Tag: original. Android Java virtual machine interception technical analysis
Author: cockroaches. 1
Time: 2013-10-10, 21:44:03
Recently I decompiled Kingsoft Antivirus (Jinshan Duba) to analyze how its advertisement interception is implemented. According to Kingsoft's own description, it uses a Java virtual machine interception technique, so out of curiosity I studied it. While reading the code I saw that many Java classes are hooked, such as ActivityThread and ServiceManager. While going through the source code I mainly traced the implementation of intercepting the iphonesubinfo service. I have reproduced it in code, tested that it works, and share the results here.
1. Overall flow of the Java virtual machine interception technique
1) First, inject a .so into the remote process via ptrace; for example, Kingsoft injects libksrootclient.so into the remote process.
2) In the remote process, call a static method in libksrootclient via ptrace_call. This method mainly loads the jar that encapsulates the Java function classes and calls the class methods in that jar, completing the hook of the Java layer in that process. The jar Kingsoft Antivirus loads is ksremote.jar.
2. Key techniques
1) .so injection
.so injection is the first step of the Java virtual machine interception technique; whether the injection succeeds determines whether the interception that follows can work at all.
2) Implement the module that intercepts Java API functions and export it as a jar package.
For example, to monitor whether an app reads the phone's IMEI/IMSI, phone number or SIM card number: source code analysis shows that this information is obtained through the relevant methods of the TelephonyManager class, and those methods mainly rely on functions provided by the iphonesubinfo service. So if the iphonesubinfo service's functions are intercepted, it is possible to tell whether an application reads device information.
In the Java layer, services are obtained via the ServiceManager getService method. Analyzing getService shows that it first looks the service up in sCache and, if an entry exists, returns it directly. Therefore, if the iphonesubinfo IBinder reference in sCache is replaced, the interception can be realized.
3) Dynamically load the jar through JNI in the injected .so and implement the key classes in the jar, completing the hook of the Java layer.
The principle of dynamically loading jars through JNI can be found in the post "Android JNI calling jar package".
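The sCache lookup described under 2) is also where a defender can look for this kind of hook: getService returns whatever sits in sCache, so an entry that is not the framework's own remote binder handle did not get there through the normal path. The following integrity check is an added example written for this post, not Kingsoft's or LBE's code; it assumes an Android version on which reflective access to the hidden ServiceManager.sCache field is still permitted (hidden-API restrictions on newer releases may block it), and that the genuine service reports the AOSP descriptor com.android.internal.telephony.IPhoneSubInfo.

```java
import android.os.IBinder;
import android.os.RemoteException;
import java.lang.reflect.Field;
import java.util.Map;

// Added example: checks whether the "iphonesubinfo" entry in ServiceManager.sCache
// is the framework's own remote binder or a Java-level replacement of the kind
// this post describes. Runs inside the app process being inspected.
public final class ServiceCacheCheck {
    // Descriptor reported by the genuine IPhoneSubInfo binder in AOSP (assumption).
    static final String EXPECTED_DESCRIPTOR = "com.android.internal.telephony.IPhoneSubInfo";
    // Class of every real remote binder handle in the framework.
    static final String BINDER_PROXY_CLASS = "android.os.BinderProxy";

    public static final class Result {
        public final boolean cached;        // an sCache entry exists for the service
        public final boolean binderProxy;   // the entry is an android.os.BinderProxy
        public final String descriptor;     // descriptor the entry reports, or null
        Result(boolean cached, boolean binderProxy, String descriptor) {
            this.cached = cached; this.binderProxy = binderProxy; this.descriptor = descriptor;
        }
        // Anything in the cache that is not a BinderProxy with the expected
        // descriptor is not what the framework itself would have put there.
        public boolean looksHooked() {
            return cached && (!binderProxy || !EXPECTED_DESCRIPTOR.equals(descriptor));
        }
    }

    @SuppressWarnings("unchecked")
    public static Result inspect(String serviceName) throws ReflectiveOperationException {
        Class<?> sm = Class.forName("android.os.ServiceManager");   // hidden framework class
        Field cacheField = sm.getDeclaredField("sCache");          // HashMap<String, IBinder>
        cacheField.setAccessible(true);
        Map<String, IBinder> cache = (Map<String, IBinder>) cacheField.get(null);
        IBinder entry = cache.get(serviceName);
        if (entry == null) {
            return new Result(false, false, null);   // nothing cached: getService will ask servicemanager
        }
        boolean proxy = BINDER_PROXY_CLASS.equals(entry.getClass().getName());
        String desc = null;
        try {
            desc = entry.getInterfaceDescriptor();   // round-trips to the remote side
        } catch (RemoteException e) {
            // remote side unreachable: descriptor stays null and looksHooked() reports the mismatch
        }
        return new Result(true, proxy, desc);
    }
}
```

Call ServiceCacheCheck.inspect("iphonesubinfo").looksHooked() from the process under inspection; a hook that also forges the class name or descriptor can evade this, so treat it as one signal rather than proof.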
Summary of Android interception techniques:
1. Android API interception has two modes: intercepting C-layer APIs and intercepting Java-layer APIs.
2. C-layer API interception
The most common approach to C-layer interception is to hook the ioctl call in libbinder.so. In binder communication, user space and kernel space communicate through the ioctl system call; by hooking that call and parsing its arguments, functionality like LBE's active defense can be achieved. The premise is that you must be very familiar with the binder mechanism and the format of binder data transmission.
3. Java virtual machine interception (Java-layer interception)
Java-layer interception only needs to intercept the key methods; it does not require large-scale parsing of the intercepted parameters.
For example, in my implementation of intercepting IMEI reads, simply returning false from the intercept makes the IMEI that the application obtains through the Java API become null.