Android方法调用追踪技术详解<\/h1>

1. 前言<\/h2>
本文是《追踪Android方法调用》系列的第二部分，重点介绍如何通过Frida工具hook关键ART函数来追踪Android应用中的各种方法调用关系，包括：<\/p>
Java->Java调用<\/li>
Java->JNI调用<\/li>
JNI->Java调用<\/li>
JNI->JNI调用<\/li> <\/ul>
2. 核心原理分析<\/h2>
所有方法调用最终都会进入ArtMethod::Invoke<\/code>函数，但直接hook该函数存在局限性。更深入的追踪需要关注解释执行逻辑中的关键函数：<\/p>

ArtInterpreterToInterpreterBridge<\/code>：处理Java->Java调用<\/li>
ArtInterpreterToCompiledCodeBridge<\/code>：处理Java->JNI调用<\/li>
<\/ul>
3. hook ArtMethod::Invoke<\/h2>
3.1 函数签名<\/h3>
void<\/span> ArtMethod::<\/span>Invoke(Thread*<\/span> self, uint32_t<\/span>*<\/span> args, uint32_t<\/span> args_size, JValue*<\/span> result, const<\/span> char<\/span>*<\/span> shorty)
<\/span><\/span><\/code><\/pre>3.2 参数解析<\/h3>
通过shorty<\/code>参数可以解析传入参数的类型和值：<\/p>
function<\/span> parse_arg_arrays<\/span>(arg_arrays<\/span>:<\/span> NativePointer<\/span>, shorty<\/span>:<\/span> string<\/span>) {
<\/span><\/span>  let<\/span> result<\/span>:<\/span>any<\/span> =<\/span> {};
<\/span><\/span>  let<\/span> count<\/span> =<\/span> 0<\/span>
<\/span><\/span>  let<\/span> j<\/span> =<\/span> 0<\/span>;
<\/span><\/span>  let<\/span> tmp_shorty<\/span> =<\/span> shorty<\/span>.slice<\/span>(1<\/span>);
<\/span><\/span>  for<\/span> (let<\/span> i<\/span> of<\/span> tmp_shorty<\/span>) {
<\/span><\/span>    switch<\/span> (i<\/span>) {
<\/span><\/span>      case<\/span> 'Z'<\/span>:<\/span> case<\/span> 'B'<\/span>:<\/span> case<\/span> 'C'<\/span>:<\/span> case<\/span> 'S'<\/span>:<\/span> case<\/span> 'I'<\/span>:<\/span> case<\/span> 'F'<\/span>:<\/span> case<\/span> 'L'<\/span>:<\/span>
<\/span><\/span>        result<\/span>[`arg<\/span>${<\/span>j<\/span>}<\/span>`<\/span>] =<\/span> "0x"<\/span> +<\/span> arg_arrays<\/span>.add<\/span>(count<\/span>).readU32<\/span>().toString<\/span>(16<\/span>)
<\/span><\/span>        count<\/span> +=<\/span> 4<\/span>; j<\/span> +=<\/span> 1<\/span>; break<\/span>;
<\/span><\/span>      case<\/span> 'D'<\/span>:<\/span> case<\/span> 'J'<\/span>:<\/span>
<\/span><\/span>        result<\/span>[`arg<\/span>${<\/span>j<\/span>}<\/span>`<\/span>] =<\/span> "0x"<\/span> +<\/span> arg_arrays<\/span>.add<\/span>(count<\/span>).readU64<\/span>().toString<\/span>(16<\/span>)
<\/span><\/span>        count<\/span> +=<\/span> 8<\/span>; j<\/span> +=<\/span> 1<\/span>; break<\/span>;
<\/span><\/span>      case<\/span> 'V'<\/span>:<\/span> break<\/span>;
<\/span><\/span>      default<\/span>:<\/span> console<\/span>.log<\/span>("error shorty:"<\/span>, i<\/span>); break<\/span>
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>  return<\/span> result<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 获取方法名<\/h3>
通过ArtMethod::PrettyMethod<\/code>获取被调用方法名：<\/p>
function<\/span> find_func<\/span>(so_name<\/span>:<\/span> string<\/span>, export_name<\/span>:<\/span> string<\/span>, ret_type<\/span>:<\/span> any<\/span>, args_type<\/span>:<\/span> any<\/span>) {
<\/span><\/span>  let<\/span> addr<\/span> =<\/span> Module<\/span>.findExportByName<\/span>(so_name<\/span>, export_name<\/span>);
<\/span><\/span>  let<\/span> called_name<\/span> =<\/span> null<\/span>;
<\/span><\/span>  if<\/span> (addr<\/span>) {
<\/span><\/span>    called_name<\/span> =<\/span> new<\/span> NativeFunction<\/span>(addr<\/span>, ret_type<\/span>, args_type<\/span>);
<\/span><\/span>  }
<\/span><\/span>  return<\/span> called_name<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>let<\/span> pretty_method_func<\/span>:<\/span> any<\/span> =<\/span> find_func<\/span>("libart.so"<\/span>, "_ZN3art9ArtMethod12PrettyMethodEb"<\/span>, 
<\/span><\/span>                                      ["pointer"<\/span>, "pointer"<\/span>, "pointer"<\/span>], ["pointer"<\/span>, "bool"<\/span>]);
<\/span><\/span><\/code><\/pre>3.4 完整hook代码<\/h3>
export<\/span> function<\/span> hook_ArtMethod_Invoke<\/span>() {
<\/span><\/span>    let<\/span> module<\/span> =<\/span> Process<\/span>.findModuleByName<\/span>("libart.so"<\/span>);
<\/span><\/span>    let<\/span> symbols<\/span> =<\/span> module<\/span> ?<\/span> module<\/span>.enumerateSymbols<\/span>() :<\/span> [];
<\/span><\/span>    let<\/span> addr_artmethod_invoke<\/span> =<\/span> null<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 查找ArtMethod::Invoke符号
<\/span><\/span><\/span><\/span>    for<\/span> (let<\/span> symbol<\/span> of<\/span> symbols<\/span>) {
<\/span><\/span>        if<\/span> (symbol<\/span>.name<\/span>.indexOf<\/span>("_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc"<\/span>) >=<\/span> 0<\/span>) {
<\/span><\/span>            addr_artmethod_invoke<\/span> =<\/span> symbol<\/span>.address<\/span>;
<\/span><\/span>            break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    if<\/span> (addr_artmethod_invoke<\/span>) {
<\/span><\/span>        Interceptor<\/span>.attach<\/span>(addr_artmethod_invoke<\/span>, {
<\/span><\/span>            onEnter<\/span>:<\/span> function<\/span> (args<\/span>) {
<\/span><\/span>                this<\/span>.artmethod<\/span> =<\/span> args<\/span>[0<\/span>];
<\/span><\/span>                this<\/span>.tid<\/span> =<\/span> args<\/span>[1<\/span>].add<\/span>(0x10<\/span>).readU32<\/span>();
<\/span><\/span>                this<\/span>.arg_arrays<\/span> =<\/span> args<\/span>[2<\/span>];
<\/span><\/span>                this<\/span>.shorty<\/span> =<\/span> args<\/span>[5<\/span>].readCString<\/span>();
<\/span><\/span>                
<\/span><\/span>                let<\/span> func_name<\/span> =<\/span> readStdString<\/span>(pretty_method_func<\/span>(ptr<\/span>(this<\/span>.artmethod<\/span>), 1<\/span>));
<\/span><\/span>                this<\/span>.hooked<\/span> =<\/span> 0<\/span>;
<\/span><\/span>                
<\/span><\/span>                if<\/span> (func_name<\/span>?<\/span>.includes<\/span>("com.example"<\/span>)) {
<\/span><\/span>                    this<\/span>.hooked<\/span> =<\/span> 1<\/span>;
<\/span><\/span>                    let<\/span> artmethod_args<\/span> =<\/span> parse_arg_arrays<\/span>(this<\/span>.arg_arrays<\/span>, this<\/span>.shorty<\/span>);
<\/span><\/span>                    console<\/span>.log<\/span>("[+] ["<\/span> +<\/span> this<\/span>.threadId<\/span> +<\/span> "] ArtMethod::Invoke onEnter:"<\/span>, 
<\/span><\/span>                              ptr<\/span>(this<\/span>.artmethod<\/span>), func_name<\/span>);
<\/span><\/span>                    
<\/span><\/span>                    if<\/span> (Object.keys<\/span>(artmethod_args<\/span>).length<\/span> ><\/span> 0<\/span>) {
<\/span><\/span>                        console<\/span>.log<\/span>("----------args----------\n"<\/span>, 
<\/span><\/span>                                  JSON<\/span>.stringify<\/span>(artmethod_args<\/span>), "\n----------end-----------"<\/span>);
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            },
<\/span><\/span>            onLeave<\/span>:<\/span> function<\/span> (retval<\/span>) {
<\/span><\/span>                \/\/ 可在此处处理返回值
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        });
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.5 局限性<\/h3>

无法捕获Java->Java的直接调用（绕过ArtMethod::Invoke）<\/li>
无法获取调用者(caller)信息<\/li>
<\/ul>
4. 处理Java层调用追踪<\/h2>
4.1 ShadowFrame结构分析<\/h3>
ShadowFrame内存布局：<\/p>
ShadowFrame*<\/span> link_;           \/\/ 指向调用者frame
<\/span><\/span><\/span><\/span>ArtMethod*<\/span> method_;           \/\/ 当前方法
<\/span><\/span><\/span><\/span>JValue*<\/span> result_register_;     \/\/ 结果寄存器
<\/span><\/span><\/span><\/span>const<\/span> uint16_t<\/span>*<\/span> dex_pc_ptr_;   \/\/ dex pc指针
<\/span><\/span><\/span><\/span>const<\/span> uint16_t<\/span>*<\/span> dex_instructions_; \/\/ dex指令
<\/span><\/span><\/span><\/span>LockCountData lock_count_data_; \/\/ 锁计数数据(指针大小)
<\/span><\/span><\/span><\/span>const<\/span> uint32_t<\/span> number_of_vregs_; \/\/ 虚拟寄存器数量
<\/span><\/span><\/span><\/span>uint32_t<\/span> dex_pc_;             \/\/ dex pc值
<\/span><\/span><\/span><\/span>int16_t<\/span> cached_hotness_countdown_;
<\/span><\/span>int16_t<\/span> hotness_countdown_;   \/\/ 热度计数
<\/span><\/span><\/span><\/span>uint32_t<\/span> frame_flags_;        \/\/ 帧标志
<\/span><\/span><\/span><\/span>uint32_t<\/span> vregs_[0<\/span>];           \/\/ 虚拟寄存器数组
<\/span><\/span><\/span><\/code><\/pre>4.2 参数解析关键点<\/h3>

vregs_<\/code>包含参数和局部变量<\/li>
实际参数数量由CodeItem中的ins_size_<\/code>决定<\/li>
参数位置：vregs[number_of_vregs_ - ins_size : number_of_vregs]<\/code><\/li>
<\/ul>
4.3 hook ArtInterpreterToInterpreterBridge<\/h3>
用于追踪Java->Java调用：<\/p>
void<\/span> ArtInterpreterToInterpreterBridge<\/span>(Thread*<\/span> self,
<\/span><\/span>                                     const<\/span> CodeItemDataAccessor&<\/span> accessor,
<\/span><\/span>                                     ShadowFrame*<\/span> shadow_frame,
<\/span><\/span>                                     JValue*<\/span> result);
<\/span><\/span><\/code><\/pre>通过shadow_frame->link_<\/code>可以获取调用者信息。<\/p>
4.4 hook ArtInterpreterToCompiledCodeBridge<\/h3>
用于追踪Java->JNI调用：<\/p>
void<\/span> ArtInterpreterToCompiledCodeBridge<\/span>(Thread*<\/span> self,
<\/span><\/span>                                      ArtMethod*<\/span> caller,
<\/span><\/span>                                      ShadowFrame*<\/span> shadow_frame,
<\/span><\/span>                                      uint16_t<\/span> arg_offset,
<\/span><\/span>                                      JValue*<\/span> result);
<\/span><\/span><\/code><\/pre>该函数直接提供了caller<\/code>参数，无需通过link_<\/code>解析。<\/p>
5. 处理JNI层调用追踪<\/h2>
5.1 挑战<\/h3>

ArtInterpreterToXxxBridge<\/code>无法监测JNI层发起的调用<\/li>
JNI调用会通过art_quick_invoke_stub<\/code>和art_quick_invoke_static_stub<\/code><\/li>
<\/ul>
5.2 解决方案<\/h3>
hook InvokeWithArgArray<\/code>函数，其签名：<\/p>
void<\/span> InvokeWithArgArray(const<\/span> ScopedObjectAccessAlreadyRunnable&<\/span> soa,
<\/span><\/span>                       ArtMethod*<\/span> method,
<\/span><\/span>                       ArgArray*<\/span> arg_array,
<\/span><\/span>                       JValue*<\/span> result,
<\/span><\/span>                       const<\/span> char<\/span>*<\/span> shorty)
<\/span><\/span><\/code><\/pre>可以使用类似ArtMethod::Invoke<\/code>的参数解析方法来处理。<\/p>
6. 读取内存字符串<\/h2>
当参数类型为java.lang.String<\/code>时，需要特殊处理：<\/p>
\/\/ 在parse_arg_arrays函数中添加字符串处理
<\/span><\/span><\/span><\/span>case<\/span> 'L'<\/span>:<\/span>
<\/span><\/span>    if<\/span> (func_name<\/span>.includes<\/span>("java.lang.String"<\/span>)) {
<\/span><\/span>        let<\/span> str_ptr<\/span> =<\/span> arg_arrays<\/span>.add<\/span>(count<\/span>).readPointer<\/span>();
<\/span><\/span>        if<\/span> (!<\/span>str_ptr<\/span>.isNull<\/span>()) {
<\/span><\/span>            let<\/span> is_compressed<\/span> =<\/span> str_ptr<\/span>.add<\/span>(8<\/span>).readU32<\/span>() &<\/span> 1<\/span>;
<\/span><\/span>            let<\/span> count<\/span> =<\/span> str_ptr<\/span>.add<\/span>(12<\/span>).readU32<\/span>();
<\/span><\/span>            let<\/span> value_ptr<\/span> =<\/span> str_ptr<\/span>.add<\/span>(16<\/span>);
<\/span><\/span>            
<\/span><\/span>            if<\/span> (is_compressed<\/span>) {
<\/span><\/span>                result<\/span>[`arg<\/span>${<\/span>j<\/span>}<\/span>`<\/span>] =<\/span> value_ptr<\/span>.readUtf8String<\/span>(count<\/span>);
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                result<\/span>[`arg<\/span>${<\/span>j<\/span>}<\/span>`<\/span>] =<\/span> value_ptr<\/span>.readUtf16String<\/span>(count<\/span>);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    count<\/span> +=<\/span> 4<\/span>; j<\/span> +=<\/span> 1<\/span>; break<\/span>;
<\/span><\/span><\/code><\/pre>7. 完整实现<\/h2>
完整代码可参考GitHub仓库：

https:\/\/github.com\/youncyb\/trace_android_call<\/a><\/p>
8. 参考资源<\/h2>

纯frida实现smali追踪<\/a><\/li>
使用Frida打印Java类函数调用关系<\/a><\/li>
[libc++'s implementation of std::string](libc++'s implementation of std::string)<\/li>
<\/ol>
9. 总结<\/h2>
本文详细介绍了通过Frida hook ART关键函数来追踪Android方法调用的技术，包括：<\/p>

参数解析技术<\/li>
ShadowFrame结构分析<\/li>
Java和JNI调用的不同处理方式<\/li>
内存字符串读取方法<\/li>
<\/ul>
这套技术可以用于Android应用逆向分析、安全审计和性能优化等多个领域。<\/p>
Android方法调用追踪技术详解<\/h1>

3. hook ArtMethod::Invoke<\/h2>

4. 处理Java层调用追踪<\/h2>

7. 完整实现<\/h2> 完整代码可参考GitHub仓库： https:\/\/github.com\/youncyb\/trace_android_call<\/a><\/p>

7. 完整实现<\/h2>
完整代码可参考GitHub仓库：
https:\/\/github.com\/youncyb\/trace_android_call<\/a><\/p>
