Dobby is a lightweight, multi-platform, multi-architecture exploit hook framework.
- Minimal and modular library
- Multi-platform support(Windows/macOS/iOS/Android/Linux)
- Multiple architecture support(X86, X86-64, ARM, ARM64)
a lightweight, multi-platform, multi-architecture hook framework.
License: Apache License 2.0
Dobby is a lightweight, multi-platform, multi-architecture exploit hook framework.
error: address of overloaded function 'strstr' does not match required type 'void'
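// In C++ the name `strstr` is an overload set (a const and a non-const haystack
// version), so `(void *) strstr` gives the compiler no way to choose one. That is
// what the reported "address of overloaded function 'strstr'" error means.
// Binding the name to a typed function pointer selects one overload first.
// NOTE(review): the signature below assumes the standard C++ overload pair;
// confirm it against the platform's <string.h>.
char *(*strstr_entry)(char *, const char *) = strstr;
ZzReplace((void *) strstr_entry, (void *) fake_strstr, (void **) &origin_strstr);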
#### 在 Android 7.1 arm64-v8a 系统上 Hook 系统的 send 函数崩溃
使用 HookZz hook 系统的 send 函数,运行之后,点击屏幕时崩溃,代码如下:
/**
 * Pre-call callback that hook_send registers for send() through ZzWrap.
 *
 * It only emits a marker log line and reads none of its arguments.
 */
void send_pre_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    /* The callback arguments are deliberately unused. */
    (void) rs;
    (void) tsp;
    (void) csp;
    (void) info;

    LOGE("[SEND] pre calling ==============>>");
}
/**
 * Post-call callback that hook_send registers for send() through ZzWrap.
 *
 * It only emits a marker log line and reads none of its arguments.
 * In the crash log on this page the "post calling" line never appears:
 * the SIGSEGV is reported right after the pre-call marker.
 */
void send_post_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info)
{
    /* The callback arguments are deliberately unused. */
    (void) rs;
    (void) tsp;
    (void) csp;
    (void) info;

    LOGE("[SEND] post calling =============>>");
}
/**
 * Wrap the system send() with the pre/post logging callbacks via ZzWrap.
 *
 * NOTE(review): whatever ZzWrap returns is discarded here. Confirm whether it
 * reports failure, because a half-installed wrap would otherwise go unnoticed.
 */
void hook_send()
{
    void *send_entry = (void *) send;

    ZzWrap(send_entry, send_pre_call, send_post_call);
}
崩溃日志如下:
09-13 15:00:30.749 23014-23014/my.hookdemo E/HOOKZZ_SOCKET: [RECVFROM] [fd:44]|[__buf:0x7a878acc20]|[__n:2264]|[__flg:64]|[__dst_addr:0x0]|[__dst_addr_length:0x0]
09-13 15:00:30.753 23014-23014/my.hookdemo E/HOOKZZ: [SEND] pre calling ==============>>
--------- beginning of crash
09-13 15:00:30.753 23014-23014/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 23014 (my.hookdemo)
09-13 15:00:30.831 23054-23054/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-13 15:00:30.832 23054-23054/? A/DEBUG: Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 23014, tid: 23014, name: my.hookdemo >>> my.hookdemo <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18
x0 000000000000002c x1 0000007fdd2e9e60 x2 0000000000000010 x3 0000000000004040
x4 0000000000000000 x5 0000000000000000 x6 0000000000000000 x7 000000000000000b
x8 0000000000000008 x9 0000000000000003 x10 0000000010000000 x11 0000000000000000
x12 0000007fdd2ea860 x13 0000007a9308f600 x14 0000007a862d70c0 x15 0000007a96c1e1c8
x16 0000007a9551fd98 x17 0000007aa5b0db18 x18 0000000072c31a5c x19 0000007fdd2e9e60
x20 0000007a862d7d60 x21 0000000000000010 x22 0000000000004040 x23 0000000000000000
x24 0000000000000000 x25 000000000000128e x26 000000000000128e x27 0000000012d98140
x28 0000000000000001 x29 0000007fdd2e9e30 x30 0000007a9190a01c
sp 0000007fdd2e9e10 pc 0000007aa5b0db18 pstate 0000000060000000
09-13 15:00:30.834 23054-23054/? A/DEBUG: backtrace:
#00 pc 0000007aa5b0db18 <unknown>
#01 pc 0000000000000018 <anonymous:0000007a9190a000>
使用 ZzReplace 函数执行 hook,也是在运行之后,点击屏幕就崩溃,hook 代码:
/*
 * Pointer through which the replacement reaches the original send().
 * NOTE(review): presumably filled in through the third argument of ZzReplace;
 * the call site that passes &origin_send is not shown here.
 */
ssize_t (*origin_send)(int __fd, const void *__buf, size_t __n, int __flags);

/**
 * Replacement for send(): logs a marker line, then forwards the call unchanged.
 *
 * Once installed, this function sits on the path of callers of send(). The
 * crash trace on this page reaches it from android::InputChannel::sendMessage,
 * so it must keep the exact send() contract and return the forwarded result.
 * A more detailed log line (fd, buffer pointer, length, flags) was disabled
 * in the original snippet.
 *
 * @return whatever the call through origin_send returns.
 */
ssize_t (fake_send)(int __fd, const void *__buf, size_t __n, int __flags) {
    SOCKET_LOG("fake_send calling ****************>>");

    const ssize_t forwarded = origin_send(__fd, __buf, __n, __flags);
    return forwarded;
}
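/**
 * Install a replacement hook through ZzReplace and map its status to 0 / -1.
 *
 * @param target_addr  address of the function to replace, carried as an integer
 * @param new_addr     address of the replacement function, carried as an integer
 * @param proto_addr   out-pointer handed to ZzReplace as its third argument
 * @return 0 when ZzReplace reports RS_SUCCESS, -1 otherwise (including when
 *         either address is 0)
 */
static int doHookZZ(uint64_t target_addr, uint64_t new_addr, uint64_t **proto_addr) {
    /* A zero address can never be a valid hook target or replacement. */
    if (target_addr == 0 || new_addr == 0) {
        return -1;
    }

    /* Convert through uintptr_t so the integer-to-pointer cast has the pointer's
     * width on 32-bit ABIs too; a direct uint64_t -> void * cast is a size
     * mismatch there. */
    void *target = (void *) (uintptr_t) target_addr;
    void *replacement = (void *) (uintptr_t) new_addr;

    if (ZzReplace(target, replacement, (void **) proto_addr) != RS_SUCCESS) {
        return -1;
    }
    return 0;
}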
日志
09-13 15:15:31.402 26230-26230/my.hookdemo E/HOOKZZ_SOCKET: fake_send calling ****************>>
--------- beginning of crash
09-13 15:15:31.403 26230-26230/my.hookdemo A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7aa5b0db18 in tid 26230 (my.hookdemo)
09-13 15:15:31.477 26398-26398/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/angler/angler:7.1.2/N2G48C/4104010:user/release-keys'
09-13 15:15:31.478 26398-26398/? A/DEBUG: Revision: '0'
ABI: 'arm64'
pid: 26230, tid: 26230, name: my.hookdemo >>> my.hookdemo <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7aa5b0db18
x0 000000000000002c x1 0000007fdd2e9e60 x2 0000000000000010 x3 0000000000004040
x4 0000000000000000 x5 0000000000000000 x6 0000007a96eed000 x7 0000000000000000
x8 0000000000004040 x9 0000000000000034 x10 0000007fdd2e9860 x11 0000000000000025
x12 0000000000000018 x13 0000000000000000 x14 0000000000000000 x15 0017fdb2c501f011
x16 0000007a93bf7a48 x17 0000007aa5b0db18 x18 0000000072c31a5c x19 0000007fdd2e9e60
x20 0000007a862e3040 x21 0000000000000010 x22 0000000000004040 x23 0000000000000000
x24 0000000000000000 x25 0000000000001421 x26 0000000000001421 x27 0000000012d84420
x28 0000000000000001 x29 0000007fdd2e9e00 x30 0000007a78fb3d6c
sp 0000007fdd2e9dd0 pc 0000007aa5b0db18 pstate 0000000060000000
09-13 15:15:31.982 26398-26398/? A/DEBUG: backtrace:
#00 pc 0000007aa5b0db18 <unknown>
#01 pc 000000000000dd68 /data/app/my.hookdemo-1/lib/arm64/libhookzz64.so (_Z9fake_sendiPKvmi+108)
#02 pc 0000000000022a7c /system/lib64/libinput.so (_ZN7android12InputChannel11sendMessageEPKNS_12InputMessageE+108)
#03 pc 0000000000024870 /system/lib64/libinput.so (_ZN7android13InputConsumer18sendFinishedSignalEjb+400)
09-13 15:15:31.983 26398-26398/? A/DEBUG: #04 pc 00000000000d8908 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver16finishInputEventEjb+56)
#05 pc 00000000000d8a5c /system/lib64/libandroid_runtime.so
#06 pc 00000000022111e4 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.nativeFinishInputEvent+144)
#07 pc 0000000002211734 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.finishInputEvent+384)
#08 pc 000000000230a68c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.finishInputEvent+168)
#09 pc 0000000002307378 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.-wrap5+52)
#10 pc 00000000022fbbc8 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+100)
#11 pc 00000000022fec88 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$SyntheticInputStage.onDeliverToNext+324)
#12 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
#13 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
#14 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
#15 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
#16 pc 0000000002303d24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$ViewPostImeInputStage.onDeliverToNext+256)
#17 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
#18 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
#19 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
#20 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
#21 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
#22 pc 00000000022fc600 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.forward+92)
#23 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
#24 pc 00000000022fc38c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$AsyncInputStage.apply+120)
#25 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
#26 pc 00000000022fbba0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.onDeliverToNext+60)
#27 pc 00000000022fbb24 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.forward+48)
#28 pc 00000000022fb714 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.apply+64)
#29 pc 00000000022fb934 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$InputStage.deliver+160)
#30 pc 00000000023089e4 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.deliverInputEvent+272)
#31 pc 0000000002314428 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.doProcessInputEvents+372)
#32 pc 0000000002314d5c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl.enqueueInputEvent+312)
#33 pc 0000000002306ee8 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.ViewRootImpl$WindowInputEventReceiver.onInputEvent+68)
#34 pc 0000000002210e0c /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.view.InputEventReceiver.dispatchInputEvent+120)
#35 pc 00000000000d3b34 /system/lib64/libart.so (art_quick_invoke_stub+580)
#36 pc 00000000000e0800 /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+204)
#37 pc 0000000000432240 /system/lib64/libart.so (_ZN3artL18InvokeWithArgArrayERKNS_33ScopedObjectAccessAlreadyRunnableEPNS_9ArtMethodEPNS_8ArgArrayEPNS_6JValueEPKc+108)
#38 pc 00000000004337ec /system/lib64/libart.so (_ZN3art35InvokeVirtualOrInterfaceWithVarArgsERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectP10_jmethodIDSt9__va_list+388)
09-13 15:15:31.984 26398-26398/? A/DEBUG: #39 pc 0000000000337e1c /system/lib64/libart.so (_ZN3art3JNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+624)
#40 pc 000000000010700c /system/lib64/libart.so (_ZN3art8CheckJNI11CallMethodVEPKcP7_JNIEnvP8_jobjectP7_jclassP10_jmethodIDSt9__va_listNS_9Primitive4TypeENS_10InvokeTypeE+3684)
#41 pc 00000000000f93a0 /system/lib64/libart.so (_ZN3art8CheckJNI15CallVoidMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+96)
#42 pc 00000000000a5df8 /system/lib64/libandroid_runtime.so
#43 pc 00000000000d8cc4 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver13consumeEventsEP7_JNIEnvblPb+432)
#44 pc 00000000000d9270 /system/lib64/libandroid_runtime.so (_ZN7android24NativeInputEventReceiver11handleEventEiiPv+440)
#45 pc 0000000000018308 /system/lib64/libutils.so (_ZN7android6Looper9pollInnerEi+916)
#46 pc 0000000000017eb4 /system/lib64/libutils.so (_ZN7android6Looper8pollOnceEiPiS1_PPv+60)
#47 pc 00000000000f0cf4 /system/lib64/libandroid_runtime.so (_ZN7android18NativeMessageQueue8pollOnceEP7_JNIEnvP8_jobjecti+48)
#48 pc 0000000001f324f0 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.MessageQueue.nativePollOnce+140)
#49 pc 0000000001f34110 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.MessageQueue.next+236)
#50 pc 0000000001f2de28 /system/framework/arm64/boot-framework.oat (offset 0x1691000) (android.os.Looper.loop+340)
#51 pc 00000000000dd37c /system/lib64/libart.so
--------- beginning of system
您好,我看你的博客有这个inlinehook对抗的文章
里面有对 inline hook 前几条指令内容进行判断的方法。
一般来说使用 inlinehook 进行 hook 函数, 修改函数的前几条指令为跳转指令. 可以通过这个进行校验.
比如有一个检测函数对传入的函数地址的第二条指令进行了判断,如果是跳转指令则认为它是被修改过的了。 我想把前二条指令修改为垃圾指令,该从什么地方入手呢?
Undefined symbols for architecture arm64:
"_ZzInstrument", referenced from:
____main in ViewController.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
编译出来的libhookzz.dylib,放IDA里面看也没有ZzInstrument这个方法,麻烦问下是使用的原因吗。。
Hi,
I'm using the latest code in master (commit no: f2adeae ) for AppleTrace.
To reproduce the assertion failure in BKSDisplayServices, please follow the 3 steps below:
git clone git@github.com:everettjf/AppleTrace.git
git checkout crash
Open AppleTrace/sample/TraceAllMsgDemo/TraceAllMsgDemo.xcodeproj
Connect arm64 device, command+r
run.
Then an assertion failure occurs (it is a BKSDisplayServices assertion):
2018-10-28 17:44:31.651408+0800 TraceAllMsgDemo[21902:2695316] *** Assertion failure in Boolean BKSDisplayServicesStart(void)(), /BuildRoot/Library/Caches/com.apple.xbs/Sources/BackBoardServicesFramework/backboarddaemon-195.45.7/BackBoardServices/BKSDisplayServices.m:48
cmake:
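# Configure a Release build of the shared library for Android armeabi-v7a using
# the NDK's CMake toolchain file. Every expansion of ANDROID_NDK is quoted so an
# NDK path containing spaces or glob characters is passed as a single argument.
ANDROID_NDK=/home/user/dev/android-ndk-r17b
cmake .. \
    -DCMAKE_TOOLCHAIN_FILE="$ANDROID_NDK/build/cmake/android.toolchain.cmake" \
    -DANDROID_NDK="$ANDROID_NDK" \
    -DCMAKE_BUILD_TYPE=Release \
    -DANDROID_ABI=armeabi-v7a \
    -DCXX=OFF \
    -DX_ARCH=arm \
    -DX_PLATFORM=Android \
    -DX_SHARED=ON \
    -DX_LOG=OFF \
    -DCMAKE_VERBOSE_MAKEFILE=OFF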
build:
[ 5%] Building C object CMakeFiles/hookzz.dir/src/closure_bridge.c.o
[ 10%] Building C object CMakeFiles/hookzz.dir/src/hookzz.c.o
[ 15%] Building C object CMakeFiles/hookzz.dir/src/interceptor.c.o
[ 21%] Building C object CMakeFiles/hookzz.dir/src/interceptor_routing.c.o
/home/user/build/HookZz/src/interceptor_routing.c:103:32: warning: incompatible pointer to integer conversion assigning to 'uintptr_t' (aka 'unsigned int') from
'void *' [-Wint-conversion]
fp_reg = get_current_fp_reg();
^ ~~~~~~~~~~~~~~~~~~~~
1 warning generated.
[ 26%] Building C object CMakeFiles/hookzz.dir/src/interceptor_routing_trampoline.c.o
[ 31%] Building C object CMakeFiles/hookzz.dir/src/logging.c.o
[ 36%] Building C object CMakeFiles/hookzz.dir/src/memory_manager.c.o
[ 42%] Building C object CMakeFiles/hookzz.dir/src/std_kit/std_buffer_array.c.o
[ 47%] Building C object CMakeFiles/hookzz.dir/src/std_kit/std_kit.c.o
/home/user/build/HookZz/src/std_kit/std_kit.c:4:47: warning: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Wformat]
ERROR_LOG("[!] malloc with size %ld", size);
~~~ ^~~~
%zu
/home/user/build/HookZz/./src/std_kit/std_kit.h:62:47: note: expanded from macro 'ERROR_LOG'
__FILE__, __LINE__, __func__, __VA_ARGS__); \
^~~~~~~~~~~
1 warning generated.
[ 52%] Building C object CMakeFiles/hookzz.dir/src/std_kit/std_list.c.o
[ 57%] Building C object CMakeFiles/hookzz.dir/src/std_kit/std_map.c.o
[ 63%] Building C object CMakeFiles/hookzz.dir/src/thread_support/thread_local_storage.c.o
[ 68%] Building C object CMakeFiles/hookzz.dir/src/thread_support/thread_stack.c.o
[ 73%] Building C object CMakeFiles/hookzz.dir/src/compiler-rt/lib/builtins/clear_cache.c.o
[ 78%] Building C object CMakeFiles/hookzz.dir/src/platforms/backend-posix/memory-helper-posix.c.o
[ 84%] Building C object CMakeFiles/hookzz.dir/src/platforms/backend-posix/memory-manager-posix.c.o
[ 89%] Building C object CMakeFiles/hookzz.dir/src/platforms/backend-posix/thread-local-storage-posix.c.o
[ 94%] Building C object CMakeFiles/hookzz.dir/src/platforms/backend-linux/memory-manager-linux.c.o
/home/user/build/HookZz/src/platforms/backend-linux/memory-manager-linux.c:56:57: warning: format specifies type 'unsigned long *' but the argument has type
'zz_addr_t *' (aka 'unsigned int *') [-Wformat]
if (sscanf(buf, "%lx-%lx %s %llx %x:%x %lu %s", &start_addr, &end_addr, prot, &offset, &dev, &sdev, &inode,
~~~ ^~~~~~~~~~~
%x
/home/user/build/HookZz/src/platforms/backend-linux/memory-manager-linux.c:56:70: warning: format specifies type 'unsigned long *' but the argument has type
'zz_addr_t *' (aka 'unsigned int *') [-Wformat]
if (sscanf(buf, "%lx-%lx %s %llx %x:%x %lu %s", &start_addr, &end_addr, prot, &offset, &dev, &sdev, &inode,
~~~ ^~~~~~~~~
%x
2 warnings generated.
[100%] Linking C shared library libhookzz.so
/home/user/build/HookZz/src/closure_bridge.c:23: error: undefined reference to 'ClosureBridgeInitializeTablePage'
/home/user/build/HookZz/src/closure_bridge.c:48: error: undefined reference to 'ClosureBridgeInitializeClosureBridgeInfo'
/home/user/build/HookZz/src/hookzz.c:25: error: undefined reference to 'interceptor_trampoline_active'
/home/user/build/HookZz/src/interceptor_routing.c:78: error: undefined reference to 'get_next_hop_addr_PTR'
/home/user/build/HookZz/src/interceptor_routing.c:79: error: undefined reference to 'get_ret_addr_PTR'
/home/user/build/HookZz/src/interceptor_routing.c:86: error: undefined reference to 'get_next_hop_addr_PTR'
/home/user/build/HookZz/src/interceptor_routing.c:93: error: undefined reference to 'get_next_hop_addr_PTR'
/home/user/build/HookZz/src/interceptor_routing.c:103: error: undefined reference to 'get_current_fp_reg'
/home/user/build/HookZz/src/interceptor_routing.c:106: error: undefined reference to 'get_ret_addr_PTR'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:5: error: undefined reference to 'interceptor_trampoline_prepare'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:6: error: undefined reference to 'interceptor_trampoline_build_for_enter'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:7: error: undefined reference to 'interceptor_trampoline_build_for_invoke'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:10: error: undefined reference to 'interceptor_trampoline_prepare'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:11: error: undefined reference to 'interceptor_trampoline_build_for_enter_transfer'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:15: error: undefined reference to 'interceptor_trampoline_build_for_enter'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:0: error: undefined reference to 'interceptor_trampoline_build_for_leave'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:18: error: undefined reference to 'interceptor_trampoline_prepare'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:19: error: undefined reference to 'interceptor_trampoline_build_for_dynamic_binary_instrumentation'
/home/user/build/HookZz/src/interceptor_routing_trampoline.c:0: error: undefined reference to 'interceptor_trampoline_build_for_invoke'
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Can you point me in the right direction how to make building this library work? Thanks!
Env: iOS arm64
Code:
/* Register pre-call and post-call callbacks for the "objc_msgSend" symbol via
 * ZzHookGOT. The second and third arguments are passed as NULL; their meaning
 * is not shown on this page. */
ZzHookGOT("objc_msgSend",NULL,NULL, objc_msgSend_pre_call, objc_msgSend_post_call);
Full Code:
Question:
objc_msgSend_post_call is not called, although objc_msgSend_pre_call is called.
Is it a GOT hook bug, or a mistake on my side? 😄
Try to read the design doc, but can't find anything about how to implement.
hi, 我想编译arm64位版本在android下使用,但是编译出错,能帮忙看下么。
根目录下有个android.mk, 我自己写了一个application.mk, 再组织一下文件格式,直接用ndk可以编译出来一个 libhookzz.a 静态库文件,但是在使用这个静态库时,链接到我的so时出错:
In function `zz_arm64_thunker_build_enter_thunk':
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:291: undefined reference to `ctx_save'
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:291: undefined reference to `ctx_save'
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:318: undefined reference to `ctx_restore'
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:318: undefined reference to `ctx_restore'
E:/xxxx/MyApplication/app/src/main/jni/libhookzz.a(thunker-arm64.o): In function `zz_arm64_thunker_build_half_thunk':
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:332: undefined reference to `ctx_save'
E:/xxxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:523: undefined reference to `enter_thunk_template'
E:/xxx/hook/HookZz-master/jni/src/platforms/backend-arm64/thunker-arm64.c:523: undefined reference to `enter_thunk_template'
......
提示thunker-arm64.c文件里找不到ctx_save、ctx_restore等几个函数的实现。我去到thunker-arm64.c文件里,发现这几个函数被注释掉了,是因为功能不稳定么? 我将这些注释去掉,再将interceptor-arm64.h头文件里这几个函数的声明注释(奇怪的是interceptor-arm64.c里也没有实现这几个函数),可以链接成功,但是运行起来后,hook时崩溃了。
是因为interceptor-arm64.c 没有上传?或者我使用姿势有误吗?
Look at title. No way to compile under arm without any errors.
三星A70 9.0系统 hook fstatat64 出现seccomp prevented call to disallowed arm64 system call 300
A/libc: Fatal signal 31 (SIGSYS), code 1 (SYS_SECCOMP) in tid 6546 (.fileredirect:x), pid 6546 (.fileredirect:x)
2019-05-09 19:06:04.185 1797-11947/? E/WindowManager: win=Window{6b989cf u0 com.sec.android.app.launcher/com.sec.android.app.launcher.activities.LauncherActivity} destroySurfaces: appStopped=false win.mWindowRemovalAllowed=false win.mRemoveOnExit=false win.mViewVisibility=8 caller=com.android.server.wm.WindowManagerService.tryStartExitingAnimation:2752 com.android.server.wm.WindowManagerService.relayoutWindow:2449 com.android.server.wm.Session.relayoutForTranslate:287 android.view.IWindowSession$Stub.onTransact:432 com.android.server.wm.Session.onTransact:186 android.os.Binder.execTransact:739
2019-05-09 19:06:06.831 6566-6566/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-05-09 19:06:06.831 6566-6566/? A/DEBUG: Build fingerprint: 'samsung/a70qzc/a70q:9/PPR1.180610.011/A7050ZCU1ASD6:user/release-keys'
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: Revision: '12'
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: ABI: 'arm64'
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: pid: 6546, tid: 6546, name: .fileredirect:x >>> cn.qssq666.fileredirect:x <<<
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: Cause: seccomp prevented call to disallowed arm64 system call 300
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x0 00000000ffffff9c x1 0000007fd2014418 x2 0000007fd20102a8 x3 0000000000000100
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x4 0000000000000000 x5 f81d610211055200 x6 f81d610211055200 x7 0052051102611df8
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x8 000000000000012c x9 0000007fd20100e0 x10 000000000000012c x11 0101010101010101
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x12 0000000000000009 x13 0000000000000003 x14 0000007d68655320 x15 f81d610211055200
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x16 0000007d50d928f0 x17 0000007de9337490 x18 0000000000000000 x19 0000007fd2014418
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x20 0000000000000005 x21 0000000000000001 x22 0000007fd2011328 x23 000000000000002d
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x24 0000007fd201232c x25 0000000000000004 x26 0000007def2715f8 x27 0000007fd201232c
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: x28 0000007fd2012328 x29 0000007fd2010280
2019-05-09 19:06:06.832 6566-6566/? A/DEBUG: sp 0000007fd2010240 lr 0000007d50d52d1c pc 0000007de93374b0
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: backtrace:
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #00 pc 000000000001f4b0 /system/lib64/libc.so (syscall+32)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #1 pc 000000000000cd18 /data/app/cn.qssq666.fileredirect-K8mW5u6caOcgcWJomj8QfA==/lib/arm64/libqssqredirect.so (new_fstatat64+84)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #2 pc 0000000000054e48 /system/lib64/libc.so (offset 0x26000) (realpath+640)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #3 pc 000000000001c8cc /system/lib64/libopenjdk.so (canonicalize+176)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #4 pc 000000000001fc34 /system/lib64/libopenjdk.so (Java_java_io_UnixFileSystem_canonicalize0+88)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #5 pc 0000000000116748 /system/framework/arm64/boot.oat (offset 0x115000) (java.lang.invoke.MethodHandle.invoke [DEDUPED]+152)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #6 pc 0000000000559388 /system/lib64/libart.so (art_quick_invoke_stub+584)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #7 pc 00000000000d02c8 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #8 pc 0000000000280cc0 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #9 pc 000000000027acc8 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #10 pc 000000000052971c /system/lib64/libart.so (MterpInvokeDirect+296)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #11 pc 000000000054bb14 /system/lib64/libart.so (ExecuteMterpImpl+14484)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #12 pc 00000000000c1802 /system/framework/boot.vdex (java.io.UnixFileSystem.canonicalize+8)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #13 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #14 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #15 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #16 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #17 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #18 pc 00000000000b856a /system/framework/boot.vdex (java.io.File.getCanonicalPath+28)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #19 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #20 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.951 6566-6566/? A/DEBUG: #21 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #22 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #23 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #24 pc 000000000012585a /dev/ashmem/dalvik-classes.dex extracted in memory from /data/app/cn.qssq666.fileredirect-K8mW5u6caOcgcWJomj8QfA==/base.apk_6546_6546 (deleted) (cn.qssq666.fileredirect.AppContext.testRedirect+126)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #25 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #26 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #27 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #28 pc 000000000052971c /system/lib64/libart.so (MterpInvokeDirect+296)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #29 pc 000000000054bb14 /system/lib64/libart.so (ExecuteMterpImpl+14484)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #30 pc 00000000001257bc /dev/ashmem/dalvik-classes.dex extracted in memory from /data/app/cn.qssq666.fileredirect-K8mW5u6caOcgcWJomj8QfA==/base.apk_6546_6546 (deleted) (cn.qssq666.fileredirect.AppContext.onCreate+20)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #31 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #32 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #33 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #34 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #35 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #36 pc 00000000004eac94 /system/framework/boot-framework.vdex (android.app.Instrumentation.callApplicationOnCreate)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #37 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #38 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #39 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #40 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #41 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #42 pc 00000000004c45c2 /system/framework/boot-framework.vdex (android.app.ActivityThread.handleBindApplication+2270)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #43 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #44 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #45 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #46 pc 000000000052971c /system/lib64/libart.so (MterpInvokeDirect+296)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #47 pc 000000000054bb14 /system/lib64/libart.so (ExecuteMterpImpl+14484)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #48 pc 00000000005e9fc8 /system/framework/boot-framework.vdex (android.app.ActivityThread.access$1200)
2019-05-09 19:06:06.952 6566-6566/? A/DEBUG: #49 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #50 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #51 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #52 pc 00000000005298e0 /system/lib64/libart.so (MterpInvokeStatic+204)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #53 pc 000000000054bb94 /system/lib64/libart.so (ExecuteMterpImpl+14612)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #54 pc 00000000004c113a /system/framework/boot-framework.vdex (android.app.ActivityThread$H.handleMessage+1574)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #55 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #56 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #57 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #58 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #59 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #60 pc 0000000000c73dde /system/framework/boot-framework.vdex (android.os.Handler.dispatchMessage+42)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #61 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #62 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #63 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #64 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #65 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #66 pc 0000000000c7c9b2 /system/framework/boot-framework.vdex (android.os.Looper.loop+406)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #67 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #68 pc 000000000025a410 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #69 pc 000000000027acac /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #70 pc 00000000005298e0 /system/lib64/libart.so (MterpInvokeStatic+204)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #71 pc 000000000054bb94 /system/lib64/libart.so (ExecuteMterpImpl+14612)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #72 pc 00000000004c68fc /system/framework/boot-framework.vdex (android.app.ActivityThread.main+220)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #73 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #74 pc 0000000000518c70 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #75 pc 00000000005624fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
2019-05-09 19:06:06.953 6566-6566/? A/DEBUG: #76 pc 000000000055964c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #77 pc 00000000000d02e8 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #78 pc 000000000045ed50 /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #79 pc 00000000004607a4 /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #80 pc 00000000003efe28 /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #81 pc 000000000011f7e4 /system/framework/arm64/boot.oat (offset 0x115000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #82 pc 0000000000559388 /system/lib64/libart.so (art_quick_invoke_stub+584)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #83 pc 00000000000d02c8 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #84 pc 0000000000280cc0 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #85 pc 000000000027acc8 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #86 pc 00000000005283dc /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #87 pc 000000000054ba14 /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #88 pc 00000000013e13ea /system/framework/boot-framework.vdex (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+22)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #89 pc 000000000025491c /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1035353631+488)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #90 pc 0000000000518c70 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #91 pc 00000000005624fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #92 pc 0000000000e15180 /system/framework/arm64/boot-framework.oat (offset 0x41e000) (com.android.internal.os.ZygoteInit.main+2208)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #93 pc 000000000055964c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #94 pc 00000000000d02e8 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #95 pc 000000000045ed50 /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #96 pc 000000000045e9b0 /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #97 pc 0000000000363698 /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #98 pc 00000000000b8238 /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+116)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #99 pc 00000000000bae90 /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+768)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #100 pc 0000000000004c44 /system/bin/app_process64 (main+1832)
2019-05-09 19:06:06.954 6566-6566/? A/DEBUG: #101 pc 00000000000c9e60 /system/lib64/libc.so (offset 0x7e000) (__libc_init+88)
2019-05-09 19:06:07.116 1083-1083/? E//system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_03
2019-05-09 19:06:07.128 606-606/? E/audit: type=1701 audit(1557399967.115:3855): auid=4294967295 uid=10235 gid=10235 ses=4294967295 subj=u:r:untrusted_app:s0:c235,c256,c512,c768 pid=6546 comm=".fileredirect:x" exe="/system/bin/app_process64" sig=31 res=1
2019-05-09 19:06:07.172 1797-6015/? E/WindowManager: win=Window{d6c63ae u0 Splash Screen cn.qssq666.fileredirect EXITING} destroySurfaces: appStopped=false win.mWindowRemovalAllowed=true win.mRemoveOnExit=true win.mViewVisibility=0 caller=com.android.server.wm.AppWindowToken.destroySurfaces:888 com.android.server.wm.AppWindowToken.destroySurfaces:869 com.android.server.wm.WindowState.onExitAnimationDone:5453 com.android.server.wm.-$$Lambda$01bPtngJg5AqEoOWfW3rWfV7MH4.accept:2 java.util.ArrayList.forEach:1262 com.android.server.wm.AppWindowToken.onAnimationFinished:2422 com.android.server.wm.AppWindowToken.setVisibility:552
2019-05-09 19:06:13.266 606-606/? E/audit: type=1400 audit(1557399973.255:3856): avc: denied { read } for pid=6214 comm="KernelThread-2" name="version" dev="proc" ino=4026532038 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 SEPF_SM-A7050_9_0002 audit_filtered
2019-05-09 19:06:13.266 606-606/? E/audit: type=1300 audit(1557399973.255:3856): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c1d67558 a2=20000 a3=0 items=0 ppid=614 pid=6214 auid=4294967295 uid=10208 gid=10208 euid=10208 suid=10208 fsuid=10208 egid=10208 sgid=10208 fsgid=10208 tty=(none) ses=4294967295 comm="KernelThread-2" exe="/system/bin/app_process32" subj=u:r:untrusted_app_27:s0:c512,c768 key=(null)
2019-05-09 19:06:13.266 606-606/? E/audit: type=1327 audit(1557399973.255:3856): proctitle="com.eg.android.AlipayGphone:push"
2019-05-09 19:06:13.269 606-606/? E/audit: type=1400 audit(1557399973.255:3857): avc: denied { read } for pid=6214 comm="KernelThread-2" name="power_supply" dev="sysfs" ino=34742 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 SEPF_SM-A7050_9_0002 audit_filtered
2019-05-09 19:06:13.270 606-606/? E/audit: type=1300 audit(1557399973.255:3857): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c1d67560 a2=a4000 a3=0 items=0 ppid=614 pid=6214 auid=4294967295 uid=10208 gid=10208 euid=10208 suid=10208 fsuid=10208 egid=10208 sgid=10208 fsgid=10208 tty=(none) ses=4294967295 comm="KernelThread-2" exe="/system/bin/app_process32" subj=u:r:untrusted_app_27:s0:c512,c768 key=(null)
2019-05-09 19:06:13.270 606-606/? E/audit: type=1327 audit(1557399973.255:3857): proctitle="com.eg.android.AlipayGphone:push"
2019-05-09 19:06:13.270 606-606/? E/audit: type=1400 audit(1557399973.255:3858): avc: denied { read } for pid=6214 comm="KernelThread-2" name="power_supply" dev="sysfs" ino=34742 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 SEPF_SM-A7050_9_0002 audit_filtered
2019-05-09 19:06:13.270 606-606/? E/audit: type=1300 audit(1557399973.255:3858): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c1d67560 a2=a4000 a3=0 items=0 ppid=614 pid=6214 auid=4294967295 uid=10208 gid=10208 euid=10208 suid=10208 fsuid=10208 egid=10208 sgid=10208 fsgid=10208 tty=(none) ses=4294967295 comm="KernelThread-2" exe="/system/bin/app_process32" subj=u:r:untrusted_app_27:s0:c512,c768 key=(null)
2019-05-09 19:06:13.270 606-606/? E/audit: type=1327 audit(1557399973.255:3858): proctitle="com.eg.android.AlipayGphone:push"
2019-05-09 19:06:13.284 6214-6528/? E/libc: Access denied finding property "ro.serialno"
崩溃堆栈如下:
07-25 11:48:14.676 14388 14388 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
07-25 11:48:14.676 840 840 I /system/bin/tombstoned: received crash request for pid 14363
07-25 11:48:14.677 14388 14388 I crash_dump64: performing dump of process 14363 (target tid = 14363)
07-25 11:48:14.681 14388 14388 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-25 11:48:14.681 14388 14388 F DEBUG : Build fingerprint: 'HUAWEI/ELE-TL00/HWELE:9/HUAWEIELE-TL00/162C01:user/release-keys'
07-25 11:48:14.681 14388 14388 F DEBUG : Revision: '0'
07-25 11:48:14.681 14388 14388 F DEBUG : ABI: 'arm64'
07-25 11:48:14.681 14388 14388 F DEBUG : Happend: 'Thu Jul 25 11:48:14 2019
07-25 11:48:14.681 14388 14388 F DEBUG : '
07-25 11:48:14.681 14388 14388 F DEBUG : SYSVMTYPE: Maple
07-25 11:48:14.681 14388 14388 F DEBUG : APPVMTYPE: Art
07-25 11:48:14.681 14388 14388 F DEBUG : pid: 14363, tid: 14363, name: om.example.prop >>> com.example.prop <<<
07-25 11:48:14.681 14388 14388 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x80401010080401
07-25 11:48:14.681 14388 14388 F DEBUG : x0 0080401010080401 x1 0000007b0580695e x2 0000007fee57c5dc x3 0000000000000100
07-25 11:48:14.681 14388 14388 F DEBUG : x4 0000007fee57c638 x5 0000007fee57a62b x6 68646e617362696c x7 00000004691cc533
07-25 11:48:14.681 14388 14388 F DEBUG : x8 0000000000000002 x9 0000007b8bfa0098 x10 0000007b0580695e x11 0000000000000000
07-25 11:48:14.681 14388 14388 F DEBUG : x12 6b6f6f68646e6173 x13 526f2e00006f732e x14 00006f732e6b6f6f x15 0000000000003e98
07-25 11:48:14.681 14388 14388 F DEBUG : x16 0000007b88934f40 x17 0000007b87433924 x18 0000000000000008 x19 0000007fee57c5dc
07-25 11:48:14.681 14388 14388 F DEBUG : x20 0000007b8bfa0098 x21 0000007b0580695e x22 0000007fee57d78c x23 0000007b8c24d5e0
07-25 11:48:14.681 14388 14388 F DEBUG : x24 0000007fee57c5dc x25 0000007b8c24d5e0 x26 0000007b05a15ca0 x27 0000007b8c24d5e0
07-25 11:48:14.681 14388 14388 F DEBUG : x28 0000000000000000 x29 0000007fee57c590
07-25 11:48:14.681 14388 14388 F DEBUG : sp 0000007fee57c570 lr 0000007ae9807994 pc 0000007b87424b44
07-25 11:48:14.758 14388 14388 F DEBUG :
07-25 11:48:14.758 14388 14388 F DEBUG : backtrace:
07-25 11:48:14.758 14388 14388 F DEBUG : #00 pc 0000000000021b44 /system/lib64/libc.so (SystemProperties::Get(char const*, char*)+44)
07-25 11:48:14.758 14388 14388 F DEBUG : #01 pc 0000000000000990 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/lib/arm64/libnative-lib.so (fake__system_property_get(char const*, char*)+36)
07-25 11:48:14.758 14388 14388 F DEBUG : #02 pc 000000000000dedc /system/lib64/libcutils.so (property_get_int32+80)
07-25 11:48:14.758 14388 14388 F DEBUG : #03 pc 00000000003d32e0 /system/lib64/libart.so (art::DexFile_Hotfix(char const*)+88)
07-25 11:48:14.758 14388 14388 F DEBUG : #04 pc 0000000000003f7c /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+120)
07-25 11:48:14.758 14388 14388 F DEBUG : #05 pc 000000000013bbc8 /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Runtime.nativeLoad [DEDUPED]+200)
07-25 11:48:14.758 14388 14388 F DEBUG : #06 pc 00000000001d005c /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Runtime.loadLibrary0+188)
07-25 11:48:14.758 14388 14388 F DEBUG : #07 pc 00000000001d5d20 /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.System.loadLibrary+96)
07-25 11:48:14.758 14388 14388 F DEBUG : #08 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG : #09 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG : #10 pc 0000000000283fa8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.758 14388 14388 F DEBUG : #11 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG : #12 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG : #13 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG : #14 pc 00000000001b0200 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.SandHookConfig$1.loadLib+12)
07-25 11:48:14.758 14388 14388 F DEBUG : #15 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG : #16 pc 000000000025d7a8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.758 14388 14388 F DEBUG : #17 pc 000000000027df94 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.758 14388 14388 F DEBUG : #18 pc 000000000053fa14 /system/lib64/libart.so (MterpInvokeInterface+1392)
07-25 11:48:14.758 14388 14388 F DEBUG : #19 pc 0000000000561814 /system/lib64/libart.so (ExecuteMterpImpl+14740)
07-25 11:48:14.758 14388 14388 F DEBUG : #20 pc 00000000001b0bb0 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.SandHook.<clinit>+32)
07-25 11:48:14.758 14388 14388 F DEBUG : #21 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG : #22 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG : #23 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG : #24 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG : #25 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG : #26 pc 000000000012c00c /system/lib64/libart.so (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2196)
07-25 11:48:14.758 14388 14388 F DEBUG : #27 pc 0000000000117470 /system/lib64/libart.so (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+192)
07-25 11:48:14.758 14388 14388 F DEBUG : #28 pc 0000000000284040 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+496)
07-25 11:48:14.758 14388 14388 F DEBUG : #29 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG : #30 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG : #31 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG : #32 pc 00000000001b59bc /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.xposedcompat.hookstub.HookStubManager.<clinit>)
07-25 11:48:14.758 14388 14388 F DEBUG : #33 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG : #34 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG : #35 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG : #36 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG : #37 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG : #38 pc 000000000012c00c /system/lib64/libart.so (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2196)
07-25 11:48:14.758 14388 14388 F DEBUG : #39 pc 0000000000117470 /system/lib64/libart.so (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+192)
07-25 11:48:14.758 14388 14388 F DEBUG : #40 pc 0000000000284040 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+496)
07-25 11:48:14.758 14388 14388 F DEBUG : #41 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG : #42 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG : #43 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG : #44 pc 00000000001bf1f0 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.xposedcompat.methodgen.DynamicBridge.hookMethod+204)
07-25 11:48:14.758 14388 14388 F DEBUG : #45 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG : #46 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG : #47 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG : #48 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG : #49 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG : #50 pc 0000000000283fa8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.758 14388 14388 F DEBUG : #51 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG : #52 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG : #53 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG : #54 pc 00000000001c3972 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedBridge.hookMethodNative+10)
07-25 11:48:14.758 14388 14388 F DEBUG : #55 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #56 pc 000000000025d7a8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG : #57 pc 000000000027df94 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG : #58 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG : #59 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG : #60 pc 00000000001c36aa /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedBridge.hookMethod+298)
07-25 11:48:14.759 14388 14388 F DEBUG : #61 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #62 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG : #63 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG : #64 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG : #65 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG : #66 pc 0000000000283fa8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.759 14388 14388 F DEBUG : #67 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.759 14388 14388 F DEBUG : #68 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG : #69 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG : #70 pc 00000000001c3f02 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedHelpers.findAndHookMethod+62)
07-25 11:48:14.759 14388 14388 F DEBUG : #71 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #72 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG : #73 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG : #74 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG : #75 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG : #76 pc 0000000000283fa8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.759 14388 14388 F DEBUG : #77 pc 000000000027dfb0 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.759 14388 14388 F DEBUG : #78 pc 000000000053ff9c /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG : #79 pc 0000000000561794 /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG : #80 pc 00000000001afc90 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.javahooker.HookHelper.doHook+316)
07-25 11:48:14.759 14388 14388 F DEBUG : #81 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #82 pc 000000000025d7a8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG : #83 pc 000000000027df94 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG : #84 pc 0000000000541adc /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG : #85 pc 0000000000565394 /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG : #86 pc 00000000001af830 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.javahooker.AndroidSysClassHK.main+20)
07-25 11:48:14.759 14388 14388 F DEBUG : #87 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #88 pc 000000000025d7a8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG : #89 pc 000000000027df94 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG : #90 pc 0000000000541adc /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG : #91 pc 0000000000565394 /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG : #92 pc 00000000001ad132 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.MainActivity.working+26)
07-25 11:48:14.759 14388 14388 F DEBUG : #93 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #94 pc 000000000025d7a8 /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG : #95 pc 000000000027df94 /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG : #96 pc 0000000000541adc /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG : #97 pc 0000000000565394 /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG : #98 pc 00000000001ad082 /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.MainActivity.onCreate+126)
07-25 11:48:14.759 14388 14388 F DEBUG : #99 pc 0000000000257cb4 /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG : #100 pc 000000000052aa88 /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG : #101 pc 00000000005780fc /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG : #102 pc 0000000000b66c48 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.Activity.performCreate+232)
07-25 11:48:14.759 14388 14388 F DEBUG : #103 pc 0000000000818b60 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.Instrumentation.callActivityOnCreate+240)
07-25 11:48:14.759 14388 14388 F DEBUG : #104 pc 000000000094726c /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.performLaunchActivity+2428)
07-25 11:48:14.759 14388 14388 F DEBUG : #105 pc 000000000094e0f4 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.handleLaunchActivity+1364)
07-25 11:48:14.759 14388 14388 F DEBUG : #106 pc 0000000000b71834 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.LaunchActivityItem.execute+372)
07-25 11:48:14.759 14388 14388 F DEBUG : #107 pc 000000000083c9e4 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.TransactionExecutor.executeCallbacks+708)
07-25 11:48:14.759 14388 14388 F DEBUG : #108 pc 000000000083c6a8 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.TransactionExecutor.execute+280)
07-25 11:48:14.759 14388 14388 F DEBUG : #109 pc 0000000000934bd0 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread$H.handleMessage+1536)
07-25 11:48:14.759 14388 14388 F DEBUG : #110 pc 0000000000baf614 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.os.Handler.dispatchMessage+180)
07-25 11:48:14.759 14388 14388 F DEBUG : #111 pc 0000000000bb2a80 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.os.Looper.loop+1472)
07-25 11:48:14.759 14388 14388 F DEBUG : #112 pc 0000000000945b54 /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.main+1236)
07-25 11:48:14.759 14388 14388 F DEBUG : #113 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG : #114 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG : #115 pc 0000000000472fd4 /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
07-25 11:48:14.759 14388 14388 F DEBUG : #116 pc 0000000000474a28 /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
07-25 11:48:14.759 14388 14388 F DEBUG : #117 pc 00000000004043ac /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
07-25 11:48:14.759 14388 14388 F DEBUG : #118 pc 00000000001456d4 /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
07-25 11:48:14.759 14388 14388 F DEBUG : #119 pc 0000000000edc9a8 /system/framework/arm64/boot-framework.oat (offset 0x415000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+136)
07-25 11:48:14.759 14388 14388 F DEBUG : #120 pc 0000000000ee39cc /system/framework/arm64/boot-framework.oat (offset 0x415000) (com.android.internal.os.ZygoteInit.main+2540)
07-25 11:48:14.759 14388 14388 F DEBUG : #121 pc 000000000056f24c /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG : #122 pc 00000000000d4224 /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG : #123 pc 0000000000472fd4 /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
07-25 11:48:14.759 14388 14388 F DEBUG : #124 pc 0000000000472c34 /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
07-25 11:48:14.759 14388 14388 F DEBUG : #125 pc 0000000000367254 /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
07-25 11:48:14.759 14388 14388 F DEBUG : #126 pc 00000000000b9600 /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+120)
07-25 11:48:14.759 14388 14388 F DEBUG : #127 pc 00000000000bc378 /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+780)
07-25 11:48:14.759 14388 14388 F DEBUG : #128 pc 0000000000002368 /system/bin/app_process64 (main+1444)
07-25 11:48:14.759 14388 14388 F DEBUG : #129 pc 00000000000ae78c /system/lib64/libc.so (offset 0x31000) (__libc_init+88)
07-25 11:48:14.840 776 849 E dubaid : [CpuHandler.cpp] findUidEntry# Uid(10719) has not package, maybe it's already uninstalled
07-25 11:48:14.840 776 849 E dubaid : [CpuHandler.cpp] setUidCpuTime# Failed to find uid entry
07-25 11:48:14.841 776 849 E dubaid : [CpuHandler.cpp] findUidEntry# Uid(10718) has not package, maybe it's already uninstalled
07-25 11:48:14.841 776 849 E dubaid : [CpuHandler.cpp] setUidCpuTime# Failed to find uid entry
07-25 11:48:14.863 840 840 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_06
07-25 11:48:14.864 1253 1354 I BootReceiver: Copying /data/tombstones/tombstone_06 to DropBox (SYSTEM_TOMBSTONE)
07-25 11:48:14.865 1253 14391 W ActivityManager: finishTopCrashedActivityLocked Force finishing activity com.example.prop/.MainActivity
07-25 11:48:14.865 1253 14391 V ActivityManager: positionChild stackId=0 to top.
hook代码:
/* Receives the original entry point: hook___system_property_get() passes the
 * address of this pointer to ZzReplace() as its third argument. */
int (*orig__system_property_get)(const char *name, char *value);

/*
 * Replacement for __system_property_get: forwards the call through
 * orig__system_property_get, then logs the property name, the value buffer
 * and the return code before handing that return code back to the caller.
 *
 * NOTE(review): every property the process reads is written to the log at
 * error level, and property values can carry device identifiers; keep this
 * kind of tracing to debug builds.
 * NOTE(review): if LOGE itself ends up reading a system property on this
 * platform, the hook would re-enter itself without bound; confirm before
 * relying on it.
 */
int fake__system_property_get(const char *name, char *value) {
    int rc = orig__system_property_get(name, value);
    LOGE("### fake: __system_property_get(%s, %s) == 0x%x", name, value, rc);
    return rc;
}
/*
 * Installs fake__system_property_get over __system_property_get via
 * ZzReplace(), passing the address of orig__system_property_get as the third
 * argument so the replacement can call through it.
 * NOTE(review): the outcome of ZzReplace() is not inspected here.
 */
void hook___system_property_get() {
    void *target = (void *) __system_property_get;
    void *replacement = (void *) fake__system_property_get;
    ZzReplace(target, replacement, (void **) &orig__system_property_get);
}
例如项目使用了多个so文件,
现在要用hookzz 拦截其libttx.so中的getMd5函数
该如何写代码??
我需要在APP内HOOK一些socket函数,fishhook在物理设备上不能满足需求。
In file included from ././src/platforms/arch-arm/instructions.c:1:
././src/platforms/arch-arm/instructions.h:5:10: fatal error: 'zkit.h' file not found
#include "zkit.h"
^~~~~~~~
1 error generated.
make: *** [obj/local/armeabi/objs/hookzz/./src/platforms/arch-arm/instructions.o] Error 1
I can't find this file in the src folder.
arm7 ipone5 se
仅仅是将libhookzz.dylib动态库打包到 企业版中,未做任何调用,就直接崩溃
非越狱环境
请问一下是不支持arm7么
hook printf例子没有问题,仿照hook printf写的hook socket报错:Fatal signal 7 (SIGBUS), code 1, fault addr 0x17f in tid 12627,报错在执行orig_connect的时候。下面是代码:
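// Receives the original connect() entry point: test_hook_connect() passes the
// address of this pointer to ZzHook() as its third argument.
int (*orig_connect)(int, const struct sockaddr*, socklen_t);

/**
 * Replacement for connect(): logs the destination and the two function
 * pointers, then forwards the call unchanged through orig_connect.
 *
 * @param sockfd  socket descriptor, passed through untouched
 * @param addr    destination address supplied by the caller
 * @param addrlen size in bytes of the object addr points to
 * @return the value returned by the call through orig_connect
 */
int fake_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
    LOGI("call connect");
    // connect() is also called with AF_INET6 and AF_UNIX addresses; reading
    // those through a sockaddr_in cast logs unrelated bytes and can read past
    // a shorter structure. Only treat addr as IPv4 when family and length agree.
    if (addr && addrlen >= (socklen_t)sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)addr;
        // inet_ntop fills a caller-owned buffer; inet_ntoa returns a shared
        // static buffer, which is racy once several threads call connect().
        char ip[INET_ADDRSTRLEN];
        if (inet_ntop(AF_INET, &in4->sin_addr, ip, sizeof(ip))) {
            LOGI("%s", ip);
        }
    } else if (addr) {
        LOGI("non-IPv4 destination, family %d", (int)addr->sa_family);
    }
    void *connect_ptr = (void *)connect;
    LOGI("connect_ptr:%p", connect_ptr);
    LOGI("orig_connect:%p", orig_connect);
    return orig_connect(sockfd, addr, addrlen);
}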
// Pre-call callback passed to ZzHook() for connect in test_hook_connect();
// it only writes a marker line to the log and leaves its arguments untouched.
void connect_pre_call(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
    (void)rs;
    (void)threadstack;
    (void)callstack;
    LOGI("connect-pre-call");
}
// Post-call callback passed to ZzHook() for connect in test_hook_connect();
// it only writes a marker line to the log and leaves its arguments untouched.
void connect_post_call(RegState *rs, ThreadStack *threadstack, CallStack *callstack) {
    (void)rs;
    (void)threadstack;
    (void)callstack;
    LOGI("connect-post-call");
}
// Marked as a constructor, so it runs when the library is loaded rather than
// when the host calls it: enables HookZz debug mode, registers fake_connect
// and the pre/post callbacks on connect, then logs the value of orig_connect.
// NOTE(review): the outcome of ZzHook() is not checked; orig_connect is
// logged either way.
__attribute__((constructor)) void test_hook_connect() {
    ZzEnableDebugMode();
    void *target = (void *)connect;
    void *replacement = (void *)fake_connect;
    void **original_out = (void **)&orig_connect;
    ZzHook(target, replacement, original_out, connect_pre_call, connect_post_call, FALSE);
    LOGI("test_hook_connect:%p", orig_connect);
}
如题,readme看不懂里边的步骤,我现在有一个Xcode工程,想用hookzz来打印函数的调用,如何集成呢?
例如我想hook进程com.jingdong.app.mall中的libtt.so模块中的getmd5函数,该如何配置呢??
RT.
1 11:15:44.811 160-160/? I/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-21 11:15:44.811 160-160/? I/DEBUG: Build fingerprint: 'vivo/PD1709/PD1709:4.4.2/NMF26X/381180523:user/release-keys'
01-21 11:15:44.811 160-160/? I/DEBUG: Revision: '0'
01-21 11:15:44.811 160-160/? I/DEBUG: pid: 7975, tid: 7975, name: qssq666.ndkhook >>> cn.qssq666.ndkhook <<<
01-21 11:15:44.811 160-160/? I/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 7d94be40
01-21 11:15:44.831 160-160/? I/DEBUG: eax 7d94c4b4 ebx 7d94c9a0 ecx 7d94c964 edx 7d94c4ec
01-21 11:15:44.831 160-160/? I/DEBUG: esi 00031720 edi 00000208
01-21 11:15:44.831 160-160/? I/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
01-21 11:15:44.831 160-160/? I/DEBUG: eip 18084f30 ebp 1a012000 esp 7d94be10 flags 00210206
01-21 11:15:44.831 160-160/? I/DEBUG: backtrace:
01-21 11:15:44.831 160-160/? I/DEBUG: #00 pc 00054f30 <unknown>
01-21 11:15:44.831 160-160/? I/DEBUG: memory map around fault addr 7d94be40:
01-21 11:15:44.831 160-160/? I/DEBUG: 7d948000-7d94b000 rw-
01-21 11:15:44.831 160-160/? I/DEBUG: 7d94b000-7d94c000 --- [stack:7975]
01-21 11:15:44.831 160-160/? I/DEBUG: 7d94c000-7dd4b000 rw-
Can this framework be used to solve this problem ?
Is it possible to access any VR Android app's GPU context i.e. what images/graphics the other VR app is rendering on screen from our custom app. I want to get the images rendered by other VR app and apply custom distortion. If yes, how can it be achieved?
My idea was to hook a service into the buffer stream, i.e. read whatever is going to be displayed on screen, apply custom distortion/filter and display it back. Will SwapChain from gvr-android-sdk work in this scenario? Reading the GPU buffer from an Android service and displaying it back. (For now we don't worry about the DRM protection etc.; later we'll be asking for permissions.)
https://stackoverflow.com/questions/50920427/android-access-vr-apps-gpu-context
崩溃堆栈如下:
2019-07-10 17:34:48.682 20622-20622/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 20622 (om.example.prop)
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: Build fingerprint: 'HUAWEI/MHA-AL00/HWMHA:8.0.0/HUAWEIMHA-AL00/323daily(C00):user/release-keys'
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: Revision: '0'
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: ABI: 'arm'
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: pid: 20622, tid: 20622, name: om.example.prop >>> com.example.prop <<<
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: Cause: null pointer dereference
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: r0 ecd6ed20 r1 ecd19bd0 r2 ff7f9240 r3 00000000
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: r4 eeca91c8 r5 ecd6ed20 r6 00000008 r7 ff7f9250
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: r8 00000002 r9 4606461c sl eec62d30 fp ff7f928c
2019-07-10 17:34:48.712 20646-20646/? A/DEBUG: ip eeca2d60 sp ff7f9240 lr ccb1f747 pc ccb201bc cpsr 200d0030
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: backtrace:
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #00 pc 0000d1bc /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libhookzz.so (_ZN22LiteCollectionIterator13getNextObjectEv+19)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #01 pc 0000c745 /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libhookzz.so (_Z23gen_thumb_relocate_codePvPijj+276)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #02 pc 0000ccdf /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libhookzz.so (_ZN16InterceptRouting7PrepareEv+62)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #03 pc 0000ce51 /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libhookzz.so (_ZN28FunctionInlineReplaceRouting8DispatchEv+12)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #04 pc 0000cec9 /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libhookzz.so (ZzReplace+100)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #05 pc 000022f1 /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/lib/arm/libnative-lib.so (Java_com_example_prop_MainActivity_stringFromJNI+48)
2019-07-10 17:34:48.713 20646-20646/? A/DEBUG: #06 pc 0005eff3 /data/app/com.example.prop-DXtwn0768217AYyePMp1rw==/oat/arm/base.odex (offset 0x1c000)
2019-07-10 17:34:48.726 1117-1257/system_process E/AwareLog: RMS.AwareIntelligentRecg: delete com.example.prop from iAware.db
HOOK代码:
/* Receives the original fread entry point: hook_fread() passes the address of
 * this pointer to ZzReplace() as its third argument. */
size_t (*origin_fread)(void * ptr, size_t size, size_t nitems, FILE * stream);

/*
 * Replacement for fread: forwards all four arguments through origin_fread and
 * returns its result unchanged. Any inspection of the read belongs before the
 * forwarded call.
 */
size_t (fake_fread)(void * ptr, size_t size, size_t nitems, FILE * stream) {
    /* Placeholder: custom handling goes here. */
    size_t items_read = origin_fread(ptr, size, nitems, stream);
    return items_read;
}
/*
 * Installs fake_fread over fread via ZzReplace(), passing the address of
 * origin_fread as the third argument; fake_fread calls through that pointer.
 * NOTE(review): the outcome of ZzReplace() is not inspected here.
 */
void hook_fread() {
    void *target = (void *)fread;
    void *replacement = (void *)fake_fread;
    ZzReplace(target, replacement, (void **)&origin_fread);
}
I can build it on Ubuntu 18.04, but I can't use it!
While debugging I found that ZzReplace fails.
The failing path is ZzReplace -> route->Dispatch() -> Prepare() -> GenRelocateCode.
I also debugged on Ubuntu 14.0, and there it runs. The Linux version is 4.4.
编译基于HookZz的tweak的时候报错:
Undefined symbols for architecture arm64:
"ZzBuildHook(void*, void*, void**, void ()(_RegState, _ThreadStack*, _CallStack*), void ()(_RegState, _ThreadStack*, _CallStack*), bool)"
分享一下解决办法,即给hookzz加上一个C函数声明:
// C linkage guard: when the header is compiled as C++, declarations placed
// between the two guarded halves keep unmangled C symbol names, so the linker
// looks for the plain C symbol rather than a mangled C++ signature like the
// one in the "Undefined symbols" error above.
#ifdef __cplusplus
extern "C" {
#endif //__cplusplus
// hookzz function declarations go here
#ifdef __cplusplus
}
#endif //__cplusplus
Can this library be used on an Android device without root?
➜ HookZz-master make -j4
Scanning dependencies of target hookzz
[ 16%] Building CXX object CMakeFiles/hookzz.dir/srcxx/vm_core/base/page-allocator.cc.o
[ 16%] Building CXX object CMakeFiles/hookzz.dir/srcxx/vm_core/logging.cc.o
[ 16%] Building CXX object CMakeFiles/hookzz.dir/srcxx/intercept_routing_handler.cc.o
[ 16%] Building CXX object CMakeFiles/hookzz.dir/srcxx/vm_core/arch/cpu.cc.o
warning: include path for stdlibc++ headers not found; pass '-std=libc++' on the commandwarning : line to use includethe pathlibc++ forstandard stdlibc++library headersinstead not[-Wstdlibcxx-not-found] found;
pass '-std=libc++' on the command line to use the libc++ standard library instead [-Wstdlibcxx-not-found]
warning: include path for stdlibc++ headers not found; pass '-std=libc++' on the command line to use the libc++ standard library instead [-Wstdlibcxx-not-found]
warning: include path for stdlibc++ headers not found; pass '-std=libc++' on the command line to use the libc++ standard library instead [-Wstdlibcxx-not-found]
In file included from /Users/youssef/Downloads/HookZz-master/srcxx/vm_core/logging.cc:1:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/logging.h:4:
/Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/platform/platform.h:4:10: fatal error: 'cstdarg' file not found
#include <cstdarg>
^~~~~~~~~
In file included from /Users/youssef/Downloads/HookZz-master/srcxx/intercept_routing_handler.cc:1:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/intercept_routing_handler.h:4:
/Users/youssef/Downloads/HookZz-master/./srcxx/AssemblyClosureTrampoline.h:4:10: fatal error: 'iostream' file not found
#include <iostream>
^~~~~~~~~~
1 warning generated.
[ 20%] Building CXX object CMakeFiles/hookzz.dir/srcxx/vm_core/objects/code.cc.o
In file included from /Users/youssef/Downloads/HookZz-master/srcxx/vm_core/arch/cpu.cc:2:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/arch/cpu.h:4:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/globals.h:4:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/macros.h:7:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/logging.h:4:
/Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/platform/platform.h:4:10: fatal error: 'cstdarg' file not found
#include <cstdarg>
^~~~~~~~~
1 warning and 1 error generated.
warning: include path for stdlibc++ headers not found; pass '-std=libc++' on the command line to use the libc++ standard library instead [-Wstdlibcxx-not-found]
make[2]: *** [CMakeFiles/hookzz.dir/srcxx/vm_core/logging.cc.o] Error 1
make[2]: *** Waiting for unfinished jobs....
1 warning and 1 error generated.
1 warning and 1 error generated.
make[2]: *** [CMakeFiles/hookzz.dir/srcxx/vm_core/arch/cpu.cc.o] Error 1
make[2]: *** [CMakeFiles/hookzz.dir/srcxx/intercept_routing_handler.cc.o] Error 1
In file included from /Users/youssef/Downloads/HookZz-master/srcxx/vm_core/objects/code.cc:1:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/objects/code.h:4:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/globals.h:4:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/macros.h:7:
In file included from /Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/logging.h:4:
/Users/youssef/Downloads/HookZz-master/./srcxx/vm_core/platform/platform.h:4:10: fatal error: 'cstdarg' file not found
#include <cstdarg>
^~~~~~~~~
1 warning and 1 error generated.
make[2]: *** [CMakeFiles/hookzz.dir/srcxx/vm_core/objects/code.cc.o] Error 1
make[1]: *** [CMakeFiles/hookzz.dir/all] Error 2
make: *** [all] Error 2
cmake ..
-DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake
-DIOS_PLATFORM=OS
-DENABLE_VISIBILITY=ON
-DIOS_ARCH=armv7
-DENABLE_ARC=TRUE
-DENABLE_BITCODE=OFF
-DCXX=OFF
-DX_ARCH=armv7
-DX_PLATFORM=iOS
-DX_SHARED=ON
-DX_LOG=ON
-DCMAKE_VERBOSE_MAKEFILE=OFF
make
我这样编译会有一个异常:
/Users/aabbc/github/HookZz/src/thread_support/thread_local_storage.c:4:1: error: thread-local storage is not supported for the current target
Hello, I want to use HookZz on an app that is located inside of the virtual space of a host app that use VirtualApp by asLody. The main library I want to hook is located in /data/data/{Package Name}/virtual/data/app/{Package Name in Virtual Space}/lib/lib.so and not in /data/data/{Package Name}/lib/lib.so
How would I hook and possibly use ZzHookReplace when lib I want to hook is located in a different directory? Does HookZz have an option to declare the lib location to hook?
Example of custom declaration of lib -> ZzHookLib(const char * filename, const char * mode FILE * stream );
Example of usage -> ZzHookLib("/data/data/com.example.example/lib/libgame.so", "w", stdout);
Example of usage with VirtualApp ->
ZzHookLib("/data/data/com.example.example/virtual/data/app/com.installed.example/lib/libgame.so", "w", stdout);
Or maybe you can use ZzHookReplace and add a parameter for the lib?
ZzHookReplace("/data/data/com.example.example/virtual/data/app/com.installed.example/lib/libgame.so", (void *) stuff_addr, (void *) fake_stuff, (void **) &orig_suff);
This is mostly just ideas I am hoping you can maybe implement.
Showing All Messages
CreateBuildDirectory /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex (in target: hooklib)
cd /Users/debug/Desktop/hooklib
builtin-create-build-directory /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex
CreateBuildDirectory /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products (in target: hooklib)
cd /Users/debug/Desktop/hooklib
builtin-create-build-directory /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-project-headers.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-project-headers.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-own-target-headers.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-own-target-headers.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-generated-files.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-generated-files.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-all-target-headers.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-all-target-headers.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-all-non-framework-target-headers.hmap (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-all-non-framework-target-headers.hmap
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/all-product-headers.yaml (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/all-product-headers.yaml
CompileC /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.o /Users/debug/Desktop/hooklib/hooklib.cpp normal x86_64 c++ com.apple.compilers.llvm.clang.1_0.compiler (in target: hooklib)
cd /Users/debug/Desktop/hooklib
export LANG=en_US.US-ASCII
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -x c++ -arch x86_64 -fmessage-length=0 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -std=c++11 -stdlib=libc++ -fmodules -gmodules -fmodules-cache-path=/Users/debug/Library/Developer/Xcode/DerivedData/ModuleCache.noindex -fmodules-prune-interval=86400 -fmodules-prune-after=345600 -fbuild-session-file=/Users/debug/Library/Developer/Xcode/DerivedData/ModuleCache.noindex/Session.modulevalidation -fmodules-validate-once-per-build-session -Wnon-modular-include-in-framework-module -Werror=non-modular-include-in-framework-module -Wno-trigraphs -fpascal-strings -O0 -fno-common -Wno-missing-field-initializers -Wno-missing-prototypes -Werror=return-type -Wdocumentation -Wunreachable-code -Werror=deprecated-objc-isa-usage -Werror=objc-root-class -Wno-non-virtual-dtor -Wno-overloaded-virtual -Wno-exit-time-destructors -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wuninitialized -Wconditional-uninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wno-float-conversion -Wnon-literal-null-conversion -Wobjc-literal-conversion -Wshorten-64-to-32 -Wno-newline-eof -Wno-c++11-extensions -DDEBUG=1 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -Winvalid-offsetof -mmacosx-version-min=10.14 -g -fvisibility-inlines-hidden -Wno-sign-conversion -Winfinite-recursion -Wmove -Wcomma -Wblock-capture-autoreleasing -Wstrict-prototypes -Wrange-loop-analysis -Wno-semicolon-before-method-body -Wunguarded-availability -index-store-path /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Index/DataStore -iquote 
/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-generated-files.hmap -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-own-target-headers.hmap -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-all-target-headers.hmap -iquote /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/hooklib-project-headers.hmap -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug/include -I/Users/debug/Desktop/hooklib/HookZz-dev/include -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/DerivedSources-normal/x86_64 -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/DerivedSources/x86_64 -I/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/DerivedSources -F/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug -MMD -MT dependencies -MF /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.d --serialize-diagnostics /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.dia -c /Users/debug/Desktop/hooklib/hooklib.cpp -o 
/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.o
WriteAuxiliaryFile /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.LinkFileList (in target: hooklib)
cd /Users/debug/Desktop/hooklib
write-file /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.LinkFileList
Ld /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug/libhooklib.dylib normal x86_64 (in target: hooklib)
cd /Users/debug/Desktop/hooklib
export MACOSX_DEPLOYMENT_TARGET=10.14
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang++ -arch x86_64 -dynamiclib -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk -L/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug -L/Users/debug/Desktop/hooklib/HookZz-dev/BuildScript/temp_build_x86_64 -F/Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug -filelist /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib.LinkFileList -install_name /usr/local/lib/libhooklib.dylib -mmacosx-version-min=10.14 -Xlinker -object_path_lto -Xlinker /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib_lto.o -Xlinker -export_dynamic -Xlinker -no_deduplicate -stdlib=libc++ -lhookzz -compatibility_version 1 -current_version 1 -Xlinker -dependency_info -Xlinker /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Intermediates.noindex/hooklib.build/Debug/hooklib.build/Objects-normal/x86_64/hooklib_dependency_info.dat -o /Users/debug/Library/Developer/Xcode/DerivedData/hooklib-blwpjobrwbjviodanuktayiiexdh/Build/Products/Debug/libhooklib.dylib
Undefined symbols for architecture x86_64:
"_LOGFUNC", referenced from:
_ZzReplace in libhookzz.a(FunctionInlineReplaceExport.cc.o)
InterceptRouting::Prepare() in libhookzz.a(InterceptRouting.cpp.o)
InterceptRouting::Active() in libhookzz.a(InterceptRouting.cpp.o)
zz::x64::Assembler::Assembler(void*) in libhookzz.a(trampoline-x64.cc.o)
GenRelocateCodeTo(void*, int*, unsigned long long, unsigned long long) in libhookzz.a(X64InstructionRelocation.cc.o)
zz::x64::Assembler::Assembler(void*) in libhookzz.a(X64InstructionRelocation.cc.o)
zz::AssemblyCode::FinalizeFromTurboAssember(zz::AssemblerBase*) in libhookzz.a(AssemblyCode.cc.o)
...
"_memcpy(void*, void const*, int)", referenced from:
InterceptRouting::Prepare() in libhookzz.a(InterceptRouting.cpp.o)
CodeBufferBase::EmitBuffer(void*, int) in libhookzz.a(CodeBufferBase.cc.o)
"_memset(void*, int, int)", referenced from:
GenRelocateCodeTo(void*, int*, unsigned long long, unsigned long long) in libhookzz.a(X64InstructionRelocation.cc.o)
"LiteObject::free()", referenced from:
vtable for LiteCollection in libhookzz.a(Interceptor.cpp.o)
vtable for CodeBuffer in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBuffer in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(AssemblyCode.cc.o)
...
"LiteObject::init()", referenced from:
vtable for LiteCollection in libhookzz.a(Interceptor.cpp.o)
vtable for CodeBuffer in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBuffer in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(AssemblyCode.cc.o)
...
"LiteObject::release()", referenced from:
vtable for LiteCollection in libhookzz.a(Interceptor.cpp.o)
vtable for CodeBuffer in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBuffer in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for zz::AssemblyCode in libhookzz.a(AssemblyCode.cc.o)
...
"LiteMutableBuffer::ensureCapacity(int)", referenced from:
vtable for CodeBuffer in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBuffer in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
"LiteMutableBuffer::initWithCapacity(int)", referenced from:
vtable for CodeBuffer in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
vtable for CodeBuffer in libhookzz.a(X64InstructionRelocation.cc.o)
vtable for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
"LiteCollectionIterator::withCollection(LiteCollection const*)", referenced from:
Interceptor::FindHookEntry(void*) in libhookzz.a(Interceptor.cpp.o)
ExecutableMemoryArena::AllocateCodeChunk(int) in libhookzz.a(ExecutableMemoryArena.cc.o)
"typeinfo for LiteObject", referenced from:
typeinfo for LiteCollection in libhookzz.a(Interceptor.cpp.o)
typeinfo for zz::AssemblyCode in libhookzz.a(X64InstructionRelocation.cc.o)
typeinfo for zz::AssemblyCode in libhookzz.a(AssemblyCode.cc.o)
typeinfo for LiteCollection in libhookzz.a(ExecutableMemoryArena.cc.o)
"typeinfo for LiteMutableBuffer", referenced from:
typeinfo for CodeBufferBase in libhookzz.a(trampoline-x64.cc.o)
typeinfo for CodeBufferBase in libhookzz.a(X64InstructionRelocation.cc.o)
"vtable for LiteObject", referenced from:
LiteObject::LiteObject() in libhookzz.a(Interceptor.cpp.o)
LiteObject::LiteObject() in libhookzz.a(trampoline-x64.cc.o)
LiteObject::LiteObject() in libhookzz.a(X64InstructionRelocation.cc.o)
LiteObject::LiteObject() in libhookzz.a(AssemblyCode.cc.o)
LiteObject::LiteObject() in libhookzz.a(ExecutableMemoryArena.cc.o)
NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
"vtable for LiteMutableArray", referenced from:
LiteMutableArray::LiteMutableArray(int) in libhookzz.a(Interceptor.cpp.o)
LiteMutableArray::LiteMutableArray() in libhookzz.a(ExecutableMemoryArena.cc.o)
LiteMutableArray::LiteMutableArray(int) in libhookzz.a(ExecutableMemoryArena.cc.o)
NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
"vtable for LiteMutableBuffer", referenced from:
LiteMutableBuffer::LiteMutableBuffer(int) in libhookzz.a(trampoline-x64.cc.o)
LiteMutableBuffer::LiteMutableBuffer(int) in libhookzz.a(X64InstructionRelocation.cc.o)
NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Activity Log Complete 2019/6/20, 1:23 AM 0.1 seconds
something like
void log(const char *text);
void hooked();
typedef void(*hooked_t)(void);
hooked_t origin1;
/*
 * Replacement routine for the first hook: writes a marker line to the log and
 * then forwards to the function pointer that ZzHookReplace is given as origin1.
 */
void replacement1()
{
    log("hook 1 works");
    (*origin1)();
}
hooked_t origin2;
/*
 * Replacement routine for the second hook: writes a marker line to the log and
 * then forwards to the function pointer that ZzHookReplace is given as origin2.
 */
void replacement2()
{
    log("hook 2 works");
    (*origin2)();
}
/* Install replacement2 on hooked() first, then replacement1 on the same target. */
ZzHookReplace(&hooked, &replacement2, &origin2);
ZzHookReplace(&hooked, &replacement1, &origin1);

/* Call the twice-hooked function; the comment that follows lists the log output the reporter expects. */
hooked();
/*
* log now contains:
* hook 1 works
* hook 2 works
*/
大佬,支持以下这种吗?
hook address(a piece of code) with pre_call and half_call
在win环境下编译是没问题的
在ubuntu环境下 android.mk中使用wildcard从而导致路径指向错误 这个小CASE就不劳大神了
但在编译interceptor-template-arm64.S时 大量报错
development/libmy/src/platforms/backend-arm64/interceptor-template-arm64.S:26:2: error: invalid instruction
stp q6, q7, [sp, #(6*16)]
^
development/libmy/src/platforms/backend-arm64/interceptor-template-arm64.S:27:2: error: invalid instruction
stp q4, q5, [sp, #(4*16)]
^
development/libmy/src/platforms/backend-arm64/interceptor-template-arm64.S:28:2: error: invalid instruction
stp q2, q3, [sp, #(2*16)]
^
..................................
以下省略
请问该如何解决呢?
我是准备放在安卓7.1.2源码环境下编译的 不知道有没有影响
如题,makefile 引入代码
xxxx_LDFLAGS += -lhookzz
编译之后,tweak 失效了,
把这一行注释重新编译,tweak 就正常工作,请问是哪里出了问题?
How can I detach all hooks, or a single hook? Frida has a dedicated method for this: "Interceptor.detachAll();".
https://jmpews.github.io/zzpp/getting-started/ 第三步的run script中有一行是:
/Users/jmpews/Desktop/SpiderZz/Pwntools/Darwin/bin/optool install -c load -p "@executable_path/test_hook_oc.dylib" -t ${EXECUTABLE_NAME}
这个SpiderZz/Pwntools/Darwin/bin/optool 似乎并没有说明从哪里来的,求详
怎么在WINDOWS编译ANDROID版源码?
如,librtmp.a里的函数;比起fishhook不能hook静态库函数和同一个模块内直接绑定的symbol,这个可以做到吗? 还是把printf的例子拷过来,怎么直接崩溃了? 提示找不到image, libhookzz.dylib
/code/ios/HookZz/src/platforms/arch-arm64/arch-arm64.c:5:44: error: no member named 'general' in 'struct _RegState'
void *next_hop_addr_PTR = (void *)&rs->general.regs.x15;
~~ ^
/code/ios/HookZz/src/platforms/arch-arm64/arch-arm64.c:10:39: error: no member named 'lr' in 'struct _RegState'
void *ret_addr_PTR = (void *)&rs->lr;
commit: ac9b68a
使用capstone的版本没有问题,测试代码:
/*
 * Pre-call handler: announces that it was entered, then prints the x1 register
 * from the saved register state as a C string under the label "arg2".
 */
void precall(RegState *rs, ThreadStack *threadstack, CallStack *callstack)
{
    const char *second_arg = (char *)rs->general.regs.x1;

    printf("enter precall\n");
    /* Assumes x1 holds a valid NUL-terminated string pointer when the hook fires. */
    printf("arg2:%s\n", second_arg);
}
/* Post-call handler: does nothing; none of its arguments are read. */
void postcall(RegState *rs, ThreadStack *threadstack, CallStack *callstack)
{
    (void)rs;
    (void)threadstack;
    (void)callstack;
}
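/*
 * Hook target for the test: prints both string arguments on one line.
 *
 * a1, a2: strings to print; either may be NULL.
 */
void test_func(char* a1, char* a2) {
    /*
     * Passing NULL for a %s conversion is undefined behavior, and main() in
     * this snippet calls test_func(NULL, "123"). Print a placeholder instead.
     */
    const char *first = a1 ? a1 : "(null)";
    const char *second = a2 ? a2 : "(null)";

    printf("function is called %s %s\n", first, second);
}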
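/*
 * Test driver: builds and enables a hook on test_func with the precall and
 * postcall handlers, then calls the hooked function once.
 */
int main(int argc, char **argv, char **envp) {
    (void)argc;
    (void)argv;
    (void)envp;

    /*
     * The two NULL arguments are presumably the replacement and saved-original
     * slots (by analogy with the ZzHook call elsewhere on this page) - confirm
     * against the HookZz header in use.
     */
    ZzBuildHook((void *)test_func, NULL, NULL, precall, postcall);
    ZzEnableHook((void *)test_func);

    test_func(NULL, "123");

    /* main returns int; a bare `return;` is a constraint violation in C99 and later. */
    return 0;
}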
https://stackoverflow.com/questions/49875987/hookzz-libart-so-not-working
大佬,为什么不能hook libart.so中的函数啊,printf的这些可以 Android7.0 ,import export都不行
但是如果是自定义的so中的函数可以hook
代码:
/* Pre-call handler: does nothing; none of its arguments are read. */
void precall(RegState *rs, ThreadStack *threadstack, CallStack *callstack)
{
    (void)rs;
    (void)threadstack;
    (void)callstack;
}
/* Post-call handler: does nothing; none of its arguments are read. */
void postcall(RegState *rs, ThreadStack *threadstack, CallStack *callstack)
{
    (void)rs;
    (void)threadstack;
    (void)callstack;
}
ssize_t (*orig_send)(int, const void *, size_t, int);
/*
 * Replacement for send(): logs that it was reached, then passes the call
 * through to orig_send with the arguments unchanged and returns its result.
 */
ssize_t fake_send (int __fd, const void *__buf, size_t __n, int __flags)
{
    LOGI("called send");
    /* orig_send is the pointer handed to ZzHook in hook_socket(); presumably non-NULL once the hook is live - verify. */
    return orig_send(__fd, __buf, __n, __flags);
}
/*
 * Constructor routine (runs at load time via the constructor attribute):
 * calls ZzEnableDebugMode() and then hooks send() with fake_send, storing the
 * original entry in orig_send and registering the precall/postcall handlers.
 */
__attribute__((constructor)) void hook_socket()
{
    void *target = (void *)send;
    void *replacement = (void *)fake_send;
    void **saved_original = (void **)&orig_send;

    ZzEnableDebugMode();
    /* The meaning of the trailing FALSE flag is not shown on this page. */
    ZzHook(target, replacement, saved_original, precall, postcall, FALSE);
}
编译时报错unknown type name 'LOGFUNC'。
平台 Android
NDK Version: ndkr16b
使用cmake正常编译出32bit静态库libhookzz.a。但链接静态库时,编译器显示错误。
\HookZz-dev\srcxx\InterceptRoutingPlugin\FunctionInlineReplace/FunctionInlineReplaceExport.cc:0: error: undefined reference to 'LOGFUNC'
\HookZz-dev\.\OneLib\stdcxx\stdcxx/LiteMutableArray.h:20: error: undefined reference to 'LiteMutableArray::initWithCapacity(unsigned int)'
\HookZz-dev\srcxx/Interceptor.cpp:0: error: undefined reference to 'vtable for LiteMutableArray'
arm-linux-androideabi/bin\ld: the vtable symbol may be undefined because the class is missing its key function
\HookZz-dev\srcxx/Interceptor.cpp:20: error: undefined reference to 'LiteCollectionIterator::withCollection(LiteCollection const*)'
\HookZz-dev\srcxx\InterceptRouting/InterceptRouting.cpp:31: error: undefined reference to '_memcpy(void*, void const*, int)'
\HookZz-dev\.\OneLib\stdcxx\stdcxx/LiteMutableBuffer.h:26: error: undefined reference to 'LiteMutableBuffer::initWithCapacity(int)'
\HookZz-dev\.\srcxx\core/modules/assembler/assembler-arm.h:0: error: undefined reference to 'vtable for LiteMutableBuffer'
ld: the vtable symbol may be undefined because the class is missing its key function
trampoline-arm.cc:vtable for CodeBuffer: error: undefined reference to 'LiteObject::init()'
trampoline-arm.cc:vtable for CodeBuffer: error: undefined reference to 'LiteObject::free()'
trampoline-arm.cc:vtable for CodeBuffer: error: undefined reference to 'LiteObject::release()'
trampoline-arm.cc:vtable for CodeBuffer: error: undefined reference to 'LiteMutableBuffer::ensureCapacity(int)'
trampoline-arm.cc:vtable for CodeBuffer: error: undefined reference to 'LiteMutableBuffer::initWithCapacity(int)'
trampoline-arm.cc:typeinfo for CodeBufferBase: error: undefined reference to 'typeinfo for LiteMutableBuffer'
\srcxx\core/modules/assembler/assembler-arm.h:0: error: undefined reference to 'LOGFUNC'
libhookzz.a(AssemblyCode.cc.o):AssemblyCode.cc:vtable for zz::AssemblyCode: error: undefined reference to 'LiteObject::init()'
libhookzz.a(AssemblyCode.cc.o):AssemblyCode.cc:vtable for zz::AssemblyCode: error: undefined reference to 'LiteObject::free()'
libhookzz.a(AssemblyCode.cc.o):AssemblyCode.cc:vtable for zz::AssemblyCode: error: undefined reference to 'LiteObject::release()'
libhookzz.a(AssemblyCode.cc.o):AssemblyCode.cc:typeinfo for zz::AssemblyCode: error: undefined reference to 'typeinfo for LiteObject'
.\OneLib\stdcxx\stdcxx/LiteMutableArray.h:16: error: undefined reference to 'LiteMutableArray::initWithCapacity(unsigned int)'
srcxx\ExecMemory/ExecutableMemoryArena.cc:26: error: undefined reference to 'LiteCollectionIterator::withCollection(LiteCollection const*)'
.\OneLib\stdcxx\stdcxx/LiteMutableArray.h:20: error: undefined reference to 'LiteMutableArray::initWithCapacity(unsigned int)'
srcxx\ExecMemory/ExecutableMemoryArena.cc:0: error: undefined reference to 'vtable for LiteMutableArray'
arm-linux-androideabi/bin\ld: the vtable symbol may be undefined because the class is missing its key function
srcxx\ExecMemory/ExecutableMemoryArena.cc:0: error: undefined reference to 'LOGFUNC'
srcxx\ExecMemory/ExecutableMemoryArena.cc:0: error: undefined reference to 'vtable for LiteMutableArray'
arm-linux-androideabi/bin\ld: the vtable symbol may be undefined because the class is missing its key function
\HookZz-dev\srcxx\ExecMemory\CodeBuffer/CodeBufferBase.cc:40: error: undefined reference to '_memcpy(void*, void const*, int)'
\HookZz-dev\srcxx\InstructionRelocation\arm/ARMInstructionRelocation.cc:0: error: undefined reference to 'LOGFUNC'
\HookZz-dev\srcxx\InstructionRelocation\arm/ARMInstructionRelocation.cc:529: error: undefined reference to 'LiteCollectionIterator::withCollection(LiteCollection const*)'
\HookZz-dev\srcxx\InstructionRelocation\arm/ARMInstructionRelocation.cc:597: error: undefined reference to 'LiteCollectionIterator::withCollection(LiteCollection const*)'
clang++.exe: error: linker command failed with exit code 1 (use -v to see invocation)
#define xASM(x) asm(x)这个编译不过 去掉c11就好了