一、先搭一个xposed的架子出来,在hook入口中加载自己的动态库
static {
    // Load the native hook library as soon as the module class is initialised.
    // Its JNI_OnLoad (see native-lib.cpp below) is what installs the inline hooks.
    System.loadLibrary("yooha");
}
二、将nativehook目录下cpp目录中的文件全部拷贝到自己工程的cpp目录下
三、在native-lib.cpp中编写hook逻辑(添加自己的hook代码,不要添加在 _init 中,因为sandhook自己也在 _init 中添加了一些函数来完成初始化,而我们的代码必须晚于sandhook执行,所以我们的代码最好添加在 JNI_OnLoad 中)
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ open start +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Signature of libc open(): (path, flags, [mode]).
using OpenFn = int (*)(const char *, int, ...);

// Trampoline handed back by SandInlineHook; new_open forwards to it so the
// original open() is expected to run. Null until starthooklibcopen() runs.
OpenFn old_open = nullptr;

// Address of the open() symbol that gets patched.
OpenFn open_addr = nullptr;
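int new_open(const char *arg0, int arg1, ...) {
    // Replacement installed over libc open(). Logs the requested path and then
    // forwards the call to the original through the trampoline in `old_open`.
    //
    // open() carries its third (mode) argument only when the flags ask for a
    // file to be created. Pulling a va_arg the caller never supplied is
    // undefined behaviour, so the mode is read only in that case.
    bool has_mode = (arg1 & O_CREAT) != 0;
#ifdef O_TMPFILE
    // O_TMPFILE is a multi-bit value; require all of its bits, not any one.
    has_mode = has_mode || (arg1 & O_TMPFILE) == O_TMPFILE;
#endif
    int mode = 0;
    if (has_mode) {
        va_list args;
        va_start(args, arg1);
        mode = va_arg(args, int);
        va_end(args);
    }
    // A null path is still forwarded (libc reports the error itself); guard the
    // log so "%s" never dereferences it.
    LOGI("open path -> %s ", arg0 != nullptr ? arg0 : "(null)");
    return has_mode ? old_open(arg0, arg1, mode) : old_open(arg0, arg1);
}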
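void starthooklibcopen() {
    // Install new_open over libc open() and keep the trampoline so new_open can
    // reach the original. A missing trampoline is logged rather than ignored:
    // with old_open left null, new_open would call a null pointer on the first
    // open() if the hook had nonetheless been installed.
    open_addr = open;
    void *trampoline = SandInlineHook(reinterpret_cast<void *>(open_addr),
                                      reinterpret_cast<void *>(new_open));
    old_open = reinterpret_cast<int (*)(const char *, int, ...)>(trampoline);
    if (old_open == nullptr) {
        // NOTE(review): assumes a null return means the hook was not installed —
        // confirm against InlineHook::Hook's contract.
        LOGE("SandInlineHook(open) returned no trampoline");
    }
}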
//--------------------------------------------------------- open end ---------------------------------------------------------
// Library entry point: runs after SandHook's own _init work, which is why the
// hooks are installed here rather than in _init.
extern "C" jint JNICALL JNI_OnLoad(JavaVM *vm, void *reserved) {
    (void)vm;
    (void)reserved;
    LOGD("go into JNI_OnLoad");
    // Hook libc open(); the second hook is left disabled for now.
    starthooklibcopen();
    //startHookLibnativeSub_1271();
    const jint requested = JNI_VERSION_1_6;
    return requested;
}
在/app/build.gradle中添加如下信息
externalNativeBuild {
cmake {
// CMake's standard BUILD_TESTING switch: leave the native build's test targets out.
arguments '-DBUILD_TESTING=OFF'
cppFlags "-frtti -fexceptions -Wpointer-arith"
}
// NOTE(review): ndk {} normally sits next to externalNativeBuild under
// defaultConfig rather than inside it — confirm the brace placement.
ndk {
// Build only the two ABIs the hook code is exercised on.
abiFilters "armeabi-v7a", "arm64-v8a" //"armeabi-v7a",
}
}
四、编译安装,并在lsposed打开该插件,发现报错,内存访问错误,访问的内存地址刚好在libc.so中。在sandhook源码中跟了一下,发现有一处代码很可疑 /elf/elf.cpp
这里 r--p 和 r-xp 都没有写权限,猜测可能是写入时出了问题,试着改一下读写权限试试, ./sandhook_native.cpp
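extern "C"
EXPORT void* SandInlineHook(void* origin, void* replace) {
    // Make the page(s) holding `origin` writable before InlineHook patches
    // them: the mapping is r-xp, so the write would otherwise fault. Best
    // effort, as before: a failed mprotect is logged and the hook is still
    // attempted.
    const long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0) {
        LOGE("sysconf(_SC_PAGESIZE) failed -> %s", strerror(errno));
    } else {
        // Round down to the page boundary with unsigned arithmetic; casting the
        // pointer to `long` and negating the page size leaned on signed
        // two's-complement behaviour that uintptr_t makes explicit.
        const auto page = static_cast<uintptr_t>(pageSize);
        const uintptr_t start = reinterpret_cast<uintptr_t>(origin) & ~(page - 1);
        // Two pages, in case the patch straddles a boundary when `origin` is
        // near the end of the first page. Assumes the inline patch is shorter
        // than one page — TODO confirm against InlineHook's patch length.
        const size_t len = static_cast<size_t>(pageSize) * 2;
        if (mprotect(reinterpret_cast<void*>(start), len, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
            LOGI("mprotect success");
        } else {
            LOGE("mprotect failed -> %s", strerror(errno));
        }
    }
    // NOTE(review): the range stays RWX after Hook() returns. Restoring
    // PROT_READ | PROT_EXEC afterwards would re-establish W^X, but only once it
    // is confirmed that the second page is not a writable data mapping.
    return InlineHook::instance->Hook(origin, replace);
}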
五、再次测试,成功hook上open函数