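Android entry function: so injection cannot read the address of the entry function

Previously, when doing so injection, I was able to get the address of the entry function; the code I used is by Qever. Later, when I tested the code, the following problem appeared: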

root@android:/data/local/tmp # ll
-rwxrwxrwx root     root       506668 2016-03-18 03:01 aapt
-rwxrwxrwx root     root        13716 2016-03-18 03:01 box
-rwxrwxrwx root     root        13572 2017-02-15 05:37 inject
-rwxrwxrwx root     root        13452 2017-02-15 05:37 libqever.so
-rwxrwxrwx root     root         8708 2016-03-18 03:01 mtools
root@android:/data/local/tmp # chmod 777 inject
root@android:/data/local/tmp # ./inject
Usage:
    ./inject [lib] [entry] [target]
        lib        the lib(*.so) to be injected
                default is "/data/local/tmp/libqever.so"
        entry    the entry of lib
                default is "entry"
        target    the target process to be injected, pid or name
                default is "com.crackme"
root@android:/data/local/tmp # ./inject  com.crackme
[E]Can't find the process com.crackme
255|root@android:/data/local/tmp # ./inject  com.crackme
library path = com.crackme

The above is launching the injection module. Before launching it, I first started the apk and then ran ./inject, but I got the following output:

130|root@android:/ # logcat  |grep "INJECT"
D/INJECT  (  940): [+] Injecting process: 922
D/INJECT  (  940): [+] get_remote_addr: local[40020000], remote[40020000]
D/INJECT  (  940): [+] Remote mmap address: 4003bf43
D/INJECT  (  940): [+] Calling mmap in target process.
D/INJECT  (  940): [+] Target process returned from mmap, return value=5230c000, pc=0
D/INJECT  (  940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT  (  940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT  (  940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT  (  940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT  (  940): [+] Get imports: dlopen: 400050ad, dlsym: 40005019, dlclose: 40004f59, dlerror: 40004f49
D/INJECT  (  940): [+] Calling dlopen in target process.
D/INJECT  (  940): [+] Target process returned from dlopen, return value=0, pc=0
D/INJECT  (  940): [+] Calling dlsym in target process.
D/INJECT  (  940): [+] Target process returned from dlsym, return value=0, pc=0
D/INJECT  (  940): hook_entry_addr = 0x0
D/INJECT  (  940): [+] Calling hook_entry in target process.
D/INJECT  (  940): [+] Target process returned from hook_entry, return value=5230c200, pc=0
D/INJECT  (  940): [+] Calling dlclose in target process.
D/INJECT  (  940): [+] Target process returned from dlclose, return value=0, pc=0

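Here hook_entry_addr = 0x0, which means that although the injection happened, the corresponding entry function was not obtained. The injection program is as follows: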

#include <stdio.h>      /* printf */
#include <stdlib.h>     /* atoi */
#include <string.h>     /* strlen */
#include <sys/types.h>  /* pid_t */

/* find_pid_of() and inject_remote_process() are defined elsewhere in the
   injector source (not shown in this post). */

#define DEFAULT_LIBS "/data/local/tmp/libqever.so"
#define DEFAULT_ENTRY "entry"   /* name of the entry function in the loaded libqever.so */
#define DEFAULT_TARGET "com.crackme"

void Usage(char * prog)
{
    printf("Usage:\n");
    printf("    %s [lib] [entry] [target]\n", prog);
    printf("        lib        the lib(*.so) to be injected\n");
    printf("                default is \"%s\"\n", DEFAULT_LIBS);
    printf("        entry    the entry of lib\n");
    printf("                default is \"%s\"\n", DEFAULT_ENTRY);
    printf("        target    the target process to be injected, pid or name\n");
    printf("                default is \"%s\"\n", DEFAULT_TARGET);
}

int main(int argc, char** argv) {
    char * libs = DEFAULT_LIBS;
    char * entry = DEFAULT_ENTRY;
    char * target = DEFAULT_TARGET;
    pid_t target_pid = 0;

    /* Arguments are positional: argv[1] = lib, argv[2] = entry, argv[3] = target.
       The cases fall through so that fewer arguments keep the later defaults. */
    switch(argc){
    case 1:
        Usage(argv[0]);
        return 0;
    case 4:
        target_pid = atoi(argv[3]);
        if(target_pid == 0){
            target = argv[3];   /* not a number: treat it as a process name */
        }
        /* fall through */
    case 3:
        entry = argv[2];
        /* fall through */
    case 2:
        libs = argv[1];
    }

    if(target_pid == 0){
        target_pid = find_pid_of(target);
    }
    if (-1 == target_pid) {
        printf("[E]Can't find the process %s\n", target);
        return -1;
    }

    /* This is the main injection call */
    inject_remote_process(target_pid, libs, entry,  "I'm parameter!", strlen("I'm parameter!"));
    return 0;
}

I have tried many times and still cannot get the address of the entry function. I hope someone can give me some pointers, thanks~
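
Added example, not part of the original post and not Qever's code: a small C triage of the "returned from" lines in the logcat output above, reporting the first remote call whose return value is that API's failure value (in this log, dlopen returns 0 before dlsym is called). The function names are hypothetical, the sample lines are copied from the log, and the mmap failure value assumes a 32-bit target.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the "returned from" lines of the logcat output above. */
static const char *SAMPLE_LOG[] = {
    "D/INJECT  (  940): [+] Target process returned from mmap, return value=5230c000, pc=0",
    "D/INJECT  (  940): [+] Target process returned from dlopen, return value=0, pc=0",
    "D/INJECT  (  940): [+] Target process returned from dlsym, return value=0, pc=0",
    "D/INJECT  (  940): [+] Target process returned from hook_entry, return value=5230c200, pc=0",
    "D/INJECT  (  940): [+] Target process returned from dlclose, return value=0, pc=0",
};
enum { SAMPLE_LINES = sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]) };

/* Extract the call name (at most 31 chars) and the hex return value from one line. */
static int parse_return(const char *line, char name[32], unsigned long *ret)
{
    const char *p = strstr(line, "returned from ");
    return p && sscanf(p, "returned from %31[^,], return value=%lx", name, ret) == 2;
}

/* Failure value per API; calls without a documented error value are never flagged. */
static int call_failed(const char *name, unsigned long ret)
{
    if (!strcmp(name, "dlopen") || !strcmp(name, "dlsym")) return ret == 0; /* NULL */
    if (!strcmp(name, "mmap")) return ret == 0xffffffffUL; /* MAP_FAILED, 32-bit (assumed) */
    if (!strcmp(name, "dlclose")) return ret != 0;         /* 0 means success */
    return 0;
}

/* Index of the first failed call in the log (its name is left in `name`), or -1. */
int first_failed_call(const char **log, size_t n, char name[32])
{
    unsigned long ret;
    for (size_t i = 0; i < n; i++)
        if (parse_return(log[i], name, &ret) && call_failed(name, ret))
            return (int)i;
    name[0] = '\0';
    return -1;
}

int main(void)
{
    char name[32];
    int i = first_failed_call(SAMPLE_LOG, SAMPLE_LINES, name);
    if (i >= 0) printf("first failed remote call: %s (sample line %d)\n", name, i);
    return 0;
}
```

Everything logged after the first failed call operates on an invalid handle or address, so the hook_entry_addr = 0x0 line is a consequence of that call rather than a separate fault.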
