Node.js Inject: How to Conduct and Why to Use

Today, I would like to show you how to execute custom JS code in another Node.js process and to get a proper result. These are relatively simple code examples, which demonstrate basic ideas of native code calls with the help of framework. Frida Frida Framework Frida by itself already has an example of code injection for Node.js, but it seems that it is a bit outdated and could work only with a certain Node.js version – . It uses V8 to execute a JS string. I have updated the code to Node.js v8.16.0 x64, but I will not elaborate on injection details here. You can easily find out more , so instead, let’s go to the injected code. GUIDE embed code via the following link At first, let’s see, which Frida code we will use (you can get more details ). here – it finds C exported function by its name. There is one little caveat – so-called . In short, when we are trying to investigate C++ compiled code, we could see a lot of names like ?GetCurrent@Isolate@v8@@SAPEAV12@XZ. First of our points is to find all required function names in a disassembler like IDA or OllyDbg and to get the memory address of it. Module.findExportByName “mangled names” – this function is used to define in-js bindings for a native function. Here, we need to describe correct arguments count and return values to call these functions later. NativeFunction(POINTER, RETURN_VALUE, ARGUMENTS) – a code that will be executed after a native function call. NativeCallback is used to monitor specified pointer and the callback when it gets garbage-collected or on Frida detach. WeakRef.bind – allocates N bytes in memory and returns pointer for this memory region. Memory.alloc(N) Concepts and Functions Used Here, I want to define some concepts that I am going to use: represents an isolated instance of the engine. V8 isolates have completely separate states. Objects from one isolate cannot be used in another isolate. When V8 is initialized, a default isolate is implicitly created and entered. The embedder can create additional isolates and use them in parallel in multiple threads. An isolate can be entered by at most one thread at any given point in time. The Locker/Unlocker API must be used to synchronize. In short, it is a kind of sandbox, which contains its own states. Isolate V8 stands for a sandboxed execution context with its own set of built-in objects and functions. Context is a stack-allocated class, which governs a number of local handles. After a handle scope has been created, all local handles will be allocated within that handle scope until either the handle scope is deleted or another handle scope is created. If there is already a handle scope and a new one is created, all allocations will take place in the new handle scope until it is deleted. After that, new handles will again be allocated in the original handle scope. After the handle scope of a local handle has been deleted, the garbage collector will no longer track the object stored in the handle and may deallocate it. The behavior of accessing a handle for which the handle scope has been deleted is undefined. HandleScope stands for a compiled JavaScript script. Script is a JS string value. String is a superclass of all JavaScript values and objects. Value Next, I describe the functions of libuv that we will use – a lib that allows using an async, event-driven style of programming: – initializes handle, specifies the callback that will be executed inside the event loop; uv_async_init – takes default event loop; uv_default_loop – calls the callback; uv_async_send – destroys the object created; uv_unref – requests handle to be closed. uv_close We will also use some V8 functions (formatted as real method name --> name of binded js function). In particular: – takes the instance of a current Isolate. V8::Isolate::GetCurrent(v8_Isolate_GetCurrent) – gets context from the current Isolate. V8::Isolate::GetCurrentContext(v8_Isolate_GetCurrentContext) – enters this context. After entering a context, all code compiled and run is compiled and run in this context. If another context is already entered, this old context is saved so it can be restored when the new context is exited. V8::Context::Enter(v8_Context_Enter) – initializes HandleScope. V8::HandleScope::Init(v8_HandleScope_init) – gets JS string from const char *. V8::String::NewFromUtf8(v8_String_NewFromUtf8) – compiles the specified script (bound to current context). V8::Script::Compile(v8_Script_Compile) – runs the script returning the resulting value. If the script is context-independent (created using ::New), it will be run in the currently entered context. If it is context-specific (created using ::Compile), it will be run in the context in which it was compiled. V8::Script::Run(v8_Script_Run) – gets C int from JS value. Value has a lot of functions for different types. v8::Value::Int32Value(v8_Value_Int32Value) Code Listing So, let’s check the code now: { createFunc = { _ptr = Module.findExportByName( , name); NativeFunction(_ptr, retval, args); } uv_default_loop = createFunc( , , []); uv_async_init = createFunc( , , [ , , ]); uv_async_send = createFunc( , , [ ]); uv_unref = createFunc( , , [ ]); v8_Isolate_GetCurrent = createFunc( , , []); v8_Isolate_GetCurrentContext = createFunc( , , [ , ]); v8_Context_Enter = createFunc( , , [ ]); v8_HandleScope_init = createFunc( , , [ , ]); v8_String_NewFromUtf8 = createFunc( , , [ , , , , ]); v8_Script_Compile = createFunc( , , [ , , , ]); v8_Script_Run = createFunc( , , [ , ]); v8_Value_Int32Value = createFunc( , , [ ]); scriptToExecute = ; processPending = NativeCallback( { isolate = v8_Isolate_GetCurrent(); scope = Memory.alloc( ); v8_HandleScope_init(scope, isolate); opts = Memory.alloc( ); context = v8_Isolate_GetCurrentContext(isolate, opts); item = scriptToExecute; unkMem = Memory.alloc( ); source = v8_String_NewFromUtf8(unkMem, isolate, Memory.allocUtf8String(item), , ); script = v8_Script_Compile(context, Memory.readPointer(context), source, NULL); result = v8_Script_Run(Memory.readPointer(context), context); intResult = v8_Value_Int32Value(Memory.readPointer(result)); .log( , intResult); }, , [ ]); onClose = NativeCallback( { }, , [ ]); = Memory.alloc( ); uv_async_init(uv_default_loop(), , processPending); uv_async_send( ); uv_unref( ); } (ex) { .log( , ex); } try const ( ) => name, retval, args const null return new const 'uv_default_loop' 'pointer' const 'uv_async_init' 'int' 'pointer' 'pointer' 'pointer' const 'uv_async_send' 'int' 'pointer' const 'uv_unref' 'void' 'pointer' const '?GetCurrent@Isolate@v8@@SAPEAV12@XZ' 'pointer' const '?GetCurrentContext@Isolate@v8@@QEAA?AV?$Local@VContext@v8@@@2@XZ' 'pointer' 'pointer' 'pointer' const '?Enter@Context@v8@@QEAAXXZ' 'pointer' 'pointer' const '??0HandleScope@v8@@QEAA@PEAVIsolate@1@@Z' 'void' 'pointer' 'pointer' const '?NewFromUtf8@String@v8@@SA?AV?$MaybeLocal@VString@v8@@@2@PEAVIsolate@2@PEBDW4NewStringType@2@H@Z' 'pointer' 'pointer' 'pointer' 'pointer' 'int' 'int' const '?Compile@ScriptCompiler@v8@@SA?AV?$MaybeLocal@VScript@v8@@@2@V?$Local@VContext@v8@@@2@PEAVSource@12@W4CompileOptions@12@@Z' 'pointer' 'pointer' 'pointer' 'pointer' 'pointer' const '?Run@Script@v8@@QEAA?AV?$Local@VValue@v8@@@2@XZ' 'pointer' 'pointer' 'pointer' const '?Int32Value@Value@v8@@QEBAHXZ' 'int64' 'pointer' const `((a, b)=>{ console.log("Hello from Frida", a, b); return a+b; })(5, 17)` const new ( ) function const const 128 const 128 const const const 128 const 0 -1 const const const console 'Result' 'void' 'pointer' const new ( ) function 'void' 'pointer' const async 24 async async async catch console "Injected code execution error" Code Explained is a helper that is used to create JS bind with a specified signature to reuse later. createFunc All of the calls like are required to define JS bindings to native functions. const uv_default_loop = createFunc('uv_default_loop', 'pointer', []) is our injected code. scriptToExecute We define , then bind to the default event loop, then “wake up” that event loop for a callback call. uv async handler processPending Inside the callback, we receive an Isolate instance, initialize new , and take current context. HandleScope Then, we convert the JS string to V8 string, compile, and run it. After all, we just extract C value from the script execution result. int The Use of Node.js Inject That is a relatively simple example of how we can inject and run custom code inside a target Node.js process. It is not just about hacking. Instead, this concept allows us to write some kind of run-time plugins for Node.js, which will help to improve something specific, something that we cannot change without recompiling. Thanks to Anton Trofimov for helping with the article and sharing his software development expertise.

Node.js Inject: How to Conduct and Why to Use

Too Long; Didn't Read

Companies Mentioned

@maxim.savonin

RELATED STORIES