本篇介绍
frida 也支持hook native,本篇看下如何hook native
hook native函数
这次以系统设置应用(com.android.settings)为目标,首先看下进程里加载了哪些so:
objection -g com.android.settings explore
memory list modules
这时候输出如下(列表中也能看到 frida 注入的 frida-agent-64.so,说明注入本身会在进程的模块列表里留下痕迹):
Name Base Size Path
-------------------------------------------------------- ------------ ------------------- ------------------------------------------------------------------------------
app_process64 0x5839cc7000 40960 (40.0 KiB) /system/bin/app_process64
linker64 0x72c2ba8000 200704 (196.0 KiB) /system/bin/linker64
libandroid_runtime.so 0x72be415000 1699840 (1.6 MiB) /system/lib64/libandroid_runtime.so
libbinder.so 0x72bd6dd000 663552 (648.0 KiB) /system/lib64/libbinder.so
libcutils.so 0x72bde01000 73728 (72.0 KiB) /system/lib64/libcutils.so
libhidlbase.so 0x72bf785000 757760 (740.0 KiB) /system/lib64/libhidlbase.so
liblog.so 0x72bc441000 73728 (72.0 KiB) /system/lib64/liblog.so
libnativeloader.so 0x72bea00000 221184 (216.0 KiB) /apex/com.android.art/lib64/libnativeloader.so
libutils.so 0x72bea5e000 122880 (120.0 KiB) /system/lib64/libutils.so
libwilhelm.so 0x72bf602000 253952 (248.0 KiB) /system/lib64/libwilhelm.so
libc++.so 0x72be806000 720896 (704.0 KiB) /system/lib64/libc++.so
libc.so 0x72be659000 913408 (892.0 KiB) /apex/com.android.runtime/lib64/bionic/libc.so
libm.so 0x72c0b02000 225280 (220.0 KiB) /apex/com.android.runtime/lib64/bionic/libm.so
libdl.so 0x72bfcde000 20480 (20.0 KiB) /apex/com.android.runtime/lib64/bionic/libdl.so
libbase.so 0x72bdf41000 249856 (244.0 KiB) /system/lib64/libbase.so
libharfbuzz_ng.so 0x72c0640000 729088 (712.0 KiB) /system/lib64/libharfbuzz_ng.so
libhwui.so 0x72bc510000 7782400 (7.4 MiB) /system/lib64/libhwui.so
libminikin.so 0x72bcd8e000 172032 (168.0 KiB) /system/lib64/libminikin.so
libnativehelper.so 0x72be151000 32768 (32.0 KiB) /apex/com.android.art/lib64/libnativehelper.so
libz.so 0x72bdb54000 98304 (96.0 KiB) /system/lib64/libz.so
libziparchive.so 0x72bcfd3000 65536 (64.0 KiB) /system/lib64/libziparchive.so
libandroidicu.so 0x72c0ac5000 212992 (208.0 KiB) /apex/com.android.art/lib64/libandroidicu.so
libbpf_android.so 0x72be624000 53248 (52.0 KiB) /system/lib64/libbpf_android.so
libnetdbpf.so 0x72bfe8a000 159744 (156.0 KiB) /system/lib64/libnetdbpf.so
libnetdutils.so 0x72bee82000 81920 (80.0 KiB) /system/lib64/libnetdutils.so
libmemtrack.so 0x72c0130000 16384 (16.0 KiB) /system/lib64/libmemtrack.so
libandroidfw.so 0x72bce8f000 450560 (440.0 KiB) /system/lib64/libandroidfw.so
libappfuse.so 0x72bc3c9000 57344 (56.0 KiB) /system/lib64/libappfuse.so
libcrypto.so 0x72bd445000 1126400 (1.1 MiB) /system/lib64/libcrypto.so
libdebuggerd_client.so 0x72be92f000 40960 (40.0 KiB) /system/lib64/libdebuggerd_client.so
libui.so 0x72bcf47000 290816 (284.0 KiB) /system/lib64/libui.so
libgraphicsenv.so 0x72bd1cd000 57344 (56.0 KiB) /system/lib64/libgraphicsenv.so
libgui.so 0x72c09c0000 1003520 (980.0 KiB) /system/lib64/libgui.so
libmediandk.so 0x72c094d000 204800 (200.0 KiB) /system/lib64/libmediandk.so
libsensor.so 0x72bf000000 98304 (96.0 KiB) /system/lib64/libsensor.so
libinput.so 0x72bfa87000 225280 (220.0 KiB) /system/lib64/libinput.so
libcamera_client.so 0x72bf981000 491520 (480.0 KiB) /system/lib64/libcamera_client.so
libcamera_metadata.so 0x72c0c6c000 53248 (52.0 KiB) /system/lib64/libcamera_metadata.so
libsqlite.so 0x72bfaca000 1208320 (1.2 MiB) /system/lib64/libsqlite.so
libEGL.so 0x72c0183000 229376 (224.0 KiB) /system/lib64/libEGL.so
libGLESv1_CM.so 0x72befad000 36864 (36.0 KiB) /system/lib64/libGLESv1_CM.so
libGLESv2.so 0x72bdcd9000 106496 (104.0 KiB) /system/lib64/libGLESv2.so
libGLESv3.so 0x72bdf89000 106496 (104.0 KiB) /system/lib64/libGLESv3.so
libincfs.so 0x72c039b000 135168 (132.0 KiB) /system/lib64/libincfs.so
libdataloader.so 0x72be5c2000 65536 (64.0 KiB) /system/lib64/libdataloader.so
libvulkan.so 0x72bd047000 159744 (156.0 KiB) /system/lib64/libvulkan.so
libETC1.so 0x72c1019000 16384 (16.0 KiB) /system/lib64/libETC1.so
libhardware.so 0x72be968000 12288 (12.0 KiB) /system/lib64/libhardware.so
libhardware_legacy.so 0x72bdd43000 28672 (28.0 KiB) /system/lib64/libhardware_legacy.so
libselinux.so 0x72bff0d000 110592 (108.0 KiB) /system/lib64/libselinux.so
libmedia.so 0x72bd20d000 659456 (644.0 KiB) /system/lib64/libmedia.so
libmedia_helper.so 0x72bd114000 98304 (96.0 KiB) /system/lib64/libmedia_helper.so
libmediametrics.so 0x72bf89e000 86016 (84.0 KiB) /system/lib64/libmediametrics.so
libmeminfo.so 0x72bfd9b000 53248 (52.0 KiB) /system/lib64/libmeminfo.so
libaudioclient.so 0x72bda1a000 798720 (780.0 KiB) /system/lib64/libaudioclient.so
libaudiofoundation.so 0x72be027000 94208 (92.0 KiB) /system/lib64/libaudiofoundation.so
libaudiopolicy.so 0x72bffcd000 24576 (24.0 KiB) /system/lib64/libaudiopolicy.so
libusbhost.so 0x72bd878000 20480 (20.0 KiB) /system/lib64/libusbhost.so
libpdfium.so 0x72bf064000 4988928 (4.8 MiB) /system/lib64/libpdfium.so
libimg_utils.so 0x72bff88000 122880 (120.0 KiB) /system/lib64/libimg_utils.so
libnetd_client.so 0x72be2d4000 36864 (36.0 KiB) /system/lib64/libnetd_client.so
libprocessgroup.so 0x72c0d80000 258048 (252.0 KiB) /system/lib64/libprocessgroup.so
libnativebridge_lazy.so 0x72bd7b4000 20480 (20.0 KiB) /system/lib64/libnativebridge_lazy.so
libnativeloader_lazy.so 0x72bea9b000 16384 (16.0 KiB) /system/lib64/libnativeloader_lazy.so
libmemunreachable.so 0x72be34f000 200704 (196.0 KiB) /system/lib64/libmemunreachable.so
libvintf.so 0x72bfc32000 569344 (556.0 KiB) /system/lib64/libvintf.so
libnativedisplay.so 0x72beb4d000 77824 (76.0 KiB) /system/lib64/libnativedisplay.so
libnativewindow.so 0x72bdb2a000 28672 (28.0 KiB) /system/lib64/libnativewindow.so
libdl_android.so 0x72bfd44000 12288 (12.0 KiB) /apex/com.android.runtime/lib64/bionic/libdl_android.so
libstatslog.so 0x72c070f000 73728 (72.0 KiB) /system/lib64/libstatslog.so
libstatssocket.so 0x72bcd12000 24576 (24.0 KiB) /apex/com.android.os.statsd/lib64/libstatssocket.so
libtimeinstate.so 0x72bdf27000 49152 (48.0 KiB) /system/lib64/libtimeinstate.so
server_configurable_flags.so 0x72bdd80000 20480 (20.0 KiB) /system/lib64/server_configurable_flags.so
libstatspull.so 0x72c078d000 266240 (260.0 KiB) /apex/com.android.os.statsd/lib64/libstatspull.so
libvndksupport.so 0x72bdd1b000 16384 (16.0 KiB) /system/lib64/libvndksupport.so
libnativebridge.so 0x72c08a5000 24576 (24.0 KiB) /apex/com.android.art/lib64/libnativebridge.so
libmedia_codeclist.so 0x72bcf2e000 65536 (64.0 KiB) /system/lib64/libmedia_codeclist.so
libaudiomanager.so 0x72bebb6000 20480 (20.0 KiB) /system/lib64/libaudiomanager.so
libdatasource.so 0x72be8cc000 81920 (80.0 KiB) /system/lib64/libdatasource.so
libstagefright.so 0x72c0e41000 1830912 (1.7 MiB) /system/lib64/libstagefright.so
libstagefright_foundation.so 0x72bd18a000 212992 (208.0 KiB) /system/lib64/libstagefright_foundation.so
libstagefright_http_support.so 0x72bd9ef000 16384 (16.0 KiB) /system/lib64/libstagefright_http_support.so
libdng_sdk.so 0x72c0c80000 778240 (760.0 KiB) /system/lib64/libdng_sdk.so
libexpat.so 0x72c0856000 139264 (136.0 KiB) /system/lib64/libexpat.so
libjpeg.so 0x72c0067000 319488 (312.0 KiB) /system/lib64/libjpeg.so
libpiex.so 0x72c01da000 102400 (100.0 KiB) /system/lib64/libpiex.so
libpng.so 0x72bf6c4000 217088 (212.0 KiB) /system/lib64/libpng.so
libbinder_ndk.so 0x72beb27000 73728 (72.0 KiB) /system/lib64/libbinder_ndk.so
libheif.so 0x72bfd14000 40960 (40.0 KiB) /system/lib64/libheif.so
libprotobuf-cpp-lite.so 0x72be381000 483328 (472.0 KiB) /system/lib64/libprotobuf-cpp-lite.so
libft2.so 0x72bdb9d000 593920 (580.0 KiB) /system/lib64/libft2.so
libsync.so 0x72befc2000 16384 (16.0 KiB) /system/lib64/libsync.so
libicuuc.so 0x72bebc1000 1789952 (1.7 MiB) /apex/com.android.art/lib64/libicuuc.so
libicui18n.so 0x72c03cb000 2543616 (2.4 MiB) /apex/com.android.art/lib64/libicui18n.so
libbpf.so 0x72be1d8000 36864 (36.0 KiB) /system/lib64/libbpf.so
android.hardware.memtrack@1.0.so 0x72bd0e5000 81920 (80.0 KiB) /system/lib64/android.hardware.memtrack@1.0.so
libprocinfo.so 0x72bce03000 16384 (16.0 KiB) /system/lib64/libprocinfo.so
android.hardware.graphics.allocator@2.0.so 0x72bd006000 90112 (88.0 KiB) /system/lib64/android.hardware.graphics.allocator@2.0.so
android.hardware.graphics.allocator@3.0.so 0x72bf963000 90112 (88.0 KiB) /system/lib64/android.hardware.graphics.allocator@3.0.so
android.hardware.graphics.allocator@4.0.so 0x72c00c3000 86016 (84.0 KiB) /system/lib64/android.hardware.graphics.allocator@4.0.so
android.hardware.graphics.common-V1-ndk_platform.so 0x72c076a000 24576 (24.0 KiB) /system/lib64/android.hardware.graphics.common-V1-ndk_platform.so
android.hardware.graphics.common@1.2.so 0x72bde86000 12288 (12.0 KiB) /system/lib64/android.hardware.graphics.common@1.2.so
android.hardware.graphics.mapper@2.0.so 0x72bedc7000 102400 (100.0 KiB) /system/lib64/android.hardware.graphics.mapper@2.0.so
android.hardware.graphics.mapper@2.1.so 0x72c08e5000 106496 (104.0 KiB) /system/lib64/android.hardware.graphics.mapper@2.1.so
android.hardware.graphics.mapper@3.0.so 0x72bf85c000 114688 (112.0 KiB) /system/lib64/android.hardware.graphics.mapper@3.0.so
android.hardware.graphics.mapper@4.0.so 0x72bce49000 151552 (148.0 KiB) /system/lib64/android.hardware.graphics.mapper@4.0.so
libgralloctypes.so 0x72be193000 77824 (76.0 KiB) /system/lib64/libgralloctypes.so
android.hardware.graphics.bufferqueue@1.0.so 0x72bd903000 245760 (240.0 KiB) /system/lib64/android.hardware.graphics.bufferqueue@1.0.so
android.hardware.graphics.bufferqueue@2.0.so 0x72bdfc5000 217088 (212.0 KiB) /system/lib64/android.hardware.graphics.bufferqueue@2.0.so
android.hardware.graphics.common@1.1.so 0x72bef5b000 12288 (12.0 KiB) /system/lib64/android.hardware.graphics.common@1.1.so
android.hidl.token@1.0-utils.so 0x72be0e8000 20480 (20.0 KiB) /system/lib64/android.hidl.token@1.0-utils.so
android.frameworks.bufferhub@1.0.so 0x72bd659000 139264 (136.0 KiB) /system/lib64/android.frameworks.bufferhub@1.0.so
libbufferhub.so 0x72be744000 61440 (60.0 KiB) /system/lib64/libbufferhub.so
libbufferhubqueue.so 0x72bcdc1000 114688 (112.0 KiB) /system/lib64/libbufferhubqueue.so
libpdx_default_transport.so 0x72c0d4c000 155648 (152.0 KiB) /system/lib64/libpdx_default_transport.so
libandroid_runtime_lazy.so 0x72bfe7b000 16384 (16.0 KiB) /system/lib64/libandroid_runtime_lazy.so
libmediadrm.so 0x72bd891000 188416 (184.0 KiB) /system/lib64/libmediadrm.so
libmedia_omx.so 0x72be080000 192512 (188.0 KiB) /system/lib64/libmedia_omx.so
libmedia_jni_utils.so 0x72bd6ab000 12288 (12.0 KiB) /system/lib64/libmedia_jni_utils.so
libmediandk_utils.so 0x72bd144000 16384 (16.0 KiB) /system/lib64/libmediandk_utils.so
libbacktrace.so 0x72bf918000 163840 (160.0 KiB) /system/lib64/libbacktrace.so
android.hardware.configstore@1.0.so 0x72bc4dc000 147456 (144.0 KiB) /system/lib64/android.hardware.configstore@1.0.so
android.hardware.configstore-utils.so 0x72bff7d000 12288 (12.0 KiB) /system/lib64/android.hardware.configstore-utils.so
libSurfaceFlingerProp.so 0x72bfa20000 114688 (112.0 KiB) /system/lib64/libSurfaceFlingerProp.so
android.hardware.graphics.common@1.0.so 0x72bd3b9000 12288 (12.0 KiB) /system/lib64/android.hardware.graphics.common@1.0.so
android.system.suspend@1.0.so 0x72bfdd2000 122880 (120.0 KiB) /system/lib64/android.system.suspend@1.0.so
libpcre2.so 0x72bf668000 331776 (324.0 KiB) /system/lib64/libpcre2.so
libpackagelistparser.so 0x72be137000 12288 (12.0 KiB) /system/lib64/libpackagelistparser.so
capture_state_listener-aidl-V1-cpp.so 0x72c0c0c000 40960 (40.0 KiB) /system/lib64/capture_state_listener-aidl-V1-cpp.so
libaudioutils.so 0x72bd581000 139264 (136.0 KiB) /system/lib64/libaudioutils.so
libmediautils.so 0x72c0202000 221184 (216.0 KiB) /system/lib64/libmediautils.so
libnblog.so 0x72bcc85000 204800 (200.0 KiB) /system/lib64/libnblog.so
libvibrator.so 0x72bfe0b000 49152 (48.0 KiB) /system/lib64/libvibrator.so
libcgrouprc.so 0x72bc411000 20480 (20.0 KiB) /system/lib64/libcgrouprc.so
libhidl-gen-utils.so 0x72bdef0000 57344 (56.0 KiB) /system/lib64/libhidl-gen-utils.so
libtinyxml2.so 0x72bead1000 106496 (104.0 KiB) /system/lib64/libtinyxml2.so
android.hardware.media.omx@1.0.so 0x72bd3c6000 466944 (456.0 KiB) /system/lib64/android.hardware.media.omx@1.0.so
libstagefright_framecapture_utils.so 0x72bdc49000 167936 (164.0 KiB) /system/lib64/libstagefright_framecapture_utils.so
libcodec2.so 0x72c0176000 12288 (12.0 KiB) /system/lib64/libcodec2.so
libcodec2_vndk.so 0x72be20f000 606208 (592.0 KiB) /system/lib64/libcodec2_vndk.so
libmedia_omx_client.so 0x72bd8c8000 24576 (24.0 KiB) /system/lib64/libmedia_omx_client.so
libsfplugin_ccodec.so 0x72c02ea000 593920 (580.0 KiB) /system/lib64/libsfplugin_ccodec.so
libsfplugin_ccodec_utils.so 0x72bf706000 303104 (296.0 KiB) /system/lib64/libsfplugin_ccodec_utils.so
libstagefright_codecbase.so 0x72c0b77000 32768 (32.0 KiB) /system/lib64/libstagefright_codecbase.so
libstagefright_omx_utils.so 0x72be9cd000 24576 (24.0 KiB) /system/lib64/libstagefright_omx_utils.so
libRScpp.so 0x72c024c000 274432 (268.0 KiB) /system/lib64/libRScpp.so
libhidlallocatorutils.so 0x72c0bfa000 12288 (12.0 KiB) /system/lib64/libhidlallocatorutils.so
libhidlmemory.so 0x72bef09000 28672 (28.0 KiB) /system/lib64/libhidlmemory.so
android.hidl.allocator@1.0.so 0x72bf55d000 90112 (88.0 KiB) /system/lib64/android.hidl.allocator@1.0.so
android.hardware.cas.native@1.0.so 0x72bd950000 98304 (96.0 KiB) /system/lib64/android.hardware.cas.native@1.0.so
android.hardware.drm@1.0.so 0x72bf590000 434176 (424.0 KiB) /system/lib64/android.hardware.drm@1.0.so
android.hardware.common-V1-ndk_platform.so 0x72bd0b3000 16384 (16.0 KiB) /system/lib64/android.hardware.common-V1-ndk_platform.so
android.hardware.media@1.0.so 0x72c098c000 12288 (12.0 KiB) /system/lib64/android.hardware.media@1.0.so
android.hidl.token@1.0.so 0x72bdde7000 94208 (92.0 KiB) /system/lib64/android.hidl.token@1.0.so
libmediadrmmetrics_lite.so 0x72c0010000 122880 (120.0 KiB) /system/lib64/libmediadrmmetrics_lite.so
android.hardware.drm@1.1.so 0x72be7a3000 290816 (284.0 KiB) /system/lib64/android.hardware.drm@1.1.so
android.hardware.drm@1.2.so 0x72c0dd8000 425984 (416.0 KiB) /system/lib64/android.hardware.drm@1.2.so
android.hardware.drm@1.3.so 0x72bee19000 151552 (148.0 KiB) /system/lib64/android.hardware.drm@1.3.so
libunwindstack.so 0x72bd5cf000 454656 (444.0 KiB) /system/lib64/libunwindstack.so
android.hardware.configstore@1.1.so 0x72bf8e1000 118784 (116.0 KiB) /system/lib64/android.hardware.configstore@1.1.so
libspeexresampler.so 0x72bee4a000 20480 (20.0 KiB) /system/lib64/libspeexresampler.so
android.hardware.media.bufferpool@2.0.so 0x72bccca000 217088 (212.0 KiB) /system/lib64/android.hardware.media.bufferpool@2.0.so
libion.so 0x72c0ba3000 16384 (16.0 KiB) /system/lib64/libion.so
libfmq.so 0x72bd9a7000 16384 (16.0 KiB) /system/lib64/libfmq.so
libstagefright_bufferpool@2.0.1.so 0x72be306000 172032 (168.0 KiB) /system/lib64/libstagefright_bufferpool@2.0.1.so
android.hardware.media.c2@1.0.so 0x72bd2dd000 589824 (576.0 KiB) /system/lib64/android.hardware.media.c2@1.0.so
libcodec2_client.so 0x72bfa46000 151552 (148.0 KiB) /system/lib64/libcodec2_client.so
libstagefright_bufferqueue_helper.so 0x72c0801000 90112 (88.0 KiB) /system/lib64/libstagefright_bufferqueue_helper.so
libstagefright_omx.so 0x72bd7ec000 299008 (292.0 KiB) /system/lib64/libstagefright_omx.so
libstagefright_xmlparser.so 0x72bcd48000 90112 (88.0 KiB) /system/lib64/libstagefright_xmlparser.so
android.hidl.memory@1.0.so 0x72bed87000 143360 (140.0 KiB) /system/lib64/android.hidl.memory@1.0.so
android.hidl.memory.token@1.0.so 0x72c0923000 81920 (80.0 KiB) /system/lib64/android.hidl.memory.token@1.0.so
android.hardware.cas@1.0.so 0x72be980000 262144 (256.0 KiB) /system/lib64/android.hardware.cas@1.0.so
liblzma.so 0x72bc48c000 180224 (176.0 KiB) /system/lib64/liblzma.so
libdexfile_support.so 0x72be058000 20480 (20.0 KiB) /system/lib64/libdexfile_support.so
android.hidl.safe_union@1.0.so 0x72bde79000 12288 (12.0 KiB) /system/lib64/android.hidl.safe_union@1.0.so
android.hardware.media.c2@1.1.so 0x72bdc88000 196608 (192.0 KiB) /system/lib64/android.hardware.media.c2@1.1.so
libcodec2_hidl_client@1.0.so 0x72beec9000 110592 (108.0 KiB) /system/lib64/libcodec2_hidl_client@1.0.so
libcodec2_hidl_client@1.1.so 0x72bfec5000 16384 (16.0 KiB) /system/lib64/libcodec2_hidl_client@1.1.so
libart.so 0x702bd17000 6946816 (6.6 MiB) /apex/com.android.art/lib64/libart.so
libartpalette.so 0x72c165b000 16384 (16.0 KiB) /apex/com.android.art/lib64/libartpalette.so
libsigchain.so 0x72c16ba000 20480 (20.0 KiB) /system/lib64/libsigchain.so
libartbase.so 0x72c14c5000 491520 (480.0 KiB) /apex/com.android.art/lib64/libartbase.so
libdexfile.so 0x72c15ea000 270336 (264.0 KiB) /apex/com.android.art/lib64/libdexfile.so
libdexfile_external.so 0x72c155a000 28672 (28.0 KiB) /apex/com.android.art/lib64/libdexfile_external.so
libprofile.so 0x72c1489000 217088 (212.0 KiB) /apex/com.android.art/lib64/libprofile.so
libartpalette-system.so 0x72c1369000 24576 (24.0 KiB) /system/lib64/libartpalette-system.so
libtombstoned_client.so 0x72c138c000 24576 (24.0 KiB) /system/lib64/libtombstoned_client.so
boot.oat 0x70512000 3153920 (3.0 MiB) /apex/com.android.art/javalib/arm64/boot.oat
boot-core-libart.oat 0x70814000 417792 (408.0 KiB) /apex/com.android.art/javalib/arm64/boot-core-libart.oat
boot-core-icu4j.oat 0x7087a000 991232 (968.0 KiB) /apex/com.android.art/javalib/arm64/boot-core-icu4j.oat
boot-okhttp.oat 0x7096c000 253952 (248.0 KiB) /apex/com.android.art/javalib/arm64/boot-okhttp.oat
boot-bouncycastle.oat 0x709aa000 135168 (132.0 KiB) /apex/com.android.art/javalib/arm64/boot-bouncycastle.oat
boot-apache-xml.oat 0x709cb000 32768 (32.0 KiB) /apex/com.android.art/javalib/arm64/boot-apache-xml.oat
boot-framework.oat 0x718ff000 11661312 (11.1 MiB) /system/framework/arm64/boot-framework.oat
boot-ext.oat 0x7241e000 122880 (120.0 KiB) /system/framework/arm64/boot-ext.oat
boot-telephony-common.oat 0x7243c000 45056 (44.0 KiB) /system/framework/arm64/boot-telephony-common.oat
boot-voip-common.oat 0x72447000 36864 (36.0 KiB) /system/framework/arm64/boot-voip-common.oat
boot-ims-common.oat 0x72450000 20480 (20.0 KiB) /system/framework/arm64/boot-ims-common.oat
boot-framework-atb-backward-compatibility.oat 0x72455000 20480 (20.0 KiB) /system/framework/arm64/boot-framework-atb-backward-compatibility.oat
libadbconnection.so 0x7024989000 65536 (64.0 KiB) /apex/com.android.art/lib64/libadbconnection.so
libadbconnection_client.so 0x702494a000 221184 (216.0 KiB) /apex/com.android.adbd/lib64/libadbconnection_client.so
libriru_6011.so 0x7024744000 1085440 (1.0 MiB) /system/lib64/libriru_6011.so
libperfetto_hprof.so 0x70245d4000 368640 (360.0 KiB) /apex/com.android.art/lib64/libperfetto_hprof.so
libandroid.so 0x7024588000 143360 (140.0 KiB) /system/lib64/libandroid.so
libxml2.so 0x7024445000 1261568 (1.2 MiB) /system/lib64/libxml2.so
libpowermanager.so 0x7024401000 77824 (76.0 KiB) /system/lib64/libpowermanager.so
libaaudio.so 0x70243d5000 28672 (28.0 KiB) /system/lib64/libaaudio.so
libaaudio_internal.so 0x702434a000 311296 (304.0 KiB) /system/lib64/libaaudio_internal.so
libamidi.so 0x7024331000 36864 (36.0 KiB) /system/lib64/libamidi.so
libcamera2ndk.so 0x70242c3000 249856 (244.0 KiB) /system/lib64/libcamera2ndk.so
libjnigraphics.so 0x7024282000 24576 (24.0 KiB) /system/lib64/libjnigraphics.so
libOpenMAXAL.so 0x702426f000 16384 (16.0 KiB) /system/lib64/libOpenMAXAL.so
libOpenSLES.so 0x7024208000 16384 (16.0 KiB) /system/lib64/libOpenSLES.so
libRS.so 0x7024110000 73728 (72.0 KiB) /system/lib64/libRS.so
libutilscallstack.so 0x70241e3000 24576 (24.0 KiB) /system/lib64/libutilscallstack.so
android.hardware.renderscript@1.0.so 0x702414c000 417792 (408.0 KiB) /system/lib64/android.hardware.renderscript@1.0.so
libstdc++.so 0x70240de000 16384 (16.0 KiB) /system/lib64/libstdc++.so
libwebviewchromium_plat_support.so 0x70240ac000 20480 (20.0 KiB) /system/lib64/libwebviewchromium_plat_support.so
libicu_jni.so 0x7024060000 53248 (52.0 KiB) /apex/com.android.art/lib64/libicu_jni.so
libjavacore.so 0x7024002000 245760 (240.0 KiB) /apex/com.android.art/lib64/libjavacore.so
libandroidio.so 0x7023fe7000 16384 (16.0 KiB) /apex/com.android.art/lib64/libandroidio.so
libopenjdk.so 0x7022785000 221184 (216.0 KiB) /apex/com.android.art/lib64/libopenjdk.so
libopenjdkjvm.so 0x7022745000 40960 (40.0 KiB) /apex/com.android.art/lib64/libopenjdkjvm.so
libart-compiler.so 0x70223e0000 3485696 (3.3 MiB) /apex/com.android.art/lib64/libart-compiler.so
libvixl.so 0x70221a0000 2113536 (2.0 MiB) /apex/com.android.art/lib64/libvixl.so
libjavacrypto.so 0x7017229000 294912 (288.0 KiB) /apex/com.android.conscrypt/lib64/libjavacrypto.so
libcrypto.so 0x7017284000 1126400 (1.1 MiB) /system/lib64/libcrypto.so
libssl.so 0x70173c7000 339968 (332.0 KiB) /system/lib64/libssl.so
libc++.so 0x7017143000 720896 (704.0 KiB) /system/lib64/libc++.so
libmedia_jni.so 0x70130b9000 540672 (528.0 KiB) /system/lib64/libmedia_jni.so
libmediadrmmetrics_consumer.so 0x701305d000 28672 (28.0 KiB) /system/lib64/libmediadrmmetrics_consumer.so
libmtp.so 0x7013000000 237568 (232.0 KiB) /system/lib64/libmtp.so
libsonivox.so 0x7013166000 614400 (600.0 KiB) /system/lib64/libsonivox.so
libmediadrmmetrics_full.so 0x7012fd8000 147456 (144.0 KiB) /system/lib64/libmediadrmmetrics_full.so
libasyncio.so 0x7012d71000 12288 (12.0 KiB) /system/lib64/libasyncio.so
libprotobuf-cpp-full.so 0x7012d81000 2232320 (2.1 MiB) /system/lib64/libprotobuf-cpp-full.so
libsoundpool.so 0x7012d0c000 90112 (88.0 KiB) /system/lib64/libsoundpool.so
libaudioeffect_jni.so 0x7012cc5000 49152 (48.0 KiB) /system/lib64/libaudioeffect_jni.so
librs_jni.so 0x7012c9a000 73728 (72.0 KiB) /system/lib64/librs_jni.so
android.hidl.base-V1.0-java.odex 0x7010a91000 20480 (20.0 KiB) /system/framework/oat/arm64/android.hidl.base-V1.0-java.odex
android.hidl.manager-V1.0-java.odex 0x7010a54000 20480 (20.0 KiB) /system/framework/oat/arm64/android.hidl.manager-V1.0-java.odex
android.test.base.odex 0x7010a09000 20480 (20.0 KiB) /system/framework/oat/arm64/android.test.base.odex
android.hardware.graphics.mapper@3.0-impl-qti-display.so 0x7010390000 45056 (44.0 KiB) /vendor/lib64/hw/android.hardware.graphics.mapper@3.0-impl-qti-display.so
libutils.so 0x7010697000 122880 (120.0 KiB) /apex/com.android.vndk.v30/lib64/libutils.so
libcutils.so 0x701085a000 73728 (72.0 KiB) /apex/com.android.vndk.v30/lib64/libcutils.so
libhardware.so 0x701081c000 12288 (12.0 KiB) /apex/com.android.vndk.v30/lib64/libhardware.so
libhidlbase.so 0x7010543000 757760 (740.0 KiB) /apex/com.android.vndk.v30/lib64/libhidlbase.so
libqdMetaData.so 0x70107c3000 20480 (20.0 KiB) /vendor/lib64/libqdMetaData.so
libgrallocutils.so 0x70106d4000 45056 (44.0 KiB) /vendor/lib64/libgrallocutils.so
libgralloccore.so 0x70102b5000 40960 (40.0 KiB) /vendor/lib64/libgralloccore.so
vendor.qti.hardware.display.mapper@3.0.so 0x7010419000 114688 (112.0 KiB) /vendor/lib64/vendor.qti.hardware.display.mapper@3.0.so
vendor.qti.hardware.display.mapperextensions@1.0.so 0x7010312000 167936 (164.0 KiB) /vendor/lib64/vendor.qti.hardware.display.mapperextensions@1.0.so
android.hardware.graphics.mapper@2.0.so 0x70102d6000 102400 (100.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@2.0.so
android.hardware.graphics.mapper@2.1.so 0x70103cf000 106496 (104.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@2.1.so
android.hardware.graphics.mapper@3.0.so 0x701091a000 114688 (112.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@3.0.so
vendor.qti.hardware.display.mapperextensions@1.1.so 0x7010500000 143360 (140.0 KiB) /vendor/lib64/vendor.qti.hardware.display.mapperextensions@1.1.so
libc++.so 0x701070e000 720896 (704.0 KiB) /apex/com.android.vndk.v30/lib64/libc++.so
libprocessgroup.so 0x7010940000 258048 (252.0 KiB) /apex/com.android.vndk.v30/lib64/libprocessgroup.so
libbase.so 0x7010480000 249856 (244.0 KiB) /apex/com.android.vndk.v30/lib64/libbase.so
libgralloc.qti.so 0x70108f7000 32768 (32.0 KiB) /vendor/lib64/libgralloc.qti.so
libion.so 0x7010638000 16384 (16.0 KiB) /apex/com.android.vndk.v30/lib64/libion.so
android.hardware.graphics.common@1.0.so 0x7010673000 12288 (12.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.0.so
android.hardware.graphics.common@1.1.so 0x701047b000 12288 (12.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.1.so
android.hardware.graphics.common@1.2.so 0x70104ce000 12288 (12.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common@1.2.so
libgralloctypes.so 0x7010883000 77824 (76.0 KiB) /apex/com.android.vndk.v30/lib64/libgralloctypes.so
android.hardware.graphics.mapper@4.0.so 0x7010995000 151552 (148.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.mapper@4.0.so
android.hardware.graphics.common-V1-ndk_platform.so 0x70109dc000 24576 (24.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.graphics.common-V1-ndk_pl...
android.hardware.common-V1-ndk_platform.so 0x7010376000 16384 (16.0 KiB) /apex/com.android.vndk.v30/lib64/android.hardware.common-V1-ndk_platform.so
libEGL_adreno.so 0x7010021000 45056 (44.0 KiB) /vendor/lib64/egl/libEGL_adreno.so
libadreno_utils.so 0x700ffc3000 94208 (92.0 KiB) /vendor/lib64/libadreno_utils.so
libgsl.so 0x701006e000 2125824 (2.0 MiB) /vendor/lib64/libgsl.so
libz.so 0x700ff99000 98304 (96.0 KiB) /apex/com.android.vndk.v30/lib64/libz.so
libGLESv2_adreno.so 0x700ee18000 4059136 (3.9 MiB) /vendor/lib64/egl/libGLESv2_adreno.so
libllvm-glnext.so 0x700f207000 13905920 (13.3 MiB) /vendor/lib64/libllvm-glnext.so
libGLESv1_CM_adreno.so 0x700edc3000 241664 (236.0 KiB) /vendor/lib64/egl/libGLESv1_CM_adreno.so
eglSubDriverAndroid.so 0x700ed49000 77824 (76.0 KiB) /vendor/lib64/egl/eglSubDriverAndroid.so
vendor.qti.hardware.display.mapper@2.0.so 0x700ed9b000 118784 (116.0 KiB) /vendor/lib64/vendor.qti.hardware.display.mapper@2.0.so
libcompiler_rt.so 0x700ec8a000 544768 (532.0 KiB) /system/lib64/libcompiler_rt.so
libwebviewchromium_loader.so 0x700ec7b000 16384 (16.0 KiB) /system/lib64/libwebviewchromium_loader.so
frida-agent-64.so 0x6fcb683000 22749184 (21.7 MiB) /data/local/tmp/re.frida.server/frida-agent-64.so
org.apache.http.legacy.odex 0x701a484000 339968 (332.0 KiB) /system/framework/oat/arm64/org.apache.http.legacy.odex
system_ext@priv-app@Settings@Settings.apk@classes.dex 0x701a148000 1486848 (1.4 MiB) /data/dalvik-cache/arm64/system_ext@priv-app@Settings@Settings.apk@classes....
libstats_jni.so 0x701b858000 12288 (12.0 KiB) /apex/com.android.os.statsd/lib64/libstats_jni.so
gralloc.msmnile.so 0x6fbc923000 45056 (44.0 KiB) /vendor/lib64/hw/gralloc.msmnile.so
linux-vdso.so.1 0x72c2ba7000 4096 (4.0 KiB) linux-vdso.so.1
这里以 hook liblog 为例。打印 log 一般用的接口是 __android_log_print,原型为 int __android_log_print(int prio, const char* tag, const char* fmt, ...),那就 hook 下这个接口。首先准备好 hook 脚本:
/**
 * Attach a Frida interceptor to liblog.so's exported __android_log_print
 * (int prio, const char *tag, const char *fmt, ...) and print its first
 * three arguments plus the return value.
 *
 * Only the format string is printed; the variadic values that follow it are
 * not read, so messages appear with their placeholders unexpanded.
 */
function hook_native() {
  // Resolved by export name, so no build-specific offset is needed here.
  const logPrint = Module.getExportByName("liblog.so", "__android_log_print");

  Interceptor.attach(logPrint, {
    // Method shorthand (not an arrow function) keeps Frida's per-call `this`.
    onEnter(args) {
      // args is indexed directly: only the slots the prototype defines are read.
      console.log("args 1 ", args[0]); // prio, printed as a raw pointer-sized value
      const tag = args[1].readCString();
      console.log("args 2 ", tag);
      const fmt = args[2].readCString();
      console.log("args 3 ", fmt);
    },
    onLeave(retval) {
      console.log("retval is ", retval);
    },
  });
}
/** Script entry point: installs the __android_log_print hook. */
function main() {
  hook_native();
}
// Schedule main() through setImmediate instead of calling it inline.
setImmediate(main);
这儿就是打印下参数和返回值(第三个参数是格式串,所以会看到未展开的 %d),这时候操作下设置,显示如下:
shanks@BINDERLI-MB0 frida-agent-example % frida -UF -p 25064 -l hook.js
____
/ _ | Frida 15.1.24 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Pixel 4 (id=9A291FFAZ00BWF)
[Pixel 4::PID::25064 ]-> args 1 0x6
args 2 MediaPlayerNative
args 3 error (%d, %d)
retval is 0x1
args 1 0x5
args 2 MediaPlayer-JNI
args 3 MediaPlayer finalized without being released
retval is 0x1
如果不确定目标应用使用了哪些符号,可以借助frida-trace工具, 比如执行 frida-trace -UF com.android.settings -I liblog.so
就会按线程输出函数调用跟踪(缩进表示嵌套调用):
/* TID 0x6226 */
12345 ms __android_log_buf_write()
12345 ms | __android_log_is_loggable()
12345 ms | | __android_log_get_minimum_priority()
12346 ms | __android_log_write_log_message()
12346 ms | | __android_log_logd_logger()
12346 ms | | | __android_log_is_debuggable()
12347 ms __android_log_buf_write()
12347 ms | __android_log_is_loggable()
12347 ms | | __android_log_get_minimum_priority()
12347 ms | __android_log_write_log_message()
12347 ms | | __android_log_logd_logger()
12347 ms | | | __android_log_is_debuggable()
12347 ms __android_log_buf_write()
12347 ms | __android_log_is_loggable()
12347 ms | | __android_log_get_minimum_priority()
12348 ms | __android_log_write_log_message()
12348 ms | | __android_log_logd_logger()
12348 ms | | | __android_log_is_debuggable()
这样就知道调用了 __android_log_buf_write。如果函数的符号没有导出,可以通过 IDA 查看它相对模块基址的偏移,然后按“基址 + 偏移”继续 hook。下面再以 __android_log_buf_write 示范:通过工具查到它相对 liblog.so 基址的偏移是 0x6760(该偏移只对这一版本的 liblog.so 成立,换设备或系统版本后需要重新确认),原型如下:
int __android_log_buf_write(int bufID, int prio, const char* tag, const char* msg)
那么写脚本如下:
/**
 * Attach a Frida interceptor at liblog.so base + 0x6760 and print four
 * arguments plus the return value. The accompanying text gives the target as
 * int __android_log_buf_write(int bufID, int prio, const char *tag,
 * const char *msg).
 *
 * NOTE(review): 0x6760 is a hard-coded offset taken from one liblog.so build.
 * It has to be re-derived for any other device or OS image; at a stale offset
 * the interceptor lands on unrelated code and the tag/msg reads below would
 * dereference whatever that code receives in those slots.
 */
function hook_native() {
  const target = Module.getBaseAddress("liblog.so").add('0x6760');

  Interceptor.attach(target, {
    // Method shorthand (not an arrow function) keeps Frida's per-call `this`.
    onEnter(args) {
      console.log("args 1 ", args[0]); // bufID
      console.log("args 2 ", args[1]); // prio
      const tag = args[2].readCString();
      console.log("args 3 ", tag);
      const msg = args[3].readCString();
      console.log("args 4 ", msg);
    },
    onLeave(retval) {
      console.log("retval is ", retval);
    },
  });
}
/** Script entry point: installs the offset-based liblog.so hook. */
function main() {
  hook_native();
}
// Schedule main() through setImmediate instead of calling it inline.
setImmediate(main);
再次hook,结果如下:
shanks@BINDERLI-MB0 frida-agent-example % frida -UF com.android.settings -l hook.js
____
/ _ | Frida 15.1.24 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Pixel 4 (id=9A291FFAZ00BWF)
[Pixel 4::Settings ]-> args 1 0x0
args 2 0x5
args 3 ContextualCardManager
args 4 Legacy suggestion contextual card enabled, skipping contextual cards.
retval is 0x1
args 1 0x0
args 2 0x3
args 3 AvatarViewMixin
args 4 Feature disabled by config. Skipping
retval is 0x1
args 1 0x0
args 2 0x3
args 3 ControllerRendererPool
args 4 Controller is already there.
retval is 0x1
这样就愉快地完成hook了。