ele7enxxh / android-inline-hook
thumb16 thumb32 arm32 inlineHook in Android
Home Page: http://ele7enxxh.com/Android-Arm-Inline-Hook.html
License: Apache License 2.0
./relocate.c:239:25: warning: operator '<<' has lower precedence than '+'; '+' will be evaluated first
[-Wshift-op-parentheses]
value = ALIGN_PC(pc) + (instruction & 0xFF) << 2;
~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~ ~~
./relocate.c:610:18: warning: & has lower precedence than ==; == will be evaluated first [-Wparentheses]
if (target_addr & 1 == 1) {
^~~~~~~~
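As an added illustration (not code from the repository), here is what the two warnings quoted above mean in practice. It assumes ALIGN_PC rounds the Thumb PC value (instruction address plus 4) down to a multiple of 4; the instruction encoding and addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The two warned-about expressions are kept verbatim to show their effect. */
#pragma GCC diagnostic ignored "-Wparentheses"

/* Assumption for this example (not taken from relocate.c): the PC value a
 * Thumb load-literal sees is the instruction address + 4, rounded down to 4. */
#define ALIGN_PC(pc) ((pc) & ~(uint32_t)3)

/* Thumb16 LDR (literal): imm8 in bits[7:0], byte offset = imm8 * 4.
 * As written on the page, '+' binds tighter than '<<', so this computes
 * (ALIGN_PC(pc) + imm8) << 2 and scales the PC itself by four. */
static uint32_t ldr_literal_buggy(uint32_t pc, uint16_t insn) {
    return ALIGN_PC(pc) + (insn & 0xFF) << 2;
}

static uint32_t ldr_literal_fixed(uint32_t pc, uint16_t insn) {
    return ALIGN_PC(pc) + ((insn & 0xFF) << 2);
}

/* Second warning: `addr & 1 == 1` parses as `addr & (1 == 1)`, i.e. `addr & 1`,
 * which yields the right truth value by accident; the fix only adds clarity. */
static bool is_thumb_addr_buggy(uint32_t addr) { return addr & 1 == 1; }
static bool is_thumb_addr_fixed(uint32_t addr) { return (addr & 1) == 1; }

int main(void) {
    uint32_t pc = 0x1004;   /* constructed: instruction at 0x1000, plus 4 */
    uint16_t insn = 0x4801; /* constructed: LDR r0, [pc, #4] */
    printf("buggy target 0x%08x, fixed target 0x%08x\n",
           ldr_literal_buggy(pc, insn), ldr_literal_fixed(pc, insn));
    return 0;
}
```

Only the first warning is a real defect: the relocated literal load ends up pointing far outside the original pool, while the second expression already behaves as intended.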
In the LDR_THUMB32 handling branch
the register can be any of r0-r15,
but the thumb16 assembly instruction used by the trampoline cannot handle the r8-r15 case:
trampoline_instructions[0] = 0x4800 | (r << 8); // LDR Rr, [PC]
Hi, hello.
Thanks for providing such a useful library. While using it I found a problem: hooking certain functions causes the target process to crash.
For example
#include <sys/types.h>
#include <sys/socket.h>
ssize_t send(int sockfd, const void *buf, size_t len, int flags);
#include <unistd.h>
ssize_t read(int fd, void *buf, size_t count);
both turned out to cause crashes.
I wonder whether the assembly of these two functions is too short, so that the hook overwrites code beyond the original instructions and that causes the crash.
Currently testing on Android 7.0. Hooking system functions such as send works, but hooking functions inside other .so libraries does not. Does the author know the reason? Thanks.
I hooked an interface of a system process; when that interface is called frequently while hooked, it crashes. The hooked interface is called from a child thread. Test device: Nexus 5, Android 4.4.
static int getAllTids(pid_t pid, pid_t *tids)
This function returns the thread group, excluding the caller itself.
However, if the hook happens in a child thread, then with the original getpid() argument the returned tids still contain the thread group minus the main thread. ptrace will then still freeze the child thread, and the child and the main process end up locking each other.
Suggestion: pass gettid() as the pid argument, and the problem no longer occurs.
The line if (tid != 0 && tid != gettid()) also needs to be changed to this form.
Can the hook be used to tamper with other processes? I tested it and it can tamper with the currently running process, but not other processes.
Because "a complete inline hook solution must take multi-threaded environments into account, i.e. the case where a thread happens to be executing at the location of the modified instructions", this project uses ptrace to solve that problem. That in turn gets detected by hardening vendors such as xx encryption or xx reinforcement and causes a crash. In many cases, ignoring "a thread happening to execute at the location of the modified instructions" is not a big problem, so I suggest adding a configuration option to choose whether the multi-threaded case needs to be handled.
I have tried two devices, one a Huawei Honor 6, the other a Huawei P9. While executing the registerInlineHook function, the app appears to hang. Other Qualcomm CPUs work well. How can I resolve this problem?
The blog has no comment function, so I am replying here.
According to the ptrace documentation:
The ptrace() system call provides a means by which one process (the
"tracer") may observe and control the execution of another process
(the "tracee"), and examine and change the tracee's memory and
registers.
This points out that ptrace performs monitoring between two processes, so the problem you mentioned should only occur when operating within the same process.
I get the error 'cacheflush' was not declared in this scope when I build it. Is something missing?
Strangely, the ANR is intermittent but quite frequent. Debugging with log output shows that whenever there is an ANR, the program is stuck at the wait(NULL); line in the unFreeze method in inlineHook.c. My C++ is weak; I hope an expert can help take a look, many thanks.
It crashes on every Huawei phone with a HiSilicon chip; I tried the Honor 6, P7, P8, 5X and others.
ssize_t (*old_write)(int, const void *, size_t) = NULL;

ssize_t new_write(int sock, const void *buf, size_t len) {
    ssize_t ret = old_write(sock, buf, len);
    return ret;
}

int hook_write() {
    if (registerInlineHook((uint32_t) write, (uint32_t) new_write, (uint32_t **) &old_write) != ELE7EN_OK) {
        LOGD("hook_write failed 1");
        return -1;
    }
    if (inlineHook((uint32_t) write) != ELE7EN_OK) {
        LOGD("hook_write failed 2");
        return -1;
    }
    LOGD("hook_write success");
    return 0;
}

JNIEXPORT jint JNICALL Java_com_example_hooktest_HookJniUtil_startHookV1(JNIEnv *env, jobject thisObj) {
    hook_write();
    return 0;
}
One place in your code differs from adbi: after adbi hooks, when it jumps into the hook function it calls preCall to copy the saved 8 bytes of instructions back, then directly calls the original function address. After the call returns, it replaces the 8 bytes of instructions again. Wouldn't that avoid the fix-up problem for PC-relative instructions that you mentioned?
Hi, many thanks for providing such a useful tool!
While hooking I found a failure case: the permission flags of the segment containing the target function are not limited to "r-xp"; some are "rwxp". Following ELE7EN_ERROR_NOT_EXECUTABLE led me to the isExecutableAddr function
static bool isExecutableAddr(uint32_t addr)
// ...
if (strstr(line, "r-xp")) {
// ...
and after changing it to
static bool isExecutableAddr(uint32_t addr)
// ...
if (strstr(line, "r-xp") || strstr(line, "rwxp")) {
// ...
the hook succeeded.
Thanks again!
I found that relocate is not thorough enough. For example, when I hook the sleep function, which is a Thumb-mode function, relocate inserts many unnecessary nops (https://github.com/ele7enxxh/Android-Inline-Hook/blob/master/relocate.c#L271). The first few bytes of sleep look like this:
.text:0002DFCE PUSH {R0-R2,LR}
.text:0002DFD0 CMP R0, #0
.text:0002DFD2 IT LT
.text:0002DFD4 MOVLT R0, #0x7FFFFFFF
.text:0002DFD8 MOV R1, SP
After relocation an extra nop appears right after IT LT. IT LT means that if less than zero, the next instruction is skipped, so the MOVLT instruction, which should originally have been skipped, can never be skipped after relocation.
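An added example, not the project's code, showing how a relocator can measure the span an IT block governs so that no padding lands inside it. The halfwords are constructed to mirror the sleep prologue listed above, with MOV.W r0,#0 standing in for the 32-bit MOVLT.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Thumb16 IT: 1011 1111 firstcond[3:0] mask[3:0]; a zero mask makes the
 * halfword a hint (NOP, YIELD, ...), not an IT. */
static int is_it_insn(uint16_t hw) {
    return (hw & 0xFF00) == 0xBF00 && (hw & 0x000F) != 0;
}
/* Instructions covered by the IT block: the lowest set mask bit terminates
 * the mask, so 1000 -> 1 (plain IT), x100 -> 2, xx10 -> 3, xxx1 -> 4. */
static int it_block_len(uint16_t hw) {
    if (!is_it_insn(hw)) return 0;
    unsigned mask = hw & 0xF;
    if (mask & 1) return 4;
    if (mask & 2) return 3;
    if (mask & 4) return 2;
    return 1;
}
/* A Thumb32 instruction starts with 0b11101, 0b11110 or 0b11111. */
static size_t thumb_insn_halfwords(uint16_t hw) {
    return (hw & 0xF800) >= 0xE800 ? 2 : 1;
}
/* Bytes from the IT at code[idx] through the last instruction it governs:
 * the span a relocator must copy as one unit. A nop inserted after the IT
 * would become the conditional instruction and the intended one would run
 * unconditionally. Returns 0 if code[idx] is not an IT or the block is cut. */
static size_t it_block_bytes(const uint16_t *code, size_t n, size_t idx) {
    if (idx >= n) return 0;
    int remaining = it_block_len(code[idx]);
    if (remaining == 0) return 0;
    size_t i = idx + 1;
    while (remaining-- > 0) {
        if (i >= n) return 0;
        i += thumb_insn_halfwords(code[i]);
    }
    return i > n ? 0 : (i - idx) * 2;
}
/* Constructed halfwords shaped like the quoted sleep prologue:
 * PUSH {r0-r2,lr}; CMP r0,#0; IT LT; MOV.W r0,#0 (32-bit stand-in for
 * MOVLT r0,#0x7FFFFFFF); MOV r1,sp. */
static const uint16_t kSleepLikePrologue[] = {
    0xB507, 0x2800, 0xBFB8, 0xF04F, 0x0000, 0x4669
};
int main(void) {
    printf("IT block spans %zu bytes\n", it_block_bytes(kSleepLikePrologue, 6, 2));
    return 0;
}
```

For the sample prologue the IT plus its single 32-bit MOVLT form a 6-byte unit; any nop padding belongs after that unit, not between the two instructions.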
handle = dlopen("libc.so", RTLD_GLOBAL | RTLD_LAZY);
addr = dlsym(handle, "memcmp");
With this, registerInlineHook returns ELE7EN_ERROR_NOT_EXECUTABLE.
This took me a whole evening; I thought it was an Android.mk problem. It turned out my source file was C++ and it linked against the C static library, so the function names could not be resolved.
Adding the C++ guard to the header fixed it:
#ifdef __cplusplus
extern "C" {
#endif
...
#ifdef __cplusplus
}
#endif
May I ask why bit[0] of the target address value can determine the instruction type at the target address?
registerInlineHook(a, my_a, org_a)
registerInlineHook(a, my_a2, org_a)

void (*org_a)();

void a()
{
}

void my_a()
{
    …
    return org_a();
}

void my_a2()
{
    …
    return org_a();
}
If the same address is modified and execution reaches my own functions, is the original-function pointer called at the end of the second function my_a2 the original a function or my_a?
Do they support replacing the same address and executing in sequence?
As in the title.
Following this demo it executed successfully, but the program still crashed,
5 18:24:16.629 25936-25936/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'honor/FRD-AL10/HWFRD:8.0.0/HUAWEIFRD-AL10/535(C00):user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 25912, tid: 25912, name: qssq666.ndkhook >>> cn.qssq666.ndkhook <<<
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xccb061ba
r0 00000037 r1 00000000 r2 c98369b7 r3 00000003
r4 f39c4064 r5 00000001 r6 00000000 r7 ff97fa28
r8 0000004e r9 f03da000 sl ff97fc18 fp ff97fba4
ip ff97f528 sp ff97f9f8 lr ccb061b9 pc ccb061ba cpsr 60070030
01-05 18:24:16.630 25936-25936/? A/DEBUG: backtrace:
#00 pc 000021ba /data/app/cn.qssq666.ndkhook-_tOyIPBMK3KPZRl7dBXO5Q==/lib/arm/libnative-lib.so (_Z8new_putsPKc+81)
#01 pc 0000235f /data/app/cn.qssq666.ndkhook-_tOyIPBMK3KPZRl7dBXO5Q==/lib/arm/libnative-lib.so (Java_cn_qssq666_ndkhook_MainActivity_stringFromJNI+258)
#02 pc 00009063 /data/app/cn.qssq666.ndkhook-_tOyIPBMK3KPZRl7dBXO5Q==/oat/arm/base.odex (offset 0x9000)
01-05 18:24:16.639 1122-1122/? I/TrafficMonitor: expired arrive. level:-1
Android 8.0, arm64, Honor 8 phone.
AAsset* new_AAssetManager_open(AAssetManager*, const char*, int)
After performing the relevant operations in the new function, calling the recorded original AAssetManager_open address crashes.
Device: Nexus 5X, system version: 7.1.1
--------- beginning of crash
A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0xf6167ad6 in tid 31137 (xxxxx)
[ 12-21 15:20:34.814 362: 362 W/ ]
debuggerd: handling request: pid=31137 uid=10177 gid=10177 tid=31137
E/Layer: [com.android.systemui.ImageWallpaper] rejecting buffer: bufWidth=1920, bufHeight=1080, front.active.{w=2331, h=1920}
A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
A/DEBUG: Build fingerprint: 'google/bullhead/bullhead:7.1.1/NPF10C/3347772:user/release-keys'
A/DEBUG: Revision: 'rev_1.0'
A/DEBUG: ABI: 'arm'
A/DEBUG: pid: 31137, tid: 31137, name: xxxxx >>> org.xxxx.xxxx <<<
A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xf6167ad6
A/DEBUG: r0 e850bbc0 r1 f232e32f r2 00000000 r3 f2363001
A/DEBUG: r4 f232dea0 r5 f232e32f r6 f232de4d r7 f232de0c
A/DEBUG: r8 fff6f4e8 r9 f3785400 sl 00000000 fp fff6f474
A/DEBUG: ip fff6ee3c sp fff6f300 lr f2363021 pc f6167ad6 cpsr 800e0010
A/DEBUG: backtrace:
A/DEBUG: #00 pc 00009ad6 /system/lib/libandroid.so
A/DEBUG: #1 pc 0000401f anonymous:f235f000
Error returned when the hook fails: ELE7EN_ERROR_NOT_EXECUTABLE
The APP only contains ARM-architecture dynamic libraries; during the hook, isExecutableAddr evaluates to false.
Bro, please make a 64-bit version; many phones are 64-bit now.