bytedance / android-inline-hook

:fire: ShadowHook is an Android inline hook library which supports thumb, arm32 and arm64.
https://github.com/bytedance/android-inline-hook/tree/main/doc
MIT License

memcpy not called #26

Closed q601180252 closed 1 year ago

q601180252 commented 1 year ago

ShadowHook Version

1.0.4

Android OS Version

12

Android ABIs

arm64-v8a

Device Manufacturers and Models

one plus 8t

Describe the Bug

2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, strdup, 0x77d5414770) ...
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b07732c0c at 7afeafc000, size 96 + 16 = 112
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap fill zero, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), READABLE 1
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525c0 (load_bias 7b07696000, bc5c0), len 16
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525c0, pc 7b07732c0c, distance 1f9b4, range [-8000000, 7fffffc]
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst a9bd7bfd
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK.
target 7b07732c0c -> exit 7b077525c0 -> new 7afeafc000 -> enter 7afeafb000 -> remaining 7b07732c10
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414770
2022-12-01 13:53:37.440 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b07732c0c, new_addr 77d5414770
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, strdup, 0x77d5414770) OK. return: 0xb4000078b57d29c0. 0 - OK
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcpy, 0x77d5414604) ...
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b0774b488 at 7afeafc070, size 96 + 16 = 112
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525d0 (load_bias 7b07696000, bc5d0), len 16
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525d0, pc 7b0774b488, distance 7148, range [-8000000, 7fffffc]
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst 39404828
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK.
target 7b0774b488 -> exit 7b077525d0 -> new 7afeafc070 -> enter 7afeafb100 -> remaining 7b0774b48c
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414604
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b0774b488, new_addr 77d5414604
2022-12-01 13:53:37.441 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcpy, 0x77d5414604) OK. return: 0xb4000078b57d2020. 0 - OK
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memmove, 0x77d5414578) ...
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b0774b4a8 at 7afeafc0e0, size 96 + 16 = 112
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525e0 (load_bias 7b07696000, bc5e0), len 16
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525e0, pc 7b0774b4a8, distance 7138, range [-8000000, 7fffffc]
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst 39404828
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK.
target 7b0774b4a8 -> exit 7b077525e0 -> new 7afeafc0e0 -> enter 7afeafb200 -> remaining 7b0774b4ac
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414578
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b0774b4a8, new_addr 77d5414578
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memmove, 0x77d5414578) OK. return: 0xb4000078b57d2d40. 0 - OK
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcmp, 0x77d5414690) ...
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: create trampo for target_addr 7b076dea00 at 7afeafc150, size 96 + 16 = 112
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b077525b0 - 7b07753000 (load_bias 7b07696000, bc5b0 - bd000), NFZ 1, READABLE 1
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap, 7b07cb3840 - 7b07cb4000 (load_bias 7b07696000, 61d840 - 61e000), NFZ 0, READABLE 1
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: gap resize, 7b077525b0 - 7b07752ff0 (load_bias 7b07696000, bc5b0 - bcff0)
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: in-library alloc, at 7b077525f0 (load_bias 7b07696000, bc5f0), len 16
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: exit: alloc in library, exit 7b077525f0, pc 7b076dea00, distance 73bf0, range [-8000000, 7fffffc]
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64 rewrite: type 0, inst d503245f
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: a64: hook (WITH EXIT) OK.
target 7b076dea00 -> exit 7b077525f0 -> new 7afeafc150 -> enter 7afeafb300 -> remaining 7b076dea04
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: hub: add(new) func 77d5414690
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: switch: hook in SHARED mode OK: target_addr 7b076dea00, new_addr 77d5414690
2022-12-01 13:53:37.442 21162-21162/com.bytedance.shadowhook.sample I/shadowhook_tag: shadowhook: hook_sym_name(libc.so, memcmp, 0x77d5414690) OK. return: 0xb4000078b57d1bc0. 0 - OK


caikelun commented 1 year ago

On many devices memcpy is an IFUNC (indirect function); you can confirm this with llvm-readelf -sW libc.so | grep memcpy. So the function found by the name "memcpy" is actually memcpy_resolver.

For an IFUNC, please use shadowhook_hook_sym_addr to hook it:

shadowhook_hook_sym_addr(memcpy, (void *)proxy, (void **)&orig);

Written this way, the linker calls memcpy_resolver when it loads your shared library and relocates the memcpy you wrote to __memcpy_a15, __memcpy_a53, __memcpy_a55, and so on.
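The readelf check above, as an added example that is not part of the ShadowHook project: a minimal ELF64 .dynsym parser that reports whether a symbol is STT_GNU_IFUNC (type 10), which is why a by-name lookup of memcpy lands on the resolver rather than the implementation. The ELF blob is constructed inline for demonstration; on a real device you would pass the bytes of libc.so pulled from /apex or /system instead.

```python
import struct

SHT_DYNSYM, SHT_STRTAB, STT_FUNC, STT_GNU_IFUNC = 11, 3, 2, 10
EH = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (little-endian)
SH = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")            # Elf64_Sym

def dynsym_types(elf: bytes) -> dict:
    """Map every named .dynsym entry to its STT_* type (ELF64 LE only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    h = EH.unpack_from(elf, 0)
    shoff, shentsize, shnum = h[6], h[11], h[12]
    shdrs = [SH.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    out = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh[6]]                          # sh_link -> .dynstr
        for off in range(sh[4], sh[4] + sh[5], sh[9] or SYM.size):
            st_name, st_info, *_ = SYM.unpack_from(elf, off)
            if st_name == 0:
                continue                               # null / unnamed entry
            start = strtab[4] + st_name
            out[elf[start:elf.index(b"\0", start)].decode()] = st_info & 0xF
    return out

def is_ifunc(elf: bytes, name: str) -> bool:
    """True when `name` is exported as an IFUNC, i.e. its st_value is a resolver."""
    return dynsym_types(elf).get(name) == STT_GNU_IFUNC

def build_sample_elf() -> bytes:
    """Constructed ELF64 exporting memcpy as IFUNC and strdup as a plain FUNC."""
    dynstr = b"\0memcpy\0strdup\0"
    syms = SYM.pack(0, 0, 0, 0, 0, 0)
    syms += SYM.pack(1, (1 << 4) | STT_GNU_IFUNC, 0, 1, 0x1000, 0)  # resolver
    syms += SYM.pack(8, (1 << 4) | STT_FUNC, 0, 1, 0x2000, 0)       # real code
    dynstr_off, dynsym_off = EH.size, EH.size + 32
    shoff = dynsym_off + len(syms)
    shdrs = SH.pack(*([0] * 10))
    shdrs += SH.pack(0, SHT_DYNSYM, 0, 0, dynsym_off, len(syms), 2, 1, 8, SYM.size)
    shdrs += SH.pack(0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    ehdr = EH.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 0xB7, 1, 0, 0,
                   shoff, 0, EH.size, 0, 0, SH.size, 3, 0)
    return ehdr + dynstr.ljust(32, b"\0") + syms + shdrs

if __name__ == "__main__":
    for sym, t in dynsym_types(build_sample_elf()).items():
        print(sym, "IFUNC" if t == STT_GNU_IFUNC else "FUNC")
```

For an IFUNC symbol the address in .dynsym is the resolver, so hooking it by name patches memcpy_resolver, which runs once at relocation time and never again; hooking by the address the linker already resolved is what reaches the code actually executed.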

q601180252 commented 1 year ago

It works now, thanks.