Lesson 6: Using hardware breakpoints to quickly analyze a packed app's anti-tracing trick for JNI function addresses
It cannot be traced directly, mainly because the Method object is reached directly through an offset and then bound by address; that is one strategy (demo).
This way of locating is somewhat safer and bypasses the usual address-binding tracing. It has to handle the different Android versions and their compatibility:
if the ROM is not modified, the API stays consistent with the official AOSP ROM.
Lesson 1: tracing the location of a single svc call assembly instruction.
1. Know where the svc call happens.
Once the location is known, it is the same as hooking a function. The hard part is locating the address of the svc call in memory.
Locate the SVC #0 in the app, and the registers at that point.
Memory traversal, Stalker, unidbg and similar tools scan memory for the byte sequence of the svc syscall instruction, which quickly locates all of them, or rather all of the candidates; some can be missed, and the missed cases are discussed later.
Two ways of using Frida's Memory API to locate SVC instructions in memory:
1. Use the module's start address (and size) as the search range.
Problem: for packed .so files, custom linkers and the like, this misses instructions (false negatives).
2. Use the executable memory segments as the search range.
Advantage: with the right timing, no SVC syscall instruction in memory is missed.
init, init_array, JNI_OnLoad, and even specific JNI interactions: the timing is critical. With the wrong timing, instructions are missed.
How to find the right timing:
init / init_array: start from the linker.
JNI_OnLoad: locate it via dlsym.
Specific JNI interactions: start from JNIEnv.
Once the Frida detection has been bypassed, the place where the Frida detection happens can be found.
function scan(address: NativePointerValue, size: number | UInt64, pattern: string, callbacks: MemoryScanCallbacks): void;
"syscall" here stands for the byte sequence of the instruction; on arm64, svc #0 is 01 00 00 d4 in memory (the first four bytes of every hit dumped below).
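The two search-range strategies above, as an added example in plain JavaScript (not code from the original notes): constructed executable ranges stand in for what Process.enumerateRanges('r-x') and Module.enumerateRanges('r-x') return inside Frida, and a byte-pattern loop stands in for Memory.scan, so the comparison runs offline under Node. The module paths, range addresses and planted offsets are all assumptions.

```javascript
// Added example (not from the original notes). Compares the two search-range
// strategies for locating `svc #0` (A64 encoding 0xD4000001, little-endian
// bytes 01 00 00 d4). The ranges below are constructed stand-ins for what
// Process.enumerateRanges('r-x') / Module.enumerateRanges('r-x') return in
// Frida, and findPattern stands in for Memory.scan, so this runs under Node.

const SVC0 = [0x01, 0x00, 0x00, 0xd4]; // svc #0, little-endian
const NOP = [0x1f, 0x20, 0x03, 0xd5];  // A64 nop, used as filler

// Return every byte offset in `bytes` at which `pattern` occurs
// (the same set of offsets Memory.scan would hand to onMatch).
function findPattern(bytes, pattern) {
  const hits = [];
  for (let i = 0; i + pattern.length <= bytes.length; i++) {
    let ok = true;
    for (let j = 0; j < pattern.length && ok; j++) ok = bytes[i + j] === pattern[j];
    if (ok) hits.push(i);
  }
  return hits;
}

// Build a constructed r-x range filled with NOPs, with svc #0 planted at the
// given offsets. `file` is undefined for an anonymous mapping.
function makeRange(base, size, file, svcOffsets) {
  const bytes = new Uint8Array(size);
  for (let i = 0; i < size; i += 4) bytes.set(NOP, i);
  for (const off of svcOffsets) bytes.set(SVC0, off);
  return { base, size, protection: 'r-x', file, bytes };
}

// Constructed process layout (assumption): two file-backed modules plus one
// anonymous executable mapping of the kind a packer or custom linker creates
// when it maps code itself, so no module record points at it.
const RANGES = [
  makeRange(0x7000, 0x1000, { path: '/data/app/example/lib/arm64/libnative-lib.so' }, [0x088]),
  makeRange(0x9000, 0x1000, { path: '/system/lib64/libc.so' }, [0x200]),
  makeRange(0xa000, 0x1000, undefined, [0x3f0]),
];

function scanRange(r) {
  return findPattern(r.bytes, SVC0).map(off => ({
    address: r.base + off,
    file: r.file ? r.file.path : '(anonymous)',
  }));
}

// Strategy 1: walk the module list and scan each module's ranges; a range not
// attributed to any module (r.file undefined) is never visited.
function scanModuleBacked(ranges) {
  return ranges.filter(r => r.file).flatMap(scanRange);
}

// Strategy 2: every executable range, regardless of who mapped it.
function scanExecutable(ranges) {
  return ranges.filter(r => r.protection.startsWith('r-x')).flatMap(scanRange);
}

// In Frida the two inputs become
//   Process.enumerateModules().flatMap(m => m.enumerateRanges('r-x'))   (strategy 1)
//   Process.enumerateRanges('r-x')                                      (strategy 2)
// and scanRange becomes Memory.scan(r.base, r.size, '01 00 00 d4', callbacks).
function report() {
  const byModule = scanModuleBacked(RANGES);
  const byExec = scanExecutable(RANGES);
  const missed = byExec.filter(h => !byModule.some(m => m.address === h.address));
  return { byModule: byModule.length, byExecutable: byExec.length, missed };
}

console.log(JSON.stringify(report(), null, 2));
```

With these constructed ranges the module-driven scan returns two hits and the executable-range scan three; the difference is exactly the svc in the anonymous mapping, which is the false negative the notes warn about for packed or custom-linked code.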
Pull the base library libc.so to the local machine, disassemble it in IDA, and the list of associated C source files tells you what each part is for.
| Category | Example files | Function summary |
|---|---|---|
| Program startup and initialization | crtbegin_so.c, libc_init_common.cpp, __libc_init_main_thread.cpp | Initialize the runtime environment, set up the main thread, register constructors and destructors, and start the program entry point. |
| Memory management | malloc_common.cpp, malloc_info.cpp, brk.cpp, mremap.cpp, ftruncate.cpp | Implement dynamic memory allocation (malloc/free), heap management, memory mapping, and allocation-info output. |
| System call wrappers | fork.cpp, exec.cpp, clone.cpp, open.cpp, readlink.cpp, ptrace.cpp | Wrap kernel system calls such as process creation, program execution, file operations, and debugging. |
| Threads and synchronization | __cxa_thread_atexit_impl.cpp, thread_private.cpp, atomics_arm.c, semaphore.cpp | Implement thread-local destructor hooks, thread-local storage, atomic operations, semaphores and other synchronization primitives. |
| Signal handling | sigaction.cpp, signal.cpp, sigqueue.cpp, __libc_current_sigrtmin.cpp | Provide the full POSIX signal interface: registration, sending, masking and handling. |
| String and character handling | strchr.cpp, strnlen.c, strsignal.cpp, wchar.cpp, wctype.cpp | Implement the C string functions and wide-character (Unicode) handling. |
| Time management | clock.cpp, clock_nanosleep.cpp, posix_timers.cpp, sys_time.cpp | Provide high-resolution timing, sleeping, POSIX timers and system time management. |
| Networking | socket.cpp, accept.cpp, connect.cpp, arpa_inet.cpp, netdb.cpp, NetdClient.cpp | Implement socket operations, IP address conversion, and communication with the Android network daemon. |
| System information and configuration | getauxval.cpp, getpagesize.cpp, sysconf.cpp, sysinfo.cpp, system_properties.cpp | Read system configuration parameters, kernel properties, page size, and shared-library auxiliary values. |
| Environment and path management | environ.cpp, clearenv.cpp, getcwd.cpp, __bionic_get_shell_path.cpp | Manage environment variables, the current working directory and system paths. |
| Debugging and error handling | assert.cpp, abort.cpp, fortify.cpp, android_set_abort_message.cpp | Implement assertions, program termination, runtime hardening (Fortify) and abort-message passing. |
| Localization | locale.cpp, langinfo.cpp, nl_types.cpp, icu.cpp | Provide locale and regional information support, including ICU support. |
| File and directory operations | mkdir.cpp, rmdir.cpp, chmod.cpp, stat.cpp, access.cpp | Implement creation of files and directories, permission management, attribute reading, etc. |
| Inter-process communication (IPC) | sys_msg.cpp, sys_sem.cpp, sys_shm.cpp, eventfd_read.cpp | Support Linux IPC: message queues, semaphores, shared memory, eventfd and similar mechanisms. |
| ARM architecture support | __aeabi.c, atexit_legacy.c, exidx_dynamic.c, libgcc_compat.c | Implement the ARM ABI interfaces, exception-table registration, and GCC runtime compatibility symbols. |
Lesson 16, 3w class, day 16:
Here a hook is placed at the moment just before JNI_OnLoad executes,
to make sure we can hook them.
day 17:
func_type: DT_INIT
so_name: libnative-lib.so
so_path: /data/app/com.frida.fridadetection-13oEjyEBgSSw4T_e3gl1OQ==/lib/arm64/libnative-lib.so
func_offset: 0x21b8
func_type: function
so_name: libnative-lib.so
so_path: /data/app/com.frida.fridadetection-13oEjyEBgSSw4T_e3gl1OQ==/lib/arm64/libnative-lib.so
func_offset: 0x21bc
func_type: function
so_name: libnative-lib.so
so_path: /data/app/com.frida.fridadetection-13oEjyEBgSSw4T_e3gl1OQ==/lib/arm64/libnative-lib.so
func_offset: 0x21c0
find a svc syscall->{"address":"0x76c998c088","name":"0x1088","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998c088 01 00 00 d4 a0 03 1c f8 ad 03 5c b8 ed 1f 00 b9 ..........\.....
76c998c098 ad 05 00 71 ed 17 00 b9 c1 01 00 54 01 00 00 14 ...q.......T....
76c998c0a8 a8 43 5f 38 e9 17 40 f9 2a 05 00 91 ea 17 00 f9 .C_8..@.*.......
76c998c0b8 28 01 00 39 a8 43 5f 38 08 29 00 71 e8 13 00 b9 (..9.C_8.).q....
76c998c0c8 61 00 00 54 01 00 00 14 10 00 00 14 0a 00 00 14 a..T............
76c998c0d8 e8 1f 40 b9 a8 00 00 35 01 00 00 14 e8 03 1f 2a ..@....5.......*
76c998c0e8 e8 37 00 b9 0f 00 00 14 08 00 80 12 e8 37 00 b9 .7...........7..
76c998c0f8 0c 00 00 14 01 00 00 14 e8 23 40 b9 08 05 00 11 .........#@.....
76c998c108 e8 23 00 b9 bd ff ff 17 e8 17 40 f9 e9 03 1f 2a .#........@....*
76c998c118 09 01 00 39 e9 23 40 b9 e9 37 00 b9 01 00 00 14 ...9.#@..7......
76c998c128 e8 37 40 b9 49 d0 3b d5 29 15 40 f9 aa 83 5f f8 .7@.I.;.).@..._.
76c998c138 29 01 0a eb e8 0f 00 b9 e9 03 00 f9 c1 00 00 54 )..............T
76c998c148 01 00 00 14 e0 0f 40 b9 fd 7b 4a a9 ff c3 02 91 ......@..{J.....
76c998c158 c0 03 5f d6 d9 fe ff 97 ff c3 00 d1 fd 7b 02 a9 .._..........{..
76c998c168 fd 83 00 91 08 00 00 b0 08 91 0c 91 e2 03 7e b2 ..............~.
76c998c178 e0 0b 00 f9 e0 0b 40 f9 e0 07 00 f9 e0 07 40 f9 ......@.......@.
find a svc syscall->{"address":"0x76c998c444","name":"0x1444","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998c444 01 00 00 d4 e0 57 00 f9 e8 57 40 f9 ec 03 08 2a .....W...W@....*
76c998c454 ec 77 00 b9 ec 77 40 b9 8c 05 00 71 ec 43 00 b9 .w...w@....q.C..
76c998c464 cb 15 00 54 01 00 00 14 01 00 00 14 e0 77 40 b9 ...T.........w@.
76c998c474 e1 83 05 91 e2 03 17 32 d5 fe ff 97 00 04 00 71 .......2.......q
76c998c484 e0 3f 00 b9 8b 14 00 54 01 00 00 14 e8 83 05 91 .?.....T........
76c998c494 e9 27 40 f9 28 01 00 f9 08 00 00 b0 08 0d 0d 91 .'@.(...........
76c998c4a4 e8 73 00 f9 28 01 40 f9 ea 73 40 f9 28 09 00 f9 .s..(.@..s@.(...
76c998c4b4 2a 05 00 f9 20 09 40 f9 21 05 40 f9 14 fe ff 97 *... .@.!.@.....
76c998c4c4 60 03 00 b4 01 00 00 14 e8 83 05 91 e9 27 40 f9 `............'@.
76c998c4d4 28 11 00 f9 08 00 00 b0 08 25 0d 91 28 0d 00 f9 (........%..(...
76c998c4e4 28 11 40 f9 2a 0d 40 f9 28 19 00 f9 2a 15 00 f9 (.@.*.@.(...*...
76c998c4f4 20 19 40 f9 21 15 40 f9 05 fe ff 97 80 01 00 b5 .@.!.@.........
76c998c504 01 00 00 14 01 00 00 b0 21 b0 0d 91 02 00 00 b0 ........!.......
76c998c514 42 18 0f 91 03 00 00 b0 63 d8 0d 91 e0 07 1f 32 B.......c......2
76c998c524 ef fd ff 97 e0 3b 00 b9 01 00 00 14 00 e4 00 6f .....;.........o
76c998c534 e8 2b 40 f9 00 3d 80 3d 00 39 80 3d 00 35 80 3d .+@..=.=.9.=.5.=
find a svc syscall->{"address":"0x76c998c810","name":"0x1810","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998c810 01 00 00 d4 a0 03 1c f8 a8 03 5c f8 e8 23 00 f9 ..........\..#..
76c998c820 e8 23 40 f9 08 05 00 f1 e8 17 00 f9 60 01 00 54 .#@.........`..T
76c998c830 01 00 00 14 e8 1f 40 f9 a8 00 00 b5 01 00 00 14 ......@.........
76c998c840 08 00 80 92 e8 33 00 f9 20 00 00 14 e8 1f 40 f9 .....3.. .....@.
76c998c850 e8 33 00 f9 1d 00 00 14 a8 43 5f 38 08 29 00 71 .3.......C_8.).q
76c998c860 e8 27 00 b9 a1 00 00 54 01 00 00 14 e8 1f 40 f9 .'.....T......@.
76c998c870 e8 33 00 f9 15 00 00 14 a8 43 5f 38 e9 2b 40 f9 .3.......C_8.+@.
76c998c880 2a 05 00 91 ea 2b 00 f9 28 01 00 39 e9 1f 40 f9 *....+..(..9..@.
76c998c890 29 05 00 91 e9 1f 00 f9 01 00 00 14 e8 1f 40 f9 ).............@.
76c998c8a0 e9 4f 40 b9 29 05 00 71 ea 03 09 2a 08 01 0a eb .O@.)..q...*....
76c998c8b0 e8 0f 00 f9 6b f7 ff 54 01 00 00 14 e8 1f 40 f9 ....k..T......@.
76c998c8c0 e8 33 00 f9 01 00 00 14 e8 33 40 f9 49 d0 3b d5 .3.......3@.I.;.
76c998c8d0 29 15 40 f9 aa 83 5f f8 29 01 0a eb e8 0b 00 f9 ).@..._.).......
76c998c8e0 e9 07 00 f9 c1 00 00 54 01 00 00 14 e0 0b 40 f9 .......T......@.
76c998c8f0 fd 7b 4d a9 ff 83 03 91 c0 03 5f d6 f1 fc ff 97 .{M......._.....
76c998c900 fc 0f 1e f8 fd 7b 01 a9 fd 43 00 91 ff 83 0c d1 .....{...C......
find a svc syscall->{"address":"0x76c998caa4","name":"0x1aa4","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998caa4 01 00 00 d4 e0 4f 00 f9 e8 4f 40 f9 e9 03 08 2a .....O...O@....*
76c998cab4 e9 57 00 b9 e9 57 40 b9 29 09 00 34 01 00 00 14 .W...W@.)..4....
76c998cac4 00 e4 00 6f e8 23 40 f9 00 3d 80 3d 00 39 80 3d ...o.#@..=.=.9.=
76c998cad4 00 35 80 3d 00 31 80 3d 00 2d 80 3d 00 29 80 3d .5.=.1.=.-.=.).=
76c998cae4 00 25 80 3d 00 21 80 3d 00 1d 80 3d 00 19 80 3d .%.=.!.=...=...=
76c998caf4 00 15 80 3d 00 11 80 3d 00 0d 80 3d 00 09 80 3d ...=...=...=...=
76c998cb04 00 05 80 3d 00 01 80 3d e0 57 40 b9 e9 43 04 91 ...=...=.W@..C..
76c998cb14 e2 03 18 32 e1 03 09 aa e9 13 00 f9 0e ff ff 97 ...2............
76c998cb24 08 00 00 f0 08 0d 40 f9 e9 13 40 f9 e1 1f 40 f9 ......@...@...@.
76c998cb34 29 00 00 f9 e8 6b 00 f9 28 00 40 f9 fe 6b 40 f9 )....k..(.@..k@.
76c998cb44 28 08 00 f9 3e 04 00 f9 28 08 40 f9 21 04 40 f9 (...>...(.@.!.@.
76c998cb54 e0 0f 00 f9 e0 03 08 aa 6d fc ff 97 20 02 00 b5 ........m... ...
76c998cb64 01 00 00 14 08 00 00 f0 08 11 40 f9 e9 43 04 91 ..........@..C..
76c998cb74 ea 1f 40 f9 49 11 00 f9 48 0d 00 f9 48 11 40 f9 ..@.I...H...H.@.
76c998cb84 49 0d 40 f9 48 19 00 f9 49 15 00 f9 40 19 40 f9 I.@.H...I...@.@.
76c998cb94 41 15 40 f9 5e fc ff 97 a0 01 00 b4 01 00 00 14 A.@.^...........
find a svc syscall->{"address":"0x76c998cde8","name":"0x1de8","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998cde8 01 00 00 d4 e0 3f 00 f9 08 00 00 f0 08 19 40 f9 .....?........@.
76c998cdf8 e9 5f 00 f9 e8 5b 00 f9 e8 5f 40 f9 e9 5b 40 f9 ._...[..._@..[@.
76c998ce08 e8 67 00 f9 e9 63 00 f9 e0 67 40 f9 e1 63 40 f9 .g...c...g@..c@.
76c998ce18 be fb ff 97 e0 02 00 b4 01 00 00 14 01 00 00 b0 ................
76c998ce28 21 0c 0d 91 02 00 00 b0 42 04 10 91 e8 07 1f 32 !.......B......2
76c998ce38 e3 43 09 91 e0 03 08 2a e8 1b 00 b9 a7 fb ff 97 .C.....*........
76c998ce48 01 00 00 b0 21 b0 0d 91 02 00 00 b0 42 18 0f 91 ....!.......B...
76c998ce58 03 00 00 b0 63 60 10 91 e8 1b 40 b9 e0 17 00 b9 ....c`....@.....
76c998ce68 e0 03 08 2a 9d fb ff 97 e0 13 00 b9 01 00 00 14 ...*............
76c998ce78 01 00 00 14 7c ff ff 17 01 00 00 14 e0 1f 40 f9 ....|.........@.
76c998ce88 7a fb ff 97 5e d0 3b d5 de 17 40 f9 a8 83 5e f8 z...^.;...@...^.
76c998ce98 c8 03 08 eb e0 0f 00 b9 e8 03 00 f9 c1 00 00 54 ...............T
76c998cea8 01 00 00 14 ff 83 0d 91 fd 7b 41 a9 fc 07 42 f8 .........{A...B.
76c998ceb8 c0 03 5f d6 81 fb ff 97 ff 83 01 d1 fd 7b 05 a9 .._..........{..
76c998cec8 fd 43 01 91 48 d0 3b d5 08 15 40 f9 a8 83 1f f8 .C..H.;...@.....
76c998ced8 e8 03 1f aa a8 03 1f f8 a8 83 1e f8 e9 03 1f 32 ...............2 // On arm64 instructions are 4-byte aligned; the next hit (0x26e5) is not aligned, so it is definitely not a real instruction and can be excluded.
find a svc syscall->{"address":"0x76c998d6e5","name":"0x26e5","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998d6e5 01 00 00 d4 f8 ff ff 70 00 00 00 00 4c 0c 1d 10 .......p....L...
76c998d6f5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 6c ...............l
76c998d705 01 00 00 24 f9 ff ff 7c 00 00 00 00 4c 0c 1d 10 ...$...|....L...
76c998d715 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 8c ................
76c998d725 01 00 00 80 f9 ff ff 40 00 00 00 00 48 0c 1d 10 .......@....H...
76c998d735 9e 02 9d 04 00 00 00 00 00 00 00 14 00 00 00 ac ................
76c998d745 01 00 00 a0 f9 ff ff d0 00 00 00 00 44 0e 20 00 ............D. .
76c998d755 00 00 00 14 00 00 00 c4 01 00 00 58 fa ff ff 04 ...........X....
76c998d765 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 dc ................
76c998d775 01 00 00 44 fa ff ff 04 00 00 00 00 00 00 00 00 ...D............
76c998d785 00 00 00 14 00 00 00 f4 01 00 00 30 fa ff ff 04 ...........0....
76c998d795 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 0c ................
76c998d7a5 02 00 00 1c fa ff ff 9c 00 00 00 00 4c 0c 1d 10 ............L...
76c998d7b5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 2c ...............,
76c998d7c5 02 00 00 98 fa ff ff 4c 00 00 00 00 4c 0c 1d 10 .......L....L...
76c998d7d5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 4c ...............L // On arm64 instructions are 4-byte aligned; the next hit (0x36e5) is not aligned, so it is definitely not a real instruction and can be excluded.
find a svc syscall->{"address":"0x76c998e6e5","name":"0x36e5","moduleName":"libnative-lib.so","fileName":"","lineNumber":0}
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
76c998e6e5 01 00 00 d4 f8 ff ff 70 00 00 00 00 4c 0c 1d 10 .......p....L...
76c998e6f5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 6c ...............l
76c998e705 01 00 00 24 f9 ff ff 7c 00 00 00 00 4c 0c 1d 10 ...$...|....L...
76c998e715 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 8c ................
76c998e725 01 00 00 80 f9 ff ff 40 00 00 00 00 48 0c 1d 10 .......@....H...
76c998e735 9e 02 9d 04 00 00 00 00 00 00 00 14 00 00 00 ac ................
76c998e745 01 00 00 a0 f9 ff ff d0 00 00 00 00 44 0e 20 00 ............D. .
76c998e755 00 00 00 14 00 00 00 c4 01 00 00 58 fa ff ff 04 ...........X....
76c998e765 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 dc ................
76c998e775 01 00 00 44 fa ff ff 04 00 00 00 00 00 00 00 00 ...D............
76c998e785 00 00 00 14 00 00 00 f4 01 00 00 30 fa ff ff 04 ...........0....
76c998e795 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 0c ................
76c998e7a5 02 00 00 1c fa ff ff 9c 00 00 00 00 4c 0c 1d 10 ............L...
76c998e7b5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 2c ...............,
76c998e7c5 02 00 00 98 fa ff ff 4c 00 00 00 00 4c 0c 1d 10 .......L....L...
76c998e7d5 9e 02 9d 04 00 00 00 00 00 00 00 1c 00 00 00 4c ...............L
search svc syscall over
We only care about the files that get opened and about readlinkat (path resolution).
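The alignment check that the two annotated hits above call for, as an added example (not code from the original notes): instead of trusting a raw byte match, it decodes the A64 SVC encoding at word-aligned addresses, so unaligned and partial matches like 0x26e5 and 0x36e5 are dropped. The sample image and its offsets are constructed to mirror the hits shown above; the base address 0x76c998b000 is what the address/name pairing in the dump implies, and the bytes are synthetic rather than the dump itself.

```javascript
// Added example (not from the original notes). Shows why the 0x26e5 and 0x36e5
// hits above are discarded: A64 instructions are 4-byte words at 4-byte-aligned
// addresses, while a byte-pattern scanner (Memory.scan) reports any byte offset
// at which 01 00 00 d4 occurs, including offsets that fall mid-word inside data.
// The sample image is constructed to mirror the offsets seen above; the bytes
// are synthetic, not the dump from the notes.

// SVC encoding: 1101 0100 000 | imm16 | 00001  ->  0xD4000001 | (imm16 << 5).
// Returns the immediate, or null if the word is not an SVC at all.
function decodeSvc(word) {
  if (((word & 0xffe0001f) >>> 0) !== 0xd4000001) return null;
  return (word >>> 5) & 0xffff;
}

function readU32LE(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// What Memory.scan(base, size, '01 00 00 d4', ...) reports: every byte offset.
function rawPatternHits(bytes) {
  const hits = [];
  for (let i = 0; i + 4 <= bytes.length; i++) {
    if (bytes[i] === 0x01 && bytes[i + 1] === 0x00 && bytes[i + 2] === 0x00 && bytes[i + 3] === 0xd4) hits.push(i);
  }
  return hits;
}

// The check to run inside onMatch (Frida hands you `address`; off = address.sub(base)):
// keep a hit only if the address is word-aligned and the whole word decodes as SVC.
function filterSvcHits(bytes, base, hits) {
  return hits.filter(off => (base + off) % 4 === 0 && decodeSvc(readU32LE(bytes, off)) !== null);
}

// Alternative that never produces the false positive in the first place:
// walk aligned words and decode each one.
function alignedSvcScan(bytes) {
  const out = [];
  for (let off = 0; off + 4 <= bytes.length; off += 4) {
    const imm = decodeSvc(readU32LE(bytes, off));
    if (imm !== null) out.push({ offset: off, imm });
  }
  return out;
}

// Constructed module image (assumption): base 0x76c998b000 (what the dump's
// 0x76c998c088 / "0x1088" pairing implies), real svc #0 at 0x1088 and 0x1444,
// and a 01 00 00 d4 run starting at 0x26e5 that straddles two data words.
const BASE = 0x76c998b000;
function buildSample() {
  const bytes = new Uint8Array(0x3000);              // zero-filled; zero words are not SVC
  bytes.set([0x01, 0x00, 0x00, 0xd4], 0x1088);
  bytes.set([0x01, 0x00, 0x00, 0xd4], 0x1444);
  bytes.set([0x01, 0x00, 0x00, 0xd4], 0x26e5);        // 0x26e5 % 4 === 1: unaligned
  return bytes;
}
const SAMPLE = buildSample();

const raw = rawPatternHits(SAMPLE);
const kept = filterSvcHits(SAMPLE, BASE, raw);
console.log('raw hits:', raw.map(o => '0x' + o.toString(16)).join(' '));
console.log('kept    :', kept.map(o => '0x' + o.toString(16)).join(' '));
```

The raw scan reports 0x1088, 0x1444 and 0x26e5; the alignment-plus-decode filter keeps only the first two, and walking aligned words directly gives the same two without ever seeing the unaligned run. Decoding the full word rather than the four fixed bytes also lets the same code report the immediate, so an svc with a non-zero immediate is still recognised instead of being missed by a 01 00 00 d4 pattern.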
