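console.log("Starting libusb_submit_transfer hook script...");

/*
 * Frida script: logs every struct libusb_transfer passed to
 * libusb_submit_transfer() in the instrumented process.
 *
 * The log contains raw USB transfer payloads (up to 64 bytes per call), so
 * captured output should be handled like any other sensitive traffic capture.
 *
 * Layout of struct libusb_transfer (per the libusb source) and the field
 * offsets this script assumes for 64-bit / 32-bit processes:
 *
 * struct libusb_transfer {
 *     libusb_device_handle *dev_handle;        // 0x00
 *     uint8_t flags;                           // 0x08 / 0x04
 *     unsigned char endpoint;                  // 0x09 / 0x05
 *     unsigned char type;                      // 0x0A / 0x06
 *     unsigned int timeout;                    // 0x0C / 0x08
 *     enum libusb_transfer_status status;      // 0x10 / 0x0C
 *     int length;                              // 0x14 / 0x10
 *     int actual_length;                       // 0x18 / 0x14
 *     libusb_transfer_cb_fn callback;          // 0x20 / 0x18
 *     void *user_data;                         // 0x28 / 0x1C
 *     unsigned char *buffer;                   // 0x30 / 0x20
 *     int num_iso_packets;                     // 0x38 / 0x24
 *     struct libusb_iso_packet_descriptor iso_packet_desc[0];
 *         // not read by this script. NOTE(review): the original note gave
 *         // 0x40 / 0x28; with a 4-byte-aligned descriptor the 64-bit offset
 *         // would be 0x3C. Confirm before parsing the descriptors.
 * };
 *
 * NOTE(review): the offsets assume natural alignment and this exact field
 * order; verify them against the libusb build loaded in the target.
 */

// Transfer type enum (value -> name).
const LIBUSB_TRANSFER_TYPE = {
  0: "LIBUSB_TRANSFER_TYPE_CONTROL",
  1: "LIBUSB_TRANSFER_TYPE_ISOCHRONOUS",
  2: "LIBUSB_TRANSFER_TYPE_BULK",
  3: "LIBUSB_TRANSFER_TYPE_INTERRUPT",
  4: "LIBUSB_TRANSFER_TYPE_BULK_STREAM",
};

// Transfer status enum (value -> name).
const LIBUSB_TRANSFER_STATUS = {
  0: "LIBUSB_TRANSFER_COMPLETED",
  1: "LIBUSB_TRANSFER_ERROR",
  2: "LIBUSB_TRANSFER_TIMED_OUT",
  3: "LIBUSB_TRANSFER_CANCELLED",
  4: "LIBUSB_TRANSFER_STALL",
  5: "LIBUSB_TRANSFER_NO_DEVICE",
  6: "LIBUSB_TRANSFER_OVERFLOW",
};

// Transfer flag bits (bit value -> name).
const LIBUSB_TRANSFER_FLAGS = {
  1: "LIBUSB_TRANSFER_SHORT_NOT_OK",
  2: "LIBUSB_TRANSFER_FREE_BUFFER",
  4: "LIBUSB_TRANSFER_FREE_TRANSFER",
  8: "LIBUSB_TRANSFER_ADD_ZERO_PACKET",
};

// Field offsets inside struct libusb_transfer, keyed by pointer width.
const TRANSFER_OFFSETS_64 = {
  dev_handle: 0x00,
  flags: 0x08,
  endpoint: 0x09,
  type: 0x0a,
  timeout: 0x0c,
  status: 0x10,
  length: 0x14,
  actual_length: 0x18,
  callback: 0x20,
  user_data: 0x28,
  buffer: 0x30,
  num_iso_packets: 0x38,
};

const TRANSFER_OFFSETS_32 = {
  dev_handle: 0x00,
  flags: 0x04,
  endpoint: 0x05,
  type: 0x06,
  timeout: 0x08,
  status: 0x0c,
  length: 0x10,
  actual_length: 0x14,
  callback: 0x18,
  user_data: 0x1c,
  buffer: 0x20,
  num_iso_packets: 0x24,
};

/**
 * Render the flags byte as a " | "-separated list of flag names.
 *
 * @param {number} flags - Value of libusb_transfer.flags.
 * @returns {string} Names of the known bits that are set, or "None".
 */
function parseTransferFlags(flags) {
  const names = Object.keys(LIBUSB_TRANSFER_FLAGS)
    .filter((bit) => (flags & Number.parseInt(bit, 10)) !== 0)
    .map((bit) => LIBUSB_TRANSFER_FLAGS[bit]);
  return names.length > 0 ? names.join(" | ") : "None";
}

/**
 * Print the first bytes of a native buffer as hex, 16 bytes per row.
 *
 * @param {NativePointer} buffer - Start of the data to dump.
 * @param {number|Int64|UInt64} length - Byte count claimed by the caller.
 * @param {number} [maxBytes=64] - Upper bound on the bytes actually read.
 * @returns {void}
 */
function dumpBuffer(buffer, length, maxBytes = 64) {
  if (!buffer || buffer.isNull()) {
    console.log("Buffer is NULL");
    return;
  }

  try {
    // Accept both plain numbers and Frida integer wrappers.
    const nLen = length.toInt32 ? length.toInt32() : Number.parseInt(length, 10);
    const bytesToPrint = Math.min(nLen, maxBytes);

    // A NaN or non-positive length fails this comparison and is reported
    // instead of being read.
    if (!(nLen > 0)) {
      console.log('buffer 指针无效 或 length <= 0');
      return;
    }

    console.log(`数据十六进制输出(前${bytesToPrint}字节):`);

    let hexOutput = "";
    for (let i = 0; i < bytesToPrint; i++) {
      try {
        // Read one byte at a time so an unreadable page only truncates the
        // dump instead of discarding what was already collected.
        const byteValue = buffer.add(i).readU8();
        hexOutput += byteValue.toString(16).padStart(2, "0") + " ";
        if ((i + 1) % 16 === 0) {
          hexOutput += "\n";
        }
      } catch (readErr) {
        console.log("读取字节" + i + "时出错:", readErr);
        break;
      }
    }
    console.log(hexOutput);

    if (nLen > maxBytes) {
      console.log("... (truncated, showing " + bytesToPrint + " of " + nLen + " bytes)");
    }
  } catch (e) {
    console.log('读取buffer时出错:', e);
    console.log('错误详情:', e.stack || e.toString());
  }
}

/**
 * Read the scalar and pointer fields of a struct libusb_transfer.
 *
 * The C `int` fields (length, actual_length, num_iso_packets) are read as
 * signed values so that a negative value is not reported as a ~4 GiB length
 * and does not pass the "length > 0" check that guards the buffer dump.
 *
 * @param {NativePointer} transfer - Non-null pointer to the structure.
 * @returns {object} The decoded fields plus `is64bit`.
 */
function readTransferFields(transfer) {
  const is64bit = Process.pointerSize === 8;
  const off = is64bit ? TRANSFER_OFFSETS_64 : TRANSFER_OFFSETS_32;
  return {
    is64bit,
    dev_handle: transfer.add(off.dev_handle).readPointer(),
    flags: transfer.add(off.flags).readU8(),
    endpoint: transfer.add(off.endpoint).readU8(),
    type: transfer.add(off.type).readU8(),
    timeout: transfer.add(off.timeout).readU32(),
    status: transfer.add(off.status).readU32(),
    length: transfer.add(off.length).readS32(),
    actual_length: transfer.add(off.actual_length).readS32(),
    callback: transfer.add(off.callback).readPointer(),
    user_data: transfer.add(off.user_data).readPointer(),
    buffer: transfer.add(off.buffer).readPointer(),
    num_iso_packets: transfer.add(off.num_iso_packets).readS32(),
  };
}

// Hook libusb_submit_transfer. Resolution goes through DebugSymbol, so it
// depends on symbol information for the function being available.
const submit_transfer_symbol = DebugSymbol.fromName("libusb_submit_transfer");
console.log("libusb_submit_transfer symbol info:", submit_transfer_symbol);

if (submit_transfer_symbol && submit_transfer_symbol.address && !submit_transfer_symbol.address.isNull()) {
  Interceptor.attach(submit_transfer_symbol.address, {
    onEnter(args) {
      console.log("\n================================");
      console.log("[LIBUSB] libusb_submit_transfer called");
      console.log("================================");

      const transfer = args[0];
      if (!transfer || transfer.isNull()) {
        console.log("Transfer structure is NULL!");
        return;
      }

      try {
        const t = readTransferFields(transfer);
        const isControl = t.type === 0;
        const isInEndpoint = (t.endpoint & 0x80) !== 0;

        // status and actual_length are printed as found in memory; this hook
        // runs at submission, before the transfer has completed.
        console.log("Transfer Structure Details:");
        console.log(" - Architecture: " + (t.is64bit ? "64-bit" : "32-bit"));
        console.log(" - Transfer Address: " + transfer);
        console.log(" - Device Handle: " + t.dev_handle);
        console.log(" - Flags: 0x" + t.flags.toString(16) + " (" + parseTransferFlags(t.flags) + ")");
        console.log(" - Endpoint: 0x" + t.endpoint.toString(16) + " (" + (isInEndpoint ? "IN" : "OUT") + ", EP" + (t.endpoint & 0x7F) + ")");
        console.log(" - Type: " + t.type + " (" + (LIBUSB_TRANSFER_TYPE[t.type] || "Unknown") + ")");
        console.log(" - Timeout: " + t.timeout + " ms");
        console.log(" - Status: " + t.status + " (" + (LIBUSB_TRANSFER_STATUS[t.status] || "Unknown") + ")");
        console.log(" - Length: " + t.length + " bytes");
        console.log(" - Actual Length: " + t.actual_length + " bytes");
        console.log(" - Callback: " + t.callback);
        console.log(" - User Data: " + t.user_data);
        console.log(" - Buffer: " + t.buffer);
        console.log(" - Num ISO Packets: " + t.num_iso_packets);

        // Debug aid: show the raw buffer pointer value.
        console.log(" - Buffer pointer value: " + t.buffer.toString());
        console.log(" - Buffer is null: " + t.buffer.isNull());

        // Dump the first 64 bytes when there is a data buffer.
        if (!t.buffer.isNull() && t.length > 0) {
          console.log("\nBuffer Data:");
          if (isInEndpoint && !isControl) {
            // For a device-to-host transfer the buffer is only filled on
            // completion, so these bytes are whatever the caller left there.
            // (Control transfers are excluded: their buffer starts with the
            // setup packet written by the caller.)
            console.log(" - Note: IN transfer; buffer contents at submit time are not device data");
          }
          dumpBuffer(t.buffer, t.length);
        } else {
          console.log("\nBuffer is null or length is 0");
          console.log(" - Buffer null check: " + t.buffer.isNull());
          console.log(" - Length: " + t.length);
        }

        // Isochronous transfers: report the packet count. The packet
        // descriptors themselves are not parsed.
        if (t.num_iso_packets > 0) {
          console.log("\nIsochronous Transfer - Packet Count: " + t.num_iso_packets);
        }
      } catch (e) {
        console.log("Error reading transfer structure: " + e.message);
        console.log('错误详情:', e.stack || e.toString());
      }
    },

    onLeave(retval) {
      console.log("\n[LIBUSB] libusb_submit_transfer returned: " + retval);
      // Any non-zero return value is reported as a submission failure.
      if (retval.toInt32() !== 0) {
        console.log(" - Error occurred during transfer submission");
      }
      console.log("================================\n");
    },
  });

  console.log("Successfully hooked libusb_submit_transfer");
} else {
  console.log("libusb_submit_transfer not found");
}

console.log("libusb_submit_transfer hook script loaded successfully!");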