[Share] Android permission hook
Posted: 2016-2-3 14:16 4566

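It's been a long time since I last visited Kanxue.
What follows is not about hooking techniques; it is just an explanation of hooking permission management.
I believe the main reason most of us hook the system is to manage permissions.
Every app has an ActivityThread when it runs, and Android manages the permissions of all these ActivityThreads through ActivityManagerService. This is a system-level Binder service that runs in the system server process.
So we can go to GrepCode.com and take a closer look.

Searching for setSystemProcess in com.android.server.am.ActivityManagerService, we can see the following code: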
public static void setSystemProcess() {
         try {
             ActivityManagerService m = mSelf;
 
             ServiceManager.addService(Context.ACTIVITY_SERVICE, m, true);
             ServiceManager.addService(ProcessStats.SERVICE_NAME, m.mProcessStats);
             ServiceManager.addService("meminfo", new MemBinder(m));
             ServiceManager.addService("gfxinfo", new GraphicsBinder(m));
             ServiceManager.addService("dbinfo", new DbBinder(m));
             if (MONITOR_CPU_USAGE) {
                 ServiceManager.addService("cpuinfo", new CpuBinder(m));
             }
             ServiceManager.addService("permission", new PermissionController(m));
 
             ApplicationInfo info =
                 mSelf.mContext.getPackageManager().getApplicationInfo(
                             "android", STOCK_PM_FLAGS);
             mSystemThread.installSystemApplicationInfo(info);
 
             synchronized (mSelf) {
                 ProcessRecord app = mSelf.newProcessRecordLocked(info,
                         info.processName, false);
                 app.persistent = true;
                 app.pid = MY_PID;
                 app.maxAdj = ProcessList.SYSTEM_ADJ;
                 app.makeActive(mSystemThread.getApplicationThread(), mSelf.mProcessStats);
                 mSelf.mProcessNames.put(app.processName, app.uid, app);
                 synchronized (mSelf.mPidsSelfLocked) {
                     mSelf.mPidsSelfLocked.put(app.pid, app);
                 }
                 mSelf.updateLruProcessLocked(app, false, null);
                 mSelf.updateOomAdjLocked();
             }
         } catch (PackageManager.NameNotFoundException e) {
             throw new RuntimeException(
                     "Unable to find android system package", e);
         }
     }

The following code is also in ActivityManagerService:
// =========================================================
     // PERMISSIONS
     // =========================================================
 
     static class PermissionController extends IPermissionController.Stub {
         ActivityManagerService mActivityManagerService;
         PermissionController(ActivityManagerService activityManagerService) {
             mActivityManagerService = activityManagerService;
         }
 
         @Override
         public boolean checkPermission(String permission, int pid, int uid) {
             return mActivityManagerService.checkPermission(permission, pid,
                     uid) == PackageManager.PERMISSION_GRANTED;
         }
     }
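
A simplified plain-Java model of the path in the two excerpts above, added here as an illustration; it is not part of the original post and not AOSP code. `Ams`, the in-memory `serviceManager` map, the grant table, the audit list and the sample UIDs/PIDs are constructed stand-ins, and the root/system shortcut is a simplification of the real decision logic.

```java
import java.util.*;

/** Simplified model of the "permission" service lookup path; not AOSP code. */
public class PermissionPathDemo {
    // Same numeric values as PackageManager.PERMISSION_GRANTED / PERMISSION_DENIED.
    static final int PERMISSION_GRANTED = 0, PERMISSION_DENIED = -1;
    // Same numeric values as android.os.Process.ROOT_UID / SYSTEM_UID.
    static final int ROOT_UID = 0, SYSTEM_UID = 1000;

    interface IPermissionController { boolean checkPermission(String permission, int pid, int uid); }

    /** Hypothetical stand-in for ActivityManagerService: the one place the decision is made. */
    static class Ams {
        final Map<Integer, Set<String>> grantedByUid = new HashMap<>(); // constructed sample data
        final List<String> audit = new ArrayList<>();                   // assumption: not in AOSP

        int checkPermission(String permission, int pid, int uid) {
            int result;
            if (permission == null) result = PERMISSION_DENIED;
            else if (uid == ROOT_UID || uid == SYSTEM_UID) result = PERMISSION_GRANTED;
            else result = grantedByUid.getOrDefault(uid, Set.of()).contains(permission)
                    ? PERMISSION_GRANTED : PERMISSION_DENIED;
            // Every caller funnels through here, so this is where a decision can be logged.
            audit.add(permission + " pid=" + pid + " uid=" + uid + " -> " + result);
            return result;
        }
    }

    /** Same shape as the PermissionController excerpt: turns the int result into a boolean. */
    static class PermissionController implements IPermissionController {
        final Ams ams;
        PermissionController(Ams ams) { this.ams = ams; }
        public boolean checkPermission(String permission, int pid, int uid) {
            return ams.checkPermission(permission, pid, uid) == PERMISSION_GRANTED;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> serviceManager = new HashMap<>(); // stand-in for ServiceManager
        Ams ams = new Ams();
        ams.grantedByUid.put(10001, Set.of("android.permission.INTERNET")); // constructed app UID
        serviceManager.put("permission", new PermissionController(ams));    // as in setSystemProcess()

        // A client resolves the service by name and asks about a (permission, pid, uid) triple.
        IPermissionController pc = (IPermissionController) serviceManager.get("permission");
        System.out.println(pc.checkPermission("android.permission.INTERNET", 4242, 10001));
        System.out.println(pc.checkPermission("android.permission.READ_CONTACTS", 4242, 10001));
        System.out.println(pc.checkPermission("android.permission.READ_CONTACTS", 1, SYSTEM_UID));
        ams.audit.forEach(System.out::println); // one audit line per decision
    }
}
```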
