Android Art Hook 技術方案

by 低端碼農 at 2015.4.13
www.im-boy.net

0x1 開始

Anddroid上的ART從5.0之后變成默認的選擇，可見ART的重要性，目前關于Dalvik Hook方面研究的文章很多，但我在網上卻找不到關于ART Hook相關的文章，甚至連鼎鼎大名的XPosed和Cydia Substrate到目前為止也不支持ART的Hook。當然我相信，技術方案他們肯定是的，估計卡在機型適配上的了。

既然網上找不到相關的資料，于是我決定自己花些時間去研究一下，終于黃天不負有心人，我找到了一個切實可行的方法，即本文所介紹的方法。

應該說明的是本文所介紹的方法肯定不是最好的，但大家看完本文之后，如果能啟發大家找到更好的ART Hook方法，那我拋磚引玉的目的就達到了。廢話不多說，我們開始吧。

• 運行環境: 4.4.2 ART模式的模擬器
• 開發環境: Mac OS X 10.10.3

0x2 ART類方法加載及執行

在ART中類方法的執行要比在Dalvik中要復雜得多，Dalvik如果除去JIT部分，可以理解為是一個解析執行的虛擬機，而ART則同時包含本地指令執行和解析執行兩種模式，同時所生成的oat文件也包含兩種類型，分別是portable和quick。portable和quick的主要區別是對于方法的加載機制不相同，quick大量使用了Lazy Load機制，因此應用的啟動速度更快，但加載流程更復雜。其中quick是作為默認選項，因此本文所涉及的技術分析都是基于quick類型的。

由于ART存在本地指令執行和解析執行兩種模式，因此類方法之間并不是能直接跳轉的，而是通過一些預先定義的bridge函數進行狀態和上下文的切換，這里引用一下老羅博客中的示意圖：

當執行某個方法時，如果當前是本地指令執行模式，則會執行ArtMethod::GetEntryPointFromCompiledCode()指向的函數，否則則執行ArtMethod::GetEntryPointFromInterpreter()指向的函數。因此每個方法，都有兩個入口點，分別保存在ArtMethod::entry_point_from_compiled_code_和ArtMethod::entry_point_from_interpreter_。了解這一點非常重要，后面我們主要就是在這兩個入口做文章。

在講述原理之前，需要先把以下兩個流程了解清楚，這里的內容要展開是非常龐大的，我針對Hook的關鍵點，簡明扼要的描述一下，但還是強烈建議大家去老羅的博客里細讀一下其中關于ART的幾篇文章。

• ArtMethod加載流程

這個過程發生在oat被裝載進內存并進行類方法鏈接的時候，類方法鏈接的代碼在art/runtime/class_linker.cc中的LinkCode，如下所示：

<code class="hljs lasso has-numbering">static <span class="hljs-literal">void</span> LinkCode(SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">>&</span> method, const OatFile<span class="hljs-tag">::OatClass</span><span class="hljs-subst">*</span> oat_class, uint32_t method_index)SHARED_LOCKS_REQUIRED(Locks<span class="hljs-tag">::mutator_lock_</span>) {<span class="hljs-comment">// Method shouldn't have already been linked.</span>DCHECK(method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode() <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>);<span class="hljs-comment">// Every kind of method should at least get an invoke stub from the oat_method.</span><span class="hljs-comment">// non-abstract methods also get their code pointers.</span>const OatFile<span class="hljs-tag">::OatMethod</span> oat_method <span class="hljs-subst">=</span> oat_class<span class="hljs-subst">-></span>GetOatMethod(method_index);<span class="hljs-comment">// 這里默認會把method::entry_point_from_compiled_code_設置oatmethod的code</span>oat_method<span class="hljs-built_in">.</span>LinkMethod(method<span class="hljs-built_in">.</span>get());<span class="hljs-comment">// Install entry point from interpreter.</span>Runtime<span class="hljs-subst">*</span> runtime <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();bool enter_interpreter <span class="hljs-subst">=</span> NeedsInterpreter(method<span class="hljs-built_in">.</span>get(), method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode()); <span class="hljs-comment">//判斷方法是否需要解析執行</span><span class="hljs-comment">// 設置解析執行的入口點</span><span class="hljs-keyword">if</span> (enter_interpreter) {method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(interpreter<span class="hljs-tag">::artInterpreterToInterpreterBridge</span>);} <span class="hljs-keyword">else</span> {method<span class="hljs-subst">-></span>SetEntryPointFromInterpreter(artInterpreterToCompiledCodeBridge);}<span class="hljs-comment">// 下面是設置本地指令執行的入口點</span><span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsAbstract()) {method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());<span class="hljs-keyword">return</span>;}<span class="hljs-comment">// 這里比較難理解，如果是靜態方法，但不是clinit，但需要把entry_point_from_compiled_code_設置為GetResolutionTrampoline的返回值</span><span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsStatic() <span class="hljs-subst">&&</span> <span class="hljs-subst">!</span>method<span class="hljs-subst">-></span>IsConstructor()) {<span class="hljs-comment">// For static methods excluding the class initializer, install the trampoline.</span><span class="hljs-comment">// It will be replaced by the proper entry point by ClassLinker::FixupStaticTrampolines</span><span class="hljs-comment">// after initializing class (see ClassLinker::InitializeClass method).</span>method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetResolutionTrampoline(runtime<span class="hljs-subst">-></span>GetClassLinker()));} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (enter_interpreter) {<span class="hljs-comment">// Set entry point from compiled code if there's no code or in interpreter only mode.</span>method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());}<span class="hljs-keyword">if</span> (method<span class="hljs-subst">-></span>IsNative()) {<span class="hljs-comment">// Unregistering restores the dlsym lookup stub.</span>method<span class="hljs-subst">-></span>UnregisterNative(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>());}<span class="hljs-comment">// Allow instrumentation its chance to hijack code.</span>runtime<span class="hljs-subst">-></span>GetInstrumentation()<span class="hljs-subst">-></span>UpdateMethodsCode(method<span class="hljs-built_in">.</span>get(),method<span class="hljs-subst">-></span>GetEntryPointFromCompiledCode()); }</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li></ul>

通過上面的代碼我們可以得到，一個ArtMethod的入口主要有以下幾種：

Interpreter2Interpreter對應artInterpreterToInterpreterBridge(art/runtime/interpreter/interpreter.cc);

Interpreter2CompledCode對應artInterpreterToCompiledCodeBridge(/art/runtime/entrypoints/interpreter/interpreter_entrypoints.cc);

CompliedCode2Interpreter對應art_quick_to_interpreter_bridge(art/runtime/arch/arm/quick_entrypoints_arm.S);

CompliedCode2ResolutionTrampoline對應art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S);

CompliedCode2CompliedCode這個入口是直接指向oat中的指令，詳細可見OatMethod::LinkMethod;

其中調用約定主要有兩種，分別是：

typedef void (EntryPointFromInterpreter)(Thread* self, MethodHelper& mh, const DexFile::CodeItem* code_item, ShadowFrame* shadow_frame, JValue* result), 這種對應上述1，3兩種入口；

剩下的2，4，5三種入口對應的是CompledCode的入口，代碼中并沒有直接給出，但我們通過分析ArtMethod::Invoke的方法調用，就可以知道其調用約定了。Invoke過程中會調用art_quick_invoke_stub(/art/runtime/arch/arm/quick_entrypoints_arm.S)，代碼如下所示：

<code class="hljs avrasm has-numbering"> <span class="hljs-comment">/** Quick invocation stub.* On entry:* r0 = method pointer* r1 = argument array or NULL for no argument methods* r2 = size of argument array in bytes* r3 = (managed) thread pointer* [sp] = JValue* result* [sp + 4] = result type char*/</span> ENTRY art_quick_invoke_stub <span class="hljs-keyword">push</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} @ spill regs <span class="hljs-preprocessor">.save</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} <span class="hljs-preprocessor">.pad</span> <span class="hljs-preprocessor">#24</span> <span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset <span class="hljs-number">24</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r0</span>, <span class="hljs-number">0</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r4</span>, <span class="hljs-number">4</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r5</span>, <span class="hljs-number">8</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r9</span>, <span class="hljs-number">12</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset <span class="hljs-built_in">r11</span>, <span class="hljs-number">16</span> <span class="hljs-preprocessor">.cfi</span>_rel_offset lr, <span class="hljs-number">20</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r11</span>, sp @ save the stack pointer <span class="hljs-preprocessor">.cfi</span>_def_cfa_register <span class="hljs-built_in">r11</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r3</span> @ move managed thread pointer into <span class="hljs-built_in">r9</span> <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r4</span>, <span class="hljs-preprocessor">#SUSPEND_CHECK_INTERVAL @ reset r4 to suspend check interval</span> <span class="hljs-keyword">add</span> <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r2</span>, <span class="hljs-preprocessor">#16 @ create space for method pointer in frame</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#0xFFFFFFF0 @ align frame size to 16 bytes</span> <span class="hljs-keyword">sub</span> sp, <span class="hljs-built_in">r5</span> @ reserve stack space for argument array <span class="hljs-keyword">add</span> <span class="hljs-built_in">r0</span>, sp, <span class="hljs-preprocessor">#4 @ pass stack pointer + method ptr as dest for memcpy</span> bl memcpy @ memcpy (dest, src, bytes) ldr <span class="hljs-built_in">r0</span>, [<span class="hljs-built_in">r11</span>] @ restore method* ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#4] @ copy arg value for r1</span> ldr <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#8] @ copy arg value for r2</span> ldr <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#12] @ copy arg value for r3</span> <span class="hljs-keyword">mov</span> ip, <span class="hljs-preprocessor">#0 @ set ip to 0</span> str ip, [sp] @ store NULL for method* at bottom of frame ldr ip, [<span class="hljs-built_in">r0</span>, <span class="hljs-preprocessor">#METHOD_CODE_OFFSET] @ get pointer to the code</span> blx ip @ <span class="hljs-keyword">call</span> the method <span class="hljs-keyword">mov</span> sp, <span class="hljs-built_in">r11</span> @ restore the stack pointer ldr ip, [sp, <span class="hljs-preprocessor">#24] @ load the result pointer</span> strd <span class="hljs-built_in">r0</span>, [ip] @ store <span class="hljs-built_in">r0</span>/<span class="hljs-built_in">r1</span> into result pointer <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r11</span>, lr} @ restore spill regs <span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">24</span> bx lr END art_quick_invoke_stub</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li></ul>

“ldr ip, [r0, #METHOD_CODE_OFFSET]”其實就是把ArtMethod::entry_point_from_compiled_code_賦值給ip，然后通過blx直接調用。通過這段小小的匯編代碼，我們得出如下堆棧的布局：

<code class="hljs oxygene has-numbering"> -(low)| caller(<span class="hljs-function"><span class="hljs-keyword">Method</span> *) | <- <span class="hljs-title">sp</span> | <span class="hljs-title">arg1</span> | <- <span class="hljs-title">r1</span>| <span class="hljs-title">arg2</span> | <- <span class="hljs-title">r2</span>| <span class="hljs-title">arg3</span> | <- <span class="hljs-title">r3</span>| ... | | <span class="hljs-title">argN</span> || <span class="hljs-title">callee</span><span class="hljs-params">(<span class="hljs-keyword">Method</span> *)</span> | <- <span class="hljs-title">r0</span>+<span class="hljs-params">(high)</span></span></code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li></ul>

這種調用約定并不是平時我們所見的調用約定，主要體現在參數當超過4時，并不是從sp開始保存，而是從sp + 20這個位置開始存儲，所以這就是為什么在代碼里entry_point_from_compiled_code_的類型是void *的原因了，因為無法用代碼表示。

理解好這個調用約定對我們方案的實現至關重要。

• ArtMethod執行流程

上面詳細講述了類方法加載和鏈接的過程，但在實際執行的過程中，其實還不是直接調用ArtMethod的entry_point(解析執行和本地指令執行的入口)，為了加快執行速度，ART為oat文件中的每個dex創建了一個DexCache（art/runtime/mirror/dex_cache.h）結構，這個結構會按dex的結構生成一系列的數組，這里我們只分析它里面的methods字段。 DexCache初始化的方法是Init，實現如下：

<code class="hljs r has-numbering">void DexCache::Init(const DexFile* dex_file,String* location,ObjectArray<String>* strings,ObjectArray<Class>* resolved_types,ObjectArray<ArtMethod>* resolved_methods,ObjectArray<ArtField>* resolved_fields,ObjectArray<StaticStorageBase>* initialized_static_storage) {//<span class="hljs-keyword">...</span>//<span class="hljs-keyword">...</span>Runtime* runtime = Runtime::Current();<span class="hljs-keyword">if</span> (runtime->HasResolutionMethod()) {// Initialize the resolve methods array to contain trampolines <span class="hljs-keyword">for</span> resolution.ArtMethod* trampoline = runtime->GetResolutionMethod();size_t length = resolved_methods->GetLength();<span class="hljs-keyword">for</span> (size_t i = <span class="hljs-number">0</span>; i < length; i++) {resolved_methods->SetWithoutChecks(i, trampoline);}} }</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li></ul>

根據dex方法的個數，產生相應長度resolved_methods數組，然后每一個都用Runtime::GetResolutionMethod()返回的結果進行填充，這個方法是由Runtime::CreateResolutionMethod產生的，代碼如下：

<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> Runtime<span class="hljs-tag">::CreateResolutionMethod</span>() {mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> method_class <span class="hljs-subst">=</span> mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-tag">::GetJavaLangReflectArtMethod</span>();<span class="hljs-keyword">Thread</span><span class="hljs-subst">*</span> <span class="hljs-built_in">self</span> <span class="hljs-subst">=</span> <span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>();SirtRef<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">></span>method(<span class="hljs-built_in">self</span>, down_cast<span class="hljs-subst"><</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*></span>(method_class<span class="hljs-subst">-></span>AllocObject(<span class="hljs-built_in">self</span>)));method<span class="hljs-subst">-></span>SetDeclaringClass(method_class);<span class="hljs-comment">// TODO: use a special method for resolution method saves</span>method<span class="hljs-subst">-></span>SetDexMethodIndex(DexFile<span class="hljs-tag">::kDexNoIndex</span>);<span class="hljs-comment">// When compiling, the code pointer will get set later when the image is loaded.</span>Runtime<span class="hljs-subst">*</span> r <span class="hljs-subst">=</span> Runtime<span class="hljs-tag">::Current</span>();ClassLinker<span class="hljs-subst">*</span> cl <span class="hljs-subst">=</span> r<span class="hljs-subst">-></span>GetClassLinker();method<span class="hljs-subst">-></span>SetEntryPointFromCompiledCode(r<span class="hljs-subst">-></span>IsCompiler() <span class="hljs-subst">?</span> <span class="hljs-built_in">NULL</span> : GetResolutionTrampoline(cl));<span class="hljs-keyword">return</span> method<span class="hljs-built_in">.</span>get(); }</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li></ul>

從method->SetDexMethodIndex(DexFile::kDexNoIndex)這句得知，所有的ResolutionMethod的methodIndexDexFile::kDexNoIndex。而ResolutionMethod的entrypoint就是我們上面入口分析中的第4種情況，GetResolutionTrampoline最終返回的入口為art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S)。我們看一下其實現代碼：

<code class="hljs avrasm has-numbering"> <span class="hljs-preprocessor">.extern</span> artQuickResolutionTrampoline ENTRY art_quick_resolution_trampolineSETUP_REF_AND_ARGS_CALLEE_SAVE_FRAME<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r9</span> @ pass Thread::Current<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r3</span>, sp @ pass SPblx artQuickResolutionTrampoline @ (Method* called, receiver, Thread*, SP)cbz <span class="hljs-built_in">r0</span>, <span class="hljs-number">1</span>f @ is code pointer null? goto exception<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r12</span>, <span class="hljs-built_in">r0</span>ldr <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#0] @ load resolved method in r0</span>ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#8] @ restore non-callee save r1</span>ldrd <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#12] @ restore non-callee saves r2-r3</span>ldr lr, [sp, <span class="hljs-preprocessor">#44] @ restore lr</span><span class="hljs-keyword">add</span> sp, <span class="hljs-preprocessor">#48 @ rewind sp</span><span class="hljs-preprocessor">.cfi</span>_adjust_cfa_offset -<span class="hljs-number">48</span>bx <span class="hljs-built_in">r12</span> @ tail-<span class="hljs-keyword">call</span> into actual code <span class="hljs-number">1</span>:RESTORE_REF_AND_ARGS_CALLEE_SAVE_FRAMEDELIVER_PENDING_EXCEPTION END art_quick_resolution_trampoline </code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li></ul>

調整好寄存器后，直接跳轉至artQuickResolutionTrampoline(art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc)，接下來我們分析這個方法的實現（大家不要暈了。。。，我會把無關緊要的代碼去掉）：

<code class="hljs r has-numbering">// Lazily resolve a method <span class="hljs-keyword">for</span> quick. Called by stub code. extern <span class="hljs-string">"C"</span> const void* artQuickResolutionTrampoline(mirror::ArtMethod* called,mirror::Object* receiver,Thread* thread, mirror::ArtMethod** sp)SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {FinishCalleeSaveFrameSetup(thread, sp, Runtime::kRefsAndArgs);// Start new JNI local reference stateJNIEnvExt* env = thread->GetJniEnv();ScopedObjectAccessUnchecked soa(env);ScopedJniEnvLocalRefState env_state(env);const char* old_cause = thread->StartAssertNoThreadSuspension(<span class="hljs-string">"Quick method resolution set up"</span>);// Compute details about the called method (avoid GCs)ClassLinker* linker = Runtime::Current()->GetClassLinker();mirror::ArtMethod* caller = QuickArgumentVisitor::GetCallingMethod(sp);InvokeType invoke_type;const DexFile* dex_file;uint32_t dex_method_idx;<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {//<span class="hljs-keyword">...</span>//<span class="hljs-keyword">...</span>} <span class="hljs-keyword">else</span> {invoke_type = kStatic;dex_file = &MethodHelper(called).GetDexFile();dex_method_idx = called->GetDexMethodIndex();}//<span class="hljs-keyword">...</span>// Resolve method filling <span class="hljs-keyword">in</span> dex cache.<span class="hljs-keyword">if</span> (called->IsRuntimeMethod()) {called = linker->ResolveMethod(dex_method_idx, caller, invoke_type);}const void* code = <span class="hljs-literal">NULL</span>;<span class="hljs-keyword">if</span> (LIKELY(!thread->IsExceptionPending())) {//<span class="hljs-keyword">...</span>linker->EnsureInitialized(called_class, true, true);//<span class="hljs-keyword">...</span>}// <span class="hljs-keyword">...</span><span class="hljs-keyword">return</span> code; } </code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li></ul><code class="hljs objectivec has-numbering"><span class="hljs-keyword">inline</span> <span class="hljs-keyword">bool</span> ArtMethod::IsRuntimeMethod() <span class="hljs-keyword">const</span> {<span class="hljs-keyword">return</span> GetDexMethodIndex() == DexFile::kDexNoIndex; }</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li></ul>

called->IsRuntimeMethod()用于判斷當前方法是否為ResolutionMethod。如果是，那么就走ClassLinker::ResolveMethod流程去獲取真正的方法，見代碼：

<code class="hljs lasso has-numbering">mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> ClassLinker<span class="hljs-tag">::ResolveMethod</span>(const DexFile<span class="hljs-subst">&</span> dex_file,uint32_t method_idx,mirror<span class="hljs-tag">::DexCache</span><span class="hljs-subst">*</span> dex_cache,mirror<span class="hljs-tag">::ClassLoader</span><span class="hljs-subst">*</span> class_loader,const mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> <span class="hljs-keyword">referrer</span>,InvokeType <span class="hljs-keyword">type</span>) {DCHECK(dex_cache <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>);<span class="hljs-comment">// Check for hit in the dex cache.</span>mirror<span class="hljs-tag">::ArtMethod</span><span class="hljs-subst">*</span> resolved <span class="hljs-subst">=</span> dex_cache<span class="hljs-subst">-></span>GetResolvedMethod(method_idx);<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-keyword">return</span> resolved;}<span class="hljs-comment">// Fail, get the declaring class.</span>const DexFile<span class="hljs-tag">::MethodId</span><span class="hljs-subst">&</span> method_id <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>GetMethodId(method_idx);mirror<span class="hljs-tag">::Class</span><span class="hljs-subst">*</span> klass <span class="hljs-subst">=</span> ResolveType(dex_file, method_id<span class="hljs-built_in">.</span>class_idx_, dex_cache, class_loader);<span class="hljs-keyword">if</span> (klass <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {DCHECK(<span class="hljs-keyword">Thread</span><span class="hljs-tag">::Current</span>()<span class="hljs-subst">-></span>IsExceptionPending());<span class="hljs-keyword">return</span> <span class="hljs-built_in">NULL</span>;}<span class="hljs-comment">// Scan using method_idx, this saves string compares but will only hit for matching dex</span><span class="hljs-comment">// caches/files.</span>switch (<span class="hljs-keyword">type</span>) {<span class="hljs-keyword">case</span> kDirect: <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kStatic:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(dex_cache, method_idx);break;<span class="hljs-keyword">case</span> kInterface:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(dex_cache, method_idx);DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());break;<span class="hljs-keyword">case</span> kSuper: <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kVirtual:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(dex_cache, method_idx);break;default:<span class="hljs-keyword">LOG</span>(FATAL) <span class="hljs-subst"><<</span> <span class="hljs-string">"Unreachable - invocation type: "</span> <span class="hljs-subst"><<</span> <span class="hljs-keyword">type</span>;}<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-comment">// Search by name, which works across dex files.</span>const char<span class="hljs-subst">*</span> name <span class="hljs-subst">=</span> dex_file<span class="hljs-built_in">.</span>StringDataByIdx(method_id<span class="hljs-built_in">.</span>name_idx_);std<span class="hljs-tag">::string</span> signature(dex_file<span class="hljs-built_in">.</span>CreateMethodSignature(method_id<span class="hljs-built_in">.</span>proto_idx_, <span class="hljs-built_in">NULL</span>));switch (<span class="hljs-keyword">type</span>) {<span class="hljs-keyword">case</span> kDirect: <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kStatic:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindDirectMethod(name, signature);break;<span class="hljs-keyword">case</span> kInterface:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindInterfaceMethod(name, signature);DCHECK(resolved <span class="hljs-subst">==</span> <span class="hljs-built_in">NULL</span> <span class="hljs-subst">||</span> resolved<span class="hljs-subst">-></span>GetDeclaringClass()<span class="hljs-subst">-></span>IsInterface());break;<span class="hljs-keyword">case</span> kSuper: <span class="hljs-comment">// Fall-through.</span><span class="hljs-keyword">case</span> kVirtual:resolved <span class="hljs-subst">=</span> klass<span class="hljs-subst">-></span>FindVirtualMethod(name, signature);break;}}<span class="hljs-keyword">if</span> (resolved <span class="hljs-subst">!=</span> <span class="hljs-built_in">NULL</span>) {<span class="hljs-comment">// Be a good citizen and update the dex cache to speed subsequent calls.</span>dex_cache<span class="hljs-subst">-></span>SetResolvedMethod(method_idx, resolved);<span class="hljs-keyword">return</span> resolved;} <span class="hljs-keyword">else</span> {<span class="hljs-comment">// ...</span>} } </code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li><li>54</li><li>55</li><li>56</li><li>57</li><li>58</li><li>59</li><li>60</li><li>61</li><li>62</li><li>63</li><li>64</li><li>65</li><li>66</li><li>67</li><li>68</li><li>69</li><li>70</li></ul>

其實這里發生了“連鎖反應”，ClassLinker::ResolveType走的流程，跟ResolveMethod是非常類似的，有興趣的朋友可以跟一下。
找到解析后的klass，再經過一輪瘋狂的搜索，把找到的resolved通過DexCache::SetResolvedMethod覆蓋掉之前的“替身”。當再下次再通過ResolveMethod解析方法時，就可以直接把該方法返回，不需要再解析了。

我們回過頭來再重新“復現”一下這個過程，當我們首次調用某個類方法，其過程如下所示：

調用ResolutionMethod的entrypoint，進入art_quick_resolution_trampoline；

art_quick_resolution_trampoline跳轉到artQuickResolutionTrampoline；

artQuickResolutionTrampoline調用ClassLinker::ResolveMethod解析類方法；

ClassLinker::ResolveMethod調用ClassLinkder::ResolveType解析類，再從解析好的類尋找真正的方法；

調用DexCache::SetResolvedMethod，用真正的方法覆蓋掉“替身”方法；

調用真正方法的entrypoint代碼；

也許你會問，為什么要把過程搞得這么繞？ 一切都是為了延遲加載，提高啟動速度，這個過程跟ELF Linker的PLT/GOT符號重定向的過程是何其相似啊，所以技術都是想通的，一通百明。

0x3 Hook ArtMethod

通過上述ArtMethod加載和執行兩個流程的分析，對于如何Hook ArtMethod，我想到了兩個方案，分別

修改DexCach里的methods，把里面的entrypoint修改為自己的，做一個中轉處理；

直接修改加載后的ArtMethod的entrypoint，同樣做一個中轉處理；

上面兩個方法都是可行的，但由于我希望整個項目可以在NDK環境(而不是在源碼下)下編譯，因為就采用了方案2，因為通過JNI的接口就可以直接獲取解析之后的ArtMethod，可以減少很多文件依賴。

回到前面的調用約定，每個ArtMethod都有兩個約定，按道理我們應該準備兩個中轉函數的，但這里我們不考慮強制解析模式執行，所以只要處理好entry_point_from_compiled_code的中轉即可。

首先，我們找到對應的方法，先保存其entrypoint，然后再把我們的中轉函數art_quick_dispatcher覆蓋，代碼如下所示：

<code class="hljs cpp has-numbering"><span class="hljs-keyword">extern</span> <span class="hljs-keyword">int</span> __attribute__ ((visibility (<span class="hljs-string">"hidden"</span>))) art_java_method_hook(JNIEnv* env, HookInfo *info) {<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* classDesc = info->classDesc;<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodName = info->methodName;<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span>* methodSig = info->methodSig;<span class="hljs-keyword">const</span> <span class="hljs-keyword">bool</span> isStaticMethod = info->isStaticMethod;<span class="hljs-comment">// TODO we can find class by special classloader what do just like dvm</span>jclass claxx = env->FindClass(classDesc);<span class="hljs-keyword">if</span>(claxx == NULL){LOGE(<span class="hljs-string">"[-] %s class not found"</span>, classDesc);<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;}jmethodID methid = isStaticMethod ?env->GetStaticMethodID(claxx, methodName, methodSig) :env->GetMethodID(claxx, methodName, methodSig);<span class="hljs-keyword">if</span>(methid == NULL){LOGE(<span class="hljs-string">"[-] %s->%s method not found"</span>, classDesc, methodName);<span class="hljs-keyword">return</span> -<span class="hljs-number">1</span>;}ArtMethod *artmeth = <span class="hljs-keyword">reinterpret_cast</span><ArtMethod *>(methid);<span class="hljs-keyword">if</span>(art_quick_dispatcher != artmeth->GetEntryPointFromCompiledCode()){uint64_t (*entrypoint)(ArtMethod* method, Object *thiz, u4 *arg1, u4 *arg2);entrypoint = (uint64_t (*)(ArtMethod*, Object *, u4 *, u4 *))artmeth->GetEntryPointFromCompiledCode();info->entrypoint = (<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)entrypoint;info->nativecode = artmeth->GetNativeMethod();artmeth->SetEntryPointFromCompiledCode((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)art_quick_dispatcher);<span class="hljs-comment">// save info to nativecode :)</span>artmeth->SetNativeMethod((<span class="hljs-keyword">const</span> <span class="hljs-keyword">void</span> *)info);LOGI(<span class="hljs-string">"[+] %s->%s was hooked\n"</span>, classDesc, methodName);}<span class="hljs-keyword">else</span>{LOGW(<span class="hljs-string">"[*] %s->%s method had been hooked"</span>, classDesc, methodName);}<span class="hljs-keyword">return</span> <span class="hljs-number">0</span>; }</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li></ul>

我們關鍵的信息通過ArtMethod::SetNativeMethod保存起來了。

考慮到ART特殊的調用約定，art_quick_dispatcher只能用匯編實現了，把寄存器適當的調整一下，再跳轉到另一個函數artQuickToDispatcher，這樣就可以很方便用c/c++訪問參數了。

先看一下art_quick_dispatcher函數的實現如下：

<code class="hljs avrasm has-numbering"><span class="hljs-comment">/** Art Quick Dispatcher.* On entry:* r0 = method pointer* r1 = arg1* r2 = arg2* r3 = arg3* [sp] = method pointer* [sp + 4] = addr of thiz* [sp + 8] = addr of arg1* [sp + 12] = addr of arg2* [sp + 16] = addr of arg3* and so on*/</span><span class="hljs-preprocessor">.extern</span> artQuickToDispatcher ENTRY art_quick_dispatcher<span class="hljs-keyword">push</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr} @ sp - <span class="hljs-number">12</span><span class="hljs-keyword">mov</span> <span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r0</span> @ pass <span class="hljs-built_in">r0</span> to methodstr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(12 + 4)]</span>str <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(12 + 8)]</span>str <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(12 + 12)]</span><span class="hljs-keyword">mov</span> <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r9</span> @ pass <span class="hljs-built_in">r1</span> to thread<span class="hljs-keyword">add</span> <span class="hljs-built_in">r2</span>, sp, <span class="hljs-preprocessor">#(12 + 4) @ pass r2 to args array</span><span class="hljs-keyword">add</span> <span class="hljs-built_in">r3</span>, sp, <span class="hljs-preprocessor">#12 @ pass r3 to old SP</span>blx artQuickToDispatcher @ (Method* method, Thread*, u4 **, u4 **)<span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc} @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result END art_quick_dispatcher</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li></ul>

我把r2指向參數數組，這樣就我們就可以非常方便的訪問所有參數了。另外，我用r3保存了舊的sp地址，這樣是為后面調用原來的entrypoint做準備的。我們先看看artQuickToDispatcher的實現：

<code class="hljs coffeescript has-numbering">extern <span class="hljs-string">"C"</span> uint64_t artQuickToDispatcher(ArtMethod* method, Thread *self, u4 **args, u4 **old_sp){HookInfo *info = (HookInfo *)method->GetNativeMethod();LOGI(<span class="hljs-string">"[+] entry ArtHandler %s->%s"</span>, info->classDesc, info->methodName);<span class="hljs-regexp">//</span> If it <span class="hljs-keyword">not</span> <span class="hljs-keyword">is</span> static method, <span class="hljs-keyword">then</span> args[<span class="hljs-number">0</span>] was pointing to <span class="hljs-keyword">this</span><span class="hljs-keyword">if</span>(!info->isStaticMethod){Object *thiz = reinterpret_cast<Object *>(args[<span class="hljs-number">0</span>]);<span class="hljs-keyword">if</span>(thiz != NULL){char *bytes = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(thiz->GetClass()->GetName())</span>;<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"[+] thiz class is %s"</span>, bytes)</span>;<span class="hljs-title">delete</span> <span class="hljs-title">bytes</span>;}}<span class="hljs-title">const</span> <span class="hljs-title">void</span> *<span class="hljs-title">entrypoint</span> = <span class="hljs-title">info</span>-></span>entrypoint;method->SetNativeMethod(info->nativecode); <span class="hljs-regexp">//</span>restore nativecode <span class="hljs-keyword">for</span> JNI methoduint64_t res = art_quick_call_entrypoint(method, self, args, old_sp, entrypoint);JValue* result = (JValue* )&res;<span class="hljs-keyword">if</span>(result != NULL){Object *obj = result->l;char *raw_class_name = get_chars_from_utf16<span class="hljs-function"><span class="hljs-params">(obj->GetClass()->GetName())</span>;<span class="hljs-title">if</span><span class="hljs-params">(strcmp(raw_class_name, <span class="hljs-string">"java.lang.String"</span>) == <span class="hljs-number">0</span>)</span>{<span class="hljs-title">char</span> *<span class="hljs-title">raw_string_value</span> = <span class="hljs-title">get_chars_from_utf16</span><span class="hljs-params">((String *)obj)</span>;<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s, result-value \"%s\""</span>, raw_class_name, raw_string_value)</span>;<span class="hljs-title">free</span><span class="hljs-params">(raw_string_value)</span>;}<span class="hljs-title">else</span>{<span class="hljs-title">LOGI</span><span class="hljs-params">(<span class="hljs-string">"result-class %s"</span>, raw_class_name)</span>;}<span class="hljs-title">free</span><span class="hljs-params">(raw_class_name)</span>;}// <span class="hljs-title">entrypoid</span> <span class="hljs-title">may</span> <span class="hljs-title">be</span> <span class="hljs-title">replaced</span> <span class="hljs-title">by</span> <span class="hljs-title">trampoline</span>, <span class="hljs-title">only</span> <span class="hljs-title">once</span>. // <span class="hljs-title">if</span><span class="hljs-params">(method->IsStatic() && !method->IsConstructor())</span>{<span class="hljs-title">entrypoint</span> = <span class="hljs-title">method</span>-></span>GetEntryPointFromCompiledCode();<span class="hljs-keyword">if</span>(entrypoint != (<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher){LOGW(<span class="hljs-string">"[*] entrypoint was replaced. %s->%s"</span>, info->classDesc, info->methodName);method->SetEntryPointFromCompiledCode((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)art_quick_dispatcher);info->entrypoint = entrypoint;info->nativecode = method->GetNativeMethod();}method->SetNativeMethod((<span class="hljs-reserved">const</span> <span class="hljs-reserved">void</span> *)info);<span class="hljs-regexp">//</span> }<span class="hljs-keyword">return</span> res; } </code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li></ul>

這里參數解析就不詳細說了，接下來是最棘手的問題——如何重新調回原來的entrypoint。

這里的關鍵點是要還原之前的堆棧布局，art_quick_call_entrypoint就是負責完成這個工作的，其實現如下所示：

<code class="hljs avrasm has-numbering"><span class="hljs-comment">/*** Art Quick Call Entrypoint* On entry:* r0 = method pointer* r1 = thread pointer* r2 = args arrays pointer* r3 = old_sp* [sp] = entrypoint*/</span> ENTRY art_quick_call_entrypoint<span class="hljs-keyword">push</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, lr} @ sp - <span class="hljs-number">12</span><span class="hljs-keyword">sub</span> sp, <span class="hljs-preprocessor">#(40 + 20) @ sp - 40 - 20</span>str <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)] @ var_40_0 = method_pointer</span>str <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)] @ var_40_4 = thread_pointer</span>str <span class="hljs-built_in">r2</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)] @ var_40_8 = args_array</span>str <span class="hljs-built_in">r3</span>, [sp, <span class="hljs-preprocessor">#(40 + 12)] @ var_40_12 = old_sp</span><span class="hljs-keyword">mov</span> <span class="hljs-built_in">r0</span>, sp<span class="hljs-keyword">mov</span> <span class="hljs-built_in">r1</span>, <span class="hljs-built_in">r3</span>ldr <span class="hljs-built_in">r2</span>, =<span class="hljs-number">40</span>blx memcpy @ memcpy(dest, src, size_of_byte)ldr <span class="hljs-built_in">r0</span>, [sp, <span class="hljs-preprocessor">#(40 + 0)] @ restore method to r0</span>ldr <span class="hljs-built_in">r1</span>, [sp, <span class="hljs-preprocessor">#(40 + 4)]</span><span class="hljs-keyword">mov</span> <span class="hljs-built_in">r9</span>, <span class="hljs-built_in">r1</span> @ restore thread to <span class="hljs-built_in">r9</span>ldr <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 8)] @ pass r5 to args_array</span>ldr <span class="hljs-built_in">r1</span>, [<span class="hljs-built_in">r5</span>] @ restore arg1ldr <span class="hljs-built_in">r2</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#4] @ restore arg2</span>ldr <span class="hljs-built_in">r3</span>, [<span class="hljs-built_in">r5</span>, <span class="hljs-preprocessor">#8] @ restore arg3</span>ldr <span class="hljs-built_in">r5</span>, [sp, <span class="hljs-preprocessor">#(40 + 20 + 12)] @ pass ip to entrypoint</span>blx <span class="hljs-built_in">r5</span><span class="hljs-keyword">add</span> sp, <span class="hljs-preprocessor">#(40 + 20)</span><span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r4</span>, <span class="hljs-built_in">r5</span>, pc} @ return on success, <span class="hljs-built_in">r0</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">r1</span> hold the result END art_quick_call_entrypoint</code><ul class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li></ul>

這里我偷懶了，直接申請了10個參數的空間，再使用之前傳進入來的old_sp進行恢復，使用memcpy直接復制40字節。之后就是還原r0, r1, r2, r3, r9的值了。調用entrypoint完后，結果保存在r0和r1，再返回給artQuickToDispatcher。

至此，整個ART Hook就分析完畢了。

0x4 4.4與5.X上實現的區別

我的整個方案都是在4.4上測試的，主要是因為我只有4.4的源碼，而且硬盤空間不足，實在裝不下5.x的源碼了。但整個思路，是完全可以套用用5.X上。另外，5.X的實現代碼比4.4上復雜了很多，否能像我這樣在NDK下編譯完成就不知道了。

正常的4.4模擬器是以dalvik啟動的，要到設置里改為art，這里會要求進行重啟，但一般無效，我們手動關閉再重新打開就OK了，但需要等上一段時間才可以。

0x5 結束

雖然這篇文章只是介紹了Art Hook的技術方案，但其中的技術原理，對于如何在ART上進行代碼加固、動態代碼還原等等也是很有啟發性。

老樣子，整個項目的代碼，我已經提交到https://github.com/boyliang/AllHookInOne，大家遇到什么問題，歡迎提問，有問題記得反饋。

對了，請用https://github.com/boyliang/ndk-patch給你的NDK打一下patch。

原文地址：　http://blog.csdn.net/l173864930/article/details/45035521

總結

以上是生活随笔為你收集整理的Android Art Hook 技术方案的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。