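/**
 * Trace calls to ART's plain (non-CheckJNI) GetStringUTFChars by resolving
 * its symbol in libart.so and attaching an Interceptor hook.
 *
 * On entry it logs the JNIEnv pointer, the decoded Java string and the
 * isCopy pointer; on exit it logs the returned UTF-8 buffer. Returns
 * nothing. If no matching symbol is found it logs and returns instead of
 * handing a null address to Interceptor.attach (which throws).
 */
function hook_JNI() {
  Java.perform(function () {
    // Resolve the symbol of the real JNI implementation, skipping the
    // CheckJNI wrappers. Several template instantiations may match; as in
    // the original script, the last match wins.
    function findArtJniSymbol(name) {
      let found = null;
      Module.enumerateSymbols("libart.so").forEach(function (symbol) {
        if (!symbol.name.includes("JNI") || symbol.name.includes("CheckJNI")) {
          return;
        }
        if (symbol.name.includes(name)) {
          console.log(name + ": " + symbol.name);
          found = symbol.address;
        }
      });
      return found;
    }

    const GetStringUTFChars_addr = findArtJniSymbol("GetStringUTFChars");
    if (GetStringUTFChars_addr === null) {
      console.log("GetStringUTFChars_addr is null");
      return;
    }

    Interceptor.attach(GetStringUTFChars_addr, {
      onEnter: function (args) {
        // const char* GetStringUTFChars(JNIEnv* env, jstring str, jboolean* isCopy)
        const env = args[0];
        const jstr = args[1];
        const isCopy = args[2];
        // A NULL jstring is a caller bug; dereferencing it here would only
        // crash the agent, so report it instead.
        // NOTE(review): stringFromJni re-enters JNI from inside this hook and
        // also releases the chars (the original leaked them); it relies on
        // Frida not re-triggering the hook for calls made from JS — confirm
        // on the target Frida version.
        const text = jstr.isNull() ? "<null>" : Java.vm.getEnv().stringFromJni(jstr);
        console.log("art::JNI::GetStringUTFChars(_JNIEnv*, _jstring*, unsigned char*)=> " + env, text, isCopy);
      },
      onLeave: function (retval) {
        // GetStringUTFChars returns NULL on allocation failure.
        const text = retval.isNull() ? "<null>" : retval.readCString();
        console.log("GetStringUTFChars retval: " + text);
      },
    });
  });
}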
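/**
 * Replace ART's plain (non-CheckJNI) NewStringUTF so that every Java string
 * built from a native C string becomes the constant "hooked_NewStringUTF".
 *
 * Demonstrates Interceptor.replace with a NativeCallback that reaches the
 * original implementation through a NativeFunction bound to the same
 * address. Returns nothing; logs and returns early when the symbol is not
 * found.
 */
function replace_JNI() {
  Java.perform(function () {
    // Resolve the symbol of the real JNI implementation, skipping the
    // CheckJNI wrappers. Several template instantiations may match; as in
    // the original script, the last match wins.
    function findArtJniSymbol(name) {
      let found = null;
      Module.enumerateSymbols("libart.so").forEach(function (symbol) {
        if (!symbol.name.includes("JNI") || symbol.name.includes("CheckJNI")) {
          return;
        }
        if (symbol.name.includes(name)) {
          console.log(name + " name: " + symbol.name);
          found = symbol.address;
        }
      });
      return found;
    }

    const NewStringUTF_addr = findArtJniSymbol("NewStringUTF");
    if (NewStringUTF_addr === null) {
      console.log("NewStringUTF_addr is null");
      return;
    }

    // jstring NewStringUTF(JNIEnv* env, const char* bytes)
    const NewStringUTF = new NativeFunction(NewStringUTF_addr, "pointer", ["pointer", "pointer"]);
    // Allocate the replacement text once; keeping the reference in this
    // closure stops the buffer from being garbage-collected while the
    // replacement is installed.
    const replacement = Memory.allocUtf8String("hooked_NewStringUTF");

    Interceptor.replace(NewStringUTF_addr, new NativeCallback(function (env, str) {
      // NewStringUTF(env, NULL) is legal and yields NULL; do not dereference it.
      console.log("NewStringUTF args: ", env, str.isNull() ? "<null>" : str.readCString());
      // Call the original exactly once. The previous version built a second
      // Java string just to log it, leaking a JNI local reference per call.
      const newRet = NewStringUTF(env, replacement);
      console.log("NewStringUTF result: ", newRet);
      return newRet;
    }, "pointer", ["pointer", "pointer"]));
  });
}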
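/**
 * Log every JNINativeMethod registered through ART's plain (non-CheckJNI)
 * RegisterNatives: owning class, method name, JNI signature, the native
 * implementation's symbol and module, the caller, and the implementation's
 * offset inside its module.
 *
 * Returns nothing; logs and returns early when the symbol is not found.
 */
function hook_RegisterNatives() {
  Java.perform(function () {
    // Resolve the symbol of the real JNI implementation, skipping the
    // CheckJNI wrappers. Several template instantiations may match; as in
    // the original script, the last match wins.
    function findArtJniSymbol(name) {
      let found = null;
      Module.enumerateSymbols("libart.so").forEach(function (symbol) {
        if (!symbol.name.includes("JNI") || symbol.name.includes("CheckJNI")) {
          return;
        }
        if (symbol.name.includes(name)) {
          console.log(name + " name: " + symbol.name);
          found = symbol.address;
        }
      });
      return found;
    }

    const RegisterNatives_addr = findArtJniSymbol("RegisterNatives");
    if (RegisterNatives_addr === null) {
      console.log("RegisterNatives_addr is null");
      return;
    }

    // struct JNINativeMethod { const char* name; const char* signature; void* fnPtr; }
    const METHOD_STRIDE = Process.pointerSize * 3;

    Interceptor.attach(RegisterNatives_addr, {
      onEnter: function (args) {
        // jint RegisterNatives(JNIEnv* env, jclass clazz, const JNINativeMethod* methods, jint nMethods)
        console.log("RegisterNative method counts => ", args[3]);
        const clazz = args[1];
        const class_name = Java.vm.getEnv().getClassName(clazz);
        const methods_ptr = args[2];
        const method_count = args[3].toInt32();
        // this.returnAddress identifies the code that invoked RegisterNatives,
        // i.e. the caller (the original label "callee" was misleading).
        const caller = DebugSymbol.fromAddress(this.returnAddress);

        for (let i = 0; i < method_count; i++) {
          const entry = methods_ptr.add(i * METHOD_STRIDE);
          const name_ptr = entry.readPointer();
          const sig_ptr = entry.add(Process.pointerSize).readPointer();
          const fnPtr = entry.add(Process.pointerSize * 2).readPointer();
          // fnPtr may live outside any loaded module (e.g. an anonymous
          // mapping); findModuleByAddress then returns null.
          const find_module = Process.findModuleByAddress(fnPtr);

          console.log("RegisterNative class_name => ", class_name);
          console.log("RegisterNative name => ", name_ptr.readCString());
          console.log("RegisterNative sig => ", sig_ptr.readCString());
          console.log("RegisterNative fnPtr_ptr => ", JSON.stringify(DebugSymbol.fromAddress(fnPtr)));
          console.log("RegisterNative find_module => ", JSON.stringify(find_module));
          console.log("caller => ", caller);
          if (find_module !== null) {
            console.log("offset => ", fnPtr.sub(find_module.base));
          } else {
            console.log("offset => ", "<fnPtr not inside a loaded module>");
          }
        }
      },
    });
  });
}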
// Entry point: only the RegisterNatives tracer is armed here; hook_JNI and
// replace_JNI stay available for manual use. setImmediate defers the hook
// until the script has finished loading.
setImmediate(function () {
  hook_RegisterNatives();
});