Android: hooking functions in a .so

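 // Enumerate the import table of 1.so.
 // Each entry is printed twice: the raw record as JSON, then as "name address".
 // (Variable renamed from the original "improts" typo.)
 const imports = Module.enumerateImports("1.so");
 for (const entry of imports) {
     console.log(JSON.stringify(entry));
     console.log(`${entry.name} ${entry.address}`);
 }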

 // Enumerate the export table of 1.so and print "name address" for every export.
 const exportList = Module.enumerateExports("1.so");
 exportList.forEach((exp) => {
     console.log(`${exp.name} ${exp.address}`);
 });

 // Enumerate the symbol table of 1.so and print "name address" for every symbol.
 const symbolList = Module.enumerateSymbols("1.so");
 for (const sym of symbolList) {
     console.log(`${sym.name} ${sym.address}`);
 }

 // Enumerate the modules currently loaded in the process, then print the first
 // export of the first module as JSON (each Module also exposes enumerateExports()).
 const loadedModules = Process.enumerateModules();
 const [firstModule] = loadedModules;
 const [firstExport] = firstModule.enumerateExports();
 console.log(JSON.stringify(firstExport));

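 // Hook an exported function of 1.so by name.
 // findExportByName() returns null when the symbol is absent; passing null to
 // Interceptor.attach() only yields a generic pointer error, so check it first.
 const exportAddr = Module.findExportByName("1.so", "your_func_name");
 console.log(exportAddr);
 if (exportAddr === null) {
     throw new Error("export your_func_name not found in 1.so");
 }
 Interceptor.attach(exportAddr, {
     onEnter(args) {
         // hexdump() reads memory at args[1]; this assumes args[1] is a readable
         // pointer and will fault if it is not (args[2] is treated as a 32-bit int).
         console.log("funcAddr onEnter args[1]: ", hexdump(args[1]));
         console.log("funcAddr onEnter args[2]: ", args[2].toInt32());
         // args is not passed to onLeave, so keep what it needs on the per-call context.
         this.args3 = args[3];
     },
     onLeave(retval) {
         console.log("funcAddr onLeave args[3]: ", hexdump(this.args3));
     },
 });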

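 // Various ways to obtain the base address of 1.so.
 // The find* lookups return null when 1.so is not loaded (the original
 // dereferenced .base unconditionally and threw a TypeError in that case);
 // the get* lookup throws by itself.
 const moduleByName = Process.findModuleByName("1.so");
 console.log(JSON.stringify(moduleByName));
 if (moduleByName !== null) {
     console.log("module1", moduleByName.base);
 } else {
     console.log("module1", "1.so is not loaded");
 }

 // Throws instead of returning null when the module is missing.
 const moduleStrict = Process.getModuleByName("1.so");
 console.log("module2", moduleStrict.base);

 // Base address directly by module name (null if not loaded).
 const baseByLookup = Module.findBaseAddress("1.so");
 console.log("soAddr", baseByLookup);

 // Walk the loaded-module list and match on the name.
 const allModules = Process.enumerateModules();
 for (const m of allModules) {
     if (m.name === "1.so") {
         console.log(`${m.name} ${m.base}`);
     }
 }

 // Resolve the module that contains the base address; skipped when the base is unknown.
 const moduleAtBase = baseByLookup === null ? null : Process.findModuleByAddress(baseByLookup);
 if (moduleAtBase !== null) {
     console.log(`module ${moduleAtBase.name} ${moduleAtBase.base}`);
 }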

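 // Hook an arbitrary (not necessarily exported) function by its offset from the module base.
 const libBase = Module.findBaseAddress("1.so");

 // ptr() turns a plain number into a NativePointer, which supports .add()/.sub().
 // rawBase is a hard-coded sample value, presumably copied from one run; the real
 // base must come from findBaseAddress() above.
 const rawBase = 0x77ab999000;
 console.log(ptr(rawBase).add(0x1234));

 // findBaseAddress() returns null when 1.so is not loaded; .add() on null would
 // throw a TypeError, so fail with a clear message instead.
 if (libBase === null) {
     throw new Error("1.so is not loaded; cannot compute the hook address");
 }
 const hookTarget = libBase.add(0x1234);
 Interceptor.attach(hookTarget, {
     onEnter(args) {
         // hexdump() assumes args[1] is a readable pointer; args[2] is read as a 32-bit int.
         console.log("funcAddr onEnter args[1]: ", hexdump(args[1]));
         console.log("funcAddr onEnter args[2]: ", args[2].toInt32());
         // args is not passed to onLeave, so keep what it needs on the per-call context.
         this.args3 = args[3];
     },
     onLeave(retval) {
         console.log("funcAddr onLeave args[3]: ", hexdump(this.args3));
     },
 });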

 // A dead-simple generic .so hook (print_arg / hook_native_addr below)
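// Render one argument or return value for logging.
// addr inside a mapped range -> hexdump of that memory; anything else -> the plain
// pointer value. A range that is mapped but not readable (no "r" in its protection)
// is reported rather than dumped, because hexdump() would fault on it and abort the
// hook handler.
//
// addr - NativePointer (or number) to render
// Returns a string terminated by "\n".
function print_arg(addr) {
    const range = Process.findRangeByAddress(addr);
    if (range == null) {
        return ptr(addr) + "\n";
    }
    // Only skip the dump when the protection string is present and clearly unreadable;
    // a missing protection field falls through to the original behaviour.
    if (range.protection && !range.protection.startsWith("r")) {
        return ptr(addr) + " [unreadable " + range.protection + "]\n";
    }
    return hexdump(addr) + "\n";
}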
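// Attach to funcPtr and log its first paramsNum arguments on entry and again on
// exit, followed by the return value. Every value is rendered through print_arg(),
// so pointer-like values get a hexdump and other values are printed as-is.
//
// funcPtr   - NativePointer (or number) of the function to hook
// paramsNum - how many args[] slots to record; slots beyond the real arity are
//             read anyway, so pass the function's actual parameter count
function hook_native_addr(funcPtr, paramsNum) {
    const target = ptr(funcPtr);
    // findModuleByAddress() returns null for an address outside every loaded
    // module; the original dereferenced it unconditionally, which threw inside
    // every onEnter. Fall back to the absolute address in that case.
    const owner = Process.findModuleByAddress(target);
    const location = owner !== null
        ? `${owner.name}||${target.sub(owner.base)}`
        : `${target}`;
    Interceptor.attach(target, {
        onEnter(args) {
            // `this` is the per-call context; onLeave reads logs/params from it.
            this.logs = [`call ${location}\n`];
            this.params = [];
            for (let i = 0; i < paramsNum; i++) {
                this.params.push(args[i]);
                this.logs.push(`this.args${i} onEnter: ${print_arg(args[i])}`);
            }
        },
        onLeave(retval) {
            // Re-render the saved args so output-parameters show their post-call contents.
            for (let i = 0; i < paramsNum; i++) {
                this.logs.push(`this.args${i} onLeave: ${print_arg(this.params[i])}`);
            }
            this.logs.push(`retval onLeave: ${print_arg(retval)}\n`);
            console.log(this.logs);
        },
    });
}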

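// Example use: hook the function at offset 0x1234 in 1.so and log its first two arguments.
// findBaseAddress() returns null when 1.so is not loaded; .add() on null would throw
// a TypeError, so fail with a clear message instead.
const libraryBase = Module.findBaseAddress("1.so");
if (libraryBase === null) {
    throw new Error("1.so is not loaded; cannot hook offset 0x1234");
}
const hookAddr = libraryBase.add(0x1234);
hook_native_addr(hookAddr, 2);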