
a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

在android的7.1 arm64-v8a系统上Hook系统的send函数崩溃 #38

Closed BiteFoo closed 5 years ago

BiteFoo commented 5 years ago

在 Android 7.1 arm64-v8a 系统上 Hook 系统的 send 函数崩溃

使用 HookZz hook 系统的 send 函数，运行之后，点击屏幕时崩溃，代码如下：

/* HookZz pre-call callback for send(): only logs; it reads and writes none of its arguments. */
void send_pre_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    (void) rs;
    (void) tsp;
    (void) csp;
    (void) info;
    LOGE("[SEND] pre calling ==============>>");
}
/* HookZz post-call callback for send(): only logs; it reads and writes none of its arguments. */
void send_post_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    (void) rs;
    (void) tsp;
    (void) csp;
    (void) info;
    LOGE("[SEND] post calling =============>>");
}

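/*
 * Wrap the system send() with the send_pre_call / send_post_call callbacks.
 * NOTE(review): the status returned by ZzWrap is not checked here, so a failed
 * install goes unnoticed; confirm its return type before adding a check.
 */
void hook_send(void)
{
    ZzWrap((void *) send, send_pre_call, send_post_call);
}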

崩溃日志如下：

09-13 15:00:30.749 23014-23014/my.hookdemo E/HOOKZZ_SOCKET:  [RECVFROM]    [fd:44]|[__buf:0x7a878acc20]|[__n:2264]|[__flg:64]|[__dst_addr:0x0]|[__dst_addr_length:0x0]

09-13 15:00:30.753 23014-23014/my.hookdemo E/HOOKZZ: [SEND] pre calling ==============>>

    --------- beginning of crash
09-13 15:00:30.753 23014-23014/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 23014 (my.hookdemo)
09-13 15:00:30.831 23054-23054/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-13 15:00:30.832 23054-23054/? A/DEBUG: Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys'
    Revision: '0'
    ABI: 'arm64'
    pid: 23014, tid: 23014, name: my.hookdemo  >>> my.hookdemo <<<
    signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18
        x0   000000000000002c  x1   0000007fdd2e9e60  x2   0000000000000010  x3   0000000000004040
        x4   0000000000000000  x5   0000000000000000  x6   0000000000000000  x7   000000000000000b
        x8   0000000000000008  x9   0000000000000003  x10  0000000010000000  x11  0000000000000000
        x12  0000007fdd2ea860  x13  0000007a9308f600  x14  0000007a862d70c0  x15  0000007a96c1e1c8
        x16  0000007a9551fd98  x17  0000007aa5b0db18  x18  0000000072c31a5c  x19  0000007fdd2e9e60
        x20  0000007a862d7d60  x21  0000000000000010  x22  0000000000004040  x23  0000000000000000
        x24  0000000000000000  x25  000000000000128e  x26  000000000000128e  x27  0000000012d98140
        x28  0000000000000001  x29  0000007fdd2e9e30  x30  0000007a9190a01c
        sp   0000007fdd2e9e10  pc   0000007aa5b0db18  pstate 0000000060000000
09-13 15:00:30.834 23054-23054/? A/DEBUG: backtrace:
        #00 pc 0000007aa5b0db18  <unknown>
        #01 pc 0000000000000018  <anonymous:0000007a9190a000>

使用 ZzReplace 函数执行 hook，同样是在运行之后点击屏幕就崩溃，hook 代码如下：

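/*
 * Trampoline to the original send(), filled in by ZzReplace when the hook is
 * installed. Static storage, so it is NULL until then. Parameter names avoid the
 * double-underscore prefix, which is reserved for the implementation.
 */
ssize_t (*origin_send)(int fd, const void *buf, size_t n, int flags);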

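/*
 * Replacement installed over send() with ZzReplace.
 * Logs the call, then forwards the unchanged arguments to the original
 * implementation through origin_send and returns its result.
 *
 * Precondition: origin_send has been filled in by ZzReplace before the hook
 * goes live; it is not checked here. Parameter names avoid the reserved
 * double-underscore prefix.
 */
ssize_t fake_send(int fd, const void *buf, size_t n, int flags) {
    SOCKET_LOG("fake_send calling ****************>>");
    return origin_send(fd, buf, n, flags);
}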

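/*
 * Install an inline replacement hook with HookZz.
 *
 * target_addr: address of the function to replace.
 * new_addr:    address of the replacement function.
 * proto_addr:  if non-NULL, receives the trampoline that reaches the original
 *              function; left untouched when the install fails.
 *
 * Returns 0 on success, -1 when ZzReplace reports anything but RS_SUCCESS.
 */
static int doHookZZ(uint64_t target_addr, uint64_t new_addr, uint64_t **proto_addr) {
    void *original = NULL;

    /* Go through uintptr_t so the integer-to-pointer conversion is explicit. */
    void *target = (void *) (uintptr_t) target_addr;
    void *replacement = (void *) (uintptr_t) new_addr;

    if (ZzReplace(target, replacement, &original) != RS_SUCCESS) {
        return -1;
    }

    /* Hand the trampoline back via a local instead of aliasing uint64_t ** as void **. */
    if (proto_addr != NULL) {
        *proto_addr = (uint64_t *) original;
    }
    return 0;
}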

日志如下：

09-13 15:15:31.402 26230-26230/my.hookdemo E/HOOKZZ_SOCKET: fake_send calling ****************>>

    --------- beginning of crash
09-13 15:15:31.403 26230-26230/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 26230 (my.hookdemo)
09-13 15:15:31.477 26398-26398/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys'
09-13 15:15:31.478 26398-26398/? A/DEBUG: Revision: '0'
    ABI: 'arm64'
    pid: 26230, tid: 26230, name: my.hookdemo  >>> my.hookdemo <<<
    signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18
        x0   000000000000002c  x1   0000007fdd2e9e60  x2   0000000000000010  x3   0000000000004040
        x4   0000000000000000  x5   0000000000000000  x6   0000007a96eed000  x7   0000000000000000
        x8   0000000000004040  x9   0000000000000034  x10  0000007fdd2e9860  x11  0000000000000025
        x12  0000000000000018  x13  0000000000000000  x14  0000000000000000  x15  0017fdb2c501f011
        x16  0000007a93bf7a48  x17  0000007aa5b0db18  x18  0000000072c31a5c  x19  0000007fdd2e9e60
        x20  0000007a862e3040  x21  0000000000000010  x22  0000000000004040  x23  0000000000000000
        x24  0000000000000000  x25  0000000000001421  x26  0000000000001421  x27  0000000012d84420
        x28  0000000000000001  x29  0000007fdd2e9e00  x30  0000007a78fb3d6c
        sp   0000007fdd2e9dd0  pc   0000007aa5b0db18  pstate 0000000060000000
09-13 15:15:31.982 26398-26398/? A/DEBUG: backtrace:
        #00 pc 0000007aa5b0db18  <unknown>
        #01 pc 000000000000dd68  /data/app/my.hookdemo-1/lib/arm64/libhookzz64.so (_Z9fake_sendiPKvmi+108)
        #02 pc 0000000000022a7c  /system/lib64/libinput.so (_ZN7android12InputChannel11sendMessageEPKNS_12InputMessageE+108)
        #03 pc 0000000000024870  /system/lib64/libinput.so (_ZN7android13InputConsumer18sendFinishedSignalEjb+400)
09-13 15:15:31.983 26398-26398/? A/DEBUG:     #04 pc 00000000000d8908  /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver16finishInputEventEjb+56)
        #05 pc 00000000000d8a5c  /system/lib64/libandroid_runtime.so
        #06 pc 00000000022111e4  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.nativeFinishInputEvent+144)
        #07 pc 0000000002211734  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.finishInputEvent+384)
        #08 pc 000000000230a68c  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.finishInputEvent+168)
        #09 pc 0000000002307378  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.-wrap5+52)
        #10 pc 00000000022fbbc8  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+100)
        #11 pc 00000000022fec88  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$SyntheticInputStage.onDeliverToNext+324)
        #12 pc 00000000022fbb24  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
        #13 pc 00000000022fb714  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
        #14 pc 00000000022fb934  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
        #15 pc 00000000022fbba0  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
        #16 pc 0000000002303d24  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$ViewPostImeInputStage.onDeliverToNext+256)
        #17 pc 00000000022fbb24  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
        #18 pc 00000000022fb714  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
        #19 pc 00000000022fb934  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
        #20 pc 00000000022fbba0  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
        #21 pc 00000000022fbb24  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
        #22 pc 00000000022fc600  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.forward+92)
        #23 pc 00000000022fb714  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
        #24 pc 00000000022fc38c  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.apply+120)
        #25 pc 00000000022fb934  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
        #26 pc 00000000022fbba0  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
        #27 pc 00000000022fbb24  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
        #28 pc 00000000022fb714  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
        #29 pc 00000000022fb934  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
        #30 pc 00000000023089e4  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.deliverInputEvent+272)
        #31 pc 0000000002314428  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.doProcessInputEvents+372)
        #32 pc 0000000002314d5c  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.enqueueInputEvent+312)
        #33 pc 0000000002306ee8  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$WindowInputEventReceiver.onInputEvent+68)
        #34 pc 0000000002210e0c  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.dispatchInputEvent+120)
        #35 pc 00000000000d3b34  /system/lib64/libart.so (art_quick_invoke_stub+580)
        #36 pc 00000000000e0800  /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+204)
        #37 pc 0000000000432240  /system/lib64/libart.so (_ZN3artL18InvokeWithArgArrayERKNS_33ScopedObjectAccessAlreadyRunnableEPNS_9ArtMethodEPNS_8ArgArrayEPNS_6JValueEPKc+108)
        #38 pc 00000000004337ec  /system/lib64/libart.so (_ZN3art35InvokeVirtualOrInterfaceWithVarArgsERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectP10_jmethodIDSt9__va_list+388)
09-13 15:15:31.984 26398-26398/? A/DEBUG:     #39 pc 0000000000337e1c  /system/lib64/libart.so (_ZN3art3JNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+624)
        #40 pc 000000000010700c  /system/lib64/libart.so (_ZN3art8CheckJNI11CallMethodVEPKcP7_JNIEnvP8_jobjectP7_jclassP10_jmethodIDSt9__va_listNS_9Primitive4TypeENS_10InvokeTypeE+3684)
        #41 pc 00000000000f93a0  /system/lib64/libart.so (_ZN3art8CheckJNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+96)
        #42 pc 00000000000a5df8  /system/lib64/libandroid_runtime.so
        #43 pc 00000000000d8cc4  /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver13consumeEventsEP7_JNIEnvblPb+432)
        #44 pc 00000000000d9270  /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver11handleEventEiiPv+440)
        #45 pc 0000000000018308  /system/lib64/libutils.so (_ZN7android6Looper9pollInnerEi+916)
        #46 pc 0000000000017eb4  /system/lib64/libutils.so (_ZN7android6Looper8pollOnceEiPiS1_PPv+60)
        #47 pc 00000000000f0cf4  /system/lib64/libandroid_runtime.so (_ZN7android18NativeMessageQueue8pollOnceEP7_JNIEnvP8_jobjecti+48)
        #48 pc 0000000001f324f0  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.MessageQueue.nativePollOnce+140)
        #49 pc 0000000001f34110  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.MessageQueue.next+236)
        #50 pc 0000000001f2de28  /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.Looper.loop+340)
        #51 pc 00000000000dd37c  /system/lib64/libart.so

    --------- beginning of system
jmpews commented 5 years ago

Try the latest version (the v2 update is done).