Frida:使用 Stalker 跟踪 JVM(JNI)时出现访问违规崩溃


我正在尝试用 Frida 跟踪(stalk)一个使用 JNI 的最小 Java 程序,但在 JVM 关闭时总是遇到访问违规(access violation)崩溃。此外,只有把 Stalker.trustThreshold 设为 -1 时,我才能成功跟踪 JVM 进程(即使用 -Xint 禁用了 JIT 也是如此)。如果把 Stalker.trustThreshold 设为 -1 以外的任何值,JVM 不会崩溃,但 Stalker 不会覆盖到我的自定义 JNI 库 native.dll 中的任何基本块(见下文)。

这是我的Java程序:

// Main.java
/**
 * Minimal JNI host used to exercise Frida's Stalker on a JVM process.
 *
 * <p>The static initializer loads {@code native.dll} (resolved through
 * {@code java.library.path}); {@link #main} then waits long enough for an
 * external tool to attach before invoking the native method once.
 */
public class Main {
    static {
        // "native" is mapped to native.dll on Windows and looked up on java.library.path.
        System.loadLibrary("native");
    }

    /** Implemented in Main.cpp as {@code Java_Main_sayHello}. */
    private native void sayHello();

    /**
     * Entry point: sleeps 20 s so a tracer can attach, then calls the native method.
     *
     * @param args ignored
     * @throws Exception if the sleep is interrupted
     */
    public static void main(String[] args) throws Exception {
        final long attachWindowMillis = 20_000L;
        Thread.sleep(attachWindowMillis);
        final Main app = new Main();
        app.sayHello();
    }
}
// Main.cpp
#include "Main.h"
#include <iostream>
#include <fstream>
#include <windows.h>

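// Writes a marker file and prints the calling thread id, so a tracer can
// correlate the native call with the thread it ran on.
//
// The file is created relative to the process's current working directory
// (for this sample, the directory the JVM was started from).
void sayHello() {
    {
        // RAII: the stream is flushed and closed when `file` leaves this scope,
        // so no explicit close() is needed and the file is closed before the
        // thread id is reported, as in the original ordering.
        std::ofstream file("output.tmp");
        if (!file) {
            // Previously a failed open went unnoticed; report it instead of
            // silently writing to a bad stream.
            std::cerr << "sayHello: could not open output.tmp\n";
        } else {
            file << "Hello World\n";
        }
    }
    std::cout << "Current Thread id = " << GetCurrentThreadId() << "\n";
}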

// JNI bridge for Main.sayHello(): the JVM resolves this symbol from native.dll
// after System.loadLibrary("native") and calls it with the JNIEnv and the
// receiver object. Neither is used here; the work is delegated to sayHello().
JNIEXPORT void JNICALL Java_Main_sayHello(JNIEnv *env, jobject self) {
    (void)env;
    (void)self;
    sayHello();
}
# Compile native library (Windows)
# Note: `#` is not a comment marker for cmd.exe; these lines are annotations,
# so run each command on its own. /LD builds a DLL, /EHsc selects the C++
# exception model, and the linker's /DEBUG emits a PDB next to native.dll
# (it carries symbol names for the tracer; omit it for a release build).
cl.exe /LD /EHsc /I "%JAVA_HOME%\include" /I "%JAVA_HOME%\include\win32" Main.cpp /link /DLL /DEBUG /OUT:native.dll

# Compile Java code
javac Main.java

# Run program
# java.library.path is set to the current directory so System.loadLibrary("native")
# finds native.dll there; %cd% must therefore be the directory holding both
# native.dll and Main.class (the -cp . entry).
java -cp . -Djava.library.path=%cd% Main

我的frida脚本看起来如下:

# frida-agent.py
import sys
import frida

def on_message(message, data):
    """Print every message the agent sends; the binary payload *data* is ignored."""
    print(message)

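def _resolve_pid(device, target: str) -> int:
    """Return the PID of the process matching *target* (a PID string or a process name).

    The first process whose PID string or name equals *target* wins, which is
    the original lookup; if several processes share a name the choice is
    arbitrary, so pass a PID in that case.

    Raises:
        SystemExit: when no process matches (message on stderr, exit status 1).
    """
    for proc in device.enumerate_processes():
        if target in (str(proc.pid), proc.name):
            return proc.pid
    sys.exit(f"No process matching {target!r} found")


def main():
    """Attach Frida to the process named on the command line and stalk all its threads.

    Usage: ``frida-agent.py <pid-or-process-name>``

    Coverage messages sent by the embedded agent are printed by ``on_message``.
    The session stays open until stdin reaches EOF; the script is then unloaded
    and the session detached explicitly rather than exiting with it open.
    """
    if len(sys.argv) < 2:
        sys.exit("usage: frida-agent.py <pid-or-process-name>")

    device = frida.get_local_device()
    # Previously a missing match fell through to attach(-1); resolve or exit.
    pid = _resolve_pid(device, sys.argv[1])
    session = device.attach(pid)
    print("Attaching to PID=" + str(pid))

    script = session.create_script(
        """
Stalker.trustThreshold = -1;
const moduleMap = new ModuleMap();
moduleMap.update();

const createCoverageMap = (events) => {
    moduleMap.update();
    const coverageMap = {};
    for (const event of events) {
        const [start, _] = event;
        const pStart = new NativePointer(start);
        const module = moduleMap.find(pStart);
        if (module) {
            const offset = pStart.sub(module.base).toInt32();
            if (!(module.path in coverageMap)) {
                coverageMap[module.path] = 0;
            }
            coverageMap[module.path] += 1;
        }
    }
    return coverageMap;
};

const stalkThread = (threadId) => {
    Stalker.follow(threadId, {
        events: {
            call: false,
            ret: false,
            exec: false,
            block: false,
            compile: true,
        },
        onReceive: function (events) {
            const bbEvents = Stalker.parse(events, {stringify: false, annotate: false});
            send({coverage: createCoverageMap(bbEvents)});
        }
    });
} 

const currentThreads = Process.enumerateThreads();
for (const thread of currentThreads) {
    console.log("Stalking thread: " + thread.id);
    stalkThread(thread.id);
}
"""
    )
    # Register the handler before load(): the agent starts following threads
    # and may send() coverage as soon as it runs, and anything emitted before
    # a handler is attached would be lost.
    script.on("message", on_message)
    script.load()
    try:
        sys.stdin.read()  # block until EOF (Ctrl-Z / Ctrl-D)
    finally:
        # Tear down in order instead of exiting with the session still open.
        # NOTE(review): the agent never calls Stalker.unfollow()/Stalker.flush()
        # for the threads it follows; unloading while threads are still stalked
        # may be related to the shutdown crash — confirm against the Frida docs.
        script.unload()
        session.detach()
    sys.exit(0)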

if __name__ == "__main__":
    # Script entry point; importing this module must not attach to anything.
    main()

用 python frida-agent.py 8232 附加后,生成的输出是:

Current Thread id = 9632
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000287f70dae25, pid=8232, tid=0x00000000000025a0
#
# JRE version: OpenJDK Runtime Environment (8.0_292-b10) (build 1.8.0_292-b10)
# Java VM: OpenJDK 64-Bit Server VM (25.292-b10 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# C  0x00000287f70dae25
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\workspace\simple-jni-app\hs_err_pid8232.log
#
# If you would like to submit a bug report, please visit:
#   https://github.com/AdoptOpenJDK/openjdk-support/issues
#

您是否知道 (1) 如何防止 JVM 崩溃,以及 (2) 如何把 Stalker.trustThreshold 设为 -1 以外的值,同时仍然覆盖到 native.dll 中的基本块?

帮助非常感谢!谢谢!

I'm trying to stalk a minimal Java program that uses JNI with Frida, but I always run into access violation crashes when the JVM is shut down.
Furthermore, I only seem to ever be able to successfully stalk a JVM process (even if JIT is disabled with -Xint), if Stalker.trustThreshold is set to -1.
If I set the Stalker.trustThreshold to anything other than -1, the JVM does not crash, but the stalker does not cover any BBs from my custom JNI library native.dll (see below).

Here's my Java program:

// Main.java
/**
 * Minimal JNI host used to exercise Frida's Stalker on a JVM process.
 *
 * <p>The static initializer loads {@code native.dll} (resolved through
 * {@code java.library.path}); {@link #main} then waits long enough for an
 * external tool to attach before invoking the native method once.
 */
public class Main {
    static {
        // "native" is mapped to native.dll on Windows and looked up on java.library.path.
        System.loadLibrary("native");
    }

    /** Implemented in Main.cpp as {@code Java_Main_sayHello}. */
    private native void sayHello();

    /**
     * Entry point: sleeps 20 s so a tracer can attach, then calls the native method.
     *
     * @param args ignored
     * @throws Exception if the sleep is interrupted
     */
    public static void main(String[] args) throws Exception {
        final long attachWindowMillis = 20_000L;
        Thread.sleep(attachWindowMillis);
        final Main app = new Main();
        app.sayHello();
    }
}
// Main.cpp
#include "Main.h"
#include <iostream>
#include <fstream>
#include <windows.h>

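// Writes a marker file and prints the calling thread id, so a tracer can
// correlate the native call with the thread it ran on.
//
// The file is created relative to the process's current working directory
// (for this sample, the directory the JVM was started from).
void sayHello() {
    {
        // RAII: the stream is flushed and closed when `file` leaves this scope,
        // so no explicit close() is needed and the file is closed before the
        // thread id is reported, as in the original ordering.
        std::ofstream file("output.tmp");
        if (!file) {
            // Previously a failed open went unnoticed; report it instead of
            // silently writing to a bad stream.
            std::cerr << "sayHello: could not open output.tmp\n";
        } else {
            file << "Hello World\n";
        }
    }
    std::cout << "Current Thread id = " << GetCurrentThreadId() << "\n";
}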

// JNI bridge for Main.sayHello(): the JVM resolves this symbol from native.dll
// after System.loadLibrary("native") and calls it with the JNIEnv and the
// receiver object. Neither is used here; the work is delegated to sayHello().
JNIEXPORT void JNICALL Java_Main_sayHello(JNIEnv *env, jobject self) {
    (void)env;
    (void)self;
    sayHello();
}
# Compile native library (Windows)
# Note: `#` is not a comment marker for cmd.exe; these lines are annotations,
# so run each command on its own. /LD builds a DLL, /EHsc selects the C++
# exception model, and the linker's /DEBUG emits a PDB next to native.dll
# (it carries symbol names for the tracer; omit it for a release build).
cl.exe /LD /EHsc /I "%JAVA_HOME%\include" /I "%JAVA_HOME%\include\win32" Main.cpp /link /DLL /DEBUG /OUT:native.dll

# Compile Java code
javac Main.java

# Run program
# java.library.path is set to the current directory so System.loadLibrary("native")
# finds native.dll there; %cd% must therefore be the directory holding both
# native.dll and Main.class (the -cp . entry).
java -cp . -Djava.library.path=%cd% Main

My frida script looks as follows:

# frida-agent.py
import sys
import frida

def on_message(message, data):
    """Print every message the agent sends; the binary payload *data* is ignored."""
    print(message)

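def _resolve_pid(device, target: str) -> int:
    """Return the PID of the process matching *target* (a PID string or a process name).

    The first process whose PID string or name equals *target* wins, which is
    the original lookup; if several processes share a name the choice is
    arbitrary, so pass a PID in that case.

    Raises:
        SystemExit: when no process matches (message on stderr, exit status 1).
    """
    for proc in device.enumerate_processes():
        if target in (str(proc.pid), proc.name):
            return proc.pid
    sys.exit(f"No process matching {target!r} found")


def main():
    """Attach Frida to the process named on the command line and stalk all its threads.

    Usage: ``frida-agent.py <pid-or-process-name>``

    Coverage messages sent by the embedded agent are printed by ``on_message``.
    The session stays open until stdin reaches EOF; the script is then unloaded
    and the session detached explicitly rather than exiting with it open.
    """
    if len(sys.argv) < 2:
        sys.exit("usage: frida-agent.py <pid-or-process-name>")

    device = frida.get_local_device()
    # Previously a missing match fell through to attach(-1); resolve or exit.
    pid = _resolve_pid(device, sys.argv[1])
    session = device.attach(pid)
    print("Attaching to PID=" + str(pid))

    script = session.create_script(
        """
Stalker.trustThreshold = -1;
const moduleMap = new ModuleMap();
moduleMap.update();

const createCoverageMap = (events) => {
    moduleMap.update();
    const coverageMap = {};
    for (const event of events) {
        const [start, _] = event;
        const pStart = new NativePointer(start);
        const module = moduleMap.find(pStart);
        if (module) {
            const offset = pStart.sub(module.base).toInt32();
            if (!(module.path in coverageMap)) {
                coverageMap[module.path] = 0;
            }
            coverageMap[module.path] += 1;
        }
    }
    return coverageMap;
};

const stalkThread = (threadId) => {
    Stalker.follow(threadId, {
        events: {
            call: false,
            ret: false,
            exec: false,
            block: false,
            compile: true,
        },
        onReceive: function (events) {
            const bbEvents = Stalker.parse(events, {stringify: false, annotate: false});
            send({coverage: createCoverageMap(bbEvents)});
        }
    });
} 

const currentThreads = Process.enumerateThreads();
for (const thread of currentThreads) {
    console.log("Stalking thread: " + thread.id);
    stalkThread(thread.id);
}
"""
    )
    # Register the handler before load(): the agent starts following threads
    # and may send() coverage as soon as it runs, and anything emitted before
    # a handler is attached would be lost.
    script.on("message", on_message)
    script.load()
    try:
        sys.stdin.read()  # block until EOF (Ctrl-Z / Ctrl-D)
    finally:
        # Tear down in order instead of exiting with the session still open.
        # NOTE(review): the agent never calls Stalker.unfollow()/Stalker.flush()
        # for the threads it follows; unloading while threads are still stalked
        # may be related to the shutdown crash — confirm against the Frida docs.
        script.unload()
        session.detach()
    sys.exit(0)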

if __name__ == "__main__":
    # Script entry point; importing this module must not attach to anything.
    main()

When attaching with python frida-agent.py 8232 the generated output is:

Current Thread id = 9632
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000287f70dae25, pid=8232, tid=0x00000000000025a0
#
# JRE version: OpenJDK Runtime Environment (8.0_292-b10) (build 1.8.0_292-b10)
# Java VM: OpenJDK 64-Bit Server VM (25.292-b10 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# C  0x00000287f70dae25
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\workspace\simple-jni-app\hs_err_pid8232.log
#
# If you would like to submit a bug report, please visit:
#   https://github.com/AdoptOpenJDK/openjdk-support/issues
#

Do you have any idea on (1) how to prevent the JVM from crashing and (2) how to set Stalker.trustThreshold to anything other than -1 and still cover BBs from native.dll?

Help is very much appreciated! Thanks!
