android so壳入口浅析
本文转自http://www.9hao.info/pages/2014/08/android-soke-ru-kou-q
前言
开年来开始接触一些加固样本,基本都对了so进行了处理,拖入ida一看,要么没有 JNI_OnLoad ,要么 JNI_OnLoad 汇编代码羞涩难懂,让人无法下手。 JNI_OnLoad 是真正入口么?
先看看几个文档
1 摘自属性服务一节(《深入理解Android卷1》)
利用gcc的constructor属性,这个属性指明了一个__libc_prenit函数(这个函数内部就将完成共享内存到本地进程的映射工作)。用法:当bionic libc库被加载时,将自动调用__libc_prenit函数。这样在bionic libc动态库被装载时,系统属性缓冲区地址就被确定了,后续的API调用就能找对位置了。 /* We flag the __libc_preinit function as a constructor to ensure * that its address is listed in libc.so's .init_array section. * This ensures that the function is called by the dynamic linker * as soon as the shared library is loaded. */ //constructor属性指示加载器加载该库之后,首先调用__libc_prenit函数。这一点和windows上的动态库的DllMain函数类似 void __attribute__((constructor)) __libc_prenit(void);
从英文说明里面提到到.init_array section,我们可以搜索一下这一节的说明
2 .init_array section
.init_array contains pointers to blocks of code that need to be executed when an application is being initialized (before main() is called). It is used for a number of things, but the primary use is in C++ for running static constructors; a secondary use that is sometimes used is to initialize IO systems in the C library. If you are not using C++ you may (depending on your C library) be able to live without it entirely; but you’d need to hack your startup code to deal with this. .init_array probably ends up in ram because its marked read/write — that happens because in a dynamic linking environment the dynamic linker has to fix up all the pointers it contains before it can be used. In a static environment you might be able to get away with forcing it into a read-only section. 来源: <http://blog.sina.com.cn/s/blog_a9303fd901019kvq.html>
3 摘自dlopen小结(《程序员的自我修养》)
动态连接器在加载模块时,会执行".init"段的代码,用以完成模块的初始化工作,dlopen的加载过程基本跟动态连接器一致,在完成装载、映射和重定向以后,就会执行".init"段的代码然后返回
看完这个3段资料,我们可以知道在系统加载so,在完成装载、映射和重定向以后,就首先执行.init和.init_array段的代码.
探本溯源,在源码中追踪
我们先从System.loadLibrary ->Runtime.loadLibrary
public void loadLibrary(String libName) { loadLibrary(libName, VMStack.getCallingClassLoader()); } /* * Loads and links a library without security checks. */ void loadLibrary(String libraryName, ClassLoader loader) { 代码略... String error = nativeLoad(filename, loader); 代码略... }
-> nativeLoad
static void Dalvik_java_lang_Runtime_nativeLoad(const u4* args, JValue* pResult) { 代码略... StringObject* fileNameObj = (StringObject*) args[0]; success = dvmLoadNativeCode(fileName, classLoader, &reason); 代码略... }
来源: <http://androidxref.com/4.1.2/xref/dalvik/vm/native/java_lang_Runtime.cpp#72>
bool dvmLoadNativeCode(const char* pathName, Object* classLoader, char** detail) { 代码略... handle = dlopen(pathName, RTLD_LAZY); 代码略... vonLoad = dlsym(handle, "JNI_OnLoad"); if (vonLoad == NULL) { ALOGD("No JNI_OnLoad found in %s %p, skipping init", pathName, classLoader); } else { /* * Call JNI_OnLoad. We have to override the current class * loader, which will always be "null" since the stuff at the * top of the stack is around Runtime.loadLibrary(). (See * the comments in the JNI FindClass function.) */ OnLoadFunc func = (OnLoadFunc)vonLoad; Object* prevOverride = self->classLoaderOverride; self->classLoaderOverride = classLoader; oldStatus = dvmChangeStatus(self, THREAD_NATIVE); if (gDvm.verboseJni) { ALOGI("[Calling JNI_OnLoad for \"%s\"]", pathName); } version = (*func)(gDvmJni.jniVm, NULL); dvmChangeStatus(self, oldStatus); self->classLoaderOverride = prevOverride; } 代码略... }
来源: <http://androidxref.com/4.1.2/xref/dalvik/vm/Native.cpp#318>
通过dvmLoadNativeCode函数我们知道系统用dlopen加载so完成后,会查看有没有JNI_OnLoad函数,有的话就调用.
我们再到dlopen函数探个究竟:
void *dlopen(const char *filename, int flag) { soinfo *ret; pthread_mutex_lock(&dl_lock); /*find_library 会判断so是否已经加载,如果没有加载,对so进行加载,完成一些初始化工作,有兴趣的读者可自行分析 */ ret = find_library(filename); if (unlikely(ret == NULL)) { set_dlerror(DL_ERR_CANNOT_LOAD_LIBRARY); } else { call_constructors_recursive(ret); ret->refcount++; } pthread_mutex_unlock(&dl_lock); return ret; }
void call_constructors_recursive(soinfo *si) { if (si->constructors_called) return; // Set this before actually calling the constructors, otherwise it doesn't // protect against recursive constructor calls. One simple example of // constructor recursion is the libc debug malloc, which is implemented in // libc_malloc_debug_leak.so: // 1. The program depends on libc, so libc's constructor is called here. // 2. The libc constructor calls dlopen() to load libc_malloc_debug_leak.so. // 3. dlopen() calls call_constructors_recursive() with the newly created // soinfo for libc_malloc_debug_leak.so. // 4. The debug so depends on libc, so call_constructors_recursive() is // called again with the libc soinfo. If it doesn't trigger the early- // out above, the libc constructor will be called again (recursively!). si->constructors_called = 1; if (si->flags & FLAG_EXE) { TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n", pid, (unsigned)si->preinit_array, si->preinit_array_count, si->name); call_array(si->preinit_array, si->preinit_array_count, 0); TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name); } else { if (si->preinit_array) { DL_ERR("%5d Shared library '%s' has a preinit_array table @ 0x%08x." " This is INVALID.", pid, si->name, (unsigned)si->preinit_array); } } 代码略... if (si->init_func) { TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid, (unsigned)si->init_func, si->name); si->init_func(); TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name); } if (si->init_array) { TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid, (unsigned)si->init_array, si->init_array_count, si->name); //遍历函数数组并执行 call_array(si->init_array, si->init_array_count, 0); TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name); //ps:看到这么多TRACE这么多调试信息,我们把调试开关打开,是不是能拿到诸多信息? } } 来源: <http://androidxref.com/4.1.2/xref/bionic/linker/linker.c#1519>
通过可以函数我们知道si->init_func和si->init_array存在的时候,会执行指向的函数
(不知道大家注意到么si->flags & FLAG_EXE时,还有si->preinit_array? 以后会不会有这方面的东西?)
再找下 si->init_func和si->init_array 的赋值
case DT_INIT: si->init_func = (void (*)(void))(si->base + *d); DEBUG("%5d %s constructors (init func) found at %p\n", pid, si->name, si->init_func); case DT_INIT_ARRAY: si->init_array = (unsigned *)(si->base + *d); DEBUG("%5d %s constructors (init_array) found at %p\n", pid, si->name, si->init_array); break;
DEBUG里面说明了constructors (init func)和constructors (init_array)。
我们再看看一份文档Android Dynamic Linker Design Notes
DT_INIT Points to the address of an initialization function that must be called when the file is loaded. DT_INIT_ARRAY Points to an array of function addresses that must be called, in-order, to perform initialization. Some of the entries in the array can be 0 or -1, and should be ignored. Note: this is generally stored in a .init_array section
通过层层分析,我们很清楚知道了系统加载so,在完成装载、映射和重定向以后,就首先执行.init和.init_array段的代码.
前面有一篇文章我已经对so加壳进行简单说明
把源码的dlopen复制出来修改,在把自己so加载起来的时候 ,把自己内存里面某部分地址解密后,用自己的dlopen打开返回一个soinfo结构体 然后把当前soinfo结构体替换原来的soinfo结构体
小结
系统加载so,在完成装载、映射和重定向以后,就首先执行.init和.init_array段的代码,之后如果存在JNI_OnLoad 就调用该函数.我们要对一个so进行分析,需要先看看有没有.init_array section和.init section,so加壳一般会在初始化函数进行脱壳操作。
如何在.init和.init_array段添加我们的函数
[1] 共享构造函数,在函数声明时加上"__attribute__((constructor))"属性 void __attribute__((constructor)) init_function(void); 对应有共享虚构函数,在程序exit()或者dlclose()返回前执行 void __attribute__((destructor)) fini_function(void); [2]c++ 静态构造函数
在.init和.init_array下断点
init_array 用ida可以看到, 可以对里面的函数数组下断点 init ida有时没识别出来,可用readelf查看入口点 xxx@xx:~$ readelf -a '/home/xxx/桌面/libsecexe.so' 0x00000010 (SYMBOLIC) 0x0 0x0000000c (INIT) 0x11401 0x00000019 (INIT_ARRAY) 0x28ca4 0x0000001b (INIT_ARRAYSZ) 8 (bytes) 0x0000001a (FINI_ARRAY) 0x28cac 0x0000001c (FINI_ARRAYSZ) 12 (bytes) 0x00000004 (HASH) 0xf4 我们看到 INIT 入口为 0x11401 (ps:有时你在0x11401是数据,你需要make code,由于对齐关系,要从0x11401+1开始) 样本:梆梆 爱加密
参考:
[1] 《深入理解Android卷1》
[2] 《程序员的自我修养-链接、装载与库》
[3] android linker 浅析
[4] Android Dynamic Linker Design Notes