Detecting Frida
I recently read through the Frida source and found that the ART hook is written like this:

function replaceArtImplementation (fn) {
  if (fn === null && artOriginalMethodInfo === null) {
    return;
  }

  const artMethodSpec = getArtMethodSpec(vm);
  const artMethodOffset = artMethodSpec.offset; // offsets of the individual ArtMethod fields

  if (artOriginalMethodInfo === null) {
    artOriginalMethodInfo = fetchMethod(methodId); // save the original method info
  }

  if (fn !== null) {
    implementation = implement(f, fn);

    // kAccFastNative so that the VM doesn't get suspended while executing JNI
    // (so that we can modify the ArtMethod on the fly)
    patchMethod(methodId, {
      // replace entry_point_from_jni_ with the hook method
      'jniCode': implementation,
      // turn the method into a native one
      'accessFlags': (Memory.readU32(methodId.add(artMethodOffset.accessFlags)) | kAccNative | kAccFastNative) >>> 0,
      // replace entry_point_from_quick_compiled_code_ with art_quick_generic_jni_trampoline
      'quickCode': api.artQuickGenericJniTrampoline,
      // entry_point_from_interpreter_
      'interpreterCode': api.artInterpreterToCompiledCodeBridge
    });

    patchedMethods.add(f);
  } else {
    patchedMethods.delete(f);

    patchMethod(methodId, artOriginalMethodInfo);
    implementation = null;
  }
}
It replaces the ArtMethod's entry_point_from_jni_ with the hook method and replaces entry_point_from_quick_compiled_code_ with art_quick_generic_jni_trampoline. When the hooked method is called, execution first jumps to art_quick_generic_jni_trampoline, which does some preparation for the JNI call and then jumps to the hook method pointed to by entry_point_from_jni_ in the ArtMethod structure; that completes a hook. Since it uses the quick_compiled_code entry point and turns the method into a native one, doesn't that mean I can tell whether a function has been hooked by checking whether the method has been changed from a JNI call into a native type?
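The check proposed above, as an added example that is not part of the original post or of Frida: an app-side integrity routine that inspects a class through reflection and reports any method that now carries the NATIVE modifier although it is not one of the class's genuine JNI methods. It relies on ART copying ArtMethod::access_flags_ into the java.lang.reflect.Method object when that object is created and on Method.getModifiers() exposing kAccNative (0x0100) as Modifier.NATIVE; kAccFastNative is masked out of the modifiers and is not visible here. The class and method names (ArtHookIntegrityCheck, Finding, Demo, pureJavaAdd, realNativeAdd) are assumptions made up for the example.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical integrity check (example code, not Frida's and not from the post):
 * report methods of a class that now carry Modifier.NATIVE although the class
 * declares them as plain Java methods.
 */
public final class ArtHookIntegrityCheck {

    /** One suspicious method: the class, the method and the modifiers observed. */
    public static final class Finding {
        public final String className;
        public final String methodName;
        public final int modifiers;

        Finding(String className, String methodName, int modifiers) {
            this.className = className;
            this.methodName = methodName;
            this.modifiers = modifiers;
        }

        @Override
        public String toString() {
            return className + "." + methodName + " modifiers=0x" + Integer.toHexString(modifiers);
        }
    }

    /**
     * @param clazz               class whose declared methods are inspected
     * @param expectedNativeNames names of the methods that are legitimately native
     *                            (the app's own JNI methods); record this list at
     *                            build time, not at runtime, so a hook that is already
     *                            active cannot poison the baseline
     */
    public static List<Finding> findUnexpectedlyNativeMethods(Class<?> clazz,
                                                              Set<String> expectedNativeNames) {
        List<Finding> findings = new ArrayList<>();
        // Ask for fresh Method objects every time: access flags are captured when the
        // Method object is created, so a Method cached before the hook was installed
        // would still look like an ordinary Java method.
        for (Method m : clazz.getDeclaredMethods()) {
            int mods = m.getModifiers();
            if (Modifier.isNative(mods) && !expectedNativeNames.contains(m.getName())) {
                findings.add(new Finding(clazz.getName(), m.getName(), mods));
            }
        }
        return findings;
    }

    /** Demo class: one genuine JNI method and one pure-Java method (constructed example). */
    static final class Demo {
        static native int realNativeAdd(int a, int b);           // legitimately native

        static int pureJavaAdd(int a, int b) { return a + b; }    // reported if it turns native
    }

    public static void main(String[] args) {
        Set<String> baseline = new HashSet<>(Arrays.asList("realNativeAdd"));
        List<Finding> findings = findUnexpectedlyNativeMethods(Demo.class, baseline);
        // On an uninstrumented runtime the list is empty; while pureJavaAdd is patched by
        // the ART mechanism shown above (kAccNative set), it appears in the list.
        System.out.println(findings.isEmpty() ? "no unexpected native methods" : findings.toString());
    }
}
```

Two caveats follow directly from the Frida snippet above: the else branch restores the original ArtMethod fields when the hook is removed, so the check only sees a hook while it is active, and the check is itself an ordinary Java method that the same mechanism could patch, so treat it as one signal among several rather than a verdict on its own.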