frida hook native non exported functions

Question

i am reversing this android app for learning purposes and the app implements all of the interesting functionality on the native layer, so i ran the app on a arm android studio image and reversed the shared library .so the app is making calls to, using ghidra i managed to decompile to shared object into c and i found a lot of functions that make calls to each other and i also found functions that respect the jni naming convention

i can hook any of the above exports successfully yet when i try to hook the below functions i get a export not found how can i hook these native functions?

Answer 1

I assume you are using frida's method Module.findExportByName. This way only works for exported functions. The method visible in the Ghidra screen-shot you have posted however seems to be an internal function that do not even have a name.

The shown name like FUN_002d5044 is generated by Ghidra as the function has no name. It basically means "unnamed function at address 0x002d5044".

Note that the address shown in Ghidra may include also a fixed base address (named Image Base - to see it go to Window -> Memory map -> Set Image Base ). If the Image base is not 0 you have to substract this values from the shown address to get the address you can use for hooking.

You should be able to hook an unnamed function directly by using it's address and the base address of the module it is implemented in.

You just have to insert the correct moduleName in the following code:

const ghidraImageBase = 0x00040000; // example value get the real value in Ghidra from Window -> Memory map -> Set Image Base
const moduleName = "insert module name here";
const moduleBaseAddress = Module.findBaseAddress(moduleName);
const functionRealAddress = moduleBaseAddress.add(0x002d5044 - ghidraImageBase);
Interceptor.attach(functionRealAddress, {
                   onEnter: function(args) {
                       ...
                   }
});