Hooking a function by its address

  • Known: the function's address, as an offset inside the binary
  • Want: hook (intercept) that function
  • Worked example
    • In akd, the in-binary offset of the function ___lldb_unnamed_symbol2575$$akd is 0xa0460
      • Idea: the disassembler shows the function at 0x1000a0460, i.e. relative to the arm64 Mach-O preferred base 0x100000000, so the offset is 0x1000a0460 - 0x100000000 = 0xa0460. At runtime the module is loaded at an ASLR-slid base, so compute the real address as module base + offset and hook that
      • Core code:
        console.log("dynamicDebug/frida/scripts/fridaStalker_akdSymbol2575.js");
        // Address as shown by the disassembler (arm64 Mach-O preferred base 0x100000000):
        // var akdSymbol2575_functionAddress = 0x1000a0460;
        // Offset inside the binary = 0x1000a0460 - 0x100000000:
        var akdSymbol2575_functionAddress = 0xa0460;
        // arm64 akd: ___lldb_unnamed_symbol2575$$akd
        const moduleName = "akd";
        // Base address after the ASLR slide; null if the module is not loaded (yet)
        const moduleBaseAddress = Module.findBaseAddress(moduleName);
        console.log("moduleName=", moduleName, "moduleBaseAddress=", moduleBaseAddress);
        if (moduleBaseAddress === null) {
            throw new Error("module " + moduleName + " is not loaded");
        }
        // Real (slid) address of the function = base + offset
        const functionRealAddress = moduleBaseAddress.add(akdSymbol2575_functionAddress);
        console.log("functionRealAddress=", functionRealAddress);
        Interceptor.attach(functionRealAddress, {
            onEnter: function(args) {
                var arg0 = args[0];
                var arg1 = args[1];
                var arg2 = args[2];
                console.log("arg0=" + arg0 + ", arg1=" + arg1 + ", arg2=" + arg2);
                var curTid = Process.getCurrentThreadId();
                console.log("curTid=", curTid);
                // ... (remainder of the handler omitted in the original)
            }
        });
        
      • Output
          dynamicDebug/frida/scripts/fridaStalker_akdSymbol2575.js
          moduleName= akd moduleBaseAddress= 0x102b40000
          functionRealAddress= 0x102be0460
          arg0=0xfffffffffffffffe, arg1=0x16d346838, arg2=0x16d346838
          curTid= 35847
          ...

      • Full code and output: see
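The procedure above generalized into a reusable helper, as an added example that is not part of the original page or its script. It separates the address arithmetic (disassembler address to offset, offset to slid address, bounds check against the module size) from the Frida calls, so the arithmetic can be checked outside Frida; the Frida part only runs when the `Process`/`Interceptor` globals exist. The module name "akd", the offset 0xa0460, the base 0x102b40000 and the module size used below are taken from this page or are assumed for illustration.

```javascript
// Added example (not the page's original script): hook a function by in-binary offset with Frida.
// Pure-JS arithmetic is kept in separate functions so it can be verified outside the Frida runtime.

// arm64 Mach-O main executables are linked at this preferred base; disassemblers and lldb
// show addresses relative to it (e.g. 0x1000a0460 on this page).
const MACHO_ARM64_PREFERRED_BASE = 0x100000000n;

// Convert an address copied from a disassembler into an offset inside the module.
function disasmAddrToOffset(disasmAddr, preferredBase = MACHO_ARM64_PREFERRED_BASE) {
  const off = BigInt(disasmAddr) - BigInt(preferredBase);
  if (off < 0n) throw new Error("address " + hex(disasmAddr) + " is below the preferred base");
  return off;
}

// base + offset, refusing offsets that fall outside the mapped module (a wrong offset
// would otherwise hook an unrelated address and crash the target).
function rebase(moduleBase, offset, moduleSize) {
  const base = BigInt(moduleBase);
  const off = BigInt(offset);
  const size = BigInt(moduleSize);
  if (off >= size) {
    throw new Error("offset " + hex(off) + " is outside the module (size " + hex(size) + ")");
  }
  return base + off;
}

function hex(n) { return "0x" + BigInt(n).toString(16); }

// Frida part: resolve the module, check it is loaded, rebase the offset and attach.
// Returns the resolved address as a hex string.
function hookByOffset(moduleName, offset, handler) {
  if (typeof Process === "undefined" || typeof Interceptor === "undefined") {
    throw new Error("hookByOffset must run inside Frida (e.g. frida -U -f <app> -l script.js)");
  }
  const m = Process.findModuleByName(moduleName); // null if not loaded (yet)
  if (m === null) throw new Error("module " + moduleName + " is not loaded");
  const target = rebase(m.base.toString(), offset, m.size);
  Interceptor.attach(ptr(hex(target)), handler);
  return hex(target);
}

// Usage inside Frida (guarded so the file also loads under plain Node for checking the arithmetic).
if (typeof Process !== "undefined" && typeof Interceptor !== "undefined") {
  // Offset taken from this page; the disassembler address 0x1000a0460 converts to the same value.
  const offset = disasmAddrToOffset(0x1000a0460); // 0xa0460n
  const where = hookByOffset("akd", offset, {
    onEnter(args) {
      console.log("arg0=" + args[0] + ", arg1=" + args[1] + ", arg2=" + args[2] +
                  " tid=" + Process.getCurrentThreadId());
    },
    onLeave(retval) {
      console.log("retval=" + retval);
    }
  });
  console.log("hooked akd+" + hex(offset) + " at " + where);
}
```

If the module is a dylib that the process has not loaded yet, `Process.findModuleByName` returns null; either attach later (for example from a hook on `dlopen`) or resolve lazily. Before trusting a hook on a stripped symbol, it is also worth confirming that the resolved address is where you expect, for instance by checking that `Process.findModuleByAddress(ptr(where)).name` is the intended module and by disassembling the first instruction at that address.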
