[Help] How to correctly dump a decrypted .so file
Posted: 3 days ago 547
The packed (hardened) Android .so calls open to check the maps file. At that moment I dump the .so and use Thread.backtrace(this.context, Backtracer.FUZZY) to look at open's call stack, but when I go to that offset inside the packed .so in IDA I only find a %1 placeholder. Why is that?
// Resolve libc's open() and keep a callable handle to the original implementation
var openptr = Module.findExportByName("libc.so", "open");
const open = new NativeFunction(openptr, "int", ["pointer", "int"]);
// Fakepath and libcname are used but never defined in the post; placeholders here
var Fakepath = "/PLACEHOLDER/fake_maps";   // placeholder: path of the fake maps file
var libcname = "libPLACEHOLDER.so";        // placeholder: name of the packed .so to dump
var MapsBuffer = Memory.alloc(512);
var MapsFile = new File(Fakepath, "w");
Interceptor.replace(openptr, new NativeCallback(function (pathname, flag) {
    var name = pathname.readCString();
    if (name.indexOf("maps") != -1) {
        // dump_so is the poster's own helper, defined elsewhere in their script
        dump_so(libcname);
        // Print the native call stack that led to this open() of the maps file
        console.log('open called from:\n' +
            Thread.backtrace(this.context, Backtracer.FUZZY)
                .map(DebugSymbol.fromAddress).join('\n') + '\n');
    }
    // Always forward to the real open() so the target keeps working
    return open(pathname, flag);
}, "int", ["pointer", "int"]));
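The following is an added example, not code from the post. It addresses the address-matching half of the question: a backtrace frame is an absolute address, while IDA shows offsets relative to the file it loaded, and a packer commonly runs decrypted code from an anonymous mapping that is not in that file at all. The helpers below parse /proc/self/maps text (a constructed sample is embedded), attribute each frame to its mapping, and compute the module-relative offset and, for file-backed mappings, the file offset; executable anonymous regions are listed separately because those are the candidates for a memory dump. The sample addresses, paths and mapping layout are constructed for illustration.

```javascript
// Added example (not from the post): attribute backtrace addresses to
// /proc/<pid>/maps entries so each frame can be matched against IDA.

// Constructed sample maps text (layout and addresses are made up).
var SAMPLE_MAPS = [
  '7a1b2c3000-7a1b2d4000 r--p 00000000 fd:00 4321  /data/app/example/lib/arm64/libtarget.so',
  '7a1b2d4000-7a1b2f0000 r-xp 00011000 fd:00 4321  /data/app/example/lib/arm64/libtarget.so',
  '7a1b2f0000-7a1b2f4000 rw-p 0002d000 fd:00 4321  /data/app/example/lib/arm64/libtarget.so',
  '7a1c000000-7a1c040000 rwxp 00000000 00:00 0',
  '7a2000a000-7a20100000 r-xp 00000000 fd:00 1111  /apex/com.android.runtime/lib64/bionic/libc.so'
].join('\n');

// Parse one maps line: "start-end perms offset dev inode [path]".
function parseMapsLine(line) {
  var m = /^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$/.exec(line.trim());
  if (m === null) return null;
  return {
    start: BigInt('0x' + m[1]),
    end: BigInt('0x' + m[2]),
    perms: m[3],
    fileOffset: BigInt('0x' + m[4]),
    path: m[5] === '' ? '[anonymous]' : m[5]
  };
}

function parseMaps(text) {
  return text.split('\n').map(parseMapsLine).filter(function (r) { return r !== null; });
}

// Module base = lowest start address among all mappings sharing the same path.
function moduleBase(ranges, path) {
  var base = null;
  ranges.forEach(function (r) {
    if (r.path === path && (base === null || r.start < base)) base = r.start;
  });
  return base;
}

// Attribute an absolute address to its mapping. moduleOffset is the value to
// look up in IDA (image rebased to 0); fileOffset is the byte position on disk.
// For anonymous mappings the offset is relative to that mapping's own start,
// because no file on disk corresponds to it.
function resolveAddress(ranges, addr) {
  var a = BigInt(addr);
  for (var i = 0; i < ranges.length; i++) {
    var r = ranges[i];
    if (a >= r.start && a < r.end) {
      var anonymous = r.path === '[anonymous]';
      var base = anonymous ? r.start : moduleBase(ranges, r.path);
      return {
        path: r.path,
        perms: r.perms,
        anonymous: anonymous,
        moduleOffset: a - base,
        fileOffset: anonymous ? null : r.fileOffset + (a - r.start)
      };
    }
  }
  return null;   // address is not mapped at all
}

// Executable regions with no backing file: where unpacked code usually lives,
// and therefore what a memory dump should capture.
function executableAnonymousRanges(ranges) {
  return ranges.filter(function (r) {
    return r.path === '[anonymous]' && r.perms.charAt(2) === 'x';
  });
}

// Human-readable version of a list of backtrace addresses.
function describeBacktrace(mapsText, frames) {
  var ranges = parseMaps(mapsText);
  return frames.map(function (f) {
    var r = resolveAddress(ranges, f);
    if (r === null) return f + ' -> unmapped';
    var where = r.anonymous
      ? ' (anonymous ' + r.perms + ' region, not present in the file IDA loaded)'
      : ' (file offset 0x' + r.fileOffset.toString(16) + ')';
    return f + ' -> ' + r.path + '+0x' + r.moduleOffset.toString(16) + where;
  });
}

describeBacktrace(SAMPLE_MAPS, ['0x7a1b2d4100', '0x7a1c000020', '0x7a1b2f4000'])
  .forEach(function (line) { console.log(line); });
```

Under Frida the live text comes from reading /proc/self/maps (or from Process.enumerateRanges, whose entries carry the same start, size, protection and file fields); feed it to describeBacktrace together with the addresses printed by Thread.backtrace. A frame that lands in an anonymous executable region is one that cannot be found at any offset of the original file in IDA; the region itself is what needs to be dumped and loaded.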