Skip to content

yuzehome/HookZz

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

此分支为重构分支仅支持 [Android|iOS]|[ARM64] | 转到分支MASTER(need update)

What is HookZz ?

a hook framework for arm/arm64/ios/android

ref to: frida-gum and minhook and substrate.

special thanks to frida-gum perfect code and modular architecture, frida is aircraft carrier, HookZz is boat, but still with some tricks

Features

  • Static Binary Instrumentation for Mach-O [doing]

  • GOT hook with pre_call & post_call

  • replace function with replace_call

  • wrap function with pre_call and post_call

  • dynamic binary instrumentation with dbi_call

  • the power to hook short function

  • the power to access registers directly(ex: rs->general.regs.x15)

  • runtime code patch

  • it's cute, 100kb

Compile

git clone --depth 1 [email protected]:jmpews/HookZz.git --branch master-c

build for iOS/ARM64

mkdir build
cd build
cmake .. \
-DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake \
-DIOS_PLATFORM=OS \
-DIOS_ARCH=arm64 \
-DENABLE_ARC=FALSE \
-DENABLE_BITCODE=OFF \
-DCXX=OFF \
-DX_ARCH=arm64 \
-DX_PLATFORM=iOS \
-DX_SHARED=ON \
-DX_LOG=ON \
-DCMAKE_VERBOSE_MAKEFILE=OFF
make

if you want generate Xcode Project, just replace with cmake -G Xcode .

build for Android/ARM64

mkdir build
cd build
export ANDROID_NDK=/Users/jmpews/Library/Android/sdk/ndk-bundle
cmake .. \
-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
-DANDROID_NDK=$ANDROID_NDK \
-DCMAKE_BUILD_TYPE=Release \
-DANDROID_ABI=arm64-v8a \
-DCXX=OFF \
-DX_ARCH=arm64 \
-DX_PLATFORM=Android \
-DX_SHARED=ON \
-DX_LOG=ON \
-DCMAKE_VERBOSE_MAKEFILE=OFF

Demo

Android/ARMv8

https://github.com/jmpews/HookZzAndroidDemo

Usage

0. near jump

this trick is used to hook short function. it will use b xxx replace

ldr x17, #8
br x17
.long 0x1111
.long 0x1111

if you want enable near jump, just add zz_enable_near_jump(); before hook funciton, and stop with zz_disable_near_jump();

1. replace hook function

RetStatus ZzReplace(void *function_address, void *replace_call, void **origin_call);

size_t (*origin_fread)(void * ptr, size_t size, size_t nitems, FILE * stream);
size_t (fake_fread)(void * ptr, size_t size, size_t nitems, FILE * stream) {
    printf("[FileMonitor|fread|model|%p] >>> %ld, %ld\n", ptr, size, nitems);
    return origin_fread(ptr, size, nitems, stream);
}

void hook_fread() { ZzReplace((void *)fread, (void *)fake_fread, (void **)&origin_fread); }

2. wrap hook function

RetStatus ZzWrap(void *function_address, PRECALL pre_call, POSTCALL post_call);

void open_pre_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info) {
    char *path = (char *)rs->ZREG(0);
    int oflag  = (int)rs->ZREG(1);

    if (pathFilter(path))
        return;
    
    switch (oflag) {
    case O_RDONLY:
        printf("[FileMonitor|open|R] >>> %s\n", path);
        break;
    case O_WRONLY:
        printf("[FileMonitor|open|W] >>> %s\n", path);
        break;
    case O_RDWR:
        printf("[FileMonitor|open|RW] >>> %s\n", path);
        break;
    default:
        printf("[FileMonitor|open|-] >>> %s\n", path);
        break;
    }
}

void open_post_call(RegState *rs, ThreadStackPublic *tsp, CallStackPublic *csp, const HookEntryInfo *info) {
}

void hook_open() { ZzWrap((void *)open, open_pre_call, open_post_call); }

3. dynamic binary instrumentation

RetStatus ZzDynamicBinaryInstrumentation(void *inst_address, DBICALL dbi_call);

void catchDecrypt(RegState *rs, const HookEntryInfo *info) {
  printf("descrypt catch by HookZz\n");
}

__attribute__((constructor)) void initlializeTemplate() {
    struct mach_header *mainHeader = (struct mach_header *)_dyld_get_image_header(0);
    int slide                      = _dyld_get_image_vmaddr_slide(0);
    uintptr_t targetVmAddr         = 0x1001152BC;
    uintptr_t finalAddr            = targetVmAddr + slide - 0x0000000000002170;
    
    printf(">>> ASLR: 0x%x\n", slide);
    printf(">>> decrypt address: %p\n", (void *)finalAddr);
    ZzDynamicBinaryInstrumentation((void *)finalAddr, catchDecrypt);
}

Contact me

recommend_email: [email protected]
QQ: 858982985

qrcode

About

a hook framework for arm/arm64/ios/android

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C++ 57.3%
  • C 38.7%
  • CMake 2.6%
  • Other 1.4%