/*
 * Replacement body for epoll_wait(), installed through the ADBI hook `eph`.
 *
 * The hook is lifted (hook_precall) before the real epoll_wait() runs so the
 * original code path executes unmodified. It is re-armed afterwards only
 * while the global `counter` is still non-zero; once `counter` reaches zero
 * the following call leaves the hook removed for good. On every counted call
 * the DVM symbols are resolved (dexstuff_resolv_dvm) and do_patch() installs
 * the remaining hooks.
 *
 * Returns whatever the original epoll_wait() returned.
 */
int my_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout)
{
    typedef int (*epoll_wait_fn)(int, struct epoll_event *, int, int);
    /* eph.orig holds the saved original entry; cast via void* to a function pointer. */
    epoll_wait_fn real_epoll_wait = (epoll_wait_fn)(void *)eph.orig;

    /* Take the hook out so the call below reaches the genuine epoll_wait(). */
    hook_precall(&eph);
    int ret = real_epoll_wait(epfd, events, maxevents, timeout);

    if (!counter) {
        /* Budget exhausted: the hook stays removed and nothing is instrumented. */
        return ret;
    }

    hook_postcall(&eph);
    adbi_log_printf("epoll_wait() called\n");
    counter--;

    /* Resolve the Dalvik VM symbols, then install the Dalvik-level hooks. */
    dexstuff_resolv_dvm(&d);
    do_patch();

    if (!counter) {
        adbi_log_printf("removing hook for epoll_wait() on next event\n");
    }
    return ret;
}
/*
 * epoll_wait() hook body (LOGI-logging variant).
 *
 * The hook is lifted before the real call so epoll_wait() runs unmodified and
 * is re-armed afterwards only while the global `counter` is non-zero, so the
 * hook disappears after `counter` instrumented calls.
 *
 * Returns the original epoll_wait() result unchanged.
 */
int my_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout)
{
    typedef int (*epoll_wait_fn)(int, struct epoll_event *, int, int);
    /* eph.orig holds the saved original entry; cast via void* to a function pointer. */
    epoll_wait_fn real_epoll_wait = (epoll_wait_fn)(void *)eph.orig;

    hook_precall(&eph);
    int ret = real_epoll_wait(epfd, events, maxevents, timeout);

    if (counter) {
        hook_postcall(&eph);
        LOGI("epoll_wait() called\n");
        /* Last counted call: announce that the hook will not be re-armed again. */
        if (--counter == 0) {
            LOGI("removing hook for epoll_wait()\n");
        }
    }
    return ret;
}
/*
 * Generic hook body for functions whose prototype is not known ("no_proto").
 * It takes 18 pointer-sized arguments so that whatever the original expects
 * can be passed straight through; the hook is lifted around the call to the
 * original and re-installed afterwards.
 *
 * NOTE(review): `i` is a `void *` parameter here, yet it is used as the index
 * into hook_array[] — a pointer is not a valid subscript, so this does not
 * compile as written. Presumably the hook slot was meant to come from a
 * separate integer; confirm the intended index.
 * NOTE(review): coverage_ptr is loaded from hook_array[i].orig but the call
 * goes through no_proto_ptr — one of the two looks like a leftover; confirm
 * which pointer is meant to carry the original function.
 * NOTE(review): passing a pointer to "%x" is a format mismatch; it happens to
 * print on 32-bit targets but is undefined — "%p" is the portable specifier.
 */
void* coverage(void* a, void* b, void* c, void* d, void* e, void* f, void* g, void* h, void* i, void* j, void* k, void* l, void* m, void* n, void* o, void* p, void* q, void* r)
{
    void *result;

    coverage_ptr = (void *) hook_array[i].orig;
    /* log() appears to be a statement-like macro in this file: no ';' after it. */
    log("[*]\tHit no_proto 0x%x\n", no_proto_ptr)
    hook_precall(&hook_array[i]);
    result = no_proto_ptr( a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r);
    hook_postcall(&hook_array[i]);
    return result;
}
/*
 * Hook body for phLibNfc_RemoteDev_CheckPresence().
 *
 * Records the caller's callback and context in the hook's private data block
 * (so my_cb_phLibNfc_RemoteDev_CheckPresence can forward to them later) and
 * then takes one of two paths:
 *   - while a card is being faked (fake_card_state > 1) the presence check is
 *     short-circuited: a message is posted to the DAL message queue and 0xd is
 *     returned without calling the original;
 *   - otherwise the original is called with our callback substituted for the
 *     caller's, and its status is returned.
 *
 * Params:  hTargetDev         handle of the remote device being checked
 *          pPresenceChk_RspCb caller's completion callback
 *          pRspCbCtx          caller's callback context
 * Returns: the original's NFCSTATUS, or 0xd on the faked path (presumably the
 *          stack's "pending" status — confirm against the NFC stack headers).
 */
NFCSTATUS my_phLibNfc_RemoteDev_CheckPresence(phLibNfc_Handle hTargetDev, pphLibNfc_RspCb_t pPresenceChk_RspCb, void* pRspCbCtx )
{
    /* Saved original entry; converted through void* to the function pointer. */
    orig_phLibNfc_RemoteDev_CheckPresence = (void*) hook_phLibNfc_RemoteDev_CheckPresence.orig;
    log("%s enter\n", __func__)
    log("orig_phLibNfc_RemoteDev_CheckPresence = %x\n", orig_phLibNfc_RemoteDev_CheckPresence)

    /* Per-hook private data: stash the caller's callback/context for our own callback. */
    struct special_phLibNfc_RemoteDev_CheckPresence_t *d = (struct special_phLibNfc_RemoteDev_CheckPresence_t*)hook_phLibNfc_RemoteDev_CheckPresence.data;
    d->orig_cb = pPresenceChk_RspCb; // FIXME
    d->my_cb = my_cb_phLibNfc_RemoteDev_CheckPresence; // FIXME
    d->hTargetDev = hTargetDev;
    d->pRspCbCtx = pRspCbCtx;
    log("cb for presence: %x\n",pPresenceChk_RspCb )

    if (fake_card_state > 1) { // previously also excluded state 9: "&& fake_card_state != 9"
        // Faked card: do not ask the hardware. Instead trigger the callback from
        // the msgrcv(..) side by posting a message to the DAL queue.
        // 0xffffff03 is a private message type; its meaning is defined elsewhere.
        wrapper.msg.eMsgType = 0xffffff03;
        ptr_phDal4Nfc_msgsnd = msgsend;
        // NOTE(review): the NULL check below only guards against msgsend itself
        // being NULL, since the pointer was just assigned from it.
        if (ptr_phDal4Nfc_msgsnd != NULL) {
            // msgsnd-style call: size covers the payload only — assumes wrapper is
            // { mtype; phLibNfc_Message_t msg } — confirm against the wrapper's definition.
            ptr_phDal4Nfc_msgsnd(global_msqid, (struct msgbuf *)&wrapper, sizeof(phLibNfc_Message_t), 0);
        }
        // (an earlier version invoked pPresenceChk_RspCb(pRspCbCtx, NFCSTATUS_SUCCESS) directly here)
        return 0xd;
    }

    /* Real path: lift the hook, call the original with our callback, re-arm. */
    hook_precall(&hook_phLibNfc_RemoteDev_CheckPresence);
    NFCSTATUS res = orig_phLibNfc_RemoteDev_CheckPresence(hTargetDev,my_cb_phLibNfc_RemoteDev_CheckPresence,pRspCbCtx);
    hook_postcall(&hook_phLibNfc_RemoteDev_CheckPresence);
    log("%s result = %x\n", __func__, res)
    return res;
}
/*
 * Hook body for blow(): lifts the hook, logs the call, invokes the original
 * with the argument increased by 3, re-arms the hook and returns the
 * original's result. The argument rewrite (a+3) is reproduced as written;
 * it looks like a demonstration that a hook can alter parameters — confirm.
 */
int my_blow(int a) // FIXME
{
    /* Saved original entry; converted through void* to the function pointer. */
    orig_blow = (void*) hook_blow.orig;
    log("%s enter\n", __func__)

    hook_precall(&hook_blow);
    log("calling hooked function\n")
    log("address: %x - param: %d", orig_blow, a )
    log("\n");
    log("\n");

    int ret = orig_blow(a+3);
    log("hooked function finished\n")
    hook_postcall(&hook_blow);

    log("%s result = %x\n", __func__, ret)
    return ret;
}
/*
 * epoll_wait() hook body.
 *
 * The hook is lifted before the real call so epoll_wait() runs unmodified and
 * is re-armed afterwards only while the global `counter` is non-zero. When the
 * last counted call has been handled, the next call leaves the hook removed.
 *
 * Returns the original epoll_wait() result unchanged.
 */
int my_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout)
{
    typedef int (*epoll_wait_fn)(int, struct epoll_event *, int, int);
    /* eph.orig holds the saved original entry; cast via void* to a function pointer. */
    epoll_wait_fn real_epoll_wait = (epoll_wait_fn)(void *)eph.orig;

    /* Take the hook out so the call below reaches the genuine epoll_wait(). */
    hook_precall(&eph);
    int ret = real_epoll_wait(epfd, events, maxevents, timeout);

    if (counter) {
        hook_postcall(&eph);
        adbi_log_printf("epoll_wait() called\n");
        if (--counter == 0) {
            adbi_log_printf("removing hook for epoll_wait() on next event\n");
        }
    }
    return ret;
}
/*
 * epoll_wait() hook body that bootstraps the Dalvik-side instrumentation.
 *
 * The hook is lifted before the real call so epoll_wait() runs unmodified.
 * While hook_counter is non-zero the hook is re-armed and, on that call, the
 * DVM symbols are resolved, the dex file named by SEND_RAW_PDU_DEXFILE is
 * loaded into this process, its classes are defined, a SendRawPdu instance is
 * created through JNI, and the Dalvik hook on
 * GsmInboundSmsHandler.dispatchMessageRadioSpecific is installed.
 *
 * Returns the original epoll_wait() result unchanged.
 *
 * NOTE(review): hook_counter is post-decremented on every call, so a call made
 * with hook_counter == 0 leaves it at -1; that call also does not re-arm the
 * hook, so presumably this body is never entered again — confirm.
 * NOTE(review): SEND_RAW_PDU_DEXFILE is defined elsewhere; whatever path it
 * names is loaded with this process's privileges, so it must not be writable
 * by other apps or users.
 */
int my_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout)
{
    adbi_log_printf("epoll_wait() called\n");
    int (*orig_epoll_wait) (int epfd, struct epoll_event *events, int maxevents, int timeout);
    /* eph.orig holds the saved original entry; converted through void* to a function pointer. */
    orig_epoll_wait = (void*)eph.orig;
    // remove hook (see github)
    hook_precall(&eph);
    int res = orig_epoll_wait(epfd, events, maxevents, timeout);

    if ( hook_counter-- ) {
        adbi_log_printf("starting hooked code execution ...");
        hook_postcall(&eph);
        dexstuff_resolv_dvm(&dexEnv);

        /* Obtain the VM and a JNIEnv for this thread; everything below needs both. */
        JavaVM *gVm = aitk_resolve_local_jvm();
        if (gVm) {
            JNIEnv *jniEnv = aitk_resolve_local_jenv(gVm);
            if (jniEnv) {
                //FIXME: cookie is 0, but seems to work so far
                int cookie = dexstuff_loaddex(&dexEnv, SEND_RAW_PDU_DEXFILE);
                ddi_log_printf("send_raw_pdu.dex: %x\n", cookie);

                /* Define the helper classes from the loaded dex under the same cookie.
                 * Only dex_SendRawPdu is checked below; the others are logged only. */
                void *dex_SendRawPdu = dexstuff_defineclass(&dexEnv, SEND_RAW_PDU_CLASS, cookie);
                ddi_log_printf("SendRawPdu (dex): %x\n", dex_SendRawPdu);
                void *dex_SubmitPduFactory = dexstuff_defineclass(&dexEnv, SUBMIT_PDU_FACTORY_CLASS, cookie);
                ddi_log_printf("SubmitPduFactory (dex): %x\n", dex_SubmitPduFactory);
                void *dex_AitkSubmitPdu = dexstuff_defineclass(&dexEnv, AITK_SUBMIT_PDU_CLASS, cookie);
                ddi_log_printf("AitkSubmitPdu (dex): %x\n", dex_AitkSubmitPdu);
                void *dex_AitkGsmInboundSmsHandler = dexstuff_defineclass(&dexEnv, AITK_GSM_SMS_HANDLER_CLASS, cookie);
                ddi_log_printf("AitkGsmInboundSmsHandler (dex): %x\n", dex_AitkGsmInboundSmsHandler);

                if (dex_SendRawPdu) {
                    // NOTE(review): SEND_RAW_PDU_CLASS is handed both to dexstuff_defineclass and
                    // to JNI FindClass; JNI expects the "pkg/Name" form — confirm the macro's
                    // form satisfies both callers.
                    jclass jcl_SendRawPdu = (*jniEnv)->FindClass(jniEnv, SEND_RAW_PDU_CLASS);
                    ddi_log_printf("SendRawPdu (Java): %x\n", jcl_SendRawPdu);
                    if (jcl_SendRawPdu) {
                        jmethodID jinit_SendRawPdu = (*jniEnv)->GetMethodID(jniEnv, jcl_SendRawPdu, "<init>", "()V");
                        ddi_log_printf("SendRawPdu (<init>): %x\n", jinit_SendRawPdu);
                        if (jinit_SendRawPdu) {
                            /* The instance is created for its side effects only; the local
                             * reference is not retained here. */
                            jobject jobj_SendRawPdu = (*jniEnv)->NewObject(jniEnv, jcl_SendRawPdu, jinit_SendRawPdu);
                            ddi_log_printf("SendRawPdu instance: %x\n", jobj_SendRawPdu);
                        }
                    }
                }
            }
        }

        /* Install the Dalvik-level hook regardless of whether the JNI setup above succeeded. */
        dalvik_hook_setup(&dvkhook_dispatchMessageRadioSpecific,
                          "Lcom/android/internal/telephony/gsm/GsmInboundSmsHandler;",
                          "dispatchMessageRadioSpecific",
                          "(Lcom/android/internal/telephony/SmsMessageBase;)I",
                          2, hook_fn_dispatchMessageRadioSpecific);
        dalvik_hook(&dexEnv, &dvkhook_dispatchMessageRadioSpecific);
        adbi_log_printf("removing hook for epoll_wait() on next event\n");
    }
    return res;
}