There are a lot of online materials that explain fishhook principles, either in general, in general, in general, or simply too much code. This article goes deep into the bottom compilation, from the shallow to the deep, through a main context to analyze fishhook, play fishhook!
What is a fishhook? good
Hook profile
Fishhook is facebook’s open source third-party framework. Hook, hook, hook, hook, hook, hook, hook, hook, hook, hook In the computer, it is possible to hook a program (called a hook program) or a function to extend the function or change the process of the program. For example, it is often used to do “retrograde development” in iOS development.
Hook Usage Scenarios
Buried point
Intercept user interface such as gesture interaction or access to a specified page, and conduct user behavior statistical analysis.
Application of reinforcement
Prevent hackers from using Hook technology to break/break your application, to harden the application, such as pTrace debugging protection, hide protection, injection countermeasures.
Application isolation
In a nutshell, it is to isolate applications in the security area, such as mobile office applications, which can hook intercept network, screen capture, clipboard and other interfaces to prevent data leakage.
Hook technology
method swizzle
OC’s runtime feature is used to dynamically modify the ID /selector parameter in the objc_msgSend function to change the corresponding relationship between the ID and the selector, so as to exchange the method corresponding to the ID, so as to realize hook. This is why OC is a dynamic language. For example, often use:
fishhook
As we all know, C language is a static language, and static language variables, functions and their parameters are determined after the compilation, and cannot be modified. However, fishhook can dynamically modify C functions while the program is running. For example, wechat memory monitoring uses Fishhook to hook malloc/free function to monitor heap memory allocation.
Cydia
.
We will not elaborate here, but focus on fishhook;
How to use fishhook in actual combat?
Fishhok can hook C functions, so we need to use NSLog in the Foundation. Framework to test how to use this function.
Static void (*sys_nslog)(NSString *format,...) ; Void hook_nslog(NSString *format,...) {format = [format stringByAppendingString:@"❤️ (⚫︎ー⚫) balalala~"]; sys_nslog(format); } - (void)viewDidLoad { [super viewDidLoad]; // * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Tap the screen to output logs. //2. Fishhook NSLog to change the log content! // Struct rebinding nslog_reb; nslog_reb.name = "NSLog"; nslog_reb.replacement = hook_nslog; nslog_reb.replaced = (void *)&sys_nslog; Struct rebinding rebs[] = {nslog_reb}; // Pass the struct array address and the number of its member variables rebind_symbols(rebs, 1); } // touch the view - (void)touches the view :(NSSet< touches *> *)touches the view :(UIEvent *) {touch the view (@click!! ); }Copy the codeThe output is as follows:
** Can you hook all C functions with fishhook? ** Can you hook all C functions with fishhook? ** ** ** ** ** ** ** *
Static void func(void) {printf("%s \n", __func__); } static void hook_func(void) {printf("%s \n", __func__); } - (void)viewDidLoad { [super viewDidLoad]; // * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Tap the screen to output logs. //2. Fishhook NSLog to change the log content! //3. Hook custom function func to see if the function name is sent to change!! func(); //hook NSLog struct rebinding nslog_reb; nslog_reb.name = "NSLog"; nslog_reb.replacement = hook_nslog; nslog_reb.replaced = (void *)&sys_nslog; //hook func struct rebinding func_reb; func_reb.name = "func"; func_reb.replacement = hook_func; func_reb.replaced = nil; struct rebinding rebs[] = {nslog_reb, func_reb}; rebind_symbols(rebs, 2); func(); }Copy the codeHere are the results:
Fishhook cannot hook custom function!! why????
Why does fishhook principle exploration work
Why fishhook can only hook dynamic link library functions, but not custom functions!! Using Hopper Disassembler to disassemble the above code executable, the custom function func assembles the result as follows:
The func function has not been fishhook. Don’t worry, look down, look at the func function in the code segment or data segment?
Use MachOView to see if func is in the code segment or the data segment, as shown below:
Custom functions in the code snippet, the code snippet has read-only executable permission, sofishhookCan’thookCustom functions! theNSLogIn code segment or data segment??
Use MachOView to see the specific segments, as shown below;
The NSLog function symbol is located in the data segment, so fishhook is able to hook the NSLog in the Foundation. Framework for one important reason: the function symbol is located in the data segment, and only the content in the data segment can be modified!!
Why are function symbols in the data segment?
Read the picture below:
In a word: The actual function symbol NSLog is located in the external dynamic link library Foundation. Framework. It belongs to the external symbol. The _NSLog_ptr needs to be re-” symbol rebound “when the executable is loaded into memory to correct its address contents to perform a true NSLog implementation.
Let’s see what section NSLog is in, as shown below:
In the _la_symbol_ptr segment, it is a “lazy symbol”, even if it is needed to load!! The opposite is “non-lazily loaded symbol”, as shown below:
Also in the data segment, the content is null, that is, after the program starts to “symbol rebinding”.
How can lazy load symbols be loaded?
NSLog for lazy loading jumps to 0x100002394, 0x100002394 to 0x100002384, then to dyLD_STUB_binder, which means dyld for pile binding and dyLD symbol rebinding!!
How does Dyld relate to Fishhook?
The dyld dynamic loader provides an interface for obtaining mirror data, such as Mach-O header and ASLR, so that all data related to function symbols, such as lazy load symbols and non-lazy load symbols, can be obtained from the information in Mach-O.
How to determine the function symbol address?
This is thefishhookThe important process, is the symbol search process, very simple, a picture can be understood, as follows:
The process is as follows:
- Load symbol table lazily
Lazy Symbol Pointer TableAnd the indirect symbol tableIndirect Symbol TableOne to one correspondence of symbols in; - The indirect symbol table holds the function symbol in the symbol table
Symbol TableThe offset in; - Each entry in the symbol table is
struct nlistStructure that holds function symbols in the string tableString TableThe offset in; - The final function symbol for the function name of is found by the offset from the string table
By traversing the above process, the corresponding relationship between the function symbol and the function name can be established, and the final function symbol can be found through the function name, and then the pointer of the function symbol can be modified to point to its own implementation. Therefore, the struct rebinding in the function interface rebind_symbols provided by Fishhook needs to provide the function name, as follows:
struct rebinding {
const char *name;// Name of the function
void *replacement;// New function pointer
void **replaced;// A pointer to the original function address
};
Copy the codeconclusion
There are several reasons why fishhook can hook C functions:
- The function symbol is an external symbol, located in the dynamic link library, and thus in the data segment, only the contents of the data segment can be modified;
dyldProvides an interface for obtaining mirror information, such asMach-O header,ASLRAnd so on, then you can get all the information related to symbols such as lazy-loaded symbol table, non-lazy-loaded symbol table, indirect symbol table, symbol table, string table, etc.- By traversing the function symbol to establish the corresponding relationship between the function symbol and the function name, you can find the final function symbol address through the function name, and you can modify the content of the function symbol to point to your own implementation.
Thinking and exploration
fishhookTo be able tohookCStudent: Function, can youhookC++Function?LinuxCan the systemhookC/C++Function?
Make learning fun!!
Reference
Hook glibc function by modifying the GOT table
IOS hook C++ try
Explore mach-o files
Self Cultivation for a Programmer
fishhook
IOS wechat memory monitoring