Use xHook to hook functions in PLT

This commit is contained in:
topjohnwu 2021-01-08 00:53:24 -08:00
parent ef98eaed8f
commit a30d510eb1
7 changed files with 103 additions and 7 deletions

3
.gitmodules vendored
View File

@ -25,6 +25,9 @@
[submodule "pcre"] [submodule "pcre"]
path = native/jni/external/pcre path = native/jni/external/pcre
url = https://android.googlesource.com/platform/external/pcre url = https://android.googlesource.com/platform/external/pcre
[submodule "xhook"]
path = native/jni/external/xhook
url = https://github.com/iqiyi/xHook.git
[submodule "termux-elf-cleaner"] [submodule "termux-elf-cleaner"]
path = tools/termux-elf-cleaner path = tools/termux-elf-cleaner
url = https://github.com/termux/termux-elf-cleaner.git url = https://github.com/termux/termux-elf-cleaner.git

View File

@ -8,7 +8,7 @@ ifdef B_MAGISK
include $(CLEAR_VARS) include $(CLEAR_VARS)
LOCAL_MODULE := magisk LOCAL_MODULE := magisk
LOCAL_STATIC_LIBRARIES := libnanopb libsystemproperties libutils LOCAL_STATIC_LIBRARIES := libnanopb libsystemproperties libutils libxhook
LOCAL_C_INCLUDES := jni/include LOCAL_C_INCLUDES := jni/include
LOCAL_SRC_FILES := \ LOCAL_SRC_FILES := \
@ -32,7 +32,8 @@ LOCAL_SRC_FILES := \
su/pts.cpp \ su/pts.cpp \
su/su_daemon.cpp \ su/su_daemon.cpp \
inject/entry.cpp \ inject/entry.cpp \
inject/utils.cpp inject/utils.cpp \
inject/hook.cpp
LOCAL_LDLIBS := -llog LOCAL_LDLIBS := -llog
include $(BUILD_EXECUTABLE) include $(BUILD_EXECUTABLE)

View File

@ -353,6 +353,23 @@ LOCAL_SRC_FILES := \
pcre/dist2/src/pcre2_xclass.c pcre/dist2/src/pcre2_xclass.c
include $(BUILD_STATIC_LIBRARY) include $(BUILD_STATIC_LIBRARY)
# libxhook.a
include $(CLEAR_VARS)
LOCAL_MODULE:= libxhook
LOCAL_C_INCLUDES := $(LOCAL_PATH)/xhook/libxhook/jni
LOCAL_EXPORT_C_INCLUDES := $(LOCAL_C_INCLUDES)
LOCAL_CFLAGS := -Wall -Wextra -Werror -fvisibility=hidden
LOCAL_CONLYFLAGS := -std=c11
LOCAL_SRC_FILES := \
xhook/libxhook/jni/xh_log.c \
xhook/libxhook/jni/xh_version.c \
xhook/libxhook/jni/xh_jni.c \
xhook/libxhook/jni/xhook.c \
xhook/libxhook/jni/xh_core.c \
xhook/libxhook/jni/xh_util.c \
xhook/libxhook/jni/xh_elf.c
include $(BUILD_STATIC_LIBRARY)
CWD := $(LOCAL_PATH) CWD := $(LOCAL_PATH)
include $(CWD)/systemproperties/Android.mk include $(CWD)/systemproperties/Android.mk
include $(CWD)/mincrypt/Android.mk include $(CWD)/mincrypt/Android.mk

1
native/jni/external/xhook vendored Submodule

@ -0,0 +1 @@
Subproject commit 9180bd74098fd41f808d3968e2e52b4f5db92c99

View File

@ -41,7 +41,10 @@ static void inject_cleanup() {
nanosleep(&ts, nullptr); nanosleep(&ts, nullptr);
} }
static inline void self_unload() { void self_unload() {
// If unhook failed, do not unload or else it will cause SIGSEGV
if (!unhook_functions())
return;
new_daemon_thread(reinterpret_cast<void *(*)(void *)>(&dlclose), self_handle); new_daemon_thread(reinterpret_cast<void *(*)(void *)>(&dlclose), self_handle);
active_threads--; active_threads--;
} }
@ -95,15 +98,12 @@ static void inject_init() {
self_handle = dlopen(INJECT_LIB_2, RTLD_LAZY); self_handle = dlopen(INJECT_LIB_2, RTLD_LAZY);
dlclose(self_handle); dlclose(self_handle);
// TODO: actually inject stuffs here hook_functions();
// Some cleanup // Some cleanup
sanitize_environ(); sanitize_environ();
active_threads++; active_threads++;
new_daemon_thread(&unload_first_stage); new_daemon_thread(&unload_first_stage);
// Demonstrate self unloading 2nd stage
self_unload();
} else if (char *env = getenv(INJECT_ENV_1)) { } else if (char *env = getenv(INJECT_ENV_1)) {
LOGD("zygote: inject 1st stage\n"); LOGD("zygote: inject 1st stage\n");

View File

@ -0,0 +1,70 @@
#include <jni.h>
#include <xhook.h>
#include <utils.hpp>
#include <flags.hpp>
#include "inject.hpp"
using namespace std;
// Static vector won't work, use a pointer instead
static vector<tuple<const char *, const char *, void **>> *hook_list;
#define DEF_HOOK_FUNC(ret, func, ...) \
static ret (*old_##func)(__VA_ARGS__); \
static ret new_##func(__VA_ARGS__)
DEF_HOOK_FUNC(int, jniRegisterNativeMethods,
JNIEnv *env, const char *className, const JNINativeMethod *methods, int numMethods) {
LOGD("hook: jniRegisterNativeMethods %s", className);
// TODO: actually do things like replacing JNI native methods
return old_jniRegisterNativeMethods(env, className, methods, numMethods);
}
static bool hook_refresh() {
if (xhook_refresh(0) == 0) {
xhook_clear();
LOGI("hook: xhook success\n");
return true;
} else {
LOGE("hook: xhook failed\n");
return false;
}
}
static int hook_register(const char *path, const char *symbol, void *new_func, void **old_func) {
int ret = xhook_register(path, symbol, new_func, old_func);
if (ret != 0) {
LOGE("hook: Failed to register hook \"%s\"\n", symbol);
return ret;
}
hook_list->emplace_back(path, symbol, old_func);
return 0;
}
#define XHOOK_REGISTER(PATH_REGEX, NAME) \
hook_register(PATH_REGEX, #NAME, (void*) new_##NAME, (void **) &old_##NAME)
void hook_functions() {
#ifdef MAGISK_DEBUG
xhook_enable_debug(1);
xhook_enable_sigsegv_protection(0);
#endif
hook_list = new remove_pointer_t<decltype(hook_list)>();
XHOOK_REGISTER(".*\\libandroid_runtime.so$", jniRegisterNativeMethods);
hook_refresh();
}
bool unhook_functions() {
for (auto &[path, sym, old_func] : *hook_list) {
if (xhook_register(path, sym, *old_func, nullptr) != 0) {
LOGE("hook: Failed to register hook \"%s\"\n", sym); \
return false;
}
}
delete hook_list;
return hook_refresh();
}

View File

@ -15,3 +15,7 @@ uintptr_t get_function_lib(uintptr_t addr, char *lib);
// Get library base address with name // Get library base address with name
uintptr_t get_remote_lib(int pid, const char *lib); uintptr_t get_remote_lib(int pid, const char *lib);
void self_unload();
void hook_functions();
bool unhook_functions();