首页
社区
课程
招聘
[求助]VirtualApp 开源项目有段代码 看不太懂。。
发表于: 2021-4-24 00:18 4181

[求助]VirtualApp 开源项目有段代码 看不太懂。。

2021-4-24 00:18
4181

//search_memory_syscall 这段代码看不太懂。。。
看名字应该是从加载的so中 搜索syscall??
搜索到syscall,这个insn是什么?是syscall的函数吗?
为什么根据这个调用MSHookFunction???

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
VirtualApp/lib/src/main/jni/Foundation/IORelocator64.cpp
 findSyscalls("/system/lib64/libc.so", on_found_syscall_aarch64);
 findSyscalls("/system/bin/linker64", on_found_linker_syscall_arch64);
 
 
 
 
VirtualApp/lib/src/main/jni/Foundation/syscall/BinarySyscallFinder.cpp
void findSyscalls(const char *path, bool (*callback)(const char *, int, void *)) {
    FILE *f;
    if ((f = fopen("/proc/self/maps", "r")) == NULL) {
        return;
    }
    char buf[PATH_MAX + 100], perm[5], dev[6], mapname[PATH_MAX];
    addr_t begin, end, inode, foo;
 
    while (!feof(f)) {
        if (fgets(buf, sizeof(buf), f) == 0)
            break;
        mapname[0] = '\0';
        sscanf(buf, "%lx-%lx %4s %lx %5s %ld %s", &begin, &end, perm,
               &foo, dev, &inode, mapname);
        if (strstr(buf, path) && has_code(perm)) {
            search_memory_syscall(path, begin, end, callback);
        }
    }
    fclose(f);
}
 
 
void
search_memory_syscall(const char *path, addr_t begin, addr_t end,
                      bool (*callback)(const char *, int, void *)) {
    addr_t start = begin;
    addr_t limit = end - sizeof(int32_t) * 2;
    do {
        int32_t *insn = reinterpret_cast<int32_t *>(start);
        if (insn[1] == AARCH64_SVC_0 && AARCH64_IS_MOV(insn[0])) {
            unsigned syscall_num = (unsigned) ((insn[0] >> 5) & 0xFFFF);
 
            ##此处的insn是什么?????
            if (!(*callback)(path, syscall_num, insn)) {
                break;
            }
        }
        start += sizeof(int32_t);
    } while (start < limit);
}
 
 
bool on_found_syscall_aarch64(const char *path, int num, void *func) {
    static int pass = 0;
    switch (num) {
        case __NR_fchmodat:
            MSHookFunction(func, (void *) new_fchmodat, (void **) &orig_fchmodat);
            pass++;
            break;
        case __NR_faccessat:
            MSHookFunction(func, (void *) new_faccessat, (void **) &orig_faccessat);
            pass++;
            break;
        case __NR_statfs:
            MSHookFunction(func, (void *) new___statfs, (void **) &orig___statfs);
            pass++;
            break;
        case __NR_getcwd:
            MSHookFunction(func, (void *) new_getcwd, (void **) &orig_getcwd);
            pass++;
            break;
        case __NR_openat:
            MSHookFunction(func, (void *) new_openat, (void **) &orig_openat);
            pass++;
            break;
    }
    if (pass == 5) {
        return BREAK_FIND_SYSCALL;
    }
    return CONTINUE_FIND_SYSCALL;
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2021-4-24 00:20 被duoduo231编辑 ,原因: aa
收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 2888
活跃值: (6646)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2

void

search_memory_syscall(const char *path, addr_t begin, addr_t end,

                      bool (*callback)(const char *int, void *)) {

    addr_t start = begin;

    addr_t limit = end - sizeof(int32_t) * 2;

    do {

        int32_t *insn = reinterpret_cast<int32_t *>(start);

        if (insn[1== AARCH64_SVC_0 && AARCH64_IS_MOV(insn[0])) {

            unsigned syscall_num = (unsigned) ((insn[0] >> 5) & 0xFFFF);

 

            ##此处的insn是什么?????

            if (!(*callback)(path, syscall_num, insn)) {

                break;

            }

        }

        start += sizeof(int32_t);

    while (start < limit);

}


addr_t start = begin;//开始地址

int32_t *insn = reinterpret_cast<int32_t *>(start);// 把地址指针转换成int32_t

insn[1== AARCH64_SVC_0 && AARCH64_IS_MOV(insn[0])// 如果insn[1]是svc EL0且insn[0]是mov 执行操作

(*callback)(path, syscall_num, insn)// 回调函数, 参数(const char *int, void *)


简而言之 insn 是地址参数

2021-4-24 01:57
0
雪    币: 29
活跃值: (5647)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
就是根据linker和libc内syscall函数指令的opcode来搜索要hook的syscall,找到之后就调用MSHookFunction进行hook
2021-4-24 14:40
0
雪    币: 122
活跃值: (536)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
insn一般指的是【指令】本身吧  这里的insn是一个指令数组,貌似是一个方法内的一组指令  以上是我猜的
2021-4-26 18:54
0
游客
登录 | 注册 方可回帖
返回
//