ShadowHook Version
2.0.0
Android OS Version
12
Android ABIs
armeabi-v7a
Device Manufacturers and Models
xiaomi MIUI 13
Describe the Bug
按照demo中的代码,对系统函数binder.getCallingUid进行hook,代码如下:
typedef jint (*android_runtime_func_getCallingUid)(void *);
// Proxy function
jint android_runtime_func_getCallingUid_proxy(void *thiz) {
// do something
jint oriUid = ((android_runtime_func_getCallingUid)orig)(thiz);
// do something
jint retUid = 10001;
LOGE("hook getCallingUid Success,ori = %d,ret =%d",oriUid,retUid);
return retUid;
}
void do_hook() {
stub = shadowhook_hook_sym_name(
"libbinder.so",
"_ZNK7android14IPCThreadState13getCallingUidEv",
(void *)android_runtime_func_getCallingUid_proxy,
(void **)&orig);
if(stub == NULL)
{
int err_num = shadowhook_get_errno();
const char *err_msg = shadowhook_to_errmsg(err_num);
LOGE("hook error %d - %s", err_num, err_msg);
}
else
{
LOGE("hook success");
}
}
hook成功后,仅接着调用Binder.getCallingUid执行了代理函数,后面再调Binder.getCallingUid就没有进入代理函数了。
ShadowHook Version
2.0.0
Android OS Version
12
Android ABIs
armeabi-v7a
Device Manufacturers and Models
xiaomi MIUI 13
Describe the Bug
按照demo中的代码,对系统函数binder.getCallingUid进行hook,代码如下:
typedef jint (*android_runtime_func_getCallingUid)(void *);
// Proxy function
jint android_runtime_func_getCallingUid_proxy(void *thiz) {
// do something
jint oriUid = ((android_runtime_func_getCallingUid)orig)(thiz);
// do something
jint retUid = 10001;
LOGE("hook getCallingUid Success,ori = %d,ret =%d",oriUid,retUid);
return retUid;
}
void do_hook() {
stub = shadowhook_hook_sym_name(
"libbinder.so",
"_ZNK7android14IPCThreadState13getCallingUidEv",
(void *)android_runtime_func_getCallingUid_proxy,
(void **)&orig);
}
hook成功后,仅接着调用Binder.getCallingUid执行了代理函数,后面再调Binder.getCallingUid就没有进入代理函数了。