hook_constructors

hook linker中的init和init_array

function hook_constructor() {
  if (Process.pointerSize == 4) {
    var linker = Process.findModuleByName("linker");
  } else {
    var linker = Process.findModuleByName("linker64");
  }

  var addr_call_function = null;
  var addr_g_ld_debug_verbosity = null;
  var addr_async_safe_format_log = null;
  var linker_log = null;
  console.log("linker:", linker.base);
  if (linker) {
    var symbols = linker.enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
      var name = symbols[i].name;
      // console.log(name)
      if (name.indexOf("call_function") >= 0) {
        addr_call_function = symbols[i].address;
      } else if (name.indexOf("g_ld_debug_verbosity") >= 0) {
        addr_g_ld_debug_verbosity = symbols[i].address;

        ptr(addr_g_ld_debug_verbosity).writeInt(2);
      } else if (
        name.indexOf("async_safe_format_log") >= 0 &&
        name.indexOf("va_list") >= 0
      ) {
        addr_async_safe_format_log = symbols[i].address;
        console.log("addr_async_safe_format_log", addr_async_safe_format_log);
      } else if (
        name.indexOf("linker") >= 0 &&
        name.indexOf("log") >= 0 &&
        name.indexOf("va_list") < 0 &&
        name.indexOf("cpp") < 0 &&
        name.indexOf("logger") < 0
      ) {
        console.log("name:", name);
        linker_log = symbols[i].address;
      }
    }
  }
  // if(addr_async_safe_format_log){
  //     Interceptor.attach(addr_async_safe_format_log,{
  //         onEnter: function(args){
  //             this.log_level  = args[0];
  //             this.tag = ptr(args[1]).readCString()
  //             this.fmt = ptr(args[2]).readCString()
  //             // console.log("this.fmt",this.fmt)
  //             if(this.fmt.indexOf("c-tor") >= 0 && this.fmt.indexOf('Done') < 0){
  //                 console.log("c-tor")
  //                 console.log(this.tag)
  //                 console.log(this.fmt)
  //                 console.log(ptr(args[3]))
  //                 this.function_type = ptr(args[4]).readCString(), // func_type
  //                 console.log(this.function_type)
  //                 // this.so_path = ptr(args[5]).readCString();
  //                 // console.log(this.so_path)
  //                 // var strs = new Array(); //定义一数组
  //                 // strs = this.so_path.split("/"); //字符分割
  //                 // this.so_name = strs.pop();
  //                 // this.func_offset  = ptr(args[4]).sub(Module.findBaseAddress(this.so_name))
  //                 //  console.log("func_type:", this.function_type,
  //                 //     '\nso_name:',this.so_name,
  //                 //     '\nso_path:',this.so_path,
  //                 //     '\nfunc_offset:',this.func_offset
  //                 //  );
  //             }
  //         },
  //         onLeave: function(retval){

  //         }
  //     })
  // }
  if (linker_log) {
    Interceptor.attach(linker_log, {
      onEnter: function (args) {
        this.log_level = args[0];
        this.fmt = ptr(args[1]).readCString();
        this.tag = ptr(args[2]).readCString();
        // console.log("this.tag",this.tag)
        if (
          this.fmt.indexOf("Calling") >= 0 &&
          this.fmt.indexOf("for") >= 0 &&
          this.tag.indexOf("DT_INIT_ARRAY") >= 0
        ) {
          // console.log("c-tor")
          console.log("this.tag", this.tag);
          console.log("this.fmt", this.fmt);
          console.log("this.path", ptr(args[5]).readCString());
          console.log("size:", args[3]);
          (this.array_addr = ptr(args[4])), // func_type
            console.log("array addr:", this.array_addr);
          // this.so_path = ptr(args[5]).readCString();
          // console.log(this.so_path)
          // var strs = new Array(); //定义一数组
          // strs = this.so_path.split("/"); //字符分割
          // this.so_name = strs.pop();
          // this.func_offset  = ptr(args[4]).sub(Module.findBaseAddress(this.so_name))
          //  console.log("func_type:", this.function_type,
          //     '\nso_name:',this.so_name,
          //     '\nso_path:',this.so_path,
          //     '\nfunc_offset:',this.func_offset
          //  );
          var libDexHelperaddr = Process.findModuleByName("libDexHelper.so");
          console.log("libDexHelperaddr:", libDexHelperaddr.base);
          this.pid = Process.getCurrentThreadId();
          Stalker.follow(this.pid, {
            events: {
              // 暂时不需要这些 events
              call: false,
              ret: false,
              exec: false,

              block: false,
              compile: false,
            },
            onReceive: function (events) {},

            transform: function (iterator) {
              var instruction = iterator.next();
              const startAddress = instruction.address;
            //   console.log("instruction:",instruction)
              // 从ida里面 找到 Java_com_baidu_searchbox_NativeBds_dae1 函数的 代码 在 0xE84 和 0x126C 之间
              var isModule =
                startAddress.compare(libDexHelperaddr.base) >= 0 &&
                startAddress.compare(libDexHelperaddr.base.add(0x102638)) < 0;
              do {
                if (isModule) {
                  console.log(
                    instruction.address.sub(libDexHelperaddr.base) + "\t:\t" + instruction
                    
                    // if(instruction.)
                  );
                }
                iterator.keep();
              } while ((instruction = iterator.next()) !== null);
            },

            onCallSummary: function (summary) {},
          });
        }
      },
      onLeave: function (retval) {},
    });
  }
}
function main() {
  hook_constructor();
}
setImmediate(main);
JAVASCRIPT