强大的Fishhook

       
字数统计: 2k字   |   阅读时长: 9min

在iOS中,如果我们需要替换一个函数的实现,我们会想到通过Method Swizzle来实现,其实也就是通过runtime提供的API在运行时将函数的实现给替换了,正是因为Objective-C是动态语言,所以我们可以通过runtime做各种事情。。。但是如果是静态语言(C),我们是否也可以将函数hook住呢?

答案也是肯定的,Facebook提供了一个强大的库Fishhook,静态语言我们也仍然可以hook住接下来,我们就来分析下这个强大的库是如何实现的

先来看下官方的解释:

dyld 通过更新 Mach-O 二进制文件 __DATA 段中的指针来绑定 lazynon-lazy 的符号(在 Mach-O 中,相对应的就是 _nl_symbol_ptr(non-lazy符号表)和 _la_symbol_ptr(lazy符号表), 这两个指针表,保存了与符号表表对应的函数指针。
) ,fishhook 先确定某一个符号在 __DATA 段中的位置,然后保存原符号对应的函数指针,并使用新的函数指针覆盖原有符号的函数指针,实现重绑定。

##源码
fishhook.h文件中,只有很少的东西,两个函数接口和一个结构体

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

struct rebinding {
  const char *name;  
  void *replacement;  // 被替换的函数
  void **replaced;    // 替换函数
};

/*
 * For each rebinding in rebindings, rebinds references to external, indirect
 * symbols with the specified name to instead point at replacement for each
 * image in the calling process as well as for all future images that are loaded
 * by the process. If rebind_functions is called more than once, the symbols to
 * rebind are added to the existing list of rebindings, and if a given symbol
 * is rebound more than once, the later rebinding will take precedence.
 */

int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel);

/*
 * Rebinds as above, but only in the specified image. The header should point
 * to the mach-o header, the slide should be the slide offset. Others as above.
 */

int rebind_symbols_image(void *header,
                         intptr_t slide,
                         struct rebinding rebindings[],
                         size_t rebindings_nel);

rebind_symbols

先来看一下rebind_symbols函数

int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel);

这个方法便是我们用于实现hook的方法,我们来看下实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel) {
  int retval = prepend_rebindings(&_rebindings_head, rebindings, rebindings_nel);
  if (retval < 0) {
    return retval;
  }
  // If this was the first call, register callback for image additions (which is also invoked for
  // existing images, otherwise, just run on existing images
  if (!_rebindings_head->next) {
    _dyld_register_func_for_add_image(_rebind_symbols_for_image);
  } else {
    uint32_t c = _dyld_image_count();
    for (uint32_t i = 0; i < c; i++) {
      _rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
    }
  }
  return retval;
}

这个函数传递了一个rebinding结构体数组,以及数组的个数,在 rebind_symbols 函数中,首先调用了 prepend_rebindings 函数,传入了 _rebindings_headrebindings 数组,以及数组个数 . 如果retval小于0,则直接返回retval ,如果retval大于0,并且_rebindings_head->next 为空,则直接调用_dyld_register_func_for_add_image 注册回调函数_rebind_symbols_for_image , 如果_rebindings_head->next 不为空,则直接执行回调函数

dyld 加载镜像(image ,在 Mach-O 中,所有的可执行文件、dylib、Bundle 都是 image)时,会为增加的镜像注册回调函数并执行(包括已经存在的镜像)。传入镜像的mach_headerslide,同时也会为所有已加载的 image 执行回调。

prepend_rebindings

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
static int prepend_rebindings(struct rebindings_entry **rebindings_head,
                              struct rebinding rebindings[],
                              size_t nel) {
  struct rebindings_entry *new_entry = (struct rebindings_entry *) malloc(sizeof(struct rebindings_entry));
  if (!new_entry) {
    return -1;
  }
  new_entry->rebindings = (struct rebinding *) malloc(sizeof(struct rebinding) * nel);
  if (!new_entry->rebindings) {
    free(new_entry);
    return -1;
  }
  memcpy(new_entry->rebindings, rebindings, sizeof(struct rebinding) * nel);
  new_entry->rebindings_nel = nel;
  new_entry->next = *rebindings_head;
  *rebindings_head = new_entry;
  return 0;
}

1
2
3
4
5
6
7
struct rebindings_entry {
  struct rebinding *rebindings;
  size_t rebindings_nel;
  struct rebindings_entry *next;
};

static struct rebindings_entry *_rebindings_head;

首先定义一个 rebindings_entry 类型的 new_entry 结构体,并初始化,给 new_entry 以及 new_entry->rebindings 分配内存。 然后通过memcpy 函数拷贝传入的 rebindings数组 到 new_entry->rebindings 中 , 同时给 new_entry->rebindings_nel 赋值数组的个数,将 new_entry->next 赋值_rebindings_head 内的值 ,最后再使 _rebindings_headnew_entry 指向同一个地址 , 也就是将new_entry 添加到 _rebings_head 这个链表的头部

rebind _symbols _for _image

1
2
3
4
5
static void _rebind_symbols_for_image(const struct mach_header *header,
                                      intptr_t slide) {
    rebind_symbols_for_image(_rebindings_head, header, slide);
}

_rebind_symbols_for_image 函数中仅仅是调了rebind_symbols_for_image

rebind_symbols_for_image 才是核心函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
static void rebind_symbols_for_image(struct rebindings_entry *rebindings,
                                     const struct mach_header *header,
                                     intptr_t slide) {
  Dl_info info;
  if (dladdr(header, &info) == 0) {
    return;
  }

  segment_command_t *cur_seg_cmd;                 // segment_command_64
  segment_command_t *linkedit_segment = NULL;     //segment_command_64
  struct symtab_command* symtab_cmd = NULL;       // LC_SYMTAB
  struct dysymtab_command* dysymtab_cmd = NULL;   // LC_DYSYMTAB

  uintptr_t cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_LINKEDIT) == 0) {
  	    //遍历寻找__LINKEDIT
        linkedit_segment = cur_seg_cmd;
      }
    } else if (cur_seg_cmd->cmd == LC_SYMTAB) {
      //遍历寻找lc_symtab
      symtab_cmd = (struct symtab_command*)cur_seg_cmd;
    } else if (cur_seg_cmd->cmd == LC_DYSYMTAB) {
   	  //遍历寻找lc_dysymtab
      dysymtab_cmd = (struct dysymtab_command*)cur_seg_cmd;
    }
  }

  if (!symtab_cmd || !dysymtab_cmd || !linkedit_segment ||
      !dysymtab_cmd->nindirectsyms) {
    return;
  }

================================Import=======================================

  // Find base symbol/string table addresses
  uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
  nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);
  char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);

  // Get indirect symbol table (array of uint32_t indices into symbol table)
  uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);

=============================================================================

  cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_DATA) != 0 &&
          strcmp(cur_seg_cmd->segname, SEG_DATA_CONST) != 0) {
        continue;
      }
      for (uint j = 0; j < cur_seg_cmd->nsects; j++) {
        section_t *sect =
          (section_t *)(cur + sizeof(segment_command_t)) + j;
        if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
        // sect为Section,symtab为符号表,strtab字符串表,indirect_symtab动态符号表(indirect symbol table)
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
        if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
      }
    }
  }
}

这个函数主要是在寻找__LINKEDITLC_DYSYMTABLC_SYMTAB的信息, 并计算符号表的地址

__LINKEDIT段: 含有为动态链接库使用的原始数据,比如符号,字符串,重定位表条目等等

ASLRAddress space layout randomization,将可执行程序随机加载载到内存中,这里的随机只是偏移,而不是打乱,就是通过内核将Mach-O的段偏移某个随机(slide)系数. 也就是说程序的基址等于__LINKEDIT的地址减去偏移量,然后再加上ASLR造成的偏移

1
2
3
4
5
6
7
8
9
10
11
// 链接时程序的基址 = slider(ASLR偏移) + __LINKEDIT内存地址 - __LINKEDIT文件偏移
uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;

// 符号表的地址 = 基址 + 符号表偏移量
nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);

// 字符串表的地址 = 基址 + 字符串表偏移量
char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);

// 动态符号表地址 = 基址 + 动态符号表偏移量
uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);

之后然后再次遍loadcommands,查找整个镜像中的 SECTION_TYPES_LAZY_SYMBOL_POINTERS 或者 S_NON_LAZY_SYMBOL_POINTERSsection,并调用perform_rebinding_with_section __nl_symbol_ptr以及__la_symbol_ptr进行rebind

perform _rebinding _with _section

接下来还有一个很重要的函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
static void perform_rebinding_with_section(struct rebindings_entry *rebindings,
                                           section_t *section,
                                           intptr_t slide,
                                           nlist_t *symtab,
                                           char *strtab,
                                           uint32_t *indirect_symtab) {
                                           
    // `nl_symbol_ptr`和`la_symbol_ptr`section中的`reserved1`字段指明对应的`indirect symbol table`起始的index
    // 动态符号表中第一个解析的符号的起始地址
  uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1;
  void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr);
  for (uint i = 0; i < section->size / sizeof(void *); i++) {
    uint32_t symtab_index = indirect_symbol_indices[i];
    if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL ||
        symtab_index == (INDIRECT_SYMBOL_LOCAL   | INDIRECT_SYMBOL_ABS)) {
      continue;
    }
    uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx;
    char *symbol_name = strtab + strtab_offset;
    if (strnlen(symbol_name, 2) < 2) {
      continue;
    }
    struct rebindings_entry *cur = rebindings;
    while (cur) {
      for (uint j = 0; j < cur->rebindings_nel; j++) {
        if (strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
          if (cur->rebindings[j].replaced != NULL &&
              indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
            *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i];
          }
          indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
          goto symbol_loop;
        }
      }
      cur = cur->next;
    }
  symbol_loop:;
  }
}

  • 通过 indirect_symtab + section->reserved1 获取 indirect_symbol_indices,也就是符号表的数组

  • 通过 (void **)((uintptr_t)slide + section->addr) 获取函数指针列表 indirect_symbol_bindings

  • 遍历符号表数组 indirect_symbol_indices 中的所有符号表中,获取其中的符号表索引 symtab_index

  • 通过符号表索引 symtab_index 获取符号表中某一个 n_list 结构体,得到字符串表中的索引 symtab[symtab _index].n_un.n_strx

  • 最后在字符串表中获得符号的名字 char *symbol_name

最后就是将符号表中的 symbol_namerebinding 中的名字 name 进行比较,如果匹配,进行实现替换,达到函数替换的目的

总结

程序运行时,动态链接的 C 函数地址会记录在__DATA segmentla_symbol_ptr中;初始时,程序只知道函数的符号名而不知道函数的实现地址;首次调用时,程序通过__TEXT segment中的stub_helper取得绑定信息,通过dyld_stub_binder来更新la_symbol_ptr中的符号实现地址;这样,再次调用时,就可以通过la_symbol_ptr直接找到函数的实现;如果要实现函数的替换,只需要修改__la_symbol_ptr中的符号实现地址.

本文作者: Aeron_Xie
最后更新: 2023年03月25日 22:39:55
本文链接: http://aeronxie.github.io/post/fc046380.html
版权声明: 本作品采用 CC BY-NC-SA 4.0 许可协议进行许可,转载请注明出处!

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

    			  jsonContent:
				meta: false
				pages: false
				posts:
				  title: true
				  date: true
				  path: true
				  text: false
				  raw: false
				  content: false
				  slug: false
				  updated: false
				  comments: false
				  link: false
				  permalink: false
				  excerpt: false
				  categories: false
				  tags: true


喜欢各种新鲜事物,会 Android \ Swift \ Python \ Java \ C \ Javascript \ Objective-C 单词的拼写~~~~