From 8786e5447822b7f27f2fe174145d9bb8c21e149f Mon Sep 17 00:00:00 2001
From: Iddo
Date: Mon, 23 Apr 2018 19:06:53 +0300
Subject: [PATCH] get stack trace for native invokes TODO add peek gif & docs
---
 check_for_native_calls.py | 83 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 check_for_native_calls.py
diff --git a/check_for_native_calls.py b/check_for_native_calls.py
new file mode 100644
index 0000000..61f3dfd
--- /dev/null
+++ b/check_for_native_calls.py
@@ -0,0 +1,83 @@
+# Check for native library calls and return a stacktrace
+import sys
+import frida
+from pprint import pprint
+
+
+def on_message(m, _data):
+ if m['type'] == 'send':
+ print(m['payload'])
+ else:
+ if m['type'] == 'error':
+ pprint(m)
+ exit(2)
+
+
+jscode = """
+Java.perform(function() {
+
+ var SystemDef = Java.use('java.lang.System');
+
+ var RuntimeDef = Java.use('java.lang.Runtime');
+
+ var exceptionClass = Java.use('java.lang.Exception');
+
+ var SystemLoad_1 = SystemDef.load.overload('java.lang.String');
+
+ var SystemLoad_2 = SystemDef.loadLibrary.overload('java.lang.String');
+
+ var RuntimeLoad_1 = RuntimeDef.load.overload('java.lang.String');
+
+ var RuntimeLoad_2 = RuntimeDef.loadLibrary.overload('java.lang.String');
+
+ var ThreadDef = Java.use('java.lang.Thread');
+
+ var ThreadObj = ThreadDef.$new();
+
+ SystemLoad_1.implementation = function(library) {
+ send("[1] Loading dynamic library => " + library);
+ stackTrace();
+ return SystemLoad_1.call(this, library);
+ }
+
+ SystemLoad_2.implementation = function(library) {
+ send("[2] Loading dynamic library => " + library);
+ stackTrace();
+ SystemLoad_2.call(this, library);
+ return;
+ }
+
+ RuntimeLoad_1.implementation = function(library) {
+ send("[3] Loading dynamic library => " + library);
+ stackTrace();
+ RuntimeLoad_1.call(this, library);
+ return;
+ }
+
+ RuntimeLoad_2.implementation = function(library) {
+ send("[4] Loading dynamic library => " + library);
+ stackTrace();
+ RuntimeLoad_2.call(this, library);
+ return;
+ }
+
+ function stackTrace() {
+ var stack = ThreadObj.currentThread().getStackTrace();
+ for (var i = 0; i < stack.length; i++) {
+ send(i + " => " + stack[i].toString());
+ }
+ send("--------------------------------------------------------------------------");
+ }
+
+});
+"""
+APP = 'com.app'
+device = frida.get_usb_device()
+pid = device.spawn([APP])
+session = device.attach(pid)
+script = session.create_script(jscode)
+print("[*] Intercepting 
[{}]".format(pid))
+script.on('message', on_message)
+script.load()
+device.resume(APP)
+sys.stdin.read()
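Review bot: `exit(2)` in on_message is the `site`-installed helper rather than `sys.exit`, and it runs inside Frida's message callback; the resulting SystemExit is most likely raised on the dispatcher thread and not on the main thread blocked in `sys.stdin.read()`, so a script error gets printed but the process keeps running, and any message type other than `send`/`error` is dropped silently. Signal the main thread instead (a `threading.Event` set in the callback and waited on after resume, which needs `import threading` at the top), detach the session in a `finally`, and resume by `pid` rather than the package name — `device.resume(pid)` does not rely on name-to-pid resolution for the freshly spawned process. `APP = 'com.app'` is a placeholder every user has to edit; reading it from `sys.argv[1]` with a usage line would make the script runnable as committed. In the JS, `exceptionClass` is unused, and `ThreadDef.$new()` allocates a Thread only to reach the static `currentThread()`, which should be callable on the class wrapper directly — worth confirming against the Frida version in use.
```python
stop = threading.Event()


def on_message(m, _data):
    if m['type'] == 'send':
        print(m['payload'])
    elif m['type'] == 'error':
        pprint(m)
        stop.set()  # runs on Frida's callback thread; let main exit
    else:
        pprint(m)  # do not drop unknown message types silently

# … unchanged: jscode, device/session/script setup …
device.resume(pid)
try:
    stop.wait()  # returns on the first script error; Ctrl-C also lands here
finally:
    session.detach()
sys.exit(2 if stop.is_set() else 0)
```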