
Overriding got table

Open nitanmarcel opened this issue 1 year ago • 3 comments

Could the app also be edited to override GOT tables so we can intercept function calls? Obviously speaking about the ptrace injection, since LD_PRELOAD automatically does that.

I've tried doing it myself, but all of this overwhelms me, so I gave up after a few attempts.

nitanmarcel avatar Apr 23 '23 09:04 nitanmarcel

Well, if you are talking about patching memory, such as overwriting a function with a nop instruction to make it not execute, then yes, you can use ptrace_write for that. I don't recommend doing it with ptrace though. There is a system call called process_vm_writev; you should look into that for what you want to do.

reveny avatar Apr 26 '23 06:04 reveny
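The process_vm_writev suggestion above, as an added example that is not the project's or reveny's code: a small C wrapper around process_vm_writev(2), exercised on the calling process itself with constructed sample bytes (the helper names are hypothetical), plus the permission check that governs writes to any other pid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

/* Copy `len` bytes from `src` into address `remote_addr` of process `pid`
 * with process_vm_writev(2). Returns the byte count written, or -1 with
 * errno set. The kernel may stop early at an unmapped or read-only page,
 * so a short count is a partial patch and must be treated as a failure. */
ssize_t patch_remote(pid_t pid, uintptr_t remote_addr,
                     const void *src, size_t len)
{
    struct iovec local  = { .iov_base = (void *)src,         .iov_len = len };
    struct iovec remote = { .iov_base = (void *)remote_addr, .iov_len = len };
    return process_vm_writev(pid, &local, 1, &remote, 1, 0);
}

/* Exercise the call against a buffer in our own address space (constructed
 * sample data; pid == getpid()). Returns 0 when the patch landed, -errno
 * when the syscall failed (e.g. a seccomp or SELinux policy denying it),
 * and 1 when the count was short or the bytes do not match. */
int self_patch_test(void)
{
    char target[] = "ORIGINAL-BYTES!";   /* constructed target, 15 bytes */
    const char patch[] = "PATCHED!";     /* constructed patch, 8 bytes   */
    size_t n = sizeof patch - 1;

    ssize_t got = patch_remote(getpid(), (uintptr_t)target, patch, n);
    if (got < 0)
        return -errno;
    if ((size_t)got != n || memcmp(target, "PATCHED!-BYTES!", 15) != 0)
        return 1;
    return 0;
}

/* Writing into a *different* pid passes the same access check as a ptrace
 * attach (PTRACE_MODE_ATTACH): a different uid, Yama ptrace_scope, or the
 * SELinux policy on Android denies it with EPERM, and a pid that does not
 * exist gives ESRCH. Call this right after a failed patch_remote(). */
int is_access_denied(ssize_t rc)
{
    return rc == -1 && (errno == EPERM || errno == ESRCH);
}
```

On a stock Android device the write into another app's process is denied by SELinux unless the caller already has ptrace access to it, which is the same gate the repository's ptrace-based injector relies on.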

Found a way of doing what I need with funchook, so I can intercept function calls and edit their values, which works perfectly fine. Thanks for the suggestion anyway :)

Only issue I have is that I need to manually open the .so file and dlsym to load it into the program, but that works fine.

Leaving here the code for this if anyone is interested

#include <android/log.h>
#include <dlfcn.h>

#define LOG_TAG "funchook-loader"
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)

// funchook's handle is an opaque struct pointer; a void* stands in for it here,
// so every entry point below takes the handle by value, not as funchook_t*.
typedef void* funchook_t;
// int funchook_prepare(funchook_t *funchook, void **target_func, void *hook_func)
typedef int (*funchook_prepare_t)(funchook_t, void**, void*);
// int funchook_install(funchook_t *funchook, int flags)
typedef int (*funchook_install_t)(funchook_t, int);

funchook_t (*funchook_create)(void);
funchook_prepare_t funchook_prepare;
funchook_install_t funchook_install;

// Resolves the funchook entry points from a prebuilt libfunchook.so at runtime.
// On success the handle is intentionally never dlclose'd, so the resolved
// function pointers stay valid for the lifetime of the process.
int load_funchook() {
    void* handle = dlopen("/data/local/tmp/libfunchook.so", RTLD_LAZY);

    if (!handle) {
        LOGE("dlopen failed: %s", dlerror());
        return -1;
    }

    funchook_create = (funchook_t (*)(void)) dlsym(handle, "funchook_create");
    funchook_prepare = (funchook_prepare_t) dlsym(handle, "funchook_prepare");
    funchook_install = (funchook_install_t) dlsym(handle, "funchook_install");

    if (!funchook_create || !funchook_prepare || !funchook_install) {
        LOGE("dlsym failed: %s", dlerror());
        dlclose(handle);
        return -1;
    }
    return 0;
}

// Runs when the injected library is loaded; hooks themselves must be
// prepared and installed afterwards, once the library is fully constructed.
void __attribute__((constructor)) init()
{
    int fh = load_funchook();
    if (fh == -1)
        LOGE("Failed to load funchook");
    else
        LOGI("Loaded funchook");
}

nitanmarcel avatar Apr 26 '23 09:04 nitanmarcel

Another solution that I've found very useful, and which will support all the arches supported by this, is bytehook. Only issue is that, not being inline, it can only inject at the start of a function. Another library (this one supports inline hooks) is ShadowHook, but it only supports armeabi-v7a and arm64-v8a. But they both can now be used starting with the last commits, since the hooks need to be done after the library has been constructed (in a separate function, for example).

nitanmarcel avatar Apr 30 '23 12:04 nitanmarcel