The virtualhook_mono_so from cjyanyi

virtualhook_mono_so's Introduction

VirtualHook

Introduction

VirtualHook is a tool for hooking application without root permission. It is based on two projects:

VirtualApp. It's a plugin framework which allows running applications in its virtual space.
YAHFA. It's a hook framework for ART which allows hooking Java method of the application.

Currently VirtualHook supports:

Android 5.0(API 21)
Android 5.1(API 22)
Android 6.0(API 23)
EXPERIMENTAL Android 7.0(API 24)
EXPERIMENTAL Android 7.1(API 25)

Build

Import and build the project in Android Studio(with Instant Run disabled). There are four modules:

app. This is the VirtualApp application module.
lib. This is the VirtualApp library module.
YAHFA. This is the YAHFA hook module.
demoHookPlugin. This is a demo hook plugin which compiles to an APK.

Hooking Native Methods

VirtualApp comes with native method hooking ability in the first place, which is done with the following function:

namespace Cydia{
    void MSHookFunction(void *symbol, void *replace, void **result);
}

To utilize that, you can use dlsym() to find the symbol and then hook your targets. Here's a demo which hooks __system_property_get.

virtualhook_mono_so's People

Contributors

Stargazers

Watchers

virtualhook_mono_so's Issues

调起Unity App后，无法Hook Unity里的mono.so

调起Unity App后，我通过jni hook mono里方法，可是并没有被执行到

static int* (*old_mono_image_open_from_data_with_name) (char *data, unsigned int data_len, int need_copy, int *status, int refonly, const char *filename);

static int* new_mono_image_open_from_data_with_name(char *data, unsigned int data_len, int need_copy, int *status, int refonly, const char *filename) {
    /*for(int i=0; i<propLen; i++) {
        Prop *prop = &props[i];
        if(!strcmp(prop->key, name)) {
            size_t valueLen = strlen(prop->value);
            // Hope there'd be no overflow here!
            strcpy(value, prop->value);
            return valueLen;
        }
    }*/
    LOGI("hook mono_image_open_from_data_with_name");
    return old_mono_image_open_from_data_with_name(data, data_len, need_copy, status, refonly, filename);
}

void hookMonoImageOpenFromDataWithName(MSHookType hookFunc) {
    void *target = findSymbol("libmono.so", "mono_image_open_from_data_with_name");
    hookFunc(target, (void *)&new_mono_image_open_from_data_with_name, (void **)&old_mono_image_open_from_data_with_name);
}

我hook自定义的so和系统的so都是成功的

然后我尝试动态调用mono.so里的_mono_get_root_domain_方法

    mono_get_root_domain_func getRootDomainFunc = findSymbol("libmono.so", "mono_get_root_domain");
    LOGI("mono_get_root_domain_func %s", func);
    MonoDomain *domain = getRootDomainFunc();
    if (!domain)
    {
        LOGI("loadDll err get root domain");
        return;
    }

发现_domain_为空，会不会有可能两个mono.so加载到不同的内存去了呢？

Recommend Projects