Java

Java.available:

a boolean specifying whether the current process has the a Java VM loaded, i.e. Dalvik or ART. Do not invoke any other Java properties or methods unless this is the case.

Java.enumerateLoadedClasses(callbacks)

enumerate classes loaded right now, where callbacks is an object specifying:
onMatch: function (className): called for each loaded class with className that may be passed to use() to get a JavaScript wrapper.

onComplete: function (): called when all classes have been enumerated.

Java.enumerateLoadedClassesSync(): synchronous version of enumerateLoadedClasses() that returns the class names in an array.

Java.perform(fn): ensure that the current thread is attached to the VM and call fn. (This isn’t necessary in callbacks from Java.)

Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.implementation = function () {
        send("onResume() got called! Let's call the original implementation");
        this.onResume();
    };
});

Java.use(className)

dynamically get a JavaScript wrapper for className that you can instantiate objects from by calling $new() on it to invoke a constructor. Call $dispose() on an instance to clean it up explicitly (or wait for the JavaScript object to get garbage-collected, or script to get unloaded). Static and non-static methods are available, and you can even replace a method implementation and throw an exception from it:

Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    var Exception = Java.use("java.lang.Exception");
    Activity.onResume.implementation = function () {
        throw Exception.$new("Oh noes!");
    };
});

Java.scheduleOnMainThread(fn):

run fn on the main thread of the VM.

Java.choose(className, callbacks):

enumerate live instances of the className class by scanning the Java heap, where callbacks is an object specifying:

onMatch: function (instance): called once for each live instance found with a ready-to-use instance just as if you would have called Java.cast() with a raw handle to this particular instance.

This function may return the string stop to cancel the enumeration early.

onComplete: function (): called when all instances have been enumerated

Java.cast(handle, klass):

create a JavaScript wrapper given the existing instance at handle of given class klass (as returned from Java.use()). Such a wrapper also has a class property for getting a wrapper for its class, and a $className property for getting a string representation of its class-name.

var Activity = Java.use("android.app.Activity");
var activity = Java.cast(ptr("0x1234"), Activity);

WeakRef

WeakRef.bind(value, fn): monitor value and call the fn callback as soon as value has been garbage-collected, or the script is about to get unloaded. Returns an id that you can pass to WeakRef.unbind() for explicit cleanup.
This API is useful if you’re building a language-binding, where you need to free native resources when a JS value is no longer needed.
WeakRef.unbind(id): stop monitoring the value passed to WeakRef.bind(value, fn), and call the fn callback immediately.

Frida JAVA API 文档