call_function_hook.js
"use strict";
require("./lib/common");
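(function () {
  // Startup banner: Frida runtime version and CPU architecture of the target.
  console.log(`[*] Current frida verison: ${Frida.version} on ${Process.arch}\n`);

  // "__PACKAGE_NAME__" is a placeholder token. Neither constant is referenced
  // further down in this script (presumably substituted by whatever loads the
  // script - confirm against the launcher).
  const PACKAGE_NAME = "__PACKAGE_NAME__";
  const APP_FILES_PATH = `/data/data/${PACKAGE_NAME}/files`;

  /**
   * Returns the address to hook, with the Thumb bit set when needed.
   *
   * The heuristic is the author's ("still unstable"): if the bytes at
   * `address` do not decode as an instruction, the function is assumed to be
   * Thumb code and the low bit is set. Thumb only exists on 32-bit ARM, so on
   * every other architecture the address is returned untouched; adding 1
   * there would point the hook into the middle of an instruction.
   *
   * @param {NativePointer} address - Address resolved from the debug symbol.
   * @returns {NativePointer} Same address, or address + 1 for Thumb code.
   */
  const adjustFunctionAddress = function (address) {
    if (Process.arch !== "arm") {
      return address;
    }
    try {
      Instruction.parse(address);
      return address;
    } catch (e) {
      // Decode failed in ARM mode: treat the target as Thumb.
      return address.add(1);
    }
  };

  // Mangled name of soinfo::call_function(const char*, void (*)()) inside the
  // dynamic linker. It matches the Android 6.0.0_r5 source linked below; other
  // releases may use a different symbol (NOTE(review): confirm per target).
  const call_function_symbol = "__dl__ZN6soinfo13call_functionEPKcPFvvE";
  const call_function_ptr = adjustFunctionAddress(
    DebugSymbol.getFunctionByName(call_function_symbol));
  console.log(`[*] Found ${call_function_symbol} at ${call_function_ptr}`);

  Interceptor.attach(call_function_ptr, {
    // http://androidxref.com/6.0.0_r5/xref/bionic/linker/linker.cpp#2219
    // void soinfo::call_function(const char* function_name __unused, linker_function_t function) {
    onEnter: function (args) {
      // Member function: args[0] is `this`, args[1] is function_name and
      // args[2] is the initializer/finalizer the linker is about to run.
      this.function_address = args[2];

      // A NativePointer is an object and therefore always truthy, so
      // `!pointer` can never detect NULL; isNull() is the reliable test.
      if (this.function_address.isNull()) {
        return;
      }

      // findRangeByAddress() yields null for an unmapped address, and a range
      // need not be file-backed. Fall back to a marker instead of throwing
      // inside the hook and losing the log line.
      const range = Process.findRangeByAddress(this.function_address);
      const path = (range !== null && range.file) ? range.file.path : "<unknown>";
      console.log(`[*] Calling ${this.function_address} at ${path}`);
      // TODO:
      // - Patch function_address to infinite loop then use IDA Pro to attach.
    },
    onLeave: function (retval) {
      // TODO:
    }
  });
})();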