0x1 開始
Anddroid上的ART從5.0之後變成默認的選擇,可見ART的重要性,目前關於Dalvik Hook方面研究的文章很多,但我在網上卻找不到關於ART Hook相關的文章,甚至連鼎鼎大名的XPosed和Cydia Substrate到目前為止也不支持ART的Hook。當然我相信,技術方案他們肯定是的,估計卡在機型適配上的了。
既然網上找不到相關的資料,於是我決定自己花些時間去研究一下,終於黃天不負有心人,我找到了一個切實可行的方法,即本文所介紹的方法。
應該說明的是本文所介紹的方法肯定不是最好的,但大家看完本文之後,如果能啟發大家找到更好的ART Hook方法,那我拋磚引壞話的目的就達到了。廢話不多說,我們開始吧。
運行環境: 4.4.2 ART模式的模擬器 開發環境: Mac OS X 10.10.3
0x2 ART類方法加載及執行
在ART中類方法的執行要比在Dalvik中要復雜得多,Dalvik如果除去JIT部分,可以理解為是一個解析執行的虛擬機,而ART則同時包含本地指令執行和解析執行兩種模式,同時所生成的oat文件也包含兩種類型,分別是portable和quick。portable和quick的主要區別是對於方法的加載機制不相同,quick大量使用了Lazy Load機制,因此應用的啟動速度更快,但加載流程更復雜。其中quick是作為默認選項,因此本文所涉及的技術分析都是基於quick類型的。
由於ART存在本地指令執行和解析執行兩種模式,因此類方法之間並不是能直接跳轉的,而是通過一些預先定義的bridge函數進行狀態和上下文的切換,這裡引用一下老羅博客中的示意圖:
![執行示意圖](https://www.android5.online/Android/UploadFiles_5356/201702/2017022314281812.png "\")
<�喎?/kf/ware/vc/" target="_blank" class="keylink">vcD4NCjxwPrWx1rTQ0MSzuPa3vbeoyrGjrMjnufu1scewysexvrXY1rjB7ta00NDEo8q9o6zU8rvh1rTQ0DxzdHJvbmc+QXJ0TWV0aG9kOjpHZXRFbnRyeVBvaW50RnJvbUNvbXBpbGVkQ29kZSgpPC9zdHJvbmc+1rjP8rXEuq/K/aOst/HU8tTy1rTQ0DxzdHJvbmc+QXJ0TWV0aG9kOjpHZXRFbnRyeVBvaW50RnJvbUludGVycHJldGVyKCk8L3N0cm9uZz7WuM/ytcS6r8r9oaPS8rTLw7+49re9t6ijrLa809DBvbj2yOu/2rXjo6y31rHwsaO05tTaPHN0cm9uZz5BcnRNZXRob2Q6OmVudHJ5X3BvaW50X2Zyb21fY29tcGlsZWRfY29kZV88L3N0cm9uZz66zTxzdHJvbmc+QXJ0TWV0aG9kOjplbnRyeV9wb2ludF9mcm9tX2ludGVycHJldGVyXzwvc3Ryb25nPqGjwcu94tXi0ru147fHs6PW2NKqo6y688PmztLDx9b30qq+zcrH1NrV4sG9uPbI67/a1/bOxNXCoaM8L3A+DQo8cD7U2r2yyvbUrcDt1q7HsKOs0OjSqs/IsNHS1M/Cwb249sH3s8zBy73ix+Wz/qOs1eLA77XExNrI3dKq1bm/qsrHt8ezo8XTtPO1xKOsztLV67bUSG9va7XEudi8/LXjo6y88sP3tvPSqrXEw+jK9tK7z8KjrLWru7nKx8e/wdK9qNLptPO80silwM/C3rXEsqm/zcDvz7i2wdK7z8LG5NbQudjT2kFSVLXEvLjGqs7E1cKhozwvcD4NCjxzdHJvbmc+QXJ0TWV0aG9kvNPU2MH3s8w8L3N0cm9uZz4NCjxwPtXiuPa5/bPMt6LJ+tTab2F0sbvXsNTYvfjE2rTmsqK9+NDQwOC3vbeowbS907XEyrG68qOswOC3vbeowbS907XEtPrC69TaYXJ0L3J1bnRpbWUvY2xhc3NfbGlua2VyLmNj1tC1xExpbmtDb2Rlo6zI58/Cy/nKvqO6PC9wPg0KPHByZSBjbGFzcz0="brush:java;">
static void LinkCode(SirtRef& method, const OatFile::OatClass* oat_class, uint32_t method_index)
SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {
// Method shouldn't have already been linked.
DCHECK(method->GetEntryPointFromCompiledCode() == NULL);
// Every kind of method should at least get an invoke stub from the oat_method.
// non-abstract methods also get their code pointers.
const OatFile::OatMethod oat_method = oat_class->GetOatMethod(method_index);
// 這裡默認會把method::entry_point_from_compiled_code_設置oatmethod的code
oat_method.LinkMethod(method.get());
// Install entry point from interpreter.
Runtime* runtime = Runtime::Current();
bool enter_interpreter = NeedsInterpreter(method.get(), method->GetEntryPointFromCompiledCode()); //判斷方法是否需要解析執行
// 設置解析執行的入口點
if (enter_interpreter) {
method->SetEntryPointFromInterpreter(interpreter::artInterpreterToInterpreterBridge);
} else {
method->SetEntryPointFromInterpreter(artInterpreterToCompiledCodeBridge);
}
// 下面是設置本地指令執行的入口點
if (method->IsAbstract()) {
method->SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
return;
}
// 這裡比較難理解,如果是靜態方法,但不是clinit,但需要把entry_point_from_compiled_code_設置為GetResolutionTrampoline的返回值
if (method->IsStatic() && !method->IsConstructor()) {
// For static methods excluding the class initializer, install the trampoline.
// It will be replaced by the proper entry point by ClassLinker::FixupStaticTrampolines
// after initializing class (see ClassLinker::InitializeClass method).
method->SetEntryPointFromCompiledCode(GetResolutionTrampoline(runtime->GetClassLinker()));
} else if (enter_interpreter) {
// Set entry point from compiled code if there's no code or in interpreter only mode.
method->SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
}
if (method->IsNative()) {
// Unregistering restores the dlsym lookup stub.
method->UnregisterNative(Thread::Current());
}
// Allow instrumentation its chance to hijack code.
runtime->GetInstrumentation()->UpdateMethodsCode(method.get(),method->GetEntryPointFromCompiledCode());
}
通過上面的代碼我們可以得到,一個ArtMethod的入口主要有以下幾種:
Interpreter2Interpreter對應artInterpreterToInterpreterBridge(art/runtime/interpreter/interpreter.cc); Interpreter2CompledCode對應artInterpreterToCompiledCodeBridge(/art/runtime/entrypoints/interpreter/interpreter_entrypoints.cc); CompliedCode2Interpreter對應art_quick_to_interpreter_bridge(art/runtime/arch/arm/quick_entrypoints_arm.S); CompliedCode2ResolutionTrampoline對應art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S); CompliedCode2CompliedCode這個入口是直接指向oat中的指令,詳細可見OatMethod::LinkMethod;
其中調用約定主要有兩種,分別是:
typedef void (
EntryPointFromInterpreter)(Thread* self, MethodHelper& mh, const DexFile::CodeItem* code_item, ShadowFrame* shadow_frame, JValue* result), 這種對應上述1,3兩種入口;
剩下的2,4,5三種入口對應的是CompledCode的入口,代碼中並沒有直接給出,但我們通過分析ArtMethod::Invoke的方法調用,就可以知道其調用約定了。Invoke過程中會調用art_quick_invoke_stub(/art/runtime/arch/arm/quick_entrypoints_arm.S),代碼如下所示:
/*
* Quick invocation stub.
* On entry:
* r0 = method pointer
* r1 = argument array or NULL for no argument methods
* r2 = size of argument array in bytes
* r3 = (managed) thread pointer
* [sp] = JValue* result
* [sp + 4] = result type char
*/
ENTRY art_quick_invoke_stub
push {r0, r4, r5, r9, r11, lr} @ spill regs
.save {r0, r4, r5, r9, r11, lr}
.pad #24
.cfi_adjust_cfa_offset 24
.cfi_rel_offset r0, 0
.cfi_rel_offset r4, 4
.cfi_rel_offset r5, 8
.cfi_rel_offset r9, 12
.cfi_rel_offset r11, 16
.cfi_rel_offset lr, 20
mov r11, sp @ save the stack pointer
.cfi_def_cfa_register r11
mov r9, r3 @ move managed thread pointer into r9
mov r4, #SUSPEND_CHECK_INTERVAL @ reset r4 to suspend check interval
add r5, r2, #16 @ create space for method pointer in frame
and r5, #0xFFFFFFF0 @ align frame size to 16 bytes
sub sp, r5 @ reserve stack space for argument array
add r0, sp, #4 @ pass stack pointer + method ptr as dest for memcpy
bl memcpy @ memcpy (dest, src, bytes)
ldr r0, [r11] @ restore method*
ldr r1, [sp, #4] @ copy arg value for r1
ldr r2, [sp, #8] @ copy arg value for r2
ldr r3, [sp, #12] @ copy arg value for r3
mov ip, #0 @ set ip to 0
str ip, [sp] @ store NULL for method* at bottom of frame
ldr ip, [r0, #METHOD_CODE_OFFSET] @ get pointer to the code
blx ip @ call the method
mov sp, r11 @ restore the stack pointer
ldr ip, [sp, #24] @ load the result pointer
strd r0, [ip] @ store r0/r1 into result pointer
pop {r0, r4, r5, r9, r11, lr} @ restore spill regs
.cfi_adjust_cfa_offset -24
bx lr
END art_quick_invoke_stub
“ldr ip, [r0, #METHOD_CODE_OFFSET]”其實就是把ArtMethod::entry_point_from_compiled_code_賦值給ip,然後通過blx直接調用。通過這段小小的匯編代碼,我們得出如下堆棧的布局:
-(low)
| caller(Method *) | <- sp
| arg1 | <- r1
| arg2 | <- r2
| arg3 | <- r3
| ... |
| argN |
| callee(Method *) | <- r0
+(high)
這種調用約定並不是平時我們所見的調用約定,主要體現在參數當超過4時,並不是從sp開始保存,而是從sp + 20這個位置開始存儲,所以這就是為什麼在代碼裡entry_point_from_compiled_code_的類型是void *的原因了,因為無法用代碼表示。
理解好這個調用約定對我們方案的實現至頭重要。
ArtMethod執行流程
上面詳細講述了類方法加載和鏈接的過程,但在實際執行的過程中,其實還不是直接調用ArtMethod的entry_point(解析執行和本地指令執行的入口),為了加快執行速度,ART為oat文件中的每個dex創建了一個DexCache(art/runtime/mirror/dex_cache.h)結構,這個結構會按dex的結構生成一系列的數組,這裡我們只分析它裡面的methods字段。 DexCache初始化的方法是Init,實現如下:
void DexCache::Init(const DexFile* dex_file,
String* location,
ObjectArray* strings,
ObjectArray* resolved_types,
ObjectArray* resolved_methods,
ObjectArray* resolved_fields,
ObjectArray* initialized_static_storage) {
//...
//...
Runtime* runtime = Runtime::Current();
if (runtime->HasResolutionMethod()) {
// Initialize the resolve methods array to contain trampolines for resolution.
ArtMethod* trampoline = runtime->GetResolutionMethod();
size_t length = resolved_methods->GetLength();
for (size_t i = 0; i < length; i++) {
resolved_methods->SetWithoutChecks(i, trampoline);
}
}
}
根據dex方法的個數,產生相應長度resolved_methods數組,然後每一個都用Runtime::GetResolutionMethod()返回的結果進行填充,這個方法是由Runtime::CreateResolutionMethod產生的,代碼如下:
mirror::ArtMethod* Runtime::CreateResolutionMethod() {
mirror::Class* method_class = mirror::ArtMethod::GetJavaLangReflectArtMethod();
Thread* self = Thread::Current();
SirtRef
method(self, down_cast(method_class->AllocObject(self)));
method->SetDeclaringClass(method_class);
// TODO: use a special method for resolution method saves
method->SetDexMethodIndex(DexFile::kDexNoIndex);
// When compiling, the code pointer will get set later when the image is loaded.
Runtime* r = Runtime::Current();
ClassLinker* cl = r->GetClassLinker();
method->SetEntryPointFromCompiledCode(r->IsCompiler() ? NULL : GetResolutionTrampoline(cl));
return method.get();
}
從method->SetDexMethodIndex(DexFile::kDexNoIndex)這句得知,所有的ResolutionMethod的methodIndexDexFile::kDexNoIndex。而ResolutionMethod的entrypoint就是我們上面入口分析中的第4種情況,GetResolutionTrampoline最終返回的入口為art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S)。我們看一下其實現代碼:
.extern artQuickResolutionTrampoline
ENTRY art_quick_resolution_trampoline
SETUP_REF_AND_ARGS_CALLEE_SAVE_FRAME
mov r2, r9 @ pass Thread::Current
mov r3, sp @ pass SP
blx artQuickResolutionTrampoline @ (Method* called, receiver, Thread*, SP)
cbz r0, 1f @ is code pointer null? goto exception
mov r12, r0
ldr r0, [sp, #0] @ load resolved method in r0
ldr r1, [sp, #8] @ restore non-callee save r1
ldrd r2, [sp, #12] @ restore non-callee saves r2-r3
ldr lr, [sp, #44] @ restore lr
add sp, #48 @ rewind sp
.cfi_adjust_cfa_offset -48
bx r12 @ tail-call into actual code
1:
RESTORE_REF_AND_ARGS_CALLEE_SAVE_FRAME
DELIVER_PENDING_EXCEPTION
END art_quick_resolution_trampoline
調整好寄存器後,直接跳轉至artQuickResolutionTrampoline(art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc),接下來我們分析這個方法的實現(大家不要暈了。。。,我會把無關緊要的代碼去掉):
// Lazily resolve a method for quick. Called by stub code.
extern C const void* artQuickResolutionTrampoline(mirror::ArtMethod* called,
mirror::Object* receiver,
Thread* thread, mirror::ArtMethod** sp)
SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {
FinishCalleeSaveFrameSetup(thread, sp, Runtime::kRefsAndArgs);
// Start new JNI local reference state
JNIEnvExt* env = thread->GetJniEnv();
ScopedObjectAccessUnchecked soa(env);
ScopedJniEnvLocalRefState env_state(env);
const char* old_cause = thread->StartAssertNoThreadSuspension(Quick method resolution set up);
// Compute details about the called method (avoid GCs)
ClassLinker* linker = Runtime::Current()->GetClassLinker();
mirror::ArtMethod* caller = QuickArgumentVisitor::GetCallingMethod(sp);
InvokeType invoke_type;
const DexFile* dex_file;
uint32_t dex_method_idx;
if (called->IsRuntimeMethod()) {
//...
//...
} else {
invoke_type = kStatic;
dex_file = &MethodHelper(called).GetDexFile();
dex_method_idx = called->GetDexMethodIndex();
}
//...
// Resolve method filling in dex cache.
if (called->IsRuntimeMethod()) {
called = linker->ResolveMethod(dex_method_idx, caller, invoke_type);
}
const void* code = NULL;
if (LIKELY(!thread->IsExceptionPending())) {
//...
linker->EnsureInitialized(called_class, true, true);
//...
}
// ...
return code;
}
inline bool ArtMethod::IsRuntimeMethod() const {
return GetDexMethodIndex() == DexFile::kDexNoIndex;
}
called->IsRuntimeMethod()用於判斷當前方法是否為ResolutionMethod。如果當前ResolutionMethod,那麼就走ClassLinker::ResolveMethod流程去獲取真正的方法,見代碼:
mirror::ArtMethod* ClassLinker::ResolveMethod(const DexFile& dex_file,
uint32_t method_idx,
mirror::DexCache* dex_cache,
mirror::ClassLoader* class_loader,
const mirror::ArtMethod* referrer,
InvokeType type) {
DCHECK(dex_cache != NULL);
// Check for hit in the dex cache.
mirror::ArtMethod* resolved = dex_cache->GetResolvedMethod(method_idx);
if (resolved != NULL) {
return resolved;
}
// Fail, get the declaring class.
const DexFile::MethodId& method_id = dex_file.GetMethodId(method_idx);
mirror::Class* klass = ResolveType(dex_file, method_id.class_idx_, dex_cache, class_loader);
if (klass == NULL) {
DCHECK(Thread::Current()->IsExceptionPending());
return NULL;
}
// Scan using method_idx, this saves string compares but will only hit for matching dex
// caches/files.
switch (type) {
case kDirect: // Fall-through.
case kStatic:
resolved = klass->FindDirectMethod(dex_cache, method_idx);
break;
case kInterface:
resolved = klass->FindInterfaceMethod(dex_cache, method_idx);
DCHECK(resolved == NULL || resolved->GetDeclaringClass()->IsInterface());
break;
case kSuper: // Fall-through.
case kVirtual:
resolved = klass->FindVirtualMethod(dex_cache, method_idx);
break;
default:
LOG(FATAL) << Unreachable - invocation type: << type;
}
if (resolved == NULL) {
// Search by name, which works across dex files.
const char* name = dex_file.StringDataByIdx(method_id.name_idx_);
std::string signature(dex_file.CreateMethodSignature(method_id.proto_idx_, NULL));
switch (type) {
case kDirect: // Fall-through.
case kStatic:
resolved = klass->FindDirectMethod(name, signature);
break;
case kInterface:
resolved = klass->FindInterfaceMethod(name, signature);
DCHECK(resolved == NULL || resolved->GetDeclaringClass()->IsInterface());
break;
case kSuper: // Fall-through.
case kVirtual:
resolved = klass->FindVirtualMethod(name, signature);
break;
}
}
if (resolved != NULL) {
// Be a good citizen and update the dex cache to speed subsequent calls.
dex_cache->SetResolvedMethod(method_idx, resolved);
return resolved;
} else {
// ...
}
}
其實這裡發生的是一個“連鎖反應”。ClassLinker::ResolveType走的其實是類似解析流程,有興趣的朋友可以跟一下。
找到解析後的klass,再經過一輪瘋狂的搜索,把找到的resolved通過DexCache::SetResolvedMethod覆蓋掉之前的“替身”。當再下次再通過ResolveMethod解析方法時,就可以直接把該方法返回,不需要再解析了。
我們回過頭來再重新“復現”一下這個過程,當我們首次調用某個類方法,其過程如下所示:
調用ResolutionMethod的entrypoint,進入art_quick_resolution_trampoline; art_quick_resolution_trampoline跳轉到artQuickResolutionTrampoline; artQuickResolutionTrampoline調用ClassLinker::ResolveMethod解析類方法; ClassLinker::ResolveMethod調用ClassLinkder::ResolveType解析類,再從解析好的類尋找真正的方法; 調用DexCache::SetResolvedMethod,用真正的方法覆蓋掉“替身”方法; 調用真正方法的entrypoint代碼;
也許你會問,為什麼要把過程搞得這麼繞? 一切都是為了延遲加載,提高啟動速度,這個過程跟ELF Linker的PLT/GOT符號重定向的過程是何其相似啊,所以技術都是想通的,一通百明。
0x3 Hook ArtMethod
通過上述ArtMethod加載和執行兩個流程的分析,對於如何Hook ArtMethod,我想到了兩個方案,分別
修改DexCach裡的methods,把裡面的entrypoint修改為自己的,做一個中轉處理; 直接修改加載後的ArtMethod的entrypoint,同樣做一個中轉處理;
上面兩個方法都是可行的,但由於我希望整個項目可以在NDK環境(而不是在源碼下)下編譯,因為就采用了方案2,因為通過JNI的接口就可以直接獲取解析之後的ArtMethod,可以減少很多文件依賴。
回到前面的調用約定,每個ArtMethod都有兩個約定,按道理我們應該准備兩個中轉函數的,但這裡我們不考慮強制解析模式執行,所以只要處理好entry_point_from_compiled_code的中轉即可。
首先,我們找到對應的方法,先保存其entrypoint,然後再把我們的中轉函數art_quick_dispatcher覆蓋,代碼如下所示:
extern int __attribute__ ((visibility (hidden))) art_java_method_hook(JNIEnv* env, HookInfo *info) {
const char* classDesc = info->classDesc;
const char* methodName = info->methodName;
const char* methodSig = info->methodSig;
const bool isStaticMethod = info->isStaticMethod;
// TODO we can find class by special classloader what do just like dvm
jclass claxx = env->FindClass(classDesc);
if(claxx == NULL){
LOGE([-] %s class not found, classDesc);
return -1;
}
jmethodID methid = isStaticMethod ?
env->GetStaticMethodID(claxx, methodName, methodSig) :
env->GetMethodID(claxx, methodName, methodSig);
if(methid == NULL){
LOGE([-] %s->%s method not found, classDesc, methodName);
return -1;
}
ArtMethod *artmeth = reinterpret_cast(methid);
if(art_quick_dispatcher != artmeth->GetEntryPointFromCompiledCode()){
uint64_t (*entrypoint)(ArtMethod* method, Object *thiz, u4 *arg1, u4 *arg2);
entrypoint = (uint64_t (*)(ArtMethod*, Object *, u4 *, u4 *))artmeth->GetEntryPointFromCompiledCode();
info->entrypoint = (const void *)entrypoint;
info->nativecode = artmeth->GetNativeMethod();
artmeth->SetEntryPointFromCompiledCode((const void *)art_quick_dispatcher);
// save info to nativecode :)
artmeth->SetNativeMethod((const void *)info);
LOGI([+] %s->%s was hooked
, classDesc, methodName);
}else{
LOGW([*] %s->%s method had been hooked, classDesc, methodName);
}
return 0;
}
我們關鍵的信息保存在通過ArtMethod::SetNativeMethod保存起來了。
考慮到ART特殊的調用約定,art_quick_dispatcher只能用匯編實現了,把寄存器適當的調整了一下,再跳轉到另一個函數artQuickToDispatcher,這樣就可以很方便用c/c++訪問參數了。
先看一下art_quick_dispatcher函數的實現如下:
/*
* Art Quick Dispatcher.
* On entry:
* r0 = method pointer
* r1 = arg1
* r2 = arg2
* r3 = arg3
* [sp] = method pointer
* [sp + 4] = addr of thiz
* [sp + 8] = addr of arg1
* [sp + 12] = addr of arg2
* [sp + 16] = addr of arg3
* and so on
*/
.extern artQuickToDispatcher
ENTRY art_quick_dispatcher
push {r4, r5, lr} @ sp - 12
mov r0, r0 @ pass r0 to method
str r1, [sp, #(12 + 4)]
str r2, [sp, #(12 + 8)]
str r3, [sp, #(12 + 12)]
mov r1, r9 @ pass r1 to thread
add r2, sp, #(12 + 4) @ pass r2 to args array
add r3, sp, #12 @ pass r3 to old SP
blx artQuickToDispatcher @ (Method* method, Thread*, u4 **, u4 **)
pop {r4, r5, pc} @ return on success, r0 and r1 hold the result
END art_quick_dispatcher
我把r2指向參數數組,這樣就我們就可以非常方便的訪問所有參數了。另外,我用r3保存了舊的sp地址,這樣是為後面調用原來的entrypoint做准備的。我們先看看artQuickToDispatcher的實現:
extern C uint64_t artQuickToDispatcher(ArtMethod* method, Thread *self, u4 **args, u4 **old_sp){
HookInfo *info = (HookInfo *)method->GetNativeMethod();
LOGI([+] entry ArtHandler %s->%s, info->classDesc, info->methodName);
// If it not is static method, then args[0] was pointing to this
if(!info->isStaticMethod){
Object *thiz = reinterpret_cast
這裡參數解析就不詳細說了,接下來是最棘手的事情,如何重新調回原來的entrypoint。
這裡的關鍵是要還原之前的堆棧布局,art_quick_call_entrypoint就是負責完成這個工作的,其實現如下所示:
/*
*
* Art Quick Call Entrypoint
* On entry:
* r0 = method pointer
* r1 = thread pointer
* r2 = args arrays pointer
* r3 = old_sp
* [sp] = entrypoint
*/
ENTRY art_quick_call_entrypoint
push {r4, r5, lr} @ sp - 12
sub sp, #(40 + 20) @ sp - 40 - 20
str r0, [sp, #(40 + 0)] @ var_40_0 = method_pointer
str r1, [sp, #(40 + 4)] @ var_40_4 = thread_pointer
str r2, [sp, #(40 + 8)] @ var_40_8 = args_array
str r3, [sp, #(40 + 12)] @ var_40_12 = old_sp
mov r0, sp
mov r1, r3
ldr r2, =40
blx memcpy @ memcpy(dest, src, size_of_byte)
ldr r0, [sp, #(40 + 0)] @ restore method to r0
ldr r1, [sp, #(40 + 4)]
mov r9, r1 @ restore thread to r9
ldr r5, [sp, #(40 + 8)] @ pass r5 to args_array
ldr r1, [r5] @ restore arg1
ldr r2, [r5, #4] @ restore arg2
ldr r3, [r5, #8] @ restore arg3
ldr r5, [sp, #(40 + 20 + 12)] @ pass ip to entrypoint
blx r5
add sp, #(40 + 20)
pop {r4, r5, pc} @ return on success, r0 and r1 hold the result
END art_quick_call_entrypoint
這裡我偷懶了,直接申請了10個參數的空間,再使用之前傳進入來的old_sp進行恢復,使用memcpy直接復制40字節。之後就是還原r0, r1, r2, r3, r9的值了。調用entrypoint完後,結果保存在r0和r1,再返回給artQuickToDispatcher。
至此,整個ART Hook就分析完畢了。
0x4 4.4與5.X上實現的區別
我的整個方案都是在4.4上測試的,主要是因為我只有4.4的源碼,而且硬盤空間不足,實在裝不下5.x的源碼了。但整個思路,是完全可以套用用5.X上。另外,5.X的實現代碼比4.4上復雜了很多,否能像我這樣在NDK下編譯完成就不知道了。
正常的4.4模擬器是以dalvik啟動的,要到設置裡改為art,這裡會要求進行重啟,但一般無效,我們手動關閉再重新打開就OK了,但需要等上一段時間才可以。
0x5 結束
雖然這篇文章只是介紹了Art Hook的技術方案,但其中的技術原理,對於如何在ART上進行代碼加固、動態代碼原理等等也是很有啟發性。
