frida / frida-swift-bridge Goto Github PK

View Code? Open in Web Editor NEW

112.0 8.0 12.0 430 KB

Frida's finally getting Swifty

License: Apache License 2.0

TypeScript 59.86% JavaScript 0.20% C 35.97% Swift 3.01% Makefile 0.92% Shell 0.05%

frida-swift-bridge's Introduction

frida-swift-bridge

Swift interop from Frida.

Requirements

arm64(e) Darwin platforms
Apps built using Swift 5.0+

Getting started

The bridge comes bundled with Frida as of v15.1.0. That means it's as simple as installing Frida, then:

$ frida <process name>
[Local::<process name>]-> Swift.available
true

Or, preferably, since the bridge isn't at production capacity yet, it might be better to use the latest bridge from git, as there might be fixes or patches that haven't made it to the latest Frida version yet.

$ git clone [email protected]:frida/frida-swift-bridge.git
$ cd frida-swift-bridge
$ npm install
$ npm run watch
$ frida <process name> -l _agent.js # In another terminal

Showcase

The best way to really see the available APIs in action is to have a look at the testsuite. And who doesn't like a good screenshot? See the docs for more flexing.

Notes

Expect this to be alpha-ish quality software. This hasn't been battle-tested yet, and chances are there's some quite weird shit waiting to be surfaced. PRs and issues are very welcome.

License

Apache 2.0

frida-swift-bridge's People

Contributors

Stargazers

Watchers

Forkers

airahc idkwim serek8 karolpiateknet biscuitehh camuffo jpstotz st-rnd nsecho daerduotutu922 kkpan11 p-x9

frida-swift-bridge's Issues

Frida console: typing `Swift.` crashes the app process

Observed on iOS 14.2. Just typing on the Frida console: Swift. crashes the app. It happens on any pre-installed app that belongs to iOS (Messages, App Store, ...).

If I use Twitter app from App Store (I get v9.44 for iOS 14.2) I get a tiny bit further: It crashes after executing the command Swift.available.

frida -U Messages
     ____
    / _  |   Frida 16.0.10 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Apple iPhone (id=00008020-0001695C2EC3002E)

[Apple iPhone::Messages ]-> Swift.Process crashed: SIGABRT

***
Incident Identifier: 38CF3D02-0417-4456-9147-3B47BE1AAEEE
CrashReporter Key:   595f1e4e8d21aa3eadc5f578b8a3de5870f9ef0f
Hardware Model:      iPhone11,8
Process:             MobileSMS [2174]
Path:                /Applications/MobileSMS.app/MobileSMS
Identifier:          com.apple.MobileSMS
Version:             6000 (14.0)
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           com.apple.MobileSMS [1038]


Date/Time:           2023-02-24 12:04:47.4189 +0100
Launch Time:         2023-02-24 12:04:24.1619 +0100
OS Version:          iPhone OS 14.2 (18B92)
Release Type:        User
Baseband Version:    3.01.01
Report Version:      104

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Triggered by Thread:  10

Error from Swift.classes

using frida 15.1.5

spawning with frida like this: frida -U -f x.y.z
and then calling: Swift.classes throws always the following error:

Error: Failed to create symbolicator
at g (frida/node_modules/frida-swift-bridge/dist/lib/symbols.js:91)
at o (frida/node_modules/frida-swift-bridge/dist/lib/symbols.js:12)
at b (frida/node_modules/frida-swift-bridge/dist/lib/macho.js:133)
at N (frida/node_modules/frida-swift-bridge/dist/lib/types.js:354)
at g (frida/node_modules/frida-swift-bridge/dist/lib/types.js:40)
at o (frida/node_modules/frida-swift-bridge/dist/lib/registry.js:18)
at shared (frida/node_modules/frida-swift-bridge/dist/lib/registry.js:44)
at get classes (frida/node_modules/frida-swift-bridge/dist/index.js:38)

[Question or Feature Request] ObjC.choose

hello team,

quick question. Does the Swift Bridge allows similar functionality to ObjC.choose, which allows accessing live instances of Obj-C classes? This is extremely useful, if constructor of a Swift class requires complex parameters (often instances of other classes). Using this functionality we could easily access properties and methods of such Swift class instances without worrying about the correct constructor calls.

thanks

Unhandled context descriptor kind: 30

Hi,

I'm trying to use this for the default macOS SwiftUI app created with Xcode 14 and getting this error:

[Frida CRITICAL] Runtime bundle could not be loaded: Error: Unhandled context descriptor kind: 30 [stack: Error: Unhandled context descriptor kind: 30
    at D (frida/node_modules/frida-swift-bridge/dist/lib/macho.js:81)
    at <anonymous> (frida/node_modules/frida-swift-bridge/dist/lib/macho.js:11)

Running on macOS 13.0.1

Error: Couldn't parse function with signature

Hello @hot3eed ,

thanks for the great extension. However, I am failing miserably with Interceptor. I am getting this error message:

Error: Couldn't parse function with signature: static APP.CFMKeyChain.get(APP.CFMKeyChain.Items) -> Swift.Optional<Swift.String>
here is the function definition in the decompiler:

int _$s15APP11CFMKeyChainC3getySSSgAC5ItemsOFZ(int arg0) {

I am using the following Frida script:

var dummy = Process.getModuleByName('APP');
var symbols = dummy.enumerateSymbols();
symbols = symbols.filter(s => s.name == '$s15APP11CFMKeyChainC3getySSSgAC5ItemsOFZ');
var target = symbols[0].address;
var Int = Swift.structs.Int;
var String = Swift.structs.String;
var getLoadableStruct = Swift.NativeFunction(target, String , [ Int ]);
Swift.Interceptor.attach(getLoadableStruct.address, {
    onLeave: function(retval) {
            console.log("IN2");
            console.log(JSON.stringify(retval));
            console.log(retval.$class);
        }

I am getting the same output if I put 2 Int:

var dummy = Process.getModuleByName('APP');
var symbols = dummy.enumerateSymbols();
symbols = symbols.filter(s => s.name == '$s15APP11CFMKeyChainC3getySSSgAC5ItemsOFZ');
var target = symbols[0].address;
var Int = Swift.structs.Int;
var getLoadableStruct = Swift.NativeFunction(target, Int , [ Int ]);
Swift.Interceptor.attach(getLoadableStruct.address, {
    onLeave: function(retval) {
            console.log("IN2");
            console.log(JSON.stringify(retval));
            console.log(retval.$class);
        }

Any advice? I am losing my head here :(

thanks

Problem with `Getting Started` instructions

At present, the instructions are:

$ npm run install
$ npm run build
$ frida <process name> -l _agent.js

Using the latest version of npm (7.22.0).

Steps:

cd into repo directory
execute npm run install

Output:

npm ERR! Missing script: "install"
npm ERR! 
npm ERR! Did you mean this?
npm ERR!     npm uninstall # Remove a package
npm ERR! 
npm ERR! To see a list of scripts, run:
npm ERR!   npm run

I have tried:

npm install which seemed to install the dependencies.
npm run build
frida -U {app} --no-pause -l _agent.js

Output:

Usage: frida [options] target

frida: error: [Errno 2] No such file or directory: '/Users/xxx/git/frida-swift-bridge/_agent.js'

Error: missing argument

Hey there, Great work. Thanks for the swift bridge. i'm trying to intercept a very basic function and somehow get missing argument, i matched the signature with other interceptors. Am i missing anything?

Here is my js file content.

Swift.Interceptor.attach(Swift.classes['SceneDelegate']['scene'], {
       onEnter: function (args) {
           console.log("Test");
     },
     onLeave: function(retval) {
          console.log("Hey");
    }
  });

    "TestString": {
        "$conformances": [],
        "$methods": [
            {
                "address": "0x102b2c908",
                "name": "TestSwift2.TestString.generateSwiftString() -> Swift.String",
                "type": "Method"
            },
            {
                "address": "0x102b2c944",
                "name": "TestSwift2.TestString.generateObjectiveCString() -> __C.NSString",
                "type": "Method"
            },
            {
                "address": "0x102b2c9dc",
                "name": "TestSwift2.TestString.convertToObjectiveCString(Swift.String) -> __C.NSString",
                "type": "Method"
            },
            {
                "address": "0x102b2ca3c",
                "name": "TestSwift2.TestString.convertToSwiftString(__C.NSString) -> Swift.String",
                "type": "Method"
            },
            {
                "address": "0x102b2caf0",
                "name": "TestSwift2.TestString.__allocating_init() -> TestSwift2.TestString",
                "type": "Init"
            }
        ]
    },

However, when I try to create the object in Frida, I am getting:

[iPhone::TestSwift2 ]-> var class1 = Swift.classes.TestString
[iPhone::TestSwift2 ]-> var ins1 = class1.__allocating_init()
Error: Type not found: __C.NSString
    at untypedMetadataFor (dist/lib/macho.js:38)
    at ObjectInstance (dist/lib/types.js:414)
    at wrapper (dist/lib/callingconvention.js:120)
    at <eval> (<input>:1)

Am I missing something obvious here? Not sure why it complains about NSString, as the constructor has no defintion of it. I am using the latest version of the bridge from GIT.

thanks

frida / frida-swift-bridge Goto Github PK

frida-swift-bridge's Introduction

frida-swift-bridge

Requirements

Getting started

Showcase

Notes

License

frida-swift-bridge's People

Contributors

Stargazers

Watchers

Forkers

frida-swift-bridge's Issues

Recommend Projects

Recommend Topics

Recommend Org