Frida：DebugSymbol.fromAddress 生成具有空字段的对象

发布于 2025-01-10 05:53:06 字数 2301 浏览 4 评论 0原文

我使用 Frida 在 iPhone 7 (iOS 14.4) 上运行此命令：

frida-trace -U -S lib.js -m "-[NSMutableURLRequest setValue*]" --decorate -f com.apple. AppStore

lib.js 包含这个简单的辅助函数：

function backtrace() {
    return '\tBacktrace:\n\t' +
            Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(item => {
                    var symbol = DebugSymbol.fromAddress(item);
                    return JSON.stringify(symbol);
                })
                .join('\n\t');
}

然后在生成的处理程序的 onEnter 中执行以下操作：

log(backtrace());

我在终端中看到的是：

  1400 ms       Backtrace:
        {"address":"0x1069bb294","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02ddc","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afaf8","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afbf4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069c0770","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x10695eca0","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x104cd407c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}

为什么会发生这种情况以及如何获取调用堆栈项的模块和方法名称？

原文

I'm using Frida to run this command on my iPhone 7 (iOS 14.4):

frida-trace -U -S lib.js -m "-[NSMutableURLRequest setValue*]" --decorate -f com.apple.AppStore

lib.js contains this simple helper function:

function backtrace() {
    return '\tBacktrace:\n\t' +
            Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(item => {
                    var symbol = DebugSymbol.fromAddress(item);
                    return JSON.stringify(symbol);
                })
                .join('\n\t');
}

And then in onEnter of the produced handler I do this:

log(backtrace());

And all I see in the terminal is:

  1400 ms       Backtrace:
        {"address":"0x1069bb294","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02ddc","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afaf8","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afbf4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069c0770","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x10695eca0","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x104cd407c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}

Why is this happening and how can I get module and method names of the call stack items?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

草莓酥 2025-01-17 05:53:06

根据我的经验，DebugSymbol.fromAddress() 在某些 iOS 应用程序上效果不佳。我什至遇到过在堆栈跟踪上应用此方法会导致应用程序崩溃。不知道为什么它不起作用，可能是一个错误，或者应用程序二进制文件只是错过了调试符号。

或者，为了了解堆栈跟踪，您可以使用 Frida 的 ModuleMap< 将每个地址映射到它所属的模块/a>

var moduleMap = new ModuleMap();
var backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE); 
return backtrace.map(addr => return moduleMap.get(addr).name).join('\n\t');

那么你仍然错过了方法名称，我不知道在这种情况下如何获取它。

In my experience DebugSymbol.fromAddress() does not work very good on some iOS apps. I even encountered that applying this method on a stack trace was causing an app crash. Not sure why it does not work, could be a bug or the app binary just misses debug symbols.

Alternatively for understanding the stack trace you can map each address to the module it belongs to using Frida's ModuleMap

var moduleMap = new ModuleMap();
var backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE); 
return backtrace.map(addr => return moduleMap.get(addr).name).join('\n\t');

Then you still miss the method name, I don't know how to get it in such a situation.

回复收藏 0 原文

~没有更多了~