fishhook 用于替換 iOS 程序中動(dòng)態(tài)庫(kù)的符號(hào)，常被用來(lái) hook 系統(tǒng)中的 C 函數(shù)。

fishhook 的實(shí)現(xiàn)得益于 iOS 的動(dòng)態(tài)鏈接機(jī)制，相關(guān)信息可以參考：iOS 系統(tǒng)的延遲綁定機(jī)制，而在此之前，你還需要了解 Mach-O 文件，詳情可參考這篇文章：Mach-O 文件探索。

對(duì)于程序引用的動(dòng)態(tài)庫(kù)中的函數(shù)，鏈接器會(huì)將它的地址放在 __la_symbol_ptr 中，而對(duì)于動(dòng)態(tài)庫(kù)的全局?jǐn)?shù)據(jù)，則是放在 __nl_symbol_ptr 中，所以整個(gè) fishhook 的核心工作就是替換 __la_symbol_ptr 以及 __nl_symbol_ptr 的內(nèi)容。

下面是一段官方示例代碼，它告訴我們?nèi)绾斡谜_的姿勢(shì)來(lái)使用 fishhook：

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#import "fishhook.h"

static int (*orig_close)(int);
static int (*orig_open)(const char *, int, ...);

int my_close(int fd) {
    printf("Calling real close(%d)\n", fd);
    return orig_close(fd);
}

int my_open(const char *path, int oflag, ...) {
    va_list ap = {0};
    mode_t mode = 0;
    
    if ((oflag & O_CREAT) != 0) {
        // mode only applies to O_CREAT
        va_start(ap, oflag);
        mode = va_arg(ap, int);
        va_end(ap);
        printf("Calling real open('%s', %d, %d)\n", path, oflag, mode);
        return orig_open(path, oflag, mode);
    } else {
        printf("Calling real open('%s', %d)\n", path, oflag);
        return orig_open(path, oflag, mode);
    }
}

int main(int argc, char * argv[]) {
    @autoreleasepool {
        rebind_symbols((struct rebinding[2]){{"close", my_close, (void *)&orig_close}, {"open", my_open, (void *)&orig_open}}, 2);
        
        // Open our own binary and print out first 4 bytes (which is the same
        // for all Mach-O binaries on a given architecture)
        int fd = open(argv[0], O_RDONLY);
        uint32_t magic_number = 0;
        read(fd, &magic_number, 4);
        printf("Mach-O Magic Number: %x \n", magic_number);
        close(fd);
        
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

上述代碼的作用就是將系統(tǒng)的 open 函數(shù)以及 close 函數(shù)替換成我們自己的實(shí)現(xiàn)，整個(gè)過(guò)程由 rebind_symbols 函數(shù)完成。

int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel) {
  int retval = prepend_rebindings(&_rebindings_head, rebindings, rebindings_nel);
  if (retval < 0) {
    return retval;
  }
  // If this was the first call, register callback for image additions (which is also invoked for
  // existing images, otherwise, just run on existing images
  if (!_rebindings_head->next) {
    _dyld_register_func_for_add_image(_rebind_symbols_for_image);
  } else {
    uint32_t c = _dyld_image_count();
    for (uint32_t i = 0; i < c; i++) {
      _rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
    }
  }
  return retval;
}

rebind_symbols 函數(shù)的處理流程如下：

1. 使用 prepend_rebindings 函數(shù)來(lái)處理我們傳入的綁定信息，fishhook 會(huì)將它們組織成一個(gè)鏈表，并用 _rebindings_head 指向鏈表的頭部，接下來(lái)會(huì)判斷用戶是否是第一次進(jìn)行符號(hào)替換。

2. 如果是第一次替換符號(hào)，則調(diào)用 _dyld_register_func_for_add_image 注冊(cè)回調(diào)函數(shù) _rebind_symbols_for_image，之后程序每次加載動(dòng)態(tài)庫(kù)時(shí)都會(huì)去調(diào)用 _rebind_symbols_for_image。當(dāng)注冊(cè)成功時(shí)，對(duì)于那些已經(jīng)加載的動(dòng)態(tài)庫(kù)也會(huì)觸發(fā)回調(diào)，所以不用擔(dān)心注冊(cè)的時(shí)機(jī)。

3. 如果不是第一次替換符號(hào)，那么就遍歷程序已經(jīng)加載的動(dòng)態(tài)庫(kù)，對(duì)其調(diào)用 _rebind_symbols_for_image 函數(shù)。

_rebind_symbols_for_image 函數(shù)如下，它實(shí)際上是調(diào)用 rebind_symbols_for_image ：

static void _rebind_symbols_for_image(const struct mach_header *header,
                                      intptr_t slide) {
    rebind_symbols_for_image(_rebindings_head, header, slide);
}

rebind_symbols_for_image 的代碼：

static void rebind_symbols_for_image(struct rebindings_entry *rebindings,
                                     const struct mach_header *header,
                                     intptr_t slide) {
  Dl_info info;
  if (dladdr(header, &info) == 0) {
    return;
  }

  segment_command_t *cur_seg_cmd;
  segment_command_t *linkedit_segment = NULL;
  struct symtab_command* symtab_cmd = NULL;
  struct dysymtab_command* dysymtab_cmd = NULL;

  uintptr_t cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_LINKEDIT) == 0) {
        linkedit_segment = cur_seg_cmd;
      }
    } else if (cur_seg_cmd->cmd == LC_SYMTAB) {
      symtab_cmd = (struct symtab_command*)cur_seg_cmd;
    } else if (cur_seg_cmd->cmd == LC_DYSYMTAB) {
      dysymtab_cmd = (struct dysymtab_command*)cur_seg_cmd;
    }
  }

  if (!symtab_cmd || !dysymtab_cmd || !linkedit_segment ||
      !dysymtab_cmd->nindirectsyms) {
    return;
  }

  // Find base symbol/string table addresses
  uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
  nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);
  char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);

  // Get indirect symbol table (array of uint32_t indices into symbol table)
  uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);

  cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_DATA) != 0 &&
          strcmp(cur_seg_cmd->segname, SEG_DATA_CONST) != 0) {
        continue;
      }
      for (uint j = 0; j < cur_seg_cmd->nsects; j++) {
        section_t *sect =
          (section_t *)(cur + sizeof(segment_command_t)) + j;
        if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
        if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
      }
    }
  }
}

rebind_symbols_for_image 函數(shù)看上去有點(diǎn)長(zhǎng)，但是如果你靜下心來(lái)觀察的話，發(fā)現(xiàn)它還是沒(méi)有超過(guò)80行。。。。。。不過(guò)不要緊，我們慢慢往下看。

函數(shù)中經(jīng)常出現(xiàn)的變量類型如 mach_header、segment_command、symtab_command 等都可以在系統(tǒng)的 loader.h 文件中找到相應(yīng)的定義，所以這里不做過(guò)多的解釋，想要了解更多的話請(qǐng)參考：Mach-O 文件探索。

rebind_symbols_for_image 首先會(huì)在程序的 load commands 中尋找符號(hào)表、動(dòng)態(tài)符號(hào)表以及 LINKEDIT 段所對(duì)應(yīng)的加載命令，它們包含程序動(dòng)態(tài)鏈接過(guò)程的關(guān)鍵信息：

Dl_info info;
  if (dladdr(header, &info) == 0) {
    return;
  }

  segment_command_t *cur_seg_cmd;
  segment_command_t *linkedit_segment = NULL;
  struct symtab_command* symtab_cmd = NULL;
  struct dysymtab_command* dysymtab_cmd = NULL;

  uintptr_t cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_LINKEDIT) == 0) {
        linkedit_segment = cur_seg_cmd;
      }
    } else if (cur_seg_cmd->cmd == LC_SYMTAB) {
      symtab_cmd = (struct symtab_command*)cur_seg_cmd;
    } else if (cur_seg_cmd->cmd == LC_DYSYMTAB) {
      dysymtab_cmd = (struct dysymtab_command*)cur_seg_cmd;
    }
  }

  if (!symtab_cmd || !dysymtab_cmd || !linkedit_segment ||
      !dysymtab_cmd->nindirectsyms) {
    return;
  }

在確認(rèn)上述信息齊全之后，會(huì)去計(jì)算它們的虛擬地址：

  // Find base symbol/string table addresses
  uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
  nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);
  char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);

  // Get indirect symbol table (array of uint32_t indices into symbol table)
  uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);

值得一提的是這行代碼：

uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;

因?yàn)榈刂房臻g加載隨機(jī)化的緣故，系統(tǒng)在加載程序時(shí)，會(huì)在其原有的地址空間上進(jìn)行偏移操作，而這個(gè) slide 正是偏移的大小，所以 linkedit_base 代表的是程序被加載后的基地址。

接下來(lái)，rebind_symbols_for_image 會(huì)在 __DATA 段中尋找類型為 S_LAZY_SYMBOL_POINTERS 以及 S_NON_LAZY_SYMBOL_POINTERS 的節(jié)，二者分別包含我們要替換的 __la_symbol_ptr 以及 __nl_symbol_ptr，然后調(diào)用 perform_rebinding_with_section 函數(shù)：

 cur = (uintptr_t)header + sizeof(mach_header_t);
  for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) {
    cur_seg_cmd = (segment_command_t *)cur;
    if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) {
      if (strcmp(cur_seg_cmd->segname, SEG_DATA) != 0 &&
          strcmp(cur_seg_cmd->segname, SEG_DATA_CONST) != 0) {
        continue;
      }
      for (uint j = 0; j < cur_seg_cmd->nsects; j++) {
        section_t *sect =
          (section_t *)(cur + sizeof(segment_command_t)) + j;
        if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
        if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
          perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab);
        }
      }
    }
  }

perform_rebinding_with_section 函數(shù)也是整個(gè) fishhook 的核心代碼，負(fù)責(zé)完成符號(hào)的替換：

static void perform_rebinding_with_section(struct rebindings_entry *rebindings,
                                           section_t *section,
                                           intptr_t slide,
                                           nlist_t *symtab,
                                           char *strtab,
                                           uint32_t *indirect_symtab) {
  uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1;
  void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr);
  for (uint i = 0; i < section->size / sizeof(void *); i++) {
    uint32_t symtab_index = indirect_symbol_indices[i];
    if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL ||
        symtab_index == (INDIRECT_SYMBOL_LOCAL   | INDIRECT_SYMBOL_ABS)) {
      continue;
    }
    uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx;
    char *symbol_name = strtab + strtab_offset;
    if (strnlen(symbol_name, 2) < 2) {
      continue;
    }
    struct rebindings_entry *cur = rebindings;
    while (cur) {
      for (uint j = 0; j < cur->rebindings_nel; j++) {
        if (strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
          if (cur->rebindings[j].replaced != NULL &&
              indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
            *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i];
          }
          indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
          goto symbol_loop;
        }
      }
      cur = cur->next;
    }
  symbol_loop:;
  }
}

這里最關(guān)鍵的就是下面兩行代碼的解讀：

uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1;
void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr);

indirect_symtab 是動(dòng)態(tài)符號(hào)表的地址，表中包含動(dòng)態(tài)符號(hào)在符號(hào)表中的索引。那么 section->reserved1 又是代表什么呢？這里的 section 實(shí)際上是指 __DATA 段中包含 __la_symbol_ptr 以及 __nl_symbol_ptr 的 section，它們會(huì)在 reserved1 字段中記錄自身所包含的動(dòng)態(tài)符號(hào)在 indirect_symtab 的起始索引，因此通過(guò) indirect_symbol_indices 便可以得到 section 所包含的動(dòng)態(tài)符號(hào)在符號(hào)表中的索引信息。

indirect_symbol_bindings 則是代表程序偏移后的相關(guān) section 的虛擬地址，fishhook 會(huì)在其中尋找指向目標(biāo)動(dòng)態(tài)符號(hào)的指針，然后將其指向我們自己的符號(hào)。

uint32_t symtab_index = indirect_symbol_indices[i];
    if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL ||
        symtab_index == (INDIRECT_SYMBOL_LOCAL   | INDIRECT_SYMBOL_ABS)) {
      continue;
    }
    uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx;
    char *symbol_name = strtab + strtab_offset;
    if (strnlen(symbol_name, 2) < 2) {
      continue;
    }

symtab_index 表示動(dòng)態(tài)符號(hào)在符號(hào)表中的索引，據(jù)此我們可以得到動(dòng)態(tài)符號(hào)的名字，接下來(lái)就是遍歷用戶傳來(lái)的綁定信息，若是和動(dòng)態(tài)符號(hào)相匹配，則進(jìn)行替換：

 while (cur) {
      for (uint j = 0; j < cur->rebindings_nel; j++) {
        if (strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
          if (cur->rebindings[j].replaced != NULL &&
              indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
            *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i];
          }
          indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
          goto symbol_loop;
        }
      }
      cur = cur->next;
    }
  symbol_loop:;

這里引用下 fishhook 官方的流程圖：

最后的感慨：fishhook 真是有創(chuàng)意！