如何查找native服务的接口实现

以Netd为例：

首先adb看一下服务的接口：

接口文件是INetd，去源码找一下INetd.aidl

已经确定了接口API，对于native服务端的实现，一般的继承顺序为：

根据继承关系，对于BnXxx/XxxService 对象，含有三张虚表

虚表1

	虚表1（来自IXxx）
01	destructor
02	destructor
03	android::BnInterface::onAsBinder(void)
04	getInterfaceDescriptor()
05 ~ (04+n)	n个接口 ... ...
05+n	getInterfaceVersion(void)
06+n	queryLocalInterface(const String16& _descriptor)
07+n	onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)

虚表2

	虚表2（来自BBinder）
01	queryLocalInterface(const String16& _descriptor)
02	getInterfaceDescriptor()
03	android::BBinder::isBinderAlive(void)
04	android::BBinder::pingBinder(void)
05	android::BBinder::dump(int,android::Vector<android::String16> const&)
06	android::BBinder::transact(uint,android::Parcel const&,android::Parcel*,uint)
07	android::BBinder::linkToDeath(android::sp<android::IBinder::DeathRecipient> const&,void *,uint)
08	android::BBinder::unlinkToDeath(android::wp<android::IBinder::DeathRecipient> const&,void ,uint,android::wp<android::IBinder::DeathRecipient>)
09	android::IBinder::checkSubclass(void const*)
10	android::BBinder::attachObject(void const,void ,void ,void ()(void const,void ,void *))
11	android::BBinder::findObject(void const*)
12	android::BBinder::detachObject(void const*)
13	android::BBinder::localBinder(void)
14	android::IBinder::remoteBinder(void)

虚表3

	虚表3（来自RefBase）
01	destructor
02	destructor
03	android::RefBase::onFirstRef(void)
04	android::RefBase::onLastStrongRef(void const*)
05	android::RefBase::onIncStrongAttempted(uint,void const*)
06	android::RefBase::onLastWeakRef(void const*)

下面在IDA中查找其具体API地址。先从手机中CP出system目录，在/system/bin 下面找到netd可执行程序，IDA打开。搜索BnNetd虚表中的函数，直接搜“BnNetd::onTransact”

查找引用定位虚表，一般虚表位于.data.rel.ro节中

定位到.data.rel.ro中的这一项，当虚表顺序满足Bn对象的虚表顺序时，这就是Bn对象的虚表（第二张虚表几乎全为导入函数，辨识度很高）

虚表一：

虚表二：

虚表三：

虚表一中getInterfaceVersion函数上面就是接口函数列表，IDA没有识别为函数，且还需要对该列表进行重命名，写一个IDA脚本来完成：


import idc
import ida_funcs
import ida_bytes
import ida_idaapi



ApiLists = '''
android::net::INetdDefault::isAlive(bool *)	.text	00000000000158D8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::firewallReplaceUidChain(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,bool,std::__1::vector<int,std::__1::allocator<int>> const&,bool *)	.text	00000000000158E0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthEnableDataSaver(bool,bool *)	.text	00000000000158E8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkCreatePhysical(int,int)	.text	00000000000158F0	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkCreateVpn(int,bool)	.text	00000000000158F8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkDestroy(int)	.text	0000000000015900	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkAddInterface(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015908	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkRemoveInterface(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015910	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkAddUidRanges(int,std::__1::vector<android::net::UidRangeParcel,std::__1::allocator<android::net::UidRangeParcel>> const&)	.text	0000000000015918	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkRemoveUidRanges(int,std::__1::vector<android::net::UidRangeParcel,std::__1::allocator<android::net::UidRangeParcel>> const&)	.text	0000000000015920	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkRejectNonSecureVpn(bool,std::__1::vector<android::net::UidRangeParcel,std::__1::allocator<android::net::UidRangeParcel>> const&)	.text	0000000000015928	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::socketDestroy(std::__1::vector<android::net::UidRangeParcel,std::__1::allocator<android::net::UidRangeParcel>> const&,std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015930	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherApplyDnsInterfaces(bool *)	.text	0000000000015938	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::tetherGetStats(std::__1::vector<android::net::TetherStatsParcel,std::__1::allocator<android::net::TetherStatsParcel>> *)	.text	0000000000015940	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceAddAddress(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015948	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceDelAddress(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015950	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::getProcSysNet(int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>*)	.text	0000000000015958	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::setProcSysNet(int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015960	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecSetEncapSocketOwner(android::os::ParcelFileDescriptor const&,int)	.text	0000000000015968	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::ipSecAllocateSpi(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int *)	.text	0000000000015970	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecAddSecurityAssociation(int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::vector<uchar,std::__1::allocator<uchar>> const&,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::vector<uchar,std::__1::allocator<uchar>> const&,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::vector<uchar,std::__1::allocator<uchar>> const&,int,int,int,int,int)	.text	0000000000015978	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecDeleteSecurityAssociation(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int,int)	.text	0000000000015980	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecApplyTransportModeTransform(android::os::ParcelFileDescriptor const&,int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015988	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecRemoveTransportModeTransform(android::os::ParcelFileDescriptor const&)	.text	0000000000015990	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::ipSecAddSecurityPolicy(int,int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int,int)	.text	0000000000015998	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecUpdateSecurityPolicy(int,int,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int,int)	.text	00000000000159A0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecDeleteSecurityPolicy(int,int,int,int,int,int)	.text	00000000000159A8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::ipSecAddTunnelInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int)	.text	00000000000159B0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecUpdateTunnelInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int,int)	.text	00000000000159B8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipSecRemoveTunnelInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	00000000000159C0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::wakeupAddInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int)	.text	00000000000159C8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::wakeupDelInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,int)	.text	00000000000159D0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::setIPv6AddrGenMode(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	00000000000159D8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::idletimerAddInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	00000000000159E0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::idletimerRemoveInterface(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	00000000000159E8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::strictUidCleartextPenalty(int,int)	.text	00000000000159F0	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::clatdStart(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>*)	.text	00000000000159F8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::clatdStop(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A00	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipfwdEnabled(bool *)	.text	0000000000015A08	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::ipfwdGetRequesterList(std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> *)	.text	0000000000015A10	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipfwdEnableForwarding(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A18	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipfwdDisableForwarding(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A20	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipfwdAddInterfaceForward(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A28	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::ipfwdRemoveInterfaceForward(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A30	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthSetInterfaceQuota(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,long)	.text	0000000000015A38	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthRemoveInterfaceQuota(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A40	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthSetInterfaceAlert(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,long)	.text	0000000000015A48	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthRemoveInterfaceAlert(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A50	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::bandwidthSetGlobalAlert(long)	.text	0000000000015A58	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::bandwidthAddNaughtyApp(int)	.text	0000000000015A60	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::bandwidthRemoveNaughtyApp(int)	.text	0000000000015A68	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::bandwidthAddNiceApp(int)	.text	0000000000015A70	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::bandwidthRemoveNiceApp(int)	.text	0000000000015A78	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::tetherStart(std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> const&)	.text	0000000000015A80	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherStop(void)	.text	0000000000015A88	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::tetherIsEnabled(bool *)	.text	0000000000015A90	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::tetherInterfaceAdd(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015A98	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherInterfaceRemove(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015AA0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherInterfaceList(std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> *)	.text	0000000000015AA8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherDnsSet(int,std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> const&)	.text	0000000000015AB0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherDnsList(std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> *)	.text	0000000000015AB8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkAddRoute(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015AC0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkRemoveRoute(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015AC8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkAddLegacyRoute(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015AD0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkRemoveLegacyRoute(int,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015AD8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkGetDefault(int *)	.text	0000000000015AE0	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkSetDefault(int)	.text	0000000000015AE8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkClearDefault(void)	.text	0000000000015AF0	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkSetPermissionForNetwork(int,int)	.text	0000000000015AF8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkSetPermissionForUser(int,std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015B00	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkClearPermissionForUser(std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015B08	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::trafficSetNetPermForUids(int,std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015B10	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::networkSetProtectAllow(int)	.text	0000000000015B18	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkSetProtectDeny(int)	.text	0000000000015B20	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::networkCanProtect(int,bool *)	.text	0000000000015B28	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::firewallSetFirewallType(int)	.text	0000000000015B30	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::firewallSetInterfaceRule(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015B38	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::firewallSetUidRule(int,int,int)	.text	0000000000015B40	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::firewallEnableChildChain(int,bool)	.text	0000000000015B48	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::interfaceGetList(std::__1::vector<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>,std::__1::allocator<std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>>> *)	.text	0000000000015B50	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceGetCfg(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,android::net::InterfaceConfigurationParcel *)	.text	0000000000015B58	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceSetCfg(android::net::InterfaceConfigurationParcel const&)	.text	0000000000015B60	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceSetIPv6PrivacyExtensions(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,bool)	.text	0000000000015B68	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceClearAddrs(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015B70	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceSetEnableIPv6(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,bool)	.text	0000000000015B78	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::interfaceSetMtu(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,int)	.text	0000000000015B80	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherAddForward(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015B88	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::tetherRemoveForward(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015B90	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::setTcpRWmemorySize(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)	.text	0000000000015B98	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::registerUnsolicitedEventListener(android::sp<android::net::INetdUnsolicitedEventListener> const&)	.text	0000000000015BA0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::firewallAddUidInterfaceRules(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&,std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015BA8	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::firewallRemoveUidInterfaceRules(std::__1::vector<int,std::__1::allocator<int>> const&)	.text	0000000000015BB0	00000008			R	.	.	.	.	.	.
android::net::INetdDefault::trafficSwapActiveStatsMap(void)	.text	0000000000015BB8	00000008			R	.	.	.	.	T	.
android::net::INetdDefault::getOemNetd(android::sp<android::IBinder> *)	.text	0000000000015BC0	00000008			R	.	.	.	.	.	.
'''

reals = []

def getName():
    apis = ApiLists.split("\n")
    for name in apis:
        for func in name.split("::"):
            if func.find("(") != -1:
                reals.append(func.split("(")[0])
    for i, name in enumerate(reals):
        print(str(i + 1) + " -> " + name)


def changeName(start_addr, end_addr):
    '''
    :param start_addr: 接口在虚表中的起始地址
    :param end_addr:   接口在虚表中的终点位置
    :return: None
    '''
    addrs = []
    for addr in range(start_addr, end_addr, 8):
        addrs.append(addr)

    for i,addr in enumerate(addrs):
        # 读取接口函数地址
        funcaddr = idc.get_qword(addr)

        # 将地址转化为函数
        ida_funcs.add_func(funcaddr)

        # 修改函数名称
        bsuccess = idc.set_name(funcaddr, reals[i])
        print("0x%X  -> %s  %s" % (funcaddr, reals[i], str(bsuccess)))

        # 设置虚表中的项为函数偏移
        bsuccess = idc.op_plain_offset(addr,0,0)
        print("op_plain_offset -> " + str(bsuccess))


if __name__ == '__main__':
    getName()
    changeName(0x8E768, 0x8EA58)

跑一下脚本：