frida -U -f 进程名 --no-pause -l hook脚本时报“Process crashed: Illegal instruction”-看雪学苑-看雪-安全培训|安全招聘|www.kanxue.com

frida -U -f 进程名 --no-pause -l hook脚本时报“Process crashed: Illegal instruction”

cowkx 2021-6-30 3929

我在用frida -U -f 进程名 --no-pause -l hook脚本命令启动程序并hook时frida报"Process crashed: Illegal instruction"。后面我发现要hook的应用对libart.so中的一些函数进行了inline hook，不知道与这个是否有关。而我需要hook的位置会在程序启动过程中触发，启动完了就过了时机了。路过的大神能忙指点指点吗，小女在此先谢过了
具体报错如下：
Spawned 进程名略. Use %resume to let the main thread start executing!
[Pixel::进程名略]-> %resume
[Pixel::进程名略]-> Process crashed: Illegal instruction

Build fingerprint: 'google/sailfish/sailfish:9/PQ3A.190705.001/5565753:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 20084, tid: 20084, name: re-initialized> >>> <pre-initialized> <<<
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xea7ea000
r0 7194f354 r1 12c459c0 r2 12e87010 r3 713d5870
r4 acc2f3ff r5 12e87010 r6 12c459c0 r7 12c45b08
r8 00000000 r9 e70c7000 r10 12e87058 r11 00000001
ip 7131d358 sp ffdd8110 lr 73510b1f pc ea7ea000

backtrace:

#00 pc 00000000  <anonymous:ea7ea000>
#01 pc 00756b1d  /system/framework/arm/boot-framework.oat (offset 0x3ab000) (android.app.ActivityThread$H.handleMessage+6140)
#02 pc 0090e701  /system/framework/arm/boot-framework.oat (offset 0x765000) (android.os.Handler.dispatchMessage+136)
#03 pc 00910dfb  /system/framework/arm/boot-framework.oat (offset 0x765000) (android.os.Looper.loop+1162)
#04 pc 0075fdf3  /system/framework/arm/boot-framework.oat (offset 0x3ab000) (android.app.ActivityThread.main+674)
#05 pc 0040d575  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_stub_internal+68)
#06 pc 003e6c93  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_static_stub+222)
#07 pc 000a1027  /system/lib/libart.so (offset 0x95000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+154)
#08 pc 00347ac5  /system/lib/libart.so (offset 0x305000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
#09 pc 00348f15  /system/lib/libart.so (offset 0x305000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned int)+1024)
#10 pc 002fb0c5  /system/lib/libart.so (offset 0x2b0000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+40)
#11 pc 0011226f  /system/framework/arm/boot.oat (offset 0x10c000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+110)
#12 pc 00a0aa33  /system/framework/arm/boot-framework.oat (offset 0x765000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+114)
#13 pc 00a1091d  /system/framework/arm/boot-framework.oat (offset 0x765000) (com.android.internal.os.ZygoteInit.main+2836)
#14 pc 0040d575  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_stub_internal+68)
#15 pc 003e6c93  /system/lib/libart.so (offset 0x344000) (art_quick_invoke_static_stub+222)
#16 pc 000a1027  /system/lib/libart.so (offset 0x95000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+154)
#17 pc 00347ac5  /system/lib/libart.so (offset 0x305000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
#18 pc 003478ef  /system/lib/libart.so (offset 0x305000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+310)
#19 pc 0028eb11  /system/lib/libart.so (offset 0x1d6000) (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+444)
#20 pc 0006cb4b  /system/lib/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+30)
#21 pc 0006eda3  /system/lib/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+458)
#22 pc 00001989  /system/bin/app_process32 (main+728)
#23 pc 0008ae3d  /system/lib/libc.so (offset 0x66000) (__libc_init+48)
#24 pc 0000166f  /system/bin/app_process32 (_start_main+38)
#25 pc 00000306  <anonymous:eac9b000>

[Pixel::进程名略]->

2条回答

mb_izaswxak 2021-6-30

个人观点：你先把你自己的关于native HOOK的代码先去，然后运行看看，如果不崩说明是你代码的问题，如果崩了就有可能是反frida

cowkx: 已经能确定不是自身Hook代码问题，想知道具体anti hook是什么，怎么去掉

回复 2021-7-1

cowkx 2021-7-1 2021-7-1编辑

我dump出libart.so，用比较工具查看发现以下函数开头被修改了，高手能看出它什么目的吗？
EXPORT _ZN3art11ClassLinkerC2EPNS_11InternTableE
EXPORT _ZN3art11ClassLinker22FixupStaticTrampolinesENS_6ObjPtrINS_6mirror5ClassEEE
EXPORT _ZN3art2gc4Heap13PreZygoteForkEv
WEAK _ZN3art9hiddenapi6detail19GetMemberActionImplINS_8ArtFieldEEENS0_6ActionEPT_NS_20HiddenApiAccessFlags7ApiListES4_NS0_12AccessMethodE
WEAK _ZN3art9hiddenapi6detail19GetMemberActionImplINS_9ArtMethodEEENS0_6ActionEPT_NS_20HiddenApiAccessFlags7ApiListES4_NS0_12AccessMethodE
EXPORT _ZN3art6mirror5Class15IsInSamePackageENS_6ObjPtrIS1_EE
EXPORT _ZN3art14OatFileManager24SetOnlyUseSystemOatFilesEv
EXPORT _ZN3art7Runtime4InitEONS_18RuntimeArgumentMapE

cowkx: 我把应用对libart.so libandroid_runtime.so所做的inline hook都做了还原，已经可以"frida -U -f 进程名 --no-pause -l 脚本"了，但是依然没有解决最终问题。hook一个java方法，它明明在另一个方法的调用栈中，但是hook确没有反应，不知为何。ida动态调试时会在调试得到不同地方时，程序报无反应，让选择关闭还是等待，这是哪类反调试呢，怎么确定反调是代码的位置呢？(很多so, 有3个进程)

回复 2021-7-1