第一种方法编译Android源码
编译Android源码，修改libart中的RegisterNativeMethods（art/runtime/jni_internal.cc），在动态注册时打印每个native方法（例如doCommandNative）的函数地址
修改如下（注意：新增的LOG语句位于name/sig/fnPtr的nullptr检查之前，对空的`const char*`做流输出并不安全；更稳妥的做法是把这行LOG放到`fnPtr == nullptr`检查之后，或在输出前先判空）
static jint RegisterNativeMethods(JNIEnv* env, jclass java_class, const JNINativeMethod* methods,
jint method_count, bool return_errors) {
if (UNLIKELY(method_count < 0)) {
JavaVmExtFromEnv(env)->JniAbortF("RegisterNatives", "negative method count: %d",
method_count);
return JNI_ERR; // Not reached except in unit tests.
}
CHECK_NON_NULL_ARGUMENT_FN_NAME("RegisterNatives", java_class, JNI_ERR);
ScopedObjectAccess soa(env);
mirror::Class* c = soa.Decode(java_class);
if (UNLIKELY(method_count == 0)) {
LOG(WARNING) << "JNI RegisterNativeMethods: attempt to register 0 native methods for "
<< PrettyDescriptor(c);
return JNI_OK;
}
CHECK_NON_NULL_ARGUMENT_FN_NAME("RegisterNatives", methods, JNI_ERR);
for (jint i = 0; i < method_count; ++i) {
const char* name = methods[i].name;
const char* sig = methods[i].signature;
const void* fnPtr = methods[i].fnPtr;
+ LOG(WARNING) << "JNI RegisterNativeMethods name:" << name << " sig:" << sig << " fnPtr:" << fnPtr;
if (UNLIKELY(name == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "method name", i, return_errors);
return JNI_ERR;
} else if (UNLIKELY(sig == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "method signature", i, return_errors);
return JNI_ERR;
} else if (UNLIKELY(fnPtr == nullptr)) {
ReportInvalidJNINativeMethod(soa, c, "native function", i, return_errors);
return JNI_ERR;
}
bool is_fast = false;
对应的源码地址
http://androidxref.com/6.0.1_r10/xref/art/runtime/jni_internal.cc#2080
第二种方法使用frida hook libart.so
https://github.com/lasting-yang/frida_hook_libart
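// Hook ART's RegisterNativeMethods and log every JNINativeMethod it is handed,
// so the address of a dynamically registered native (e.g. doCommandNative)
// can be read off without rebuilding libart.
// `addrRegisterNativeMethods` must be resolved by the caller (e.g. from the
// symbol table of libart.so) before this script runs.
// Argument layout follows the C++ signature shown above:
//   args[0] JNIEnv*, args[1] jclass, args[2] const JNINativeMethod*,
//   args[3] jint method_count, args[4] bool return_errors.
Interceptor.attach(addrRegisterNativeMethods, {
    onEnter: function (args) {
        console.log("[RegisterNativeMethods] method_count:", args[3]);
        var methods_ptr = ptr(args[2]);
        // jint is 32-bit: take the low word of the register rather than
        // parsing its full hex string, since on a 64-bit ABI the upper half
        // is not guaranteed to be meaningful for a 32-bit argument.
        var method_count = args[3].toInt32();
        // JNINativeMethod is three pointers {name, signature, fnPtr}, so the
        // entry size and field offsets scale with the process pointer size.
        // The previous hard-coded 12/4/8 constants only matched 32-bit
        // targets and mis-parsed the table on arm64.
        var ps = Process.pointerSize;
        var stride = 3 * ps;
        for (var i = 0; i < method_count; i++) {
            var entry = methods_ptr.add(i * stride);
            var name_ptr = Memory.readPointer(entry);
            var sig_ptr = Memory.readPointer(entry.add(ps));
            var fnPtr_ptr = Memory.readPointer(entry.add(2 * ps));
            // ART rejects null name/signature only after entry (see the
            // listing above), so guard before dereferencing them here.
            var name = name_ptr.isNull() ? null : Memory.readCString(name_ptr);
            var sig = sig_ptr.isNull() ? null : Memory.readCString(sig_ptr);
            console.log("[RegisterNativeMethods] name:", name, "sig", sig, "fnPtr", fnPtr_ptr);
        }
    },
    onLeave: function (retval) {}
});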