dlopen hook failed in nexus6p with Android8.0 #448
Comments
I faced the same issue. In fact, I tested with Android 7.0 and 7.1 on the Nexus 6P too. I got the same error.
@awakened1712 Now I have changed my Nexus 6P system from 8.1 to 6.0, and it works. I think something is different about dlopen since Android 7.0.
I don't remember exactly. I think the below should work
@awakened1712 I tried it and got this error,
but it doesn't work. Do you have this problem, and how did you deal with it?
@awakened1712 So you don't have this error on your Nexus 6P? Maybe I have some error in my code.
I did not try to check the retval. Let me check again tomorrow.
@awakened1712 thanks
@awakened1712 Did you find something about it? |
AFAIK, in Android 7, Google introduced "namespaces" for dlopen: you can't load any dynamic library outside the app namespace or it will fault. Frida itself gets around this using a neat trick; take a look at the Android injection code for a reference. Maybe you can adopt that for your hooking logic.
@YaphetsH Have you solved this problem? |
same problem |
@YaphetsH I gave up on the dlopen hook. Instead, I hooked its Java wrapper, System.loadLibrary, as below:

```javascript
Java.perform(function() {
    const System = Java.use('java.lang.System');
    const Runtime = Java.use('java.lang.Runtime');
    const VMStack = Java.use('dalvik.system.VMStack');

    // Resolve the library against the caller's class loader ourselves instead of
    // chaining to the original System.loadLibrary: called from a Frida callback, the
    // runtime would determine the wrong caller and miss the app's native libraries.
    System.loadLibrary.implementation = function(library) {
        try {
            console.log('System.loadLibrary("' + library + '")');
            const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);
            return loaded;
        } catch(ex) {
            console.log(ex);
        }
    };

    System.load.implementation = function(library) {
        try {
            console.log('System.load("' + library + '")');
            // Runtime.load0 takes (Class<?> fromClass, String filename) on Android 7/8,
            // so it cannot be handed a ClassLoader. Runtime.doLoad(String, ClassLoader)
            // is the private step both load0 and loadLibrary0 end in; it returns an
            // error string, or null on success.
            const error = Runtime.getRuntime().doLoad(library, VMStack.getCallingClassLoader());
            if (error !== null) {
                throw new Error(error);
            }
        } catch(ex) {
            console.log(ex);
        }
    };
});
```
This code will log correctly and will not cause the program to crash abnormally.

```javascript
var dlopen = new NativeFunction(Module.findExportByName(null, 'dlopen'), 'pointer', ['pointer', 'int']);

Interceptor.replace(dlopen, new NativeCallback(function(path, mode) {
    var name = Memory.readUtf8String(path);
    console.log('dlopen(path="' + name + '", mode=' + mode + ')');
    if (name !== null && name.indexOf('msm8994') !== -1) {
        console.log('[*] found msm8994');
    }
    // Calling the replaced function through its own NativeFunction reaches the original.
    return dlopen(path, mode);
}, 'pointer', ['pointer', 'int']));
```
can you post this link? thanks |
Hey @chenbinhi, what about this link? https://github.com/frida/frida-java/blob/master/lib/android.js //c @madushan1000 |
For API < 23:

```javascript
Java.use('java.lang.System').load.implementation = function (lib) {
    console.log(lib);
    return Java.use('java.lang.Runtime').getRuntime().load(lib, Java.use('dalvik.system.VMStack').getCallingClassLoader());
};
```
I know this is an old one, but in my use case I had to combine the two solutions above.
Anyway, here's the combined solution. I removed the try/catch for simplicity.

```javascript
Java.perform(function () {
    const System = Java.use('java.lang.System');
    const Runtime = Java.use('java.lang.Runtime');
    const VMStack = Java.use('dalvik.system.VMStack');
    const sdkValue = Java.use('android.os.Build$VERSION').SDK_INT.value;

    if (sdkValue < 24) {
        // Before Android 7 (API 24) the plain dlopen hook still works.
        Interceptor.attach(Module.findExportByName(null, 'dlopen'), {
            onEnter: function (args) {
                this.path = Memory.readUtf8String(args[0]);
                console.log('[*] dlopen called with: ' + this.path);
            },
            onLeave: function () {
                console.log('[*] dlopen finished with: ' + this.path);
            }
        });
    } else {
        // From Android 7 on, hook the Java wrapper and resolve the library against
        // the caller's class loader.
        System.loadLibrary.implementation = function (library) {
            console.log('[*] loadLibrary called with: ' + library);
            const loaded = Runtime.getRuntime().loadLibrary0(
                VMStack.getCallingClassLoader(), library
            );
            console.log('[*] loadLibrary finished with: ' + library);
            return loaded;
        };
    }
});
```

Note that there are two pairs of
Try this code, which I have tested on Android 7.1.

```javascript
function intercept_dlopen(address) {
    try {
        Interceptor.attach(address, {
            onEnter: function(args) {
                this.lib = Memory.readUtf8String(args[0]);
                console.log("dlopen called with: " + this.lib);
            },
            onLeave: function(ignored) {}
        });
    } catch (e) {
        console.error(e);
    }
}

// The internal dlopen routine lives in the dynamic linker, whose symbols carry the
// __dl_ prefix. The module is linker64 in a 64-bit process and linker in a 32-bit one.
var symbols = Process.getModuleByName(Process.pointerSize === 8 ? 'linker64' : 'linker').enumerateSymbols();

// Mangled names of the linker's dlopen entry point across Android releases.
var DLOPEN_SYMBOL_NAMES = [
    '__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv',
    '__dl__Z9do_dlopenPKciPK17android_dlextinfoPv',
    '__dl__ZL10dlopen_extPKciPK17android_dlextinfoPv',
    '__dl__Z20__android_dlopen_extPKciPK17android_dlextinfoPKv',
    '__dl___loader_android_dlopen_ext',
    '__dl__Z9do_dlopenPKciPK17android_dlextinfo',
    '__dl__Z8__dlopenPKciPKv',
    '__dl___loader_dlopen',
    '__dl_dlopen'
];

function find_dlopen_symbol() {
    var dlopenSymbol;
    symbols.forEach(function(symbol) {
        if (DLOPEN_SYMBOL_NAMES.indexOf(symbol.name) !== -1) {
            dlopenSymbol = symbol;
        }
    });
    return dlopenSymbol;
}

var dlopenSymbol = find_dlopen_symbol();
if (dlopenSymbol === undefined) {
    throw new Error("no known dlopen symbol found in the linker");
}
console.log("hook " + dlopenSymbol.name + " " + dlopenSymbol.address);
intercept_dlopen(dlopenSymbol.address);
```
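As an added example (my code, not from this thread or from the Frida project), the script below generalizes the fixed symbol list above: it picks the linker's dlopen entry point by name pattern, preferring the innermost routine, and logs each load with the caller address the linker uses to choose a namespace. The helper names (pickDlopenSymbol, callerArgIndex, decodeDlopenFlags) and the sample symbol table are mine. Background it relies on: in bionic, libdl's dlopen wrapper forwards its own return address to the linker as caller_addr; the linker maps that address to the loaded library containing it and uses that library's namespace, and when the address lies in no known library it falls back to the anonymous namespace and names the caller "(unknown)", which is exactly the wording of the error in this issue. Hooking the libdl wrapper puts a Frida trampoline on that return path (an Interceptor.replace that calls the original from JavaScript, or the return-address swap Frida uses to deliver onLeave), so the linker receives an address it cannot attribute. Attaching to the linker's own do_dlopen, where caller_addr is already an explicit argument, leaves that value untouched.

```javascript
// Added example: find the Android linker's internal dlopen routine by pattern and log
// each load together with the caller address the linker uses to pick a namespace.
// The helpers contain no Frida calls, so they can be exercised outside Frida.

// Candidate names, most preferred first. do_dlopen is the routine every load path ends
// in; the others are thinner wrappers whose names vary between Android releases.
var DLOPEN_PATTERNS = [
    /^__dl__Z\d+do_dlopenPKci/,             // __dl__Z9do_dlopenPKciPK17android_dlextinfoPKv and variants
    /^__dl___loader_android_dlopen_ext$/,   // unmangled loader entry on newer releases
    /^__dl__Z\d+__android_dlopen_extPKci/,  // __dl__Z20__android_dlopen_extPKciPK17android_dlextinfoPKv
    /^__dl__ZL\d+dlopen_extPKci/,           // __dl__ZL10dlopen_extPKciPK17android_dlextinfoPv
    /^__dl___loader_dlopen$/,
    /^__dl__Z\d+__dlopenPKciPKv$/,          // __dl__Z8__dlopenPKciPKv
    /^__dl_dlopen$/
];

// Returns the first symbol, in preference order, whose name matches; null if none does.
function pickDlopenSymbol(symbols) {
    for (var i = 0; i < DLOPEN_PATTERNS.length; i++) {
        for (var j = 0; j < symbols.length; j++) {
            if (DLOPEN_PATTERNS[i].test(symbols[j].name)) {
                return symbols[j];
            }
        }
    }
    return null;
}

// Argument index of caller_addr for a given entry point, or -1 when the routine has
// none. Routines taking an android_dlextinfo* receive it fourth; the plain
// (name, flags, caller_addr) wrappers receive it third; __dl_dlopen has no such argument.
function callerArgIndex(name) {
    if (/dlextinfo|android_dlopen_ext/.test(name)) return 3;
    if (/__loader_dlopen$|__dlopenPKciPKv$/.test(name)) return 2;
    return -1;
}

// bionic's dlfcn.h assigns RTLD_NOW and RTLD_GLOBAL different values on LP64 and LP32
// (RTLD_NOW is 0 on LP32, where the linker always binds eagerly). Unknown bits are kept as hex.
function decodeDlopenFlags(mode, pointerSize) {
    var table = pointerSize === 8
        ? [['RTLD_LAZY', 0x1], ['RTLD_NOW', 0x2], ['RTLD_NOLOAD', 0x4], ['RTLD_GLOBAL', 0x100], ['RTLD_NODELETE', 0x1000]]
        : [['RTLD_LAZY', 0x1], ['RTLD_GLOBAL', 0x2], ['RTLD_NOLOAD', 0x4], ['RTLD_NODELETE', 0x1000]];
    var names = [];
    var known = 0;
    table.forEach(function (entry) {
        known |= entry[1];
        if (mode & entry[1]) names.push(entry[0]);
    });
    if (names.indexOf('RTLD_GLOBAL') === -1) names.push('RTLD_LOCAL');
    var unknown = mode & ~known;
    if (unknown !== 0) names.push('0x' + unknown.toString(16));
    return names.join('|');
}

// Constructed sample of a linker64 symbol table (names only; real
// Module.enumerateSymbols() entries also carry address, size and type).
var SAMPLE_LINKER_SYMBOLS = [
    { name: '__dl__ZL21g_anonymous_namespace' },
    { name: '__dl___loader_dlopen' },
    { name: '__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv' }
];

function hookLinkerDlopen() {
    var linker = Process.getModuleByName(Process.pointerSize === 8 ? 'linker64' : 'linker');
    var sym = pickDlopenSymbol(linker.enumerateSymbols());
    if (sym === null) {
        throw new Error('no dlopen entry point found in ' + linker.name);
    }
    var callerIdx = callerArgIndex(sym.name);
    console.log('[*] hooking ' + sym.name + ' @ ' + sym.address);
    Interceptor.attach(sym.address, {
        onEnter: function (args) {
            var path = args[0].isNull() ? '(null)' : args[0].readUtf8String();
            var flags = decodeDlopenFlags(args[1].toInt32(), Process.pointerSize);
            var origin = '(no caller_addr argument)';
            if (callerIdx !== -1) {
                // The module owning caller_addr is the one whose namespace the linker will use.
                var owner = Process.findModuleByAddress(args[callerIdx]);
                origin = owner !== null ? owner.name : 'unattributed address ' + args[callerIdx];
            }
            console.log('dlopen("' + path + '", ' + flags + ') from ' + origin);
        }
    });
}

// Install the hook only when running inside Frida; the helpers work anywhere.
if (typeof Interceptor !== 'undefined') {
    hookLinkerDlopen();
}
```

Loads reported as coming from an unattributed address are the ones that will hit the "(anonymous)" namespace restriction; loads attributed to a library in the app's namespace go through as usual.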
Not a very good generic solution nowadays, because on apps that use "SuperPack" it will only log the loading of the superpack lib.
hook code:

```javascript
var didHookApis = false;

Interceptor.attach(Module.findExportByName(null, 'dlopen'), {
    onEnter: function (args) {
        this.path = Memory.readUtf8String(args[0]);
        console.log(this.path);
    },
    onLeave: function (retval) {
        if (!retval.isNull() && this.path.indexOf('libnative-lib.so') !== -1 && !didHookApis) {
            didHookApis = true;
            console.log("File loaded hooking");
            hooknative2(); // defined elsewhere in the script; installs the hooks on libnative-lib.so
            // ...
        }
    }
});
```

And here are some error logs:

```
E/HAL: load: module=/vendor/lib64/hw/gralloc.msm8994.so
dlopen failed: library "/vendor/lib64/hw/gralloc.msm8994.so" needed or dlopened by "(unknown)" is not accessible for the namespace "(anonymous)"
```

What's the problem?