[Original] Using hardware breakpoints with GDB on Android, with a feature demo combined with krhook
Posted: 2021-10-6 21:08 13442


Preface

A while ago I implemented kernel-level stack backtracing, and planned to go one step further and implement hardware breakpoints by referring to rwProcMem33: set a breakpoint at an arbitrary address and then backtrace the stack.
Before that I looked into GDB's related features and found that it also supports hardware breakpoints, although the target is then held by ptrace. Either way, let's first learn the underlying mechanism, so this is a transitional article.

For a description of krhook's features see:

https://github.com/yhnu/op7t/tree/dev/kr_offline

Preparation

  1. The Linux kernel only supports hardware breakpoints on ARM from version 2.6.37 onward

    The kernel version we use is 4.14.117, so it is fully supported

  2. GDB only supports hardware breakpoints on ARM from version 7.3 onward (we use the latest ndk-23)

    Because the working environment used an older NDK version, the following error appeared

    [screenshot: GDB error with the old NDK]

  3. The kernel build options must enable hardware breakpoint support

    The hardware breakpoint feature is essentially the kernel's ptrace module wrapping the ARM hardware debug exceptions, but the corresponding config macro must be enabled at build time; if you want to implement hardware breakpoints yourself, this implementation is also a useful reference

    # https://github.com/yhnu/op7t/blob/dev/blu7t/op7-r70/arch/arm64/kernel/ptrace.c
    CONFIG_COMPAT=y
    CONFIG_HAVE_HW_BREAKPOINT=y

A first try

  1. Build the sample code below with the NDK

    // hello.cpp
    #include <stdio.h>
    #include <unistd.h>
     
    char gBuf[1024] = "1024";
    int gInt = 0;
    int main(int argc, char const *argv[])
    {
        printf("gBuf=%p %p %d\n", gBuf, &gInt, getpid());
        while(1) {
            gInt++;
            // printf("gBuf=%p %d\n", gBuf, gInt);
            sleep(5);
        }
        return 0;
    }
  2. Push the 64-bit gdbserver and hello to /data/local/tmp

    adb push android-arm64/gdbserver/gdbserver /data/local/tmp
    adb push hello /data/local/tmp
  3. Start the matching gdbserver on the Android device

    OnePlus7T:/data/local/tmp # ./gdbserver :1234 hello
    warning: Found custom handler for signal 39 (Unknown signal 39) preinstalled.
    Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
    won't be propagated to spawned programs.
    Process /data/local/tmp/hello created; pid = 8022
    Listening on port 1234
  4. Connect from the PC to the Android gdbserver

    adb forward tcp:1234 tcp:1234
    #gdb: aliased to /opt/android-ndk-r21e//prebuilt/darwin-x86_64/bin/gdb
    ➜  op7t git:(dev) ✗ gdb
    GNU gdb (GDB) 8.3
    Copyright (C) 2019 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-apple-darwin14.5.0".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
     
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    (gdb) target remote :1234
    Remote debugging using :1234
    Reading /data/local/tmp/hello from remote target...
    warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
    Reading /data/local/tmp/hello from remote target...
    Reading symbols from target:/data/local/tmp/hello...
    Reading /system/bin/linker64 from remote target...
    Reading /system/bin/linker64 from remote target...
    Reading symbols from target:/system/bin/linker64...
    (No debugging symbols found in target:/system/bin/linker64)
    0x0000007fbf634a50 in __dl__start () from target:/system/bin/linker64
    (gdb) b *main #set breakpoint
    Breakpoint 1 at 0x5555555754: file F:/F2021-07/ak47hook/hello/hello.c, line 7.
    (gdb) c       #run
    Continuing.
    Reading /system/lib64/libandroid.so from remote target...
    Reading /apex/com.android.runtime/lib64/bionic/libm.so from remote target...
    Reading /apex/com.android.runtime/lib64/bionic/libdl.so from remote target...
    Reading /apex/com.android.runtime/lib64/bionic/libc.so from remote target...
     
    #trigger the breakpoint
     
    Breakpoint 1, main (argc=0, argv=0x0) at F:/F2021-07/ak47hook/hello/hello.c:7
    7    F:/F2021-07/ak47hook/hello/hello.c: No such file or directory.
     
    (gdb) hbreak *sleep #trigger the hard breakpoint
    Hardware assisted breakpoint 3 at 0x7fbc9ea430
    (gdb) c
    Continuing.
     
    Breakpoint 3, 0x0000007fbc9ea430 in sleep () from target:/apex/com.android.runtime/lib64/bionic/libc.so
    (gdb)

Analysing the krhook demo with GDB

  1. The example above has verified that the tooling works; next we combine it with krhook's UserSpace StackWalk feature to backtrace the stack

    OnePlus7T:/data/local/tmp # ps -ef|grep krhook
    u0_a226       6239   757 0 09:05:48 ?     00:27:42 com.DefaultCompany.krhook_unity3d
    root          8117  6707 0 17:18:29 pts/1 00:00:00 grep krhook
    OnePlus7T:/data/local/tmp # ./gdbserver :1234 --attach 6239 #the app status will be trace stopped
    warning: Found custom handler for signal 39 (Unknown signal 39) preinstalled.
    Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
    won't be propagated to spawned programs.
    Attached; pid = 6239
    Listening on port 1234
  2. From krhook we learn that the PC call chain is stack:0x7277206388|0x718592ac18|0x718594c568...

    4,1005409478,695976246251,-;[20211006_17:24:08.100513]@4 [e]openat [/storage/emulated/0/Android/data/com.DefaultCompany.krhook_unity3d/files/a.txt] current->pid:[8235] ppid:[8278] uid:[10226] tgid:[8206] stack:0x7277206388|0x718592ac18|0x718594c568|0x718639f054|0x7186392930|0x7186390a6c|0x718638c93c|0x718638c8b0|0x71863bf918|0x7185eb0fd8|0x7185ebd290|0x7185ec061c|0x7185d0e8b0|0x7185d0e980|0x718580e750|0x7185cf90b8|0x718600ed38|0x71861e63fc|0x7185811ab0|0x7185d08388|0x7185d0683c|0x7185d060cc|0x718577084c|0x7185cf77e4|0x718578c230|0x71859c0eac|0x7185923f04|0x718b43b1d0|0x71f4176ac6|0xea33e188d80cff79|0xffffffffffffffff|
  3. Start setting hardware breakpoints

    ➜  op7t git:(dev) ✗ gdb
    GNU gdb (GDB) 8.3
    Copyright (C) 2019 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-apple-darwin14.5.0".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
     
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    (gdb)
    (gdb)
    (gdb) target remote :1234
    Remote debugging using :1234
    (gdb) b *0x718594c564
    Breakpoint 1 at 0x718594c564
    (gdb) c
    Continuing.
    [Switching to Thread 8206.8235]
     
    Thread 13 "UnityMain" hit Breakpoint 1, 0x000000718594c564 in il2cpp::icalls::mscorlib::System::IO::MonoIO::Open40(char16_t*, int, int, int, int, int*) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    (gdb) b *0x718594c564 #normal (software) breakpoint
    Breakpoint 1 at 0x718594c564
     
    (gdb) hbreak *0x718592ac14 #hardware breakpoint
    Hardware assisted breakpoint 2 at 0x718592ac14
    (gdb) c
    Continuing.
     
    Thread 13 "UnityMain" hit Breakpoint 2, 0x000000718592ac14 in il2cpp::os::File::Open(std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char> > const&, int, int, int, int, int*) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    (gdb) bt #corresponding backtrace
    (gdb) bt
    #0  0x000000718592ac14 in il2cpp::os::File::Open(std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char> > const&, int, int, int, int, int*) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #1  0x000000718594c568 in il2cpp::icalls::mscorlib::System::IO::MonoIO::Open40(char16_t*, int, int, int, int, int*) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #2  0x000000718639f054 in MonoIO_Open_m194115823A6163255C8845AB97ADF010DAD88E22 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #3  0x0000007186392930 in MonoIO_Open_m75D574F44B3C1E6FA4E245D48D5AC73F70BE16B7 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #4  0x0000007186390a6c in FileStream__ctor_mBC5F76C88DBC8C81D1F83407197D75F36E1ADBD7 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #5  0x000000718638c93c in FileStream__ctor_mB254658F1E758D76B41C942CB91BDF38FD544C83 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #6  0x000000718638c8b0 in File_Open_mDA5EB4A312EAEBF8543B13C572271FB5F673A501 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #7  0x00000071863bf918 in FileOpenTest_FileOpen_m76B8151D8C479F745ECF6F56D62D556DB2435397 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #8  0x0000007185eb0fd8 in UnityAction_Invoke_mC9FF5AA1F82FDE635B3B6644CE71C94C31C3E71A () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #9  0x0000007185ebd290 in InvokableCall_Invoke_m0B9E7F14A2C67AB51F01745BD2C6C423114C9394 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #10 0x0000007185ec061c in UnityEvent_Invoke_mB2FA1C76256FE34D5E7F84ABE528AC61CE8A0325 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #11 0x0000007185d0e8b0 in Button_Press_m33BA6E9820146E8EED7AB489A8846D879B76CF41 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #12 0x0000007185d0e980 in Button_OnPointerClick_m4C4EDB8613C2C5B391EFD3A29C58B0AA00DD9B91 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #13 0x000000718580e750 in InterfaceActionInvoker1<PointerEventData_tC18994283B7753E430E316A62D9E45BA6D644C63*>::Invoke(unsigned int, Il2CppClass*, Il2CppObject*, PointerEventData_tC18994283B7753E430E316A62D9E45BA6D644C63*)
        () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #14 0x0000007185cf90b8 in ExecuteEvents_Execute_m24768528CCF25F4ADB0E66538ABF950C8EE2E9B0 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #15 0x000000718600ed38 in EventFunction_1_Invoke_mB923A0E7E49A56D420C97EB6D98A660EAF8A348D_gshared () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #16 0x00000071861e63fc in ExecuteEvents_Execute_TisRuntimeObject_m69C612263456A3111F97114B38B8A0E2E16E4347_gshared () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #17 0x0000007185811ab0 in ExecuteEvents_Execute_TisIPointerClickHandler_t337D40B4F0C87DA190B55BF225ADB716F4ADCA13_mB8A59713F468FB6A061C8A5DF7FF205EE1C9A855(GameObject_tBD1244AD56B4E59AAD76E5E7C9282EC5CE434F0F*, BaseEventData_t46C9D2AE3183A742EDE89944AF64A23DBF1B80A5*, EventFunction_1_t7BFB6A90DB6AE5607866DE2A89133CA327285B1E*, MethodInfo const*) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #18 0x0000007185d08388 in StandaloneInputModule_ProcessTouchPress_m46FBF040EAB0A0F8D832FEB600EF0B9C48E13F61 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #19 0x0000007185d0683c in StandaloneInputModule_ProcessTouchEvents_m74C783AF0B4D517978ECCE3E8A1081F49D174F69 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #20 0x0000007185d060cc in StandaloneInputModule_Process_mF637455BCED017FB359E090B58F15C490EFD2B54 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #21 0x000000718577084c in VirtActionInvoker0::Invoke(unsigned int, Il2CppObject*) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #22 0x0000007185cf77e4 in EventSystem_Update_m12CAEF521A10D406D1A6EA01E00DD851683C7208 () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #23 0x000000718578c230 in RuntimeInvoker_TrueVoid_t22962CB4C05B1D89B55A6E1139F0E87A90987017(void (*)(), MethodInfo const*, void*, void**) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #24 0x00000071859c0eac in il2cpp::vm::Runtime::Invoke(MethodInfo const*, void*, void**, Il2CppException**) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #25 0x0000007185923f04 in il2cpp_runtime_invoke () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
    #26 0x000000718b43b1d0 in scripting_method_invoke(ScriptingMethodPtr, ScriptingObjectPtr, ScriptingArguments&, ScriptingExceptionPtr*, bool) ()
    from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #27 0x000000718b44b6dc in ScriptingInvocation::Invoke(ScriptingExceptionPtr*, bool) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #28 0x000000718b455c54 in MonoBehaviour::CallUpdateMethod(int) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #29 0x000000718b052eb4 in void BaseBehaviourManager::CommonUpdate<BehaviourManager>() () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #30 0x000000718b052dd4 in BehaviourManager::Update() () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #31 0x000000718b1f9224 in InitPlayerLoopCallbacks()::UpdateScriptRunBehaviourUpdateRegistrator::Forward() () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #32 0x000000718b1ef754 in ExecutePlayerLoop(NativePlayerLoopSystem*) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #33 0x000000718b1ef7ac in ExecutePlayerLoop(NativePlayerLoopSystem*) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #34 0x000000718b1efa10 in PlayerLoop() () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #35 0x000000718b4d1c58 in UnityPlayerLoop() () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #36 0x000000718b4fe390 in nativeRender(_JNIEnv*, _jobject*) () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
    #37 0x00000071ea78b630 in art_jni_trampoline () from target:/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/oat/arm64/base.odex
    #38 0x000000009b94c5ec in com.unity3d.player.UnityPlayer.access$300 ()
    #39 0x000000009b94db00 in com.unity3d.player.UnityPlayer$e$1.handleMessage ()
    #40 0x000000009b94e2d0 in android.os.Handler.dispatchMessage ()
    #41 0x00000071f598c338 in art_quick_invoke_stub () from target:/apex/com.android.runtime/lib64/libart.so
    #42 0x00000071f599aff0 in art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*) () from target:/apex/com.android.runtime/lib64/libart.so
    #43 0x00000071f5b3894c in art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*) () from target:/apex/com.android.runtime/lib64/libart.so
    #44 0x00000071f5b33bac in bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*) ()
    from target:/apex/com.android.runtime/lib64/libart.so
    #45 0x00000071f5df6138 in MterpInvokeVirtual () from target:/apex/com.android.runtime/lib64/libart.so
    #46 0x00000071f5986818 in mterp_op_invoke_virtual () from target:/apex/com.android.runtime/lib64/libart.so
    #47 0x00000071f5df8ea8 in MterpInvokeStatic () from target:/apex/com.android.runtime/lib64/libart.so
    #48 0x00000071f5986998 in mterp_op_invoke_static () from target:/apex/com.android.runtime/lib64/libart.so
    #49 0x00000071f5b09c60 in art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) [clone .llvm.12938883504528282530] ()
    from target:/apex/com.android.runtime/lib64/libart.so
    #50 0x00000071f5de76a0 in artQuickToInterpreterBridge () from target:/apex/com.android.runtime/lib64/libart.so
    #51 0x00000071f599546c in art_quick_to_interpreter_bridge () from target:/apex/com.android.runtime/lib64/libart.so
    #52 0x00000071f598c338 in art_quick_invoke_stub () from target:/apex/com.android.runtime/lib64/libart.so
    #53 0x00000071f599aff0 in art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*) () from target:/apex/com.android.runtime/lib64/libart.so
    #54 0x00000071f5d06040 in art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*) ()
    from target:/apex/com.android.runtime/lib64/libart.so

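As an added example (not from the original post or the krhook project), the following Python script does what step 3 did by hand: it parses a krhook trace line in the format quoted in step 2, turns each saved return address into the call-site address (minus 4, because every AArch64 instruction is 4 bytes and BL saves the address of the next instruction, which is why 0x718594c568 became b *0x718594c564), drops the sentinel values at the end of the stack, and prints the GDB commands. The 39-bit user VA limit and the skipping of frame 0 (the svc inside libc's syscall wrapper) are assumptions.

```python
import re

# Constructed sample: the krhook line quoted in step 2 above, cut down to its
# first four frames plus the two trailing sentinel values (same format).
SAMPLE_LINE = (
    "4,1005409478,695976246251,-;[20211006_17:24:08.100513]@4 [e]openat "
    "[/storage/emulated/0/Android/data/com.DefaultCompany.krhook_unity3d/files/a.txt] "
    "current->pid:[8235] ppid:[8278] uid:[10226] tgid:[8206] "
    "stack:0x7277206388|0x718592ac18|0x718594c568|0x718639f054|"
    "0xea33e188d80cff79|0xffffffffffffffff|"
)

LINE_RE = re.compile(
    r"\[e\](?P<syscall>\w+) \[(?P<path>[^\]]*)\] "
    r"current->pid:\[(?P<pid>\d+)\] ppid:\[(?P<ppid>\d+)\] "
    r"uid:\[(?P<uid>\d+)\] tgid:\[(?P<tgid>\d+)\] "
    r"stack:(?P<stack>[0-9a-fA-Fx|]+)"
)

A64_INSN_SIZE = 4           # every AArch64 instruction is 4 bytes
USER_VA_MAX = 0x7FFFFFFFFF  # assumption: 39-bit user VA, as on this 4.14 arm64 kernel


def parse_krhook_line(line):
    """Split one krhook syscall trace line into its fields and frame list."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a krhook syscall trace line")
    frames = [int(tok, 16) for tok in m.group("stack").split("|") if tok]
    return {"syscall": m.group("syscall"), "path": m.group("path"),
            "pid": int(m.group("pid")), "tgid": int(m.group("tgid")),
            "uid": int(m.group("uid")), "frames": frames}


def call_sites(frames, user_va_max=USER_VA_MAX):
    """Map saved return addresses to the BL/SVC instruction that produced them.

    The link register holds the address of the instruction after the BL, so
    the call site is one instruction lower. Values above the user VA range
    (krhook's 0xea33...|0xffff... tail) are not real frames and are dropped.
    """
    return [pc - A64_INSN_SIZE for pc in frames if pc <= user_va_max]


def gdb_commands(rec, depth=2, skip=1, hardware=True):
    """GDB commands that stop at the callers of the traced syscall.

    Frame 0 is the svc inside libc's wrapper (assumption), so it is skipped
    by default and breakpoints go on the next `depth` callers, which for the
    sample line are the two libil2cpp.so addresses used in step 3.
    """
    cmd = "hbreak" if hardware else "b"
    sites = call_sites(rec["frames"])[skip:skip + depth]
    header = [f"# {rec['syscall']} {rec['path']} tgid={rec['tgid']} tid={rec['pid']}"]
    return header + [f"{cmd} *0x{addr:x}" for addr in sites]


if __name__ == "__main__":
    print("\n".join(gdb_commands(parse_krhook_line(SAMPLE_LINE))))
```

Remember that hardware breakpoints are a scarce CPU resource, so keep `depth` small and fall back to `hardware=False` for the remaining frames.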

How hardware breakpoints work in the kernel

By reading the articles below together with the kernel source we can understand the mechanism behind it, and after that reading the rwProcMem33 code will not feel especially difficult

https://www.kernel.org/doc/ols/2009/ols2009-pages-149-158.pdf

 

https://lwn.net/Articles/317153/

 

https://lwn.net/Articles/353050/

Summary

Through the simple walkthrough above we now have a basic understanding of how to use hardware breakpoints via gdb. In a follow-up I will go through the relevant ptrace code at the kernel level. Reverse engineering is not easy; let's keep encouraging each other.


Latest replies (9)
#2
armv8 doesn't work at all.. only arm32 works.
2022-3-9 10:43
#3
I don't really understand it, but still want to show my support
2022-3-10 15:08
#4
I discussed this with the author of rwProcMem33 in some group a while ago; the author uses a kernel module, and I had also analysed Android hardware breakpoints before.
On arm: ptrace(PTRACE_GETHBPREGS,...)
On arm64: (PTRACE_GETREGSET, ...)
And the kernel must have the CONFIG_HAVE_HW_BREAKPOINT option enabled (the newer kernels shipped on recently released Android phones seem to have it enabled by default)
2022-3-11 15:16
#5
Learning from the expert
2022-4-10 15:51
#6
If you build AOSP 10 yourself, both v8 and v7 work
2022-4-10 18:40
#7
KerryS: If you build AOSP 10 yourself, both v8 and v7 work
Which phone.. on the OnePlus 8 it's already dead..
2022-4-29 00:02
#8
AOSP 10, Pixel 2, choose userdebug when building
2022-4-29 01:07
#10
The krhook project is gone..
2023-8-24 18:27