asLody/ElfHook asLody/ElfHook

  • Stars
    star
    227
  • Rank 175,900 (Top 4 %)
  • Language
    C++
  • Created over 8 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
asLody/ElfHook
github

asLody

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

modify PLT to hook api, supported android 5\6.

0x01 Brief About ElfHook

  这份ElfHook的代码参考boyliang的AllHookInOne, 修复AllHookInOne的 ElfHook中的一些问题,同时也解决我们项目中遇到的一些问题。

  • NOT DT_HAST in .dynmaic section,but .gun.hash instead.

  • NOT DT_REL and DT_RELSZ in .dynmaic section, but DT_ANDROID_REL and DT_ANDROID_RELSZ instead.

  • 计算动态库加载的base_addr是错误的,应该使用bias_addr来计算出ehdr、phdr和shdr之外的所有地址。

  • 替换函数时,修改page的读写权限时,在SEAndroid上PROT_EXEC和PROT_WRITE同时设置可能会导致异常,

  • after hook "dlopen" function, how to get base_addr from return value of old dlopen in new dlopen function.

  • support aarch64 (arm64-v8a)

ref:

 AllHookInOne : [https://github.com/boyliang/AllHookInOne.git]

 AllHookInOne说明 : [http://bbs.pediy.com/showthread.php?p=1328038]

 bionic : [https://android.googlesource.com/platform/bionic]

0x02 How To Build

Export android ndk path

export -p PATH=$PATH:$ANDROID_NDK

Build

make

make clean

make install # copy libElfHook.so to jniLibs dir in Demo.

or

ndk-build NDK_PROJECT_PATH=. NDK_OUT=./objs NDK_LIBS_OUT=./bin APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-23 APP_ABI=arm64-v8a,armeabi-v7a APP_STL=stlport_static

0x03 How To Use

elf_module is a shared library or executable, elf_hooker is wrapper of hook function.

  • bool elf_hooker::phrase_proc_maps()

phrase /proc/self/maps to create all elf modules have been loadded

  • void elf_hooker::dump_module_list()

print all elf moudle's info, base addr and full path.

  • void elf_hooker::set_prehook_cb( prehook_cb ):

set a callback function, which would be invoked before hooked. if it return false, prehook_cb function like this:

bool prehook_cb(const char* module_name, const char* func_name);

 module_name: the full filename of shared library or executable.

 func_name: function name would be hooked.

  • void elf_hooker::hook_all_modules(const char *func_name, void *pfn_new, void** ppfn_old)

hook a function of all the modules, MUST call phrase_proc_maps() before hook_all_modules()

 func_name: the name of function that will be hooked.

 pfn_new: new function pointer

 ppfn_old: return raw function pointer, ppfn_old MUST NOT be NULL

  • bool elf_hooker::hook(elf_module *module, const char* func_name, void *pfn_new, void **ppfn_old)

hook a function of a single module.

 module: pointer of elf_module.

 other parameters is the same as hook_all_modules()

More Repositories

1

VirtualApp

Virtual Engine for Android(Support 14.0 in business version)
Java
10,183
star
2

SandHook

Android ART Hook/Native Inline Hook/Single Instruction Hook - support 4.4 - 11.0 32/64 bit - Xposed API Compat
Java
2,030
star
3

legend

A framework for hook java methods.
Java
1,598
star
4

whale

Hook Framework for Android/IOS/Linux/MacOS
C++
1,559
star
5

TurboDex

fast load dex in memory.
C++
1,477
star
6

SandVXposed

Xposed environment without root (OS 5.0 - 10.0)
Java
948
star
7

AndHook

Android dynamic instrumentation framework
Java
754
star
8

SourceAnalysis

56
star
9

JBootImage

Java
11
star
10

JailbreakIOS12

escape sandbox and install cydia on IOS 12.0 ~ 12.1.2
5
star
11

GmsSupport

GMS support for internal versions of VirtualApp
4
star
12

OLLVM-Elimination

This is the first general purpose OLLVM elimination algorithm.
3
star
13

OpenInstantApp

3
star
14

aibox

AI aimbot implemented in RK3588 platform.
C++
2
star
15

MyNote

1
star