call_function is the first of a library's own routines that the linker runs after loading a .so (it handles DT_INIT); note that the symbol this script actually hooks below, `__dl__ZL10call_array...`, is `call_array`, which runs the DT_INIT_ARRAY / DT_FINI_ARRAY entries. Reference: https://bbs.pediy.com/thread-267430.htm
adb pull /system/bin/linker
// Disassemble `size` consecutive instructions starting at `baseAddress` and
// print each one as "address:<addr> <mnemonic>,<operands>".
//
// Per Frida's Instruction.parse documentation, on 32-bit ARM the address must
// carry the Thumb bit (low bit = 1) to be decoded as Thumb; an even address is
// decoded as ARM. `next` preserves whichever mode was used.
function see(baseAddress, size) {
  let cursor = baseAddress;
  let remaining = size;
  while (remaining-- > 0) {
    const insn = Instruction.parse(cursor);
    console.log(`address:${insn.address} ${insn.mnemonic},${insn.opStr}`);
    cursor = insn.next;
  }
}
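// Hook the linker's call_array() and, when libnative-lib.so is being
// initialised, NOP out the exit()/kill() calls its native code uses to bail
// out (anti-debug / anti-instrumentation checks).
//
// The symbol hooked here is call_array (runs DT_INIT_ARRAY / DT_FINI_ARRAY),
// not call_function (DT_INIT). Its mangled name
// __dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_jbS5_ decodes to
//   call_array(const char* array_name, F* functions, unsigned count,
//              bool reverse, const char* realpath)
// so args[0] is the array name, args[3] is the `reverse` bool and the
// library's realpath is args[4] (the original read args[3] as a string).
function fr() {
  const CALL_ARRAY_SYM = "__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_jbS5_";
  const TARGET_LIB = "libnative-lib";
  const TARGET_MODULE = "libnative-lib.so";
  // Two 16-bit Thumb NOPs (0xbf00, little-endian) = 4 bytes, enough to cover a
  // 32-bit Thumb-2 `bl`.
  const THUMB_NOP2 = [0x00, 0xbf, 0x00, 0xbf];
  // Offsets into libnative-lib.so of the calls to neutralise. These are tied to
  // this one build of the library and must be re-derived for any other build.
  const PATCH_OFFSETS = [
    0x89e4, // bl exit
    0x92c2, // bl kill
  ];
  // Offset disassembled before patching, for a visual sanity check in the log.
  const SEE_OFFSET = 0x89d8;

  // Overwrite 4 bytes at `addr` with two Thumb NOPs.
  // The write goes to the even (data) address: the low bit is the Thumb
  // execution-mode flag on code pointers, not part of the byte address, so the
  // original `.add(1)` shifted the patch by one byte and corrupted the
  // neighbouring instruction. Memory.patchCode handles the page protection
  // change and cache flush and does not leave the page rwx afterwards.
  function nopOut(addr) {
    Memory.patchCode(addr, THUMB_NOP2.length, (code) => {
      code.writeByteArray(THUMB_NOP2);
    });
  }

  // Java.perform is not needed for a native hook but is kept so the hook is
  // installed at the same point as before.
  Java.perform(function () {
    // 32-bit process: the linker module is "linker" ("linker64" on arm64).
    const linkerModule = Process.getModuleByName("linker");
    const sym = linkerModule
      .enumerateSymbols()
      .find((s) => s.name.includes(CALL_ARRAY_SYM));
    if (!sym) {
      console.log("linker: call_array symbol not found, nothing hooked");
      return;
    }
    console.log(`linker->${sym.name}---${sym.address}`);

    Interceptor.attach(sym.address, {
      onEnter(args) {
        const arrayName = args[0].isNull() ? null : args[0].readCString();
        const realpath = args[4].isNull() ? null : args[4].readCString();
        console.log(`${arrayName} ${realpath}`);
        // Substring match as before; tighten to the exact path if other
        // libraries with this prefix are loaded.
        if (realpath === null || !realpath.includes(TARGET_LIB)) {
          return;
        }
        // The module is loaded by the time its init/fini arrays run.
        const base = Process.getModuleByName(TARGET_MODULE).base;
        // Thumb code: give Instruction.parse the Thumb bit so it decodes
        // 16/32-bit Thumb instructions rather than ARM.
        see(base.add(SEE_OFFSET).or(1), 10);
        // Patching is idempotent, so a second call (e.g. DT_FINI_ARRAY) is harmless.
        for (const offset of PATCH_OFFSETS) {
          nopOut(base.add(offset));
        }
      },
    });
  });
}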
// Install the hook on the next turn of Frida's event loop, once the agent
// script has finished loading.
setImmediate(function () {
  fr();
});
// frida -U -f "com.example.test" --no-pause -l agent/testfrida.js