coolhome:
思路很简单：通过拦截(hook) open() 来获得 h5.baseband 的控制权。
[阅读: 1093] 2008-07-22 08:53:17
需要hook四个系统函数:
open()
write()
close()
read(),
参考文档:http://wodeveloper.com/omniLists/macosx-dev/2004/November/msg00206.html
代码如下:
#include
#include
#include
//#include
#include
#include
#include
#include
#include <errno.h>
#include <limits.h>
//#include "debugInfo.h"
#define EXPORT __attribute__((visibility("default")))

/* Handle returned by dlopen() in initHandle(); NULL until that runs. */
void *g_handle = NULL;
/* Descriptor of the interposed baseband device; 0 while it is not open. */
int g_h5baseband = 0;

/* Signatures of the four libc entry points this library interposes. */
typedef int     (*type_open)(const char *, int, mode_t);
typedef ssize_t (*type_read)(int, void *, size_t);
typedef ssize_t (*type_write)(int, const void *, size_t);
typedef int     (*type_close)(int);

/* Filled in by overrideFun() via dlsym(RTLD_NEXT); NULL until resolved. */
static type_open  real_open  = NULL;
static type_read  real_read  = NULL;
static type_write real_write = NULL;
static type_close real_close = NULL;
/*
// Initializer.
__attribute__((constructor))
static void initializer(void)
{
printf("[%s] initializer()\n", __FILE__);
FILE *fp1=fopen("/var/root/Library/log2.txt","a");
fclose(fp1);
}
// Finalizer.
__attribute__((destructor))
static void finalizer(void)
{
printf("[%s] finalizer()\n", __FILE__);
}
*/
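/*
 * Format a diagnostic message and print it to stdout as "= <message> ".
 *
 * lpszFormat: printf-style format string; the variadic arguments must
 *             match it, and every %s argument must be NUL-terminated.
 *
 * The original measured the message with vprintf() (which also printed it
 * a first time), reused the consumed va_list, wrote buffer[len-1] and then
 * vsprintf()'d into a 512-byte buffer without any bound, so messages over
 * 511 bytes overran the stack.  vsnprintf() bounds the write and always
 * NUL-terminates; long messages are truncated, and the message is printed
 * once.
 *
 * If the syslog() path is ever re-enabled, pass the text as an argument
 * (syslog(LOG_ERR, "%s", buffer)), never as the format string.
 *
 * NOTE(review): printf() ends in a write() on stdout; if libc's internal
 * call goes through the interposed write() in this file, the log would
 * recurse — confirm on the target before relying on this logging.
 */
void addFile(const char *lpszFormat, ...)
{
    char buffer[512];
    va_list argList;

    if (lpszFormat == NULL) {
        return;
    }
    va_start(argList, lpszFormat);
    int len = vsnprintf(buffer, sizeof buffer, lpszFormat, argList);
    va_end(argList);
    if (len < 0) {
        return; /* encoding error: nothing usable was produced */
    }
    printf("= %s \n", buffer);
}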
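/*
 * Write a NUL-terminated command string to the baseband descriptor through
 * the resolved libc write(), i.e. without passing through the write() hook.
 *
 * Does nothing when the device is not open (g_h5baseband == 0), when
 * real_write has not been resolved yet, or when buffer is NULL or empty.
 * A short write is continued for the remaining bytes; a failed write ends
 * the attempt silently, since the function has no way to report it.
 */
void sendCommand(const char *buffer)
{
    if (g_h5baseband == 0 || real_write == NULL || buffer == NULL) {
        return;
    }
    const char *p = buffer;
    size_t remaining = strlen(buffer);
    while (remaining > 0) {
        ssize_t n = real_write(g_h5baseband, p, remaining);
        if (n <= 0) {
            break; /* error or nothing written: give up rather than spin */
        }
        p += n;
        remaining -= (size_t)n;
    }
}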
/*
 * Open libSystem once and keep the handle in g_handle.
 * Returns 0 on success (also when a handle is already held) and -1 when
 * dlopen() fails, in which case g_handle stays NULL.
 */
int initHandle()
{
    if (g_handle != NULL) {
        return 0; /* already initialised */
    }
    void *handle = dlopen("/usr/lib/libSystem.B.dylib", RTLD_NOW);
    if (handle == NULL) {
        return -1; /* dlerror() would give the reason */
    }
    g_handle = handle;
    return 0;
}
/* Release the handle taken by initHandle(); a no-op when none is held. */
void clodHandle()
{
    if (g_handle == NULL) {
        return;
    }
    dlclose(g_handle);
    g_handle = NULL;
}
/*
 * Resolve the next definition of open/read/write/close after this library
 * (dlsym(RTLD_NEXT)) into the real_* pointers; slots already set are kept.
 * Returns 0 when all four are resolved, -2 when any of them is still NULL.
 */
int overrideFun()
{
    if (real_open == NULL) {
        real_open = (type_open)dlsym(RTLD_NEXT, "open");
    }
    if (real_read == NULL) {
        real_read = (type_read)dlsym(RTLD_NEXT, "read");
    }
    if (real_write == NULL) {
        real_write = (type_write)dlsym(RTLD_NEXT, "write");
    }
    if (real_close == NULL) {
        real_close = (type_close)dlsym(RTLD_NEXT, "close");
    }
    int missing = (real_open == NULL) || (real_read == NULL)
               || (real_write == NULL) || (real_close == NULL);
    return missing ? -2 : 0;
}
//EXPORT
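/*
 * Interposed open(2).
 *
 * Every open() in the process arrives here.  The real libc entry points
 * are resolved lazily, the call is forwarded to the real open(), and when
 * the path is the baseband device the descriptor is remembered in
 * g_h5baseband so the read()/write()/close() hooks can recognise it.
 *
 * Returns what the real open() returns, or -1 with errno = ENOSYS when the
 * real entry points cannot be resolved.
 *
 * The original ran system("/bin/cp -R ... iTunesDB ... iTunesDB.back")
 * here, on every open().  That is removed: a hook inside a libc entry
 * point must not spawn processes.  It ran in every program that loaded
 * the library, the shell and cp it started call open() themselves (and,
 * if the library is loaded into child processes too, spawn again), and
 * system() is not reentrant.  A one-off backup belongs outside the hook.
 *
 * NOTE: the real open(2) is variadic (int open(const char *, int, ...));
 * this fixed-arity definition relies on the ABI passing the third argument
 * the same way, as the original did.  mode is only meaningful when flags
 * contains O_CREAT.
 */
int open(const char *buffer, int flags, mode_t mode)
{
    if (overrideFun() != 0) {
        /* initialisation failed: no real open() to forward to */
        addFile("overrideFun error!\n");
        errno = ENOSYS;
        return -1;
    }
    if (buffer == NULL) {
        /* strcmp()/%s on NULL is undefined; let the real open() reject it */
        return real_open(buffer, flags, mode);
    }
    addFile("open dev:%s\n", buffer);
    int fd = real_open(buffer, flags, mode);
    /* Only a successful open of the baseband device is remembered; the
     * original stored -1 on failure and the other hooks then compared
     * against it. */
    if (fd >= 0 && strcmp("/dev/h5.baseband", buffer) == 0) {
        g_h5baseband = fd;
    }
    return fd;
}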
//EXPORT
ssize_t read(int fd, void*buffer, size_t count)
{
addFile("read dev:%s\n",(char*)buffer);
return real_read(fd,buffer,count);
}
//EXPORT
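/* True when the first len bytes of data begin with the NUL-terminated prefix. */
static int has_prefix(const void *data, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    return len >= plen && memcmp(data, prefix, plen) == 0;
}

/*
 * Interposed write(2).
 *
 * When the write targets the baseband descriptor and the data begins with
 * "cgdcont=1," or "xgauth=1,1,", the corresponding fixed AT command is
 * sent to the device first via sendCommand(); the caller's data is then
 * written unchanged in every case (as in the original: the injected
 * command precedes, it does not replace, the caller's write).
 *
 * Fixes over the original: the prefix tests used strncmp() on a buffer
 * that need not be NUL-terminated and may be shorter than the prefix
 * (over-read); the log printed it with an unbounded %s; and the command
 * buffer was a local named `buffer` shadowing the parameter.  Both the
 * prefix tests and the log are now bounded by count, and the local is
 * renamed.
 *
 * Returns what the real write() returns, or -1 with errno = ENOSYS when
 * the real entry point cannot be resolved.
 */
ssize_t write(int fd, const void *buffer, size_t count)
{
    if (real_write == NULL && overrideFun() != 0) {
        errno = ENOSYS;
        return -1;
    }
    if (buffer != NULL && count > 0) {
        /* %.*s takes an int precision; clamp so a huge count cannot wrap it */
        int shown = count > (size_t)INT_MAX ? INT_MAX : (int)count;
        addFile("write dev:%.*s\n", shown, (const char *)buffer);
    }
    if (fd == g_h5baseband && buffer != NULL) {
        char cmd[512];
        if (has_prefix(buffer, count, "cgdcont=1,")) {
            /* APN fixed to "cmwap"; the original notes it may need to be cmnet */
            snprintf(cmd, sizeof cmd, "at+cgdcont=1,\"IP\",\"%s\"\r", "cmwap");
            sendCommand(cmd);
        }
        if (has_prefix(buffer, count, "xgauth=1,1,")) {
            snprintf(cmd, sizeof cmd, "at+xgauth=1,1,\"%s\",\"%s\"\r", "", "");
            sendCommand(cmd);
        }
    }
    return real_write(fd, buffer, count);
}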
//EXPORT
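/*
 * Interposed close(2): forgets the baseband descriptor when that is the one
 * being closed, then forwards to the real close().
 *
 * Returns what the real close() returns, or -1 with errno = ENOSYS when
 * the real entry point cannot be resolved (the original would have called
 * a NULL real_close if close() ran before any open()).
 */
int close(int fd)
{
    if (real_close == NULL && overrideFun() != 0) {
        errno = ENOSYS;
        return -1;
    }
    addFile("close dev\n");
    if (fd == g_h5baseband) {
        /* the number can be reused by an unrelated open() after this */
        g_h5baseband = 0;
    }
    return real_close(fd);
}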
Makefile 文件如下:
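OBJS=gsmhook.o
CC=arm-apple-darwin-gcc
LD=$(CC)
CFLAGS=-fsigned-char -DEMBEDDED -DNO_CGI
# -fvisibility is a compile-time option; listed here it only reaches the link
# step.  The original ended this list with a trailing backslash, which made
# make fold the "%.o:%.c" rule below into LDFLAGS.
LDFLAGS = -undefined define_a_way \
	-dynamiclib \
	-lobjc \
	-fvisibility=hidden \
	-framework CoreFoundation \
	-framework Foundation \
	-flat_namespace \
	-fno-common

# Recipe lines must begin with a tab; the listing as posted has none.
%.o: %.c
	$(CC) $(CFLAGS) -c $< -o $@

%.o: %.m
	$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o $@

libgsmhook.dylib: $(OBJS)
	$(LD) $(LDFLAGS) -o $@ $^

.PHONY: clean
clean:
	rm -rf $(OBJS) libgsmhook.dylib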