jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Coredump when hooking the system-level send function #9

Closed. zhaowq32 closed this 6 years ago

zhaowq32 commented 6 years ago

Code:

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <android/log.h>
#include "hookzz.h"   /* HookZz header; assumed to be on the include path */

/* LOGI is not defined in the snippet; assumed to be a thin wrapper over __android_log_print */
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "hook", __VA_ARGS__)

/* pre/post callbacks, intentionally empty */
void precall(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
}
void postcall(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
}
/* filled in by ZzHook with a trampoline back into the original send */
ssize_t (*orig_send)(int, const void *, size_t, int);
ssize_t fake_send(int __fd, const void *__buf, size_t __n, int __flags) {
    LOGI("called send");
    ssize_t x = orig_send(__fd, __buf, __n, __flags);
    return x;
}
__attribute__((constructor)) void hook_socket() {
    ZzEnableDebugMode();
    ZzHook((void *)send, (void *)fake_send, (void **)&orig_send, precall, postcall, FALSE);
}
```
jmpews commented 6 years ago

Did you pull the latest code? My tests here show no problem.

zhaowq32 commented 6 years ago

The code is the latest; I rebuilt it and it still errors. Fatal signal 7 (SIGBUS), code 1, fault addr 0x36 in tid 12110

jmpews commented 6 years ago

OK, a few questions.

  1. Which system version?

  2. In the code below, set a breakpoint at each <breakpoint> marker. Which one is hit? Or are none of the three triggered?

```c
void precall(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
<breakpoint>
}
void postcall(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
<breakpoint>
}

ssize_t (*orig_send)(int, const void *, size_t, int);
ssize_t fake_send (int __fd, const void *__buf, size_t __n, int __flags) {
<breakpoint>
    LOGI("called send");
    ssize_t x = orig_send(__fd, __buf, __n, __flags);
    return x;
}
__attribute__((constructor)) void hook_socket() {
    ZzEnableDebugMode();
    ZzHook((void *)send, (void *)fake_send, (void **)&orig_send, precall, postcall, FALSE);
    send(-1, "test", 4, 0);
}
```

  3. Could you send the debug log output? ZzEnableDebugMode enables log output; please paste it.
zhaowq32 commented 6 years ago

After switching to a different phone the error is gone... Is it related to the Android version? The one that errors is a Redmi Note 4X on Android 7.0; the one that doesn't is a Samsung Note 3 on Android 5.0.

jmpews commented 6 years ago

This problem is alignment-related. I'll check it again and strengthen the log function while I'm at it.

zhaowq32 commented 6 years ago

It coredumps right after the line `ssize_t x = orig_send(fd, buf, n, flags);` executes. The log is below:

10-30 21:30:09.366 30807-30807/coder.priv.hook I/zzinfo: ZzThunkerBuildThunk:
                                                         LogInfo: enter_thunk at 0xe925d000, length: 194.
10-30 21:30:09.366 30807-30807/coder.priv.hook I/zzinfo: ZzThunkerBuildThunk:
                                                         LogInfo: leave_thunk at 0xe925d0c4, length: 194.
10-30 21:30:09.366 30807-30807/coder.priv.hook I/zzinfo: ZzBuildEnterTrampoline:
                                                         LogInfo: on_enter_trampoline at 0xe925d24c, length: 32. hook-entry: 0xf0c13480. and will jump to enter_thunk(0xe925d001)
10-30 21:30:09.367 30807-30807/coder.priv.hook I/zzinfo: ZzBuildInvokeTrampoline:
                                                         LogInfo: on_invoke_trampoline at 0xe925d26c, length: 20. and will jump to rest code(0xf189fabe).
                                                         ThumbInstructionFix: origin instruction at 0xf189fab6, end at 0xf189fabe, relocator instruction nums 3
                                                         origin_prologue: 0x80 0xb5 0x82 0xb0 0x4f 0xf0 0x00 0x0c 
10-30 21:30:09.367 30807-30807/coder.priv.hook I/zzinfo: ZzBuildLeaveTrampoline:
                                                         LogInfo: on_leave_trampoline at 0xe925d280, length: 32. and will jump to leave_thunk(0xe925d0c5).
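Since the maintainer points at alignment, a useful first check on a log like the one above is whether the trampoline addresses it reports are internally consistent for Thumb code: each "will jump to" target should be the Thumb-tagged form (bit 0 set) of the 4-byte-aligned thunk it names, the "rest code" resume address should equal the end of the relocated range, and that range should hold exactly the prologue bytes the relocator says it copied. The program below is an added example, not Dobby/HookZz code; it embeds the LogInfo lines quoted from this issue as constructed input, parses the hex addresses out of them and decodes the Thumb instruction lengths of the `origin_prologue` bytes to compare against the relocator's count of 3. The parsing keys and function names are assumptions for the example only.

```c
/* Added example (not project code): consistency checks over the HookZz
 * trampoline log pasted in the issue. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the LogInfo lines quoted from the issue above. */
static const char *const kLogLines[] = {
    "LogInfo: enter_thunk at 0xe925d000, length: 194.",
    "LogInfo: leave_thunk at 0xe925d0c4, length: 194.",
    "LogInfo: on_enter_trampoline at 0xe925d24c, length: 32. hook-entry: 0xf0c13480. and will jump to enter_thunk(0xe925d001)",
    "LogInfo: on_invoke_trampoline at 0xe925d26c, length: 20. and will jump to rest code(0xf189fabe).",
    "ThumbInstructionFix: origin instruction at 0xf189fab6, end at 0xf189fabe, relocator instruction nums 3",
    "LogInfo: on_leave_trampoline at 0xe925d280, length: 32. and will jump to leave_thunk(0xe925d0c5).",
};

/* origin_prologue bytes from the log: push {r7, lr}; sub sp, #8; mov.w r12, #0 */
static const uint8_t kOriginPrologue[] = {0x80, 0xb5, 0x82, 0xb0, 0x4f, 0xf0, 0x00, 0x0c};

/* Parse the "0x..." value that follows `key` in `line`. Returns 1 on success. */
int parse_hex_after(const char *line, const char *key, uintptr_t *out) {
    const char *p = strstr(line, key);
    if (!p) return 0;
    p = strstr(p + strlen(key), "0x");
    if (!p) return 0;
    *out = (uintptr_t)strtoull(p, NULL, 16);
    return 1;
}

/* On ARM, a branch target with bit 0 set selects Thumb state. */
int is_thumb_target(uintptr_t addr) { return (int)(addr & 1u); }

/* A jump into a thunk is consistent when the thunk itself is 4-byte aligned
 * and the target is the Thumb-tagged form of its start address (thunk | 1). */
int thumb_jump_consistent(uintptr_t thunk_at, uintptr_t jump_target) {
    return (thunk_at & 3u) == 0 && is_thumb_target(jump_target) && jump_target == (thunk_at | 1u);
}

/* Count Thumb instructions in `n` bytes (little-endian halfwords). A halfword
 * whose top five bits are 0b11101, 0b11110 or 0b11111 is the first half of a
 * 32-bit Thumb-2 encoding. Returns -1 if the bytes do not end on a boundary. */
int count_thumb_instructions(const uint8_t *bytes, size_t n) {
    int count = 0;
    size_t i = 0;
    while (i + 2 <= n) {
        uint16_t hw = (uint16_t)(bytes[i] | (bytes[i + 1] << 8));
        size_t len = ((hw >> 11) >= 0x1d) ? 4 : 2;
        if (i + len > n) return -1;   /* truncated 32-bit instruction */
        i += len;
        count++;
    }
    return (i == n) ? count : -1;
}

/* Run all checks over the pasted log; returns the number of failed checks,
 * or -1 if a value could not be parsed. */
int check_issue_log(void) {
    int failures = 0;
    uintptr_t enter_thunk, leave_thunk, enter_target, leave_target, origin, end, rest;
    if (!parse_hex_after(kLogLines[0], "enter_thunk at", &enter_thunk)) return -1;
    if (!parse_hex_after(kLogLines[1], "leave_thunk at", &leave_thunk)) return -1;
    if (!parse_hex_after(kLogLines[2], "enter_thunk(", &enter_target)) return -1;
    if (!parse_hex_after(kLogLines[5], "leave_thunk(", &leave_target)) return -1;
    if (!parse_hex_after(kLogLines[4], "origin instruction at", &origin)) return -1;
    if (!parse_hex_after(kLogLines[4], "end at", &end)) return -1;
    if (!parse_hex_after(kLogLines[3], "rest code(", &rest)) return -1;

    failures += !thumb_jump_consistent(enter_thunk, enter_target);
    failures += !thumb_jump_consistent(leave_thunk, leave_target);
    /* the resume point must be the end of the relocated range */
    failures += (rest != end);
    /* the relocated range must cover exactly the prologue bytes the relocator copied */
    failures += ((end - origin) != sizeof kOriginPrologue);
    failures += (count_thumb_instructions(kOriginPrologue, sizeof kOriginPrologue) != 3);
    return failures;
}

int main(void) {
    int f = check_issue_log();
    printf("failed checks: %d\n", f);
    return f != 0;
}
```

For this log every check passes (the thunk jumps carry the Thumb bit, the resume address is the end of the relocated range, and the 8 prologue bytes decode to the 3 instructions the relocator reports), so the layout the log describes is self-consistent; the remaining alignment question the maintainer raises lies in the emitted trampoline or thunk code itself, which this log does not show.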
jmpews commented 6 years ago

My WeChat: winter1ife, QQ: 858982985. Feel free to get in touch.