The previous post looked at how fishhook works; building on that, this post walks through the fishhook source.
We start from rebind_symbols, the entry point an application calls to use fishhook:
```c
int rebind_symbols_image(void *header,
                         intptr_t slide,
                         struct rebinding rebindings[],
                         size_t rebindings_nel);

int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel) {
  // prepend_rebindings adds the whole rebindings array to the head of the _rebindings_head list.
  // fishhook keeps the arguments of every rebind_symbols call in a linked list; each call
  // inserts a node at the head of the list, _rebindings_head.
  int retval = prepend_rebindings(&_rebindings_head, rebindings, rebindings_nel);
  // If prepend_rebindings failed (negative result), return the error code directly.
  if (retval < 0) {
    return retval;
  }
  // _rebindings_head->next being NULL means this is the first call.
  if (!_rebindings_head->next) {
    // First call: register a callback with _dyld_register_func_for_add_image.
    // Images already loaded by dyld enter the callback immediately;
    // images loaded later trigger it when dyld maps them.
    _dyld_register_func_for_add_image(_rebind_symbols_for_image);
  } else {
    // Later calls: iterate over the already loaded images and hook each one.
    uint32_t c = _dyld_image_count();
    for (uint32_t i = 0; i < c; i++) {
      _rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
    }
  }
  return retval;
}
```
1. rebind_symbols_image
prepend_rebindings is called to wrap the rebindings array and its count nel, passed in by the caller of rebind_symbols, into a rebindings_entry struct,
```c
int retval = prepend_rebindings(&_rebindings_head, rebindings, rebindings_nel);
```
```c
struct rebindings_entry {
  struct rebinding *rebindings;
  size_t rebindings_nel;
  struct rebindings_entry *next;
};
static struct rebindings_entry *_rebindings_head;
```
and to push it onto the _rebindings_head list (the arguments of every rebind_symbols call are kept in a linked list; each call inserts a node at the head).
!_rebindings_head->next tells whether this is the first call to rebind_symbols.
On the first call, dyld's _dyld_register_func_for_add_image is used to register a callback: images already loaded by dyld enter the callback _rebind_symbols_for_image immediately, and images not yet loaded trigger it when dyld maps them.
On later calls, all loaded images are fetched and _rebind_symbols_for_image is invoked by hand on each one.
```c
if (!_rebindings_head->next) {
  // First call: register a callback with _dyld_register_func_for_add_image.
  // Images already loaded by dyld enter the callback immediately;
  // images loaded later trigger it when dyld maps them.
  _dyld_register_func_for_add_image(_rebind_symbols_for_image);
} else {
  // Later calls: iterate over the already loaded images and hook each one.
  uint32_t c = _dyld_image_count();
  for (uint32_t i = 0; i < c; i++) {
    _rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
  }
}
```
_rebind_symbols_for_image in turn calls rebind_symbols_for_image:
```c
static void _rebind_symbols_for_image(const struct mach_header *header,
                                      intptr_t slide) {
  rebind_symbols_for_image(_rebindings_head, header, slide);
}
```
2. rebind_symbols_for_image first calls dladdr to obtain symbol information for the image header:
```c
Dl_info info;
if (dladdr(header, &info) == 0) {
  return;
}
```
A note on dladdr, for reference (the following is from the HP-UX 11i Version 3 dladdr(3C) manual page, February 2007):
dladdr() - obtain symbol information for an address
dladdr() is one of a family of routines that give the user direct access to the dynamic linking facilities (link with the -ldl option on the compiler or ld command line). Through dladdr() a process can obtain information about the symbol most closely defining a given address. dladdr() determines whether the specified address lies within one of the load modules (executable or shared libraries) that make up the process's address space. An address is considered to be within a load module if it lies between the base address at which the module is mapped and the highest virtual address mapped for that module, inclusive. If a load module satisfies this condition, its dynamic symbol table is searched for the symbol closest to the specified address. The closest symbol is the one whose value is equal to, or closest to but less than, the specified address.
dlip is a pointer to a Dl_info structure, which must be allocated by the user. If the specified address lies within one of the load modules, the structure members are set by dladdr().
The Dl_info structure contains the following members:
```c
struct {
  const char *dli_fname;
  void       *dli_fbase;
  const char *dli_sname;
  void       *dli_saddr;
  size_t      dli_size;   /* ELF only */
  int         dli_bind;   /* ELF only */
  int         dli_type;
};
```
The Dl_info fields are:
dli_fname   A pointer to the filename of the load module containing address. The contents of this memory location may change after each call to dladdr().
dli_fbase   A handle to the load module. This handle can be used as the first argument to dlsym().
dli_sname   A pointer to the name of the symbol closest to the specified address. That symbol either has the same address or is the closest symbol with a lower address. The contents of this memory location may change after subsequent calls to dladdr().
dli_saddr   The actual address of the closest symbol. For code symbols it contains the address of the OPD (official procedure descriptor) of the closest code symbol.
dli_size    (ELF processes only) The size of the closest symbol as defined in the dynamic symbol table.
dli_bind    (ELF processes only) The binding attribute of the closest symbol as defined in the dynamic symbol table. The values are those used for symbol binding in the ELF symbol table (see <elf.h>).
dli_type    The type of the closest symbol. For ELF processes this is the same as the type value in the dynamic symbol table; the values are those used for symbol types in the ELF symbol table (see <elf.h>). For SOM processes this may include the values TYPE_DATA or TYPE_PROCEDURE defined in <dl.h>.
Return value
If the specified address is not within the range of one of the load modules, 0 is returned and the contents of the Dl_info structure are left unmodified. Otherwise a non-zero value is returned and the Dl_info fields are set.
Diagnostics
If no symbol whose value is less than or equal to address can be found within the load module containing address, the dli_sname, dli_saddr and dli_size fields are set to 0, dli_bind is set to STB_LOCAL, and dli_type is set to STT_NOTYPE.
For an a.out, normally only a subset of the visible symbols is exported: in particular, those referenced by the load modules the a.out is linked against. The exact set of exported symbols of any shared library or a.out can be controlled with the linker (see ld(1)).
Errors
If dladdr() fails, a subsequent call to dlerrno() returns one of the following values:
[RTLD_ERR_BAD_DLL] Invalid symbol address in load module.
[RTLD_ERR_CANT_APPLY_RELOC] Unable to perform relocations in library.
[RTLD_ERR_DLADDR_NOTFOUND] The address was not found in any load module.
[RTLD_ERR_NO_MEMORY] Out of memory.
[RTLD_ERR_SETCANCELSTATE_FAILED] __thread_setcancelstate failed on entry to or exit from dladdr().
[RTLD_ERR_SIGENABLE_FAILED] sigenable failed on exit from dladdr().
[RTLD_ERR_SIGINHIBIT_FAILED] siginhibit failed on entry to dladdr().
Once that check passes, the function searches the Mach-O image:
```c
segment_command_t *cur_seg_cmd;
segment_command_t *linkedit_segment = NULL;
struct symtab_command* symtab_cmd = NULL;
struct dysymtab_command* dysymtab_cmd = NULL;
```
These variables hold the __LINKEDIT segment and the LC_SYMTAB and LC_DYSYMTAB load commands found among the load commands.
```c
uintptr_t cur = (uintptr_t)header + sizeof(mach_header_t);
for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
  cur_seg_cmd = (segment_command_t *)cur;
  if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
    if (strcmp(cur_seg_cmd->segname, SEG_LINKEDIT) == 0) {
      linkedit_segment = cur_seg_cmd;
    }
  } else if (cur_seg_cmd->cmd == LC_SYMTAB) {
    symtab_cmd = (struct symtab_command*)cur_seg_cmd;
  } else if (cur_seg_cmd->cmd == LC_DYSYMTAB) {
    dysymtab_cmd = (struct dysymtab_command*)cur_seg_cmd;
  }
}
```
The loop skips the Mach-O header and iterates over the load commands; each segment load command has the following layout:
```c
struct segment_command_64 { /* for 64-bit architectures */
  uint32_t  cmd;          /* LC_SEGMENT_64 */
  uint32_t  cmdsize;      /* includes sizeof section_64 structs */
  char      segname[16];  /* segment name */
  uint64_t  vmaddr;       /* memory address of this segment */
  uint64_t  vmsize;       /* memory size of this segment */
  uint64_t  fileoff;      /* file offset of this segment */
  uint64_t  filesize;     /* amount to map from the file */
  vm_prot_t maxprot;      /* maximum VM protection */
  vm_prot_t initprot;     /* initial VM protection */
  uint32_t  nsects;       /* number of sections in segment */
  uint32_t  flags;        /* flags */
};
```
To find __LINKEDIT, LC_SYMTAB and LC_DYSYMTAB it is enough to walk the load commands and check cmd and segname; that locates each of these commands.
```c
// If any of the load commands just looked up is missing, return.
if (!symtab_cmd || !dysymtab_cmd || !linkedit_segment ||
    !dysymtab_cmd->nindirectsyms) {
  return;
}
```
From the post on how fishhook works we know that hooking involves four tables, and locating those tables depends on these load commands, so if any of them is missing the function returns.
```c
uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
```
base address for link-edit data = __LINKEDIT.VM_Address - __LINKEDIT.File_Offset + slide
```c
struct symtab_command {
  uint32_t cmd;      /* LC_SYMTAB */
  uint32_t cmdsize;  /* sizeof(struct symtab_command) */
  uint32_t symoff;   /* symbol table offset */
  uint32_t nsyms;    /* number of symbol table entries */
  uint32_t stroff;   /* string table offset */
  uint32_t strsize;  /* string table size in bytes */
};
```
In LC_SYMTAB, symoff and stroff record the file offsets of the symbol table and the string table; adding the base address gives the addresses of the symbol table and the string table.
```c
nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);
char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);
```
```c
struct dysymtab_command {
  uint32_t cmd;            /* LC_DYSYMTAB */
  uint32_t cmdsize;        /* sizeof(struct dysymtab_command) */
  uint32_t ilocalsym;      /* index to local symbols */
  uint32_t nlocalsym;      /* number of local symbols */
  uint32_t iextdefsym;     /* index to externally defined symbols */
  uint32_t nextdefsym;     /* number of externally defined symbols */
  uint32_t iundefsym;      /* index to undefined symbols */
  uint32_t nundefsym;      /* number of undefined symbols */
  uint32_t tocoff;         /* file offset to table of contents */
  uint32_t ntoc;           /* number of entries in table of contents */
  uint32_t modtaboff;      /* file offset to module table */
  uint32_t nmodtab;        /* number of module table entries */
  uint32_t extrefsymoff;   /* offset to referenced symbol table */
  uint32_t nextrefsyms;    /* number of referenced symbol table entries */
  uint32_t indirectsymoff; /* file offset to the indirect symbol table */
  uint32_t nindirectsyms;  /* number of indirect symbol table entries */
  uint32_t extreloff;      /* offset to external relocation entries */
  uint32_t nextrel;        /* number of external relocation entries */
  uint32_t locreloff;      /* offset to local relocation entries */
  uint32_t nlocrel;        /* number of local relocation entries */
};
```
In LC_DYSYMTAB, indirectsymoff records the file offset of the dynamic symbol table (indirect symbols); adding the base address gives the address of that table.
```c
uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);
```
```c
cur = (uintptr_t)header + sizeof(mach_header_t);
for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
  cur_seg_cmd = (segment_command_t *)cur;
  if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
    // Look for the data segment
    if (strcmp(cur_seg_cmd->segname, SEG_DATA) != 0 &&
        strcmp(cur_seg_cmd->segname, SEG_DATA_CONST) != 0) {
      continue;
    }
    for (uint j = 0; j < cur_seg_cmd->nsects; j++) {
      section_t *sect =
        (section_t *)(cur + sizeof(segment_command_t)) + j;
      // Lazy symbol pointer section
      if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
        perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
      }
      // Non-lazy symbol pointer section
      if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
        perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
      }
    }
  }
}
```
The load commands are walked again to find the LC_SEGMENT command of the _DATA segment (the code also accepts __DATA_CONST); the loop then goes over every section of that segment and checks each section's type flag:
```c
struct section_64 { /* for 64-bit architectures */
  char     sectname[16]; /* name of this section */
  char     segname[16];  /* segment this section goes in */
  uint64_t addr;         /* memory address of this section */
  uint64_t size;         /* size in bytes of this section */
  uint32_t offset;       /* file offset of this section */
  uint32_t align;        /* section alignment (power of 2) */
  uint32_t reloff;       /* file offset of relocation entries */
  uint32_t nreloc;       /* number of relocation entries */
  uint32_t flags;        /* flags (section type and attributes) */
  uint32_t reserved1;    /* reserved (for offset or index) */
  uint32_t reserved2;    /* reserved (for count or sizeof) */
  uint32_t reserved3;    /* reserved */
};
```
```c
for (uint j = 0; j < cur_seg_cmd->nsects; j++) {
  section_t *sect =
    (section_t *)(cur + sizeof(segment_command_t)) + j;
  // Lazy symbol pointer section
  if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
    perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
  }
  // Non-lazy symbol pointer section
  if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
    perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
  }
}
```
Once the lazy (la_symbol_ptr) and non-lazy (nl_symbol_ptr) pointer sections are found, perform_rebinding_with_section is called with the tables involved to carry out the hook.
3. perform_rebinding_with_section
The reserved1 field of the nl_symbol_ptr and la_symbol_ptr sections gives the start index of the section's entries in the indirect symbol table:
```c
uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1;
```
slide + section->addr is the array of function pointers for the section's symbols, i.e. the pointers of __nl_symbol_ptr and __la_symbol_ptr all live here, so the function addresses can be read from it:
```c
void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr);
```
Iterate over every symbol in the section and read its entry in the indirect table:
```c
uint32_t symtab_index = indirect_symbol_indices[i];
```
Use symtab_index as an index into the symbol table:
```c
uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx;
```
Read symbol_name from the string table:
```c
char *symbol_name = strtab + strtab_offset;
// Check that the name has at least two characters: symbols carry a leading
// underscore, so the actual name must be at least one character long.
bool symbol_name_longer_than_1 = symbol_name[0] && symbol_name[1];
```
Finally the replacement itself:
```c
while (cur) {
  for (uint j = 0; j < cur->rebindings_nel; j++) {
    // Compare the name starting at symbol_name[1] (past the underscore)
    // with the name requested in this rebinding.
    if (symbol_name_longer_than_1 &&
        strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
      // If replaced is non-NULL and the current implementation is not
      // already rebindings[j].replacement ...
      if (cur->rebindings[j].replaced != NULL &&
          indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
        // ... store the original function address in *replaced.
        *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i];
      }
      // Overwrite the slot with the replacement, i.e. the custom function's address.
      indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
      goto symbol_loop;
    }
  }
  cur = cur->next;
}
```
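Sections 2 and 3 above describe the lookup chain section->reserved1 -> indirect symbol table -> symbol table -> string table, plus the linkedit_base formula. The following is an added example, not fishhook's code: it re-implements that chain over constructed sample tables (strtab, symtab, indirect_symtab and section_reserved1 are all made up here) and goes a step beyond the page by bounds-checking every index and skipping INDIRECT_SYMBOL_LOCAL/ABS entries, which a tool that parses untrusted Mach-O data needs; the nlist_t definition stands in for <mach-o/nlist.h> so it builds off macOS.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for struct nlist_64 from <mach-o/nlist.h> so this builds anywhere. */
typedef struct { uint32_t n_strx; uint8_t n_type; uint8_t n_sect; uint16_t n_desc; uint64_t n_value; } nlist_t;
#define INDIRECT_SYMBOL_LOCAL 0x80000000u   /* values from <mach-o/loader.h> */
#define INDIRECT_SYMBOL_ABS   0x40000000u

/* Constructed sample tables: one string table (offsets 1, 9, 15), three nlist
 * entries, and an indirect table for a __la_symbol_ptr section with
 * reserved1 == 1 and four pointer slots (indices 1..4). */
static const char strtab[] = "\0_malloc\0_free\0_open\0";
static const nlist_t symtab[] = { {1,0,0,0,0}, {9,0,0,0,0}, {15,0,0,0,0} };
static const uint32_t indirect_symtab[] = {
  0,                            /* index 0 belongs to some other section */
  2, 1, INDIRECT_SYMBOL_ABS, 0  /* slots 0..3 of our section */
};
static const uint32_t section_reserved1 = 1;
static const uint32_t section_nslots = 4;

/* Base of the link-edit data exactly as fishhook computes it: slide + vmaddr - fileoff. */
uintptr_t linkedit_base(intptr_t slide, uint64_t vmaddr, uint64_t fileoff)
{
  return (uintptr_t)slide + vmaddr - fileoff;
}

/* Resolve pointer slot i of a (non-)lazy symbol pointer section to its symbol
 * name with the leading underscore stripped. Returns NULL for local/absolute
 * entries (which carry no symbol) and for out-of-range indices or offsets,
 * which fishhook trusts but a truncated or hostile Mach-O could contain. */
const char *slot_symbol_name(uint32_t i)
{
  if (i >= section_nslots) return NULL;
  uint32_t idx = indirect_symtab[section_reserved1 + i];
  if (idx & (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS)) return NULL;
  if (idx >= sizeof symtab / sizeof symtab[0]) return NULL;
  uint32_t off = symtab[idx].n_strx;
  if (off >= sizeof strtab) return NULL;
  const char *name = strtab + off;
  return (name[0] && name[1]) ? name + 1 : NULL;   /* symbol_name_longer_than_1 */
}

/* Slot that a rebinding for `name` ("free", not "_free") would patch; -1 if none. */
int slot_for_rebinding(const char *name)
{
  for (uint32_t i = 0; i < section_nslots; i++) {
    const char *s = slot_symbol_name(i);
    if (s && strcmp(s, name) == 0) return (int)i;
  }
  return -1;
}
```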