-
-
[原创]记录一下YAHFA相关
-
发表于: 2021-5-14 21:18
-
这里使用的手机是google Pixel XL 8.1
本文的目的是记录一下使用frida对YAHFA的原理的简单分析
首先写一个安卓demo如下
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
findViewById(R.id.sample_text).setOnClickListener(v -> {
try {
Method doWork1 = MainActivity.class.getDeclaredMethod("doWork1");
Method doWork2 = MainActivity.class.getDeclaredMethod("doWork2");
Method doWork3 = MainActivity.class.getDeclaredMethod("doWork3");
calledBefore(doWork1,doWork2,doWork3);
HookMain.backupAndHook(doWork1,doWork2,doWork3);
calledAfter(doWork1,doWork2,doWork3);
} catch (NoSuchMethodException e) {
e.printStackTrace();
}
});
}private static void doWork1() { Log.i(TAG, "doWork1");
}private static void doWork2() { Log.i(TAG, "doWork2");
}private static void doWork3() { Log.i(TAG, "doWork3");
}public native void calledBefore(Method doWork1, Method doWork2, Method doWork3);public native void calledAfter(Method doWork1, Method doWork2, Method doWork3); |
两个native方法(calledBefore/calledAfter)在native层啥也不用做 只是拿到一个反射方法
顺带附上hook代码,主要是用frida展示artmethod指针内存的变化
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
var getArtMethod = new NativeFunction(Module.findExportByName('libnative-lib.so','getArtMethod'),'pointer',['pointer','pointer'])
Interceptor.attach(Module.findExportByName('libnative-lib.so','Java_com_lzy_yahfa_MainActivity_calledBefore'),{
onEnter:function(args){
LOG("\n----------------------- Before -----------------------\n",LogColor.RED)
showLog(args[0],args[2],args[3],args[4])
},
onLeave:function(ret){
}
})Interceptor.attach(Module.findExportByName('libnative-lib.so','Java_com_lzy_yahfa_MainActivity_calledAfter'),{
onEnter:function(args){
LOG("\n----------------------- After -----------------------\n",LogColor.RED)
showLog(args[0],args[2],args[3],args[4])
},
onLeave:function(ret){
}
})function showLog(a0,a1,a2,a3){ LOG(" ----- ORG ----- ",LogColor.YELLOW)
var method = getArtMethod(a0,a1)
seeHexA(method,p_size*8)
LOG("entry_point_from_quick_compiled_code -> "+method.add(p_size*7).readPointer()+" ---> "+method.add(p_size*7).readPointer().readPointer())
LOG("\n")
LOG(" ----- Hook ----- ",LogColor.YELLOW)
var method = getArtMethod(a0,a2)
seeHexA(method,p_size*8)
LOG("entry_point_from_quick_compiled_code -> "+method.add(p_size*7).readPointer()+" ---> "+method.add(p_size*7).readPointer().readPointer())
LOG("\n")
LOG(" ----- Back ----- ",LogColor.YELLOW)
var method = getArtMethod(a0,a3)
seeHexA(method,p_size*8)
LOG("entry_point_from_quick_compiled_code -> "+method.add(p_size*7).readPointer()+" ---> "+method.add(p_size*7).readPointer().readPointer())
} |
这里我用的是google原生系统 8.1
直接去参考源码得到 artMethod 结构体长这样:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
4 GcRoot
4 std::atomic
4 uint32_t dex_code_item_offset_;
4 uint32_t dex_method_index_;
2 uint16_t method_index_;
2 uint16_t hotness_count_;
12 struct PtrSizedFields {
4 ArtMethod** dex_cache_resolved_methods_;
4 void* data_;
4 void* entry_point_from_quick_compiled_code_;
} ptr_sized_fields_;
|
运行起来点击textview即可得到一下日志
cpu三级流水线可知程序运行到0xf48bc018的时候
pc应该是往后的两条指令,即为0xf48bc020
这里计算一下跳板地址跳到了哪里
最后于 2021-5-15 07:44
被唱过阡陌编辑
,原因:
|
|
|---|---|
