bytedance / bhook

:fire: ByteHook is an Android PLT hook library which supports armeabi-v7a, arm64-v8a, x86 and x86_64.
https://github.com/bytedance/bhook/tree/main/doc#readme
MIT License

Crash at hook __system_property_read_callback #84

Closed chiteroman closed 10 months ago

chiteroman commented 10 months ago

bytehook Version

1.0.9

Android OS Version

13

Android ABIs

arm64-v8a

Device Manufacturers and Models

Xiaomi POCO X3 Pro

Describe the Bug

I'm trying to hook __system_property_read_callback:

#if __ANDROID_API__ >= 26
void __system_property_read_callback(const prop_info* _Nonnull __pi,
    void (* _Nonnull __callback)(void* _Nullable __cookie, const char* _Nonnull __name, const char* _Nonnull __value, uint32_t __serial),
    void* _Nullable __cookie) __INTRODUCED_IN(26);
#endif /* __ANDROID_API__ >= 26 */

I have this code:

#include <cstdint>
#include <map>
#include <string_view>

#include <android/log.h>
#include <sys/system_properties.h>  // prop_info
#include "bytehook.h"

// LOGD as used in the post; assumed to be a thin wrapper around __android_log_print.
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, "PropHook", __VA_ARGS__)

// Signature of the callback that __system_property_read_callback invokes.
typedef void (*T_Callback)(void *, const char *, const char *, uint32_t);

// Maps each caller's cookie to the callback it originally passed in, so the
// replacement callback below can forward to it.
static std::map<void *, T_Callback> map;

// Replacement callback: logs every property read, rewrites a few values and
// then forwards to the original callback that was registered for this cookie.
static void
handle_system_property(void *cookie, const char *name, const char *value, uint32_t serial) {

    LOGD("[%s] -> %s", name, value);

    std::string_view prop(name);

    if (prop.compare("ro.product.first_api_level") == 0) value = "25";
    else if (prop.compare("ro.boot.verifiedbootstate") == 0) value = "green";
    else if (prop.compare("ro.secure") == 0 || prop.compare("ro.boot.flash.locked") == 0)
        value = "1";
    else if (prop.compare("ro.debuggable") == 0) value = "0";
    else if (prop.compare("ro.boot.vbmeta.device_state") == 0) value = "locked";
    else if (prop.compare("sys.usb.state") == 0) value = "none";

    // operator[] inserts a null entry if this cookie was never registered,
    // and the map is not protected against concurrent access.
    map[cookie](cookie, name, value, serial);
}

// Hook for __system_property_read_callback: remember the caller's callback,
// then call the real function with the replacement callback instead.
static void my_hook(const prop_info *pi, T_Callback callback, void *cookie) {
    BYTEHOOK_STACK_SCOPE();
    LOGD("Cookie: %p", cookie);
    map[cookie] = callback;
    BYTEHOOK_CALL_PREV(my_hook, pi, handle_system_property, cookie);
}

// Initialize bytehook and hook __system_property_read_callback in every
// loaded ELF (a null callee_path_name means all callers).
static void createHook() {
    bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true);

    LOGD("Trying to get __system_property_read_callback handle...");
    auto handle = bytehook_hook_all(
            nullptr,
            "__system_property_read_callback",
            reinterpret_cast<void *>(my_hook),
            nullptr,
            nullptr
    );
    if (handle == nullptr) {
        LOGD("Couldn't get __system_property_read_callback handle :(");
    } else {
        LOGD("Hooked __system_property_read_callback at %p", handle);
    }
}

But when it runs, the app crashes. I tried changing __system_property_read_callback to __system_property_get and it works! But it doesn't log any prop :(

Is the problem maybe the custom "handle_system_property" function?

Using ShadowHook I can hook both with no problems.

chiteroman commented 10 months ago

I finally fixed it, but it doesn't work like I want; using Dobby fixed the problem.