Two memory segments
When a .so file is dlopen'ed within the same process space, it should in theory occupy a single region of memory. Actual debugging on Android 7.0 (reading "/proc/self/maps") shows otherwise: the same .so appears in memory as two segments!
This was not seen on older versions of Android (such as 4.x).
The blog posts below analyze this, along with the rewrite of dlopen in Android 7.0: reads made under different namespaces may give different results, which may be a security improvement.
Android 7.0 Behavioral Changes
NDK app link to platform library
Different Android 7.0 dlopen
Referencing/hooking an already loaded .so on 7.0
As the analysis above shows, a .so file that you dlopen from your own code is loaded into a different memory segment, so it cannot be hooked directly. You need the memory address of the .so that the target program loaded.
You can use base_addr + offset to get the address of the target method; base_addr is obtained by searching "/proc/self/maps".
This method of getting the address comes from Android inject:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void* get_module_base(int pid, const char* module_name)
    {
        FILE *fp;
        unsigned long addr = 0;
        char *pch;
        char filename[32];
        char line[1024];

        if (pid < 0) {
            /* self process */
            snprintf(filename, sizeof(filename), "/proc/self/maps");
        } else {
            snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
        }

        fp = fopen(filename, "r");
        if (fp != NULL) {
            while (fgets(line, sizeof(line), fp)) {
                /* the first line that mentions the module wins */
                if (strstr(line, module_name)) {
                    /* each line starts with "start-end"; parse the start as hex */
                    pch = strtok(line, "-");
                    addr = strtoul(pch, NULL, 16);
                    if (addr == 0x8000)
                        addr = 0;
                    break;
                }
            }
            fclose(fp);
        }
        return (void *) addr;
    }
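Because the same .so can show up as two separate load regions on Android 7.0, a lookup that stops at the first line containing the module name returns only one of the copies. The following is an added example, not code from the original post or from Android inject: it lists every offset-0 mapping of a module in a maps dump. The helper name find_module_bases, the sample maps text, and the assumption that each offset-0 mapping marks one loaded copy are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a maps file: libtarget.so is loaded twice. */
static const char SAMPLE_MAPS[] =
    "b6d00000-b6d10000 r-xp 00000000 fd:00 1234 /system/lib/libtarget.so\n"
    "b6d10000-b6d11000 rw-p 00010000 fd:00 1234 /system/lib/libtarget.so\n"
    "b6e40000-b6e44000 r-xp 00000000 fd:00 5678 /system/lib/libother.so\n"
    "b6f00000-b6f10000 r-xp 00000000 fd:00 1234 /system/lib/libtarget.so\n"
    "b6f10000-b6f11000 rw-p 00010000 fd:00 1234 /system/lib/libtarget.so\n"
    "b6f20000-b6f21000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n";

/* Hypothetical helper: store the start of every offset-0 mapping whose path
 * basename equals `module` (up to `max`); return how many were found. */
size_t find_module_bases(const char *maps, const char *module,
                         unsigned long *bases, size_t max)
{
    size_t found = 0;
    while (*maps) {
        const char *eol = strchr(maps, '\n');
        size_t len = eol ? (size_t)(eol - maps) : strlen(maps);
        char line[512], perms[5], path[256];
        unsigned long start, end, offset;
        if (len < sizeof(line)) {            /* skip over-long lines */
            memcpy(line, maps, len);
            line[len] = '\0';
            if (sscanf(line, "%lx-%lx %4s %lx %*s %*s %255s",
                       &start, &end, perms, &offset, path) == 5) {
                const char *name = strrchr(path, '/');
                name = name ? name + 1 : path;
                if (offset == 0 && strcmp(name, module) == 0) {
                    if (found < max) bases[found] = start;
                    found++;
                }
            }
        }
        maps += len + (eol ? 1 : 0);
    }
    return found;
}

int main(void)
{
    unsigned long bases[8];
    size_t n = find_module_bases(SAMPLE_MAPS, "libtarget.so", bases, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("libtarget.so copy %zu: base 0x%lx\n", i, bases[i]);
    return 0;
}
```

A count greater than one means the base address is ambiguous, so it has to be checked against the copy the target program actually uses. Matching on the basename also avoids the substring false positives that strstr allows.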
Reference blog:
How to hook the underlying dlopen and dlsym functions
The changes to dlopen in Android 7.0