Android Art Hook 技術方案
by 低端碼農 at 2015.4.13
www.im-boy.net
0x1 開始
Anddroid上的ART從5.0之後變成預設的選擇,可見ART的重要性,目前關于Dalvik Hook方面研究的文章很多,但我在網上卻找不到關于ART Hook相關的文章,甚至連鼎鼎大名的XPosed和Cydia Substrate到目前為止也不支援ART的Hook。當然我相信,技術方案他們肯定是的,估計卡在機型适配上的了。
既然網上找不到相關的資料,于是我決定自己花些時間去研究一下,終于黃天不負有心人,我找到了一個切實可行的方法,即本文所介紹的方法。
應該說明的是本文所介紹的方法肯定不是最好的,但大家看完本文之後,如果能啟發大家找到更好的ART Hook方法,那我抛磚引玉的目的就達到了。廢話不多說,我們開始吧。
- 運作環境: 4.4.2 ART模式的模拟器
- 開發環境: Mac OS X 10.10.3
0x2 ART類方法加載及執行
在ART中類方法的執行要比在Dalvik中要複雜得多,Dalvik如果除去JIT部分,可以了解為是一個解析執行的虛拟機,而ART則同時包含本地指令執行和解析執行兩種模式,同時所生成的oat檔案也包含兩種類型,分别是portable和quick。portable和quick的主要差別是對于方法的加載機制不相同,quick大量使用了Lazy Load機制,是以應用的啟動速度更快,但加載流程更複雜。其中quick是作為預設選項,是以本文所涉及的技術分析都是基于quick類型的。
由于ART存在本地指令執行和解析執行兩種模式,是以類方法之間并不是能直接跳轉的,而是通過一些預先定義的bridge函數進行狀态和上下文的切換,這裡引用一下老羅部落格中的示意圖:
當執行某個方法時,如果目前是本地指令執行模式,則會執行ArtMethod::GetEntryPointFromCompiledCode()指向的函數,否則則執行ArtMethod::GetEntryPointFromInterpreter()指向的函數。是以每個方法,都有兩個入口點,分别儲存在ArtMethod::entry_point_from_compiled_code_和ArtMethod::entry_point_from_interpreter_。了解這一點非常重要,後面我們主要就是在這兩個入口做文章。
在講述原理之前,需要先把以下兩個流程了解清楚,這裡的内容要展開是非常龐大的,我針對Hook的關鍵點,簡明扼要的描述一下,但還是強烈建議大家去老羅的部落格裡細讀一下其中關于ART的幾篇文章。
- ArtMethod加載流程
這個過程發生在oat被裝載進記憶體并進行類方法連結的時候,類方法連結的代碼在art/runtime/class_linker.cc中的LinkCode,如下所示:
<code class="hljs lasso has-numbering">static <span class="hljs-literal">void</span> LinkCode(SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">>&</span> method, const OatFile<span class="hljs-tag">::OatClass</span><span class="hljs-subst">*</span> oat_class, uint32_t method_index)
SHARED_LOCKS_REQUIRED(Locks<span class="hljs-tag">::mutator_lock_</span>) {
<span class="hljs-comment">// Method shouldn't have already been linked.</span>
DCHECK(method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode() <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>);
<span class="hljs-comment">// Every kind of method should at least get an invoke stub from the oat_method.</span>
<span class="hljs-comment">// non-abstract methods also get their code pointers.</span>
const OatFile<span class="hljs-tag">::OatMethod</span> oat_method <span class="hljs-subst">=</span> oat_class<span class="hljs-subst">-></span>GetOatMethod(method_index);
<span class="hljs-comment">// 這裡預設會把method::entry_point_from_compiled_code_設定oatmethod的code</span>
oat_method<span class="hljs-built_in">.</span>LinkMethod(method<span class="hljs-built_in">.</span>get());
<span class="hljs-comment">// Install entry point from interpreter.</span>
Runtime<span class="hljs-subst">*</span> runtime <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();
bool enter_interpreter <span class="hljs-subst">=</span> NeedsInterpreter(method<span class="hljs-built_in">.</span>get(), method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode()); <span class="hljs-comment">//判斷方法是否需要解析執行</span>
<span class="hljs-comment">// 設定解析執行的入口點</span>
<span class="hljs-keyword">if</span> (enter_interpreter) {
method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(interpreter<span class="hljs-tag">::artInterpreterToInterpreterBridge</span>);
} <span class="hljs-keyword">else</span> {
method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(artInterpreterToCompiledCodeBridge);
}
<span class="hljs-comment">// 下面是設定本地指令執行的入口點</span>
<span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsAbstract()) {
method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
<span class="hljs-keyword">return</span>;
}
<span class="hljs-comment">// 這裡比較難了解,如果是靜态方法,但不是clinit,但需要把entry_point_from_compiled_code_設定為GetResolutionTrampoline的傳回值</span>
<span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsStatic() <span class="hljs-subst">&&</span> <span class="hljs-subst">!</span>method<span class="hljs-subst">-></span>IsConstructor()) {
<span class="hljs-comment">// For static methods excluding the class initializer, install the trampoline.</span>
<span class="hljs-comment">// It will be replaced by the proper entry point by ClassLinker::FixupStaticTrampolines</span>
<span class="hljs-comment">// after initializing class (see ClassLinker::InitializeClass method).</span>
method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetResolutionTrampoline(runtime<span class="hljs-subst">-></span>GetClassLinker()));
} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (enter_interpreter) {
<span class="hljs-comment">// Set entry point from compiled code if there's no code or in interpreter only mode.</span>
method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
}
<span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsNative()) {
<span class="hljs-comment">// Unregistering restores the dlsym lookup stub.</span>
method<span class="hljs-subst">-></span>UnregisterNative(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>());
}
<span class="hljs-comment">// Allow instrumentation its chance to hijack code.</span>
runtime<span class="hljs-subst">-></span>GetInstrumentation()<span class="hljs-subst">-></span>UpdateMethodsCode(method<span class="hljs-built_in">.</span>get(),method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode());
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li></ul> 通過上面的代碼我們可以得到,一個ArtMethod的入口主要有以下幾種:
- Interpreter2Interpreter對應artInterpreterToInterpreterBridge(art/runtime/interpreter/interpreter.cc);
- Interpreter2CompledCode對應artInterpreterToCompiledCodeBridge(/art/runtime/entrypoints/interpreter/interpreter_entrypoints.cc);
- CompliedCode2Interpreter對應art_quick_to_interpreter_bridge(art/runtime/arch/arm/quick_entrypoints_arm.S);
- CompliedCode2ResolutionTrampoline對應art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S);
- CompliedCode2CompliedCode這個入口是直接指向oat中的指令,詳細可見OatMethod::LinkMethod;
其中調用約定主要有兩種,分别是:
- typedef void (EntryPointFromInterpreter)(Thread* self, MethodHelper& mh, const DexFile::CodeItem* code_item, ShadowFrame* shadow_frame, JValue* result), 這種對應上述1,3兩種入口;
- 剩下的2,4,5三種入口對應的是CompledCode的入口,代碼中并沒有直接給出,但我們通過分析ArtMethod::Invoke的方法調用,就可以知道其調用約定了。Invoke過程中會調用art_quick_invoke_stub(/art/runtime/arch/arm/quick_entrypoints_arm.S),代碼如下所示:
<code class="hljs avrasm has-numbering"> <span class="hljs-comment">/* * Quick invocation stub. * On entry: * r0 = method pointer * r1 = argument array or NULL for no argument methods * r2 = size of argument array in bytes * r3 = (managed) thread pointer * [sp] = JValue* result * [sp + 4] = result type char */</span> ENTRY art_quick_invoke_stub <span class="hljs-keyword">push</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} @ spill regs <span class="hljs-preprocessor">.save</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} <span class="hljs-preprocessor">.pad</span> <span class="hljs-preprocessor">#24</span> <span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset <span class="hljs-number">24</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r0</span>, <span class="hljs-number">0</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r4</span>, <span class="hljs-number">4</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r5</span>, <span class="hljs-number">8</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r9</span>, <span class="hljs-number">12</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r11</span>, <span class="hljs-number">16</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset lr, <span class="hljs-number">20</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r11</span>, sp @ save the stack pointer <span class="hljs-preprocessor">.cfi</span>_def_cfa_register <span class="hljs-built_in">r11</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r3</span> @ move managed thread pointer into <span class="hljs-built_in">r9</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r4</span>, <span class="hljs-preprocessor">#SUSPEND_CHECK_INTERVAL @ reset r4 to suspend check interval</span> <span class="hljs-keyword">add</span> <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r2</span>, <span class="hljs-preprocessor">#16 @ create space for method pointer in frame</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#0xFFFFFFF0 @ align frame size to 16 bytes</span> <span class="hljs-keyword">sub</span> sp, <span class="hljs-built_in">r5</span> @ reserve stack space for argument array <span class="hljs-keyword">add</span> <span class="hljs-built_in">r0</span>, sp, <span class="hljs-preprocessor">#4 @ pass stack pointer + method ptr as dest for memcpy</span> bl memcpy @ memcpy (dest, src, bytes) ldr <span class="hljs-built_in">r0</span>, [<span class="hljs-built_in">r11</span>] @ restore method* ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#4] @ copy arg value for r1</span> ldr <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#8] @ copy arg value for r2</span> ldr <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#12] @ copy arg value for r3</span> <span class="hljs-keyword">mov</span> ip, <span class="hljs-preprocessor">#0 @ set ip to 0</span> str ip, [sp] @ store NULL for method* at bottom of frame ldr ip, [<span class="hljs-built_in">r0</span>, <span class="hljs-preprocessor">#METHOD_CODE_OFFSET] @ get pointer to the code</span> blx ip @ <span class="hljs-keyword">call</span> the method <span class="hljs-keyword">mov</span> sp, <span class="hljs-built_in">r11</span> @ restore the stack pointer ldr ip, [sp, <span class="hljs-preprocessor">#24] @ load the result pointer</span> strd <span class="hljs-built_in">r0</span>, [ip] @ store <span class="hljs-built_in">r0</span>/<span class="hljs-built_in">r1</span> into result pointer <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} @ restore spill regs <span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">24</span> bx lr END art_quick_invoke_stub</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li></ul>
“ldr ip, [r0, #METHOD_CODE_OFFSET]”其實就是把ArtMethod::entry_point_from_compiled_code_指派給ip,然後通過blx直接調用。通過這段小小的彙編代碼,我們得出如下堆棧的布局:
<code class="hljs oxygene has-numbering"> -(low)
| caller(<span class="hljs-function"><span class="hljs-keyword">Method</span> *) | <- <span class="hljs-title">sp</span>
| <span class="hljs-title">arg1</span> | <- <span class="hljs-title">r1</span>
| <span class="hljs-title">arg2</span> | <- <span class="hljs-title">r2</span>
| <span class="hljs-title">arg3</span> | <- <span class="hljs-title">r3</span>
| ... |
| <span class="hljs-title">argN</span> |
| <span class="hljs-title">callee</span><span class="hljs-params">(<span class="hljs-keyword">Method</span> *)</span> | <- <span class="hljs-title">r0</span>
+<span class="hljs-params">(high)</span></span></code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li></ul> 這種調用約定并不是平時我們所見的調用約定,主要展現在參數當超過4時,并不是從sp開始儲存,而是從sp + 20這個位置開始存儲,是以這就是為什麼在代碼裡entry_point_from_compiled_code_的類型是void *的原因了,因為無法用代碼表示。
了解好這個調用約定對我們方案的實作至關重要。
- ArtMethod執行流程
上面詳細講述了類方法加載和連結的過程,但在實際執行的過程中,其實還不是直接調用ArtMethod的entry_point(解析執行和本地指令執行的入口),為了加快執行速度,ART為oat檔案中的每個dex建立了一個DexCache(art/runtime/mirror/dex_cache.h)結構,這個結構會按dex的結構生成一系列的數組,這裡我們隻分析它裡面的methods字段。 DexCache初始化的方法是Init,實作如下:
<code class="hljs r has-numbering">void DexCache::Init(const DexFile* dex_file,
String* location,
ObjectArray<String>* strings,
ObjectArray<Class>* resolved_types,
ObjectArray<ArtMethod>* resolved_methods,
ObjectArray<ArtField>* resolved_fields,
ObjectArray<StaticStorageBase>* initialized_static_storage) {
//<span class="hljs-keyword">...</span>
//<span class="hljs-keyword">...</span>
Runtime* runtime = Runtime::Current();
<span class="hljs-keyword">if</span> (runtime->HasResolutionMethod()) {
// Initialize the resolve methods array to contain trampolines <span class="hljs-keyword">for</span> resolution.
ArtMethod* trampoline = runtime->GetResolutionMethod();
size_t length = resolved_methods->GetLength();
<span class="hljs-keyword">for</span> (size_t i = <span class="hljs-number">0</span>; i < length; i++) {
resolved_methods->SetWithoutChecks(i, trampoline);
}
}
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li></ul> 根據dex方法的個數,産生相應長度resolved_methods數組,然後每一個都用Runtime::GetResolutionMethod()傳回的結果進行填充,這個方法是由Runtime::CreateResolutionMethod産生的,代碼如下:
<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> Runtime<span class="hljs-tag">::CreateResolutionMethod</span>() {
mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> method_class <span class="hljs-subst">=</span> mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-tag">::GetJavaLangReflectArtMethod</span>();
<span class="hljs-keyword">Thread</span><span class="hljs-subst">*</span> <span class="hljs-built_in">self</span> <span class="hljs-subst">=</span> <span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>();
SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">></span>
method(<span class="hljs-built_in">self</span>, down_cast<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*></span>(method_class<span class="hljs-subst">-></span>AllocObject(<span class="hljs-built_in">self</span>)));
method<span class="hljs-subst">-></span>SetDeclaringClass(method_class);
<span class="hljs-comment">// TODO: use a special method for resolution method saves</span>
method<span class="hljs-subst">-></span>SetDexMethodIndex(DexFile<span class="hljs-tag">::kDexNoIndex</span>);
<span class="hljs-comment">// When compiling, the code pointer will get set later when the image is loaded.</span>
Runtime<span class="hljs-subst">*</span> r <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();
ClassLinker<span class="hljs-subst">*</span> cl <span class="hljs-subst">=</span> r<span class="hljs-subst">-></span>GetClassLinker();
method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(r<span class="hljs-subst">-></span>IsCompiler() <span class="hljs-subst">?</span> <span class="hljs-built_in">NULL</span> : GetResolutionTrampoline(cl));
<span class="hljs-keyword">return</span> method<span class="hljs-built_in">.</span>get();
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li></ul> 從method->SetDexMethodIndex(DexFile::kDexNoIndex)這句得知,所有的ResolutionMethod的methodIndexDexFile::kDexNoIndex。而ResolutionMethod的entrypoint就是我們上面入口分析中的第4種情況,GetResolutionTrampoline最終傳回的入口為art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S)。我們看一下其實作代碼:
<code class="hljs avrasm has-numbering"> <span class="hljs-preprocessor">.extern</span> artQuickResolutionTrampoline
ENTRY art_quick_resolution_trampoline
SETUP_REF_AND_ARGS_CALLEE_SAVE_FRAME
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r9</span> @ pass Thread::Current
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r3</span>, sp @ pass SP
blx artQuickResolutionTrampoline @ (Method* called, receiver, Thread*, SP)
cbz <span class="hljs-built_in">r0</span>, <span class="hljs-number">1</span>f @ is code pointer null? goto exception
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r12</span>, <span class="hljs-built_in">r0</span>
ldr <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#0] @ load resolved method in r0</span>
ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#8] @ restore non-callee save r1</span>
ldrd <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#12] @ restore non-callee saves r2-r3</span>
ldr lr, [sp, <span class="hljs-preprocessor">#44] @ restore lr</span>
<span class="hljs-keyword">add</span> sp, <span class="hljs-preprocessor">#48 @ rewind sp</span>
<span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">48</span>
bx <span class="hljs-built_in">r12</span> @ tail-<span class="hljs-keyword">call</span> into actual code
<span class="hljs-number">1</span>:
RESTORE_REF_AND_ARGS_CALLEE_SAVE_FRAME
DELIVER_PENDING_EXCEPTION
END art_quick_resolution_trampoline
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li></ul> 調整好寄存器後,直接跳轉至artQuickResolutionTrampoline(art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc),接下來我們分析這個方法的實作(大家不要暈了。。。,我會把無關緊要的代碼去掉):
<code class="hljs r has-numbering">// Lazily resolve a method <span class="hljs-keyword">for</span> quick. Called by stub code.
extern <span class="hljs-string">"C"</span> const void* artQuickResolutionTrampoline(mirror::ArtMethod* called,
mirror::Object* receiver,
Thread* thread, mirror::ArtMethod** sp)
SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {
FinishCalleeSaveFrameSetup(thread, sp, Runtime::kRefsAndArgs);
// Start new JNI local reference state
JNIEnvExt* env = thread->GetJniEnv();
ScopedObjectAccessUnchecked soa(env);
ScopedJniEnvLocalRefState env_state(env);
const char* old_cause = thread->StartAssertNoThreadSuspension(<span class="hljs-string">"Quick method resolution set up"</span>);
// Compute details about the called method (avoid GCs)
ClassLinker* linker = Runtime::Current()->GetClassLinker();
mirror::ArtMethod* caller = QuickArgumentVisitor::GetCallingMethod(sp);
InvokeType invoke_type;
const DexFile* dex_file;
uint32_t dex_method_idx;
<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {
//<span class="hljs-keyword">...</span>
//<span class="hljs-keyword">...</span>
} <span class="hljs-keyword">else</span> {
invoke_type = kStatic;
dex_file = &MethodHelper(called).GetDexFile();
dex_method_idx = called->GetDexMethodIndex();
}
//<span class="hljs-keyword">...</span>
// Resolve method filling <span class="hljs-keyword">in</span> dex cache.
<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {
called = linker->ResolveMethod(dex_method_idx, caller, invoke_type);
}
const void* code = <span class="hljs-literal">NULL</span>;
<span class="hljs-keyword">if</span> (LIKELY(!thread->IsExceptionPending())) {
//<span class="hljs-keyword">...</span>
linker->EnsureInitialized(called_class, true, true);
//<span class="hljs-keyword">...</span>
}
// <span class="hljs-keyword">...</span>
<span class="hljs-keyword">return</span> code;
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li></ul> <code class="hljs objectivec has-numbering"><span class="hljs-keyword">inline</span> <span class="hljs-keyword">bool</span> ArtMethod::IsRuntimeMethod() <span class="hljs-keyword">const</span> {
<span class="hljs-keyword">return</span> GetDexMethodIndex() == DexFile::kDexNoIndex;
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li></ul> called->IsRuntimeMethod()用于判斷目前方法是否為ResolutionMethod。如果是,那麼就走ClassLinker::ResolveMethod流程去擷取真正的方法,見代碼:
<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> ClassLinker<span class="hljs-tag">::ResolveMethod</span>(const DexFile<span class="hljs-subst">&</span> dex_file,
uint32_t method_idx,
mirror<span class="hljs-tag">::DexCache</span><span class="hljs-subst">*</span> dex_cache,
mirror<span class="hljs-tag">::ClassLoader</span><span class="hljs-subst">*</span> class_loader,
const mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> <span class="hljs-keyword">referrer</span>,
InvokeType <span class="hljs-keyword">type</span>) {
DCHECK(dex_cache <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>);
<span class="hljs-comment">// Check for hit in the dex cache.</span>
mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> resolved <span class="hljs-subst">=</span> dex_cache<span class="hljs-subst">-></span>GetResolvedMethod(method_idx);
<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {
<span class="hljs-keyword">return</span> resolved;
}
<span class="hljs-comment">// Fail, get the declaring class.</span>
const DexFile<span class="hljs-tag">::MethodId</span><span class="hljs-subst">&</span> method_id <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>GetMethodId(method_idx);
mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> klass <span class="hljs-subst">=</span> ResolveType(dex_file, method_id<span class="hljs-built_in">.</span>class_idx_, dex_cache, class_loader);
<span class="hljs-keyword">if</span> (klass <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {
DCHECK(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>()<span class="hljs-subst">-></span>IsExceptionPending());
<span class="hljs-keyword">return</span> <span class="hljs-built_in">NULL</span>;
}
<span class="hljs-comment">// Scan using method_idx, this saves string compares but will only hit for matching dex</span>
<span class="hljs-comment">// caches/files.</span>
switch (<span class="hljs-keyword">type</span>) {
<span class="hljs-keyword">case</span> kDirect: <span class="hljs-comment">// Fall-through.</span>
<span class="hljs-keyword">case</span> kStatic:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(dex_cache, method_idx);
break;
<span class="hljs-keyword">case</span> kInterface:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(dex_cache, method_idx);
DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());
break;
<span class="hljs-keyword">case</span> kSuper: <span class="hljs-comment">// Fall-through.</span>
<span class="hljs-keyword">case</span> kVirtual:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(dex_cache, method_idx);
break;
default:
<span class="hljs-keyword">LOG</span>(FATAL) <span class="hljs-subst"><<</span> <span class="hljs-string">"Unreachable - invocation type: "</span> <span class="hljs-subst"><<</span> <span class="hljs-keyword">type</span>;
}
<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {
<span class="hljs-comment">// Search by name, which works across dex files.</span>
const char<span class="hljs-subst">*</span> name <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>StringDataByIdx(method_id<span class="hljs-built_in">.</span>name_idx_);
std<span class="hljs-tag">::string</span> signature(dex_file<span class="hljs-built_in">.</span>CreateMethodSignature(method_id<span class="hljs-built_in">.</span>proto_idx_, <span class="hljs-built_in">NULL</span>));
switch (<span class="hljs-keyword">type</span>) {
<span class="hljs-keyword">case</span> kDirect: <span class="hljs-comment">// Fall-through.</span>
<span class="hljs-keyword">case</span> kStatic:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(name, signature);
break;
<span class="hljs-keyword">case</span> kInterface:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(name, signature);
DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());
break;
<span class="hljs-keyword">case</span> kSuper: <span class="hljs-comment">// Fall-through.</span>
<span class="hljs-keyword">case</span> kVirtual:
resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(name, signature);
break;
}
}
<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {
<span class="hljs-comment">// Be a good citizen and update the dex cache to speed subsequent calls.</span>
dex_cache<span class="hljs-subst">-></span>SetResolvedMethod(method_idx, resolved);
<span class="hljs-keyword">return</span> resolved;
} <span class="hljs-keyword">else</span> {
<span class="hljs-comment">// ...</span>
}
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li><li>54</li><li>55</li><li>56</li><li>57</li><li>58</li><li>59</li><li>60</li><li>61</li><li>62</li><li>63</li><li>64</li><li>65</li><li>66</li><li>67</li><li>68</li><li>69</li><li>70</li></ul> 其實這裡發生了“連鎖反應”,ClassLinker::ResolveType走的流程,跟ResolveMethod是非常類似的,有興趣的朋友可以跟一下。
找到解析後的klass,再經過一輪瘋狂的搜尋,把找到的resolved通過DexCache::SetResolvedMethod覆寫掉之前的“替身”。當再下次再通過ResolveMethod解析方法時,就可以直接把該方法傳回,不需要再解析了。
我們回過頭來再重新“複現”一下這個過程,當我們首次調用某個類方法,其過程如下所示:
- 調用ResolutionMethod的entrypoint,進入art_quick_resolution_trampoline;
- art_quick_resolution_trampoline跳轉到artQuickResolutionTrampoline;
- artQuickResolutionTrampoline調用ClassLinker::ResolveMethod解析類方法;
- ClassLinker::ResolveMethod調用ClassLinkder::ResolveType解析類,再從解析好的類尋找真正的方法;
- 調用DexCache::SetResolvedMethod,用真正的方法覆寫掉“替身”方法;
- 調用真正方法的entrypoint代碼;
也許你會問,為什麼要把過程搞得這麼繞? 一切都是為了延遲加載,提高啟動速度,這個過程跟ELF Linker的PLT/GOT符号重定向的過程是何其相似啊,是以技術都是想通的,一通百明。
0x3 Hook ArtMethod
通過上述ArtMethod加載和執行兩個流程的分析,對于如何Hook ArtMethod,我想到了兩個方案,分别
- 修改DexCach裡的methods,把裡面的entrypoint修改為自己的,做一個中轉處理;
- 直接修改加載後的ArtMethod的entrypoint,同樣做一個中轉處理;
上面兩個方法都是可行的,但由于我希望整個項目可以在NDK環境(而不是在源碼下)下編譯,因為就采用了方案2,因為通過JNI的接口就可以直接擷取解析之後的ArtMethod,可以減少很多檔案依賴。
回到前面的調用約定,每個ArtMethod都有兩個約定,按道理我們應該準備兩個中轉函數的,但這裡我們不考慮強制解析模式執行,是以隻要處理好entry_point_from_compiled_code的中轉即可。
首先,我們找到對應的方法,先儲存其entrypoint,然後再把我們的中轉函數art_quick_dispatcher覆寫,代碼如下所示:
<code class="hljs cpp has-numbering"><span class="hljs-keyword">extern</span> <span class="hljs-keyword">int</span> __attribute__ ((visibility (<span class="hljs-string">"hidden"</span>))) art_java_method_hook(JNIEnv* env, HookInfo *info) {
<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* classDesc = info->classDesc;
<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodName = info->methodName;
<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodSig = info->methodSig;
<span class="hljs-keyword">const</span> <span class="hljs-keyword">bool</span> isStaticMethod = info->isStaticMethod;
<span class="hljs-comment">// TODO we can find class by special classloader what do just like dvm</span>
jclass claxx = env->FindClass(classDesc);
<span class="hljs-keyword">if</span>(claxx == NULL){
LOGE(<span class="hljs-string">"[-] %s class not found"</span>, classDesc);
<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;
}
jmethodID methid = isStaticMethod ?
env->GetStaticMethodID(claxx, methodName, methodSig) :
env->GetMethodID(claxx, methodName, methodSig);
<span class="hljs-keyword">if</span>(methid == NULL){
LOGE(<span class="hljs-string">"[-] %s->%s method not found"</span>, classDesc, methodName);
<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;
}
ArtMethod *artmeth = <span class="hljs-keyword">reinterpret_cast</span><ArtMethod *>(methid);
<span class="hljs-keyword">if</span>(art_quick_dispatcher != artmeth->GetEntryPointFromCompiledCode()){
uint64_t (*entrypoint)(ArtMethod* method, Object *thiz, u4 *arg1, u4 *arg2);
entrypoint = (uint64_t (*)(ArtMethod*, Object *, u4 *, u4 *))artmeth->GetEntryPointFromCompiledCode();
info->entrypoint = (<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)entrypoint;
info->nativecode = artmeth->GetNativeMethod();
artmeth->SetEntryPointFromCompiledCode((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)art_quick_dispatcher);
<span class="hljs-comment">// save info to nativecode :)</span>
artmeth->SetNativeMethod((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)info);
LOGI(<span class="hljs-string">"[+] %s->%s was hooked\n"</span>, classDesc, methodName);
}<span class="hljs-keyword">else</span>{
LOGW(<span class="hljs-string">"[*] %s->%s method had been hooked"</span>, classDesc, methodName);
}
<span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
}</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li></ul> 我們關鍵的資訊通過ArtMethod::SetNativeMethod儲存起來了。
考慮到ART特殊的調用約定,art_quick_dispatcher隻能用彙編實作了,把寄存器适當的調整一下,再跳轉到另一個函數artQuickToDispatcher,這樣就可以很友善用c/c++通路參數了。
先看一下art_quick_dispatcher函數的實作如下:
<code class="hljs avrasm has-numbering"><span class="hljs-comment">/*
* Art Quick Dispatcher.
* On entry:
* r0 = method pointer
* r1 = arg1
* r2 = arg2
* r3 = arg3
* [sp] = method pointer
* [sp + 4] = addr of thiz
* [sp + 8] = addr of arg1
* [sp + 12] = addr of arg2
* [sp + 16] = addr of arg3
* and so on
*/</span>
<span class="hljs-preprocessor">.extern</span> artQuickToDispatcher
ENTRY art_quick_dispatcher
<span class="hljs-keyword">push</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr} @ sp - <span class="hljs-number">12</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r0</span> @ pass <span class="hljs-built_in">r0</span> to method
str <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(12 + 4)]</span>
str <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(12 + 8)]</span>
str <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(12 + 12)]</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r9</span> @ pass <span class="hljs-built_in">r1</span> to thread
<span class="hljs-keyword">add</span> <span class="hljs-built_in">r2</span>, sp, <span class="hljs-preprocessor">#(12 + 4) @ pass r2 to args array</span>
<span class="hljs-keyword">add</span> <span class="hljs-built_in">r3</span>, sp, <span class="hljs-preprocessor">#12 @ pass r3 to old SP</span>
blx artQuickToDispatcher @ (Method* method, Thread*, u4 **, u4 **)
<span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc} @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result
END art_quick_dispatcher</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li></ul> 我把r2指向參數數組,這樣就我們就可以非常友善的通路所有參數了。另外,我用r3儲存了舊的sp位址,這樣是為後面調用原來的entrypoint做準備的。我們先看看artQuickToDispatcher的實作:
<code class="hljs coffeescript has-numbering">extern <span class="hljs-string">"C"</span> uint64_t artQuickToDispatcher(ArtMethod* method, Thread *self, u4 **args, u4 **old_sp){
HookInfo *info = (HookInfo *)method->GetNativeMethod();
LOGI(<span class="hljs-string">"[+] entry ArtHandler %s->%s"</span>, info->classDesc, info->methodName);
<span class="hljs-regexp">//</span> If it <span class="hljs-keyword">not</span> <span class="hljs-keyword">is</span> static method, <span class="hljs-keyword">then</span> args[<span class="hljs-number">0</span>] was pointing to <span class="hljs-keyword">this</span>
<span class="hljs-keyword">if</span>(!info->isStaticMethod){
Object *thiz = reinterpret_cast<Object *>(args[<span class="hljs-number">0</span>]);
<span class="hljs-keyword">if</span>(thiz != NULL){
char *bytes = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(thiz->GetClass()->GetName())</span>;
<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"[+] thiz class is %s"</span>, bytes)</span>;
<span class="hljs-title">delete</span> <span class="hljs-title">bytes</span>;
}
}
<span class="hljs-title">const</span> <span class="hljs-title">void</span> *<span class="hljs-title">entrypoint</span> = <span class="hljs-title">info</span>-></span>entrypoint;
method->SetNativeMethod(info->nativecode); <span class="hljs-regexp">//</span>restore nativecode <span class="hljs-keyword">for</span> JNI method
uint64_t res = art_quick_call_entrypoint(method, self, args, old_sp, entrypoint);
JValue* result = (JValue* )&res;
<span class="hljs-keyword">if</span>(result != NULL){
Object *obj = result->l;
char *raw_class_name = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(obj->GetClass()->GetName())</span>;
<span class="hljs-title">if</span><span class="hljs-params">(strcmp(raw_class_name, <span class="hljs-string">"java.lang.String"</span>) == <span class="hljs-number">0</span>)</span>{
<span class="hljs-title">char</span> *<span class="hljs-title">raw_string_value</span> = <span class="hljs-title">get_chars_from_utf16</span><span class="hljs-params">((String *)obj)</span>;
<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s, result-value \"%s\""</span>, raw_class_name, raw_string_value)</span>;
<span class="hljs-title">free</span><span class="hljs-params">(raw_string_value)</span>;
}<span class="hljs-title">else</span>{
<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s"</span>, raw_class_name)</span>;
}
<span class="hljs-title">free</span><span class="hljs-params">(raw_class_name)</span>;
}
// <span class="hljs-title">entrypoid</span> <span class="hljs-title">may</span> <span class="hljs-title">be</span> <span class="hljs-title">replaced</span> <span class="hljs-title">by</span> <span class="hljs-title">trampoline</span>, <span class="hljs-title">only</span> <span class="hljs-title">once</span>.
// <span class="hljs-title">if</span><span class="hljs-params">(method->IsStatic() && !method->IsConstructor())</span>{
<span class="hljs-title">entrypoint</span> = <span class="hljs-title">method</span>-></span>GetEntryPointFromCompiledCode();
<span class="hljs-keyword">if</span>(entrypoint != (<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher){
LOGW(<span class="hljs-string">"[*] entrypoint was replaced. %s->%s"</span>, info->classDesc, info->methodName);
method->SetEntryPointFromCompiledCode((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher);
info->entrypoint = entrypoint;
info->nativecode = method->GetNativeMethod();
}
method->SetNativeMethod((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)info);
<span class="hljs-regexp">//</span> }
<span class="hljs-keyword">return</span> res;
}
</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li></ul> 這裡參數解析就不詳細說了,接下來是最棘手的問題——如何重新調回原來的entrypoint。
這裡的關鍵點是要還原之前的堆棧布局,art_quick_call_entrypoint就是負責完成這個工作的,其實作如下所示:
<code class="hljs avrasm has-numbering"><span class="hljs-comment">/*
*
* Art Quick Call Entrypoint
* On entry:
* r0 = method pointer
* r1 = thread pointer
* r2 = args arrays pointer
* r3 = old_sp
* [sp] = entrypoint
*/</span>
ENTRY art_quick_call_entrypoint
<span class="hljs-keyword">push</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr} @ sp - <span class="hljs-number">12</span>
<span class="hljs-keyword">sub</span> sp, <span class="hljs-preprocessor">#(40 + 20) @ sp - 40 - 20</span>
str <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)] @ var_40_0 = method_pointer</span>
str <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)] @ var_40_4 = thread_pointer</span>
str <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)] @ var_40_8 = args_array</span>
str <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(40 + 12)] @ var_40_12 = old_sp</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r0</span>, sp
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r3</span>
ldr <span class="hljs-built_in">r2</span>, =<span class="hljs-number">40</span>
blx memcpy @ memcpy(dest, src, size_of_byte)
ldr <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)] @ restore method to r0</span>
ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)]</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r1</span> @ restore thread to <span class="hljs-built_in">r9</span>
ldr <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)] @ pass r5 to args_array</span>
ldr <span class="hljs-built_in">r1</span>, [<span class="hljs-built_in">r5</span>] @ restore arg1
ldr <span class="hljs-built_in">r2</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#4] @ restore arg2</span>
ldr <span class="hljs-built_in">r3</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#8] @ restore arg3</span>
ldr <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 20 + 12)] @ pass ip to entrypoint</span>
blx <span class="hljs-built_in">r5</span>
<span class="hljs-keyword">add</span> sp, <span class="hljs-preprocessor">#(40 + 20)</span>
<span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc} @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result
END art_quick_call_entrypoint</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li></ul> 這裡我偷懶了,直接申請了10個參數的空間,再使用之前傳進入來的old_sp進行恢複,使用memcpy直接複制40位元組。之後就是還原r0, r1, r2, r3, r9的值了。調用entrypoint完後,結果儲存在r0和r1,再傳回給artQuickToDispatcher。
至此,整個ART Hook就分析完畢了。
0x4 4.4與5.X上實作的差別
我的整個方案都是在4.4上測試的,主要是因為我隻有4.4的源碼,而且硬碟空間不足,實在裝不下5.x的源碼了。但整個思路,是完全可以套用用5.X上。另外,5.X的實作代碼比4.4上複雜了很多,否能像我這樣在NDK下編譯完成就不知道了。
正常的4.4模拟器是以dalvik啟動的,要到設定裡改為art,這裡會要求進行重新開機,但一般無效,我們手動關閉再重新打開就OK了,但需要等上一段時間才可以。
0x5 結束
雖然這篇文章隻是介紹了Art Hook的技術方案,但其中的技術原理,對于如何在ART上進行代碼加強、動态代碼還原等等也是很有啟發性。
老樣子,整個項目的代碼,我已經送出到https://github.com/boyliang/AllHookInOne,大家遇到什麼問題,歡迎提問,有問題記得回報。
對了,請用https://github.com/boyliang/ndk-patch給你的NDK打一下patch。
原文位址: http://blog.csdn.net/l173864930/article/details/45035521
![ZjDroid工具介紹及脫殼詳細示例[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)