其他
Android逆向之分析基础
The following article is from 妄为写代码 Author 花儿谢了
1,ndk开发函数名体现形式
总结:
__attribute__ ((visibility ("hidden"))) --> 函数名隐藏
JNIEXPORT --> C++ 为了重载的 name mangling
extern "C" JNIEXPORT --> 按 C 语言的链接方式编译并导出,不做 name mangling,函数名保持不变
2,函数注册跟踪
so文件监控及静态注册
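/**
 * Frida helper: locate an exported loader symbol (dlsym by default; swap
 * in the commented-out android_dlopen_ext name to watch library loads)
 * and attach an Interceptor hook that logs each call's argument and the
 * module the returned address resolves to.
 *
 * Side effects only: prints to the Frida console and installs one hook.
 * Nothing is returned. Must run inside a Frida session (uses the
 * Java / Process / Interceptor / ptr globals).
 */
function find_function() {
  Java.perform(function () {
    // const func_name = "android_dlopen_ext";
    const func_name = "dlsym";
    // The hook mode depends only on func_name, so decide it once here
    // instead of re-scanning the string on every intercepted call.
    const hooksDlopen = func_name.includes("dlopen");
    const hooksDlsym = func_name.includes("dlsym");

    // Scan every loaded module's export table. Substring matches are
    // logged for visibility; only an exact name match is hooked, and the
    // last exact match seen wins (the scan is not stopped early).
    let func_address;
    for (const module of Process.enumerateModules()) {
      for (const exp of module.enumerateExports()) {
        if (!exp.name.includes(func_name)) continue;
        console.log("find function", module.name, exp.name);
        if (exp.name === func_name) {
          func_address = exp.address;
        }
      }
    }

    // No exact export found: nothing to hook.
    if (!func_address) return;
    console.log("fun_address", func_address);

    Interceptor.attach(func_address, {
      onEnter(args) {
        // `this` is the per-invocation context Frida shares with onLeave,
        // so the captured string is available when the call returns.
        if (hooksDlopen) {
          // dlopen / android_dlopen_ext: args[0] is the library path
          this.path = ptr(args[0]).readCString();
        } else if (hooksDlsym) {
          // dlsym: args[1] is the symbol name being looked up
          this.func_name = ptr(args[1]).readCString();
        } else {
          console.log("please check your code");
        }
        console.log("find agrs", "arg[0] =", this.path, ", arg[1] =", this.func_name);
      },
      onLeave(retval) {
        // Resolve the module once; a NULL or unmapped return value yields
        // null and falls through to the "find other" branch.
        const target = Process.findModuleByAddress(retval);
        if (target) {
          console.log("find target", target.name, "-->", this.func_name);
        } else {
          console.log("find other", this.path, "-->", this.func_name);
        }
      },
    });
  });
}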
hook dlopen:
hook dlsym:
动态注册
yang神的脚本地址:
https://github.com/lasting-yang/frida_hook_libart
3,trace剑客
jnitrace
frida-trace
hook strcat:
hook open:
hook dlsym:
hook_artmethod
yang神的脚本地址:
https://github.com/lasting-yang/frida_hook_libart
trace结果:
ndk开发代码:
看过这些 trace 之后,再去看凯神的 unidbg,是不是会有似曾相识的感觉?其中的关键点位也会熟悉很多。