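/**
 * Wait for the target to load a libc-related library through
 * android_dlopen_ext, then install the libc hooks from hook_debug().
 *
 * Defects fixed vs. the previous version:
 *  - args[0] can be NULL (dlopen(NULL, ...) is legal); readCString() then
 *    returned null and the indexOf() call threw inside the hook.
 *  - The substring "libc" also matches libc++_shared.so, libcrypto.so,
 *    libcutils.so, ... so hook_debug() was re-run on every such load and each
 *    run attached a fresh copy of every Interceptor listener. It now runs once.
 *
 * Side effects: logs every library name passed to android_dlopen_ext.
 * No-op (logged) when android_dlopen_ext is not exported.
 */
function hook_dlopen() {
    const dlopen = Module.findExportByName(null, 'android_dlopen_ext');
    if (!dlopen) {
        console.log('android_dlopen_ext not found; libc hooks not installed');
        return;
    }
    // Closure flag: hook_debug() must be installed at most once per process.
    let libcHooksInstalled = false;
    Interceptor.attach(dlopen, {
        onEnter(args) {
            this.call_hook = false;
            // Guard the NULL-path case before touching the string.
            const soName = args[0].isNull() ? null : args[0].readCString();
            console.log(soName);
            if (soName !== null && soName.indexOf('libc') > -1) {
                this.call_hook = true;
            }
        },
        onLeave() {
            if (this.call_hook && !libcHooksInstalled) {
                libcHooksInstalled = true;
                hook_debug();
            }
        },
    });
}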
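/**
 * Install the libc hooks used to blunt common runtime-detection checks.
 *
 * Every hook here is process-wide and unconditional, so it also affects each
 * legitimate caller in the target:
 *  - connect(): result forced to 1. A caller testing `connect(...) == 0` sees a
 *    failure; POSIX failure is actually -1 with errno set, so a caller testing
 *    `< 0` is NOT fooled. TODO(review): confirm which test the target uses.
 *  - strstr():  result forced to NULL for every call in the process. This also
 *    breaks any string search the app itself relies on; narrow it to the
 *    needles you need to hide before using it outside a lab.
 *  - stat():    result forced to 1 (same caveat as connect()).
 *
 * Defects fixed vs. the previous version:
 *  - strstr was attached twice. The second listener (misnamed `strcpy`)
 *    replaced the needle with a fixed string, but the first listener's forced
 *    NULL result discarded whatever that search found, so it only produced log
 *    spam. It is removed.
 *  - Each export is checked for null before Interceptor.attach(), which throws
 *    on a null target.
 *  - Re-entry is a no-op, so a caller invoking this on every library load no
 *    longer stacks duplicate listeners.
 */
function hook_debug() {
    if (hook_debug.installed) {
        return;
    }
    hook_debug.installed = true;

    const libc = Process.getModuleByName('libc.so');
    console.log(libc.base);

    // Resolve an export from libc's export table, logging the address or the miss.
    const resolve = (name) => {
        const addr = libc.findExportByName(name);
        console.log(addr);
        if (addr === null) {
            console.log(`libc.so does not export ${name}; hook skipped`);
        }
        return addr;
    };

    // Attach a listener that overwrites the function's return value.
    const forceResult = (name, value) => {
        const target = resolve(name);
        if (target === null) {
            return;
        }
        Interceptor.attach(target, {
            onLeave(retval) {
                retval.replace(value);
            },
        });
    };

    forceResult('connect', 1); // fails a `== 0` success test; not the POSIX -1
    forceResult('strstr', 0);  // NULL = "not found", for every caller in the process
    forceResult('stat', 1);    // fails a `== 0` "file exists" test; not the POSIX -1
}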
/**
 * Script entry point. Installs only the dlopen trigger; that trigger installs
 * the libc hooks once a libc-related library is loaded.
 *
 * The pthread filter and the open-list hook stay disabled here. Each one is
 * process-wide, so enable them individually only when the target needs them.
 */
function main() {
    hook_dlopen();
    // anti_pthread();
    // open_list();
}
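/**
 * Replace libc's pthread_create with a filter that drops threads created with
 * both attr (2nd argument) and arg (4th argument) NULL and forwards all others.
 *
 * This is a heuristic: legitimate code also calls
 * pthread_create(&t, NULL, fn, NULL), and those threads are dropped as well.
 * A dropped caller is told 0 ("created"), so it cannot tell the difference.
 *
 * Defects fixed vs. the previous version:
 *  - The NativeCallback never returned `ret`, so every caller received an
 *    undefined/garbage int rather than pthread_create's result.
 *  - `ret` was a NativePointer (ptr(0)) in an 'int' return slot; it is now 0.
 *  - The empty catch swallowed errors from the forwarded call; they are logged.
 * Returns early (logged) when pthread_create cannot be resolved.
 */
function anti_pthread() {
    const pthreadCreatePtr = Module.findExportByName('libc.so', 'pthread_create');
    if (pthreadCreatePtr === null) {
        console.log('pthread_create not found in libc.so; anti_pthread not installed');
        return;
    }
    // Calling through this NativeFunction from inside the replacement is the
    // Frida-documented way to reach the original implementation.
    const pthreadCreate = new NativeFunction(
        pthreadCreatePtr, 'int', ['pointer', 'pointer', 'pointer', 'pointer']);

    Interceptor.replace(pthreadCreatePtr, new NativeCallback(
        (thread, attr, startRoutine, arg) => {
            let ret = 0;
            if (attr.isNull() && arg.isNull()) {
                // Drop the thread; report success so the caller proceeds.
                console.log('null');
            } else {
                try {
                    console.log(thread, attr, startRoutine, arg);
                    ret = pthreadCreate(thread, attr, startRoutine, arg);
                } catch (error) {
                    console.log(`pthread_create forwarding failed: ${error}`);
                }
            }
            return ret;
        },
        'int', ['pointer', 'pointer', 'pointer', 'pointer']));
}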
/**
 * Alternative hook set, not wired into main(): installs the open-list and
 * fgets hooks. Neither helper is defined in this file as shown — confirm both
 * are loaded before calling this, or the call throws a ReferenceError.
 */
function hook_native() {
    open_list();
    anti_fgets();
}
// Defer main() until the script has finished loading (the usual Frida
// agent pattern) rather than hooking during script evaluation.
setImmediate(main);