Comments (13)
To handle compatibility, you need to hook: open, __open_real, __open_2.
You can refer to bytehook's sample app: https://github.com/bytedance/bhook/blob/main/bytehook_sample/src/main/cpp/hacker.c#L152
from bhook.
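I re-tested and you are right: I had indeed mixed up several devices.
Android 9 goes through libopenjdk.so, and Android 10 goes through libjavacore.so.
Sorry that my debugging mistake forced a round of overtime on you 😀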
from bhook.
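You have misunderstood; I had already tried all of that before, and it does not work.
This may be a bug. My previous comment simplified the symptom and was not specific enough.
__open_real is no longer used after API 17, so _open_real should not be in use on Android 9.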
#if ANDROID_API >= 17 && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
return __open_2(pathname, flags);
#else
return __open_real(pathname, flags);
#endif
Besides open, functions such as stat also cannot be hooked on Android 9; surprisingly, read can be.
from bhook.
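It should also be made clear that hooking a .so library you wrote yourself does not have this problem. So far the only case found is that open in libcore_io_Linux.cpp, in the libjavacore.so library on Android 9, cannot be hooked.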
from bhook.
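- You can decompile the hooked .so and look at which function is ultimately called at the corresponding place in the source, and how it is called.
- You can debug dynamically to confirm that the program flow really reaches the place you expect.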
from bhook.
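Hello, what follows may not be entirely correct, but the general direction should be about right. Following your suggestion I decompiled libjavacore.so, and the open function is indeed there.
On Android 9, when the Java-layer FileInputStream class is instantiated it opens the file,
calling libcore.io.IoBridge.open(String path, int flags),
which in turn calls the native method libcore.io.Linux.open(String path, int flags, int mode),
and then enters Linux_open(JNIEnv* env, jobject, jstring javaPath, jint flags, jint mode) in libcore_io_Linux.cpp of the underlying libjavacore.so.
I verified with xhook: hooking open in libjavacore.so prints the information, which also shows that the open function is in this .so.
But with bhook, although it hooked, nothing is printed, so it probably was not actually hooked.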
from bhook.
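Hello, what follows may not be entirely correct, but the general direction should be about right. Following your suggestion I decompiled libjavacore.so, and the open function is indeed there.
On Android 9, when the Java-layer FileInputStream class is instantiated it opens the file, calling libcore.io.IoBridge.open(String path, int flags), which in turn calls the native method libcore.io.Linux.open(String path, int flags, int mode), and then enters Linux_open(JNIEnv* env, jobject, jstring javaPath, jint flags, jint mode) in libcore_io_Linux.cpp of the underlying libjavacore.so.
I verified with xhook: hooking open in libjavacore.so prints the information, which also shows that the open function is in this .so. But with bhook, although it hooked, nothing is printed, so it probably was not actually hooked.
Got it, thanks for the feedback. I will debug it...
May I ask what model your Android 9 device is?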
from bhook.
Hello, the two devices I am using are:
HUAWEI Mate9, model: MHA-AL00, version: 9.1.0.231;
HUAWEI MediaPad M5 lite 10, model: BAH2-AL10, version: 9.1.0.170;
from bhook.
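@LeeKasm I tried it on the "HUAWEI Mate9, model: MHA-AL00": both bhook and xhook succeed in hooking open in libjavacore.so, but when the Java layer runs the FileInputStream logic you posted, neither reaches the proxy function. You can confirm this again with xhook.
Also, can you debug dynamically to confirm that the FileInputStream flow really reaches open? You can confirm with an inline hook, or directly with a tool such as frida.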
from bhook.
Android-layer test code:
File file = new File("/storage/emulated/0/1.txt");
try {
    FileInputStream fileInputStream = new FileInputStream(file);
    byte[] buf = new byte[(int) file.length()];
    fileInputStream.read(buf);
    fileInputStream.close();
} catch (IOException e) {
    e.printStackTrace();
}
C-layer hook code:
bytehook_hook_single("libjavacore.so", NULL, "open", open_proxy, open_hooked_callback, NULL);
bytehook_hook_single("libjavacore.so", NULL, "stat", stat_proxy, stat_hooked_callback, NULL);
bytehook_hook_single("libjavacore.so", NULL, "read", read_proxy_auto, read_hooked_callback, NULL);
The callback on Android 9 shows that the hook succeeded.
bytehook_tag: >>>>> hooked. stub: c6b93ac0, status: 0, caller_path_name: /system/lib/libjavacore.so, sym_name: open, new_func: c5e08ebd, prev_func: e756aefd, arg: 0
The callback on Android 10 is similar.
bytehook_tag: >>>>> hooked. stub: ba5d3480, status: 0, caller_path_name: /apex/com.android.runtime/lib/libjavacore.so, sym_name: open, new_func: c04afebd, prev_func: edaa2299, arg: 0
But in actual testing, with a log print at the entry of open, only the Android 10 device responds.
LOG("open hooked path(\"%s\")", pathname);
@LeeKasm May I ask whether you could share your code for hooking read and write~ I am a C beginner and would like to use it as a reference
from bhook.
bytehook_hook_single("libjavacore.so", NULL, "read", (void *) my_read, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "pread64", (void *) my_pread64, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "readv", (void *) my_readv, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "write", (void *) my_write, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "pwrite64", (void *) my_pwrite64, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "writev", (void *) my_writev, NULL, NULL);
from bhook.
bytehook_hook_single("libjavacore.so", NULL, "read", (void *) my_read, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "pread64", (void *) my_pread64, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "readv", (void *) my_readv, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "write", (void *) my_write, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "pwrite64", (void *) my_pwrite64, NULL, NULL);
bytehook_hook_single("libjavacore.so", NULL, "writev", (void *) my_writev, NULL, NULL);
Thank you!!!
from bhook.
To handle compatibility, you need to hook: open, __open_real, __open_2. You can refer to bytehook's sample app: https://github.com/bytedance/bhook/blob/main/bytehook_sample/src/main/cpp/hacker.c#L152
Recently I found that in C, open(path, O_RDONLY);
triggers open2 or open_real; hooking only open indeed fails to intercept it.
from bhook.
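Added example (not part of the thread and not bhook code): a Python script that statically lists which of the symbols named in this thread (`open`, `__open_2`, `__open_real`) a library imports in `.dynsym`, as one way to do the "inspect the hooked .so" check suggested above before choosing hook names. `imported_symbols`, `hook_targets` and `build_sample` are hypothetical names; it assumes a little-endian ELF that still carries its section headers, and the sample image is constructed.

```python
import struct

SHT_DYNSYM, SHN_UNDEF = 11, 0
OPEN_FAMILY = ("open", "__open_2", "__open_real")  # names taken from the thread

def imported_symbols(elf: bytes) -> set:
    """Undefined (imported) .dynsym names of a little-endian ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = elf[4] == 2
    shoff = struct.unpack_from("<Q" if is64 else "<I", elf, 0x28 if is64 else 0x20)[0]
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A if is64 else 0x2E)

    def section(i):  # -> (sh_type, sh_offset, sh_size, sh_link, sh_entsize)
        f = struct.unpack_from("<IIQQQQIIQQ" if is64 else "<10I", elf, shoff + i * shentsize)
        return f[1], f[4], f[5], f[6], f[9]

    names = set()
    for i in range(shnum):
        sh_type, off, size, link, entsize = section(i)
        if sh_type != SHT_DYNSYM or entsize == 0:
            continue
        stroff = section(link)[1]  # linked string table (.dynstr)
        for pos in range(off, off + size, entsize):
            # st_name is first in both layouts; st_shndx is at +6 (ELF64) or +14 (ELF32)
            st_name = struct.unpack_from("<I", elf, pos)[0]
            shndx = struct.unpack_from("<H", elf, pos + (6 if is64 else 14))[0]
            if shndx == SHN_UNDEF and st_name:
                end = elf.index(b"\0", stroff + st_name)
                names.add(elf[stroff + st_name:end].decode())
    return names

def hook_targets(elf: bytes) -> list:
    """Open-family symbols this library really imports, i.e. the names a PLT hook can match."""
    return sorted(imported_symbols(elf) & set(OPEN_FAMILY))

def build_sample(imports) -> bytes:
    """Constructed minimal ELF32 (ARM) image importing `imports`; sample input only."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in imports)
    syms, name_off = bytes(16), 1  # entry 0 is the mandatory null symbol
    for n in imports:
        syms += struct.pack("<IIIBBH", name_off, 0, 0, 0x12, 0, SHN_UNDEF)
        name_off += len(n) + 1
    shoff = 52 + len(syms) + len(strtab)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 40, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    shdrs = bytes(40) + struct.pack("<10I", 0, SHT_DYNSYM, 0, 0, 52, len(syms), 2, 1, 4, 16)
    shdrs += struct.pack("<10I", 0, 3, 0, 0, 52 + len(syms), len(strtab), 0, 0, 1, 0)
    return ehdr + syms + strtab + shdrs
```

On a real device library, pass the file's bytes to `hook_targets`; an empty result means none of the three names is imported, so a PLT hook on any of them in that library has no slot to match.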