Android Art Hook 技术方案

by 低端码农 at 2015.4.13
www.im-boy.net

0x1 开始

Anddroid上的ART从5.0之后变成默认的选择,可见ART的重要性,目前关于Dalvik Hook方面研究的文章很多,但我在网上却找不到关于ART Hook相关的文章,甚至连鼎鼎大名的XPosed和Cydia Substrate到目前为止也不支持ART的Hook。当然我相信,技术方案他们肯定是的,估计卡在机型适配上的了。

既然网上找不到相关的资料,于是我决定自己花些时间去研究一下,终于黃天不负有心人,我找到了一个切实可行的方法,即本文所介绍的方法。

应该说明的是本文所介绍的方法肯定不是最好的,但大家看完本文之后,如果能启发大家找到更好的ART Hook方法,那我抛砖引玉的目的就达到了。废话不多说,我们开始吧。

  • 运行环境: 4.4.2 ART模式的模拟器
  • 开发环境: Mac OS X 10.10.3

0x2 ART类方法加载及执行

在ART中类方法的执行要比在Dalvik中要复杂得多,Dalvik如果除去JIT部分,可以理解为是一个解析执行的虚拟机,而ART则同时包含本地指令执行和解析执行两种模式,同时所生成的oat文件也包含两种类型,分别是portable和quick。portable和quick的主要区别是对于方法的加载机制不相同,quick大量使用了Lazy Load机制,因此应用的启动速度更快,但加载流程更复杂。其中quick是作为默认选项,因此本文所涉及的技术分析都是基于quick类型的。

由于ART存在本地指令执行和解析执行两种模式,因此类方法之间并不是能直接跳转的,而是通过一些预先定义的bridge函数进行状态和上下文的切换,这里引用一下老罗博客中的示意图:

当执行某个方法时,如果当前是本地指令执行模式,则会执行ArtMethod::GetEntryPointFromCompiledCode()指向的函数,否则则执行ArtMethod::GetEntryPointFromInterpreter()指向的函数。因此每个方法,都有两个入口点,分别保存在ArtMethod::entry_point_from_compiled_code_ArtMethod::entry_point_from_interpreter_。了解这一点非常重要,后面我们主要就是在这两个入口做文章。

在讲述原理之前,需要先把以下两个流程了解清楚,这里的内容要展开是非常庞大的,我针对Hook的关键点,简明扼要的描述一下,但还是强烈建议大家去老罗的博客里细读一下其中关于ART的几篇文章。

  • ArtMethod加载流程

这个过程发生在oat被装载进内存并进行类方法链接的时候,类方法链接的代码在art/runtime/class_linker.cc中的LinkCode,如下所示:

<code class="hljs lasso has-numbering">static <span class="hljs-literal">void</span> LinkCode(SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">>&</span> method, const OatFile<span class="hljs-tag">::OatClass</span><span class="hljs-subst">*</span> oat_class, uint32_t method_index)SHARED_LOCKS_REQUIRED(Locks<span class="hljs-tag">::mutator_lock_</span>) {<span class="hljs-comment">// Method shouldn't have already been linked.</span>DCHECK(method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode() <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>);<span class="hljs-comment">// Every kind of method should at least get an invoke stub from the oat_method.</span><span class="hljs-comment">// non-abstract methods also get their code pointers.</span>const OatFile<span class="hljs-tag">::OatMethod</span> oat_method <span class="hljs-subst">=</span> oat_class<span class="hljs-subst">-></span>GetOatMethod(method_index);<span class="hljs-comment">// 这里默认会把method::entry_point_from_compiled_code_设置oatmethod的code</span>oat_method<span class="hljs-built_in">.</span>LinkMethod(method<span class="hljs-built_in">.</span>get());<span class="hljs-comment">// Install entry point from interpreter.</span>Runtime<span class="hljs-subst">*</span> runtime <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();bool enter_interpreter <span class="hljs-subst">=</span> NeedsInterpreter(method<span class="hljs-built_in">.</span>get(), method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode()); <span class="hljs-comment">//判断方法是否需要解析执行</span><span class="hljs-comment">// 设置解析执行的入口点</span><span class="hljs-keyword">if</span> (enter_interpreter) {method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(interpreter<span class="hljs-tag">::artInterpreterToInterpreterBridge</span>);} <span class="hljs-keyword">else</span> {method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(artInterpreterToCompiledCodeBridge);}<span class="hljs-comment">// 下面是设置本地指令执行的入口点</span><span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsAbstract()) {method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());<span class="hljs-keyword">return</span>;}<span class="hljs-comment">// 这里比较难理解,如果是静态方法,但不是clinit,但需要把entry_point_from_compiled_code_设置为GetResolutionTrampoline的返回值</span><span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsStatic() <span class="hljs-subst">&&</span> <span class="hljs-subst">!</span>method<span class="hljs-subst">-></span>IsConstructor()) {<span class="hljs-comment">// For static methods excluding the class initializer, install the trampoline.</span><span class="hljs-comment">// It will be replaced by the proper entry point by ClassLinker::FixupStaticTrampolines</span><span class="hljs-comment">// after initializing class (see ClassLinker::InitializeClass method).</span>method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetResolutionTrampoline(runtime<span class="hljs-subst">-></span>GetClassLinker()));} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (enter_interpreter) {<span class="hljs-comment">// Set entry point from compiled code if there's no code or in interpreter only mode.</span>method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());}<span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsNative()) {<span class="hljs-comment">// Unregistering restores the dlsym lookup stub.</span>method<span class="hljs-subst">-></span>UnregisterNative(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>());}<span class="hljs-comment">// Allow instrumentation its chance to hijack code.</span>runtime<span class="hljs-subst">-></span>GetInstrumentation()<span class="hljs-subst">-></span>UpdateMethodsCode(method<span class="hljs-built_in">.</span>get(),method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode());
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li></ul>

通过上面的代码我们可以得到,一个ArtMethod的入口主要有以下几种:

  1. Interpreter2Interpreter对应artInterpreterToInterpreterBridge(art/runtime/interpreter/interpreter.cc);
  2. Interpreter2CompledCode对应artInterpreterToCompiledCodeBridge(/art/runtime/entrypoints/interpreter/interpreter_entrypoints.cc);
  3. CompliedCode2Interpreter对应art_quick_to_interpreter_bridge(art/runtime/arch/arm/quick_entrypoints_arm.S);
  4. CompliedCode2ResolutionTrampoline对应art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S);
  5. CompliedCode2CompliedCode这个入口是直接指向oat中的指令,详细可见OatMethod::LinkMethod;

其中调用约定主要有两种,分别是:

  1. typedef void (EntryPointFromInterpreter)(Thread* self, MethodHelper& mh, const DexFile::CodeItem* code_item, ShadowFrame* shadow_frame, JValue* result), 这种对应上述1,3两种入口;

  2. 剩下的2,4,5三种入口对应的是CompledCode的入口,代码中并没有直接给出,但我们通过分析ArtMethod::Invoke的方法调用,就可以知道其调用约定了。Invoke过程中会调用art_quick_invoke_stub(/art/runtime/arch/arm/quick_entrypoints_arm.S),代码如下所示:

    <code class="hljs avrasm has-numbering"> <span class="hljs-comment">/** Quick invocation stub.* On entry:*   r0 = method pointer*   r1 = argument array or NULL for no argument methods*   r2 = size of argument array in bytes*   r3 = (managed) thread pointer*   [sp] = JValue* result*   [sp + 4] = result type char*/</span>
ENTRY art_quick_invoke_stub
<span class="hljs-keyword">push</span>   {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr}       @ spill regs
<span class="hljs-preprocessor">.save</span>  {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr}
<span class="hljs-preprocessor">.pad</span> <span class="hljs-preprocessor">#24</span>
<span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset <span class="hljs-number">24</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r0</span>, <span class="hljs-number">0</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r4</span>, <span class="hljs-number">4</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r5</span>, <span class="hljs-number">8</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r9</span>, <span class="hljs-number">12</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r11</span>, <span class="hljs-number">16</span>
<span class="hljs-preprocessor">.cfi</span>_rel_offset lr, <span class="hljs-number">20</span>
<span class="hljs-keyword">mov</span>    <span class="hljs-built_in">r11</span>, sp                         @ save the stack pointer
<span class="hljs-preprocessor">.cfi</span>_def_cfa_register <span class="hljs-built_in">r11</span>
<span class="hljs-keyword">mov</span>    <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r3</span>                          @ move managed thread pointer into <span class="hljs-built_in">r9</span>
<span class="hljs-keyword">mov</span>    <span class="hljs-built_in">r4</span>, <span class="hljs-preprocessor">#SUSPEND_CHECK_INTERVAL     @ reset r4 to suspend check interval</span>
<span class="hljs-keyword">add</span>    <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r2</span>, <span class="hljs-preprocessor">#16                     @ create space for method pointer in frame</span>
<span class="hljs-keyword">and</span>    <span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#0xFFFFFFF0                 @ align frame size to 16 bytes</span>
<span class="hljs-keyword">sub</span>    sp, <span class="hljs-built_in">r5</span>                          @ reserve stack space for argument array
<span class="hljs-keyword">add</span>    <span class="hljs-built_in">r0</span>, sp, <span class="hljs-preprocessor">#4                      @ pass stack pointer + method ptr as dest for memcpy</span>
bl     memcpy                          @ memcpy (dest, src, bytes)
ldr    <span class="hljs-built_in">r0</span>, [<span class="hljs-built_in">r11</span>]                       @ restore method*
ldr    <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#4]                    @ copy arg value for r1</span>
ldr    <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#8]                    @ copy arg value for r2</span>
ldr    <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#12]                   @ copy arg value for r3</span>
<span class="hljs-keyword">mov</span>    ip, <span class="hljs-preprocessor">#0                          @ set ip to 0</span>
str    ip, [sp]                        @ store NULL for method* at bottom of frame
ldr    ip, [<span class="hljs-built_in">r0</span>, <span class="hljs-preprocessor">#METHOD_CODE_OFFSET]   @ get pointer to the code</span>
blx    ip                              @ <span class="hljs-keyword">call</span> the method
<span class="hljs-keyword">mov</span>    sp, <span class="hljs-built_in">r11</span>                         @ restore the stack pointer
ldr    ip, [sp, <span class="hljs-preprocessor">#24]                   @ load the result pointer</span>
strd   <span class="hljs-built_in">r0</span>, [ip]                        @ store <span class="hljs-built_in">r0</span>/<span class="hljs-built_in">r1</span> into result pointer
<span class="hljs-keyword">pop</span>    {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr}       @ restore spill regs
<span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">24</span>
bx     lr
END art_quick_invoke_stub</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li></ul>

“ldr ip, [r0, #METHOD_CODE_OFFSET]”其实就是把ArtMethod::entry_point_from_compiled_code_赋值给ip,然后通过blx直接调用。通过这段小小的汇编代码,我们得出如下堆栈的布局:

<code class="hljs oxygene has-numbering">   -(low)| caller(<span class="hljs-function"><span class="hljs-keyword">Method</span> *)   | <- <span class="hljs-title">sp</span> | <span class="hljs-title">arg1</span>               | <- <span class="hljs-title">r1</span>| <span class="hljs-title">arg2</span>               | <- <span class="hljs-title">r2</span>| <span class="hljs-title">arg3</span>               | <- <span class="hljs-title">r3</span>| ...                | | <span class="hljs-title">argN</span>               || <span class="hljs-title">callee</span><span class="hljs-params">(<span class="hljs-keyword">Method</span> *)</span>   | <- <span class="hljs-title">r0</span>+<span class="hljs-params">(high)</span></span></code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li></ul>

这种调用约定并不是平时我们所见的调用约定,主要体现在参数当超过4时,并不是从sp开始保存,而是从sp + 20这个位置开始存储,所以这就是为什么在代码里entry_point_from_compiled_code_的类型是void *的原因了,因为无法用代码表示。

理解好这个调用约定对我们方案的实现至关重要

  • ArtMethod执行流程

上面详细讲述了类方法加载和链接的过程,但在实际执行的过程中,其实还不是直接调用ArtMethod的entry_point(解析执行和本地指令执行的入口),为了加快执行速度,ART为oat文件中的每个dex创建了一个DexCache(art/runtime/mirror/dex_cache.h)结构,这个结构会按dex的结构生成一系列的数组,这里我们只分析它里面的methods字段。 DexCache初始化的方法是Init,实现如下:

<code class="hljs r has-numbering">void DexCache::Init(const DexFile* dex_file,String* location,ObjectArray<String>* strings,ObjectArray<Class>* resolved_types,ObjectArray<ArtMethod>* resolved_methods,ObjectArray<ArtField>* resolved_fields,ObjectArray<StaticStorageBase>* initialized_static_storage) {//<span class="hljs-keyword">...</span>//<span class="hljs-keyword">...</span>Runtime* runtime = Runtime::Current();<span class="hljs-keyword">if</span> (runtime->HasResolutionMethod()) {// Initialize the resolve methods array to contain trampolines <span class="hljs-keyword">for</span> resolution.ArtMethod* trampoline = runtime->GetResolutionMethod();size_t length = resolved_methods->GetLength();<span class="hljs-keyword">for</span> (size_t i = <span class="hljs-number">0</span>; i < length; i++) {resolved_methods->SetWithoutChecks(i, trampoline);}}
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li></ul>

根据dex方法的个数,产生相应长度resolved_methods数组,然后每一个都用Runtime::GetResolutionMethod()返回的结果进行填充,这个方法是由Runtime::CreateResolutionMethod产生的,代码如下:

<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> Runtime<span class="hljs-tag">::CreateResolutionMethod</span>() {mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> method_class <span class="hljs-subst">=</span> mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-tag">::GetJavaLangReflectArtMethod</span>();<span class="hljs-keyword">Thread</span><span class="hljs-subst">*</span> <span class="hljs-built_in">self</span> <span class="hljs-subst">=</span> <span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>();SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">></span>method(<span class="hljs-built_in">self</span>, down_cast<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*></span>(method_class<span class="hljs-subst">-></span>AllocObject(<span class="hljs-built_in">self</span>)));method<span class="hljs-subst">-></span>SetDeclaringClass(method_class);<span class="hljs-comment">// TODO: use a special method for resolution method saves</span>method<span class="hljs-subst">-></span>SetDexMethodIndex(DexFile<span class="hljs-tag">::kDexNoIndex</span>);<span class="hljs-comment">// When compiling, the code pointer will get set later when the image is loaded.</span>Runtime<span class="hljs-subst">*</span> r <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();ClassLinker<span class="hljs-subst">*</span> cl <span class="hljs-subst">=</span> r<span class="hljs-subst">-></span>GetClassLinker();method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(r<span class="hljs-subst">-></span>IsCompiler() <span class="hljs-subst">?</span> <span class="hljs-built_in">NULL</span> : GetResolutionTrampoline(cl));<span class="hljs-keyword">return</span> method<span class="hljs-built_in">.</span>get();
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li></ul>

从method->SetDexMethodIndex(DexFile::kDexNoIndex)这句得知,所有的ResolutionMethod的methodIndexDexFile::kDexNoIndex。而ResolutionMethod的entrypoint就是我们上面入口分析中的第4种情况,GetResolutionTrampoline最终返回的入口为art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S)。我们看一下其实现代码:

<code class="hljs avrasm has-numbering">    <span class="hljs-preprocessor">.extern</span> artQuickResolutionTrampoline
ENTRY art_quick_resolution_trampolineSETUP_REF_AND_ARGS_CALLEE_SAVE_FRAME<span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r9</span>                 @ pass Thread::Current<span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r3</span>, sp                 @ pass SPblx     artQuickResolutionTrampoline  @ (Method* called, receiver, Thread*, SP)cbz     <span class="hljs-built_in">r0</span>, <span class="hljs-number">1</span>f                 @ is code pointer null? goto exception<span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r12</span>, <span class="hljs-built_in">r0</span>ldr  <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#0]              @ load resolved method in r0</span>ldr  <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#8]              @ restore non-callee save r1</span>ldrd <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#12]             @ restore non-callee saves r2-r3</span>ldr  lr, [sp, <span class="hljs-preprocessor">#44]             @ restore lr</span><span class="hljs-keyword">add</span>  sp, <span class="hljs-preprocessor">#48                   @ rewind sp</span><span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">48</span>bx      <span class="hljs-built_in">r12</span>                    @ tail-<span class="hljs-keyword">call</span> into actual code
<span class="hljs-number">1</span>:RESTORE_REF_AND_ARGS_CALLEE_SAVE_FRAMEDELIVER_PENDING_EXCEPTION
END art_quick_resolution_trampoline
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li></ul>

调整好寄存器后,直接跳转至artQuickResolutionTrampoline(art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc),接下来我们分析这个方法的实现(大家不要晕了。。。,我会把无关紧要的代码去掉):

<code class="hljs r has-numbering">// Lazily resolve a method <span class="hljs-keyword">for</span> quick. Called by stub code.
extern <span class="hljs-string">"C"</span> const void* artQuickResolutionTrampoline(mirror::ArtMethod* called,mirror::Object* receiver,Thread* thread, mirror::ArtMethod** sp)SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {FinishCalleeSaveFrameSetup(thread, sp, Runtime::kRefsAndArgs);// Start new JNI local reference stateJNIEnvExt* env = thread->GetJniEnv();ScopedObjectAccessUnchecked soa(env);ScopedJniEnvLocalRefState env_state(env);const char* old_cause = thread->StartAssertNoThreadSuspension(<span class="hljs-string">"Quick method resolution set up"</span>);// Compute details about the called method (avoid GCs)ClassLinker* linker = Runtime::Current()->GetClassLinker();mirror::ArtMethod* caller = QuickArgumentVisitor::GetCallingMethod(sp);InvokeType invoke_type;const DexFile* dex_file;uint32_t dex_method_idx;<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {//<span class="hljs-keyword">...</span>//<span class="hljs-keyword">...</span>} <span class="hljs-keyword">else</span> {invoke_type = kStatic;dex_file = &MethodHelper(called).GetDexFile();dex_method_idx = called->GetDexMethodIndex();}//<span class="hljs-keyword">...</span>// Resolve method filling <span class="hljs-keyword">in</span> dex cache.<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {called = linker->ResolveMethod(dex_method_idx, caller, invoke_type);}const void* code = <span class="hljs-literal">NULL</span>;<span class="hljs-keyword">if</span> (LIKELY(!thread->IsExceptionPending())) {//<span class="hljs-keyword">...</span>linker->EnsureInitialized(called_class, true, true);//<span class="hljs-keyword">...</span>}// <span class="hljs-keyword">...</span><span class="hljs-keyword">return</span> code;
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li></ul>
<code class="hljs objectivec has-numbering"><span class="hljs-keyword">inline</span> <span class="hljs-keyword">bool</span> ArtMethod::IsRuntimeMethod() <span class="hljs-keyword">const</span> {<span class="hljs-keyword">return</span> GetDexMethodIndex() == DexFile::kDexNoIndex;
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li></ul>

called->IsRuntimeMethod()用于判断当前方法是否为ResolutionMethod。如果是,那么就走ClassLinker::ResolveMethod流程去获取真正的方法,见代码:

<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> ClassLinker<span class="hljs-tag">::ResolveMethod</span>(const DexFile<span class="hljs-subst">&</span> dex_file,uint32_t method_idx,mirror<span class="hljs-tag">::DexCache</span><span class="hljs-subst">*</span> dex_cache,mirror<span class="hljs-tag">::ClassLoader</span><span class="hljs-subst">*</span> class_loader,const mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> <span class="hljs-keyword">referrer</span>,InvokeType <span class="hljs-keyword">type</span>) {DCHECK(dex_cache <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>);<span class="hljs-comment">// Check for hit in the dex cache.</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> resolved <span class="hljs-subst">=</span> dex_cache<span class="hljs-subst">-></span>GetResolvedMethod(method_idx);<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-keyword">return</span> resolved;}<span class="hljs-comment">// Fail, get the declaring class.</span>const DexFile<span class="hljs-tag">::MethodId</span><span class="hljs-subst">&</span> method_id <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>GetMethodId(method_idx);mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> klass <span class="hljs-subst">=</span> ResolveType(dex_file, method_id<span class="hljs-built_in">.</span>class_idx_, dex_cache, class_loader);<span class="hljs-keyword">if</span> (klass <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {DCHECK(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>()<span class="hljs-subst">-></span>IsExceptionPending());<span class="hljs-keyword">return</span> <span class="hljs-built_in">NULL</span>;}<span class="hljs-comment">// Scan using method_idx, this saves string compares but will only hit for matching dex</span><span class="hljs-comment">// caches/files.</span>switch (<span class="hljs-keyword">type</span>) {<span class="hljs-keyword">case</span> kDirect:  <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kStatic:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(dex_cache, method_idx);break;<span class="hljs-keyword">case</span> kInterface:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(dex_cache, method_idx);DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());break;<span class="hljs-keyword">case</span> kSuper:  <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kVirtual:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(dex_cache, method_idx);break;default:<span class="hljs-keyword">LOG</span>(FATAL) <span class="hljs-subst"><<</span> <span class="hljs-string">"Unreachable - invocation type: "</span> <span class="hljs-subst"><<</span> <span class="hljs-keyword">type</span>;}<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-comment">// Search by name, which works across dex files.</span>const char<span class="hljs-subst">*</span> name <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>StringDataByIdx(method_id<span class="hljs-built_in">.</span>name_idx_);std<span class="hljs-tag">::string</span> signature(dex_file<span class="hljs-built_in">.</span>CreateMethodSignature(method_id<span class="hljs-built_in">.</span>proto_idx_, <span class="hljs-built_in">NULL</span>));switch (<span class="hljs-keyword">type</span>) {<span class="hljs-keyword">case</span> kDirect:  <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kStatic:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(name, signature);break;<span class="hljs-keyword">case</span> kInterface:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(name, signature);DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());break;<span class="hljs-keyword">case</span> kSuper:  <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kVirtual:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(name, signature);break;}}<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-comment">// Be a good citizen and update the dex cache to speed subsequent calls.</span>dex_cache<span class="hljs-subst">-></span>SetResolvedMethod(method_idx, resolved);<span class="hljs-keyword">return</span> resolved;} <span class="hljs-keyword">else</span> {<span class="hljs-comment">// ...</span>}
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li><li>54</li><li>55</li><li>56</li><li>57</li><li>58</li><li>59</li><li>60</li><li>61</li><li>62</li><li>63</li><li>64</li><li>65</li><li>66</li><li>67</li><li>68</li><li>69</li><li>70</li></ul>

其实这里发生了“连锁反应”,ClassLinker::ResolveType走的流程,跟ResolveMethod是非常类似的,有兴趣的朋友可以跟一下。
找到解析后的klass,再经过一轮疯狂的搜索,把找到的resolved通过DexCache::SetResolvedMethod覆盖掉之前的“替身”。当再下次再通过ResolveMethod解析方法时,就可以直接把该方法返回,不需要再解析了。

我们回过头来再重新“复现”一下这个过程,当我们首次调用某个类方法,其过程如下所示:

  1. 调用ResolutionMethod的entrypoint,进入art_quick_resolution_trampoline;
  2. art_quick_resolution_trampoline跳转到artQuickResolutionTrampoline;
  3. artQuickResolutionTrampoline调用ClassLinker::ResolveMethod解析类方法;
  4. ClassLinker::ResolveMethod调用ClassLinkder::ResolveType解析类,再从解析好的类寻找真正的方法;
  5. 调用DexCache::SetResolvedMethod,用真正的方法覆盖掉“替身”方法;
  6. 调用真正方法的entrypoint代码;

也许你会问,为什么要把过程搞得这么绕? 一切都是为了延迟加载,提高启动速度,这个过程跟ELF Linker的PLT/GOT符号重定向的过程是何其相似啊,所以技术都是想通的,一通百明。

0x3 Hook ArtMethod

通过上述ArtMethod加载和执行两个流程的分析,对于如何Hook ArtMethod,我想到了两个方案,分别

  1. 修改DexCach里的methods,把里面的entrypoint修改为自己的,做一个中转处理;
  2. 直接修改加载后的ArtMethod的entrypoint,同样做一个中转处理;

上面两个方法都是可行的,但由于我希望整个项目可以在NDK环境(而不是在源码下)下编译,因为就采用了方案2,因为通过JNI的接口就可以直接获取解析之后的ArtMethod,可以减少很多文件依赖。

回到前面的调用约定,每个ArtMethod都有两个约定,按道理我们应该准备两个中转函数的,但这里我们不考虑强制解析模式执行,所以只要处理好entry_point_from_compiled_code的中转即可。

首先,我们找到对应的方法,先保存其entrypoint,然后再把我们的中转函数art_quick_dispatcher覆盖,代码如下所示:

<code class="hljs cpp has-numbering"><span class="hljs-keyword">extern</span> <span class="hljs-keyword">int</span> __attribute__ ((visibility (<span class="hljs-string">"hidden"</span>))) art_java_method_hook(JNIEnv* env, HookInfo *info) {<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* classDesc = info->classDesc;<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodName = info->methodName;<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodSig = info->methodSig;<span class="hljs-keyword">const</span> <span class="hljs-keyword">bool</span> isStaticMethod = info->isStaticMethod;<span class="hljs-comment">// TODO we can find class by special classloader what do just like dvm</span>jclass claxx = env->FindClass(classDesc);<span class="hljs-keyword">if</span>(claxx == NULL){LOGE(<span class="hljs-string">"[-] %s class not found"</span>, classDesc);<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;}jmethodID methid = isStaticMethod ?env->GetStaticMethodID(claxx, methodName, methodSig) :env->GetMethodID(claxx, methodName, methodSig);<span class="hljs-keyword">if</span>(methid == NULL){LOGE(<span class="hljs-string">"[-] %s->%s method not found"</span>, classDesc, methodName);<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;}ArtMethod *artmeth = <span class="hljs-keyword">reinterpret_cast</span><ArtMethod *>(methid);<span class="hljs-keyword">if</span>(art_quick_dispatcher != artmeth->GetEntryPointFromCompiledCode()){uint64_t (*entrypoint)(ArtMethod* method, Object *thiz, u4 *arg1, u4 *arg2);entrypoint = (uint64_t (*)(ArtMethod*, Object *, u4 *, u4 *))artmeth->GetEntryPointFromCompiledCode();info->entrypoint = (<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)entrypoint;info->nativecode = artmeth->GetNativeMethod();artmeth->SetEntryPointFromCompiledCode((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)art_quick_dispatcher);<span class="hljs-comment">// save info to nativecode :)</span>artmeth->SetNativeMethod((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)info);LOGI(<span class="hljs-string">"[+] %s->%s was hooked\n"</span>, classDesc, methodName);}<span class="hljs-keyword">else</span>{LOGW(<span class="hljs-string">"[*] %s->%s method had been hooked"</span>, classDesc, methodName);}<span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li></ul>

我们关键的信息通过ArtMethod::SetNativeMethod保存起来了。

考虑到ART特殊的调用约定,art_quick_dispatcher只能用汇编实现了,把寄存器适当的调整一下,再跳转到另一个函数artQuickToDispatcher,这样就可以很方便用c/c++访问参数了。

先看一下art_quick_dispatcher函数的实现如下:

<code class="hljs avrasm has-numbering"><span class="hljs-comment">/** Art Quick Dispatcher.* On entry:*   r0 = method pointer*   r1 = arg1*   r2 = arg2*   r3 = arg3*   [sp] = method pointer*   [sp + 4] = addr of thiz*   [sp + 8] = addr of arg1*   [sp + 12] = addr of arg2*   [sp + 16] = addr of arg3* and so on*/</span><span class="hljs-preprocessor">.extern</span> artQuickToDispatcher
ENTRY art_quick_dispatcher<span class="hljs-keyword">push</span>    {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr}           @ sp - <span class="hljs-number">12</span><span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r0</span>                 @ pass <span class="hljs-built_in">r0</span> to methodstr     <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(12 + 4)]</span>str     <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(12 + 8)]</span>str     <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(12 + 12)]</span><span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r9</span>                 @ pass <span class="hljs-built_in">r1</span> to thread<span class="hljs-keyword">add</span>     <span class="hljs-built_in">r2</span>, sp, <span class="hljs-preprocessor">#(12 + 4)      @ pass r2 to args array</span><span class="hljs-keyword">add</span>     <span class="hljs-built_in">r3</span>, sp, <span class="hljs-preprocessor">#12            @ pass r3 to old SP</span>blx     artQuickToDispatcher   @ (Method* method, Thread*, u4 **, u4 **)<span class="hljs-keyword">pop</span>     {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc}           @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result
END art_quick_dispatcher</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li></ul>

我把r2指向参数数组,这样就我们就可以非常方便的访问所有参数了。另外,我用r3保存了旧的sp地址,这样是为后面调用原来的entrypoint做准备的。我们先看看artQuickToDispatcher的实现:

<code class="hljs coffeescript has-numbering">extern <span class="hljs-string">"C"</span> uint64_t artQuickToDispatcher(ArtMethod* method, Thread *self, u4 **args, u4 **old_sp){HookInfo *info = (HookInfo *)method->GetNativeMethod();LOGI(<span class="hljs-string">"[+] entry ArtHandler %s->%s"</span>, info->classDesc, info->methodName);<span class="hljs-regexp">//</span> If it <span class="hljs-keyword">not</span> <span class="hljs-keyword">is</span> static method, <span class="hljs-keyword">then</span> args[<span class="hljs-number">0</span>] was pointing to <span class="hljs-keyword">this</span><span class="hljs-keyword">if</span>(!info->isStaticMethod){Object *thiz = reinterpret_cast<Object *>(args[<span class="hljs-number">0</span>]);<span class="hljs-keyword">if</span>(thiz != NULL){char *bytes = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(thiz->GetClass()->GetName())</span>;<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"[+] thiz class is %s"</span>, bytes)</span>;<span class="hljs-title">delete</span> <span class="hljs-title">bytes</span>;}}<span class="hljs-title">const</span> <span class="hljs-title">void</span> *<span class="hljs-title">entrypoint</span> = <span class="hljs-title">info</span>-></span>entrypoint;method->SetNativeMethod(info->nativecode); <span class="hljs-regexp">//</span>restore nativecode <span class="hljs-keyword">for</span> JNI methoduint64_t res = art_quick_call_entrypoint(method, self, args, old_sp, entrypoint);JValue* result = (JValue* )&res;<span class="hljs-keyword">if</span>(result != NULL){Object *obj = result->l;char *raw_class_name = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(obj->GetClass()->GetName())</span>;<span class="hljs-title">if</span><span class="hljs-params">(strcmp(raw_class_name, <span class="hljs-string">"java.lang.String"</span>) == <span class="hljs-number">0</span>)</span>{<span class="hljs-title">char</span> *<span class="hljs-title">raw_string_value</span> = <span class="hljs-title">get_chars_from_utf16</span><span class="hljs-params">((String *)obj)</span>;<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s, result-value \"%s\""</span>, raw_class_name, raw_string_value)</span>;<span class="hljs-title">free</span><span class="hljs-params">(raw_string_value)</span>;}<span class="hljs-title">else</span>{<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s"</span>, raw_class_name)</span>;}<span class="hljs-title">free</span><span class="hljs-params">(raw_class_name)</span>;}// <span class="hljs-title">entrypoid</span> <span class="hljs-title">may</span> <span class="hljs-title">be</span> <span class="hljs-title">replaced</span> <span class="hljs-title">by</span> <span class="hljs-title">trampoline</span>, <span class="hljs-title">only</span> <span class="hljs-title">once</span>.
//  <span class="hljs-title">if</span><span class="hljs-params">(method->IsStatic() && !method->IsConstructor())</span>{<span class="hljs-title">entrypoint</span> = <span class="hljs-title">method</span>-></span>GetEntryPointFromCompiledCode();<span class="hljs-keyword">if</span>(entrypoint != (<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher){LOGW(<span class="hljs-string">"[*] entrypoint was replaced. %s->%s"</span>, info->classDesc, info->methodName);method->SetEntryPointFromCompiledCode((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher);info->entrypoint = entrypoint;info->nativecode = method->GetNativeMethod();}method->SetNativeMethod((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)info);<span class="hljs-regexp">//</span>  }<span class="hljs-keyword">return</span> res;
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li></ul>

这里参数解析就不详细说了,接下来是最棘手的问题——如何重新调回原来的entrypoint。

这里的关键点是要还原之前的堆栈布局,art_quick_call_entrypoint就是负责完成这个工作的,其实现如下所示:

<code class="hljs avrasm has-numbering"><span class="hljs-comment">/*** Art Quick Call Entrypoint* On entry:*  r0 = method pointer*  r1 = thread pointer*  r2 = args arrays pointer*  r3 = old_sp*  [sp] = entrypoint*/</span>
ENTRY art_quick_call_entrypoint<span class="hljs-keyword">push</span>    {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr}           @ sp - <span class="hljs-number">12</span><span class="hljs-keyword">sub</span>     sp, <span class="hljs-preprocessor">#(40 + 20)         @ sp - 40 - 20</span>str     <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)]    @ var_40_0 = method_pointer</span>str     <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)]    @ var_40_4 = thread_pointer</span>str     <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)]    @ var_40_8 = args_array</span>str     <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(40 + 12)]   @ var_40_12 = old_sp</span><span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r0</span>, sp<span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r3</span>ldr     <span class="hljs-built_in">r2</span>, =<span class="hljs-number">40</span>blx     memcpy                 @ memcpy(dest, src, size_of_byte)ldr     <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)]    @ restore method to r0</span>ldr     <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)]</span><span class="hljs-keyword">mov</span>     <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r1</span>                 @ restore thread to <span class="hljs-built_in">r9</span>ldr     <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)]    @ pass r5 to args_array</span>ldr     <span class="hljs-built_in">r1</span>, [<span class="hljs-built_in">r5</span>]               @ restore arg1ldr     <span class="hljs-built_in">r2</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#4]           @ restore arg2</span>ldr     <span class="hljs-built_in">r3</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#8]           @ restore arg3</span>ldr     <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 20 + 12)] @ pass ip to entrypoint</span>blx     <span class="hljs-built_in">r5</span><span class="hljs-keyword">add</span>     sp, <span class="hljs-preprocessor">#(40 + 20)</span><span class="hljs-keyword">pop</span>     {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc}           @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result
END art_quick_call_entrypoint</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li></ul>

这里我偷懒了,直接申请了10个参数的空间,再使用之前传进入来的old_sp进行恢复,使用memcpy直接复制40字节。之后就是还原r0, r1, r2, r3, r9的值了。调用entrypoint完后,结果保存在r0和r1,再返回给artQuickToDispatcher。

至此,整个ART Hook就分析完毕了。

0x4 4.4与5.X上实现的区别

我的整个方案都是在4.4上测试的,主要是因为我只有4.4的源码,而且硬盘空间不足,实在装不下5.x的源码了。但整个思路,是完全可以套用用5.X上。另外,5.X的实现代码比4.4上复杂了很多,否能像我这样在NDK下编译完成就不知道了。

正常的4.4模拟器是以dalvik启动的,要到设置里改为art,这里会要求进行重启,但一般无效,我们手动关闭再重新打开就OK了,但需要等上一段时间才可以。

0x5 结束

虽然这篇文章只是介绍了Art Hook的技术方案,但其中的技术原理,对于如何在ART上进行代码加固、动态代码还原等等也是很有启发性。

老样子,整个项目的代码,我已经提交到https://github.com/boyliang/AllHookInOne,大家遇到什么问题,欢迎提问,有问题记得反馈。

对了,请用https://github.com/boyliang/ndk-patch给你的NDK打一下patch。

原文地址: http://blog.csdn.net/l173864930/article/details/45035521

Android Art Hook 技术方案相关推荐

  1. android so hook技术,【原创】Android5.1 Art Hook 技术分享,求加精转正式会员

    标 题:[原创]Android5.1 Art Hook 技术分享,求加精转正式会员作 者: luciya 时 间: 2015-09-16,22:42:53 链 接: http://bbs.pediy. ...

  2. 【原创】Android5.1 Art Hook 技术分享

    [原创]Android5.1 Art Hook 技术分享 Hi,大家好,很多次的在各种技术论坛上看到大牛的分享,学到了很多.本着共建社区,共享知识的目的,在这里我和大家分享一下我最近研究到的关于And ...

  3. 【转载】Android 5.1 Art Hook 技术分享

    转载一篇关于Android5.1的ART HOOK方案. 首先简单介绍一下hook.所谓hook就是通过一些手段改变一个函数的执行逻辑,比如在函数调用前更改一下参数或者在调用后修改返回值,甚至直接返回 ...

  4. android socket_盘点Android常用Hook技术

    Android平台开发测试过程中,Hook技术是每个开发人员都常用的技术.可以用于绕过系统限制.修改别人发布的代码.动态化.调用隐藏API.插件化.组件化.自动化测试.沙箱等等. Hook如果要跨进程 ...

  5. Android5.1 Art Hook 技术分享

    转自:http://bbs.pediy.com/thread-204183.htm Hi,大家好,很多次的在各种技术论坛上看到大牛的分享,学到了很多.本着共建社区,共享知识的目的,在这里我和大家分享一 ...

  6. Android通过Hook技术实现一键换肤

    目录 1.什么是一键换肤 2.界面上那些东西可以换肤 3.利用Hook实现一键换肤 4.Android创建视图源码分析 4.1.自定义Activity设置要显示的布局文件xml 4.2.调用兼容App ...

  7. Android安全 Hook技术,AndroidHook技术分析.pdf-北京理工大学信息系统及安全对抗实验中心.PDF...

    AndroidHook技术分析.pdf-北京理工大学信息系统及安全对抗实验中心.PDF The name of the DepartmentBeijing Forest Studio 北京理工大学信息 ...

  8. Android ART Hook 实现 - SandHook

    简介 Github: https://github.com/ganyao114/SandHook 关于 Hook,一直是比较小众的需求.本人公司有在做 Android Sandbox(类似 VA),算 ...

  9. Android APK加固技术方案调研

    @author ASCE1885的 Github 简书 微博 CSDN 最近项目中需要实现自己的APK加固方案,因此就有了这一篇调研报告. 软件安全领域的攻防向来是道高一尺魔高一丈,攻防双方都处于不断 ...

最新文章

  1. Python 进阶_OOP 面向对象编程_类和继承
  2. c++ socket框架
  3. 自己实现一个最简单的数据库
  4. Leaflet中加载离线OSM瓦片地图(使用OfflineMapMaker切割下载离线png地图文件)
  5. STM32 之七 备份域(备份寄存器、备份SRAM)详解及数据丢失问题处理
  6. java api 英文_教你查阅Java API 英文文档(JDK 11)
  7. 小白兔想的飞鸽传书(173dmba)安卓版
  8. 7-277 单身狗 (25 分)
  9. 软件开发工程师证书有用吗_监理工程师证书有用吗?有没有含金量?
  10. 甜甜的爱情+美食完美情人节海报,PSD分层模板轻松搞定设计,拿去用!
  11. delete kubectl pod_使用kubectl管理k8s集群(三十)
  12. SAP License:SAP中的一些扩展表
  13. WAV音频格式解析C代码
  14. PrestaShop加速11招立刻加速PrestaShop外贸电子商务网站无额外插件
  15. 浅谈怎样入侵服务器,仅供学习用
  16. 删库跑路最佳实践总结
  17. java jks 转pfx_证书pfx转换成jks
  18. 【matplotlib绘图】调整图片尺寸大小
  19. 2022年全球市场介质浆料总体规模、主要生产商、主要地区、产品和应用细分研究报告
  20. 使用GDAL工具对OrbView-3数据进行正射校正

热门文章

  1. CSS3 Animation制作飘动的浮云和星星效果
  2. notepad++中的unexpected indent
  3. Python学习笔记:接下来
  4. 全国计算机网络自学考试,2008年1月全国自考“计算机网络基本原理”试题
  5. yii2 redis封装类 php,yii2项目中如何使用redis
  6. caffe中solver.prototxt文件参数解释
  7. 英伟达jetson tx1开发套件配置tensorflow
  8. [云炬创业基础笔记]第四章测试22
  9. USTC English Club Note20171014
  10. 重磅!66 个机器学习硬核资源,请务必收藏!