Hooking android.app.LoadedApk$makeApplication and android.app.ActivityThread$main crashes every time

Open • WindySha opened this issue 6 years ago • 1 comment

Devices: Meizu pro6s, Android 7.1.1; Samsung S8, Android 8.0

XposedHelpers.findAndHookMethod("android.app.LoadedApk", classLoader, "makeApplication",
        boolean.class, Instrumentation.class,
        new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Log.e("wind", "wind -- beforeHookedMethod LoadedApk makeApplication  ");
                super.beforeHookedMethod(param);
            }
        });

Hooking LoadedApk's makeApplication method in the Application's attachBaseContext causes a crash (hooking it in Application onCreate works without problems). Crash log:

 --------- beginning of crash
2019-02-21 14:47:48.499 30290-30290/com.storm.wind.explib A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 30290 (orm.wind.explib)
2019-02-21 14:47:48.500 982-982/? D/AEE_AED: $===AEE===AEE===AEE===$
2019-02-21 14:47:48.500 982-982/? D/AEE_AED: p 2 poll events 1 revents 1
2019-02-21 14:47:48.501 982-982/? D/AEE_AED: PPM cpu cores:10, online:6
2019-02-21 14:47:48.501 982-982/? D/AEE_AED: aed_main_fork_worker: generator 0xe8194e88, worker 0xffbcd564, recv_fd 0
2019-02-21 14:47:48.503 30305-30305/? I/AEE_AED: handle_request(0)
2019-02-21 14:47:48.503 30305-30305/? I/AEE_AED: check process 30290 name:orm.wind.explib
2019-02-21 14:47:48.503 30305-30305/? I/AEE_AED: tid 30290 abort msg address:0x00000000, si_code:1 (request from 30290:10252)
2019-02-21 14:47:48.503 30305-30305/? W/AEE_AED: debuggerd: handling request: pid=30290 uid=10252 gid=10252 tid=30290
2019-02-21 14:47:48.505 30305-30305/? I/AEE_AED: [preset_info] pid: 30290, tid: 30290, name: orm.wind.explib  >>> com.storm.wind.explib <<<
2019-02-21 14:47:48.505 30305-30305/? D/AEE_AED: ptrace_siblings
2019-02-21 14:47:48.506 352-352/? D/MALI: eglCreateImageKHR:513: [Crop] 0 0 0 0  img[1080 1920] 
2019-02-21 14:47:48.521 30305-30305/? D/AEE_AED: debuggerd: drop privileges
2019-02-21 14:47:48.521 1004-1397/? D/FlymeTrafficTracking: tag  (243) android Thread-8 uid 1000
2019-02-21 14:47:48.521 1004-1397/? D/FlymeTrafficTracking: set tracking tag android 8000ffff
2019-02-21 14:47:48.527 352-352/? D/BufferQueueProducer: [FrameBufferSurface_0](this:0x75716f6800,id:0,api:1,p:352,c:352) queueBuffer: fps=2.71 dur=16225.70 max=15470.13 min=15.45
2019-02-21 14:47:48.535 1373-1373/? D/SystemServicesProxy: getTopMostTask: tasks: 1329
2019-02-21 14:47:48.535 1632-1632/? W/recents.Component: create a new LoadPlan to load thumbnail -- background
2019-02-21 14:47:48.565 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:47:48.571 30305-30305/? I/AEE_AED: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED: Build fingerprint: 'Meizu/meizu_PRO6/PRO6:7.1.1/NMF26O/1531990520:user/release-keys'
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED: Revision: '0'
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED: ABI: 'arm'
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED: pid: 30290, tid: 30290, name: orm.wind.explib  >>> com.storm.wind.explib <<<
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED:     r0 00000000  r1 00000000  r2 2f39d396  r3 fffa4c10
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED:     r4 7080a880  r5 33333333  r6 742f8897  r7 00000000
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED:     r8 ed685400  r9 ed685400  sl 709415c0  fp 00000006
2019-02-21 14:47:48.572 30305-30305/? I/AEE_AED:     ip 12c03f20  sp fffa49d8  lr ed23ebcb  pc ed5113ca  cpsr 600e0030
2019-02-21 14:47:48.576 30305-30305/? I/AEE_AED: backtrace:
2019-02-21 14:47:48.576 30305-30305/? I/AEE_AED:     #00 pc 003843ca  /system/lib/libart.so (_ZN3art25GetCalleeSaveMethodCallerEPPNS_9ArtMethodENS_7Runtime14CalleeSaveTypeEb+181)
2019-02-21 14:47:48.576 30305-30305/? I/AEE_AED:     #01 pc 003f7f35  /system/lib/libart.so (artQuickResolutionTrampoline+528)
2019-02-21 14:47:48.576 30305-30305/? I/AEE_AED:     #02 pc 000aea13  /system/lib/libart.so (art_quick_resolution_trampoline+34)
2019-02-21 14:47:48.576 30305-30305/? I/AEE_AED:     #03 pc 742f8895  /data/dalvik-cache/arm/system@[email protected] (offset 0x2f6f000)
2019-02-21 14:47:48.580 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:47:48.581 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:47:48.582 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:47:48.583 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:47:48.583 1632-1632/? W/recents.Performance: preload while task Change spend : 49
2019-02-21 14:47:48.674 1004-1349/? D/PerfServiceManager: [PerfService] MESSAGE_TIMEOUT:107

XposedHelpers.findAndHookMethod("android.app.ActivityThread", classLoader, "main", String[].class,
        new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Log.e("wind", "wind -- beforeHookedMethod ActivityThread main object ");
                super.beforeHookedMethod(param);
            }
        });

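Hooking ActivityThread's main method, from any location, crashes every time. (Hooking ActivityThread's main method inside an app is actually pointless, because it will certainly never be called; I am only reporting this kind of problem here and have no real use case for it.) Crash log: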

2019-02-21 14:50:20.314 1632-1632/? I/recents.TaskLoadPlan: 		 load thumbnail from system
2019-02-21 14:50:20.314 1632-1632/? W/recents.Performance: preload while task Change spend : 54
2019-02-21 14:50:20.337 30746-30746/? I/AEE_AED: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-02-21 14:50:20.337 30746-30746/? I/AEE_AED: Build fingerprint: 'Meizu/meizu_PRO6/PRO6:7.1.1/NMF26O/1531990520:user/release-keys'
2019-02-21 14:50:20.337 30746-30746/? I/AEE_AED: Revision: '0'
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED: ABI: 'arm'
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED: pid: 30731, tid: 30731, name: orm.wind.explib  >>> com.storm.wind.explib <<<
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2f39d392
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED:     r0 2f39d382  r1 2f39d397  r2 73bfa029  r3 0000ffff
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED:     r4 2f39d396  r5 fffa5028  r6 fffa5068  r7 ed6ed140
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED:     r8 00000000  r9 ed23bb97  sl fffa29cc  fp 00000000
2019-02-21 14:50:20.338 30746-30746/? I/AEE_AED:     ip 00000021  sp fffa28f8  lr ed23ebef  pc ed23ec04  cpsr 00070030
2019-02-21 14:50:20.342 30746-30746/? I/AEE_AED: backtrace:
2019-02-21 14:50:20.342 30746-30746/? I/AEE_AED:     #00 pc 000b1c04  /system/lib/libart.so (_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj+111)
2019-02-21 14:50:20.343 30746-30746/? I/AEE_AED:     #01 pc 0032ac11  /system/lib/libart.so (_ZN3art12StackVisitor9WalkStackEb+120)
2019-02-21 14:50:20.343 30746-30746/? I/AEE_AED:     #02 pc 0032e991  /system/lib/libart.so (_ZNK3art6Thread24CreateInternalStackTraceILb0EEEP8_jobjectRKNS_33ScopedObjectAccessAlreadyRunnableE+56)
2019-02-21 14:50:20.343 30746-30746/? I/AEE_AED:     #03 pc 002b6821  /system/lib/libart.so (_ZN3artL32Throwable_nativeFillInStackTraceEP7_JNIEnvP7_jclass+28)

WindySha, Feb 21 '19 07:02
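A small triage helper for the two crash logs in the report above, added here as an example (it is not part of the original issue or of the project's code): it pulls the crashing pid, signal, fault address and backtrace frames out of the AEE_AED lines and reduces each mangled libart.so symbol to its qualified name, dropping argument types. The function names are hypothetical, and the sample lines are excerpted from the logs above with the logcat timestamp prefix trimmed.

```python
import re

# Excerpted from the two crash logs in the issue (timestamp/pid prefix trimmed).
SAMPLE = """\
I/AEE_AED: pid: 30290, tid: 30290, name: orm.wind.explib  >>> com.storm.wind.explib <<<
I/AEE_AED: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/AEE_AED:     #00 pc 003843ca  /system/lib/libart.so (_ZN3art25GetCalleeSaveMethodCallerEPPNS_9ArtMethodENS_7Runtime14CalleeSaveTypeEb+181)
I/AEE_AED:     #01 pc 003f7f35  /system/lib/libart.so (artQuickResolutionTrampoline+528)
I/recents.TaskLoadPlan: load thumbnail from system
I/AEE_AED: pid: 30731, tid: 30731, name: orm.wind.explib  >>> com.storm.wind.explib <<<
I/AEE_AED: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2f39d392
I/AEE_AED:     #00 pc 000b1c04  /system/lib/libart.so (_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj+111)
I/AEE_AED:     #03 pc 002b6821  /system/lib/libart.so (_ZN3artL32Throwable_nativeFillInStackTraceEP7_JNIEnvP7_jclass+28)
"""

PID = re.compile(r"AEE_AED: pid: (\d+), tid: \d+, name: \S+\s+>>> (\S+) <<<")
SIG = re.compile(r"AEE_AED: signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr (0x[0-9a-f]+)")
FRAME = re.compile(r"AEE_AED:\s+#(\d+) pc [0-9a-f]+\s+(\S+)(?: \((\S+?)\+\d+\))?")

def qualified_name(sym):
    """Demangle only the nested name of an Itanium symbol (_ZN...); other symbols pass through."""
    if not sym.startswith("_ZN"):
        return sym
    i, parts = 3, []
    while i < len(sym):
        if sym[i] in "KL":            # const qualifier / internal-linkage marker
            i += 1
            continue
        m = re.match(r"\d+", sym[i:])
        if not m:                     # 'E' or template args: end of the plain name
            break
        i += len(m.group())
        n = int(m.group())
        parts.append(sym[i:i + n])
        i += n
    return "::".join(parts)

def crashes(log):
    """Group AEE_AED tombstone lines into one record per crashing process; other lines are ignored."""
    out = []
    for line in log.splitlines():
        if m := PID.search(line):
            out.append({"pid": int(m[1]), "process": m[2], "frames": []})
        elif out and (m := SIG.search(line)):
            out[-1].update(signal=m[1], code=m[2], fault_addr=int(m[3], 16))
        elif out and (m := FRAME.search(line)):
            out[-1]["frames"].append((int(m[1]), m[2], qualified_name(m[3] or "?")))
    return out
```

Calling `crashes()` on a full logcat capture works the same way, since the patterns search within each line rather than anchoring at its start.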

Reproduced; expected to take 2 days.

asLody, Feb 22 '19 09:02