mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-11-28 20:45:24 +00:00
Use xHook to hook functions in PLT
This commit is contained in:
parent
ef98eaed8f
commit
a30d510eb1
3
.gitmodules
vendored
3
.gitmodules
vendored
@ -25,6 +25,9 @@
|
||||
[submodule "pcre"]
|
||||
path = native/jni/external/pcre
|
||||
url = https://android.googlesource.com/platform/external/pcre
|
||||
[submodule "xhook"]
|
||||
path = native/jni/external/xhook
|
||||
url = https://github.com/iqiyi/xHook.git
|
||||
[submodule "termux-elf-cleaner"]
|
||||
path = tools/termux-elf-cleaner
|
||||
url = https://github.com/termux/termux-elf-cleaner.git
|
||||
|
@ -8,7 +8,7 @@ ifdef B_MAGISK
|
||||
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := magisk
|
||||
LOCAL_STATIC_LIBRARIES := libnanopb libsystemproperties libutils
|
||||
LOCAL_STATIC_LIBRARIES := libnanopb libsystemproperties libutils libxhook
|
||||
LOCAL_C_INCLUDES := jni/include
|
||||
|
||||
LOCAL_SRC_FILES := \
|
||||
@ -32,7 +32,8 @@ LOCAL_SRC_FILES := \
|
||||
su/pts.cpp \
|
||||
su/su_daemon.cpp \
|
||||
inject/entry.cpp \
|
||||
inject/utils.cpp
|
||||
inject/utils.cpp \
|
||||
inject/hook.cpp
|
||||
|
||||
LOCAL_LDLIBS := -llog
|
||||
include $(BUILD_EXECUTABLE)
|
||||
|
17
native/jni/external/Android.mk
vendored
17
native/jni/external/Android.mk
vendored
@ -353,6 +353,23 @@ LOCAL_SRC_FILES := \
|
||||
pcre/dist2/src/pcre2_xclass.c
|
||||
include $(BUILD_STATIC_LIBRARY)
|
||||
|
||||
# libxhook.a
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE:= libxhook
|
||||
LOCAL_C_INCLUDES := $(LOCAL_PATH)/xhook/libxhook/jni
|
||||
LOCAL_EXPORT_C_INCLUDES := $(LOCAL_C_INCLUDES)
|
||||
LOCAL_CFLAGS := -Wall -Wextra -Werror -fvisibility=hidden
|
||||
LOCAL_CONLYFLAGS := -std=c11
|
||||
LOCAL_SRC_FILES := \
|
||||
xhook/libxhook/jni/xh_log.c \
|
||||
xhook/libxhook/jni/xh_version.c \
|
||||
xhook/libxhook/jni/xh_jni.c \
|
||||
xhook/libxhook/jni/xhook.c \
|
||||
xhook/libxhook/jni/xh_core.c \
|
||||
xhook/libxhook/jni/xh_util.c \
|
||||
xhook/libxhook/jni/xh_elf.c
|
||||
include $(BUILD_STATIC_LIBRARY)
|
||||
|
||||
CWD := $(LOCAL_PATH)
|
||||
include $(CWD)/systemproperties/Android.mk
|
||||
include $(CWD)/mincrypt/Android.mk
|
||||
|
1
native/jni/external/xhook
vendored
Submodule
1
native/jni/external/xhook
vendored
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit 9180bd74098fd41f808d3968e2e52b4f5db92c99
|
@ -41,7 +41,10 @@ static void inject_cleanup() {
|
||||
nanosleep(&ts, nullptr);
|
||||
}
|
||||
|
||||
static inline void self_unload() {
|
||||
void self_unload() {
|
||||
// If unhook failed, do not unload or else it will cause SIGSEGV
|
||||
if (!unhook_functions())
|
||||
return;
|
||||
new_daemon_thread(reinterpret_cast<void *(*)(void *)>(&dlclose), self_handle);
|
||||
active_threads--;
|
||||
}
|
||||
@ -95,15 +98,12 @@ static void inject_init() {
|
||||
self_handle = dlopen(INJECT_LIB_2, RTLD_LAZY);
|
||||
dlclose(self_handle);
|
||||
|
||||
// TODO: actually inject stuffs here
|
||||
hook_functions();
|
||||
|
||||
// Some cleanup
|
||||
sanitize_environ();
|
||||
active_threads++;
|
||||
new_daemon_thread(&unload_first_stage);
|
||||
|
||||
// Demonstrate self unloading 2nd stage
|
||||
self_unload();
|
||||
} else if (char *env = getenv(INJECT_ENV_1)) {
|
||||
LOGD("zygote: inject 1st stage\n");
|
||||
|
||||
|
70
native/jni/inject/hook.cpp
Normal file
70
native/jni/inject/hook.cpp
Normal file
@ -0,0 +1,70 @@
|
||||
#include <jni.h>
|
||||
|
||||
#include <xhook.h>
|
||||
#include <utils.hpp>
|
||||
#include <flags.hpp>
|
||||
|
||||
#include "inject.hpp"
|
||||
|
||||
using namespace std;
|
||||
|
||||
// Static vector won't work, use a pointer instead
|
||||
static vector<tuple<const char *, const char *, void **>> *hook_list;
|
||||
|
||||
#define DEF_HOOK_FUNC(ret, func, ...) \
|
||||
static ret (*old_##func)(__VA_ARGS__); \
|
||||
static ret new_##func(__VA_ARGS__)
|
||||
|
||||
DEF_HOOK_FUNC(int, jniRegisterNativeMethods,
|
||||
JNIEnv *env, const char *className, const JNINativeMethod *methods, int numMethods) {
|
||||
LOGD("hook: jniRegisterNativeMethods %s", className);
|
||||
|
||||
// TODO: actually do things like replacing JNI native methods
|
||||
|
||||
return old_jniRegisterNativeMethods(env, className, methods, numMethods);
|
||||
}
|
||||
|
||||
static bool hook_refresh() {
|
||||
if (xhook_refresh(0) == 0) {
|
||||
xhook_clear();
|
||||
LOGI("hook: xhook success\n");
|
||||
return true;
|
||||
} else {
|
||||
LOGE("hook: xhook failed\n");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
static int hook_register(const char *path, const char *symbol, void *new_func, void **old_func) {
|
||||
int ret = xhook_register(path, symbol, new_func, old_func);
|
||||
if (ret != 0) {
|
||||
LOGE("hook: Failed to register hook \"%s\"\n", symbol);
|
||||
return ret;
|
||||
}
|
||||
hook_list->emplace_back(path, symbol, old_func);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define XHOOK_REGISTER(PATH_REGEX, NAME) \
|
||||
hook_register(PATH_REGEX, #NAME, (void*) new_##NAME, (void **) &old_##NAME)
|
||||
|
||||
void hook_functions() {
|
||||
#ifdef MAGISK_DEBUG
|
||||
xhook_enable_debug(1);
|
||||
xhook_enable_sigsegv_protection(0);
|
||||
#endif
|
||||
hook_list = new remove_pointer_t<decltype(hook_list)>();
|
||||
XHOOK_REGISTER(".*\\libandroid_runtime.so$", jniRegisterNativeMethods);
|
||||
hook_refresh();
|
||||
}
|
||||
|
||||
bool unhook_functions() {
|
||||
for (auto &[path, sym, old_func] : *hook_list) {
|
||||
if (xhook_register(path, sym, *old_func, nullptr) != 0) {
|
||||
LOGE("hook: Failed to register hook \"%s\"\n", sym); \
|
||||
return false;
|
||||
}
|
||||
}
|
||||
delete hook_list;
|
||||
return hook_refresh();
|
||||
}
|
@ -15,3 +15,7 @@ uintptr_t get_function_lib(uintptr_t addr, char *lib);
|
||||
|
||||
// Get library base address with name
|
||||
uintptr_t get_remote_lib(int pid, const char *lib);
|
||||
|
||||
void self_unload();
|
||||
void hook_functions();
|
||||
bool unhook_functions();
|
||||
|
Loading…
Reference in New Issue
Block a user