1. 項目信息

項目源碼：https://github.com/iqiyi/xHook

對應(yīng)文檔：https://github.com/iqiyi/xHook/blob/master/docs/overview/android_plt_hook_overview.zh-CN.md

2. 使用

以 hook mmap 為例：

#include "gothook/xhook.h"

void* (*old_mmap)(void* start,size_t length,int prot,int flags,int fd,off_t offset);

void* testmmap(void* start,size_t length,int prot,int flags,int fd,off_t offset) {
    __android_log_print(ANDROID_LOG_INFO, "Wooo", "this is test hook mmap : %x", length);
    void* addr =  old_mmap(start, length, prot, flags, fd, offset);
    __android_log_print(ANDROID_LOG_INFO, "Wooo", "real hook mmap : %x", addr);
    return 1003;
}

void native_register(JNIEnv* env, jobject obj) {
    xhook_register(".*/libmainNative\\.so$", "mmap", testmmap, (void **)(&old_mmap));
    xhook_refresh(0);    // 同步或一步處理。這里是同步處理。
    __android_log_print(ANDROID_LOG_INFO, "Wooo", "native register finish");
}

xhook_refresh 函數(shù)的參數(shù)，1為一步，0為同步。
這樣就觸發(fā)了 hook。測試沒辦法取消掉 hook，所以要保留原函數(shù)，來調(diào)用。

幾個原生函數(shù)聲明對應(yīng)如下：

int (*old_open)(const char* pathname,int flags,mode_t mode);
int (*old_fstat)(int fildes,struct stat *buf);
ssize_t (*old_read_chk)(int fd, void * buf, size_t nbytes, size_t buflen);
ssize_t (*old_read)(int fd,void * buf ,size_t count);
void* (*old_mmap)(void* start,size_t length,int prot,int flags,int fd,off_t offset);
int (*old_munmap)(void *start,size_t length);
pid_t (*old_fork)( void);

新函數(shù)對應(yīng)如下：

int hook(uint32_t addr,uint32_t fakeaddr,uint32_t** old_addr);
int new_open(const char* pathname,int flags,mode_t mode);
int new_fstat(int fildes,struct stat *buf);
ssize_t new_read(int fd,void * buf ,size_t count);
ssize_t new_read_chk(int fd, void * buf, size_t nbytes, size_t buflen);
void* new_mmap(void* start,size_t length,int prot,int flags,int fd,off_t offset);
int new_munmap(void *start,size_t length);
pid_t new_fork( void);

hook 的 elf 文件路徑示例：

//detect memory leaks
xhook_register(".*\\.so$", "malloc",  my_malloc,  NULL);
xhook_register(".*\\.so$", "calloc",  my_calloc,  NULL);
xhook_register(".*\\.so$", "realloc", my_realloc, NULL);
xhook_register(".*\\.so$", "free",    my_free,    NULL);

//inspect sockets lifecycle
xhook_register(".*\\.so$", "getaddrinfo", my_getaddrinfo, NULL);
xhook_register(".*\\.so$", "socket",      my_socket,      NULL);
xhook_register(".*\\.so$", "setsockopt"   my_setsockopt,  NULL);
xhook_register(".*\\.so$", "bind",        my_bind,        NULL);
xhook_register(".*\\.so$", "listen",      my_listen,      NULL);
xhook_register(".*\\.so$", "connect",     my_connect,     NULL);
xhook_register(".*\\.so$", "shutdown",    my_shutdown,    NULL);
xhook_register(".*\\.so$", "close",       my_close,       NULL);

//filter off and save some android log to local file
xhook_register(".*\\.so$", "__android_log_write",  my_log_write,  NULL);
xhook_register(".*\\.so$", "__android_log_print",  my_log_print,  NULL);
xhook_register(".*\\.so$", "__android_log_vprint", my_log_vprint, NULL);
xhook_register(".*\\.so$", "__android_log_assert", my_log_assert, NULL);

//tracking (ignore linker and linker64)
xhook_register("^/system/.*$", "mmap",   my_mmap,   NULL);
xhook_register("^/vendor/.*$", "munmap", my_munmap, NULL);
xhook_ignore  (".*/linker$",   "mmap");
xhook_ignore  (".*/linker$",   "munmap");
xhook_ignore  (".*/linker64$", "mmap");
xhook_ignore  (".*/linker64$", "munmap");

//defense to some injection attacks
xhook_register(".*com\\.hacker.*\\.so$", "malloc",  my_malloc_always_return_NULL, NULL);
xhook_register(".*/libhacker\\.so$",     "connect", my_connect_with_recorder,     NULL);

//fix some system bug
xhook_register(".*some_vendor.*/libvictim\\.so$", "bad_func", my_nice_func, NULL);

//ignore all hooks in libwebviewchromium.so
xhook_ignore(".*/libwebviewchromium.so$", NULL);

//hook now!
xhook_refresh(1);

3. 測試說明

測試可以 hook libmainNative.so 的 mmap 函數(shù)，但是不能 hook so 文件內(nèi)的內(nèi)部函數(shù) testfindsm。內(nèi)部調(diào)用函數(shù)無法調(diào)用。