
Android 系统调用拦截hook


本文基于 AOSP 源码版本 8.1,下面是相关改动文件(git status 输出):

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   bionic/libc/Android.bp
	modified:   bionic/libc/SYSCALLS.TXT
	deleted:    bionic/libc/arch-arm/syscalls/__exit.S
	deleted:    bionic/libc/arch-arm/syscalls/_exit.S
	deleted:    bionic/libc/arch-arm64/syscalls/__exit.S
	deleted:    bionic/libc/arch-arm64/syscalls/_exit.S
	modified:   bionic/libc/include/stdlib.h
	modified:   bionic/libc/include/unistd.h
	modified:   bionic/libc/libc.map.txt
	modified:   bionic/libc/stdlib/exit.c

Untracked files:
  (use "git add <file>..." to include in what will be committed)

	bionic/libc/arch-arm/syscalls/__xsexit.S
	bionic/libc/arch-arm/syscalls/_xsexit.S
	bionic/libc/arch-arm64/syscalls/__xsexit.S
	bionic/libc/arch-arm64/syscalls/_xsexit.S
	bionic/libc/bionic/__exit.cpp
	bionic/libc/bionic/_exit.cpp
	bionic/libc/include/sys/exit.h

下面以 _exit、_Exit、__exit 三个函数为例:这些函数原本直接就是汇编写的系统调用桩,现在我们要在中间加一层 C 函数,由它记录日志后再调用原本的汇编桩。

1. 添加中间层

新建bionic/libc/include/sys/exit.h

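#ifndef _SYS_EXIT_H_
#define _SYS_EXIT_H_

/*
 * Prototypes for the C wrappers that front the renamed exit/exit_group
 * syscall stubs (_xsexit / __xsexit, defined in bionic/_exit.cpp and
 * bionic/__exit.cpp).
 *
 * This header is pulled into the public <unistd.h> and <stdlib.h>, so it
 * follows the conventions of bionic's other public headers: parameter
 * names carry the reserved __ prefix (a user macro named `status` must not
 * break these prototypes), and each function is marked noreturn because
 * every wrapper ends by entering a syscall stub that does not come back.
 * The attribute is spelled out explicitly here rather than through
 * bionic's __noreturn macro so the header stands on its own.
 */

#include <linux/unistd.h>
#include <sys/cdefs.h>

__BEGIN_DECLS

/* Wrapper around the exit_group(2) stub _xsexit. */
__attribute__((__noreturn__)) void _exit(int __status);
/* Wrapper around the exit(2) stub __xsexit (per-thread exit). */
__attribute__((__noreturn__)) void __exit(int __status);
/* C99 spelling of _exit(); same stub, same behaviour. */
__attribute__((__noreturn__)) void _Exit(int __status);

__END_DECLS

#endif /* _SYS_EXIT_H_ */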

新建 bionic/libc/bionic/_exit.cpp

#include <unistd.h>
#include <async_safe/log.h>
#include <sys/exit.h>

// Raw exit_group(2) stub, i.e. the generated _exit.S renamed (see SYSCALLS.TXT).
extern "C" __noreturn void _xsexit(int);

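/*
 * Hooked _exit(2): log the exiting pid at DEBUG level, then enter the
 * renamed exit_group stub (_xsexit), which never returns.
 *
 * The original log line also printed `comm`, but no such variable is
 * declared anywhere in this file, so the wrapper could not compile. Only
 * the pid is logged now, matching _Exit() and __exit(). If the process or
 * thread name is wanted, prctl(PR_GET_NAME, buf) is a plain syscall and
 * acceptable here.
 *
 * NOTE(review): _exit() is the exit path used from signal handlers and
 * from the child side of fork() before exec(), so everything in this body
 * has to stay async-signal-safe -- raw syscalls and the async_safe_*
 * logger only; no malloc, stdio or locking.
 */
void _exit(int status) {
    async_safe_format_log(ANDROID_LOG_DEBUG, "_exit", "pid %d", getpid());
    _xsexit(status);
}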

/*
 * Hooked _Exit(3): identical to _exit() -- record the calling pid at
 * DEBUG level, then hand off to the raw exit_group stub, which does not
 * return.
 *
 * NOTE(review): SYSCALLS.TXT still lists _Exit as an alias of the
 * _xsexit stub (`_xsexit|_Exit`), so the generated assembly may define a
 * second _Exit that points straight at exit_group; callers could reach
 * that one instead of this wrapper. Confirm which definition wins.
 */
void _Exit(int status) {
    const pid_t self = getpid();
    async_safe_format_log(ANDROID_LOG_DEBUG, "_Exit", "pid %d", self);
    _xsexit(status);
}

新建 bionic/libc/bionic/__exit.cpp

#include <unistd.h>
#include <async_safe/log.h>
#include <sys/exit.h>


// Raw exit(2) stub, i.e. the generated __exit.S renamed (see SYSCALLS.TXT).
extern "C" __noreturn void __xsexit(int); 

/*
 * Hooked __exit: bionic's wrapper for the plain exit(2) syscall
 * (__NR_exit, the per-thread exit as opposed to exit_group). Records the
 * calling pid, then jumps into the raw __xsexit stub, which never comes
 * back.
 *
 * NOTE(review): if bionic routes pthread_exit() through __exit (I believe
 * it does), this body runs after the thread has already torn down much of
 * its own state, so keep it to async-signal-safe calls that do not depend
 * on thread-local storage -- confirm against pthread_exit.cpp.
 */
void __exit(int status) {
    const pid_t pid = getpid();
    async_safe_format_log(ANDROID_LOG_DEBUG, "__exit", "pid %d", pid);
    __xsexit(status);
}

同时在 stdlib.h 和 unistd.h 中引入新增的 sys/exit.h,让这几个函数的声明在公共头文件里可见。需要说明的是,这一步本身并不会让调用改走我们的 C 函数——最终链接到哪个符号,取决于后面对 SYSCALLS.TXT、libc.map.txt 和 Android.bp 的修改:汇编桩被改名为 _xsexit/__xsexit,而 _exit/__exit 这两个符号改由 .cpp 文件定义。

原本 __exit 是一个汇编桩,位于 bionic/libc/arch-arm/syscalls/__exit.S 中;我们把它重命名为 __xsexit,再写一个 C 语言的 __exit 函数顶替原来的符号,在其中调用重命名后的 __xsexit。

diff --git a/bionic/libc/include/unistd.h b/bionic/libc/include/unistd.h
index e024527ef2..a4685af4df 100644
--- a/bionic/libc/include/unistd.h
+++ b/bionic/libc/include/unistd.h
@@ -42,6 +42,8 @@
 #include <bits/seek_constants.h>
 #include <bits/sysconf.h>
 
+#include <sys/exit.h>
+
 __BEGIN_DECLS
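Review bot: Adding `#include <sys/exit.h>` to the public unistd.h does not by itself route anything through the C wrappers — which `_exit` gets linked is decided by the SYSCALLS.TXT and Android.bp changes — while it does make a hook-internal header part of libc's public include surface, and its prototypes (`void _exit (int status);`, no noreturn attribute, non-reserved parameter name) now sit next to unistd.h's own `_exit` declaration, which on this branch I believe is `__noreturn void _exit(int __status);`. Since `_exit.cpp` already includes `<sys/exit.h>` directly, the simplest fix is to drop this hunk; if the header must stay public, give its declarations the same shape, e.g. `__noreturn void _exit(int __status);`. The hunk sits just before `__BEGIN_DECLS`, so the rest of the header's declarations are outside the hunk.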

2. 修改汇编

主要是把 bionic/libc/arch-arm/syscalls/_exit.S 和 bionic/libc/arch-arm/syscalls/__exit.S 改个名字(arch-arm64 目录下的同名文件也要同样处理,见上面的 git status):

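# Rename the generated exit/exit_group stubs for every architecture the
# git status above shows as changed (arm and arm64), not just arm.
# These .S files are produced by gensyscalls.py from SYSCALLS.TXT, so an
# alternative to renaming by hand is to edit SYSCALLS.TXT and regenerate.
for arch in arm arm64; do
    d="bionic/libc/arch-${arch}/syscalls"
    mv "${d}/_exit.S"  "${d}/_xsexit.S"
    mv "${d}/__exit.S" "${d}/__xsexit.S"
done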

然后把两个汇编文件里的 ENTRY/END 名字改一下:__exit 改成与文件名一致的 __xsexit(_exit.S 同理改成 _xsexit),可以看到它对应的系统调用号仍然是 __NR_exit。注意文件头写着“Generated by gensyscalls.py. Do not edit.”,这些桩本来就是由 SYSCALLS.TXT 生成的;手工改名之后,后面修改 SYSCALLS.TXT 再重新生成应当得到同样的文件。

// bionic/libc/arch-arm/syscalls/__xsexit.S
/* Generated by gensyscalls.py. Do not edit. */

#include <private/bionic_asm.h>

ENTRY(__xsexit)
    /* Raw exit(2) stub, renamed from the generated __exit so that the C
     * __exit wrapper in bionic/__exit.cpp can take that name and call
     * here. The body is the standard gensyscalls template: r7 carries the
     * syscall number, so its caller-visible value is parked in ip around
     * the trap and the CFI directives tell the unwinder where r7 lives. */
    mov     ip, r7
    .cfi_register r7, ip
    ldr     r7, =__NR_exit
    swi     #0
    mov     r7, ip
    .cfi_restore r7
    /* Generic error tail from the template: return unless r0 holds a
     * -errno value, in which case negate it and tail-call
     * __set_errno_internal. For __NR_exit the kernel does not return to
     * the caller on success, so this tail is effectively unreachable. */
    cmn     r0, #(MAX_ERRNO + 1)
    bxls    lr
    neg     r0, r0
    b       __set_errno_internal
END(__xsexit)

修改libc.map.txt

diff --git a/bionic/libc/libc.map.txt b/bionic/libc/libc.map.txt
index c271a57e4f..83e4f4b28f 100644
--- a/bionic/libc/libc.map.txt
+++ b/bionic/libc/libc.map.txt
@@ -19,7 +19,7 @@ LIBC {
     __dn_skipname;
     __epoll_pwait; # arm x86 mips introduced=21
     __errno;
-    __exit; # arm x86 mips introduced=21
+    __xsexit; # arm x86 mips introduced=21
     __fadvise64; # x86 mips introduced=21
     __fbufsize; # introduced=23
     __fcntl64; # arm x86 mips
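Review bot: Exporting `__xsexit` in the `global:` list publishes the raw, un-hooked exit stub as part of libc.so's ABI, so any caller that wants to avoid the logging can link or `dlsym` `__xsexit` instead of `__exit` — the hook becomes opt-in. If interception is the goal the stub should stay unlisted, and `__exit` has to remain because that is the symbol existing callers resolve: keep `__exit; # arm x86 mips introduced=21` and do not add `__xsexit`. Whether libc.map.txt is applied as libc.so's version script on this branch (I believe it is) decides whether dropping `__exit` here also hides the new C `__exit` from every dynamic caller; worth verifying before trusting the final screenshot.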
@@ -205,7 +205,7 @@ LIBC {
     __waitid; # arm x86 mips
     _ctype_; # var
     _Exit; # introduced=21
-    _exit;
+    _xsexit;
     _flush_cache; # mips
     _flushlbf; # introduced=23
     _getlong;
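Review bot: The `_exit` → `_xsexit` swap has the same shape as the `__exit` change but a wider blast radius: `_exit` is the symbol practically every dynamically linked program terminates through, and here it leaves the `global:` list while the raw `_xsexit` stub is added. If this file is libc.so's version script (as I believe it is on 8.1), the new C `_exit` from _exit.cpp is no longer exported at all, and the exported `_xsexit` hands callers an unlogged exit_group. Keep `_exit;` and delete the `_xsexit;` line; `_Exit; # introduced=21` is right to stay, though SYSCALLS.TXT still aliases `_Exit` onto the stub, which undermines the same goal.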

修改 bionic/libc/SYSCALLS.TXT,这一步是把改名后的汇编桩关联到内核的系统调用号(gensyscalls.py 正是根据这个文件生成各架构下的 .S 文件):

diff --git a/bionic/libc/SYSCALLS.TXT b/bionic/libc/SYSCALLS.TXT
index d674630ac0..0f9e5269c5 100644
--- a/bionic/libc/SYSCALLS.TXT
+++ b/bionic/libc/SYSCALLS.TXT
@@ -309,8 +309,10 @@ int __epoll_pwait:epoll_pwait(int, struct epoll_event*, int, int, const sigset_t
 
 int eventfd:eventfd2(unsigned int, int)  all
 
-void _exit|_Exit:exit_group(int)  all
-void __exit:exit(int)  all
+#void _exit|_Exit:exit_group(int)  all
+#void __exit:exit(int)  all
+void _xsexit|_Exit:exit_group(int) all
+void __xsexit:exit(int)  all
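Review bot: `_Exit` is still spelled as an alias of the stub on the `_xsexit|_Exit` line, so the generated `_xsexit.S` also defines `_Exit` pointing straight at exit_group; calls to `_Exit` then never reach the C++ `_Exit` in `_exit.cpp`, and the two definitions of `_Exit` (assembly alias and C++) may collide at link time. Drop the alias: `void _xsexit:exit_group(int)  all`. Both entries say `all`, yet the git status only shows arm and arm64 stubs renamed; unless gensyscalls.py is re-run, x86 and mips builds would presumably keep the old `_exit.S`/`__exit.S` alongside the new C definitions and have no `_xsexit` at all. The two `#`-commented lines can simply be deleted; git history already keeps them.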

最后把你新增的文件添加到libc的Android.bp中

diff --git a/bionic/libc/Android.bp b/bionic/libc/Android.bp
index a0d1f237cc..b44c6598fd 100644
--- a/bionic/libc/Android.bp
+++ b/bionic/libc/Android.bp
@@ -809,7 +809,9 @@ cc_library_static {
         "bionic/__strcpy_chk.cpp",
         "bionic/strchr.cpp",
         "bionic/strnlen.c",
-        "bionic/strrchr.cpp",
+        "bionic/strrchr.cpp", 
+        "bionic/_exit.cpp",
+        "bionic/__exit.cpp",
     ],
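Review bot: `"bionic/strrchr.cpp", ` picks up a trailing space in the rewritten line, and the two new entries are appended after what looks like an alphabetically ordered run (`__strcpy_chk`, `strchr`, `strnlen`, `strrchr`); place `"bionic/__exit.cpp",` and `"bionic/_exit.cpp",` in sorted position and leave the `strrchr` line untouched. The enclosing `cc_library_static` starts outside the hunk, so which static library these sources join cannot be confirmed from here.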

最终效果截图

From: https://www.cnblogs.com/tangshunhui/p/16820417.html
