Frida client v12.11.11 on Ubuntu 18.06
Frida Server v12.11.17 on Android Studio emulator (Android 9.0 Google X86_ARM)
I am trying to hook the onCreate method of a subclass that implements a service running in a private process. This is the manifest declaration:
<service android:enabled="true" android:name="my_subclass_to_hook" android:process=":my_process">
In order to perform the hook I followed the example reported here: https://www.programmersought.com/article/97331588304/
I'm able to detect when the process is being called since the spawn_added event is correctly working inside the jscode code. But the hooking implementation function is not being called.
I am sure that the original function is being called since I can see the logcat prints.
Can anyone help me please? I've been stuck for weeks on this issue. Am I missing anything, or is there an alternative way to achieve this?
Following is the Python code I am using. As I said, I am able to catch when the service process "my_app_package:my_process" is created, since the jscode is correctly called and I can see the "Script called..." print. The problem is that the hooked function my_subclass_to_hook.onCreate is not being attached, since I cannot see the "Hooked!!" print. By the way, I am sure that the function my_subclass_to_hook.onCreate is being called, since I can see the prints in the logcat. Hoping this can clarify my problem:
import frida
import sys
import threading

# Last enumerated device is the emulator running frida-server
device = frida.get_device_manager().enumerate_devices()[-1]
print(device)

event = threading.Event()

# Script injected into the service process: hooks my_subclass_to_hook.onCreate
jscode = """
console.log("Script called...");
Java.perform(function x() {
    var my_class = Java.use("my_subclass_to_hook");
    my_class.onCreate.implementation = function (a) {
        console.log("Hooked!!");
        var ret_value = this.onCreate(a);
        return ret_value;
    };
});
"""

def on_spawned(*args):
    # Catch-all logger for the remaining device signals wired up below;
    # they carry different argument lists, so accept anything.
    print('on_spawned:', args)
    event.set()

def spawn_added(spawn):
    print('spawn_added:', spawn)
    event.set()
    if spawn.identifier.startswith('my_app_package:my_process'):
        # The gated service process is still suspended here: inject before resuming
        session = device.attach(spawn.pid)
        script = session.create_script(jscode)
        script.on('message', on_message)
        script.load()
    # Every gated spawn has to be resumed, hooked or not
    device.resume(spawn.pid)
    print('Resumed')

def spawn_removed(spawn):
    print('spawn_removed:', spawn)
    event.set()

def on_message(message, data):
    # Script 'message' handlers receive (message, data)
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

def child_added(spawn):
    print('child_added:', spawn)

device.on('spawn-added', spawn_added)
device.on('spawn-removed', spawn_removed)
device.on('child-added', child_added)
device.on('child-removed', on_spawned)
device.on('process-crashed', on_spawned)
device.on('output', on_spawned)
device.on('uninjected', on_spawned)
device.on('lost', on_spawned)
device.enable_spawn_gating()
print('Enabled spawn gating')

# Launch the main app process; the ":my_process" service is caught by spawn gating
pid = device.spawn(["my_app_package"])
session = device.attach(pid)
device.resume(pid)
sys.stdin.read()
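A reworked spawn-gating flow, added here as an example (it is not the question's code nor Frida's own): the spawn-added callback only queues the spawn, attach/load/resume happen on the caller's thread (the pattern used by frida-python's spawn_gating example), and the hook selects the zero-argument overload of Service.onCreate explicitly. Package, process and class names are taken from the question; SpawnGate and run() are names chosen for this example, and the device object is injected so the gate can be exercised without an emulator.

```python
import queue

# Hook script: select the zero-argument overload of Service.onCreate explicitly.
JSCODE = """
Java.perform(function () {
    var Svc = Java.use("my_subclass_to_hook");
    Svc.onCreate.overload().implementation = function () {
        send("Hooked: onCreate entered");
        this.onCreate();
    };
});
"""

TARGET = "my_app_package:my_process"  # android:process=":my_process" in the manifest

class SpawnGate:
    """Queue spawns on Frida's event thread; attach and resume from the caller's thread."""

    def __init__(self, device, target=TARGET, jscode=JSCODE):
        self.device, self.target, self.jscode = device, target, jscode
        self.pending = queue.Queue()
        self.instrumented = []  # pids that received the hook script

    def on_spawn_added(self, spawn):  # runs on Frida's internal thread: only enqueue
        self.pending.put(spawn)

    def on_message(self, message, data):
        print("[*]", message["payload"] if message["type"] == "send" else message)

    def process_one(self, timeout=None):
        spawn = self.pending.get(timeout=timeout)  # raises queue.Empty on timeout
        hooked = spawn.identifier.startswith(self.target)
        if hooked:
            session = self.device.attach(spawn.pid)
            script = session.create_script(self.jscode)
            script.on("message", self.on_message)
            script.load()  # script is live before the process executes anything
            self.instrumented.append(spawn.pid)
        self.device.resume(spawn.pid)  # every gated spawn must be resumed, hooked or not
        return hooked

def run():
    import frida  # imported here so SpawnGate can be exercised without a device
    device = frida.get_usb_device()  # the emulator shows up as a USB device
    gate = SpawnGate(device)
    device.on("spawn-added", gate.on_spawn_added)
    device.enable_spawn_gating()
    for spawn in device.enumerate_pending_spawn():  # anything gated before we listened
        device.resume(spawn.pid)
    while True:  # start the app from the emulator; the service process is caught here
        gate.process_one()
```

Run run() on the host and launch the app on the emulator; only the spawn whose identifier matches TARGET gets the script, every other gated spawn is resumed untouched.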
You're missing the overload.
should be
That's a very janky way of calling a frida script. You should have a sleep(1) between the script.load() and script.resume()