jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Does Android support DobbyInstrument? If it does, please take a look at this problem #95

Closed ndl1302732 closed 3 years ago

ndl1302732 commented 3 years ago

1. Dobby build script (with DynamicBinaryInstrument=ON):

```sh
# Configure from the build directory for 32-bit ARM Android with the NDK toolchain
cmake .. \
  -DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
  -DCMAKE_BUILD_TYPE=Release \
  -DCMAKE_SYSTEM_NAME=Android \
  -DCMAKE_ANDROID_ARCH_ABI="armeabi-v7a" \
  -DCMAKE_ANDROID_NDK=$ANDROID_NDK \
  -DCMAKE_SYSTEM_VERSION=21 \
  -DANDROID_TOOLCHAIN=clang \
  -DCMAKE_ANDROID_NDK_TOOLCHAIN_VERSION=clang \
  -DDynamicBinaryInstrument=ON \
  -DNearBranch=ON \
  -DPlugin.SymbolResolver=ON
make -j4
```

2. Build it as a static library, use it in the APK, then hook the `free` function with DobbyInstrument.

3. The test code is as follows:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "dobby.h"

// Helper from the Dobby examples; its definition is not shown in this issue (signature assumed).
void format_integer_manually(char *buf, uintptr_t integer);

// Instrument callback: Dobby passes the saved register context and the hook entry info by pointer.
void free_callback(RegisterContext *reg_ctx, const HookEntryInfo *info) {
  uintptr_t mem_ptr;

  mem_ptr = getCallFirstArg(reg_ctx);

  // A writable array, not a pointer to a string literal: the "00000000" placeholder is overwritten in place.
  char buffer[] = "[-] function free first arg: 0x00000000.\n";
  format_integer_manually(strchr(buffer, '.') - 1, mem_ptr);
  puts(buffer);
}

static void hook() { DobbyInstrument((void *)free, free_callback); }
```

Additional note: even with all the code in free_callback commented out, it still crashes.

4. The crash log is as follows (test device: Android 10 Pixel XL; it also crashes on an OPPO R9S, but I couldn't capture a detailed crash log there, so only the Pixel XL log is pasted):

```
2020-08-19 16:31:54.429 8391-8391/com.xx.xx.xx A/libc: Fatal signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xeec0004c in tid 8391 (com.xx.xx.xx), pid 8391 (com.xx.xx.xx)
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG:
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: Build fingerprint: 'google/marlin/marlin:10/QP1A.190711.020/5800535:user/release-keys'
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: Revision: '0'
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: ABI: 'arm'
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: Timestamp: 2020-08-19 16:31:54+0800
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: pid: 8391, tid: 8391, name: com.xx.xx.xx >>> com.xx.xx.xx <<<
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: uid: 10176
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xeec0004c (*pc=0xffffffff)
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: r0 ffde4797 r1 ffde4700 r2 00000000 r3 ffde479f
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: r4 00000001 r5 ffde4710 r6 00000000 r7 7fffffff
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: r8 00000001 r9 ffde4664 r10 c5d32557 r11 edc92260
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: ip 00000000 sp ffde4110 lr edc6a0a1 pc eec0004c
2020-08-19 16:31:54.580 8430-8430/? A/DEBUG: backtrace:
2020-08-19 16:31:54.580 8430-8430/? A/DEBUG: #00 pc 0000004c
2020-08-19 16:31:54.581 8430-8430/? A/DEBUG: #01 pc 0008e09d /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x2a000) (__vfprintf+6344) (BuildId: 68c87e04526a60689ecb5deb329804a0)
2020-08-19 16:31:54.581 8430-8430/? A/DEBUG: #02 pc 645f3ce3
```

ndl1302732 commented 3 years ago

Addendum: I have already pulled the latest code.

ndl1302732 commented 3 years ago

@jmpews

There is an example in the builtin-plugins directory:

```c
__attribute__((constructor)) static void ctor() {
  void *lib = dlopen("/usr/lib/libMobileGestalt.dylib", RTLD_NOW);
  void *MGCopyAnswer_addr = DobbySymbolResolver("libMobileGestalt.dylib", "MGCopyAnswer");

  dobby_enable_near_branch_trampoline();
  DobbyInstrument((void *)MGCopyAnswer_addr, common_handler);
  dobby_disable_near_branch_trampoline();
}
```

Could you advise how to call dobby_enable_near_branch_trampoline() and dobby_disable_near_branch_trampoline()?

dobby.h does not export these two functions.

jmpews commented 3 years ago

free is a sensitive function. The internal flow uses free, so it causes recursion; please choose a different function.

dobby.h only exports these two functions on IA64.
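One defensive pattern for the recursion jmpews describes, as an added example that is not part of Dobby or of this thread: a per-thread re-entrancy guard inside the instrument callback. Dobby's API is not linked here, so `instrumented_free` stands in for the hooked function plus its trampoline and `instrument_handler` for the callback passed to DobbyInstrument; both are assumed names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Per-thread guard: set while the handler is running on this thread. */
static _Thread_local int in_handler = 0;

static int handler_calls = 0;      /* handler bodies actually executed */
static int skipped_reentries = 0;  /* re-entries refused by the guard */

static void instrumented_free(void *p);

/* Stand-in for the callback handed to DobbyInstrument(). Like the
 * issue's free_callback it logs the first argument, and the logging
 * itself allocates and frees, which re-enters the hooked function. */
static void instrument_handler(void *first_arg) {
    if (in_handler) {              /* already inside: do not recurse */
        skipped_reentries++;
        return;
    }
    in_handler = 1;
    handler_calls++;
    char *msg = malloc(64);
    snprintf(msg, 64, "[-] function free first arg: %p\n", first_arg);
    fputs(msg, stdout);
    instrumented_free(msg);        /* re-enters the hooked function */
    in_handler = 0;
}

/* Stand-in for the hooked free: the trampoline runs the handler first,
 * then the original function. */
static void instrumented_free(void *p) {
    instrument_handler(p);
    free(p);
}

/* Frees one block through the hook; returns how many handler bodies ran. */
int run_demo(void) {
    char *p = malloc(16);
    instrumented_free(p);
    return handler_calls;          /* 1: the nested call was skipped */
}

int reentries_skipped(void) { return skipped_reentries; }

int main(void) {
    printf("handler bodies: %d, skipped re-entries: %d\n",
           run_demo(), reentries_skipped());
    return 0;
}
```

The guard only stops recursion that passes through the handler; it cannot help when Dobby's own internal flow calls the hooked function before the handler runs, which is why the advice to pick a function other than free still stands.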

ndl1302732 commented 3 years ago

thanks