通过dlopen、dlsym获取共享库函数地址、全局变量是一种经常使用到的编程技巧,尤其是在Hook框架中。然而无论是dlsym还是一些常用框架(如Nougat_dlfunctions
),都只能搜索.dynsym段,而无法搜索.symtab段。因此实现.symtab段搜索是一个亟待解决的问题。
本文将介绍在Nougat_dlfunctions框架基础上,如何实现搜索.symtab段的功能。(如果对FastHook不了解,请查阅FastHook——一种高效稳定、简洁易用的Android Hook框架)
项目地址:Enhanced_dlfunctions
ELF文件实际是个表结构,以段为单位,每个段存储不同的信息,段与段之间以索引来关联形成一个表。所以只要有一个头,就可以通过这些关系访问所有的段,这个头便是ELF文件头。下面我们来看看需要获取那些信息:
1. 获取so加载的地址,存储在load_addr
2. 重新映射so,获取ELF文件头
3. 获取.shstrtab段。
4.获取.dynsym段、.dynstr段、.symtab段、.strtab段
1. 先查询.dynsym段。遍历.dymsym所有符号,查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。
2. 如果.dynsym段找不到目标符号且.symtab段存在时,遍历.symtab所有符号,查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。
Nougat_dlfunctions只支持arm平台,而我在实际工作中也不涉及到x86平台,所以Enhanced dlfunctions暂时只支持arm32和arm64,如果要兼容x86等其他平台也不难,不需要改实现,主要就是elf.h一些结构体的不同。
void *enhanced_dlopen(const char *libpath, int flags) {
FILE *maps;
char buff[256];
struct ctx *ctx = 0;
off_t load_addr, size;
int k, fd = -1, found = 0;
void *shoff;
Elf_Ehdr *elf = (Elf_Ehdr *) MAP_FAILED;
#define fatal(fmt, args...) do { log_err(fmt,##args); goto err_exit; } while(0)
maps = fopen("/proc/self/maps", "r");
if (!maps) fatal("failed to open maps");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (!found) fatal("%s not found in my userspace", libpath);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
log_info("%s loaded in Android at 0x%08lx", libpath, load_addr);
/* Now, mmap the same library once again */
fd = open(libpath, O_RDONLY);
if (fd < 0) fatal("failed to open %s", libpath);
size = lseek(fd, 0, SEEK_END);
if (size <= 0) fatal("lseek() failed for %s", libpath);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
close(fd);
fd = -1;
if (elf == MAP_FAILED) fatal("mmap() failed for %s", libpath);
ctx = (struct ctx *) calloc(1, sizeof(struct ctx));
if (!ctx) fatal("no memory for %s", libpath);
ctx->load_addr = (void *) load_addr;
shoff = ((void *) elf) + elf->e_shoff;
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {
Elf_Shdr *sh = (Elf_Shdr *) shoff;
log_dbg("%s: k=%d shdr=%p type=%d", __func__, k, sh, sh->sh_type);
switch (sh->sh_type) {
case SHT_DYNSYM:
if (ctx->dynsym) fatal("%s: duplicate DYNSYM sections", libpath); /* .dynsym */
ctx->dynsym = malloc(sh->sh_size);
if (!ctx->dynsym) fatal("%s: no memory for .dynsym", libpath);
memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_SYMTAB:
if (ctx->symtab) fatal("%s: duplicate SYMTAB sections", libpath); /* .symtab */
ctx->symtab = malloc(sh->sh_size);
if (!ctx->symtab) fatal("%s: no memory for .symtab", libpath);
memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_STRTAB:
if(!strcmp(shstr+sh->sh_name,".dynstr")) {
if (ctx->dynstr) break; /* .dynstr is guaranteed to be the first STRTAB */
ctx->dynstr = malloc(sh->sh_size);
if (!ctx->dynstr) fatal("%s: no memory for .dynstr", libpath);
memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);
}else if(!strcmp(shstr+sh->sh_name,".strtab")) {
if (ctx->strtab) break;
ctx->strtab = malloc(sh->sh_size);
if (!ctx->strtab) fatal("%s: no memory for .strtab", libpath);
memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
}
break;
case SHT_PROGBITS:
if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;
/* won't even bother checking against the section name */
ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;
break;
}
}
munmap(elf, size);
elf = 0;
if (!ctx->dynstr || !ctx->dynsym) fatal("dynamic sections not found in %s", libpath);
#undef fatal
log_dbg("%s: ok, dynsym = %p, dynstr = %p symtab = %p strtab = %p", libpath, ctx->dynsym, ctx->dynstr, ctx->symtab, ctx->strtab);
return ctx;
}
maps = fopen("/proc/self/maps", "r");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
fd = open(libpath, O_RDONLY);
size = lseek(fd, 0, SEEK_END);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2019-3-22 13:41
被图灵技师编辑
,原因:
