Cross-platform instrumentation and introspection library written in C.

This library is consumed by frida-core through its JavaScript bindings, GumJS.

Provides:

• Instrumentation core

  • Inline hooking: Interceptor
  • Stealthy code tracing: Stalker
  • Memory monitoring: MemoryAccessMonitor

• Cross-platform introspection

  • Running threads and other process state
  • Loaded modules, including their:
    • Imports
    • Exports
    • Symbols
  • Memory scanning
  • DebugSymbol lookups
  • Backtracer implementations
  • Kernel state (iOS only for now)

• Out-of-process dynamic linker for i/macOS: Gum.Darwin.Mapper

• Code generation:

  • X86Writer
  • ArmWriter
  • ThumbWriter
  • Arm64Writer
  • MipsWriter

• Code relocation:

  • X86Relocator
  • ArmRelocator
  • ThumbRelocator
  • Arm64Relocator
  • MipsRelocator

• Helper libraries for developers needing highly granular:

  • Heap allocation tracking and leak checking.
  • Profiling with worst-case inspector callback.

Builds can be configured with the configure script. configure.bat is available for Windows users.

./configure --enable-gumpp --enable-gumjs --enable-tests
make

Run configure with --help to see all options.

Tests are built with make test and run with ./build/tests/gum-tests. You can specify a test path with -p to run a specific test or group of tests.

Test paths follow the pattern /<Area>/<Module>/<test_name> where the area/module come from TESTENTRY macros in the fixture files (e.g. TESTENTRY_WITH_FIXTURE("Core/Interceptor", ...)).

./build/tests/gum-tests
./build/tests/gum-tests -p /Core/Interceptor/attach_one

Download a devkit for statically linking into your own projects from the Frida releases page.