heibai2006/frida-snippets
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

hook before init_array

Browse Source
This commit is contained in:
iddoeldor 2020-12-21 21:53:18 +02:00 committed by GitHub
parent 716e8236c5
commit e5468a4f6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
README.md
View File

@ -18,6 +18,7 @@
* [`Memory scan`](#memory-scan) * [`Memory scan`](#memory-scan)
* [`Stalker`](#stalker) * [`Stalker`](#stalker)
* [`Cpp Demangler`](#cpp-demangler) * [`Cpp Demangler`](#cpp-demangler)
* [`Early hook`](#early-hook)
</details> </details>
@ -2227,6 +2228,52 @@ TODO
<br>[⬆ Back to top](#table-of-contents) <br>[⬆ Back to top](#table-of-contents)
#### Early hook
Set hooks before DT_INIT_ARRAY ( [source](https://cs.android.com/android/platform/superproject/+/master:bionic/linker/linker_soinfo.cpp;l=386;drc=android-8.0.0_r1?q=call_constructor&ss=android%2Fplatform%2Fsuperproject) )
```js
let base;
let do_dlopen = null;
let call_ctor = null;
const target_lib_name = 'targetlib.so';
Process.findModuleByName('linker64').enumerateSymbols().forEach(sym => {
if (sym.name.indexOf('do_dlopen') >= 0) {
do_dlopen = sym.address;
} else if (sym.name.indexOf('call_constructor') >= 0) {
call_ctor = sym.address;
}
})
Interceptor.attach(do_dlopen, function () {
var what = this.context['x0'].readUtf8String();
if (what.indexOf(target_lib_name) >= 0) {
Interceptor.attach(call_ctor, function () {
Interceptor.detachAll();
console.log('loading target');
const module = Process.findModuleByName(target_lib_name);
console.log(module.base);
base = module.base;
// DoStuff
})
}
})
```
Credit: [iGio90](https://github.com/iGio90)
<details>
<summary>Output example</summary>
TODO
</details>
<br>[⬆ Back to top](#table-of-contents)