jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0
3.93k stars, 809 forks

AOSP Android10 hook dlsym #97

Closed ndl1302732 closed 3 years ago

ndl1302732 commented 3 years ago

1. Keywords: AOSP Android 10 hook dlsym

2. The code is as follows:

    #include <dlfcn.h>   // dlsym
    #include "dobby.h"   // DobbyHook

    typedef void *(*PFN_DLSYM)(void *handle, const char *symbol);
    PFN_DLSYM pOrgDlsym = NULL;   // set by DobbyHook to the trampoline into the original dlsym

    void *fake_dlsym(void *handle, const char *symbol) {
        void *result = pOrgDlsym(handle, symbol);   // call through to the real dlsym
        return result;
    }

    static void hook() {
        DobbyHook((void *)dlsym, (void *)fake_dlsym, (void **)&pOrgDlsym);
    }

3. The crash info is as follows:

    2020-08-20 18:30:14.596 7851-7851/? A/DEBUG: Build fingerprint: 'google/sailfish/sailfish:10/QP1A.190711.020/eng.androi.20200820.023521:userdebug/test-keys'
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: Revision: '0'
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: ABI: 'arm'
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: Timestamp: 2020-08-20 18:30:14+0800
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: pid: 7812, tid: 7812, name: com.xx.xx.xx  >>> com.xx.xx.xx <<<
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: uid: 10104
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe140e3c6
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG:     r0  e140e3c6  r1  0000000a  r2  ce22edd5  r3  ff8ded98
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG:     r4  ce228995  r5  e1447510  r6  f3f4901b  r7  ff8dedd0
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG:     r8  ce228995  r9  ce228995  r10 f6d89140  r11 f6d8faa0
    2020-08-20 18:30:14.597 7851-7851/? A/DEBUG:     ip  ce24fd70  sp  ff8dedc8  lr  ce22f1bb  pc  ce22f1bc
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG: backtrace:
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #00 pc 000131bc  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (CodeBuffer::Emit32(int)+28) (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #01 pc 000127f7  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (generate_thumb_trampoline(unsigned int, unsigned int)+70) (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #02 pc 00012797  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (InterceptRouting::GenerateTrampolineBuffer(void*, void*)+54) (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #03 pc 00012cb3  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (FunctionInlineReplaceRouting::BuildReplaceRouting()+26) (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #04 pc 0001220d  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (DobbyHook+128) (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)
    2020-08-20 18:30:14.835 7851-7851/? A/DEBUG:     #05 pc 0000cb45  /data/app/com.xx.xx.xx-DsFl5CxNFilbSq3W-A_NAg==/lib/arm/libinjectCamera.so (BuildId: 501d605789fe041158230902e6ab5b477d8790c8)

jmpews commented 3 years ago
  1. Add -DDOBBY_DEBUG=ON to the cmake invocation to get the dump output.
  2. Disassemble that function in lldb.

Either of the two works. Please paste the result. Thanks.

ndl1302732 commented 3 years ago

1. Latest stack:

    #00 pc 0001332c  /data/app/com.xx.xx.xx-Y3Pcp5VnIrzHXx1MbVmxwg==/lib/arm/libinjectCamera.so (CodeBuffer::Emit32(int)+28) (BuildId: 4e2ef33d7d3943a9215af15ff3194064fdab415f)
    #01 pc 00012967  /data/app/com.xx.xx.xx-Y3Pcp5VnIrzHXx1MbVmxwg==/lib/arm/libinjectCamera.so (generate_thumb_trampoline(unsigned int, unsigned int)+70) (BuildId: 4e2ef33d7d3943a9215af15ff3194064fdab415f)

I pulled the corresponding code out of IDA; please check whether this is what you want.

2. Search for the following markers: for CodeBuffer::Emit32(int)+28 search "crash_28"; for generate_thumb_trampoline(unsigned int, unsigned int)+70 search "crash_70".


    .text:00012920 ; _DWORD __fastcall generate_thumb_trampoline(void *, unsigned int)
    .text:00012920                 EXPORT _Z25generate_thumb_trampolinejj
    .text:00012920 _Z25generate_thumb_trampolinejj         ; CODE XREF: generate_thumb_trampoline(uint,uint)+8↑j
    .text:00012920                                         ; DATA XREF: LOAD:00000F40↑o ...
    .text:00012920
    .text:00012920 var_44 = -0x44
    .text:00012920 var_3C = -0x3C
    .text:00012920 var_38 = -0x38
    .text:00012920 var_34 = -0x34
    .text:00012920 var_28 = -0x28
    .text:00012920 var_24 = -0x24
    .text:00012920 var_20 = -0x20
    .text:00012920 var_1C = -0x1C
    .text:00012920 var_18 = -0x18
    .text:00012920 var_C  = -0xC
    .text:00012920
    .text:00012920 ; __unwind { // j___gxx_personality_v0
    .text:00012920 B0 B5           PUSH    {R4,R5,R7,LR}
    .text:00012922 02 AF           ADD     R7, SP, #8
    .text:00012924 90 B0           SUB     SP, SP, #0x40
    .text:00012926 0C 46           MOV     R4, R1
    .text:00012928 01 46           MOV     R1, R0                  ; void *
    .text:0001292A 1D 48           LDR     R0, =(__stack_chk_guard_ptr - 0x12930)
    .text:0001292C 78 44           ADD     R0, PC                  ; __stack_chk_guard_ptr
    .text:0001292E 05 68           LDR     R5, [R0]                ; __stack_chk_guard
    .text:00012930 28 68           LDR     R0, [R5]
    .text:00012932 0F 90           STR     R0, [SP,#0x48+var_C]
    .text:00012934 0B A8           ADD     R0, SP, #0x48+var_1C    ; this
    .text:00012936 F9 F7 66 E9     BLX     j__ZN2zz3arm19ThumbTurboAssemblerC2EPv ; zz::arm::ThumbTurboAssembler::ThumbTurboAssembler(void *)
    .text:0001293A 1A 49           LDR     R1, =(_ZTVN2zz3arm8RegisterE_ptr - 0x12946)
    .text:0001293C 00 23           MOVS    R3, #0
    .text:0001293E 0F 22           MOVS    R2, #0xF
    .text:00012940 04 93           STR     R3, [SP,#0x48+var_38]
    .text:00012942 79 44           ADD     R1, PC                  ; _ZTVN2zz3arm8RegisterE_ptr
    .text:00012944 09 68           LDR     R1, [R1]                ; `vtable for'zz::arm::Register
    .text:00012946 08 31           ADDS    R1, #8
    .text:00012948 09 91           STR     R1, [SP,#0x48+var_24]
    .text:0001294A 0A 92           STR     R2, [SP,#0x48+var_20]
    .text:0001294C CD E9 01 12     STRD.W  R1, R2, [SP,#4]
    .text:00012950 4F F0 C0 72     MOV.W   R2, #0x1800000
    .text:00012954 08 92           STR     R2, [SP,#0x48+var_28]
    .text:00012956 05 93           STR     R3, [SP,#0x48+var_34]
    .text:00012958 03 91           STR     R1, [SP,#0x48+var_3C]
    .text:0001295A 09 A9           ADD     R1, SP, #0x48+var_24
    .text:0001295C 01 AA           ADD     R2, SP, #0x48+var_44
    .text:0001295E F9 F7 58 E9     BLX     j__ZN2zz3arm14ThumbAssembler6t2_ldrENS0_8RegisterERKNS0_10MemOperandE ; zz::arm::ThumbAssembler::t2_ldr(zz::arm::Register,zz::arm::MemOperand const&)
    .text:00012962 0C 98           LDR     R0, [SP,#0x48+var_18]   ; this
    .text:00012964 21 46           MOV     R1, R4                  ; int
    .text:00012966 F9 F7 5A E9     BLX     j__ZN10CodeBuffer6Emit32Ei ; CodeBuffer::Emit32(int)  ---> (crash_70)
    .text:0001296A 0B A8           ADD     R0, SP, #0x48+var_1C    ; this


    .text:00013310                 EXPORT _ZN10CodeBuffer6Emit32Ei
    .text:00013310 _ZN10CodeBuffer6Emit32Ei                ; CODE XREF: CodeBuffer::Emit32(int)+8↑j
    .text:00013310                                         ; DATA XREF: LOAD:00000F60↑o ...
    .text:00013310 ; __unwind {
    .text:00013310 B0 B5           PUSH    {R4,R5,R7,LR}
    .text:00013312 02 AF           ADD     R7, SP, #8
    .text:00013314 05 46           MOV     R5, R0
    .text:00013316 00 68           LDR     R0, [R0]
    .text:00013318 0C 46           MOV     R4, R1
    .text:0001331A C1 69           LDR     R1, [R0,#0x1C]
    .text:0001331C 28 46           MOV     R0, R5
    .text:0001331E 88 47           BLX     R1
    .text:00013320 01 1D           ADDS    R1, R0, #4
    .text:00013322 28 68           LDR     R0, [R5]
    .text:00013324 42 69           LDR     R2, [R0,#0x14]
    .text:00013326 28 46           MOV     R0, R5
    .text:00013328 90 47           BLX     R2
    .text:0001332A A8 68           LDR     R0, [R5,#8]
    .text:0001332C 10 C0           STMIA   R0!, {R4}               ; -----> (crash_28)
    .text:0001332E A8 60           STR     R0, [R5,#8]
    .text:00013330 B0 BD           POP     {R4,R5,R7,PC}

ndl1302732 commented 3 years ago

If this isn't right, I'll rebuild it the way you described.

jmpews commented 3 years ago
  1. I meant: disassemble the dlsym function on your system. I want to see that function's instructions.
  2. It looks like your -DDOBBY_DEBUG=ON did not enable the debug log.

ndl1302732 commented 3 years ago

About "add -DDOBBY_DEBUG=ON to cmake to get the dump output": which information does "dump output" refer to, the Dobby log output or the crash stack? I added -DDOBBY_DEBUG=ON, rebuilt and tested. The exact steps were as follows:

1. Build script:

    cmake .. \
        -DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
        -DCMAKE_BUILD_TYPE=Release \
        -DCMAKE_SYSTEM_NAME=Android \
        -DCMAKE_ANDROID_ARCH_ABI="armeabi-v7a" \
        -DCMAKE_ANDROID_NDK=$ANDROID_NDK \
        -DCMAKE_SYSTEM_VERSION=21 \
        -DANDROID_TOOLCHAIN=clang \
        -DCMAKE_ANDROID_NDK_TOOLCHAIN_VERSION=clang \
        -DDynamicBinaryInstrument=ON \
        -DNearBranch=ON \
        -DPlugin.SymbolResolver=ON \
        -DDOBBY_DEBUG=ON

2. Replaced the libdobby.a static library.

3. Dobby log output:

    2020-08-21 11:14:46.288 8931-8931/? I/Dobby: [*] Initialize DobbyHook => 0xf017b01b => 0xc945da49
    2020-08-21 11:14:46.288 8931-8931/? I/Dobby: [*] FunctionInlineReplaceRouting: >>>>> start <<<<<
    2020-08-21 11:14:46.288 8931-8931/? I/Dobby: [*] Set trampoline target => 0xc945da49
    2020-08-21 11:14:46.288 8931-8931/? I/Dobby: [*] Generate trampoline => 0xc945da49
    2020-08-21 11:14:46.288 8931-8931/? I/Dobby: [*] Assembler buffer at 0xdc613680

4. The crash:

    2020-08-21 11:14:46.288 8931-8931/? A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdc613686 in tid 8931 (com.xx.xx.xx), pid 8931 (com.xx.xx.xx)
    2020-08-21 11:14:46.343 8970-8970/? A/DEBUG: Build fingerprint: 'google/sailfish/sailfish:10/QP1A.190711.020/eng.androi.20200820.023521:userdebug/test-keys'
    2020-08-21 11:14:46.343 8970-8970/? A/DEBUG: Revision: '0'
    2020-08-21 11:14:46.343 8970-8970/? A/DEBUG: ABI: 'arm'
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG: Timestamp: 2020-08-21 11:14:46+0800
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG: pid: 8931, tid: 8931, name: com.xx.xx.xx  >>> com.xx.xx.xx <<<
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG: uid: 10104
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdc613686
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG:     r0  dc613686  r1  0000000a  r2  c9463f45  r3  ff99c990
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG:     r4  c945da49  r5  ebc3dfd0  r6  f017b01b  r7  ff99c9c8
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG:     r8  c945da49  r9  c945da49  r10 f1f89140  r11 f1f8faa0
    2020-08-21 11:14:46.344 8970-8970/? A/DEBUG:     ip  c9484d70  sp  ff99c9c0  lr  c946432b  pc  c946432c
    2020-08-21 11:14:46.583 8970-8970/? A/DEBUG: backtrace:
    2020-08-21 11:14:46.583 8970-8970/? A/DEBUG:     #00 pc 0001332c  /data/app/com.xx.xx.xx-xhKAHYGRZhP0ym1OUcTF5g==/lib/arm/libinjectCamera.so (CodeBuffer::Emit32(int)+28) (BuildId: 4e2ef33d7d3943a9215af15ff3194064fdab415f)
    2020-08-21 11:14:46.583 8970-8970/? A/DEBUG:     #01 pc 00012967  /data/app/com.xx.xx.xx-xhKAHYGRZhP0ym1OUcTF5g==/lib/arm/libinjectCamera.so (generate_thumb_trampoline(unsigned int, unsigned int)+70) (BuildId: 4e2ef33d7d3943a9215af15ff3194064fdab415f)

5. Getting the dlsym disassembly:

    a. dlsym_VA = 0xf017b01b
    b. The module it belongs to is libdl.so:

        f017a000-f017b000 r--p 00000000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so
        f017b000-f017c000 r-xp 00001000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so
        f017c000-f017d000 r--p 00002000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so

    c. offset = 0xf017b01b - 0xf017a000 = 0x101B
    d. adb pull /apex/com.android.runtime/lib/bionic/libdl.so
    e. Open libdl.so in IDA; the code of dlsym is as follows:
    .text:0000101A
    .text:0000101A                             WEAK dlsym
    .text:0000101A             dlsym                                   ; DATA XREF: LOAD:00000294↑o
    .text:0000101A 80 B5                       PUSH            {R7,LR}
    .text:0000101C 72 46                       MOV             R2, LR
    .text:0000101E 00 F0 B8 E8                 BLX             __loader_dlsym
    .text:00001022 80 BD                       POP             {R7,PC}
    .text:00001022             ; End of function dlsym
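The address-to-offset computation of steps a to e above, as an added example in C. This is not code from the thread or from Dobby; the function and struct names (resolve_va, parse_maps, struct resolved) are my own, and the maps text is embedded as constructed sample input copied from the three lines above. It makes two details explicit that the hand computation glosses over: 0xf017b01b has bit 0 set because dlsym is Thumb code, so the first instruction is at 0xf017b01a, which is why IDA shows .text:0000101A rather than 101B; and the offset is taken against the mapping that actually contains the address (start 0xf017b000, file offset 0x1000), which coincides with "VA minus the first mapping's start" here only because libdl's first mapping is at file offset 0. It also reports the mapping's permission bits, so you can see at a glance whether the code page is readable.

```c
/* Added example, not code from Dobby or from this thread: resolve a runtime
 * address from a crash log to the offset to open in IDA, using /proc/<pid>/maps. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the three libdl.so lines quoted in this thread. */
static const char *SAMPLE_MAPS =
    "f017a000-f017b000 r--p 00000000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so\n"
    "f017b000-f017c000 r-xp 00001000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so\n"
    "f017c000-f017d000 r--p 00002000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so\n";

struct mapping {
    uint64_t start, end, file_off;
    char perms[5];
    char path[256];
};

struct resolved {
    int found;
    uint64_t code_addr;   /* VA with the Thumb mode bit (bit 0) cleared */
    uint64_t rva;         /* offset from the module's load base: the address IDA shows */
    uint64_t file_off;    /* byte offset inside the .so file on disk */
    int readable, executable;
};

/* Parse one maps line: "start-end perms offset dev inode [path]". */
static int parse_maps_line(const char *line, size_t len, struct mapping *m) {
    char buf[512];
    unsigned long long start, end, off;
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    m->path[0] = '\0';
    int n = sscanf(buf, "%llx-%llx %4s %llx %*s %*s %255s",
                   &start, &end, m->perms, &off, m->path);
    if (n < 4) return 0;                 /* path is optional (anonymous mappings) */
    m->start = start; m->end = end; m->file_off = off;
    return 1;
}

static size_t parse_maps(const char *maps, struct mapping *out, size_t max) {
    size_t n = 0;
    const char *p = maps;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (parse_maps_line(p, len, &out[n])) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

struct resolved resolve_va(const char *maps, uint64_t va) {
    struct mapping arr[128];
    struct resolved r = {0};
    size_t count = parse_maps(maps, arr, 128);
    const struct mapping *hit = NULL;

    /* A pointer to Thumb code has bit 0 set (0xf017b01b); the instruction
     * itself is at the even address 0xf017b01a. */
    r.code_addr = va & ~(uint64_t)1;

    for (size_t i = 0; i < count; i++)
        if (arr[i].start <= r.code_addr && r.code_addr < arr[i].end) { hit = &arr[i]; break; }
    if (!hit) return r;

    r.found = 1;
    r.file_off = r.code_addr - hit->start + hit->file_off;   /* against the containing mapping */
    r.readable = hit->perms[0] == 'r';
    r.executable = hit->perms[2] == 'x';

    /* Load base = lowest mapping of the same file that starts at file offset 0;
     * fall back to "this mapping minus its file offset" if that line is missing. */
    uint64_t base = hit->start - hit->file_off;
    for (size_t i = 0; i < count; i++)
        if (hit->path[0] && arr[i].file_off == 0 &&
            strcmp(arr[i].path, hit->path) == 0 && arr[i].start < base)
            base = arr[i].start;
    r.rva = r.code_addr - base;
    return r;
}

int main(void) {
    struct resolved r = resolve_va(SAMPLE_MAPS, 0xf017b01bULL);
    if (!r.found) { puts("address not mapped"); return 1; }
    printf("code addr 0x%" PRIx64 "  rva 0x%" PRIx64 "  file offset 0x%" PRIx64 "  perms %s%s\n",
           r.code_addr, r.rva, r.file_off, r.readable ? "r" : "-", r.executable ? "x" : "-");
    return 0;
}
```

On a device, feed it `cat /proc/<pid>/maps` and the address printed by Dobby's "Initialize DobbyHook => ..." line; the rva is what to jump to in IDA (G, 0x101A) and the file offset is what to seek to in a hex dump of the pulled .so.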
jmpews commented 3 years ago

ok, I'll try to fix it today.

jmpews commented 3 years ago

fixed

ndl1302732 commented 3 years ago

OK, I'll test it when I get a chance.

ndl1302732 commented 3 years ago

Tested it; still the same error as before:

    2020-08-25 10:25:36.186 26353-26353/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xebbfe906
    2020-08-25 10:25:36.186 26353-26353/? A/DEBUG:     r0  ebbfe906  r1  0000000a  r2  c9563315  r3  ff99c980
    2020-08-25 10:25:36.186 26353-26353/? A/DEBUG:     r4  c955cd69  r5  ebc1c0f0  r6  f017b01b  r7  ff99c9b8
    2020-08-25 10:25:36.186 26353-26353/? A/DEBUG:     r8  c955cd69  r9  c955cd69  r10 f1f89140  r11 f1f8faa0
    2020-08-25 10:25:36.186 26353-26353/? A/DEBUG:     ip  c9583d50  sp  ff99c9b0  lr  c956373d  pc  c956373e
    2020-08-25 10:25:36.419 26353-26353/? A/DEBUG: backtrace:
    2020-08-25 10:25:36.419 26353-26353/? A/DEBUG:     #00 pc 0001373e  /data/app/com.xx.xx.xx-pU6M8LBFsgUZcwN-yeU5-Q==/lib/arm/libinjectCamera.so (CodeBuffer::Emit32(int)+28) (BuildId: 16f87517b957ba88e02e28a7f584cf1bc88ef185)
    2020-08-25 10:25:36.419 26353-26353/? A/DEBUG:     #01 pc 00012cbd  /data/app/com.xx.xx.xx-pU6M8LBFsgUZcwN-yeU5-Q==/lib/arm/libinjectCamera.so (generate_thumb_trampoline(unsigned int, unsigned int)+76) (BuildId: 16f87517b957ba88e02e28a7f584cf1bc88ef185)
    2020-08-25 10:25:36.419 26353-26353/? A/DEBUG:     #02 pc 00012c57  /data/app/com.xx.xx.xx-pU6M8LBFsgUZcwN-yeU5-Q==/lib/arm/libinjectCamera.so (InterceptRouting::GenerateTrampolineBuffer(void*, void*)+54) (BuildId: 16f87517b957ba88e02e28a7f584cf1bc88ef185)
    2020-08-25 10:25:36.420 26353-26353/? A/DEBUG:     #03 pc 000131f3  /data/app/com.xx.xx.xx-pU6M8LBFsgUZcwN-yeU5-Q==/lib/arm/libinjectCamera.so (FunctionInlineReplaceRouting::BuildReplaceRouting()+26) (BuildId: 16f87517b957ba88e02e28a7f584cf1bc88ef185)

ndl1302732 commented 3 years ago

I ran git pull to update the source, built the static library, then replaced the static library used in the app. Additional information:

1. dlsym_VA = 0xf017b01b

2. Mappings:

    sailfish:/ # cat /proc/26429/maps | grep dl.so
    f017a000-f017b000 r--p 00000000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so
    f017b000-f017c000 r-xp 00001000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so
    f017c000-f017d000 r--p 00002000 fd:00 277 /apex/com.android.runtime/lib/bionic/libdl.so

3. dlsym in IDA:

    .text:0000101A
    .text:0000101A                             WEAK dlsym
    .text:0000101A             dlsym                                   ; DATA XREF: LOAD:00000294↑o
    .text:0000101A 80 B5                       PUSH            {R7,LR}
    .text:0000101C 72 46                       MOV             R2, LR
    .text:0000101E 00 F0 B8 E8                 BLX             __loader_dlsym
    .text:00001022 80 BD                       POP             {R7,PC}
    .text:00001022             ; End of function dlsym

jmpews commented 3 years ago

(image attached)

This looks fine on my side, the instructions are identical. Could you send me your project so I can try it?

ndl1302732 commented 3 years ago

I'll send it to you shortly.

ndl1302732 commented 3 years ago

Download link for the source code, including the built apk: https://pan.baidu.com/s/1hopmAJRRKVpyZvnbzIVW6g (extraction code: k5rc)

The .so is loaded in MyApp.java: static { System.loadLibrary("injectCamera"); }

In camera.cpp, JNI_OnLoad calls hook(); the hook function is all you need to look at.

ndl1302732 commented 3 years ago

When I was writing native inline-hook detection earlier, I ran into a problem: on Android 10 the code segment sometimes has no read permission (strange!), so reading the first few machine-code bytes of a function raised an illegal memory access. You need an mprotect to grant read permission. I don't know whether this problem is also caused by a missing read permission. For reference.

jmpews commented 3 years ago

ok, got it, I'll test.

jmpews commented 3 years ago

You are probably using an old version; when I link against your libdobby.a it crashes.

If I use the source at the latest commit directly, there is no problem at all. (image attached)

jmpews commented 3 years ago

@ndl1302732 You can try again, or rebuild from the latest commit.

ndl1302732 commented 3 years ago

Pulled the latest code and replaced the static library; it still crashes on the Pixel with Android 10. Is the repository address this one: git clone https://github.com/jmpews/Dobby.git --depth=1 ? Did I download the wrong code??

ndl1302732 commented 3 years ago

1. How the code was downloaded:

    git clone https://github.com/jmpews/Dobby.git --depth=1
    git clone --depth 1 git@github.com:jmpews/Dobby.git

I downloaded the code from both of the above, built it, replaced the static library, and tested on the following machines in the Alibaba Cloud test farm; all of them crash.

2. Test device list: Huawei TAS-AL00 (Mate 30), Xiaomi Mi 9, OnePlus GM1900 (OnePlus 7)

3. apk: https://pan.baidu.com/s/1hTYVgrVp7IRxOZpi7PjpkA (extraction code: ri87). I put it on Baidu Netdisk, but I can't open this link myself; if you can't open it either, leave a QQ number and I'll send it to you directly.

ndl1302732 commented 3 years ago

All of the above devices are on Android 10.

ndl1302732 commented 3 years ago

Could you package your compiled dynamic and static libraries together with the headers and put them on GitHub, so I can test your binaries directly?

jmpews commented 3 years ago

858982985

jmpews commented 3 years ago

I'm on Android 10 too.

jmpews commented 3 years ago

fixed