如果你想要追踪 init_proc、init_array 这些 SO 初始化函数的执行情况，那么就需要使用模块监听器，在模块加载的第一时间开始 trace。
// Register the listener before vm.loadLibrary(): a listener added after the load never fires
// for this module, so nothing would be traced.
memory.addModuleListener(new ModuleListener() {
    @Override
    public void onLoaded(Emulator<?> emulator, Module module) {
        if (!module.name.contains("signer")) {
            return;
        }
        // Trace the module's whole mapped range from the moment it is loaded, so code run by
        // its init functions is captured as well.
        emulator.traceCode(module.base, module.base + module.size);
    }
});
DalvikModule dm = vm.loadLibrary("signer", true); // load the .so
监听 JNI_OnLoad
如果你觉得目标函数可能依赖 JNI_OnLoad 得到的某些数据，那么可以把 traceCode 提到调用 JNI_OnLoad 之前。
// Arm the trace first, so whatever JNI_OnLoad sets up is visible in the trace.
emulator.traceCode(module.base, module.base + module.size);
// Run the target library's JNI_OnLoad.
dm.callJNI_OnLoad(emulator);
package com.xxx;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.ModuleListener;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
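/**
 * unidbg harness that loads the target native library and writes an instruction trace of it.
 *
 * <p>The trace is armed from a {@link ModuleListener}, i.e. while {@code vm.loadLibrary} is
 * still running, so code executed during module initialization is captured too. The harness
 * also registers itself as an {@link IOResolver} so every path the library opens is printed,
 * which shows what the library touches on disk during the run.
 *
 * <p>Fixes over the previous version: the trace {@link PrintStream} is kept in the
 * {@code traceStream} field (which was declared but never assigned) and released together
 * with the emulator in {@link #close()}; a failure to open the trace file is no longer
 * printed and ignored, because an untraced run is useless for this harness.
 */
public class AAA extends AbstractJni implements IOResolver {

    /** Library name passed to loadLibrary, and the substring that selects the module to trace. */
    private static final String LIB_NAME = "xxx";
    /** APK handed to the Dalvik VM, relative to the working directory. */
    private static final String APK_PATH = "unidbg-android/src/test/resources/xxx";
    /** File the instruction trace is redirected to; overwritten on every run. */
    private static final String TRACE_FILE = "trace111111.txt";

    /**
     * Prints every file the emulated code tries to open.
     *
     * <p>Returns {@code null}, which presumably leaves the open to unidbg's default handling —
     * confirm against the IOResolver contract before relying on it.
     *
     * @param emulator the emulator issuing the open
     * @param pathname path requested by the emulated code
     * @param oflags   open flags as passed by the emulated code
     * @return always {@code null}
     */
    @Override
    public FileResult resolve(Emulator emulator, String pathname, int oflags) {
        System.out.println("file open:" + pathname);
        return null;
    }

    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;
    // Opened by the module listener once the target library is loaded; closed in close().
    private PrintStream traceStream;

    /**
     * Builds the emulator, arms the trace, loads the library and runs its JNI_OnLoad.
     *
     * @throws UncheckedIOException if the trace file cannot be opened
     */
    private AAA() {
        emulator = AndroidEmulatorBuilder
                .for32Bit()
                .setProcessName("xxx")
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);

        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        memory.setCallInitFunction(true);
        // Must be registered before loadLibrary(): the listener fires while the module is being
        // loaded, and a listener added afterwards never sees this module, so nothing is traced.
        memory.addModuleListener(new ModuleListener() {
            @Override
            public void onLoaded(Emulator<?> emulator, Module module) {
                if (!module.name.contains(LIB_NAME)) {
                    return;
                }
                try {
                    // Autoflush, so a run that dies mid-way still leaves a readable trace.
                    traceStream = new PrintStream(new FileOutputStream(TRACE_FILE), true,
                            StandardCharsets.UTF_8.name());
                } catch (IOException e) {
                    // Without the trace file the harness has no purpose: fail loudly rather
                    // than run untraced.
                    throw new UncheckedIOException("cannot open trace file " + TRACE_FILE, e);
                }
                emulator.traceCode(module.base, module.base + module.size).setRedirect(traceStream);
            }
        });

        vm = emulator.createDalvikVM(new File(APK_PATH));
        vm.setJni(this);
        vm.setVerbose(true);
        emulator.getSyscallHandler().addIOResolver(this); // log every file open (see resolve)

        DalvikModule dm = vm.loadLibrary(LIB_NAME, true);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator); // run the target library's JNI_OnLoad
    }

    /**
     * Releases the emulator and then the trace file.
     *
     * @throws IOException if the emulator fails to close; the trace stream is closed regardless
     */
    private void close() throws IOException {
        try {
            emulator.close();
        } finally {
            if (traceStream != null) {
                traceStream.close();
            }
        }
    }

    /**
     * Runs one traced load of the library and releases all resources afterwards.
     *
     * @param args unused
     * @throws IOException if the emulator fails to close
     */
    public static void main(String[] args) throws IOException {
        AAA harness = new AAA();
        harness.close();
    }
}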
参考 https://t.zsxq.com/0fyWyFzZH