hook系统函数（参数特别多）是否拿到的参数值不对？

Question

hook系统函数（参数特别多）是否拿到的参数值不对？

Closed this issue 6 months ago · 0 comments

public class MainActivity extends AppCompatActivity {
    private static final String TAG = "MainActivityLog";

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        try {
            testRegisterReceiver();
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        }
    }

    private final BroadcastReceiver mReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            Log.i(TAG, "onReceive");
        }
    };

    private void testRegisterReceiver() throws ClassNotFoundException {
        IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_SCREEN_OFF);
        registerReceiver(mReceiver, filter);
    }
}

public class App extends Application {
    private static final String TAG = "AppLog";

    @Override
    public void onCreate() {
        super.onCreate();
        initPine();
    }

    private void initPine() {
        Reflection.unseal(this);
        try {
            PineConfig.debug = true;
            PineConfig.debuggable = false;
            Class<?> appThreadClass = Class.forName("android.app.ActivityThread$ApplicationThread");
            Class<?> intentReceiverClass = Class.forName("android.content.IIntentReceiver");
            XposedHelpers.findAndHookMethod(appThreadClass, "scheduleRegisteredReceiver",
                    intentReceiverClass, Intent.class, int.class, String.class, Bundle.class, boolean.class,
                    boolean.class, boolean.class, int.class, int.class, int.class, String.class, new XC_MethodHook() {
                        @Override
                        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                            super.beforeHookedMethod(param);
                            Log.i(TAG, "testApp scheduleRegisteredReceiver, intent = " + param.args[1] +
                                    ", ordered = " + param.args[5] + " assumeDelivered = " + param.args[7]);
                        }
                    });
            Class<?> activityManagerProxyClass = Reflect.on(ActivityManager.class).call("getService")
                    .get().getClass();
            XposedHelpers.findAndHookMethod(activityManagerProxyClass, "finishReceiver", IBinder.class, int.class,
                    String.class, Bundle.class, boolean.class, int.class, new XC_MethodHook() {
                        @Override
                        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                            super.beforeHookedMethod(param);
                            Log.i(TAG, "testApp finishReceiver called");
                        }
                    });
        } catch (Exception e) {
            Log.e(TAG, "initPine failed", e);
        }
    }
}

上述代码 arm64 上注册息屏广播会发生 anr，但发现在 arm 上正常，而在 arm64 上会出现 anr，我分析 anr 的原因是因为 finishReceiver 没有调用，查看 android 14 的源码发现，当 assumeDelivered 是 true 时不会调用 finishReceiver，而 arm64 拿到的参数刚好是 true，而 arm 下确是 false，我不是很确定是系统问题还是 arm64 下 hook scheduleRegisteredReceiver 函数拿到的参数不对，造成调用原函数也传了错误的参数。

frida 在 arm64 模拟器上也是 false。