怎么hook C++类的方法?

技能讨论
1

看了《iOS应用逆向工程》这书,后里面有hook OC类方法,但是怎么才能hook C++类的方法呢?

1 个赞
2

MSHookFunction

static void (*original_CFShow)(CFTypeRef obj); // a function pointer to store the original CFShow().
void replaced_CFShow(CFTypeRef obj) { // our replacement of CFShow().
printf(“Calling original CFShow(%p)…”, obj);
original_CFShow(obj); // calls the original CFShow.
printf(" done.\n");
}

// hook CFShow to our own implementation.
MSHookFunction(CFShow, replaced_CFShow, &original_CFShow);
http://iphonedevwiki.net/index.php/MobileSubstrate

3

大致的方法就是@hali 提到的MSHookFunction,但这里面还有坑。你直接说具体的例子吧,别人也好直接给出代码

4

什么坑,请提醒,免得日后掉坑里面:lol:

5

就是当hook的是个private symbol时,需要用MSFindSymbol来找到符号地址,直接dlopen或extern是不行的

1 个赞
6

大神 hook framework 是c的方法时,MSHookFunction也是卸载tweak.xm里面么?还是小白一个啊,不知道怎么下手,一直报错,可否写个小小的demo,我现在要hook的是CFNetwork里面CHTTP发送http request的方法,参照http://iphonedevwiki.net/index.php/MobileSubstrate一直报错

7

假如你要hook的C函数原型是void Foo(int bar),那么参考其官方文档,MSHookFunction的写法是:

#include <substrate.h>

void (*oldFoo)(int);

void newFoo(int bar)
{
    printf("Foo is hooked");
    oldFoo(bar);
}

%ctor
{
    MSHookFunction(&Foo, &newFoo, &oldFoo);
}
1 个赞
8

大神 我的还在报错 求解答

Making all for tweak hookCFNetWork...
 Preprocessing Tweak.xm...
 Compiling Tweak.xm...
 Linking tweak hookCFNetWork...
Undefined symbols for architecture armv7:
  "_CFHTTPMessageCreateRequest", referenced from:
      _logosLocalCtor_98f13708() in Tweak.xm.cb47dfa8.o
     (maybe you meant: _original_CFHTTPMessageCreateRequest, __Z35replaced_CFHTTPMessageCreateRequestPK13__CFAllocatorlPK10__CFStringS4_ )
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [obj/hookCFNetWork.dylib.ba964c90.unsigned] Error 1
make[1]: *** [internal-library-all_] Error 2

我的Tweak.xm

#include <CFNetwork/CFHTTPMessage.h>
#include <CoreFoundation/CFBase.h>
#include <CoreFoundation/CFURL.h>
#include <substrate.h>

CFHTTPMessageRef (*original_CFHTTPMessageCreateRequest)(CFAllocatorRef alloc,CFIndex statusCode,CFStringRef statusDescription,CFStringRef httpVersion);
CFHTTPMessageRef replaced_CFHTTPMessageCreateRequest(CFAllocatorRef alloc,CFIndex statusCode,CFStringRef statusDescription,CFStringRef httpVersion)
{
   printf("http request is send\n");
   return original_CFHTTPMessageCreateRequest(alloc,statusCode,statusDescription,httpVersion);
}
%ctor
{
  MSHookFunction((void *)CFHTTPMessageCreateRequest,(void *)replaced_CFHTTPMessageCreateRequest,(void * *)&original_CFHTTPMessageCreateRequest);
}

Makefile里面

THEOS_DEVICE_IP= 10.1.29.13
ARCHS = armv7
include theos/makefiles/common.mk

TWEAK_NAME = hookCFNetWork
hookCFNetWork_FILES = Tweak.xm
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation
include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
        install.exec "killall -9 com.apple.mobilephone"

手机是iphone4s 系统7.0 sdk是7.1跪求大神指点

9

这是常见的未定义字符错误,提示找不到CFHTTPMessageCreateRequest。这个符号应该是来自CoreServices的,你试试看把Makefile的

hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation

改成

hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation CoreServices
10

改了还是报一样的错误噢大神 CFHTTPMessageCreateRequest是CFNetwork框架里面的 头文件是CFHTTPMessage.h 是用来创建http请求的

11

刚注意到,你的Makefile里没指定SDK啊,在ARCHS下面加一行

TARGET = iphone:7.0:7.0
12

不好意思。。。忘了 现在加上去了还是报这个错误:3_41:我都不好意思打扰你了大神

THEOS_DEVICE_IP= 10.1.29.13
ARCHS = armv7
TARGET = iphone:7.1:7.0
include theos/makefiles/common.mk

TWEAK_NAME = hookCFNetWork
hookCFNetWork_FILES = Tweak.xm
hookCFNetwork_FRAMEWORKS= CFNetwork CoreFoundation CoreServices Foundation

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
install.exec “killall -9 com.apple.mobilephone”

13

CoreServices加上去不对,iOS里没这个framework,我完全复制粘贴你的代码,把CoreServices去掉后编译通过了……你去掉CoreServices试试,如果还报错的话把错误po上来

14

确实没CoreServices这个framework 不过去掉了还是报错 错误一直没变 然后我新建了个工程 复制代码过去编译成功了。。。。:3_45: 我也不晓得为什么 谢谢大神了 非常感谢这么耐心的指点

16
  1. getifaddrs并不是一个private symbol,你不需要MSFindSymbol;
  2. 第22行,你通过MSFindSymbol找到的symbol应该是MSHookFunction的第一个参数,不是第三个参数;
  3. 编译不通过,还有什么比把错误po上来更方便别人查错的?
17

非常感谢,根据编译错误提示强制转换函数类型后,已能编译通过
但运行时异常退出,还请帮忙看看

#include <substrate.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ifaddrs.h>
#include <string>
#include <arpa/inet.h>


int *(*original_getifaddrs)(struct ifaddrs **ifap);

int *new_getifaddrs(struct ifaddrs **ifap)
{
        NSLog(@"new getifaddress");
        return original_getifaddrs(ifap);
}

%ctor {
        NSLog(@"This is inject ");
        MSImageRef image;
        image = MSGetImageByName("usr/lib/system/libsystem_info.dylib");

        original_getifaddrs = (int *(*)(struct ifaddrs **))MSFindSymbol(image, "_getifmaddrs");
        MSHookFunction((void*)&original_getifaddrs, (void *)&new_getifaddrs,(void **)&original_getifaddrs);
}

异常日志如下:
Path: /var/mobile/Applications/827F81BC-6F6E-47C1-9A9C-D42416D54ECC/D5.app/D5
Identifier: D5
Version: ??? (???)
Code Type: ARM (Native)
Parent Process: launchd [1]

Date/Time: 2014-05-08 11:15:36.817 +0800
OS Version: iOS 6.1.5 (10B400)
Report Version: 104

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001
Crashed Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 Testday.dylib 0x00163ee8 0x163000 + 3816
1 dyld 0x2fef25b6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 154
2 dyld 0x2fef26c4 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 16
3 dyld 0x2feefa3a ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 382
4 dyld 0x2feef874 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 36
5 dyld 0x2fee8ff4 dyld::runInitializers(ImageLoader*) + 72
6 dyld 0x2feeca3e dlopen + 1158
7 libdyld.dylib 0x3bc58946 dlopen + 46
8 SubstrateLoader.dylib 0x0013f1ae 0x13d000 + 8622
9 SubstrateLoader.dylib 0x0013f474 0x13d000 + 9332
10 dyld 0x2fef25b6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 154
11 dyld 0x2fef26c4 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 16
12 dyld 0x2feefa3a ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 382

18

下次粘贴代码时注意格式。你的问题在于MSHookFunction用错了,好好看一下saurik提供的官方文档吧,不然你还是记不住

20

楼主你好,我也基本是个小白,正好要开发基于cfnetwork层的网络请求时间监听,能给发个hook 底层的小demo或者类么,18211130861@126.com, 3Q,

21 
请问我这样hook c的接口哪块有问题吗?MGCopyAnswer应该是private symbol吧?

现在编译通过了,但是hook失败了,也没有报错原因
环境是:ios8.3,iphone5
NSString* (OrigMGCopyAnswer)(NSString);

NSString* HookMGCopyAnswer(NSString* key)
{
    printf("MGCopyAnswer is hooked.");
    return OrigMGCopyAnswer(key);
}

%ctor
{
    printf("MGCopyAnswer is init.");
    MSImageRef image = MSGetImageByName("/usr/lib/libMobileGestalt.dylib");
    MSHookFunction((void *)MSFindSymbol(image, "MGCopyAnswer"), (void *)HookMGCopyAnswer, (void **)&OrigMGCopyAnswer);
    %init;
}

以及makefile
THEOS_DEVICE_IP = localhost
THEOS_DEVICE_PORT = 2222
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0

include /opt/theos/makefiles/common.mk

TWEAK_NAME = PreferencesCrack
PreferencesCrack_FILES = Tweak.xm
PreferencesCrack_LIBRARIES = MobileGestalt

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
install.exec "killall -9 SpringBoard"