Comments (2)
gitQqqHs
commented on August 29, 2024
寄存器污染
在进行 inlinehook 需要进行各种跳转, 通常会以以下模板进行跳转.
0: ldr x16, 8;
4: br x16;
8: 0x12345678
12: 0x00000000
问题在于这会造成 x16 寄存器被污染(�arm64 中 svc #0x80 使用 x16 传递系统调用号) 所以这里有两种思路解决这个问题.
思路一:
在使用寄存器之前进行 push, 跳转后 pop, 这里存在一个问题就是在原地址的几条指令进行 patch code 时一定会污染一个寄存器(也不能说一定, 如果这时进行压栈, 在之后的 invoke_trampline 会导致函数栈发生改变, 此时有个解决方法可以 pop 出来, 由 hook-entry 或者其他变量暂时保存, 但这时需要处理锁的问题. )
思路二:
挑选合适的寄存器, 不考虑污染问题. 这时可以参考, 下面的资料, 选择 x16 or x17, 或者自己做一个实验 otool -tv ~/Downloads/DiSpecialDriver64 > ~/Downloads/DiSpecialDriver64.txt 通过 dump 一个 arm64 程序的指令, 来判断哪个寄存器用的最少, 但是不要使用 x18 寄存器, 你对该寄存器的修改是无效的.
Tips: 之前还想过为对每一个寄存器都做适配, 用户可以选择当前的 hook-entry 选择哪一个寄存器作为临时寄存器.
参考资料:
PAGE: 9-3
Programmer’s Guide for ARMv8-A
9.1 Register use in the AArch64 Procedure Call Standard
9.1.1 Parameters in general-purpose registers
这里也有一个问题, 这也是 frida-gum 中遇到一个问题, 就是对于 svc #0x80 类系统调用, 系统调用号(syscall number)的传递是利用 x16 寄存器进行传递的, 所以本框架使用 x17 寄存器, 并且在传递参数时使用 push & pop, 在跳转后恢复 x17, 避免了一个寄存器的使用.
(转自看雪论坛)
from frida-java-bridge.
oleavr
commented on August 29, 2024
Fixed in latest versions.
from frida-java-bridge.
Related Issues (20)
- hook openjdk 17 on linux will carsh HOT 2
- Error in Java.deoptimizeEverything "no Instrumentation" HOT 1
- Java method hook do not take effect in Android 14
- Efficient way to get a class reference from a given instance
- [Android] Method Instrumentation Causes StackOverflow and App Crash HOT 2
- Error: java.lang.ClassNotFoundException: Didn't find class on path HOT 1
- art_quick_trampolines are not intercepted (Android 14, S22) when using optimized tests
- bug in function recompileExceptionClearForArm
- bug in function instrumentArtMethodInvocationFromInterpreter HOT 1
- enable_spawn_gating occasionally crashes
- global references used in enumerateLoadedClassesArt HOT 1
- Method with argument of type array of array cannot be instrumented HOT 2
- An error occurred when starting frida-server on Android HOT 3
- Function previously hooked then no longer intercepted HOT 2
- Unable to make thread_from_jni_environment() helper for the current architecture HOT 1
- The application freezes after replacing the method implementation HOT 1
- SIGSEGV in artQuickGenericJniTrampoline while hooking java methods HOT 5
- [Feature] Add annotations to Java.registerClass
- Error: Unable to parse ART internals
- Hooking functions on JDK17 (HotSpot) crashes the instrumented application
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from frida-java-bridge.