Xposed Framework in Android: an analysis of how the Xposed-based unpacking tool Zjdroid works

Source: Internet
Author: User

I. Preface

In the previous article we showed how an Xposed module can hook the geo-location APIs to fake a device's position. This article looks at another use of the framework: simple unpacking ("shelling") of hardened apps. Strictly speaking Xposed itself does not unpack anything; the work is done by a module, and Xposed only supplies the hooking that gets the module's code into the target process. The module examined here is the unpacking tool zjdroid. It is open source (https://github.com/halfkiss/ZjDroid), so we can read the code directly. Unfortunately only the Java layer is published; the native layer, which is where the most important work happens, is not. That does not matter much, and I will give a rough description of how the native part can be implemented as we go.


II. Analysis of the zjdroid principle

Let us go through the zjdroid source in detail. It is an Eclipse project and imports without trouble. From the earlier Xposed module we already know where to find the entry point: the module's entry class is recorded in the assets/xposed_init file:



We can go straight to that class:


As expected, it follows the standard pattern: the class implements the IXposedHookLoadPackage interface and overrides the handleLoadPackage callback. Next we look at the entry class, ModuleContext:


Here it hooks Application.onCreate. Almost every app passes through this method once at startup, so it is a sensible place to intercept. What happens after the hook fires is implemented in the ApplicationOnCreateHook class:


This is where the real interception begins: a BroadcastReceiver is registered. Because the hook runs in every app on the device, every app registers this receiver when it starts, and every app receives any later broadcast that carries the matching action. All of the core work is done after that broadcast arrives, so next we look at the receiver's definition:


Sure enough, the broadcast intent carries two pieces of data:

One is the target process ID. Its job is filtering: the broadcast is delivered to every app, but unpacking usually targets a single app, so only the process whose pid matches handles the command and the others ignore it.

The other is the command string. It lets one broadcast action support several functions; the analysis below shows there are indeed quite a few.

The receiver takes the command and builds a command-handler object, following the Command design pattern. Let us see which command handlers exist:


This method is where the supported command classes are created. Going through them one by one:

First command: dump_dexinfo

Gets information about the dex files currently loaded in the app's memory: DumpDexInfoCommandHandler

Looking inside the method:

The logic is fairly simple: reflection is used to reach every DexFile object the app has loaded. This is the same walk we met in the Android plugin-development articles: take the app's default class loader (a PathClassLoader), read its DexPathList, and from its dexElements pick out each DexFile object. The value read from each DexFile is its cookie (the mCookie field). This value matters because it is the basic input for the later commands: it is the handle by which the VM identifies the underlying dex file (on Dalvik it is the address of the native DexOrJar structure), and the VM uses it to find the parsed dex again on every later call.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"dump_dexinfo"}'

The broadcast is sent with am broadcast: --ei carries the target process ID as an int extra, and --es carries the command string as a string extra.
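The hook-and-dispatch structure described above, reduced to a working Xposed module with the dump_dexinfo handler included, as an added example written for this article (it is not zjdroid's own code). Assumed: the package name com.example.unpackmod and the class name UnpackModule (which would be listed in assets/xposed_init), and that org.json and the Xposed API (de.robv.android.xposed) are on the build path. The broadcast action, the target and cmd extras, the action name and the log tag follow the page.

```java
package com.example.unpackmod; // hypothetical package; the class name goes into assets/xposed_init

import android.app.Application;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Process;
import android.util.Log;

import java.lang.reflect.Field;
import java.util.Arrays;

import org.json.JSONObject;

import dalvik.system.DexFile;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class UnpackModule implements IXposedHookLoadPackage {
    static final String ACTION = "com.zjdroid.invoke";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Hook the base Application.onCreate. Hooking the base class catches every app, including
        // packers whose own Application subclass calls super.onCreate() after it has decrypted and
        // loaded the real dex. A subclass that never calls super.onCreate() would be missed.
        XposedHelpers.findAndHookMethod(Application.class, "onCreate", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                Application app = (Application) param.thisObject;
                app.registerReceiver(new CommandReceiver(lpparam.packageName), new IntentFilter(ACTION));
            }
        });
    }

    /** Receives the command broadcast; runs inside every app, acts only in the addressed pid. */
    static class CommandReceiver extends BroadcastReceiver {
        private final String tag;

        CommandReceiver(String packageName) {
            tag = "zjdroid-shell-" + packageName;
        }

        @Override
        public void onReceive(Context context, Intent intent) {
            // --ei target <pid>: every app gets the broadcast, only the target handles it.
            if (intent.getIntExtra("target", -1) != Process.myPid()) {
                return;
            }
            try {
                // --es cmd '{"action":"..."}': the action selects the handler (command pattern).
                JSONObject cmd = new JSONObject(intent.getStringExtra("cmd"));
                String action = cmd.getString("action");
                if ("dump_dexinfo".equals(action)) {
                    dumpDexInfo(context.getClassLoader());
                } else {
                    Log.e(tag, "unsupported action: " + action);
                }
            } catch (Exception e) {
                Log.e(tag, "command failed", e);
            }
        }

        /** dump_dexinfo: PathClassLoader -> DexPathList -> dexElements[] -> DexFile -> mCookie. */
        private void dumpDexInfo(ClassLoader loader) throws Exception {
            Object pathList = getField(loader, "pathList");           // declared in BaseDexClassLoader
            Object[] elements = (Object[]) getField(pathList, "dexElements");
            for (Object element : elements) {
                DexFile dexFile = (DexFile) getField(element, "dexFile");
                if (dexFile == null) {
                    continue; // resource-only or native-library entries carry no dex
                }
                // Dalvik stores an int (address of its DexOrJar), ART a long or a long[].
                Object cookie = getField(dexFile, "mCookie");
                String shown = cookie instanceof long[] ? Arrays.toString((long[]) cookie) : String.valueOf(cookie);
                Log.i(tag, "filepath=" + dexFile.getName() + " mCookie=" + shown);
            }
        }

        /** Reads a private field, searching superclasses so that pathList is found on a PathClassLoader. */
        private static Object getField(Object target, String name) throws NoSuchFieldException, IllegalAccessException {
            for (Class<?> c = target.getClass(); c != null; c = c.getSuperclass()) {
                try {
                    Field f = c.getDeclaredField(name);
                    f.setAccessible(true);
                    return f.get(target);
                } catch (NoSuchFieldException ignored) {
                    // not declared here, keep walking up the hierarchy
                }
            }
            throw new NoSuchFieldException(name);
        }
    }
}
```

Send the command from adb shell with am broadcast as shown above and read the result with adb logcat -s zjdroid-shell-<package>. Because the receiver is registered inside the target process, the module itself needs no permissions; the flip side is that the broadcast is unprotected, so on anything other than a test device any app could drive it.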


Second command: dump_dex

This is also an important command for unpacking: it dumps the dex file out of the app's memory: DumpDexFileCommandHandler

The handler first needs the path of the dex the data originally came from, i.e. the app's APK file, which is normally under /data/app/xxx.apk. From that it builds the output path for the dumped dex; from the source this is /data/data/xxx/files/dexdump.odex. Then the core dump code:

The core method here is native, and the tool does not publish the native code. From the parameters passed in, though, the underlying implementation should resolve the relevant functions from libdvm.so (or libart.so) and use the dex's cookie value to locate the in-memory dex data that is written out.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"dump_dex","dexpath":"*****"}'

The dexpath parameter is the dex file to unpack, i.e. the app's APK path as reported by dump_dexinfo.
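Before handing a dump to baksmali it is worth checking that it really contains a dex: the page says dexdump.odex is in odex format, and a dump_mem region may hold a dex at an arbitrary offset. The following is an added example for this article, not part of zjdroid, meant to run on the PC after adb pull: it skips the optimized-dex ("dey") container header when one is present, otherwise scans the buffer for dex magic, validates header_size and file_size, recomputes the Adler-32 checksum that the dex header stores, and writes every embedded dex out as its own file. Assumed: Java 7 or later and the dump file path passed on the command line; the header layout is the published dex/odex format.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.zip.Adler32;

/** Locates and validates dex files inside a memory or odex dump pulled from the device. */
public class DexDumpCheck {
    static final int DEX_HEADER_SIZE = 0x70;  // header_size field of every dex version so far

    public static final class Found {
        public final int offset;          // start of the "dex\n" header inside the dump
        public final String version;      // "035", "037", ...
        public final int fileSize;        // header.file_size
        public final boolean checksumOk;  // Adler-32 over bytes [offset+12, offset+fileSize)

        Found(int offset, String version, int fileSize, boolean checksumOk) {
            this.offset = offset; this.version = version; this.fileSize = fileSize; this.checksumOk = checksumOk;
        }
    }

    /** Scans the whole buffer; handles both an odex ("dey") container and raw memory. */
    public static List<Found> scan(byte[] dump) {
        ByteBuffer bb = ByteBuffer.wrap(dump).order(ByteOrder.LITTLE_ENDIAN);
        List<Found> out = new ArrayList<Found>();
        // Optimized container: 40-byte "dey\n036\0" header, dex_offset at +8, dex_length at +12.
        if (isMagic(dump, 0, "dey\n")) {
            Found f = validate(dump, bb, bb.getInt(8));
            if (f != null) out.add(f);
            return out;
        }
        // Raw memory: carve every plausible "dex\n0xx\0" header.
        for (int i = 0; i + DEX_HEADER_SIZE <= dump.length; i++) {
            if (isMagic(dump, i, "dex\n0") && dump[i + 7] == 0) {
                Found f = validate(dump, bb, i);
                if (f != null) {
                    out.add(f);
                    i += f.fileSize - 1; // dex files do not nest, so skip past this one
                }
            }
        }
        return out;
    }

    private static Found validate(byte[] dump, ByteBuffer bb, int off) {
        if (off < 0 || off + DEX_HEADER_SIZE > dump.length || !isMagic(dump, off, "dex\n")) return null;
        int fileSize = bb.getInt(off + 32);
        int headerSize = bb.getInt(off + 36);
        if (headerSize != DEX_HEADER_SIZE || fileSize < DEX_HEADER_SIZE || fileSize > dump.length - off) return null;
        Adler32 adler = new Adler32();
        adler.update(dump, off + 12, fileSize - 12);  // the checksum covers everything after the checksum field
        boolean ok = (int) adler.getValue() == bb.getInt(off + 8);
        String version = new String(dump, off + 4, 3, StandardCharsets.US_ASCII);
        return new Found(off, version, fileSize, ok);
    }

    private static boolean isMagic(byte[] b, int off, String magic) {
        if (off < 0 || off + magic.length() > b.length) return false;
        for (int i = 0; i < magic.length(); i++) {
            if (b[off + i] != (byte) magic.charAt(i)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        byte[] dump = Files.readAllBytes(Paths.get(args[0]));
        int n = 0;
        for (Found f : scan(dump)) {
            String name = args[0] + "." + (n++) + ".dex";
            Files.write(Paths.get(name), Arrays.copyOfRange(dump, f.offset, f.offset + f.fileSize));
            // A checksum mismatch on a memory dump is worth noting but not fatal: the runtime may have
            // rewritten instructions in place (quickening) or the packer may have patched the image.
            System.out.printf("%s: offset=0x%x version=%s size=%d checksum=%s%n",
                    name, f.offset, f.version, f.fileSize, f.checksumOk ? "ok" : "MISMATCH");
        }
    }
}
```

Run it as java DexDumpCheck dexdump.odex; each extracted .dex can then be given to baksmali. Rejecting a header whose file_size runs past the end of the buffer is what stops a truncated dump (a dump_mem length that was too short) from producing a file that looks valid but is not.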


Third command: backsmali

This command is similar to the previous one, with one more step on top: the dumped dex is converted into smali files. Since we can already get the dex file and run it through a baksmali tool on the PC, it is not described in detail here.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"backsmali","dexpath":"*****"}'

Again the dexpath parameter is the dex file to unpack, i.e. the app's APK path. The generated smali directory is placed under /data/data/xxx/smali.


Fourth command: dump_mem

Dumps a block of the app's runtime memory given a start address and a length: DumpMemCommandHandler

This method is also native, but the operation is simple. The address ranges mapped into the process are listed in /proc/[pid]/maps:

Find the mapping that contains the address, then copy the bytes out with memcpy.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"dump_mem","start":111,"length":23}'

Note that start and length are decimal here, not hexadecimal.


Fifth command: dump_heap

Dumps the VM's heap; the resulting file can be analysed with a Java heap tool. The implementation is again in the native layer and is presumably similar to the previous command, but for this one I have not worked out the specifics, sadly; if you know, please tell me!

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"dump_heap"}'
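The maps-lookup-then-copy procedure of dump_mem, together with one way to produce the dump_heap file, as an added example for this article and not zjdroid's native code. It runs inside the target process (for instance from the command receiver), reads the mapping list from /proc/self/maps, refuses ranges that are unmapped, unreadable or that cross the end of their mapping, and copies the bytes by reading /proc/self/mem through a RandomAccessFile instead of memcpy. For the heap it calls Android's own Debug.dumpHprofData, which is my suggestion for an implementation, not the tool's. Assumed: the app-private files directory is writable (it is) and the device's SELinux policy lets a process read its own /proc/self/mem.

```java
import android.content.Context;
import android.os.Debug;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.math.BigInteger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** In-process memory and heap dumping without native code. Runs inside the hooked app. */
public class MemDump {
    /** One /proc/self/maps line: "start-end perms offset dev inode [path]". */
    private static final Pattern MAPS_LINE =
            Pattern.compile("^([0-9a-f]+)-([0-9a-f]+)\\s+(\\S{4})\\s+\\S+\\s+\\S+\\s+\\S+\\s*(.*)$");

    public static final class Mapping {
        public final long start, end;
        public final String perms, path;

        Mapping(long start, long end, String perms, String path) {
            this.start = start; this.end = end; this.perms = perms; this.path = path;
        }
    }

    // BigInteger because kernel-side mappings (x86-64 vsyscall) exceed Long.MAX_VALUE as hex.
    private static long hex(String s) {
        return new BigInteger(s, 16).longValue();
    }

    /** Finds the mapping containing addr, or null if the address is not mapped. */
    public static Mapping findMapping(long addr) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader("/proc/self/maps"));
        try {
            String line;
            while ((line = in.readLine()) != null) {
                Matcher m = MAPS_LINE.matcher(line);
                if (!m.matches()) continue;
                long start = hex(m.group(1));
                long end = hex(m.group(2));
                if (addr >= start && addr < end) {
                    return new Mapping(start, end, m.group(3), m.group(4));
                }
            }
        } finally {
            in.close();
        }
        return null;
    }

    /** dump_mem: copies [start, start+length) to out; start and length are decimal in the command JSON. */
    public static long dumpMem(long start, long length, File out) throws IOException {
        Mapping map = findMapping(start);
        if (map == null || map.perms.charAt(0) != 'r') {
            throw new IOException("0x" + Long.toHexString(start) + " is not in a readable mapping");
        }
        if (start + length > map.end) {
            // Stop at the mapping boundary: a memcpy running into the gap would fault and kill the app.
            throw new IOException("range crosses the end of mapping " + map.path
                    + " at 0x" + Long.toHexString(map.end));
        }
        RandomAccessFile mem = new RandomAccessFile("/proc/self/mem", "r");
        FileOutputStream fos = new FileOutputStream(out);
        try {
            mem.seek(start);                 // the file offset of /proc/self/mem is the virtual address
            byte[] buf = new byte[64 * 1024];
            long copied = 0;
            while (copied < length) {
                int n = mem.read(buf, 0, (int) Math.min(buf.length, length - copied));
                if (n < 0) break;
                fos.write(buf, 0, n);
                copied += n;
            }
            return copied;
        } finally {
            fos.close();
            mem.close();
        }
    }

    /** dump_heap: the hprof written here is what MAT or the Android Studio profiler reads. */
    public static File dumpHeap(Context ctx) throws IOException {
        File out = new File(ctx.getFilesDir(), "dump.hprof");
        Debug.dumpHprofData(out.getAbsolutePath());
        return out;
    }
}
```

The mapping check is the part worth keeping even if the copy itself is done in native code: dump_mem takes arbitrary decimal numbers from the broadcast, and without the check a wrong start or an over-long length crashes the very process you are trying to unpack.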


Sixth command: dump_class

Dumps the class information of a dex file. This one is simple, because DexFile has a hidden method that returns all class names in a dex file: getClassNameList

The parameter passed to this method is the cookie of the dex file.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"dump_class","dexpath":"*****"}'

The dexpath here is the path of the dex file whose class list is wanted, i.e. the app's APK path.
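Calling the hidden getClassNameList on a loaded DexFile, plus the on-disk comparison that makes the unpacking point visible, as an added example for this article (not zjdroid's code). Assumed: the DexFile object is obtained from the app's class loader by the reflection walk described for dump_dexinfo and is passed in as a parameter; the optimized-output directory handed to DexFile.loadDex is app-writable (the app's files directory is used); and, as the page's case study shows, the loaded DexFile for the APK path is the one the packer has populated with the real classes.

```java
import android.content.Context;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import dalvik.system.DexFile;

/** dump_class for an already-loaded DexFile, and the same listing for the APK as stored on disk. */
public class DexClassList {

    /**
     * Class names from a DexFile that is live in the process. getClassNameList is hidden and
     * static, and the type of its cookie parameter changed across runtimes (int on Dalvik, long
     * and later Object on ART), so it is located by name and arity rather than by signature.
     */
    public static String[] loadedClassNames(DexFile dexFile) throws Exception {
        Field cookieField = DexFile.class.getDeclaredField("mCookie");
        cookieField.setAccessible(true);
        Object cookie = cookieField.get(dexFile);
        for (Method m : DexFile.class.getDeclaredMethods()) {
            if (m.getName().equals("getClassNameList") && m.getParameterTypes().length == 1) {
                m.setAccessible(true);
                return (String[]) m.invoke(null, cookie); // reflection unboxes an int or long cookie
            }
        }
        throw new NoSuchMethodException("DexFile.getClassNameList");
    }

    /**
     * Class names in the APK as installed, through the public API. For a packed app this lists
     * only the packer's stub Application and loader classes; the real classes exist only in memory.
     * outputDir must be app-writable because loadDex writes its optimized copy there.
     */
    public static List<String> onDiskClassNames(String apkPath, File outputDir) throws IOException {
        File opt = new File(outputDir, new File(apkPath).getName() + ".odex");
        DexFile df = DexFile.loadDex(apkPath, opt.getAbsolutePath(), 0);
        try {
            List<String> names = new ArrayList<String>();
            for (Enumeration<String> e = df.entries(); e.hasMoreElements(); ) {
                names.add(e.nextElement());
            }
            return names;
        } finally {
            df.close();
        }
    }

    /** Classes that are loaded in memory but absent from the APK on disk: the unpacking target. */
    public static List<String> hiddenClasses(DexFile loaded, String apkPath, Context ctx) throws Exception {
        Set<String> onDisk = new HashSet<String>(onDiskClassNames(apkPath, ctx.getFilesDir()));
        List<String> hidden = new ArrayList<String>();
        for (String name : loadedClassNames(loaded)) {
            if (!onDisk.contains(name)) {
                hidden.add(name);
            }
        }
        return hidden;
    }
}
```

Logging the result of hiddenClasses under the zjdroid-shell tag gives a quick answer to "is this app actually packed": an empty list means what is on disk is what runs, a long list of game or business classes means the dex in memory is the one to dump.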


Seventh command: invoke

Runs a Lua script at runtime. I have not gone into what this command is for; it can call Java code dynamically from a Lua script. Usage scenario: a decryption routine inside the app can be invoked directly to perform the decryption, or any specific piece of logic can be triggered on demand. I did not analyse the code, because I think this command is rarely needed.

Command usage: am broadcast -a com.zjdroid.invoke --ei target [pid] --es cmd '{"action":"invoke","filepath":"*****"}'

The filepath here is the path of the Lua script file.


That covers all of zjdroid's commands. There are also two important log tags:

First: adb logcat -s zjdroid-shell-{package name}

This tag shows the result of each command above, which makes it easy to check whether a command succeeded.

Second: adb logcat -s zjdroid-apimonitor-{package name}

This tag shows which sensitive APIs the named package calls, somewhat like watching runtime permission requests. It is simple to implement: Xposed's hooking API is used to intercept a set of sensitive system APIs, and logging code is added to each hook.
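A monitor of that kind, as an added example for this article and not zjdroid's own code: one hook body logs the class, method, arguments, return value and the first app-owned stack frame of every watched call under the zjdroid-apimonitor-<package> tag. Besides the identity and network APIs the page mentions, it watches the dex-loading entry points, because a packer has to call one of them to bring the decrypted dex into the VM. Assumed: the package com.example.unpackmod (its own frames are skipped when locating the caller) and the Xposed API on the build path; the list of hooked methods is a starting set, not the tool's.

```java
package com.example.unpackmod; // hypothetical package, used below to skip the module's own frames

import android.content.BroadcastReceiver;
import android.content.IntentFilter;
import android.util.Log;

import java.util.Arrays;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/** Logs sensitive API calls of the hooked app under the zjdroid-apimonitor-<package> tag. */
public class ApiMonitor implements IXposedHookLoadPackage {
    private static final String[] FRAMEWORK_PREFIXES = {
            "de.robv.", "com.example.unpackmod.", "android.", "com.android.", "java.", "dalvik.", "libcore."
    };

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        final String tag = "zjdroid-apimonitor-" + lpparam.packageName;

        // One hook body serves every watched method.
        XC_MethodHook logger = new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                StringBuilder sb = new StringBuilder()
                        .append(param.method.getDeclaringClass().getName())
                        .append('.').append(param.method.getName())
                        .append(Arrays.toString(param.args))
                        .append(" -> ").append(param.getResult());
                // Walk down the stack past the hook machinery and framework; the first remaining
                // frame is the app code that made the call.
                for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
                    if (!isFramework(frame.getClassName())) {
                        sb.append(" from ").append(frame.getClassName()).append('.').append(frame.getMethodName());
                        break;
                    }
                }
                Log.i(tag, sb.toString());
            }
        };

        ClassLoader cl = lpparam.classLoader;
        // Device identity and network: the "permission-like" activity the page describes.
        XposedHelpers.findAndHookMethod("android.telephony.TelephonyManager", cl, "getDeviceId", logger);
        XposedHelpers.findAndHookMethod("java.net.URL", cl, "openConnection", logger);
        XposedHelpers.findAndHookMethod("android.content.ContextWrapper", cl, "registerReceiver",
                BroadcastReceiver.class, IntentFilter.class, logger);
        // Dex loading: a line here means a decrypted dex has just entered the VM, and the
        // arguments tell you which file it came from and where the optimized copy was written.
        XposedHelpers.findAndHookMethod("dalvik.system.DexFile", cl, "loadDex",
                String.class, String.class, int.class, logger);
        XposedHelpers.findAndHookConstructor("dalvik.system.DexClassLoader", cl,
                String.class, String.class, String.class, ClassLoader.class, logger);
    }

    private static boolean isFramework(String className) {
        for (String prefix : FRAMEWORK_PREFIXES) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

The hooks are installed in handleLoadPackage, before any of the app's code runs, so the packer's very first DexFile.loadDex or DexClassLoader construction is captured; that log line is the moment after which a dump_dex of the app will contain the real classes.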


III. Command summary

The analysis above went through zjdroid's functions from the source; to summarise:

1. Get information about the dex files the APK currently has loaded
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dexinfo"}'

2. Get the loadable class names contained in the specified dex file
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_class","dexpath":"*****"}'

3. Dynamically decompile the specified dex from the Dalvik in-memory structures and save it as files
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"backsmali","dexpath":"*****"}'

4. Dump the specified dex from memory and save it to a file (the data is in odex format and can be decompiled on a PC)
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dex","dexpath":"*****"}'

5. Dump the specified memory region to a file
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_mem","start":1234567,"length":123}'

6. Dump the Dalvik heap to a file; the file can be processed with a Java heap analysis tool
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_heap"}'

7. Invoke a Lua script at runtime
This feature allows Java code to be called dynamically from a Lua script. Usage scenario: a decryption routine can be invoked directly to perform the decryption, or any specific logic can be triggered on demand.
am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"invoke","filepath":"*****"}'

8. Viewing command results
1. Command execution results

adb shell logcat -s zjdroid-shell-{package name}

2. Sensitive API call monitoring output

adb shell logcat -s zjdroid-apimonitor-{package name}


IV. Case study

Let us use an app to see how the tool is used and what it produces. The sample is the game Fishing Joy (捕鱼达人) v1.0.1; the APK can be found online. Install the game, install the zjdroid module as described above, enable it and reboot so that it takes effect.

It is best to open a command window to watch the log output. The commands above need the game's package name and process ID. How do we get them? As introduced several times in earlier articles, with a single command: adb shell dumpsys activity top, run while the game is in the foreground:

Here we can read off the game's package name, org.cocos2d.fishingjoy3, and its process ID, 25304. Both are needed later, so note them down.


First let us look at the sensitive API calls made by this app, with the log command from above:

adb shell logcat -s zjdroid-apimonitor-org.cocos2d.fishingjoy3

The log shows network requests, the registration of the network-state-change broadcast and other data, so the tool is useful for this alone.


Next, the dex information for this app, using the following command (run inside adb shell):

am broadcast -a com.zjdroid.invoke --ei target 25304 --es cmd '{"action":"dump_dexinfo"}'

The result of running it:

Nothing visible happens at this point, because the command's output only appears in the log; it has to be watched with: adb logcat -s zjdroid-shell-org.cocos2d.fishingjoy3

Now the details are visible. Note the filepath entry: this is the dex path that the following commands need, so write it down.


Next, the command that dumps all class names in the game:

am broadcast -a com.zjdroid.invoke --ei target 25304 --es cmd '{"action":"dump_class","dexpath":"/data/app/org.cocos2d.fishingjoy3-1.apk"}'

The path is the APK path obtained above. Again the output is read through the log command:

All class names contained in the game are listed.


Finally, the most important and most practical function of the tool, and the focus of this article: unpacking the app. The game has been hardened; decompiling it shows:

Only a handful of classes, one of which is an Application subclass, so we can assume the game is packed. This article does not describe how the hardening platform works, and does not go through dynamic debugging with IDA or other tools to unpack it; the tool is used directly. We can obtain the smali code for later reading with this command:

am broadcast -a com.zjdroid.invoke --ei target 25304 --es cmd '{"action":"backsmali","dexpath":"/data/app/org.cocos2d.fishingjoy3-1.apk"}'

The result of this command is checked in the log:

The smali directory is written under the app's private data directory, /data/data/org.cocos2d.fishingjoy3/smali, and can be copied out:

The unpacking succeeded: smali for all of the game's classes was generated. The principle is the same as the IDA-based unpacking introduced earlier: however an app is hardened, it must eventually call a system function to load the real dex into memory, and it must decrypt that dex before loading it. All we do is read the dex back out once it has been decrypted and loaded.


V. Summary

That is the implementation principle and the usage of the Xposed-based unpacking tool zjdroid. It shows again how powerful the Xposed framework is; this is only one part of it, and it can just as well be used to write game plugins and the like. Reading the framework's own source is well worth the effort; there is no end to what can be learned from it. Writing this up was exhausting, so please remember to leave a like!

