Attack Android injection "3", attack android "3"
I continue to detail the technical solution for Injection through ptrace in "II". In this chapter, I will introduce a unique Injection Technology on Android, named -- Component Injection. As the name suggests, this method is related to Android components. For details, see the following description.
The principle of Component Injection is described as follows in the android developer documentation for android: process:
android:process
The name of a process where all components of the application shoshould run. Each component can override this default by setting its own
process
Attribute.
By default, Android creates a process for an application when the first of its components needs to run. all components then run in that process. the name of the default process matches the package name set by
<manifest>
Element.
By setting this attribute to a process name that's shared with another application, you can arrange for components of both applications to run in the same process-but only if the two applications also share a user ID and be signed with the same certificate.
If the name assigned to this attribute begins with a colon (':'), a new process, private to the application, is created when it's needed. if the process name begins with a lowercase character, a global process of that name is created. A global process can be shared with other applications, cing resource usage.
From the description, we can find that when two applications have the same and identical shareduserID as their signatures, the android: process of only one component is the same, then the interaction between the two components can occur in the same process. The same process mentioned here is actually the effect of process injection.
Example 2 example 2 contains two parts of code: com. demo. host and com. demo. inject. Their code is very simple, as shown below:
Com. demo. host: Check the configuration of manifest. xml of the host.
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.demo.host" android:sharedUserId="com.demo" android:versionCode="1" android:versionName="1.0" > <application android:name=".DemoApplication" android:allowBackup="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:process="com.demo" android:theme="@style/AppTheme" > <activity android:name=".MainActivity" > <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter> </activity> </application> <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="9" /></manifest>
Key code
package com.demo.host;import android.app.Activity;import android.content.ContentResolver;import android.net.Uri;import android.os.Bundle;import android.util.Log;/** * * @author boyliang * */public final class MainActivity extends Activity {private static int sA = 1;public static void setA(int a) {sA = a;}public static int getA() {return sA;}@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);ContentResolver resolver = getContentResolver();Uri uri = Uri.parse("content://demo_contentprovider");resolver.query(uri, null, null, null, null);new Thread() {public void run() {while (true) {Log.i("TTT", "" + getA());setA(getA() + 1);try {Thread.sleep(1000);} catch (InterruptedException e) {e.printStackTrace();}}};}.start();}}
When the host is started, it immediately calls the ContentResolver query, which is the ContentProvider component in Inject.
Com. demo. injectmanifest. xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.demo.inject" android:sharedUserId="com.demo" android:versionCode="1" android:versionName="1.0" > <application android:allowBackup="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:process="com.demo" android:theme="@style/AppTheme" > <provider android:name=".DemoContentProvider" android:authorities="demo_contentprovider" android:exported="false" /> </application> <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="9" /></manifest>
Key code
<span style="white-space:pre"></span>@Overridepublic Cursor query(Uri arg0, String[] arg1, String arg2, String[] arg3, String arg4) {final Timer timer = new Timer("demo");timer.schedule(new TimerTask() {@Overridepublic void run() {try {Log.i("TTT", ">>>>>>>>>>>>>I am in, I am a bad boy!!!!<<<<<<<<<<<<<<\n");//Class<?> MainActivity_class = Class.forName("com.demo.host.MainActivity");Context context = ContexHunter.getContext();ClassLoader classloader = context.getClass().getClassLoader();Class<?> MainActivity_class = classloader.loadClass("com.demo.host.MainActivity");Method setA_method = MainActivity_class.getDeclaredMethod("setA", int.class);setA_method.invoke(null, 998);} catch (Exception e) {e.printStackTrace();}timer.cancel();}}, 5000);return null;}
In inject, after the query is called, wait for 5 s and then call the MainActivity. setA method of the host through reflection to modify the printed value.
By bypassing the ClassLoader parent-parent delegation, careful friends will find that in the inject code, the MainActivity Class is not obtained directly through the Class. forName ("com. demo. host. mainActivity ") is obtained, but the global Context (Application Object) is obtained first, and then its ClassLoader is called to obtain it indirectly. Why? I know that every class in Java is loaded through the Parent-Child delegation mechanism. For details, see http://blog.csdn.net/xyang81/article/details/7292.pdf:
When we try to find MainActivity THROUGH Class. forNmae in DemoContentProvider, ClassNotFoundException will inevitably be thrown. The only feasible solution is to find the PathClassLoader of the host and then find the MainActivity through this ClassLoader. The variables we need to find must meet the following conditions:
- This variable must be generated by the host;
- This variable must be global, and its reference will be saved in BootClassLoader (that is, a reference in Android SDK );
- It can be read through the reflection mechanism;
Naturally, I think of the host Application object. By reading the source code, we can find that the Application object can be read in the following way:
- For System_Process, you can obtain
Context context = ActivityThread.mSystemContext
- If it is a non-System_Process (a common Android process), you can obtain
Context context = ((ApplicationThread)RuntimeInit.getApplicationObject()).app_obj.this$0
After understanding the above principles, let's look at the output of the example:
I/TTT ( 633): com.demo.inject starts.I/TTT ( 633): com.demo.host startsI/TTT ( 633): 1I/TTT ( 633): 2I/TTT ( 633): 3I/TTT ( 633): 4I/TTT ( 633): 5I/TTT ( 633): >>>>>>>>>>>>>I am in, I am a bad boy!!!!<<<<<<<<<<<<<<I/TTT ( 633): 998I/TTT ( 633): 999I/TTT ( 633): 1000I/TTT ( 633): 1001I/TTT ( 633): 1002I/TTT ( 633): 1003
From the first two lines, we can see that both components run in the same process. Since 5th seconds, the printed data has changed, proving that our injection logic has taken effect. The sample code in this article, you can go to the example. However, if it is used in combination with the MaskterKey vulnerability, the effect is amazing. We know that the Zygote process will receive commands from system_process. The key information includes uid, gid, gids, classpath, runtime-init, and so on, this information determines the container loaded by the Zygote sub-process and the uid of the sub-process.
Through the MasterKey vulnerability, we can forge the system's Setting package. The configuration of Setting and system_process exactly meets the ComponentInjection condition I mentioned. Therefore, this method can be injected into the system_process process, control the parameters passed to Zygote. Classpath and runtime-init are the configurations for loading containers, classpath is the path to a dex file, and runtime-init is the class name of its main function, by specifying the container for each App, you can cleverly control the processes of all common users.
LBE used this technology to implement active defense.
This chapter introduces a unique Android injection technology, and uses some tips to bypass Java's dual-parent delegation mechanism. In addition, you can easily find the method of the Application object, which can be crucial in Android development. In the next "4", I will introduce in detail how to use JNI to obtain the JNIEnv pointer, and then use JNI to find DexCloassLoader to load the DEX file.
I know about the attacking giants.
Mountain O group or fellow group:
The chance of death from the armor of Arni is almost nonexistent.
You Neil rushed into the giant group to save Hoover and Reena. The three were missing outside the wall.
The purpose of kidnapping Allen is to say that you need the power of Alan! I did not explain it.
Why can it become a giant?
There are two types of giant chemicals. The first one is typical of Allen and is injected with giant chemicals.
The second is a typical example of unil. After being transformed into a giant, it is restored to humans.
According to the speculation of the Investigation Corps, brainless giants are likely to be humans. It was transformed into a giant by a beast giant!
Where did Alan's father go?
Whereabouts unknown! Dad is a giant researcher. If he doesn't die, he must be preparing for the Giants and thinking personally.
Why are there giants in the walls?
In the case of the mountain Olympics group, the Investigation Corps said that when Maria fell into the army, she entered.
The brainless giant appeared after he climbed into the wall,
So I guess the villagers in your home village have been turned into giants.
Conway's testimony shows that a giant's face looks like she's mom.
The cartoon is not decrypted yet! Still in encryption mode,
Only reveal the story of hyrista. Recently, comics may reveal related secrets.
The story of the attacking giant after Episode 11
Ah, what they said is complicated. In fact, it is a virus that was previously made by humans. It will make people a giant, but it fails. It has infected many people and has no consciousness, alan, they inject the virus of success. The Giants who eat people are actually the ones who were infected before. Alan turned into a giant and attacked the woman. Then, after being preached by someone, he recovered his consciousness, and then block the hole with the rock. It's that simple.