Android Hook frame ADBI Source Analysis (ii)

Source: Internet
Author: User

2. libbase

Once the .so has been loaded into the target process, the hooking itself can be done entirely inside that shared library. The ADBI author wrote a small generic hooking framework, libbase, so that this work does not have to be repeated for every hook.
libbase solves two remaining problems: 1. obtaining the address of the target function to hook; 2. applying a binary patch to the first instructions of that function, i.e. an inline hook.

How the address of the target function is obtained is not covered here. We look directly at the inline hook part, which is implemented in the hook() function in base/hook.c of the ADBI source [1]. First the hook_t structure:

    struct hook_t {
        unsigned int jump[3];      /* jump instructions (ARM) */
        unsigned int store[3];     /* original instructions (ARM) */
        unsigned char jumpt[20];   /* jump instructions (Thumb) */
        unsigned char storet[20];  /* original instructions (Thumb) */
        unsigned int orig;         /* address of the hooked function */
        unsigned int patch;        /* address of the patch (hook) function */
        unsigned char thumb;       /* instruction set of the patched code: 1 Thumb, 0 ARM */
        unsigned char name[128];   /* name of the hooked function */
        void *data;
    };
    /* The array sizes (20, 20, 128) are those of base/hook.h in the ADBI
       repository; they had been lost in the extraction of this article. */

hook_t is a standard inline hook descriptor: it holds the jump instructions, the original instructions they replace, the original and hook addresses, the instruction set and the name of the hooked function. Because ARM processors run two instruction sets, ARM and Thumb, the code has to distinguish the two cases:

    if (addr % 4 == 0) {
        /* ARM */
    } else {
        /* THUMB */
    }

The basis for this test is that when the compiler builds a function for the Thumb instruction set, it sets bit 0 of the symbol's address to 1 (the real instruction address is the value with that bit cleared). This interworking bit is what lets Thumb functions be called seamlessly from ARM code: a BX to an odd address switches the processor into Thumb state. ARM instructions are 4-byte aligned, so an address that is a multiple of 4 is taken to be ARM code; anything else is treated as Thumb.
Let us look at the processing flow of the ARM branch, which is the core of the matter:

    if (addr % 4 == 0) {
        log("ARM using 0x%lx\n", (unsigned long)hook_arm)
        h->thumb = 0;
        h->patch = (unsigned int)hook_arm;
        h->orig = addr;
        h->jump[0] = 0xe59ff000;   /* LDR pc, [pc, #0] */
        h->jump[1] = h->patch;
        h->jump[2] = h->patch;
        for (i = 0; i < 3; i++)
            h->store[i] = ((int*)h->orig)[i];
        for (i = 0; i < 3; i++)
            ((int*)h->orig)[i] = h->jump[i];
    }

First the hook_t structure is filled in. The first for loop saves the three instructions (12 bytes) found at the original entry point into store[]; the second for loop overwrites them with the new jump sequence. The three words of that sequence are prepared in jump[0]-[2]:

jump[0] is 0xe59ff000, which disassembles to LDR pc, [pc, #0]. On ARM the value read from the pc register is the address of the current instruction plus 8, so this instruction actually loads the word at jump[2] into pc.
jump[2] holds the address of the hook function. jump[1] serves only as a 4-byte placeholder (the load skips over it). The Thumb branch follows the same principle as the ARM branch and is not analysed further.
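The ARM branch above, reduced to data manipulation so it can be compiled and checked on any host. This is an added example, not ADBI's code: the target "memory" is an array of 32-bit words whose first word sits at a chosen base address, and emulate_ldr_pc() models the pc + 8 rule rather than executing anything. The function names, the sample prologue words and the addresses in the test are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ADBI code: the ARM branch of hook() reduced to pure
 * data manipulation so it can be compiled and checked on any host. Target
 * "memory" is an array of 32-bit words whose first word lives at `base`;
 * all addresses are plain uint32_t values and no ARM CPU is involved. */

#define ARM_LDR_PC_PC_0 0xe59ff000u /* LDR pc, [pc, #0] */
#define PATCH_WORDS     3           /* 12 bytes overwritten at the entry */

/* Thumb functions are exported with bit 0 of the address set (the
 * interworking bit). Returns 1 for Thumb, 0 for ARM; if real is non-NULL
 * it receives the address with the bit cleared. hook() itself tests
 * addr % 4 == 0 for ARM, which is equivalent for 4-byte aligned ARM code. */
int classify_entry(uint32_t addr, uint32_t *real)
{
    if (real)
        *real = addr & ~1u;
    return (addr & 1u) ? 1 : 0;
}

/* Fill jump[] exactly as the ARM branch of hook() does. */
void build_arm_jump(uint32_t target, uint32_t jump[PATCH_WORDS])
{
    jump[0] = ARM_LDR_PC_PC_0; /* the only word that is executed */
    jump[1] = target;          /* 4-byte placeholder, skipped by the load */
    jump[2] = target;          /* at entry + 8, where pc points during jump[0] */
}

/* Translate an address into a word index, rejecting misaligned or
 * out-of-range patches. Returns 0 on success, -1 otherwise. */
static int word_index(size_t words, uint32_t base, uint32_t entry, size_t *idx)
{
    if (entry % 4 != 0 || entry < base)
        return -1;
    *idx = (entry - base) / 4;
    if (*idx + PATCH_WORDS > words)
        return -1;
    return 0;
}

/* Install the patch at `entry`, saving the three original words in store[]
 * (first for loop in hook()) and then overwriting them (second for loop). */
int install_arm_hook(uint32_t *mem, size_t words, uint32_t base,
                     uint32_t entry, uint32_t target, uint32_t store[PATCH_WORDS])
{
    uint32_t jump[PATCH_WORDS];
    size_t idx;

    if (word_index(words, base, entry, &idx) != 0)
        return -1;
    build_arm_jump(target, jump);
    memcpy(store, &mem[idx], sizeof jump);
    memcpy(&mem[idx], jump, sizeof jump);
    return 0;
}

/* Write the saved words back; this is what makes the original function
 * callable again (and what an unhook needs). */
int restore_arm_hook(uint32_t *mem, size_t words, uint32_t base,
                     uint32_t entry, const uint32_t store[PATCH_WORDS])
{
    size_t idx;

    if (word_index(words, base, entry, &idx) != 0)
        return -1;
    memcpy(&mem[idx], store, PATCH_WORDS * sizeof *store);
    return 0;
}

/* Model of the pipeline rule the text relies on: while the LDR at pc_addr
 * executes, pc reads as pc_addr + 8, so [pc, #0] is the word two slots
 * later. Returns the value the CPU would load into pc, or 0 if the word at
 * pc_addr is not LDR pc, [pc, #0]. */
uint32_t emulate_ldr_pc(const uint32_t *mem, size_t words, uint32_t base,
                        uint32_t pc_addr)
{
    size_t idx;

    if (word_index(words, base, pc_addr, &idx) != 0)
        return 0;
    if (mem[idx] != ARM_LDR_PC_PC_0)
        return 0;
    return mem[idx + 8 / 4];
}
```

The alignment and range checks are the part hook() itself does not do: it trusts the address it is given and writes 12 bytes unconditionally, so a function shorter than 12 bytes, or one whose first three words contain pc-relative instructions, will not survive being restored and re-executed.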

Next we notice that hook() finishes by calling hook_cacheflush(). The range passed is orig up to orig + sizeof(h->jumpt), which covers the larger (Thumb) patch and therefore the ARM one as well:

    hook_cacheflush((unsigned int)h->orig, (unsigned int)h->orig + sizeof(h->jumpt));

Modern processors have a separate instruction cache to speed up execution. After we modify instructions in memory, a stale copy of the old instructions may still sit in the instruction cache, while the new bytes sit in the data cache where instruction fetch does not see them; if nothing is done the processor may keep executing the old code. The patched range therefore has to be flushed before it runs [2]:

    void inline hook_cacheflush(unsigned int begin, unsigned int end)
    {
        const int syscall = 0xf0002;   /* __ARM_NR_cacheflush, an ARM private syscall */
        __asm __volatile (
            "mov     r0, %0\n"         /* start address */
            "mov     r1, %1\n"         /* end address */
            "mov     r7, %2\n"         /* syscall number */
            "mov     r2, #0x0\n"       /* flags, must be 0 */
            "svc     0x00000000\n"
            :
            : "r" (begin), "r" (end), "r" (syscall)
            : "r0", "r1", "r2", "r7"   /* r2 added to the clobber list: the asm writes it */
        );
    }
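The same flush written so that it builds and runs both on a 32-bit ARM target and on a development host. This is an added example, not ADBI's code: on ARM it issues the private syscall 0xf0002 with the register convention shown above; elsewhere it falls back to the compiler builtin __builtin___clear_cache() (a no-op on x86, where the instruction cache is coherent). The function names and the patch words in the test are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ADBI code: a cache flush helper that issues the ARM
 * private syscall 0xf0002 (__ARM_NR_cacheflush) on 32-bit ARM, with the
 * compiler's portable builtin everywhere else so the same code compiles and
 * runs on a development host. */

#define ARM_NR_BASE       0x0f0000u           /* __ARM_NR_BASE in the kernel ABI */
#define ARM_NR_CACHEFLUSH (ARM_NR_BASE + 2)   /* == 0xf0002, the number hook_cacheflush() uses */

/* Flush [begin, end) so that freshly written instructions are fetched
 * from memory rather than from a stale I-cache line. Returns 0 on success,
 * -1 on an empty/inverted range or if the kernel rejected the call. */
int flush_code_range(const void *begin, const void *end)
{
    uintptr_t b = (uintptr_t)begin, e = (uintptr_t)end;

    if (b == 0 || e <= b)
        return -1;
#if defined(__arm__) && !defined(__aarch64__)
    {
        /* r0 = start, r1 = end, r2 = flags (must be 0), r7 = syscall number */
        register uintptr_t r0 __asm__("r0") = b;
        register uintptr_t r1 __asm__("r1") = e;
        register uintptr_t r2 __asm__("r2") = 0;
        register uintptr_t r7 __asm__("r7") = ARM_NR_CACHEFLUSH;
        __asm__ __volatile__("svc 0"
                             : "+r"(r0)
                             : "r"(r1), "r"(r2), "r"(r7)
                             : "memory");
        return r0 == 0 ? 0 : -1;   /* kernel returns 0 or -errno in r0 */
    }
#else
    __builtin___clear_cache((char *)b, (char *)e);
    return 0;
#endif
}

/* The write-then-flush sequence hook() performs: copy the patch words into
 * the code page, then flush exactly the bytes that were written. */
int write_and_flush(uint32_t *dst, const uint32_t *src, size_t words)
{
    if (words == 0)
        return -1;
    memcpy(dst, src, words * sizeof *dst);
    return flush_code_range(dst, dst + words);
}
```

Binding the arguments to named registers lets the compiler load r0, r1, r2 and r7 itself instead of the mov sequence in the original, which removes the risk of an input being allocated to a register the asm overwrites. The flags argument in r2 must be 0 or the kernel rejects the call, and the range is end-exclusive.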

Resources

[1] ADBI source, https://github.com/crmulliner/adbi
[2] minghuasweblog, ARM cache flush on mmap'd buffers with __clear_cache(), March 29, 2013
