
xhook 使用记录

作者: that_is_this | 来源:发表于2018-06-05 10:29 被阅读425次

    1. 项目信息

    项目源码:https://github.com/iqiyi/xHook

    对应文档:https://github.com/iqiyi/xHook/blob/master/docs/overview/android_plt_hook_overview.zh-CN.md

    2. 使用

    以 hook mmap 为例:

    #include "gothook/xhook.h"
    
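    /*
     * Slot for the address of the original mmap. Its address is handed to
     * xhook_register() as the old_func argument so that xhook can store the
     * original function here.
     * NOTE(review): presumably only valid after a successful xhook_refresh() - confirm.
     */
    void* (*old_mmap)(void* start,size_t length,int prot,int flags,int fd,off_t offset);
    
    /*
     * Replacement for mmap: logs the requested length, forwards the call to
     * the original mmap through old_mmap, logs the mapped address and hands
     * the original result back to the caller.
     *
     * The proxy must return what the real mmap returned. Returning a made-up
     * constant gives the caller an invalid pointer (and hides MAP_FAILED),
     * which corrupts or crashes the hooked library.
     */
    void* testmmap(void* start,size_t length,int prot,int flags,int fd,off_t offset) {
        /* %zx matches size_t; plain %x is a format/argument mismatch on 64-bit ABIs. */
        __android_log_print(ANDROID_LOG_INFO, "Wooo", "this is test hook mmap : %zx", length);
        void* addr = old_mmap(start, length, prot, flags, fd, offset);
        /* %p is the only portable conversion for a pointer value. */
        __android_log_print(ANDROID_LOG_INFO, "Wooo", "real hook mmap : %p", addr);
        return addr;
    }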
    
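    /*
     * Native entry point that installs the mmap hook.
     *
     * Registers testmmap as the replacement for mmap in every loaded library
     * whose path matches ".../libmainNative.so", asks xhook to save the
     * original address in old_mmap, then applies the hook synchronously.
     * Both xhook calls return non-zero on failure; the result is checked so
     * that a hook that was never installed is visible in the log instead of
     * being silently assumed to be active.
     */
    void native_register(JNIEnv* env, jobject obj) {
        int rc = xhook_register(".*/libmainNative\\.so$", "mmap", testmmap, (void **)(&old_mmap));
        if (rc != 0) {
            __android_log_print(ANDROID_LOG_ERROR, "Wooo", "xhook_register failed : %d", rc);
            return;
        }

        /* 0 = synchronous refresh, 1 = asynchronous refresh. */
        rc = xhook_refresh(0);
        if (rc != 0) {
            __android_log_print(ANDROID_LOG_ERROR, "Wooo", "xhook_refresh failed : %d", rc);
            return;
        }

        __android_log_print(ANDROID_LOG_INFO, "Wooo", "native register finish");
    }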
    

    xhook_refresh 函数的参数:1 为异步,0 为同步。
    这样就触发了 hook。测试中没有办法取消 hook,所以要保存原函数指针,以便在替换函数中调用原函数。

    几个原生函数声明对应如下:

    /*
     * Function-pointer slots, one per hooked libc function, with the same
     * signature as the function they stand for.
     * NOTE(review): presumably each is filled through the old_func argument
     * of xhook_register() - confirm against the registration code.
     */
    int     (*old_open)(const char *pathname, int flags, mode_t mode);
    int     (*old_fstat)(int fildes, struct stat *buf);
    /* NOTE(review): looks like the slot for the fortified __read_chk variant - confirm. */
    ssize_t (*old_read_chk)(int fd, void *buf, size_t nbytes, size_t buflen);
    ssize_t (*old_read)(int fd, void *buf, size_t count);
    void   *(*old_mmap)(void *start, size_t length, int prot, int flags, int fd, off_t offset);
    int     (*old_munmap)(void *start, size_t length);
    pid_t   (*old_fork)(void);
    

    新函数对应如下:

    /*
     * Prototypes of the replacement functions. Each new_* function has the
     * same parameter list and return type as the function it replaces.
     */

    /*
     * NOTE(review): addr/fakeaddr are uint32_t; if they carry addresses this
     * only fits a 32-bit process - confirm before building for a 64-bit ABI.
     */
    int     hook(uint32_t addr, uint32_t fakeaddr, uint32_t **old_addr);

    int     new_open(const char *pathname, int flags, mode_t mode);
    int     new_fstat(int fildes, struct stat *buf);
    ssize_t new_read(int fd, void *buf, size_t count);
    ssize_t new_read_chk(int fd, void *buf, size_t nbytes, size_t buflen);
    void   *new_mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
    int     new_munmap(void *start, size_t length);
    pid_t   new_fork(void);
    

    hook 的 elf 文件路径示例:

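    // Each xhook_register() call takes: a regex matched against the path of a
    // loaded ELF file, the symbol name to hook, the replacement function and
    // an optional slot for the original function. NULL is passed for that
    // slot here, so no pointer to the original function is kept.

    //detect memory leaks
    xhook_register(".*\\.so$", "malloc",  my_malloc,  NULL);
    xhook_register(".*\\.so$", "calloc",  my_calloc,  NULL);
    xhook_register(".*\\.so$", "realloc", my_realloc, NULL);
    xhook_register(".*\\.so$", "free",    my_free,    NULL);
    
    //inspect sockets lifecycle
    xhook_register(".*\\.so$", "getaddrinfo", my_getaddrinfo, NULL);
    xhook_register(".*\\.so$", "socket",      my_socket,      NULL);
    xhook_register(".*\\.so$", "setsockopt",  my_setsockopt,  NULL);  // comma after the symbol name was missing
    xhook_register(".*\\.so$", "bind",        my_bind,        NULL);
    xhook_register(".*\\.so$", "listen",      my_listen,      NULL);
    xhook_register(".*\\.so$", "connect",     my_connect,     NULL);
    xhook_register(".*\\.so$", "shutdown",    my_shutdown,    NULL);
    xhook_register(".*\\.so$", "close",       my_close,       NULL);
    
    //filter off and save some android log to local file
    // NOTE(review): ".*\\.so$" also matches the library that contains the
    // my_log_* functions; if they log through __android_log_* themselves they
    // may need an xhook_ignore() entry for their own .so - confirm.
    xhook_register(".*\\.so$", "__android_log_write",  my_log_write,  NULL);
    xhook_register(".*\\.so$", "__android_log_print",  my_log_print,  NULL);
    xhook_register(".*\\.so$", "__android_log_vprint", my_log_vprint, NULL);
    xhook_register(".*\\.so$", "__android_log_assert", my_log_assert, NULL);
    
    //tracking (ignore linker and linker64)
    xhook_register("^/system/.*$", "mmap",   my_mmap,   NULL);
    xhook_register("^/vendor/.*$", "munmap", my_munmap, NULL);
    xhook_ignore  (".*/linker$",   "mmap");
    xhook_ignore  (".*/linker$",   "munmap");
    xhook_ignore  (".*/linker64$", "mmap");
    xhook_ignore  (".*/linker64$", "munmap");
    
    //defense to some injection attacks
    // The match is on the file path only, so this catches a library only
    // while it keeps a recognisable name; treat it as one signal, not as the
    // sole control.
    xhook_register(".*com\\.hacker.*\\.so$", "malloc",  my_malloc_always_return_NULL, NULL);
    xhook_register(".*/libhacker\\.so$",     "connect", my_connect_with_recorder,     NULL);
    
    //fix some system bug
    xhook_register(".*some_vendor.*/libvictim\\.so$", "bad_func", my_nice_func, NULL);
    
    //ignore all hooks in libwebviewchromium.so
    // The dot is escaped like in the other patterns; an unescaped '.' matches
    // any character and would widen the ignore rule.
    xhook_ignore(".*/libwebviewchromium\\.so$", NULL);
    
    //hook now!
    // 1 = asynchronous refresh.
    // NOTE(review): with an asynchronous refresh the hooks are presumably not
    // guaranteed to be in place when this call returns - confirm.
    xhook_refresh(1);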
    

    3. 测试说明

    测试可以 hook libmainNative.so 的 mmap 函数,但是不能 hook so 文件内的内部函数 testfindsm。原因是 xhook 属于 PLT hook,只能替换经过 PLT/GOT 的外部符号调用;so 内部函数之间的直接调用不经过 PLT,所以无法被 hook。
