├── ELFARM32_lod.py
├── README.md
├── driver test
    └── jni
    │   ├── Android.mk
    │   ├── Application.mk
    │   ├── bin_wrapper.c
    │   ├── dump_host.c
    │   ├── dump_test.c
    │   └── ptrace_trace.c
└── driver
    ├── Makefile
    └── REHelper.c


/ELFARM32_lod.py:
--------------------------------------------------------------------------------
  1 | # For protected ELF32 file
  2 | # Author: ThomasKing
  3 | # Date: 2015.01.02
  4 | 
  5 | import struct
  6 | import sys
  7 | import os
  8 | 
  9 | ELF_MAGIC = '\x7f\x45\x4c\x46'
 10 | DT_STRTAB = 5
 11 | DT_STRSZ  = 10
 12 | DT_SYMTAB = 6
 13 | DT_REL 	  = 17
 14 | DT_RELSZ  = 18
 15 | DT_JMPREL	= 23
 16 | DT_PLTRELSZ	= 2
 17 | DT_HASH   = 4
 18 | DT_INIT_ARRAY = 25
 19 | DT_INIT_ARRAYSZ = 27
 20 | DT_FINI_ARRAY = 26
 21 | DT_FINI_ARRAYSZ = 28
 22 | DT_PREINIT_ARRAY = 32
 23 | DT_PREINIT_ARRAYSZ = 33
 24 | 
 25 | try:
 26 | 	from awesome_print import ap as pp
 27 | except:
 28 | 	from pprint import pprint as pp
 29 | 
 30 | try:
 31 | 	from idaapi import *
 32 | 	from idautils import *
 33 | 	from idc import *
 34 | 	IN_IDA = True
 35 | except:
 36 | 	print "Not running in IDA?"
 37 | 	IN_IDA = False
 38 | 
 39 | def SearchGotEnd(data, start, end, rels):
 40 | 	for i in range(end, start, -1):
 41 | 		num = struct.unpack('<I', data[i - 4 : i])
 42 | 		for j in range(len(rels)):
 43 | 			if num == rels[j].r_offset:
 44 | 				return i
 45 | 	return 0
 46 | 	
 47 | def SearchPltStart(data):
 48 | 	return data.find('\x04\xE0\x2D\xE5\x04\xE0\x9F\xE5\x0E\xE0\x8F\xE0\x08\xF0\xBE\xE5')
 49 | 	
 50 | def SearchTextEnd(data):
 51 | 	return data.find('\x08\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00Android')
 52 | 	
 53 | def SearchRODATA(data, start, end):
 54 | 	ret_start = -1
 55 | 	ret_len	= -1
 56 | 	for i in range(end - start):
 57 | 		if data[start + i].isalnum():
 58 | 			ret_start = start + i
 59 | 			break;
 60 | 	if ret_start == -1:
 61 | 		return [ret_start, ret_len]
 62 | 	'''
 63 | 	current = ret_start
 64 | 	while(current < end):
 65 | 		if not data[current].isalnum():
 66 | 			hitEndding = True
 67 | 			for i in range(24):
 68 | 				if data[current + i].isalnum():
 69 | 					hitEndding = False
 70 | 					break;
 71 | 			if hitEndding:
 72 | 				ret_len = current - ret_start
 73 | 				break;
 74 | 		current = current + 1
 75 | 	'''
 76 | 	return [ret_start & ~0x3, (ret_len + 0x3) & ~0x3]
 77 | 
 78 | class RelInfo:
 79 | 	def __init__(self, name, r_offset, is_fun):
 80 | 		self.name = name
 81 | 		self.r_offset = r_offset
 82 | 		self.is_fun = is_fun
 83 | 
 84 | class Section:
 85 | 	def __init__(self, name, vaddr, vend, attr):
 86 | 		self.name = name
 87 | 		self.vaddr = vaddr
 88 | 		self.vend = vend
 89 | 		self.attr = attr
 90 | 		
 91 | class ELF32Ehdr:
 92 | 	def __init__(self, e_entry, e_phoff, e_phnum):
 93 | 		self.e_entry = e_entry
 94 | 		self.e_phoff = e_phoff
 95 | 		self.e_phnum = e_phnum
 96 | 		
 97 | class ELF32Phdr:
 98 | 	def __init__(self, p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags):
 99 | 		self.p_type   = p_type
100 | 		self.p_offset = p_offset
101 | 		self.p_vaddr  = p_vaddr
102 | 		self.p_filesz = p_filesz
103 | 		self.p_memsz  = p_memsz
104 | 		self.p_flags  = p_flags
105 | 		
106 | class ELFImage:
107 | 	def __init__(self, f):
108 | 		f.seek(16, 0)
109 | 		(e_type,   e_machine, e_version,  e_entry,  
110 | 		 e_phoff,  e_shoff,   e_flags,    e_ehsize, 
111 | 		 e_phentsize, e_phnum,  e_shentsize, 
112 | 		 e_shnum,  e_shstrndx) = struct.unpack('<HHIIIIIHHHHHH', f.read(36))
113 | 		self.ehdr = ELF32Ehdr(e_entry, e_phoff, e_phnum)
114 | 		
115 | 		self.static_compile = True
116 | 		self.loads = []
117 | 		f.seek(e_phoff, 0)
118 | 		for i in range(e_phnum):
119 | 			(p_type, p_offset, p_vaddr, p_paddr, 
120 | 			p_filesz, p_memsz, p_flags, p_align) = struct.unpack('<IIIIIIII', f.read(32))
121 | 			if p_type == 1:
122 | 				self.loads.append(ELF32Phdr(p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags))
123 | 			if p_type == 2:
124 | 				self.dynamic = ELF32Phdr(p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags)
125 | 				self.static_compile = False
126 | 			if p_type == 0x70000001:
127 | 				self.arm_exidx = ELF32Phdr(p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags)
128 | 		
129 | 		if len(self.loads) != 2:
130 | 			print('Program segment modifed file, no analysis now!')
131 | 			return
132 | 		self.sections = []
133 | 		f.seek(self.loads[0].p_offset, 0)
134 | 		load0_data = f.read(self.loads[0].p_filesz)		
135 | 		if self.static_compile:
136 | 			print('*** This file is statically compiled! ***')
137 | 			text_offset = 52 + (self.ehdr.e_phoff - 52) + self.ehdr.e_phnum * 32
138 | 			text_offset = (text_offset + 0xf) & ~0xf
139 | 			text_vaddr = text_offset + self.loads[0].p_vaddr
140 | 			
141 | 			end_tag = SearchTextEnd(load0_data)
142 | 			if end_tag != -1:
143 | 				self.sections.append(Section('.note.android.ident', self.loads[0].p_vaddr + end_tag, self.arm_exidx.p_vaddr, 'DATA'))
144 | 			self.sections.append(Section('.text', text_vaddr, self.loads[0].p_vaddr + end_tag, 'CODE'))
145 | 			self.sections.append(Section('.arm.exidx', self.arm_exidx.p_vaddr, self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz, 'DATA'))				
146 | 				
147 | 			[rodata_offset, rodata_len] = SearchRODATA(load0_data, self.arm_exidx.p_offset + self.arm_exidx.p_filesz, self.loads[0].p_offset + self.loads[0].p_filesz)
148 | 			if rodata_offset != -1:
149 | 				rodata_vaddr = rodata_offset + self.loads[0].p_vaddr
150 | 				self.sections.append(Section('.arm.extab',  self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz, rodata_vaddr, 'DATA'))
151 | 			else:
152 | 				rodata_vaddr = self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz
153 | 			self.sections.append(Section('.rodata', rodata_vaddr, self.loads[0].p_vaddr + self.loads[0].p_filesz, 'DATA'))
154 | 			self.sections.append(Section('.data', self.loads[1].p_vaddr, self.loads[1].p_vaddr + self.loads[1].p_filesz, 'DATA'))
155 | 			self.sections.append(Section('.bss', self.loads[1].p_vaddr + self.loads[1].p_filesz, self.loads[1].p_vaddr + self.loads[1].p_memsz, 'DATA'))
156 | 		else:
157 | 			f.seek(self.dynamic.p_offset, 0)
158 | 			for i in range(self.dynamic.p_filesz / 8):
159 | 				(d_tag, d_val) = struct.unpack('<II', f.read(8))
160 | 				if d_tag == DT_SYMTAB:
161 | 					symtab_vaddr = d_val
162 | 				elif d_tag == DT_STRTAB:
163 | 					strtab_vaddr = d_val
164 | 				elif d_tag == DT_STRSZ:
165 | 					strtabSize = d_val
166 | 				elif d_tag == DT_HASH:
167 | 					hashtab_vaddr = d_val
168 | 				elif d_tag == DT_INIT_ARRAY:
169 | 					initArray_vaddr = d_val
170 | 				elif d_tag == DT_INIT_ARRAYSZ:
171 | 					initArraySize = d_val
172 | 				elif d_tag == DT_FINI_ARRAY:
173 | 					finiArray_vaddr = d_val
174 | 				elif d_tag == DT_FINI_ARRAYSZ:
175 | 					finiArraySize = d_val
176 | 				elif d_tag == DT_PREINIT_ARRAY:
177 | 					preinitArray_vaddr = d_val
178 | 				elif d_tag == DT_PREINIT_ARRAYSZ:
179 | 					preinitArraySize = d_val
180 | 				elif d_tag == DT_REL:
181 | 					rel_vaddr = d_val
182 | 				elif d_tag == DT_RELSZ:
183 | 					relSize = d_val
184 | 				elif d_tag == DT_JMPREL:
185 | 					relPlt_vaddr = d_val
186 | 				elif d_tag == DT_PLTRELSZ:
187 | 					relPltSize = d_val
188 | 				else:
189 | 					pass
190 | 			f.seek(hashtab_vaddr - self.loads[0].p_vaddr, 0)
191 | 			[nbucket, nchain] = struct.unpack('<II', f.read(8))
192 | 			f.seek(symtab_vaddr - self.loads[0].p_vaddr, 0)
193 | 			symtab = f.read(nchain * 16)
194 | 			
195 | 			f.seek(strtab_vaddr - self.loads[0].p_vaddr, 0)
196 | 			strtab = f.read(strtabSize)
197 | 			
198 | 			f.seek(rel_vaddr - self.loads[0].p_vaddr, 0)
199 | 			rel = f.read(relSize)
200 | 			
201 | 			f.seek(relPlt_vaddr - self.loads[0].p_vaddr, 0)
202 | 			relPlt = f.read(relPltSize)
203 | 						
204 | 			f.seek(initArray_vaddr - self.loads[1].p_vaddr, 0)
205 | 			initArray = f.read(initArraySize)
206 | 
207 | 			f.seek(finiArray_vaddr - self.loads[1].p_vaddr, 0)
208 | 			finiArray = f.read(finiArraySize)
209 | 			
210 | 			f.seek(preinitArray_vaddr - self.loads[1].p_vaddr, 0)
211 | 			preinitArray = f.read(preinitArraySize)			
212 | 			#
213 | 			plt_offset = SearchPltStart(load0_data)
214 | 			self.sections.append(Section('.plt', plt_offset + self.loads[0].p_vaddr, plt_offset + self.loads[0].p_vaddr + 20 + 12 * relPltSize / 8, 'CODE'))
215 | 			
216 | 			text_offset = plt_offset + 20 + 12 * relPltSize / 8
217 | 			text_vaddr = self.loads[0].p_vaddr + text_offset
218 | 			end_tag = SearchTextEnd(load0_data)
219 | 			
220 | 			if end_tag != -1:
221 | 				self.sections.append(Section('.note.android.ident', self.loads[0].p_vaddr + end_tag, self.arm_exidx.p_vaddr, 'DATA'))
222 | 			self.sections.append(Section('.text', text_vaddr, self.loads[0].p_vaddr + end_tag, 'CODE'))
223 | 			self.sections.append(Section('.arm.exidx', self.arm_exidx.p_vaddr, self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz, 'DATA'))				
224 | 			
225 | 			[rodata_offset, rodata_len] = SearchRODATA(load0_data, self.arm_exidx.p_offset + self.arm_exidx.p_filesz, self.loads[0].p_offset + self.loads[0].p_filesz)
226 | 			if rodata_offset != -1:
227 | 				rodata_vaddr = rodata_offset + self.loads[0].p_vaddr
228 | 				self.sections.append(Section('.arm.extab',  self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz, rodata_vaddr, 'DATA'))
229 | 			else:
230 | 				rodata_vaddr = self.arm_exidx.p_vaddr + self.arm_exidx.p_filesz
231 | 			self.sections.append(Section('.rodata', rodata_vaddr, self.loads[0].p_vaddr + self.loads[0].p_filesz, 'DATA'))	
232 | 			self.sections.append(Section('.init_array', initArray_vaddr, initArray_vaddr + initArraySize, 'DATA'))
233 | 			self.sections.append(Section('.fini_array', finiArray_vaddr, finiArray_vaddr + finiArraySize, 'DATA'))
234 | 			self.sections.append(Section('.preinit_array', preinitArray_vaddr, preinitArray_vaddr + preinitArraySize, 'DATA'))
235 | 			
236 | 			self.rels = []			
237 | 			for i in range(0, relPltSize, 8):
238 | 				[r_offset, r_info] = struct.unpack('<II', relPlt[i: i+8])
239 | 				sym_index = r_info >> 8
240 | 				[st_name, st_value] = struct.unpack('<II', symtab[sym_index * 16: sym_index * 16 + 8])
241 | 				tail = findCstringTail(strtab[st_name : len(strtab)])
242 | 				st_name = strtab[st_name: st_name + tail]
243 | 				self.rels.append(RelInfo(st_name, r_offset, True))				
244 | 			
245 | 			f.seek(self.loads[1].p_offset, 0)
246 | 			load1_data = f.read(self.loads[1].p_filesz)
247 | 			got_end_offset = SearchGotEnd(load1_data, preinitArray_vaddr + preinitArraySize - self.loads[1].p_vaddr, self.loads[1].p_filesz, self.rels)
248 | 			if got_end_offset == 0:
249 | 				self.sections.append(Section('.got', preinitArray_vaddr + preinitArraySize, self.loads[1].p_vaddr + self.loads[1].p_filesz, 'DATA'))
250 | 			else:
251 | 				self.sections.append(Section('.got', preinitArray_vaddr + preinitArraySize, self.loads[1].p_vaddr + got_end_offset, 'DATA'))
252 | 				self.sections.append(Section('.data', preinitArray_vaddr + preinitArraySize, self.loads[1].p_vaddr + got_end_offset, 'DATA'))
253 | 			self.sections.append(Section('.bss', self.loads[1].p_vaddr + self.loads[1].p_filesz, self.loads[1].p_vaddr + self.loads[1].p_memsz, 'DATA'))
254 | 			
255 | def findCstringTail(str):
256 | 	retval = -1
257 | 
258 | 	for i in range(0, len(str)):
259 | 		if str[i] == '\x00':
260 | 			retval = i
261 | 			break
262 | 	return retval
263 | 
264 | def accept_file(f, n):
265 | 	retval = 0
266 | 	if n == 0:
267 | 		f.seek(0)
268 | 		if f.read(4) == ELF_MAGIC:
269 | 			retval = "ELF32ARM<Bin> By ThomasKing"
270 | 	return retval
271 | 
272 | def load_file(f, neflags, format):
273 | 	print('------------Log begin ---------------')
274 | 	f.seek(0)
275 | 	elf = ELFImage(f)
276 | 	idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
277 | 	
278 | 	for i in range(len(elf.loads)):
279 | 		f.file2base(elf.loads[i].p_offset, elf.loads[i].p_vaddr, elf.loads[i].p_vaddr + elf.loads[i].p_filesz, 1)
280 | 		if len(elf.loads) != 2:
281 | 			if elf.loads[i].p_flags & 0x1 == 1:
282 | 				add_segm(0, elf.loads[i].p_vaddr, elf.loads[i].p_vaddr + elf.loads[i].p_filesz, ('load%d' %i), 'CODE')
283 | 			else:
284 | 				add_segm(0, elf.loads[i].p_vaddr, elf.loads[i].p_vaddr + elf.loads[i].p_filesz, ('load%d' %i), 'DATA')
285 | 	if elf.ehdr.e_entry % 2 == 1:
286 | 		add_entry(elf.ehdr.e_entry & ~(0x1), elf.ehdr.e_entry & ~(0x1), 'start', 0)
287 | 	else:
288 | 		add_entry(elf.ehdr.e_entry, elf.ehdr.e_entry, 'start', 1)	
289 | 	
290 | 	if len(elf.loads) != 2:
291 | 		return 1
292 | 	for i in range(len(elf.sections)):
293 | 		add_segm(0, elf.sections[i].vaddr, elf.sections[i].vend, elf.sections[i].name, elf.sections[i].attr)
294 | 	
295 | 	if not elf.static_compile:
296 | 		extern_vaddr = elf.loads[1].p_vaddr + elf.loads[1].p_memsz
297 | 		add_segm(0, extern_vaddr, extern_vaddr + len(elf.rels) * 4, 'extern', 'XTRN')
298 | 
299 | 		for i in range(len(elf.rels)):
300 | 			MakeDword(extern_vaddr + i * 4)
301 | 			MakeName(extern_vaddr + i * 4, '__imp_' + elf.rels[i].name)
302 | 			MakeName(elf.rels[i].r_offset, elf.rels[i].name + '_ptr')
303 | 			PatchDword(elf.rels[i].r_offset, extern_vaddr + i * 4)
304 | 	
305 | 	print('------------Log end ---------------')
306 | 	return 1
307 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 | site: http://thomasking2014.com/index.php/archives/20/
3 | 


--------------------------------------------------------------------------------
/driver test/jni/Android.mk:
--------------------------------------------------------------------------------
 1 | LOCAL_PATH := $(call my-dir)
 2 | 
 3 | include $(CLEAR_VARS)
 4 | LOCAL_ARM_MODE := arm
 5 | 
 6 | LOCAL_MODULE    := dump_test
 7 | LOCAL_SRC_FILES := dump_test.c
 8 | 
 9 | LOCAL_CFLAGS += -pie
10 | LOCAL_LDFLAGS += -pie -fPIE
11 | 
12 | include $(BUILD_EXECUTABLE)
13 | 
14 | include $(CLEAR_VARS)
15 | LOCAL_ARM_MODE := arm
16 | 
17 | LOCAL_MODULE    := dump_host
18 | LOCAL_SRC_FILES := dump_host.c
19 | 
20 | LOCAL_CFLAGS += -pie
21 | LOCAL_LDFLAGS += -pie -fPIE
22 | 
23 | include $(BUILD_EXECUTABLE)
24 | 
25 | include $(CLEAR_VARS)
26 | LOCAL_ARM_MODE := arm
27 | 
28 | LOCAL_MODULE    := ptrace_trace
29 | LOCAL_SRC_FILES := ptrace_trace.c
30 | 
31 | LOCAL_LDFLAGS := -static
32 | 
33 | include $(BUILD_EXECUTABLE)
34 | 
35 | include $(CLEAR_VARS)
36 | LOCAL_ARM_MODE := arm
37 | 
38 | LOCAL_MODULE    := bin_wrapper
39 | LOCAL_SRC_FILES := bin_wrapper.c
40 | 
41 | LOCAL_LDFLAGS := -static
42 | 
43 | include $(BUILD_EXECUTABLE)


--------------------------------------------------------------------------------
/driver test/jni/Application.mk:
--------------------------------------------------------------------------------
1 | APP_PLATFORM := android-21
2 | APP_ABI := armeabi


--------------------------------------------------------------------------------
/driver test/jni/bin_wrapper.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | ** Author: ThomasKing
  3 | ** Date: 2015/02/25
  4 | */ 
  5 | #include <string.h>
  6 | #include <stdio.h>
  7 | #include <stdlib.h>
  8 | #include <unistd.h>
  9 | #include <sys/prctl.h>
 10 | #include <sys/syscall.h>
 11 | #include <sys/types.h>
 12 | #include <pthread.h>
 13 | #include <fcntl.h>
 14 | #include <sys/stat.h>
 15 | #include <semaphore.h>
 16 | #include <sys/socket.h>
 17 | #include <sys/mman.h>
 18 | #include <signal.h>
 19 | #include <sys/wait.h>
 20 | #include <sys/ioctl.h>
 21 | #include <sys/utsname.h>
 22 | #include <sys/ptrace.h>
 23 | 
 24 | #define LEAK_DEV "REHelper"
 25 | #define CMD_BASE 0xC0000000
 26 | #define DUMP_MEM (CMD_BASE + 1)
 27 | #define SET_PID  (CMD_BASE + 2)
 28 | #define MODIFY_M (CMD_BASE + 3)
 29 | 
 30 | 
 31 | void set_target(pid_t pid){
 32 | 	int fd = open("/dev/REHelper", O_RDWR);
 33 | 	if(fd == -1){
 34 | 		printf("[*] open error, check USER!");
 35 | 		return ;
 36 | 	}
 37 | 	ioctl(fd, SET_PID, pid);
 38 | 	close(fd);
 39 | }
 40 | 
 41 | 	static ssize_t mem_rw(struct mm_struct *mm, char __user *buf,
 42 | 	            size_t count, unsigned long addr, int write)
 43 | 	{
 44 | 	    ssize_t copied;
 45 | 	    char *page;
 46 | 
 47 | 	    if (!mm)
 48 | 	        return 0;
 49 | 
 50 | 	    page = (char *)__get_free_page(GFP_TEMPORARY);
 51 | 	    if (!page)
 52 | 	        return -ENOMEM;
 53 | 
 54 | 	    copied = 0;
 55 | 	    if (!atomic_inc_not_zero(&mm->mm_users))
 56 | 	        goto free;
 57 | 
 58 | 	    while (count > 0) {
 59 | 	        int this_len = min_t(int, count, PAGE_SIZE);
 60 | 
 61 | 	        if (write && copy_from_user(page, buf, this_len)) {
 62 | 	            copied = -EFAULT;
 63 | 	            break;
 64 | 	        }
 65 | 
 66 | 	        this_len = access_remote_vm(mm, addr, page, this_len, write);
 67 | 	        if (!this_len) {
 68 | 	            if (!copied)
 69 | 	                copied = -EIO;
 70 | 	            break;
 71 | 	        }
 72 | 
 73 | 	        if (!write && copy_to_user(buf, page, this_len)) {
 74 | 	            copied = -EFAULT;
 75 | 	            break;
 76 | 	        }
 77 | 
 78 | 	        buf += this_len;
 79 | 	        addr += this_len;
 80 | 	        copied += this_len;
 81 | 	        count -= this_len;
 82 | 	    }
 83 | 
 84 | 	    mmput(mm);
 85 | 	free:
 86 | 	    free_page((unsigned long) page);
 87 | 	    return copied;
 88 | 	}
 89 | 	
 90 | int main(int argc, char const *argv[]){
 91 | 	int *flag = (int*)mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
 92 | 
 93 | 	if(flag == (int*)-1){
 94 | 		perror("mmap error");
 95 | 		return -1;
 96 | 	}
 97 | 	*flag = 0;
 98 | 	pid_t pid = fork();	
 99 | 	if(pid < 0){
100 | 		perror("fork error");
101 | 		return -1;
102 | 	}
103 | 	if(pid == 0){
104 | 		while(!*flag){
105 | 			sleep(1);
106 | 		}
107 | 		char *cmd[] = {"/data/local/tmp/ptrace_trace", NULL};
108 | 		execve(cmd[0], &cmd[0], NULL);
109 | 		exit(0);
110 | 	}
111 | 	set_target(pid);
112 | 	*flag = 1;
113 | 	waitpid(pid, 0, 0);
114 | 	munmap(flag, 0x1000);
115 | 
116 | 	return 0;
117 | }


--------------------------------------------------------------------------------
/driver test/jni/dump_host.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | ** Author: ThomasKing
 3 | ** Date: 2015/02/23
 4 | */ 
 5 | #include <string.h>
 6 | #include <stdio.h>
 7 | #include <stdlib.h>
 8 | #include <unistd.h>
 9 | #include <sys/prctl.h>
10 | #include <sys/syscall.h>
11 | #include <sys/types.h>
12 | #include <pthread.h>
13 | #include <fcntl.h>
14 | #include <sys/stat.h>
15 | #include <semaphore.h>
16 | #include <sys/socket.h>
17 | #include <sys/mman.h>
18 | #include <signal.h>
19 | #include <sys/wait.h>
20 | #include <sys/ioctl.h>
21 | #include <sys/utsname.h>
22 | #include <sys/ptrace.h>
23 | 
24 | #define CMD_BASE 0xC0000000
25 | #define DUMP_MEM (CMD_BASE + 1)
26 | #define SET_PID  (CMD_BASE + 2)
27 | 
28 | struct dump_request{
29 |     pid_t pid;
30 |     unsigned long addr;
31 |     ssize_t count;
32 |     char *buf;
33 | };
34 | 
35 | char buf[4096];
36 | 
37 | int main(int argc, char const *argv[]){
38 | 	struct dump_request request;
39 | 	if(argc < 2){
40 | 		printf("Input target pid\n");
41 | 		return -1;
42 | 	}
43 | 	request.pid = atoi(argv[1]);
44 | 	request.addr = 0x40000000;
45 | 	request.buf = buf;
46 | 	request.count = 1000;
47 | 
48 | 	int fd = open("/dev/REHelper", O_RDWR);
49 | 	if(fd == -1){
50 | 		printf("[*] open error, check USER!");
51 | 		return -1;
52 | 	}
53 | 	ioctl(fd, DUMP_MEM, &request);
54 | 	close(fd);
55 | 
56 | 	if(buf[0] == 0xcc){
57 | 		printf("Dump ok\n");
58 | 	}
59 | 	printf("Done !\n");
60 | 	return 0;
61 | }


--------------------------------------------------------------------------------
/driver test/jni/dump_test.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | ** Author: ThomasKing
 3 | ** Date: 2015/02/23
 4 | */ 
 5 | #include <string.h>
 6 | #include <stdio.h>
 7 | #include <stdlib.h>
 8 | #include <unistd.h>
 9 | #include <sys/prctl.h>
10 | #include <sys/syscall.h>
11 | #include <sys/types.h>
12 | #include <pthread.h>
13 | #include <fcntl.h>
14 | #include <sys/stat.h>
15 | #include <semaphore.h>
16 | #include <sys/socket.h>
17 | #include <sys/mman.h>
18 | #include <signal.h>
19 | #include <sys/wait.h>
20 | #include <sys/ioctl.h>
21 | #include <sys/utsname.h>
22 | #include <sys/ptrace.h>
23 | 
24 | int main(int argc, char const *argv[]){
25 | 	printf("dump_test pid[%d]\n", getpid());
26 | 	void *base = mmap((void*)0x40000000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
27 | 	if(base == (void*)-1){
28 | 		printf("mmap error\n");
29 | 		return -1;
30 | 	}
31 | 	memset(base, 0xcc, 0x1000);
32 | 	getchar();
33 | 	return 0;
34 | }


--------------------------------------------------------------------------------
/driver test/jni/ptrace_trace.c:
--------------------------------------------------------------------------------
 1 | /*
 2 | ** Author: ThomasKing
 3 | ** Date: 2015/02/25
 4 | */ 
 5 | #include <sys/stat.h>
 6 | #include <unistd.h>
 7 | #include <semaphore.h>
 8 | #include <stdio.h>
 9 | #include <sys/prctl.h>
10 | #include <sys/socket.h>
11 | #include <stdlib.h>
12 | #include <sys/types.h>
13 | #include <sys/wait.h>
14 | #include <sys/ioctl.h>
15 | #include <netinet/in.h>
16 | #include <sys/mman.h>
17 | #include <sys/ptrace.h>
18 | #include <sys/syscall.h>
19 | #include <sys/utsname.h>
20 | #include <stdbool.h>
21 | #include <sys/types.h>
22 | #include <sys/stat.h>
23 | #include <fcntl.h>
24 | #include <asm/ptrace.h>
25 | #include <sys/inotify.h>
26 | 
27 | int check_status(){
28 | 	int debugged = 0;
29 | 	int fp = fopen("/proc/self/status", "r");
30 | 	if(fp){
31 | 		// ...
32 | 		fclose(fp);
33 | 	}
34 | 	return debugged;
35 | }
36 | 
37 | int add_notity(){
38 | 	int fd_notity = inotify_init();
39 | 	if(fd_notity > 0){
40 | 		inotify_add_watch(fd_notity, "/proc/self/mem", IN_OPEN | IN_ACCESS | IN_MODIFY);
41 | 		//...
42 | 	}
43 | 	return 0;
44 | }
45 | 
46 | int main(int argc, char **argv){
47 | 	struct pt_regs regs;
48 | 	memset(&regs, 0, sizeof(struct pt_regs));
49 | 
50 | 	check_status();
51 | 	add_notity();
52 | 
53 | 	pid_t pid = fork();
54 | 	if(pid == 0){
55 | 		void *base = mmap((void*)0x40000000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
56 | 		if(base == (void*)-1){
57 | 			perror("mmap");
58 | 		}
59 | 		memset(base, 0xaa, 0x1000);
60 | 		*(unsigned long*)(base + 4) = 0xbbbbbbbb;
61 | 		if(ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0){
62 | 			perror("ptrace_traceme");
63 | 		}
64 | 		kill(getpid(), 19);
65 | 		exit(0);
66 | 	}else if(pid > 0){
67 | 		sleep(1);
68 | 		printf("pid: %d, child_pid: %d\n", getpid(), pid);
69 | 
70 | 		if(ptrace(PTRACE_SYSCALL, pid, NULL, 0) < 0 ){
71 | 			perror( "ptrace_syscall" );
72 | 			return -1;
73 | 		}
74 | 		waitpid(pid, NULL, WUNTRACED );
75 | 
76 | 		if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL ) < 0) {
77 | 			perror("ptrace_syscall");
78 | 			return -1;
79 | 		}
80 | 		waitpid(pid, NULL, WUNTRACED);
81 | 
82 | 		unsigned long data = ptrace(PTRACE_PEEKDATA, pid, 0x40000000, 0);
83 | 		printf("data: 0x%lx\n", data);
84 | 		if(data != 0xaaaaaaaa){
85 | 			printf("modify from kernel, data: %lx\n", data);
86 | 		}
87 | 		kill(pid, 9);
88 | 		waitpid(pid, NULL, 0);
89 | 	}else{
90 | 		printf("fork error\n");
91 | 	}
92 | 	return 0;
93 | }


--------------------------------------------------------------------------------
/driver/Makefile:
--------------------------------------------------------------------------------
 1 | WORKDIR := /media/psf/kernel_source
 2 | KERNELDIR := $(WORKDIR)/msm
 3 | PWD := $(shell pwd)
 4 | ARCH=arm
 5 | CROSS_COMPILE=$(WORKDIR)/toolchains/arm-eabi-4.8/bin/arm-eabi-
 6 | CC=$(CROSS_COMPILE)gcc
 7 | LD=$(CROSS_COMPILE)ld
 8 | obj-m := REHelper.o
 9 | modules:
10 | 	$(MAKE) -C $(KERNELDIR) ARCH=$(ARCH) CROSS_COMPILE=$(CROSS_COMPILE) M=$(PWD) modules  
11 | clean:
12 | 	rm *.o *.ko *.mod.c *.order


--------------------------------------------------------------------------------
/driver/REHelper.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | ** Author: ThomasKing
  3 | ** Date: 2015/02/23
  4 | */ 
  5 | #include <linux/module.h>
  6 | #include <linux/cdev.h>
  7 | #include <linux/fs.h>
  8 | #include <linux/types.h>
  9 | #include <linux/uaccess.h>
 10 | #include <linux/device.h>
 11 | #include <linux/string.h>
 12 | #include <linux/sched.h>
 13 | #include <linux/kallsyms.h>
 14 | #include <linux/kernel.h>
 15 | #include <linux/module.h>
 16 | #include <linux/kprobes.h>
 17 | 
 18 | #define RE_DEV "REHelper"
 19 | #define CMD_BASE 0xC0000000
 20 | #define DUMP_MEM (CMD_BASE + 1)
 21 | #define SET_PID  (CMD_BASE + 2)
 22 | #define MODIFY_M (CMD_BASE + 3)
 23 | 
 24 | static int (*access_remote_vm)(struct mm_struct *, unsigned long, void *, int, int);
 25 | 
 26 | struct dump_request{
 27 |     pid_t pid;
 28 |     unsigned long addr;
 29 |     ssize_t count;
 30 |     char __user *buf;
 31 | };
 32 | 
 33 | pid_t monitor_pid = -1;
 34 | 
 35 | asmlinkage int jsys_open(const char *pathname, int flags, mode_t mode){
 36 |     pid_t current_pid = current_thread_info()->task->tgid;    
 37 | 
 38 |     if(!monitor_pid || (current_pid == monitor_pid)){
 39 |         printk(KERN_INFO "[open] pathname %s, flags: %x, mode: %x\n", 
 40 |             pathname, flags, mode);
 41 |     }
 42 |     
 43 |     jprobe_return();
 44 |     return 0;
 45 | }
 46 | 
 47 | asmlinkage int jsys_openat(int dirfd, const char *pathname, int flags, mode_t mode){
 48 |     pid_t current_pid = current_thread_info()->task->tgid;    
 49 | 
 50 |     if(!monitor_pid || (current_pid == monitor_pid)){
 51 |         printk(KERN_INFO "[openat] dirfd: %d, pathname %s, flags: %x, mode: %x\n", 
 52 |             dirfd, pathname, flags, mode);
 53 |     }
 54 |     
 55 |     jprobe_return();
 56 |     return 0;
 57 | }
 58 | 
 59 | asmlinkage long jsys_ptrace(long request, long pid, unsigned long addr,
 60 |                unsigned long data){
 61 |     pid_t current_pid = current_thread_info()->task->tgid;    
 62 | 
 63 |     if(!monitor_pid || (current_pid == monitor_pid)){
 64 |         switch(request){
 65 |             case PTRACE_TRACEME: {
 66 |                 printk(KERN_INFO "PTRACE_TRACEME: [src]pid = %d\n", current_pid);            
 67 |             }break;
 68 |             case PTRACE_PEEKDATA: {
 69 |                 printk(KERN_INFO "PTRACE_PEEKDATA: [src]pid = %d --> [dst]pid = %d, addr: %lx, data: %lx\n", 
 70 |                     current_pid, pid, addr, data);            
 71 |             }break;
 72 | 
 73 |             default:{
 74 | 
 75 |             }break;
 76 |         }
 77 |     }
 78 |     
 79 |     jprobe_return();
 80 |     return 0;
 81 | }
 82 | 
 83 | asmlinkage int jinotify_add_watch(int fd, const char *pathname, uint32_t mask){
 84 |     pid_t current_pid = current_thread_info()->task->tgid;    
 85 | 
 86 |     if(!monitor_pid || (current_pid == monitor_pid)){
 87 |         printk(KERN_INFO "[inotify_add_watch]: fd: %d, pathname: %s, mask: %x", 
 88 |             fd, pathname, mask);
 89 |     }
 90 | 
 91 |     jprobe_return();
 92 |     return 0;    
 93 | }
 94 | 
 95 | static struct jprobe ptrace_probe = {
 96 |     .entry          = jsys_ptrace,
 97 |     .kp = {
 98 |         .symbol_name    = "sys_ptrace",
 99 |     },
100 | };
101 | 
102 | static struct jprobe open_probe = {
103 |     .entry          = jsys_open,
104 |     .kp = {
105 |         .symbol_name    = "sys_open",
106 |     },
107 | };
108 | 
109 | static struct jprobe openat_probe = {
110 |     .entry          = jsys_openat,
111 |     .kp = {
112 |         .symbol_name    = "sys_openat",
113 |     },
114 | };
115 | 
116 | static struct jprobe inotify_add_watch_probe = {
117 |     .entry          = jinotify_add_watch,
118 |     .kp = {
119 |         .symbol_name    = "sys_inotify_add_watch",
120 |     },
121 | };
122 | 
123 | static struct jprobe *my_jprobe[] = {
124 |     &open_probe,
125 |     &openat_probe,
126 |     &ptrace_probe,
127 |     &inotify_add_watch_probe
128 | };
129 | 
130 | static ssize_t mem_rw(struct mm_struct *mm, char __user *buf,
131 |             size_t count, unsigned long addr, int write)
132 | {
133 |     ssize_t copied;
134 |     char *page;
135 | 
136 |     if (!mm)
137 |         return 0;
138 | 
139 |     page = (char *)__get_free_page(GFP_TEMPORARY);
140 |     if (!page)
141 |         return -ENOMEM;
142 | 
143 |     copied = 0;
144 |     if (!atomic_inc_not_zero(&mm->mm_users))
145 |         goto free;
146 | 
147 |     while (count > 0) {
148 |         int this_len = min_t(int, count, PAGE_SIZE);
149 | 
150 |         if (write && copy_from_user(page, buf, this_len)) {
151 |             copied = -EFAULT;
152 |             break;
153 |         }
154 | 
155 |         this_len = access_remote_vm(mm, addr, page, this_len, write);
156 |         if (!this_len) {
157 |             if (!copied)
158 |                 copied = -EIO;
159 |             break;
160 |         }
161 | 
162 |         if (!write && copy_to_user(buf, page, this_len)) {
163 |             copied = -EFAULT;
164 |             break;
165 |         }
166 | 
167 |         buf += this_len;
168 |         addr += this_len;
169 |         copied += this_len;
170 |         count -= this_len;
171 |     }
172 | 
173 |     mmput(mm);
174 | free:
175 |     free_page((unsigned long) page);
176 |     return copied;
177 | }
178 | 
179 | static ssize_t mem_read(struct mm_struct *mm, char __user *buf,
180 |             size_t count, unsigned long addr)
181 | {
182 |     return mem_rw(mm, buf, count, addr, 0);
183 | }
184 | 
185 | static ssize_t mem_write(struct mm_struct *mm, char __user *buf,
186 |             size_t count, unsigned long addr)
187 | {
188 |     return mem_rw(mm, (char __user*)buf, count, addr, 1);
189 | }
190 | 
191 | static int REHelper_open(struct inode *inode, struct file *file)
192 | {
193 |     printk(KERN_INFO "REHelper device open success!\n");
194 |     return 0;
195 | }
196 | 
197 | static long REHelper_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg){
198 | 	long ret = 0;
199 |     void __user *argp = (void __user *)arg;
200 |     struct task_struct *target_task;
201 |     struct dump_request *request = (struct dump_request *)argp;
202 |     
203 | 	switch(cmd){
204 |         case DUMP_MEM:
205 |             target_task = find_task_by_vpid(request->pid);
206 |             if(!target_task){
207 |                 printk(KERN_INFO "find_task_by_vpid(%d) failed\n", request->pid);
208 |                 ret = -ESRCH;
209 |                 return ret;
210 |             }
211 |             request->count = mem_read(target_task->mm, request->buf, request->count, request->addr);
212 |             break;
213 |         case SET_PID:
214 |             monitor_pid = (pid_t) arg;
215 |             printk(KERN_INFO "Set monitor pid: %d\n", monitor_pid);
216 |             break;
217 |         case MODIFY_M:
218 | 
219 |             break;
220 |         default:
221 |             ret = -EFAULT;
222 | 	}
223 | 	return ret;
224 | }
225 | 
226 | static struct file_operations REHelper_fops = {
227 |     .owner = THIS_MODULE,
228 |     .unlocked_ioctl = REHelper_unlocked_ioctl,
229 |     .open = REHelper_open
230 | };
231 | 
232 | static int major = 0;
233 | 
234 | struct cdev REHelper_cdev;
235 |  
236 | static struct class *REHelper_cls;
237 | 
238 | static int REHelper_init(void){
239 |     dev_t dev_id;
240 |     int ret = 0;
241 | 
242 |     if(major){
243 |         dev_id = MKDEV(major, 0);
244 |         register_chrdev_region(dev_id, 1, RE_DEV);
245 |     } else {
246 |         alloc_chrdev_region(&dev_id, 0, 1, RE_DEV);
247 |         major = MAJOR(dev_id);
248 |     }
249 |     cdev_init(&REHelper_cdev, &REHelper_fops); 
250 |     cdev_add(&REHelper_cdev, dev_id, 1);
251 |     REHelper_cls = class_create(THIS_MODULE, RE_DEV);
252 |     device_create(REHelper_cls, NULL, dev_id, NULL, RE_DEV);
253 | 
254 |     access_remote_vm = (int (*)(struct mm_struct *, unsigned long, void *, int, int))kallsyms_lookup_name("access_remote_vm");
255 |     if(!access_remote_vm){
256 |         printk(KERN_INFO "Cannot find access_remote_vm [%p]", access_remote_vm);
257 |         return -1;
258 |     }
259 |     printk(KERN_INFO "Find access_remote_vm [%p]", access_remote_vm);
260 | 
261 |     ret = register_jprobes(&my_jprobe, sizeof(my_jprobe) / sizeof(my_jprobe[0]));
262 |     if (ret < 0) {
263 |         printk(KERN_INFO "register_jprobe failed, returned %d\n", ret);
264 |         return -1;
265 |     }
266 |     
267 |     return 0;
268 | }
269 | 
270 | static void REHelper_exit(void){
271 |     device_destroy(REHelper_cls, MKDEV(major, 0));
272 |     class_destroy(REHelper_cls);
273 |     cdev_del(&REHelper_cdev);
274 |     unregister_chrdev_region(MKDEV(major, 0), 1);
275 | 
276 |     unregister_jprobes(&my_jprobe, sizeof(my_jprobe) / sizeof(my_jprobe[0]));
277 | }
278 |  
279 | module_init(REHelper_init);
280 | module_exit(REHelper_exit);
281 | MODULE_LICENSE("GPL");
282 | MODULE_AUTHOR("ThomasKing");


--------------------------------------------------------------------------------