-
-
[原创]如何在toolchain4编译环境上使用Substrate框架,产生针对某个应用程序的hook动态库
-
发表于:
2013-12-29 14:51
10300
-
[原创]如何在toolchain4编译环境上使用Substrate框架,产生针对某个应用程序的hook动态库
头文件:
将iOS中的
/Library/Frameworks/CydiaSubstrate.framework/Headers/CydiaSubstrate.h
复制到编译环境目录
toolchain4/sys/usr/include
库文件:
将iOS中的
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
复制到编译环境目录
toolchain4/sys/usr/lib目录下改名为libsubstrate.dylib
因为在iOS系统中
/usr/lib/libsubstrate.dylib是一个符号连接指向/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
写个测试程序:
/*
testsubstrate.c
used to log which files is opened by fopen in target process.
arm-apple-darwin9-gcc testsubstrate.c -dynamiclib -o testlib.dylib -lsubstrate -init _substrateInit
*/
#include <stdio.h>
#include <stdlib.h>
#include “CydiaSubstrate.h”
#define BUFSIZE 256
FILE *(*org_fopen)(const char *path, const char *mode);
FILE *hLog = NULL;
bool log_open(void)
{
if(hLog == NULL){
char pathBuffer[BUFSIZE];
snprintf(pathBuffer, sizeof(pathBuffer), “%s/Library/hooks-%li.log”, getenv(“HOME”), time(NULL));
hLog = fopen(pathBuffer, “wb+”);
}
return hLog != NULL;
}
void log_progress(const char *msg, …)
{
va_list varargs;
va_start(varargs, msg);
if(log_open()){
char msgbuf[0x1000];
vsnprintf(msgbuf, sizeof(msgbuf), msg, varargs);
fprintf(hLog, “%s”, msgbuf);
fflush(hLog);
fsync(fileno(hLog));
}
va_end(varargs);
}
FILE *my_fopen(const char *path, const char *mode)
{
FILE *fp;
log_progress(“fopen(%s, %s)”, path, mode);
fp = org_fopen(path, mode);
log_progress(“=%d\n”, fp);
return fp;
}
int substrateInit(void)
{
log_progress(“substrateInit\n”);
MSHookFunction(fopen, my_fopen, (void **)&org_fopen);
return 0;
}
编译命令:
arm-apple-darwin9-gcc testsubstrate.c -dynamiclib -o testlib.dylib -lsubstrate -init _substrateInit
这样就生成了动态库文件:testlib.dylib
按照substrate框架,为了对某个应用程序进行过滤,需要写个同名的plist文件:testlib.plist
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “59aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4H3M7r3I4W2i4K6u0W2j5$3!0E0i4K6u0r3c8q4c8p5M7#2)9J5c8W2m8J5L8%4m8W2M7Y4c8&6e0r3W2K6N6q4)9J5k6o6q4Q4x3X3f1H3i4K6u0W2k6s2c8V1i4@1f1J5i4K6R3H3i4K6W2p5i4K6t1$3k6%4c8Q4x3@1t1`.
<plist version=”1.0″>
<dict>
<key>Filter</key>
<dict>
<key>Bundles</key>
<array>
<string>com.luckoo.tdbeta</string>
</array>
</dict>
</dict>
</plist>
然后将这两个文件复制到iOS设备的/Library/MobileSubstrate/DynamicLibraries目录下
重启目标程序:com.luckoo.tdbeta
然后在/private/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/Library目录下看到文件:hooks-1388226641.log
(因为sandbox机制,只能将log文件放在应用程序的目录下,尝试过写别的目录,程序会直接退出)
内容如下:
substrateInit
fopen(/private/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/mscorlib.dll, rb)=19687164
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/mono/gac/policy.2.0.mscorlib/0.0.0.0__7cec85d7bea7798e/policy.2.0.mscorlib.dll, rb)=0
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/mainData, rb)=19687164
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/mainData, rb)=19687164
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/Library/Caches/com.luckoo.tdbeta/com.apple.opengl/shaders.maps, r+)=19810092
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/Library/Caches/com.luckoo.tdbeta/com.apple.opengl/shaders.data, r+)=19810956
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/UnityEngine.dll, rb)=19243932
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/Assembly-CSharp-firstpass.dll, rb)=19243932
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/Assembly-CSharp.dll, rb)=19243932
fopen(/var/mobile/Applications/39809BB6-96CE-4DE5-8701-44B3AB7738D2/tdbeta.app/Data/Managed/mono/gac/policy.2.0.System/0.0.0.0__7cec85d7bea7798e/policy.2.0.System.dll, rb)=0
…
substrate项目的源码位于:
944K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3N6A6N6s2N6W2j5W2)9J5k6i4y4S2N6i4u0A6K9#2)9J5k6h3y4G2L8g2)9J5c8Y4y4#2j5Y4y4@1M7X3q4@1k6g2)9J5k6h3N6A6N6l9`.`.
git clone git://git.saurik.com/substrate.git
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
