// Names of libraries (and a few dex/odex entries) whose constructors the
// hook should not report. The set is also mutated at runtime: every library
// the hook does report is added to it, so each name is logged at most once.
const ignoredSoNames = [
  "libandroid.so",
  "libc.so",
  "libc++.so",
  "libcutils.so",
  "libgui.so",
  "libui.so",
  "libdl.so",
  "liblog.so",
  "libutils.so",
  "libexpat.so",
  "libm.so",
  "libperfctl.so",
  "libEGL.so",
  "javalib.odex",
  "system@priv-app@RtMiCloudSDK@RtMiCloudSDK.apk@classes.dex",
  "android.hardware.graphics.mapper@4.0-impl-mediatek.so",
];
const soNameSet = new Set(ignoredSoNames);
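/**
 * Hooks `soinfo::call_constructors` in the Android dynamic linker and, for
 * every library whose name is not yet in `soNameSet`, logs the
 * module-relative addresses of its init_proc and init_array entries just
 * before the linker runs them.
 *
 * Relies on the Frida globals `Process` and `Interceptor` and on the
 * module-level `soNameSet`, which doubles as a "seen" set: each library is
 * reported only the first time it reaches call_constructors. Returns
 * nothing; does nothing when the linker module cannot be found.
 */
function hookSoInit() {
  // Byte offsets into the linker's private `soinfo` struct, read below as
  // (name pointer, init_proc, init_array, init_array_count).
  // NOTE(review): soinfo's layout is not stable across Android releases or
  // between linker and linker64; confirm these offsets against the target
  // build before trusting the printed addresses.
  const SOINFO_NAME_OFFSET = 408;
  const SOINFO_INIT_FUNC_OFFSET = 184;
  const SOINFO_INIT_ARRAY_OFFSET = 152;
  const SOINFO_INIT_ARRAY_COUNT_OFFSET = 160;

  // /system/bin/linker64 in a 64-bit process, /system/bin/linker otherwise.
  const linkerName = Process.pointerSize === 8 ? "linker64" : "linker";
  const linker = Process.findModuleByName(linkerName);
  if (!linker) {
    return;
  }

  // void soinfo::call_constructors()
  // The substring match may attach to more than one symbol if several
  // linker symbols contain "call_constructors"; each match gets its own hook.
  for (const symbol of linker.enumerateSymbols()) {
    if (!symbol.name.includes("call_constructors")) {
      continue;
    }
    console.log(`
[+] hook Native Function
- module: linker
- function: call_constructors`);
    Interceptor.attach(symbol.address, {
      onEnter(args) {
        const soinfo = args[0];
        const soName = soinfo.add(SOINFO_NAME_OFFSET).readPointer().readCString();
        // readCString() yields null for a NULL name pointer; there is nothing
        // to look up then, and findModuleByName(null) would throw inside the
        // hook callback.
        if (soName === null || soNameSet.has(soName)) {
          return;
        }
        soNameSet.add(soName);
        const module = Process.findModuleByName(soName);
        if (!module) {
          return;
        }
        const base = module.base;
        const initProc = soinfo.add(SOINFO_INIT_FUNC_OFFSET).readPointer();
        const initArray = soinfo.add(SOINFO_INIT_ARRAY_OFFSET).readPointer();
        // readU64() returns a UInt64 object; convert once so it can be used
        // as an array length and printed as a plain decimal.
        const initArrayCount = soinfo
          .add(SOINFO_INIT_ARRAY_COUNT_OFFSET)
          .readU64()
          .toNumber();
        // Module-relative address of every init_array entry.
        const initArrayFuncs = Array.from({ length: initArrayCount }, (_, index) =>
          initArray.add(Process.pointerSize * index).readPointer().sub(base),
        );
        console.log(`
[*] call_constructors onEnter
- so_name: ${soName}
- init_proc: ${initProc.isNull() ? "null" : initProc.sub(base)}
- init_array: ${initArray.isNull() ? "null" : initArray.sub(base)}
- init_array_count: ${initArrayCount}
${initArrayFuncs.join(', ')}`);
      },
    });
  }
}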
// Defer installing the hook until the script's own top-level code has run.
setImmediate(() => {
  hookSoInit();
});