tampermonkey VS frida

This extension makes use of JS computed property names to perform user specified dynamic actions on user specified elements.

I started working on an extension primarily for my own very specific use case. I knew of Tampermonkey and it's relatives before, but hadn't used it extensively. I also was following the news of MV3, so wasn't sure of their long term viability. But more than anything having recently got into frontend development I also just wanted to build an extension myself, getting to understand the newer limitation and alternatives was just a bonus point.

Literally a couple of days ago I got to know (From HN nonetheless https://news.ycombinator.com/item?id=38526277) that userscripts are going to be allowed in MV3 too, so I finally decided to actually check out ViolentMonkey, which is pretty neat, but from the looks of it would have to migrate to `chrome.userScripts.register` which would eventually require `userScripts` permission and with it would need [developer mode enabled](https://developer.chrome.com/docs/extensions/reference/api/u...). While browsing through the subsequent discussions I saw there were many other alternatives for dynamic script execution, from creating and the dynamic code to `` tags to using `evaljs`, but I wasn't aware of them while building this (see for ex: <a href="https://news.ycombinator.com/item?id=31425256">https://news.ycombinator.com/item?id=31425256</a> and <a href="https://github.com/Tampermonkey/tampermonkey/issues/644#issuecomment-857838249">https://github.com/Tampermonkey/tampermonkey/issues/644#issu...</a>) (and tbf it wan't even my goal to get full JS execution in my extension).<p>Long term my goal was to build a small JSON config for the actions needed and parse and apply them to have the desired behavior. I also was planning on exposing some extension only behavior (like tab functionality) via message passing with service workers (The config could be something like

Do you use "Never Remember History"? There are bug reports about it. Fix is soon to be released.

Yes, I'm having the exact same problem. It was updated on Nov. 30 and I can't find a way to downgrade back to the last version. There's been several issues posted on the tampermonkey github recently but I don't have enough technical knowledge to know if any of those issues applies to this problem. And just like you, I can't even see my scripts to move them to a different script manager.

I have no damn idea why Tampermonkey, which as very best I can tell is closed source <https://github.com/Tampermonkey/tampermonkey/blob/master/REA...>, is on the "blessed" Firefox for Android list when Violentmonkey <https://github.com/violentmonkey/violentmonkey#readme> is MIT, although I readily admit doesn't it have a "politically correct" name

I use it a lot and it used to be on github until version 2.9. I guess I could use that but wondering if there are some other nice selfhosted versions where I can easily modify my Chrome webpages that I should consider.

I want to chime on that as it's worth noting that Tampermonkey is no longer open source. I mean it's like that for years - its GitHub repo clearly stands it's just an archive version and commits there date back to 2018. Here's one of the first posts when author went proprietary license and started gaining data (with his comment btw) and technically there's also Security section in FAQ and full Privacy Policy. Also FWIK website is the only place you get info about changes - highlighting that to stop looking for insights on GitHub.

If you can't the answers you're looking for in the Tampermonkey FAQ, you can ask them in the official Tampermonkey support forum.

Tampermonkey devs have implemented it but didn't release it yet and Violentmonkey devs don't want to implement it, so I guess I'm not fixing this issue anytime soon.

Specific case: uBlock Origin seems to block TamperMonkey from either injecting or running my userscript. (See https://github.com/Tampermonkey/tampermonkey/issues/1709 ) I was thinking it might be one of the above rules but I can't really get much out of the logger, and trying to disable those rules doesn't work. Does anyone have an idea on how to progress?

https://github.com/Tampermonkey/tampermonkey/blob/master/COP...

this says GPL so unless they update their license file here, this stays

Frida, uff this is just AMAZING, yes with uppercase and in bold letters. They also has bindings on different languages that can be found in their github repository. Spoiler alert...the Go binding it's pure shit...really couldn't run it. Use just the default that it's installed with pip install frida-tools.

A great framework for doing something along those lines is Frida (https://github.com/frida/frida). Works on a bunch of stuff, including Android and iOS. Some global-ish certificate pinning bypasses work through Frida, by patching http libraries to not raise exceptions, accept system certificates, etc and just quietly hum along instead. Certificate unpinning in turn enables network MITM with mitmproxy, which makes it a lot quicker and easier to inspect, block, or modify network traffic.

Funnily enough, I've seen much stronger obfuscation from reverse engineering from my cheap Tuya IoT devices app than from my bank app.

Install Frida from Github :- https://github.com/frida/frida

// see: https://github.com/frida/frida/issues/382

If anyone needs a "monkey" not for web pages but for any process on your computer system, may I recommend Frida:

https://frida.re

https://github.com/frida/frida

With Frida, you write JavaScript programs and inject them into arbitrary processes, to hook and modify and call whatever you please.

It gets a lot of use in the reverse engineering and vulnerability research communities, but has broader scope too. For instance, I used it recently to automate the UI of a video production program on Windows, by injecting a thread that sends window messages to the main message loop and hooks into various system dialog functions.

var android_log_write = new NativeFunction( Module.getExportByName(null, '__android_log_write'), 'int', ['int', 'pointer', 'pointer'] ); var tag = Memory.allocUtf8String("[frida-sript][ax]"); var work = function() { setTimeout(function() { android_log_write(3, tag, Memory.allocUtf8String("ping @ " + Date.now())); work(); }, 1000); } work(); // console.log does not seems to work. see: https://github.com/frida/frida/issues/382 console.log("console.log"); console.error("console.error"); console.warn("WARN"); android_log_write(3, tag, Memory.allocUtf8String(">--(O.o)-<)");

Go to https://github.com/frida/frida/releases and download the latest frida-server--android-arm64.xz. Extract it and run adb push frida-server--android-arm64 /sdcard/frida-server

It sounds like a kind of black magic:

> ...It’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.

> ...Frida’s core is written in C and injects QuickJS into the target processes, where your JS gets executed with full access to memory, hooking functions and even calling native functions inside the process.

> There’s a bi-directional communication channel that is used to talk between your app and the JS running inside the target process.

Here's a description of the architecture:

https://frida.re/docs/hacking/

And the source:

https://github.com/frida/frida

---

Apparently using "wxWindows Library Licence, Version 3.1":

> This is essentially the LGPL, with an exception stating that derived works in binary form may be distributed on the user's own terms. This is a solution that satisfies those who wish to produce GPL'ed software using Frida, and also those producing proprietary software.

https://github.com/frida/frida/blob/master/COPYING