Quickly locating native exported system functions when hooking


In the articles I had seen before, hooking functions such as dlsym and dlopen is usually done by first dlopen-ing the linker, locating the target's offset inside it, and then hooking at that address. When tracing an app's behaviour we may also need to hook a large number of functions, in both the Java layer and the native layer. Hooking the Java layer is generally easy, so this post looks at the native layer.

Here is a demo from a friend that hooks entries of the JNIEnv function table:

```c
#include <stddef.h>   // offsetof
#include <jni.h>      // JNINativeInterface

// myHookStruct and HOOKINLINE are the demo's own helper type and macro (not shown here).
// The hard-coded offsets below are 32-bit values (each slot is a 4-byte pointer).
myHookStruct myHookJNI[] =
{
    HOOKINLINE(DefineClass,0x14),
    HOOKINLINE(FindClass,0x18),
    /* This entry has a bug and may fail; cause unknown */
    HOOKINLINE(GetFieldID,0x178),
    HOOKINLINE(GetObjectClass,0x7c),
    //GetMethodID 0x84
    HOOKINLINE(GetMethodID,offsetof(JNINativeInterface,GetMethodID)),
    HOOKINLINE(GetStaticFieldID,0x240),
    HOOKINLINE(GetStaticMethodID,0x1C4),
    HOOKINLINE(DeleteLocalRef,0x5c),
    HOOKINLINE(RegisterNatives,offsetof(JNINativeInterface,RegisterNatives)),
    HOOKINLINE(GetSuperclass,0x28),
    //IsInstanceOf 0x80
    //HOOKINLINE(IsInstanceOf,0x80),
    //NewGlobalRef 0x54
    HOOKINLINE(NewGlobalRef,0x54),
    //NewLocalRef 0x64
    HOOKINLINE(NewLocalRef,0x64),
    //NewObject 0x70
    HOOKINLINE(NewObject,0x70),
    //NewObjectV 0x74
    HOOKINLINE(NewObjectV,0x74),
    //NewObjectA 0x78
    HOOKINLINE(NewObjectA,0x78),
    HOOKINLINE(AllocObject,0x6c),
    HOOKINLINE(CallObjectMethodV,0x8c),
    //NewString 0x28c
    HOOKINLINE(NewString,0x28c)
};
```

As you can see, the address of every function is computed as env plus an offset. That offset can change with the system version or the ROM, so the approach is not portable. From past coding experience we know that the address of an ordinary (directly callable) function can be obtained simply from its name. So can the same be done for the members of a struct like this one? The answer is yes: the JNI function table is exposed as env->functions, so the compiler computes each member's offset for us.

Here is my example:

```cpp
#include <dlfcn.h>      // dlsym, dlopen
#include <jni.h>        // JNIEnv, JNINativeInterface
#include <substrate.h>  // MSHookFunction (Cydia Substrate)

// new_* / my* are the replacement functions and old* the saved originals; they are
// defined elsewhere with the same signatures as the functions they replace.

    // Exported functions: the symbol itself gives the address, no offset needed.
    MSHookFunction((void *) dlsym, (void *) new_dlsym, (void **) &old_dlsym);
    MSHookFunction((void *) dlopen, (void *) new_dlopen, (void **) &old_dlopen);
    // JNI functions: read the real addresses straight out of the env function table.
    const struct JNINativeInterface* anInterface = env->functions;
    MSHookFunction((void *) anInterface->FindClass,
                   (void *) &myFindClass, (void **) &oldFindClass);
    MSHookFunction((void *) anInterface->GetStaticMethodID,
                   (void *) &myGetStaticMethodID, (void **) &oldGetStaticMethodID);
    MSHookFunction((void *) anInterface->GetFieldID,
                   (void *) &myGetFieldID, (void **) &oldGetFieldID);
    MSHookFunction((void *) anInterface->GetStaticFieldID,
                   (void *) &myGetStaticFieldID, (void **) &oldGetStaticFieldID);
    MSHookFunction((void *) anInterface->GetMethodID,
                   (void *) &myGetMethodID, (void **) &oldGetMethodID);
    MSHookFunction((void *) anInterface->CallObjectMethodV,
                   (void *) &myCallObjectMethodV, (void **) &oldCallObjectMethodV);
```

The code is very simple and there is no need to worry about offsets at all, which saves a great deal of time.
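To make the portability point concrete, here is an added example (not code from the post or from either hooking library) that builds without any Android headers. It uses a constructed stand-in for the first members of JNINativeInterface, in the same order as jni.h (four reserved pointers, then GetVersion, DefineClass, FindClass, ...), and resolves FindClass both ways: reading a pointer at the demo's hard-coded offset 0x18, and reading the named member. The demo's offsets are slot index times 4 (DefineClass is slot 5, FindClass slot 6, GetSuperclass slot 10), so 0x18 is right only where pointers are 4 bytes; on a 64-bit build the same offset lands on reserved3. The fake_* functions and the MockJNIEnv type are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the leading members of JNINativeInterface, in jni.h order
 * (four reserved pointers, then GetVersion, DefineClass, FindClass, ...).
 * Constructed here so the program builds and runs without jni.h. */
typedef struct {
    void *reserved0, *reserved1, *reserved2, *reserved3;
    int32_t (*GetVersion)(void *env);
    void *(*DefineClass)(void *env, const char *name, void *loader,
                         const int8_t *buf, int32_t len);
    void *(*FindClass)(void *env, const char *name);
    void *(*FromReflectedMethod)(void *env, void *method);
} MockJNINativeInterface;

/* A JNIEnv is a pointer to the function table; model only that (assumption). */
typedef struct {
    const MockJNINativeInterface *functions;
} MockJNIEnv;

/* Dummy VM implementations (constructed) so each slot holds a distinct address. */
static int32_t fake_GetVersion(void *env) { (void)env; return 0x00010006; }
static void *fake_DefineClass(void *env, const char *name, void *loader,
                              const int8_t *buf, int32_t len) {
    (void)env; (void)name; (void)loader; (void)buf; (void)len;
    return NULL;
}
static void *fake_FindClass(void *env, const char *name) {
    (void)env;
    return (void *)name;   /* echo the name back as a pretend jclass */
}
static void *fake_FromReflectedMethod(void *env, void *method) {
    (void)env;
    return method;
}

static const MockJNINativeInterface g_table = {
    NULL, NULL, NULL, NULL,
    fake_GetVersion, fake_DefineClass, fake_FindClass, fake_FromReflectedMethod,
};

/* Approach 1 (the demo's): treat the table as raw bytes and read the pointer
 * stored at a hard-coded offset. Correct only if the offset matches this
 * build's pointer size and table layout. */
void *resolve_by_offset(const MockJNIEnv *env, size_t off) {
    const unsigned char *base = (const unsigned char *)env->functions;
    void *fn;
    memcpy(&fn, base + off, sizeof fn);
    return fn;
}

/* Approach 2 (the post's): read the named member; the compiler computes the
 * slot offset for whatever pointer size the binary is built with. */
void *resolve_findclass_by_member(const MockJNIEnv *env) {
    return (void *)env->functions->FindClass;
}

/* Slot index of a table member: every slot is exactly one pointer wide. */
size_t jni_slot_index(size_t member_offset) {
    return member_offset / sizeof(void *);
}

/* 1 when the demo's 32-bit value 0x18 really lands on FindClass in this build. */
int demo_offset_0x18_is_findclass(void) {
    MockJNIEnv env = { &g_table };
    return resolve_by_offset(&env, 0x18) == (void *)fake_FindClass;
}

/* 1 when member access finds FindClass; this holds on every build. */
int member_access_is_findclass(void) {
    MockJNIEnv env = { &g_table };
    return resolve_findclass_by_member(&env) == (void *)fake_FindClass;
}

int main(void) {
    printf("pointer size: %zu bytes\n", sizeof(void *));
    printf("FindClass slot index: %zu (offset 0x%zx)\n",
           jni_slot_index(offsetof(MockJNINativeInterface, FindClass)),
           offsetof(MockJNINativeInterface, FindClass));
    printf("hard-coded 0x18 hits FindClass: %s\n",
           demo_offset_0x18_is_findclass() ? "yes" : "no");
    printf("env->functions->FindClass hits FindClass: %s\n",
           member_access_is_findclass() ? "yes" : "no");
    return 0;
}
```

Run it once as a 32-bit build and once as a 64-bit build: the member-based resolver reports the right slot both times, while the hard-coded 0x18 is right only in the 32-bit case, which is exactly why a table of numeric offsets breaks across ROMs and ABIs.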

3 responses to “Quickly locating native exported system functions when hooking”

  1. 道长 says:

    Tang-shen's article flows like water and is brilliantly written; it enlightens the reader and makes one slap the table in admiration. Probably posted at about 6:20.

  2. Yang says:

    The master is impressive; now I can do it too:
    ```cpp
    const struct JNINativeInterface *nativeInterface = env->functions;
    RetStatus status = ZzHook((void *) nativeInterface->RegisterNatives,
                              (void *) fake_RegisterNatives,
                              (void **) &orig_RegisterNatives,
                              common_pre_call, common_post_call,
                              true);
    ```
