使用libffi实现hook Objective-C
libffi根据Method动态生成一个新的NewIMP,接着libffi把这个NewIMP与一个C函数做关联,然后通过OC的方法交换(这里需要保存原始的IMP)把Method的IMP替换为libffi生成的NewIMP,这样当OC方法执行时会走到关联的C函数中,在这里我们可以控制原OC方法的执行时机来达到hook的目的。
回调的
callback参数列表与实际被hook的参数(不包括self、selector)一一对应,不带参数的方法callback参数列表为void
API:
/// hook 实例方法
+ (ZDFfiHookInfo *)zd_hookInstanceMethod:(SEL)selector option:(ZDHookOption)option callback:(id)callback;
/// hook类方法
+ (ZDFfiHookInfo *)zd_hookClassMethod:(SEL)selector option:(ZDHookOption)option callback:(id)callback;
/// 仅仅对单个实例对象进行hook
- (ZDFfiHookInfo *)zd_hookInstanceMethod:(SEL)selector option:(ZDHookOption)option callback:(id)callback;
/// 移除hook
+ (BOOL)zd_removeHookToken:(ZDFfiHookInfo *)token;
/// 一般情况下不用手动移除单个实例的hook,当实例释放时会自动移除
- (BOOL)zd_removeHookToken:(ZDFfiHookInfo *)token;例子
- (void)testFfiHook {
[self.class zd_hookInstanceMethod:@selector(exeA:b:c:) option:ZDHookOption_After callback:^(NSInteger a, NSString *b, id c){
NSLog(@"~~~~~后hook");
}];
[self.class zd_hookInstanceMethod:@selector(exeA:b:c:) option:ZDHookOption_Before callback:^(NSInteger a, NSString *b, id c){
NSLog(@"~~~~~~先hook");
}];
id v = [self exeA:100 b:@"啦啦啦" c:NSObject.new];
NSLog(@"***************** %@", v);
}
#pragma mark - Method
- (id)exeA:(NSInteger)a b:(NSString *)b c:(id)c {
NSString *ret = [NSString stringWithFormat:@"结果 = %zd, %@, %@", a, b, c];
return ret;
}pod 'ZDFfiHook', :git => 'https://github.com/faimin/ZDFfiHook.git'