improve TcpTunnelConnection teardown to ensure proper cleanup upon the remote end closing the connection.

• api: Generate a proper GObject Introspection Repository (GIR), including necessary types and omitting internal ones.
• api: Avoid exposing internal types in the API.

• api: Omit APIs involving HostSession.

• build: Modify output logic to avoid redundant writes to output files, speeding up incremental builds.
• build: Avoid parsing API multiple times by leveraging Meson’s custom_target() support for multiple outputs.
• compat: Create relative subproject symlinks so the source tree can be moved without breaking builds.

• compat: Fix error-handling in compat.symlink_to() for subprojects.

• windows: Fix cpu_type_from_pid() for non-existent PIDs.
• windows: Use GetProcessInformation() on Windows 11+ to ensure correct usage of ProcessMachineTypeInfo.

As always, a huge thanks to @hsorbo and @mrmacete for their invaluable contributions in making this release possible.

Exciting new release packed with improvements and new features across platforms. Here’s what’s new:

Fruity Backend Improvements

@hsorbo and I have been working hard to enhance our Fruity backend, and we’re excited to share the following improvements:

• Added support for the TCP tunnel protocol and made it the default to match Apple’s new behavior. The FRIDA_FRUITY_TUNNEL_PROTOCOL environment variable can be used to revert back to QUIC.
• Fixed edge-case in tunnel logic for older OS versions, ensuring reliable operation even when usbmuxd is not available.
• Gracefully closed TunnelConnection to improve stability.
• Fixed a hang that could occur when a USB operation starts during teardown, preventing transfers from getting stuck.
• Fixed QuicTunnelConnection teardown logic, properly handling errors during close operations.
• Relaxed NCM interface presence check, requiring only one operational network interface.
• Adjusted to always try USB transport first, as network transport may be slower or unavailable.
• Improved handling of timeout cases when skipping jailed fallback.
• Now expect networked devices to respond quickly when connecting to the pairing service, improving the user experience when a device has gone to sleep.
• Fixed CoreDevice UDID logic for modern devices.

Android

• Gadget now supports loading assets from APKs when extractNativeLibs is set to false, improving compatibility with modern Android apps (thanks to @gergesh).
• Revived injector’s handling of shared libc ranges, ensuring correct behavior when the target process’s lowest libc.so range is a shared mapping (thanks to @lx866).

Linux

• Improved injector’s compatibility with MUSL, handling differences in the loader string (thanks to @luckycat889).
• Added support for overriding configuration when building helpers, allowing for greater flexibility in builds (thanks to @luckycat889).
• Allocated stack for injector’s remote calls, improving compatibility with programs using small stacks, such as Go applications (thanks to @ajwerner).
• Added CI that rebuilds helper binaries to ensure consistency between source and checked-in binaries (thanks to @ajwerner).
• Picked alternative temporary directories when $TMPDIR is noexec

Cross-platform

• Added support for non-UTF-8 locales in the build system, ensuring better compatibility on systems with various locale settings (thanks to @JunGe-Y).
• Added support for the PowerPC architecture in the build system.
• Added support for binary data handling in frida-inject and RpcClient internals.

Happy hacking!

Quick bug-fix release to further improve our Fruity backend, where @hsorbo and I filled up our coffee cups and hammered out the following fixes:

• fruity: Fix use-after-free in TcpConnection. The error callback might be called at a point where the PCB has already been freed. This meant that us clearing its user data would result in a use-after-free where a NULL pointer was written into the unknown.
• fruity: Fix DTXArgumentList.parse() GValue init, where we were using the wrong setter when encountering an object. This was caught by GLib’s runtime checks, but went unnoticed because we usually build without them.
• payload: Fix an AddressSanitizer build regression.

Turns out a serious stability regression made it into Frida 16.5.3, where frida-server would crash on incoming connections not originating from a CoreDevice tunnel. Kudos to @mrmacete for investigating and fixing this only hours after the problematic releases made it out. 🎉 Enjoy!

Binaries for the previous release did not make it out due to frida-node’s NAN dependency getting bumped by a script that wasn’t meant to bump it, and the latest code breaking Electron support. This release rolls it back, and bumps frida.Compiler’s @types/frida-gum to 18.7.1 while at it.

Excited to bring you another bug-fix release to further improve our Fruity backend, iOS stability, and a fix for memory scanning with regexes.

The changes mentioned without specific attribution were authored by [@hsorbo][] and I in a series of fun pair-programming sessions.

Here’s the long and short of it:

• memory: Make memory scanning regex patterns raw, so searches are reliable across binary regions that are not valid UTF-8. Thanks @mrmacete!
• web-service: Close connections of removed dynamic interfaces, to avoid them sticking around until we run out of file-descriptors.
• network-stack: Handle abrupt disposal of TcpConnection, where we would free the TCP PCB but fail to notify any live TcpIOSource instances and blocked TcpInputStream.read() calls.
• network-stack: Fix racy TCP data loss upon peer closure, where the closure resulted in us letting go of the PCB, and the recv() logic would return early because the PCB was gone. At that point there might still be data left in the RX buffer, but the application wouldn’t see it.
• network-stack: Fix race in TcpInputStream.read(), where the notify::pending-io signal fires after the call to is_readable() but before our signal handler is connected.
• fruity: Use USB product string as transport name.
• fruity: Fix USB mode parsing on iOS < 16, where the mode is a 3 byte blob.
• fruity: Bubble up USB permission errors.
• fruity: Bail on iOS tunnel service versions pre-17, instead of crashing.
• control-service: Fix reliability on CoreDevice systems, where having a single transport broker listening on all interfaces may result in an early TCP RST when trying to communicate with it from inside a tunnel. The exact cause of this is not known, but we have confirmed that having one broker per dynamic interface/tunnel does resolve the issue. We also observed that listening on all interfaces, but restricted to IPv6, also avoids the issue.
• meson: Fix i/tvOS compilation with GLib as a subproject.
• meson: Disable Fruity and friends on FreeBSD, as we now rely on a libusb API that only exists in our libusb. If anyone’s interested in these backends on FreeBSD it shouldn’t be too hard to fix this – PRs are most welcome.

Quick bug-fix release to further improve our Fruity backend, where @hsorbo and I filled up our coffee cups and hammered out the following fixes and tweaks:

• fruity: Reuse NCM peer when tunnel setup fails.
• fruity: Handle iDevice not paired with anyone.
• fruity: Handle USB TunnelConnection dropping.
• fruity: Fix unreliable modeswitch activation.
• fruity: Fix teardown when using our NCM driver.
• fruity: Fix error marshaling in find_tunnel() for non-macOS.
• fruity: Advertise our RemoteXPC protocol support.

Binaries for the previous release did not make it out due to a build regression on watchOS, which was promptly fixed by this release.

Some of you may have found yourself in a situation where a piece of data in memory looks interesting, and you want to locate the code responsible for it. You may have tried Frida’s MemoryAccessMonitor API, but found the page granularity hard to work with. That is, you might have to collect many samples until you get lucky and catch the code that accesses those specific bytes on the page that they’re on. This might be hard enough on systems with 4K pages, and even worse on modern Apple systems with 16K pages.

To address this, @hsorbo and I filled up our coffee cups and got to work, implementing support for hardware breakpoints and watchpoints. The long story short is that thread objects returned by Process.enumerateThreads() now have setHardwareBreakpoint(), setHardwareWatchpoint(), and corresponding methods to unset them at a later point. These are then combined with Process.setExceptionHandler() where you call the unset method and return true to signal that the exception was handled, and execution should be resumed.

Demo time

Let’s take these new APIs for a spin. As our target we’ll pick id Software’s brand new 2024 re-release of DOOM + DOOM II.

The first thing we might want to do is figure out where in memory the number of bullets is stored. Let’s cook up a tiny agent to help us achieve this:

let matches = [];

function scan(pattern) {
  const locations = new Set();
  for (const r of Process.enumerateMallocRanges()) {
    for (const match of Memory.scanSync(r.base, r.size, pattern)) {
      locations.add(match.address.toString());
    }
  }
  matches = Array.from(locations).map(ptr);
  console.log('Found', matches.length, 'matches');
}

function reduce(val) {
  matches = matches.filter(location => location.readU32() === val);
  console.log('Filtered down to:');
  console.log(JSON.stringify(matches));
}

function patternFromU32(val) {
  return new MatchPattern(ptr(val).toMatchPattern().substr(0, 11));
}

And load it into the game:

$ frida -n doom.exe -l demo.js
…
[Local::doom.exe ]->

We know that we have 50 bullets currently, so let’s find all heap allocations containing the value 50, encoded as a native uint32:

[Local::doom.exe ]-> scan(patternFromU32(50))
Found 6947 matches

That’s quite a few. Let’s narrow it down by firing one bullet, and checking which of those locations now contain the value 49:

[Local::doom.exe ]-> reduce(49)
Filtered down to:
["0x1fbf5191884"]

Bingo! Now that we know where in memory the number of bullets is stored, our next step is to find the code that updates the number of bullets when one is fired. Let’s add another helper function to our agent:

function installWatchpoint(address, size, conditions) {
  const thread = Process.enumerateThreads()[0];

  Process.setExceptionHandler(e => {
    console.log(`\n=== Handler got ${e.type} exception at ${e.context.pc}`);

    if (Process.getCurrentThreadId() === thread.id &&
        ['breakpoint', 'single-step'].includes(e.type)) {
      thread.unsetHardwareWatchpoint(0);
      console.log('\tDisabled hardware watchpoint');
      return true;
    }

    console.log('\tPassing to application');
    return false;
  });

  thread.setHardwareWatchpoint(0, address, size, conditions);

  console.log('Ready');
}

And call it:

[Local::doom.exe ]-> installWatchpoint(ptr('0x1fbf5191884'), 4, 'w')
Ready

Next we’ll flip back to the game and fire another bullet:

[Local::doom.exe ]->
=== Handler got system exception at 0x7ffc2bc2fabc
        Passing to application

=== Handler got single-step exception at 0x7ff6f0a21010
        Disabled hardware watchpoint

Yay, that looks promising. Let’s symbolicate that address:

[Local::doom.exe ]-> ammoCode = ptr('0x7ff6f0a21010')
"0x7ff6f0a21010"
[Local::doom.exe ]-> ammoModule = Process.getModuleByAddress(ammoCode)
{
    "base": "0x7ff6f0730000",
    "name": "DOOM.exe",
    "path": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\Ultimate Doom\\rerelease\\DOOM.exe",
    "size": 15495168
}
[Local::doom.exe ]-> offset = ammoCode.sub(ammoModule.base)
"0x2f1010"

Let’s take a closer look using r2:

We can see that the program counter that we observed in our exception handler is on the instruction right after the sub that triggered our watchpoint.

So from here we can set up an inline hook that gets fired whenever a bullet is fired:

Interceptor.attach(Module.getBaseAddress('doom.exe').add(0x2f1010), function () {
  const ammoLeft = this.context.rax.add(4).readU32();
  console.log(`Shots fired! Ammo left: ${ammoLeft}`);
});

[Local::doom.exe ]-> Shots fired! Ammo left: 42
Shots fired! Ammo left: 41
Shots fired! Ammo left: 40
Shots fired! Ammo left: 39
Shots fired! Ammo left: 38

We can just as easily make ourselves a cheat for infinite ammo:

Interceptor.attach(Module.getBaseAddress('doom.exe').add(0x2f100d), function () {
  this.context.rbx = ptr(0);
  console.log(`Shots fired! Pretending no ammo was actually used`);
});

[Local::doom.exe ]-> Shots fired! Pretending no ammo was actually used
Shots fired! Pretending no ammo was actually used
Shots fired! Pretending no ammo was actually used
Shots fired! Pretending no ammo was actually used
Shots fired! Pretending no ammo was actually used

Look ma, infinite ammo!

Note that we could also have achieved this by using Memory.patchCode() to replace the sub with a 3-byte nop, which X86Writer can do for us through putNopPadding(3). The Interceptor hook has the advantage of automatically being rolled back when our script is unloaded, and makes it easy to execute arbitrary code.

Windows on ARM

Another highlight of this release is that we now support Windows on ARM. This means that an arm64 version of Frida can inject into native arm64 processes, as well as emulated x86_64 and x86 processes.

We don’t yet provide binaries however, as we’re waiting for GitHub to provide arm64 runners to OSS projects, which for now is limited to their Team and Enterprise Cloud customers. While it is technically feasible to cross-compile from an x86_64 build machine, we decided to punt on this as we quickly ran into issues with Meson’s MSVC support.

EOF

There’s also a slew of other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• thread: Support hardware breakpoints and watchpoints.
• fruity: Fix deadlock in perform_on_lwip_thread().
• windows: Add support for arm64.
• windows: Migrate Exceptor to Microsoft’s VEH API.
• linux: Handle process gone when detaching. Thanks @ajwerner!
• linux: Fix the clone() wrapper on MIPS.
• java: Handle Android GC cycle handlers not being exported. Thanks @thinhbuzz!
• java: Add preliminary support for OpenJDK 17 on Windows. Thanks @FrankSpierings!
• meson: Add frida-netif to the public frida-core, so frida-core devkits include all needed symbols.
• node: Add Cancellable.withTimeout() convenience factory function. Thanks @hsorbo!
• node: Add Cancellable.combine() convenience method. Thanks @hsorbo!

Quick bug-fix release to further improve our Fruity backend, where @hsorbo and I filled up our coffee cups and hammered out the following fixes:

• tunnel-connection: Wire up missing stream close logic.
• tunnel-connection: Ensure JSON request ends up in its own UDP packet. When opening the tunnel, it seems problematic if a datagram and stream data end up in the same UDP packet. We make our dummy-datagram larger to avoid this.
• tunnel-connection: Consistently avoid writes after connection is gone, which would result in a crash.
• network-stack: Handle perform_on_lwip_thread() from the lwIP thread instead of deadlocking.

Quick bug-fix release to address some issues:

• tunnel-interface-observer: Fix start() crash on i/tvOS, when SCDynamicStoreCopyKeyList() fails. Thanks @mrmacete!
• darwin-mapper: Initialize TLV before constructors. Thanks @jiska!
• darwin-mapper: Fix TLV init runtime code for arm64. Thanks @jiska!
• arm64-writer: Fix encoding of UBFM and LS{L,R}. Thanks @jiska!

Quick bug-fix release to further improve our Fruity backend:

• lockdown-client: Bubble up CONNECTION_CLOSED error. Thanks @hsorbo!
• fruity: Make find_usbmux_device() non-throwing. Thanks @hsorbo!
• fruity: Guard against lockdown open.- ->close loop.
• fruity: Fix invalidation of closed lockdown client. Thanks @hsorbo!

Quick bug-fix release to address a crash on Windows:

• fruity: Fix crash when enumerating network interfaces on Windows. Some don’t have a unicast address, and need to be ignored. Thanks @xiofee!

This release is packing a whole slew of improvements:

• fruity: Use UsbmuxDevice from USB transport if present, so we can reach the loopback interface, and for better performance.
• fruity: Handle devices without tunnel support on non-macOS.
• fruity: Expose name from USB transport if present. It has a more descriptive name in case of UsbmuxTransport.
• gumjs: Ensure Gum .a is built before building devkit. Thanks @Hexploitable!
• gumjs: Generate simpler enum value lookup code.
• spinlock: Consolidate into a single implementation.
• java: Fix art::Thread::DecodeJObject for Android >= 15. Thanks @esauvisky!

Quick bug-fix release to address a few issues:

• xpc-client: Wire up cancellable in request(), to support cancellation of remotepairingd requests in our Fruity macOS CoreDevice backend.
• java: Properly handle the Android ART CMC GC strategy. Thanks @mbricchi!
• java: Fix Java.choose() on newer ART APEXes. Thanks @mbricchi!

This release is packing a whole slew of improvements:

• darwin: Handle dyld restart on macOS Sequoia and iOS 18.
• darwin: Await ObjC init on macOS Sequoia and iOS 18, by making use of notifyObjCInit() if available.
• fruity: Improve CoreDevice pairing support:
  • Fix support for multiple pairing relationships.
  • Keep the in-memory peer store up-to-date, so new pairing relationships don’t require a process restart to be able to match them up with pairing services on the network.
• ncm: Detach all drivers before changing configuration.
• ncm: Avoid using a broken kernel NCM driver.
• darwin: Fix sysroot on simulator. Thanks @CodeColorist!
• darwin-mapper: Locally resolve shared cache symbols, to avoid resolver functions when possible, side-stepping our existing issue where the generated constructor function tries to write the result to a read-only page.
• gumjs: Fix race in recv().wait() on application thread. Thanks @HexKitchen!
• python: Eliminate usage of unstable ref-counting APIs, so extensions built with newer Python headers still work on older Python runtimes.

This release is packing a whole slew of improvements:

• fruity: Add support for networked devices on Windows and Linux.
• ncm: Switch USB device configuration if needed.
• network-stack: Fix TcpConnection use-after-free.
• fruity: Fix the LWIP.NetworkInterface bindings.
• fruity: Remove forgotten .pcap debug output.
• dtx: Fix teardown of DTXConnection vs. DTXChannel.
• buffer: Add content validation to read_string().
• buffer: Add content validation to read_fixed_string().
• java: Fix Java.choose() on Android >= 14. Thanks @mbricchi!
• java: Handle the CMC GC strategy. Thanks @mbricchi!

Quick bug-fix release with a couple of Fruity backend refinements:

• fruity: Handle libusb failing to initialize.
• fruity: Clean up OS-specific bits.

Quick bug-fix release to address a couple of issues:

• device: Fix property getters for id and name.
• socket: Fix Host header logic in negotiate_connection().

This release is packing some exciting new things. Let’s dive right in.

CoreDevice

As mentioned in the 16.3.0 release notes, @hsorbo and I were working on submitting a patch for the Linux kernel’s CDC-NCM driver to make it compatible with Apple’s private network interface. This has since gone upstream, and will be part of Linux 6.11.

In the meantime, and for those of you using Frida on Windows, we have just implemented a minimal user-mode driver that Frida now uses when it detects that the kernel doesn’t provide one. We leveraged lwIP to also do Ethernet and IPv6 entirely in user space. The result is that Frida can support CoreDevice on any platform supported by libusb.

EOF

There’s also a bunch of other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• fruity: Rework to support userspace CDC-NCM.
• fruity: Add support for dyld restart on iOS >= 18.
• fruity: Await ObjC runtime initialization on iOS >= 18.
• fruity: Fix gadget upload when no usbmux connection is available.
• fruity: Improve open_channel() to support tcp:service-name.
• fruity: Retry RSD port lookup on failure.
• fruity: Revive HostChannelProvider implementation.
• fruity: Skip fetching dyld symbols if libSystem is initialized.
• fruity: Wire up MacOSCoreDeviceTransport event handling.
• fruity: Fix the macOS CoreDevice connection type logic.
• fruity: Add os.build and hardware to the exposed system parameters. Thanks @as0ler!
• server and gadget: Listen on Apple’s CoreDevice tunnel network interfaces on iOS and tvOS.
• xpc-service: Fix handling of request() with arrays. Thanks @hsorbo!
• xpc-service: Support type-annotating request parameters.
• python: Support unmarshaling tuples to GVariant.
• python: Fix unmarshaling of bool to GVariant.
• node: Support type-annotations when marshaling to GVariant.
• node: Bump Node.js requirement to >=16 || 14 >=14.17, to match minimatch.
• java: Fix registerClass() field item ordering on Android. Thanks @eybisi!

The previous release didn’t make it out due to a CI issue. The only change in this release is the CI fix needed. (One of the FreeBSD runner images had just been removed by the CI provider, so we had to bump to a newer one.)

It’s time for another bug-fix release. Quite a few goodies in this one:

• darwin: Avoid thread_set_state() during injection, so we don’t get killed by the system on e.g. macOS >= 14.5. Thanks @_saagarjha for contributing the first draft of the fix!
• fruity: Perform RSDCheckin on services that need it. In this way we retain backwards-compatibility for open_channel() of lockdown services when a CoreDevice tunnel is available.
• fruity: Stop caching the LockdownClient, to avoid issues with multiple consumers. Reproducible using frida-ps with a jailed iOS device connected.
• python: Fix the open_service() plist example.
• node: Fix spawn() options logic for undefined values. Kudos to @as0ler for reporting and helping track this one down!
• node: Skip undefined when marshaling aux options to GVariant.
• node: Skip undefined when marshaling object to GVariant.
• node: Handle errors when marshaling to GVariant.
• node: Fix the openService() plist example.

Kudos to @hsorbo for the fun and productive pair-programming on all of the above! 🙌

Note: This release never made it out due to a CI issue, addressed in 16.3.3.

Just a quick bug-fix release to address a packaging issue with our Node.js bindings. The uploaded prebuilds weren’t stripped and exported symbols they weren’t meant to export. Kudos to 0xDC00 for reporting.

Enjoy!

This release is packing some exciting new things. Let’s dive right in.

CoreDevice

Starting with iOS 17, Apple moved to a new way of communicating with services on the iDevice side, including their Developer Disk Image (DDI) services. Their new way of doing things unifies how Apple software talks to other Apple devices, and is known as CoreDevice. It seems to have originated back when Apple introduced their T2 coprocessor. Cisco’s DUO team published some excellent research on this back in 2019.

Like with the T2, the new stack used for iOS also uses RemoteXPC for talking to services. Things are a bit more complex though, because unlike the T2, mobile devices don’t have a persistent connection to macOS, and also have the notion of pairing. Luckily for us, @doronz88 had already done an amazing job reversing and documenting most of what we needed to implement the new protocols, so that saved us a lot of time.

Even so, it was a massive undertaking, but tons of fun – @hsorbo and I had a blast pair-programming on it. Quite a few moving parts are involved, so let’s take a quick walk through them.

With an iDevice plugged in, it exposes a USB CDC-NCM network interface, known as the “private” interface. It also exposes an interface used for tethering, just like it did in the past – except back then it was using a proprietary Apple protocol instead of CDC-NCM.

This is where we hit the first challenges trying to talk to it from a Linux host. First off, the iOS device needs a USB vendor request to mode-switch it into exposing the new interfaces. This part is easy, as the usbmuxd daemon can do this for us if we set the environment variable USBMUXD_DEFAULT_DEVICE_MODE to 3. So far so good.

The next challenge was that the Linux kernel’s CDC-NCM driver failed to bind to the device. After a bit of debugging we discovered that it was due to the private network interface lacking a status endpoint. The status endpoint is how the driver gets notified about whether a network cable is plugged in. Apple’s tethering network interface has such an endpoint, and it makes sense there – if tethering is disabled it’s just as if the cable is unplugged. But the private interface is always there, so understandably Apple chose not to include a status endpoint for it.

We quickly developed a kernel driver patch to lift the requirement for a status endpoint, and this got it working. Later we realized that we should still require a status endpoint for the tethering interface, so we ended up refining our patch a bit further. The plan is to submit that in the next few days.

Anyway, with the network interface up, the host side uses mDNS to locate the IPv6 address where a RemoteServiceDiscovery (RSD) service is listening. The host connects to it and speaks HTTP/2 with RemoteXPC messages going back and forth. This particular service, RSD, tells the host which services are available on the private interface, the port numbers they’re listening on, and details like the protocol each uses to communicate.

Then, knowing which services are listening on which ports, the host looks up the Tunnel service. This service lets the host establish a tunnel to the device, acting as a VPN to allow it to communicate with the services inside that tunnel. Since setting up such a tunnel requires a pairing relationship between the host and the device, it means that the services inside the tunnel allow the host to do a lot more things than the services outside the tunnel.

The base protocol is the same as with RSD, and after some back and forth involving a pairing parameters binary blob and some cryptography, a pairing relationship is either created or verified. At this point the two endpoints are using encrypted communications, and the host asks the Tunnel service to set up a tunnel listener.

Now, assuming the host asked for the default transport, QUIC, the host goes ahead and connects to it. We should note that the the Tunnel service also supports plain TCP. Presumably that is there for older macOS versions that don’t come with a QUIC stack. Another thing worth mentioning is that the Tunnel service provides the host with a keypair, so it uses that as part of the connection setup.

Once connected, the device sends the host some data across a reliable stream. The data starts with an 8 byte magic, “CDTunnel”, followed by a big-endian uint16 that specifies the size of the payload following it. The payload is JSON, and tells the host which IPv6 address the host’s endpoint inside the tunnel has, along with the netmask and MTU. It also tells the host its own IPv6 address inside the tunnel, and the port that the RSD service is listening on.

The host then sets up a TUN device configured as it was just told, and starts feeding it unreliable datagrams as they’re received from the QUIC connection. And for data in the other direction, whenever there’s a new packet from the TUN device, the host feeds that into the QUIC connection.

So at this point the host connects to the RSD endpoint inside the tunnel, and from there it can access all of the services that the device has to offer. The beauty of this new approach is that clients communicating with device-side services don’t have to worry about crypto, nor provide proof of a pairing relationship. They can simply make plaintext TCP connections on the tunnel interface, and QUIC handles the rest transparently.

What’s even cooler is that the host can establish tunnels across both USB and WiFi, and because of QUIC’s native support for multipath, the device can seamlessly move between wired and wireless without disrupting connections to services inside the tunnel.

So, once we got all of this implemented we were feeling excited and optimistic. Only part left was to do the platform integrations. And uhh yeah, that’s where things got a lot harder. The part that got us stuck for a while was on macOS, where we realized we had to piggyback on Apple’s existing tunnel. We discovered that the Tunnel service would refuse to talk to us when there’s already a tunnel open, so we couldn’t simply open up a tunnel next to Apple’s.

While we could ask the user to send SIGSTOP to remoted, allowing us to set up our own tunnel, it wouldn’t be a great user experience. Especially since any Apple software wanting to talk to the device then wouldn’t be able to, making Xcode, Console, etc. a lot less useful.

It didn’t take us long to find private APIs that would allow us to determine the device-side address inside Apple’s tunnel, and also create a so-called “assertion” so that the tunnel is kept open for as long as we need it. But the part we couldn’t figure out was how to discover the device-side RSD port inside the tunnel.

We knew that remotepairingd, running as the local user, knows the RSD port, but we couldn’t find a way to get it to tell us what it is. After lots of brainstorming we could only think of impractical solutions:

• Port-scan the device-side address: Potentially slow, and faster implementations would require root for raw socket access.
• Scan remotepairingd’s address space for the device-side tunnel address, and locate the port stored near it: Wouldn’t work with SIP enabled.
• Rely on a device-side frida-server to figure things out for us: This wouldn’t work on jailed iOS, and would be complex and potentially fragile.
• Grab it from the syslog: Could take a while or require a manual user action, and forcing a reconnection by killing a system daemon would result in disruption.
• Give up on using the tunnel, and move to a higher level abstraction, e.g. use MobileDevice.framework whenever we need to open a service: Would require us to possess entitlements. Exactly which depend on the particular service. So for example if we’d want to talk to com.apple.coredevice.appservice, we’d need the com.apple.private.CoreDevice.canInstallCustomerContent entitlement. But, trying to give ourselves a com.apple.private.* entitlement just wouldn’t fly, as the system would kill us as only Apple-signed programs can use such entitlements.

This was where we decided to take a break and focus on other things for a while, until we finally found a way: The remoted process has a connection to the RSD service inside the tunnel. We finally arrived at a simple solution, using the same API that Apple’s netstat is using:

foreach (var item in XNU.query_active_tcp_connections ()) {
	if (item.family != IPV6)
		continue;
	if (!item.foreign_address.equal (tunnel_device_address))
		continue;
	if (Darwin.XNU.proc_pidpath (item.effective_pid, path_buf) <= 0)
		continue;
	if (path != "/usr/libexec/remoted")
		continue;

	try {
		var connectable = new InetSocketAddress (tunnel_device_address, item.foreign_port);

		var sc = new SocketClient ();
		SocketConnection connection = yield sc.connect_async (connectable, cancellable);
		Tcp.enable_nodelay (connection.socket);

		return yield DiscoveryService.open (connection, cancellable);
	} catch (GLib.Error e) {
	}
}

The Linux side of the story was a lot easier though, as there we are in control and can set up a tunnel ourselves. There was one challenge however: We didn’t want to require elevated privileges to be able to create a tun device. The solution we came up with was to use lwIP to do IPv6 in user-mode. As we had already designed our other building blocks to work with GLib.IOStream, decoupled from sockets and networking, all we had to do was implement an IOStream that uses lwIP to do the heavy lifting. Datagrams from the QUIC connection get fed into an lwIP network interface, and packets emitted by that network interface are fed into the QUIC connection as datagrams.

Next up was the Windows side of things. We did some digging and quickly realized that Apple’s software doesn’t currently set up a tunnel. The official driver also appears to keep the USB device busy, meaning we can’t easily trigger a mode-switch and do things ourselves. There’s probably an elegant solution to the Windows part of the puzzle, but we realized we were already so deep inside the rabbit-hole that it would be wise to leave this for later. So if anyone reading this is interested in helping out, please do get in touch.

Another area that needs future improvement is that we only support cabled connectivity on macOS. This should be easy to improve on once we have updated frida-server and frida-gadget so they listen on tunnel interfaces whenever they appear.

Jailed iOS 17

With the new CoreDevice infrastructure in place, we have also restored support for jailed instrumentation on iOS 17. This means we can once again spawn (debuggable) apps on latest iOS, which is 17.5.1 at the time of writing. We still have the issue where attach() without spawn() doesn’t work, as our jailed injector doesn’t yet support the restartable dyld case when attaching to an already running app. This will be addressed in a future release.

Device.open_service() and the Service API

Given that Frida needs to speak quite a few protocols to interact with Apple’s device-side services, and applications also sometimes need other such services, this presents a challenge. Applications could speak these protocols themselves, e.g. after using the Device.open_channel() API to open an IOStream to a specific service. But this means they have to duplicate the effort of implementing and maintaining the protocol stacks, and for protocols such as DTX they may be wasting time establishing a connection that Frida already established for its own needs.

One possible solution would be to make these service clients public API and expose them in our language bindings. We would also have to implement clients for all of the Apple services that applications might want to talk to. That’s quite a few, and would result in the Frida API becoming massive. It would also make Frida a kitchen sink of sorts, and that’s clearly not a direction we want to be heading in.

After thinking about this for a while, it occurred to me that we could provide a generic abstraction that lets the application talk to any service that they want. So last week @hsorbo and I filled up our coffee cups and got started on just that.

Here’s how easy it is to talk to a RemoteXPC service from Python:

import frida
import pprint

device = frida.get_usb_device()

appservice = device.open_service("xpc:com.apple.coredevice.appservice")
response = appservice.request({
    "CoreDevice.featureIdentifier": "com.apple.coredevice.feature.listprocesses",
    "CoreDevice.action": {},
    "CoreDevice.input": {},
})
pprint.pp(response)

And the same example, from Node.js:

import frida from 'frida';
import util from 'util';

const device = await frida.getUsbDevice();

const appservice = await device.openService('xpc:com.apple.coredevice.appservice');
const response = await appservice.request({
  'CoreDevice.featureIdentifier': 'com.apple.coredevice.feature.listprocesses',
  'CoreDevice.action': {},
  'CoreDevice.input': {},
});
console.log(util.inspect(response, {
  colors: true,
  depth: Infinity,
  maxArrayLength: Infinity
}));

Which results in:

So now that we’ve looked at the new open_service() API being used from Python and Node.js, we should probably mention that it is (almost) just as easy to use this API from C:

#include <frida-core.h>

int
main (int argc,
      char * argv[])
{
  GCancellable * cancellable = NULL;
  GError * error = NULL;

  frida_init ();

  FridaDeviceManager * manager = frida_device_manager_new ();

  FridaDevice * device = frida_device_manager_get_device_by_type_sync (manager, FRIDA_DEVICE_TYPE_USB, -1, cancellable, &error);
  FridaService * service = frida_device_open_service_sync (device, "xpc:com.apple.coredevice.appservice", cancellable, &error);

  GVariant * parameters = g_variant_new_parsed ("{"
    "'CoreDevice.featureIdentifier': <'com.apple.coredevice.feature.listprocesses'>,"
    "'CoreDevice.action': <@a{sv} {}>,"
    "'CoreDevice.input': <@a{sv} {}>"
  "}");
  GVariant * response = frida_service_request_sync (service, parameters, cancellable, &error);

  gchar * str = g_variant_print (response, FALSE);
  g_printerr ("%s\n", str);

  return 0;
}

(Error-handling and cleanup omitted for brevity.)

The string passed into open_service() is the address where the service can be reached, which starts with a protocol identifier followed by colon and the service name. This returns an implementation of the Service interface, which looks like this:

public interface Service : Object {
	public signal void close ();
	public signal void message (Variant message);

	public abstract bool is_closed ();
	public abstract async void activate (Cancellable? cancellable = null) throws Error, IOError;
	public abstract async void cancel (Cancellable? cancellable = null) throws IOError;
	public abstract async Variant request (Variant parameters, Cancellable? cancellable = null) throws Error, IOError;
}

(Synchronous methods omitted for brevity.)

Here, request() is what you call with a Variant, which can be “anything”, a dictionary, array, string, etc. It is up to the specific protocol what is expected. Our language bindings take care of turning a native value, for example a dict in case of Python, into a Variant. Once request() returns, it gives you a Variant with the response. This is then turned into a native value, e.g. a Python dict.

For protocols that support notifications, the message signal is emitted whenever a notification is received. Since Frida’s APIs also offer synchronous versions of all methods, allowing them to be called from an arbitrary thread, this presents a challenge: If a message is emitted as soon as you open a specific service, you might be too late in registering the handler. This is where activate() comes into play. The service object starts out in the inactive state, allowing signal handlers to be registered. Then, once you’re ready for events, you can either call activate(), or make a request(), which moves the service object into active state.

Then, later, to shut things down, cancel() may be called. The close signal is useful to know when a Service is no longer available, e.g. because the device was unplugged or you sent it an invalid message causing it to close the connection.

It’s also easy to talk to DTX services, which is RemoteXPC’s predecessor, still used by many DDI services.

For example, to grab a screenshot:

import frida

device = frida.get_usb_device()

screenshot = device.open_service("dtx:com.apple.instruments.server.services.screenshot")
png = screenshot.request({"method": "takeScreenshot"})
with open("/path/to/outfile.png", "wb") as f:
    f.write(png)

But there’s more. We also support talking to old-style plist services, where you send a plist as the request, and receive one or more plist responses:

import frida

device = frida.get_usb_device()

diag = device.open_service("plist:com.apple.mobile.diagnostics_relay")
diag.request({"type": "query", "payload": {"Request": "Sleep", "WaitForDisconnect": True}})
diag.request({"type": "query", "payload": {"Request": "Goodbye"}})

As you might have already guessed, this example puts the connected iDevice to sleep.

RPC Binary Passing

Those of you using Gum’s JavaScript bindings might be familiar with our RPC API, which makes it easy for an application to call functions on its agent.

One long-standing limitation with this feature was that you couldn’t pass binary data into an exported function – you would have to serialize it somehow. This is now finally supported.

For example given the following agent:

rpc.exports.hello = (name, icon) => {
  console.log(`Name: "${name}"`);
  console.log('Icon:');
  console.log(hexdump(icon, { ansi: true }));
};

You can now call hello() from Python like this:

script.exports_sync.hello("Joe", b"\x13\x37")

Which would output:

Note that only one binary parameter can be passed, and it needs to be the last parameter.

Another improvement in the same area is that you can now return binary data alongside a JSON-serializable JavaScript value. We previously only supported returning one or the other. This is now also finally supported.

For example given the following agent:

rpc.exports.peek = name => {
  const module = Process.getModuleByName(name);
  const header = module.base.readByteArray(64);
  return [module, header];
};

You can call peek() from Python like this:

module, header = script.exports_sync.peek("libSystem.B.dylib")
print("module:", module)
print("header:", header)

Which, if run on a platform where libSystem.B.dylib is present, might output something like:

module: {'name': 'libSystem.B.dylib', 'base': '0x18ec70000', 'size': 8192, 'path': '/usr/lib/libSystem.B.dylib'}
header: b'\xcf\xfa\xed\xfe\x0c\x00\x00\x01\x02\x00\x00\x80\x06\x00\x00\x006\x00\x00\x00\x10\x10\x00\x00\x85\x00\x00\x82\x00\x00\x00\x00\x19\x00\x00\x00(\x02\x00\x00__TEXT\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x0c\x8d\x01\x00\x00\x00'

EOF

There’s also a few other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• Add device.open_service(address), which provides a Service implementation that exposes device-specific services through a uniform interface.
• fruity: Add RemoteXPC support, with open_service() implemented for three protocols IDs: plist, dtx, xpc.
• fruity: Fix spawn() on jailed iOS 17.
• fruity: Improve DTX protocol support.
• python: Add open_service() and Service API.
• python: Add support for new RPC binary data passing.
• python: Improve GVariant marshaling support.
• node: Add openService() and Service API.
• node: Add support for new RPC binary data passing.
• node: Improve GVariant marshaling support.
• exceptor: Add SA_ONSTACK flag in the POSIX backend. Thanks @asabil!
• gumjs: Support receiving binary data in RPC methods.
• gumjs: Support returning value and binary data from RPC methods.
• gumjs: Expose more Memory APIs to CModule. Thanks @hillelpinto!
• plist: Fix support for writing out binary plist with float and double values.

Kudos to @hsorbo for the fun and productive pair-programming on all of the above changes without specific attribution! 🙌

A quick bug-fix release with three improvements:

• ci: Fix the frida-node prebuild loop for macOS, so we generate prebuilds for all targets, not just the first one.
• node: Avoid relying on package-lock.json, to support fallback build when prebuild is missing.
• android: Set DexFile to read-only in Java.registerClass(). As of Android 14, apps with targetSdk >= 34 are not allowed to have writable permissions on dynamically loaded Dex files. Thanks @pandasauce!

Enjoy!

Just a quick bug-fix release to fix a regression in the DebugSymbol API on Windows, where we failed to bundle the DbgHelp and SymSrv libraries. Kudos to 0xDC00 for reporting this so quickly.

Enjoy!

Just a quick bug-fix release to fix a regression affecting iOS users. Kudos to @andyacer and @IhorLeshko for reporting this so quickly.

Enjoy!

It’s release o’clock, and this one comes jam-packed with improvements! 🎉

Build System

After years of being dissatisfied with our build system situation, I have finally worked up the courage to restructure it — in a big way.

User Experience

One of the things that bothered me was that our build system felt very eccentric and complex. You would invoke make and see a menu of things you could build. But that menu would be different depending on the OS you’re running this on. Changing build options meant either editing config.mk or overriding them on the command-line. And if you were on Windows you’d have to use Visual Studio (MSVS).

The MSVS build system is now gone, and you can build Frida the same way you’d build many other OSS projects:

$ ./configure
$ make

The configure step can be skipped if you don’t need to pass any options, such as –prefix. This script is really just a thin wrapper around Meson’s setup command, and you can pass options straight to Meson by adding -- followed by the options. You can also run make install to install things, which supports the DESTDIR environment variable to change where the output goes.

Cross-compilation is easy too; for example if you want to build for iOS/arm64, invoke configure with –host=ios-arm64. If you have a toolchain for an embedded system, pass –host=$triplet, which will look for $triplet-gcc, $triplet-g++, etc. on your PATH. You can also add CFLAGS, LDFLAGS, etc. to the environment to pass in extra flags, just like you’d expect from other build systems.

What’s cool is that our different repos can now be built standalone. You can clone the frida-gum repo and build it, just like you can do with frida-python, frida-tools, etc. The frida repo is no longer as important, it’s only kept around to be able to version a collection of repos, and host the CI used for rolling new releases.

Each repo contains any needed subprojects/*.wrap files that tell Meson where it can find the dependencies. This means if you grab frida-core and try to build it without already having frida-gum on your PKG_CONFIG_PATH, it will grab and build that for you automatically. What’s also neat is that our Python and Node.js bindings now make use of this to build from source if a .whl or prebuild can’t be found or downloaded.

So now that our different components work well as subprojects, this also means anyone can integrate Frida components into their own projects just as easily. All you need to do is add a .wrap-file to subprojects/ in your project’s top source dir, and call dependency() from your meson.build. Meson then looks on your system first, and if it fails to find the dependency it will clone the git repo in subprojects/ and build it as part of your project. It is also possible to tell Meson to force such a fallback without looking on your system.

Here’s what such a .wrap-file could look like for Gum:

[wrap-git]
url = https://github.com/frida/frida-gum.git
revision = 16.2.4
depth = 1

[provide]
dependency_names = frida-gum-1.0, frida-gum-heap-1.0, frida-gum-prof-1.0, frida-gumjs-1.0, frida-gumjs-inspector-1.0

And for frida-core:

[wrap-git]
url = https://github.com/frida/frida-core.git
revision = 16.2.4
depth = 1

[provide]
dependency_names = frida-core-1.0

Our thin Meson wrapper is also easy to get started with, and you can read more about it here.

A bit of history

The reason I chose to maintain a separate build system for Windows was that I previously worked with quite a few experienced Windows developers, and noticed they’d be a lot more excited about an OSS project if they could work on it using their favorite IDE. It was important to them that they could look at a crash in the debugger, jump to a frame belonging to an OSS library, and be able to add some temporary logging code. And then hit the “Run” hotkey to have the IDE incrementally compile and relink everything, for a short and sweet feedback loop.

At the time, Frida’s non-Windows build system was autotools. We later moved to Meson. Although Meson has a backend for MSVS, meaning we could have it generate MSVS project files for us, there was one issue blocking us from doing that. Unlike MSVS, where you can mix projects targeting different machines in the same “solution” (workspace), Meson only supports compiling for one machine at a time, in addition to the build machine. Due to how Frida supports injecting code into e.g. both 32- and 64-bit targets on Windows, we would introduce a usability regression if we were to remove our MSVS build system. So because of this I hesitated to drop the MSVS build system.

We also had the same challenge on non-Windows. I ended up solving it by writing a Makefile that invokes Meson for each architecture, to glue it all together. While this did work, I never got it to the point where incremental builds would also work reliably. However, late March this year I finally settled on a way to solve this locally in frida-core – the only component where we need this kind of multi-arch madness. By recursively invoking Meson from a custom_target() we can build the needed components for the other architectures.

This took a lot of work to get working right, but once there it made things so much more pleasant to work with in the rest of the stack. The frida repo’s Makefiles and shell-scripts could be dropped and replaced with Meson. The CI became simpler and more uniform. Anyone can just clone the frida-core repo and run make, and the resulting binaries would support cross-arch. (Unless explicitly disabled through –disable-compat / -Dfrida-core:compat=disabled.)

Now you might be wondering why we’re still running make, if we’re now only using Meson. I ended up writing a thin wrapper around Meson that automates the downloading of prebuilt dependencies, choosing sensible linker flags for smaller binaries, etc. The new configure and Makefile files in each repo take care of invoking releng/meson_configure.py and releng/meson_make.py, which constitute the thin wrapper around Meson. The releng directory is a submodule, shared by Frida’s repos. The other thing done before invoking the wrapper, is to also make sure the releng submodule has been initialized and updated.

Maintenance

Before this release we were maintaining seven different build systems:

1. Meson (main components, on non-Windows)
2. Visual Studio (main components, on Windows)
3. GNU Make (main components meta build system, on non-Windows)
4. setuptools (Python bindings)
5. GYP (Node.js bindings)
6. Xcode (Swift bindings)
7. QMake (QML bindings)

As of this release, I am excited to announce that we are down to just one build system: Meson.

The main pain point with the previous situation was having to deal with both 1) and 2), since they were involved in all of the main components. This meant that something as simple as adding a source file would require knowledge of two different build systems. Not only that, but contributors on Linux for example, would typically have a hard time testing their Visual Studio build system changes.

Another aspect was that developers would be less inclined to refactor their code if something as simple as adding a new file involves dealing with two build systems. The long-term consequence of this was that it fostered bad habits. “Hmm, I should split this out into a separate file, but uhh… no, that’s too painful, I’m gonna add that code here for now.”

As for the remaining build systems, only used in bindings, it may not seem that bad to maintain those – they’re typically familiar to the folks touching that code anyway. The challenge there was the lack of pkg-config integration in all but one of them (QMake). This meant that include paths, library paths, and libraries to link with would end up being duplicated in multiple places. This is particularly gnarly when linking with a static library that uses other libraries internally, which is how our language bindings typically consume frida-core.

New Features

Quite a few new things to be excited about in this release:

• gumjs: Add Process.runOnThread(), to make it easy to run arbitrary code on a specific thread. Must be used with care to avoid deadlocks/reentrancy issues.
• gumjs: Add limit option to Thread.backtrace(). Thanks @davinci-tech!
• gumjs: Expand CModule glib.h with alternatives to deprecated APIs.
• stalker: Add StalkerIterator.put_chaining_return(). Thanks @s1341!
• stalker: Add run_on_thread() and run_on_thread_sync().
• interceptor: Add support for shadow stacks on x86. Thanks @yjugl!
• cpu-features: Add CET_SS flag and detection logic. Thanks @yjugl!
• x86-writer: Add cpu_features field. Thanks @yjugl!
• spinlock: Add try_acquire(). Thanks @mrmacete!
• cloak: Add with_lock_held() and is_locked(). Thanks @mrmacete!
• interceptor: Add with_lock_held() and is_locked(). Thanks @mrmacete!
• darwin: Hint at macOS boot arguments when helper crashes.
• java: Support instantiating classes without constructors. Thanks @AeonLucid!
• java: Add support for arrays of array. Thanks @histausse!
• python: Make the source distribution buildable fully from source, instead of only supporting building using a devkit.
• python: Drop the MSVS build system.
• node: Add Meson build system, drop prebuild and node-gyp bits.
• node: Support building fully from source when a prebuilt can’t be found.
• clr: Add Meson build system, drop the MSVS build system.
• qml: Add Meson build system, drop the qmake build system.
• qml: Add support for Qt 6. Thanks @zaxo7!
• qml: Drop support for Qt 5.

Bugfixes

Last but not least, we’re also bringing you a long list of quality improvements:

• gumjs: Preserve thread’s system error over NativeCallback invocations. Thanks @HexKitchen!
• gumjs: Always expose thread’s system error to NativeCallback.
• gumjs: Plug leak of Stalker instance.
• stalker: Fix block events disrupting exclusive access on arm64. Thanks @saicao!
• memory: Fix patch_code() protection flipping on RWX systems.
• swift-api-resolver: Fix handling of indirect type entries.
• swift: Work around Module.load() issue on iOS Simulator. Thanks @zydeco!
• base: Fix racy crash in custom GSource implementations.
• base: Fix the p2p AgentSession registration logic.
• buffer: Fix the read_string() size logic. Thanks @hsorbo!
• linux: Fix early instrumentation on certain 32-bit systems.
• linux: Fix inject_library_blob() on modern Android.
• linux: Fix unreliable exec transition logic.
• linux: Fix unreliable injection when libc is absent.
• agent: Fix hang in child-gating fork() scenarios. Reproducible in situations where pidfd_getfd() is available but not permitted, such as inside Docker containers.
• windows: Use RW/RX permissions for injection. This makes Frida injection compatible with more software. In particular, Mozilla Firefox rejects thread startup if the start address is RWX. Thanks @yjugl!
• darwin: Massage libunwind around Frida hooks, to avoid breaking code making use of exceptions, such as through @try/@catch in Objective-C. Thanks @mrmacete!
• darwin: Take Interceptor and Cloak locks in ThreadSuspendMonitor, to extend its scope to prevent deadlock scenarios where threads holding the Cloak or Interceptor lock get suspended. Thanks @mrmacete!
• darwin: Fix racy teardown of InjectInstance dispatch source.
• darwin: Fix racy teardown of SpawnInstance dispatch source.
• android: Fix child-gating of execl() and friends.
• compiler: Bump @types/frida-gum. Thanks @s1341!
• modulate: Gracefully handle missing symbols. Thanks @hsorbo!
• python: Move _frida package inside the frida package.

EOF

And that pretty much sums it up. Enjoy!

Just a quick bug-fix release to deal with an iOS packaging bug affecting users on palera1n (rootless) and Dopamine. Kudos to @miticollo for reporting this so quickly.

Enjoy!

Lots of exciting new things this time around. Let’s dive right in.

Thread Names

The Process.enumerateThreads() API now also exposes thread names when available:

$ frida -U -F
[Pixel 6 Pro::com.google.android.calculator ]-> Process.enumerateThreads()[1]
{
    "id": 9579,
    "name": "Signal Catcher",
    "state": "waiting",
    "context": { … }
}
[Pixel 6 Pro::com.google.android.calculator ]->

Kudos to @Hexploitable for the awesome pull-request that got this ball rolling 🙌

Memory Protection Queries

Sometimes it’s essential to quickly determine the current protection of a page in memory. Thanks to @mrmacete, now you can:

$ frida -p 0
[Local::SystemSession ]-> Memory.queryProtection(Module.getExportByName(null, 'open'))
"r-x"
[Local::SystemSession ]->

QuickJS 2024-01-13

This release also contains the latest QuickJS, released last month. This means there’s almost complete ES2023 support, and even some features from the upcoming ES2024 specification. Plus, quite a few bug-fixes as well. It’s also worth mentioning that top-level await is now supported, making it easier to write portable scripts that work on both of our JavaScript runtimes.

Cloaking

Frida keeps track of its own memory ranges, threads, etc., to keep you from seeing yourself during process introspection. Introspection APIs such as Process.enumerateThreads() ensure that Frida’s own resources are hidden, and things appear as if you were not inside the process being instrumented.

For those of you using Stalker, or other things that expose you to raw memory locations, you might see code not belonging to any loaded module, and wonder where it came from. For example, if you use Stalker.follow() to follow execution into or out of a hooked function, it’s going to execute some trampoline code generated by Interceptor.

Agents using Gum’s C APIs could already query whether a given memory address, thread, etc., is owned by Frida, but this hadn’t yet been exposed to our JavaScript bindings. But now, thanks to another awesome contribution by @mrmacete, this is now supported. For example:

$ frida -p 0
[Local::SystemSession ]-> open = Module.getExportByName(null, 'open')
"0x7f929a325840"
[Local::SystemSession ]-> Interceptor.attach(open, () => {})
{}
[Local::SystemSession ]-> Instruction.parse(open).toString()
"jmp 0x7f928940c408"
[Local::SystemSession ]-> Cloak.hasRangeContaining(ptr('0x7f928940c408'))
true
[Local::SystemSession ]-> pointInsideOpen = open.add(16)
"0x7f929a325850"
[Local::SystemSession ]-> Instruction.parse(pointInsideOpen).toString()
"push rbx"
[Local::SystemSession ]-> Cloak.hasRangeContaining(pointInsideOpen)
false
[Local::SystemSession ]->

Fast Interceptor

One little known and fairly recent feature, now also available from JavaScript, is Interceptor.replaceFast(). What’s different about it is that the target is modified to vector directly to your replacement, which means there is less overhead compared to Interceptor.replace(). This also means that you need to use the returned pointer if you want to call the original implementation. It is also not possible to combine it with Interceptor.attach() for the same target. However, if you’re dealing with a hot target it’s definitely something you want to have in your toolbox, especially when combined with CModule.

ELF Exports Regression

We discovered way late that Frida 16.1.0 broke Module#enumerateExports() on some ELF binaries, and this is now finally fixed. It turned out to be a bug in the bounds-checking that I added when making Gum.ElfModule a cross-platform API, when it got support for offline use-cases like that of our Barebone backend. (Where we use it to dynamically inject Rust code into OS kernels and bare-metal targets.)

ELF Import Slots

Those of you using Frida on Apple platforms may have noticed that Module#enumerateImports() provides you with import objects that always have a slot property. One way you can use this is to write a new pointer to that address, letting you rebind imports on a per-module basis. Super-handy if Interceptor is unable to hook a function, or for scenarios where you want to avoid inline hooks.

As of this release, we now provide the slot property on ELF-based platforms too, so you can also use this feature on Linux, Android, FreeBSD, and QNX. Yay!

Android Stability

Avid users on recent versions of Android may have experienced “soft-loops”, where Frida randomly crashes Zygote and causes a big chunk of user-space to restart. This turned out to be caused by the runtime preparing itself to fork() by polling /proc/self/stat while waiting for the thread count to drop to one, i.e. waiting for the process to become single-threaded.

This has now been solved by subtracting the threads owned by Frida, which we determine by internally using the Cloak API, touched upon earlier in this post. We also make use of the new ELF Import Slots feature, so we can hook read() only for callers in libart.so. Inserting an inline hook in libc.so’s read() is not a great idea in this case, as the process we’re in might use it for a blocking read that blocks indefinitely. This becomes a challenge when wanting to unload, and getting stuck waiting for the chance to roll back our inline hook.

Anyway, quite an interesting bug. Shout-out to @enovella_ for reporting and helping track this one down 🙌

While on the topic of Android, this release also improves Java hooking on Android 14, where a new ART quick entrypoint is being used in case of –enable-optimizations. Kudos to @cr4zyserb for this neat contribution.

Better iOS 16 support

If you ever got hit by Service cannot load in requested session when trying to install Frida on iOS, this is now finally fixed. Kudos to @as0ler for the assist on fixing this.

Jailbroken tvOS

Another exciting development is that we now support jailbroken tvOS, and you can grab a .deb straight from our repo at https://build.frida.re/. Special thanks to @tmm1 for the pull-requests that made this happen.

Misc

This release also has a lot more to offer. The remaining changes are:

• symbolutil-libdwarf: Fix handling of DW_AT_ranges in DWARF 5. This means the DebugSymbol API works properly on binaries built by newer toolchains.
• elf-module: Fix relocation address when online.
• interceptor: Check module prefix when claiming grafts on arm64, for compatibility with Xcode’s new libLogRedirect.dylib interposing on iOS 17. Thanks @mrmacete!
• interceptor: Cloak thunks on arm64. Thanks @mrmacete!
• windows: Ensure that the MSVC source-charset is set to UTF-8, so embedded JavaScript can be parsed correctly at runtime. Thanks @Qfrost911!
• freebsd: Improve allocate-near strategy.
• gumjs: Plug leak during QJS load() w/ ESM.
• objc: Ensure block structure is writable in implementation setter. Thanks @mrmacete!
• compiler: Bump @types/frida-gum to 18.6.0.

Enjoy!

Lots of goodies this time around:

• stalker: Improve stability on multiple fronts. Kudos to @as0ler, @hsorbo, and @mrmacete for the fun and productive mob programming sessions that resulted in these wonderful improvements:
  • stalker: Copy BLR for excluded calls on arm64, instead of replacing them with functionally-equivalent ones, so that any pointer authentication context is used as expected. Thanks @mrmacete!
  • stalker: Abort when allocate_near() fails on arm64, instead of crashing due to the subsequent NULL pointer dereference.
  • gumjs: Fix crash in Stalker.flush() on a stopped sink. This happens if Stalker.garbageCollect() was just called.
  • gumjs: Fix use-after-free in Stalker QuickJS callback logic. We need to keep the callback values alive in case Stalker.garbageCollect() happens in the middle and releases them.
• darwin: Improve symbolicator cache invalidator logic. Thanks @mrmacete!
• swift-api-resolver: Handle signed pointers.
• linux: Improve spawn() to handle partial link maps.
• linux: Improve injector to handle XOM pages.
• linux: Improve injector RTLD API detection.
• linux: Fix injector ELF SYMTAB name parsing.
• node: Link against the inspector library on UNIX, to fix RTLD panic when Script#enableDebugger() is called. Thanks @pandasauce!
• ci: Publish FreeBSD prebuilds for Node.js 20 and Electron 27.

Some neat little bug-fixes, just in time for Christmas:

• server: Add missing entitlements for iOS 16, required to remap binary files in memory. Thanks @as0ler!
• android: Fix Java hooking of interpreter-run methods on Android 14.
• Fix argv[0] shown in CLI tools such as frida-server and frida-inject. Thanks @bet4it!

Quite a few goodies in this release:

• interceptor: Pause cloaked threads too. This prevents random SIGBUS crashes on our own threads while using Interceptor to hook functions residing on the same page as any of the ones potentially used internally. Thanks @mrmacete!
• darwin: Move to our POSIX Exceptor backend. Mach exception handling APIs have become increasingly restrictive in recent Apple OS versions.
• darwin: Resolve import trampolines on arm64, allowing us to hook targets such as sigaction().
• linux: Improve spawn() to handle r_brk being hit again.
• linker: Improve spawn() to consider on-disk ELF for RTLD symbols. This means we might find r_debug on additional Android systems, for example.
• linux: Fix spawn() when DT_INIT_ARRAY contains sentinel values.
• linux: Improve spawn() to use DT_PREINIT_ARRAY if present.
• android: Handle symlinks in RTLD fallback logic.

Three exciting changes this time around:

• process: Add get_main_module(), exposed to JavaScript as Process.mainModule. Useful when needing to know which module represents the main executable of the process. In the past this was typically accomplished by enumerating the loaded modules and assuming that the first one in the list is the one. This is no longer the case on the latest Apple OSes, so we now provide an efficient and portable solution with this new API. Thanks @mrmacete!
• compiler: Bump @types/frida-gum to 18.5.0, now with typings for recent API additions.
• barebone: Fix compatibility with latest Corellium.

Some neat refinements this time around:

• stalker: Allow transformer to skip calls on x86. Thanks @s1341!
• objc: Tolerate mangled Swift class names. Thanks @hsorbo!
• cpu-features: Improve the AVX2 detection. Thanks for the assist, @smx-smx!
• windows: Add support for MinGW. Thanks for the assist, @smx-smx!
• openssl: Upgrade to openssl-3.0.12+quic@b81f0ae.

Just a quick bug-fix release to roll back two of the Interceptor/Relocator arm64 changes that went into the previous release. Turns out that these need some more refinement before they can land, so we will roll them back for now.

Changelog

• Revert “relocator: Improve scratch register strategy on arm64”.
• Revert “interceptor: Relocate tiny targets on arm64”.
• stalker: Allow transformer to skip calls on arm64.

Since our last release, @hsorbo and I had a lot of fun pair-programming on a wide range of exciting tech. Let’s dive right in.

Swift

We’ve introduced a brand new ApiResolver for Swift, which you can use like this:

const r = new ApiResolver('swift');
r.enumerateMatches('functions:*CoreDevice!*RemoteDevice*')
.forEach(({ name, address }) => {
  console.log('Found:', name, 'at:', address);
});

There’s also a new and exciting frida-tools release, 12.3.0, which upgrades frida-trace with Swift tracing support, using the new ApiResolver:

$ frida-trace Xcode -y '*CoreDevice!*RemoteDevice*'

Module

Our Module API now also provides enumerateSections() and enumerateDependencies(). And for when you want to scan loaded modules for specific section names, our existing module ApiResolver now lets you do this with ease:

const r = new ApiResolver('module');
r.enumerateMatches('sections:*!*text*/i')
.forEach(({ name, address }) => {
  console.log('Found:', name, 'at:', address);
});

EOF

There’s also a bunch of other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• swift-api-resolver: Add a brand new Swift API Resolver.
• module-api-resolver: Support resolving sections.
• api-resolver: Add optional size field to matches.
• module: Add enumerate_sections().
• module: Add enumerate_dependencies().
• device: Add unpair(). Only implemented for iOS-devices for now.
• compiler: Bump frida-compile to 16.4.1, and @types/frida-gum to 18.4.5.
• gdb: Handle empty response packets.
• gdb: Handle error reply to feature document request.
• darwin-mapper: Initialize TLV descriptors on load. Thanks @fabianfreyer!
• darwin-module: Add Thread Local Variable APIs. Thanks @fabianfreyer!
• darwin-module: Optimize exports enumeration slightly.
• elf-module: Improve the section ID generation.
• x86-writer: Add reg-reg {fs,gs}-based MOV insns. Thanks @fabianfreyer!
• arm64-writer: Add MRS instruction. Thanks @fabianfreyer!
• arm64-writer: Add UBFM, LSL, and LSR instructions. Thanks @fabianfreyer!
• relocator: Improve scratch register strategy on arm64.
• interceptor: Branch to trampoline using computed scratch register.
• interceptor: Relocate tiny targets on arm64.
• linux: Handle disabled process_vm_{read,write}v(). Thanks @Pyraun!
• server: Use sysroot for temporary files on rootless iOS. Thanks @fabianfreyer!
• gumjs: Fix crash in File and Database when Interceptor is absent. Thanks @mrmacete!
• gumjs: Fix NativePointer from number for 32-bit BE (#752). Thanks @forky2!
• gumjs: Bump frida-swift-bridge to 2.0.7.
• ci: Publish prebuilds for Node.js 20 & 21, and Electron 27.
• ci: Do not publish Swift bindings for now. There’s a long-standing heisenbug that causes the x86_64 slice to randomly end up corrupted, in turn resulting in CI release jobs failing. As I’m not too keen on sinking time into this anytime soon, considering how easy it is to build these bindings locally using a downloaded core devkit, simply dropping the release asset seems like the best solution.

Some exciting improvements this time around:

• ios: Fix spawn() on iOS 17. Thanks @hsorbo!
• ios: Add support for rootless systems. Thanks for the pair-programming, @hsorbo!
• android: Fix dynamic linker compatibility regression. Thanks for the pair-programming, @hsorbo! Kudo to @getorix for reporting.
• gumjs: Add Worker API, so heavy processing can be moved to a background thread, allowing hooks to be handled in a timely manner. Only implemented in the QuickJS runtime for now. Kudos to @mrmacete for tracking down and fixing last-minute bugs in the implementation.
• linux: Improve error-handling when trying to attach to processes that are near death.

Time for a new release, just in time for the weekend:

• server: Add missing entitlement for iOS >= 17. Kudos to @alexhude for helping get to the bottom of this one.
• stalker: Improve exclusive store handling on arm and arm64. Instead of potentially expanding the current block to include instructions beyond where the block would naturally end, we move to a safer approach: Once we encounter an exclusive store, we look back at the previously generated blocks to see if we can find one with an exclusive load. If we do, we mark this range of blocks as using exclusive access. We also invalidate the blocks, so that problematic instrumentation can be omitted upon recompilation. To also allow custom transformers to adapt their generated code, we introduce StalkerIterator.get_memory_access(). Thanks for the fun and productive pair-programming, @hsorbo!
• gumjs: Add StalkerIterator.memoryAccess, allowing a custom transformer to determine what kind of instrumentation is safe to add without disturbing an exclusive store operation. Set to either ‘open’, when “noisy” instrumentation such as callouts are safe, or ‘exclusive’, when such instrumentation is risky and may lead to infinite loops. (Due to an exclusive store failing, and every subsequent retry also failing.)
• gumjs: Fix CModule bindings for Stalker on arm.
• stalker: Fix crash on invalidation in added slabs.
• arm64-writer: Add put_eor_reg_reg_reg(). Thanks for the fun and productive pair-programming, @hsorbo!

Time for a new release to refine a few things:

• darwin: Fix Stalker.follow() regression where ongoing system calls would get brutally interrupted, typically resulting in the target crashing. Thanks for the pair-programming, @hsorbo!
• gumjs: Implement the WeakRef API for QuickJS.
• compiler: Bump @types/frida-gum to 18.4.0.

Only a few changes this time around:

• compiler: Bump frida-compile to 16.3.0, now with TypeScript 5.1.5 and other improvements. Among them is a fix by @hsorbo that changes the default moduleResolution to Node16.
• stalker: Add Iterator.get_capstone(), so transformers can use Capstone APIs that require the Capstone handle.
• node: Fix RPC message array check. Thanks @ZachQin!

For quite some years I’ve been dreaming of taking Frida beyond user-space software, to also support instrumenting OS kernels as well as barebone systems. Perhaps even microcontrollers…

Microcontrollers

Earlier this year my family’s cat door broke down. After some back and forth with the retailer, double-checking the installation and such, it would work for a little while before it eventually started malfunctioning.

This was obviously not much fun for our cats:

It’s also no surprise that they’d end up making a lot of noise, in turn making it hard to get a good night’s sleep when having to get up to let them back in manually.

I ended up buying a second cat door and, lo and behold, no more issues. The old one ended up collecting dust for a while. Something I kept thinking of was whether I could debug it, and perhaps even extend the software to do more useful things.

Feeling the urge to open it up to poke at the electronics inside of it, I eventually gave in:

That looked like an STM32F030C6T6, which is an ARM Cortex M0-based MCU. My first thought was whether I could dump the flash memory to do some static analysis.

After quickly skimming MCU docs, and a little bit of multimeter probing, I figured out the JP12 pads:

This made it easy to pull BOOT0 high, so the MCU boots into its internal bootloader instead of user code.

By hooking up a USB to 3.3V TTL device to the USART1 pads, I could dump the flash:

$ ./stm32flash -r firmware.bin /dev/ttyUSB0
stm32flash 0.7

http://stm32flash.sourceforge.net/

Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F03xx4/6)
- RAM        : Up to 4KiB  (2048b reserved by bootloader)
- Flash      : Up to 32KiB (size first sector: 4x1024)
- Option bytes  : 16b
- System memory : 3KiB
Memory read
Read address 0x08008000 (100.00%) Done.

And perform some static analysis:

Seeing as two of the other pads are connected to SWDIO and SWCLK, used for Serial Wire Debug (SWD), the natural next step was to hook up a Raspberry Pi Debug Probe to those. After getting that set up, I fired up OpenOCD:

$ openocd -f interface/cmsis-dap.cfg -f target/stm32f0x.cfg
Open On-Chip Debugger 0.11.0-g8e3c38f7-dirty (2023-05-05-14:25)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "swd". To override use 'transport select <transport>'.
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : Using CMSIS-DAPv2 interface with VID:PID=0x2e8a:0x000c, serial=E6614103E78B482F
Info : CMSIS-DAP: SWD  Supported
Info : CMSIS-DAP: FW Version = 2.0.0
Info : CMSIS-DAP: Interface Initialised (SWD)
Info : SWCLK/TCK = 0 SWDIO/TMS = 0 TDI = 0 TDO = 0 nTRST = 0 nRESET = 0
Info : CMSIS-DAP: Interface ready
Info : clock speed 1000 kHz
Info : SWD DPIDR 0x0bb11477
Info : stm32f0x.cpu: hardware has 4 breakpoints, 2 watchpoints
Info : starting gdb server for stm32f0x.cpu on 3333
Info : Listening on port 3333 for gdb connections

The idea I had been thinking about for a long time was to add a new Frida backend where the only process you can attach to is PID 0. Any scripts loaded there would actually be run locally, and implement the familiar JavaScript API. Any API that accesses memory, such as when dereferencing an int * by doing e.g. ptr(‘0x80000’).readInt(), would end up querying the target, through SWD in the above case.

I initially started sketching this where the backend would talk to the OpenOCD daemon through its telnet interface. But I quickly realized that it would be better to talk to its GDB-compatible remote stub. In this way, Frida will be able to instrument any target with an available remote stub. Whether that’s OpenOCD, Corellium (iOS kernel instrumentation!), QEMU, etc.

As for Interceptor, my thinking was that basic functionality would be implemented using breakpoints. But, only if the user supplies JavaScript callbacks. If function pointers are supplied instead, we could perform inline hooking so the target can run without any traps/ping-pongs with the host. This means it could even be used for observing and modifying hot code inside an OS kernel or MCU firmware.

After some initial sketching, I was able to run the following script:

Interceptor.breakpointKind = 'hard';

const THUMB_BIT = 1;

const initRest = ptr('0x0800306a').or(THUMB_BIT);
Interceptor.attach(initRest, {
  onEnter(args) {
    console.log('>>> init_rest()',
        JSON.stringify(this.context, null, 2));
  },
  onLeave(retval) {
    console.log(`<<< init_rest() retval=${retval}`);
  }
});

Using the Frida REPL:

$ frida -D barebone -p 0 -l demo.js
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)

[Remote::SystemSession ]-> $gdb.continue()
[Remote::SystemSession ]-> >>> init_rest() {
  "r7": "0xffffffff",
  "pc": "0x800306a",
  "r8": "0xffffffff",
  "xPSR": "0x41000000",
  "r9": "0xffffffff",
  "sp": "0x20000578",
  "r0": "0x0",
  "r10": "0xffffffff",
  "lr": "0x8003069",
  "r1": "0x40021008",
  "r11": "0xffffffff",
  "r2": "0xffffffff",
  "r12": "0xffffffff",
  "r3": "0xffffffff",
  "r4": "0xffffffff",
  "r5": "0xffffffff",
  "r6": "0xffffffff"
}
<<< init_rest() retval=0x1

A few things to note here:

• We set Interceptor.breakpointKind to hard, as our target’s code resides in flash, which means software-breakpoints won’t work. This would not have been necessary if I was using a J-Link or similar SWD interface, which transparently reflashes as software-breakpoints are added.
• The backend does not yet automatically resume, so we are doing that manually through $gdb.continue(), part of this internal API, which exposes most of GDB.Client to JavaScript. This is meant to become an internal implementation detail, but will be needed while this new backend matures – it should not yet be considered stable API.
• We set the least significant bit to indicate to Interceptor that the target function uses Thumb instruction encoding. This part may already be familiar to you if you have previously used Frida’s conventional backends on 32-bit ARM.
• The new Barebone backend connects to the GDB-compatible remote stub at 127.0.0.1:3333 by default. This matches what OpenOCD typically defaults to, but can be overridden by setting the FRIDA_BAREBONE_ADDRESS environment variable.

OS kernels

While my fun little cat door side-quest is a great test case for the tiny part of the spectrum, there’s also a lot of potential in supporting larger systems.

One of the cooler use-cases there is definitely Corellium, as it means we can instrument the iOS kernel. Using a Tamarin Cable it should even be possible to get this working on a checkm8-exploitable physical device.

Before we touch on that though, let’s see if we can get things going with QEMU and a live Linux kernel.

Linux

First, we’ll fire up a VM we can play with:

$ pip install arm_now
$ arm_now start aarch64 --add-qemu-options='-gdb tcp::9000'
...
Welcome to arm_now
buildroot login:

Next, we’ll use the Frida REPL to look around:

$ export FRIDA_BAREBONE_ADDRESS=127.0.0.1:9000
$ frida -D barebone -p 0
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)

[Remote::SystemSession ]-> Process.arch
"arm64"
[Remote::SystemSession ]-> Process.enumerateRanges('r-x')
[
    {
        "base": "0xffffff8008080000",
        "protection": "r-x",
        "size": 4259840
    }
]
[Remote::SystemSession ]-> $gdb.state
"stopped"
[Remote::SystemSession ]-> $gdb.exception
{
    "breakpoint": null,
    "signum": 2,
    "thread": {}
}
[Remote::SystemSession ]-> $gdb.exception.thread.readRegisters()
{
    "cpsr": 1610613189,
    "pc": "0xffffff8008096648",
    "sp": "0xffffff80085f3f10",
    "x0": "0x0",
    "x1": "0xffffff80085e6b78",
    "x10": "0x880",
    "x11": "0xffffffc00e877180",
    "x12": "0x0",
    "x13": "0xffffffc00ffe1f30",
    "x14": "0x0",
    "x15": "0xfffffff8",
    "x16": "0xffffffbeff000000",
    "x17": "0x0",
    "x18": "0xffffffc00ffe17e0",
    "x19": "0xffffff80085e0000",
    "x2": "0x40079f5000",
    "x20": "0xffffff80085f892c",
    "x21": "0xffffff80085f88a0",
    "x22": "0xffffff80085ffe80",
    "x23": "0xffffff80085ffe80",
    "x24": "0xffffff80085d5028",
    "x25": "0x0",
    "x26": "0x0",
    "x27": "0x0",
    "x28": "0x405a0018",
    "x29": "0xffffff80085f3f10",
    "x3": "0x30c",
    "x30": "0xffffff800808492c",
    "x4": "0x0",
    "x5": "0x40079f5000",
    "x6": "0x1",
    "x7": "0x1c0",
    "x8": "0x2",
    "x9": "0xffffff80085f3e80"
}
[Remote::SystemSession ]->

You might wonder how we’ve implemented Process.enumerateRanges(). This part is for now only implemented on arm64, and it is accomplished by parsing the page tables. (And if we’re talking to Corellium’s remote stub we use a vendor-specific monitor command to save ourselves a lot of network roundtrips.)

So now that we’re peeking into a running kernel, one of the things we might want to do is find internal functions and data structures. This is where the memory- scanning API comes handy:

for (const r of Process.enumerateRanges('r-x')) {
  console.log(JSON.stringify(r, null, 2));
  const matches = Memory.scanSync(r.base, r.size,
      '7b2000f0 fa03082a 992480d2 : 1f00009f ffffffff 1f00e0ff');
  console.log('Matches:', JSON.stringify(matches, null, 2));
}

Here we’re looking for the Linux kernel’s arm64 syscall handler, matching on its first three instructions. We use the masking feature to mask out the immediates of the ADRP and MOV instructions (first and third instruction).

Let’s take it for a spin:

$ frida -D barebone -p 0 -l scan.js
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)
Attaching...
{
  "base": "0xffffff8008080000",
  "size": 4259840,
  "protection": "r-x"
}
Matches: [
  {
    "address": "0xffffff8008082f00",
    "size": 12
  }
]
[Remote::SystemSession ]->

So now we’ve dynamically detected the kernel’s internal syscall handler! 🚀

Re-implementing the memory scanning feature was one of the highlights for me personally, as @hsorbo and I had a lot of fun pair-programming on it. The implementation is conceptually very similar to what we’re doing in our Fruity backend for jailed iOS, and our new Linux injector: instead of transferring data to the host, and searching that, we can get away with transferring only the search algorithm, to run that on the target.

The memory scanner implementation is written in Rust, and helped prepare the groundwork for a new cool feature I’m going to cover a bit later in this post.

So, now that we know where the Linux kernel’s syscall handler is, we can use Interceptor to install an instruction-level hook:

const el0Svc = ptr('0xffffff8008082f00');
Interceptor.attach(el0Svc, function (args) {
  const { context } = this;
  const scno = context.x8.toUInt32();
  console.log(`syscall! scno=${scno}`);
});

And try that out on our running VM:

$ frida -D barebone -p 0 -l kernhook.js
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)

[Remote::SystemSession ]-> $gdb.continue()
[Remote::SystemSession ]-> syscall! scno=63
syscall! scno=64
syscall! scno=73
syscall! scno=63
syscall! scno=64
syscall! scno=73
syscall! scno=63
syscall! scno=64
syscall! scno=56
syscall! scno=62
syscall! scno=64
syscall! scno=57
syscall! scno=29
syscall! scno=134
...

And that’s it – we are monitoring system calls across the entire system! 💥

Rust

One of the first things you’ll probably notice if you try the previous example is that we slow down the system quite a bit. This is because Interceptor uses breakpoints when a JavaScript function is specified as the callback.

Not to worry though. If we write our callback in machine code and pass a NativePointer instead, Interceptor will pick a different strategy: it will modify the target’s machine code to redirect execution to a trampoline, which in turn calls the function at the address that we specify.

So that’s great. We only need to get our machine code into memory. Some of you may be familiar with our CModule API. We don’t yet implement that one in this new Barebone backend (and we will, eventually!), but we have something even better. Enter RustModule:

const kernBase = ptr('0xffffff8008080000');
const procPidStatus = kernBase.add(0x15e600);

const m = new RustModule(`
#[no_mangle]
pub unsafe extern "C" fn hook(ic: &mut gum::InvocationContext) -> () {
    let regs = &mut ic.cpu_context;
    println!("proc_pid_status() was called with x0={:#x} x1={:#x}",
        regs.x[0],
        regs.x[1],
    );
}
`);

Interceptor.attach(procPidStatus, m.hook);

The RustModule implementation uses a local Rust toolchain, assumed to be on your PATH, to compile the code you provide it into a no_std self-contained ELF. It relocates this ELF and writes it into the target’s memory. As part of this it will also parse the MMU’s page tables and insert new entries there so the uploaded code becomes part of the virtual address space, where the pages are read/write/execute.

In this example we’re hooking proc_pid_status() in our live Linux kernel.

Note that File.readAllText() can be used to avoid having to inline Rust code inside your JavaScript. Here we’re using inline code for the sake of brevity.

Now, with our Rust-powered agent, let’s take it for a spin:

$ frida -D barebone -p 0 -l kernhook2.js
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)

Error: to enable this feature, set FRIDA_BAREBONE_HEAP_BASE to the physical base address to use, e.g. 0x48000000
    at <eval> (/home/oleavr/src/demo/kernhook2.js:13)
    at evaluate (native)
    at <anonymous> (/frida/repl-2.js:1)

[Remote::SystemSession ]->

Oops! That didn’t quite work. There is still one piece missing in our new backend: we don’t yet have any “kernel bridges” in place that automatically fingerprint the internals of known kernels in order to find a suitable internal memory allocator we can use. This will also be needed to implement APIs such as Process.enumerateModules(), which will allow listing the loaded kernel modules/kexts. We could also locate the kernel’s process list and implement enumerate_processes(), so frida-ps works. And those are only a couple of examples… How about injecting frida-gadget into a user-space process? That would be super-useful for an embedded system where we want to avoid modifying the flash. Anyway, I digress 😊

So, on MCUs and unknown kernels you will have to tell Frida where, in physical memory, we may clobber if you want to use intrusive features such as RustModule, Interceptor in its inline hooking mode, Memory.alloc(), etc.

With that in mind, let’s retry our example, but this time we’ll set the FRIDA_BAREBONE_HEAP_BASE environment variable:

$ export FRIDA_BAREBONE_HEAP_BASE=0x48000000
$ frida -D barebone -p 0 -l kernhook2.js
     ____
    / _  |   Frida 16.1.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to GDB Remote Stub (id=barebone)

[Remote::SystemSession ]-> m
{
    "hook": "0xffffff80080103e0"
}
[Remote::SystemSession ]-> $gdb.continue()

Yay! 🎉 So now, in the terminal where we have QEMU running, let’s try accessing /proc/$pid/status three times, so the hooked function gets called:

# head -3 /proc/self/status
Name:	head
Umask:	0022
State:	R (running)
# head -3 /proc/self/status
Name:	head
Umask:	0022
State:	R (running)
# head -3 /proc/self/status
Name:	head
Umask:	0022
State:	R (running)

Over in our REPL, we should see our hook() getting hit three times:

proc_pid_status() was called with x0=0xffffffc00d4bca00 x1=0xffffff8008608758
proc_pid_status() was called with x0=0xffffffc00d4bc780 x1=0xffffff8008608758
proc_pid_status() was called with x0=0xffffffc00d4bc780 x1=0xffffff8008608758

It works! 🥳

There’s one important thing to note though: In our example we’re using println!(), and this actually causes the target to hit a breakpoint, so the host can read out the message passed to it, and bubble that up just like a console.log() from JavaScript. This means you should only use this feature for temporary debugging purposes, and throttle how often it’s called if on a hot code-path.

The next thing you might want to do is pass external symbols into your RustModule. For example if you want to call internal kernel functions from your Rust code. This is accomplished by declaring them like this:

extern "C" {
    fn frobnicate(data: *const u8, len: usize);
}

Then when constructing the RustModule, pass it in through the second argument:

const m = new RustModule(source, {
  frobnicate: ptr('0xffffff8008084320'),
});

For those of you familiar with our CModule API, this part is exactly the same. You can also use NativeCallback to implement portions host-side, in JavaScript, but this needs to be handled with care to avoid performance bottlenecks. Going in the opposite direction there is also NativeFunction, which you can use to call into your Rust code from JavaScript.

Last but not least, you may also want to import existing Rust crates from crates.io. This is also supported:

const m = new RustModule(source, {}, {
  dependencies: [
    'cstr_core = { version = "0.2.6", default-features = false }',
  ]
});

Corellium

What’s so exciting is that all of the Linux bits above all “just work” on Corellium as well. All you need to do is point FRIDA_BAREBONE_ADDRESS at the endpoint shown in Corellium’s UI under “Advanced Options” -> “gdb”.

Shout-out to the awesome folks at Corellium for their support while doing this. They even implemented new protocol features to improve interoperability 🔥

Future

This new backend should be considered alpha quality for now, but I think it’s already capable of so many useful things that it would be a shame to keep it sitting on a branch.

You may notice that the JS APIs implemented only cover a subset, and not all features are available on non-arm64 targets yet. But all of this will improve as the backend matures. (Pull-requests are super-welcome!)

And as a fun aside, here’s Frida attached to the BeOS kernel:

EOF

There’s also a bunch of other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• Add Barebone backend. (Covered extensively above.)
• objc: Handle modifiers. This makes type parsing more reliable, especially when dealing with ivars which often times have the “atomic” modifier: exceptions were thrown because the modifiers ended up being treated as unknown types. Thanks @mrmacete!
• android: Fix support for Android 14. Thanks @gsingh93! Also thanks @jayluxferro for contributing a follow-up fix for a mistake I made while merging @gsingh93’s PR.
• gum-graft: Add support for chained imports. Thanks @mrmacete!
• gumjs: Add NativePointer#readVolatile(), to provide a safe way to read from memory that may become unmapped or have its memory protection changed midway through. Thanks @hsorbo!
• darwin: Improve tvOS support to also cover frida-server. Thanks @tmm1!
• darwin: Plug memory leak in fallback kill() logic. Thanks @tmm1!
• fruity: Handle failure to fetch dyld symbols.
• compiler: Bump frida-compile to 16.2.2. Dependencies’ source maps are now also bundled – thanks @vfsfitvnm!
• compiler: Bump @types/frida-gum to 18.3.2, now with improved typings for hexdump().
• gdb: Add GDB.Client, by factoring out the guts of Fruity’s LLDB.Client, with many protocol enhancements and interoperability fixes added on top.
• elf-module: Improve API and make it cross-platform. Support loading from a blob, expose relocations, and improve overall robustness.
• capstone: Fix crash on x86 when building with MSVC.

Some exciting stability improvements this time around:

• darwin: Make spawn() aware of the prewarm feature used on iOS >= 15. What happens is that the most frequently used apps are being spawned ahead of time by dasd and kept suspended until the user attempts to launch them, in order to save some startup time. This was in the way of Frida’s spawn mechanism because:
  • apps launched this way won’t be going through launchd when expected, causing a “timeout was reached” error, or more complex race conditions
  • Frida needs to spawn a fresh process to ensure early instrumentation

  We solve these problems by:

  • ignoring prewarm spawns from the launchd agent (though they’re still emitted as spawn if spawn gating is enabled)
  • killing existing prewarmed apps before attempting to spawn them Thanks @mrmacete!
• glib: Ensure {Input,Output}Stream only g_poll() if pollable. This is essential on Apple OSes and BSDs, where GLib uses kqueue to implement GMainContext, as it may otherwise end up waiting forever when the file-descriptor represents an ordinary file. Thanks @hsorbo!
• android: Fix x86 devkits by improving libffi to avoid problematic relocations.
• gadget: Fix deadlock during Windows process termination. Kudos to @Palacee-hun for reporting!

Just a quick bug-fix release reviving support for Android x86/x86_64 systems with ARM emulation. This is still a blind spot in our CI, and I forgot all about it while working on the new Linux injector. Kudos to @stopmosk for promptly reporting and helping triage this regression.

Time for a bug-fix release with only one change: turns out the ARMv8 BTI interop introduced in 16.0.14 is problematic on Apple A12+ SoCs when running in arm64e mode, i.e. with pointer authentication enabled.

Kudos to @miticollo for reporting and helping triage the cause, and @mrmacete for digging further into it, brainstorming potential fixes, and implementing the fix. You guys rock! ❤️

Seeing as TypeScript 5.0 was released last month, and frida.Compiler was still at 4.9, we figured it’s time to upgrade it. So with this release we’re now shipping 5.0.4. The upgrade also revealed a couple of bugs in our V8-based runtime, and that our embedded frida-gum typings were slightly outdated.

Enjoy!

Changelog

• gumjs: Fix task deadlock during V8 Isolate teardown.
• gumjs: Fix undefined behavior during V8 snapshot creation.
• compiler: Bump frida-compile.
• compiler: Use the proper @types/frida-gum.

Here’s a release fixing two stability issues affecting users on Apple platforms:

• interceptor: Keep thread ports alive between suspend and resume on Darwin. We were borrowing the Mach thread port right names released by enumerate_threads(), assuming that another reference existed to keep each of them alive. When this wasn’t the case we would at best pass an invalid Mach port right name to thread_resume(), and worst-case we would use a totally unrelated port. Regardless, we would leave such threads suspended forever. Thanks @mrmacete!
• agent: Dispose ThreadSuspendMonitor in its own transaction. Since Interceptor relies on ThreadSuspendMonitor passthrough, disposing of it in its own transaction and after all the other components which use Interceptor at destruction time makes sure no Frida thread will attempt executing code on non-executable pages at teardown time. Thanks @mrmacete!

More exciting bug-fixes:

• linux: Fix ProcMapsEntry major/minor number parsing. Thanks @chouex!
• interceptor: Fix ARMv8 BTI interoperability. Thanks @zjw88282740!
• arm64-writer: Add put_ret_reg(). Thanks @zjw88282740!
• compiler: Fix filesystem access on some Linux systems, e.g. Ubuntu 20.04. Kudos to @pancake for reporting and helping track this one down!

Only a few bug-fixes this time around:

• android: Fix dynamic linker probing on older systems.
• android: Limit graceful injection to arm and arm64.
• linux: Fix syscall wait logic on x86 and x86_64.

Lots of goodies this time around. One of them is our brand new Linux injector. This was a lot of fun, especially as it involved lots of pair-programming with @hsorbo.

We’re quite excited about this one. Frida now supports injecting into Linux containers, such as Flatpak apps. Not just that, it can finally inject code into processes without a dynamic linker present.

Another neat improvement is if you’re running Frida on Linux >= 3.17, you may notice that it no longer writes out any temporary files. This is accomplished through memfd and a reworked injector signaling mechanism.

Our new Linux injector has a fully asynchronous design, without any dangerous blocking operations that can result in deadlocks. It is also the first injector to support providing a control channel to the injected payload.

Down the road the plan is to implement this in our other backends as well, and make it part of our cross-platform Injector API. The thinking there is to make it easier to implement custom payloads.

There are also many other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• linux: Re-engineer injector. Thanks for the productive pair-programming, @hsorbo!
• linux: Fix the libc-based module enumeration.
• linux: Fix query_libc_name() on musl.
• linux: Fix module handle resolver logic on musl.
• linux: Fix Module.ensure_initialized() on musl.
• darwin: Make ThreadSuspendMonitor passthrough if called by Frida, to avoid deadlock scenarios. Thanks @mrmacete!
• darwin: During spawn(), always use PTYs for piped stdio, and enable close-on-exec.
• windows: Use existing DbgHelp instance if present. Thanks @fesily!
• windows: Implement Module.enumerate_symbols(). Thanks @fesily!
• process: Skip cloaked modules in enumerate_modules().
• cloak: Add has_range_containing().
• elf-module: Replace has_interp() with get_interpreter().
• gumjs: Fix runtime serialization unsigned encoding.
• objc: Add symbol property on method as a means for the method object to fully describe itself in a human readable way. Thanks @mrmacete!
• java: Use symbols for unique property names. Thanks @yotamN!
• java: Add toString() method to overloads. Thanks @oriori1703!
• java: Add toString() method to types and field. Thanks @yotamN!
• java: Fix toString() for overloaded methods. Thanks @yotamN!
• server: Support loading as a shared library. Thanks @Yannayli!

Only a few bug-fixes this time around:

• darwin: Fix deadlock while pausing threads on non-RWX systems. Thanks @mrmacete!
• darwin: Fix mapping zero-sized segments. Thanks @comex!
• linux: Improve Gum to support programs without a runtime linker.
• linux: Fix error-propagation from Gum.Linux APIs.

This time we’re bringing you additional iOS 15 improvements, an even better frida.Compiler, brand new support for musl libc, and more. Do check out the changelog below for more details.

Enjoy!

Changelog

• ios: Fix spawn() on lower versions of iOS 15. Thanks @as0ler and @mrmacete!
• ios: Ensure launchd prioritizes our daemon. Kudos to @getorix for investigating and suggesting this fix.
• compiler: Bump frida-compile, frida-fs, and Gum typings. This means that frida.Compiler now also works properly on linux-arm64 and linux-x86.
• linux: Add support for musl libc, including CI that publishes release assets for x86_64 and arm64.
• gumjs: Add console.debug() and console.info(). Thanks @oriori1703!
• gumjs: Fix build when node_modules/@types exists above us.
• gumjs: Ignore tcclib.h symbols when generating runtime. Thanks @milahu!
• build: Improve support for shared builds. Thanks @milahu!

The main theme of this release is improved support for jailbroken iOS. We now support iOS 16.3, including app listing and launching. Also included is improved support for iOS 15, and some regression fixes for older iOS versions.

There are also some other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• darwin: Fix app listing and launching on iOS >= 16. Thanks for the productive pair-programming, @hsorbo!
• darwin: Fix crash during early instrumentation of modern dylds.
• darwin: Fix breakpoint conflict in early instrumentation, a regression introduced in 16.0.8 as part of improving spawn() performance. Thanks @mrmacete!
• package-server-ios: Force xz compression.
• darwin-grafter: Create multiple segments if needed. Thanks @mrmacete!
• interceptor: Flip page protection on Darwin grafted import activation. Thanks @mrmacete!
• stalker: Fix handling of ARM LDMIA without writeback.
• darwin: Add query_protection(). Thanks @mrmacete!
• darwin: Avoid kernel task port probing in hardened processes. Thanks @as0ler!
• darwin: Fix Process.modify_thread() reliability.
• darwin: Fix query_hardened() on iOS w/ tweaks enabled. Thanks @as0ler!
• darwin: Make Process.modify_thread() less disruptive.
• darwin: Optimize Process.modify_thread().
• darwin: Add modify_thread().
• arm-writer: Add put_ldmia_reg_mask_wb().
• gumjs: Fix runtime serialization not handling unicode. Thanks @milahu!
• python: Add async variant to RPC calls. Thanks @yotamN!
• python: Add specific signals type hinting for core. Thanks @yotamN!

This time we’ve focused on polishing up our macOS and iOS support. For those of you using spawn() and spawn-gating for early instrumentation, things are now in much better shape.

i/macOS spawn() performance

The most exciting change in this release is all about performance. Programs that would previously take a while to start when launched using Frida should now be a lot quicker to start. This long-standing bottleneck was so bad that an app with a lot of libraries could fail to launch due to Frida slowing down its startup too much.

i/macOS and SIGPIPE

Next up we have a fix for a long-standing reliability issue. Turns out our file-descriptors used for IPC did not have SO_NOSIGPIPE set, so we could sometimes end up in a situation where either Frida or the target process terminated abruptly, and the other side would end up getting zapped by SIGPIPE while trying to write().

Sandboxed environments, part two

The previous release introduced some bold new changes to support injecting into hardened targets. Since then @hsorbo and me dug back into our recent GLib kqueue() patch and fixed some rough edges. We also fixed a regression where attaching to hardened processes through usbmuxd would fail with “connection closed”.

Linux

On the Linux and Android side of things, some of you may have noticed that thread enumeration could fail randomly, especially inside busy processes. That issue has now finally been dealt with.

Also, thanks to @drosseau we also have an error-handling improvement that should avoid some confusion when things fail in 32-/64-bit cross-arch builds.

EOF

That is all this time around. Enjoy!

It’s been a busy week. Let’s dive in.

Sandboxed environments

This week @hsorbo and me spent some days trying to get Frida working better in sandboxed environments. Our goal was to be able to get Frida into Apple’s SpringBoard process on iOS. But to make things a little interesting, we figured we’d start with imagent, the daemon that handles the iMessage protocol. It has been hardened quite a bit in recent OS versions, and Frida was no longer able to attach to it.

So we first started out with this daemon on macOS, just to make things easier to debug. After finding the daemon’s sandbox profile at /System/Library/Sandbox/Profiles/com.apple.imagent.sb, it was hard to miss the syscall policy. It disallows all syscalls by default, and carefully enables some groups of syscalls, plus some specific ones that it also needs.

We then discovered that Frida’s use of the pipe() syscall was the first hurdle. This code is not actually in Frida itself, but in GLib, the excellent library that Frida uses for data structures, cross-platform threading primitives, event loop, etc. It uses pipe() to implement a primitive needed for its event loop. More precisely, it uses this primitive to wake up the event loop’s thread in case it is blocking in a poll()-style syscall.

Anyway, we noticed that kqueue() is part of the groups of syscalls explicitly allowed. Given that Apple’s kqueue() supports polling file-descriptors and Mach ports at the same time, among other things, it’s likely to be needed in a lot of places, and thus allowed by a broad range of sandbox profiles. It is also a great fit for us, since EVFILT_USER means there is a way to wake up the event loop’s thread. Not just that, but it doesn’t cost us a single file-descriptor.

After lots of coffee and fun pair-programming, we arrived at a patch that switches GLib’s event loop over to kqueue() on OSes that support it. This got us to the next hurdle: Frida is using socket APIs for file-descriptor passing, part of the child-gating feature used for instrumenting children of the current process. However, since hardened system services aren’t likely to be allowed to do things like fork() and execve(), it is fine to simply degrade this part of our functionality. That was tackled next, and boom… Frida is finally able to attach to imagent. 🎉 Yay!

Next up we moved over to iOS and took it for a spin there. Much to our surprise, Frida could attach to SpringBoard right out of the gate. Later we tried notifyd and profiled, and could attach to those too. Even on latest iOS 16. But, there’s still work to do, as Frida cannot yet attach to imagent and WebContent on iOS. This is exciting progress, though.

Injection on iOS >= 15

While doing all of this we also tracked down a crash on iOS where frida-server would get killed due to EXC_GUARD during injection on iOS >= 15. That has now also been fixed, just in time for the release!

DebugSymbol API

Another exciting piece of news is that @mrmacete improved our DebugSymbol API to consistently provide the full path instead of only the filename. This was a long-standing inconsistency across our different platform backends. While at it he also exposed the column, so you also get that in addition to the line number.

Interceptor.replace(), but fast

Last but not least it’s worth mentioning an exciting new improvement in Interceptor. For those of you using it from C, there’s now replace_fast() to complement replace(). This new fast variant emits an inline hook that vectors directly to your replacement. You can still call the original if you want to, but it has to be called through the function pointer that Interceptor gives you as an optional out-parameter. It also cannot be combined with attach() for the same target. It is a lot faster though, so definitely good to be aware of when needing to hook functions in hot code-paths.

EOF

That’s all this time. Enjoy!

Changelog

• darwin: Disable advanced features in hardened processes.
• darwin: Port GLib’s MainContext to use kqueue() instead of poll().
• darwin: Fix EXC_GUARD during injection on iOS >= 15.
• package-server-ios: Port launchd plist to iOS 16.
• gadget: Do not cloak main thread while loading.
• debug-symbol: Ensure path is absolute and add column field. Thanks @mrmacete!
• darwin: Add query_hardened().
• interceptor: Add replace_fast().
• interceptor: Reduce memory usage per target.

Turns out a serious stability regression made it into Frida 16.0.3, where our out-of-process dynamic linker for Apple OSes could end up crashing the target process. This is especially disastrous when the target process is launchd, as it results in a kernel panic. Thanks to the amazing work of @mrmacete, this embarrassing regression is now fixed. 🎉 Enjoy!

Quick bug-fix release this time around: the Android system_server instrumentation adjustments should now work reliably on all systems.

Here’s a brand new release just in time for the weekend! 🎉 A few critical stability fixes this time around.

Enjoy!

Changelog

• gumjs: Fix use-after-free in the V8 JobState logic. Kudos to @pancake for reporting and helping track this one down!
• android: Fix racy Zygote and system_server instrumentation. Thanks for the fun and productive pair-programming, @hsorbo!
• submodules: Add frida-go. Thanks @lateralusd!

Some cool new things this time. Let’s dive right in.

tvOS and watchOS

One of the exciting contributions this time around came from @tmm1, who opened a whole bunch of pull-requests adding support for tvOS. Yay! As part of landing these I took the opportunity to add support for watchOS as well.

This also turned out to be a great time to simplify the build system, getting rid of complexity introduced to support non-Meson build systems such as autotools. So as part of this clean-up we now have separate binaries for Simulator targets such as the iOS Simulator, tvOS Simulator, etc. Previously we only supported the x86_64 iOS Simulator, and now arm64 is covered as well.

macOS 13 and iOS 16

Earlier this week, @hsorbo and I did some fun and productive pair-programming where we tackled the dynamic linker changes in Apple’s latest OSes. Those of you using Frida on i/macOS may have noticed that spawn() stopped working on macOS 13 and iOS 16.

This was a fun one. It turns out that the dyld binary on the filesystem now looks in the dyld_shared_cache for a dyld with the same UUID as itself, and if found vectors execution there instead. Explaining why this broke Frida’s spawn() functionality needs a little context though, so bear with me.

Part of what Frida does when you call attach() is to inject its agent, if it hasn’t already done this. Before performing the injection however, we check if the process is sufficiently initialized, i.e. whether libSystem has been initialized.

When this isn’t the case, such as after spawn(), where the target is suspended at dyld’s entrypoint, Frida basically advances the main thread’s execution until it reaches a point where libSystem is ready. This is typically accomplished using a hardware breakpoint.

So because the new dyld now chains to another copy of itself, inside the dyld_shared_cache, Frida was placing a breakpoint in the version mapped in from the filesystem, instead of the one in the cache. Obviously that never got hit, so we would end up timing out while waiting for this to happen.

The fix was reasonably straight-forward though, so we managed to squeeze this one into the release in the last minute.

Compiler improvements

The frida.Compiler just got a whole lot better, and now supports additional configuration through tsconfig.json, as well as using local frida-gum typings.

V8 debugger

The V8 debugger integration was knocked out by the move to having one V8 Isolate per script, which was a delicate refactoring needed for V8 snapshot support. This is now back in working order.

Dependency upgrades

One of the heavier lifts this time around was clearly dependency upgrades, where most of our dependencies have now been upgraded: from Capstone supporting ARMv9.2 to latest GLib using PCRE2, etc.

The move to PCRE2 means our Memory.scan() regex support just got upgraded, since GLib was previously using PCRE1. We don’t yet enable PCRE2’s JIT on any platforms though, but this would be an easy thing to improve down the road.

Cross-post: frida-tools 12.0.2

We also have a brand new release of frida-tools, which thanks to @tmm1 has a new and exciting feature. The frida-ls-devices tool now displays higher fidelity device names, with OS name and version displayed in a fourth column:

To upgrade:

$ pip3 install -U frida frida-tools

EOF

There are also some other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• darwin: Add support for watchOS and tvOS. Thanks @tmm1!
• darwin: Fix early instrumentation on macOS 13 and iOS 16. (Thanks for the pair-programming on this one, @hsorbo!)
• interceptor: Suspend threads while mutating pages on W^X systems such as iOS. This improves stability when instrumenting busy processes.
• system-session: Re-enable Exceptor for now.
• compiler: Allow configuring target, lib, and strict.
• compiler: Fix support for local frida-gum typings.
• compiler: Use latest @types/frida-gum from git.
• ci: Drop prebuilds for Node.js 10.
• ci: Publish prebuilds for Node.js 19.
• ci: Publish prebuilds for Electron 21 instead of 20.
• unw-backtracer: Improve accuracy on 32-bit ARM.
• thread: Add suspend() and resume() to the Gum C API.
• darwin: Improve handling of chained fixups.
• darwin: Fix Objective-C symbol synthesis on arm64e.
• linux: Detect noxsave on Linux.
• linux: Improve injector to handle faux .so mappings. Thanks @lx866!
• module-map: Support lookups with ptrauth bits set.
• gumjs: Add NativeFunction traps: ‘none’ option. Thanks @mrmacete!
• gumjs: Prevent File and SQLite APIs from triggering Interceptor. Thanks @mrmacete!
• gumjs: Hold Isolate lock while performing V8 jobs.
• gumjs: Fix deadlock on V8 script teardown.
• gumjs: Fix V8 debugger not seeing loaded scripts.
• gumjs: Fix CModule external toolchain support on Darwin/arm64e.
• gumjs: Fall back if V8 MAP_JIT fails on Darwin.
• gumjs: Do not freeze V8 flags after init, to avoid issues with hardened processes on Darwin.
• socket: Upgrade to libsoup 3.x for HTTP/2 support.
• devkit: Add .gir to the frida-core kit. Thanks @lateralusd!
• devkit: Update examples to the current Device API.
• python: Support UNIX socket addresses everywhere.
• node: Fix Node.js v19 compatibility.
• deps: Upgrade most of the dependencies to the latest and greatest.
• build: Refactor to get rid of non-Meson cruft.

It’s Friday! Here’s a brand new release with lots of improvements:

• macOS: Fix support for attaching to arm64e system apps and services on macOS >= 12.
• i/macOS: Upgrade support for chained fixups.
• iOS: Fix system session on arm64e devices running iOS < 14.
• system-session: Disable Exceptor and monitors.
  • Exceptor interferes with the signal handling of the hosting process, which is risky and prone to conflict.
  • Monitors aren’t really useful for the system session.
• interceptor: Fix trampolines used in grafted mode on iOS/arm64. Thanks @mrmacete!
• compiler: Fix stability issues on multiple platforms.
• compiler: Fix the @frida/path shim.
• compiler: Speed things up by also making use of snapshot on non-x86/64 Linux.
• devkit: Fix regressions in the Windows, macOS, and Linux devkits.
• v8: Fix heap corruptions caused by our libc-shim failing to implement malloc_usable_size() APIs, which V8 relies on.
• v8: Fix support for scripts using different snapshots, which was broken due to V8 previously being configured to share read-only space across isolates. That option conflicts with multiple snapshots.
• v8: Improve teardown.
• v8: Fix v8::External API contract violations.
• v8: Upgrade to 10.9.42.
• zlib: Upgrade to 1.2.13.
• gum: Fix subproject build for ELF-based OSes.
• python: Fix tags of published Linux wheels.
  • Add legacy platform tags so older versions of pip recognize them.
  • Pretend some of the wheels require glibc >= 2.17, as lower versions aren’t recognized on certain architectures.

Two small but significant bugfixes this time around:

• python: Fix computed sdist version metadata.
• python: Assume non-universal devkit build on macOS.

Hope some of you are enjoying frida.Compiler! In case you have no idea what that is, check out the 15.2.0 release notes.

Performance

Back in 15.2.0 there was something that bothered me about frida.Compiler: it would take a few seconds just to compile a tiny “Hello World”, even on my i9-12900K Linux workstation:

$ time frida-compile explore.ts -o _agent.js

real	0m1.491s
user	0m3.016s
sys	0m0.115s

After a lot of profiling and insane amounts of yak shaving, I finally arrived at this:

$ time frida-compile explore.ts -o _agent.js

real	0m0.325s
user	0m0.244s
sys	0m0.109s

That’s quite a difference! This means on-the-fly compilation use-cases such as frida -l explore.ts are now a lot smoother. More importantly though, it means Frida-based tools can load user scripts this way without making their users suffer through seconds of startup delay.

Snapshots

You might be wondering how we made our compiler so quick to start. If you take a peek under the hood, you’ll see that it uses the TypeScript compiler. This is quite a bit of code to parse and run at startup. Also, loading and processing the .d.ts files that define all of the types involved is actually even more expensive.

The first optimization that we implemented back in 15.2 was to simply use our V8 runtime if it’s available. That alone gave us a nice speed boost. However, after a bit of profiling it was clear that V8 realized that it’s dealing with a heavy workload once we start processing the .d.ts files, and that resulted in it spending a big chunk of time just optimizing the TypeScript compiler’s code.

This reminded me of a really cool V8 feature that I’d noticed a long time ago: custom startup snapshots. Basically if we could warm up the TypeScript compiler ahead of time and also pre-create all of the .d.ts source files when building Frida, we could snapshot the VM’s state at that point and embed the resulting startup snapshot. Then at runtime we can boot from the snapshot and hit the ground running.

As part of implementing this, I extended GumJS so a snapshot can be passed to create_script(), together with the source code of the agent. There is also snapshot_script(), used to create the snapshot in the first place.

For example:

import frida

session = frida.attach(0)

snapshot = session.snapshot_script("const example = { magic: 42 };",
                                   warmup_script="true",
                                   runtime="v8")
print("Snapshot created! Size:", len(snapshot))

This snapshot could then be saved to a file and later loaded like this:

script = session.create_script("console.log(JSON.stringify(example));",
                               snapshot=snapshot,
                               runtime="v8")
script.load()

Note that snapshots need to be created on the same OS/architecture/V8 version as they’re later going to be loaded on.

V8 10.x

Another exciting bit of news is that we’ve upgraded V8 to 10.x, which means we get to enjoy the latest VM refinements and JavaScript language features. Considering that our last upgrade was more than two years ago, it’s definitely a solid upgrade this time around.

The curse of multiple build systems, part two

As you may recall from the 15.1.15 release notes, we were closer than ever to reaching the milestone where all of Frida can be built with a single build system. The only component left at that point was V8, which we used to build using Google’s GN build system. I’m happy to report that we have finally reached that milestone. We now have a brand new Meson build system for V8. Yay!

EOF

There’s also a bunch of other exciting changes, so definitely check out the changelog below.

Enjoy!

Changelog

• compiler: Use snapshot to reduce startup time.
• compiler: Bump frida-compile and other dependencies.
• Add support for JavaScript VM snapshots. This is only implemented by the V8 backend, as QuickJS does not currently support this.
• Move debugger API from Session to Script. This is necessary since V8’s debugger works on a per-Isolate basis, and we now need one Isolate per Script in order to support snapshots.
• server+portal: Fix daemon parent ready fail exit. Thanks @pachoo!
• resource-compiler: Add support for compression. We make use of this for frida.Compiler’s heap snapshot.
• ipc: Bump UNIX socket buffer sizes for improved throughput.
• meson: Promote frida-payload to public API. This allows implementing custom payloads for use-cases where frida-agent and frida-gadget aren’t suitable.
• windows: Move to Visual Studio 2022.
• windows: Move toolchain/SDK logic to use granular SDKs.
• windows: Do not rely on .py file association.
• darwin: Fix compatibility with macOS 13 and iOS >= 15.6.1.
• darwin: Use Apple’s libffi-trampolines.dylib if present, so we can support iOS 15 and beyond. Thanks for the fun pair-programming sessions, @hsorbo!
• fruity: Fix handling of USBMUXD_SOCKET_ADDRESS. Thanks @0x3c3e!
• fruity: Drop support for USBMUXD_SERVER_* envvars. Thanks @as0ler!
• droidy: Improve handling of ADB envvars. Thanks @0x3c3e!
• java: (android) Fix ClassLinker offset detection on Android 11 & 12 (#264). Thanks @sh4dowb!
• java: (android) Fix early instrumentation on Android 13.
• java: Handle methods and fields prefixed with $. Thanks @eybisi!
• android: Move to NDK r25.
• arm64: Optimize memory copy implementation.
• stalker: Ensure EventSink gets stopped on teardown.
• stalker: Fix ARM stack clobbering when branch involves a shift.
• stalker: Handle ARM PC load involving shifted register.
• stalker: Notify ARM observer when backpatches are applied.
• stalker: Apply ARM backpatches when notified.
• stalker: Add ARM support for switch block callback.
• arm-reader: Expose disassemble_instruction_at().
• thumb-reader: Expose disassemble_instruction_at().
• memory: Realign API with current V8 semantics.
• gumjs: Move V8 backend to one Isolate per script.
• gumjs: Support passing V8 flags using an env var: FRIDA_V8_EXTRA_FLAGS.
• gumjs: Use V8 write protection on Darwin/arm*.
• gumjs: Add support for dynamically defined scripts.
• prof: Support old system headers on Linux/MIPS.
• devkit: Improve examples’ compilation docs on UNIX.
• ci: Migrate remainder of the legacy CI to GitHub Actions.
• quickjs: Fix use-after-free on error during module evaluation.
• v8: Upgrade to latest V8 10.x.
• v8: Add Meson build system.
• usrsctp: Lower Windows requirement to XP, like the rest of our components.
• xz: Avoid ANSI-era Windows API.
• libc-shim: Support old system headers on Linux/MIPS.
• glib: Add Linux libc fallbacks for MIPS.
• Add config.mk option to be able to disable emulated agents on Android, to allow building smaller binaries. Thanks @muhzii!
• python: Drop Python 2 support, modernize code, add docstrings, typings, add CI with modern tooling, and many other goodies. Thanks @yotamN!
• python: Build Python wheels instead of eggs. Thanks @oriori1703!
• python: Fix Device.get_bus(). The previous implementation called _Device.get_bus(), which doesn’t exist. Thanks @oriori1703!
• python: Move to the stable Python C API.
• python: Add support for building from source, using a frida-core devkit.
• python: Add support for the new snapshot APIs.
• node: Add support for the new snapshot APIs.
• node: Fix Electron v20 compatibility.

Two more improvements, just in time for the weekend:

• darwin: Always host system session locally. In this way we avoid needing to write our frida-helper to a temporary file and spawn it just to use the system session (PID 0).
• darwin: Rework frida-helper IPC to avoid Mach ports. This means we avoid crashing on recent versions of macOS. Kudos to co-author @hsorbo for the productive pair-programming on this one!

Two small but significant bugfixes this time around:

• compiler: Ignore irrelevant changes during watch().
• darwin: Improve accuracy of memory range file info. By using PROC_PIDREGIONPATHINFO2 when available, so the query is constrained to vnode-backed mappings. Kudos to @i0n1c for discovering and tracking down this long-standing issue.

Super-excited about this one. What I’ve been wanting to do for years is to streamline Frida’s JavaScript developer experience. As a developer I may start out with a really simple agent, but as it grows I start to feel the pain.

Early on I may want to split up the agent into multiple files. I may also want to use some off-the-shelf packages from npm, such as frida-remote-stream. Later I’d want code completion, inline docs, type checking, etc., so I move the agent to TypeScript and fire up VS Code.

Since we’ve been piggybacking on the amazing frontend web tooling that’s already out there, we already have all the pieces of the puzzle. We can use a bundler such as Rollup to combine our source files into a single .js, we can use @frida/rollup-plugin-node-polyfills for interop with packages from npm, and we can plug in @rollup/plugin-typescript for TypeScript support.

That is quite a bit of plumbing to set up over and over though, so I eventually created frida-compile as a simple tool that does the plumbing for you, with configuration defaults optimized for what makes sense in a Frida context. Still though, this does require some boilerplate such as package.json, tsconfig.json, and so forth.

To solve that, I published frida-agent-example, a repo that can be cloned and used as a starting point. That is still a bit of friction, so later frida-tools got a new CLI tool called frida-create. Anyway, even with all of that, we’re still asking the user to install Node.js and deal with npm, and potentially also feel confused by the .json files just sitting there.

Then it struck me. What if we could use frida-compile to compile frida-compile into a self-contained .js that we can run on Frida’s system session? The system session is a somewhat obscure feature where you can load scripts inside of the process hosting frida-core. For example if you’re using our Python bindings, that process would be the Python interpreter.

Once we are able to run that frida-compile agent inside of GumJS, we can communicate with it and turn that into an API. This API can then be exposed by language bindings, and frida-tools can consume it to give the user a frida-compile CLI tool that doesn’t require Node.js/npm to be installed. Tools such as our REPL can seamlessly use this API too if the user asks it to load a script with a .ts extension.

And all of that is precisely what we have done! 🥳

build()

Here’s how easy it is to use it from Python:

import frida

compiler = frida.Compiler()
bundle = compiler.build("agent.ts")

The bundle variable is a string that can be passed to create_script(), or written to a file.

Running that example we might see something like:

Traceback (most recent call last):
  File "/home/oleavr/src/explore.py", line 4, in <module>
    bundle = compiler.build("agent.ts")
  File "/home/oleavr/.local/lib/python3.10/site-packages/frida/core.py", line 76, in wrapper
    return f(*args, **kwargs)
  File "/home/oleavr/.local/lib/python3.10/site-packages/frida/core.py", line 1150, in build
    return self._impl.build(entrypoint, **kwargs)
frida.NotSupportedError: compilation failed

That makes us wonder why it failed, so let’s add a handler for the diagnostics signal:

import frida

def on_diagnostics(diag):
    print("on_diagnostics:", diag)

compiler = frida.Compiler()
compiler.on("diagnostics", on_diagnostics)
bundle = compiler.build("agent.ts")

And suddenly it’s all making sense:

on_diagnostics: [{'category': 'error', 'code': 6053,
    'text': "File '/home/oleavr/src/agent.ts' not "
            "found.\n  The file is in the program "
            "because:\n    Root file specified for"
             " compilation"}]
…

We forgot to actually create the file! Ok, let’s create agent.ts:

console.log("Hello from Frida:", Frida.version);

And let’s also write that script to a file:

import frida

def on_diagnostics(diag):
    print("on_diagnostics:", diag)

compiler = frida.Compiler()
compiler.on("diagnostics", on_diagnostics)
bundle = compiler.build("agent.ts")
with open("_agent.js", "w", newline="\n") as f:
    f.write(bundle)

If we now run it, we should have an _agent.js ready to go:

$ cat _agent.js
📦
175 /explore.js.map
39 /explore.js
✄
{"version":3,"file":"explore.js","sourceRoot":"/home/oleavr/src/","sources":["explore.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC"}
✄
console.log(`Hello ${Frida.version}!`);

This weird-looking format is how GumJS’ allows us to opt into the new ECMAScript Module (ESM) format where code is confined to the module it belongs to instead of being evaluated in the global scope. What this also means is we can load multiple modules that import/export values. The .map files are optional and can be omitted, but if left in they allow GumJS to map the generated JavaScript line numbers back to TypeScript in stack traces.

Anyway, let’s take _agent.js for a spin:

$ frida -p 0 -l _agent.js
     ____
    / _  |   Frida 15.2.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Attaching...
Hello 15.2.0!
[Local::SystemSession ]->

It works! Now let’s try refactoring it to split the code into two files:

agent.ts

import { log } from "./log.js";

log("Hello from Frida:", Frida.version);

log.ts

export function log(...args: any[]) {
    console.log(...args);
}

If we now run our example compiler script again, it should produce a slightly more interesting-looking _agent.js:

📦
204 /agent.js.map
72 /agent.js
199 /log.js.map
58 /log.js
✄
{"version":3,"file":"agent.js","sourceRoot":"/home/oleavr/src/","sources":["agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC"}
✄
import { log } from "./log.js";
log("Hello from Frida:", Frida.version);
✄
{"version":3,"file":"log.js","sourceRoot":"/home/oleavr/src/","sources":["log.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,GAAG,CAAC,GAAG,IAAW;IAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;AACzB,CAAC"}
✄
export function log(...args) {
    console.log(...args);
}

Loading that into the REPL should yield the exact same result as before.

watch()

Let’s turn our toy compiler into a tool that loads the compiled script, and recompiles whenever a source file changes on disk:

import frida
import sys

session = frida.attach(0)
script = None

def on_output(bundle):
    global script
    if script is not None:
        print("Unloading old bundle...")
        script.unload()
        script = None
    print("Loading bundle...")
    script = session.create_script(bundle)
    script.on("message", on_message)
    script.load()

def on_diagnostics(diag):
    print("on_diagnostics:", diag)

def on_message(message, data):
    print("on_message:", message)

compiler = frida.Compiler()
compiler.on("output", on_output)
compiler.on("diagnostics", on_diagnostics)
compiler.watch("agent.ts")

sys.stdin.read()

And off we go:

$ python3 explore.py
Loading bundle...
Hello from Frida: 15.2.0

If we leave that running and then edit the source code on disk we should see some new output:

Unloading old bundle...
Loading bundle...
Hello from Frida version: 15.2.0

Yay!

frida-compile

We can also use frida-tools’ new frida-compile CLI tool:

$ frida-compile agent.ts -o _agent.js

It also supports watch mode:

$ frida-compile agent.ts -o _agent.js -w

REPL

Our REPL is also powered by the new frida.Compiler:

$ frida -p 0 -l agent.ts
     ____
    / _  |   Frida 15.2.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Compiled agent.ts (1428 ms)
Hello from Frida version: 15.2.0
[Local::SystemSession ]->

Shoutout

Shoutout to @hsorbo for the fun and productive pair-programming sessions where we were working on frida.Compiler together! 🙌

EOF

There are also quite a few other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• core: Add Compiler API. Only exposed by Python bindings for now, but available from C/Vala.
• interceptor: Improve replace() to support returning original. Thanks @aviramha!
• gumjs: Fix typing for pc in the writer options.
• gumjs: Fix V8 ESM crash with circular dependencies.
• gumjs: Handle ESM bundles with multiple aliases per module.
• gumjs: Tighten up the Checksum data argument parsing.
• android: Fix null pointer deref in crash delivery. Thanks @muhzii!
• fruity: Use env variables to find usbmuxd. Thanks @0x3c3e!
• ios: Make Substrate detection logic a bit more resilient. Thanks @lemon4ex!
• meson: Only try to use V8 if available. Thanks @muhzii!
• windows: Add support for building without V8.
• devkit: Fix library dependency hints on Windows. Thanks @nblog!

A couple of exciting new things in this release.

File API

Those of you using our JavaScript File API may have noticed that it supports writing to the given file, but there was no way to read from it. This is now supported.

For example, to read each line of a text-file as a string:

const f = new File('/etc/passwd', 'r');
let line;
while ((line = f.readLine()) !== '') {
  console.log(`Read line: ${line.trimEnd()}`);
}

(Note that this assumes that the text-file is UTF-8-encoded. Other encodings are not currently supported.)

You can also read a certain number of bytes at some offset:

const f = new File('/var/run/utmp', 'rb');
f.seek(0x2c);
const data = f.readBytes(3);
const str = f.readText(3);

The argument may also be omitted to read the rest of the file. But if you’re just looking to read a text file in one go, there’s an easier way:

const text = File.readAllText('/etc/passwd');

Reading a binary file is just as easy:

const bytes = File.readAllBytes('/var/run/utmp');

(Where bytes is an ArrayBuffer.)

Sometimes you may also want to dump a string into a text file:

File.writeAllText('/tmp/secret.txt', 'so secret');

Or perhaps dump an ArrayBuffer:

const data = args[0].readByteArray(256);
File.writeAllBytes('/tmp/mystery.bin', data);

Going back to the example earlier, seek() also supports relative offsets:

f.seek(7, File.SEEK_CUR);
f.seek(-3, File.SEEK_END);

Retrieving the current file offset is just as easy:

const offset = f.tell();

Checksum API

The other JavaScript API addition this time around is for when you want to compute checksums. While this could be implemented in JavaScript entirely in “userland”, we do get it fairly cheap since Frida depends on GLib, and it already provides a Checksum API out of the box. All we needed to do was expose it.

Putting it all together, this means we can read a file and compute its SHA-256:

const utmp = File.readAllBytes('/var/run/utmp');
const str = Checksum.compute('sha256', utmp);

Or, for more control:

const checksum = new Checksum('sha256');
checksum.update(File.readAllText('/etc/hosts'));
checksum.update(File.readAllBytes('/var/run/utmp'));
console.log('Result:', checksum.getString());
console.log(hexdump(checksum.getDigest(), { ansi: true }));

(You can learn more about this API from our TypeScript bindings.)

EOF

There are also a few other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• gumjs: Extend the File API.
• gumjs: Add Checksum API.
• gumjs: Fix handling of relative ESM imports from root.
• glib: (win32) Add Input/OutputStream support for plain files.
• build: Make XP SDK optional on Windows.
• node: Target Electron 19.0.0 instead of 19.0.0-alpha.1.
• node: Define openssl_fips to work around node-gyp issue.

It appears I should have had some more coffee this morning, so here’s another release to actually fix this broken fix back in 15.1.25:

• java: (android) Prevent ART from compiling replaced methods

Turns out the kAccCompileDontBother constant changed in Android 8.1. It also didn’t exist before 7.0. Oops! This release fixes it, for real this time 😊

Only one change this time around, related to this fix in the previous release:

• java: (android) Prevent ART from compiling replaced methods

Well, turns out the kAccCompileDontBother constant was incorrect. This release fixes it. (Spoiler from the future: it didn’t.)

Quite a few exciting bits in this release. Let’s dive right in.

FPU/vector register access

Some great news for those of you using Frida on 32- and 64-bit ARM. Up until now, we have only exposed the CPU’s integer registers, but as of this release, FPU/vector registers are also available! 🎉

For 32-bit ARM this means q0 through q15, d0 through d31, and s0 through s31. As for 64-bit ARM they’re q0 through q31, d0 through d31, and s0 through s31. If you’re accessing these from JavaScript, the vector properties are represented using ArrayBuffer, whereas for the others we’re using the number type.

Java.backtrace()

Our existing Java.backtrace() API now provides a couple of new properties in the returned frames, which now also expose methodFlags and origin.

Quality

I finally plugged a memory leak in our RPC server-side code. This was introduced by me in 15.1.10 when implementing an optimization in the Vala compiler’s code generation for DBus reply handling. Shoutout to @rev1si0n for reporting and helping track down this regression!

EOF

There are also some other goodies in this release, so definitely check out the changelog below.

Enjoy!

Changelog

• vala: Plug leak in server-side GDBus reply handling. This affected all server-side implementations in Frida.
• glib: Disable support for “charset.alias”. This means we no longer try to open this file, which could cause sandbox violations on some systems, such as iOS.
• java: (android) Add methodFlags to Java.backtrace() frames.
• java: (android) Add origin to Java.backtrace() frames.
• java: (android) Prevent ART from compiling replaced methods. Kudos to @s1341 for figuring this one out!
• cpu-context: Add ARM FPU/vector registers and NZCV.
• cpu-features: Add VFPD32 flag and detection logic.
• stalker: Fix VFP D32 detection in the arm backend.
• gumjs: Add vector regs to arm_reg bindings.
• x86-writer: Add put_fx{save,rstor}_reg_ptr().
• arm-writer: Add load/store variants without offset.
• arm-writer: Add put_v{push,pop}_range().
• arm-writer: Remove noop check from put_ands_reg_reg_imm().
• arm-writer: Rename *_registers() to *_regs().
• arm-writer: Support vector push/pop with Q regs.
• thumb-writer: Add put_v{push,pop}_range().
• thumb-writer: Support vector push/pop with Q regs.
• arm64-writer: Add load/store variants without offset.
• arm64-writer: Add put_mov_{reg_nzcv,nzcv_reg}().
• libc-shim: Support old system headers on Linux/ARM.
• node: Bump dependencies.
• node: Publish prebuilds for Electron 19 instead of 18.

Only one change this time, but it’s an important one for those of you using Frida on Android: Our Java method hooking implementation was crashing in some cases, where we would pick a scratch register that conflicted with the generated code. This is now fixed.

Enjoy!

The main theme of this release is OS support, where we’ve fixed some rough edges on Android 12, and introduced preliminary support for Android 13. While working on frida-java-bridge I also found myself needing some of the JVMTI code in the JVM-specific backend. Those bits are now shared, and the JVM-specific code is in better shape, with brand new support for JDK 17.

We have also improved stability in several places, and made it easier to use the CodeWriter APIs safely. Portability has also been improved, where our QuickJS-based JavaScript runtime finally works when cross-compiled for big-endian from a little-endian build machine, and vice versa.

To learn more, be sure to check out the changelog below.

Enjoy!

Changelog

• linux: Handle spurious signals during ptrace().
• android: Add missing SELinux rule for system_server on Android 12+.
• android: Fix Android 13 detection on real devices.
• android: Handle new linker internals in Android 13.
• java: Improve the Java.enumerateMethods() error message. Thanks @jpstotz!
• java: (android) Handle inlined GetOatQuickMethodHeader().
• java: (android) Improve support for non-Google Android 12+ ROMs.
• java: (android) Fix Java.choose() on Android >= 12.
• java: (android) Add support for Android 13.
• java: (android) Fix threadReg clobber in the x64 recompilation logic.
• java: (android) Explain why Java.deoptimizeBootImage() is unavailable.
• java: (android) Expose JVMTI through api.jvmti.
• java: (android) Improve error messages about OS features.
• java: (jvm) Add basic support for JDK 17.
• java: (jvm) Add fallback for thread_from_jni_environment().
• java: (jvm) Fix UAF in withJvmThread() prologue/epilogue logic.
• java: (jvm) Improve InstanceKlass offset detection.
• code-writer: Add flush_on_destroy option.
• gumjs: Disable the CodeWriter flush_on_destroy option. In this way, the writers are safer to use as they won’t be writing to memory once they’re garbage-collected. At that point the target memory may no longer be writable, or might be owned by other code.
• gumjs: Embed byteswapped QuickJS bytecode when needed. This means GumJS can be cross-compiled across endians.
• gumjs: Fix double free in the Instruction copy logic.
• gumjs: Fix Relocator instruction accessors.
• gumjs: Flush CodeWriter on reset() and dispose().
• gumjs: Improve NativePointer#strip() to support ARM TBI.
• gumjs: Make Instruction wrapper safer in zero-copy mode.
• gumjs: Plug Relocator leak in the QuickJS runtime.
• quickjs: Fix support for byteswapped output. Also upgrade QuickJS to latest upstream version with Unicode 14 updates.

Turns out the major surgery that Gum went through in 15.1.15 introduced some error-handling regressions. Errors thrown vs. actually expected by the Vala code in frida-core did not match, which resulted in the process crashing instead of a friendly error bubbling up to e.g. the Python bindings. That is now finally taken care of. I wish we had noticed it sooner, though — we’re clearly lacking test coverage in this area.

Beside the error-handling fixes, we’re also including a build system fix for incremental build issues. Kudos to Londek for this nice contribution.

Enjoy!