使用HookZz hook系统的send函数，运行之后，当点击屏幕时崩溃，代码如下：
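/*
 * HookZz ZzWrap callbacks for libc send(). Both callbacks only emit a log
 * line; the register state and stack handles HookZz passes in are not read,
 * so they are marked unused explicitly to keep -Wunused-parameter quiet.
 */
void send_pre_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    (void)rs;
    (void)tsp;
    (void)csp;
    (void)info;
    LOGE("[SEND] pre calling ==============>>");
}

void send_post_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    (void)rs;
    (void)tsp;
    (void)csp;
    (void)info;
    LOGE("[SEND] post calling =============>>");
}

/*
 * Install the pre/post wrap on send().
 * The ZzWrap status is checked so a failed install shows up in the log instead
 * of silently leaving send() unhooked; the comparison against RS_SUCCESS
 * mirrors how the ZzReplace path in this file checks its result.
 */
void hook_send(void)
{
    if (ZzWrap((void *)send, send_pre_call, send_post_call) != RS_SUCCESS) {
        LOGE("[SEND] ZzWrap failed");
    }
}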
崩溃日志如下：
09-13 15:00:30.749 23014-23014/my.hookdemo E/HOOKZZ_SOCKET: [RECVFROM] [fd:44]|[__buf:0x7a878acc20]|[__n:2264]|[__flg:64]|[__dst_addr:0x0]|[__dst_addr_length:0x0] 09-13 15:00:30.753 23014-23014/my.hookdemo E/HOOKZZ: [SEND] pre calling ==============>> --------- beginning of crash 09-13 15:00:30.753 23014-23014/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 23014 (my.hookdemo) 09-13 15:00:30.831 23054-23054/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 09-13 15:00:30.832 23054-23054/? A/DEBUG: Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys' Revision: '0' ABI: 'arm64' pid: 23014, tid: 23014, name: my.hookdemo >>> my.hookdemo <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18 x0 000000000000002c x1 0000007fdd2e9e60 x2 0000000000000010 x3 0000000000004040 x4 0000000000000000 x5 0000000000000000 x6 0000000000000000 x7 000000000000000b x8 0000000000000008 x9 0000000000000003 x10 0000000010000000 x11 0000000000000000 x12 0000007fdd2ea860 x13 0000007a9308f600 x14 0000007a862d70c0 x15 0000007a96c1e1c8 x16 0000007a9551fd98 x17 0000007aa5b0db18 x18 0000000072c31a5c x19 0000007fdd2e9e60 x20 0000007a862d7d60 x21 0000000000000010 x22 0000000000004040 x23 0000000000000000 x24 0000000000000000 x25 000000000000128e x26 000000000000128e x27 0000000012d98140 x28 0000000000000001 x29 0000007fdd2e9e30 x30 0000007a9190a01c sp 0000007fdd2e9e10 pc 0000007aa5b0db18 pstate 0000000060000000 09-13 15:00:30.834 23054-23054/? A/DEBUG: backtrace: #00 pc 0000007aa5b0db18 <unknown> #01 pc 0000000000000018 <anonymous:0000007a9190a000>
使用ZzReplace函数执行hook，也是在运行之后，点击屏幕就崩溃，hook代码如下：
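/* Trampoline to the original send(); filled in by ZzReplace through doHookZZ. */
ssize_t (*origin_send)(int __fd, const void *__buf, size_t __n, int __flags);

/*
 * Replacement for send(): logs the call, then forwards every argument
 * unchanged to the original through origin_send.
 *
 * NOTE(review): identifiers beginning with a double underscore are reserved
 * for the C implementation; the parameter names are kept only to match the
 * existing declaration and should be renamed.
 *
 * Returns whatever the original send() returns, or -1 if the trampoline was
 * never filled in (so the hook can fail instead of calling through NULL).
 */
ssize_t fake_send(int __fd, const void *__buf, size_t __n, int __flags)
{
    SOCKET_LOG("fake_send calling ****************>>");
    if (origin_send == NULL) {
        /* ZzReplace did not store the original; refuse rather than jump to NULL. */
        SOCKET_LOG("fake_send: origin_send is NULL, hook not installed");
        return -1;
    }
    return origin_send(__fd, __buf, __n, __flags);
}

/*
 * Replace the function at target_addr with new_addr via HookZz and store the
 * trampoline to the original in *proto_addr.
 *
 * Returns 0 on success, -1 if ZzReplace did not report RS_SUCCESS.
 *
 * Addresses travel as uint64_t and are cast back to pointers, which is only
 * correct where pointers are 64 bits wide (arm64 here); uintptr_t would be
 * the portable choice, kept as-is to preserve the call signature.
 */
static int doHookZZ(uint64_t target_addr, uint64_t new_addr, uint64_t **proto_addr)
{
    if (ZzReplace((void *)target_addr, (void *)new_addr, (void **)proto_addr) != RS_SUCCESS) {
        return -1;
    }
    return 0;
}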
日志
09-13 15:15:31.402 26230-26230/my.hookdemo E/HOOKZZ_SOCKET: fake_send calling ****************>> --------- beginning of crash 09-13 15:15:31.403 26230-26230/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 26230 (my.hookdemo) 09-13 15:15:31.477 26398-26398/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys' 09-13 15:15:31.478 26398-26398/? A/DEBUG: Revision: '0' ABI: 'arm64' pid: 26230, tid: 26230, name: my.hookdemo >>> my.hookdemo <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18 x0 000000000000002c x1 0000007fdd2e9e60 x2 0000000000000010 x3 0000000000004040 x4 0000000000000000 x5 0000000000000000 x6 0000007a96eed000 x7 0000000000000000 x8 0000000000004040 x9 0000000000000034 x10 0000007fdd2e9860 x11 0000000000000025 x12 0000000000000018 x13 0000000000000000 x14 0000000000000000 x15 0017fdb2c501f011 x16 0000007a93bf7a48 x17 0000007aa5b0db18 x18 0000000072c31a5c x19 0000007fdd2e9e60 x20 0000007a862e3040 x21 0000000000000010 x22 0000000000004040 x23 0000000000000000 x24 0000000000000000 x25 0000000000001421 x26 0000000000001421 x27 0000000012d84420 x28 0000000000000001 x29 0000007fdd2e9e00 x30 0000007a78fb3d6c sp 0000007fdd2e9dd0 pc 0000007aa5b0db18 pstate 0000000060000000 09-13 15:15:31.982 26398-26398/? A/DEBUG: backtrace: #00 pc 0000007aa5b0db18 <unknown> #01 pc 000000000000dd68 /data/app/my.hookdemo-1/lib/arm64/libhookzz64.so (_Z9fake_sendiPKvmi+108) #02 pc 0000000000022a7c /system/lib64/libinput.so (_ZN7android12InputChannel11sendMessageEPKNS_12InputMessageE+108) #03 pc 0000000000024870 /system/lib64/libinput.so (_ZN7android13InputConsumer18sendFinishedSignalEjb+400) 09-13 15:15:31.983 26398-26398/? 
A/DEBUG: #04 pc 00000000000d8908 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver16finishInputEventEjb+56) #05 pc 00000000000d8a5c /system/lib64/libandroid_runtime.so #06 pc 00000000022111e4 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.nativeFinishInputEvent+144) #07 pc 0000000002211734 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.finishInputEvent+384) #08 pc 000000000230a68c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.finishInputEvent+168) #09 pc 0000000002307378 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.-wrap5+52) #10 pc 00000000022fbbc8 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+100) #11 pc 00000000022fec88 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$SyntheticInputStage.onDeliverToNext+324) #12 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48) #13 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64) #14 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160) #15 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60) #16 pc 0000000002303d24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$ViewPostImeInputStage.onDeliverToNext+256) #17 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48) #18 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) 
(android.view.ViewRootImpl$InputStage.apply+64) #19 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160) #20 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60) #21 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48) #22 pc 00000000022fc600 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.forward+92) #23 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64) #24 pc 00000000022fc38c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.apply+120) #25 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160) #26 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60) #27 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48) #28 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64) #29 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160) #30 pc 00000000023089e4 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.deliverInputEvent+272) #31 pc 0000000002314428 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.doProcessInputEvents+372) #32 pc 0000000002314d5c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.enqueueInputEvent+312) #33 pc 
0000000002306ee8 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$WindowInputEventReceiver.onInputEvent+68) #34 pc 0000000002210e0c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.dispatchInputEvent+120) #35 pc 00000000000d3b34 /system/lib64/libart.so (art_quick_invoke_stub+580) #36 pc 00000000000e0800 /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+204) #37 pc 0000000000432240 /system/lib64/libart.so (_ZN3artL18InvokeWithArgArrayERKNS_33ScopedObjectAccessAlreadyRunnableEPNS_9ArtMethodEPNS_8ArgArrayEPNS_6JValueEPKc+108) #38 pc 00000000004337ec /system/lib64/libart.so (_ZN3art35InvokeVirtualOrInterfaceWithVarArgsERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectP10_jmethodIDSt9__va_list+388) 09-13 15:15:31.984 26398-26398/? A/DEBUG: #39 pc 0000000000337e1c /system/lib64/libart.so (_ZN3art3JNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+624) #40 pc 000000000010700c /system/lib64/libart.so (_ZN3art8CheckJNI11CallMethodVEPKcP7_JNIEnvP8_jobjectP7_jclassP10_jmethodIDSt9__va_listNS_9Primitive4TypeENS_10InvokeTypeE+3684) #41 pc 00000000000f93a0 /system/lib64/libart.so (_ZN3art8CheckJNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+96) #42 pc 00000000000a5df8 /system/lib64/libandroid_runtime.so #43 pc 00000000000d8cc4 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver13consumeEventsEP7_JNIEnvblPb+432) #44 pc 00000000000d9270 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver11handleEventEiiPv+440) #45 pc 0000000000018308 /system/lib64/libutils.so (_ZN7android6Looper9pollInnerEi+916) #46 pc 0000000000017eb4 /system/lib64/libutils.so (_ZN7android6Looper8pollOnceEiPiS1_PPv+60) #47 pc 00000000000f0cf4 /system/lib64/libandroid_runtime.so (_ZN7android18NativeMessageQueue8pollOnceEP7_JNIEnvP8_jobjecti+48) #48 pc 0000000001f324f0 /system/framework/arm64/boot-framework.oat (offset 
0x1691000) (android.os.MessageQueue.nativePollOnce+140) #49 pc 0000000001f34110 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.MessageQueue.next+236) #50 pc 0000000001f2de28 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.Looper.loop+340) #51 pc 00000000000dd37c /system/lib64/libart.so --------- beginning of system
try the latest version (v2 update done)
在Android 7.1 arm64-v8a系统上Hook系统的send函数崩溃
使用HookZz hook系统的send函数，运行之后，当点击屏幕时崩溃，代码如下：
崩溃日志如下：
使用ZzReplace函数执行hook，也是在运行之后，点击屏幕就崩溃，hook代码如下：
日志