Android for arm上的so注入(inject)和挂钩(hook)
对于Android for arm上的so注入(inject)和挂钩(hook),网上已有牛人给出了代码——libinject(http://bbs.pediy.com/showthread.php?t=141355)。由于实现中的ptrace函数是依赖于平台的,所以不经改动只能用于arm平台。本文将之扩展了一下,使它能够通用于android的x86和arm平台。arm平台部分基本重用了libinject中的代码,其中因为汇编不好移植且容易出错,所以把shellcode.s用ptrace_call替换掉了;另外保留了mmap,用来传字符串参数。当然也可以通过栈来传,但栈里和其它东西混在一起,一弄不好就会隔儿了,所以还是保险点好。最后注意:设备需要root。
首先创建目录及文件:
jni
inject.c
Android.mk
Application.mk
inject.c:
- #include <stdio.h>
- #include <stdlib.h>
- #include <asm/user.h>
- #include <asm/ptrace.h>
- #include <sys/ptrace.h>
- #include <sys/wait.h>
- #include <sys/mman.h>
- #include <dlfcn.h>
- #include <dirent.h>
- #include <unistd.h>
- #include <string.h>
- #include <elf.h>
- #include <android/log.h>
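/* On x86 the kernel exposes the register file as struct user_regs_struct;
 * alias it so code written against struct pt_regs compiles on both targets. */
#if defined(__i386__)
#define pt_regs user_regs_struct
#endif

/* Set to 0 to compile DEBUG_PRINT out entirely. */
#define ENABLE_DEBUG 1

#if ENABLE_DEBUG
#define LOG_TAG "INJECT"
/* Debug-level logcat line under the INJECT tag (GNU named-variadic macro). */
#define LOGD(fmt, args...) __android_log_print(ANDROID_LOG_DEBUG,LOG_TAG, fmt, ##args)
/* Single backslash: the line continuation had been rendered as "\\". */
#define DEBUG_PRINT(format,args...) \
    LOGD(format, ##args)
#else
#define DEBUG_PRINT(format,args...)
#endif

/* Thumb state bit (T) of the arm CPSR.  ptrace_call() sets or clears it to
 * match bit 0 of the address it redirects pc to. */
#define CPSR_T_MASK ( 1u << 5 )

/* Paths of the target process's libc and dynamic linker (32-bit Android
 * layout).  Presumably consumed by the symbol-lookup code later in the file,
 * which is outside this excerpt. */
const char *libc_path = "/system/lib/libc.so";
const char *linker_path = "/system/bin/linker";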
/*
 * Copy `size` bytes starting at address `src` in the traced process `pid`
 * into the local buffer `buf`, one PTRACE_PEEKTEXT word at a time.
 *
 * Preconditions established elsewhere in this file (not in this excerpt):
 * the caller has already attached to `pid` and the target is stopped.
 *
 * The word size is hard-coded to 4 bytes, matching the 32-bit arm/x86
 * targets this file is written for (see the __arm__/__i386__ sections
 * below); `size` is likewise folded into 32-bit counters.
 *
 * No ptrace() return value is checked: on failure it returns -1, which is
 * indistinguishable from an all-ones word without consulting errno, so a
 * peek at an unmapped address silently fills the corresponding bytes of
 * `buf` with 0xff.  Always returns 0.
 */
int ptrace_readdata(pid_t pid, uint8_t *src, uint8_t *buf, size_t size)
{
    uint32_t i, j, remain;
    uint8_t *laddr;
    /* One word as returned by PTRACE_PEEKTEXT, viewed as bytes for memcpy. */
    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;       /* whole 4-byte words to copy */
    remain = size % 4;  /* trailing bytes after the last whole word */
    laddr = buf;

    for (i = 0; i < j; i ++) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
        memcpy(laddr, d.chars, 4);
        src += 4;
        laddr += 4;
    }

    /* Partial tail: peek one more word and keep only its first `remain` bytes. */
    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
        memcpy(laddr, d.chars, remain);
    }

    return 0;
}
/*
 * Copy `size` bytes from the local buffer `data` into the traced process
 * `pid` at address `dest`, one PTRACE_POKETEXT word at a time.
 *
 * Same preconditions and 4-byte-word assumption as ptrace_readdata().
 * The partial tail is handled read-modify-write: the existing word at
 * `dest` is peeked, its first `remain` bytes are replaced, and the whole
 * word is poked back, so bytes past the end of the copy keep their value.
 *
 * NOTE(review): with an 8-byte long (not a target of this file) each
 * POKETEXT would store 8 bytes although only 4 of d.chars are filled per
 * iteration; the hard-coded 4 ties this helper to 32-bit targets.
 *
 * No ptrace() return value is checked, so a failed write is silent.
 * Always returns 0.
 *
 * Cross-process PTRACE_POKETEXT writes like this are the observable
 * footprint of the technique; the article notes the device must be rooted
 * for the attach that precedes them to succeed.
 */
int ptrace_writedata(pid_t pid, uint8_t *dest, uint8_t *data, size_t size)
{
    uint32_t i, j, remain;
    uint8_t *laddr;
    /* One word for PTRACE_POKETEXT, assembled byte-wise from `data`. */
    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;       /* whole 4-byte words to write */
    remain = size % 4;  /* trailing bytes after the last whole word */
    laddr = data;

    for (i = 0; i < j; i ++) {
        memcpy(d.chars, laddr, 4);
        ptrace(PTRACE_POKETEXT, pid, dest, d.val);
        dest += 4;
        laddr += 4;
    }

    /* Partial tail: fetch the target's current word, overwrite only
     * `remain` bytes of it, then write the whole word back. */
    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, dest, 0);
        for (i = 0; i < remain; i ++) {
            d.chars[i] = *laddr ++;
        }
        ptrace(PTRACE_POKETEXT, pid, dest, d.val);
    }

    return 0;
}
- #if defined(__arm__)
/*
 * Make the traced (stopped) process `pid` call the function at `addr`
 * with `num_params` arguments from `params`, following the arm calling
 * convention: the first four go in r0-r3, the rest are pushed onto the
 * target's stack with ptrace_writedata().
 *
 * `regs` is the register set to start from and is modified in place.
 * ptrace_setregs() and ptrace_continue() are defined outside this excerpt
 * (presumably wrappers around PTRACE_SETREGS / PTRACE_CONT).
 *
 * Return-to-fault: lr is set to 0, so when the callee returns the target
 * jumps to address 0 and stops with SIGSEGV.  The loop below waits for
 * exactly that stop status, 0xb7f == (11 << 8) | 0x7f, i.e. WIFSTOPPED
 * with WSTOPSIG == SIGSEGV, resuming the target on any other stop.  The
 * callee's result is not read here; presumably the caller fetches r0 from
 * the target's registers afterwards.
 *
 * Returns 0 once the expected stop was seen, -1 if setregs or continue
 * failed.  waitpid() return values are not checked, and errno from the
 * failing ptrace call is discarded by the bare printf("error").
 */
int ptrace_call(pid_t pid, uint32_t addr, long *params, uint32_t num_params, struct pt_regs* regs)
{
    uint32_t i;
    /* First four arguments in r0-r3 (uregs[0..3]). */
    for (i = 0; i < num_params && i < 4; i ++) {
        regs->uregs[i] = params[i];
    }

    //
    // push remained params onto stack
    //
    if (i < num_params) {
        regs->ARM_sp -= (num_params - i) * sizeof(long) ;
        ptrace_writedata(pid, (void *)regs->ARM_sp, (uint8_t *)&params[i], (num_params - i) * sizeof(long));
    }

    /* Bit 0 of the address selects Thumb state: strip it from pc and
     * mirror it into the CPSR T flag. */
    regs->ARM_pc = addr;
    if (regs->ARM_pc & 1) {
        /* thumb */
        regs->ARM_pc &= (~1u);
        regs->ARM_cpsr |= CPSR_T_MASK;
    } else {
        /* arm */
        regs->ARM_cpsr &= ~CPSR_T_MASK;
    }

    /* Return address 0: the callee's return faults, giving us a stop. */
    regs->ARM_lr = 0;

    if (ptrace_setregs(pid, regs) == -1
            || ptrace_continue(pid) == -1) {
        printf("error\n");
        return -1;
    }

    int stat = 0;
    waitpid(pid, &stat, WUNTRACED);
    /* Keep resuming until the SIGSEGV stop produced by the lr == 0 return. */
    while (stat != 0xb7f) {
        if (ptrace_continue(pid) == -1) {
            printf("error\n");
            return -1;
        }
        waitpid(pid, &stat, WUNTRACED);
    }

    return 0;
}
- #elif defined(__i386__)
- long ptrace_call(pid_t pid, uint32_t addr, long *params, uint32_t num_params, struct user_regs_struct * regs)
- regs->esp -= (num_params) * sizeof(long) ;
- ptrace_writedata(pid, (void *)regs->esp, (uint8_t *)params, (num_params) * sizeof(long));