crmulliner / ddi

ddi - Dynamic Dalvik Instrumentation Toolkit
http://www.mulliner.org/android/

hook java static method #14

Open zmxsa opened 8 years ago

zmxsa commented 8 years ago

Hi, I am trying to hook a static method. But when the original method is invoked, some exceptions are thrown. The example is as follows.

Java static method: `Lexample;->test()V`

My hook method:

```c
void sb_test(JNIEnv *env) {
    dalvik_prepare(&d, &sb, env);
    (*env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
    dalvik_postcall(&d, &sb);
}
```

Is there any problem? Thank you very much!

crmulliner commented 8 years ago

What is the exception? What does logcat say?

On Nov 20, 2015, at 23:22, ziminlin notifications@github.com wrote:

> Hi, I am trying to hook a static method. But when the original method is invoked, some exceptions are thrown. The example is as follows.
>
> Java static method: `Lexample;->test()V`
>
> My hook method:
>
> ```c
> void sb_test(JNIEnv *env) {
>     dalvik_prepare(&d, &sb, env);
>     (*env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
>     dalvik_postcall(&d, &sb);
> }
> ```
>
> Is there any problem? Thank you very much!

zmxsa commented 8 years ago

Thanks for your prompt reply. I tested this in the Android 2.3, 3.0 and 4.0 emulators. This problem only occurs on version 4.0.

In the log of DDI, the function "_Z20dvmDecodeIndirectRefP6ThreadP8_jobject" could not be resolved. So, the function "_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject" was added. The following is the concrete output:

```
_Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x0
_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject = 0x4080a8d9
```

I wonder whether the problem is caused by "dvmDecodeIndirectRef", where logcat also gives some hints. However, after searching the Android source code, I don't find the dependency between "CallStatic###Method" and "dvmDecodeIndirectRef". Please help me find the problem. Thank you!!!

The following is the output of logcat.

```
I/DEBUG ( 33): #00 pc 00050d62 /system/lib/libdvm.so (dvmAbort)
I/DEBUG ( 33): #01 pc 000559c2 /system/lib/libdvm.so (_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject)
I/DEBUG ( 33): #02 pc 000449a0 /system/lib/libdvm.so
I/DEBUG ( 33): #03 pc 000452e8 /system/lib/libdvm.so
I/DEBUG ( 33): #04 pc 00049ab8 /system/lib/libdvm.so
I/DEBUG ( 33): #05 pc 00001954 /data/local/tmp/libstrmon.so (sb30_sb250)
I/DEBUG ( 33): #06 pc 0001ec70 /system/lib/libdvm.so (dvmPlatformInvoke)
I/DEBUG ( 33): #07 pc 0005925a /system/lib/libdvm.so (_Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread)
I/DEBUG ( 33): #08 pc 0004cc7c /system/lib/libdvm.so (_Z21dvmCheckCallJNIMethodPKjP6JValuePK6MethodP6Thread)
I/DEBUG ( 33): #09 pc 00030a8c /system/lib/libdvm.so
I/DEBUG ( 33): #10 pc 000342ac /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue)
I/DEBUG ( 33): #11 pc 0006c93e /system/lib/libdvm.so (_Z15dvmInvokeMethodP6ObjectPK6MethodP11ArrayObjectS5_P11ClassObjectb)
I/DEBUG ( 33): #12 pc 00073d4a /system/lib/libdvm.so
I/DEBUG ( 33): #13 pc 00030a8c /system/lib/libdvm.so
I/DEBUG ( 33): #14 pc 000342ac /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue)
I/DEBUG ( 33): #15 pc 0006cc1c /system/lib/libdvm.so (_Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9va_list)
I/DEBUG ( 33): #16 pc 00055226 /system/lib/libdvm.so
I/DEBUG ( 33): #17 pc 00049b5c /system/lib/libdvm.so
I/DEBUG ( 33): #18 pc 00040b7a /system/lib/libandroid_runtime.so
I/DEBUG ( 33): #19 pc 000416e2 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime5startEPKcS2_)
I/DEBUG ( 33): #20 pc 00008f0e /system/bin/app_process
I/DEBUG ( 33): #21 pc 00016700 /system/lib/libc.so (__libc_init)
... ...
W/dalvikvm( 483): threadid=2: spin on suspend #1 threadid=1 (pcf=0)
... ...
W/dalvikvm( 483): threadid=2: spin on suspend #2 threadid=1 (pcf=0)
I/dalvikvm( 483): "GC" daemon prio=5 tid=2 RUNNABLE
I/dalvikvm( 483): | group="system" sCount=0 dsCount=0 obj=0x41341070 self=0x9ba68
I/dalvikvm( 483): | sysTid=486 nice=0 sched=0/0 cgrp=default handle=631024
I/dalvikvm( 483): | schedstat=( 72449266 434593906 33 ) utm=3 stm=4 core=0
I/dalvikvm( 483): at dalvik.system.NativeStart.run(Native Method)
```

decash commented 8 years ago

I found a solution.

First:

```c
void sb_test(JNIEnv *env) {
    sb.sm = 1;      // solution
    sb.resolvm = 1; // solution
    dalvik_prepare(&d, &sb, env);
    (*env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
    dalvik_postcall(&d, &sb);
}
```

And:

```c
// solution: insSize is not argSize+1; for a static method insSize == argSize
dalvik_hook_setup(&sb, "Ltest/test/test", "test", 0, sb_test);
```
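The argument-count rule in the last comment is the part of the fix that is easy to get wrong for methods with real parameters, so here is an added example (not code from the issue or from DDI) that computes the Dalvik "ins" register count from a method descriptor the way the VM does: one slot per argument, two for `long`/`double`, plus one `this` slot only for non-static methods, which is the "+1" a static hook must not pass. The helper name `dalvik_ins_size` is an assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Count the Dalvik "ins" registers a method's arguments occupy, from a method
 * descriptor such as "(Ljava/lang/String;JI[B)V". Each argument is one 32-bit
 * register slot except J (long) and D (double), which take a register pair;
 * a non-static method gets one extra slot for "this", which is the "+1" the
 * thread is about. Returns -1 for a malformed descriptor. (Assumed helper.) */
int dalvik_ins_size(const char *desc, int is_static)
{
    if (desc == NULL || desc[0] != '(')
        return -1;
    int slots = is_static ? 0 : 1;          /* static: no "this" register */
    const char *p = desc + 1;
    while (*p != ')') {
        const char *end;
        switch (*p) {
        case '\0':
            return -1;                      /* parameter list never closed */
        case 'J': case 'D':
            slots += 2; p++;                /* wide primitive: two registers */
            break;
        case 'Z': case 'B': case 'S': case 'C': case 'I': case 'F':
            slots += 1; p++;
            break;
        case '[':
            while (*p == '[') p++;          /* an array of any rank is one slot */
            if (*p == 'L') {
                if ((end = strchr(p, ';')) == NULL) return -1;
                p = end + 1;
            } else if (*p != '\0' && strchr("ZBSCIFJD", *p) != NULL) {
                p++;
            } else {
                return -1;
            }
            slots += 1;
            break;
        case 'L':                           /* object reference: one slot */
            if ((end = strchr(p, ';')) == NULL) return -1;
            p = end + 1;
            slots += 1;
            break;
        default:
            return -1;                      /* not a Dalvik type descriptor */
        }
    }
    return slots;
}
```

For the thread's `test()V` the static count is 0 and the instance count is 1, which is exactly the difference between the crashing and the working `dalvik_hook_setup` call.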