I'm trying to hook JavaScriptCore`JSObjectMake and using code as follows:
const resolver = new ApiResolver('module');
const matches = resolver.enumerateMatches('exports:*!JSObjectMake');
const { address } = matches[0];
console.log(address, ptr(address))
Interceptor.attach(ptr(address), {
onEnter(args) {
var callMessage = new ObjC.Object(args[2]);
console.log('JSObjectMake', callMessage);
}
});
However, it doesn't work. How can I hook ios native apis like JavaScriptCore`JSObjectMake using frida?
Related
I'm trying to hook functions of the OKHttp library by using then following Frida script:
setTimeout(function(){
Java.perform(function (){
console.log("-- Hook OKHttp library --");
try {
var Builder = Java.use('okhttp3.CertificatePinner$Builder');
var Pin = Java.use('okhttp3.CertificatePinner$Pin');
var OkHttpClient = Java.use('okhttp3.OkHttpClient$Builder');
console.log("OkHTTP classes found");
Builder.add.overload.implementation = function(a, b) {
console.log("TEST ADD");
}
Pin.matches.overload.implementation = function (a) {
console.log("TEST matches")
return true;
}
OkHttpClient.certificatePinner.overload.implementation = function (a) {
console.log("TEST certificatePinner");
}
console.log("OkHTTP functions found");
} catch (err) {
// If we dont have a ClassNotFoundException exception, raise the
// problem encountered.
console.log("OkHTTP 3.x classes/functions not Found");
}
});
},0);
And I am executing the following code in my Android application:
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(certificateDNWildcard, certificateHash)
.build();
//Create http client with pinned certificate
OkHttpClient okHttpClient = new OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
As you can see I am calling the function .add(certificateDNWildcard, certificateHash) which I am trying to hook. However, nothing is printed in the terminal when I execute this function. Furthermore, the output of my terminal is:
-- Hook OKHttp library --
OkHTTP classes found
OkHTTP functions found
Hence, it does find the classes and functions; however, the hook itself does not work effectively. Could someone help me?
I am using:
* Frida 12.8.11
* Android 10
* ARM64
You should either:
// works if add method has a single implementation
Builder.add.implementation = function(a, b) {
console.log("TEST ADD");
}
or
// always works
Builder.add.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
console.log("TEST ADD");
}
(I failed at getting this working in dart2js so I'm trying in dart dev compiler; but I'd happily take an answer for dart2j!).
If I have test.dart:
void activate() {
print("activating...");
}
and run dartdevc --modules node -o test.js test.dart the output is:
(function() {
'use strict';
const dart_sdk = require('dart_sdk');
const core = dart_sdk.core;
const dart = dart_sdk.dart;
const dartx = dart_sdk.dartx;
const __test = Object.create(null);
let VoidTovoid = () => (VoidTovoid = dart.constFn(dart.definiteFunctionType(dart.void, [])))();
__test.activate = function() {
core.print("activating...");
};
dart.fn(__test.activate, VoidTovoid());
// Exports:
exports.__test = __test;
})();
This means my function is exported as __test.activate but what I need is for it just to be activate.
How can I control this? The JS I'm aiming for the equivilent of this:
exports.activate = function() { core.print("activating"); }
This isn't currently possible but I worked around it with a wrapper:
var extension = require('./dartvsjs/extension.js');
exports.activate = extension.__lib__extension.activate;
exports.deactivate = extension.__lib__extension.deactivate;
I need to create an about: page, to display addon options. I have seen ti done before, but there seems to be no option in the SDK that allows you to do that.
Is there another way I could let users type about:pagename and get to my page?
I would prefer not to redirect all tabs with a URL of about:pagename to another options page.
Thanks in advance
This is the index.js file for a restartless add-on developed using jpm:
const { Cc, Ci, Cr, Cu, Cm, components } = require("chrome");
Cm.QueryInterface(Ci.nsIComponentRegistrar);
Cu.import("resource://gre/modules/XPCOMUtils.jsm");
Cu.import("resource://gre/modules/Services.jsm");
// globals
var factory;
const aboutPage_description = 'This is my custom about page';
const aboutPage_id = '6c098a80-9e13-11e5-a837-0800200c9a66'; // make sure you generate a unique id from https://www.famkruithof.net/uuid/uuidgen
const aboutPage_word = 'foobar';
const aboutPage_page = Services.io.newChannel('data:text/html,hi this is the page that is shown when navigate to about:foobar', null, null);
function AboutCustom() {};
AboutCustom.prototype = Object.freeze({
classDescription: aboutPage_description,
contractID: '#mozilla.org/network/protocol/about;1?what=' + aboutPage_word,
classID: components.ID('{' + aboutPage_id + '}'),
QueryInterface: XPCOMUtils.generateQI([Ci.nsIAboutModule]),
getURIFlags: function(aURI) {
return Ci.nsIAboutModule.ALLOW_SCRIPT;
},
newChannel: function(aURI) {
let channel = aboutPage_page;
channel.originalURI = aURI;
return channel;
}
});
function Factory(component) {
this.createInstance = function(outer, iid) {
if (outer) {
throw Cr.NS_ERROR_NO_AGGREGATION;
}
return new component();
};
this.register = function() {
Cm.registerFactory(component.prototype.classID, component.prototype.classDescription, component.prototype.contractID, this);
};
this.unregister = function() {
Cm.unregisterFactory(component.prototype.classID, this);
}
Object.freeze(this);
this.register();
}
exports.main = function() {
factory = new Factory(AboutCustom);
};
exports.onUnload = function(reason) {
factory.unregister();
};
Basically it registers a custom about page that will be loaded when you access about:foobar. The loaded page is just a line of text.
This is how it looks like:
You can see a working example here: https://github.com/matagus/about-foobar-addon
I think this is a better solution if you are using the addons-sdk:
Credit goes here:
https://stackoverflow.com/a/9196046/1038866
var pageMod = require("page-mod");
pageMod.PageMod({
include: data.url("options.html"),
...
});
var tabs = require("tabs");
tabs.open(data.url("options.html"));
But there are other ways. You could take a look at the Scroll to Top addon which implements this: https://addons.mozilla.org/firefox/addon/402816
I'm trying to create HttpService through Action Script and I want to convert this mxml code to my Action Script
mxml code code is here:
<s:HTTPService id="weatherService"
url="{BASE_URL}"
resultFormat="object"
result="weatherService_resultHandler(event)"
fault="weatherService_faultHandler(event)"
showBusyCursor="true">
<s:request xmlns="">
<q>{cityName.text.toString()}</q>
<format>{FORMAT}</format>
<num_of_days>{NUMBER_OF_DAYS}</num_of_days>
<key>{API_KEY}</key>
</s:request>
</s:HTTPService>
How to convert this in actionscript?
This might help you and please note here the following code not using binding
import mx.rpc.http.HTTPService;
private function callService():void
{
var requestObj:Object = {};
requestObj.q = cityName.text.toString();
requestObj.format = FORMAT;
requestObj.num_of_days = cNUMBER_OF_DAYS;
requestObj.key = API_KEY;
var weatherService:HTTPService = new HTTPService();
weatherService.url = BASE_URL;
weatherService.resultFormat = "object";
weatherService.showBusyCursor = true;
weatherService.request = requestObj;
weatherService.addEventListener(ResultEvent.RESULT , weatherService_resultHandler);
weatherService.addEventListener(FaultEvent.FAULT, weatherService_faultHandler);
weatherService.send();
}
protected function weatherService_resultHandler(event:ResultEvent):void
{
trace("got result");
}
protected function weatherService_faultHandler(event:FaultEvent):void
{
trace("got fault");
}
I am trying using code
// This is an active module of the goelvivek (8) Add-on
exports.main = function() {
var httpRequestObserver =
{
observe: function(subject, topic, data)
{
if (topic == "http-on-examine-response") {
if(console)
console.log(data);
}
}
};
var {Cc, Ci, Cr} = require("chrome");
var observer = require("observer-service");
observerService = Components.classes["#mozilla.org/observer-service;1"].
getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-examine-response", false);
};
but line console.log(data); is not printing any thing in console log. why ?
In addition to the issue noted by Nickolay, an observer needs to implement a QueryInterface() function (typically by means of XPCOMUtils.generateQI()). Here is how one would do it with the Add-on SDK:
var {Cc, Ci, Cr, Cu} = require("chrome");
var {XPCOMUtils} = Cu.import("resource://gre/modules/XPCOMUtils.jsm");
var httpRequestObserver =
{
QueryInterface: XPCOMUtils.generateQI([Ci.nsIObserver, Ci.nsISupportsWeakReference]),
...
};
However, since you already require observer-service package, it would be easier to use it:
var observer = require("observer-service");
observer.add("http-on-examine-response", onHttpRequest);
function onHttpRequest(subject, data)
{
...
}
The downside of this approach is that observer-service is an internal package and its API might change in future Add-on SDK versions.
Is it the real snippet? You should see an error about Components being undefined in the Error Console. Either get it from require('chrome') or use the object from require("observer-service").