update sky-take-out

_posts/2024-08-08-Android实战(持续更新).md

@@ -288,6 +288,7 @@ function hookDlopen_so() {
       onEnter: function(args){
         this.name = args[0].readCString()
         console.log(`dlopen onEnter: ${this.name}`)
+
 		},
 		onLeave: function (retval) {
           console.log(`dlopen onLeave: ${this.name}`)
@@ -322,15 +323,30 @@ Interceptor.attach(addr,{
 方法一：hook pthread_create
 
 ```js
-function hook_pthread_addr = Module.findExportByName("libc.so","pthread_create");
-Intercept.attach(pthread_create_addr,{
-    onEnter:function(args){
-        console.log("funcAddr:",args[2],"soName:",Process.findModuleByaddress(args[2]).name)
-    },
-    onLeave:function(retval){
+// 通过截获pthread_create，无效，可能是由于注入时机不对
+function search_thread() {
+  let pthread_create_addr = Module.findExportByName("libc.so", "pthread_create");
+  Interceptor.attach(pthread_create_addr, {
+    onEnter: function (args) {
+      // console.log("funcAddr:", args[2], "soName:", Process.findModuleByAddress(args[2]).name)
+      let soName = Process.findModuleByAddress(args[2]).name
+      let addr = args[2]
+      console.log("funcAddr:", args[2], "soName:", Process.findModuleByAddress(args[2]).name);
+      if (soName.indexOf("libmsaoaidsec.so") != -1) {
 
+          // Interceptor.replace(args[2], new NativeCallback(
+          //   function () {
+          //     console.log("replace success!")
+          //   }, 'void', ["void"]
+          // ));
+      }
+
+    },
+    onLeave: function (retval) {
+
     }
-})
+  })
+}
 ```
 
 方法二：自实现一个pthread_create并替换
@@ -360,23 +376,30 @@ let pthread_create = Module.findExportByName(null, "pthread_create")
 方法一：干掉该so文件开启的所有线程，可能会误伤（但是概率很小）
 
 ```js
-function hook_pthread_addr = Module.findExportByName("libc.so","pthread_create");
-Intercept.attach(pthread_create_addr,{
-    onEnter:function(args){
-        var soName = Process.findModuleByaddress(args[2]).name
-        if(soName.indexOf("xxx.so")!=-1){
-            Interceptor.replace(args[2],new NativeCallBack(
-                function(){
-                    console.log("replace success!")
-                },'void',["void"]
-            ));
-        }
+// 通过截获pthread_create，无效，可能是由于注入时机不对
+function search_thread() {
+  let pthread_create_addr = Module.findExportByName("libc.so", "pthread_create");
+  Interceptor.attach(pthread_create_addr, {
+    onEnter: function (args) {
+      // console.log("funcAddr:", args[2], "soName:", Process.findModuleByAddress(args[2]).name)
+      let soName = Process.findModuleByAddress(args[2]).name
+      let addr = args[2]
+      console.log("funcAddr:", args[2], "soName:", Process.findModuleByAddress(args[2]).name);
+      if (soName.indexOf("libmsaoaidsec.so") != -1) {
 
+          // Interceptor.replace(args[2], new NativeCallback(
+          //   function () {
+          //     console.log("replace success!")
+          //   }, 'void', ["void"]
+          // ));
+      }
+
     },
-    onLeave:function(retval){
-        
+    onLeave: function (retval) {
+
     }
-})
+  })
+}
 ```
 
 方法二：精确打击
@@ -432,6 +455,87 @@ function hook_func(secmodule,offset) {
 }
 ```
 
+方法三：
+```js
+// 破坏时机选择init_proc时机，比较早的一个点
+function hook_in_initProx(soName = '') {
+  Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
+    onEnter: function (args) {
+      var pathptr = args[0];
+      if (pathptr !== undefined && pathptr != null) {
+        var path = ptr(pathptr).readCString();
+        // console.log(path)
+        if (path.indexOf(soName) >= 0) {
+          locate_init()
+        }
+      }
+    }
+  });
+}
+
+function locate_init() {
+  let secmodule = null
+  Interceptor.attach(Module.findExportByName(null, "__system_property_get"), {
+    // _system_property_get("ro.build.version.sdk", v1);
+    onEnter: function (args) {
+      secmodule = Process.findModuleByName("libmsaoaidsec.so")
+      var name = args[0];
+      if (name !== undefined && name != null) {
+        name = ptr(name).readCString();
+        if (name.indexOf("ro.build.version.sdk") >= 0) {
+          // 这是.init_proc刚开始执行的地方，是一个比较早的时机点
+          // do something
+          hook_pthread_create()
+        }
+      }
+    }
+  });
+}
+let i = 0;
+function hook_pthread_create() {
+  //只有三条检测线程被干掉之后才开始hook
+  if (i >= 3) {
+    hook()
+  }
+
+  let baseAddress = Process.findModuleByName("libmsaoaidsec.so").base;
+  console.log("libmsaoaidsec.so --- " + baseAddress);
+
+  Interceptor.replace(Module.findExportByName("libc.so", "pthread_create"), new NativeCallback(function (attr, start_routine, arg1, arg2) {
+    // console.log("The thread function address is ", arg1)
+    let func_addr = arg1.sub(baseAddress); // 计算相对地址
+
+    // 判断 func_addr 的值是否为指定的偏移
+    if (func_addr.equals(ptr(0x1B8D4)) || func_addr.equals(ptr(0x26E5C)) || func_addr.equals(ptr(0x1c544))) {
+      i++
+      console.log(func_addr, i)
+
+      //假装成功创建线程
+      return 0
+    }
+
+
+    // 获取系统库中的 pthread_create 函数并调用
+    let pthread_create = new NativeFunction(Module.findExportByName("libc.so", "pthread_create"), 'int', ['pointer', 'pointer', 'pointer', 'pointer']);
+    return pthread_create(attr, start_routine, arg1, arg2);
+  }, 'int', ['pointer', 'pointer', 'pointer', 'pointer']));
+}
+
+function hook() {
+  // 在这里我们可以添加一些java层的hook代码，因为这个时候我们已经绕过了
+}
+
+
+function main() {
+  // hookDlopen_so()
+  // analyse_with_strace()
+  search_thread()
+  // hook_in_initProx("libmsaoaidsec.so")
+}
+```
+
+
+
 
 
 ##### 问题：干掉线程影响app正常工作