第一種方法編譯Android源碼
編譯Android源碼,修改libart尤筐,打印動態(tài)注冊doCommandNative時的地址
修改如下
static jint RegisterNativeMethods(JNIEnv* env, jclass java_class, const JNINativeMethod* methods,
jint method_count, bool return_errors) {
if (UNLIKELY(method_count < 0)) {
JavaVmExtFromEnv(env)->JniAbortF("RegisterNatives", "negative method count: %d",
method_count);
return JNI_ERR; // Not reached except in unit tests.
}
CHECK_NON_NULL_ARGUMENT_FN_NAME("RegisterNatives", java_class, JNI_ERR);
ScopedObjectAccess soa(env);
mirror::Class* c = soa.Decode<mirror::Class*>(java_class);
if (UNLIKELY(method_count == 0)) {
LOG(WARNING) << "JNI RegisterNativeMethods: attempt to register 0 native methods for "
<< PrettyDescriptor(c);
return JNI_OK;
}
CHECK_NON_NULL_ARGUMENT_FN_NAME("RegisterNatives", methods, JNI_ERR);
for (jint i = 0; i < method_count; ++i) {
const char* name = methods[i].name;
const char* sig = methods[i].signature;
const void* fnPtr = methods[i].fnPtr;
+ LOG(WARNING) << "JNI RegisterNativeMethods name:" << name << " sig:" << sig << " fnPtr:" << fnPtr;
if (UNLIKELY(name == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "method name", i, return_errors);
return JNI_ERR;
} else if (UNLIKELY(sig == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "method signature", i, return_errors);
return JNI_ERR;
} else if (UNLIKELY(fnPtr == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "native function", i, return_errors);
return JNI_ERR;
}
bool is_fast = false;
對應(yīng)的源碼地址
http://androidxref.com/6.0.1_r10/xref/art/runtime/jni_internal.cc#2080
第二種方法使用frida hook libart.so
https://github.com/lasting-yang/frida_hook_libart
Interceptor.attach(addrRegisterNativeMethods, {
onEnter: function(args) {
console.log("[RegisterNativeMethods] method_count:", args[3]);
var methods_ptr = ptr(args[2]);
var method_count = parseInt(args[3]);
for (var i = 0; i < method_count; i++) {
var name_ptr = Memory.readPointer(methods_ptr.add(i*12));
var sig_ptr = Memory.readPointer(methods_ptr.add(i*12 + 4));
var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i*12 + 8));
var name = Memory.readCString(name_ptr);
var sig = Memory.readCString(sig_ptr);
console.log("[RegisterNativeMethods] name:", name, "sig", sig, "fnPtr", fnPtr_ptr);
}
},
onLeave: function(retval) {}
});
