fridax: Export not found: `mono_aot_get_method` in JIT-compiled APK
Hello,
I can’t get the modify_class_function_argument.js script to work.
I’m working with this app: https://github.com/xamarin/xamarin-forms-samples/tree/master/WebServices/TodoREST
I’m trying to intercept the GetTasksAsync function of the TodoItemManager:
```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

namespace TodoREST
{
    public class TodoItemManager
    {
        IRestService restService;

        public TodoItemManager (IRestService service)
        {
            restService = service;
        }

        public Task<List<TodoItem>> GetTasksAsync ()
        {
            return restService.RefreshDataAsync ();
        }

        public Task SaveTaskAsync (TodoItem item, bool isNewItem = false)
        {
            return restService.SaveTodoItemAsync (item, isNewItem);
        }

        public Task DeleteTaskAsync (TodoItem item)
        {
            return restService.DeleteTodoItemAsync (item.ID);
        }
    }
}
```
Source for the class: https://github.com/xamarin/xamarin-forms-samples/blob/master/WebServices/TodoREST/TodoREST/Data/TodoItemManager.cs
I’m using this script:
```javascript
import { MonoApiHelper, MonoApi } from '../vendors/frida-mono-api'
import ClassHelper from '../libraries/class_helper'

// Intercept settings
var settingClassName = "TodoREST.TodoItemManager";
var settingMethodName = "GetTasksAsync";
var settingMethodArgCount = 0;

// The root AppDomain is the initial domain created by the runtime when it is initialized. Programs execute on this AppDomain.
const domain = MonoApi.mono_get_root_domain()
console.log('domain: ' + domain);

// Get a reference to a certain class within the Xamarin application.
var classInformation = ClassHelper.getClassByName(settingClassName);
console.log('classInformation: ' + classInformation);

// Get the MonoMethod* for the method, looked up by name and argument count
let methodInformation = MonoApiHelper.ClassGetMethodFromName(classInformation, settingMethodName, settingMethodArgCount)
console.log('methodInformation: ' + methodInformation);

// Allocate enough memory for MonoError initialization
let monoErrorMemory = Memory.alloc(32)

// Get the pointer to the native code of the ahead-of-time (AOT) compiled method
let nativeMethodPointer = MonoApi.mono_aot_get_method(domain, methodInformation, monoErrorMemory)

// Attach interceptor and fish out the first method argument
// (argument handling kept from the template script; GetTasksAsync itself takes no managed arguments)
Interceptor.attach(nativeMethodPointer, {
    onEnter: function (args) {
        console.log("Entered " + settingMethodName + " with " + settingMethodArgCount + " argument(s).");
        console.log("Value of `string id`: " + MonoApiHelper.StringToUtf8(args[3]));
        args[3] = MonoApiHelper.StringNew('This is the replaced value of `string c`.', domain);
    },
    onLeave: function (retval) {
        console.log("Left " + settingMethodName + ".");
    }
})

console.log(`'modify_function_argument.js' attached and ready.`)
```
The stacktrace I’m getting:
```text
node fridax.js inject --scripts scripts/todo-modify.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on Android Emulator 5554.
? Which application do you want to inject? TodoREST
[*] Happy hacking.
[*] Attached to application (session: 3803).
[*] Injected a test script (this runs from within the injected application)!
domain: undefined
classInformation: 0x98f63330
methodInformation: 0x84b95058
Error: Export not found: mono_aot_get_method
    at vendors/frida-mono-api/mono-api.js:799
    at scripts/todo-modify.js:45
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
    at /script2.js:1217
^C[*] Script unloaded.
[*] Script unloaded.
```
If you need more info let me know.
About this issue
- State: closed
- Created 4 years ago
- Comments: 17 (12 by maintainers)
Commits related to this issue
- Removed redundant `mono_aot_get_method` signature (#3). — committed to NorthwaveSecurity/fridax by tijme 4 years ago
- Add Intercept to MonoApiHelper CF: https://github.com/NorthwaveNL/fridax/issues/3#issuecomment-606567348 — committed to Techbrunch/fridax by Techbrunch 4 years ago
@Techbrunch The blog is live now if you’re still interested in reading it. It showcases how to bypass certificate pinning in Xamarin using Frida.
The work was done before Fridax released, but I added a reference to fridax at the end since I feel like this project’s goal is a superset of what we were trying to achieve.
Cheers!
That’s correct.
Just as a heads up, in the code you merged from my PR, I have included a helper method to hook JITTed/unJITTed (non-AOT) methods. Like @tijme said, AOT must be hooked differently.
I’m not sure if you fully merged it or only took the bits that deal with the mono runtime image name, but the PR adds `MonoApiHelper.Intercept`, which behaves like `Interceptor` but takes a mono class definition, a method name and hooks. There’s no documentation as of right now (we have an upcoming blog on hooking managed methods in Mono, but it’s been backlogged since February. Once it’s done I’ll link it to you if interested.) The method is at https://github.com/freehuntx/frida-mono-api/pull/6/files#diff-1620eb23fbd98d7f220961acb8cf39b3R98
Hope this can help a bit!
@tijme @alxbl It works like a charm, thanks!
My script:
FYI: I was also able to patch the APK permanently using Objection (https://github.com/sensepost/objection/pull/329#issuecomment-609438408)
@alxbl Looking forward to reading the blog post, I might write one in the meantime.
As I stated, I think you need to use mono_compile_method (source) to JIT-compile the method. This will return a pointer to the native code produced, which you can use to intercept. You can use this script as a reference, since it uses mono_compile_method and I think it does exactly what you want.
When I have the time I will take a look and see if I can make an example script for this. Or just a method which allows you to intercept both JIT and AOT compiled methods. 👍
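The `mono_compile_method` route described in the comment above, as an added example that is not fridax’s or frida-mono-api’s own code: it binds the exported Mono runtime functions itself, uses `mono_aot_get_method` only if that export actually exists, and hooks `TodoItemManager.GetTasksAsync` from the sample app. The runtime module name (`libmonosgen-2.0.so`) and the use of `mono_image_loaded` to find the `TodoREST` image are assumptions.

```javascript
// Added example, not code from fridax or frida-mono-api. Assumes the Mono runtime
// module is libmonosgen-2.0.so (check Process.enumerateModules() on your device).
const MONO_MODULE = 'libmonosgen-2.0.so';

// Bind the exports we need; a missing export becomes null instead of throwing
// "Export not found" at load time, so the JIT/AOT choice can be made at runtime.
function buildMonoApi(findExport, NativeFunctionCtor) {
  const bind = (name, ret, argTypes) => {
    const addr = findExport(MONO_MODULE, name);
    return addr === null ? null : new NativeFunctionCtor(addr, ret, argTypes);
  };
  return {
    mono_get_root_domain: bind('mono_get_root_domain', 'pointer', []),
    mono_thread_attach: bind('mono_thread_attach', 'pointer', ['pointer']),
    mono_image_loaded: bind('mono_image_loaded', 'pointer', ['pointer']),
    mono_class_from_name: bind('mono_class_from_name', 'pointer', ['pointer', 'pointer', 'pointer']),
    mono_class_get_method_from_name: bind('mono_class_get_method_from_name', 'pointer', ['pointer', 'pointer', 'int']),
    // JIT runtime: returns (compiling it first if needed) the native code of a MonoMethod*.
    mono_compile_method: bind('mono_compile_method', 'pointer', ['pointer']),
    // AOT runtime only; a JIT build of the runtime does not export it.
    mono_aot_get_method: bind('mono_aot_get_method', 'pointer', ['pointer', 'pointer', 'pointer']),
  };
}

// Pick the way to obtain native code for a managed method on this runtime.
function nativeCodeFor(api, domain, method, errorBuf) {
  if (api.mono_compile_method !== null) return api.mono_compile_method(method);
  if (api.mono_aot_get_method !== null) return api.mono_aot_get_method(domain, method, errorBuf);
  throw new Error('neither mono_compile_method nor mono_aot_get_method is exported by ' + MONO_MODULE);
}

// Frida-only part, guarded so the helpers above can also be loaded outside Frida.
if (typeof Interceptor !== 'undefined') {
  const api = buildMonoApi((m, n) => Module.findExportByName(m, n), NativeFunction);
  const domain = api.mono_get_root_domain();
  api.mono_thread_attach(domain);  // the agent thread must be attached to the runtime before JIT work
  const image = api.mono_image_loaded(Memory.allocUtf8String('TodoREST'));  // assumption: image name == assembly name
  if (image.isNull()) throw new Error('TodoREST assembly not loaded yet');
  const klass = api.mono_class_from_name(image,
    Memory.allocUtf8String('TodoREST'), Memory.allocUtf8String('TodoItemManager'));
  const method = api.mono_class_get_method_from_name(klass, Memory.allocUtf8String('GetTasksAsync'), 0);
  const code = nativeCodeFor(api, domain, method, Memory.alloc(32));
  Interceptor.attach(code, {
    onEnter(args) { console.log('GetTasksAsync entered, this = ' + args[0]); },
    onLeave(retval) { console.log('GetTasksAsync returned Task at ' + retval); },
  });
}
```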