
xhook's People

Contributors: 8enet, caikelun, xuqnqn


xhook's Issues

hooking in JNI_OnLoad

I'm trying to dynamically load a .so into a debuggable apk by using jdwp:
https://koz.io/library-injection-for-debuggable-android-apps/
After loading my custom xhook.so, I implemented a JNI_OnLoad function
    JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void*) {
and tried to do malloc hooking in it, but it didn't seem to work. Everything works fine when I pack the .so into the apk as before, but there's no malloc log when I'm using the above method.
So, is it because we can't do a PLT hook in JNI_OnLoad, or am I doing something wrong here?

Several compile errors

  1. xh_core.c does not include stdio.h, which produces the following error at compile time:
    jni/xh_core.c:140:5: error: use of undeclared identifier 'FILE'
    FILE *fp;

  2. Some macros in xh_elf.h are redefined or not defined at all:

jni/xh_elf.c:61:9: error: 'ELF_R_SYM' macro redefined [-Werror,-Wmacro-redefined]
#define ELF_R_SYM(info) ELF32_R_SYM(info)
^
/Users/killer/AndTool/ndk/platforms/android-14/arch-arm/usr/include/sys/exec_elf.h:559:9: note: previous definition is here
#define ELF_R_SYM ELF32_R_SYM
^
jni/xh_elf.c:62:9: error: 'ELF_R_TYPE' macro redefined [-Werror,-Wmacro-redefined]
#define ELF_R_TYPE(info) ELF32_R_TYPE(info)
^
/Users/killer/AndTool/ndk/platforms/android-14/arch-arm/usr/include/sys/exec_elf.h:560:9: note: previous definition is here
#define ELF_R_TYPE ELF32_R_TYPE
^
jni/xh_elf.c:906:14: error: use of undeclared identifier 'DT_ANDROID_REL'
case DT_ANDROID_REL:
^
jni/xh_elf.c:907:14: error: use of undeclared identifier 'DT_ANDROID_RELA'
case DT_ANDROID_RELA:
^
jni/xh_elf.c:913:14: error: use of undeclared identifier 'DT_ANDROID_RELSZ'
case DT_ANDROID_RELSZ:
^
jni/xh_elf.c:914:14: error: use of undeclared identifier 'DT_ANDROID_RELASZ'
case DT_ANDROID_RELASZ:
^
jni/xh_elf.c:927:14: error: use of undeclared identifier 'DT_GNU_HASH'
case DT_GNU_HASH:
^
jni/xh_elf.c:1026:28: error: use of undeclared identifier 'R_ARM_JUMP_SLOT'
if(is_plt && r_type != R_GENERIC_JUMP_SLOT) return 0;
^
jni/xh_elf.c:48:29: note: expanded from macro 'R_GENERIC_JUMP_SLOT'
#define R_GENERIC_JUMP_SLOT R_ARM_JUMP_SLOT //.rel.plt
^
jni/xh_elf.c:1027:30: error: use of undeclared identifier 'R_ARM_GLOB_DAT'
if(!is_plt && (r_type != R_GENERIC_GLOB_DAT && r_type != R_GENERIC_ABS)) return 0;
^
jni/xh_elf.c:49:29: note: expanded from macro 'R_GENERIC_GLOB_DAT'
#define R_GENERIC_GLOB_DAT R_ARM_GLOB_DAT //.rel.dyn
^
jni/xh_elf.c:1027:62: error: use of undeclared identifier 'R_ARM_ABS32'
if(!is_plt && (r_type != R_GENERIC_GLOB_DAT && r_type != R_GENERIC_ABS)) return 0;
^
jni/xh_elf.c:50:29: note: expanded from macro 'R_GENERIC_ABS'
#define R_GENERIC_ABS R_ARM_ABS32 //.rel.dyn
^
10 errors generated.

how to hook a member function?

For example, how can I hook the WebRequest::WebRequest function in WebKit? Could you give a more detailed example? Thank you very much.

Verbosity

Hi,
I am trying to use your project, but I do not know exactly how to proceed. Could you add some more documentation about how to create the hooks, use them, and interact with the Android application in the project?

hook getaddrinfo

Excuse me, when I use xhook to hook getaddrinfo, I just modify biz.c and add:

    xhook_register("^/system/.*\\.so$", "getaddrinfo", my_getaddrinfo, NULL);
    xhook_register("^/vendor/.*\\.so$", "getaddrinfo", my_getaddrinfo, NULL);

my_getaddrinfo is defined as follows:

    static int my_getaddrinfo(const char* hostname, const char* servname,
                              const struct addrinfo* hints, struct addrinfo** res) {
        LOGD("rock_hook getaddrinfo");
        return getaddrinfo(hostname, servname, hints, res);
    }

However, when I load a webview with http://www.google.com, I cannot see the log. Can you help me?

cannot get target function name in target so-file

After loading the so-files in order (xhook.so, xhookInject.so, thirdSDK.so), I successfully hook the malloc/free methods, but fail to get backtrace symbols in thirdSDK using dladdr (it returns an empty string; I only get symbols in the xhookInject so). Thanks for your help.

Have problems to hook "new" rather than "malloc" in libtest.so

I have used it to hook "malloc" in libtest.so and it works. However, I cannot hook "new" in libtest.so. Is this possible?
With the following code:
    xhook_register(".*\\.so$", "malloc", (void *)my_malloc, NULL);
    xhook_ignore(".*/libbiz\\.so$", "malloc");
I can hook "new" in libtest.so in this way.
However, if I try to use a data structure from the standard library to record some memory information (e.g. unordered_map) in biz.cpp, "new" cannot be hooked. It seems that any call to "new" in biz.cpp causes that problem. Maybe I have used this tool in a wrong way; I hope someone can help me, thanks.

Question about calling xhook_ignore

After hooking a function, I call xhook_refresh() so that the hook takes effect.
Afterwards, if I want to stop hooking that function and call xhook_ignore, it warns not to call it after refresh.
So how can a hook be cancelled dynamically?
Please advise!

How to get the address of the hooked method

Put another way: how do I call the hooked method from inside my own hook method? For example, I want to hook a game's decryption method, char[] Decrypt(), replace it with my myDecrypt, and then call Decrypt from inside myDecrypt to get Decrypt's return value, i.e. the decrypted data. I looked at the demo and found no code for this; could you show how to do this with xHook?

It seems the exec family of functions cannot be hooked

    int (*old_execve)(const char *path, char *const argv[], char *const envp[]);
    int new_execve(const char *path, char *const argv[], char *const envp[]){
        LOGD("hook successful");
        return 99;
    }
    int so_init(){
        LOGD("start so_init");
        xhook_enable_debug(1);
        xhook_register("/system/lib/libc.so", "execve", (void *)new_execve, (void**)&old_execve);
        xhook_refresh(0);
        LOGD("finished so_init");
        return 0;
    }

01-13 01:01:32.946 25904-25904/com.winer.proxyapp I/xhook: libxhook 1.1.10 (arm)
01-13 01:01:32.952 25904-25904/com.winer.proxyapp I/xhook: init OK: /system/lib/libc.so (REL ELF_HASH PLT:5096 DYN:10872 ANDROID:0)
hooking execve in /system/lib/libc.so
found execve at symidx: 932 (ELF_HASH)
found execve at .rel.plt offset: 0x69db8
01-13 01:01:32.956 25904-25904/com.winer.proxyapp I/xhook: XH_HK_OK 0xb6e86db8: 0xb6e5708c -> 0xb3598a75 execve /system/lib/libc.so

The log says it succeeded; I wonder whether fork is affecting it?

Android 4.4.3 (arm): hooking a function in libandroidfw.so fails.

I used xhook to try to hook the inflateBuffer function in /frameworks/base/libs/androidfw/ZipFileRO.cpp, and the log shows success. But when that function is called, the corresponding log is not printed, i.e. the hook does not actually take effect. How can this be solved?

The log is as follows:

I/xhook: libxhook 1.1.9 (arm)
      hook: _ZN7android9ZipFileRO13inflateBufferEPvPKvjj @ /system/lib/libandroidfw.so, (0xa9c40259, 0xa9c48048)
I/xhook: init OK: /system/lib/libandroidfw.so (REL ELF_HASH PLT:1360 DYN:1904 ANDROID:0)
    hooking _ZN7android9ZipFileRO13inflateBufferEPvPKvjj in /system/lib/libandroidfw.so
    found _ZN7android9ZipFileRO13inflateBufferEPvPKvjj at symidx: 14 (ELF_HASH)
    map refreshed
D/xhook:   b6deb000 /system/lib/libandroidfw.so

The key hook code is as follows:

    typedef bool (*inflateBufferType)(void *outBuf, const void *inBuf,
                                      size_t uncompLen, size_t compLen);

    inflateBufferType inflateBuffer = NULL;

    bool inflateBufferFake(void *outBuf, const void *inBuf, size_t uncompLen, size_t compLen) {
        DEBUG("invoke inflateBuffer");
        if (inflateBuffer != NULL) {
            return inflateBuffer(outBuf, inBuf, uncompLen, compLen);
        } else {
            EGIS_ERROR("get the inflateBuffer function failed!");
            return false;
        }
    }

    xhook_enable_debug(1);
    xhook_register("/system/lib/libandroidfw.so",
                   "_ZN7android9ZipFileRO13inflateBufferEPvPKvjj",
                   (void *) inflateBufferFake,
                   (void **) &inflateBuffer);
    xhook_refresh(0);

A question about using xHook

I would like to ask:
1. In the demo's biz.c, if I remove the hook on libtest.so, shouldn't it then hook the system's __android_log_print function? But the output log shows it did not take effect. Is my understanding wrong?

2. What does "definitely failed when compiled with -O0" mean? Can a locally defined function not be hooked?

I would appreciate a reply from the maintainer; my company project depends on this and I am stuck here. Thanks!

biz.c

    void Java_com_qiyi_biz_NativeHandler_start(JNIEnv* env, jobject obj)
    {
        (void)env;
        (void)obj;

        xhook_register("^/system/.*\\.so$",  "__android_log_print", my_system_log_print,  NULL);
        xhook_register("^/vendor/.*\\.so$",  "__android_log_print", my_system_log_print,  NULL);
        //xhook_register(".*/libtest\\.so$", "__android_log_print", my_libtest_log_print, NULL);

        //just for testing
        //xhook_ignore(".*/liblog\\.so$", "__android_log_print"); //ignore __android_log_print in liblog.so
        //xhook_ignore(".*/libjavacore\\.so$", NULL); //ignore all hooks in libjavacore.so
    }

2019-01-03 15:53:49.137 8594-8618/com.qiyi.xhookwrapper D/mytest: call directly. 216
2019-01-03 15:53:49.137 8594-8618/com.qiyi.xhookwrapper D/mytest: call from global ptr. 216
2019-01-03 15:53:49.137 8594-8618/com.qiyi.xhookwrapper D/mytest: call from local ptr. 216
2019-01-03 15:53:49.137 8594-8618/com.qiyi.xhookwrapper D/mytest: call from local ptr2. 216 (definitely failed when compiled with -O0)

Hooking libart.so's mmap function does not jump to the new new_mmap function

Test environment:
Nexus 5, CM12

Test code as follows:

    LOGD("[+]xhook hook register");
    xhook_enable_debug(1);
    xhook_register(LIB_ART_PATH, "open", (void *)new_open, (void **)&old_open);
    xhook_register(LIB_ART_PATH, "mmap", (void *)new_mmap, (void **)&old_mmap);
    xhook_register(LIB_ART_PATH, "munmap", (void *)new_munmap, (void **)&old_munmap);
    if (xhook_refresh(0)) {
        LOGE("[-]xhook refresh failed");
    }
    xhook_clear();

Log as follows:

I/xhook   ( 9542): libxhook 1.1.4 (arm)
I/xhook   ( 9542): init OK: /system/lib/libart.so (REL ELF_HASH PLT:1736 DYN:53984 ANDROID:0
I/xhook   ( 9542): hooking open in /system/lib/libart.so
I/xhook   ( 9542): found open at symidx: 505 (ELF_HASH)
I/xhook   ( 9542): found open at .rel.plt offset: 0x304d78
I/xhook   ( 9542): XH_HK_OK 0xb47fad78: 0xb6dcf76d -> 0xaf3a26e9 open /system/lib/libart.so
I/xhook   ( 9542): hooking mmap in /system/lib/libart.so
I/xhook   ( 9542): found mmap at symidx: 522 (ELF_HASH)
I/xhook   ( 9542): found mmap at .rel.plt offset: 0x304d80
I/xhook   ( 9542): XH_HK_OK 0xb47fad80: 0xb6dd3521 -> 0xaf3a2ae9 mmap /system/lib/libart.so
I/xhook   ( 9542): hooking munmap in /system/lib/libart.so
I/xhook   ( 9542): found munmap at symidx: 525 (ELF_HASH)
I/xhook   ( 9542): found munmap at .rel.plt offset: 0x304d84

Hooking open can jump to new_open, but mmap and munmap cannot jump to the new functions.

I looked at libart.so's GOT after hooking; open and mmap were both replaced with the new function addresses.

Bug causing hook failure

case DT_HASH: a check on self->is_use_gnu_hash should be added here to skip it, or separate bucket variables should be set up; otherwise they get overwritten, and the lookup via gnu hash then fails to find the symbol.

__LIBC_HIDDEN__ functions

Hello, I would like to ask:

    int android_getnameinfofornet(const struct sockaddr *, socklen_t, char *, size_t, char *, size_t, int, unsigned, unsigned) __LIBC_HIDDEN__;

    #define __LIBC_HIDDEN__ __attribute__((visibility("hidden")))

Can functions defined with __LIBC_HIDDEN__ not be hooked?

Hooking /system/bin/linker

Hello, I want to hook usages of open in linker, but it is not working. I can hook open in other libs, like libart but not in the linker. Is this not possible with xHook?

I want to hook this open specifically http://androidxref.com/5.0.0_r2/xref/bionic/linker/linker.cpp#723

Thank you for your wonderful tool.

int (*old_open)(const char *pathname, int flags, mode_t mode);
int my_open(const char *pathname, int flags, mode_t mode) {

    int result = old_open(pathname, flags, mode);
    __android_log_print(ANDROID_LOG_DEBUG, "xHook", "open - %s, %d, result %d", pathname, flags, result);
    return result;
}

JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved) {
    JNIEnv* env;
    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) != JNI_OK) {
        return JNI_ERR; // JNI version not supported.
    }
    __android_log_print(ANDROID_LOG_DEBUG, "Culet", " JNI_OnLoad");
    xhook_enable_debug(1);
    xhook_enable_sigsegv_protection(0);
    xhook_register(".*\\linker$", "open", (void *)my_open, (void**)&old_open);
    xhook_refresh(0);
    return  JNI_VERSION_1_6;
}

Problem: the first entry of the rel.plt table is skipped during the search

In xh_elf.c, the xh_elf_hook function contains the following code:

    xh_elf_plain_reloc_iterator_init(&plain_iter, self->relplt, self->relplt_sz, self->is_use_rela);
    while(NULL != (rel_common = xh_elf_plain_reloc_iterator_next(&plain_iter)))
    {
        if(0 != (r = xh_elf_find_and_replace_func(self, (self->is_use_rela ? ".rela.plt" : ".rel.plt"), 1,
                                                  symbol, new_func, old_func, symidx, rel_common, &found))) return r;
        if(found) break;
    }

With this code the first lookup starts from the second entry and skips the first, so if the function to be hooked is in the first row of rel.plt the hook fails.
It can be changed to the following, after which it works correctly:

    xh_elf_plain_reloc_iterator_init(&plain_iter, self->relplt, self->relplt_sz, self->is_use_rela);
    rel_common = plain_iter.cur;
    while(NULL != rel_common) //(NULL != (rel_common = xh_elf_plain_reloc_iterator_next(&plain_iter)))
    {
        if(0 != (r = xh_elf_find_and_replace_func(self, (self->is_use_rela ? ".rela.plt" : ".rel.plt"), 1,
                                                  symbol, new_func, old_func, symidx, rel_common, &found))) return r;
        if(found) break;
        rel_common = xh_elf_plain_reloc_iterator_next(&plain_iter);
    }
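The off-by-one described in this issue, as an added C example that is not xhook's code: it builds a constructed ARM32 .rel.plt table (three JUMP_SLOT entries for symbol indices 3, 7 and 9) and walks it once with a return-then-advance iterator and once with an advance-then-return one, so the lookup for the symbol in the first entry succeeds only with the former. Names such as iter_next and find_plt_slot are hypothetical, and the ELF32 definitions are mirrored from <elf.h> so the block is self-contained.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal ELF32 relocation definitions, mirrored from <elf.h> so the block
 * is self-contained. */
typedef uint32_t Elf32_Addr;
typedef uint32_t Elf32_Word;
typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; } Elf32_Rel;
typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; int32_t r_addend; } Elf32_Rela;
#define ELF32_R_SYM(info)        ((info) >> 8)
#define ELF32_R_TYPE(info)       ((unsigned char)(info))
#define ELF32_R_INFO(sym, type)  (((sym) << 8) + ((type) & 0xff))
#define R_ARM_JUMP_SLOT          22   /* .rel.plt relocation type on ARM32 */

/* Plain (non-packed) relocation iterator shaped like the one in the issue:
 * a byte cursor and an end pointer over .rel.plt. Hypothetical names; this
 * is not xhook's code. */
typedef struct {
    uint8_t *cur;
    uint8_t *end;
    int      is_use_rela;
} plain_reloc_iter_t;

static void iter_init(plain_reloc_iter_t *it, const void *rel, size_t rel_sz, int is_use_rela)
{
    it->cur = (uint8_t *)rel;
    it->end = it->cur + rel_sz;
    it->is_use_rela = is_use_rela;
}

/* Return the entry at cur, then advance: the first call yields entry 0. */
static void *iter_next(plain_reloc_iter_t *it)
{
    void *ret;
    if (it->cur >= it->end) return NULL;
    ret = it->cur;
    it->cur += it->is_use_rela ? sizeof(Elf32_Rela) : sizeof(Elf32_Rel);
    return ret;
}

/* Advance-then-return variant: it never yields entry 0, which is the
 * "first row is skipped" behaviour the issue describes. */
static void *iter_next_skipping(plain_reloc_iter_t *it)
{
    it->cur += it->is_use_rela ? sizeof(Elf32_Rela) : sizeof(Elf32_Rel);
    if (it->cur >= it->end) return NULL;
    return it->cur;
}

/* Walk .rel.plt for a JUMP_SLOT relocation against symidx and return its
 * r_offset (the GOT slot before relocation), or 0 when not found. */
static Elf32_Addr find_plt_slot(const Elf32_Rel *relplt, size_t relplt_sz, Elf32_Word symidx,
                                void *(*next)(plain_reloc_iter_t *))
{
    plain_reloc_iter_t it;
    const Elf32_Rel *rel;

    iter_init(&it, relplt, relplt_sz, 0);
    while ((rel = (const Elf32_Rel *)next(&it)) != NULL) {
        if (ELF32_R_SYM(rel->r_info) != symidx) continue;
        if (ELF32_R_TYPE(rel->r_info) != R_ARM_JUMP_SLOT) continue;
        return rel->r_offset;
    }
    return 0;
}

/* Constructed .rel.plt of an ARM32 library: three JUMP_SLOT entries for
 * symbol indices 3, 7 and 9 in consecutive GOT slots. */
static const Elf32_Rel sample_relplt[] = {
    { 0x2fe8, ELF32_R_INFO(3, R_ARM_JUMP_SLOT) },
    { 0x2fec, ELF32_R_INFO(7, R_ARM_JUMP_SLOT) },
    { 0x2ff0, ELF32_R_INFO(9, R_ARM_JUMP_SLOT) },
};

/* symidx 3 sits in the first entry: only the return-then-advance walk finds it. */
Elf32_Addr lookup_correct(Elf32_Word symidx)
{
    return find_plt_slot(sample_relplt, sizeof(sample_relplt), symidx, iter_next);
}

Elf32_Addr lookup_skipping(Elf32_Word symidx)
{
    return find_plt_slot(sample_relplt, sizeof(sample_relplt), symidx, iter_next_skipping);
}
```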

Why not return r here (last line)?

int xh_elf_hook(xh_elf_t *self, const char *symbol, void *new_func, void **old_func)
{
    uint32_t                        symidx;
    void                           *rel_common;
    xh_elf_plain_reloc_iterator_t   plain_iter;
    xh_elf_packed_reloc_iterator_t  packed_iter;
    int                             found;
    int                             r;

    if(NULL == self->pathname)
    {
        XH_LOG_ERROR("not inited\n");
        return XH_ERRNO_ELFINIT; //not inited?
    }

    if(NULL == symbol || NULL == new_func) return XH_ERRNO_INVAL;

    XH_LOG_INFO("hooking %s in %s\n", symbol, self->pathname);
    
    //find symbol index by symbol name

    // NOTE: why not return r here
    if(0 != (r = xh_elf_find_symidx_by_name(self, symbol, &symidx))) return 0;

What is this problem? All of them failed

02-15 19:45:28.215: E/xhook(9452): get addr prot failed. ret: 1009
02-15 19:45:28.216: E/xhook(9452): replace function failed: fopen at .rel.plt
02-15 19:45:28.269: E/xhook(9452): get addr prot failed. ret: 1009
02-15 19:45:28.269: E/xhook(9452): replace function failed: access at .rel.plt
02-15 19:45:28.287: E/xhook(9452): get addr prot failed. ret: 1009
02-15 19:45:28.287: E/xhook(9452): replace function failed: chdir at .rel.plt
02-15 19:45:28.351: E/xhook(9452): get addr prot failed. ret: 1009
02-15 19:45:28.351: E/xhook(9452): replace function failed: __system_property_get at .rel.plt

just get the old func

Excuse me, in my case I just want to get the old_func and invoke it.
This is my logic:
    void **old_func = NULL;
but when I try xhook_register(".*/libart\\.so$", "XXX", NULL, old_func),
old_func is always NULL. Can xhook just get the address of old_func?

A question encountered during use

I ran into a problem while using it that I could not figure out, so I am asking here.
First I wrote a test demo with the following code,
a JNI call:

    int test_add(int a,int b){
        return a+b;
    }

    jint
    Java_com_famgy_xhooktest_NativeHandler_test_1add(JNIEnv* env, jobject obj,jint a,jint b)
    {
        // call the test_add method here
        return test_add(a,b);
    }

Then I wrote a hook module with xhook, with the following code,
hook.so:

    int (*ori_testadd)(jint,jint);

    static int my_test_add(jint a,jint b){
        __android_log_print(ANDROID_LOG_ERROR, "XHOOK====>> before ","a=%d ,b=%d", a,b);
        a=20;
        __android_log_print(ANDROID_LOG_ERROR, "XHOOK====>> after ","a=%d ,b=%d", a,b);
        return ori_testadd(a,b);
    }

    xhook_register(".*/libxhooktest\\.so$", "test_add", my_test_add,(void**)&ori_testadd);
    xhook_enable_debug(1); // enable debug mode to see the information
    xhook_refresh(1);

After running the demo, it does hook the test_add method in xhooktest.so.
test1 log:

05-20 13:37:35.649 30579-30598/com.famgy.famgyelfhook I/xhook: init OK: /data/app/com.famgy.famgyelfhook-1/lib/arm/libxhooktest.so (REL ELF_HASH PLT:96 DYN:88 ANDROID:0)
    hooking test_add in /data/app/com.famgy.famgyelfhook-1/lib/arm/libxhooktest.so
    found test_add at symidx: 3 (ELF_HASH)
05-20 13:37:35.649 30579-30598/com.famgy.famgyelfhook E/xhook: sym  equals ,r_sym=3 ,symidx=3
    type   equals ,r_type=22 ,XH_ELF_R_GENERIC_JUMP_SLOT=22
    方法不是plt类型 is_plt=1 ,r_type=22,XH_ELF_R_GENERIC_GLOB_DAT=21,XH_ELF_R_GENERIC_ABS=2
05-20 13:37:35.649 30579-30598/com.famgy.famgyelfhook I/xhook: found test_add at .rel.plt offset: 0x2fe8
05-20 13:37:35.651 30579-30598/com.famgy.famgyelfhook I/xhook: XH_HK_OK 0xb3406fe8: 0xb3404775 -> 0xb35066b5 test_add /data/app/com.famgy.famgyelfhook-1/lib/arm/libxhooktest.so
05-20 13:37:35.654 30579-30598/com.famgy.famgyelfhook I/xhook: map refreshed
05-20 13:37:35.847 30579-30579/com.famgy.famgyelfhook E/XHOOK====>> before: a=10 ,b=6
05-20 13:37:35.847 30579-30579/com.famgy.famgyelfhook E/XHOOK====>> after: a=20 ,b=6    

The call relationship here is: first the hook function is registered through xhook, then the function test_add in hooktest.so is called. This test_add function is in hooktest.so and is called through the JNI method.

But now there is a problem: following the same steps, when I write another hooktest2.so and call the function tt_add in it, as follows

Code:
hook.so

    void (*ori_testadd)(int,int);

    static void my_dohook(JNIEnv* env, jobject obj,jint sync)
    {
        if(sync ==1)
        {
            __android_log_print(ANDROID_LOG_INFO, "XHOOK ====>>  before param ","sync=%d", sync);
            sync =5555;
        }

        __android_log_print(ANDROID_LOG_INFO, "XHOOK ====>>  change param ","sync=%d", sync);
        orii_dohook(env,obj,sync);
    }

    static int register_hook()
    {
        xhook_register(".*/libtest\\.so$", "tt_add", my_test_add,(void**)&ori_testadd);
        xhook_enable_debug(1);
        xhook_refresh(1);
        return 0;
    }

Code of hooktest2.so:

    void tt_add(int a,int b)
    {
        __android_log_print(ANDROID_LOG_DEBUG, "XHOOK_TEST====> ","tt_add>>>>  a=%d , b =%d   c =a+b=%d",a,b,(a+b));
    }

    void Java_itsec_testerxhook_MainActivity_dohooktest(JNIEnv* env, jobject obj,jint sync)
    {
        (void)env;
        (void)obj;

        __android_log_print(ANDROID_LOG_DEBUG, "XHOOK_TEST====> ","Java_itsec_testerxhook_MainActivity_dohooktest >>>> ");

        __android_log_print(ANDROID_LOG_DEBUG, "XHOOK_TEST====> ","Java_itsec_testerxhook_MainActivity_dohooktest >>>>  sync=%d",sync);

        tt_add(10,2);
    }

test2 log is as follows:


05-20 13:18:15.606 29891-29909/itsec.testerxhook I/xhook: init OK: /data/app/itsec.testerxhook-1/lib/arm/libtest.so (REL ELF_HASH PLT:224 DYN:64 ANDROID:0)
    hooking tt_add in /data/app/itsec.testerxhook-1/lib/arm/libtest.so
    found tt_add at symidx: 3 (ELF_HASH)
05-20 13:18:15.606 29891-29909/itsec.testerxhook E/xhook: hooking tt_add in /data/app/itsec.testerxhook-1/lib/arm/libtest.so
    sym not equals ,r_sym=1 ,symidx=3 ,plt: is_plt=1
     
    sym not equals ,r_sym=4 ,symidx=3 ,plt: is_plt=1
     
    sym not equals ,r_sym=13 ,symidx=3 ,plt: is_plt=1
     
    sym not equals ,r_sym=15 ,symidx=3 ,plt: is_plt=1
     
    sym not equals ,r_sym=16 ,symidx=3 ,plt: is_plt=1   

What problem causes this?

Make it work for other process

Hi,
This is great work and works as expected. However, this approach is only able to hook functions in the same process. I am trying to hook native library functions of other processes. Do you have any idea how I can make this framework work with other processes (maybe with root privilege or as a kernel module)?

[Question] The documentation code cannot run on the MuMu emulator

~/repos/xHook/docs/overview/code [master] $ ./run.sh
./main/libs/armeabi-v7a/libtest.so: 1 file pushed. 6.2 MB/s (13728 bytes in 0.002s)
./main/libs/armeabi-v7a/main: 1 file pushed. 7.3 MB/s (13784 bytes in 0.002s)
2 files pushed. 4.3 MB/s (27512 bytes in 0.006s)
/system/bin/sh: /data/local/tmp/main: not executable: 32-bit ELF file

How to hook a C++ method?

I tried to hook a C++ method as follows:
1) Original method:

    bool Exec(std::vector<std::string>& arg_vector, std::string* error_msg) {
      int status = ExecAndReturnCode(arg_vector, error_msg);
      if (status != 0) {
        const std::string command_line(android::base::Join(arg_vector, ' '));
        *error_msg = StringPrintf("Failed execv(%s) because non-0 exit status",
                                  command_line.c_str());
        return false;
      }
      return true;
    }

2) Hook implementation:
2.1) .cpp file:

    bool (*org_Exec)(std::vector<std::string>& arg_vector, std::string* error_msg) = NULL;
    bool hook_Exec(std::vector<std::string>& arg_vector, std::string* error_msg) {
        __android_log_print(ANDROID_LOG_ERROR, "ElvisPreventDex2Oat", "hook_Exec222 false\n");
        return false;
    }
    void *getHookMethod(){
        return (void *)hook_Exec;
    }
    void **getOrgMethod(){
        __android_log_print(ANDROID_LOG_ERROR, "ElvisPreventDex2Oat", "org_Exec : %ld ",(long)org_Exec);
        return (void **)&org_Exec;
    }

2.2) .c file:

    int hook_exec_result = xhook_register(".*\\.so$", "Exec", (void *)getHookMethod(), (void **)getOrgMethod());
    xhook_refresh(0);

But it looks like the hook failed: although hook_exec_result=true, execution never reaches the hook_Exec function.

Could you provide a C++ hook demo?

Hooking android_getaddrinfofornet in libc.so seems not to succeed

Device: Xiaomi Mi 6, Android 8.0.0

Replacing libc.so with libjavacore.so hooks successfully, but that does not solve the WebView DNS resolution problem.

Code:

static int new_android_getaddrinfofornet(const char *hostname, const char *servname,
                                         const struct addrinfo *hints, unsigned netid,
                                         unsigned mark, struct addrinfo **res) {
    log_error("hahahha,wo hook dao l ->android_getaddrinfofornet ");
    log_error("下面是hostname");
    log_error(hostname, "");
    if (hints->ai_flags == AI_NUMERICHOST) {
        if (fp) {
            fp(hostname, servname, hints, netid, mark, res);
        }
    } else {
        const char *ip = getIpByHttpDns(hostname);
        if (ip != NULL) {
            log_error("httpdns 解析成功,直接走IP");
            log_error("下面是ip");
            log_error(ip, "");
            fp(ip, servname, hints, netid, mark, res);
        } else {
            fp(hostname, servname, hints, netid, mark, res);
        }

    }

    return 0;
}

    xhook_register("/system/lib/libc.so", "android_getaddrinfofornet",
                   (void *) new_android_getaddrinfofornet, reinterpret_cast<void **>(&fp));
    xhook_enable_debug(1);
    xhook_refresh(1);

Log:

08-28 14:53:01.919 30014-30014/com.example.guolei.myapplication I/xhook: libxhook 1.1.9 (arm)
08-28 14:53:01.925 30014-30118/com.example.guolei.myapplication I/xhook: init OK: /system/lib/libc.so (REL GNU_HASH PLT:5392 DYN:11968 ANDROID:0)
    hooking android_getaddrinfofornet in /system/lib/libc.so
08-28 14:53:01.932 30014-30118/com.example.guolei.myapplication I/xhook: map refreshed

Viewing the symbols with the greadelf tool:

greadelf -s lib/libc.so| grep 'addrinfo'
    81: 000282e1    84 FUNC    GLOBAL DEFAULT   13 getaddrinfo@@LIBC
   618: 00028335    80 FUNC    GLOBAL DEFAULT   13 android_getaddrinfofornet@@LIBC_PRIVATE
   661: 00028271    30 FUNC    GLOBAL DEFAULT   13 freeaddrinfo@@LIBC
  1480: 00028385  2112 FUNC    GLOBAL DEFAULT   13 android_getaddrinfofornet@@LIBC_PRIVATE
  2253: 00028d99  1148 FUNC    LOCAL  DEFAULT   13 _dns_getaddrinfo
  2254: 00028bc5   468 FUNC    LOCAL  DEFAULT   13 _files_getaddrinfo
  8415: 00028385  2112 FUNC    GLOBAL DEFAULT   13 android_getaddrinfofornet
  8417: 00028271    30 FUNC    GLOBAL DEFAULT   13 freeaddrinfo
  8418: 00028335    80 FUNC    GLOBAL DEFAULT   13 android_getaddrinfofornet
  8420: 000282e1    84 FUNC    GLOBAL DEFAULT   13 getaddrinfo

Both ways of writing the mmap hook give errors

Environment: Android 6.0 x86 emulator

    void *my_mmap(void *start, size_t len, int prot, int flags, int fd, off_t offset){
        LOGD(" [mmap] =========");
        return old_mmap11(start, len, prot, flags, fd, offset);
    }

    xhook_register(".*libc\\.so$", "mmap", (void *)my_mmap, NULL); // first way
    xhook_register("^/system/.*$", "mmap", my_mmap, NULL); // second way
    xhook_refresh(1);

First way

Looking at the log it got there, but it crashed: my_mmap executed, but then it crashed.

Second way

Looking at the log the hook seems to have output, but my_mmap did not actually execute.

Cannot build the related .so libraries on macOS

[armeabi] Compile thumb  : xhook <= xhook.c
[armeabi] Compile thumb  : xhook <= xh_core.c
/Users/hans/GitSpace/xHook/libxhook/jni/xh_core.c: In function 'xh_core_refresh_impl':
/Users/hans/GitSpace/xHook/libxhook/jni/xh_core.c:329:9: error: use of assignment suppression and length modifier together in gnu_scanf format [-Werror=format=]
         if(sscanf(line, "%"PRIxPTR"-%*lx %4s %lx %*x:%*x %*d%n", &base_addr, perm, &offset, &pathname_pos) != 3) continue;
         ^
cc1: all warnings being treated as errors
make: *** [/Users/hans/GitSpace/xHook/libxhook/obj/local/armeabi/objs/xhook/xh_core.o] Error 1
Android NDK: ERROR:/Users/hans/GitSpace/xHook/libbiz/jni/Android.mk:xhook: LOCAL_SRC_FILES points to a missing file    
Android NDK: Check that /Users/hans/GitSpace/xHook/libbiz/jni/../../libxhook/libs/armeabi/libxhook.so exists  or that its path is correct   
/Users/Hans/Library/Android/ndk/android-ndk-r12b/build/core/prebuilt-library.mk:45: *** Android NDK: Aborting    .  Stop.
[armeabi] Compile thumb  : test <= test.c
[armeabi] SharedLibrary  : libtest.so
[armeabi] Install        : libtest.so => libs/armeabi/libtest.so
[armeabi-v7a] Compile thumb  : test <= test.c
[armeabi-v7a] SharedLibrary  : libtest.so
[armeabi-v7a] Install        : libtest.so => libs/armeabi-v7a/libtest.so
[arm64-v8a] Compile        : test <= test.c
[arm64-v8a] SharedLibrary  : libtest.so
[arm64-v8a] Install        : libtest.so => libs/arm64-v8a/libtest.so
[x86] Compile        : test <= test.c
[x86] SharedLibrary  : libtest.so
[x86] Install        : libtest.so => libs/x86/libtest.so
[x86_64] Compile        : test <= test.c
[x86_64] SharedLibrary  : libtest.so
[x86_64] Install        : libtest.so => libs/x86_64/libtest.so

Questions about gnu hash and dl_iterate_phdr

  1. The gnu hash lookup method seems to match https://flapenguin.me/2017/05/10/elf-lookup-dt-gnu-hash/.
     It differs slightly from the linker's, although the result is of course the same.
     linker version: https://github.com/aosp-mirror/platform_bionic/blob/master/linker/linker_soinfo.cpp#L183-L250

A related question: during the plt lookup, basically two traversals are needed.
One is when the gnu hash does not contain the symbol and the undef symbols have to be traversed; the other is traversing the plt directly.
Personally I think there is no need to traverse the undef hash; traversing the plt directly is enough.
The current implementation may be a bit friendlier to elf hash.

  2. Is there a plan to rewrite it using dl_iterate_phdr?
     After all, Android below 4.x is becoming rarer, and with dl_iterate_phdr the work might be much easier.
     I tried using dl_iterate_phdr to check whether something has been hooked and found it fairly simple.
     While using dl_iterate_phdr, I found that it can partly replace dlsym directly, and can fully replace the public methods the system has hidden.

Found a bug: only a single PAGESIZE can be modified

In xh_util.c:

    #define PAGE_START(addr) ((addr)&PAGE_MASK)
    #define PAGE_END(addr) (PAGE_START(addr + sizeof(uintptr_t) - 1) + PAGE_SIZE)

The original:

    #define PAGE_COVER(addr) (PAGE_END(addr) - PAGE_START(addr))

My fix:

    #define PAGE_COVER(saddr,eaddr) (PAGE_END(eaddr) - PAGE_START(saddr))

Both the xh_util_flush_instruction_cache function and the xh_util_set_addr_protect function need to be changed.
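The page-coverage difference this issue reports, as an added C example that is not xhook's code: the original single-address PAGE_COVER and the poster's range form side by side, applied to a constructed pair of GOT slot addresses (0x7f000ff8 and 0x7f001010) that straddle a 4 KiB page boundary, with a check of whether a protection change of the computed length actually reaches the last slot. The 4 KiB page size and the XPAGE_*, cover_* and demo_* names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Page geometry assumed for the example: 4 KiB pages, as on the ARM devices
 * in the issue. Real code would take PAGE_SIZE from the platform headers. */
#define XPAGE_SIZE        4096u
#define XPAGE_MASK        (~(uintptr_t)(XPAGE_SIZE - 1))
#define PAGE_START(addr)  ((addr) & XPAGE_MASK)
#define PAGE_END(addr)    (PAGE_START((addr) + sizeof(uintptr_t) - 1) + XPAGE_SIZE)

/* The original macro from the issue: only the page(s) holding one pointer. */
#define PAGE_COVER_ONE(addr)            (PAGE_END(addr) - PAGE_START(addr))
/* The poster's fix: every page from saddr up to the pointer stored at eaddr. */
#define PAGE_COVER_RANGE(saddr, eaddr)  (PAGE_END(eaddr) - PAGE_START(saddr))

/* Length an mprotect()/cache-flush call gets when only saddr is considered. */
size_t cover_single(uintptr_t saddr)
{
    return PAGE_COVER_ONE(saddr);
}

/* Length when the whole run of GOT slots [saddr, eaddr] is considered. */
size_t cover_range(uintptr_t saddr, uintptr_t eaddr)
{
    return PAGE_COVER_RANGE(saddr, eaddr);
}

/* 1 when a protection change of len bytes starting at PAGE_START(saddr)
 * actually reaches the pointer-sized slot at eaddr, else 0. */
int range_is_covered(uintptr_t saddr, uintptr_t eaddr, size_t len)
{
    uintptr_t base = PAGE_START(saddr);
    return eaddr + sizeof(uintptr_t) <= base + len;
}

/* Constructed scenario: the GOT slots to rewrite start near the end of one
 * page (0x7f000ff8) and end in the next page (0x7f001010). */
#define DEMO_SADDR  ((uintptr_t)0x7f000ff8u)
#define DEMO_EADDR  ((uintptr_t)0x7f001010u)

/* 1 if the single-address macro leaves part of the range unprotected,
 * which is the bug the issue reports. */
int demo_single_address_is_short(void)
{
    return !range_is_covered(DEMO_SADDR, DEMO_EADDR, cover_single(DEMO_SADDR));
}

/* 1 if the range form covers both pages touched by the slots. */
int demo_range_is_complete(void)
{
    return range_is_covered(DEMO_SADDR, DEMO_EADDR, cover_range(DEMO_SADDR, DEMO_EADDR));
}
```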

A question about hooking system .so files

If a native program calls libc's open function directly, without going through any other .so, can that call to open still be hooked? My understanding is that it cannot; is that understanding wrong? Please advise.

I hook libc.so but it can't work

I want to hook "open" and "close", but "open" can't work and "close" executes in a loop.

    public void copyFile(String oldPath, String newPath) {
        try {
            int bytesum = 0;
            int byteread = 0;
            File oldfile = new File(oldPath);
            if (oldfile.exists()) {
                InputStream inStream = new FileInputStream(oldPath);
                FileOutputStream fs = new FileOutputStream(newPath);
                byte[] buffer = new byte[1444];
                int length;
                while ( (byteread = inStream.read(buffer)) != -1) {
                    bytesum += byteread;
                    fs.write(buffer, 0, byteread);
                }
                inStream.close();
                fs.close();
            }
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
