
Hooks in iOS (work in progress)

2017-06-24 00:00
A diagram helps to explain the concept of a hook.



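Simply put, a hook is a technique for changing a program's control flow or the way its code executes.
Hooks are also fairly common in iOS development. For example, the Objective-C runtime can be used to dynamically change the address of a method's implementation.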

Example: replacing UIImage's imageNamed: method

UIImage(Swizzle)

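#import <objc/runtime.h>
#import <UIKit/UIKit.h>

@implementation UIImage (Swizzle)

// To avoid concurrency problems, perform the exchange in +load
+ (void)load {
    Method original = class_getClassMethod(self, @selector(imageNamed:));
    Method swizzled = class_getClassMethod(self, @selector(imageWithName:));
    method_exchangeImplementations(original, swizzled);
}

+ (UIImage *)imageWithName:(NSString *)name {
    // The logic you want to add goes here.
    // After the exchange, this selector runs the original imageNamed: implementation.
    UIImage *image = [self imageWithName:name];
    return image;
}

@end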

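Another example is the fishhook framework released by Facebook, which relies on the way Mach-O binaries are loaded and rewrites the pointers in the lazy and non-lazy symbol pointer tables.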

Analyzing the example demo

#import <dlfcn.h>
#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#import "fishhook.h"

static int (*orig_close)(int);
static int (*orig_open)(const char *, int, ...);

int my_close(int fd) {
    printf("Calling real close(%d)\n", fd);
    return orig_close(fd);
}

int my_open(const char *path, int oflag, ...) {
    va_list ap = {0};
    mode_t mode = 0;

    if ((oflag & O_CREAT) != 0) {
        // mode only applies to O_CREAT
        va_start(ap, oflag);
        mode = va_arg(ap, int);
        va_end(ap);
        printf("Calling real open('%s', %d, %d)\n", path, oflag, mode);
        return orig_open(path, oflag, mode);
    } else {
        printf("Calling real open('%s', %d)\n", path, oflag);
        return orig_open(path, oflag, mode);
    }
}

int main(int argc, char * argv[])
{
    @autoreleasepool {
        // Rebind close => my_close and open => my_open
        rebind_symbols((struct rebinding[2]){{"close", my_close, (void *)&orig_close}, {"open", my_open, (void *)&orig_open}}, 2);

        // Open our own binary and print out first 4 bytes (which is the same
        // for all Mach-O binaries on a given architecture)
        int fd = open(argv[0], O_RDONLY);
        uint32_t magic_number = 0;
        read(fd, &magic_number, 4);
        printf("Mach-O Magic Number: %x \n", magic_number);
        close(fd);

        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}
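
To make the pointer-table rebinding used by the demo concrete, here is a portable C model, added as an illustration and not taken from fishhook or the original post. The table, the real_* stand-ins, call_import, rebind, snapshot and count_rebound are all constructed names; the model also shows the defender's side, spotting a rebound slot by comparing the table with a baseline taken at startup.

```c
#include <stdio.h>
#include <string.h>
typedef int (*fn_t)(int);
struct slot { const char *name; fn_t ptr; };   /* one symbol-pointer entry */

/* Constructed stand-ins for the real library functions behind the imports. */
static int real_close(int fd) { return fd >= 0 ? 0 : -1; }
static int real_dup(int fd)   { return fd + 1; }

/* Constructed model of an image's symbol pointer table. */
static struct slot table[] = { {"close", real_close}, {"dup", real_dup} };
enum { NSLOTS = sizeof table / sizeof table[0] };

/* Call sites reach an import only through its slot, never directly. */
static int call_import(const char *name, int arg) {
    for (int i = 0; i < NSLOTS; i++)
        if (strcmp(table[i].name, name) == 0) return table[i].ptr(arg);
    return -2;                                  /* unknown import */
}

/* Rebinding: save the old pointer for the caller, then overwrite the slot. */
static int rebind(const char *name, fn_t replacement, fn_t *orig) {
    for (int i = 0; i < NSLOTS; i++)
        if (strcmp(table[i].name, name) == 0) {
            *orig = table[i].ptr;
            table[i].ptr = replacement;
            return 0;
        }
    return -1;                                  /* no such import in this table */
}

static fn_t orig_close;
static int hook_calls;
static int my_close(int fd) { hook_calls++; return orig_close(fd); }

/* Integrity check: count slots that differ from a baseline taken at startup. */
static void snapshot(fn_t *out) { for (int i = 0; i < NSLOTS; i++) out[i] = table[i].ptr; }
static int count_rebound(const fn_t *base) {
    int n = 0;
    for (int i = 0; i < NSLOTS; i++) n += (table[i].ptr != base[i]);
    return n;
}

int main(void) {
    fn_t base[NSLOTS];
    snapshot(base);
    rebind("close", my_close, &orig_close);
    int rc = call_import("close", 3);
    printf("close=%d hooked_calls=%d rebound=%d\n", rc, hook_calls, count_rebound(base));
}
```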

There is also Substrate, which is used in jailbreak development.