原文地址https://github.com/lasting-yang/frida_hook_libart
frida -U --no-pause -f package_name -l hook_RegisterNatives.js
var ishook_libart = false;

function hook_libart() {

    if (ishook_libart === true) {

        return;

    }

    var symbols = Module.enumerateSymbolsSync("libart.so");

    var addrGetStringUTFChars = null;

    var addrNewStringUTF = null;

    var addrFindClass = null;

    var addrGetMethodID = null;

    var addrGetStaticMethodID = null;

    var addrGetFieldID = null;

    var addrGetStaticFieldID = null;

    var addrRegisterNatives = null;

    var addrAllocObject = null;

    var addrCallObjectMethod = null;

    var addrGetObjectClass = null;

    var addrReleaseStringUTFChars = null;

    for (var i = 0; i < symbols.length; i++) {

        var symbol = symbols[i];

        if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") {

            addrGetStringUTFChars = symbol.address;

            console.log("GetStringUTFChars is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") {

            addrNewStringUTF = symbol.address;

            console.log("NewStringUTF is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") {

            addrFindClass = symbol.address;

            console.log("FindClass is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetMethodID = symbol.address;

            console.log("GetMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticMethodID = symbol.address;

            console.log("GetStaticMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetFieldID = symbol.address;

            console.log("GetFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticFieldID = symbol.address;

            console.log("GetStaticFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") {

            addrRegisterNatives = symbol.address;

            console.log("RegisterNatives is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) {

            addrAllocObject = symbol.address;

            console.log("AllocObject is at ", symbol.address, symbol.name);

        }  else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) {

            addrCallObjectMethod = symbol.address;

            console.log("CallObjectMethod is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) {

            addrGetObjectClass = symbol.address;

            console.log("GetObjectClass is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) {

            addrReleaseStringUTFChars = symbol.address;

            console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name);

        }

    }

    if (addrRegisterNatives != null) {

        Interceptor.attach(addrRegisterNatives, {

            onEnter: function (args) {

                console.log("[RegisterNatives] method_count:", args[3]);

                var env = args[0];

                var java_class = args[1];

                var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]);

                var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]);

                var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]);

                var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]);

                var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]);

                var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]);

                var clz_obj = funcAllocObject(env, java_class);

                var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;"));

                var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass);

                var cls = funcGetObjectClass(env, clz_obj2);

                var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;"));

                var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName);

                var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0));

                var class_name = ptr(name_pchar).readCString();

                funcReleaseStringUTFChars(env, name_jstring, name_pchar);

                //console.log(class_name);

                var methods_ptr = ptr(args[2]);

                var method_count = parseInt(args[3]);

                for (var i = 0; i < method_count; i++) {

                    var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));

                    var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));

                    var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));

                    var name = Memory.readCString(name_ptr);

                    var sig = Memory.readCString(sig_ptr);

                    var find_module = Process.findModuleByAddress(fnPtr_ptr);

                    console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base));

                }

            },

            onLeave: function (retval) { }

        });

    }

    ishook_libart = true;

}

hook_libart();

frida hook_RegisterNatives--使用frida打印so中动态注册的函数的更多相关文章

  1. 在Asp.net 4.0 中动态注册HttpModule

    using System; using System.Web; using Microsoft.Web.Infrastructure; namespace MvcApplication1 { publ ...

  2. Android 动态注册JNI函数

    1.JNI函数注册方式 在Android开发中,由于种种原因我们需要调用C/C++代码,在这个时候我们就需要使用jni了, jni在使用时要对定义的函数进行注册,这样java才能通过native关键字 ...

  3. SpringBoot27 JDK动态代理详解、获取指定的类类型、动态注册Bean、接口调用框架

    1 JDK动态代理详解 静态代理.JDK动态代理.Cglib动态代理的简单实现方式和区别请参见我的另外一篇博文. 1.1 JDK代理的基本步骤 >通过实现InvocationHandler接口来 ...

  4. Android Studio NDK JNI动态注册本地方法

    概述 可能大家觉得javah生成的函数名又臭又长,不太好看.这里可以提供另外一种方法来动态注册c++函数,让其根Java中的native方法关联起来. 实现 这里通过JNIEnv的Resisterna ...

  5. java中动态反射

    java中动态反射能达到的效果和python的语法糖很像,能够截获方法的实现,在真实方法调用之前和之后进行修改,甚至能够用自己的实现进行特别的替代,也可以用其实现面向切片的部分功能.动态代理可以方便实 ...

  6. frida报错frida.InvalidArgumentError: device not found问题解决方案

    一.问题描述     python安装好frida框架后,在安卓端启动了frida-server,启动要hook的应用,在cmd中执行python脚本,报错frida.InvalidArgumentE ...

  7. 第三章Struts2 Action中动态方法调用、通配符的使用

    01.Struts 2基本结构 使用Struts2框架实现用登录的功能,使用struts2标签和ognl表达式简化了试图的开发,并且利用struts2提供的特性对输入的数据进行验证,以及访问Servl ...

  8. Struts2中动态方法的调用

    Struts2中动态方法调用就是为了解决一个action对应多个请求的处理,以免action太多. 主要有一下三种方法:指定method属性.感叹号方式和通配符方式.推荐使用第三种方式. 1.指定me ...

  9. UE4 中在 Actor 中动态 Create Component 与ChildActor 的 小笔记

    Note:旧版本的UE4 的Attach 和12.13版本有些不一样 创建Component: UCpp_MyComponent* temp_imageCom = NewObject<UCpp_ ...

随机推荐

  1. 无需扫描即可查找和攻击域SQL Server (SPN)

    无扫描SQL Server发现简介 当您没有凭据或正在寻找不在域中的SQL Server时,使用各种扫描技术来查找SQL Server可能非常有用.但是,此过程可能很嘈杂,耗时,并且可能由于子网未知, ...

  2. js code review

    js code review https://codereview.stackexchange.com/ refs xgqfrms 2012-2020 www.cnblogs.com 发布文章使用:只 ...

  3. GitHub user language statistics

    GitHub user language statistics 2020 https://madnight.github.io/githut/#/pull_requests/2020/2 2011 ~ ...

  4. PPT & order & animation

    PPT & order & animation powerpoint order of appearance https://support.office.com/en-us/arti ...

  5. Web API & Element & DOM

    Web API & Element & DOM Element https://developer.mozilla.org/en-US/docs/Web/API/Element HTM ...

  6. 埋点 & 数据上报 & 数据异常处理

    埋点 & 数据上报 & 数据异常处理 如何在用户关闭浏览器前面,发送请求 beforeunload unload https://developer.mozilla.org/en-US ...

  7. Django和Ueditor自定义存储上传文件的文件名

    django台后默认上传文件名 在不使用分布式文件存储系统等第三方文件存储时,django使用默认的后台ImageField和FileField上传文件名默认使用原文件名,当出现同名时会在后面追加下随 ...

  8. Vue学习笔记-基于CDN引入方式简单前后端分离项目学习(Vue+Element+Axios)

    一  使用环境 开发系统: windows 后端IDE: PyCharm 前端IDE: VSCode 数据库: msyql,navicat 编程语言: python3.7  (Windows x86- ...

  9. c语言:分治算法之大数相乘

    我们把整数A由规模n分为n1和n2,把整数B由规模m分为m1和m2,如下图: 则A分为n1位的A1和n2位的A1,B分为m1位的B1和m2位的B2,如下式所示: 以此类推,我们可以把A1.A2.B1. ...

  10. C++ Primer Plus 第一章 预备知识

    C++ Primer Plus 第一章 预备知识 知识点梳理 本章主要讲述了C++的由来,讨论了面向过程语言与面向对象语言的区别,介绍了ANSI/ISO制定的C++标准,阐述了在Windows.Mac ...