Skip to content

alvarofe/frida-stalker-thread

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
lib
lib
 
 
.gitignore
.gitignore
 
 
.npmignore
.npmignore
 
 
README.md
README.md
 
 
index.ts
index.ts
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Simple module to handle better thread creations when stalking - this only works on arm64 due to https://github.com/frida/frida-gum/commit/82a033066a868e015780c792d77819d54badc4a9. Thanks to that commit, when frida spawn a new thread the child stop being stalked, otherwise it would be stomping on parent's internal state. Therefore, this module intercept pthread_create to detect when new threads are created to stalk them only if the parent was being stalked.

import {PthreadStalker} from "frida-stalker-thread";

const pthreadStalker = PthreadStalker({
  events : {
    call: true
  },
  onReceive(rawEvents) {
    const events = Stalker.parse(rawEvents, {annotate: false}) as StalkerCallEventBare[];
    events.forEach(ev => {
      const location = ev[0] as NativePointer;
      const target = ev[1] as NativePointer;
      if (map.has(location) && map.has(target)) {
      	...
      }
    });
  }
});

function InterceptAndStalk(addr: NativePointer) {
  Interceptor.attach(addr, {
    onEnter(args) {
      pthreadStalker.Follow(this.threadId);
    }
  });
}

InterceptAndStalk(base.add(0x...));

About

Frida module to continue stalking on pthread_create

Resources

Readme
Activity

Stars

19 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages