I am attempting to trace all Java functions called in an Android application using Frida, but I'm encountering some challenges.
I have already looked into tracing functions by hooking all the application's functions (using class.function.implementation = function(...parameters) {}), but this becomes impractical for mid-sized applications due to scalability issues.
I came across Frida's Stalker API. I know that tracing native functions using Stalker is possible, so I tried the following code snippet:
    // Follow every thread in the process and log each call event.
    var threads = Process.enumerateThreadsSync();
    threads.forEach(function (thread) {
        Stalker.follow(thread.id, {
            events: { call: true },
            onReceive: function (events) {
                // With annotate: false, each call event is [location, target, depth].
                var calls = Stalker.parse(events, { annotate: false });
                calls.forEach(function (event) {
                    var location = event[0];
                    var target = event[1];
                    // Resolve both addresses to native symbol names.
                    var locationName = DebugSymbol.fromAddress(location).name;
                    var targetName = DebugSymbol.fromAddress(target).name;
                    console.log(locationName + " " + targetName);
                });
            }
        });
    });
However, I am facing two issues:
(1) The app crashes shortly after it is started (maybe because I "stalk" all threads, including the one Frida runs on?)
(2) No Java methods are logged.
My main question is: Is tracing Java functions generally not possible using Frida's Stalker API, or am I missing something in my approach?