
Hook open/execve signal 5 (SIGTRAP), code 1 (TRAP_BRKPT) #120

Closed ztony478 closed 3 years ago

ztony478 commented 3 years ago

1 keywords Dobby: commit 0aec6c146a3140b917d42850f3c48d19e6c64746 ndk: 19.1.5304403 sdk: 30 rom: LineageOS_14.1 (Android 7.1.1) Device: XiaoMi 5

2 code

/* Trampoline to the original libc open(); DobbyHook stores it here (see __init__). */
int (*orig_open)(const char *pathname, int flags, ...);
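/*
 * Replacement for libc open(): forwards to the original and logs every
 * successful open.
 *
 * As with open() itself, the optional third argument (the creation mode) is
 * only present when the flags say a file may be created, so it is fetched
 * from the va_list only in that case; reading it for a two-argument call
 * would be undefined behaviour.  O_TMPFILE takes a mode too, which the
 * original only honoured for O_CREAT.
 *
 * pathname, flags, ...: as for open(2).
 * Returns the descriptor from the original open(), or -1 with errno as set
 * by it.
 */
static int fake_open(const char *pathname, int flags, ...) {
    mode_t mode = 0;
    int needs_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    /* O_TMPFILE may include O_DIRECTORY bits, hence the full-mask compare. */
    needs_mode = needs_mode || (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (needs_mode) {
        va_list args;
        va_start(args, flags);
        /* mode_t is promoted to int when passed through "...". */
        mode = (mode_t)va_arg(args, int);
        va_end(args);
    }

    /* Always pass mode; libc only consults it when the flags require one. */
    int result = orig_open(pathname, flags, mode);
    if (result != -1) {
        LOGD("[-] trace open handle: %s", pathname);
    }
    return result;
}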

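/*
 * Trampoline to the original libc execve(); DobbyHook stores it here.
 * The envp parameter is `char *const *`, matching execve(2).  The earlier
 * `char *const **` declaration did not match the real signature; it only
 * worked because the hook and the trampoline agreed with each other.
 */
int (*orig_execve)(const char *file, char *const *argv, char *const *envp);

/*
 * Replacement for libc execve(): logs the program about to be executed and
 * forwards to the original.  Parameter names no longer start with a double
 * underscore, which C reserves for the implementation.
 *
 * Returns whatever the original execve() returns (it only returns on error).
 */
static int fake_execve(const char *file, char *const *argv, char *const *envp) {
    /* Passing NULL to %s is undefined; execve() itself fails on a NULL file. */
    LOGD("invoke cmd [%s]", file ? file : "(null)");
    return orig_execve(file, argv, envp);
}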

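/*
 * Installs one inline hook, logging instead of silently ignoring a failure.
 *
 * name:        human-readable symbol name, used only in log messages.
 * target:      address to patch; NULL means the symbol lookup failed.
 * replacement: function that takes over the target.
 * orig:        receives the trampoline to the original routine.
 *
 * A failed DobbyHook leaves *orig NULL, so the replacement would later call
 * through a null pointer; that is why the failure is reported here.
 */
static void install_hook(const char *name, void *target, void *replacement, void **orig) {
    if (target == NULL) {
        LOGD("hook %s skipped: symbol not resolved", name);
        return;
    }
    /* DobbyHook returns 0 on success. */
    if (DobbyHook(target, replacement, orig) != 0) {
        LOGD("hook %s failed at %p", name, target);
    }
}

/*
 * Library constructor: installs the open()/execve() hooks when the library
 * is loaded, before JNI_OnLoad runs.  The two #if blocks are the author's
 * toggle between resolving the symbols through DobbySymbolResolver() and
 * taking the addresses directly from the libc headers.
 *
 * The original ignored the results of DobbySymbolResolver() and DobbyHook();
 * both are now checked through install_hook().
 *
 * (The function name is kept as the author wrote it, although `__init__` is
 * a reserved identifier in C.)
 */
__attribute__((__constructor__)) static void __init__(void) {
#if 1
    install_hook("open", DobbySymbolResolver(NULL, "open"), (void *)fake_open, (void **)&orig_open);
    install_hook("execve", DobbySymbolResolver(NULL, "execve"), (void *)fake_execve, (void **)&orig_execve);
#endif

#if 0
    int (*p_orig_open)(const char *pathname, int flags, ...) = open;
    install_hook("open", (void *)p_orig_open, (void *)fake_open, (void **)&orig_open);
    install_hook("execve", (void *)execve, (void *)fake_execve, (void **)&orig_execve);
#endif
}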

3 exception --------- beginning of crash 12-17 00:00:22.199 F/libc ( 8948): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x6c2fe0a2e1bd81 in tid 8948 (m.zhy.dobbytest) 12-17 00:00:22.199 W/ ( 433): debuggerd: handling request: pid=8948 uid=10068 gid=10068 tid=8948 12-17 00:00:22.258 F/DEBUG ( 8964): 12-17 00:00:22.258 F/DEBUG ( 8964): LineageOS Version: '14.1-20191204-UNOFFICIAL-gemini' 12-17 00:00:22.258 F/DEBUG ( 8964): Build fingerprint: 'Xiaomi/gemini/gemini:7.0/NRD90M/V8.2.1.0.NAACNEB:user/release-keys' 12-17 00:00:22.258 F/DEBUG ( 8964): Revision: '0' 12-17 00:00:22.258 F/DEBUG ( 8964): ABI: 'arm64' 12-17 00:00:22.258 F/DEBUG ( 8964): pid: 8948, tid: 8948, name: m.zhy.dobbytest >>> com.zhy.dobbytest <<< 12-17 00:00:22.258 F/DEBUG ( 8964): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6c2fe0a2e1bd81 12-17 00:00:22.258 F/DEBUG ( 8964): x0 696c2fe0a2e1bd69 x1 0000000000000000 x2 0000007ff0e84ab8 x3 0000007ff0e84ab4 12-17 00:00:22.258 F/DEBUG ( 8964): x4 0000000000000025 x5 0000000000000000 x6 0000000000001c01 x7 00000000000f0d89 12-17 00:00:22.258 F/DEBUG ( 8964): x8 0000007f6b6b9000 x9 0000007f842ac6bc x10 0000007f842ac6c4 x11 0000000000000000 12-17 00:00:22.258 F/DEBUG ( 8964): x12 0000000000002e62 x13 0000007ff0e83b48 x14 0001c41c79000000 x15 003b9aca00000000 12-17 00:00:22.258 F/DEBUG ( 8964): x16 0000007f842ccc18 x17 0000007f85f3de34 x18 00000000ffffffff x19 0000007f8989f706 12-17 00:00:22.258 F/DEBUG ( 8964): x20 0000007f842c8d90 x21 0000007f8989f029 x22 0000000000000001 x23 0000000000000002 12-17 00:00:22.258 F/DEBUG ( 8964): x24 0000000000000000 x25 0000007f896cb3e9 x26 0000007f84277060 x27 0000007f898c5000 12-17 00:00:22.258 F/DEBUG ( 8964): x28 0000000000000000 x29 0000007ff0e84780 x30 0000007f842789e0 12-17 00:00:22.258 F/DEBUG ( 8964): sp 0000007ff0e84720 pc 0000007f84278ed4 pstate 0000000060000000 12-17 00:00:22.262 F/DEBUG ( 8964): 12-17 00:00:22.262 F/DEBUG ( 8964): backtrace: 12-17 00:00:22.262 F/DEBUG ( 8964): #00 pc 000000000001aed4 
/data/app/com.zhy.dobbytest-1/base.apk (offset 0x37000) 12-17 00:00:22.262 F/DEBUG ( 8964): #01 pc 000000000001a9dc /data/app/com.zhy.dobbytest-1/base.apk (offset 0x37000) 12-17 00:00:22.262 F/DEBUG ( 8964): #02 pc 000000000001be3c /data/app/com.zhy.dobbytest-1/base.apk (offset 0x37000) 12-17 00:00:22.262 F/DEBUG ( 8964): #03 pc 000000000001b198 /data/app/com.zhy.dobbytest-1/base.apk (offset 0x37000) 12-17 00:00:22.262 F/DEBUG ( 8964): #04 pc 00000000000190c0 /data/app/com.zhy.dobbytest-1/base.apk (offset 0x37000) 12-17 00:00:22.262 F/DEBUG ( 8964): #05 pc 000000000000cb7c /system/bin/linker64 (dlZN6soinfo10call_arrayEPKcPPFvvEmb+360) 12-17 00:00:22.262 F/DEBUG ( 8964): #06 pc 000000000000ab7c /system/bin/linker64 (dlZ9do_dlopenPKciPK17android_dlextinfoPv+2212) 12-17 00:00:22.262 F/DEBUG ( 8964): #07 pc 0000000000007308 /system/bin/linker64 (__dl_android_dlopen_ext+60) 12-17 00:00:22.262 F/DEBUG ( 8964): #08 pc 000000000000405c /system/lib64/libnativeloader.so (_ZN7android17OpenNativeLibraryEP7_JNIEnviPKcP8_jobjectP8_jstring+224) 12-17 00:00:22.262 F/DEBUG ( 8964): #09 pc 00000000002f11c8 /system/lib64/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8jstringPS9+1080) 12-17 00:00:22.262 F/DEBUG ( 8964): #10 pc 000000000000427c /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+280) 12-17 00:00:22.262 F/DEBUG ( 8964): #11 pc 00000000720c3ac0 /data/dalvik-cache/arm64/system@framework@boot.oat (offset 0x54f000) 12-17 00:00:22.362 W/ActivityManager( 1394): Force finishing activity com.zhy.dobbytest/.MainActivity 12-17 00:00:22.363 W/ ( 433): debuggerd: resuming target 8948 12-17 00:00:22.364 I/BootReceiver( 1394): Copying /data/tombstones/tombstone_09 to DropBox (SYSTEM_TOMBSTONE) 12-17 00:00:22.377 I/ActivityManager( 1394): Process com.zhy.dobbytest (pid 8948) has died 12-17 00:00:22.377 D/ActivityManager( 1394): cleanUpApplicationRecord -- 8948 12-17 00:00:22.379 I/Zygote ( 558): Process 
8948 exited due to signal (11)

4 不使用 DobbySymbolResolver 后的代码以及崩溃日志

/* Trampoline to the original libc open(); DobbyHook stores it here (see __init__). */
int (*orig_open)(const char *pathname, int flags, ...);
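/*
 * Replacement for libc open(): forwards to the original and logs every
 * successful open.
 *
 * As with open() itself, the optional third argument (the creation mode) is
 * only present when the flags say a file may be created, so it is fetched
 * from the va_list only in that case; reading it for a two-argument call
 * would be undefined behaviour.  O_TMPFILE takes a mode too, which the
 * original only honoured for O_CREAT.
 *
 * pathname, flags, ...: as for open(2).
 * Returns the descriptor from the original open(), or -1 with errno as set
 * by it.
 */
static int fake_open(const char *pathname, int flags, ...) {
    mode_t mode = 0;
    int needs_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    /* O_TMPFILE may include O_DIRECTORY bits, hence the full-mask compare. */
    needs_mode = needs_mode || (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (needs_mode) {
        va_list args;
        va_start(args, flags);
        /* mode_t is promoted to int when passed through "...". */
        mode = (mode_t)va_arg(args, int);
        va_end(args);
    }

    /* Always pass mode; libc only consults it when the flags require one. */
    int result = orig_open(pathname, flags, mode);
    if (result != -1) {
        LOGD("[-] trace open handle: %s", pathname);
    }
    return result;
}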

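/*
 * Trampoline to the original libc execve(); DobbyHook stores it here.
 * The envp parameter is `char *const *`, matching execve(2).  The earlier
 * `char *const **` declaration did not match the real signature; it only
 * worked because the hook and the trampoline agreed with each other.
 */
int (*orig_execve)(const char *file, char *const *argv, char *const *envp);

/*
 * Replacement for libc execve(): logs the program about to be executed and
 * forwards to the original.  Parameter names no longer start with a double
 * underscore, which C reserves for the implementation.
 *
 * Returns whatever the original execve() returns (it only returns on error).
 */
static int fake_execve(const char *file, char *const *argv, char *const *envp) {
    /* Passing NULL to %s is undefined; execve() itself fails on a NULL file. */
    LOGD("invoke cmd [%s]", file ? file : "(null)");
    return orig_execve(file, argv, envp);
}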

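/*
 * Installs one inline hook, logging instead of silently ignoring a failure.
 *
 * name:        human-readable symbol name, used only in log messages.
 * target:      address to patch; NULL means the symbol lookup failed.
 * replacement: function that takes over the target.
 * orig:        receives the trampoline to the original routine.
 *
 * A failed DobbyHook leaves *orig NULL, so the replacement would later call
 * through a null pointer; that is why the failure is reported here.
 */
static void install_hook(const char *name, void *target, void *replacement, void **orig) {
    if (target == NULL) {
        LOGD("hook %s skipped: symbol not resolved", name);
        return;
    }
    /* DobbyHook returns 0 on success. */
    if (DobbyHook(target, replacement, orig) != 0) {
        LOGD("hook %s failed at %p", name, target);
    }
}

/*
 * Library constructor: installs the open()/execve() hooks when the library
 * is loaded, before JNI_OnLoad runs.  This variant takes the addresses of
 * open/execve directly from the libc headers; the DobbySymbolResolver()
 * variant is kept under #if 0 as the author's toggle.
 *
 * The original ignored the result of DobbyHook(); it is now checked through
 * install_hook().
 *
 * NOTE(review): in the SIGTRAP report above, pc and x30 are both
 * 0x7f842853d8, a little past the 0x7f84285340 trampoline target logged for
 * the execve hook, i.e. inside this library's own code rather than in libc.
 * Which instruction sits there cannot be determined from the listing; worth
 * checking in the attached .so.
 *
 * (The function name is kept as the author wrote it, although `__init__` is
 * a reserved identifier in C.)
 */
__attribute__((__constructor__)) static void __init__(void) {
#if 0
    install_hook("open", DobbySymbolResolver(NULL, "open"), (void *)fake_open, (void **)&orig_open);
    install_hook("execve", DobbySymbolResolver(NULL, "execve"), (void *)fake_execve, (void **)&orig_execve);
#endif

#if 1
    int (*p_orig_open)(const char *pathname, int flags, ...) = open;
    install_hook("open", (void *)p_orig_open, (void *)fake_open, (void **)&orig_open);
    install_hook("execve", (void *)execve, (void *)fake_execve, (void **)&orig_execve);
#endif
}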

log: 12-17 00:06:51.541 I/Dobby ( 9055): [] [DobbyHook] Initialize at 0x7f85f42b34 12-17 00:06:51.541 I/Dobby ( 9055): [] ================ FunctionInlineReplaceRouting Start ================ 12-17 00:06:51.541 I/Dobby ( 9055): [] Set trampoline target => 0x7f84285194 12-17 00:06:51.541 I/Dobby ( 9055): [] [assembler] Create fixed address at 0x7f85f42b34 12-17 00:06:51.541 I/Dobby ( 9055): [] Initialize assembler code buffer at 0x7f858d07a0 12-17 00:06:51.541 I/Dobby ( 9055): [] Trampoline use [Adrp, Add, Br] combine 12-17 00:06:51.541 I/Dobby ( 9055): [] [trampoline] Generate trampoline buffer 0x7f85f42b34 -> 0x7f84285194 12-17 00:06:51.541 I/Dobby ( 9055): [] Initialize assembler code buffer at 0x7f858d07a0 12-17 00:06:51.541 I/Dobby ( 9055): [] [assembler] Finalize assembler at 0x7f842ed000 12-17 00:06:51.541 I/Dobby ( 9055): [] [insn relocate] origin 0x7f85f42b34 - 12 12-17 00:06:51.541 I/Dobby ( 9055): [] [insn relocate] relocated 0x7f842ed000 - 28 12-17 00:06:51.541 I/Dobby ( 9055): [] [intercept routing] Active patch 0x7f85f42b34 12-17 00:06:51.541 I/Dobby ( 9055): [] ================ FunctionInlineReplaceRouting End ================ 12-17 00:06:51.541 I/Dobby ( 9055): [] [DobbyHook] Initialize at 0x7f85f8be60 12-17 00:06:51.541 I/Dobby ( 9055): [] ================ FunctionInlineReplaceRouting Start ================ 12-17 00:06:51.541 I/Dobby ( 9055): [] Set trampoline target => 0x7f84285340 12-17 00:06:51.541 I/Dobby ( 9055): [] [assembler] Create fixed address at 0x7f85f8be60 12-17 00:06:51.541 I/Dobby ( 9055): [] Initialize assembler code buffer at 0x7f858d07a0 12-17 00:06:51.541 I/Dobby ( 9055): [] Trampoline use [Adrp, Add, Br] combine 12-17 00:06:51.541 I/Dobby ( 9055): [] [trampoline] Generate trampoline buffer 0x7f85f8be60 -> 0x7f84285340 12-17 00:06:51.541 I/Dobby ( 9055): [] Initialize assembler code buffer at 0x7f858d07a0 12-17 00:06:51.541 I/Dobby ( 9055): [] [assembler] Finalize assembler at 0x7f842ed020 12-17 00:06:51.542 I/Dobby ( 9055): [] 
[insn relocate] origin 0x7f85f8be60 - 12 12-17 00:06:51.542 I/Dobby ( 9055): [] [insn relocate] relocated 0x7f842ed020 - 28 12-17 00:06:51.542 I/Dobby ( 9055): [] [intercept routing] Active patch 0x7f85f8be60 12-17 00:06:51.542 I/Dobby ( 9055): [] ================ FunctionInlineReplaceRouting End ================ 12-17 00:06:51.542 D/test ( 9071): invoke cmd [/system/bin/sh] 12-17 00:06:51.543 D/test ( 9055): [-] trace open handle: /dev/ashmem --------- beginning of crash 12-17 00:06:51.549 F/libc ( 9055): Fatal signal 5 (SIGTRAP), code 1 in tid 9055 (m.zhy.dobbytest) 12-17 00:06:51.550 W/ ( 433): debuggerd: handling request: pid=9055 uid=10068 gid=10068 tid=9055 12-17 00:06:51.609 F/DEBUG ( 9073): 12-17 00:06:51.609 F/DEBUG ( 9073): LineageOS Version: '14.1-20191204-UNOFFICIAL-gemini' 12-17 00:06:51.609 F/DEBUG ( 9073): Build fingerprint: 'Xiaomi/gemini/gemini:7.0/NRD90M/V8.2.1.0.NAACNEB:user/release-keys' 12-17 00:06:51.609 F/DEBUG ( 9073): Revision: '0' 12-17 00:06:51.609 F/DEBUG ( 9073): ABI: 'arm64' 12-17 00:06:51.609 F/DEBUG ( 9073): pid: 9055, tid: 9055, name: m.zhy.dobbytest >>> com.zhy.dobbytest <<< 12-17 00:06:51.609 F/DEBUG ( 9073): signal 5 (SIGTRAP), code 1 (TRAP_BRKPT), fault addr 0x7f842853d8 12-17 00:06:51.609 F/DEBUG ( 9073): x0 0000000000000100 x1 0000007ff0e85c58 x2 0000000000000000 x3 0000000000000008 12-17 00:06:51.609 F/DEBUG ( 9073): x4 0000000000000000 x5 5f494e4a00000000 x6 000000804a4e495f x7 5e484d48ff63606e 12-17 00:06:51.609 F/DEBUG ( 9073): x8 0000000000000000 x9 00000000ffffffff x10 0000000000000003 x11 000000555555a008 12-17 00:06:51.609 F/DEBUG ( 9073): x12 0000000000000000 x13 00000000000000b9 x14 0000007f89611f50 x15 a8fdc7c9ff735215 12-17 00:06:51.609 F/DEBUG ( 9073): x16 0000007f85fe22f8 x17 0000005555557e84 x18 00000000ffffffff x19 0000007ff0e85ee8 12-17 00:06:51.609 F/DEBUG ( 9073): x20 0000007f85896a00 x21 0000007f8583e180 x22 0000007f842853b4 x23 b89d37411731f0f4 12-17 00:06:51.609 F/DEBUG ( 9073): x24 0000007ff0e85f9c x25 
0000007f7b5fcd80 x26 0000007f858e9040 x27 000000000000001d 12-17 00:06:51.609 F/DEBUG ( 9073): x28 0000007f85896a00 x29 0000007ff0e85d80 x30 0000007f842853d8 12-17 00:06:51.609 F/DEBUG ( 9073): sp 0000007ff0e85d60 pc 0000007f842853d8 pstate 0000000060000000 12-17 00:06:51.611 F/DEBUG ( 9073): 12-17 00:06:51.611 F/DEBUG ( 9073): backtrace: 12-17 00:06:51.611 F/DEBUG ( 9073): #00 pc 00000000000163d8 /data/app/com.zhy.dobbytest-2/base.apk (offset 0x27000) 12-17 00:06:51.611 F/DEBUG ( 9073): #01 pc 00000000002f15e8 /system/lib64/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8jstringPS9+2136) 12-17 00:06:51.611 F/DEBUG ( 9073): #02 pc 000000000000427c /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+280) 12-17 00:06:51.611 F/DEBUG ( 9073): #03 pc 00000000720c3ac0 /data/dalvik-cache/arm64/system@framework@boot.oat (offset 0x54f000) 12-17 00:06:51.706 W/ActivityManager( 1394): Force finishing activity com.zhy.dobbytest/.MainActivity 12-17 00:06:51.707 W/ ( 433): debuggerd: resuming target 9055 12-17 00:06:51.708 I/BootReceiver( 1394): Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE) 12-17 00:06:51.721 I/ActivityManager( 1394): Process com.zhy.dobbytest (pid 9055) has died 12-1 7 00:06:51.721 D/ActivityManager( 1394): cleanUpApplicationRecord -- 9055 12-17 00:06:51.722 I/Zygote ( 558): Process 9055 exited due to signal (5)

附件中是so文件 lib.zip

jmpews commented 3 years ago
  1. 在 pixel 2, Android 10 与 meizu, Android 9 均未复现, 请尝试更换版本试下?
  2. 可以进 telegram group 具体询问
ztony478 commented 3 years ago

方便的话,我直接送两部手机给你吧。也算为 dobby 做贡献了

helengray commented 2 months ago

@ztony478 这个最后是怎么解决的