Frida 7.2 Released
release
Some of you may be aware that Frida has two JavaScript runtimes, one based on V8, and another one based on Duktape. We also used to have a runtime based on JavaScriptCore, but it got retired when our Duktape runtime proved better in all of the situations where V8 wasn’t a good fit, e.g. on tiny embedded systems and systems where RWX pages are forbidden.
Anyway, what is pretty neat is that Duktape has an API for compiling to bytecode, allowing you to cache the compiled code and save precious startup time when it’s time to instrument a new process. Starting with this release we now have a brand new API for compiling your JavaScript to bytecode, and of course for instantiating a script from it. This API is not yet supported in our V8 runtime, but we should be able to implement it there after our next V8 upgrade, by using the WebAssembly infrastructure that started appearing in the latest releases.
So without further ado, let’s take this new API for a spin with the Duktape runtime by forcing Frida to favor Duktape through Session.disable_jit().
From Node.js:
And from Python:
Note that the same caveats as specified in the Duktape documentation apply here, so make sure the code you’re trying to load is well-formed and generated by the same version of Duktape. It may get upgraded when you upgrade to a future version of Frida, but will at least be architecture-neutral; i.e. you can compile to bytecode on a 64-bit x86 desktop and load it just fine in a 32-bit iOS app on ARM.
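To actually get the startup-time win, the bytecode has to be cached between runs, and the caveat above means a stale or foreign cache entry must be detected rather than trusted. The following is an added example, not code from this post or from the Frida project: it keys the cache on the Frida version plus a hash of the source, and if Frida refuses a cached blob it discards it and recompiles. Besides Session.disable_jit() from the post, it assumes the frida-python method names compile_script() and create_script_from_bytes() on Session.

```python
import hashlib
import os

# Assumed frida-python Session method names (only disable_jit() is named in the post):
#   session.disable_jit()                  -> force the Duktape runtime
#   session.compile_script(source)         -> JavaScript source -> Duktape bytecode (bytes)
#   session.create_script_from_bytes(data) -> instantiate a script from that bytecode


def cache_key(source, frida_version):
    """File name tied to both the script text and the Frida version, so that a
    Frida upgrade (which may bump the bundled Duktape) never serves stale bytecode."""
    h = hashlib.sha256(frida_version.encode() + b"\0" + source.encode()).hexdigest()
    return "agent-%s-%s.duk" % (frida_version, h[:16])


def load_script(session, source, frida_version, cache_dir):
    """Instantiate `source` from cached bytecode when possible.

    Returns (script, origin); origin is "cache" on a hit and "compiled" when the
    bytecode was (re)built. A cached blob that Frida refuses to load (malformed, or
    produced by a different Duktape) is discarded and rebuilt rather than propagated."""
    session.disable_jit()  # bytecode loading is Duktape-only in this release
    path = os.path.join(cache_dir, cache_key(source, frida_version))
    if os.path.exists(path):
        with open(path, "rb") as f:
            cached = f.read()
        try:
            return session.create_script_from_bytes(cached), "cache"
        except Exception:
            os.remove(path)  # treat as a cache miss and rebuild below
    bytecode = session.compile_script(source)
    os.makedirs(cache_dir, exist_ok=True)
    with open(path, "wb") as f:
        f.write(bytecode)
    return session.create_script_from_bytes(bytecode), "compiled"


if __name__ == "__main__":
    import sys
    import frida  # only needed for a real run; the helpers above are frida-agnostic

    target = sys.argv[1]  # process name to attach to
    session = frida.attach(target)
    script, origin = load_script(session, 'console.log("hello from bytecode");',
                                 frida.__version__, ".frida-bytecode-cache")
    script.load()
    print("script instantiated from", origin)
```

The second run against the same Frida version skips compile_script() entirely; after a Frida upgrade the version-keyed file name simply misses and a fresh blob is built.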
So that’s bytecode compilation through the API, but you probably want to use the frida-compile CLI tool for this instead:
While developing you can also use it in watch mode by adding -w, which makes it watch the inputs and perform fast incremental builds whenever one of them changes.
Whether you’re using bytecode (-b) or not, frida-compile is highly recommended as it also comes with a number of other benefits, letting you:
- Split your script into multiple .js files by using require().
- Leverage thousands of existing modules from npm, including some that are Frida-specific. For example: frida-trace, frida-uikit, frida-screenshot, etc.
- Use ES6 syntax and have your code compiled to ES5 so it’s compatible with the Duktape runtime.
So in closing, let’s summarize the changes:
7.2.0:
- core: add support for compiling and loading to/from bytecode
- core: include error name and stack trace in RPC error replies
- node: add support for the new bytecode APIs
- node: augment RPC errors with name and stack when available
- node: port examples to ES6
- python: add support for the new bytecode APIs
- python: update to the revised RPC protocol
7.2.1:
- objc: add support for resolving methods on minimal Objective-C proxies
7.2.2:
- objc: fix handling of methods returning structs and floating point values
7.2.3:
- objc: expose the raw handle of Objective-C methods
7.2.4:
- core: fix deadlock that was easily reproducible on iOS 9
- java: improve Java.perform() robustness and handling of non-app processes
7.2.5:
- objc: fix handling of methods returning a struct in registers on x86-64
7.2.6:
- core: port Gum to MIPS
- core: avoid swallowing exception when a Proxy object misbehaves
- objc: add support for accessing Objective-C instance variables
7.2.7:
- core: port .so injector to MIPS
- core: enhance MIPS fuzzy backtracer with more branch-and-link instructions
- core: fix UnixInputStream and UnixOutputStream pollable behavior on TTYs, fixing hang on script unload
- core: remove “0x” prefix from hexdump() offsets
7.2.8:
- objc: fix parsing of type hints
- objc: add support for including type hints
- objc: make ObjC.Block’s types field public
- objc: add support for properly declaring void *
- core: (MIPS) fix stack offset when getting/setting stack arguments
7.2.9:
- core: fix bug preventing registers from being written in the V8 runtime
7.2.10:
- core: add support for attaching to iOS Simulator processes
- core: fix Android class-resolving regression introduced in 7.2.4
7.2.11:
- core: always kill iOS apps through SpringBoard
7.2.12:
- objc: unregister Objective-C classes on unload and GC
7.2.13:
- core: fix application kill logic on iOS 9
7.2.14:
- core: make the Duktape runtime preemptible like the V8 runtime
- core: fix a few locking bugs in the V8 runtime
7.2.15:
- core: implement the Kernel API in the Duktape runtime also
- core: remove the dangerous Kernel.enumerateThreads() API
7.2.16:
- core: improve robustness when quickly reattaching to the same process
- core: fix deadlock when pending calls exist at detach time
- core: fix hooking regression on 32-bit ARM
- core: fix dlsym() deadlock in frida-gadget on Linux
- core: fix Windows build regression
- core: fix iOS 7 regression
7.2.17:
- core: fix session teardown regression
7.2.18:
- core: fix long-standing stability issue on iOS 9, where the injected bootstrap code was not pseudo-signed and caused processes to eventually lose their CS_VALID status
- core: speed up app launching on iOS by eliminating unnecessary disk I/O
- core: fix temporary directory clean-up on iOS
7.2.19:
- core: fix preemption-related lifetime-issue in the Duktape runtime
7.2.20:
- core: rework the V8 runtime to support fully asynchronous unloading
- core: rework the Duktape runtime to support fully asynchronous unloading
- core: make the Duktape runtime fully reentrant
- core: add Script.pin() and Script.unpin() for extending a script’s lifetime in critical moments, e.g. for callbacks expected from external APIs out of one’s control
- core: fix a timer-related leak in both the V8 and the Duktape runtime
- objc: keep script alive until callback scheduled by ObjC.schedule() has been executed
- objc: add a dealloc event to the ObjC proxy API
7.2.21:
- core: fix hang on detach()
7.2.22:
- core: fix hang on script unload
- core: fix hang on abrupt connection loss during detach()
7.2.23:
- core: fix two low-probability crashes during script unload
7.2.24:
- core: fix use-after-free in the Duktape runtime
- core: fix use-after-free bugs in ModuleApiResolver
- core: improve unload-behavior when an exception handler is set
7.2.25:
- core: fix app launching on iOS 9.3.3
- frida-server: fix “hang” on detach when another client is attached to the same process
Enjoy!