Thuwarakan Mohanraj

FRIDA Access Violation Error in Intercepting HermesRuntimeImpl::call

I am currently working on intercepting calls to HermesRuntimeImpl::call in a react native Android application using Frida. My goal is to extract arguments passed to this function and perform additional operations. However, I encountered an access violation error while attempting to call a function (valueToString) within the interception.

let libhermesBaseAddress = Module.findBaseAddress("libhermes.so");
let hermesRuntimeImplCallAddress = libhermesBaseAddress.add(0x1f3931 - 0x00100000);
let runtimePtr = Module.findExportByName("libhermes.so", "_ZN8facebook6hermes17makeHermesRuntimeERKN6hermes2vm13RuntimeConfigE");
let valueToStringAddr = Module.findExportByName("libjsi.so", "_ZNK8facebook3jsi5Value8toStringERNS0_7RuntimeE");

Interceptor.attach(hermesRuntimeImplCallAddress, {
    onEnter: function (args) {
        console.log("HermesRuntimeImpl::call intercepted");

        // Extracting arguments
        let func = args[1]; // jsi::Function
        let jsThis = args[2]; // jsi::Value
        let jsArgs = args[3]; // jsi::Value
        let count = args[4]; // size_t count

        // Logging arguments
        console.log(`Function: ${func}`);
        console.log(`jsThis: ${jsThis}`);
        console.log(`jsArgs: ${jsArgs}`);
        console.log(`Count: ${count}`);
        console.log(`runtimePtr: ${runtimePtr}`);
        console.log(`valueToStringAddr: ${valueToStringAddr}`);

        // Get the valueToString function address
        let valueToString = new NativeFunction(valueToStringAddr, 'pointer', ['pointer', 'pointer']);

        // Call the valueToString function with jsThis and runtimePtr
        let resultPtr = valueToString(jsThis, runtimePtr);

        // Convert the result pointer to a JavaScript string
        let resultString = Memory.readUtf8String(resultPtr);

        console.log("Value to String Result:", resultString);
    }
});

Error: access violation accessing 0x500000cf0

Hook React Native function calls by hooking its call handler on Hermes: jsi::Value HermesRuntimeImpl::call.

Unfortunately this method is not exported, so you have to manually open libhermes.so and identify its address. It is one of two methods that use the string "HermesRuntimeImpl::call: Unable to call function: stack overflow", so finding it is not too complicated (the other method is for executing constructors, so it may be worth hooking both methods).

So this is my starting point:

Interceptor.attach(Module.findBaseAddress("libhermes.so").add(0x001267d8 - 0x00100000), {
    onEnter: function (args) {
        let func = args[1]; // jsi::Function
        let jsThis = args[2]; // jsi::Value
        let jsArgs = args[3]; // jsi::Value
        let count; // = args[4]; // size_t count
        console.log(`HermesRuntimeImpl::call ${func} ${jsThis} ${jsArgs} ${count}`);
    }
});

jsi::Function and jsi::Value seem to be defined in libjsi.so. But for calling them you need a HermesRuntime instance.

I tried to get a string from one of the arguments using jsi::Value::toString(Runtime):

let valueToStringAddr = Module.findExportByName("libjsi.so", "_ZNK8facebook3jsi5Value8toStringERNS0_7RuntimeE");
let valueToString = new NativeFunction(valueToStringAddr, 'pointer', ['pointer']);

But that requires a Runtime (HermesRuntime?) instance. The only way to get one I found so far is hooking the function makeHermesRuntime (Module.findExportByName("libhermes.so", "_ZN8facebook6hermes17makeHermesRuntimeERKN6hermes2vm13RuntimeConfigE")).

But in my environment it is not called.

Upvotes: 1

Views: 491
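Before a hook hands an intercepted pointer, or an address obtained from Module.findExportByName, to a NativeFunction, it is worth checking what that address actually points at: findExportByName returns the code address of a function, not an object instance, and dereferencing an unmapped address is exactly what an access violation reports. The helpers below are an added example, not the question's code or anything from Frida or Hermes. They keep addresses as BigInt so the logic runs under plain Node; under Frida, the memory map would come from Process.enumerateRanges(), and the sample map, module base, export address and image base (0x100000, the disassembler base the question subtracts) are constructed for illustration.

```javascript
// Added example (not from the question): helpers for sanity-checking pointers
// before a Frida hook passes them to native code. Addresses are BigInt so the
// logic is testable under Node; under Frida convert with
// BigInt(nativePtr.toString()) and back with ptr('0x' + value.toString(16)).

// Image base a disassembler assumed for the on-disk ELF (the question uses 0x100000).
const DEFAULT_IMAGE_BASE = 0x100000n;

// Rebase a disassembler address onto the module's runtime base:
// runtimeAddr = moduleBase + (fileAddr - imageBase).
function rebase(moduleBase, fileAddr, imageBase = DEFAULT_IMAGE_BASE) {
  if (fileAddr < imageBase) {
    throw new RangeError('file address lies below the assumed image base');
  }
  return moduleBase + (fileAddr - imageBase);
}

// Find the mapped range containing addr. `ranges` mirrors the shape returned by
// Process.enumerateRanges(): [{ base, size, protection }], with base/size as BigInt.
function findRange(ranges, addr) {
  for (const r of ranges) {
    if (addr >= r.base && addr < r.base + r.size) return r;
  }
  return null;
}

// Decide whether addr is plausible as a pointer to a C++ object (for example a
// Runtime instance) before native code dereferences it. An address inside an
// executable mapping is almost certainly a function (what findExportByName
// returns), not an object; an unmapped address faults on first access.
function checkObjectPointer(ranges, addr) {
  if (addr === 0n) return { ok: false, reason: 'null' };
  const r = findRange(ranges, addr);
  if (r === null) return { ok: false, reason: 'unmapped' };
  if (r.protection.includes('x')) return { ok: false, reason: 'executable' };
  if (!r.protection.startsWith('r')) return { ok: false, reason: 'unreadable' };
  return { ok: true, reason: 'readable data', range: r };
}

// Under Frida, pull the live memory map ('---' means any protection); elsewhere
// return the constructed map that was passed in.
function liveRanges(fallback) {
  if (typeof Process !== 'undefined' && typeof Process.enumerateRanges === 'function') {
    return Process.enumerateRanges('---').map((r) => ({
      base: BigInt(r.base.toString()),
      size: BigInt(r.size),
      protection: r.protection,
    }));
  }
  return fallback;
}

// Constructed sample memory map (not a real process): code, data and heap.
const SAMPLE_RANGES = [
  { base: 0x7f00100000n, size: 0x200000n, protection: 'r-x' }, // libhermes.so text
  { base: 0x7f00300000n, size: 0x10000n, protection: 'rw-' },  // libhermes.so data
  { base: 0x7f10000000n, size: 0x100000n, protection: 'rw-' }, // heap
];

// Run the checks against the sample map and return the verdicts.
function demo() {
  const base = 0x7f00100000n;            // stands in for Module.findBaseAddress('libhermes.so')
  const hookAddr = rebase(base, 0x1f3931n); // the question's disassembler address, rebased
  const exportAddr = base + 0x40000n;      // stands in for a findExportByName result
  return {
    hookAddr,
    exportAsRuntime: checkObjectPointer(SAMPLE_RANGES, exportAddr),
    faultingAddr: checkObjectPointer(SAMPLE_RANGES, 0x500000cf0n), // address from the question's error
    heapObject: checkObjectPointer(SAMPLE_RANGES, 0x7f10001000n),
  };
}

const verdicts = demo();
console.log('hook at 0x' + verdicts.hookAddr.toString(16));
console.log('export address as runtime:', verdicts.exportAsRuntime.reason);
console.log('faulting address:', verdicts.faultingAddr.reason);
console.log('heap object:', verdicts.heapObject.reason);
```

Running the checks in onEnter (with liveRanges() supplying the real map) turns a silent crash into a logged verdict before the NativeFunction call is made. Two further points the example does not model but that matter for the call in the question: jsi::Value::toString(Runtime&) is a const member function, so the native callee receives the Value's own `this` pointer as its first argument and the Runtime reference as the second, and it returns a jsi::String object by value rather than a `char*`, so the returned pointer is not something Memory.readUtf8String can read as text.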

Answers (0)