原文地址https://github.com/lasting-yang/frida_hook_libart
frida -U --no-pause -f package_name -l hook_RegisterNatives.js
var ishook_libart = false;

function hook_libart() {

    if (ishook_libart === true) {

        return;

    }

    var symbols = Module.enumerateSymbolsSync("libart.so");

    var addrGetStringUTFChars = null;

    var addrNewStringUTF = null;

    var addrFindClass = null;

    var addrGetMethodID = null;

    var addrGetStaticMethodID = null;

    var addrGetFieldID = null;

    var addrGetStaticFieldID = null;

    var addrRegisterNatives = null;

    var addrAllocObject = null;

    var addrCallObjectMethod = null;

    var addrGetObjectClass = null;

    var addrReleaseStringUTFChars = null;

    for (var i = 0; i < symbols.length; i++) {

        var symbol = symbols[i];

        if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") {

            addrGetStringUTFChars = symbol.address;

            console.log("GetStringUTFChars is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") {

            addrNewStringUTF = symbol.address;

            console.log("NewStringUTF is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") {

            addrFindClass = symbol.address;

            console.log("FindClass is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetMethodID = symbol.address;

            console.log("GetMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticMethodID = symbol.address;

            console.log("GetStaticMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetFieldID = symbol.address;

            console.log("GetFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticFieldID = symbol.address;

            console.log("GetStaticFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") {

            addrRegisterNatives = symbol.address;

            console.log("RegisterNatives is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) {

            addrAllocObject = symbol.address;

            console.log("AllocObject is at ", symbol.address, symbol.name);

        }  else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) {

            addrCallObjectMethod = symbol.address;

            console.log("CallObjectMethod is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) {

            addrGetObjectClass = symbol.address;

            console.log("GetObjectClass is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) {

            addrReleaseStringUTFChars = symbol.address;

            console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name);

        }

    }

    if (addrRegisterNatives != null) {

        Interceptor.attach(addrRegisterNatives, {

            onEnter: function (args) {

                console.log("[RegisterNatives] method_count:", args[3]);

                var env = args[0];

                var java_class = args[1];

                var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]);

                var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]);

                var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]);

                var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]);

                var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]);

                var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]);

                var clz_obj = funcAllocObject(env, java_class);

                var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;"));

                var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass);

                var cls = funcGetObjectClass(env, clz_obj2);

                var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;"));

                var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName);

                var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0));

                var class_name = ptr(name_pchar).readCString();

                funcReleaseStringUTFChars(env, name_jstring, name_pchar);

                //console.log(class_name);

                var methods_ptr = ptr(args[2]);

                var method_count = parseInt(args[3]);

                for (var i = 0; i < method_count; i++) {

                    var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));

                    var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));

                    var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));

                    var name = Memory.readCString(name_ptr);

                    var sig = Memory.readCString(sig_ptr);

                    var find_module = Process.findModuleByAddress(fnPtr_ptr);

                    console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base));

                }

            },

            onLeave: function (retval) { }

        });

    }

    ishook_libart = true;

}

hook_libart();

frida hook_RegisterNatives--使用frida打印so中动态注册的函数的更多相关文章

  1. 在Asp.net 4.0 中动态注册HttpModule

    using System; using System.Web; using Microsoft.Web.Infrastructure; namespace MvcApplication1 { publ ...

  2. Android 动态注册JNI函数

    1.JNI函数注册方式 在Android开发中,由于种种原因我们需要调用C/C++代码,在这个时候我们就需要使用jni了, jni在使用时要对定义的函数进行注册,这样java才能通过native关键字 ...

  3. SpringBoot27 JDK动态代理详解、获取指定的类类型、动态注册Bean、接口调用框架

    1 JDK动态代理详解 静态代理.JDK动态代理.Cglib动态代理的简单实现方式和区别请参见我的另外一篇博文. 1.1 JDK代理的基本步骤 >通过实现InvocationHandler接口来 ...

  4. Android Studio NDK JNI动态注册本地方法

    概述 可能大家觉得javah生成的函数名又臭又长,不太好看.这里可以提供另外一种方法来动态注册c++函数,让其根Java中的native方法关联起来. 实现 这里通过JNIEnv的Resisterna ...

  5. java中动态反射

    java中动态反射能达到的效果和python的语法糖很像,能够截获方法的实现,在真实方法调用之前和之后进行修改,甚至能够用自己的实现进行特别的替代,也可以用其实现面向切片的部分功能.动态代理可以方便实 ...

  6. frida报错frida.InvalidArgumentError: device not found问题解决方案

    一.问题描述     python安装好frida框架后,在安卓端启动了frida-server,启动要hook的应用,在cmd中执行python脚本,报错frida.InvalidArgumentE ...

  7. 第三章Struts2 Action中动态方法调用、通配符的使用

    01.Struts 2基本结构 使用Struts2框架实现用登录的功能,使用struts2标签和ognl表达式简化了试图的开发,并且利用struts2提供的特性对输入的数据进行验证,以及访问Servl ...

  8. Struts2中动态方法的调用

    Struts2中动态方法调用就是为了解决一个action对应多个请求的处理,以免action太多. 主要有一下三种方法:指定method属性.感叹号方式和通配符方式.推荐使用第三种方式. 1.指定me ...

  9. UE4 中在 Actor 中动态 Create Component 与ChildActor 的 小笔记

    Note:旧版本的UE4 的Attach 和12.13版本有些不一样 创建Component: UCpp_MyComponent* temp_imageCom = NewObject<UCpp_ ...

随机推荐

  1. Kconfig 配置文件编码规则

    最早接触到Kconfig是在u-boot的移植过程中.所今天来好好学习一下如何编写一个符合Kconffigde 配置文件.Kbuild或者是Kconfig的中文翻译意思是内核配置/构建系统.他最早出自 ...

  2. TypeScript with React

    TypeScript with React # Make a new directory $ mkdir react-typescript # Change to this directory wit ...

  3. macOS & timer & stop watch

    macOS & timer & stop watch https://matthewpalmer.net/blog/2018/09/28/top-free-countdown-time ...

  4. base 64 bug & encodeURIComponent

    base64 bug & encodeURIComponent window.btoa("jëh²H¶�%28"); // "autoskiptoclMjiu&q ...

  5. taro & Error: spawn taro ENOENT

    taro & Error: spawn taro ENOENT https://stackoverflow.com/questions/27688804/how-do-i-debug-erro ...

  6. Node.js & LTS

    Node.js & LTS 2020 https://nodejs.org/en/about/releases/ https://raw.githubusercontent.com/nodej ...

  7. lua调用dll导出的函数

    参考手册 hello.dll #include "pch.h" #include "lua.hpp" #pragma comment(lib, "lu ...

  8. oracle中的in参数超过1000的解决方案

    在oracle中,使用in方法查询记录的时候,如果in后面的参数个数超过1000个,那么会发生错误,JDBC会抛出"java.sql.SQLException: ORA-01795: 列表中 ...

  9. 验证销售部门的数据查看权限-脚本demo

    1 # coding:utf-8 2 ''' 3 @file: run_old.py 4 @author: jingsheng hong 5 @ide: PyCharm 6 @createTime: ...

  10. Java HashMap源码分析(含散列表、红黑树、扰动函数等重点问题分析)

    写在最前面 这个项目是从20年末就立好的 flag,经过几年的学习,回过头再去看很多知识点又有新的理解.所以趁着找实习的准备,结合以前的学习储备,创建一个主要针对应届生和初学者的 Java 开源知识项 ...