
[WIP] Compatibility with frida-server #376

Merged
JingMatrix merged 1 commit into master from frida on Aug 1, 2025

Conversation

@JingMatrix (Owner) commented Jul 23, 2025

A running frida-server changes a lot of the Android runtime, and thus ruins the initialization of LSPosed and LSPlant.

In this PR, we aim to solve this problem by avoiding touching the environment modified by Frida during the LSPosed initialization.

@JingMatrix JingMatrix linked an issue Jul 23, 2025 that may be closed by this pull request

@JingMatrix (Owner, Author) commented

The in-memory value of art_quick_to_interpreter_bridge is modified due to Frida, which causes the following error:

[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:365#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found art_quick_to_interpreter_bridge 0x33f5e0 in /apex/com.android.art/lib64/libart.so in symtab by linear lookup
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPlant         ] class_linker.cxx:218: art_quick_to_interpreter_bridge = 0x726ef3f5e0
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art16ScopedSuspendAllC2EPKcb 0x40bb3c in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art16ScopedSuspendAllD2Ev 0x40aba0 in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art2gc23ScopedGCCriticalSectionC2EPNS_6ThreadENS0_7GcCauseENS0_13CollectorTypeE 0x49aa38 in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art2gc23ScopedGCCriticalSectionD2Ev 0x3da714 in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art3jit12JitCodeCache18MoveObsoleteMethodEPNS_9ArtMethodES3_ 0x7daf30 in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:359#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found _ZN3art3jit12JitCodeCache12DoCollectionEPNS_6ThreadE 0x7dbaf0 in /apex/com.android.art/lib64/libart.so in dynsym by gnuhash
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] ----- [DobbyHook:0x726f3dbaf0] -----
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] [trampoline] use [adrp, add, br]
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] [memory allocator] allocate exec memory at: 0x75c12ac08c, size: 0x1c
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] [insn relocate] origin 0x726f3dbaf0 - 12
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] ff0303d1fd7b06a9fc6f07a9
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] [insn relocate] relocated 0x75c12ac08c - 28
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] ff0303d1fd7b06a9fc6f07a95100005820021fd6fcba3d6f72000000
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/Dobby           ] [intercept routing] active
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] elf_util.cpp:337#Elf64_Addr SandHook::ElfImg::PrefixLookupFirst(std::string_view) const: found prefix _ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject of _ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject.__uniq.325793859780145791435928139633802341359 0x859e2c in /apex/com.android.art/lib64/libart.so in symtab by linear lookup
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPlant         ] common.cxx:111: java runtime debuggable false
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 I/LSPosed         ] Hidden API policy is not enforced, skipping workaround.
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] resources_hook.cpp:56#std::string lspd::GetXResourcesClassName(): thT/wP/S/GAx/bPvqsUAtWD/ources
[ 2025-07-23T09:48:13.279    10307: 11215: 11215 D/LSPosed         ] magisk_loader.cpp:187#void lspd::MagiskLoader::OnNativeForkAndSpecializePost(JNIEnv *, jstring, jstring): Done prepare
[ 2025-07-23T09:48:13.280        0:  1514:  1619 D/LSPosedService  ] LSPApplicationService.onTransact: code=1598968902
[ 2025-07-23T09:48:13.284    10307: 11215: 11215 D/LSPosed         ] deoptimizing public android.app.Application android.app.Instrumentation.newApplication(java.lang.ClassLoader,java.lang.String,android.content.Context) throws java.lang.InstantiationException,java.lang.IllegalAccessException,java.lang.ClassNotFoundException: pkg=null, prc=null
[ 2025-07-23T09:48:13.284    10307: 11215: 11215 F/libc            ] Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x726f44e1ec in tid 11215 (m.spotify.music), pid 11215 (m.spotify.music)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Build fingerprint: 'google/oriole_beta/oriole:16/BP31.250610.004.A1/13770421:user/release-keys'
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Kernel Release: '6.1.134-android14-11-ga4b2a2c52a04-ab13615798'
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Revision: 'MP1.0'
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] ABI: 'arm64'
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Timestamp: 2025-07-23 09:48:13.323216985+0200
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Process uptime: 1s
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Executable: /system/bin/app_process64
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Cmdline: zygote64
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] pid: 11215, tid: 11215, name: m.spotify.music  >>> zygote64 <<<
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] uid: 10307
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] esr: 0000000082000006 (Instruction Abort Exception 0x20)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x000000726f44e1ec (read)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] Cause: trying to execute non-executable memory.
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x0  000000006f3bb408  x1  000000726f44e1ec  x2  b4000074592897b0  x3  00000073392de390
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x4  00000072d0f19688  x5  0000007fcfb29b40  x6  00000072d0f45b7c  x7  0000000000000016
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x8  00000072d452ad60  x9  0000000000000000  x10 0000000000000011  x11 0000000000000005
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x12 0000000000000008  x13 0000007fcfb29a50  x14 0000007fcfb2aff8  x15 00000000ebad6a89
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x16 0000000000000001  x17 00000072d44b996c  x18 00000075c1b24000  x19 00000000704c4968
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x20 b400007489297af0  x21 0000000000000001  x22 00000072d0ff1506  x23 0000000000001071
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x24 0000007305293a00  x25 0000007fcfb2b020  x26 0000000010380009  x27 0000000000000024
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     x28 0000007fcfb2af10  x29 0000007fcfb2b04c
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     lr  00000072d44b99cc  sp  0000007fcfb2ae60  pc  000000726f44e1ec  pst 0000000060001000
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]     esr 0000000082000006
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] 47 total frames
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ] backtrace:
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]   NOTE: Function names and BuildId information is missing for some frames due
  NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
  NOTE: found under the lib/ directory are readable.
  NOTE: On this device, run setenforce 0 to make the libraries readable.
  NOTE: Unreadable libraries:
  NOTE:   /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #00 pc 000000000084e1ec  /apex/com.android.art/lib64/libart.so (art::mirror::Class::GetClassDef()+0) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #01 pc 000000000008b9c8  /memfd:jit-cache-zygisk (deleted)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #02 pc 000000000007d4b0  /memfd:jit-cache-zygisk (deleted)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #03 pc 000000000033f500  /apex/com.android.art/lib64/libart.so (art_quick_generic_jni_trampoline+144) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #04 pc 0000000000689588  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #05 pc 00000000000ed506  [anon:dalvik-DEX data] (org.lsposed.lspd.deopt.PrebuiltMethodsDeopter.deoptMethods+194)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #06 pc 0000000000328460  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #07 pc 00000000006795d0  /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall<false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+2088) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #08 pc 00000000005c8690  /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp<false>(art::interpreter::SwitchImplContext*)+1280) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #09 pc 0000000000317a88  /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #10 pc 00000000000ed424  [anon:dalvik-DEX data] (org.lsposed.lspd.deopt.PrebuiltMethodsDeopter.deoptBootMethods+0)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #11 pc 0000000000317488  /apex/com.android.art/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+412) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #12 pc 00000000006795bc  /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall<false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+2068) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #13 pc 00000000005c8690  /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp<false>(art::interpreter::SwitchImplContext*)+1280) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #14 pc 0000000000317a88  /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #15 pc 00000000000ed024  [anon:dalvik-DEX data] (Tla.n.ihcSnxJgYaJz.jB.Startup.initXposed+0)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #16 pc 00000000002d763c  /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.2136077108474055675)+332) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #17 pc 00000000002d6e70  /apex/com.android.art/lib64/libart.so (artQuickToInterpreterBridge+888) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #18 pc 000000000033f638  /apex/com.android.art/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #19 pc 0000000000689588  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #20 pc 00000000000ecf16  [anon:dalvik-DEX data] (Tla.n.ihcSnxJgYaJz.jB.Main.forkCommon+18)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #21 pc 0000000000328460  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #22 pc 0000000000327098  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+800) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #23 pc 000000000062b0fc  /apex/com.android.art/lib64/libart.so (art::JNI<false>::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+156) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #24 pc 000000000006a3d4  /memfd:jit-cache-zygisk (deleted)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #25 pc 000000000005a034  /memfd:jit-cache-zygisk (deleted)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #26 pc 000000000006f8e4  /memfd:jit-cache-zygisk (deleted)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #27 pc 000000000009c944  /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #28 pc 000000000009e704  /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #29 pc 000000000009e9e8  /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #30 pc 000000000009eb84  /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #31 pc 0000000000092874  /data/adb/neozygisk/lib64/libzygisk.so
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #32 pc 0000000000d53eec  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+316)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #33 pc 0000000000689d58  /apex/com.android.art/lib64/libart.so (nterp_helper+2152) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #34 pc 00000000002d5860  /system/framework/framework.jar (offset 0x244f000) (com.android.internal.os.Zygote.specializeAppProcess+0)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #35 pc 0000000000689cd4  /apex/com.android.art/lib64/libart.so (nterp_helper+2020) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #36 pc 00000000002d51f0  /system/framework/framework.jar (offset 0x244f000) (com.android.internal.os.Zygote.childMain+692)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #37 pc 0000000000beac40  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (com.android.internal.os.ZygoteConnection.processCommand+1440)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #38 pc 0000000000bec960  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (com.android.internal.os.ZygoteServer.runSelectLoop+2912)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #39 pc 0000000000bfff04  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (com.android.internal.os.ZygoteInit.main+3124)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #40 pc 0000000000328460  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #41 pc 0000000000327098  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+800) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #42 pc 000000000064a850  /apex/com.android.art/lib64/libart.so (art::JNI<true>::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+156) (BuildId: d57befa204d91d200485ace46c3b8814)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #43 pc 0000000000106988  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+104) (BuildId: 27780475d9c04308e2aa55ba14433b3b)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #44 pc 0000000000131f3c  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+908) (BuildId: 27780475d9c04308e2aa55ba14433b3b)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #45 pc 000000000000259c  /system/bin/app_process64 (main+1212) (BuildId: 7cca38b9f351962abbd731b2a5521f87)
[ 2025-07-23T09:48:13.424    10307: 11234: 11234 F/DEBUG           ]       #46 pc 00000000000696f8  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+120) (BuildId: 8dc8afb9a8c98d2a9ecf47561e4816e1)
[ 2025-07-23T09:48:13.440        0:  1514:  1619 D/LSPosedService  ] ProcessInfo{uid=10307, pid=11215, processName='com.spotify.music', heartBeat=android.os.BinderProxy@a2de03b} is dead

@JingMatrix (Owner, Author) commented

Workaround: Using LSPosed and Frida Simultaneously

1. The Problem: A Conflict of Control

Both LSPosed and Frida are powerful frameworks that function by deeply modifying the Android Runtime (ART) and application processes. When used together on the same application, they compete for control over the same low-level structures, such as method entry points and internal runtime objects.

Our analysis shows that Frida's instrumentation is often more invasive—it may replace core runtime pointers and data structures that LSPosed assumes will be stable. This leads to a fundamental conflict:

  • If Frida modifies the environment first, LSPosed's subsequent initialization will fail because its assumptions about the runtime are violated, often resulting in a crash.
  • If LSPosed initializes first, it establishes a stable, near-stock environment. Frida can then attach to this stable process and apply its more aggressive modifications successfully.

Therefore, the key to compatibility is ensuring the correct initialization order.

2. The Golden Rule: LSPosed First, Frida Second

The core principle of this workaround is to ensure that LSPosed's hooks are applied when an application process is first created, and Frida only attaches to the process after it has been stabilized by LSPosed.

An application process is instrumented by LSPosed at the moment of its creation (the "Zygote fork"). In contrast, frida-server detects running processes and attaches to them after they have already started. If frida-server is running, it will immediately attach to any newly created app process, preempting LSPosed and causing the conflict.

This leads us to the practical workaround.

3. Step-by-Step Instructions

To safely use both frameworks on a target application, you must manually control the initialization order.

Let's assume the target application's package name is <package_name> (e.g., com.android.chrome).

  1. Stop Frida Server: Ensure no instance of frida-server is currently running on your device or emulator. You can guarantee this by running:

    adb shell "su -c killall frida-server &> /dev/null; rm /data/local/tmp/frida-server"
  2. Force-Stop the Target App: Ensure no existing process of the target application is running.

    adb shell am force-stop <package_name>
  3. Launch the Target App: Open the application on your device. This action creates a new process where LSPosed can apply its hooks cleanly without any interference. Keep the app running in the foreground or background.

  4. Start Frida Server: Now that the app process is stable and running with LSPosed, you can safely start frida-server.

    # Push and run your frida-server binary
    adb push frida-server /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/frida-server"
    adb shell "su -c /data/local/tmp/frida-server &"
  5. Attach with Frida: You can now attach Frida to the target application as usual, and both frameworks should coexist.

    frida -U -n <process_name> 
    # e.g., frida -U -n "Chrome"

By following these steps, you ensure the app starts in a "pure" LSPosed environment, which is stable enough to then accept Frida's instrumentation.

4. Important Scenarios and Warnings

  • The LSPosed Manager App: LSPosed hooks always apply to the LSPosed Manager. Therefore, never start the LSPosed Manager app while frida-server is running, as it will immediately crash. Stop frida-server before opening the Manager.

  • Application Scope: If an application is not enabled in any active Xposed module's scope, LSPosed will not modify it at all. You can attach Frida to these apps without following any special steps. The workaround is only necessary for apps that are actively being hooked by LSPosed modules.

  • Process Restarts: If the target app crashes or is killed for any reason while frida-server is still running, its new process will be created in a "hostile" environment (Frida will attach first). You must repeat the steps above (stop Frida, stop the app, start the app, then start Frida) to restore stability.

While the long-term goal is to resolve this incompatibility at the source-code level, this workaround provides a stable and reliable method for using these two powerful tools together.

@JingMatrix (Owner, Author) commented

This PR fixes a critical SIGSEGV crash that only occurs during initialization when LSPosed is injected alongside recent versions of Frida (specifically, after frida/frida-gum@638b782).

A detailed investigation into the crash revealed that the root cause is an incorrect base address resolution for libart.so. Based on extensive logging of /proc/self/maps, we have factually established the following sequence:

  1. When both frameworks are active, a mysterious and transient r--p memory mapping for libart.so is temporarily introduced into the process's address space.
  2. This transient block consistently appears at a lower memory address than the library's authentic, OS-loaded segments.
  3. Our previous parsing logic, which stopped at the first match, would incorrectly identify this transient block as the library's base, leading to the crash.
  4. The fact that this block disappears after the initialization phase is complete confirms it is a temporary side-effect of the co-instrumentation, not a permanent change to the process layout.

To solve this, the parsing logic has been fundamentally improved. The new implementation replaces the fragile "find-first" approach with a robust, structurally-aware heuristic. It first filters all memory segments belonging to the target library and then searches this list for the first r--p entry that is immediately followed by an r-xp entry. This r--p -> r-xp sequence is a reliable signature of a correctly loaded ELF library, allowing our parser to distinguish the real module from the transient artifact. For added safety, it falls back to the first r-xp segment if this specific pattern is not found. This change ensures that LSPosed can reliably determine the correct module base address, resolving the compatibility issue and restoring stable operation in co-instrumented environments.

Resolves a `SIGSEGV` crash that occurs when co-instrumenting with recent versions of Frida.

The root cause was that the previous parsing logic would select the first memory mapping matching the library name. When Frida is active, it can temporarily create a transient, read-only mapping at a lower address than the real library. This would cause our parser to select the wrong base address.

This commit refactors the `findModuleBase` function to be structurally aware. It now filters all mappings for the target library and specifically searches for the pattern of a read-only (`r--p`) segment immediately followed by an executable (`r-xp`) segment. This allows it to correctly identify the real library mapping and ignore transient artifacts from other instrumentation frameworks.
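The base-address heuristic described in the comment and commit message above, as an added example that is not LSPosed's code: a small C++ parser for `/proc/<pid>/maps` with the old first-match lookup beside the structural `r--p` -> `r-xp` version. The maps snapshot is constructed (its addresses are chosen to agree with the offsets in the log above), and the type and function names are my own, not the project's.

```cpp
// Added example, not LSPosed's code: a structurally aware /proc/<pid>/maps
// parser applying the r--p -> r-xp heuristic from the PR, beside the old
// "first match wins" lookup it replaces. Sample maps text is constructed.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct MapEntry {
    uintptr_t start = 0;
    uintptr_t end = 0;
    std::string perms;  // e.g. "r--p", "r-xp", "rw-p"
    std::string path;   // empty for unnamed anonymous mappings
};

// Parse maps text into entries in file order. Each line is:
//   start-end perms offset dev inode [path]
static std::vector<MapEntry> ParseMaps(const std::string& text) {
    std::vector<MapEntry> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string range, perms, offset, dev, inode, rest;
        if (!(ls >> range >> perms >> offset >> dev >> inode)) continue;
        std::getline(ls, rest);  // remainder of the line, possibly empty
        auto dash = range.find('-');
        if (dash == std::string::npos) continue;
        MapEntry e;
        e.start = std::stoull(range.substr(0, dash), nullptr, 16);
        e.end = std::stoull(range.substr(dash + 1), nullptr, 16);
        e.perms = perms;
        auto first = rest.find_first_not_of(' ');
        e.path = first == std::string::npos ? "" : rest.substr(first);
        out.push_back(e);
    }
    return out;
}

// True when the mapping's basename is exactly `name` (e.g. "libart.so").
static bool IsLibrary(const MapEntry& e, const std::string& name) {
    auto slash = e.path.rfind('/');
    return (slash == std::string::npos ? e.path : e.path.substr(slash + 1)) == name;
}

// The fragile lookup: base = start of the first mapping naming the library.
// A transient r--p block at a lower address wins, which is the bug.
uintptr_t FindModuleBaseNaive(const std::string& maps, const std::string& name) {
    for (const auto& e : ParseMaps(maps))
        if (IsLibrary(e, name)) return e.start;
    return 0;
}

// The structural lookup: collect the library's segments and return the first
// r--p segment immediately followed by an r-xp one (headers/rodata, then text,
// the signature of a properly loaded ELF). Fall back to the first r-xp
// segment; return 0 when the library is not mapped at all.
uintptr_t FindModuleBase(const std::string& maps, const std::string& name) {
    std::vector<MapEntry> segs;
    for (const auto& e : ParseMaps(maps))
        if (IsLibrary(e, name)) segs.push_back(e);
    for (size_t i = 0; i + 1 < segs.size(); ++i)
        if (segs[i].perms == "r--p" && segs[i + 1].perms == "r-xp") return segs[i].start;
    for (const auto& e : segs)
        if (e.perms == "r-xp") return e.start;
    return 0;
}

// Constructed snapshot: a stray r--p libart.so block below the real library,
// then the genuine r--p/r-xp/r--p/rw-p set. The real base 0x726ec00000 is
// chosen so that 0x33f5e0 in libart.so maps to 0x726ef3f5e0 as in the log.
const char* const kSampleMaps =
    "7260000000-7260001000 r--p 00000000 00:00 0      /apex/com.android.art/lib64/libart.so\n"
    "726ec00000-726ef00000 r--p 00000000 fd:02 1234   /apex/com.android.art/lib64/libart.so\n"
    "726ef00000-726f500000 r-xp 00300000 fd:02 1234   /apex/com.android.art/lib64/libart.so\n"
    "726f500000-726f540000 r--p 00900000 fd:02 1234   /apex/com.android.art/lib64/libart.so\n"
    "726f540000-726f560000 rw-p 00940000 fd:02 1234   /apex/com.android.art/lib64/libart.so\n"
    "75c12ac000-75c12ad000 rwxp 00000000 00:00 0      [anon:constructed]\n";

int main() {
    std::printf("naive base:      0x%llx\n", (unsigned long long)FindModuleBaseNaive(kSampleMaps, "libart.so"));
    std::printf("structural base: 0x%llx\n", (unsigned long long)FindModuleBase(kSampleMaps, "libart.so"));
    return 0;
}
```

To try it on a live process, feed the contents of `/proc/self/maps` to `FindModuleBase` with the platform's libc name ("libc.so" on Android, "libc.so.6" on glibc).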
@JingMatrix JingMatrix marked this pull request as ready for review August 1, 2025 18:29
@JingMatrix JingMatrix merged commit e75b600 into master Aug 1, 2025
@JingMatrix JingMatrix deleted the frida branch August 1, 2025 19:40

Development

Successfully merging this pull request may close these issues.

Unable to open the LSPosed manager if frida-server is running