Hook能力
Hook有符号函数
// Module.getExportByName: resolve the address of an exported symbol inside a
// loaded module (it throws when the module or the symbol cannot be found).
const initAddr = Module.getExportByName('libnative-hello.so', '_ZN4FNB11Helloworld4initEijPvj');

Interceptor.attach(initAddr, {
  // Runs before the hooked function; `args` is the raw argument list.
  onEnter(args) {
    console.log('[*] args[0]', args[0]);
    // Dump the native call stack of this invocation, one symbolised frame per line.
    const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
      .map(DebugSymbol.fromAddress)
      .join('\n');
    console.log(`RegisterNatives called from:\n${frames}\n`);
  },
  // Runs after the hooked function returns; the return value is forced to 0
  // before it reaches the caller, then the (replaced) value is logged.
  onLeave(retval) {
    retval.replace(0);
    console.log(`return: ${retval}`);
  },
});
Hook无符号函数
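Java.perform(function () {
  // Base address of the loaded library. Module.findBaseAddress returns null
  // when the library is not mapped into the process yet, and calling .add()
  // on null is exactly the "cannot read property 'add' of null" TypeError.
  const baseAddr = Module.findBaseAddress('libnative-hello.so');
  if (baseAddr === null) {
    throw new Error('libnative-hello.so is not loaded in the target process yet');
  }
  // Virtual address of the target function = module base + function offset.
  const nativePointer = baseAddr.add(0x000000000000341C);
  console.log('lib base address: ' + baseAddr);

  Interceptor.attach(nativePointer, {
    // Runs before the hooked function; `args` is the raw argument list.
    onEnter(args) {
      console.log('[*] args[0]', args[0]);
      // Dump the native call stack of this invocation.
      const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress)
        .join('\n');
      console.log('RegisterNatives called from:\n' + frames + '\n');
    },
    // Runs after the hooked function returns; the return value is forced to 0
    // before it reaches the caller, then the (replaced) value is logged.
    onLeave(retval) {
      retval.replace(0);
      console.log('return: ' + retval);
    },
  });
});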
原函数不执行的Hook
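Java.perform(function () {
  // Base address of the loaded library; null when the library is not mapped
  // yet, which would otherwise surface as "cannot read property 'add' of null".
  const baseAddr = Module.findBaseAddress('libnative-hello.so');
  if (baseAddr === null) {
    throw new Error('libnative-hello.so is not loaded in the target process yet');
  }
  // Virtual address of the target function = module base + function offset.
  const nativePointer = baseAddr.add(0x000D9488);
  console.log('lib base address: ' + baseAddr);

  // Replace the function entirely: the original body never runs and every
  // caller receives 0. The NativeCallback signature ('int' return, four 'int'
  // arguments) must match the replaced function's ABI or the call will corrupt
  // its arguments/stack.
  Interceptor.replace(nativePointer, new NativeCallback(function (a, b, c, d) {
    return 0;
  }, 'int', ['int', 'int', 'int', 'int']));
});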
问题
TypeError: cannot read property 'add' of null
报错
TypeError: cannot read property 'add' of null
Error: expected a pointer
问题原因
frida HOOK非系统的第三方so库时,如果直接使用Module.findExportByName
或者Module.findBaseAddress
在内存中寻找so库地址,通常会返回null,因为此时应用进程还没有加载这个so库。
解决方案
double hook
我们先HOOK负责加载so库的函数(dlopen),当加载的第三方so库正是我们要HOOK的对象时,再去HOOK这个so库内部的函数。
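Java.perform(function () {
  // Step 1: hook libc.so->dlopen so the script is told when libraries load.
  // Step 2: once 'libabcd.so' has been loaded, hook the function at offset
  // 0x000BFA0C inside it (the "sub hook").
  const funcname = 'dlopen';
  const funcAddress = Module.findExportByName('libc.so', funcname);
  if (funcAddress === null) {
    throw new Error('cannot resolve ' + funcname + ' in libc.so');
  }
  // Set once the inner hook is installed, so a second dlopen() of the same
  // library does not attach a duplicate interceptor.
  let subHooked = false;

  Interceptor.attach(funcAddress, {
    onEnter(args) {
      // Keep the requested path on `this` (per-invocation state) rather than
      // in a variable shared by every thread calling dlopen() concurrently.
      // dlopen(NULL, ...) is legal, so guard before reading the string.
      this.path = args[0].isNull() ? '' : Memory.readUtf8String(args[0]);
    },
    onLeave(retval) {
      if (subHooked || !this.path.includes('libabcd.so')) {
        return;
      }
      console.log('dlopen return value: ' + retval);
      // A null handle means dlopen failed and the library is not mapped.
      if (retval.isNull()) {
        return;
      }
      const modexBAddress = Module.findBaseAddress('libabcd.so');
      console.log('baseaddr: ' + modexBAddress);
      if (modexBAddress === null) {
        return;
      }
      const fucPtr = modexBAddress.add(0x000BFA0C);
      console.log('function addr: ' + fucPtr);
      // Attach to the computed code address. The original attached to
      // `retval`, which is the dlopen handle, not the function's address.
      Interceptor.attach(fucPtr, {
        onEnter(args2) {
          console.log('----------------------\ncall unexported function: ' + fucPtr);
        },
        onLeave(retval2) {
        },
      });
      subHooked = true;
    },
  });
});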