frida native hook

2022-06-19  本文已影响0人  android小奉先

本篇介绍

frida 也支持hook native,本篇看下如何hook native

hook native函数

这次hook下设置,首先看下用了哪些so:

objection -g com.android.settings   explore
memory list modules

这时候输出如下:

Name                                                      Base          Size                 Path
--------------------------------------------------------  ------------  -------------------  ------------------------------------------------------------------------------
app_process64                                             0x5839cc7000  40960 (40.0 KiB)     /system/bin/app_process64
linker64                                                  0x72c2ba8000  200704 (196.0 KiB)   /system/bin/linker64
libandroid_runtime.so                                     0x72be415000  1699840 (1.6 MiB)    /system/lib64/libandroid_runtime.so
libbinder.so                                              0x72bd6dd000  663552 (648.0 KiB)   /system/lib64/libbinder.so
libcutils.so                                              0x72bde01000  73728 (72.0 KiB)     /system/lib64/libcutils.so
libhidlbase.so                                            0x72bf785000  757760 (740.0 KiB)   /system/lib64/libhidlbase.so
liblog.so                                                 0x72bc441000  73728 (72.0 KiB)     /system/lib64/liblog.so
libnativeloader.so                                        0x72bea00000  221184 (216.0 KiB)   /apex/com.android.art/lib64/libnativeloader.so
libutils.so                                               0x72bea5e000  122880 (120.0 KiB)   /system/lib64/libutils.so
libwilhelm.so                                             0x72bf602000  253952 (248.0 KiB)   /system/lib64/libwilhelm.so
libc++.so                                                 0x72be806000  720896 (704.0 KiB)   /system/lib64/libc++.so
libc.so                                                   0x72be659000  913408 (892.0 KiB)   /apex/com.android.runtime/lib64/bionic/libc.so
libm.so                                                   0x72c0b02000  225280 (220.0 KiB)   /apex/com.android.runtime/lib64/bionic/libm.so
libdl.so                                                  0x72bfcde000  20480 (20.0 KiB)     /apex/com.android.runtime/lib64/bionic/libdl.so
libbase.so                                                0x72bdf41000  249856 (244.0 KiB)   /system/lib64/libbase.so
libharfbuzz_ng.so                                         0x72c0640000  729088 (712.0 KiB)   /system/lib64/libharfbuzz_ng.so
libhwui.so                                                0x72bc510000  7782400 (7.4 MiB)    /system/lib64/libhwui.so
libminikin.so                                             0x72bcd8e000  172032 (168.0 KiB)   /system/lib64/libminikin.so
libnativehelper.so                                        0x72be151000  32768 (32.0 KiB)     /apex/com.android.art/lib64/libnativehelper.so
libz.so                                                   0x72bdb54000  98304 (96.0 KiB)     /system/lib64/libz.so
libziparchive.so                                          0x72bcfd3000  65536 (64.0 KiB)     /system/lib64/libziparchive.so
libandroidicu.so                                          0x72c0ac5000  212992 (208.0 KiB)   /apex/com.android.art/lib64/libandroidicu.so
libbpf_android.so                                         0x72be624000  53248 (52.0 KiB)     /system/lib64/libbpf_android.so
libnetdbpf.so                                             0x72bfe8a000  159744 (156.0 KiB)   /system/lib64/libnetdbpf.so
libnetdutils.so                                           0x72bee82000  81920 (80.0 KiB)     /system/lib64/libnetdutils.so
libmemtrack.so                                            0x72c0130000  16384 (16.0 KiB)     /system/lib64/libmemtrack.so
libandroidfw.so                                           0x72bce8f000  450560 (440.0 KiB)   /system/lib64/libandroidfw.so
libappfuse.so                                             0x72bc3c9000  57344 (56.0 KiB)     /system/lib64/libappfuse.so
libcrypto.so                                              0x72bd445000  1126400 (1.1 MiB)    /system/lib64/libcrypto.so
libdebuggerd_client.so                                    0x72be92f000  40960 (40.0 KiB)     /system/lib64/libdebuggerd_client.so
libui.so                                                  0x72bcf47000  290816 (284.0 KiB)   /system/lib64/libui.so
libgraphicsenv.so                                         0x72bd1cd000  57344 (56.0 KiB)     /system/lib64/libgraphicsenv.so
libgui.so                                                 0x72c09c0000  1003520 (980.0 KiB)  /system/lib64/libgui.so
libmediandk.so                                            0x72c094d000  204800 (200.0 KiB)   /system/lib64/libmediandk.so
libsensor.so                                              0x72bf000000  98304 (96.0 KiB)     /system/lib64/libsensor.so
libinput.so                                               0x72bfa87000  225280 (220.0 KiB)   /system/lib64/libinput.so
libcamera_client.so                                       0x72bf981000  491520 (480.0 KiB)   /system/lib64/libcamera_client.so
libcamera_metadata.so                                     0x72c0c6c000  53248 (52.0 KiB)     /system/lib64/libcamera_metadata.so
libsqlite.so                                              0x72bfaca000  1208320 (1.2 MiB)    /system/lib64/libsqlite.so
libEGL.so                                                 0x72c0183000  229376 (224.0 KiB)   /system/lib64/libEGL.so
libGLESv1_CM.so                                           0x72befad000  36864 (36.0 KiB)     /system/lib64/libGLESv1_CM.so
libGLESv2.so                                              0x72bdcd9000  106496 (104.0 KiB)   /system/lib64/libGLESv2.so
libGLESv3.so                                              0x72bdf89000  106496 (104.0 KiB)   /system/lib64/libGLESv3.so
libincfs.so                                               0x72c039b000  135168 (132.0 KiB)   /system/lib64/libincfs.so
libdataloader.so                                          0x72be5c2000  65536 (64.0 KiB)     /system/lib64/libdataloader.so
libvulkan.so                                              0x72bd047000  159744 (156.0 KiB)   /system/lib64/libvulkan.so
libETC1.so                                                0x72c1019000  16384 (16.0 KiB)     /system/lib64/libETC1.so
libhardware.so                                            0x72be968000  12288 (12.0 KiB)     /system/lib64/libhardware.so
libhardware_legacy.so                                     0x72bdd43000  28672 (28.0 KiB)     /system/lib64/libhardware_legacy.so
libselinux.so                                             0x72bff0d000  110592 (108.0 KiB)   /system/lib64/libselinux.so
libmedia.so                                               0x72bd20d000  659456 (644.0 KiB)   /system/lib64/libmedia.so
libmedia_helper.so                                        0x72bd114000  98304 (96.0 KiB)     /system/lib64/libmedia_helper.so
libmediametrics.so                                        0x72bf89e000  86016 (84.0 KiB)     /system/lib64/libmediametrics.so
libmeminfo.so                                             0x72bfd9b000  53248 (52.0 KiB)     /system/lib64/libmeminfo.so
libaudioclient.so                                         0x72bda1a000  798720 (780.0 KiB)   /system/lib64/libaudioclient.so
libaudiofoundation.so                                     0x72be027000  94208 (92.0 KiB)     /system/lib64/libaudiofoundation.so
libaudiopolicy.so                                         0x72bffcd000  24576 (24.0 KiB)     /system/lib64/libaudiopolicy.so
libusbhost.so                                             0x72bd878000  20480 (20.0 KiB)     /system/lib64/libusbhost.so
libpdfium.so                                              0x72bf064000  4988928 (4.8 MiB)    /system/lib64/libpdfium.so
libimg_utils.so                                           0x72bff88000  122880 (120.0 KiB)   /system/lib64/libimg_utils.so
libnetd_client.so                                         0x72be2d4000  36864 (36.0 KiB)     /system/lib64/libnetd_client.so
libprocessgroup.so                                        0x72c0d80000  258048 (252.0 KiB)   /system/lib64/libprocessgroup.so
libnativebridge_lazy.so                                   0x72bd7b4000  20480 (20.0 KiB)     /system/lib64/libnativebridge_lazy.so
libnativeloader_lazy.so                                   0x72bea9b000  16384 (16.0 KiB)     /system/lib64/libnativeloader_lazy.so
libmemunreachable.so                                      0x72be34f000  200704 (196.0 KiB)   /system/lib64/libmemunreachable.so
libvintf.so                                               0x72bfc32000  569344 (556.0 KiB)   /system/lib64/libvintf.so
libnativedisplay.so                                       0x72beb4d000  77824 (76.0 KiB)     /system/lib64/libnativedisplay.so
libnativewindow.so                                        0x72bdb2a000  28672 (28.0 KiB)     /system/lib64/libnativewindow.so
libdl_android.so                                          0x72bfd44000  12288 (12.0 KiB)     /apex/com.android.runtime/lib64/bionic/libdl_android.so
libstatslog.so                                            0x72c070f000  73728 (72.0 KiB)     /system/lib64/libstatslog.so
libstatssocket.so                                         0x72bcd12000  24576 (24.0 KiB)     /apex/com.android.os.statsd/lib64/libstatssocket.so
libtimeinstate.so                                         0x72bdf27000  49152 (48.0 KiB)     /system/lib64/libtimeinstate.so
server_configurable_flags.so                              0x72bdd80000  20480 (20.0 KiB)     /system/lib64/server_configurable_flags.so
libstatspull.so                                           0x72c078d000  266240 (260.0 KiB)   /apex/com.android.os.statsd/lib64/libstatspull.so
libvndksupport.so                                         0x72bdd1b000  16384 (16.0 KiB)     /system/lib64/libvndksupport.so
libnativebridge.so                                        0x72c08a5000  24576 (24.0 KiB)     /apex/com.android.art/lib64/libnativebridge.so
libmedia_codeclist.so                                     0x72bcf2e000  65536 (64.0 KiB)     /system/lib64/libmedia_codeclist.so
libaudiomanager.so                                        0x72bebb6000  20480 (20.0 KiB)     /system/lib64/libaudiomanager.so
libdatasource.so                                          0x72be8cc000  81920 (80.0 KiB)     /system/lib64/libdatasource.so
libstagefright.so                                         0x72c0e41000  1830912 (1.7 MiB)    /system/lib64/libstagefright.so
libstagefright_foundation.so                              0x72bd18a000  212992 (208.0 KiB)   /system/lib64/libstagefright_foundation.so
libstagefright_http_support.so                            0x72bd9ef000  16384 (16.0 KiB)     /system/lib64/libstagefright_http_support.so
libdng_sdk.so                                             0x72c0c80000  778240 (760.0 KiB)   /system/lib64/libdng_sdk.so
libexpat.so                                               0x72c0856000  139264 (136.0 KiB)   /system/lib64/libexpat.so
libjpeg.so                                                0x72c0067000  319488 (312.0 KiB)   /system/lib64/libjpeg.so
libpiex.so                                                0x72c01da000  102400 (100.0 KiB)   /system/lib64/libpiex.so
libpng.so                                                 0x72bf6c4000  217088 (212.0 KiB)   /system/lib64/libpng.so
libbinder_ndk.so                                          0x72beb27000  73728 (72.0 KiB)     /system/lib64/libbinder_ndk.so
libheif.so                                                0x72bfd14000  40960 (40.0 KiB)     /system/lib64/libheif.so
libprotobuf-cpp-lite.so                                   0x72be381000  483328 (472.0 KiB)   /system/lib64/libprotobuf-cpp-lite.so
libft2.so                                                 0x72bdb9d000  593920 (580.0 KiB)   /system/lib64/libft2.so
libsync.so                                                0x72befc2000  16384 (16.0 KiB)     /system/lib64/libsync.so
libicuuc.so                                               0x72bebc1000  1789952 (1.7 MiB)    /apex/com.android.art/lib64/libicuuc.so
libicui18n.so                                             0x72c03cb000  2543616 (2.4 MiB)    /apex/com.android.art/lib64/libicui18n.so
libbpf.so                                                 0x72be1d8000  36864 (36.0 KiB)     /system/lib64/libbpf.so
android.hardware.memtrack@1.0.so                          0x72bd0e5000  81920 (80.0 KiB)     /system/lib64/android.hardware.memtrack@1.0.so
libprocinfo.so                                            0x72bce03000  16384 (16.0 KiB)     /system/lib64/libprocinfo.so
android.hardware.graphics.allocator@2.0.so                0x72bd006000  90112 (88.0 KiB)     /system/lib64/android.hardware.graphics.allocator@2.0.so
android.hardware.graphics.allocator@3.0.so                0x72bf963000  90112 (88.0 KiB)     /system/lib64/android.hardware.graphics.allocator@3.0.so
android.hardware.graphics.allocator@4.0.so                0x72c00c3000  86016 (84.0 KiB)     /system/lib64/android.hardware.graphics.allocator@4.0.so
android.hardware.graphics.common-V1-ndk_platform.so       0x72c076a000  24576 (24.0 KiB)     /system/lib64/android.hardware.graphics.common-V1-ndk_platform.so
android.hardware.graphics.common@1.2.so                   0x72bde86000  12288 (12.0 KiB)     /system/lib64/android.hardware.graphics.common@1.2.so
android.hardware.graphics.mapper@2.0.so                   0x72bedc7000  102400 (100.0 KiB)   /system/lib64/android.hardware.graphics.mapper@2.0.so
android.hardware.graphics.mapper@2.1.so                   0x72c08e5000  106496 (104.0 KiB)   /system/lib64/android.hardware.graphics.mapper@2.1.so
android.hardware.graphics.mapper@3.0.so                   0x72bf85c000  114688 (112.0 KiB)   /system/lib64/android.hardware.graphics.mapper@3.0.so
android.hardware.graphics.mapper@4.0.so                   0x72bce49000  151552 (148.0 KiB)   /system/lib64/android.hardware.graphics.mapper@4.0.so
libgralloctypes.so                                        0x72be193000  77824 (76.0 KiB)     /system/lib64/libgralloctypes.so
android.hardware.graphics.bufferqueue@1.0.so              0x72bd903000  245760 (240.0 KiB)   /system/lib64/android.hardware.graphics.bufferqueue@1.0.so
android.hardware.graphics.bufferqueue@2.0.so              0x72bdfc5000  217088 (212.0 KiB)   /system/lib64/android.hardware.graphics.bufferqueue@2.0.so
android.hardware.graphics.common@1.1.so                   0x72bef5b000  12288 (12.0 KiB)     /system/lib64/android.hardware.graphics.common@1.1.so
android.hidl.token@1.0-utils.so                           0x72be0e8000  20480 (20.0 KiB)     /system/lib64/android.hidl.token@1.0-utils.so
android.frameworks.bufferhub@1.0.so                       0x72bd659000  139264 (136.0 KiB)   /system/lib64/android.frameworks.bufferhub@1.0.so
libbufferhub.so                                           0x72be744000  61440 (60.0 KiB)     /system/lib64/libbufferhub.so
libbufferhubqueue.so                                      0x72bcdc1000  114688 (112.0 KiB)   /system/lib64/libbufferhubqueue.so
libpdx_default_transport.so                               0x72c0d4c000  155648 (152.0 KiB)   /system/lib64/libpdx_default_transport.so
libandroid_runtime_lazy.so                                0x72bfe7b000  16384 (16.0 KiB)     /system/lib64/libandroid_runtime_lazy.so
libmediadrm.so                                            0x72bd891000  188416 (184.0 KiB)   /system/lib64/libmediadrm.so
libmedia_omx.so                                           0x72be080000  192512 (188.0 KiB)   /system/lib64/libmedia_omx.so
libmedia_jni_utils.so                                     0x72bd6ab000  12288 (12.0 KiB)     /system/lib64/libmedia_jni_utils.so
libmediandk_utils.so                                      0x72bd144000  16384 (16.0 KiB)     /system/lib64/libmediandk_utils.so
libbacktrace.so                                           0x72bf918000  163840 (160.0 KiB)   /system/lib64/libbacktrace.so
android.hardware.configstore@1.0.so                       0x72bc4dc000  147456 (144.0 KiB)   /system/lib64/android.hardware.configstore@1.0.so
android.hardware.configstore-utils.so                     0x72bff7d000  12288 (12.0 KiB)     /system/lib64/android.hardware.configstore-utils.so
libSurfaceFlingerProp.so                                  0x72bfa20000  114688 (112.0 KiB)   /system/lib64/libSurfaceFlingerProp.so
android.hardware.graphics.common@1.0.so                   0x72bd3b9000  12288 (12.0 KiB)     /system/lib64/android.hardware.graphics.common@1.0.so
android.system.suspend@1.0.so                             0x72bfdd2000  122880 (120.0 KiB)   /system/lib64/android.system.suspend@1.0.so
libpcre2.so                                               0x72bf668000  331776 (324.0 KiB)   /system/lib64/libpcre2.so
libpackagelistparser.so                                   0x72be137000  12288 (12.0 KiB)     /system/lib64/libpackagelistparser.so
capture_state_listener-aidl-V1-cpp.so                     0x72c0c0c000  40960 (40.0 KiB)     /system/lib64/capture_state_listener-aidl-V1-cpp.so
libaudioutils.so                                          0x72bd581000  139264 (136.0 KiB)   /system/lib64/libaudioutils.so
libmediautils.so                                          0x72c0202000  221184 (216.0 KiB)   /system/lib64/libmediautils.so
libnblog.so                                               0x72bcc85000  204800 (200.0 KiB)   /system/lib64/libnblog.so
libvibrator.so                                            0x72bfe0b000  49152 (48.0 KiB)     /system/lib64/libvibrator.so
libcgrouprc.so                                            0x72bc411000  20480 (20.0 KiB)     /system/lib64/libcgrouprc.so
libhidl-gen-utils.so                                      0x72bdef0000  57344 (56.0 KiB)     /system/lib64/libhidl-gen-utils.so
libtinyxml2.so                                            0x72bead1000  106496 (104.0 KiB)   /system/lib64/libtinyxml2.so
android.hardware.media.omx@1.0.so                         0x72bd3c6000  466944 (456.0 KiB)   /system/lib64/android.hardware.media.omx@1.0.so
libstagefright_framecapture_utils.so                      0x72bdc49000  167936 (164.0 KiB)   /system/lib64/libstagefright_framecapture_utils.so
libcodec2.so                                              0x72c0176000  12288 (12.0 KiB)     /system/lib64/libcodec2.so
libcodec2_vndk.so                                         0x72be20f000  606208 (592.0 KiB)   /system/lib64/libcodec2_vndk.so
libmedia_omx_client.so                                    0x72bd8c8000  24576 (24.0 KiB)     /system/lib64/libmedia_omx_client.so
libsfplugin_ccodec.so                                     0x72c02ea000  593920 (580.0 KiB)   /system/lib64/libsfplugin_ccodec.so
libsfplugin_ccodec_utils.so                               0x72bf706000  303104 (296.0 KiB)   /system/lib64/libsfplugin_ccodec_utils.so
libstagefright_codecbase.so                               0x72c0b77000  32768 (32.0 KiB)     /system/lib64/libstagefright_codecbase.so
libstagefright_omx_utils.so                               0x72be9cd000  24576 (24.0 KiB)     /system/lib64/libstagefright_omx_utils.so
libRScpp.so                                               0x72c024c000  274432 (268.0 KiB)   /system/lib64/libRScpp.so
libhidlallocatorutils.so                                  0x72c0bfa000  12288 (12.0 KiB)     /system/lib64/libhidlallocatorutils.so
libhidlmemory.so                                          0x72bef09000  28672 (28.0 KiB)     /system/lib64/libhidlmemory.so
android.hidl.allocator@1.0.so                             0x72bf55d000  90112 (88.0 KiB)     /system/lib64/android.hidl.allocator@1.0.so
android.hardware.cas.native@1.0.so                        0x72bd950000  98304 (96.0 KiB)     /system/lib64/android.hardware.cas.native@1.0.so
android.hardware.drm@1.0.so                               0x72bf590000  434176 (424.0 KiB)   /system/lib64/android.hardware.drm@1.0.so
android.hardware.common-V1-ndk_platform.so                0x72bd0b3000  16384 (16.0 KiB)     /system/lib64/android.hardware.common-V1-ndk_platform.so
android.hardware.media@1.0.so                             0x72c098c000  12288 (12.0 KiB)     /system/lib64/android.hardware.media@1.0.so
android.hidl.token@1.0.so                                 0x72bdde7000  94208 (92.0 KiB)     /system/lib64/android.hidl.token@1.0.so
libmediadrmmetrics_lite.so                                0x72c0010000  122880 (120.0 KiB)   /system/lib64/libmediadrmmetrics_lite.so
android.hardware.drm@1.1.so                               0x72be7a3000  290816 (284.0 KiB)   /system/lib64/android.hardware.drm@1.1.so
android.hardware.drm@1.2.so                               0x72c0dd8000  425984 (416.0 KiB)   /system/lib64/android.hardware.drm@1.2.so
android.hardware.drm@1.3.so                               0x72bee19000  151552 (148.0 KiB)   /system/lib64/android.hardware.drm@1.3.so
libunwindstack.so                                         0x72bd5cf000  454656 (444.0 KiB)   /system/lib64/libunwindstack.so
android.hardware.configstore@1.1.so                       0x72bf8e1000  118784 (116.0 KiB)   /system/lib64/android.hardware.configstore@1.1.so
libspeexresampler.so                                      0x72bee4a000  20480 (20.0 KiB)     /system/lib64/libspeexresampler.so
android.hardware.media.bufferpool@2.0.so                  0x72bccca000  217088 (212.0 KiB)   /system/lib64/android.hardware.media.bufferpool@2.0.so
libion.so                                                 0x72c0ba3000  16384 (16.0 KiB)     /system/lib64/libion.so
libfmq.so                                                 0x72bd9a7000  16384 (16.0 KiB)     /system/lib64/libfmq.so
libstagefright_bufferpool@2.0.1.so                        0x72be306000  172032 (168.0 KiB)   /system/lib64/libstagefright_bufferpool@2.0.1.so
android.hardware.media.c2@1.0.so                          0x72bd2dd000  589824 (576.0 KiB)   /system/lib64/android.hardware.media.c2@1.0.so
libcodec2_client.so                                       0x72bfa46000  151552 (148.0 KiB)   /system/lib64/libcodec2_client.so
libstagefright_bufferqueue_helper.so                      0x72c0801000  90112 (88.0 KiB)     /system/lib64/libstagefright_bufferqueue_helper.so
libstagefright_omx.so                                     0x72bd7ec000  299008 (292.0 KiB)   /system/lib64/libstagefright_omx.so
libstagefright_xmlparser.so                               0x72bcd48000  90112 (88.0 KiB)     /system/lib64/libstagefright_xmlparser.so
android.hidl.memory@1.0.so                                0x72bed87000  143360 (140.0 KiB)   /system/lib64/android.hidl.memory@1.0.so
android.hidl.memory.token@1.0.so                          0x72c0923000  81920 (80.0 KiB)     /system/lib64/android.hidl.memory.token@1.0.so
android.hardware.cas@1.0.so                               0x72be980000  262144 (256.0 KiB)   /system/lib64/android.hardware.cas@1.0.so
liblzma.so                                                0x72bc48c000  180224 (176.0 KiB)   /system/lib64/liblzma.so
libdexfile_support.so                                     0x72be058000  20480 (20.0 KiB)     /system/lib64/libdexfile_support.so
android.hidl.safe_union@1.0.so                            0x72bde79000  12288 (12.0 KiB)     /system/lib64/android.hidl.safe_union@1.0.so
android.hardware.media.c2@1.1.so                          0x72bdc88000  196608 (192.0 KiB)   /system/lib64/android.hardware.media.c2@1.1.so
libcodec2_hidl_client@1.0.so                              0x72beec9000  110592 (108.0 KiB)   /system/lib64/libcodec2_hidl_client@1.0.so
libcodec2_hidl_client@1.1.so                              0x72bfec5000  16384 (16.0 KiB)     /system/lib64/libcodec2_hidl_client@1.1.so
libart.so                                                 0x702bd17000  6946816 (6.6 MiB)    /apex/com.android.art/lib64/libart.so
libartpalette.so                                          0x72c165b000  16384 (16.0 KiB)     /apex/com.android.art/lib64/libartpalette.so
libsigchain.so                                            0x72c16ba000  20480 (20.0 KiB)     /system/lib64/libsigchain.so
libartbase.so                                             0x72c14c5000  491520 (480.0 KiB)   /apex/com.android.art/lib64/libartbase.so
libdexfile.so                                             0x72c15ea000  270336 (264.0 KiB)   /apex/com.android.art/lib64/libdexfile.so
libdexfile_external.so                                    0x72c155a000  28672 (28.0 KiB)     /apex/com.android.art/lib64/libdexfile_external.so
libprofile.so                                             0x72c1489000  217088 (212.0 KiB)   /apex/com.android.art/lib64/libprofile.so
libartpalette-system.so                                   0x72c1369000  24576 (24.0 KiB)     /system/lib64/libartpalette-system.so
libtombstoned_client.so                                   0x72c138c000  24576 (24.0 KiB)     /system/lib64/libtombstoned_client.so
boot.oat                                                  0x70512000    3153920 (3.0 MiB)    /apex/com.android.art/javalib/arm64/boot.oat
boot-core-libart.oat                                      0x70814000    417792 (408.0 KiB)   /apex/com.android.art/javalib/arm64/boot-core-libart.oat
boot-core-icu4j.oat                                       0x7087a000    991232 (968.0 KiB)   /apex/com.android.art/javalib/arm64/boot-core-icu4j.oat
boot-okhttp.oat                                           0x7096c000    253952 (248.0 KiB)   /apex/com.android.art/javalib/arm64/boot-okhttp.oat
boot-bouncycastle.oat                                     0x709aa000    135168 (132.0 KiB)   /apex/com.android.art/javalib/arm64/boot-bouncycastle.oat
boot-apache-xml.oat                                       0x709cb000    32768 (32.0 KiB)     /apex/com.android.art/javalib/arm64/boot-apache-xml.oat
boot-framework.oat                                        0x718ff000    11661312 (11.1 MiB)  /system/framework/arm64/boot-framework.oat
boot-ext.oat                                              0x7241e000    122880 (120.0 KiB)   /system/framework/arm64/boot-ext.oat
boot-telephony-common.oat                                 0x7243c000    45056 (44.0 KiB)     /system/framework/arm64/boot-telephony-common.oat
boot-voip-common.oat                                      0x72447000    36864 (36.0 KiB)     /system/framework/arm64/boot-voip-common.oat
boot-ims-common.oat                                       0x72450000    20480 (20.0 KiB)     /system/framework/arm64/boot-ims-common.oat
boot-framework-atb-backward-compatibility.oat             0x72455000    20480 (20.0 KiB)     /system/framework/arm64/boot-framework-atb-backward-compatibility.oat
libadbconnection.so                                       0x7024989000  65536 (64.0 KiB)     /apex/com.android.art/lib64/libadbconnection.so
libadbconnection_client.so                                0x702494a000  221184 (216.0 KiB)   /apex/com.android.adbd/lib64/libadbconnection_client.so
libriru_6011.so                                           0x7024744000  1085440 (1.0 MiB)    /system/lib64/libriru_6011.so
libperfetto_hprof.so                                      0x70245d4000  368640 (360.0 KiB)   /apex/com.android.art/lib64/libperfetto_hprof.so
libandroid.so                                             0x7024588000  143360 (140.0 KiB)   /system/lib64/libandroid.so
libxml2.so                                                0x7024445000  1261568 (1.2 MiB)    /system/lib64/libxml2.so
libpowermanager.so                                        0x7024401000  77824 (76.0 KiB)     /system/lib64/libpowermanager.so
libaaudio.so                                              0x70243d5000  28672 (28.0 KiB)     /system/lib64/libaaudio.so
libaaudio_internal.so                                     0x702434a000  311296 (304.0 KiB)   /system/lib64/libaaudio_internal.so
libamidi.so                                               0x7024331000  36864 (36.0 KiB)     /system/lib64/libamidi.so
libcamera2ndk.so                                          0x70242c3000  249856 (244.0 KiB)   /system/lib64/libcamera2ndk.so
libjnigraphics.so                                         0x7024282000  24576 (24.0 KiB)     /system/lib64/libjnigraphics.so
libOpenMAXAL.so                                           0x702426f000  16384 (16.0 KiB)     /system/lib64/libOpenMAXAL.so
libOpenSLES.so                                            0x7024208000  16384 (16.0 KiB)     /system/lib64/libOpenSLES.so
libRS.so                                                  0x7024110000  73728 (72.0 KiB)     /system/lib64/libRS.so
libutilscallstack.so                                      0x70241e3000  24576 (24.0 KiB)     /system/lib64/libutilscallstack.so
android.hardware.renderscript@1.0.so                      0x702414c000  417792 (408.0 KiB)   /system/lib64/android.hardware.renderscript@1.0.so
libstdc++.so                                              0x70240de000  16384 (16.0 KiB)     /system/lib64/libstdc++.so
libwebviewchromium_plat_support.so                        0x70240ac000  20480 (20.0 KiB)     /system/lib64/libwebviewchromium_plat_support.so
libicu_jni.so                                             0x7024060000  53248 (52.0 KiB)     /apex/com.android.art/lib64/libicu_jni.so
libjavacore.so                                            0x7024002000  245760 (240.0 KiB)   /apex/com.android.art/lib64/libjavacore.so
libandroidio.so                                           0x7023fe7000  16384 (16.0 KiB)     /apex/com.android.art/lib64/libandroidio.so
libopenjdk.so                                             0x7022785000  221184 (216.0 KiB)   /apex/com.android.art/lib64/libopenjdk.so
libopenjdkjvm.so                                          0x7022745000  40960 (40.0 KiB)     /apex/com.android.art/lib64/libopenjdkjvm.so
libart-compiler.so                                        0x70223e0000  3485696 (3.3 MiB)    /apex/com.android.art/lib64/libart-compiler.so
libvixl.so                                                0x70221a0000  2113536 (2.0 MiB)    /apex/com.android.art/lib64/libvixl.so
libjavacrypto.so                                          0x7017229000  294912 (288.0 KiB)   /apex/com.android.conscrypt/lib64/libjavacrypto.so
libcrypto.so                                              0x7017284000  1126400 (1.1 MiB)    /system/lib64/libcrypto.so
libssl.so                                                 0x70173c7000  339968 (332.0 KiB)   /system/lib64/libssl.so
libc++.so                                                 0x7017143000  720896 (704.0 KiB)   /system/lib64/libc++.so
libmedia_jni.so                                           0x70130b9000  540672 (528.0 KiB)   /system/lib64/libmedia_jni.so
libmediadrmmetrics_consumer.so                            0x701305d000  28672 (28.0 KiB)     /system/lib64/libmediadrmmetrics_consumer.so
libmtp.so                                                 0x7013000000  237568 (232.0 KiB)   /system/lib64/libmtp.so
libsonivox.so                                             0x7013166000  614400 (600.0 KiB)   /system/lib64/libsonivox.so
libmediadrmmetrics_full.so                                0x7012fd8000  147456 (144.0 KiB)   /system/lib64/libmediadrmmetrics_full.so
libasyncio.so                                             0x7012d71000  12288 (12.0 KiB)     /system/lib64/libasyncio.so
libprotobuf-cpp-full.so                                   0x7012d81000  2232320 (2.1 MiB)    /system/lib64/libprotobuf-cpp-full.so
libsoundpool.so                                           0x7012d0c000  90112 (88.0 KiB)     /system/lib64/libsoundpool.so
libaudioeffect_jni.so                                     0x7012cc5000  49152 (48.0 KiB)     /system/lib64/libaudioeffect_jni.so
librs_jni.so                                              0x7012c9a000  73728 (72.0 KiB)     /system/lib64/librs_jni.so
android.hidl.base-V1.0-java.odex                          0x7010a91000  20480 (20.0 KiB)     /system/framework/oat/arm64/android.hidl.base-V1.0-java.odex
android.hidl.manager-V1.0-java.odex                       0x7010a54000  20480 (20.0 KiB)     /system/framework/oat/arm64/android.hidl.manager-V1.0-java.odex
android.test.base.odex                                    0x7010a09000  20480 (20.0 KiB)     /system/framework/oat/arm64/android.test.base.odex
android.hardware.graphics.mapper@3.0-impl-qti-display.so  0x7010390000  45056 (44.0 KiB)     /vendor/lib64/hw/android.hardware.graphics.mapper@3.0-impl-qti-display.so
libutils.so                                               0x7010697000  122880 (120.0 KiB)   /apex/com.android.vndk.v30/lib64/libutils.so
libcutils.so                                              0x701085a000  73728 (72.0 KiB)     /apex/com.android.vndk.v30/lib64/libcutils.so
libhardware.so                                            0x701081c000  12288 (12.0 KiB)     /apex/com.android.vndk.v30/lib64/libhardware.so
libhidlbase.so                                            0x7010543000  757760 (740.0 KiB)   /apex/com.android.vndk.v30/lib64/libhidlbase.so
libqdMetaData.so                                          0x70107c3000  20480 (20.0 KiB)     /vendor/lib64/libqdMetaData.so
libgrallocutils.so                                        0x70106d4000  45056 (44.0 KiB)     /vendor/lib64/libgrallocutils.so
libgralloccore.so                                         0x70102b5000  40960 (40.0 KiB)     /vendor/lib64/libgralloccore.so
vendor.qti.hardware.display.mapper@3.0.so                 0x7010419000  114688 (112.0 KiB)   /vendor/lib64/vendor.qti.hardware.display.mapper@3.0.so
vendor.qti.hardware.display.mapperextensions@1.0.so       0x7010312000  167936 (164.0 KiB)   /vendor/lib64/vendor.qti.hardware.display.mapperextensions@1.0.so
android.hardware.graphics.mapper@2.0.so                   0x70102d6000  102400 (100.0 KiB)   /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@2.0.so
android.hardware.graphics.mapper@2.1.so                   0x70103cf000  106496 (104.0 KiB)   /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@2.1.so
android.hardware.graphics.mapper@3.0.so                   0x701091a000  114688 (112.0 KiB)   /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@3.0.so
vendor.qti.hardware.display.mapperextensions@1.1.so       0x7010500000  143360 (140.0 KiB)   /vendor/lib64/vendor.qti.hardware.display.mapperextensions@1.1.so
libc++.so                                                 0x701070e000  720896 (704.0 KiB)   /apex/com.android.vndk.v30/lib64/libc++.so
libprocessgroup.so                                        0x7010940000  258048 (252.0 KiB)   /apex/com.android.vndk.v30/lib64/libprocessgroup.so
libbase.so                                                0x7010480000  249856 (244.0 KiB)   /apex/com.android.vndk.v30/lib64/libbase.so
libgralloc.qti.so                                         0x70108f7000  32768 (32.0 KiB)     /vendor/lib64/libgralloc.qti.so
libion.so                                                 0x7010638000  16384 (16.0 KiB)     /apex/com.android.vndk.v30/lib64/libion.so
android.hardware.graphics.common@1.0.so                   0x7010673000  12288 (12.0 KiB)     /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.0.so
android.hardware.graphics.common@1.1.so                   0x701047b000  12288 (12.0 KiB)     /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.1.so
android.hardware.graphics.common@1.2.so                   0x70104ce000  12288 (12.0 KiB)     /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.2.so
libgralloctypes.so                                        0x7010883000  77824 (76.0 KiB)     /apex/com.android.vndk.v30/lib64/libgralloctypes.so
android.hardware.graphics.mapper@4.0.so                   0x7010995000  151552 (148.0 KiB)   /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@4.0.so
android.hardware.graphics.common-V1-ndk_platform.so       0x70109dc000  24576 (24.0 KiB)     /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common-V1-ndk_pl...
android.hardware.common-V1-ndk_platform.so                0x7010376000  16384 (16.0 KiB)     /apex/com.android.vndk.v30/lib64/android.hardware.common-V1-ndk_platform.so
libEGL_adreno.so                                          0x7010021000  45056 (44.0 KiB)     /vendor/lib64/egl/libEGL_adreno.so
libadreno_utils.so                                        0x700ffc3000  94208 (92.0 KiB)     /vendor/lib64/libadreno_utils.so
libgsl.so                                                 0x701006e000  2125824 (2.0 MiB)    /vendor/lib64/libgsl.so
libz.so                                                   0x700ff99000  98304 (96.0 KiB)     /apex/com.android.vndk.v30/lib64/libz.so
libGLESv2_adreno.so                                       0x700ee18000  4059136 (3.9 MiB)    /vendor/lib64/egl/libGLESv2_adreno.so
libllvm-glnext.so                                         0x700f207000  13905920 (13.3 MiB)  /vendor/lib64/libllvm-glnext.so
libGLESv1_CM_adreno.so                                    0x700edc3000  241664 (236.0 KiB)   /vendor/lib64/egl/libGLESv1_CM_adreno.so
eglSubDriverAndroid.so                                    0x700ed49000  77824 (76.0 KiB)     /vendor/lib64/egl/eglSubDriverAndroid.so
vendor.qti.hardware.display.mapper@2.0.so                 0x700ed9b000  118784 (116.0 KiB)   /vendor/lib64/vendor.qti.hardware.display.mapper@2.0.so
libcompiler_rt.so                                         0x700ec8a000  544768 (532.0 KiB)   /system/lib64/libcompiler_rt.so
libwebviewchromium_loader.so                              0x700ec7b000  16384 (16.0 KiB)     /system/lib64/libwebviewchromium_loader.so
frida-agent-64.so                                         0x6fcb683000  22749184 (21.7 MiB)  /data/local/tmp/re.frida.server/frida-agent-64.so
org.apache.http.legacy.odex                               0x701a484000  339968 (332.0 KiB)   /system/framework/oat/arm64/org.apache.http.legacy.odex
system_ext@priv-app@Settings@Settings.apk@classes.dex     0x701a148000  1486848 (1.4 MiB)    /data/dalvik-cache/arm64/system_ext@priv-app@Settings@Settings.apk@classes....
libstats_jni.so                                           0x701b858000  12288 (12.0 KiB)     /apex/com.android.os.statsd/lib64/libstats_jni.so
gralloc.msmnile.so                                        0x6fbc923000  45056 (44.0 KiB)     /vendor/lib64/hw/gralloc.msmnile.so
linux-vdso.so.1                                           0x72c2ba7000  4096 (4.0 KiB)       linux-vdso.so.1

这时候就以hook liblog 为例子,打印log一般用的接口是__android_log_print, 那就hook下这个接口, 首先准备好hook 脚本:

function hook_native() {
    var addr = Module.getExportByName("liblog.so", "__android_log_print")
    Interceptor.attach(addr, {
        onEnter: function (args) {
            console.log("args 1 ", args[0])
            console.log("args 2 ", args[1].readCString())
            console.log("args 3 ", args[2].readCString())
        }, onLeave: function (retval) {
            console.log("retval is ", retval)
        }
    })
}

function main() {
    hook_native()
}

setImmediate(main)

这儿就是打印下参数和返回值,这时候操作下设置,显示如下:

shanks@BINDERLI-MB0 frida-agent-example % frida -UF -p 25064  -l hook.js
     ____
    / _  |   Frida 15.1.24 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Pixel 4 (id=9A291FFAZ00BWF)

[Pixel 4::PID::25064 ]-> args 1  0x6
args 2  MediaPlayerNative
args 3  error (%d, %d)
retval is  0x1
args 1  0x5
args 2  MediaPlayer-JNI
args 3  MediaPlayer finalized without being released
retval is  0x1

如果不确定目标应用使用了哪些符号,可以借助frida-trace工具, 比如执行 frida-trace -UF com.android.settings -I liblog.so
就会输出调用栈:

           /* TID 0x6226 */
 12345 ms  __android_log_buf_write()
 12345 ms     | __android_log_is_loggable()
 12345 ms     |    | __android_log_get_minimum_priority()
 12346 ms     | __android_log_write_log_message()
 12346 ms     |    | __android_log_logd_logger()
 12346 ms     |    |    | __android_log_is_debuggable()
 12347 ms  __android_log_buf_write()
 12347 ms     | __android_log_is_loggable()
 12347 ms     |    | __android_log_get_minimum_priority()
 12347 ms     | __android_log_write_log_message()
 12347 ms     |    | __android_log_logd_logger()
 12347 ms     |    |    | __android_log_is_debuggable()
 12347 ms  __android_log_buf_write()
 12347 ms     | __android_log_is_loggable()
 12347 ms     |    | __android_log_get_minimum_priority()
 12348 ms     | __android_log_write_log_message()
 12348 ms     |    | __android_log_logd_logger()
 12348 ms     |    |    | __android_log_is_debuggable()

这样就知道调用了__android_log_buf_write,如果函数的符号是没有导出的,这时候可以通过IDA看下相对地址, 就可以继续hook了,下面再示范下__android_log_buf_write, 通过工具查看地址相对liblog的偏移是0x6760, 原型如下:

int __android_log_buf_write(int bufID, int prio, const char* tag, const char* msg)

那么写脚本如下:


function hook_native() {
    var addr = Module.getBaseAddress("liblog.so")
    addr = addr.add('0x6760');
    Interceptor.attach(addr, {
        onEnter: function (args) {
            console.log("args 1 ", args[0])
            console.log("args 2 ", args[1])
            console.log("args 3 ", args[2].readCString())
            console.log("args 4 ", args[3].readCString())
        }, onLeave: function (retval) {
            console.log("retval is ", retval)
        }
    })
}

function main() {
    hook_native()
}

setImmediate(main)

再次hook,结果如下:

shanks@BINDERLI-MB0 frida-agent-example % frida -UF com.android.settings -l hook.js
     ____
    / _  |   Frida 15.1.24 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Pixel 4 (id=9A291FFAZ00BWF)
[Pixel 4::Settings ]-> args 1  0x0
args 2  0x5
args 3  ContextualCardManager
args 4  Legacy suggestion contextual card enabled, skipping contextual cards.
retval is  0x1
args 1  0x0
args 2  0x3
args 3  AvatarViewMixin
args 4  Feature disabled by config. Skipping
retval is  0x1
args 1  0x0
args 2  0x3
args 3  ControllerRendererPool
args 4  Controller is already there.
retval is  0x1

这样就愉快地完成hook了。

上一篇下一篇

猜你喜欢

热点阅读