

Frida API Advanced: Instrumentation

2020-11-07 16:17 Author: 無情劍客Burning

Baidu's explanation of instrumentation is:

I feel the Chinese rendering always misses something, so I keep the original term untranslated. Instrumentation in Frida mainly covers the following:

This article covers the parts not discussed earlier: Stalker, WeakRef and ObjC.

Stalker

Introduction

Stalker is Frida’s code tracing engine. It allows threads to be followed, capturing every function, every block, even every instruction which is executed.

具體內(nèi)容,后續(xù)在講解Frida工作原理的時候會詳細講解。由于Stalker功能過于強大,在高級篇部分會重點講解。高級篇內(nèi)容均是付費內(nèi)容,大家有興趣歡迎訂閱支持。

API

  • Stalker.exclude(range): marks the specified memory range as excluded, which is an object with base and size properties – like the properties in an object returned by e.g. Process.getModuleByName(). Useful to improve performance and reduce noise.

  • Stalker.follow([threadId, options]): start stalking threadId (or the current thread if omitted), optionally with options for enabling events.

  • Stalker.flush(): flush out any buffered events. Useful when you don’t want to wait until the next Stalker.queueDrainInterval tick.

  • Stalker.garbageCollect(): free accumulated memory at a safe point after Stalker#unfollow. This is needed to avoid race-conditions where the thread just unfollowed is executing its last instructions.

  • Stalker.addCallProbe(address, callback[, data]): call callback (see Interceptor#attach#onEnter for signature) synchronously when a call is made to address. Returns an id that can be passed to Stalker#removeCallProbe later. It is also possible to implement callback in C using CModule.

  • Stalker.removeCallProbe: remove a call probe added by Stalker#addCallProbe.

  • Stalker.trustThreshold: an integer specifying how many times a piece of code needs to be executed before it is assumed it can be trusted to not mutate. Specify -1 for no trust (slow), 0 to trust code from the get-go, and N to trust code after it has been executed N times. Defaults to 1.

  • Stalker.queueCapacity: an integer specifying the capacity of the event queue in number of events. Defaults to 16384 events.

  • Stalker.queueDrainInterval: an integer specifying the time in milliseconds between each time the event queue is drained. Defaults to 250 ms, which means that the event queue is drained four times per second. You may also set this property to zero to disable periodic draining, and instead call Stalker.flush() when you would like the queue to be drained.

Tracing CPU instructions in real time

This traces CPU instructions as they execute; how to modify the instruction stream will be covered in the advanced part.

```javascript
"use strict";

console.log("Hello world");

// Follow the first enumerated thread (on the test target this is the main thread)
const mainThread = Process.enumerateThreads()[0];

Stalker.follow(mainThread.id, {
  events: {
    call: true,     // CALL instructions: yes please

    // Other events:
    ret: false,     // RET instructions
    exec: false,    // all instructions: not recommended as it's a lot of data
    block: false,   // block executed: coarse execution trace
    compile: false  // block compiled: useful for coverage
  },
  onReceive: function (events) {
    // events is a binary buffer; Stalker.parse() turns it into an array of event tuples
    var parsedEvent = Stalker.parse(events);
    //console.log("buring" + parsedEvent);
  },
  transform: function (iterator) {
    // Called for every basic block before it is compiled; each instruction must be
    // kept (or replaced) or it disappears from the instrumented copy
    let instruction = iterator.next();
    do {
      console.log("instruction:" + instruction);
      iterator.keep();
    } while ((instruction = iterator.next()) !== null);
  }
});
```

Run the script above (on Windows 10) with `frida -l hello.js Calculator.exe`. The result is shown below: every step of execution produces the corresponding instruction output. Reading it requires some familiarity with assembly.
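The script above leaves the `onReceive` side commented out, so the parsed events are never used. The following added example (my code, not from the original post) fills that gap: a pure helper turns the tuples returned by `Stalker.parse()` into a per-callee call count, and a Frida-only section wires it into `Interceptor.attach` so that a thread is followed only while it is inside one target function, excludes Frida's own agent module via `Stalker.exclude()`, and uses `flush()` and `garbageCollect()` as the API list describes. The target export name (`malloc`), the `frida-agent` module-name prefix and the sample events are assumptions I made for illustration; the sample events are constructed, not captured from a real process.

```javascript
'use strict';

// Added example (not from the original post). Stalker.parse(events) with the
// default annotate: true yields tuples such as ['call', location, target, depth];
// this helper counts how often each call target was hit. It works on Frida
// NativePointer values (String() gives their hex form) and on plain hex strings.
function summarizeCalls(parsedEvents, topN = 10) {
  const counts = new Map();
  for (const ev of parsedEvents) {
    if (ev[0] !== 'call') continue;            // skip ret / exec / block / compile
    const target = String(ev[2]);
    counts.set(target, (counts.get(target) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([target, count]) => ({ target, count }))
    .sort((a, b) => b.count - a.count || a.target.localeCompare(b.target))
    .slice(0, topN);
}

// Constructed sample in the shape Stalker.parse() returns (not captured from a
// real process): three calls to ...1000, one call to ...2000, one ret to skip.
const SAMPLE_EVENTS = [
  ['call', '0x7ff6aabb0010', '0x7ff6aabb1000', 1],
  ['call', '0x7ff6aabb0020', '0x7ff6aabb2000', 1],
  ['ret',  '0x7ff6aabb2040', '0x7ff6aabb0025', 1],
  ['call', '0x7ff6aabb0030', '0x7ff6aabb1000', 1],
  ['call', '0x7ff6aabb1080', '0x7ff6aabb1000', 2],
];

// Frida glue: only runs inside the Frida runtime (Stalker is not a Node global).
// Rather than following the first enumerated thread for the life of the process,
// follow whichever thread enters one target function and stop when it returns.
if (typeof Stalker !== 'undefined') {
  // Assumption: 'malloc' is exported by some loaded module (libc, ucrtbase, ...).
  // Substitute the function you actually want to profile.
  const TARGET_EXPORT = 'malloc';
  const target = Module.findExportByName(null, TARGET_EXPORT);
  if (target === null) throw new Error(TARGET_EXPORT + ' not found');

  // Keep Frida's own agent out of the trace. Assumption: its module name starts
  // with 'frida-agent'; a Module already has the base/size Stalker.exclude() wants.
  const agent = Process.enumerateModules().find(m => m.name.startsWith('frida-agent'));
  if (agent !== undefined) Stalker.exclude(agent);

  const totals = new Map();      // callee address -> cumulative call count
  const followed = new Set();    // thread ids currently being stalked

  Interceptor.attach(target, {
    onEnter() {
      // `this` is per invocation, so a nested call on an already followed
      // thread is remembered here and ignored in onLeave.
      if (followed.has(this.threadId)) { this.nested = true; return; }
      followed.add(this.threadId);
      Stalker.follow(this.threadId, {
        events: { call: true },
        onReceive(events) {
          for (const { target: t, count } of summarizeCalls(Stalker.parse(events), Infinity))
            totals.set(t, (totals.get(t) || 0) + count);
        }
      });
    },
    onLeave() {
      if (this.nested) return;
      followed.delete(this.threadId);
      Stalker.unfollow(this.threadId);
      Stalker.flush();           // deliver the last buffered events now, not at the next drain tick
    }
  });

  // Periodically free code compiled for threads unfollowed earlier (a safe point
  // well after unfollow), then print the hottest call targets with symbol names.
  setInterval(() => {
    Stalker.garbageCollect();
    const top = [...totals.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10);
    for (const [t, count] of top) {
      const sym = DebugSymbol.fromAddress(ptr(t));
      console.log(count + '\t' + t + '\t' + (sym.moduleName || '?') + '!' + (sym.name || '?'));
    }
  }, 2000);
}
```

Loading this with `frida -l` gives a ranked list of what the target function calls instead of one line per instruction, which is usually what you want before paying for an `exec` trace. The same `summarizeCalls` helper can be pointed at `Stalker.parse()` output collected with `block: true` by changing the event tag it filters on.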

WeakRef

WeakRef.bind(value, fn): monitor value and call the fn callback as soon as value has been garbage-collected, or the script is about to get unloaded. Returns an id that you can pass to WeakRef.unbind() for explicit cleanup.

This API is useful if you’re building a language-binding, where you need to free native resources when a JS value is no longer needed.

WeakRef.unbind(id): stop monitoring the value passed to WeakRef.bind(value, fn), and call the fn callback immediately.

Note that these are the names from the Frida version current when this was written; from Frida 15 on the same two functions live on the Script object as Script.bindWeak(value, fn) and Script.unbindWeak(id), with unchanged semantics.

關(guān)于引用

強引用和弱引用

  1. JS的垃圾回收機制,如果我們持有對一個對象的引用,那么這個對象就不會被垃圾回收。這里的引用,指的是強引用。

  2. 一個對象若只被弱引用所引用,則被認為是不可訪問(或弱可訪問)的,并因此可能在任何時刻被回收。

JavaScript的WeakMap是弱引用使用的典型。 WeakMap是一組鍵/值對的集合,其中的鍵是弱引用的。其鍵必須是對象,而值可以是任意的。WeakMap是對對象的弱引用。

監(jiān)測引用

本例使用的是WeakMap,成功監(jiān)視到引用對象的變化。即使是強引用,也會被監(jiān)測到。

```javascript
"use strict";

Java.perform(function () {
  const wm = new WeakMap();
  let obj = { b: 2 };
  wm.set(obj, '2');     // wm holds obj only weakly
  obj = null;           // drop the last strong reference to the key
  gc();                 // Frida's global gc(): force a collection so the entry can go away

  // Watch wm itself: fn runs once wm is collected or the script is about to unload
  var id = WeakRef.bind(wm, function () {
    console.log("finish gc");
    WeakRef.unbind(id);
  });
});
```

Run the script; the output is as follows:

ObjC

This is mainly used on Macs and iPhones, so there is not much to say here; let us look directly at a few important APIs.

ObjC.available: a boolean specifying whether the current process has an Objective-C runtime loaded. Do not invoke any other ObjC properties or methods unless this is the case.

ObjC.api: an object mapping function names to NativeFunction instances for direct access to a big portion of the Objective-C runtime API.

ObjC.classes: an object mapping class names to ObjC.Object JavaScript bindings for each of the currently registered classes. You can interact with objects by using dot notation and replacing colons with underscores, i.e.: [NSString stringWithString:@"Hello World"] becomes const { NSString } = ObjC.classes; NSString.stringWithString_("Hello World");. Note the underscore after the method name. Refer to iOS Examples section for more details.

Running ObjC.available on an Android phone returns false; Android obviously has no Objective-C runtime.

寫在最后

Frida API進階到這里基本結(jié)束了。接下來會寫Frida的一些高級用法,更多內(nèi)容,歡迎關(guān)注我的微信公眾號:無情劍客。

