
Frida not hooking function in private process

Frida client v.12.11.11 on Ubuntu 18.06

Frida Server v12.11.17 on Android Studio emulator (Android 9.0 Google X86_ARM)

I am trying to hook the onCreate method of a subclass that implements a service running in a private process. This is the manifest declaration:

<service android:enabled="true" android:name="my_subclass_to_hook" android:process=":my_process" />

In order to perform the hook I followed the example reported here: https://www.programmersought.com/article/97331588304/

I'm able to detect when the process is being called since the spawn_added event is correctly working inside the jscode code. But the hooking implementation function is not being called.

I am sure that the original function is being called since I can see the logcat prints.

Can anyone help me please? I've been stuck for weeks on this issue. Am I missing anything, or is there an alternative way to achieve this?

Following is the Python code I am using. As I said I am able to catch when the service process "my_app_package:my_process" is created since the jscode is correctly called and I can see the "Script called..." print. Problem is that the hooked function my_subclass_to_hook.onCreate is not being attached since I cannot see the "Hooked!!" print. By the way I am sure that the function my_subclass_to_hook.onCreate is being called since I can see the prints in the logcat. Hoping this can clarify my problem:

import codecs
import frida
import time
import sys
import threading
 
 
device = frida.get_device_manager().enumerate_devices()[-1]
print(device)
  
pending = []
sessions = []
scripts = []
event = threading.Event()
 
# Frida agent (JavaScript) that gets injected into the service process.
jscode = """

console.log("Script called...");

Java.perform(function x() {

    var my_class = Java.use("my_subclass_to_hook");

    my_class.onCreate.implementation = function (a) {
        console.log("Hooked!!");
        var ret_value = this.onCreate(a);
        return ret_value;
    };
});
"""
 
def on_spawned(spawn):
    print('on_spawned:', spawn)
    pending.append(spawn)
    event.set()
 
def spawn_added(spawn):
    print('spawn_added:', spawn)
    event.set()
    if(spawn.identifier.startswith('my_app_package:my_process')):        
        session = device.attach(spawn.pid) 
        script = session.create_script(jscode)
        script.on('message', on_message)
        script.load()
        device.resume(spawn.pid)
        print('Resumed')

        
def spawn_removed(spawn):
    print('spawn_removed:', spawn)
    event.set()
 
# Script message callback: Frida passes (message, data).
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

def child_added(spawn):
    print('child_added:', spawn)

device.on('spawn-added', spawn_added)
device.on('spawn-removed', spawn_removed)
device.on('child-added', child_added)
device.on('child-removed', on_spawned)
device.on('process-crashed', on_spawned)
device.on('output', on_spawned)
device.on('uninjected', on_spawned)
device.on('lost', on_spawned)
device.enable_spawn_gating()
event = threading.Event()
print('Enabled spawn gating')
 
pid = device.spawn(["my_app_package"])
  
session = device.attach(pid)
device.resume(pid)
sys.stdin.read()

Thanks

You're missing the overload.

my_class.onCreate.implementation = function (a) {

}


should be

my_class.onCreate.overload('android.os.Bundle').implementation = function (bundle)
{
 .....
}

That's a very jank way of calling a frida script. You should have a sleep(1) between the script.load() and script.resume()
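The answer above selects a single overload by its parameter type. A more general approach, shown here as an added example that is not code from the question, the answers, or the Frida project, is to enumerate every overload of the method through Frida's `.overloads` property and hook each one, reporting the signature with `send()` so the Python `on_message` handler (which only prints messages of type `send`) receives it. The class and method names `my_subclass_to_hook` and `onCreate` come from the question; `installHooks` and `signatureOf` are names chosen for this example, and `Java` is passed in as a parameter so the hook-installation logic can be exercised outside a Frida session with a stand-in object.

```javascript
// Added example: hook every overload of one Java method so the hook is not
// silently missed because the wrong overload was chosen. In a Frida agent the
// global `Java` and `send` are provided by the runtime; `installHooks` takes
// `Java` as a parameter so the same logic can also run against a stand-in.

function signatureOf(overload) {
  // Frida overload objects expose parameter types as argumentTypes[].className.
  const types = overload.argumentTypes.map(function (t) { return t.className; });
  return '(' + types.join(', ') + ')';
}

// Installs a hook on each overload of className.methodName and returns the
// list of fully qualified signatures that were hooked.
function installHooks(Java, className, methodName, onCall) {
  const installed = [];
  Java.perform(function () {
    const cls = Java.use(className);
    const method = cls[methodName];
    if (!method) {
      throw new Error(className + ' has no method named ' + methodName);
    }
    method.overloads.forEach(function (overload) {
      const sig = className + '.' + methodName + signatureOf(overload);
      overload.implementation = function () {
        // Report the call, then invoke the original so the app keeps working.
        onCall(sig, Array.prototype.slice.call(arguments));
        return overload.apply(this, arguments);
      };
      installed.push(sig);
    });
  });
  return installed;
}

// Only inside a real Frida agent do `Java` and `send` exist; `send` delivers a
// message of type 'send' to the Python side, where on_message prints it.
if (typeof Java !== 'undefined') {
  installHooks(Java, 'my_subclass_to_hook', 'onCreate', function (sig, args) {
    send({ hooked: sig, argc: args.length });
  });
}
```

Hooking all overloads sidesteps the silent failure the question describes: when only one overload is hooked and the app calls another, nothing is logged. The returned signature list also shows the exact parameter list of each overload, which is useful to inspect before narrowing the hook down to a single one.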
