by asLody

asLody / ElfHook

Modifies the PLT to hook APIs; supports Android 5/6.


0x01 Brief About ElfHook

  This ElfHook code is based on boyliang's AllHookInOne. It fixes some problems in the ElfHook part of AllHookInOne and also solves some problems we ran into in our own project.

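  • There is no DT_HASH in the .dynamic section, but .gnu.hash instead.

  • There are no DT_REL and DT_RELSZ in the .dynamic section, but DT_ANDROID_REL and DT_ANDROID_RELSZ instead.

  • The computed load base_addr of the shared library was wrong; bias_addr should be used to compute every address other than ehdr, phdr and shdr.

  • When replacing a function and changing the page's read/write permissions, setting PROT_EXEC and PROT_WRITE at the same time on SEAndroid may cause an exception.

  • After hooking the "dlopen" function, how to get base_addr from the return value of the old dlopen inside the new dlopen function.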

  • support aarch64 (arm64-v8a)
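
The load-bias item in the list above, worked through on constructed data. This is an added example, not code from ElfHook or AllHookInOne: the libdemo.so path, the sample maps lines and program headers, and the helper names find_base_addr and load_bias are assumptions for illustration, as are 4 KiB pages and a lowest PT_LOAD segment that covers file offset 0.

```c
#include <elf.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_START(x) ((x) & ~(uint64_t)0xfff) /* assumes 4 KiB pages */
/* Constructed sample data: libdemo.so is a made-up module, not from ElfHook. */
static const char SAMPLE_MAPS[] =
    "7f00000000-7f00011000 r-xp 00000000 fd:00 1234 /system/lib64/libdemo.so\n"
    "7f00021000-7f00023000 rw-p 00011000 fd:00 1234 /system/lib64/libdemo.so\n";
static const Elf64_Phdr SAMPLE_PHDR[] = {
    { .p_type = PT_LOAD,    .p_offset = 0,       .p_vaddr = 0x10000 },
    { .p_type = PT_LOAD,    .p_offset = 0x11000, .p_vaddr = 0x31000 },
    { .p_type = PT_DYNAMIC, .p_offset = 0x11d00, .p_vaddr = 0x31d00 },
};

/* base_addr: start of the mapping of `path` whose file offset is 0 (0 if none). */
uint64_t find_base_addr(const char *maps, const char *path) {
    for (const char *line = maps; line && *line; ) {
        uint64_t start, off;
        char name[256] = "";
        /* fields: start-end perms offset dev inode pathname */
        if (sscanf(line, "%" SCNx64 "-%*" SCNx64 " %*s %" SCNx64 " %*s %*s %255s",
                   &start, &off, name) == 3 && off == 0 && strcmp(name, path) == 0)
            return start;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Load bias = base_addr - page-aligned p_vaddr of the lowest PT_LOAD segment.
 * It equals base_addr only when that p_vaddr is 0; with no PT_LOAD, base_addr is returned. */
uint64_t load_bias(uint64_t base_addr, const Elf64_Phdr *ph, size_t n) {
    uint64_t min_vaddr = UINT64_MAX;
    for (size_t i = 0; i < n; i++)
        if (ph[i].p_type == PT_LOAD && ph[i].p_vaddr < min_vaddr)
            min_vaddr = ph[i].p_vaddr;
    return base_addr - (min_vaddr == UINT64_MAX ? 0 : PAGE_START(min_vaddr));
}

int main(void) {
    uint64_t base = find_base_addr(SAMPLE_MAPS, "/system/lib64/libdemo.so");
    uint64_t bias = load_bias(base, SAMPLE_PHDR, 3);
    printf("naive   base+vaddr = 0x%" PRIx64 "\n", base + SAMPLE_PHDR[2].p_vaddr);
    printf("correct bias+vaddr = 0x%" PRIx64 "\n", bias + SAMPLE_PHDR[2].p_vaddr);
    return 0;
}
```

With this sample, base_addr + p_vaddr for PT_DYNAMIC lands outside both mappings, while bias + p_vaddr lands inside the rw-p mapping where the dynamic section actually lives.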


 AllHookInOne : [https://github.com/boyliang/AllHookInOne.git]

 AllHookInOne write-up : [http://bbs.pediy.com/showthread.php?p=1328038]

 bionic : [https://android.googlesource.com/platform/bionic]

0x02 How To Build

Export android ndk path




make clean

make install # copy libElfHook.so to jniLibs dir in Demo.


ndk-build NDK_PROJECT_PATH=. NDK_OUT=./objs NDK_LIBS_OUT=./bin APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-23 APP_ABI=arm64-v8a,armeabi-v7a APP_STL=stlport_static

0x03 How To Use

elf_module is a shared library or executable; elf_hooker is a wrapper around the hook functions.

  • bool elf_hooker::phrase_proc_maps()

Parses /proc/self/maps to build the list of all ELF modules that have been loaded.

  • void elf_hooker::dump_module_list()

Prints every ELF module's info: base address and full path.

  • void elf_hooker::set_prehook_cb( prehook_cb ):

Sets a callback function, which is invoked before a function is hooked. if it returns false, prehook_cb function like this:

bool prehook_cb(const char* module_name, const char* func_name);

 module_name: the full filename of the shared library or executable.

 func_name: the name of the function that would be hooked.

  • void elf_hooker::hook_all_modules(const char *func_name, void *pfn_new, void** ppfn_old)

Hooks a function in all the modules. You MUST call phrase_proc_maps() before hook_all_modules().

 func_name: the name of the function that will be hooked.

 pfn_new: the new function pointer.

 ppfn_old: returns the raw function pointer; ppfn_old MUST NOT be NULL.

  • bool elf_hooker::hook(elf_module *module, const char* func_name, void *pfn_new, void **ppfn_old)

Hooks a function in a single module.

 module: pointer to an elf_module.

 The other parameters are the same as for hook_all_modules().
