# 13.反HOOK防护（一）：基于Fishhook

> 我们需要防护别人的Hook，但是保留自己的Hook。

## 1.1 在哪里防护

### a.Framework里

* 工程中的`Load`在`Framework`里的`Load`之后调用
* 别人注入的Hook代码的`Load`在`Framework`之后，工程之前
  * 有点疑问，这里的`Framework`是动态库么？

## 1.2 操作一下

### a. 创建一个Framework

### b. 引入fishhook、objc/message.h

### c. 在Framework中创建一个类，防护 `method_exchangeImplementations`

```cpp
+ (void)load {
    struct rebinding exchange;

    exchange.name = "method_exchangeImplementations";
    exchange.replacement = my_axchange;
    exchange.replaced = (void *)&sysExchangePoint;

    struct rebinding bds[] = { exchange };

    rebind_symbols(bds, 1);
}

// 保存原函数的指针，这个可以暴露给自己使用
void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB);

void my_axchange(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook！");
}
```

### d. 注入

> [04.利用Xcode进行重签名与调试](/wiki/ni-xiang/04.-li-yong-xcode-jin-hang-zhong-qian-ming-yu-tiao-shi.md)
>
> [05.dylib注入](/wiki/ni-xiang/05.dylib-zhu-ru.md)

效果：

![1](/files/-M_uxpdRJhcezFw0lfeo)

## 1.3 缺点

### a. 字符串

因为我们用到了`method_exchangeImplementations`这样一个字符串，一旦被逆向工程师找到，很容易定位到防护代码。

### b. 时间

这个防护方案是基于调用时间来进行防护的，如果找到`fishhook`的相关调用，进行相关操作，会被破解掉。

### c. get set IMP 没处理


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ryukiedev.gitbook.io/wiki/ni-xiang/13.-fan-hook-fang-hu-yi-ji-yu-fishhook.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.