-
Notifications
You must be signed in to change notification settings - Fork 45
Home
Welcome to the interruptor wiki!
"Interruptor" is a human-friendly interrupts hook library based on Frida's Stalker. This tool can perform some basic tasks such as system call tracing, but it is designed to do lot of more with system calls such as context tampering or to generate coverage.
The aim of this library is to be called inside a Frida's script to start to trace or tamper system calls / CPU context at a specific moment such as when another Frida hook is reached or when a library is linked.
Interruptor uses only instruction hooking - not libc/functions hooking
For exemple, you can:
- Hook open/read/write/close syscall only when the linker has opened a specific library and execution jumps inside.
- Tamper a buffer filled by the read syscall before execution resumes
- Start to generate .drcov file when a specific Frida hook is reached
- Trace sockets
- Tamper timers
- Alter error code through a dedicated API: replace an EACCESS by an ENOENT
| Architecture | OS | Syscall names | Args parsing | Struct/ptr args parsing | Error Code | Signals | Descriptors lookup |
|---|---|---|---|---|---|---|---|
| arm64 | Linux/Android | ✔️ | ✔️ | 20% | 30% | 30% | ✔️ |
| arm64 | MacOS | WiP | - | - | - | - | - |
| armv7 | Linux/Android | ✔️ | ✔️ | 0% | 0% | 0% | 0% |
| x64 | Linux/Android | ✔️ | ✔️ | 0% | 0% | 0% | 0% |
| x64 | MacOS | WiP | - | - | - | - | - |
Important : Interruptor behavior highly depends on the moment where the tracing starts :
- If you start to trace lot of system calls early, then it can slow down a lot the application bootstrap and cause a crash or a fatal timeout.
- If you start to late, some calls can be missing or not traced if they are trigged from another thread
- If you start from a terminal thread (a leaf) or a child process, then "follow thread" option will not be able to follow threads spawned by parent thread or processes spawned by the parent.
Prior to trace Android app, you should choose when the tracing/hooking will start :
- At startup of the main process, before Java part, during initializing of the default class loader. Use such block on top of your script.
Java.performNow(()=>{
Interruptor.newAgentTracer({
followThread: true,
exclude : {
syscall: [/clock_gettime/]
}
}).start();
});
- When execution enters into Java part : Application or main activity
Java.perform(()=>{
Interruptor.newAgentTracer({
followThread: true,
exclude : {
syscall: [/clock_gettime/]
}
}).start();
});
- From a Java Hook
let flagTraced = false;
MyMethod.implementation = function(a,b,c){
if(!flagTraced){
flagTraced = true;
Interruptor.newAgentTracer({
followThread: true,
exclude : {
syscall: [/clock_gettime/]
}
}).start();
}
};
-
From a native hook
-
On native library loading (Interruptor hooks the linker). This feature is fully supported by Interruptor, so you just need to replace
start()bystartOnLoad(<MY_LIB_REGEXP>)where MY_LIB_REGEXP is a regulare expression of the name of your library
Interruptor.newAgentTracer({
followThread: true,
exclude : {
syscall: [/clock_gettime/]
}
}).startOnLoad(/libssl\.so/);
WiP
WiP