Revive multi-instance support

There could be more than one script using frida-java, so we cannot
assume that:

A) We know of all the hooked methods.
B) GetOatQuickMethodHeader() hasn't already been replaced.

The challenge with A) is that ArtMethod doesn't have any unused bits we
can use to tag the patched instances.

We mitigate A) by detecting the entrypoint of Frida's libffi closures,
which is going to be the same assuming agent and gadget aren't loaded at
the same time and both using frida-java.

For now we gracefully handle B) by assuming that the first script stays
around for as long as the other scripts depending on this. It's not ideal,
but it will have to do for now.

Author: oleavr

lib/android.js

@@ -44,7 +44,6 @@ const artThreadStateTransitions = {};
 let cachedApi = null;
 let thunkPage = null;
 let thunkOffset = 0;
-const hookedArtMethods = new Set();
 let taughtArtAboutHookedMethods = false;
 let jdwpSession = null;
 let socketpair = null;
@@ -1075,14 +1074,19 @@ function makeThunk (size, write) {
 }
 
 function notifyArtMethodHooked (method) {
-  hookedArtMethods.add(method.toString());
-
   ensureArtKnowsHowToHandleHookedMethods();
 }
 
-function notifyArtMethodReverted (method) {
-  hookedArtMethods.delete(method.toString());
-}
+const LIBFFI_CLOSURE_MAGIC_X64 = uint64('0xfffffffff9158d4c');
+const LIBFFI_CLOSURE_MAGIC_ARM = uint64('0xe51ff004e24fc008');
+const LIBFFI_CLOSURE_MAGIC_ARM64 = uint64('0x10fffff158000090');
+
+const libffiClosureEntrypointParsers = {
+  ia32: parseLibffiClosureEntrypointForIA32,
+  x64: parseLibffiClosureEntrypointForX64,
+  arm: parseLibffiClosureEntrypointForArm,
+  arm64: parseLibffiClosureEntrypointForArm64,
+};
 
 const goqmhFilterFuncGenerators = {
   ia32: makeGoqmhFilterFuncForIA32,
@@ -1098,6 +1102,8 @@ function ensureArtKnowsHowToHandleHookedMethods () {
   taughtArtAboutHookedMethods = true;
 
   const api = getApi();
+  const methodOffsets = getArtMethodSpec(api.vm).offset;
+  const jniCodeOffset = methodOffsets.jniCode;
 
   const getOatQuickMethodHeaderImpl = Module.findExportByName('libart.so',
       (pointerSize === 4)
@@ -1111,21 +1117,72 @@ function ensureArtKnowsHowToHandleHookedMethods () {
 
   const original = new NativeFunction(getOatQuickMethodHeaderImpl, ...signature);
 
+  const arch = Process.arch;
+  const parseClosure = libffiClosureEntrypointParsers[arch];
+  const fridaLibffiClosureEntrypoint = parseClosure(new NativeCallback(() => {}, 'void', []));
+
   const replacement = new NativeCallback(function (method, pc) {
-    const isHookedMethod = hookedArtMethods.has(method.toString());
+    const jniImpl = method.add(jniCodeOffset).readPointer();
+    const entrypoint = parseClosure(jniImpl);
+    const isHookedMethod = entrypoint.equals(fridaLibffiClosureEntrypoint);
     if (isHookedMethod) {
       return NULL;
     }
 
     return original(method, pc);
   }, ...signature);
 
-  const generateFilterFunc = goqmhFilterFuncGenerators[Process.arch];
-  const filter = generateFilterFunc(original, replacement, getArtMethodSpec(api.vm).offset.quickCode,
+  const generateFilterFunc = goqmhFilterFuncGenerators[arch];
+  const filter = generateFilterFunc(original, replacement, methodOffsets.quickCode,
       api.artQuickGenericJniTrampoline);
   filter._replacement = replacement;
 
-  Interceptor.replace(original, filter);
+  try {
+    Interceptor.replace(original, filter);
+  } catch (e) {
+    /*
+     * Already replaced by another script. For now we count on the other script
+     * not getting unloaded before ours.
+     */
+  }
+}
+
+function parseLibffiClosureEntrypointForIA32 (closure) {
+  if (closure.readU8() !== 0xb8 || closure.add(5).readU8() !== 0xe9) {
+    return NULL;
+  }
+
+  const offset = closure.add(6).readS32();
+
+  return closure.add(10).add(offset);
+}
+
+function parseLibffiClosureEntrypointForX64 (closure) {
+  if (!closure.readU64().equals(LIBFFI_CLOSURE_MAGIC_X64)) {
+    return NULL;
+  }
+
+  if (closure.add(8).readU8() !== 0x25 || closure.add(9).readS32() !== 3) {
+    return NULL;
+  }
+
+  return closure.add(16).readPointer();
+}
+
+function parseLibffiClosureEntrypointForArm (closure) {
+  if (!closure.readU64().equals(LIBFFI_CLOSURE_MAGIC_ARM)) {
+    return NULL;
+  }
+
+  return closure.add(8).readPointer();
+}
+
+function parseLibffiClosureEntrypointForArm64 (closure) {
+  if (!closure.readU64().equals(LIBFFI_CLOSURE_MAGIC_ARM64)) {
+    return NULL;
+  }
+
+  return closure.add(16).readPointer();
 }
 
 function makeGoqmhFilterFuncForIA32 (original, replacement, quickCodeOffset, quickJniTrampoline) {
@@ -2366,7 +2423,6 @@ module.exports = {
   ArtStackVisitor,
   ArtMethod,
   notifyArtMethodHooked,
-  notifyArtMethodReverted,
   cloneArtMethod,
   HandleVector,
   deoptimizeEverything

lib/class-factory.js

@@ -10,7 +10,6 @@ const {
   getArtThreadSpec,
   withRunnableArtThread,
   notifyArtMethodHooked,
-  notifyArtMethodReverted,
   cloneArtMethod,
   HandleVector
 } = require('./android');