我正在做一些关于挂钩 android 原生库的练习。我写了这个脚本:
function processJniOnLoad(libraryName) {
const funcSym = "Java_com_mobisec_gonative_FlagChecker_helloFromTheOtherSide";
const funcPtr = Module.findExportByName(libraryName, funcSym);
const membase = Module.findBaseAddress(libraryName);
console.log("Base address is " + membase);
console.log("[+] Hooking " + funcSym + "() @ " + funcPtr + "...");
Module.enumerateExports(libraryName, { onMatch: function(e) { console.log("type " + e.type + " name of function = " + e.name + " " + e.address); }, onComplete: function() { } });
}
function waitForLibLoading(libraryName) {
console.log("loaded !!");
var isLibLoaded = false;
Interceptor.attach(Module.findExportByName(null, "open"), {
onEnter: function (args) {
var libraryPath = Memory.readCString(args[0]);
console.log(libraryPath);
if (libraryPath.includes(libraryName)) {
console.log("[+] Loading library " + libraryPath + "...");
isLibLoaded = true;
}
},
onLeave: function (args) {
if (isLibLoaded) {
processJniOnLoad(libraryName);
isLibLoaded = false;
}
}
});
}
waitForLibLoading("libnative-lib.so");
但它不能工作(基地址为空,...),结果如下:
loaded !!
/proc/self/cmdline
/data/app/com.mobisec.gonative-U8SZLMGh96sgK6qTGxmRqQ==/base.apk
/data/app/com.mobisec.gonative-U8SZLMGh96sgK6qTGxmRqQ==/lib/x86/libnative-lib.so
[+] Loading library /data/app/com.mobisec.gonative-U8SZLMGh96sgK6qTGxmRqQ==/lib/x86/libnative-lib.so...
Base address is null
[+] Hooking Java_com_mobisec_gonative_FlagChecker_helloFromTheOtherSide() @ null...
但是当我通过键入所有命令手动执行此操作时,它的工作:
[Google Pixel::com.mobisec.gonative]-> const membase = Module.findBaseAddress("libnative-lib.so");
[Google Pixel::com.mobisec.gonative]-> console.log("Base address is " + membase);
Base address is 0xc935a000
[Google Pixel::com.mobisec.gonative]-> Module.findExportByName("libnative-lib.so","Java_com_mobisec_gonative_FlagChecke r_helloFromTheOtherSide")
"0xc935a630"
[Google Pixel::com.mobisec.gonative]->
那么为什么我的脚本失败了?