jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0
4k stars, 833 forks

Problem when hooking libc.so's open function #103

Closed TUGOhost closed 4 years ago

TUGOhost commented 4 years ago

Version on which the problem appears: Android 10, arm64-v8a. Code:

#include <jni.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <android/log.h>
#include "HookMain.h"
#include "Dobby/include/dobby.h"

extern "C" {
void HookMain() __attribute__((constructor));

JNIEXPORT void JNICALL
Java_com_example_dobbydemo_MainActivity_stringFromJNI(JNIEnv *env, jobject clazz) {
    __android_log_print(ANDROID_LOG_DEBUG, "Tag", "Print");
}

// Trampoline to the original open(2). The replacement has to take open's
// arguments, not a JNI (JNIEnv*, jclass) pair, or the forwarded call is wrong.
int (*old_print)(const char *pathname, int flags, mode_t mode);

int new_print(const char *pathname, int flags, mode_t mode) {
    __android_log_print(ANDROID_LOG_DEBUG, "Tag", "Hooked");
    return old_print(pathname, flags, mode);
}

void HookMain() {
    void *libc_handle = dlopen("libc.so", RTLD_NOW);
    if (libc_handle == nullptr) {
        return;
    }
    void *ori_sym = dlsym(libc_handle, "open");
    if (ori_sym == nullptr) {
        return;
    }
    // On Android 10 arm64 this is where the crash below happens: libc's code is
    // mapped execute-only, and the hook reads the target's instructions.
    DobbyHook(ori_sym, (void *)new_print, (void **)&old_print);
}

}

Error log:

4281 24281 I Dobby   : [*] Initialize dx_hook_hookfun => 0x7b8dfb6be4 => 0x7b00321908
 4281 24281 I Dobby   : [*] ================ FunctionInlineReplaceRouting Start ================
 4281 24281 I Dobby   : [*] Set trampoline target => 0x7b00321908
 4281 24281 I Dobby   : [*] Generate trampoline => 0x7b00321908
 4281 24281 I Dobby   : [*] Initialize assembler code buffer at 0x7b9200bdc0
 4281 24281 I Dobby   : [*] Trampoline use [Adrp, Add, Br] combine
 4281 24281 I Dobby   : [*] Initialize assembler code buffer at 0x7b9200bdc0
--------- beginning of crash
 4281 24281 F libc    : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7b8dfb6be4 in tid 24281 (ample.dobbydemo), pid 24281 (ample.dobbydemo)
 848   948 D DisplayFeatureHal: set brightness to 319, virtual brightness 640
 919  5000 D FOD     : Alpha=0.631236 mBrightnessBackup=640, mTargetBrightness=1, backlight=640, mFodSystemBacklight=867
 919  2240 D BufferQueueLayer: Launcher new frame Arrived
 678   678 I Zygote  : Process 21304 exited due to signal 9 (Killed)
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 319
 570   570 I hwservicemanager: getTransport: Cannot find entry vendor.qti.hardware.servicetracker@1.0::IServicetracker/default in either framework or device manifest.
1652  1800 I libprocessgroup: Successfully killed process cgroup uid 10194 pid 21304 in 36ms
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-56, 0 - 222, 278)
 7257 18255 D UidObserver: onUidGone entry uid = 10194
1652  3343 I MiuiNetworkPolicy: removeUidState uid = 10194
 919   999 D BufferQueueLayer: Launcher new frame Arrived
 848   948 D DisplayFeatureHal: set brightness to 340, virtual brightness 681
 919  5000 D FOD     : Alpha=0.620669 mBrightnessBackup=681, mTargetBrightness=1, backlight=681, mFodSystemBacklight=867
 7499 18049 D Launcher.Transfer: transfer:onPause, extra:null
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 340
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-64, 0 - 231, 295)
 919  5000 D FOD     : Alpha=0.610689 mBrightnessBackup=721, mTargetBrightness=1, backlight=721, mFodSystemBacklight=867
 848   948 D DisplayFeatureHal: set brightness to 360, virtual brightness 721
 919   999 D BufferQueueLayer: Launcher new frame Arrived
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 360
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-70, 0 - 237, 307)
 919   999 D BufferQueueLayer: Launcher new frame Arrived
 919  5000 D FOD     : Alpha=0.600768 mBrightnessBackup=762, mTargetBrightness=1, backlight=762, mFodSystemBacklight=867
 848   948 D DisplayFeatureHal: set brightness to 380, virtual brightness 762
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 380
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-76, 0 - 242, 318)
 919   999 D BufferQueueLayer: Launcher new frame Arrived
 848   948 D DisplayFeatureHal: set brightness to 401, virtual brightness 803
 919  5000 D FOD     : Alpha=0.591133 mBrightnessBackup=803, mTargetBrightness=1, backlight=803, mFodSystemBacklight=867
 4334 24334 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
1309  1309 I /system/bin/tombstoned: received crash request for pid 24281
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 401
 4334 24334 I crash_dump64: performing dump of process 24281 (target tid = 24281)
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-80, 0 - 247, 327)
 919  5000 D FOD     : Alpha=0.581763 mBrightnessBackup=844, mTargetBrightness=1, backlight=844, mFodSystemBacklight=867
 848   948 D DisplayFeatureHal: set brightness to 421, virtual brightness 844
 919   999 D BufferQueueLayer: Launcher new frame Arrived
 4334 24334 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
 4334 24334 F DEBUG   : Build fingerprint: 'Xiaomi/raphael/raphael:10/QKQ1.190825.002/20.9.24:user/release-keys'
 4334 24334 F DEBUG   : Revision: '0'
 4334 24334 F DEBUG   : ABI: 'arm64'
 4334 24334 F DEBUG   : Timestamp: 2020-0
 4334 24334 F DEBUG   : pid: 24281, tid: 24281, name: ample.dobbydemo  >>> com.example.dobbydemo <<<
 4334 24334 F DEBUG   : uid: 10524
 4334 24334 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7b8dfb6be4
 4334 24334 F DEBUG   : Cause: execute-only (no-read) memory access error; likely due to data in .text.
 4334 24334 F DEBUG   :     x0  0000000000000000  x1  0000007fd6d685d0  x2  0000000000000005  x3  0000000000000003
 4334 24334 F DEBUG   :     x4  0000000000000000  x5  31007962626f44ff  x6  0000000000000000  x7  0000000000008000
 4334 24334 F DEBUG   :     x8  0000000000000000  x9  0000007b8dfb6be4  x10 0000000000000000  x11 0000000000000036
 4334 24334 F DEBUG   :     x12 0101010101010101  x13 0000000000000002  x14 0000000000000003  x15 000108c1197e4e3a
 4334 24334 F DEBUG   :     x16 0000007b00358758  x17 0000007b00322f1c  x18 0000007b930d4000  x19 0000007b9222c680
 4334 24334 F DEBUG   :     x20 0000007b93392553  x21 0000007b00355088  x22 0000000000000000  x23 0000007b9338dcb6
 4334 24334 F DEBUG   :     x24 0000007b93397238  x25 0000007b934a7000  x26 0000007b934a75a8  x27 0000000000000002
 4334 24334 F DEBUG   :     x28 0000007b0032196c  x29 0000007fd6d697d0
 4334 24334 F DEBUG   :     sp  0000007fd6d69350  lr  0000007b00327560  pc  0000007b0032757c
 837  1635 D libsensor-B2SNotifier: Backlight2SlpiNotifier brightness = 421
 7499 17499 E FloatingIconView: setBackgroundDrawableBounds  sTmpRect=Rect(-83, 0 - 251, 334)
1652  1893 I BackLightController:  grayScale = 0.6 factor = 1.0 inBrightness = 866 outBrightness = 866
 919  5000 D FOD     : Alpha=0.576838 mBrightnessBackup=866, mTargetBrightness=1, backlight=866, mFodSystemBacklight=867

Log of a normal run on Android 6.0.1, arm32-v7a:

8723  8723 I Dobby   : [*] Initialize dx_hook_hookfun => 0xb6cb7b17 => 0xb39526c5
8723  8723 I Dobby   : [*] ================ FunctionInlineReplaceRouting Start ================
8723  8723 I Dobby   : [*] Set trampoline target => 0xb39526c5
8723  8723 I Dobby   : [*] Generate trampoline => 0xb39526c5
8723  8723 I Dobby   : [*] Assembler buffer at 0xa9291b40
8723  8723 I Dobby   : [*] Assembler buffer at 0xa9291b40
8723  8723 I Dobby   : [*] Assembler buffer at 0xa9291b40
8723  8723 I Dobby   : [*] Thumb relocate 10 start >>>>>
8723  8723 I Dobby   : [*] Relocate thumb1 instr: 0xb40e
8723  8723 I Dobby   : [*] Relocate thumb1 instr: 0xb503
8723  8723 I Dobby   : [*] Relocate thumb1 instr: 0x4601
8723  8723 I Dobby   : [*] Relocate thumb1 instr: 0x9a03
8723  8723 I Dobby   : [*] Relocate thumb2 instr: 0x63f06f
8723  8723 I Dobby   : [*] Finalize assembler at 0xb4b42000
8723  8723 I Dobby   : [*] 0xb6cb7b17 relocate 32 bytes, to 0xb4b42001
8723  8723 I Dobby   : [*] Code patch 0xa9291b00 => 0xb6cb7b17
8723  8723 I Dobby   : [*] ================ InterceptRouting End ================
8723  8723 W ResourceType: No package identifier when getting name for resource number 0x00000000
8723  8723 W art     : Before Android 4.1, method android.graphics.PorterDuffColorFilter androidx.vectordrawable.graphics.drawable.VectorDrawableCompat.updateTintFilter(android.graphics.PorterDuffColorFilter, android.content.res.ColorStateList, android.graphics.PorterDuff$Mode) would have incorrectly overridden the package-private method in android.graphics.drawable.Drawable
8723  8723 D Tag     : Hooked
8723  8723 D Tag     : Hooked
8723  8747 D Tag     : Hooked
8723  8747 D Tag     : Hooked
8723  8723 D AccessibilityManager: current package=com.example.dobbydemo, accessibility manager mIsFinalEnabled=false, mOptimizeEnabled=false, mIsUiAutomationEnabled=false, mIsInterestedPackage=false
5867  5891 I ThermalEngine: Sensor:tsens_tz_sensor5:60000 mC
5867  5937 I ThermalEngine: Sensor:tsens_tz_sensor5:60000 mC
5867  5937 I ThermalEngine: TM Id 'CPU0_MONITOR' Sensor 'cpu0' - alarm raised 2 at 60.0 degC
5867  5937 I ThermalEngine: ACTION: CPU - Setting CPU[0] to 1497600
5867  5937 I ThermalEngine: Mitigation:CPU[0]:1497600 Khz
5867  5937 I ThermalEngine: ACTION: CPU - Setting CPU[1] to 1497600
5867  5937 I ThermalEngine: Mitigation:CPU[1]:1497600 Khz
5867  5937 I ThermalEngine: ACTION: CPU - Setting CPU[2] to 1497600
5867  5937 I ThermalEngine: Mitigation:CPU[2]:1497600 Khz
5867  5937 I ThermalEngine: ACTION: CPU - Setting CPU[3] to 1497600
5867  5937 I ThermalEngine: Mitigation:CPU[3]:1497600 Khz
8723  8747 D Tag     : Hooked
8723  8747 D Tag     : Hooked
TUGOhost commented 4 years ago

I just tested on a Pixel with 8.1.0, arm64-v8a, and it succeeded. Log below:

7525  7525 I Dobby   : [*] Initialize dx_hook_hookfun => 0x73b07f7144 => 0x731741f898
7525  7525 I Dobby   : [*] ================ FunctionInlineReplaceRouting Start ================
7525  7525 I Dobby   : [*] Set trampoline target => 0x731741f898
7525  7525 I Dobby   : [*] Generate trampoline => 0x731741f898
7525  7525 I Dobby   : [*] Initialize assembler code buffer at 0x732f183400
7525  7525 I Dobby   : [*] Trampoline use [Adrp, Add, Br] combine
7525  7525 I Dobby   : [*] Initialize assembler code buffer at 0x732f183400
7525  7525 I Dobby   : [*] Finalize assembler at 0x73b312a000
7525  7525 I Dobby   : [*] 0x73b07f7144 relocate 28 bytes, to 0x73b312a000
7525  7525 I Dobby   : [*] Code patch 0x732f0b7f00 => 0x73b07f7144
7525  7525 I Dobby   : [*] ================ InterceptRouting End ================
7525  7552 D OpenGLRenderer: HWUI GL Pipeline
7525  7552 I Adreno  : QUALCOMM build                   : 2941438, I916dfac403
7525  7552 I Adreno  : Build Date                       : 10/03/17
7525  7552 I Adreno  : OpenGL ES Shader Compiler Version: EV031.21.02.00
7525  7552 I Adreno  : Local Branch                     : O18A
7525  7552 I Adreno  : Remote Branch                    : 
7525  7552 I Adreno  : Remote Branch                    : 
7525  7552 I Adreno  : Reconstruct Branch               : 
7525  7552 D Tag     : Hooked
7525  7552 I chatty  : uid=10128(com.example.dobbydemo) RenderThread identical 13 lines
7525  7552 D Tag     : Hooked
7525  7552 I Adreno  : PFP: 0x005ff087, ME: 0x005ff063
7525  7552 D Tag     : Hooked
7525  7552 D Tag     : Hooked
7525  7552 I zygote64: android::hardware::configstore::V1_0::ISurfaceFlingerConfigs::hasWideColorDisplay retrieved: 0
7525  7552 I OpenGLRenderer: Initialized EGL, version 1.4
7525  7552 D OpenGLRenderer: Swap behavior 2
1321  1321 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3160 
1321  1321 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1829 
7525  7552 D Tag     : Hooked
 610   610 D QCOM PowerHAL: LAUNCH HINT: OFF
 809   858 I ActivityManager: Displayed com.example.dobbydemo/.MainActivity: +376ms
1834  7309 I PBSessionCacheImpl: Deleted sessionId[8067618559419448] from persistence.
 809  7508 I WifiService: getWifiEnabledState uid=10051
1834  2264 W SearchServiceCore: Abort, client detached.
TUGOhost commented 4 years ago

Current code:

#include <dlfcn.h>
#include <sys/mman.h>

void HookMain() {
    // get_library_address / get_library_size: the poster's own helpers (not
    // shown in the thread) returning libc.so's load base and mapped size.
    void *addr = get_library_address("libc.so");
    size_t size = get_library_size("libc.so");
    void *libc_handle = dlopen("libc.so", RTLD_NOW);
    void *ori_sym = libc_handle ? dlsym(libc_handle, "open") : nullptr;
    if (addr == nullptr || size == 0 || ori_sym == nullptr) {
        return;
    }
    // Android 10 maps libc's code execute-only: make it readable (and writable
    // for the patch) around the hook, then restore execute-only.
    if (mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        return;
    }
    dx_hook_hookfun(ori_sym, (void *)new_print, (void **)&old_print);
    mprotect(addr, size, PROT_EXEC);
}

On a Pixel with Android 10, arm64-v8a, it now hooks normally. This morning's problem has been resolved; specifically it is this: https://developer.android.com/about/versions/10/behavior-changes-all?hl=zh-cn#xom-binaries

Log below:

09/28 15:23:28: Launching 'app' on Google Pixel.
$ adb shell am start -n "com.example.dobbydemo/com.example.dobbydemo.MainActivity" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
Connected to process 12220 on device 'google-pixel-FA75R0302109'.
Capturing and displaying logcat messages from application. This behavior can be disabled in the "Logcat output" section of the "Debugger" settings page.
I/Dobby: [*] Initialize dx_hook_hookfun => 0x707c6913ac => 0x6f914299d8
I/Dobby: [*] ================ FunctionInlineReplaceRouting Start ================
    [*] Set trampoline target => 0x6f914299d8
    [*] Generate trampoline => 0x6f914299d8
    [*] Initialize assembler code buffer at 0x707da710e0
    [*] Trampoline use [Adrp, Add, Br] combine
    [*] Initialize assembler code buffer at 0x707da710e0
    [*] Finalize assembler at 0x707d423000
    [*] 0x707c6913ac relocate 28 bytes, to 0x707d423000
    [*] Code patch 0x707da6c2e0 => 0x707c6913ac
    [*] ================ InterceptRouting End ================
W/ample.dobbydem: Accessing hidden method Landroid/view/View;->computeFitSystemWindows(Landroid/graphics/Rect;Landroid/graphics/Rect;)Z (greylist, reflection, allowed)
W/ample.dobbydem: Accessing hidden method Landroid/view/ViewGroup;->makeOptionalFitsSystemWindows()V (greylist, reflection, allowed)
I/Adreno: QUALCOMM build : 4a00b69, I4e7e888065
    Build Date : 04/09/19
    OpenGL ES Shader Compiler Version: EV031.26.06.00
    Local Branch : mybranche95ae4c8-d77f-f18d-a9ef-1458d0b52ae8
    Remote Branch : quic/gfx-adreno.lnx.1.0
    Remote Branch : NONE
    Reconstruct Branch : NOTHING
    Build Config : S L 8.0.5 AArch64
D/Tag: Hooked
I/chatty: uid=10170(com.example.dobbydemo) RenderThread identical 12 lines
D/Tag: Hooked
I/Adreno: PFP: 0x005ff110, ME: 0x005ff066
D/Tag: Hooked
I/chatty: uid=10170(com.example.dobbydemo) RenderThread identical 8 lines
D/Tag: Hooked
D/Tag: Hooked
W/Gralloc3: mapper 3.x is not supported
D/Tag: Hooked
D/Tag: Hooked
D/Tag: Hooked
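The fix in the post above opens all of libc.so as RWX for the duration of the hook. The block below is an added example, not code from Dobby or from the issue author, showing the narrower check a hook caller wants on Android 10+: look up the mapping that contains the target in /proc/self/maps, treat a "--xp" permission string as the execute-only case behind the `execute-only (no-read) memory access error` in the crash log, add PROT_READ only to the pages the hook touches, and restore that mapping's original protection afterwards. The helper names (`hook_with_readable_text`, `find_self_mapping`, `perms_to_prot`, `demo`) are this example's own, not Dobby's API; the maps line inside `demo()` is constructed, with only the fault address 0x7b8dfb6be4 taken from the log. Only Linux APIs are used, so it also runs on a desktop Linux host, where the kernel still reports a PROT_EXEC-only mapping as `--xp`.

```c
/*
 * Added example; not code from Dobby or from the issue author. Before patching
 * on Android 10+, find the mapping that holds the target in /proc/self/maps; if
 * it is execute-only ("--xp"), add PROT_READ around the hook, then restore it.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    uintptr_t start, end;
    char perms[5];                       /* e.g. "r-xp", "--xp" */
} map_entry;

/* Parse one /proc/<pid>/maps line: "start-end perms offset dev inode path". */
int parse_maps_line(const char *line, map_entry *out)
{
    unsigned long s, e;
    if (sscanf(line, "%lx-%lx %4s", &s, &e, out->perms) != 3)
        return 0;
    out->start = s;
    out->end = e;
    return 1;
}

/* Map the "rwx" part of a maps permission string to mprotect() flags. */
int perms_to_prot(const char *perms)
{
    int prot = PROT_NONE;
    if (perms[0] == 'r') prot |= PROT_READ;
    if (perms[1] == 'w') prot |= PROT_WRITE;
    if (perms[2] == 'x') prot |= PROT_EXEC;
    return prot;
}

/* Execute-only memory: executable but not readable. */
int is_execute_only(const char *perms) { return perms[0] == '-' && perms[2] == 'x'; }

/* Find the mapping of this process that contains addr. */
int find_self_mapping(uintptr_t addr, map_entry *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_maps_line(line, out) && addr >= out->start && addr < out->end;
    fclose(f);
    return found;
}

/* Run do_hook(ctx) while [target, target+len) is readable. Execute-only pages
 * get PROT_READ added first and their original protection restored afterwards.
 * Returns do_hook's result, or -1 if the mapping cannot be found or changed. */
int hook_with_readable_text(void *target, size_t len, int (*do_hook)(void *), void *ctx)
{
    map_entry e;
    if (!find_self_mapping((uintptr_t)target, &e)) return -1;
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)target & ~(page - 1);
    uintptr_t hi = ((uintptr_t)target + len + page - 1) & ~(page - 1);
    int orig = perms_to_prot(e.perms), xom = is_execute_only(e.perms);
    if (xom && mprotect((void *)lo, hi - lo, orig | PROT_READ) != 0) return -1;
    int rc = do_hook(ctx);
    if (xom) mprotect((void *)lo, hi - lo, orig);   /* back to execute-only */
    return rc;
}

/* Stands in for the framework reading the instructions it will relocate. */
static int read_first_byte(void *ctx) { return *(volatile unsigned char *)ctx; }

/* Self-check: a constructed maps line (only the fault address 0x7b8dfb6be4 is
 * from the crash log above), then a live round trip over an anonymous
 * PROT_EXEC page. Returns 0 on success, otherwise the failing step number. */
int demo(void)
{
    static const char sample[] =
        "7b8dfb5000-7b8e02c000 --xp 00047000 fd:01 1234  /apex/com.android.runtime/lib64/bionic/libc.so\n";
    const uintptr_t fault = (uintptr_t)0x7b8dfb6be4ULL;
    map_entry e;
    if (!parse_maps_line(sample, &e) || fault < e.start || fault >= e.end) return 1;
    if (!is_execute_only(e.perms) || perms_to_prot(e.perms) != PROT_EXEC) return 2;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 3;
    int rc = hook_with_readable_text(p, 4, read_first_byte, p);   /* zero page -> 0 */
    munmap(p, page);
    return rc == 0 ? 0 : 4;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The example only gives back the read access that execute-only memory takes away; whatever write access the patch step itself needs is outside its scope, and a target whose mapping cannot be found or changed is reported as -1 up front instead of faulting later with SEGV_ACCERR.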

jmpews commented 4 years ago

Let me take a look. I remember my Android 10 had no problem with this; I've looked at this Android 10 mitigation.

TUGOhost commented 4 years ago

Let me take a look. I remember my Android 10 had no problem with this; I've looked at this Android 10 mitigation.

It's probably a Xiaomi issue: the first log is the error from a Redmi K20 Pro on Android 10, while a Pixel on Android 10 does not report the error. If I change the demo's targetSdkVersion to below 29, it works on the Redmi K20 Pro on Android 10.

jmpews commented 4 years ago

Yes, what I have on hand is also a Pixel on 10; I'll try a Redmi when I get back.

david8557 commented 2 years ago

Any fix for this? Maybe we do mprotect before hooking?