Android screenshots fail immediately #222

Closed
aph3rson opened this issue Apr 4, 2019 · 6 comments
@aph3rson
Contributor

aph3rson commented Apr 4, 2019

Describe the bug
Attempting to take a screenshot on Android of any activity fails with a Frida error.

To Reproduce
Steps to reproduce the behavior:

  1. Inject into an Android application
  2. Run command android ui screenshot test.png

Expected behavior
A PNG-format screenshot should be created in that directory.

Evidence / Logs / Screenshots

#> objection --gadget "com.android.chrome" explore
Using USB device `Motorola moto g(6)`
Agent injected and responds ok!
[snip]
com.android.chrome on (motorola: 8.0.0) [usb] # android ui screenshot test.png
A Frida agent exception has occurred.
TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at /script1.js:5414
    at /script1.js:5191
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5195
    at /script1.js:1329
    at /script1.js:5196
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

Python stack trace: Traceback (most recent call last):
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\python37\lib\site-packages\objection\commands\ui.py", line 110, in android_screenshot
    data = api.android_ui_screenshot()
  File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
    return script._rpc_request('call', js_name, args)
  File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
    raise result[2]
frida.core.RPCException: TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at /script1.js:5414
    at /script1.js:5191
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5195
    at /script1.js:1329
    at /script1.js:5196
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

com.android.chrome on (motorola: 8.0.0) [usb] #

Environment (please complete the following information):

  • Device: Moto G6
  • OS: Android 8.0.0
  • Frida Version 12.4.0
  • Objection Version: v1.6.2

Additional context
Connected to frida-server on the device. Appears to affect activities with FLAG_SECURE set or unset.

Running from a Windows host.

@leonjza added the 🐛bug label Apr 5, 2019
@aph3rson
Contributor Author

aph3rson commented Apr 9, 2019

@leonjza any ideas what might be causing this? If you have any ideas on where I should be looking, I can dig a bit deeper.

@leonjza
Member

leonjza commented Apr 9, 2019

To be honest, I am not sure. It may very well be something that has changed in Android 8 given the age of the hook. I suggest we start by getting a source mapped stack trace from the agent with the --debug flag and working from there.

@aph3rson
Contributor Author

I don't think the --debug flag gave us much more:

objection --debug --gadget "com.android.chrome" explore
[debug] Agent path is: c:\python37\lib\site-packages\objection\agent.js
[debug] Injecting agent...
Using USB device `Motorola moto g(6)`
[debug] Attempting to attach to process: `com.android.chrome`
[debug] Unable to find process: `com.android.chrome`, attempting spawn
[debug] PID `10049` spawned, attaching...
[debug] Resuming PID `10049`
Agent injected and responds ok!

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion) v1.5.2

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.android.chrome on (motorola: 8.0.0) [usb] # android ui screenshot test.png
A Frida agent exception has occurred.
TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at src/android/userinterface.ts:30
    at src/android/lib/libjava.ts:9
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5159
    at node_modules/core-js/library/modules/es6.promise.js:83
    at /script1.js:5160
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

Python stack trace: Traceback (most recent call last):
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\python37\lib\site-packages\objection\commands\ui.py", line 110, in android_screenshot
    data = api.android_ui_screenshot()
  File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
    return script._rpc_request('call', js_name, args)
  File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
    raise result[2]
frida.core.RPCException: TypeError: cannot read property 'hasOwnProperty' of undefined
    at [anon] (duk_hobject_props.c:2384)
    at frida/node_modules/frida-java/lib/class-factory.js:736
    at src/android/userinterface.ts:30
    at src/android/lib/libjava.ts:9
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:280
    at /script1.js:5159
    at node_modules/core-js/library/modules/es6.promise.js:83
    at /script1.js:5160
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)
    [...]

@leonjza
Member

leonjza commented Apr 10, 2019

The debug flag now tells us where in the TypeScript agent the crash came from (rather than just saying script.js: 5414) :)

at src/android/userinterface.ts:30

It appears to be this line that is causing the problem. It may be worth it to patch the loop to match what is currently used here as a test.

@leonjza reopened this Apr 11, 2019
@leonjza
Member

leonjza commented Apr 11, 2019

I quickly looked at this, and fixed up the activity casting. While it does not solve the original problem, it does get us a step closer again.

@IPMegladon
Collaborator

Stale issue, feel free to reopen.

@IPMegladon closed this as not planned Jul 12, 2024