根据论坛上的方法,一直注入不成功,求解答,
inject.c
int main(int argc, char** argv){
pid_t target_pid= find_pid_of("/system/bin/servicemanager");
//int success = inject_remote_process(target_pid, "/dev/libhello.so", "hook_entry","this is a msg", strlen("this is a msg"));
int success = inject_remote_process(target_pid,"/dev/libtestso.so","_init","this is a msg", strlen("this is a msg"));
if(success != 0){
LOGD("inject_remote_process failed");
}else{
LOGD("inject success");
}
return success;
}
libtest.so
#include <stdio.h>
#include <unistd.h>
#include<android/log.h>
#define LOGTAG "injectso"
#define LOGW(a) __android_log_write(ANDROID_LOG_ERROR,LOGTAG,a);
void _init(char *args) __attribute__((constructor));
void _init(char *args){
LOGW("hey i am running");
}
mk代码:
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES:= \
inject.c \
shellcode.s
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
LOCAL_MODULE:=inject
LOCAL_STATIC_LIBRARIES := libc
LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
LOCAL_MODULE_TAGS := debug
include $(BUILD_EXECUTABLE)
shellcode.s
.global _dlopen_addr_s
.global _dlopen_param1_s
.global _dlopen_param2_s
.global _dlsym_addr_s
.global _dlsym_param2_s
.global _dlclose_addr_s
.global _inject_start_s
.global _inject_end_s
.global _inject_function_param_s
.global _saved_cpsr_s
.global _saved_r0_pc_s
.data
_inject_start_s:
@ debug loop
3:
@sub r1, r1, #0
@B 3b
@ dlopen
ldr r1, _dlopen_param2_s
ldr r0, _dlopen_param1_s
ldr r3, _dlopen_addr_s
blx r3
subs r4, r0, #0
beq 2f
@dlsym
ldr r1, _dlsym_param2_s
ldr r3, _dlsym_addr_s
blx r3
subs r3, r0, #0
beq 1f
@call our function
ldr r0, _inject_function_param_s
blx r3
subs r0, r0, #0
beq 2f
1:
@dlclose
mov r0, r4
ldr r3, _dlclose_addr_s
blx r3
2:
@restore context
ldr r1, _saved_cpsr_s
msr cpsr_cf, r1
ldr sp, _saved_r0_pc_s
ldmfd sp, {r0-pc}
_dlopen_addr_s:
.word 0x11111111
_dlopen_param1_s:
.word 0x11111111
_dlopen_param2_s:
.word 0x2
_dlsym_addr_s:
.word 0x11111111
_dlsym_param2_s:
.word 0x11111111
_dlclose_addr_s:
.word 0x11111111
_inject_function_param_s:
.word 0x11111111
_saved_cpsr_s:
.word 0x11111111
_saved_r0_pc_s:
.word 0x11111111
_inject_end_s:
.space 0x400, 0
.end
apk中调用
Runtime.getRuntime().exec("su -c /dev/inject");
在dev下的inject和libtestso都是777的权限
[注意]APP应用上架合规检测服务,协助应用顺利上架!