example.js
// File name of the GumTrace library; loadGumTrace() opens it from /data/local/tmp/.
const traceSoName = 'libGumTrace.so';

// Name of the module that is traced and that the example hook attaches to.
const targetSo = 'libtarget.so';

// Bindings for GumTrace's native exports. They stay null until
// loadGumTrace() has resolved them.
let gumtrace_init = null;
let gumtrace_run = null;
let gumtrace_unrun = null;
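/**
 * Load the GumTrace shared library into the current process and bind its
 * `init`, `run` and `unrun` exports to the module-level `gumtrace_init`,
 * `gumtrace_run` and `gumtrace_unrun` variables.
 *
 * The call is idempotent: once all three bindings are set, later calls
 * return immediately instead of calling dlopen() again.
 *
 * @throws {Error} If dlopen() returns a null handle or one of the three
 *   exports cannot be resolved. In that case none of the bindings is changed.
 */
function loadGumTrace() {
  // startTrace() calls this on every hooked invocation; without this guard
  // each call would dlopen() the library again and rebuild the wrappers.
  if (gumtrace_init !== null && gumtrace_run !== null && gumtrace_unrun !== null) {
    return;
  }

  const dlopen = new NativeFunction(Module.findGlobalExportByName('dlopen'), 'pointer', ['pointer', 'int']);
  const dlsym = new NativeFunction(Module.findGlobalExportByName('dlsym'), 'pointer', ['pointer', 'pointer']);

  // NOTE(review): the library is loaded by path with no integrity check.
  // /data/local/tmp is typically writable by the adb shell user, so whoever
  // can write there decides what code runs inside the traced process. Keep
  // this to a dedicated test device, or verify the file before loading it.
  const libraryPath = `/data/local/tmp/${traceSoName}`;

  // Flag 2 is presumably RTLD_NOW; confirm against the target ABI's dlfcn.h.
  const soHandle = dlopen(Memory.allocUtf8String(libraryPath), 2);
  console.log('GumTrace loaded:', soHandle);

  // A null handle must not reach dlsym(): where null means RTLD_DEFAULT,
  // generic names such as "init" or "run" could resolve to an unrelated
  // symbol in the process, which would then be called with GumTrace's
  // argument layout.
  if (soHandle.isNull()) {
    throw new Error(`dlopen() failed for ${libraryPath}`);
  }

  const resolveExport = (symbol) => {
    const address = dlsym(soHandle, Memory.allocUtf8String(symbol));
    if (address.isNull()) {
      throw new Error(`GumTrace export not found: ${symbol}`);
    }
    return address;
  };

  const initFn = new NativeFunction(resolveExport('init'), 'void', ['pointer', 'pointer', 'int', 'int']);
  const runFn = new NativeFunction(resolveExport('run'), 'void', []);
  const unrunFn = new NativeFunction(resolveExport('unrun'), 'void', []);

  // Publish the bindings only after all three resolved, so a failed load
  // never leaves a half-initialised set behind.
  gumtrace_init = initFn;
  gumtrace_run = runFn;
  gumtrace_unrun = unrunFn;
}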
/**
 * Load GumTrace, configure it for the target module and start tracing.
 *
 * Passes four arguments to GumTrace's `init` export: the module name, the
 * output file path, a thread id and an options value, then calls `run`.
 */
function startTrace() {
  loadGumTrace();

  // NOTE(review): both buffers are referenced only by these locals. If init()
  // keeps the pointers instead of copying the strings, the memory may be
  // released once the handles are garbage-collected. Confirm against
  // GumTrace's init() implementation.
  const modulesArg = Memory.allocUtf8String(targetSo);
  const logPathArg = Memory.allocUtf8String('/data/data/com.example.app/trace.log');

  const currentThread = 0; // 0 = current thread
  const traceOptions = 0; // 1 = DEBUG mode

  gumtrace_init(modulesArg, logPathArg, currentThread, traceOptions);
  gumtrace_run();
}
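/**
 * Stop tracing by calling GumTrace's `unrun` export.
 *
 * Does nothing when the export has not been bound yet (loadGumTrace() was
 * never called or failed), instead of failing with a TypeError on the null
 * binding.
 */
function stopTrace() {
  if (gumtrace_unrun === null) {
    return;
  }
  gumtrace_unrun();
}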
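// Example: hook the target function and trace only while it is executing.
const targetModule = Process.findModuleByName(targetSo);

// findModuleByName() returns null when the module is not loaded; fail with a
// clear message instead of a TypeError on `targetModule.base`.
if (targetModule === null) {
  throw new Error(`${targetSo} is not loaded in this process; cannot attach the trace hook`);
}

// 0x1234 is presumably a placeholder offset for the example; replace it with
// the real offset of the function to trace inside the target module.
// NOTE(review): if the hooked function is re-entered (recursion, or several
// threads at once), startTrace() runs again while a trace is active and the
// inner onLeave stops it early. Confirm how GumTrace handles repeated
// init/run calls.
Interceptor.attach(targetModule.base.add(0x1234), {
  onEnter() {
    startTrace();
    // Set only after startTrace() returned, so onLeave never calls
    // stopTrace() for a trace that failed to start.
    this.tracing = true;
  },
  onLeave() {
    if (this.tracing) {
      stopTrace();
    }
  },
});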