bytedance
Android 5.1.1 AUTO模式时,后加载so无法hook
手机:Xiaomi MI NOTE Pro 系统:Android 5.1.1 bhook: 1.0.3
bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true);
bytehook_hook_all(nullptr, "getaddrinfo", (void*)MY_getaddrinfo, hookCallbac, nullptr);
以上代码执行完后再加载webview,无法hook libwebviewchromium.so 但是,先在加载webview后再执行以上代码,则可以hook到libwebviewchromium.so
手机:Xiaomi MI NOTE Pro 系统:Android 5.1.1 bhook: 1.0.3
bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true); bytehook_hook_all(nullptr, "getaddrinfo", (void*)MY_getaddrinfo, hookCallbac, nullptr);以上代码执行完后再加载webview,无法hook libwebviewchromium.so 但是,先在加载webview后再执行以上代码,则可以hook到libwebviewchromium.so
收到,感谢反馈,我调试一下。
@0x6666 我没找到和你一样的机型。我在 nexus5(Android 5.1.1) 上试了,无论在 bytehook_hook_all 之前或之后加载 libwebviewchromium.so,都可以 hook 到 libwebviewchromium.so 中的 getaddrinfo。你可以把 bytehook 的日志打开,观察下 hook 之前和之后加载libwebviewchromium.so的执行流程区别,或者把日志在这里贴一下。
... ... 2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7fa3359be8, orig func 7fa74a2c84 2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7fa3359be8, func 7f915b401c 2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: del func, GOT 7fa3359be8, func 7f915b401c 2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: DL monitor: post init, OK 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: trampo: created for GOT 7f9ac73de0 at 7f8fc07690, size 104 + 16 = 120 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7f9ac73de0, orig func 7fb1eb74b0 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7f9ac73de0, func 7f9155246c 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: verify OK: getaddrinfo in libc.so 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: auto REPLACE. GOT 7f9ac73de0: 7fb1eb74b0 -> 7f8fc07690, getaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so 2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: hook OK. GOT 7f9ac73de0: + 7f9155246c, getaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: trampo: created for GOT 7f9ac73de8 at 7f8fc07708, size 104 + 16 = 120 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7f9ac73de8, orig func 7fb1eb61d0 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7f9ac73de8, func 7f915527a4 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: verify OK: freeaddrinfo in libc.so 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: auto REPLACE. GOT 7f9ac73de8: 7fb1eb61d0 -> 7f8fc07708, freeaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so 2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: hook OK. GOT 7f9ac73de8: + 7f915527a4, freeaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so
以上是先加载libwebviewchromium.so的部分日志。
后加载libwebviewchromium.so,日志会停留在DL monitor: post init, OK,加载so的过程或者之后没有任何日志。
后加载的过程中bh_dl_monitor_proxy_dlopen和bh_dl_monitor_stub_android_dlopen_ext没有回调。
bh_dl_monitor_proxy_loader_dlopen和bh_dl_monitor_proxy_loader_android_dlopen_ext也没有(我注释了__ANDROID_API_O__的限制)
Android 5.x 应该只可能走dlopen 和 android_dlopen_ext。bytehook 内部对这两个函数做了 hook_all(hook 到 bh_dl_monitor_proxy_dlopen 和 bh_dl_monitor_proxy_android_dlopen_ext)。可以看下日志,判断下这两个函数都hook到哪些 caller so 上了。
另外,你本地代码是否修改过其他地方?换个其他5.1.1的设备也能重现问题吗?