Unable to hook certain library calls with MSHookFunction
I'm having trouble using MobileSubstrate's MSHookFunction() to hook certain library function calls.
For example, hooking memcpy and memset causes a crash on app launch; however, hooking memcmp works fine.
I assume that this is because the hooking code itself uses those function calls?
Is there any way to hook memcpy and memset on iOS?
Comments (3)
I never got to the bottom of this. I was thinking that maybe MobileSubstrate calls functions in the same memory page that I'm trying to hook and therefore the mem protections get all messed up.
I got around this by writing my own hooking function.
I got the same situation for memcpy and opendir.
iPhone 5, iOS 6.1.2
MSHookFunction sometimes returns an odd (xxxx3) address as the original routine's address. It's nonsense for ARM.
I've encountered this one as well, and I think the reason for the failure is that the function that the loader returns as dlsym for memcpy is actually not a real function, but a stub for it. I've dumped the address and the bytes, decached libsystem_c and verified that the following function is returned to me by dlsym(RTLD_DEFAULT, "memcpy"):
As you can see, this code is PC-relative, and this is probably why the MSHook fails.
If you try to hook the real function instead, the one that this stub calls, it works.
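The last answer's point, as an added example (not code from the question or any of the answers): this C decoder takes the address dlsym() returned and the first four bytes found there, and reports whether that address holds an unconditional PC-relative branch (ARM B/BL or Thumb-2 B.W/BL) and where it leads, which is the real function to hook. It assumes 32-bit ARM as on the iPhone 5, little-endian instruction bytes, and that an odd address carries the Thumb bit; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool     is_branch; /* first instruction is an unconditional B/BL */
    uint32_t target;    /* branch target, Thumb bit cleared */
} stub_info;

/* ARM (A32) B/BL, cond AL: 1110 101L imm24; target = addr + 8 + signext(imm24)*4. */
static stub_info decode_arm(uint32_t addr, uint32_t insn) {
    stub_info r = { false, 0 };
    if ((insn & 0xFE000000u) != 0xEA000000u) return r;
    uint32_t imm24 = insn & 0x00FFFFFFu;
    if (imm24 & 0x00800000u) imm24 |= 0xFF000000u;   /* sign-extend */
    r.is_branch = true;
    r.target = addr + 8 + (imm24 << 2);              /* wraps mod 2^32 */
    return r;
}

/* Thumb-2 B.W (T4)/BL: hw1 = 11110 S imm10, hw2 = 1 L J1 1 J2 imm11; target =
   addr + 4 + signext(S:I1:I2:imm10:imm11:0), I1 = !(J1^S), I2 = !(J2^S). */
static stub_info decode_thumb(uint32_t addr, uint16_t hw1, uint16_t hw2) {
    stub_info r = { false, 0 };
    if ((hw1 & 0xF800u) != 0xF000u || (hw2 & 0x9000u) != 0x9000u) return r;
    uint32_t s = (hw1 >> 10) & 1, j1 = (hw2 >> 13) & 1, j2 = (hw2 >> 11) & 1;
    uint32_t imm = (s << 24) | ((uint32_t)!(j1 ^ s) << 23) | ((uint32_t)!(j2 ^ s) << 22)
                 | ((uint32_t)(hw1 & 0x3FFu) << 12) | ((uint32_t)(hw2 & 0x7FFu) << 1);
    if (s) imm |= 0xFE000000u;                       /* sign-extend from bit 24 */
    r.is_branch = true;
    r.target = addr + 4 + imm;
    return r;
}

/* addr: what dlsym() returned; code: the first four little-endian bytes there.
   An odd address means the Thumb bit is set, so the bytes are Thumb code. */
stub_info inspect_symbol(uint32_t addr, const uint8_t code[4]) {
    if (addr & 1u)
        return decode_thumb(addr & ~1u, (uint16_t)(code[0] | code[1] << 8),
                            (uint16_t)(code[2] | code[3] << 8));
    return decode_arm(addr, (uint32_t)code[0] | (uint32_t)code[1] << 8 |
                            (uint32_t)code[2] << 16 | (uint32_t)code[3] << 24);
}
int main(void) {
    /* Constructed: an ARM "b" stub at 0x1000 and a Thumb "b.w" stub at 0x1001. */
    const uint8_t arm_b[4] = {0x03, 0x00, 0x00, 0xEA}, bw[4] = {0x00, 0xF0, 0xFE, 0xBF};
    printf("ARM stub -> 0x%08x\n", inspect_symbol(0x1000, arm_b).target);
    printf("Thumb stub -> 0x%08x\n", inspect_symbol(0x1001, bw).target);
    return 0;
}
```

A real function prologue such as push {r4-r7, lr} decodes as "not a branch", which is where the hook belongs.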