lief-project / LIEF

LIEF - Library to Instrument Executable Formats (C++, Python, Rust)
https://lief.re
Apache License 2.0

Not called any func of library so injected when use add_library #204

Closed henrytom1703 closed 6 years ago

henrytom1703 commented 6 years ago

Hello guys. I cannot call the JNI_OnLoad function of libtest-lib.so after injecting libtest-lib.so into libnative-lib.so. Can anyone help me fix it? Thanks.

Here is my source code.

Android App:

public class MainActivity extends Activity {

    static {
        System.loadLibrary("native-lib");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
    }
}

native-lib.cpp (libnative-lib.so)

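#include <jni.h>
#include <string>
#include <android/log.h>

// Log() is not defined in the posted snippet; assumed here to be a thin
// wrapper around __android_log_print from <android/log.h>.
#define Log(msg) __android_log_print(ANDROID_LOG_INFO, "native-lib", "%s", msg)

// Called by the runtime when System.loadLibrary("native-lib") loads this library.
JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void *) {
    JNIEnv *env;
    if (vm->GetEnv(reinterpret_cast<void **>(&env), JNI_VERSION_1_6) != JNI_OK) {
        return JNI_EVERSION;
    }
    Log("called ");
    return JNI_VERSION_1_6;
}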

Library to inject: test-lib.cpp (libtest-lib.so)

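#include <jni.h>
#include <string>
#include <android/log.h>

// Log() is not defined in the posted snippet; assumed here to be a thin
// wrapper around __android_log_print from <android/log.h>.
#define Log(msg) __android_log_print(ANDROID_LOG_INFO, "test-lib", "%s", msg)

// JNI_OnLoad of the injected library; logs a marker so a call is visible in logcat.
JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void *) {
    JNIEnv *env;
    if (vm->GetEnv(reinterpret_cast<void **>(&env), JNI_VERSION_1_6) != JNI_OK) {
        return JNI_EVERSION;
    }
    Log("called test lib so");
    return JNI_VERSION_1_6;
}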

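Python code to inject:

import lief

def inject():
    # Parse the original library from disk
    libnative = lief.parse("F:\\test1\\libnative-lib.so")
    # Add libtest-lib.so as a dependency of libnative-lib.so
    libnative.add_library("libtest-lib.so") # Injection!
    # Write the modified library to a separate output directory
    libnative.write("F:\\test2\\libnative-lib.so")

if __name__ == "__main__":
    inject()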

adb shell:

adb push "F:\\test2\\libnative-lib.so" /data/local/tmp/libnative-lib.so
cp  /data/local/tmp/libnative-lib.so /data/app/com.test.app.checker-1/lib/arm/libnative-lib.so
chmod 777  /data/app/com.test.app.checker-1/lib/arm/libnative-lib.so

Rooted device: HTC one m9

henrytom1703 commented 6 years ago

Hello @romainthomas, can you help me? Here is the new log. How to fix it?

08-15 11:10:59.748 25982-25982/com.oang.app.checker I/ng.app.checker: type=1400 audit(0.0:81346): avc: denied { execute } for path="/data/local/tmp/lib/armeabi-v7a/libtest-lib.so" dev="mmcblk0p47" ino=393263 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1

I also tried setenforce, but it's not working:

su
setenforce 0

Thanks
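An added example (not part of the original thread and not LIEF code): a small Python parser that splits the AVC record quoted in the comment above into its source domain, target file label, class and permission, and reports the `permissive` flag. The function names `parse_avc` and `summarize` are hypothetical; the sample line is the audit record from the comment.

```python
import re

# AVC record copied from the log line quoted in the comment above.
AVC_LINE = (
    'type=1400 audit(0.0:81346): avc: denied { execute } for '
    'path="/data/local/tmp/lib/armeabi-v7a/libtest-lib.so" dev="mmcblk0p47" '
    'ino=393263 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC audit record as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the level may itself contain ':'.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    # permissive=1: the access was logged but not blocked.
    # Records without the field leave the question open (None).
    flag = rec.get("permissive")
    rec["enforced"] = None if flag is None else flag == "0"
    return rec


def summarize(rec):
    """One-line description: who asked for what, on which label."""
    state = {True: "blocked", False: "logged only", None: "unknown"}[rec["enforced"]]
    return "{} requested {} on {} labeled {} ({})".format(
        rec.get("scontext_type"), ",".join(rec["perms"]),
        rec.get("tclass"), rec.get("tcontext_type"), state)


if __name__ == "__main__":
    print(summarize(parse_avc(AVC_LINE)))
```

The type fields show which label the app domain was refused on, which is the label `chcon` would have to change.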

romainthomas commented 6 years ago

You need to patch the SELinux context of /data/local/tmp/lib/armeabi-v7a/libtest-lib.so using chcon

henrytom1703 commented 6 years ago

@romainthomas Could you give me a command line? I tried, but it's not working. Here is the log:

1|root@htc_m8:/ # su -c 'chcon -R /data/local/tmp/lib/armeabi-v7a/libtest-lib.so'
usage: chcon [-hRv] CONTEXT FILE...

Change the SELinux security context of listed file[s].

-h change symlinks instead of what they point to.
-R recurse into subdirectories.
-v verbose output.

chcon: Need 2 arguments

Thanks,

romainthomas commented 6 years ago

Yes, chcon needs an SELinux context...

henrytom1703 commented 6 years ago

@romainthomas Do you know how to find the correct SELinux context? Could you provide me a command line? Thanks