Android Native 函数 Hook 技术介绍

Author: CYRUS-STUDIO

app/build.gradle.kts

@@ -68,12 +68,17 @@ android {
     }
     buildFeatures {
         compose = true
+        prefab = true
     }
     ndkVersion = "27.1.12297006"
 }
 
 dependencies {
     implementation(project(":vmp"))
+    implementation(libs.libsu.core)
+    implementation(libs.libsu.service)
+    implementation(libs.libsu.nio)
+    implementation(libs.shadowhook)
     implementation(libs.androidx.core.ktx)
     implementation(libs.androidx.lifecycle.runtime.ktx)
     implementation(libs.androidx.activity.compose)

app/src/main/AndroidManifest.xml

@@ -18,12 +18,18 @@
         android:theme="@style/Theme.AndroidExample"
         tools:ignore="HardcodedDebugMode"
         tools:targetApi="31">
+        <activity
+            android:name=".root.RootActivity"
+            android:exported="false" />
+        <activity
+            android:name=".hook.HookActivity"
+            android:exported="false" />
         <activity
             android:name=".hotfix.HotFixActivity"
             android:exported="false" />
         <activity
             android:name=".plugin.PluginActivity"
-            android:exported="true"/>
+            android:exported="true" />
         <activity
             android:name=".classloader.ClassLoaderActivity"
             android:exported="false" />

app/src/main/cpp/CMakeLists.txt

@@ -342,3 +342,34 @@ target_link_libraries(
         # 链接 LibTomCrypt
         libtomcrypt
 )
+
+## CyrusStudioHook ##########################################################################################
+
+find_package(shadowhook REQUIRED CONFIG)
+
+add_library( # 设置库的名称
+        cyrus_studio_hook
+
+        # 设置库的类型
+        SHARED
+
+        # 设置源文件路径
+        cyrus_studio_hook.cpp
+)
+
+# 为 cyrus_studio_hook 动态库启用字符串加密
+target_compile_options(
+        cyrus_studio_hook
+        PRIVATE
+        -mllvm -sobf)
+
+# 抹除符号
+set_target_properties(aes PROPERTIES LINK_FLAGS "-Wl,--version-script=${CMAKE_SOURCE_DIR}/hide.map")
+
+target_link_libraries(
+        cyrus_studio_hook
+        # 链接 log 库
+        ${log-lib}
+        # 链接 shadowhook
+        shadowhook::shadowhook
+)

app/src/main/cpp/cyrus_studio_hook.cpp

@@ -0,0 +1,177 @@
+#include <unistd.h>
+#include <android/log.h>
+#include <jni.h>
+#include <string>
+#include <stddef.h>
+#include "shadowhook.h"
+
+#include "dex/dex_file.h"
+#include "dex/art_method.h"
+#include "dex/class_accessor.h"
+
+using namespace cyurs;
+
+#define LOG_TAG "cyrus_studio_hook"
+#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
+#define LOGW(...) __android_log_print(ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)
+#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
+
+
+int g_sdkLevel = 0;
+
+__attribute__ ((constructor)) void init() {
+    // api level
+    g_sdkLevel = android_get_device_api_level();
+}
+
+// 原始 execve 函数指针
+int (*orig_execve)(const char *__file, char *const *__argv, char *const *__envp);
+
+// 替代 execve 实现
+int my_execve(const char *__file, char *const *__argv, char *const *__envp) {
+
+    LOGI("execve called: %s", __file);
+
+    if (__file && strstr(__file, "dex2oat")) {
+        LOGW("Blocked dex2oat execution: %s", __file);
+        // 返回失败，模拟 dex2oat 调用失败
+        return -1;
+    }
+
+    // 调用原始 execve
+    return orig_execve(__file, __argv, __envp);
+}
+
+extern "C"
+JNIEXPORT void JNICALL
+Java_com_cyrus_example_hook_CyrusStudioHook_hookExecve(JNIEnv *, jclass) {
+    void *handle = shadowhook_hook_sym_name(
+            "libc.so",  // 函数所在模块
+            "execve", // 要 hook 的符号名
+            reinterpret_cast<void *>(my_execve),
+            reinterpret_cast<void **>(&orig_execve)
+    );
+
+    if (handle != nullptr) {
+        LOGI("Successfully hooked execve");
+    } else {
+        LOGW("Failed to hook execve");
+    }
+}
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+extern char **environ;
+
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_com_cyrus_example_hook_CyrusStudioHook_dex2oat(JNIEnv *env, jclass,
+                                                    jstring dexPath_,
+                                                    jstring oatPath_) {
+    const char *dexPath = env->GetStringUTFChars(dexPath_, nullptr);
+    const char *oatPath = env->GetStringUTFChars(oatPath_, nullptr);
+
+    const char *dex2oatPath = "/system/bin/dex2oat";
+
+    char dexArg[256];
+    char oatArg[256];
+    char isaArg[] = "--instruction-set=arm64";
+    snprintf(dexArg, sizeof(dexArg), "--dex-file=%s", dexPath);
+    snprintf(oatArg, sizeof(oatArg), "--oat-file=%s", oatPath);
+
+    const char *argv[] = {
+            dex2oatPath,
+            dexArg,
+            oatArg,
+            isaArg,
+            "--runtime-arg", "-Xbootclasspath:/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar",
+            "--boot-image=/apex/com.android.art/javalib/boot.art",
+            nullptr
+    };
+
+    LOGI("Calling dex2oat with: %s %s %s", dexArg, oatArg, isaArg);
+
+    int ret = execve(dex2oatPath, (char *const *) argv, environ);
+
+    LOGE("execve called with ret: %s", ret);
+
+    env->ReleaseStringUTFChars(dexPath_, dexPath);
+    env->ReleaseStringUTFChars(oatPath_, oatPath);
+
+    return false; // execve 不返回，除非失败
+}
+
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+void *(*orig_LoadMethod)(void *, void *, void *, void *, void *);
+
+void *my_LoadMethod(void *linker, void *dex_file, void *method, void *klass_handle, void *dst) {
+
+    // DexFile
+    std::string location;
+    uint8_t *begin = nullptr;
+    uint64_t dexSize = 0;
+    if (g_sdkLevel >= 35) {
+        auto *dexFileV35 = (V35::DexFile *) dex_file;
+        location = dexFileV35->location_;
+        begin = (uint8_t *) dexFileV35->begin_;
+        dexSize = dexFileV35->header_->file_size_;
+    } else if (g_sdkLevel >= __ANDROID_API_P__) {
+        auto *dexFileV28 = (V28::DexFile *) dex_file;
+        location = dexFileV28->location_;
+        begin = (uint8_t *) dexFileV28->begin_;
+        dexSize = dexFileV28->size_ == 0 ? dexFileV28->header_->file_size_ : dexFileV28->size_;
+    } else {
+        auto *dexFileV21 = (V21::DexFile *) dex_file;
+        location = dexFileV21->location_;
+        begin = (uint8_t *) dexFileV21->begin_;
+        dexSize = dexFileV21->size_ == 0 ? dexFileV21->header_->file_size_ : dexFileV21->size_;
+    }
+
+    // 打印 DexFile 信息
+    LOGI("[pid=%d][API=%d] enter my_LoadMethod:\n  DexFile Base    = %p\n  DexFile Size    = %zu bytes\n  DexFile Location= %s",
+         getpid(), g_sdkLevel, begin, dexSize, location.c_str());
+
+    // 调用原始函数，使 ArtMethod 数据填充完成
+    void *result = orig_LoadMethod(linker, dex_file, method, klass_handle, dst);
+
+    // ArtMethod
+    uint32_t dex_code_item_offset_ = -1;
+    uint32_t dex_method_index_;
+    if (g_sdkLevel >= 31) {
+        auto *dstV31 = (V31::ArtMethod *) dst;
+        auto classAccessor_method = reinterpret_cast<Method &>(method);
+        dex_code_item_offset_ = classAccessor_method.code_off_;
+        dex_method_index_ = dstV31->dex_method_index_;
+    } else {
+        auto *dstV28 = (V28::ArtMethod *) dst;
+        dex_code_item_offset_ = dstV28->dex_code_item_offset_;
+        dex_method_index_ = dstV28->dex_method_index_;
+    }
+
+    // 打印 Method 信息
+    LOGI("[pid=%d][API=%d] enter my_LoadMethod:\n"
+         "  ArtMethod.dex_code_item_offset_ = 0x%x\n"
+         "  ArtMethod.dex_method_index_     = %d",
+         getpid(), g_sdkLevel, dex_code_item_offset_, dex_method_index_);
+
+    return result;
+}
+
+
+extern "C"
+JNIEXPORT void JNICALL
+Java_com_cyrus_example_hook_CyrusStudioHook_hookLoadMethod(JNIEnv *, jclass) {
+    void *handle = shadowhook_hook_sym_name(
+            "libart.so",
+            "_ZN3art11ClassLinker10LoadMethodERKNS_7DexFileERKNS_13ClassAccessor6MethodENS_6HandleINS_6mirror5ClassEEEPNS_9ArtMethodE", // 要 hook 的符号名
+            reinterpret_cast<void *>(my_LoadMethod),
+            reinterpret_cast<void **>(&orig_LoadMethod)
+    );
+
+    if (handle != nullptr) {
+        LOGI("Successfully hooked LoadMethod");
+    } else {
+        LOGW("Failed to hook LoadMethod");
+    }
+}

app/src/main/cpp/dex/art_method.h

@@ -0,0 +1,83 @@
+#ifndef CYRUS_ART_METHOD_H
+#define CYRUS_ART_METHOD_H
+
+#include <stdint.h>
+#include <string>
+
+namespace cyurs {
+
+    // android9+
+    namespace V28 {
+        class ArtMethod {
+        public:
+            // Field order required by test "ValidateFieldOrderOfJavaCppUnionClasses".
+            // The class we are a part of.
+            uint8_t declaring_class_;
+
+            // Access flags; low 16 bits are defined by spec.
+            // Getting and setting this flag needs to be atomic when concurrency is
+            // possible, e.g. after this method's class is linked. Such as when setting
+            // verifier flags and single-implementation flag.
+            uint32_t access_flags_;
+
+            /* Dex file fields. The defining dex file is available via declaring_class_->dex_cache_ */
+
+            // Offset to the CodeItem.
+            uint32_t dex_code_item_offset_;
+
+            // Index into method_ids of the dex file associated with this method.
+            uint32_t dex_method_index_;
+
+            /* End of dex file fields. */
+
+            // Entry within a dispatch table for this method. For static/direct methods the index is into
+            // the declaringClass.directMethods, for virtual methods the vtable and for interface methods the
+            // ifTable.
+            uint16_t method_index_;
+
+            union {
+                // Non-abstract methods: The hotness we measure for this method. Not atomic,
+                // as we allow missing increments: if the method is hot, we will see it eventually.
+                uint16_t hotness_count_;
+                // Abstract methods: IMT index (bitwise negated) or zero if it was not cached.
+                // The negation is needed to distinguish zero index and missing cached entry.
+                uint16_t imt_index_;
+            };
+        };
+
+    } //namespace V28
+
+
+    // android 12 开始去掉了 dex_code_item_offset_ 字段
+    namespace V31 {
+
+        class ArtMethod {
+        public:
+            // Field order required by test "ValidateFieldOrderOfJavaCppUnionClasses".
+            // The class we are a part of.
+            uint8_t declaring_class_;
+
+            // Access flags; low 16 bits are defined by spec.
+            // Getting and setting this flag needs to be atomic when concurrency is
+            // possible, e.g. after this method's class is linked. Such as when setting
+            // verifier flags and single-implementation flag.
+            uint32_t access_flags_;
+
+            /* Dex file fields. The defining dex file is available via declaring_class_->dex_cache_ */
+
+            // Index into method_ids of the dex file associated with this method.
+            uint32_t dex_method_index_;
+
+            /* End of dex file fields. */
+
+            // Entry within a dispatch table for this method. For static/direct methods the index is into
+            // the declaringClass.directMethods, for virtual methods the vtable and for interface methods the
+            // ifTable.
+            uint16_t method_index_;
+        };
+
+    } //namespace V35
+
+};//namespace cyrus
+
+#endif //CYRUS_ART_METHOD_H

app/src/main/cpp/dex/class_accessor.h

@@ -0,0 +1,30 @@
+#ifndef CYRUS_METHOD_H
+#define CYRUS_METHOD_H
+
+#include <stdint.h>
+#include <string>
+
+
+namespace cyurs {
+
+    class BaseItem {
+    public:
+        // Internal data pointer for reading.
+        const void* dex_file_;
+        const uint8_t* ptr_pos_ = nullptr;
+        const uint8_t* hiddenapi_ptr_pos_ = nullptr;
+        uint32_t index_ = 0u;
+        uint32_t access_flags_ = 0u;
+        uint32_t hiddenapi_flags_ = 0u;
+    };
+
+    // A decoded version of the method of a class_data_item.
+    class Method : public BaseItem {
+    public:
+        bool is_static_or_direct_ = true;
+        uint32_t code_off_ = 0u;
+    };
+
+};//namespace cyrus
+
+#endif //CYRUS_METHOD_H