-
-
[原创]JNIOnLoad 获取未导出函数的绝对地址
-
2021-9-24 17:42
-
哎,论坛搜了一圈没找到怎么获取获取未导出函数的绝对地址,自己当初学习时也是走了不少弯路啊,自己写一个吧,希望能帮助到你.
js脚本hook.js:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | function hook_libart() { var module_libart = Process.findModuleByName("libart.so"); var symbols = module_libart.enumerateSymbols(); //枚举模块的符号 var addr_Register = null; for(var i = 0; i < symbols.length; i++) { var name = symbols[i].name; if(name.indexOf("CheckJNI") == -1 && name.indexOf("JNI") > 0) { if(name.indexOf("RegisterNatives") > 0) { console.log("name: ", name); addr_Register = symbols[i].address; console.log("addr_Register: ", addr_Register); } } } var base_myjni = Module.findBaseAddress("libmyjni.so"); console.log('Module.findBaseAddress("libmyjni.so"): ', base_myjni); if(addr_Register) { Interceptor.attach(addr_Register, { onEnter: function(args) { var java_class = Java.vm.tryGetEnv().getClassName(args[1]); console.log("java_class: ", java_class); var methods = args[2]; console.log("methods: ", methods); var methods_count = parseInt(args[3]); console.log("methods_count: ", methods_count); for(var i = 0; i < methods_count; i ++) { console.log("----------"); console.log(methods.add(i * Process.pointerSize * 3).readPointer().readCString()); console.log(methods.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer().readCString()); console.log(methods.add(i * Process.pointerSize * 3 + Process.pointerSize * 2).readPointer()); console.log("----------"); } },onLeave: function(retval) { } }) }}function main() { hook_libart();}setImmediate(main); |
修改你的so
执行命令:frida -U -f com.gdufs.xman -l hook.js --no-pause
找到我要的函数名称和地址:
下面找so的地址:
计算函数的导出地址:ptr(0xdd6fb1f9).sub("0xdd6fa000")
搞定!!!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
