jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Hooking the open function sometimes crashes; test environment and other details attached #93

Closed ndl1302732 closed 3 years ago

ndl1302732 commented 3 years ago

Problem: while playing a certain game, hooking the open function crashes. (A test app written with Dobby that hooks its own open function does not crash.) Is it because open is a variadic function? (I recall HookZz had a similar problem before.) But hooking the open function of a demo app I wrote myself does not crash.

Test environment: Android 10, Pixel XL (codename marlin), self-built AOSP flashed onto the device.

The code is as follows:

```cpp
#include <fcntl.h>
#include <stdarg.h>
#include <sys/types.h>
#include <android/log.h>
#include "dobby.h"

// LOGI is assumed to be the usual liblog wrapper (not shown in the original post)
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "hooktest", __VA_ARGS__)

// Prototype of the original open(); the third argument is variadic
typedef int (*PFN_OPEN)(const char *path, int flags, ...);
PFN_OPEN pOrgOpen = NULL;

int fake_open(const char *path, int flags, ...) {
    mode_t mode = 0;

    // The mode argument is only passed when O_CREAT is set
    if ((flags & O_CREAT) != 0) {
        va_list args;
        va_start(args, flags);
        mode = static_cast<mode_t>(va_arg(args, int));
        va_end(args);
    }

    LOGI("fake_open %s", path);
    return pOrgOpen(path, flags, mode);
}

void dohook() {
    int ret = DobbyHook((void *)open, (void *)fake_open, (void **)&pOrgOpen);
    LOGI("hook open ret = %d", ret);
}
```


The crash stack is as follows (crash code = ILL_ILLOPC, crash offset = open+4):

```
2020-08-12 10:05:15.238 8611-8611/? A/DEBUG: Build fingerprint: 'google/marlin/marlin:10/QP1A.190711.020/eng.androi.20200810.062111:userdebug/test-keys'
2020-08-12 10:05:15.238 8611-8611/? A/DEBUG: Revision: '0'
2020-08-12 10:05:15.238 8611-8611/? A/DEBUG: ABI: 'arm'
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG: Timestamp: 2020-08-12 10:05:15+0800
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG: pid: 8532, tid: 8532, name: .eosm.google.tw >>> com.bluepotiongames.eosm.google.tw <<<
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG: uid: 10104
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xf2eece38 (*pc=0xccdd3405)
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG:     r0  ec612dd0  r1  00080000  r2  00000000  r3  f3f25001
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG:     r4  00080000  r5  ec612dd0  r6  00000000  r7  ffba0f60
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG:     r8  00000173  r9  ffba1000  r10 f2f3d260  r11 13e312a0
2020-08-12 10:05:15.239 8611-8611/? A/DEBUG:     ip  ffba0a68  sp  ffba0f48  lr  ccdd3457  pc  f2eece38
2020-08-12 10:05:15.605 8611-8611/? A/DEBUG: backtrace:
2020-08-12 10:05:15.605 8611-8611/? A/DEBUG:       #00 pc 00065e38  /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x65000) (open+4) (BuildId: 73d3849d90f6332c8e1217c9f55cc9f5)
2020-08-12 10:05:15.605 8611-8611/? A/DEBUG:       #01 pc 00026dce  [anon:libc_malloc]
2020-08-12 10:05:15.780 836-836/? E//system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_12
```

jmpews commented 3 years ago

https://github.com/jmpews/Dobby/blob/master/builtin-plugin/ApplicationEventMonitor/posix_file_descriptor_operation_monitor.cc#L25

ndl1302732 commented 3 years ago

Thanks. I'll try copying that code next week. Also, will this framework keep being maintained? I'd like to integrate it into my project.

jmpews commented 3 years ago

Yes.

zhaozzw commented 2 years ago

I've run into a similar problem too, a crash with fopen. Could I ask you about it?