Summary of .so injection on Android

Source: Internet
Author: User

/*
* Cockroach Number One
* Original link: http://www.sanwho.com/133.html
* Please credit the source when reprinting
*/

.so injection on Android is built on the ptrace system call, so to learn .so injection on Android you first need to understand how ptrace is used.

For ptrace usage, refer to the blog: http://blog.sina.com.cn/s/blog_4ac74e9a0100n7w1.html; you can also run the man ptrace command on Ubuntu to see the detailed description.

For hijacking the system calls of an Android process, refer to the blog: http://www.kanxue.com/bbs/showthread.php?t=180461, which gives a simple example of using ptrace on Android to monitor the system calls of a remote process.

Android is based on Linux, so code can be injected into a process through the ptrace system call just as on Linux. The ptrace injection process is generally as follows:

(1) Shellcode-based loading

[1] Write the shellcode: an assembly program that loads the .so library, looks up a function in the library, and executes it.

[2] Attach to the remote process via its PID.

[3] Read the remote process's register values and save them, so that the original state can be restored after the injection is complete.

[4] Get the addresses of mmap, dlopen and dlsym in the remote process.

[5] Call mmap in the remote process to allocate a block of memory, and write the shellcode, the .so library path and the function call parameters into that block.

[6] Execute the shellcode in the remote process.

[7] Restore the remote process's registers.

[8] Detach from the remote process.

For shellcode-based injection, see libinject, written by Furukawa (古河) of the Pediy (看雪) forum: http://bbs.pediy.com/showthread.php?t=141355

(2) Direct loading

[1] Attach to the remote process via its PID.

[2] Read the remote process's register values and save them, so that the original state can be restored after the injection is complete.

[3] Get the addresses of mmap, dlopen and dlsym in the remote process.

[4] Call mmap in the remote process to allocate a block of memory, and write the .so library path and the function call parameters into that block.

[5] Execute dlopen in the remote process to load the .so library.

[6] Execute dlsym in the remote process to get the address of the function in the .so library that needs to be executed.

[7] Execute that function in the remote process.

[8] Restore the remote process's registers.

[9] Detach from the remote process.

Current Android .so injection implementations are basically all based on Furukawa's libinject. For a .so injection project you can also refer to the open-source project by Wash Master: https://code.google.com/p/libandroidinjector/downloads/list. Wash Master's injector requires modifying the ELF file.

A small test library is provided to make it easy to check whether .so injection succeeded; its code is as follows:

#include <unistd.h>
#include <stdio.h>
#include <android/log.h>

#define LOG_TAG "Test"

/* Runs automatically when the library is loaded (e.g. by dlopen), so no
 * function of the library has to be called explicitly to confirm injection. */
__attribute__((constructor)) void inject() {
    __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, "Hello, I am injected.");
}

Description: if a function is given the constructor attribute, it is executed automatically before the main() function executes. So in a .so injection test, simply inject the library compiled from the code above and you can check (via the log output) whether it was injected into the remote process, without calling any function of the injected .so.
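As an added defensive counterpart to the procedures above (example code, not from the original post or from libinject): a ptrace-based injection leaves two traces in procfs, a non-zero TracerPid in /proc/<pid>/status while the injector is attached, and a new .so mapping in /proc/<pid>/maps after dlopen has run. The allowed library prefixes (/system/, /apex/, /vendor/) and the printed report format are assumptions; on a desktop Linux host the allowed list will differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed Android system-library prefixes; adjust for the target build. */
const char *const kAllowedPrefixes[] = { "/system/", "/apex/", "/vendor/" };
const size_t kAllowedCount = 3;

/* TracerPid from the text of /proc/<pid>/status: 0 = no ptrace tracer
 * attached, >0 = pid of the tracer, -1 = field not found. Note that an
 * injector that has already detached (step [8]) leaves this at 0 again. */
int parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

/* Counts lines of a /proc/<pid>/maps text that map a .so whose path does not
 * start with an allowed prefix. Anonymous and [anon:...] mappings are skipped. */
int count_unexpected_libs(const char *maps, const char *const *allowed, size_t n_allowed) {
    int unexpected = 0;
    while (*maps != '\0') {
        const char *end = strchr(maps, '\n');
        size_t len = end ? (size_t)(end - maps) : strlen(maps);
        const char *path = memchr(maps, '/', len);   /* path field starts at the first '/' */
        if (path != NULL) {
            size_t plen = len - (size_t)(path - maps), i;
            int allowed_lib = 0;
            for (i = 0; i < n_allowed; i++) {
                size_t alen = strlen(allowed[i]);
                if (plen >= alen && memcmp(path, allowed[i], alen) == 0) allowed_lib = 1;
            }
            if (plen > 3 && memcmp(path + plen - 3, ".so", 3) == 0 && !allowed_lib)
                unexpected++;
        }
        maps = end ? end + 1 : maps + len;
    }
    return unexpected;
}

/* Live check on the current process: a single fread on procfs reads until EOF. */
int main(void) {
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f);
             printf("TracerPid = %d\n", parse_tracer_pid(buf)); }
    f = fopen("/proc/self/maps", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f);
             printf("unexpected .so mappings = %d\n",
                    count_unexpected_libs(buf, kAllowedPrefixes, kAllowedCount)); }
    return 0;
}
```

Because the injector detaches at the last step, the TracerPid check only catches an injection in progress; the maps scan is what catches the library the test .so above leaves behind.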
