Injected library lifecycle management?

[ajwerner]

How does one detect when an injected library has exited? Looking at the implementation of the injector, it seems like upon exit, at least in theory, the code will deallocate the memory in the target that it allocated.

In practice I never see the code run even though the library does exit. Also, there's not a way as far as I can tell to wait for or detect the state of the injected library. All you're handed is an JD that seems like it can only be used with demonitor (which is not a clear concept to me).

I think I'd want some way to wait for the library to exit and be deallocated.

It's possible that this is a request for new APIs in frida-core. It seems to me that the Vala API has an uninjwcted signal, but I don't know how to use that.

[s1341]

what do you mean by "library exited"? Do you mean when the library is unloaded?

[ajwerner]

what do you mean by "library exited"? Do you mean when the library is unloaded?

I suppose yes, though what I really mean is when the injected loader "agent" exits. I'd love to have better terminology. Imagine I use inject_library_file_sync and that library does not touch stay_resident. frida-core's loader will call dlclose and then send bye back on the control socket. At that point, if frida stays running, the loader will get cleaned up (see https://github.com/frida/frida-core/blob/31188db39a7c9ae24f640a34b3fdf701f4a93bb3/src/linux/frida-helper-backend.vala#L367-L385)

I want some way to synchronize shutdown of frida in my code with these agents being unloaded. I can't figure out what APIs to use to do that.

[hsorbo]

Generally you can use frida_script_load / frida_script_unload. And while it's loaded you can call rpc-methods (WIP in rust).

[ajwerner]

Generally you can use frida_script_load / frida_script_unload. And while it's loaded you can call rpc-methods (WIP in rust).

I think you're talking about something quite different from what I'm talking about. You're talking about the script APIs in Frida where the javascript runtime stays loaded. I'm talking about the lower-level library injection APIs.

[oleavr]

what do you mean by "library exited"? Do you mean when the library is unloaded?

I suppose yes, though what I really mean is when the injected loader "agent" exits. I'd love to have better terminology. Imagine I use inject_library_file_sync and that library does not touch stay_resident. frida-core's loader will call dlclose and then send bye back on the control socket. At that point, if frida stays running, the loader will get cleaned up (see https://github.com/frida/frida-core/blob/31188db39a7c9ae24f640a34b3fdf701f4a93bb3/src/linux/frida-helper-backend.vala#L367-L385)

I want some way to synchronize shutdown of frida in my code with these agents being unloaded. I can't figure out what APIs to use to do that.

What you're looking for is frida-core/lib/pipe -- we should expose this in the Rust bindings.

[ajwerner]

What you're looking for is frida-core/lib/pipe -- we should expose this in the Rust bindings.

Can you say more about how I'd use that if it were exposed? These pipe APIs seem to be about connecting to the injected agent. Let me know if I'm misunderstanding.

As it stands, I'm not using lib anywhere in my "agent" library. I have IPC between the injected library and the injector/control plane set up independently of frida. I can detect when my agent thinks it has exited. What I can't figure out is how to wait until Frida has actually unloaded the loader it injected into the target. If I just add a sleep for a second after my library exits, that works well enough, but is not a very robust solution.

---

I have a follow-up goal to figure out how to recover from a case where the injector process crashes, and still to be able to clean-up the injected state. I've avoided talking about this goal up to this point because it feels certain that it'll need more code/APIs.