在对应的so加载后再执行hook代码
//刚注入的时候这个so还没加载,需要hook dlopen
function inline_hook() {
var base_hello_jni = Module.findBaseAddress("libxxxx.so");
console.log("base_hello_jni:", base_hello_jni);
if (base_hello_jni) {
console.log(base_hello_jni);
//inline hook
var addr_07320 = base_hello_jni.add(0x07320);//指令执行的地址,不是变量所在的栈或堆
Interceptor.attach(addr_07320, {
onEnter: function (args) {
console.log("addr_07320 x13:", this.context.x13);//注意这里是怎么得到寄存器值的
}, onLeave: function (retval) {
}
});
}
}
//8.0以下所有的so加载都通过dlopen
function hook_dlopen() {
var dlopen = Module.findExportByName(null, "dlopen");
Interceptor.attach(dlopen, {
onEnter: function (args) {
this.call_hook = false;
var so_name = ptr(args[0]).readCString();
if (so_name.indexOf("libxxxx.so") >= 0) {
console.log("dlopen:", ptr(args[0]).readCString());
this.call_hook = true;//dlopen函数找到了
}
}, onLeave: function (retval) {
if (this.call_hook) {//dlopen函数找到了就hook so
inline_hook();
}
}
});
// 高版本Android系统使用android_dlopen_ext
var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
Interceptor.attach(android_dlopen_ext, {
onEnter: function (args) {
this.call_hook = false;
var so_name = ptr(args[0]).readCString();
if (so_name.indexOf("libhxxxx.so") >= 0) {
console.log("android_dlopen_ext:", ptr(args[0]).readCString());
this.call_hook = true;
}
}, onLeave: function (retval) {
if (this.call_hook) {
inline_hook();
}
}
});
}