
Android hook so function


 // Enumerate the import table of 1.so: one entry per imported symbol
 const importEntries = Module.enumerateImports("1.so");
 for (const entry of importEntries) {
     // full record first, then the short "name address" form
     console.log(JSON.stringify(entry));
     console.log(`${entry.name} ${entry.address}`);
 }

 // Enumerate the export table of 1.so and print "name address" per export
 const exportEntries = Module.enumerateExports("1.so");
 for (const entry of exportEntries) {
     console.log(`${entry.name} ${entry.address}`);
 }

 // Enumerate the symbol table of 1.so and print "name address" per symbol
 const symbolEntries = Module.enumerateSymbols("1.so");
 for (const entry of symbolEntries) {
     console.log(`${entry.name} ${entry.address}`);
 }

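 // Enumerate the modules loaded in the process and show the first export of the first one.
 // Guarded so an empty module list or a module without exports does not print "undefined".
 const loadedModules = Process.enumerateModules();
 const firstModuleExports = loadedModules.length > 0 ? loadedModules[0].enumerateExports() : [];
 if (firstModuleExports.length === 0) {
     console.log("first loaded module has no exports");
 } else {
     console.log(JSON.stringify(firstModuleExports[0]));
 }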

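 // Hook an exported function by name.
 // findExportByName returns null when the export is missing; Interceptor.attach(null)
 // would fail with a far less helpful error, so report the missing export up front.
 const exportAddr = Module.findExportByName("1.so", "your_func_name");
 console.log(exportAddr);
 if (exportAddr === null) {
     throw new Error("export your_func_name not found in 1.so");
 }
 Interceptor.attach(exportAddr, {
     onEnter(args) {
         // args[1] is assumed to be a readable pointer — hexdump throws if it is not
         console.log("funcAddr onEnter args[1]: ", hexdump(args[1]));
         console.log("funcAddr onEnter args[2]: ", args[2].toInt32());
         // keep args[3] on the invocation context so onLeave can inspect it after the call
         this.args3 = args[3];
     },
     onLeave(retval) {
         console.log("funcAddr onLeave args[3]: ", hexdump(this.args3));
     },
 });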

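 // Several ways to obtain the base address of the so.
 // 1) findModuleByName returns null when the module is not loaded; guard before reading .base.
 const foundModule = Process.findModuleByName("1.so");
 console.log(JSON.stringify(foundModule));
 if (foundModule === null) {
     console.log("module1 not loaded: 1.so");
 } else {
     console.log("module1", foundModule.base);
 }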

 // 2) getModuleByName — the get* variant raises instead of returning null when absent
 const namedModule = Process.getModuleByName("1.so");
 console.log("module2", namedModule.base);

 // 3) findBaseAddress gives the base directly (null if the so is not loaded)
 const baseAddr = Module.findBaseAddress("1.so");
 console.log("soAddr", baseAddr);

 // 4) walk the loaded-module list and match on name
 const allModules = Process.enumerateModules();
 for (const loaded of allModules) {
     if (loaded.name === "1.so") {
         console.log(`${loaded.name} ${loaded.base}`);
     }
 }

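 // 5) resolve the module from its base address; findBaseAddress yields null when the
 //    so is not loaded, and findModuleByAddress(null) would throw, so check first.
 const lookupBase = Module.findBaseAddress("1.so");
 const moduleByAddr = lookupBase === null ? null : Process.findModuleByAddress(lookupBase);
 if (moduleByAddr === null) {
     console.log("module not found for 1.so");
 } else {
     console.log(`module ${moduleByAddr.name} ${moduleByAddr.base}`);
 }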

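 // Hook an arbitrary address: base of the so plus the function's offset.
 // The offset 0x1234 is a placeholder for the real offset taken from the disassembler.
 const hookBase = Module.findBaseAddress("1.so");
 // ptr() converts a plain number into a NativePointer, shown here with a sample base value.
 // A literal base is only meaningful for the process it was read from; use findBaseAddress.
 const sampleBase = 0x77ab999000;
 console.log(ptr(sampleBase).add(0x1234));

 // findBaseAddress returns null when the so is not loaded; .add on null would throw
 if (hookBase === null) {
     throw new Error("1.so is not loaded");
 }
 const hookTarget = hookBase.add(0x1234);
 Interceptor.attach(hookTarget, {
     onEnter(args) {
         // args[1] is assumed to be a readable pointer — hexdump throws if it is not
         console.log("funcAddr onEnter args[1]: ", hexdump(args[1]));
         console.log("funcAddr onEnter args[2]: ", args[2].toInt32());
         // keep args[3] on the invocation context so onLeave can inspect it after the call
         this.args3 = args[3];
     },
     onLeave(retval) {
         console.log("funcAddr onLeave args[3]: ", hexdump(this.args3));
     },
 });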

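 // Dead-simple so hook: dump every argument on entry and exit.
/**
 * Render one hook argument for logging.
 * If the value points into a mapped range that is readable it is hex-dumped; otherwise
 * (small integers, unmapped or unreadable addresses) only its pointer value is printed.
 * @param {NativePointer} addr - argument or return value as seen by Interceptor
 * @returns {string} one log fragment terminated by "\n"
 */
function print_arg(addr) {
    const range = Process.findRangeByAddress(addr);
    // hexdump reads memory, so only do it when the range is mapped with read permission;
    // a mapped but unreadable range would otherwise fault inside the hook
    if (range !== null && range.protection.includes("r")) return hexdump(addr) + "\n";
    return ptr(addr) + "\n";
}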
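/**
 * Attach to a native function and log every argument on entry and exit plus the return value.
 * @param {NativePointer} funcPtr - address of the function to hook
 * @param {number} paramsNum - how many arguments (args[0..paramsNum-1]) to capture
 * @throws {Error} when funcPtr is not inside any loaded module
 */
function hook_native_addr(funcPtr, paramsNum) {
    const owner = Process.findModuleByAddress(funcPtr);
    // findModuleByAddress returns null for addresses outside every module; fail here
    // instead of throwing on owner.name inside onEnter at the first call.
    if (owner === null) {
        throw new Error(`hook_native_addr: ${ptr(funcPtr)} is not inside a loaded module`);
    }
    // the module-relative offset does not change for the lifetime of the hook; build it once
    const location = `call ${owner.name}||${ptr(funcPtr).sub(owner.base)}\n`;
    Interceptor.attach(funcPtr, {
        onEnter(args) {
            this.logs = [location];
            // keep the raw argument pointers so onLeave can show what the callee wrote through them
            this.params = [];
            for (let i = 0; i < paramsNum; i++) {
                this.params.push(args[i]);
                this.logs.push(`this.args${i} onEnter: ${print_arg(args[i])}`);
            }
        },
        onLeave(retval) {
            for (let i = 0; i < paramsNum; i++) {
                this.logs.push(`this.args${i} onLeave: ${print_arg(this.params[i])}`);
            }
            this.logs.push(`retval onLeave: ${print_arg(retval)}\n`);
            console.log(this.logs);
        },
    });
}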

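// Example: hook the function at offset 0x1234 inside 1.so and capture its first two arguments.
// findBaseAddress returns null when the so is not loaded; .add on null would throw.
const libBase = Module.findBaseAddress("1.so");
if (libBase === null) {
    throw new Error("1.so is not loaded");
}
hook_native_addr(libBase.add(0x1234), 2);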

From: https://www.cnblogs.com/longtou/p/17041288.html
