0x01 作用
hook native层的RegisterNatives函数,打印注册的函数名和函数地址
0x02 代码
var ishook_libart = true;function hook_libart() {if (ishook_libart === false) {return;}var symbols = Module.enumerateSymbolsSync("libart.so");var addrGetStringUTFChars = null;var addrNewStringUTF = null;var addrFindClass = null;var addrGetMethodID = null;var addrGetStaticMethodID = null;var addrGetFieldID = null;var addrGetStaticFieldID = null;var addrRegisterNatives = null;var addrAllocObject = null;var addrCallObjectMethod = null;var addrGetObjectClass = null;var addrReleaseStringUTFChars = null;for (var i = 0; i < symbols.length; i++) {var symbol = symbols[i];if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") {addrGetStringUTFChars = symbol.address;// console.log("GetStringUTFChars is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") {addrNewStringUTF = symbol.address;// console.log("NewStringUTF is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") {addrFindClass = symbol.address;// console.log("FindClass is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") {addrGetMethodID = symbol.address;// console.log("GetMethodID is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") {addrGetStaticMethodID = symbol.address;// console.log("GetStaticMethodID is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") {addrGetFieldID = symbol.address;// console.log("GetFieldID is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") {addrGetStaticFieldID = symbol.address;// console.log("GetStaticFieldID is at ", symbol.address, symbol.name);} else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") {addrRegisterNatives = symbol.address;console.log("RegisterNatives is at ", symbol.address, symbol.name);} else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) {addrAllocObject = symbol.address;// console.log("AllocObject is at ", symbol.address, symbol.name);} else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) {addrCallObjectMethod = symbol.address;// console.log("CallObjectMethod is at ", symbol.address, symbol.name);} else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) {addrGetObjectClass = symbol.address;// console.log("GetObjectClass is at ", symbol.address, symbol.name);} else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) {addrReleaseStringUTFChars = symbol.address;// console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name);}}if (addrRegisterNatives != null) {Interceptor.attach(addrRegisterNatives, {onEnter: function (args) {console.log("[RegisterNatives] method_count:", args[3]);var env = args[0];var java_class = args[1];var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]);var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]);var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]);var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]);var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]);var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]);var clz_obj = funcAllocObject(env, java_class);var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;"));var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass);var cls = funcGetObjectClass(env, clz_obj2);var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;"));var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName);var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0));var class_name = ptr(name_pchar).readCString();funcReleaseStringUTFChars(env, name_jstring, name_pchar);//console.log(class_name);var methods_ptr = ptr(args[2]);var method_count = parseInt(args[3]);for (var i = 0; i < method_count; i++) {var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));var name = Memory.readCString(name_ptr);var sig = Memory.readCString(sig_ptr);var find_module = Process.findModuleByAddress(fnPtr_ptr);console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base));}},onLeave: function (retval) { }});}ishook_libart = true;}hook_libart();//frida -U --no-pause -f co.c0c.myApplication -l hookregisternatives.js
若有收获,就点个赞吧
0 人点赞
