Comments (11)
Yes, it may require more room if there are too many pc-relative instructions (e.g, mixed adr/adrp) that need to be relocated and aligned.
I will fix it as soon as possible, thanks.
from andhook.
Update: same device, more functions
03-30 18:41:09.062 30170 30170 I AndHook : hooking execv
03-30 18:41:09.062 30170 30170 E AndHook : rwx size is too small to hold 80 bytes backup instructions!
03-30 18:41:09.062 30170 30170 I AndHook : hooking execve
03-30 18:41:09.062 30170 30170 E AndHook : rwx size is too small to hold 88 bytes backup instructions!
from andhook.
After inspecting the attached libc.so
, it seems that the functions I'm trying to hook are just thin wrappers around syscalls/other functions:
So I am guessing the errors are caused by AndHook
stepping on itself since it has no room to write its hooking code for each function.
I'm really not sure what can be done here...
from andhook.
Hi, @axnsan12, I have just released the v3.5.0, could you have a try?
from andhook.
Hello and thanks a lot! Will have a look in a day or two 😄
from andhook.
So I tried it, and I have both good and bad news.
Good news is the original error doesn't happen any more and I can hook adjacent functions without crashing the program when they're called! Yay! 😄
Bad news is that I now sometimes see crashes when calling the original function. For example, if I hook only execve
, and then call
if (fork() == 0) {
system("ps");
}
I can actually see my hook function being executed, and log its arguments:
execve: /sbin/ps ps PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/system/framework/WfdCommon.jar:/system/framework/oem-services.jar:/system/framework/qcom.fmradio.jar:/system/framework/qcnvitems.jar:/system/framework/qcrilhook.jar:/system/framework/com.qti.snapdragon.sdk.display.jar SYSTEMSERVERCLASSPATH=/system/framework/services.jar:/system/framework/ethernet-service.jar:/system/framework/wifi-service.jar ANDROID_SOCKET_zygote=9 CLASSPATH=/system/framework/XposedBridge.jar
However as soon as I try to execute the original function, the process crashes:
04-03 15:42:32.220 2902-2902/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-03 15:42:32.220 2902-2902/? A/DEBUG: Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:8.0.0/OPR6.170623.013/01202200:user/release-keys'
04-03 15:42:32.220 2902-2902/? A/DEBUG: Revision: '0'
04-03 15:42:32.220 2902-2902/? A/DEBUG: ABI: 'arm64'
04-03 15:42:32.220 2902-2902/? A/DEBUG: pid: 2896, tid: 2896, name: <package.name> >>> <package.name> <<<
04-03 15:42:32.220 2902-2902/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7c9b3e7000
04-03 15:42:32.220 2902-2902/? A/DEBUG: x0 0000007cbc02ec47 x1 0000007fceab0a30 x2 0000007cba834e30 x3 0000000000000019
04-03 15:42:32.220 2902-2902/? A/DEBUG: x4 0000000000000086 x5 0000000000000000 x6 0000000000000000 x7 0000000000800000
04-03 15:42:32.220 2902-2902/? A/DEBUG: x8 0000007c9b7421b8 x9 b4adc4862297e4b0 x10 0000000000000086 x11 0000000000000000
04-03 15:42:32.220 2902-2902/? A/DEBUG: x12 0000000000000000 x13 0000007fceab0340 x14 0000007fceab03c8 x15 0000d7a959be9ea9
04-03 15:42:32.220 2902-2902/? A/DEBUG: x16 0000007cbc057cb0 x17 0000007cbbff5f2c x18 0000000000000020 x19 0000000000000000
04-03 15:42:32.220 2902-2902/? A/DEBUG: x20 0000007cba5fac00 x21 0000007cba8bfa00 x22 0000007fceab1038 x23 0000007c9ce36915
04-03 15:42:32.220 2902-2902/? A/DEBUG: x24 0000000000000004 x25 0000007cba8bfa98 x26 0000007c9c83c0e0 x27 0000000070236658
04-03 15:42:32.220 2902-2902/? A/DEBUG: x28 0000000000000001 x29 0000007fceab0a10 x30 0000007c9b69d94c
04-03 15:42:32.220 2902-2902/? A/DEBUG: sp 0000007fceab09f0 pc 0000007c9b3e7000 pstate 0000000060000000
04-03 15:42:32.222 2902-2902/? A/DEBUG: backtrace:
04-03 15:42:32.222 2902-2902/? A/DEBUG: #00 pc 00000000007ee000 anon_inode:dmabuf
04-03 15:42:32.222 2902-2902/? A/DEBUG: #01 pc 0000000000016948 /data/data/<package.name>/cache/lib/myjnilib.so (deleted)
04-03 15:42:32.222 2902-2902/? A/DEBUG: #02 pc 0000000000000ac4 /system/lib64/libc.so (offset 0x64000)
The same test worked on the previous version.
from andhook.
Thanks for Your Feedback!
That is, it crashes at calling the original execve
randomly? What about doing this in the parent process? If there is something wrong with instruction relocation, it should crash every time.
from andhook.
It crashes only for execve
(out of the functions I tried hooking), every time.
For example, here is a sample program where I hooked fork
, vfork
, system
and execve
.
system("pwd");
if (fork() == 0) {
AKLog("child");
char *argv[] = {NULL};
execv("su", argv);
AKLog("exec failed... %d", errno);
exit(1);
}
else {
AKLog("parent");
char *argv[] = {NULL};
execv("lsof", argv);
AKLog("exec failed... %d", errno);
exit(1);
}
You can see that the fork
and system
hooks sucesfully call their original functions, while execve
crashes in every situation. I also tried making the execve
hook into a no-op that just calls the original function, to make sure it is not my code that segfaults. Removing all hooks except execve
also does not fix the issue.
The same code with the same hooks executes sucesfully with the old version of the library.
Here is the log, annotated with my comments on the right
04-03 19:56:22.865 18201-18201/[package.name] I/AndHook: system: pwd<--------- hook of system() prints its arguments
04-03 19:56:22.865 18201-18201/[package.name] I/AndHook: vfork called - calling fork() instead <-------------- I hooked vfork() to call fork instead - without this, everything crashes and burns because of vfork's weird address space sharing
04-03 19:56:22.874 18201-18201/[package.name] I/AndHook: fork child pid: 18608, parent pid: 18201 <--------- system() calls fork => child 18608
04-03 19:56:22.888 18608-18608/? I/AndHook: execve: /system/bin/sh sh -c pwd PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/tel <----------------------- system() cals execve() in child; execve() hook in logs its arguments
04-03 19:56:22.888 18608-18608/? I/AndHook: file open w: /data/user/0/[package.name]/execve-18608-0
04-03 19:56:22.892 18608-18608/? A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18608 ([package.name]) <------------ child 18608 started by system() crashes
04-03 19:56:22.938 464-464/? W/auditd: type=1400 "crash_dump64""[package.name]""dm-0"
04-03 19:56:22.971 18612-18612/? A/DEBUG: pid: 18608, tid: 18608, name: [package.name] >>> [package.name] <<<
04-03 19:56:22.973 18612-18612/? A/DEBUG: #01 pc 0000000000016714 /data/data/[package.name]/cache/lib/myjnilib.so (deleted)
04-03 19:56:23.265 18201-18201/[package.name] I/AndHook: fork called
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: fork child pid: 18613, parent pid: 18201 <-------- fork() called in parent => child 18613
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: parent <------ parent branch executes execv("lsof")
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: execve: lsof PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/syst <---------------- execv() calls execve(), execve() hook prints arguments
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: file open w: /data/user/0/[package.name]/execve-18201-0
04-03 19:56:23.275 18201-18201/[package.name] A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18201 ([package.name]) <--------- parent process crashes
04-03 19:56:23.295 18613-18613/? I/AndHook: child <-------- child branch of fork, calls execv("su")
04-03 19:56:23.295 18613-18613/? I/AndHook: execve: su PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/system <--------------- execve() hook in child logs
04-03 19:56:23.295 18613-18613/? I/AndHook: file open w: /data/user/0/[package.name]/execve-18613-0
04-03 19:56:23.296 18613-18613/? A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18613 ([package.name]) <------- child 18613 crashes
from andhook.
It seems that the crash happened only with Android 8.0 and was caused simply by a misspelling, sorry for the inconvenience.
Please have a try with andhook-lib-3.5.0-r1.zip, thanks!
from andhook.
Yep, seems to be working now!
And thank YOU, you're doing this for free 😄
from andhook.
Well I'm pleased to hear that😄. Close it.
from andhook.
Related Issues (20)
- 虚拟机崩溃
- zygote AKInitializeOnce失败 HOT 2
- How to install andhook? HOT 1
- NoSuchMethodError getPackageInfo
- hook libc.so clock_gettime 闪退
- 如何hook微信方法?
- 寻求andhook 二次开发
- 混淆proguard咋写
- When does this tool support android Q?
- 如何在andhook的app程序里hook另一个app里的方法? HOT 1
- andhook crash when arm64 app
- 在Android9.0上直接崩溃,请问有支持Android9.0的计划么
- hook fun getPackageName inoperative
- hook fun getPackageName inoperative
- How to hook events?
- proc/$pid/mem HOT 1
- I got error
- crashing on 64 bit
- How to use in cmake
- 請問一下程式的用途
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from andhook.