jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

macOS on Apple M1: hooking functions of a Mac app works, but if the app is x86_64 translated by Rosetta, Dobby cannot hook it #173

Open 1021811501 opened 2 years ago

1021811501 commented 2 years ago

From testing: pure ARM apps that are not translated by Rosetta work normally, but for apps that are translated by Rosetta, Dobby is unable to hook. How can this be solved?

System version: 11.6, Xcode version: 12.5.1
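A Rosetta-translated process executes x86_64 machine code, so anything loaded into it, including a hook framework, has to be built for x86_64; an arm64-only build cannot be loaded into such a process at all. The C below is an added example, not part of this issue or of Dobby: it inspects a Mach-O image's header (universal fat header or thin `mach_header_64`) and reports whether a slice for a given CPU type is present, which is the first thing to confirm before trying to hook a translated app. The header bytes are constructed inline for illustration and are not a real dylib; the names `macho_has_arch` and `can_load_into_translated_process` are chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants from <mach-o/fat.h> and <mach/machine.h>, copied here so the
 * checker also builds on a non-macOS host. */
#define FAT_MAGIC        0xCAFEBABEu   /* fat header magic, stored big-endian */
#define MH_MAGIC_64      0xFEEDFACFu   /* thin 64-bit Mach-O magic, host-endian on disk */
#define CPU_TYPE_X86_64  0x01000007u
#define CPU_TYPE_ARM64   0x0100000Cu

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Returns 1 if the image contains a slice for `cputype`, 0 if it does not,
 * -1 if the bytes are not a recognisable fat or 64-bit Mach-O header. */
int macho_has_arch(const uint8_t *buf, size_t len, uint32_t cputype) {
    if (len < 8)
        return -1;
    if (be32(buf) == FAT_MAGIC) {
        uint32_t nfat = be32(buf + 4);
        /* Each fat_arch is five big-endian uint32s: cputype, cpusubtype, offset, size, align. */
        if (nfat > (len - 8) / 20)
            return -1;                      /* header claims more slices than bytes present */
        for (uint32_t i = 0; i < nfat; i++)
            if (be32(buf + 8 + i * 20) == cputype)
                return 1;
        return 0;
    }
    if (le32(buf) == MH_MAGIC_64) {
        /* mach_header_64 starts: magic, cputype, cpusubtype, filetype, ... (little-endian). */
        return le32(buf + 4) == cputype ? 1 : 0;
    }
    return -1;
}

/* A dylib can only be loaded into a Rosetta-translated (x86_64) process if it
 * carries an x86_64 slice. */
int can_load_into_translated_process(const uint8_t *buf, size_t len) {
    return macho_has_arch(buf, len, CPU_TYPE_X86_64) == 1;
}

/* Constructed sample headers (not real files): a universal image with arm64
 * and x86_64 slices, and a thin arm64-only image like a native-only hook build. */
static const uint8_t sample_fat[] = {
    0xCA,0xFE,0xBA,0xBE,  0x00,0x00,0x00,0x02,                        /* FAT_MAGIC, nfat_arch = 2 */
    0x01,0x00,0x00,0x0C,  0x00,0x00,0x00,0x00,  0x00,0x00,0x40,0x00,  /* arm64: cputype, subtype, offset */
    0x00,0x00,0x10,0x00,  0x00,0x00,0x00,0x0E,                        /*        size, align            */
    0x01,0x00,0x00,0x07,  0x00,0x00,0x00,0x03,  0x00,0x00,0x80,0x00,  /* x86_64: cputype, subtype, offset */
    0x00,0x00,0x10,0x00,  0x00,0x00,0x00,0x0C,                        /*         size, align            */
};
static const uint8_t sample_thin_arm64[] = {
    0xCF,0xFA,0xED,0xFE,  0x0C,0x00,0x00,0x01,  /* MH_MAGIC_64, CPU_TYPE_ARM64 */
    0x00,0x00,0x00,0x00,  0x06,0x00,0x00,0x00,  /* cpusubtype, filetype = MH_DYLIB */
};

int main(void) {
    printf("universal image loadable under Rosetta: %d\n",
           can_load_into_translated_process(sample_fat, sizeof sample_fat));
    printf("arm64-only image loadable under Rosetta: %d\n",
           can_load_into_translated_process(sample_thin_arm64, sizeof sample_thin_arm64));
    return 0;
}
```

On a Mac the same question is answered by `lipo -info <dylib>` (or `file <dylib>`); the point of the code is that the check is purely a header lookup and can be scripted into a build step for a hook library that has to work in both native and translated processes.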

DanboDuan commented 2 years ago

On M1, hooking the open/stat functions crashes; pthread_create does not. Environment: M1, macOS Monterey 12.0.1 (21A559), Xcode Version 13.1 (13A1030d). Steps:

  1. git clone git@github.com:jmpews/Dobby.git
  2. cd Dobby && mkdir build && cd build && cmake .. -G Xcode -DDOBBY_GENERATE_SHARED=OFF
  3. Open the Xcode project and change the build settings for baseSDK and Architecture
  4. Add the following test code to darwin_common_api.cc:

```cpp
#include <fcntl.h>
#include <sys/stat.h>

// Receive the original implementations from the GOT replacement.
static typeof(open) *open_p;
static typeof(stat) *stat_p;

int stat_tmp(const char *pathname, struct stat *st) {
  return stat_p(pathname, st);
}

int open_tmp(const char *pathname, int flags, mode_t mode) {
  return open_p(pathname, flags, mode);
}

DobbyGlobalOffsetTableReplace(NULL, "_open", (void *)open_tmp, (void **)&open_p);
DobbyGlobalOffsetTableReplace(NULL, "_stat", (void *)stat_tmp, (void **)&stat_p);
```

Running it crashes immediately in `global_offset_table_hook.cc` at line 185, the line `*(void **)stub = fake_func;`:

Thread 1: EXC_BAD_ACCESS (code=2, address=0x1db9e4940)

```cpp
PUBLIC int DobbyGlobalOffsetTableReplace(char *image_name, char *symbol_name, void *fake_func,
                                         void **orig_func_ptr) {
  std::vector<RuntimeModule> ProcessModuleMap = ProcessRuntimeUtility::GetProcessModuleMap();

  for (auto module : ProcessModuleMap) {
    if (image_name != NULL && strstr(module.path, image_name) == NULL)
      continue;

    addr_t header = (addr_t)module.load_address;
    size_t slide = 0;

#if 0
    if (header) {
      if (((struct mach_header *)header)->magic == MH_MAGIC_64)
        slide = macho_kit_get_slide64(header);
    }
#endif

#if 0
    LOG(1, "resolve image: %s", module.path);
#endif

    uint32_t nlist_count = 0;
    nlist_t *nlist_array = 0;
    char *string_pool = 0;

    void *stub = get_global_offset_table_stub((mach_header_t *)header, symbol_name);
    if (stub) {
      void *orig_func;
      orig_func = *(void **)stub;

#if __has_feature(ptrauth_calls)
      orig_func = ptrauth_strip(orig_func, ptrauth_key_asia);
      orig_func = ptrauth_sign_unauthenticated(orig_func, ptrauth_key_asia, 0);
#endif

      *orig_func_ptr = orig_func;

#if __has_feature(ptrauth_calls)
      fake_func = (void *)ptrauth_strip(fake_func, ptrauth_key_asia);
      fake_func = ptrauth_sign_unauthenticated(fake_func, ptrauth_key_asia, stub);
#endif

      *(void **)stub = fake_func;  // line 185: the store that raises EXC_BAD_ACCESS
    }

    if (image_name)
      return 0;
  }
  return -1;
}
```
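EXC_BAD_ACCESS with code=2 is KERN_PROTECTION_FAILURE: the address is mapped, but not with the permission the access needs, here a write. On current macOS the `__got` section lives in `__DATA_CONST`, which dyld makes read-only once binding is complete, so a plain store into a GOT slot faults in exactly the way the line-185 write above does. The C below is an added example, not Dobby's code or the commenter's: it maps one page holding a function pointer and marks it read-only to stand in for a bound GOT slot, shows that a raw store into it faults (caught with a signal handler so the program survives), and then performs the same swap with the containing page temporarily made writable via `mprotect`. `replace_pointer_slot`, `make_readonly_slot`, `raw_write_faults` and `demo_hook_readonly_slot` are names chosen for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*int_fn)(int);

static int original(int x)    { return x + 1; }    /* stands in for the bound target */
static int replacement(int x) { return x * 100; }  /* stands in for fake_func */

/* Simulate a bound GOT slot: one page holding a function pointer, mapped
 * read-only after it was filled, like __DATA_CONST,__got after dyld binding. */
static void **make_readonly_slot(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void **p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    p[0] = (void *)original;
    if (mprotect(p, page, PROT_READ) != 0) {
        munmap(p, page);
        return NULL;
    }
    return p;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Perform the store exactly as the crashing line does. Returns 1 if it faulted,
 * 0 if it went through. Linux reports the protection fault as SIGSEGV,
 * macOS as SIGBUS, so both are caught. */
int raw_write_faults(void **slot, void *fake) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(void *volatile *)slot = fake;
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Write `fake` into `slot` after making its page writable, hand back the old
 * value, then restore `restore_prot` (PROT_READ for a read-only data page).
 * Returns 0 on success, -1 if either mprotect fails. */
int replace_pointer_slot(void **slot, void *fake, void **orig_out, int restore_prot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);           /* 16 KiB on Apple silicon, 4 KiB on most x86 */
    uintptr_t base = (uintptr_t)slot & ~((uintptr_t)page - 1);
    if (mprotect((void *)base, page, PROT_READ | PROT_WRITE) != 0)
        return -1;
    if (orig_out)
        *orig_out = *slot;
    *slot = fake;
    return mprotect((void *)base, page, restore_prot) == 0 ? 0 : -1;
}

/* End-to-end: build the read-only slot, swap it, call through the slot and
 * through the saved original. Returns the hooked call's result, -1 on setup failure. */
int demo_hook_readonly_slot(int arg, int *via_orig_out) {
    void **slot = make_readonly_slot();
    if (!slot)
        return -1;
    void *orig = NULL;
    if (replace_pointer_slot(slot, (void *)replacement, &orig, PROT_READ) != 0)
        return -1;
    int hooked = ((int_fn)slot[0])(arg);
    if (via_orig_out)
        *via_orig_out = ((int_fn)orig)(arg);
    munmap(slot, (size_t)sysconf(_SC_PAGESIZE));
    return hooked;
}

int main(void) {
    void **slot = make_readonly_slot();
    printf("raw store into read-only slot faults: %d\n", slot ? raw_write_faults(slot, (void *)replacement) : -1);
    int via_orig = 0;
    printf("hooked call: %d, saved original: %d\n", demo_hook_readonly_slot(7, &via_orig), via_orig);
    return 0;
}
```

For a real `__got` slot the shape is the same, applied to the page of the loaded image rather than an anonymous mapping. Two things the example cannot show on a non-arm64e host: on arm64e the value stored must also carry the right pointer-authentication signature for that slot, which is what `ptrauth_sign_unauthenticated(fake_func, ptrauth_key_asia, stub)` in the pasted source handles, and the page size must come from `sysconf` (or `vm_page_size`) rather than an assumed 4 KiB, since Apple silicon uses 16 KiB pages and an under-sized `mprotect` leaves the slot's page read-only.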