[Help] Android 4.3 hook binder server
Posted: 2015-5-31 20:05  13961

By combining some code found online, I built a service that intercepts an arbitrary binder server in order to filter certain binder requests. My main target is the system_server process: I replace the system's original BBinder with a BBinder I wrote myself. What I am currently testing is replacing PackageManagerService.

Below is the Java part of the code.
package com.bigcharge.framework;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.bigcharge.core.SysLog;

import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.ParceledListSlice;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Parcelable;
import android.os.RemoteException;
import android.os.UserHandle;

public final class ProxyPackageManagerServcie extends Binder {
	private static final String TAG = "ProxyPackageManagerServcie";
	private static final String DESCRIPTOR = "android.content.pm.IPackageManager";
	private static TransActionPackage mTransAction;
	private Context mContext;
	static {
		mTransAction = new TransActionPackage();
		mTransAction.updateCodes();
	}

	private IBinder mBinder;

	public ProxyPackageManagerServcie(IBinder binder, Context context) {
		mBinder = binder;
		mContext = context;
	}

	@SuppressWarnings("unchecked")
	@Override
	protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
			throws RemoteException {
		boolean bk = false;

		mTransAction.checkCode(code);

		if (mTransAction.isCode(code,
				TransActionPackage.TRANSACTION_getInstalledApplications)) {
			ParceledListSlice<ApplicationInfo> _result;
			List<ApplicationInfo> list;
			ArrayList<ApplicationInfo> newlist;
			
			bk = mBinder.transact(code, data, reply, flags);
			int pos = reply.dataPosition();
			SysLog.logD(TAG, "[+]old dataPosition:"+pos);
			reply.readException();
			if ((0 != reply.readInt())) {
				_result = android.content.pm.ParceledListSlice.CREATOR.createFromParcel(reply);
				list = _result.getList();
				int length = list.size();
				SysLog.logD(TAG, "[+]old size:"+length);
				int hidesize = 0;
				int newsize = 0;
				for(int i=0;i<length;++i){
					ApplicationInfo info = list.get(i);
					if (isHideProcess(info.packageName)) {
						hidesize++;
					}
				}
				newsize = length - hidesize;
				SysLog.logD(TAG, "[+]new size:"+newsize);
				newlist = new ArrayList<ApplicationInfo>(newsize);
				for(int i=0;i<length;++i){
					ApplicationInfo info = list.get(i);
					if (!isHideProcess(info.packageName)) {
						newlist.add(info);
					}
				}
				ParceledListSlice<ApplicationInfo> plist = new ParceledListSlice<ApplicationInfo>(
						newlist);
// As soon as the block below runs, re-packing the Parcel throws; the exception log is pasted further down.
				reply.setDataPosition(pos);
				reply.setDataSize(0);
//				reply.setDataPosition(0);
				reply.writeNoException();
				if((plist!=null)){
					reply.writeInt(1);
					plist.writeToParcel(reply, android.os.Parcelable.PARCELABLE_WRITE_RETURN_VALUE);
					SysLog.logD(TAG, "[+]new reply over");
				}else{
					reply.writeInt(0);
				}
				
				return true;
			} else {
				reply.setDataPosition(0);
				return bk;
			}
		} else {
			bk = mBinder.transact(code, data, reply, flags);
		}

		return bk;
	}

	private boolean isHideProcess(String packageName) {
		if ("com.myhide.app".equals(packageName)) {
			return true;
		}
		return false;
	}
}


Below is the exception log:
F/libc    (  682): @@@ ABORTING: invalid address or address of corrupt block 0x60d0e4c0 passed to dlfree
F/libc    (  682): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 1658 (Binder_7)
F/libc    (  682): Unable to open connection to debuggerd: Connection refused
W/Sensors ( 1149): sensorservice died [0x5c307618]
W/Sensors ( 3259): sensorservice died [0x5c2f3988]
W/AudioFlinger(  267): power manager service died !!!
I/Atfwd_Sendcmd(  319): AtCmdFwd : binderDied
W/Sensors ( 1032): sensorservice died [0x5c125a10]
W/Sensors ( 1161): sensorservice died [0x5c135fc8]
E/WifiManager( 1225): Channel connection lost
E/WifiManager( 2254): Channel connection lost
W/Sensors ( 2954): sensorservice died [0x5c1402f0]
E/WifiManager( 1032): Channel connection lost
V/AudioPolicyManagerBase(  267): releaseOutput() 2
V/AudioPolicyManagerBase(  267): releaseOutput() 2
E/WifiManager( 2745): Channel connection lost
E/WifiManager( 2788): Channel connection lost
I/ServiceManager(  253): service 'LEDService' died
I/ServiceManager(  253): service 'dbinfo' died
I/ServiceManager(  253): service 'telephony.registry' died
I/ServiceManager(  253): service 'scheduling_policy' died
I/ServiceManager(  253): service 'power' died
I/ServiceManager(  253): service 'appops' died
I/ServiceManager(  253): service 'multiwindow' died
I/ServiceManager(  253): service 'usagestats' died
I/ServiceManager(  253): service 'wfd' died
I/ServiceManager(  253): service 'wifi' died
I/ServiceManager(  253): service 'wifip2p' died
I/ServiceManager(  253): service 'sec_analytics' died
I/ServiceManager(  253): service 'connectivity' died
I/ServiceManager(  253): service 'content' died
I/ServiceManager(  253): service 'user' died
I/ServiceManager(  253): service 'vibrator' died
I/ServiceManager(  253): service 'meminfo' died
I/ServiceManager(  253): service 'sensorservice' died
I/ServiceManager(  253): service 'battery' died
I/ServiceManager(  253): service 'cpuinfo' died
I/ServiceManager(  253): service 'batteryinfo' died
I/ServiceManager(  253): service 'container_service' died
I/ServiceManager(  253): service 'permission' died
I/ServiceManager(  253): service 'account' died
I/ServiceManager(  253): service 'DirEncryptService' died
I/ServiceManager(  253): service 'CustomFrequencyManagerService' died
I/ServiceManager(  253): service 'entropy' died
I/ServiceManager(  253): service 'samsung.smartfaceservice' died
I/ServiceManager(  253): service 'dreams' died
I/ServiceManager(  253): service 'edmnativehelper' died
I/ServiceManager(  253): service 'window' died
E/WifiManager( 1149): Channel connection lost
E/WifiManager( 1124): Channel connection lost

I still haven't figured out what is wrong with the re-packing of the Parcel. On versions below 4.3 this method works fine.
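The log above is the defender-relevant artefact in this thread: a Bionic abort on a Binder thread of one process, immediately followed by ServiceManager reporting many services dead, is the signature of system_server being taken down by a faulty in-process hook. As an added example (not code from the post), the Python below correlates those two events over a constructed excerpt of the posted logcat lines; the regexes, threshold and verdict names are this example's own.

```python
import re

# Constructed excerpt modelled on the logcat lines quoted in the post.
SAMPLE_LOG = """\
F/libc    (  682): @@@ ABORTING: invalid address or address of corrupt block 0x60d0e4c0 passed to dlfree
F/libc    (  682): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 1658 (Binder_7)
W/Sensors ( 1149): sensorservice died [0x5c307618]
I/ServiceManager(  253): service 'power' died
I/ServiceManager(  253): service 'permission' died
I/ServiceManager(  253): service 'user' died
I/ServiceManager(  253): service 'window' died
"""

# logcat "brief" format: <level>/<tag>( <pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/(.+?)\s*\(\s*(\d+)\):\s*(.*)$")
FATAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\) at (0x[0-9a-f]+).*thread \d+ \((\w+)\)")
DIED_RE = re.compile(r"service '([^']+)' died")


def parse_line(line):
    """Return (level, tag, pid, message) for one logcat line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    level, tag, pid, msg = m.groups()
    return level, tag, int(pid), msg


def analyze(log_text, cascade_threshold=3):
    """Correlate a Bionic fatal abort with the ServiceManager 'died' cascade that follows it."""
    result = {"crash_pid": None, "signal": None, "thread": None,
              "heap_corruption": False, "dead_services": [], "verdict": "none"}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        level, tag, pid, msg = parsed
        if level == "F" and tag == "libc":
            if "passed to dlfree" in msg:   # allocator rejected a corrupt/foreign block
                result["heap_corruption"] = True
            fm = FATAL_RE.search(msg)       # 0xdeadbaad is Bionic's deliberate abort address
            if fm:
                result.update(crash_pid=pid, signal=int(fm.group(1)), thread=fm.group(4))
        elif tag == "ServiceManager":
            dm = DIED_RE.search(msg)
            if dm:
                result["dead_services"].append(dm.group(1))
    if result["crash_pid"] and len(result["dead_services"]) >= cascade_threshold:
        on_binder = (result["thread"] or "").startswith("Binder_")
        result["verdict"] = "binder_thread_crash_took_down_services" if on_binder else "crash_took_down_services"
    return result
```

A crash on a `Binder_N` thread means the process died while servicing a transaction, which is exactly where a rewritten reply Parcel would fault.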

Latest replies (9)
#2
Bumping this. Does this service that intercepts arbitrary binder servers need root privileges?
2015-6-1 10:02
#3
Root privileges are required for injection before you can hook the binder server.
2015-6-1 18:53
#4
OK, thanks. That makes it somewhat limited in use.
2015-6-1 23:14
#5
I don't see it that way; hook techniques inherently require root. Once you have root, there are many ways to obtain it permanently. It only needs to be executed with root once.
2015-6-3 22:58
#6
The main thing is that the read/write position in the parcel must be correct; otherwise the data reads and writes get scrambled, and naturally the system crashes.

// As soon as the block below runs, re-packing the Parcel throws; the exception log is pasted further down.
        reply.setDataPosition(0);
        reply.setDataSize(0);
2015-6-9 21:04
#7
Found the problem. The approach is to construct a Parcel on the hook side to call the real server; once the correct data has come back, write it into the Parcel that the app side passed in. That way rewriting the Parcel doesn't cause the memory error.
2015-6-11 09:46
#8
I'm hooking at the C layer, and on 4.4 I now have an infinite-reboot problem. OP, how well does the Java-layer hook hold up on 4.4 and above?
2015-6-14 12:39
#9
4.4 changed a lot, from the Java layer down to the native layer. Hooking at the Java layer, I haven't found any problems so far; it's still working well.
2015-6-29 13:18
#10
OP, could you explain how you ended up packing the reply? I'm building a permission interception/control program. Would you mind if I added you on QQ? 259052745
2015-6-29 16:48