Frida - hook native method failure on android-Q

I have a sample app, which has an int add(int a, int b) in a native library.

I use the code below to hook the add method:

#!/usr/bin/env python3

import frida
import sys

package_name = "com.sample.hello"
apiname = "add"

def get_messages_from_js(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    else:
        print(message)

def instrument_debugger_checks():
    hook_code = """
Interceptor.attach(Module.findExportByName(null, "%s"), {
    onEnter: function(args) {
        console.log("onEnter...");
        //send (Memory.readUtf8String (args [1]));     
    },
    onLeave: function(args) {
        console.log("onLeave...");
    }
});
"""%(apiname)
    return hook_code

process = frida.get_usb_device().attach(package_name)
script = process.create_script(instrument_debugger_checks())
script.on('message',get_messages_from_js)
script.load()
sys.stdin.read()

I use the command below to get the function names from the .so:

$ nm -D libnative2.so |grep add

0000000000082504 T _ZNSt6__ndk114__shared_count12__add_sharedEv
0000000000082574 T _ZNSt6__ndk119__shared_weak_count10__add_weakEv
000000000008255c T _ZNSt6__ndk119__shared_weak_count12__add_sharedEv
0000000000042d8c T add

I have tried all these names; the result is the same.

But when I run it, I get the error below:

{'type': 'error', 'description': 'Error: expected a pointer', 'stack': 'Error: expected a pointer\n    at frida/runtime/core.js:387\n    at /script1.js:9', 'fileName': 'frida/runtime/core.js', 'lineNumber': 387, 'columnNumber': 1}

What's wrong with my code?



Solution 1:[1]

Looks like you have an issue with timing. Try the following Frida script:

Java.perform(function() {
    const System = Java.use("java.lang.System");
    const Runtime = Java.use("java.lang.Runtime");
    const SystemLoad_2 = System.loadLibrary.overload("java.lang.String");
    const VMStack = Java.use("dalvik.system.VMStack");

    SystemLoad_2.implementation = function(library) {
        console.log("Loading dynamic library => " + library);
        try {
            const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);
            if (library.includes("native2")) {
                // here your hook
                // (the library is loaded at this point, so the export can be resolved;
                // "%s" is the export-name placeholder from the question's Python wrapper)
                Interceptor.attach(Module.findExportByName("libnative2.so", "%s"), {
                    onEnter: function(args) {
                        console.log("onEnter...");
                        //send (Memory.readUtf8String (args [1]));
                    },
                    onLeave: function(args) {
                        console.log("onLeave...");
                    }
                });
            }
            return loaded;
        } catch(ex) {
            console.log(ex);
        }
    };
});
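
A null-guarded variant of the attach step, as an added example that is not part of the original question or answer: Module.findExportByName returns null while libnative2.so is not loaded yet, so this checks the result and retries instead of handing null to Interceptor.attach. The function names and the api and schedule parameters are assumptions introduced here so the same logic can also be exercised with stubs outside Frida.

```javascript
// Added example, not from the original post. Under Frida, pass
// { Module, Interceptor } as `api`; `api` and `schedule` are hypothetical
// seams that let the logic run against stubs as well.

// Attach only if the export resolves. findExportByName returns null when the
// library is not loaded (or the name is not exported); passing that null on
// to Interceptor.attach is what raises "expected a pointer".
function tryAttach(api, moduleName, exportName, callbacks) {
    const target = api.Module.findExportByName(moduleName, exportName);
    if (target === null) {
        return false;
    }
    api.Interceptor.attach(target, callbacks);
    return true;
}

// Retry until the library shows up or the attempt budget is spent.
// Returns a state object that is updated as attempts run.
function attachWhenLoaded(api, moduleName, exportName, callbacks, opts) {
    const o = Object.assign({ intervalMs: 100, maxTries: 50 }, opts);
    const schedule = o.schedule || setTimeout; // setTimeout exists in Frida's runtime
    const state = { attached: false, gaveUp: false, tries: 0 };
    function attempt() {
        state.tries += 1;
        if (tryAttach(api, moduleName, exportName, callbacks)) {
            state.attached = true;
        } else if (state.tries >= o.maxTries) {
            state.gaveUp = true;
            console.log("gave up: " + exportName + " not found in " + moduleName);
        } else {
            schedule(attempt, o.intervalMs);
        }
    }
    attempt();
    return state;
}

// Usage under Frida, with the names from the question (int add(int a, int b)):
// attachWhenLoaded({ Module, Interceptor }, "libnative2.so", "add", {
//     onEnter(args) { console.log("add(" + args[0].toInt32() + ", " + args[1].toInt32() + ")"); },
//     onLeave(retval) { console.log("=> " + retval.toInt32()); }
// });
```

Polling is a simpler alternative to hooking System.loadLibrary as the answer does; the answer's approach attaches at the moment the library is loaded, while polling can miss calls made before the next retry.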

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 FireBall