
Android screenshots fail immediately

Open aph3rson opened this issue 5 years ago • 5 comments

Describe the bug
Attempting to take a screenshot on Android of any activity fails with a Frida error.

To Reproduce
Steps to reproduce the behavior:

  1. Inject into an Android application
  2. Run the command: android ui screenshot test.png

Expected behavior
A PNG-format screenshot is created in that directory.

Evidence / Logs / Screenshots

#> objection --gadget "com.android.chrome" explore
Using USB device `Motorola moto g(6)`
Agent injected and responds ok!
[snip]
com.android.chrome on (motorola: 8.0.0) [usb] # android ui screenshot test.png
A Frida agent exception has occurred.
TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at /script1.js:5414
    at /script1.js:5191
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5195
    at /script1.js:1329
    at /script1.js:5196
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

Python stack trace: Traceback (most recent call last):
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\python37\lib\site-packages\objection\commands\ui.py", line 110, in android_screenshot
    data = api.android_ui_screenshot()
  File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
    return script._rpc_request('call', js_name, args)
  File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
    raise result[2]
frida.core.RPCException: TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at /script1.js:5414
    at /script1.js:5191
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5195
    at /script1.js:1329
    at /script1.js:5196
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

com.android.chrome on (motorola: 8.0.0) [usb] #

Environment (please complete the following information):

  • Device: Moto G6
  • OS: Android 8.0.0
  • Frida Version: 12.4.0
  • Objection Version: v1.6.2

Additional context
Connected to frida-server on the device. Appears to affect activities with FLAG_SECURE set or unset.

Running from a Windows host.

aph3rson, Apr 04 '19 22:04

@leonjza any ideas what might be causing this? If you have any ideas on where I should be looking, I can dig a bit deeper.

aph3rson, Apr 09 '19 18:04

To be honest, I am not sure. It may very well be something that has changed in Android 8 given the age of the hook. I suggest we start by getting a source mapped stack trace from the agent with the --debug flag and working from there.

leonjza, Apr 09 '19 18:04

I don't think the --debug flag gave us much more:

objection --debug --gadget "com.android.chrome" explore
[debug] Agent path is: c:\python37\lib\site-packages\objection\agent.js
[debug] Injecting agent...
Using USB device `Motorola moto g(6)`
[debug] Attempting to attach to process: `com.android.chrome`
[debug] Unable to find process: `com.android.chrome`, attempting spawn
[debug] PID `10049` spawned, attaching...
[debug] Resuming PID `10049`
Agent injected and responds ok!

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion) v1.5.2

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.android.chrome on (motorola: 8.0.0) [usb] # android ui screenshot test.png
A Frida agent exception has occurred.
TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at src/android/userinterface.ts:30
    at src/android/lib/libjava.ts:9
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5159
    at node_modules/core-js/library/modules/es6.promise.js:83
    at /script1.js:5160
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

Python stack trace: Traceback (most recent call last):
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\python37\lib\site-packages\objection\commands\ui.py", line 110, in android_screenshot
    data = api.android_ui_screenshot()
  File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
    return script._rpc_request('call', js_name, args)
  File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
    raise result[2]
frida.core.RPCException: TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at src/android/userinterface.ts:30
    at src/android/lib/libjava.ts:9
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5159
    at node_modules/core-js/library/modules/es6.promise.js:83
    at /script1.js:5160
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

aph3rson, Apr 10 '19 16:04

The debug flag now tells us where in the TypeScript agent the crash came from (rather than just saying script.js:5414) :)

at src/android/userinterface.ts:30

It appears to be this line that is causing the problem. It may be worth it to patch the loop to match what is currently used here as a test.

leonjza, Apr 10 '19 16:04

I quickly looked at this, and fixed up the activity casting. While it does not solve the original problem, it does get us a step closer again.

leonjza, Apr 11 '19 06:04