android android.os.IBinder how to use ? #1867

Open
rockygsm opened this issue Sep 25, 2021 · 2 comments

@rockygsm
rockygsm commented Sep 25, 2021

I am using version 15.1.2 of the Frida server on an Android target for my research.
Android OS 10, SDK 29, min support 23, rooted with Magisk.
I load the server and am able to execute scripts.
The APK uses a few functions in init; I am not able to find a way out.
I started with this:

```
var client1 = Java.use("com.xx1.android.x2.client.x3Client");
var client2 = client1.$new.overload('android.content.Context').call(client1);
```

So far this goes well.

```
var client = client2.access$000(client2); //create inst
var client3 = client2.access$102(client2,true); //set accessible
```

All works fine up to here.

The problem is in this class:

```
var proxyx1 = Java.use("com.x1.android.x2.client.ICMDService$Stub$Proxy");
var proxyx2 = proxyx1.$new.overload('android.os.IBinder').call(proxyx1);
var client4 = client2.access$202(client2,proxyx2); //bind both instance to 1 object.
```

This returns with no issue, but it seems the IBinder stays empty, so any call we need to make from the client2 instance does not work.

Now when using the function call

```
console.log('getFactoryVersion = ' + client2.getFactoryVersion());
```

it gives me the error

```
Error: java.lang.NullPointerException: Attempt to invoke interface method 'boolean android.os.IBinder.transact(int, android.os.Parcel, android.os.Parcel, int)' on a null object reference..
```

How to invoke IBinder with Frida and pass it to the overload?

I have searched all issues and Google, and on GitHub too; no sample with IBinder was found at the time of posting.

Regards,

@BLuFeNiX
@rockygsm this is not a problem with Frida. You may wish to try asking on Stack Overflow, or similar.

A hint though: are you sure you want to pass proxy1 into its own constructor? I do not think Stub classes take args in their constructors. You may mean to use asInterface. Furthermore, I think you want an instance of an IBinder, not just the Frida wrapper around the class.

@rockygsm

@BLuFeNiX
Hello,
Thank you for the answer.
Exactly, I want the interface so I can use IBinder and Parcel to make calls with a Parcel object.
I am trying to build this over JNI C++ and was not able to construct it.
But I have managed to solve it in Frida with the following:

```
// ActivityThread must be resolved through Java.use before it can be called
var ActivityThread = Java.use("android.app.ActivityThread");
var context = ActivityThread.currentApplication().getApplicationContext();
var client1 = Java.use("com.xx1.android.x2.client.x3Client");
// Pass the application context to the constructor, then bind the service
var client2 = client1.$new.overload('android.content.Context').call(client1,context);
client2.bindService();
```

Now everything works, but I can't build this on JNI because applicationContext is not possible in JNI C++ only.
Without bindService and a context it does not let me use the IBinder because the service does not exist.

I understand this is not a Frida issue, but it helps me understand the basics and testing. Thank you once again.
I post on Stack Overflow to find the exact way with NDK JNI for this testing.
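
Added example, not code from this thread or from the Frida project: a Frida script that hooks `asInterface` on the AIDL-generated stub and logs whether the app ever receives a live IBinder, which is the condition behind the NullPointerException reported above. It assumes the standard AIDL `$Stub` class exists under the redacted package name used in the thread and that the client calls `asInterface` when its service connects; `describeBinder` and `installHook` are hypothetical helper names.

```javascript
// Redacted class name as written in the thread; "$Stub" is the usual
// AIDL-generated nested class (assumed to exist in the target app).
const STUB = "com.x1.android.x2.client.ICMDService$Stub";

// Summarise an android.os.IBinder wrapper without throwing on a null
// reference or on a binder whose remote process has died.
function describeBinder(binder) {
  if (binder === null || binder === undefined) {
    return { state: "null", descriptor: null };
  }
  let descriptor = null;
  try {
    descriptor = binder.getInterfaceDescriptor(); // may throw RemoteException
  } catch (e) {
    descriptor = null;
  }
  const alive = binder.pingBinder(); // false when the hosting process is gone
  return { state: alive ? "alive" : "dead", descriptor: descriptor };
}

// Hook the static asInterface(IBinder) so every binder handed to the stub is
// reported before the original method wraps it in a Proxy.
// "java" is the Frida Java bridge; it is a parameter so the logic can be
// exercised outside Frida with a stand-in object.
function installHook(java, log) {
  const Stub = java.use(STUB);
  Stub.asInterface.implementation = function (binder) {
    const info = describeBinder(binder);
    log("asInterface: binder " + info.state + ", descriptor=" + info.descriptor);
    // Inside an implementation, calling the method again runs the original.
    return this.asInterface(binder);
  };
  return Stub;
}

// Only runs inside a Frida session attached to an Android process.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    installHook(Java, console.log);
  });
}
```

If no `asInterface` line is logged before `getFactoryVersion()` is called, the service has not connected yet and the proxy still holds no binder.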
