Become an AceSign inSign up
asLody/ ElfHook
C++ Java C elf Android
View on GitHub
Need help with ElfHook?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

asLody
201 Stars 108 Forks 25 Commits 1 Opened issues

Description

modify PLT to hook api, supported android 5\6.

Services available

!
?

Need anything else?

Contributors list

挖xxx wadahana
# 158,477
C++
C
elf
Android
 24 commits

0x01 Brief About ElfHook

  这份ElfHook的代码参考boyliang的AllHookInOne, 修复AllHookInOne的 ElfHook中的一些问题,同时也解决我们项目中遇到的一些问题。

  • NOT DT_HAST in .dynmaic section,but .gun.hash instead.

  • NOT DTREL and DTRELSZ in .dynmaic section, but DTANDROIDREL and DTANDROIDRELSZ instead.

  • 计算动态库加载的baseaddr是错误的,应该使用biasaddr来计算出ehdr、phdr和shdr之外的所有地址。

  • 替换函数时,修改page的读写权限时,在SEAndroid上PROTEXEC和PROTWRITE同时设置可能会导致异常,

  • after hook "dlopen" function, how to get base_addr from return value of old dlopen in new dlopen function.

  • support aarch64 (arm64-v8a)

ref:

 AllHookInOne : [https://github.com/boyliang/AllHookInOne.git]

 AllHookInOne说明 : [http://bbs.pediy.com/showthread.php?p=1328038]

 bionic : [https://android.googlesource.com/platform/bionic]

0x02 How To Build

Export android ndk path

export -p PATH=$PATH:$ANDROID_NDK

Build

make

make clean

make install # copy libElfHook.so to jniLibs dir in Demo.

or

ndk-build NDKPROJECTPATH=. NDKOUT=./objs NDKLIBSOUT=./bin APPBUILDSCRIPT=./Android.mk APPPLATFORM=android-23 APPABI=arm64-v8a,armeabi-v7a APPSTL=stlport_static

0x03 How To Use

elfmodule is a shared library or executable, elfhooker is wrapper of hook function.

  • bool elfhooker::phraseproc_maps()

phrase /proc/self/maps to create all elf modules have been loadded

  • void elfhooker::dumpmodule_list()

print all elf moudle's info, base addr and full path.

  • void elfhooker::setprehookcb( prehookcb ):

set a callback function, which would be invoked before hooked. if it return false, prehook_cb function like this:

bool prehookcb(const char* modulename, const char* func_name);

 module_name: the full filename of shared library or executable.

 func_name: function name would be hooked.

  • void elfhooker::hookallmodules(const char *funcname, void *pfnnew, void** ppfnold)

hook a function of all the modules, MUST call phraseprocmaps() before hookallmodules()

 func_name: the name of function that will be hooked.

 pfn_new: new function pointer

 ppfnold: return raw function pointer, ppfnold MUST NOT be NULL

  • bool elfhooker::hook(elfmodule *module, const char* funcname, void *pfnnew, void **ppfn_old)

hook a function of a single module.

 module: pointer of elf_module.

 other parameters is the same as hookallmodules()

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.