移植前需要注意的
开始初步移植 JAVA层
package com.jiqiu;
import android.app.ActivityThread;
import android.os.Looper;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.File;
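public class Unpacker {
    // public static String UNPACK_CONFIG = "/data/local/tmp/unpacker.config";
    // De-fingerprinting point 2: the config file name is changeable; a ".config" suffix is not required.
    // NOTE(review): a fixed, world-readable path that the app process opens at startup is itself an
    // observable artifact (see the file-landing detection section of this write-up).
    public static String UNPACK_CONFIG = "/data/local/tmp/gagaga";
    // Pause between two consecutive unpackNative() calls, in milliseconds.
    public static int UNPACK_INTERVAL = 10 * 1000;
    // Non-null once unpack() has started its polling thread; doubles as the "already started" guard.
    public static Thread unpackerThread = null;

    /**
     * Reports whether the current process is listed in {@link #UNPACK_CONFIG}.
     *
     * The config is read line by line and a line must equal the process name exactly
     * (no trimming, no prefix match). Any exception while opening or reading the file
     * is treated as "not listed", so a missing or unreadable config disables unpacking.
     *
     * @return true if a line of the config equals the current process name, false otherwise
     */
    public static boolean shouldUnpack() {
        String processName = ActivityThread.currentProcessName();
        BufferedReader br = null;
        try {
            br = new BufferedReader(new FileReader(UNPACK_CONFIG));
            String line;
            while ((line = br.readLine()) != null) {
                if (line.equals(processName)) {
                    return true;
                }
            }
        } catch (Exception ignored) {
            // Best-effort lookup: an unreadable config means "do not unpack".
        } finally {
            // Close in finally so the reader is released even when readLine() throws
            // (the original closed it only on the success path).
            if (br != null) {
                try {
                    br.close();
                } catch (Exception ignored) {
                    // Nothing useful to do if the close itself fails.
                }
            }
        }
        return false;
    }

    /**
     * Starts the background thread that periodically calls {@link #unpackNative()}.
     *
     * Does nothing if the thread was already started or if {@link #shouldUnpack()}
     * returns false. The thread never terminates on its own; an interrupt is logged
     * and polling continues.
     */
    public static void unpack() {
        // NOTE(review): the null check and the assignment below are not atomic; concurrent
        // callers could start two threads — confirm unpack() is only invoked from one thread.
        if (Unpacker.unpackerThread != null) {
            return;
        }
        if (!shouldUnpack()) {
            return;
        }
        // Poll from a dedicated thread so the caller is never blocked by the sleep.
        Unpacker.unpackerThread = new Thread() {
            @Override
            public void run() {
                while (true) {
                    try {
                        Thread.sleep(UNPACK_INTERVAL);
                    } catch (InterruptedException e) {
                        // Interruption is reported but does not stop the polling loop.
                        e.printStackTrace();
                    }
                    Unpacker.unpackNative();
                }
            }
        };
        Unpacker.unpackerThread.start();
    }

    /** Native entry point registered by the runtime patch; its implementation is not on this page. */
    public static native void unpackNative();
}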
NATIVE层移植
--- a/dex2oat/dex2oat.cc
+++ b/dex2oat/dex2oat.cc
@@ -1036,6 +1036,8 @@ class Dex2Oat final {
CompilerFilter::NameOfFilter(compiler_options_->GetCompilerFilter()));
key_value_store_->Put(OatHeader::kConcurrentCopying,
kUseReadBarrier ? OatHeader::kTrueValue : OatHeader::kFalseValue);
+
+
if (invocation_file_.get() != -1) {
std::ostringstream oss;
for (int i = 0; i < argc; ++i) {
@@ -1089,7 +1091,23 @@ class Dex2Oat final {
*out = true;
}
}
-
+ //patch by Youlor
+ //++++++++++++++++++++++++++++
+ const char* UNPACK_CONFIG = "/data/local/tmp/gagaga";
+ bool ShouldUnpack() {
+ std::ifstream config(UNPACK_CONFIG);
+ std::string line;
+ if(config) {
+ while (std::getline(config, line)) {
+ std::string package_name = line.substr(0, line.find(':'));
+ if (oat_location_.find(package_name) != std::string::npos) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+ //++++++++++++++++++++++++++++
// Parse the arguments from the command line. In case of an unrecognized option or impossible
// values/combinations, a usage error will be displayed and exit() is called. Thus, if the method
// returns, arguments have been successfully parsed.
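Review bot: An empty line in the config file makes `ShouldUnpack()` return true for every compilation, because `line.substr(0, line.find(':'))` then yields an empty `package_name` and `oat_location_.find("")` returns 0, never `npos`. A guard such as `if (package_name.empty()) continue;` before the `find` fixes that; note the test is also a plain substring match, so an entry `com.example` matches `com.example.other` as well. `UNPACK_CONFIG` is declared as a mutable non-static `const char*` member; `static constexpr const char* UNPACK_CONFIG = "/data/local/tmp/gagaga";` states the intent. `std::ifstream` needs `<fstream>`, which this hunk does not add — confirm dex2oat.cc already includes it.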
@@ -1240,7 +1258,14 @@ class Dex2Oat final {
ProcessOptions(parser_options.get());
// Insert some compiler things.
+
InsertCompileOptions(argc, argv);
+ //patch by Youlor
+ //++++++++++++++++++++++++++++
+ if (ShouldUnpack()) {
+ compiler_options_->SetCompilerFilter(CompilerFilter::kVerify);
+ }
+ //++++++++++++++++++++++++++++
}
拷贝youpk项目到art/runtime目录下
// Check whether the oat output files are writable, and open them for later. Also open a swap
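Review bot: The compiler filter is overridden after `InsertCompileOptions(argc, argv)` has run, and the earlier hunk of this file (which appears to be inside that function) stores `CompilerFilter::NameOfFilter(compiler_options_->GetCompilerFilter())` into `key_value_store_`. The oat header therefore advertises the original filter while the code was actually compiled with `kVerify`; moving the `if (ShouldUnpack()) { ... }` block before the `InsertCompileOptions` call keeps the recorded filter consistent with the one used. The enclosing function begins before this hunk.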
diff --git a/libdexfile/Android.bp b/libdexfile/Android.bp
index 30d1bcd..2ff2f10 100644
--- a/libdexfile/Android.bp
+++ b/libdexfile/Android.bp
@@ -95,7 +95,7 @@ cc_defaults {
},
},
generated_sources: ["dexfile_operator_srcs"],
- export_include_dirs: ["."],
+ export_include_dirs: [".","dex"],
}
art各生命周期函数插桩
artmethod.cc注册函数
--- a/runtime/runtime.cc
+++ b/runtime/runtime.cc
@@ -15,7 +15,9 @@
*/
#include "runtime.h"
-
+//add
+#include "unpacker/unpacker.h"
+//addend
// sys/mount.h has to come before linux/fs.h due to redefinition of MS_RDONLY, MS_BIND, etc
#include <sys/mount.h>
#ifdef __linux__
@@ -1907,6 +1909,10 @@ void Runtime::RegisterRuntimeNativeMethods(JNIEnv* env) {
register_org_apache_harmony_dalvik_ddmc_DdmServer(env);
register_org_apache_harmony_dalvik_ddmc_DdmVmInternal(env);
register_sun_misc_Unsafe(env);
+
+ //add
+ Unpacker::register_cn_youlor_Unpacker(env);
+ //addend
}
std::ostream& operator<<(std::ostream& os, const DeoptimizationKind& kind) {
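Review bot: `Unpacker::register_cn_youlor_Unpacker(env)` suggests the natives are registered under the JNI descriptor `cn/youlor/Unpacker`, while the Java class on this page is declared in `package com.jiqiu`; the function name alone does not prove the descriptor, so confirm it in unpacker.cc. If the two disagree, the class lookup inside the registration fails (how fatally depends on the helper used) and every `unpackNative()` call ends in `UnsatisfiedLinkError`. A comment on the added line naming the Java class it binds, e.g. `// binds com.jiqiu.Unpacker.unpackNative`, would make the coupling visible to the next maintainer.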
修改art/runtime下的Android.bp 使其走向选择分支解释模式
--- a/runtime/Android.bp
+++ b/runtime/Android.bp
@@ -350,6 +352,9 @@ libart_cc_defaults {
// ART is allowed to link to libicuuc directly
// since they are in the same module
"-DANDROID_LINK_SHARED_ICU4C",
+ "-Wno-error",
+ "-DART_USE_CXX_INTERPRETER=1",
],
},
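Review bot: `-Wno-error` is added to the whole libart build rather than to the translation units the port touches, so any warning the new `unpacker/` code introduces — and any warning in unrelated future changes — is silently demoted. Prefer fixing the warnings in the new sources, or scoping the flag to that subdirectory's own `cc_defaults`. The hunk header counts three added lines but only two are visible, so one may have been lost when the page was rendered.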
class_linker.h增加友元函数,使其可以访问内部的dex缓存字段
--- a/runtime/class_linker.h
+++ b/runtime/class_linker.h
@@ -1385,6 +1385,9 @@ class ClassLinker {
class FindVirtualMethodHolderVisitor;
friend class AppImageLoadingHelper;
+ //add
+ friend class Unpacker;
+ //addend
friend class ImageDumper; // for DexLock
friend struct linker::CompilationHelper; // For Compile in ImageTest.
friend class linker::ImageWriter; // for GetClassRoots
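Review bot: `friend class Unpacker;` names `Unpacker` in the namespace enclosing `ClassLinker` (presumably `art`); if `unpacker/unpacker.h` declares the class in a different namespace, this line silently declares an unrelated class and grants no access at all. The neighbouring entries say what the friendship is for (`// for DexLock`), so match that style: `friend class Unpacker;  // for the dex cache fields (unpacker/unpacker.h)`.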
diff --git a/runtime/interpreter/interpreter_switch_impl-inl.h b/runtime/interpreter/interpreter_switch_impl-inl.h
index 36cfee4..b6e5ff6 100644
修改artmethod 增加判断分支(这里和youpk原版移植方式一样)
diff --git a/runtime/art_method.cc b/runtime/art_method.cc
index 0890da8..2cd96d2 100644
--- a/runtime/art_method.cc
+++ b/runtime/art_method.cc
@@ -50,7 +50,9 @@
#include "runtime_callbacks.h"
#include "scoped_thread_state_change-inl.h"
#include "vdex_file.h"
-
+//add
+#include "unpacker/unpacker.h"
+//addend
namespace art {
using android::base::StringPrintf;
@@ -322,13 +324,28 @@ void ArtMethod::Invoke(Thread* self, uint32_t* args, uint32_t args_size, JValue*
// If the runtime is not yet started or it is required by the debugger, then perform the
// Invocation by the interpreter, explicitly forcing interpretation over JIT to prevent
// cycling around the various JIT/Interpreter methods that handle method invocation.
- if (UNLIKELY(!runtime->IsStarted() ||
- (self->IsForceInterpreter() && !IsNative() && !IsProxyMethod() && IsInvokable()) ||
- Dbg::IsForcedInterpreterNeededForCalling(self, this))) {
+
+// if (UNLIKELY(!runtime->IsStarted() ||
+// (self->IsForceInterpreter() && !IsNative() && !IsProxyMethod() && IsInvokable()) ||
+// Dbg::IsForcedInterpreterNeededForCalling(self, this))) {
+//add
+ if (UNLIKELY(!runtime->IsStarted() || Dbg::IsForcedInterpreterNeededForCalling(self, this)
+ || (Unpacker::isFakeInvoke(self, this) && !this->IsNative()))) {
+
+ //addend
if (IsStatic()) {
art::interpreter::EnterInterpreterFromInvoke(
self, this, nullptr, args, result, /*stay_in_interpreter=*/ true);
} else {
+ //patch by Youlor
+ //++++++++++++++++++++++++++++
+ //如果是主动调用fake invoke并且是native方法则不执行
+ if (Unpacker::isFakeInvoke(self, this) && this->IsNative()) {
+ // Pop transition.
+ self->PopManagedStackFragment(fragment);
+ return;
+ }
+ //++++++++++++++++++++++++++++
mirror::Object* receiver =
reinterpret_cast<StackReference<mirror::Object>*>(&args[0])->AsMirrorPtr();
art::interpreter::EnterInterpreterFromInvoke(
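Review bot: The rewritten condition drops the `self->IsForceInterpreter() && !IsNative() && !IsProxyMethod() && IsInvokable()` clause that is left commented out above it, so a thread flagged force-interpreter no longer takes the interpreter path here; that is a behaviour change unrelated to the port and the clause should be restored alongside the new term, `|| (self->IsForceInterpreter() && !IsNative() && !IsProxyMethod() && IsInvokable())`. The native guard added in the non-static branch can only be reached when the outer `if` was entered through `!runtime->IsStarted()` or the debugger check, because the new `Unpacker::isFakeInvoke(self, this) && !this->IsNative()` term excludes native methods; on a started runtime the case the comment describes falls through to the normal invocation path below the hunk instead. The static branch has no equivalent guard, which looks inconsistent. `ArtMethod::Invoke` starts and ends outside this hunk.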
diff --git a/runtime/class_linker.h b/runtime/class_linker.h
解释器分支移植
--- a/runtime/interpreter/interpreter_switch_impl-inl.h
+++ b/runtime/interpreter/interpreter_switch_impl-inl.h
@@ -18,7 +18,9 @@
#define ART_RUNTIME_INTERPRETER_INTERPRETER_SWITCH_IMPL_INL_H_
#include "interpreter_switch_impl.h"
-
+//add
+#include "unpacker/unpacker.h"
+//addend
#include "base/enums.h"
#include "base/globals.h"
#include "base/memory_tool.h"
@@ -225,6 +227,7 @@ class InstructionHandler {
if (!CheckForceReturn()) {
return false;
}
+
if (UNLIKELY(instrumentation->HasDexPcListeners())) {
uint8_t opcode = inst->Opcode(inst_data);
bool is_move_result_object = (opcode == Instruction::MOVE_RESULT_OBJECT);
@@ -243,6 +246,8 @@ class InstructionHandler {
return false;
}
}
+
+ //addend
return true;
}
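Review bot: The added `//addend` marker has no matching `//add` in this hunk or in the one before it, so it closes nothing. Either drop it or move it to the end of the change it was meant to bracket.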
@@ -2643,12 +2648,25 @@ ATTRIBUTE_NO_SANITIZE_ADDRESS void ExecuteSwitchImplCpp(SwitchImplContext* ctx)
<< "Entered interpreter from invoke without retry instruction being handled!";
bool const interpret_one_instruction = ctx->interpret_one_instruction;
+
+ //add
+ int inst_count=-1;
+ //addend
while (true) {
dex_pc = inst->GetDexPc(insns);
shadow_frame.SetDexPC(dex_pc);
TraceExecution(shadow_frame, inst, dex_pc);
inst_data = inst->Fetch16(0);
{
+ //add
+ inst_count++;
+ bool dumped = Unpacker::beforeInstructionExecute(self, shadow_frame.GetMethod(),
+ dex_pc, inst_count);
+
+ if(dumped) {
+ return;
+ }
+ //addend
bool exit_loop = false;
InstructionHandler<do_access_check, transaction_active> handler(
ctx, instrumentation, self, shadow_frame, dex_pc, inst, inst_data, exit_loop);
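Review bot: `inst_count` is a signed `int` incremented once per loop pass with no upper bound, so a long-running interpreted loop overflows it, which is undefined behaviour in C++; `uint64_t inst_count = 0;` with the increment moved after the call (or a wrap-tolerant unsigned type) removes that. It is also incremented on every pass through `while (true)`, including passes that `continue` out of the preamble block without executing an instruction (the `continue` in the following hunk), so the value handed to `Unpacker::beforeInstructionExecute`/`afterInstructionExecute` is a loop-iteration count rather than an instruction count — confirm that is what the callee expects. The early `return;` on `dumped`, here and in the `afterInstructionExecute` hunk further down, skips the `// Record where we stopped.` bookkeeping at the end of the loop, so the shadow frame's dex pc is left at whatever was last set; if that is intentional, say so in a comment on the return, e.g. `// Dump finished: abandon this frame without recording a resume pc.` `ExecuteSwitchImplCpp` starts and ends outside this hunk.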
@@ -2662,6 +2680,7 @@ ATTRIBUTE_NO_SANITIZE_ADDRESS void ExecuteSwitchImplCpp(SwitchImplContext* ctx)
continue;
}
}
+
switch (inst->Opcode(inst_data)) {
#define OPCODE_CASE(OPCODE, OPCODE_NAME, pname, f, i, a, e, v)
case OPCODE: {
@@ -2681,6 +2700,13 @@ DEX_INSTRUCTION_LIST(OPCODE_CASE)
if (UNLIKELY(interpret_one_instruction)) {
break;
}
+ //patch by Youlor
+ //++++++++++++++++++++++++++++
+ bool dumped = Unpacker::afterInstructionExecute(self, shadow_frame.GetMethod(), dex_pc, inst_count);
+ if (dumped) {
+ return ;
+ }
+ //++++++++++++++++++++++++++++
}
// Record where we stopped.
shadow_frame.SetDexPC(inst->GetDexPc(insns));
diff --git a/runtime/runtime.cc b/runtime/runtime.cc
index 51a40e7..275324c 100644
成品测试
关于Youpk与FART检测的思路
youpk独特检测思路
fart8独特检测思路
共同监测点
文件落地的检测：比如 FART 选择把文件落地在 sdcard 下的文件夹，厂商可以对 sdcard 做扫描来判断该机器是否是脱壳机，也可以扫描自己私有目录下的异常文件（以及 user 落地后无法提取）。
导出函数的名字以及导出函数数量的 API 检测
AOSP 的检测以及机型的检测
附件:提供下载
看雪ID:mb_qzwrkwda
https://bbs.kanxue.com/user-home-967562.htm
原文始发于微信公众号(看雪学苑):移植 Youpk 到 Aosp10