Git Product home page Git Product logo

elfhook's Introduction

0x01 Brief About ElfHook

  ElfHooK, came from boyliang's AllHookInOne, fix some bug, dealing with new problem in aarch64.

  • NOT DT_HAST in .dynmaic section,but .gun.hash instead.

  • NOT DT_REL and DT_RELSZ in .dynmaic section, but DT_ANDROID_REL and DT_ANDROID_RELSZ instead.

  • use base_addr to caculate symbol table's offset is wrong,replace it with bias_addr。

  • when modify memory page’s read-write permission,set PROT_EXEC and PROT_WRITE together in SEAndroid WILLcrash.

  • after hook "dlopen" function, caculate base_addr from return value of old dlopen (it's pointer to soinfo).

  • support aarch64 (arm64-v8a)

ref:

 AllHookInOne : [https://github.com/boyliang/AllHookInOne.git]

 AllHookInOne description : [http://bbs.pediy.com/showthread.php?p=1328038]

 bionic : [https://android.googlesource.com/platform/bionic]

0x02 How To Build

Export android ndk path

export -p PATH=$PATH:$ANDROID_NDK

Build

make

make clean

make install # copy libElfHook.so to jniLibs dir in Demo.

or

ndk-build NDK_PROJECT_PATH=. NDK_OUT=./objs NDK_LIBS_OUT=./bin APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-23 APP_ABI=arm64-v8a,armeabi-v7a APP_STL=stlport_static

use NDK r11b

0x03 How To Use

elf_module is a shared library or executable, elf_hooker is wrapper of hook function.

  • bool elf_hooker::phrase_proc_maps()

phrase /proc/self/maps to create all elf modules have been loadded

  • void elf_hooker::dump_module_list()

print all elf moudle's info, base addr and full path.

  • void elf_hooker::set_prehook_cb( prehook_cb ):

set a callback function, which would be invoked before hooked. The function with func_name will not be hooked, if it return false. prehook_cb function like this:

bool prehook_cb(const char* module_name, const char* func_name);

 module_name: the full filename of shared library or executable.

 func_name: function name would be hooked.

  • void elf_hooker::hook_all_modules(const char *func_name, void *pfn_new, void** ppfn_old)

hook a function of all the modules, MUST call phrase_proc_maps() before hook_all_modules()

 func_name: the name of function that will be hooked.

 pfn_new: new function pointer

 ppfn_old: return raw function pointer, ppfn_old MUST NOT be NULL

  • bool elf_hooker::hook(elf_module *module, const char* func_name, void *pfn_new, void **ppfn_old)

hook a function of a single module.

 module: pointer of elf_module.

 other parameters is the same as hook_all_modules()

elfhook's People

Contributors

wadahana avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.