看了《iOS应用逆向工程》这书,后里面有hook OC类方法,但是怎么才能hook C++类的方法呢?
MSHookFunction
static void (*original_CFShow)(CFTypeRef obj); // a function pointer to store the original CFShow().
void replaced_CFShow(CFTypeRef obj) { // our replacement of CFShow().
printf(“Calling original CFShow(%p)…”, obj);
original_CFShow(obj); // calls the original CFShow.
printf(" done.\n");
}
…
// hook CFShow to our own implementation.
MSHookFunction(CFShow, replaced_CFShow, &original_CFShow);
http://iphonedevwiki.net/index.php/MobileSubstrate
大致的方法就是@hali 提到的MSHookFunction,但这里面还有坑。你直接说具体的例子吧,别人也好直接给出代码
什么坑,请提醒,免得日后掉坑里面:lol:
就是当hook的是个private symbol时,需要用MSFindSymbol来找到符号地址,直接dlopen或extern是不行的
大神 hook framework 是c的方法时,MSHookFunction也是卸载tweak.xm里面么?还是小白一个啊,不知道怎么下手,一直报错,可否写个小小的demo,我现在要hook的是CFNetwork里面CHTTP发送http request的方法,参照http://iphonedevwiki.net/index.php/MobileSubstrate一直报错
假如你要hook的C函数原型是void Foo(int bar),那么参考其官方文档,MSHookFunction的写法是:
#include <substrate.h>
void (*oldFoo)(int);
void newFoo(int bar)
{
printf("Foo is hooked");
oldFoo(bar);
}
%ctor
{
MSHookFunction(&Foo, &newFoo, &oldFoo);
}
大神 我的还在报错 求解答
Making all for tweak hookCFNetWork...
Preprocessing Tweak.xm...
Compiling Tweak.xm...
Linking tweak hookCFNetWork...
Undefined symbols for architecture armv7:
"_CFHTTPMessageCreateRequest", referenced from:
_logosLocalCtor_98f13708() in Tweak.xm.cb47dfa8.o
(maybe you meant: _original_CFHTTPMessageCreateRequest, __Z35replaced_CFHTTPMessageCreateRequestPK13__CFAllocatorlPK10__CFStringS4_ )
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [obj/hookCFNetWork.dylib.ba964c90.unsigned] Error 1
make[1]: *** [internal-library-all_] Error 2
我的Tweak.xm
#include <CFNetwork/CFHTTPMessage.h>
#include <CoreFoundation/CFBase.h>
#include <CoreFoundation/CFURL.h>
#include <substrate.h>
CFHTTPMessageRef (*original_CFHTTPMessageCreateRequest)(CFAllocatorRef alloc,CFIndex statusCode,CFStringRef statusDescription,CFStringRef httpVersion);
CFHTTPMessageRef replaced_CFHTTPMessageCreateRequest(CFAllocatorRef alloc,CFIndex statusCode,CFStringRef statusDescription,CFStringRef httpVersion)
{
printf("http request is send\n");
return original_CFHTTPMessageCreateRequest(alloc,statusCode,statusDescription,httpVersion);
}
%ctor
{
MSHookFunction((void *)CFHTTPMessageCreateRequest,(void *)replaced_CFHTTPMessageCreateRequest,(void * *)&original_CFHTTPMessageCreateRequest);
}
Makefile里面
THEOS_DEVICE_IP= 10.1.29.13
ARCHS = armv7
include theos/makefiles/common.mk
TWEAK_NAME = hookCFNetWork
hookCFNetWork_FILES = Tweak.xm
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
install.exec "killall -9 com.apple.mobilephone"
手机是iphone4s 系统7.0 sdk是7.1跪求大神指点
这是常见的未定义字符错误,提示找不到CFHTTPMessageCreateRequest。这个符号应该是来自CoreServices的,你试试看把Makefile的
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation
改成
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation CoreServices
改了还是报一样的错误噢大神 CFHTTPMessageCreateRequest是CFNetwork框架里面的 头文件是CFHTTPMessage.h 是用来创建http请求的
刚注意到,你的Makefile里没指定SDK啊,在ARCHS下面加一行
TARGET = iphone:7.0:7.0
不好意思。。。忘了 现在加上去了还是报这个错误:3_41:我都不好意思打扰你了大神
THEOS_DEVICE_IP= 10.1.29.13
ARCHS = armv7
TARGET = iphone:7.1:7.0
include theos/makefiles/common.mk
TWEAK_NAME = hookCFNetWork
hookCFNetWork_FILES = Tweak.xm
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation CoreServices Foundation
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
install.exec “killall -9 com.apple.mobilephone”
CoreServices加上去不对,iOS里没这个framework,我完全复制粘贴你的代码,把CoreServices去掉后编译通过了……你去掉CoreServices试试,如果还报错的话把错误po上来
确实没CoreServices这个framework 不过去掉了还是报错 错误一直没变 然后我新建了个工程 复制代码过去编译成功了。。。。:3_45: 我也不晓得为什么 谢谢大神了 非常感谢这么耐心的指点
- getifaddrs并不是一个private symbol,你不需要MSFindSymbol;
- 第22行,你通过MSFindSymbol找到的symbol应该是MSHookFunction的第一个参数,不是第三个参数;
- 编译不通过,还有什么比把错误po上来更方便别人查错的?
非常感谢,根据编译错误提示强制转换函数类型后,已能编译通过
但运行时异常退出,还请帮忙看看
#include <substrate.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ifaddrs.h>
#include <string>
#include <arpa/inet.h>
int *(*original_getifaddrs)(struct ifaddrs **ifap);
int *new_getifaddrs(struct ifaddrs **ifap)
{
NSLog(@"new getifaddress");
return original_getifaddrs(ifap);
}
%ctor {
NSLog(@"This is inject ");
MSImageRef image;
image = MSGetImageByName("usr/lib/system/libsystem_info.dylib");
original_getifaddrs = (int *(*)(struct ifaddrs **))MSFindSymbol(image, "_getifmaddrs");
MSHookFunction((void*)&original_getifaddrs, (void *)&new_getifaddrs,(void **)&original_getifaddrs);
}
异常日志如下:
Path: /var/mobile/Applications/827F81BC-6F6E-47C1-9A9C-D42416D54ECC/D5.app/D5
Identifier: D5
Version: ??? (???)
Code Type: ARM (Native)
Parent Process: launchd [1]
Date/Time: 2014-05-08 11:15:36.817 +0800
OS Version: iOS 6.1.5 (10B400)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001
Crashed Thread: 0
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 Testday.dylib 0x00163ee8 0x163000 + 3816
1 dyld 0x2fef25b6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 154
2 dyld 0x2fef26c4 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 16
3 dyld 0x2feefa3a ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 382
4 dyld 0x2feef874 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 36
5 dyld 0x2fee8ff4 dyld::runInitializers(ImageLoader*) + 72
6 dyld 0x2feeca3e dlopen + 1158
7 libdyld.dylib 0x3bc58946 dlopen + 46
8 SubstrateLoader.dylib 0x0013f1ae 0x13d000 + 8622
9 SubstrateLoader.dylib 0x0013f474 0x13d000 + 9332
10 dyld 0x2fef25b6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 154
11 dyld 0x2fef26c4 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 16
12 dyld 0x2feefa3a ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 382
下次粘贴代码时注意格式。你的问题在于MSHookFunction用错了,好好看一下saurik提供的官方文档吧,不然你还是记不住
楼主你好,我也基本是个小白,正好要开发基于cfnetwork层的网络请求时间监听,能给发个hook 底层的小demo或者类么,18211130861@126.com, 3Q,
请问我这样hook c的接口哪块有问题吗?MGCopyAnswer应该是private symbol吧?
现在编译通过了,但是hook失败了,也没有报错原因
环境是:ios8.3,iphone5
NSString* (OrigMGCopyAnswer)(NSString);
NSString* HookMGCopyAnswer(NSString* key)
{
printf("MGCopyAnswer is hooked.");
return OrigMGCopyAnswer(key);
}
%ctor
{
printf("MGCopyAnswer is init.");
MSImageRef image = MSGetImageByName("/usr/lib/libMobileGestalt.dylib");
MSHookFunction((void *)MSFindSymbol(image, "MGCopyAnswer"), (void *)HookMGCopyAnswer, (void **)&OrigMGCopyAnswer);
%init;
}
以及makefile
THEOS_DEVICE_IP = localhost
THEOS_DEVICE_PORT = 2222
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0
include /opt/theos/makefiles/common.mk
TWEAK_NAME = PreferencesCrack
PreferencesCrack_FILES = Tweak.xm
PreferencesCrack_LIBRARIES = MobileGestalt
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
install.exec "killall -9 SpringBoard"