SeeFlowerX · December 28, 2022 07:06
diff --git a/hook_snprintf_with_filter.js b/hook_snprintf_with_filter.js
 // 有时候想hook一下libc中的函数，但是调用太多分不出来，我们可以使用lr来判断，通过下面的typescript脚本实现了对来自特定so特定偏移的调用
 function hook_snprintf(){
    let libc = Process.getModuleByName("libc.so");
    let libdemo = Process.getModuleByName("libdemo.so");
    let symbol = "snprintf";
    let symbol_addr = libc.getExportByName(symbol);
    log(`[${symbol}_addr] ${symbol_addr}`);
    Interceptor.attach(symbol_addr, {
        onEnter: function(args){
            this.result = args[0];
            let ctx = this.context as Arm64CpuContext;
            let [need_log, prefix_log] = hook_filter(ctx, libdemo, 0xC6AC);
            this.need_log = need_log;
            this.prefix_log = prefix_log;
        }, onLeave: function(retval){
            if (this.need_log){
                let text = this.result.readCString();
                log(`[${symbol}] ${this.prefix_log}${text}`);
            }
        }
    })
 }

 function hook_filter(ctx: Arm64CpuContext, lib_module: Module, offset: number): [boolean, string]{
    let need_log = false;
    let prefix_log = "";
    let lr = ctx.lr;
    let base_addr = lib_module.base;
    let end_addr = base_addr.add(lib_module.size);
    if (lr.compare(base_addr) > 0 && lr.compare(end_addr) < 0){
        let back_offset = lr.sub(base_addr);
        if (offset == 0){
            need_log = true;
        } else if (back_offset.equals(offset)) {
            need_log = true;
        }
        if (need_log) {
            prefix_log = `[${lib_module.name}!0x${back_offset.toString(16)}] `;
        }
    }
    return [need_log, prefix_log];
 }

 // 直接获取 lr 的信息
 export function get_lr_info(ctx: Arm64CpuContext) {
    let mm = new ModuleMap();
    let lr_info = mm.find(ctx.lr);
    if (lr_info == null) return "";
    return ` ${lr_info.name}!${ctx.lr.sub(lr_info.base)}`;
 }
	// 有时候想hook一下libc中的函数，但是调用太多分不出来，我们可以使用lr来判断，通过下面的typescript脚本实现了对来自特定so特定偏移的调用
	function hook_snprintf(){
	let libc = Process.getModuleByName("libc.so");
	let libdemo = Process.getModuleByName("libdemo.so");
	let symbol = "snprintf";
	let symbol_addr = libc.getExportByName(symbol);
	log(`[${symbol}_addr] ${symbol_addr}`);
	Interceptor.attach(symbol_addr, {
	onEnter: function(args){
	this.result = args[0];
	let ctx = this.context as Arm64CpuContext;
	let [need_log, prefix_log] = hook_filter(ctx, libdemo, 0xC6AC);
	this.need_log = need_log;
	this.prefix_log = prefix_log;
	}, onLeave: function(retval){
	if (this.need_log){
	let text = this.result.readCString();
	log(`[${symbol}] ${this.prefix_log}${text}`);
	}
	}
	})
	}

	function hook_filter(ctx: Arm64CpuContext, lib_module: Module, offset: number): [boolean, string]{
	let need_log = false;
	let prefix_log = "";
	let lr = ctx.lr;
	let base_addr = lib_module.base;
	let end_addr = base_addr.add(lib_module.size);
	if (lr.compare(base_addr) > 0 && lr.compare(end_addr) < 0){
	let back_offset = lr.sub(base_addr);
	if (offset == 0){
	need_log = true;
	} else if (back_offset.equals(offset)) {
	need_log = true;
	}
	if (need_log) {
	prefix_log = `[${lib_module.name}!0x${back_offset.toString(16)}] `;
	}
	}
	return [need_log, prefix_log];
	}

	// 直接获取 lr 的信息
	export function get_lr_info(ctx: Arm64CpuContext) {
	let mm = new ModuleMap();
	let lr_info = mm.find(ctx.lr);
	if (lr_info == null) return "";
	return ` ${lr_info.name}!${ctx.lr.sub(lr_info.base)}`;
	}