Android Native program reverse entry (1)-Native program startup process, androidnative

Source: Internet
Author: User


In August, the sun was yellow. Who said the world is not gold? The little birds nap in the shade, and the children roll in the grass. In August, the sun was yellow. Who said the world is not gold? The golden forests, the golden grass, and the birds play a pleasant voice: The Golden huts, the golden masayun, and the Golden laughter of the old peasants. -- Sun of Xu Zhimo in August

Ilocker: Follow Android Security (New entry, 0 basics) QQ: 2597294287

When a native program is built, a linker script is supplied at the link stage, and that script specifies the program's entry function.


As you can see, in the default linker script armelf_linux_eabi.x the entry function is specified as "_start".

Search for ldscripts in the NDK directory; all the linker scripts live there.

The _start function is defined in crtbegin.c (in the libc directory of bionic).


_start in turn calls __libc_init, passing the address of the main function as a parameter.

Look at the source of __libc_init (in libc_init_static.cpp under the libc directory of bionic):


__libc_init performs initialization, runs the functions in preinit_array and init_array, and then calls the main function that was passed in as a parameter.
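The hand-off order just described (preinit_array first, then init_array, then main) can be observed directly. The following is an added example, not code from the original post or from bionic: a desktop Linux/glibc C program that registers one function in each table and records the order in which the C runtime runs them. The names preinit_hook, init_ctor, startup_order and g_order are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the post or bionic). On glibc the startup code walks the
 * same two tables __libc_init walks on Android: .preinit_array, then .init_array
 * (where __attribute__((constructor)) functions land), and only then main.
 * Each stage appends its name to g_order so the order can be checked at runtime. */

static char g_order[64];

static void record(const char *stage) {
    strncat(g_order, stage, sizeof g_order - strlen(g_order) - 1);
}

static void preinit_hook(void) { record("preinit;"); }

/* A function pointer placed in .preinit_array; honoured only in executables,
 * never in shared objects, and run before every .init_array entry. */
static void (*preinit_entry)(void) __attribute__((section(".preinit_array"), used)) = preinit_hook;

/* The portable way to get an .init_array entry. */
__attribute__((constructor)) static void init_ctor(void) { record("init;"); }

/* The order observed so far, e.g. "preinit;init;" when queried at the start of main. */
const char *startup_order(void) { return g_order; }

int main(void) {
    record("main;");
    printf("%s\n", startup_order());   /* expected: preinit;init;main; */
    return 0;
}
```

Compile with gcc and run; it prints preinit;init;main;. Because these tables run before main, they are exactly where a reverse engineer looks for initialization (or anti-analysis) code in a native binary, and readelf -S shows whether a binary carries them at all.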

The description above applies to statically linked programs; dynamically linked programs differ slightly.

For dynamic linking (-Bdynamic on the gcc command line), the generated executable stores the interpreter's file path in the .interp section. The default is "/system/bin/linker".

When a dynamically linked program is executed, the system parses the ELF file and finds the program interpreter stored in .interp, that is, the Android linker. The linker is executed first: it loads the program's chain of .so dependencies and then transfers control to the executable.

The linker's own entry function _start is not in crtbegin.c but in the begin.S file of the linker source.


It calls __linker_init, which bootstraps the linker itself (self-relocation and initialization) and finally returns the address of the original native program's entry function (taken from the native program's ELF header).
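The two ELF fields this section relies on, the interpreter path in .interp and the entry address in the ELF header, can be read with a few lines of C. The following is an added example, not the post's code and not part of bionic or the linker: a bounds-checked reader that pulls e_entry and the PT_INTERP path out of an ELF64 image in memory, equivalent to what readelf -h and readelf -l report. The sample image it builds (build_sample_image), the addresses in it and the function names elf64_entry, elf64_interp and sample_self_check are all constructed for the example.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the post or bionic: read e_entry (the address handed
 * to _start) and the PT_INTERP path ("/system/bin/linker" on Android) from an
 * ELF64 image, checking every offset against the image length first. */

/* Copy the ELF header out of the image; returns 0 unless it is a valid ELF64 header. */
static int read_ehdr(const uint8_t *img, size_t len, Elf64_Ehdr *eh) {
    if (len < sizeof *eh) return 0;
    memcpy(eh, img, sizeof *eh);                  /* memcpy: the image may be unaligned */
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0) return 0;
    return eh->e_ident[EI_CLASS] == ELFCLASS64;
}

/* Entry point (e_entry), or 0 when the image is not a valid ELF64 header. */
uint64_t elf64_entry(const uint8_t *img, size_t len) {
    Elf64_Ehdr eh;
    return read_ehdr(img, len, &eh) ? eh.e_entry : 0;
}

/* Locate PT_INTERP and copy its path into out as a NUL-terminated string.
 * Returns 1 on success, 0 when there is no interpreter (static executable) or
 * the program header table or the path lies outside the image. */
int elf64_interp(const uint8_t *img, size_t len, char *out, size_t outlen) {
    Elf64_Ehdr eh;
    if (outlen == 0 || !read_ehdr(img, len, &eh)) return 0;
    if (eh.e_phentsize < sizeof(Elf64_Phdr)) return 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off > len || len - off < sizeof(Elf64_Phdr)) return 0;          /* table truncated */
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_INTERP) continue;
        if (ph.p_offset > len || len - ph.p_offset < ph.p_filesz) return 0; /* path truncated */
        size_t n = ph.p_filesz < outlen ? (size_t)ph.p_filesz : outlen - 1;
        memcpy(out, img + ph.p_offset, n);
        out[n] = '\0';                            /* do not trust the file to NUL-terminate */
        return 1;
    }
    return 0;
}

/* Constructed sample: ELF64 header, one PT_LOAD, one PT_INTERP and the interpreter
 * string laid out back to back. Returns the image size, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    static const char interp[] = "/system/bin/linker";
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    size_t str_off = sizeof eh + sizeof ph, total = str_off + sizeof interp;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_AARCH64; eh.e_version = EV_CURRENT;
    eh.e_entry = 0x400500;                        /* constructed _start address */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_vaddr = 0x400000;
    ph[0].p_filesz = ph[0].p_memsz = total; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_INTERP; ph[1].p_flags = PF_R; ph[1].p_offset = str_off;
    ph[1].p_vaddr = 0x400000 + str_off; ph[1].p_filesz = ph[1].p_memsz = sizeof interp;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + str_off, interp, sizeof interp);
    return total;
}

/* Self-check on the constructed sample: 1 when every expected value reads back. */
int sample_self_check(void) {
    uint8_t buf[256]; char path[64];
    size_t n = build_sample_image(buf, sizeof buf);
    if (n == 0 || elf64_entry(buf, n) != 0x400500) return 0;
    if (!elf64_interp(buf, n, path, sizeof path) || strcmp(path, "/system/bin/linker") != 0) return 0;
    if (elf64_interp(buf, n - 5, path, sizeof path) != 0) return 0;   /* truncated path rejected */
    if (elf64_entry(buf, 10) != 0) return 0;                           /* too short for a header */
    return 1;
}

int main(int argc, char **argv) {
    uint8_t sample[256], *img = sample;
    size_t len = build_sample_image(sample, sizeof sample);
    if (argc > 1) {                               /* optional: inspect a real ELF64 file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        img = malloc(sz > 0 ? (size_t)sz : 1);
        len = img ? fread(img, 1, (size_t)sz, f) : 0;
        fclose(f);
    }
    char interp[256];
    printf("entry: 0x%llx\n", (unsigned long long)elf64_entry(img, len));
    if (elf64_interp(img, len, interp, sizeof interp)) printf("interpreter: %s\n", interp);
    else printf("no PT_INTERP (static executable, truncated image, or not ELF64)\n");
    if (img != sample) free(img);
    return 0;
}
```

Run it with the path of an ELF64 file to inspect a real binary; with no argument it inspects the constructed sample. A statically linked executable has no PT_INTERP, so elf64_interp returns 0 for it, which matches the post's point that only dynamically linked programs go through the linker before _start.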

mov pc, r0 then jumps to the native program's entry function (_start), and from there execution proceeds as described above: _start calls __libc_init. For a dynamically linked program __libc_init is defined in libc_init_dynamic.cpp (the statically linked program's __libc_init is defined in libc_init_static.cpp).


It is simpler than the statically linked program's __libc_init because part of the initialization has already been done by the linker.

Summary: the entry function of both statically and dynamically linked native programs is _start. Before a dynamically linked program's _start runs, the linker must load its dependent libraries and perform initialization.

Learning Materials: Android software security and Reverse Analysis
