[旧帖] [求助]android 注入 0.00雪花
发表于: 2013-4-23 17:08 2105

按照论坛上介绍的方法操作，一直注入不成功，求解答。
inject.c
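      int main(int argc, char** argv){
    /*
     * Inject a shared object into the running servicemanager.
     *
     * Looks the target pid up by executable path, then asks
     * inject_remote_process() (defined elsewhere in inject.c) to load
     * /dev/libtestso.so into that process and call its "_init" symbol
     * with a dummy message.
     *
     * Returns 0 on success, non-zero otherwise. The value is also the
     * process exit status, so a caller running "su -c /dev/inject" can
     * check it.
     */
    (void)argc;
    (void)argv;

    pid_t target_pid = find_pid_of("/system/bin/servicemanager");
    /* find_pid_of() lives elsewhere in this file; the assumption here is
     * that it reports "no such process" with a negative pid -- confirm.
     * Without this guard a lookup miss hands an invalid pid to the ptrace
     * path and the failure is far harder to diagnose. */
    if (target_pid < 0) {
        LOGD("target process /system/bin/servicemanager not found");
        return -1;
    }

    /* NOTE(review): the library is loaded from /dev and, per the post, is
     * chmod 777. Whatever gets mapped into servicemanager (a privileged
     * system process -- confirm its uid in init.rc) must not be
     * world-writable, or any app on the device can swap the .so and run
     * code in that process. Use a root-owned, non-writable path and
     * 0644/0755 modes.
     *
     * "_init" is also a questionable entry name: it is a reserved
     * file-scope identifier and conventionally the ELF DT_INIT routine.
     * An earlier revision used "hook_entry" from /dev/libhello.so; a plain
     * exported name like that is the safer choice. */
    const char *so_path = "/dev/libtestso.so";
    const char *entry = "_init";
    const char *msg = "this is a msg";

    int rc = inject_remote_process(target_pid, so_path, entry,
                                   msg, strlen(msg));
    if (rc != 0) {
        LOGD("inject_remote_process failed");
    } else {
        LOGD("inject success");
    }
    return rc;
}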

libtest.so
      

     #include <stdio.h>
#include <unistd.h>
#include<android/log.h>

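#define LOGTAG "injectso"
/* Log a message at ERROR priority under LOGTAG through liblog.
 * Wrapped in do { } while (0) so the macro expands to exactly one
 * statement: the original expansion ended with its own ';', which
 * produces an empty statement after every use and breaks
 * `if (x) LOGW("..."); else ...`. */
#define LOGW(a) do { __android_log_write(ANDROID_LOG_ERROR, LOGTAG, (a)); } while (0)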

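/*
 * Entry point the injected stub resolves with dlsym("_init") and calls
 * with a pointer to the message buffer copied into the target process.
 *
 * Because of __attribute__((constructor)) it is ALSO run by the dynamic
 * linker while dlopen() maps the library, and on that path nothing is
 * passed: `args` is indeterminate and must not be read. The body therefore
 * only logs and deliberately ignores the parameter.
 *
 * NOTE(review): `_init` is a reserved file-scope identifier and is the name
 * toolchains conventionally use for the ELF DT_INIT routine supplied by the
 * crt objects; defining it here may collide with them, which is a plausible
 * cause of the "injection never works" symptom -- confirm with readelf / the
 * link log. A plain exported name such as hook_entry (the name the
 * commented-out call in inject.c uses) avoids both the collision and the
 * double invocation.
 *
 * The shellcode also inspects this function's return value in r0 to decide
 * whether to dlclose() the library (0 = keep it mapped). As the function is
 * void, r0 is whatever happened to be left there, so the unload decision is
 * effectively random; once renamed, return an int and return 0 to stay
 * resident.
 */
void _init(char *args) __attribute__((constructor));
void _init(char *args)
{
    (void)args; /* indeterminate when invoked as a constructor -- never use */
    LOGW("hey i am running");
}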

mk代码:
   LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)

# Injector sources: the C driver (pid lookup, ptrace, remote-call glue) and
# the position-independent stub in shellcode.s that runs inside the target.
LOCAL_SRC_FILES:= \
        inject.c \
        shellcode.s
# -llog for __android_log_write. The explicit -L$(SYSROOT)/usr/lib is
# NDK-style and normally redundant (the NDK already searches the sysroot).
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
LOCAL_MODULE:=inject

# NOTE(review): LOCAL_STATIC_LIBRARIES := libc and the two variables below
# (TARGET_OUT_OPTIONAL_EXECUTABLES, LOCAL_MODULE_TAGS) are AOSP platform
# build settings, while LOCAL_LDLIBS / SYSROOT above are NDK ones. Whichever
# build system actually consumes this file silently ignores the other half;
# check which one is intended and whether "libc" is a module it knows.
# Static libc is presumably meant to keep the injector independent of the
# target device's bionic -- confirm the link actually succeeds.
LOCAL_STATIC_LIBRARIES := libc

LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
LOCAL_MODULE_TAGS := debug

include $(BUILD_EXECUTABLE)

shellcode.s
@ Remote stub executed inside the target process.
@
@ inject.c copies the bytes between _inject_start_s and _inject_end_s into
@ the target, after patching the .word slots below with the target-side
@ addresses of dlopen/dlsym/dlclose, the copied path/symbol/message strings
@ and the register context saved at attach time. The stub then performs
@ dlopen -> dlsym -> call entry -> (optionally) dlclose and restores the
@ saved registers so the target resumes where it was stopped.
@
@ Every `ldr rX, label` below is PC-relative, so the code and the data words
@ must be copied together as one contiguous blob and must not be reordered.
.global _dlopen_addr_s
.global _dlopen_param1_s
.global _dlopen_param2_s

.global _dlsym_addr_s
.global _dlsym_param2_s

.global _dlclose_addr_s

.global _inject_start_s
.global _inject_end_s

.global _inject_function_param_s

.global _saved_cpsr_s
.global _saved_r0_pc_s

@ Placed in .data rather than .text so the injector can read and patch the
@ bytes as ordinary data; they are never executed in the injector itself.
.data

_inject_start_s:
        @ debug loop
        @ Uncomment the two lines below to spin here so a debugger can be
        @ attached to the target and the stub single-stepped.
3:
        @sub r1, r1, #0
        @B 3b

        @ dlopen
        @ r0 = path string (patched), r1 = flags; r0 = dlopen(path, flags).
        ldr r1, _dlopen_param2_s
        ldr r0, _dlopen_param1_s
        ldr r3, _dlopen_addr_s
        blx r3
        @ Keep the handle in r4 (callee-saved across the calls below). r0 is
        @ not modified, so it is already the handle argument for dlsym.
        @ A NULL handle means dlopen failed: nothing to close, just restore.
        subs r4, r0, #0
        beq        2f

        @dlsym
        @ r0 = handle (still in r0), r1 = symbol name (patched);
        @ r3 = dlsym(handle, name).
        ldr r1, _dlsym_param2_s
        ldr r3, _dlsym_addr_s
        blx r3
        @ Symbol not found: unload the library, then restore.
        subs r3, r0, #0
        beq 1f

        @call our function
        @ r0 = pointer to the copied message (patched); r0 = entry(msg).
        ldr r0, _inject_function_param_s
        blx r3
        @ NOTE(review): the entry's return value decides whether the library
        @ stays mapped: 0 -> skip dlclose and restore, non-zero -> dlclose.
        @ The posted libtest.so entry (_init) is declared void, so r0 here is
        @ whatever the callee left behind and the unload decision is random.
        subs r0, r0, #0
        beq 2f

1:
        @dlclose
        @ dlclose(handle) with the handle kept in r4 above.
        mov r0, r4
        ldr r3, _dlclose_addr_s
        blx r3

2:
        @restore context
        @ Restore the CPSR saved at attach time. From user mode only the
        @ condition flags take effect; the control field write is ignored.
        ldr r1, _saved_cpsr_s
        msr cpsr_cf, r1
        @ sp = target-side address of the saved r0..pc block (patched), then
        @ load r0-r15 from it in one go. No writeback ('!') is used, so sp
        @ itself comes from the block too; loading pc resumes the target.
        ldr sp, _saved_r0_pc_s
        ldmfd sp, {r0-pc}

@ Patch slots. 0x11111111 is a placeholder the injector overwrites with the
@ target-side value before copying the blob.
_dlopen_addr_s:
.word 0x11111111

_dlopen_param1_s:
.word 0x11111111

@ dlopen flags. NOTE(review): 0x2 is RTLD_NOW on glibc, but the 32-bit bionic
@ dlfcn.h of this era defines RTLD_NOW as 0 and RTLD_GLOBAL as 2 -- check the
@ target's header; RTLD_NOW | RTLD_GLOBAL may be what was intended.
_dlopen_param2_s:
.word 0x2

_dlsym_addr_s:
.word 0x11111111

_dlsym_param2_s:
.word 0x11111111

_dlclose_addr_s:
.word 0x11111111

_inject_function_param_s:
.word 0x11111111

_saved_cpsr_s:
.word 0x11111111

_saved_r0_pc_s:
.word 0x11111111

_inject_end_s:

@ Padding after the end marker. Presumably the copied length is
@ _inject_end_s - _inject_start_s, so this area is not part of the blob --
@ confirm against inject.c.
.space 0x400, 0

.end

apk中调用
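   // Launch the injector as root. The argv is passed explicitly instead of
   // one command string: exec(String) splits on whitespace, so any path with
   // spaces or quoting would be mis-tokenised, whereas String[] hands each
   // argument to su unchanged. The returned Process should still be checked
   // by the caller (waitFor() exit status, stderr); otherwise a failing
   // inject is completely silent.
   //
   // NOTE(review): /dev/inject runs as root and, per the post, is chmod 777,
   // so any app on the device can overwrite it and obtain root. Keep the
   // binary and the .so it loads in a root-owned, non-world-writable
   // location with 0755/0644 modes before relying on this.
   Runtime.getRuntime().exec(new String[] {"su", "-c", "/dev/inject"});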

     
    /dev 下的 inject 和 libtestso 都是 777 权限。（注意：inject 以 root 身份执行，libtestso.so 会被映射进 servicemanager 这类特权进程，二者若对所有用户可写，设备上任意应用都能替换它们并以相应身份执行代码；排查完成后应改为 root 属主、755/644 这类不可写权限，并放到 /dev 以外的位置。）


最新回复 (1)
su -c "/dev/inject" 这样的命令才可以执行，你可以先在 adb shell 里试试。
所以你在 apk 中调用应该这样写: Runtime.getRuntime().exec("su -c \"/dev/inject\""); （补充：Runtime.exec(String) 只按空白字符切分参数，转义的引号会原样传给 su，再由 su 启动的 shell 去掉；更稳妥的写法是用 String[] 重载显式传参：exec(new String[]{"su", "-c", "/dev/inject"})，并用 waitFor() 检查退出码，否则注入失败时不会有任何提示。）

不过如果是真写程序,建议定义一个变量 private static final String injectCmd = "\"/dev/inject\"";
免得以后修改到处改
2013-11-28 10:38