之前在so注入的时候,能够得到入口函数的地址,使用的代码时Qever大牛的,后来在测试了代码的时候,出现了如下的问题:
root@android:/data/local/tmp # ll
-rwxrwxrwx root root 506668 2016-03-18 03:01 aapt
-rwxrwxrwx root root 13716 2016-03-18 03:01 box
-rwxrwxrwx root root 13572 2017-02-15 05:37 inject
-rwxrwxrwx root root 13452 2017-02-15 05:37 libqever.so
-rwxrwxrwx root root 8708 2016-03-18 03:01 mtools
root@android:/data/local/tmp # chmod 777 inject
root@android:/data/local/tmp # ./inject
Usage:
./inject [lib] [entry] [target]
lib the lib(*.so) to be injected
default is "/data/local/tmp/libqever.so"
entry the entry of lib
default is "entry"
target the target process to be injected, pid or name
default is "com.crackme"
root@android:/data/local/tmp # ./inject com.crackme
[E]Can't find the process com.crackme
255|root@android:/data/local/tmp # ./inject com.crackme
library path = com.crackme
以上是启动注入模块。在启动之前,我先启动了apk,之后调用了./inject 但是得到了如下的提示
130|root@android:/ # logcat |grep "INJECT"
D/INJECT ( 940): [+] Injecting process: 922
D/INJECT ( 940): [+] get_remote_addr: local[40020000], remote[40020000]
D/INJECT ( 940): [+] Remote mmap address: 4003bf43
D/INJECT ( 940): [+] Calling mmap in target process.
D/INJECT ( 940): [+] Target process returned from mmap, return value=5230c000, pc=0
D/INJECT ( 940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT ( 940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT ( 940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT ( 940): [+] get_remote_addr: local[40000000], remote[40000000]
D/INJECT ( 940): [+] Get imports: dlopen: 400050ad, dlsym: 40005019, dlclose: 40004f59, dlerror: 40004f49
D/INJECT ( 940): [+] Calling dlopen in target process.
D/INJECT ( 940): [+] Target process returned from dlopen, return value=0, pc=0
D/INJECT ( 940): [+] Calling dlsym in target process.
D/INJECT ( 940): [+] Target process returned from dlsym, return value=0, pc=0
D/INJECT ( 940): hook_entry_addr = 0x0
D/INJECT ( 940): [+] Calling hook_entry in target process.
D/INJECT ( 940): [+] Target process returned from hook_entry, return value=5230c200, pc=0
D/INJECT ( 940): [+] Calling dlclose in target process.
D/INJECT ( 940): [+] Target process returned from dlclose, return value=0, pc=0
这里的hook_entry_addr =0x0,也就是说,虽然注入了,但是没拿到对应的入口函数,注入程序如下:
#define DEFAULT_LIBS "/data/local/tmp/libqever.so"
#define DEFAULT_ENTRY "entry" 这里是加载的libqever.so中的入口函数名称,
#define DEFAULT_TARGET "com.crackme"
void Usage(char * prog)
{
printf("Usage:\n");
printf(" %s [lib] [entry] [target]\n", prog);
printf(" lib the lib(*.so) to be injected\n");
printf(" default is \"%s\"\n", DEFAULT_LIBS);
printf(" entry the entry of lib\n");
printf(" default is \"%s\"\n", DEFAULT_ENTRY);
printf(" target the target process to be injected, pid or name\n");
printf(" default is \"%s\"\n", DEFAULT_TARGET);
}
int main(int argc, char** argv) {
char * libs = DEFAULT_LIBS;
char * entry = DEFAULT_ENTRY;
char * target = DEFAULT_TARGET;
pid_t target_pid = 0;
switch(argc){
case 1:
Usage(argv[0]);
return 0;
case 4:
target_pid = atoi(argv[3]);
if(target_pid == 0){
target = argv[3];
}
case 3:
entry = argv[2];
case 2:
libs = argv[1];
}
if(target_pid == 0){
target_pid = find_pid_of(target);
}
if (-1 == target_pid) {
printf("[E]Can't find the process %s\n", target);
return -1;
}
//这里是主要注入的方法
inject_remote_process(target_pid, libs, entry, "I'm parameter!", strlen("I'm parameter!"));
return 0;
}
试了好几次,还是不能拿到入口函数的地址,希望得到指点一下,谢谢~
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
QEver
QEver
