├── app ├── .gitignore ├── release │ ├── app-release.apk │ └── output.json ├── src │ └── main │ │ ├── res │ │ ├── values │ │ │ ├── strings.xml │ │ │ ├── colors.xml │ │ │ └── styles.xml │ │ ├── mipmap-hdpi │ │ │ ├── ic_launcher.png │ │ │ └── ic_launcher_round.png │ │ ├── mipmap-mdpi │ │ │ ├── ic_launcher.png │ │ │ └── ic_launcher_round.png │ │ ├── mipmap-xhdpi │ │ │ ├── ic_launcher.png │ │ │ └── ic_launcher_round.png │ │ ├── mipmap-xxhdpi │ │ │ ├── ic_launcher.png │ │ │ └── ic_launcher_round.png │ │ ├── mipmap-xxxhdpi │ │ │ ├── ic_launcher.png │ │ │ └── ic_launcher_round.png │ │ ├── mipmap-anydpi-v26 │ │ │ ├── ic_launcher.xml │ │ │ └── ic_launcher_round.xml │ │ ├── layout │ │ │ └── activity_main.xml │ │ ├── drawable-v24 │ │ │ └── ic_launcher_foreground.xml │ │ └── drawable │ │ │ └── ic_launcher_background.xml │ │ ├── assets │ │ ├── arm64-v8a │ │ │ ├── injector │ │ │ └── libnative-lib.so │ │ └── armeabi-v7a │ │ │ ├── injector │ │ │ └── libnative-lib.so │ │ ├── cpp │ │ ├── native-lib.h │ │ ├── Inject.h │ │ ├── native-lib.cpp │ │ └── Inject.cpp │ │ ├── AndroidManifest.xml │ │ └── java │ │ └── cn │ │ └── hluwa │ │ └── injector │ │ └── MainActivity.java ├── proguard-rules.pro ├── build.gradle └── CMakeLists.txt ├── README ├── settings.gradle ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── .idea ├── caches │ └── build_file_checksums.ser ├── vcs.xml ├── runConfigurations.xml ├── gradle.xml ├── misc.xml └── codeStyles │ └── Project.xml ├── .gitignore ├── gradle.properties ├── gradlew.bat └── gradlew /app/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | tested in LG G5 Android 7.0 -------------------------------------------------------------------------------- /settings.gradle: 
-------------------------------------------------------------------------------- 1 | include ':app' 2 | -------------------------------------------------------------------------------- /app/release/app-release.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/release/app-release.apk -------------------------------------------------------------------------------- /app/src/main/res/values/strings.xml: -------------------------------------------------------------------------------- 1 | 2 | injector 3 | 4 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /.idea/caches/build_file_checksums.ser: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/.idea/caches/build_file_checksums.ser -------------------------------------------------------------------------------- /app/src/main/assets/arm64-v8a/injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/assets/arm64-v8a/injector -------------------------------------------------------------------------------- /app/src/main/assets/armeabi-v7a/injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/assets/armeabi-v7a/injector -------------------------------------------------------------------------------- /app/src/main/res/mipmap-hdpi/ic_launcher.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-mdpi/ic_launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xhdpi/ic_launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher.png -------------------------------------------------------------------------------- /app/src/main/assets/arm64-v8a/libnative-lib.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/assets/arm64-v8a/libnative-lib.so -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xxhdpi/ic_launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xxxhdpi/ic_launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png -------------------------------------------------------------------------------- /app/src/main/assets/armeabi-v7a/libnative-lib.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/assets/armeabi-v7a/libnative-lib.so -------------------------------------------------------------------------------- /app/src/main/res/mipmap-hdpi/ic_launcher_round.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher_round.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-mdpi/ic_launcher_round.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher_round.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xhdpi/ic_launcher_round.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png -------------------------------------------------------------------------------- /app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CrackerCat/Android-Injector/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | *.iml 2 | .gradle 3 | /local.properties 4 | /.idea/libraries 5 | /.idea/modules.xml 6 | /.idea/workspace.xml 7 | .DS_Store 8 | /build 9 | /captures 10 | .externalNativeBuild 11 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /app/src/main/res/values/colors.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | #3F51B5 4 | #303F9F 5 | #FF4081 6 | 7 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | #Sun Aug 19 01:52:16 CST 2018 2 | distributionBase=GRADLE_USER_HOME 3 | distributionPath=wrapper/dists 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | distributionUrl=https\://services.gradle.org/distributions/gradle-4.4-all.zip 7 | -------------------------------------------------------------------------------- /app/src/main/cpp/native-lib.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by hluwa on 2018/8/19. 
3 | // 4 | 5 | #ifndef JNITEST_NATIVE_LIB_H 6 | #define JNITEST_NATIVE_LIB_H 7 | 8 | #include 9 | #include 10 | 11 | JNIEXPORT jint JNI_OnLoad(JavaVM *vm, void *); 12 | 13 | #endif //JNITEST_NATIVE_LIB_H 14 | -------------------------------------------------------------------------------- /app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /app/src/main/res/layout/activity_main.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | -------------------------------------------------------------------------------- /app/release/output.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "outputType": { 4 | "type": "APK" 5 | }, 6 | "apkInfo": { 7 | "type": "MAIN", 8 | "splits": [], 9 | "versionCode": 1, 10 | "versionName": "1.0", 11 | "enabled": true, 12 | "outputFile": "app-release.apk", 13 | "fullName": "release", 14 | "baseName": "release" 15 | }, 16 | "path": "app-release.apk", 17 | "properties": {} 18 | } 19 | ] -------------------------------------------------------------------------------- /app/src/main/res/values/styles.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /.idea/runConfigurations.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 11 | 12 | -------------------------------------------------------------------------------- /.idea/gradle.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 17 | 18 | -------------------------------------------------------------------------------- /gradle.properties: -------------------------------------------------------------------------------- 1 | # Project-wide Gradle settings. 2 | # IDE (e.g. Android Studio) users: 3 | # Gradle settings configured through the IDE *will override* 4 | # any settings specified in this file. 5 | # For more details on how to configure your build environment visit 6 | # http://www.gradle.org/docs/current/userguide/build_environment.html 7 | # Specifies the JVM arguments used for the daemon process. 8 | # The setting is particularly useful for tweaking memory settings. 9 | org.gradle.jvmargs=-Xmx1536m 10 | # When configured, Gradle will run in incubating parallel mode. 11 | # This option should only be used with decoupled projects. More details, visit 12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects 13 | # org.gradle.parallel=true 14 | -------------------------------------------------------------------------------- /app/proguard-rules.pro: -------------------------------------------------------------------------------- 1 | # Add project specific ProGuard rules here. 2 | # You can control the set of applied configuration files using the 3 | # proguardFiles setting in build.gradle. 4 | # 5 | # For more details, see 6 | # http://developer.android.com/guide/developing/tools/proguard.html 7 | 8 | # If your project uses WebView with JS, uncomment the following 9 | # and specify the fully qualified class name to the JavaScript interface 10 | # class: 11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview { 12 | # public *; 13 | #} 14 | 15 | # Uncomment this to preserve the line number information for 16 | # debugging stack traces. 
17 | #-keepattributes SourceFile,LineNumberTable 18 | 19 | # If you keep the line number information, uncomment this to 20 | # hide the original source file name. 21 | #-renamesourcefileattribute SourceFile 22 | -------------------------------------------------------------------------------- /app/src/main/AndroidManifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /app/build.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: 'com.android.application' 2 | 3 | android { 4 | compileSdkVersion 28 5 | defaultConfig { 6 | applicationId "cn.hluwa.injector" 7 | minSdkVersion 15 8 | targetSdkVersion 28 9 | versionCode 1 10 | versionName "1.0" 11 | testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner" 12 | externalNativeBuild { 13 | cmake { 14 | cppFlags "" 15 | abiFilters 'armeabi-v7a', "arm64-v8a" 16 | targets "injector", "native-lib" 17 | arguments "-DANDROID_PIE=on" 18 | } 19 | } 20 | } 21 | buildTypes { 22 | release { 23 | minifyEnabled false 24 | proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro' 25 | } 26 | } 27 | externalNativeBuild { 28 | cmake { 29 | path "CMakeLists.txt" 30 | 31 | } 32 | } 33 | } 34 | 35 | dependencies { 36 | implementation fileTree(dir: 'libs', include: ['*.jar']) 37 | implementation 'com.android.support:appcompat-v7:28.0.0-rc01' 38 | implementation 'com.android.support.constraint:constraint-layout:1.1.2' 39 | testImplementation 'junit:junit:4.12' 40 | androidTestImplementation 'com.android.support.test:runner:1.0.2' 41 | androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2' 42 | } 43 | -------------------------------------------------------------------------------- /.idea/misc.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 17 | 27 | 28 | 29 | 30 | 31 | 32 | 34 | -------------------------------------------------------------------------------- /.idea/codeStyles/Project.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 15 | 16 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /app/src/main/res/drawable-v24/ic_launcher_foreground.xml: -------------------------------------------------------------------------------- 1 | 7 | 12 | 13 | 19 | 22 | 25 | 26 | 27 | 28 | 34 | 35 | -------------------------------------------------------------------------------- /app/src/main/cpp/Inject.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by hluwa on 2018/8/19. 3 | // 4 | 5 | #ifndef JNITEST_INJECT_H 6 | #define JNITEST_INJECT_H 7 | 8 | #define CPSR_T_MASK ( 1u << 5 ) 9 | #define REMOTE_STR_BUF_SIZE 0x10000 10 | #define HANDLES_LIST_SIZE 128 11 | 12 | #ifdef __aarch64__ 13 | #define LIBC_PATH "/system/lib64/libc.so" 14 | #define LINKER_PATH "/system/bin/linker64" 15 | #define ARGS_REG_NUM 8 16 | #define pt_regs user_pt_regs 17 | #define PTRACE_SETREGS PTRACE_SETREGSET 18 | #define PTRACE_GETREGS PTRACE_GETREGSET 19 | #define uregs regs 20 | #define ARM_sp sp 21 | #define ARM_pc pc 22 | #define ARM_lr regs[30] 23 | #define ARM_cpsr pstate 24 | #else 25 | #define LIBC_PATH "/system/lib/libc.so" 26 | #define LINKER_PATH "/system/bin/linker" 27 | #define ARGS_REG_NUM 4 28 | #endif 29 | 30 | #include 31 | 32 | void *get_module_base(pid_t pid, const char *module_name); 33 | 34 | typedef enum { 35 | HLUWA_STATUS_FAILD, 36 | HLUWA_STATUS_SUCCESS, 37 | HLUWA_STATUS_CALL_ADDR, 38 | HLUWA_STATUS_DLOPEN_ERROR, 39 | HLUWA_STATUS_DLSYM_ERROR 40 | } inject_status; 41 | 42 | 43 | class Inject { 44 | public: 45 | pid_t pid; 46 | void *remote_buf; 
47 | 48 | Inject(pid_t pid); 49 | 50 | ~Inject(); 51 | 52 | inject_status status; 53 | 54 | void *call_addr(void *remote_addr, void **args, int argc); 55 | 56 | void *call_sym(char *module, char *sym, void **args, int argc); 57 | 58 | void *get_remote_addr(const char *module_name, void *local_addr); 59 | 60 | void *loadlibrary(char *libfile); 61 | 62 | void *write_string(char *string); 63 | 64 | private: 65 | int buf_cursor; 66 | 67 | int attach(); 68 | 69 | int detach(); 70 | 71 | void *dlopen_addr; 72 | void *dlsym_addr; 73 | void *dlclose_addr; 74 | int handles_cursor; 75 | 76 | int getregs(struct pt_regs *regs); 77 | 78 | int setregs(struct pt_regs *regs); 79 | 80 | int write_data(uint8_t *dest, uint8_t *data, size_t size); 81 | 82 | int read_data(uint8_t *src, uint8_t *buf, size_t size); 83 | 84 | int read_string(uint8_t *remote_addr, uint8_t *dest, size_t max_len); 85 | 86 | int cont(); 87 | 88 | void *handles[HANDLES_LIST_SIZE]; 89 | }; 90 | 91 | 92 | #endif //JNITEST_INJECT_H 93 | -------------------------------------------------------------------------------- /app/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # For more information about using CMake with Android Studio, read the 2 | # documentation: https://d.android.com/studio/projects/add-native-code.html 3 | 4 | # Sets the minimum version of CMake required to build the native library. 5 | 6 | cmake_minimum_required(VERSION 3.4.1) 7 | 8 | set(CMAKE_VERBOSE_MAKEFILE on) 9 | set(EXECUTABLE_OUTPUT_PATH "${CMAKE_CURRENT_SOURCE_DIR}/src/main/assets/${ANDROID_ABI}") 10 | set(CMAKE_LIBRARY_OUTPUT_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/src/main/assets/${ANDROID_ABI}") 11 | 12 | add_library( # Sets the name of the library. 13 | native-lib 14 | 15 | # Sets the library as a shared library. 16 | SHARED 17 | 18 | # Provides a relative path to your source file(s). 
19 | src/main/cpp/native-lib.cpp 20 | src/main/cpp/Inject.cpp) 21 | 22 | add_executable(injector 23 | src/main/cpp/native-lib.cpp 24 | src/main/cpp/Inject.cpp) 25 | target_include_directories (injector PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}) 26 | 27 | # Searches for a specified prebuilt library and stores the path as a 28 | # variable. Because CMake includes system libraries in the search path by 29 | # default, you only need to specify the name of the public NDK library 30 | # you want to add. CMake verifies that the library exists before 31 | # completing its build. 32 | 33 | find_library( # Sets the name of the path variable. 34 | log-lib 35 | 36 | # Specifies the name of the NDK library that 37 | # you want CMake to locate. 38 | log ) 39 | 40 | # Specifies libraries CMake should link to your target library. You 41 | # can link multiple libraries, such as libraries you define in this 42 | # build script, prebuilt third-party libraries, or system libraries. 43 | 44 | target_link_libraries( # Specifies the target library. 45 | native-lib 46 | 47 | # Links the target library to the log library 48 | # included in the NDK. 49 | ${log-lib} ) 50 | 51 | target_link_libraries( # Specifies the target library. 52 | injector 53 | 54 | # Links the target library to the log library 55 | # included in the NDK. 56 | ${log-lib} ) -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | @if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | set DIRNAME=%~dp0 12 | if "%DIRNAME%" == "" set DIRNAME=. 
13 | set APP_BASE_NAME=%~n0 14 | set APP_HOME=%DIRNAME% 15 | 16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 17 | set DEFAULT_JVM_OPTS= 18 | 19 | @rem Find java.exe 20 | if defined JAVA_HOME goto findJavaFromJavaHome 21 | 22 | set JAVA_EXE=java.exe 23 | %JAVA_EXE% -version >NUL 2>&1 24 | if "%ERRORLEVEL%" == "0" goto init 25 | 26 | echo. 27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 28 | echo. 29 | echo Please set the JAVA_HOME variable in your environment to match the 30 | echo location of your Java installation. 31 | 32 | goto fail 33 | 34 | :findJavaFromJavaHome 35 | set JAVA_HOME=%JAVA_HOME:"=% 36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 37 | 38 | if exist "%JAVA_EXE%" goto init 39 | 40 | echo. 41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 42 | echo. 43 | echo Please set the JAVA_HOME variable in your environment to match the 44 | echo location of your Java installation. 45 | 46 | goto fail 47 | 48 | :init 49 | @rem Get command-line arguments, handling Windows variants 50 | 51 | if not "%OS%" == "Windows_NT" goto win9xME_args 52 | 53 | :win9xME_args 54 | @rem Slurp the command line arguments. 55 | set CMD_LINE_ARGS= 56 | set _SKIP=2 57 | 58 | :win9xME_args_slurp 59 | if "x%~1" == "x" goto execute 60 | 61 | set CMD_LINE_ARGS=%* 62 | 63 | :execute 64 | @rem Setup the command line 65 | 66 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 67 | 68 | @rem Execute Gradle 69 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 70 | 71 | :end 72 | @rem End local scope for the variables with windows NT shell 73 | if "%ERRORLEVEL%"=="0" goto mainEnd 74 | 75 | :fail 76 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 77 | rem the _cmd.exe /c_ return code! 
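78 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 79 | exit /b 1 80 | 81 | :mainEnd 82 | if "%OS%"=="Windows_NT" endlocal 83 | 84 | :omega 85 | -------------------------------------------------------------------------------- /app/src/main/java/cn/hluwa/injector/MainActivity.java: --------------------------------------------------------------------------------
package cn.hluwa.injector;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;

/**
 * Launcher activity: copies the bundled native binaries out of the APK assets
 * into the app's private files directory and starts them through a root shell.
 *
 * Every string handed to {@link #exec(String)} is interpreted by a shell that
 * was started with {@code su}. The commands built here use only fixed names
 * and the app's own files directory; nothing caller- or user-controlled may be
 * concatenated into them.
 */
public class MainActivity extends Activity {


    static {
        Log.d("jnitest", "test: ");
    }

    /**
     * Extracts the 32-bit and 64-bit binary/library pairs, marks the two
     * executables as runnable, and starts one executable per zygote variant
     * that {@link #FindProcess(String)} reports as running.
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        String outDir = getFilesDir().getAbsolutePath();
        try {
            writeAsset(outDir + "/injector32", "armeabi-v7a/injector");
            writeAsset(outDir + "/injector64", "arm64-v8a/injector");
            writeAsset(outDir + "/libshell32.so", "armeabi-v7a/libnative-lib.so");
            writeAsset(outDir + "/libshell64.so", "arm64-v8a/libnative-lib.so");
            String cmd = String.format("chmod 755 %s\n chmod 755 %s", outDir + "/injector32", outDir + "/injector64");
            exec(cmd);
        } catch (IOException e) {
            // Stop here: running a missing, truncated or stale file as root is
            // worse than doing nothing when extraction did not complete.
            Log.e("inject", "asset extraction failed", e);
            return;
        }

        // NOTE(review): exec() blocks until the root shell's output is drained,
        // and all of this runs on the UI thread.
        if (FindProcess("zygote")) {
            String cmd = outDir + "/injector32 " + outDir + "/libshell32.so &\n";
            exec(cmd);
            Log.d("inject", cmd);
        }
        if (FindProcess("zygote64")) {
            String cmd = outDir + "/injector64 " + outDir + "/libshell64.so &\n";
            exec(cmd);
            Log.d("inject", cmd);
        }
    }

    /**
     * Reports whether {@code ps} lists a line that ends with {@code name}.
     *
     * @param name process name to look for; it is concatenated into a command
     *             run by a root shell, so pass fixed constants only
     * @return true when at least one output line ends with {@code name}
     */
    public boolean FindProcess(String name) {
        String[] ps = exec("ps | grep " + name).split("\n");
        for (String line : ps) {
            // grep also matches longer names (e.g. "zygote64" for "zygote"),
            // so require the line to end with the exact name.
            if (line.endsWith(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Copies one APK asset to {@code outfile}, replacing whatever is there.
     *
     * @param outfile   absolute destination path
     * @param assetfile asset path inside the APK
     * @throws IOException if the asset cannot be opened or the copy fails
     */
    public void writeAsset(String outfile, String assetfile) throws IOException {
        File file = new File(outfile);
        // Create the containing directory, not a directory named like the file.
        File parent = file.getParentFile();
        if (parent != null) {
            parent.mkdirs();
        }
        if (file.exists()) {
            file.delete();
        }
        InputStream inputStream = getAssets().open(assetfile);
        try {
            OutputStream outputStream = new FileOutputStream(file);
            try {
                // available() is not the asset size and a single read() may
                // return fewer bytes than asked for, so copy until end of stream.
                byte[] buffer = new byte[8192];
                int count;
                while ((count = inputStream.read(buffer)) != -1) {
                    outputStream.write(buffer, 0, count);
                }
            } finally {
                outputStream.close();
            }
        } finally {
            inputStream.close();
        }
        Log.d("inject", "writeAsset: " + assetfile);
    }

    /**
     * Runs {@code cmd} in a shell obtained from {@code su} and returns what
     * the shell wrote to standard output.
     *
     * @param cmd shell text executed as root; must be built from trusted
     *            values only, since it is passed to the shell unmodified
     * @return the collected standard output, one "\n" after each line, or ""
     *         when starting or talking to the shell fails
     */
    public static String exec(String cmd) {
        Process process = null;
        DataOutputStream os = null;
        BufferedReader is = null;
        StringBuilder result = new StringBuilder();
        try {
            process = Runtime.getRuntime().exec("su"); // switch to the root account
            os = new DataOutputStream(process.getOutputStream());
            is = new BufferedReader(new InputStreamReader(process.getInputStream()));
            os.writeBytes(cmd + "\n");
            os.writeBytes("exit\n");
            os.flush();
            String line;
            while ((line = is.readLine()) != null) {
                result.append(line).append("\n");
            }
        } catch (Exception e) {
            return "";
        } finally {
            try {
                if (os != null) {
                    os.close();
                }
            } catch (IOException ignored) {
                // best effort: the shell may already have exited
            }
            try {
                if (is != null) {
                    is.close();
                }
            } catch (IOException ignored) {
                // best effort
            }
            // process stays null when su could not be started at all.
            if (process != null) {
                process.destroy();
            }
        }
        return result.toString();
    }
}
-------------------------------------------------------------------------------- /gradlew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ############################################################################## 4 | ## 5 | ## Gradle start up script for UN*X 6 | ## 7 |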
############################################################################## 8 | 9 | # Attempt to set APP_HOME 10 | # Resolve links: $0 may be a link 11 | PRG="$0" 12 | # Need this for relative symlinks. 13 | while [ -h "$PRG" ] ; do 14 | ls=`ls -ld "$PRG"` 15 | link=`expr "$ls" : '.*-> \(.*\)$'` 16 | if expr "$link" : '/.*' > /dev/null; then 17 | PRG="$link" 18 | else 19 | PRG=`dirname "$PRG"`"/$link" 20 | fi 21 | done 22 | SAVED="`pwd`" 23 | cd "`dirname \"$PRG\"`/" >/dev/null 24 | APP_HOME="`pwd -P`" 25 | cd "$SAVED" >/dev/null 26 | 27 | APP_NAME="Gradle" 28 | APP_BASE_NAME=`basename "$0"` 29 | 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 31 | DEFAULT_JVM_OPTS="" 32 | 33 | # Use the maximum available, or set MAX_FD != -1 to use that value. 34 | MAX_FD="maximum" 35 | 36 | warn () { 37 | echo "$*" 38 | } 39 | 40 | die () { 41 | echo 42 | echo "$*" 43 | echo 44 | exit 1 45 | } 46 | 47 | # OS specific support (must be 'true' or 'false'). 48 | cygwin=false 49 | msys=false 50 | darwin=false 51 | nonstop=false 52 | case "`uname`" in 53 | CYGWIN* ) 54 | cygwin=true 55 | ;; 56 | Darwin* ) 57 | darwin=true 58 | ;; 59 | MINGW* ) 60 | msys=true 61 | ;; 62 | NONSTOP* ) 63 | nonstop=true 64 | ;; 65 | esac 66 | 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 68 | 69 | # Determine the Java command to use to start the JVM. 70 | if [ -n "$JAVA_HOME" ] ; then 71 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 72 | # IBM's JDK on AIX uses strange locations for the executables 73 | JAVACMD="$JAVA_HOME/jre/sh/java" 74 | else 75 | JAVACMD="$JAVA_HOME/bin/java" 76 | fi 77 | if [ ! -x "$JAVACMD" ] ; then 78 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 79 | 80 | Please set the JAVA_HOME variable in your environment to match the 81 | location of your Java installation." 
82 | fi 83 | else 84 | JAVACMD="java" 85 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 86 | 87 | Please set the JAVA_HOME variable in your environment to match the 88 | location of your Java installation." 89 | fi 90 | 91 | # Increase the maximum file descriptors if we can. 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 93 | MAX_FD_LIMIT=`ulimit -H -n` 94 | if [ $? -eq 0 ] ; then 95 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 96 | MAX_FD="$MAX_FD_LIMIT" 97 | fi 98 | ulimit -n $MAX_FD 99 | if [ $? -ne 0 ] ; then 100 | warn "Could not set maximum file descriptor limit: $MAX_FD" 101 | fi 102 | else 103 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 104 | fi 105 | fi 106 | 107 | # For Darwin, add options to specify how the application appears in the dock 108 | if $darwin; then 109 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 110 | fi 111 | 112 | # For Cygwin, switch paths to Windows format before running java 113 | if $cygwin ; then 114 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 115 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 116 | JAVACMD=`cygpath --unix "$JAVACMD"` 117 | 118 | # We build the pattern for arguments to be converted via cygpath 119 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 120 | SEP="" 121 | for dir in $ROOTDIRSRAW ; do 122 | ROOTDIRS="$ROOTDIRS$SEP$dir" 123 | SEP="|" 124 | done 125 | OURCYGPATTERN="(^($ROOTDIRS))" 126 | # Add a user-defined pattern to the cygpath arguments 127 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 128 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 129 | fi 130 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 131 | i=0 132 | for arg in "$@" ; do 133 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 134 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 135 | 
136 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 137 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 138 | else 139 | eval `echo args$i`="\"$arg\"" 140 | fi 141 | i=$((i+1)) 142 | done 143 | case $i in 144 | (0) set -- ;; 145 | (1) set -- "$args0" ;; 146 | (2) set -- "$args0" "$args1" ;; 147 | (3) set -- "$args0" "$args1" "$args2" ;; 148 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;; 149 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 150 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 151 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 152 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 153 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 154 | esac 155 | fi 156 | 157 | # Escape application args 158 | save () { 159 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done 160 | echo " " 161 | } 162 | APP_ARGS=$(save "$@") 163 | 164 | # Collect all arguments for the java command, following the shell quoting and substitution rules 165 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" 166 | 167 | # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong 168 | if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then 169 | cd "$(dirname "$0")" 170 | fi 171 | 172 | exec "$JAVACMD" "$@" 173 | -------------------------------------------------------------------------------- /app/src/main/res/drawable/ic_launcher_background.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 10 | 15 | 20 | 25 | 30 | 35 | 40 | 45 | 50 | 55 | 60 | 65 | 70 | 75 | 80 | 85 | 90 | 95 | 100 | 105 | 110 | 115 | 120 | 125 | 130 | 135 | 140 | 145 | 150 | 155 | 160 | 
165 | 170 | 171 |
--------------------------------------------------------------------------------
/app/src/main/cpp/native-lib.cpp:
--------------------------------------------------------------------------------
// Reviewer overview. The code below is unchanged; only comments were added.
// The header names after the bare `#include` directives were lost when this
// page was extracted, so they cannot be restored from here.
//
// This translation unit has two roles:
//   * main()  - command-line driver: builds an Inject object for the zygote
//               PID and asks it to load a library there and call the symbol
//               "_Z5entryv" (the Itanium-mangled name of entry()).
//   * entry() - the function that is expected to run inside the target once
//               the library has been loaded.
//
// Behaviour that is visible to monitoring on the device: an
// `su -c setenforce 0` invocation that is never reverted, a ptrace attach
// against zygote / zygote64, and DEBUG logcat lines under the tag "jnitest".
#include
#include
#include
#include
#include
#include
#include "native-lib.h"
#include
#include
#include "Inject.h"

// Process-wide JNI state, filled in by init_gvar(). All three stay NULL when
// any step of init_gvar() fails.
JavaVM *gJavaVM = NULL;
JNIEnv *gJNIEnv = NULL;
jobject sClassLoader = NULL;

// Scans /proc for a process whose /proc/<pid>/cmdline begins with exactly
// `process_name` and returns its PID, or -1 when none is found, when
// `process_name` is NULL, or when /proc cannot be opened.
// strcmp() stops at the first NUL, so only the first cmdline field (argv[0])
// takes part in the comparison.
int find_pid_of(const char *process_name) {
    int id;
    pid_t pid = -1;
    DIR *dir;
    FILE *fp;
    char filename[32];
    char cmdline[256];

    struct dirent *entry;

    if (process_name == NULL)
        return -1;

    dir = opendir("/proc/");
    if (dir == NULL)
        return -1;

    while ((entry = readdir(dir)) != NULL) {
        // Non-numeric directory names convert to 0 and are skipped.
        id = atoi(entry->d_name);
        if (id != 0) {
            // "/proc/" + up to 11 characters of int + "/cmdline" fits in 32 bytes.
            sprintf(filename, "/proc/%d/cmdline", id);
            fp = fopen(filename, "r");
            if (fp) {
                // NOTE(review): the fgets() result is not checked. For a process
                // with an empty cmdline the buffer keeps its previous contents
                // (or is uninitialised on the first iteration) and is still
                // compared below.
                fgets(cmdline, sizeof(cmdline), fp);
                fclose(fp);

                if (strcmp(process_name, cmdline) == 0) {
                    /* process found */
                    pid = id;
                    break;
                }
            }
        }
    }

    closedir(dir);
    return pid;
}


// Pointer to JNI_GetCreatedJavaVMs, resolved at run time by init_gvar().
jint (*GetCreatedJavaVMs)(JavaVM **, jsize, jsize *) = NULL;

// Locates the Java VM already running in the current process and caches the
// JavaVM, the JNIEnv of the calling thread and the system ClassLoader in the
// globals above. Every step is logged at DEBUG level under the tag "jnitest";
// on any failure the function returns early and leaves the remaining globals
// NULL.
static void init_gvar() {
// Runtime library paths; the Dalvik path is probed first, then ART.
#ifdef __aarch64__
#define ART_PATH "/system/lib64/libart.so"
#define DVM_PATH "/system/lib64/libdvm.so"
#else
#define ART_PATH "/system/lib/libart.so"
#define DVM_PATH "/system/lib/libdvm.so"
#endif

    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init");
    jsize size = 0;
    void *handle = NULL;
    if (access(DVM_PATH, F_OK) == 0) {
        __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_dvm");
        handle = dlopen(DVM_PATH, RTLD_NOW | RTLD_GLOBAL);
    } else if (access(ART_PATH, F_OK) == 0) {
        __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_art");
        handle = dlopen(ART_PATH, RTLD_NOW | RTLD_GLOBAL);
    }
    if (!handle) {
        return;
    }
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_dlopen VM => %p", handle);
    GetCreatedJavaVMs = (jint (*)(JavaVM **, jsize, jsize *)) dlsym(handle,
                                                                    "JNI_GetCreatedJavaVMs");
    if (!GetCreatedJavaVMs) {
        return;
    }
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_dlsym GetCreatedJavaVMs => %p",
                        GetCreatedJavaVMs);
    // Ask for at most one VM; `size` receives how many exist.
    GetCreatedJavaVMs(&gJavaVM, 1, &size);
    if (size >= 1) {
        // NOTE(review): this and the later log lines print the address of the
        // variable (&gJavaVM, &gJNIEnv, ...) rather than the value it holds.
        __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_GetCreatedJavaVMs => %p", &gJavaVM);
        // GetEnv only succeeds for a thread that is already attached to the VM;
        // the return code is not checked, only the resulting pointer.
        gJavaVM->GetEnv((void **) &gJNIEnv, JNI_VERSION_1_6);
        if (gJNIEnv) {
            __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "init_GetEnv => %p", &gJNIEnv);
            jclass dex_class_loader = gJNIEnv->FindClass("java/lang/ClassLoader");
            if (dex_class_loader) {
                __android_log_print(ANDROID_LOG_DEBUG, "jnitest",
                                    "init_FindClass ClassLoader => %p", &dex_class_loader);
                jmethodID get_system_class_loader = gJNIEnv->GetStaticMethodID(dex_class_loader,
                                                                               "getSystemClassLoader",
                                                                               "()Ljava/lang/ClassLoader;");
                if (get_system_class_loader) {
                    __android_log_print(ANDROID_LOG_DEBUG, "jnitest",
                                        "init_GetMethodID getSystemClassLoader => %p",
                                        get_system_class_loader);
                    // Stored as a local reference; no NewGlobalRef is taken here.
                    sClassLoader = gJNIEnv->CallStaticObjectMethod(dex_class_loader,
                                                                   get_system_class_loader);
                    __android_log_print(ANDROID_LOG_DEBUG, "jnitest",
                                        "init_CallMethod getSystemClassLoader=> %p", &sClassLoader);
                }
            }
        }
    }
}

// Builds a dalvik.system.PathClassLoader for `filepath` whose parent is the
// cached system ClassLoader and returns it, or NULL when sClassLoader is unset
// or a JNI lookup fails.
jobject load_module(char *filepath) {

    if (sClassLoader) {
        jclass path_class_loader = gJNIEnv->FindClass("dalvik/system/PathClassLoader");
        if (path_class_loader) {
            // NOTE(review): the method name is an empty string on this page. JNI
            // looks constructors up under the name "<init>", which the page
            // extraction appears to have stripped as if it were markup.
            jmethodID cort = gJNIEnv->GetMethodID(path_class_loader, "",
                                                  "(Ljava/lang/String;Ljava/lang/ClassLoader;)V");
            if (cort) {
                return gJNIEnv->NewObject(path_class_loader, cort, gJNIEnv->NewStringUTF(filepath),
                                          sClassLoader);
            }

        }
    }
    return NULL;
}

// Function run inside the target process. Initialises the JNI globals, builds a
// class loader over a hard-coded APK path and asks it to load
// cn.hluwa.injector.MainActivity. Always returns 0x100; nothing is invoked on
// the loaded class (the call is still commented out).
// NOTE(review): gJNIEnv is dereferenced without a NULL check, so an early
// return from init_gvar() leads to a NULL dereference here, and `loader` may be
// NULL when it is passed to CallObjectMethod.
int entry() {
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "entry_3");
    init_gvar();
    // The "-1" install suffix is fixed in the string below.
    jobject loader = load_module("/data/app/cn.hluwa.injector-1/base.apk");
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "loader = %p", loader);
    jclass clazz = gJNIEnv->FindClass("java/lang/ClassLoader");
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "clazz = %p", clazz);
    jmethodID forclass = gJNIEnv->GetMethodID(clazz, "loadClass",
                                              "(Ljava/lang/String;)Ljava/lang/Class;");
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "loadClass = %p", forclass);
    if (!forclass) {
        return 0x100;
    }
    jstring MainActivity = gJNIEnv->NewStringUTF("cn.hluwa.injector.MainActivity");
    jobject cls = gJNIEnv->CallObjectMethod(loader, forclass, MainActivity);
//    jclass cls = gJNIEnv->FindClass("cn/hluwa/injector/MainActivity");
    __android_log_print(ANDROID_LOG_DEBUG, "jnitest", "cls = %p", cls);
//    gJNIEnv->CallStaticVoidMethod()
    return 0x100;
}

// Name of the zygote process to look up and the default library path used in
// the debug configuration, per ABI.
#if defined(__aarch64__)
#define ZYGOTE_NAME "zygote64"
#define SO_PATH "/data/local/libnative-lib64.so"
#else
#define ZYGOTE_NAME "zygote"
#define SO_PATH "/data/local/libnative-lib.so"
#endif

// 1 = ignore the command line and use SO_PATH.
// NOTE(review): identifiers containing a double underscore are reserved for the
// implementation.
#define __DEBUG__ 0

// Command-line driver. args[1] is the path of the shared library to load in the
// target; returns -1 when it is missing and 0 otherwise, whatever the outcome
// of the later steps.
int main(int argc, char *args[]) {
    char *load_file;
    if (__DEBUG__)
        load_file = SO_PATH;
    else {
        if (argc < 2) {
            return -1;
        }
        load_file = args[1];
    }
    // Switches SELinux to permissive for the whole device through `su`. The
    // result is not checked and the mode is never restored, so the device stays
    // permissive after this program exits.
    system("su -c setenforce 0");
    // NOTE(review): find_pid_of() returns -1 when no zygote is found and that
    // value is passed straight to Inject; neither this nor the call_sym() result
    // is checked.
    Inject *injector = new Inject(find_pid_of(ZYGOTE_NAME));
    injector->call_sym(load_file, "_Z5entryv", NULL, 0);
    delete injector;
    return 0;
}
--------------------------------------------------------------------------------
/app/src/main/cpp/Inject.cpp:
--------------------------------------------------------------------------------
//
// Created by hluwa on 2018/8/19.
//
// Reviewer overview. The code below is unchanged; only comments were added.
// The header names after the bare `#include` directives were lost when this
// page was extracted, and the token "®s" in call_addr() is a mis-decoded
// "&regs" (the "&reg" prefix was rendered as the registered-trademark sign).
//
// Inject wraps ptrace(2) to make a traced process call functions on the
// tracer's behalf: the constructor attaches and allocates a scratch buffer in
// the target, call_addr() performs one remote call, and the destructor frees
// the buffer, closes loaded libraries and detaches. Every operation depends on
// PTRACE_ATTACH being permitted against the target PID, so kernel ptrace
// restrictions and SELinux policy are the controls that gate it. Progress is
// printed to stdout with printf().
// The class declaration and the constants (LIBC_PATH, LINKER_PATH,
// REMOTE_STR_BUF_SIZE, HANDLES_LIST_SIZE, ARGS_REG_NUM, HLUWA_STATUS_*) live in
// Inject.h, which is not part of this listing.

#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "Inject.h"


// Attaches to `pid` and has the target malloc() a REMOTE_STR_BUF_SIZE-byte
// buffer that write_string() later fills.
// NOTE(review): the result of attach() is not checked, and dlclose_addr is not
// initialised here although the destructor reads it; it may be initialised in
// Inject.h - confirm.
Inject::Inject(pid_t pid) : pid(pid) {
    this->dlopen_addr = 0;
    this->dlsym_addr = 0;
    this->remote_buf = 0;
    this->buf_cursor = 0;
    this->handles_cursor = 0;
    memset(this->handles, 0, HANDLES_LIST_SIZE * sizeof(void *));
    this->attach();
    void *malloc_addr = this->get_remote_addr(LIBC_PATH, (void *) malloc);
    void *args[1] = {
            (void *) REMOTE_STR_BUF_SIZE
    };
    this->remote_buf = this->call_addr(malloc_addr, args, 1);
}

// Frees the remote scratch buffer, calls dlclose() in the target for every
// recorded handle, then detaches.
Inject::~Inject() {
    if (this->remote_buf) {
        void *free_addr = this->get_remote_addr(LIBC_PATH, (void *) free);
        void *args[1] = {
                this->remote_buf
        };
        this->call_addr(free_addr, args, 1);
    }
    // NOTE(review): handles looks like an array member (see the memset in the
    // constructor), in which case this condition is always true - confirm
    // against Inject.h.
    if (this->handles) {
        for (int i = 0; i < HANDLES_LIST_SIZE; i++) {
            // Resolved lazily on the first pass through the loop.
            if (!this->dlclose_addr) {
                this->dlclose_addr = this->get_remote_addr(LINKER_PATH, (void *) dlclose);
            }
            if (this->handles[i]) {
                void *args[1] = {
                        this->handles[i]
                };
                this->call_addr(this->dlclose_addr, args, 1);
            }

        }
    }
    this->detach();
}


// Issues PTRACE_DETACH on the target. Returns 0 on success and -1 on failure,
// and records the outcome in status.
int Inject::detach() {
    if (ptrace(PTRACE_DETACH, this->pid, NULL, 0) < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return 0;
}

// Issues PTRACE_ATTACH on the target. Returns 0 on success and -1 on failure,
// and records the outcome in status.
int Inject::attach() {
    if (ptrace(PTRACE_ATTACH, this->pid, NULL, 0) < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return 0;
}

// Reads the target's general-purpose registers into `regs`. aarch64 builds use
// PTRACE_GETREGSET with NT_PRSTATUS, other builds use PTRACE_GETREGS.
// Returns -1 on failure; on success 0 (aarch64) or the ptrace result.
int Inject::getregs(struct pt_regs *regs) {
#if defined (__aarch64__)
    int regset = NT_PRSTATUS;
    struct iovec ioVec;

    ioVec.iov_base = regs;
    ioVec.iov_len = sizeof(*regs);
    if (ptrace(PTRACE_GETREGSET, pid, (void *) regset, &ioVec) < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return 0;
#else
    int res = ptrace(PTRACE_GETREGS, this->pid, NULL, regs);
    if (res < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return res;

#endif
}

// Writes `regs` into the target's general-purpose registers; the counterpart of
// getregs(). Returns -1 on failure, otherwise the ptrace result.
int Inject::setregs(struct pt_regs *regs) {
#if defined (__aarch64__)
    int regset = NT_PRSTATUS;
    struct iovec ioVec;

    ioVec.iov_base = regs;
    ioVec.iov_len = sizeof(*regs);
    int res = ptrace(PTRACE_SETREGSET, pid, (void *) regset, &ioVec);
    if (res < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return res;
#else
    int res = ptrace(PTRACE_SETREGS, this->pid, NULL, regs);
    if (res < 0) {
        this->status = HLUWA_STATUS_FAILD;
        return -1;
    }
    this->status = HLUWA_STATUS_SUCCESS;
    return res;

#endif
}

// Resumes the stopped target with PTRACE_CONT and no signal. Returns -1 on
// failure, otherwise the ptrace result. Does not touch status.
int Inject::cont() {
    int res = ptrace(PTRACE_CONT, this->pid, NULL, 0);
    if (res < 0) {
        return -1;
    }

    return res;
}

// Copies `size` bytes from address `src` in the target into the local buffer
// `buf`, 4 bytes per PTRACE_PEEKTEXT. Always returns 0; ptrace errors are not
// detected.
int Inject::read_data(uint8_t *src, uint8_t *buf, size_t size) {
    uint32_t i, j, remain;
    uint8_t *laddr;

    // Gives byte access to the word returned by ptrace.
    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;
    remain = size % 4;

    laddr = buf;

    for (i = 0; i < j; i++) {
        d.val = ptrace(PTRACE_PEEKTEXT, this->pid, src, 0);
        memcpy(laddr, d.chars, 4);
        src += 4;
        laddr += 4;
    }

    // Trailing 1-3 bytes.
    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, this->pid, src, 0);
        memcpy(laddr, d.chars, remain);
    }

    return 0;
}

// Copies a NUL-terminated string from `remote_addr` in the target into `dest`,
// writing at most `max_len` bytes including the terminator. Always returns 0.
// NOTE(review): a failed PEEKTEXT (for example remote_addr == NULL) is not
// detected; the -1 it returns is copied as data.
int Inject::read_string(uint8_t *remote_addr, uint8_t *dest, size_t max_len) {
    bool eos = false;
    while (!eos) {
        union u {
            long val;
            char chars[sizeof(long)];
        } d;

        d.val = ptrace(PTRACE_PEEKTEXT, this->pid, remote_addr, 0);
        remote_addr += 4;
        for (int i = 0; i < 4; i++) {
            // Stop at the terminator or when only room for the NUL is left.
            if (d.chars[i] == 0x0 || max_len <= 1) {
                *dest = 0;
                eos = true;
                break;
            }
            *dest = d.chars[i];
            dest++;
            max_len--;
        }
    }
    return 0;
}

// Copies `size` bytes from the local buffer `data` to address `dest` in the
// target, 4 bytes per PTRACE_POKETEXT. Always returns 0; ptrace errors are not
// detected.
int Inject::write_data(uint8_t *dest, uint8_t *data, size_t size) {
    uint32_t i, j, remain;
    uint8_t *laddr;

    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;
    remain = size % 4;

    laddr = data;

    for (i = 0; i < j; i++) {
        memcpy(d.chars, laddr, 4);
        ptrace(PTRACE_POKETEXT, this->pid, dest, d.val);

        dest += 4;
        laddr += 4;
    }

    // Trailing 1-3 bytes: read the existing word, overlay the new bytes, write
    // it back so the bytes after them are preserved.
    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, this->pid, dest, 0);
        for (i = 0; i < remain; i++) {
            d.chars[i] = *laddr++;
        }

        ptrace(PTRACE_POKETEXT, this->pid, dest, d.val);
    }

    return 0;
}

// Appends `str` (with its terminator) to the remote scratch buffer and returns
// the address it was written to in the target, or 0 when the buffer would
// overflow.
// NOTE(review): the bound check only runs when remote_buf is non-null; with a
// null remote_buf the write goes to the bare cursor offset.
void *Inject::write_string(char *str) {
    unsigned long result;
    int len = strlen(str) + 1;
    if (this->remote_buf && len + this->buf_cursor >= REMOTE_STR_BUF_SIZE) {
        this->status = HLUWA_STATUS_FAILD;
        return 0;
    }
    result = (unsigned long) this->remote_buf + (unsigned long) this->buf_cursor;
    this->write_data((uint8_t *) result, (uint8_t *) str, len);
    this->buf_cursor += len;
    this->status = HLUWA_STATUS_SUCCESS;
    printf("write_string: %s, to: %p\n", str, (void *) result);
    return (void *) result;
}

// Loads `module` in the target, resolves `sym` there with dlsym() and calls it.
// Returns the callee's first return register, or 0 with status set to
// HLUWA_STATUS_DLOPEN_ERROR / HLUWA_STATUS_DLSYM_ERROR on failure.
void *Inject::call_sym(char *module, char *sym, void **args, int argc) {
    if (!this->dlsym_addr) {
        this->dlsym_addr = get_remote_addr(LINKER_PATH, (void *) dlsym);
    }
    void *soinfo = this->loadlibrary(module);
    if (soinfo) {
        // NOTE(review): this local array shadows the `args` parameter, so the
        // final call_addr() below receives {handle, symbol name} rather than the
        // caller's argument list.
        void *args[2] = {
                soinfo,
                this->write_string(sym)
        };
        void *sym_addr = this->call_addr(this->dlsym_addr, args, 2);
        printf("entry sym_addr = %p\n", sym_addr);
        if (sym_addr) {
            this->status = HLUWA_STATUS_SUCCESS;
            return this->call_addr(sym_addr, args, argc);
        } else {
            // Fetch and print the target's dlerror() text.
            char buf[256] = "";
            void *err_str = this->call_addr(this->get_remote_addr(LINKER_PATH, (void *) dlerror),
                                            NULL, 0);
            this->read_string((uint8_t *) err_str, (uint8_t *) buf, 256);
            printf("dlerror: %s\n", buf);
            this->status = HLUWA_STATUS_DLSYM_ERROR;
            return 0;
        }

    }
    this->status = HLUWA_STATUS_DLOPEN_ERROR;
    return 0;
}

// Makes the stopped target call the function at `remote_addr` with `argc`
// pointer-sized arguments and returns the value left in its first register.
// The target's registers are saved first and restored afterwards. Return codes
// of getregs(), setregs() and waitpid() are not checked.
// The uregs / ARM_* field names are the 32-bit ARM pt_regs layout; for aarch64
// builds they presumably come from definitions in Inject.h - confirm.
void *Inject::call_addr(void *remote_addr, void **args, int argc) {
    struct pt_regs return_regs = {0};
    printf("remote_addr = %p, argc = %d\n", remote_addr, argc);
    struct pt_regs orig_regs, regs = {0};
    this->status = HLUWA_STATUS_CALL_ADDR;
    this->getregs(®s);
    memcpy(&orig_regs, ®s, sizeof(struct pt_regs));
    // The first ARGS_REG_NUM arguments travel in registers.
    for (int i = 0; i < ARGS_REG_NUM; i++) {
        if (i < argc) {
            printf("arg[%d]: %p\n", i, args[i]);
            regs.uregs[i] = (unsigned long) args[i];
        }
    }
    // Any further arguments are written below the current stack pointer.
    if (argc > ARGS_REG_NUM) {
        regs.ARM_sp -= (argc - ARGS_REG_NUM) * sizeof(void *);
        this->write_data((uint8_t *) regs.ARM_sp, (uint8_t *) &args[ARGS_REG_NUM],
                         (argc - ARGS_REG_NUM) * sizeof(void *));
    }
    // Sentinel return address, also tested in the loop below; presumably not
    // mapped in the target, so returning to it stops the target with a fault.
    regs.ARM_lr = 0x11001010;
    regs.ARM_pc = (unsigned long) remote_addr;
    // Bit 0 of the address selects Thumb state: clear it from PC and mirror it
    // in the CPSR T flag.
    if (regs.ARM_pc & 1) {
        regs.ARM_pc &= (~1u);
        regs.ARM_cpsr |= CPSR_T_MASK;
    } else {
        regs.ARM_cpsr &= ~CPSR_T_MASK;
    }
    this->setregs(®s);
    this->cont();
    int stat = 0;
    waitpid(this->pid, &stat, WUNTRACED);
    // 0xb7f is the Linux wait status for "stopped by signal 11 (SIGSEGV)". The
    // loop keeps resuming the target until that status is seen or LR holds the
    // sentinel.
    while (stat != 0xb7f && return_regs.ARM_lr != 0x11001010) {
        if (this->cont() == -1) {
            printf("error\n");
            this->status = HLUWA_STATUS_FAILD;
            return 0;
        }
        waitpid(this->pid, &stat, WUNTRACED);
        this->getregs(&return_regs);
        printf("pc = %p\n", (void *) return_regs.ARM_pc);
    }
    this->getregs(&return_regs);
    printf("result = %p\n", (void *) return_regs.uregs[0]);
    // Put the target back into the state it was in before the call.
    this->setregs(&orig_regs);
    this->status = HLUWA_STATUS_SUCCESS;
    return (void *) return_regs.uregs[0];
}

// Has the target dlopen() `libfile` with RTLD_NOW | RTLD_LOCAL. Returns the
// remote handle, or NULL after printing the target's dlerror() text.
void *Inject::loadlibrary(char *libfile) {
    if (!this->dlopen_addr) {
        this->dlopen_addr = this->get_remote_addr(LINKER_PATH, (void *) dlopen);
    }
    // write_string() returns 0 when the scratch buffer is full; that value is
    // passed on unchecked.
    void *remote_str = this->write_string(libfile);
    char buf[256] = {0};
    void *args[2] = {
            remote_str,
            (void *) (RTLD_NOW | RTLD_LOCAL)
    };
    void *handle = this->call_addr(this->dlopen_addr, args, 2);
    if (!handle) {
        void *err_str = this->call_addr(this->get_remote_addr(LINKER_PATH, (void *) dlerror), NULL,
                                        0);
        this->read_string((uint8_t *) err_str, (uint8_t *) buf, 256);
        printf("dlerror: %s\n", buf);
        this->status = HLUWA_STATUS_DLOPEN_ERROR;
    } else {
        // NOTE(review): handles_cursor is not compared with HANDLES_LIST_SIZE
        // before the store, so enough successful loads write past the array.
        this->handles[this->handles_cursor++] = handle;
        this->status = HLUWA_STATUS_SUCCESS;
    }
    printf("loadLibrary: %s, to: %p\n", libfile, (void *) handle);
    return handle;
}

// Translates `local_addr`, an address inside `module_name` in this process, to
// the matching address in the target by applying the difference between the two
// module base addresses. The result is only meaningful when the same module
// file is mapped in both processes; a base that could not be found is 0 and is
// used as-is.
void *Inject::get_remote_addr(const char *module_name, void *local_addr) {
    void *local_handle, *remote_handle;

    // A negative pid selects /proc/self/maps.
    local_handle = get_module_base(-1, module_name);
    remote_handle = get_module_base(this->pid, module_name);
    printf("module_name = %s, local_handle = %p, remote_handle = %p, local_addr = %p\n",
           module_name, local_handle, remote_handle, local_addr);
    void *ret_addr = (void *) ((unsigned long) local_addr + (unsigned long) remote_handle -
                               (unsigned long) local_handle);
    return ret_addr;
}

// Returns the start address of the first mapping in /proc/<pid>/maps (or
// /proc/self/maps when pid < 0) whose line contains `module_name` as a
// substring, or 0 when the file cannot be opened or nothing matches.
void *get_module_base(pid_t pid, const char *module_name) {
    FILE *fp;
    long addr = 0;
    char *pch;
    char filename[32];
    char line[1024];

    if (pid < 0) {
        snprintf(filename, sizeof(filename), "/proc/self/maps");
    } else {
        snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
    }
    fp = fopen(filename, "r");
    if (fp != NULL) {
        while (fgets(line, sizeof(line), fp)) {
            // Substring match on the whole line, so any path containing the
            // name matches.
            if (strstr(line, module_name)) {
                // A maps line starts with "start-end"; keep the hex start.
                pch = strtok(line, "-");
                addr = strtoul(pch, NULL, 16);
                break;
            }
        }
        fclose(fp);
    }
    return (void *) addr;
}
--------------------------------------------------------------------------------