android: Handle correctly the CMC GC strategy

Fixes frida#323.
matbrik · Jul 16, 2024 · 1cf98b7 · 1cf98b7
1 parent 0dd9041
commit 1cf98b7
Showing 1 changed file with 20 additions and 12 deletions.
diff --git a/lib/android.js b/lib/android.js
@@ -645,7 +645,7 @@ function _getArtRuntimeSpec (api) {
         const threadListOffset = internTableOffset - pointerSize;
 
         let heapOffset;
-        if (apiLevel >= 34) {
+        if (Module.findExportByName("libart.so", '_ZN3art7AppInfo29GetPrimaryApkReferenceProfileEv') !== null) {//with apex updates apiLevel!=libart version
           heapOffset = threadListOffset - (9 * pointerSize);
         } else if (apiLevel >= 24) {
           heapOffset = threadListOffset - (8 * pointerSize);
@@ -1807,6 +1807,9 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       Gc: {
         copyingPhase: {
           onLeave: cm.on_leave_gc_concurrent_copying_copying_phase
+        },
+        runFlip: {
+          onEnter: cm.on_leave_gc_concurrent_copying_copying_phase
         }
       }
     }
@@ -1885,18 +1888,23 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   const apiLevel = getAndroidApiLevel();
 
   let exportName = null;
-  if (apiLevel > 28) {
-    exportName = '_ZN3art2gc9collector17ConcurrentCopying12CopyingPhaseEv';
-  } else if (apiLevel > 22) {
-    exportName = '_ZN3art2gc9collector17ConcurrentCopying12MarkingPhaseEv';
-  }
-
-  if (exportName !== null) {
-    Interceptor.attach(Module.getExportByName('libart.so', exportName), artController.hooks.Gc.copyingPhase);
+  const api = getApi();
+  const kCollectorTypeCMC = 3;
+  let mayUseCollector = new NativeFunction(Module.findExportByName('libart.so', "_ZNK3art2gc4Heap15MayUseCollectorENS0_13CollectorTypeE"), "int", ["pointer", "int"])
+
+  if (mayUseCollector !== null && mayUseCollector(api.artHeap, 3)) {
+    console.log("hooking runflip");
+    exportName = '_ZN3art6Thread15RunFlipFunctionEPS0_b';
+    Interceptor.attach(Module.getExportByName('libart.so', exportName), artController.hooks.Gc.runFlip);
+  } else {
+    if (apiLevel > 28) {
+      exportName = '_ZN3art2gc9collector17ConcurrentCopying12CopyingPhaseEv';
+    } else if (apiLevel > 22) {
+      exportName = '_ZN3art2gc9collector17ConcurrentCopying12MarkingPhaseEv';
+    }
 
-    const collectorCMC = Module.findExportByName('libart.so', '_ZN3art2gc9collector11MarkCompact15CompactionPhaseEv');
-    if (collectorCMC !== null) {
-      Interceptor.attach(collectorCMC, artController.hooks.Gc.copyingPhase);
+    if (exportName !== null) {
+      Interceptor.attach(Module.getExportByName('libart.so', exportName), artController.hooks.Gc.copyingPhase);
     }
   }
 }