Android 5.1.1 AUTO模式时，后加载so无法hook #17

0x6666 · 2021-11-26T10:41:24Z

手机：Xiaomi MI NOTE Pro
系统：Android 5.1.1
bhook： 1.0.3

bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true);
bytehook_hook_all(nullptr, "getaddrinfo", (void*)MY_getaddrinfo, hookCallbac, nullptr);

以上代码执行完后再加载webview，无法hook libwebviewchromium.so
但是，先在加载webview后再执行以上代码，则可以hook到libwebviewchromium.so

The text was updated successfully, but these errors were encountered:

caikelun · 2021-11-29T03:16:31Z

手机：Xiaomi MI NOTE Pro 系统：Android 5.1.1 bhook： 1.0.3
bytehook_init(BYTEHOOK_MODE_AUTOMATIC, true);
bytehook_hook_all(nullptr, "getaddrinfo", (void*)MY_getaddrinfo, hookCallbac, nullptr);
以上代码执行完后再加载webview，无法hook libwebviewchromium.so 但是，先在加载webview后再执行以上代码，则可以hook到libwebviewchromium.so

收到，感谢反馈，我调试一下。

caikelun · 2021-12-06T05:31:42Z

@0x6666 我没找到和你一样的机型。我在 nexus5(Android 5.1.1) 上试了，无论在 bytehook_hook_all 之前或之后加载 libwebviewchromium.so，都可以 hook 到 libwebviewchromium.so 中的 getaddrinfo。你可以把 bytehook 的日志打开，观察下 hook 之前和之后加载libwebviewchromium.so的执行流程区别，或者把日志在这里贴一下。

0x6666 · 2021-12-06T09:16:57Z

...
...
2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7fa3359be8, orig func 7fa74a2c84
2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7fa3359be8, func 7f915b401c
2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: del func, GOT 7fa3359be8, func 7f915b401c
2021-12-06 16:53:46.449 15718-15718/cc.dns.demo I/bytehook_tag: DL monitor: post init, OK
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: trampo: created for GOT 7f9ac73de0 at 7f8fc07690, size 104 + 16 = 120
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7f9ac73de0, orig func 7fb1eb74b0
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7f9ac73de0, func 7f9155246c
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: verify OK: getaddrinfo in libc.so
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: auto REPLACE. GOT 7f9ac73de0: 7fb1eb74b0 -> 7f8fc07690, getaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so
2021-12-06 16:53:46.469 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: hook OK. GOT 7f9ac73de0: + 7f9155246c, getaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: trampo: created for GOT 7f9ac73de8 at 7f8fc07708, size 104 + 16 = 120
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: created for GOT 7f9ac73de8, orig func 7fb1eb61d0
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: add(new) func, GOT 7f9ac73de8, func 7f915527a4
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: verify OK: freeaddrinfo in libc.so
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: auto REPLACE. GOT 7f9ac73de8: 7fb1eb61d0 -> 7f8fc07708, freeaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so
2021-12-06 16:53:46.489 15718-15718/cc.dns.demo I/bytehook_tag: hook chain: hook OK. GOT 7f9ac73de8: + 7f915527a4, freeaddrinfo, /data/app/com.google.android.webview-2/lib/arm64/libwebviewchromium.so

以上是先加载libwebviewchromium.so的部分日志。

后加载libwebviewchromium.so，日志会停留在DL monitor: post init, OK，加载so的过程或者之后没有任何日志。
后加载的过程中bh_dl_monitor_proxy_dlopen和bh_dl_monitor_stub_android_dlopen_ext没有回调。
bh_dl_monitor_proxy_loader_dlopen和bh_dl_monitor_proxy_loader_android_dlopen_ext也没有（我注释了__ANDROID_API_O__的限制）

caikelun · 2021-12-06T12:56:03Z

Android 5.x 应该只可能走dlopen 和 android_dlopen_ext。bytehook 内部对这两个函数做了 hook_all（hook 到 bh_dl_monitor_proxy_dlopen 和 bh_dl_monitor_proxy_android_dlopen_ext）。可以看下日志，判断下这两个函数都hook到哪些 caller so 上了。

另外，你本地代码是否修改过其他地方？换个其他5.1.1的设备也能重现问题吗？

0x6666 · 2021-12-07T02:01:30Z

init.log

这是初始化的完整日志，看起来dlopen相关函数没hook到
我只有在调试bhook的的时候才会编译其源码，其他时候都是直接用仓库里的包，以上日志也是用仓库的包输出的
我手上暂时也没有其他5.x了

Crash Thread-> [pid:15662]:[pname:com.example_for_hidden.ph] [tid:16061]:[tname:sps-core] x0 00000071217f7d90 x1 000000710b01e350 x2 0000000000000000 x3 0000000000000000 x4 8080808080000000 x5 0000000000000000 x6 0000008080808080 x7 fefefefeff6e722d x8 726569727261626f x9 00000071ddf30280 x10 0000000a30203020 x11 0000000000000000 x12 000000000000018c x13 98e1752cb5d3e1ab x14 007491a877137aec x15 ffffffffffffffff x16 00000071637dbf20 x17 000000726dc6087c x18 000000711de9e000 x19 0000000000000000 x20 0000000000000000 x21 00000071d66640e0 x22 726569727261626f x23 00000071d6664108 x24 00000071217fc000 x25 00000071d66640e8 x26 0000000000000001 x27 0000000000000000 x28 00000000655785c7 x29 00000071217f7dc0 sp 00000071217f7d90 lr 00000071637d450c pc 00000071637d4530 stack: #00 pc 000000000000a530 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!liblubanhook.so (offset 0x1b17000) (bh_elf_manager_refresh+1436) (BuildId: 8bf4f411698f5d0194eb5f99234231ec40b3f469) bytedance#1 pc 0000000000008560 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!liblubanhook.so (offset 0x1b17000) (BuildId: 8bf4f411698f5d0194eb5f99234231ec40b3f469) bytedance#2 pc 000000000000108c /apex/com.android.runtime/lib64/bionic/libdl.so (dlclose+8) (BuildId: 0ef8b9fd3ba84892809321b735317a50) #03 pc 0000000000155264 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#4 pc 00000000001577e8 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) #05 pc 00000000000dd730 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#6 pc 000000000011fa70 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) #07 pc 000000000005bedc /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#8 pc 000000000002ffc4 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#9 pc 000000000002fbb4 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#10 pc 000000000002f4e4 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#11 pc 00000000001b2978 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/split_config.arm64_v8a.apk!libexample_for_hidden.so (offset 0x2299000) (BuildId: 606487eb6a92f9fcc2f957ccd85c2943a22edc26) bytedance#12 pc 00000000002daf18 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/oat/arm64/base.odex (art_jni_trampoline+152) bytedance#13 pc 0000000000913f54 /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/oat/arm64/base.odex (com.example_for_hidden.example_for_hidden.wvvvuwwu.vwvvvuvuv+84) bytedance#14 pc 00000000008f018c /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/oat/arm64/base.odex (com.example_for_hidden.example_for_hidden.uvuuwwuww.vuwuwuuuw.vvwvwwwwu+1084) bytedance#15 pc 00000000008f0ffc /data/app/~~4OPpN4vZ38SuvHU2NPnRnA==/com.example_for_hidden.ph-SPA1I_lJ-Zc2SPOE9_ucRQ==/oat/arm64/base.odex (com.example_for_hidden.example_for_hidden.uvuuwwuww.vuwuwuuuw.handleMessage+620) bytedance#16 pc 00000000006a4cf8 /system/framework/arm64/boot-framework.oat (android.os.Handler.dispatchMessage+136) (BuildId: adacda98a7a45bd33ea7f02316d4c011be2906a6) bytedance#17 pc 000000000074044c /system/framework/arm64/boot-framework.oat (android.os.Looper.loop+2220) (BuildId: adacda98a7a45bd33ea7f02316d4c011be2906a6) bytedance#18 pc 00000000006a6ea0 /system/framework/arm64/boot-framework.oat (android.os.HandlerThread.run+544) (BuildId: adacda98a7a45bd33ea7f02316d4c011be2906a6) bytedance#19 pc 0000000000133564 /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: 2cc47e90cab939f919f347ffb2e8950a) bytedance#20 pc 00000000001a8a78 /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200) (BuildId: 2cc47e90cab939f919f347ffb2e8950a) bytedance#21 pc 0000000000555830 /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithJValues<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, jvalue const*)+460) (BuildId: 2cc47e90cab939f919f347ffb2e8950a) bytedance#22 pc 00000000005a3fb8 /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1308) (BuildId: 2cc47e90cab939f919f347ffb2e8950a) bytedance#23 pc 00000000000da278 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xd2000) (__pthread_start(void*)+64) (BuildId: 1ca28d785d6567d2b225cf978ef04de5) bytedance#24 pc 000000000007a448 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 1ca28d785d6567d2b225cf978ef04de5)

tyrionchen mentioned this issue Feb 22, 2022

c++在Andorid 11上hook android_dlopen_ext会崩溃 #28

Closed

cmzy mentioned this issue Mar 28, 2023

#Bugfix [Crash]: Crashed on multi thread: #70

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Android 5.1.1 AUTO模式时，后加载so无法hook #17

Android 5.1.1 AUTO模式时，后加载so无法hook #17

0x6666 commented Nov 26, 2021 •

edited

Loading

caikelun commented Nov 29, 2021

caikelun commented Dec 6, 2021

0x6666 commented Dec 6, 2021 •

edited

Loading

caikelun commented Dec 6, 2021

0x6666 commented Dec 7, 2021

Android 5.1.1 AUTO模式时，后加载so无法hook #17

Android 5.1.1 AUTO模式时，后加载so无法hook #17

Comments

0x6666 commented Nov 26, 2021 • edited Loading

caikelun commented Nov 29, 2021

caikelun commented Dec 6, 2021

0x6666 commented Dec 6, 2021 • edited Loading

caikelun commented Dec 6, 2021

0x6666 commented Dec 7, 2021

0x6666 commented Nov 26, 2021 •

edited

Loading

0x6666 commented Dec 6, 2021 •

edited

Loading