frida-java-bridge

Hooking to Context doesn't work

Open afjoseph opened this issue 6 years ago • 4 comments

Hey. I ran into a small issue during instrumentation. Hooking into this function of context simply doesn't work. I wanted to know if the issue is on my side.

python script

import frida, sys
import time

jscode = """

Java.perform(function() {
    var context = Java.use("android.content.Context");

    context.openFileOutput.implementation = function(a, b) {
        console.log("Hello world");
        // Return the stream so the caller still receives it.
        return this.openFileOutput(a, b);
    }

});

"""

device = frida.get_usb_device()

pid = device.spawn(["com.whatever.bbb"])
session = device.attach(pid)
script = session.create_script(jscode)

# Load the script before resuming so the hooks are in place before app code runs.
script.load()
device.resume(pid)
print('[*] Running...')
sys.stdin.read()

The app is running and the frida-server is running on the Android emulator. I'm sure that this piece of code is being called since I have the source code. The issue is that it is never hooked. Am I doing something wrong here?

afjoseph avatar Apr 03 '18 08:04 afjoseph

try:

Java.perform(function() {
    var context = Java.use("android.content.Context");

    /* FileOutputStream openFileOutput (String name, int mode) */
    // overload() names the primitive parameter "int", not "java.lang.Integer".
    context.openFileOutput.overload("java.lang.String", "int").implementation = function(name, mode) {
        // Return the stream so the caller still receives it.
        return this.openFileOutput.overload("java.lang.String", "int").call(this, name, mode);
    }

});

jhscheer avatar Apr 05 '18 15:04 jhscheer

Same issue. Could be that frida can't hook to native Android code?

afjoseph avatar Apr 05 '18 16:04 afjoseph

I stumbled upon this ticket when I had the same problem. Hope you're not struggling with this anymore, but thought to provide an answer for others struggling with this.

This is caused by the fact that android.content.Context is an interface and therefore you can't hook it. For me I needed to hook android.app.ContextImpl, as that is the implementation used. This is not stated in the imports of the file (there indeed android.content.Context is listed), but I found this by enumerating all classes with Frida.

So then the code would be:

Java.perform(function() {
    var context = Java.use("android.app.ContextImpl");

    // overload() names the primitive parameter "int", not "java.lang.Integer".
    context.openFileOutput.overload("java.lang.String", "int").implementation = function(name, mode) {
        console.log("Yes, this method is called correctly!");
        // Return the stream so the caller still receives it.
        return this.openFileOutput(name, mode);
    }

});

eanker avatar Oct 17 '18 07:10 eanker
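
Added example, not part of the thread or of frida-java-bridge: a Frida agent script that does the class enumeration described in the comment above, keeps only the loaded classes that declare a non-abstract `openFileOutput`, and hooks each one. The helper names `concreteDeclarers` and `describeViaReflection` and the `android.app.` / `android.content.` prefix filter are assumptions of this example.

```javascript
// Added example (Frida agent script); not code from the thread.
// Keep the classes that declare a non-abstract method called `method`.
// describe(className) returns [{name, isAbstract}] for that class's declared methods.
function concreteDeclarers(classNames, method, describe) {
  return classNames.filter(function (cls) {
    var declared;
    try { declared = describe(cls); } catch (e) { return false; } // not loadable: skip
    return declared.some(function (m) { return m.name === method && !m.isAbstract; });
  });
}

// Frida-side describe(): Java reflection on the live class.
function describeViaReflection(cls) {
  var Modifier = Java.use('java.lang.reflect.Modifier');
  var methods = Java.use(cls).class.getDeclaredMethods();
  var out = [];
  for (var i = 0; i < methods.length; i++) {
    out.push({ name: methods[i].getName(),
               isAbstract: Modifier.isAbstract(methods[i].getModifiers()) });
  }
  return out;
}

// Runs only inside Frida, where the `Java` global exists.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // Assumption: only framework packages are scanned, to keep the reflection pass short.
    var names = Java.enumerateLoadedClassesSync().filter(function (n) {
      return n.indexOf('android.app.') === 0 || n.indexOf('android.content.') === 0;
    });
    concreteDeclarers(names, 'openFileOutput', describeViaReflection).forEach(function (cls) {
      // Signature quoted in the thread: openFileOutput(String name, int mode)
      Java.use(cls).openFileOutput.overload('java.lang.String', 'int')
        .implementation = function (name, mode) {
          console.log('[' + cls + '] openFileOutput(' + name + ', ' + mode + ')');
          return this.openFileOutput(name, mode); // hand the stream back to the caller
        };
    });
  });
}
```

A call made through an Activity or Service is logged twice, once for `android.content.ContextWrapper` and once for `android.app.ContextImpl`, because the wrapper delegates to its base context.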

You can call the Context with ActivityThread like this: var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext();

g3rzi avatar Feb 22 '19 16:02 g3rzi