更换hook方式为uprobe

Author: AndroidReverser-Test

README.md

@@ -3,16 +3,12 @@
 
 
 # 如何使用？
-在要进行trace的手游的私有目录(即/data/data/包名/files/)下创建test_trace.txt文件，并向其中输入要trace的类名即可，类名的获取以PtraceIl2cppDumper这个项目dump下来的为准，输入样例如：echo "test_clazz_name" >> test_trace.txt, 推荐使用echo向文件输入要trace的类，程序是默认定时获取test_trace.txt文件的最后一行的内容来作为类名进行trace。然后再通过任意ptrace注入器将本项目编译生成的so注入至游戏进程后可在logcat中使用Test-Log进行过滤查看结果。
+首先要成功加载[Kernel-Trace](https://github.com/AndroidReverser-Test/Kernel-Trace)项目提供的kpm模块。
+然后在要进行trace的手游的私有目录(即/data/data/包名/files/)下创建test_trace.txt文件，并向其中输入要trace的类名即可，类名的获取以[PtraceIl2cppDumper](https://github.com/AndroidReverser-Test/PtraceIl2cppDumper)这个项目dump下来的为准，输入样例如：echo "test_clazz_name" >> test_trace.txt, 推荐使用echo向文件输入要trace的类，程序是默认定时获取test_trace.txt文件的最后一行的内容来作为类名进行trace。然后再通过任意ptrace注入器将本项目编译生成的so注入至游戏进程后，查看[Kernel-Trace](https://github.com/AndroidReverser-Test/Kernel-Trace)的输出即可获取trace结果。
 
 # 如何构建
 克隆本项目后，使用androidStudio打开，然后等待项目配置自动完成，之后在本项目目录下使用gradlew :app:externalNativeBuildRelease命令进行编译，编译完成后会在<项目目录>\app\build\intermediates\cmake\release\obj\arm64-v8a下生成相应so文件。
 
-# 已知的问题
-部分游戏可能会在trace时崩溃，这与hook框架有关
-
 
 # 感谢
-[Zygisk-Il2CppDumper](https://github.com/Perfare/Zygisk-Il2CppDumper)
-[Dobby](https://github.com/jmpews/Dobby)
-[Android_InlineHook](https://github.com/zhuotong/Android_InlineHook)
+[Zygisk-Il2CppDumper](https://github.com/Perfare/Zygisk-Il2CppDumper)

app/build.gradle.kts

@@ -45,5 +45,4 @@ android {
 }
 
 dependencies {
-    implementation("io.github.vvb2060.ndk:dobby:+")
 }

app/src/main/cpp/CMakeLists.txt

@@ -37,13 +37,10 @@ add_library(${CMAKE_PROJECT_NAME} SHARED
         il2cpp_trace.cpp
         ${xdl-src})
 
-find_package(dobby REQUIRED CONFIG)
-
 
 # Specifies libraries CMake should link to your target library. You
 # can link libraries from various origins, such as libraries defined in this
 # build script, prebuilt third-party libraries, or Android system libraries.
 target_link_libraries(${CMAKE_PROJECT_NAME}
         # List libraries link to the target library
-        dobby::dobby
         log)

app/src/main/cpp/il2cpp_trace.cpp

@@ -7,7 +7,7 @@
 #include <map>
 #include "log.h"
 #include "xdl.h"
-#include "dobby.h"
+#include "uprobe_trace_user.h"
 #include "il2cpp_trace.h"
 
 #define DO_API(r, n, p) r (*n) p
@@ -17,8 +17,8 @@
 #undef DO_API
 
 char data_dir_path[PATH_MAX];
+char module_path[PATH_MAX];
 static uint64_t il2cpp_base = 0;
-uint64_t funaddrs[MAX_HOOK_FUN_NUM];
 int hook_fun_num=0;
 std::map<long,std::string> fun_name_dict;
 
@@ -47,7 +47,9 @@ int init_il2cpp_fun(){
             Dl_info dlInfo;
             if (dladdr((void *) il2cpp_capture_memory_snapshot, &dlInfo)) {
                 il2cpp_base = reinterpret_cast<uint64_t>(dlInfo.dli_fbase);
+                strcpy(module_path,dlInfo.dli_fname);
                 LOGD("il2cpp_base: 0x%llx", il2cpp_base);
+                LOGD("module_path: %s", module_path);
             }
         }
         return flag;
@@ -93,42 +95,35 @@ char *get_trace_info(char *trace_file_path){
     return last_line;
 }
 
-void trace_call_back(RegisterContext *ctx, const HookEntryInfo *info){
-    long fun_offset = (uint64_t)info->target_address-il2cpp_base;
-    LOGD("%s is calling,offset:0x%llx",fun_name_dict[fun_offset].c_str(),fun_offset);
-    return;
-}
-
-void check_fun_instruction(){
-    for (int i = 0; i < hook_fun_num; i++) {
-        uint32_t *fun_instructions = static_cast<uint32_t *>((void *)funaddrs[i]);
-        if(fun_instructions[1]==0xd65f03c0){//RET
-            LOGW("pass hook fun 0x%llx",funaddrs[i]-il2cpp_base);
-            funaddrs[i] = 0;
-        }
-    }
-    LOGD("check all fun instruction");
-}
+//void check_fun_instruction(){
+//    for (int i = 0; i < hook_fun_num; i++) {
+//        uint32_t *fun_instructions = static_cast<uint32_t *>((void *)funaddrs[i]);
+//        if(fun_instructions[1]==0xd65f03c0){//RET
+//            LOGW("pass hook fun 0x%llx",funaddrs[i]-il2cpp_base);
+//            funaddrs[i] = 0;
+//        }
+//    }
+//    LOGD("check all fun instruction");
+//}
 
 void hook_all_fun(){
-    for (int i = 0; i < hook_fun_num; i++) {
-        if(funaddrs[i]==0){
-            continue;
-        }
-//        LOGD("fun 0x%llx hook",funaddrs[i]-il2cpp_base);
-        if(DobbyInstrument((void *)funaddrs[i], trace_call_back)!=0){
-            LOGD("fun 0x%llx hook error",funaddrs[i]-il2cpp_base);
+    for (auto it = fun_name_dict.begin(); it != fun_name_dict.end(); ++it) {
+        unsigned long fun_offset = it->first;
+        std::string fun_name = it->second;
+        int set_uprobe_ret = set_fun_info2(fun_offset,(char*)fun_name.c_str());
+        if(set_uprobe_ret!=SET_TRACE_SUCCESS){
+            LOGE("set uprobe in fun_name:%s,fun_offset:0x%llx",fun_name.c_str(),fun_offset);
         }
-
     }
-    LOGD("success hook all fun");
+    LOGD("success hook fun num:%d",hook_fun_num);
 }
 
 void clear_all_hook(){
-    for (int i = 0; i < hook_fun_num; i++) {
-        DobbyDestroy ((void *)funaddrs[i]);
+    int clear_ret = clear_all_uprobes();
+    if(clear_ret!=SET_TRACE_SUCCESS){
+        LOGE("clear all uprobes error");
     }
-    LOGD("success clear all fun");
+    LOGD("success clear all uprobes");
     hook_fun_num = 0;
     fun_name_dict.clear();
 }
@@ -138,7 +133,7 @@ void check_all_methods(void *klass,char *clazzName) {
     long fun_offset;
     while (auto method = il2cpp_class_get_methods(klass, &iter)) {
         //TODO attribute
-        if (method->methodPointer && hook_fun_num<MAX_HOOK_FUN_NUM) {
+        if (method->methodPointer && hook_fun_num<MAX_HOOK_NUM) {
             fun_offset = (uint64_t)method->methodPointer - il2cpp_base;
             if(fun_name_dict.find(fun_offset) != fun_name_dict.end()){
                 continue;
@@ -148,7 +143,6 @@ void check_all_methods(void *klass,char *clazzName) {
             snprintf(full_name,MAX_FULL_NAME_LEN,"%s::%s",clazzName,method_name);
             std::string mfull_name(full_name);
             fun_name_dict[fun_offset]=mfull_name;
-            funaddrs[hook_fun_num] = (uint64_t)method->methodPointer;
             hook_fun_num++;
         }
     }
@@ -171,6 +165,16 @@ void start_trace(char* data_dir_path){
     }
     LOGD("success get il2cpp api fun");
 
+    int set_module_base_ret = set_module_base(il2cpp_base);
+    int set_target_file_ret = set_target_file(module_path);
+    int set_target_uid_ret = set_target_uid(getuid());
+
+    if (set_module_base_ret!=SET_TRACE_SUCCESS || set_target_file_ret!=SET_TRACE_SUCCESS || set_target_uid_ret!=SET_TRACE_SUCCESS){
+        LOGE("init uprobe hook error");
+        return;
+    }
+    LOGD("init uprobe hook success");
+
 
     strcpy(trace_file_path,data_dir_path);
     strcat(trace_file_path,"/files/test_trace.txt");
@@ -200,7 +204,7 @@ void start_trace(char* data_dir_path){
             }
             for (int i = 0; i < all_type_infos_count; ++i) {
                 if(strcmp(all_type_infos[i].name,tmp_info)==0){
-                    if(hook_fun_num==MAX_HOOK_FUN_NUM){
+                    if(hook_fun_num==MAX_HOOK_NUM){
                         break;
                     }
                     LOGD("trace %s",all_type_infos[i].name);

app/src/main/cpp/il2cpp_trace.h

@@ -4,7 +4,6 @@
 #include <stdint.h>
 
 #define MAX_FULL_NAME_LEN 200
-#define MAX_HOOK_FUN_NUM 10000
 
 struct Il2CppMetadataField
 {

app/src/main/cpp/uprobe_trace_user.h

@@ -0,0 +1,50 @@
+#include <sys/syscall.h>
+#include <unistd.h>
+
+
+#define TRACE_FLAG 511
+#define MAX_HOOK_NUM 1000
+#define SET_TRACE_SUCCESS 1000
+#define SET_TRACE_ERROR 1001
+
+enum trace_info {
+    SET_TARGET_FILE,
+    SET_MODULE_BASE,
+    SET_FUN_INFO,
+    SET_TARGET_UID,
+    CLEAR_UPROBE,
+};
+
+//	unsigned long start, size_t len, unsigned char *vec
+
+int set_module_base(unsigned long module_base){
+    int ret = syscall(__NR_mincore,module_base,TRACE_FLAG+SET_MODULE_BASE,"");
+    return ret;
+}
+
+int set_target_uid(uid_t uid){
+    int ret = syscall(__NR_mincore,uid,TRACE_FLAG+SET_TARGET_UID,"");
+    return ret;
+}
+
+int set_target_file(char* file_name){
+    int ret = syscall(__NR_mincore,0,TRACE_FLAG+SET_TARGET_FILE,file_name);
+    return ret;
+}
+
+int set_fun_info(unsigned long fun_offset,char *fun_name){
+    int ret = syscall(__NR_mincore,fun_offset,TRACE_FLAG+SET_FUN_INFO,fun_name);
+    return ret;
+}
+
+//set_fun_info函数设置成功但失效的情况下再用这个函数
+//，最好在一个程序内不要与set_fun_info函数同时使用
+int set_fun_info2(unsigned long fun_offset,char *fun_name){
+    int ret = syscall(__NR_mincore,fun_offset-0x1000,TRACE_FLAG+SET_FUN_INFO,fun_name);
+    return ret;
+}
+
+int clear_all_uprobes(){
+    int ret = syscall(__NR_mincore,0,TRACE_FLAG+CLEAR_UPROBE,"");
+    return ret;
+}