首頁
社區(qū)
課程
招聘
frida -U -f 進(jìn)程名 --no-pause -l hook腳本時(shí)報(bào)“Process crashed: Illegal instruction”
cowkx 2021-6-30 3856

我在用frida -U -f 進(jìn)程名 --no-pause -l hook腳本 命令啟動(dòng)程序并hook時(shí)frida報(bào)"Process crashed: Illegal instruction"。后面我發(fā)現(xiàn)要hook的應(yīng)用對(duì)libart.so中的一些函數(shù)進(jìn)行了inline hook,不知道與這個(gè)是否有關(guān)。而我需要hook的位置會(huì)在程序啟動(dòng)過程中觸發(fā),啟動(dòng)完了就過了時(shí)機(jī)了。路過的大神能忙指點(diǎn)指點(diǎn)嗎,小女在此先謝過了
具體報(bào)錯(cuò)如下:
Spawned 進(jìn)程名略. Use %resume to let the main thread start executing!
[Pixel::進(jìn)程名略]-> %resume
[Pixel::進(jìn)程名略]-> Process crashed: Illegal instruction



 

Build fingerprint: 'google/sailfish/sailfish:9/PQ3A.190705.001/5565753:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 20084, tid: 20084, name: re-initialized> >>> <pre-initialized> <<<
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xea7ea000
r0 7194f354 r1 12c459c0 r2 12e87010 r3 713d5870
r4 acc2f3ff r5 12e87010 r6 12c459c0 r7 12c45b08
r8 00000000 r9 e70c7000 r10 12e87058 r11 00000001
ip 7131d358 sp ffdd8110 lr 73510b1f pc ea7ea000

 

backtrace:

#00 pc 00000000  <anonymous:ea7ea000>
#01 pc 00756b1d  /system/framework/arm/boot-framework.oat (offset 0x3ab000) (android.app.ActivityThread$H.handleMessage+6140)
#02 pc 0090e701  /system/framework/arm/boot-framework.oat (offset 0x765000) (android.os.Handler.dispatchMessage+136)
#03 pc 00910dfb  /system/framework/arm/boot-framework.oat (offset 0x765000) (android.os.Looper.loop+1162)
#04 pc 0075fdf3  /system/framework/arm/boot-framework.oat (offset 0x3ab000) (android.app.ActivityThread.main+674)
#05 pc 0040d575  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_stub_internal+68)
#06 pc 003e6c93  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_static_stub+222)
#07 pc 000a1027  /system/lib/libart.so (offset 0x95000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+154)
#08 pc 00347ac5  /system/lib/libart.so (offset 0x305000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
#09 pc 00348f15  /system/lib/libart.so (offset 0x305000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned int)+1024)
#10 pc 002fb0c5  /system/lib/libart.so (offset 0x2b0000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+40)
#11 pc 0011226f  /system/framework/arm/boot.oat (offset 0x10c000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+110)
#12 pc 00a0aa33  /system/framework/arm/boot-framework.oat (offset 0x765000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+114)
#13 pc 00a1091d  /system/framework/arm/boot-framework.oat (offset 0x765000) (com.android.internal.os.ZygoteInit.main+2836)
#14 pc 0040d575  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_stub_internal+68)
#15 pc 003e6c93  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_static_stub+222)
#16 pc 000a1027  /system/lib/libart.so (offset 0x95000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+154)
#17 pc 00347ac5  /system/lib/libart.so (offset 0x305000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
#18 pc 003478ef  /system/lib/libart.so (offset 0x305000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+310)
#19 pc 0028eb11  /system/lib/libart.so (offset 0x1d6000) (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+444)
#20 pc 0006cb4b  /system/lib/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+30)
#21 pc 0006eda3  /system/lib/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+458)
#22 pc 00001989  /system/bin/app_process32 (main+728)
#23 pc 0008ae3d  /system/lib/libc.so (offset 0x66000) (__libc_init+48)
#24 pc 0000166f  /system/bin/app_process32 (_start_main+38)
#25 pc 00000306  <anonymous:eac9b000>

 

[Pixel::進(jìn)程名略]->

收藏
2條回答
mb_izaswxak 2021-6-30

個(gè)人觀點(diǎn):你先把你自己的關(guān)于native HOOK的代碼先去,然后運(yùn)行看看,如果不崩說明是你代碼的問題,如果崩了就有可能是反frida

回復(fù)
cowkx: 已經(jīng)能確定不是自身Hook代碼問題,想知道具體anti    hook是什么,怎么去掉
回復(fù) 2021-7-1
cowkx 2021-7-1 2021-7-1編輯

我dump出libart.so,用比較工具查看發(fā)現(xiàn)以下函數(shù)開頭被修改了,高手能看出它什么目的嗎?
EXPORT _ZN3art11ClassLinkerC2EPNS_11InternTableE
EXPORT _ZN3art11ClassLinker22FixupStaticTrampolinesENS_6ObjPtrINS_6mirror5ClassEEE
EXPORT _ZN3art2gc4Heap13PreZygoteForkEv
WEAK _ZN3art9hiddenapi6detail19GetMemberActionImplINS_8ArtFieldEEENS0_6ActionEPT_NS_20HiddenApiAccessFlags7ApiListES4_NS0_12AccessMethodE
WEAK _ZN3art9hiddenapi6detail19GetMemberActionImplINS_9ArtMethodEEENS0_6ActionEPT_NS_20HiddenApiAccessFlags7ApiListES4_NS0_12AccessMethodE
EXPORT _ZN3art6mirror5Class15IsInSamePackageENS_6ObjPtrIS1_EE
EXPORT _ZN3art14OatFileManager24SetOnlyUseSystemOatFilesEv
EXPORT _ZN3art7Runtime4InitEONS_18RuntimeArgumentMapE

回復(fù)
cowkx: 我把應(yīng)用對(duì)libart.so  libandroid_runtime.so所做的inline  hook都做了還原,已經(jīng)可以"frida  -U  -f    進(jìn)程名  --no-pause  -l  腳本"了,但是依然沒有解決最終問題。hook一個(gè)java方法,它明明在另一個(gè)方法的調(diào)用棧中,但是hook確沒有反應(yīng),不知為何。ida動(dòng)態(tài)調(diào)試時(shí)會(huì)在調(diào)試得到不同地方時(shí),程序報(bào)無反應(yīng),讓選擇關(guān)閉還是等待,這是哪類反調(diào)試呢,怎么確定反調(diào)是代碼的位置呢?(很多so,  有3個(gè)進(jìn)程)
回復(fù) 2021-7-1