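// Hook JNI RegisterNatives through the JNIEnv function table.
//
// JNIEnv* points at a JNINativeInterface struct; slot 215 of that table is
// RegisterNatives (the index is stable across JNI versions), so the hook
// needs no symbol lookup. Every registration is logged as
//   [RegisterNatives] <class>.<name><sig> => <fnPtr> (<module>+0x<offset>)
// The module-relative offset identifies the native implementation even when
// the library is loaded at a randomized base address.
Java.perform(() => {
    const PTR = Process.pointerSize;
    // JNINativeMethod is three pointers: { const char *name; const char *signature; void *fnPtr; }
    const JNI_NATIVE_METHOD_SIZE = PTR * 3;
    // Index of RegisterNatives inside JNINativeInterface.
    const REGISTER_NATIVES_INDEX = 215;

    // Java.vm.getEnv() requires the calling thread to be attached to the VM;
    // Java.perform guarantees that, whereas a bare top-level call may throw.
    const env = Java.vm.getEnv();
    const functionTable = env.handle.readPointer();
    const registerNatives = functionTable.add(REGISTER_NATIVES_INDEX * PTR).readPointer();

    Interceptor.attach(registerNatives, {
        // args: [JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods]
        onEnter(args) {
            // Use the hooked thread's own env; bail out if it is not attached.
            const threadEnv = Java.vm.tryGetEnv();
            if (!threadEnv) {
                return;
            }

            const className = threadEnv.getClassName(args[1]);
            const methods = args[2];
            // nMethods and the array contents come from the instrumented process;
            // a malformed value only affects this agent, not the target.
            const nMethods = args[3].toInt32();

            for (let i = 0; i < nMethods; i++) {
                const entry = methods.add(i * JNI_NATIVE_METHOD_SIZE);
                const namePtr = entry.readPointer();
                const sigPtr = entry.add(PTR).readPointer();
                const fnPtr = entry.add(PTR * 2).readPointer();

                // A NULL name/signature would otherwise fault inside readCString();
                // report it instead of aborting the whole hook.
                const name = namePtr.isNull() ? "<null>" : namePtr.readCString();
                const sig = sigPtr.isNull() ? "<null>" : sigPtr.readCString();

                // Resolve the implementation to module+offset for stable reporting.
                const mod = Process.findModuleByAddress(fnPtr);
                const modName = mod ? mod.name : "unknown";
                const off = mod ? fnPtr.sub(mod.base) : ptr(0);

                console.log(`[RegisterNatives] ${className}.${name}${sig} => ${fnPtr} (${modName}+0x${off.toString(16)})`);
            }
        }
    });
});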