bytedance/android-inline-hook

Hook dlopen function crashes on mumu emulator

Soon-gz opened this issue · 3 comments

ShadowHook Version

1.0.3

Android OS Version

6.0.1

Android ABIs

armeabi-v7a

Device Manufacturers and Models

MuMu

Describe the Bug

1. Initialize ShadowHook in Application
2. Load native-lib.so in the static block of MainActivity
3. Hook dlopen in JNI_OnLoad of native-lib.so; the code used is the dlopen example from unittest

============ shadowhook_tag log is as follows ==========
shadowhook_tag: shadowhook: shadowhook init(mode: UNIQUE, debuggable: true), return: 0, real-init: yes
shadowhook_tag: sdk_verison : 23
shadowhook_tag: shadowhook: hook_sym_name(linker, __dl__Z9do_dlopenPKciPK17android_dlextinfo, 0xc60151d) ...
shadowhook_tag: task: hook dlopen/do_dlopen internal. target-address f7768ca0
shadowhook_tag: switch: get dlinfo info: target_addr f7768ca0, sym_name __dl__Z9do_dlopenPKciPK17android_dlextinfo, sym_sz 522, load_bias f775d000, pathname /system/bin/linker
shadowhook_tag: exit: gap, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), NFZ 1, READABLE 1
shadowhook_tag: exit: gap, f77a21d0 - f77a3000 (load_bias f775d000, 451d0 - 46000), NFZ 0, READABLE 1
shadowhook_tag: exit: gap fill zero, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), READABLE 1
shadowhook_tag: exit: gap resize, f779ad10 - f779aff8 (load_bias f775d000, 3dd10 - 3dff8)
shadowhook_tag: exit: in-library alloc, at f779ad18 (load_bias f775d000, 3dd18), len 8
shadowhook_tag: exit: alloc in library, exit f779ad18, pc f7768ca8, distance 32070, range [-2000000, 1fffffc]
shadowhook_tag: a32 rewrite: type 0, inst 83535657
shadowhook_tag: a32: hook (WITH EXIT) OK. target f7768ca0 -> exit f779ad18 -> new c107749 -> enter ef3d0000 -> remaining f7768ca4
shadowhook_tag: switch: hook(invisible) in UNIQUE mode OK: target_addr f7768ca0, new_addr c107749
shadowhook_tag: linker: hook dlopen OK, return: 0
shadowhook_tag: switch: get dlinfo info: target_addr f7768ca0, sym_name __dl__Z9do_dlopenPKciPK17android_dlextinfo, sym_sz 522, load_bias f775d000, pathname /system/bin/linker
shadowhook_tag: exit: gap, f779ad10 - f779b000 (load_bias f775d000, 3dd10 - 3e000), NFZ 1, READABLE 1
shadowhook_tag: exit: gap, f77a21d0 - f77a3000 (load_bias f775d000, 451d0 - 46000), NFZ 0, READABLE 1
shadowhook_tag: exit: gap resize, f779ad10 - f779aff8 (load_bias f775d000, 3dd10 - 3dff8)
shadowhook_tag: exit: in-library alloc, at f779ad20 (load_bias f775d000, 3dd20), len 8
shadowhook_tag: exit: alloc in library, exit f779ad20, pc f7768ca8, distance 32078, range [-2000000, 1fffffc]
shadowhook_tag: a32 rewrite: type 1, inst ea00c81c
shadowhook_tag: a32: hook (WITH EXIT) OK. target f7768ca0 -> exit f779ad20 -> new c60151d -> enter ef3d0100 -> remaining f7768ca4
shadowhook_tag: switch: hook in UNIQUE mode OK: target_addr f7768ca0, new_addr c60151d
shadowhook_tag: shadowhook: hook_sym_name(linker, __dl__Z9do_dlopenPKciPK17android_dlextinfo, 0xc60151d) OK. return: 0xf3b375b0. 0 - OK

=========== Crash stack trace is as follows ==================
2022-09-21 16:50:24.659 3113-3113/com.test.unity A/libc: Fatal signal 4 (SIGILL), code 2, fault addr 0xf7768ca8 in tid 3113 (com.test.unity)
2022-09-21 16:50:24.761 314-314/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2022-09-21 16:50:24.761 314-314/? A/DEBUG: Build fingerprint: 'OnePlus/OnePlus2/OnePlus2:6.0.1/MMB29M/1447841200:user/release-keys'
2022-09-21 16:50:24.761 314-314/? A/DEBUG: Revision: '0'
2022-09-21 16:50:24.761 314-314/? A/DEBUG: ABI: 'x86'
2022-09-21 16:50:24.761 314-314/? A/DEBUG: pid: 3113, tid: 3113, name: com.test.unity >>> com.test.unity <<<
2022-09-21 16:50:24.761 314-314/? A/DEBUG: signal 4 (SIGILL), code 2 (ILL_ILLOPN), fault addr 0xf7768ca8
2022-09-21 16:50:24.763 314-314/? A/DEBUG: eax 00000000 ebx f779cfe4 ecx 0000006c edx 0000000b
2022-09-21 16:50:24.763 314-314/? A/DEBUG: esi f3b37760 edi f779d034
2022-09-21 16:50:24.763 314-314/? A/DEBUG: xcs 00000023 xds 0000002b xes 0000002b xfs 0000006b xss 0000002b
2022-09-21 16:50:24.763 314-314/? A/DEBUG: eip f7768ca8 ebp ffa6c324 esp ffa5d8f4 flags 00010202
2022-09-21 16:50:24.763 314-314/? A/DEBUG: backtrace:
2022-09-21 16:50:24.763 314-314/? A/DEBUG: #00 pc 00000ca8 /system/bin/linker (offset 0xb000)
2022-09-21 16:50:24.763 314-314/? A/DEBUG: #1 pc 0000002a
2022-09-21 16:50:24.782 314-314/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_01
2022-09-21 16:50:24.782 314-314/? E/DEBUG: AM write failed: Broken pipe
2022-09-21 16:50:24.785 740-760/system_process I/BootReceiver: Copying /data/tombstones/tombstone_01 to DropBox (SYSTEM_TOMBSTONE)
2022-09-21 16:50:24.787 740-3134/system_process W/ActivityManager: Force finishing activity com.test.unity/com.unity3d.player.UnityPlayerActivity
2022-09-21 16:50:24.787 740-3134/system_process E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 116)

To clarify: ShadowHook only supports arm and arm64, not x86 or x86_64. So ShadowHook does not support houdini either; in a houdini environment the system libraries, including the linker, are all x86 architecture. Hooking the arm/arm64 libraries contained in your app inside a houdini environment should work.

Emulators such as MuMu are all based on android-x86 and houdini.

To support emulators, ShadowHook would first need to support x86 and x86_64 inline hooking, and then determine the ELF architecture type dynamically at runtime.
We currently have no plans to support emulators.
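The runtime ELF-architecture check described in the comment above, as an added example in C that is not ShadowHook's own code: it reads the ELF header of a hook target and refuses anything that is not arm/arm64, which would have rejected the x86 linker in the tombstone above before any instruction rewriting. The ELF constants come from the ELF specification, the sample headers are constructed, and the `/system/bin/linker` path is the one from the log.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants from the ELF spec: e_ident layout and e_machine values. */
enum { EI_NIDENT = 16, EI_CLASS = 4, ELFCLASS32 = 1, ELFCLASS64 = 2,
       EM_386 = 3, EM_ARM = 40, EM_X86_64 = 62, EM_AARCH64 = 183 };
enum elf_arch { ARCH_UNKNOWN = 0, ARCH_ARM, ARCH_ARM64, ARCH_X86, ARCH_X86_64 };

/* Classify an ELF image by e_machine/EI_CLASS; ARCH_UNKNOWN on bad input. */
enum elf_arch elf_arch_of(const uint8_t *buf, size_t len) {
    if (len < EI_NIDENT + 4 || memcmp(buf, "\x7f" "ELF", 4) != 0) return ARCH_UNKNOWN;
    /* e_machine is the 2-byte little-endian field at offset 18 (after e_type). */
    uint16_t machine = (uint16_t)(buf[18] | (buf[19] << 8));
    switch (machine) {
        case EM_ARM:     return buf[EI_CLASS] == ELFCLASS32 ? ARCH_ARM : ARCH_UNKNOWN;
        case EM_AARCH64: return buf[EI_CLASS] == ELFCLASS64 ? ARCH_ARM64 : ARCH_UNKNOWN;
        case EM_386:     return ARCH_X86;
        case EM_X86_64:  return ARCH_X86_64;
        default:         return ARCH_UNKNOWN;
    }
}

/* ShadowHook rewrites only arm/arm64 instructions, so refuse any other target. */
int hook_target_supported(const uint8_t *buf, size_t len) {
    enum elf_arch a = elf_arch_of(buf, len);
    return a == ARCH_ARM || a == ARCH_ARM64;
}

/* Same check against a library on disk, e.g. "/system/bin/linker" before hooking it. */
int hook_target_file_supported(const char *path) {
    uint8_t hdr[EI_NIDENT + 4];
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return hook_target_supported(hdr, n);
}

/* Constructed sample headers (first 20 bytes): an x86 linker like the one in the
   tombstone above (ABI 'x86'), an armeabi-v7a one, and an arm64-v8a one. */
static const uint8_t x86_hdr[20]   = {0x7f,'E','L','F',1,1,1,0,0,0,0,0,0,0,0,0, 2,0, 3,0};
static const uint8_t arm_hdr[20]   = {0x7f,'E','L','F',1,1,1,0,0,0,0,0,0,0,0,0, 2,0, 40,0};
static const uint8_t arm64_hdr[20] = {0x7f,'E','L','F',2,1,1,0,0,0,0,0,0,0,0,0, 2,0, 183,0};

int main(void) {
    printf("x86: %d arm: %d arm64: %d\n", hook_target_supported(x86_hdr, 20),
           hook_target_supported(arm_hdr, 20), hook_target_supported(arm64_hdr, 20));
    return 0;
}
```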

OK, thanks.