Modify Android phone kernel, bypass anti-debug

Source: Internet
Author: User
Tags: gz file

0x1. Mobile device environment

Model number: Nexus 5
OS version: Android 4.4.4 (KTU84P)
Kernel version: 3.4.0-gd59db4e

0x2. Extracting the Android kernel from the boot partition

First find the boot partition of the device. On devices with a Qualcomm SoC the partitions can be listed by name with the following commands:

    cd /home/androidcode/androiddevlop/modifynexus5boot
    adb shell
    ls -al /dev/block/platform/msm_sdcc.1/by-name

Check in that listing which mmcblk0pNN device the "boot" entry points to; on the Nexus 5 it is mmcblk0p19, but the number differs between devices. As root, dump the boot partition with dd into the phone's /sdcard directory, then pull it out to /home/androidcode/androiddevlop/modifynexus5boot:

    adb shell
    su
    dd if=/dev/block/mmcblk0p19 of=/sdcard/boot.img
    exit
    exit
    adb pull /sdcard/boot.img boot.img

Unpack boot.img with the abootimg tool; the zImage produced by unpacking is the Android kernel. abootimg is on GitHub at https://github.com/ggrandou/abootimg and can be installed directly with apt:

    sudo apt-get install build-essential abootimg
    abootimg -x boot.img
    ls -al

Unpacking yields bootimg.cfg, zImage and initrd.img; all three are needed again when the image is repacked later.

Copy zImage to a file named kernel.gz, open it in WinHex, search for the hex bytes 1F 8B 08 00 (the start of a gzip member: the two magic bytes, CM=8 for deflate, FLG=0) and delete everything in front of them, so that kernel.gz begins with a standard gzip stream and can be decompressed with the gunzip/gzip command. The data in front of the header is the zImage's own decompressor stub, not junk in the original, but it has to be removed before gzip will accept the file.

    cp ./zimage ./kernel.gz

Search for the bytes with WinHex, remove the data preceding them from kernel.gz, and save the trimmed file as kernel_new.gz. Then decompress the modified gzip file kernel_new.gz to get the raw kernel file kernel_new:

    gzip -d kernel_new.gz
    ls -al

gzip reports "decompression OK, trailing garbage ignored" (and exits with status 2) because the zImage contains more data after the end of the gzip member; that is expected, and kernel_new is still complete.

Tip: a gzip-format file can be decompressed with either the gzip command (gzip -d) or the gunzip command; they do the same thing. The options of gzip/gunzip are:

    $ gzip -h
    Usage: gzip [OPTION]... [FILE]...
    Compress or uncompress FILEs (by default, compress FILES in-place).

    Mandatory arguments to long options are mandatory for short options too.

      -c, --stdout      write on standard output, keep original files unchanged
      -d, --decompress  decompress
      -f, --force       force overwrite of output file and compress links
      -h, --help        give this help
      -k, --keep        keep (don't delete) input files
      -l, --list        list compressed file contents
      -L, --license     display software license
      -n, --no-name     do not save or restore the original name and timestamp
      -N, --name        save or restore the original name and timestamp
      -q, --quiet       suppress all warnings
      -r, --recursive   operate recursively on directories
      -S, --suffix=SUF  use suffix SUF on compressed files
      -t, --test        test compressed file integrity
      -v, --verbose     verbose mode
      -V, --version     display version number
      -1, --fast        compress faster
      -9, --best        compress better
          --rsyncable   make rsync-friendly archive

    With no FILE, or when FILE is -, read standard input.

For a description of the gzip file format and an analysis of the gzip source code, refer to the separate post on gzip file format parsing and source code for in-depth study.
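As an added example (not from the original post), the following Python script does the WinHex step automatically: it scans a zImage for the 1F 8B 08 gzip magic, discards candidates whose FLG byte has reserved bits set, and confirms a real hit by decompressing the member to its trailer with zlib. Besides the decompressed kernel it returns the member's start and end offsets in the file, which is exactly the range that has to be overwritten later when the patched kernel is written back. The zImage in it is constructed (a stub with two fake headers, a gzip member, trailing bytes), not a real one.

```python
"""Carve the gzip-compressed kernel out of an ARM zImage.

Added example, not the post's code: scan for gzip member headers and confirm
each candidate by decompressing it to its trailer. zlib reports where the
member ends (unused_data), which gives the exact byte range to remember for
writing a patched kernel back later.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate)
FLG_RESERVED = 0xE0            # bits 5-7 of FLG must be zero (RFC 1952)


def decompress_member(blob, start):
    """Try to decompress one gzip member beginning at `start`.

    Returns (payload, end) where `end` is the offset just past the member's
    8-byte trailer, or None if the data at `start` is not a complete member.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip wrapper, one member
    try:
        payload = d.decompress(blob[start:])
    except zlib.error:
        return None
    if not d.eof:            # header matched but no valid trailer was reached
        return None
    end = len(blob) - len(d.unused_data)
    return payload, end


def find_gzip_members(blob):
    """Return a list of (start, end, payload) for every real gzip member."""
    found = []
    pos = 0
    while True:
        pos = blob.find(GZIP_MAGIC, pos)
        if pos < 0 or pos + 10 > len(blob):      # 10 = fixed gzip header size
            break
        flg = blob[pos + 3]
        if flg & FLG_RESERVED == 0:              # cheap filter before inflating
            hit = decompress_member(blob, pos)
            if hit is not None:
                payload, end = hit
                found.append((pos, end, payload))
                pos = end
                continue
        pos += 1
    return found


def carve_kernel(zimage):
    """Return (start, end, kernel) for the largest gzip member in a zImage."""
    members = find_gzip_members(zimage)
    if not members:
        raise ValueError("no gzip member found in zImage")
    return max(members, key=lambda m: len(m[2]))


# --- constructed sample data (not a real zImage) ------------------------------
FAKE_KERNEL = bytes(range(256)) * 64          # stands in for the raw kernel
FAKE_GZ = gzip.compress(FAKE_KERNEL, mtime=0)
# decompressor stub containing two false positives: a magic with reserved FLG
# bits set, and a magic with FLG=0 followed by garbage instead of deflate data
FAKE_STUB = (b"\x00" * 0x40 + b"\x1f\x8b\x08\xff" + b"\x11" * 0x20
             + b"\x1f\x8b\x08\x00" + b"\x55" * 0x20)
FAKE_ZIMAGE = FAKE_STUB + FAKE_GZ + b"\x00" * 0x100   # bytes after the member

if __name__ == "__main__":
    start, end, kernel = carve_kernel(FAKE_ZIMAGE)
    print("gzip member at 0x%x..0x%x, kernel is %d bytes"
          % (start, end, len(kernel)))
```

On a real zImage read the file with open(path, "rb").read() and pass it to carve_kernel; the start offset is the value WinHex shows for 1F 8B 08 00, and end is one past the last byte of the gzip data.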

0x3. Reverse engineering and modifying the Android kernel file

Drag the extracted kernel file kernel_new into IDA Pro for analysis and set the processor type to ARM little-endian.

Enter 0xC0008000 for both the ROM start address and the loading address (the link address of the ARM kernel: PAGE_OFFSET 0xC0000000 plus the 0x8000 TEXT_OFFSET), then click OK.

IDA then shows the result in the screenshot: there are no function names, which makes locating code inconvenient, so the kernel symbols of the Android kernel need to be added.

To obtain all the kernel symbol information, the masking of kernel addresses can be turned off on the device, with root permissions, by changing the value of /proc/sys/kernel/kptr_restrict (the change is not persistent and is reset by a reboot):

    adb shell
    su
    # view the default value
    cat /proc/sys/kernel/kptr_restrict
    # turn off kernel symbol masking
    echo 0 > /proc/sys/kernel/kptr_restrict
    # view the modified value
    cat /proc/sys/kernel/kptr_restrict
    cat /proc/kallsyms

After masking has been turned off, running cat /proc/kallsyms again shows that the previously hidden addresses (displayed as 00000000 before) are now real.

Still as root, dump the kernel symbol information from the device and pull it to /home/androidcode/androiddevlop/modifynexus5boot/syms.txt. The kernel symbol information for the kernel file is then saved in syms.txt:

    # cat /proc/kallsyms > /sdcard/syms.txt
    # exit
    $ exit
    $ adb pull /sdcard/syms.txt syms.txt

We have now dumped the kernel symbol information, which will be useful: importing the symbols extracted above into IDA makes the corresponding function names visible. The following IDAPython script does it (the path is the author's own; each kallsyms line has the form "address type name", with the address in columns 0-7 and the name starting at column 11):

    import idaapi
    import idc

    # the author's local path to the pulled syms.txt
    ksyms = open(r"C:\Users\Fly2016\Desktop\Android kernel extraction and reverse\syms.txt")
    for line in ksyms:
        addr = int(line[0:8], 16)       # "c0008000 T stext": the first 8 hex digits
        name = line[11:].strip()        # name follows the type character and a space
        idaapi.set_debug_name(addr, name)
        idc.MakeNameEx(addr, name, idc.SN_NOWARN)
        idc.Message("%08x:%s\n" % (addr, name))
    ksyms.close()

Run the script in IDA via File -> Script command; the kernel symbol information is then added and IDA displays the correct function names.

The previously hidden kernel function names are now shown in IDA (see the screenshot).
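As an added example (not the post's IDAPython script): the script above slices each kallsyms line at fixed columns, which works for this dump but gives wrong names for lines that carry a module suffix and happily imports a dump taken while kptr_restrict was still set (every address 00000000). The standalone parser below splits on whitespace instead, rejects a masked dump, and filters the symbols down to in-image code and data before they would be handed to IDA. The kallsyms lines in it are constructed, not taken from the Nexus 5.

```python
"""Parse /proc/kallsyms output and sanity-check it before feeding it to IDA.

Added example, not the post's script. Handles `name [module]` lines, detects
the all-zero addresses produced while kptr_restrict is 1 or 2, and keeps only
symbol types that name code (T/t) or data (D/d, B/b, R/r, V/v, W/w).
"""
from collections import namedtuple

Sym = namedtuple("Sym", "addr type name module")

CODE_TYPES = set("Tt")          # text symbols
DATA_TYPES = set("DdBbRrVvWw")  # data, bss, rodata, weak


def parse_kallsyms(text):
    """Return a list of Sym records; malformed lines are skipped."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr_s, typ, name = parts[0], parts[1], parts[2]
        if len(addr_s) not in (8, 16):      # 32-bit or 64-bit kernel
            continue
        try:
            addr = int(addr_s, 16)
        except ValueError:
            continue
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append(Sym(addr, typ, name, module))
    return syms


def is_masked(syms):
    """True when every address is zero, i.e. kptr_restrict hid them."""
    return bool(syms) and all(s.addr == 0 for s in syms)


def names_for_ida(syms, base=0xC0008000, end=None):
    """Return {addr: name} for in-image code/data symbols.

    Module symbols, zero addresses and anything outside [base, end) are
    dropped; a later symbol at the same address wins, as in the IDA script.
    """
    out = {}
    for s in syms:
        if s.module or s.addr == 0 or s.addr < base:
            continue
        if end is not None and s.addr >= end:
            continue
        if s.type in CODE_TYPES or s.type in DATA_TYPES:
            out[s.addr] = s.name
    return out


# --- constructed sample (addresses invented, not a real Nexus 5 dump) ---------
SAMPLE_OK = """\
c0008000 T stext
c0008000 T _text
c0100000 t proc_pid_status
c0100200 t task_state
c0800000 D init_task
c0900000 B __bss_start
bf000000 t helper_fn\t[wlan]
"""

SAMPLE_MASKED = """\
00000000 T stext
00000000 t proc_pid_status
"""

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_OK)
    if is_masked(syms):
        raise SystemExit("addresses are masked; set kptr_restrict to 0 and dump again")
    for addr, name in sorted(names_for_ida(syms).items()):
        print("%08x %s" % (addr, name))
```

Inside IDA the dictionary returned by names_for_ida can be applied with the same set_debug_name/MakeNameEx calls the post's script uses; the point of the pre-filtering is that a masked or module-polluted dump is caught before thousands of bogus names land in the database.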

Now to modifying the kernel to bypass anti-debugging. Many Android packers ("reinforcement" products) read the current process's /proc/pid/status and use it to decide whether the process is being debugged. When the process is attached by a debugger, cat /proc/self/status shows the state in the screenshot. The most common Android anti-debugging check looks at the TracerPid line: it is 0 when the process is not being debugged and non-zero (the PID of the tracer) when it is, and that difference is used to detect the debugger.

The kernel modification described here only deals with the TracerPid value. To really get past the anti-debugging of a particular packer one still has to start from that packer's detection code, and some packers may also check the difference in the State line (S (sleeping) versus t (tracing stop)). Patching the kernel binary depends on the open-source kernel code: without it there is no way to know where in the binary the value written to /proc/pid/status is produced. The modification below is therefore made by comparison with the implementation in the Android kernel source file /kernel/msm/fs/proc/array.c. The code in that file that produces the TracerPid value is:

    /*
     * The task state array is a strange "bitmap" of
     * reasons to sleep. Thus "running" is zero, and
     * you can test for combinations of others with
     * simple bit tests.
     */
    static const char * const task_state_array[] = {
        "R (running)",          /*   0 */
        "S (sleeping)",         /*   1 */
        "D (disk sleep)",       /*   2 */
        "T (stopped)",          /*   4 */
        "t (tracing stop)",     /*   8 */
        "Z (zombie)",           /*  16 */
        "X (dead)",             /*  32 */
        "x (dead)",             /*  64 */
        "K (wakekill)",         /* 128 */
        "W (waking)",           /* 256 */
    };

    static inline const char *get_task_state(struct task_struct *tsk)
    {
        unsigned int state = (tsk->state & TASK_REPORT) | tsk->exit_state;
        const char * const *p = &task_state_array[0];

        BUILD_BUG_ON(1 + ilog2(TASK_STATE_MAX) != ARRAY_SIZE(task_state_array));

        while (state) {
            p++;
            state >>= 1;
        }
        return *p;
    }

    static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
                                  struct pid *pid, struct task_struct *p)
    {
        struct group_info *group_info;
        int g;
        struct fdtable *fdt = NULL;
        const struct cred *cred;
        pid_t ppid, tpid;

        rcu_read_lock();
        ppid = pid_alive(p) ?
            task_tgid_nr_ns(rcu_dereference(p->real_parent), ns) : 0;
        tpid = 0;
        if (pid_alive(p)) {
            struct task_struct *tracer = ptrace_parent(p);
            if (tracer)        /* the place to look for when reversing the kernel binary */
                tpid = task_pid_nr_ns(tracer, ns);
        }
        cred = get_task_cred(p);
        seq_printf(m,
            "State:\t%s\n"
            "Tgid:\t%d\n"
            "Pid:\t%d\n"
            "PPid:\t%d\n"
            "TracerPid:\t%d\n"
            "Uid:\t%d\t%d\t%d\t%d\n"
            "Gid:\t%d\t%d\t%d\t%d\n",
            get_task_state(p),
            task_tgid_nr_ns(p, ns),
            pid_nr_ns(pid, ns),
            ppid, tpid,
            cred->uid, cred->euid, cred->suid, cred->fsuid,
            cred->gid, cred->egid, cred->sgid, cred->fsgid);

        task_lock(p);
        if (p->files)
            fdt = files_fdtable(p->files);
        seq_printf(m,
            "FDSize:\t%d\n"
            "Groups:\t",
            fdt ? fdt->max_fds : 0);
        rcu_read_unlock();

        group_info = cred->group_info;
        task_unlock(p);

        for (g = 0; g < min(group_info->ngroups, NGROUPS_SMALL); g++)
            seq_printf(m, "%d ", GROUP_AT(group_info, g));
        put_cred(cred);

        seq_putc(m, '\n');
    }

From the kernel source above we know exactly what to modify: tpid starts at 0 and is only overwritten with the tracer's PID when ptrace_parent() returns a tracer, so the check on tracer is the place to patch.

Knowing where the code lives in the source, the next step is finding it in the kernel binary. In IDA, search the strings (Shift+F12) for "TracerPid" to find the format string from the seq_printf call above.

Following the cross-references to that string leads to the code location we need to focus on.

With IDA's F5 (decompiler) view it is easy to recognise the code that sets the TracerPid value depending on the debug state.

Looking closely in IDA's disassembly view, the ARM assembly instructions at that location are the ones that matter.

Reverse-analysing the code flow shows that the conditional branch ROM:C02BA5C0 EC FE FF 0A BEQ jmp_c02ba178 only needs to be made unconditional, so that execution always continues at C02BA178 and the code that loads the tracer's PID into tpid never runs; TracerPid then always stays 0 and the anti-debugging check is bypassed. In the ARM encoding the condition code is the top four bits of the 32-bit instruction word, which is the last byte in memory, so the whole patch is changing the 0A (EQ) of EC FE FF 0A to EA (AL). The bytes were changed with IDA's patch function (Edit -> Patch program); the modified code is shown in the screenshot.

Comparison of the code in the kernel file kernel_new before and after the change:

0x4. Flashing the modified kernel back to the device

Compress the modified kernel file kernel_new with gzip to get the compressed file kernel_new.gz:

    # -n, --no-name   do not save or restore the original name and timestamp
    # -f, --force     force overwrite of output file and compress links
    # -9, --best      compress better
    gzip -n -f -9 kernel_new

Use WinHex to write the binary contents of kernel_new.gz over the original zImage, starting at the 1F 8B 08 00 header and ending where the original gzip data ended. The new kernel_new.gz must be no larger than the gzip data it replaces, the size of zImage must not change, and nothing after the gzip data in zImage may be modified, otherwise things become very troublesome. The result is the modified zImage. If that sentence is hard to follow, it becomes clear from the example given by the author Lcweik:

In that example kernel_new.gz is 0x6AB190 bytes long and the 1F 8B 08 00 header is at offset 0x48B4 of zImage, so in zImage the gzip data starts at offset 0x48B4 and ends at offset 0x6AFA43. Use WinHex to select the range 0x48B4~0x6AFA43 in zImage and overwrite it with the entire contents of kernel_new.gz, that is, start overwriting at the byte after offset 0x48B3.

Repack the unpacked boot image with the abootimg tool:

    abootimg --create myboot.img -f bootimg.cfg -k zimage -r initrd.img

Flash the repacked image file myboot.img to the device:

    adb reboot bootloader
    fastboot flash boot myboot.img
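Writing the new kernel back, as an added example rather than the post's WinHex procedure. It assumes the kernel's load address is 0xC0008000 (so file offset = VA - 0xC0008000), that the gzip member's start and end offsets in zImage were recorded when the kernel was carved out, and that the zImage decompressor ignores bytes after the gzip trailer, so a smaller replacement member can be zero-padded to the old length to keep the zImage size unchanged (the post's own constraint). The byte patch is the BEQ -> B change from 0x3; the kernel image and zImage here are constructed, with the branch word placed at the address the post gives.

```python
"""Patch the raw kernel at a virtual address, recompress it and splice it
back into zImage without changing the zImage size.

Added example, not the post's code. Assumptions: load base 0xC0008000, the
old gzip member's [gz_start, gz_end) range is known, and trailing zero
padding after the gzip trailer is harmless to the decompressor.
"""
import gzip
import zlib

LOAD_BASE = 0xC0008000


def patch_va(kernel, va, expect, new, base=LOAD_BASE):
    """Replace `expect` with `new` at virtual address `va`.

    Refuses to touch anything unless the bytes there are exactly what the
    disassembly showed, which catches a wrong base or a wrong address.
    """
    if len(expect) != len(new):
        raise ValueError("patch must not change the instruction length")
    off = va - base
    if off < 0 or off + len(expect) > len(kernel):
        raise ValueError("address 0x%x is outside the image" % va)
    have = kernel[off:off + len(expect)]
    if have != expect:
        raise ValueError("bytes at 0x%x are %s, expected %s"
                         % (va, have.hex(), expect.hex()))
    return kernel[:off] + new + kernel[off + len(new):]


def recompress(kernel):
    """Equivalent of `gzip -n -9`: no name or timestamp, best compression."""
    return gzip.compress(kernel, compresslevel=9, mtime=0)


def splice(zimage, gz_start, gz_end, new_gz):
    """Write new_gz over the old member and zero-pad to the old length."""
    room = gz_end - gz_start
    if len(new_gz) > room:
        raise ValueError("new gzip member is %d bytes too large for the slot"
                         % (len(new_gz) - room))
    pad = b"\x00" * (room - len(new_gz))
    return zimage[:gz_start] + new_gz + pad + zimage[gz_end:]


def member_payload(zimage, gz_start):
    """Decompress the gzip member at gz_start; padding after it is ignored."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(zimage[gz_start:])


# --- constructed sample: a "kernel" of ARM NOPs with the post's BEQ at its VA ---
BEQ = bytes.fromhex("ecfeff0a")     # BEQ at ROM:C02BA5C0 as shown in IDA
B_AL = bytes.fromhex("ecfeffea")    # the same branch made unconditional
PATCH_VA = 0xC02BA5C0
NOP = b"\x00\xf0\x20\xe3"           # ARM NOP (E320F000), little-endian
FAKE_KERNEL = NOP * ((PATCH_VA - LOAD_BASE) // 4) + BEQ + NOP * 0x400
ORIG_GZ = recompress(FAKE_KERNEL)
GZ_START = 0x48B4                   # header offset from the post's example
SLOT_SLACK = 0x100                  # constructed: the slot is larger than the member
FAKE_ZIMAGE = (b"\x11" * GZ_START + ORIG_GZ + b"\x00" * SLOT_SLACK
               + b"\x22" * 0x80)    # bytes after the member must stay intact
GZ_END = GZ_START + len(ORIG_GZ) + SLOT_SLACK

if __name__ == "__main__":
    patched = patch_va(FAKE_KERNEL, PATCH_VA, BEQ, B_AL)
    new_zimage = splice(FAKE_ZIMAGE, GZ_START, GZ_END, recompress(patched))
    print("zImage size unchanged:", len(new_zimage) == len(FAKE_ZIMAGE))
```

The expect-bytes check in patch_va is the step WinHex does not give you: if the load base entered in IDA was wrong, the file offset is wrong too, and the patch would silently land somewhere else in the image.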

0x5. Directly modifying the binary of the Android kernel is dangerous and can easily brick the device. If the device does end up bricked, simply flash the original boot.img backed up in the earlier steps back onto it:

    adb reboot bootloader
    fastboot flash boot boot.img

0x6. Summary of reverse-modifying the Android kernel

This post mainly follows the reference "Reverse modification of the phone kernel, bypassing anti-debugging"; the original author's method is very detailed, but my steps differ from the original author's in a few places.

1. The way the target code and target function are found differs. The original author turns off the kernel symbol masking on the device, obtains the addresses of the key functions proc_pid_status and the function it calls that gets the debugger's PID, and uses those addresses in IDA to locate the critical code that needs reverse analysis.

2. The way the binary code is modified to bypass the anti-debugging also differs slightly from the original author's; the original author's modification is as shown in the screenshot.

3. Following the author's steps, the modified Android kernel successfully bypasses the anti-debugging detection, but following my own improved procedure the kernel modification succeeded and the phone bricked straight away on reboot after flashing, haha. To tell the truth, reverse-modifying the kernel to bypass anti-debugging only provides a way of thinking; the actual work is thankless, and to really get around this kind of detection other places need modifying too, which is not convenient. For an anti-debugging check as plain as this one, patching memory by hand is also a very simple thing.

0x7. Computing the offset of ARM BL instructions

For how the BL class of instructions is encoded in ARM assembly and how the offset is calculated, refer to "[Help] the machine code corresponding to the ARM BL instruction" and "Calculation rule for the offset of the ARM BL/BLX jump instructions". The modification in the procedure above is to a B-class conditional jump instruction. Two reminders: 1. make good use of IDA's option to display the machine code of ARM instructions (Options -> General -> Disassembly -> Number of opcode bytes); 2. ARM instructions are stored in memory little-endian.
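An added example (not the post's code) for the branch arithmetic referred to in 0x3 and 0x7: decoding the target of an ARM-mode B/BL from its little-endian machine word, changing its condition code, and encoding a new branch from scratch. It assumes ARM (A32) encoding, not Thumb, where the target is PC + 8 + (imm24 << 2) with imm24 sign-extended, and it reads back the BEQ from the post to check itself.

```python
"""Decode, recondition and encode ARM (A32) B/BL instructions.

Added example, not the post's code. 32-bit words are stored little-endian in
the kernel image, the condition code is bits 31..28, bits 27..25 are 101 for
B/BL, bit 24 is the link bit, and the target is PC+8 + sign_extend(imm24)*4.
"""
import struct

COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]
COND_EQ, COND_NE, COND_AL = 0x0, 0x1, 0xE


def word_from_bytes(b):
    """Four little-endian bytes as shown in a hex editor -> instruction word."""
    return struct.unpack("<I", b)[0]


def bytes_from_word(w):
    return struct.pack("<I", w)


def is_branch(word):
    """True for B/BL (bits 27..25 == 101); cond 0xF would be BLX imm."""
    return (word >> 25) & 0x7 == 0x5 and (word >> 28) != 0xF


def branch_cond(word):
    return word >> 28


def branch_target(addr, word):
    """Absolute target of the B/BL located at `addr`."""
    if not is_branch(word):
        raise ValueError("0x%08x is not a B/BL" % word)
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:           # sign-extend the 24-bit field
        imm24 -= 0x01000000
    return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF


def set_cond(word, cond):
    """Keep the branch and its offset, replace only the condition code."""
    return (word & 0x0FFFFFFF) | (cond << 28)


def encode_branch(addr, target, link=False, cond=COND_AL):
    """Build a B/BL at `addr` that jumps to `target`."""
    off = target - (addr + 8)
    if off & 3 or not -0x2000000 <= off < 0x2000000:
        raise ValueError("target 0x%08x not reachable from 0x%08x" % (target, addr))
    imm24 = (off >> 2) & 0x00FFFFFF
    return (cond << 28) | (0x5 << 25) | (int(link) << 24) | imm24


def disasm_branch(addr, word):
    mnem = "BL" if word & (1 << 24) else "B"
    return "%s%s 0x%08x" % (mnem, COND_NAMES[branch_cond(word)],
                            branch_target(addr, word))


# values from the post: the BEQ at ROM:C02BA5C0 is stored as EC FE FF 0A
ORIG = bytes.fromhex("ecfeff0a")
ADDR = 0xC02BA5C0

if __name__ == "__main__":
    w = word_from_bytes(ORIG)
    print(disasm_branch(ADDR, w))                            # BEQ 0xc02ba178
    print(bytes_from_word(set_cond(w, COND_AL)).hex())        # ecfeffea
```

The same functions give the other patch strategies for the tracer check: set_cond(w, COND_NE) would invert the test instead of forcing it, and encode_branch lets you redirect a BL to a different function if the fix has to be placed elsewhere in the image.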

