lasting-yang / frida_hook_libart
Frida hook some jni functions
License: MIT License
In commit c42bb2e0beb00f51b13a9482641fbeda0e2c4dba the fnOffset change from the previous commit was reverted:
" fnOffset:", ptr(fnPtr_ptr).sub(find_module.base)
Now:
" fnOffset:", symbol,
Native code calls JNI functions far too often; consider adding a filter mechanism to reduce the log size.
I would like it to print which class is being registered.
Suggestion: add a parameter specifying a .so name, walk the stack, and only log when a return address falls within that .so's code segment.
[RegisterNatives] method_count: 0x1
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
[RegisterNatives] method_count: 0xc
[RegisterNatives] method_count: 0x9
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
Is this error caused by the emulator?
360 Jiagu (360加固) implements its own linker-like .so loading, so a .so loaded that way is not recognised as a module and find_module is null.
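The two points raised above (a null module crashing the hook, and filtering on the caller's .so) can be handled together. This is an added example, not code from lasting-yang/frida_hook_libart; it assumes the Frida 16 API (Process, Module, Interceptor, Thread, Backtracer globals) and that art::JNI::RegisterNatives is present in libart's symbol table under the mangled prefix shown.

```javascript
// Added example, not code from lasting-yang/frida_hook_libart: a RegisterNatives
// hook that does not throw when the .so came from a packer's private loader (no
// Module, hence "cannot read property 'base' of null" above) and that can limit
// logging to registrations called from one chosen .so. Pure helpers use BigInt
// addresses and lookup callbacks so they run in plain Node; installHook() binds
// them to Frida's globals (assumed Frida 16 API) and only runs under Frida.
// Resolve addr to "lib!0xoff"; fall back to the mapped range, then to raw hex.
function describeAddress(addr, findModule, findRange) {
  const m = findModule(addr);                              // {name, base} or null
  if (m !== null) return `${m.name}!0x${(addr - m.base).toString(16)}`;
  const r = findRange(addr);                               // {base, path} or null
  if (r !== null) {
    const tag = r.path ? r.path.split('/').pop() : 'anon';   // file-backed or anonymous map
    return `${tag}[0x${r.base.toString(16)}]+0x${(addr - r.base).toString(16)}`;
  }
  return `0x${addr.toString(16)} (not mapped)`;
}

// True when any return address in the backtrace lies inside module soName.
function calledFromModule(backtrace, soName, findModule) {
  return backtrace.some(a => { const m = findModule(a); return m !== null && m.name === soName; });
}

function installHook(onlyFromSo) {
  const toBig = p => BigInt(p.toString()), toPtr = a => ptr('0x' + a.toString(16));
  const findModule = a => { const m = Process.findModuleByAddress(toPtr(a));
    return m ? { name: m.name, base: toBig(m.base) } : null; };
  const findRange = a => { const r = Process.findRangeByAddress(toPtr(a));
    return r ? { base: toBig(r.base), path: r.file ? r.file.path : null } : null; };
  // Assumption: art::JNI::RegisterNatives is in libart's symbol table under this mangled prefix.
  const sym = Process.getModuleByName('libart.so').enumerateSymbols()
    .find(s => s.name.startsWith('_ZN3art3JNI') && s.name.includes('RegisterNatives'));
  Interceptor.attach(sym.address, {
    onEnter(args) {
      const bt = Thread.backtrace(this.context, Backtracer.ACCURATE).map(toBig);
      if (onlyFromSo !== null && !calledFromModule(bt, onlyFromSo, findModule)) return;
      const caller = bt.length ? describeAddress(bt[0], findModule, findRange) : '?';
      const methods = args[2], count = args[3].toInt32(), ps = Process.pointerSize;
      for (let i = 0; i < count; i++) {
        const rec = methods.add(i * 3 * ps);                 // JNINativeMethod {name, signature, fnPtr}
        const name = rec.readPointer().readCString(), sig = rec.add(ps).readPointer().readCString();
        const fn = describeAddress(toBig(rec.add(2 * ps).readPointer()), findModule, findRange);
        console.log(`[RegisterNatives] ${name} ${sig} fnPtr: ${fn} caller: ${caller}`);
      }
    }
  });
}

if (typeof Interceptor !== 'undefined') installHook(null);   // under Frida: log every registration
```

Pass a .so name such as 'libDexHelper.so' to installHook() to keep only registrations whose backtrace passes through that library.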
Device: Pixel 3
System: Android 11
Other: Magisk installed and rooted, LSPosed installed
Ran frida -U --no-pause -f com.ss.android.ugc.aweme -l hook_RegisterNatives.js
Only two lines of registration addresses are printed:
RegisterNatives is at ···
RegisterNatives is at ···
After switching to an Android 8 phone it works normally.
frida -U --no-pause -f com.cubic.xxx -l hook_RegisterNatives.js
It reports the following problem; what is the cause?
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: b sig: (Landroid/content/Context;Landroid/app/Application;)V fnPtr: 0xcec98a15 fnOffset: 0xcec98a15 libDexHelper.so!0x17a15 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: c sig: ()V fnPtr: 0xcec9aa65 fnOffset: 0xcec9aa65 libDexHelper.so!0x19a65 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: d sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xceca0639 fnOffset: 0xceca0639 libDexHelper.so!0x1f639 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: e sig: (Ljava/lang/Object;Ljava/util/List;Ljava/lang/String;)[Ljava/lang/Object; fnPtr: 0xceca1175 fnOffset: 0xceca1175 libDexHelper.so!0x20175 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: bb sig: (Landroid/content/Context;Landroid/app/Application;Landroid/app/Application;)V fnPtr: 0xcec98dfd fnOffset: 0xcec98dfd libDexHelper.so!0x17dfd callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: o sig: (Landroid/content/Context;)I fnPtr: 0xceca960d fnOffset: 0xceca960d libDexHelper.so!0x2860d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: p sig: ()V fnPtr: 0xcec9383d fnOffset: 0xcec9383d libDexHelper.so!0x1283d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: q sig: ()I fnPtr: 0xcec96e5d fnOffset: 0xcec96e5d libDexHelper.so!0x15e5d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: mu sig: ()I fnPtr: 0xcec96f5d fnOffset: 0xcec96f5d libDexHelper.so!0x15f5d callee: 0xcec986f3 libDexHelper.so!0x176f3
Process crashed: Trace/BPT trap
Using hook_art.js gives this error: Failed to load script: script(line 2): SyntaxError: parse error
wxxdeMacBook-Pro:frida_hook_libart-master wxx$ frida -U -f com.xingin.xhs -l hook_art.js
____
/ _ | Frida 15.1.23 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to ONEPLUS A3010 (id=f3f66c2c)
Failed to spawn: command failed: 99
frida -U -f com.app --pause --exit-on-error --kill-on-exit -l .\hook_artmethod.js
____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to SM-G960N (id=127.0.0.1:5565)
Spawning `com.app`...
android_dlopen_ext: 0xc7f2d8f0 dlopen: 0xc7f2d9f0
_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc
...
...
...
ArtMethod Invoke:sun.nio.ch.FileChannelImpl.write called from:
0xc32a85b7 libart.so!_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0x127
0xc32a0458 libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x268
0xc36082af libart.so!MterpInvokeVirtual+0x2cf
0xc30869a2 libart.so!ExecuteMterpImpl+0x37a2
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/android_x86/x86:7.1.2/N2G48B/327:user/release-keys'
Revision: '0'
ABI: 'x86'
pid: 3574, tid: 3599, name: .15(596040118)) >>> **com.app<<<**
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4
eax 00000000 ebx 00000df6 ecx 00000e0f edx 0000000b
esi 95980c4c edi 959809f0
xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
eip c7f28c10 ebp 95980a70 esp 95980988 flags 00000296
backtrace:
#00 pc 00000c10 [vdso:c7f28000] (__kernel_vsyscall+16)
#01 pc 0007ac08 /system/bin/linker (offset 0x5000)
***