├── .DS_Store ├── README.md ├── arm64-v8a └── mprop2 ├── armeabi-v7a └── mprop2 ├── inject.c └── old_version ├── .DS_Store ├── Attach.c ├── CallSys.c ├── README.md ├── StructCall.c ├── TThread.c ├── Test.c ├── Tracee.c ├── arm ├── .hook.c.swp ├── hook ├── hook.c ├── inject ├── inject.c ├── test ├── test.c ├── try └── try.c ├── attach ├── callsys ├── changeData ├── changeData.c ├── hook ├── hook.c ├── inject ├── inject.c ├── structcall ├── test ├── thread └── tracee /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/.DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 能干啥 2 | android设备在root环境下,修改ro属性的值。 3 | 原来版本是在android 6搞的,没针对64位机子,现在这类机子比较多。目前找的几个mprop想要改ro.debuggable都改不了,只能自己把原来的更一把了 4 | 5 | ## 注意 6 | root环境下使用!!root环境下使用!!root环境下使用!! 7 | 8 | selinux要关闭!!selinux要关闭!!selinux要关闭!! 9 | 10 | ## 使用 11 | ``` 12 | adb push mprop2 /data/local/tmp 13 | (root) chmod 755 /data/local/tmp/mprop2 14 | (root) /data/local/tmp/mprop2 $pid --on|--off 15 | ``` 16 | 主要针对的是init进程,遇到过进程号不是1的init进程,因此,还是使用时查一把传参吧 17 | 原理和原来旧版一样,init进程的内存中找到ro.所在,直接替换掉该字符串。 18 | 为了确保效果,现在把进程的所有内存一点点便利一遍,所以会更花时间,长达几十秒 19 | --on 打开效果,执行完毕后使用setprop|getprop去确定是否有效 20 | --off 改完了最好再跑一遍把对init的操作效果改回来。毕竟是把内存里的对应字符串篡改了,不能保证其他代码会不会用到被篡改的地方,保险起见 21 | 22 | ## 适用范围 23 | emmm.....手头只有init进程跑的是64位的,,只能说确保自己能用,,其他的情况没条件测,代码放上去了,遇到没效果的可以针对性的改一改自己编一把。不知道我这 原版思路的,可以瞄一眼old_version/README.md 24 | 25 | ## 声明 26 | 仅供学习参考,概不承担任何后果 27 | 28 | ## 还想说啥 29 | emmm.....希望对你有所帮助 30 | 31 | ## 后日谈 32 | 啊啊啊,发现vivo的init进程,,连个libc库都没加载..根本没法调用dlopen等方法..处理思路是,程序自己先加载一下libc等库,然后读取dlopen等方法,把整个方法的代码块复制;在目标进程找到一个可写可执行的内存,把内容保存一下,然后把复制的代码块写入,pc指针移过去..执行完毕后恢复现场.. 
33 | -------------------------------------------------------------------------------- /arm64-v8a/mprop2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/arm64-v8a/mprop2 -------------------------------------------------------------------------------- /armeabi-v7a/mprop2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/armeabi-v7a/mprop2 -------------------------------------------------------------------------------- /inject.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #if defined(__i386__) 17 | #define pt_regs user_regs_struct 18 | #elif defined(__aarch64__) 19 | #define pt_regs user_pt_regs 20 | #define uregs regs 21 | #define ARM_pc pc 22 | #define ARM_sp sp 23 | #define ARM_cpsr pstate 24 | #define ARM_lr regs[30] 25 | #define ARM_r0 regs[0] 26 | #define PTRACE_GETREGS PTRACE_GETREGSET 27 | #define PTRACE_SETREGS PTRACE_SETREGSET 28 | #endif 29 | 30 | #define ENABLE_DEBUG 1 31 | 32 | #if ENABLE_DEBUG 33 | #define LOG_TAG "INJECT" 34 | #define LOGD(fmt, args...) __android_log_print(ANDROID_LOG_DEBUG,LOG_TAG, fmt, ##args) 35 | #define DEBUG_PRINT(format, args...) \ 36 | LOGD(format, ##args) 37 | #else 38 | #define DEBUG_PRINT(format,args...) 
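#endif

#define CPSR_T_MASK ( 1u << 5 )

/* One mapping of the target process as listed in /proc/<pid>/maps. */
struct mode_node {
    long begin;       /* start address of the mapping */
    long end;         /* end address of the mapping (exclusive) */
    char permiss[6];  /* permission field of the maps line, e.g. "r-xp" */
};

/* Fixed-capacity list of the target's mappings (everything except libc.so). */
struct root {
    struct mode_node start[5000];
    int length;       /* number of entries of start[] in use */
};

/* First libc.so mapping of the target; only meaningful while `found` is 1. */
struct mode_node libc_node;
int found = 0;

/* 1 for --on (patch "ro." -> "ro/"), 0 for --off (patch it back); set by main. */
int switch_statue;

/*
 * Write `size` bytes of `data` into the tracee at `addr`, one machine word per
 * PTRACE_POKETEXT. For a trailing partial word the existing word is read back
 * first so the bytes past `size` keep their old value.
 *
 * Returns 0 on success (size <= 0 writes nothing and succeeds) and -1 if a
 * NULL pointer is given with size > 0 or a poke fails; the target may then be
 * partially written. The original returned -1 even on success.
 */
int ptrace_setData(pid_t pid, const void *addr, const void *data, int size) {
    if (size <= 0) {
        return 0;
    }
    if (addr == NULL || data == NULL) {
        return -1;
    }

    const size_t word = sizeof(long);
    size_t count = (size_t) size / word;
    size_t remain = (size_t) size % word;
    const unsigned char *src = data;
    uintptr_t dst = (uintptr_t) addr;  /* remote address: arithmetic only, never dereferenced here */
    long buf;

    for (size_t i = 0; i < count; i++) {
        memcpy(&buf, src, word);
        if (ptrace(PTRACE_POKETEXT, pid, (void *) dst, buf) == -1) {
            printf("write data error:%zu\n", i);
            return -1;
        }
        src += word;
        dst += word;
    }

    if (remain > 0) {
        /* PEEKTEXT only signals failure via errno (the data word -1 is a valid
         * value); a failed read here affects only the bytes we preserve. */
        buf = ptrace(PTRACE_PEEKTEXT, pid, (void *) dst, NULL);
        memcpy(&buf, src, remain);
        if (ptrace(PTRACE_POKETEXT, pid, (void *) dst, buf) == -1) {
            perror("write remain data error");
            return -1;
        }
    }
    return 0;
}

/*
 * Read `size` bytes from the tracee at `addr` with PTRACE_PEEKTEXT into a
 * malloc'ed buffer of size + 1 bytes that is always NUL-terminated. The caller
 * owns the buffer and must free() it.
 *
 * A failed PEEKTEXT is indistinguishable from the word -1 without errno, so a
 * failed read simply yields 0xff bytes. Returns NULL only if malloc fails.
 */
char *ptrace_getData(pid_t pid, unsigned long addr, unsigned long size) {
    const unsigned long word = sizeof(long);
    unsigned long count = size / word;
    unsigned long remain = size % word;
    char *str = malloc(size + 1);
    if (str == NULL) {
        return NULL;
    }
    memset(str, 0, size + 1);

    union {
        long val;
        char chars[sizeof(long)];
    } d;
    char *out = str;

    for (unsigned long i = 0; i < count; i++) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, (void *) addr, 0);
        memcpy(out, d.chars, word);
        addr += word;
        out += word;
    }

    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, (void *) addr, 0);
        memcpy(out, d.chars, remain);
    }
    return str;
}

/*
 * Word-wise copy of `size` local bytes at `data` to the remote address `dest`;
 * used by ptrace_call to push spilled arguments onto the tracee's stack.
 * Returns 0 on success, -1 if a poke fails (the original ignored failures).
 */
int ptrace_writedata(pid_t pid, uint8_t *dest, uint8_t *data, size_t size) {
    const size_t bytes_width = sizeof(long);
    size_t words = size / bytes_width;
    size_t remain = size % bytes_width;
    union {
        long val;
        char chars[sizeof(long)];
    } d;

    for (size_t i = 0; i < words; i++) {
        memcpy(d.chars, data, bytes_width);
        if (ptrace(PTRACE_POKETEXT, pid, dest, d.val) == -1) {
            perror("ptrace_writedata");
            return -1;
        }
        dest += bytes_width;
        data += bytes_width;
    }

    if (remain > 0) {
        /* Merge the tail into the existing remote word. */
        d.val = ptrace(PTRACE_PEEKTEXT, pid, dest, 0);
        memcpy(d.chars, data, remain);
        if (ptrace(PTRACE_POKETEXT, pid, dest, d.val) == -1) {
            perror("ptrace_writedata");
            return -1;
        }
    }
    return 0;
}

/* Fetch the tracee's general-purpose registers into *regs. Returns 0 or -1. */
int ptrace_getregs(pid_t pid, struct pt_regs *regs) {
#if defined (__aarch64__)
    /* arm64 only offers the regset interface; NT_PRSTATUS selects the GPRs. */
    struct iovec ioVec = { .iov_base = regs, .iov_len = sizeof(*regs) };
    if (ptrace(PTRACE_GETREGSET, pid, (void *) NT_PRSTATUS, &ioVec) < 0) {
        perror("ptrace_getregs: Can not get register values");
        printf(" io %p, %zu\n", ioVec.iov_base, ioVec.iov_len);
        return -1;
    }
    return 0;
#else
    if (ptrace(PTRACE_GETREGS, pid, NULL, regs) < 0) {
        perror("ptrace_getregs: Can not get register values");
        return -1;
    }
    return 0;
#endif
}

/* Install *regs as the tracee's general-purpose registers. Returns 0 or -1. */
int ptrace_setregs(pid_t pid, struct pt_regs *regs) {
#if defined (__aarch64__)
    struct iovec ioVec = { .iov_base = regs, .iov_len = sizeof(*regs) };
    if (ptrace(PTRACE_SETREGSET, pid, (void *) NT_PRSTATUS, &ioVec) < 0) {
        perror("ptrace_setregs: Can not set register values");
        return -1;
    }
    return 0;
#else
    if (ptrace(PTRACE_SETREGS, pid, NULL, regs) < 0) {
        perror("ptrace_setregs: Can not set register values");
        return -1;
    }
    return 0;
#endif
}

/* Resume a stopped tracee without delivering a signal. Returns 0 or -1. */
int ptrace_continue(pid_t pid) {
    if (ptrace(PTRACE_CONT, pid, NULL, 0) < 0) {
        perror("ptrace_cont");
        return -1;
    }
    return 0;
}

/*
 * Attach to `pid` and wait for the resulting stop. Returns 0 on success, -1 if
 * the attach or the wait fails (a failed wait means the tracee is not in a
 * known stopped state, so it is reported rather than ignored).
 */
int ptrace_attach(pid_t pid) {
    if (ptrace(PTRACE_ATTACH, pid, NULL, 0) < 0) {
        perror("ptrace_attach");
        return -1;
    }

    int status = 0;
    if (waitpid(pid, &status, WUNTRACED) == -1) {
        perror("ptrace_attach: waitpid");
        return -1;
    }
    return 0;
}

/* Detach from `pid`, letting it run again. Returns 0 or -1. */
int ptrace_detach(pid_t pid) {
    if (ptrace(PTRACE_DETACH, pid, NULL, 0) < 0) {
        perror("ptrace_detach");
        return -1;
    }
    return 0;
}

/*
 * Block until the tracee reports the stop that ends a ptrace_call: status
 * 0xb7f, i.e. stopped by SIGSEGV, which the call produces by returning to a
 * zero link/return address. Any other stop is resumed. Returns -1 if waitpid
 * fails or the tracee exits, where the original looped forever on a dead
 * tracee.
 */
static int wait_for_call_stop(pid_t pid) {
    for (;;) {
        int stat = 0;
        if (waitpid(pid, &stat, WUNTRACED) == -1) {
            perror("waitpid");
            return -1;
        }
        if (stat == 0xb7f) {
            return 0;
        }
        if (WIFEXITED(stat) || WIFSIGNALED(stat)) {
            printf("target process is gone\n");
            return -1;
        }
        if (ptrace_continue(pid) == -1) {
            printf("error\n");
            return -1;
        }
    }
}

#if defined(__arm__) || defined(__aarch64__)

/*
 * Make the tracee call the function at `addr` with `params` and wait for it to
 * stop again. The first 4 (arm) / 8 (arm64) params go in registers, the rest
 * are spilled onto the tracee's stack; lr is set to 0 so the return faults and
 * the tracee stops with status 0xb7f. *regs must hold the current registers and
 * is updated in place. Returns 0 on success, -1 on error.
 */
int ptrace_call(pid_t pid, uintptr_t addr, long *params, int num_params, struct pt_regs *regs) {
#if defined(__arm__)
    const int num_param_registers = 4;
#else
    const int num_param_registers = 8;
#endif
    int i;

    for (i = 0; i < num_params && i < num_param_registers; i++) {
        regs->uregs[i] = params[i];
    }

    /* Spill the remaining params: the source is &params[i], not the value
     * params[i] cast to a pointer as the original wrote it. */
    if (i < num_params) {
        size_t spill = (size_t) (num_params - i) * sizeof(long);
        regs->ARM_sp -= spill;
        if (ptrace_writedata(pid, (uint8_t *) (uintptr_t) regs->ARM_sp,
                             (uint8_t *) &params[i], spill) == -1) {
            printf("error\n");
            return -1;
        }
    }

    regs->ARM_pc = addr;
    if (regs->ARM_pc & 1) {
        /* thumb: bit 0 of the address selects the T state in cpsr */
        regs->ARM_pc &= (~1u);
        regs->ARM_cpsr |= CPSR_T_MASK;
    } else {
        /* arm */
        regs->ARM_cpsr &= ~CPSR_T_MASK;
    }

    regs->ARM_lr = 0;

    if (ptrace_setregs(pid, regs) == -1
        || ptrace_continue(pid) == -1) {
        printf("error\n");
        return -1;
    }

    return wait_for_call_stop(pid);
}

#elif defined(__i386__) || defined(__x86_64__)
/*
 * cdecl variant: every param plus a 0 return address is pushed on the stack.
 * NOTE: this branch uses esp/eip, which exist only in the i386
 * user_regs_struct; it is kept as the original wrote it and does not build on
 * x86_64.
 */
long ptrace_call(pid_t pid, uintptr_t addr, long *params, int num_params, struct user_regs_struct *regs) {
    size_t spill = (size_t) num_params * sizeof(long);
    regs->esp -= spill;
    if (ptrace_writedata(pid, (uint8_t *) regs->esp, (uint8_t *) params, spill) == -1) {
        return -1;
    }

    /* Fake return address 0 so the call ends in a SIGSEGV stop. */
    long tmp_addr = 0x00;
    regs->esp -= sizeof(long);
    if (ptrace_writedata(pid, (uint8_t *) regs->esp, (uint8_t *) &tmp_addr, sizeof(tmp_addr)) == -1) {
        return -1;
    }

    regs->eip = addr;

    if (ptrace_setregs(pid, regs) == -1
        || ptrace_continue(pid) == -1) {
        printf("error\n");
        return -1;
    }

    return wait_for_call_stop(pid);
}
#else
#error "Not supported"
#endif


/*
 * Start address of the first /proc/<pid>/maps line that contains
 * `module_name` (pid < 0 means the calling process). Returns NULL when the
 * module is absent or the maps file cannot be read; a base of 0x8000 is
 * reported as 0, as in the original.
 */
void *get_module_base(pid_t pid, const char *module_name) {
    char filename[32];
    char line[1024];
    unsigned long addr = 0;

    if (pid < 0) {
        /* self process */
        snprintf(filename, sizeof(filename), "/proc/self/maps");
    } else {
        snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
    }

    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        return NULL;
    }

    while (fgets(line, sizeof(line), fp)) {
        if (strstr(line, module_name) == NULL) {
            continue;
        }
        char *pch = strtok(line, "-");
        if (pch != NULL) {
            addr = strtoull(pch, NULL, 16);
        }
        if (addr == 0x8000) {
            addr = 0;
        }
        break;
    }

    fclose(fp);
    return (void *) addr;
}

/*
 * Parse /proc/<pid>/maps (pid < 0: this process) into a malloc'ed struct root
 * that the caller frees. The first libc.so mapping is stored in the globals
 * libc_node/found instead of the list, since main uses it to locate mprotect in
 * the target; further libc.so lines are skipped. Returns NULL if the maps file
 * cannot be opened or memory is exhausted.
 *
 * At most the capacity of start[] is kept; extra lines are dropped with a
 * message, where the original wrote past the array. fclose() is no longer
 * called on a NULL FILE when fopen fails.
 */
struct root *get_all_module_r(pid_t pid) {
    char filename[32];
    char line[1024];
    char copy[1024];

    if (pid < 0) {
        /* self process */
        snprintf(filename, sizeof(filename), "/proc/self/maps");
    } else {
        snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
    }

    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        return NULL;
    }

    struct root *list = malloc(sizeof *list);
    if (list == NULL) {
        fclose(fp);
        return NULL;
    }
    memset(list, 0, sizeof *list);
    const int max_nodes = (int) (sizeof list->start / sizeof list->start[0]);

    while (fgets(line, sizeof(line), fp)) {
        /* strtok mutates its input; keep `line` intact for the strstr below. */
        snprintf(copy, sizeof(copy), "%s", line);
        char *pch = strtok(copy, "-");
        if (pch == NULL) {
            continue;
        }
        long begin = strtoll(pch, NULL, 16);
        pch = strtok(NULL, " ");
        if (pch == NULL) {
            continue;
        }
        long end = strtoll(pch, NULL, 16);
        char *perms = strtok(NULL, " ");
        if (perms == NULL) {
            continue;
        }

        if (strstr(line, "libc.so") != NULL) {
            if (!found) {
                libc_node.begin = begin;
                libc_node.end = end;
                found = 1;
            }
            continue;
        }

        if (list->length >= max_nodes) {
            printf("too many mappings, ignoring the rest\n");
            break;
        }
        struct mode_node *node = &list->start[list->length];
        node->begin = begin;
        node->end = end;
        snprintf(node->permiss, sizeof(node->permiss), "%s", perms);
        list->length++;
    }

    fclose(fp);
    return list;
}


/*
 * Return the pid of the first /proc entry whose cmdline equals `process_name`
 * exactly, or -1 if none is found, /proc cannot be opened, or the name is NULL.
 */
int find_pid_of(const char *process_name) {
    if (process_name == NULL) {
        return -1;
    }

    DIR *dir = opendir("/proc");
    if (dir == NULL) {
        return -1;
    }

    pid_t pid = -1;
    struct dirent *entry;
    char filename[32];
    char cmdline[256];

    while ((entry = readdir(dir)) != NULL) {
        int id = atoi(entry->d_name);
        if (id == 0) {
            continue;
        }
        snprintf(filename, sizeof(filename), "/proc/%d/cmdline", id);
        FILE *fp = fopen(filename, "r");
        if (fp == NULL) {
            continue;
        }
        /* An empty cmdline (e.g. a zombie) must compare as "", not as
         * whatever the buffer held before. */
        if (fgets(cmdline, sizeof(cmdline), fp) == NULL) {
            cmdline[0] = '\0';
        }
        fclose(fp);

        if (strcmp(process_name, cmdline) == 0) {
            /* process found */
            pid = id;
            break;
        }
    }

    closedir(dir);
    return pid;
}

/* Return value (first argument register / eax) from a fetched register set. */
uint64_t ptrace_retval(struct pt_regs *regs) {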
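#if defined(__arm__) || defined(__aarch64__)
    return regs->ARM_r0;
#elif defined(__i386__)
    return regs->eax;
#else
#error "Not supported"
#endif
}

/* Program counter from a fetched register set. */
uint64_t ptrace_ip(struct pt_regs *regs) {
#if defined(__arm__) || defined(__aarch64__)
    return regs->ARM_pc;
#elif defined(__i386__)
    return regs->eip;
#else
#error "Not supported"
#endif
}

/*
 * Call `func_addr` in the target with `parameters` through ptrace_call, then
 * fetch the registers back into *regs so the caller can read the return value.
 * `func_name` is used for log output only. Returns 0 on success, -1 on error.
 */
int ptrace_call_wrapper(pid_t target_pid, const char *func_name, void *func_addr, long *parameters,
                        int param_num, struct pt_regs *regs) {
    DEBUG_PRINT("[+] Calling %s in target process.\n", func_name);
    if (ptrace_call(target_pid, (uintptr_t) func_addr, parameters, param_num, regs) == -1) {
        return -1;
    }
    DEBUG_PRINT("[+] Calling success , see return");
    if (ptrace_getregs(target_pid, regs) == -1) {
        return -1;
    }
    DEBUG_PRINT("[+] Target process returned from %s, return value=%llx, pc=%llx \n",
                func_name, (unsigned long long) ptrace_retval(regs),
                (unsigned long long) ptrace_ip(regs));
    return 0;
}

/*
 * Scan [base, end) of the tracee one byte at a time and overwrite every
 * NUL-terminated 4-byte match of `from` with `to`. ptrace_getData allocates
 * per read, so the buffer is freed every iteration (the original leaked one
 * allocation per scanned byte). A failed allocation ends the region.
 */
static void patch_region(pid_t pid, long base, long end, const char *from, const char *to) {
    for (long at = base; at < end; at++) {
        char *str = ptrace_getData(pid, (unsigned long) at, 4);
        if (str == NULL) {
            printf("out of memory while scanning %lx\n", at);
            return;
        }
        if (strcmp(str, from) == 0) {
            ptrace_setData(pid, (const void *) (uintptr_t) at, to, 4);
        }
        free(str);
    }
}

/* Translate a maps permission field ("rwxp") back into PROT_* flags. */
static long prot_from_permiss(const char *permiss) {
    long prot = 0;
    if (permiss[0] == 'r') {
        prot |= PROT_READ;
    }
    if (permiss[1] == 'w') {
        prot |= PROT_WRITE;
    }
    if (permiss[2] == 'x') {
        prot |= PROT_EXEC;
    }
    return prot;
}


/*
 * Usage: mprop2 <pid> --on|--off
 *
 * Attaches to the given init process, and for every mapping makes it
 * mprotect() the range RWX (by calling the target's own libc mprotect, located
 * at the same offset as in this process's libc), rewrites the 4-byte
 * "ro.\0" pattern to "ro/\0" (--on) or back (--off) via ptrace, then restores
 * the mapping's original protection. The original register set is put back
 * and the target detached on every path after a successful attach, since a
 * half-patched init is not recoverable otherwise.
 */
int main(int argc, char **argv) {
    if (argc < 3) {
        /* Usage text, not a system error, so no errno suffix. */
        fputs("such as: mprop $pid --on|--off\npid:the pid of init\n", stderr);
        return 0;
    }
    pid_t target_pid = atoi(argv[1]);
    if (strcmp(argv[2], "--on") == 0) {
        switch_statue = 1;
    } else if (strcmp(argv[2], "--off") == 0) {
        switch_statue = 0;
    } else {
        fputs("only support params: --on | --off\n", stderr);
        return 0;
    }
    /* atoi() yields 0 for a non-numeric argument; treat it like -1. */
    if (target_pid <= 0) {
        fputs("counld find the pid of init, please add -t $pid\n", stderr);
        return 0;
    }
    printf("process: init -- pid:%d\n", target_pid);

    /* "ro." and "ro/" as NUL-terminated 4-byte patterns for patch_region. */
    char ro[4] = {0x72, 0x6f, 0x2e, 0x00};
    char sd[4] = {0x72, 0x6f, 0x2f, 0x00};

    struct root *link = get_all_module_r(target_pid);
    if (link == NULL) {
        fputs("未定位到init所在的module\n", stderr);
        return 0;
    }
    if (!libc_node.begin) {
        fputs("未找到init中libc.so所在\n", stderr);
        free(link);
        return 0;
    }

    void *local_libc_addr = get_module_base(-1, "libc.so");
    if (local_libc_addr == NULL) {
        /* Without a local base the remote address below would be garbage and
         * the target would be made to jump to it. */
        fputs("cannot find libc.so in this process\n", stderr);
        free(link);
        return 0;
    }
    /* Assumes mprotect sits at the same offset in the target's libc as in
     * ours, i.e. both are the same build. */
    void *remote_mproject = (void *) ((uintptr_t) (void *) mprotect - (uintptr_t) local_libc_addr
                                      + (uintptr_t) libc_node.begin);
    printf("found remote func:%p\n", remote_mproject);

    int attached = 0;
    int have_regs = 0;
    long parm[4];
    struct pt_regs regs, original_regs;

    if (ptrace_attach(target_pid) == -1) {
        goto cleanup;
    }
    attached = 1;

    if (ptrace_getregs(target_pid, &regs) == -1) {
        goto cleanup;
    }
    memcpy(&original_regs, &regs, sizeof(regs));
    have_regs = 1;

    printf("you should may sure that the selinux is closed!!!!\n");
    printf("patch code ing....it may cost few minutes....\n");

    for (int i = 0; i < link->length; i++) {
        long tmp_base = link->start[i].begin;
        long tmp_end = link->start[i].end;

        /* Make the whole mapping RWX for the scan; restored below. */
        parm[0] = tmp_base;
        parm[1] = tmp_end - tmp_base;
        parm[2] = PROT_READ | PROT_WRITE | PROT_EXEC;
        if (ptrace_call_wrapper(target_pid, "mprotect", remote_mproject, parm, 3, &regs) == -1) {
            goto cleanup;
        }

        if (switch_statue) {
            patch_region(target_pid, tmp_base, tmp_end, ro, sd);
        } else {
            patch_region(target_pid, tmp_base, tmp_end, sd, ro);
        }

        parm[2] = prot_from_permiss(link->start[i].permiss);
        if (ptrace_call_wrapper(target_pid, "mprotect", remote_mproject, parm, 3, &regs) == -1) {
            goto cleanup;
        }
    }
    printf("oprea is finished !!\n");

cleanup:
    /* Only touch the target if we actually attached, and only restore
     * registers we actually saved (the original used them uninitialised
     * when ptrace_getregs failed). */
    if (attached) {
        if (have_regs) {
            ptrace_setregs(target_pid, &original_regs);
        }
        ptrace_detach(target_pid);
    }
    free(link);
    return 0;
}

--------------------------------------------------------------------------------
/old_version/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/.DS_Store
--------------------------------------------------------------------------------
/old_version/Attach.c:
--------------------------------------------------------------------------------
/* Header names were lost in extraction; the original had eight includes. */
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * x86-64 ptrace demo: attach to the pid given on the command line, print the
 * instruction word at rip, and detach. Exits with 1 when no pid is given or
 * the attach fails (the original carried on peeking an unattached process).
 */
int main(int argc, char *argv[])
{
    pid_t traced_process;
    struct user_regs_struct regs;
    long ins;

    if (argc != 2) {
        puts("no pid input ");
        exit(1);
    }
    traced_process = atoi(argv[1]);
    printf("try to trace pid:%d\n", traced_process);
    if (ptrace(PTRACE_ATTACH, traced_process, NULL, NULL) == -1) {
        perror("trace error:1\n");
        return 1;
    }

    wait(NULL);
    if (ptrace(PTRACE_GETREGS, traced_process, NULL, &regs)) {
        perror("trace error:2\n");
    }

    /* -1 is also a valid instruction word; errno would be needed to be sure. */
    ins = ptrace(PTRACE_PEEKTEXT, traced_process, regs.rip, NULL);
    if (ins == -1) {
        perror("trace error:3\n");
    }

    printf("EIP:%llx Instruction executed: %lx\n", regs.rip, ins);

    if (ptrace(PTRACE_DETACH, traced_process, NULL, NULL) == -1) {
        perror("trace error:");
    }

    return 0;
}
--------------------------------------------------------------------------------
/old_version/CallSys.c:
--------------------------------------------------------------------------------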
1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() 11 | { 12 | pid_t child; 13 | long orig_eax, eax; 14 | long params[3]; 15 | int status; 16 | int insyscall=0; 17 | child = fork(); 18 | 19 | if(child == 0 ){ 20 | ptrace(PTRACE_TRACEME, 0, NULL, NULL); 21 | execl("/bin/ls", "ls", NULL); 22 | }else{ 23 | while(1){ 24 | wait(&status); 25 | if(WIFEXITED(status)) 26 | break; 27 | orig_eax = ptrace(PTRACE_PEEKUSER, child, 8*ORIG_RAX, NULL); 28 | if(orig_eax == SYS_write){ 29 | if(insyscall ==0){ 30 | insyscall=1; 31 | params[0] = ptrace(PTRACE_PEEKUSER,child, 8*RDI, NULL); 32 | params[1] = ptrace(PTRACE_PEEKUSER, child, 8*RSI, NULL); 33 | params[2] = ptrace(PTRACE_PEEKUSER, child, 8*RDX, NULL); 34 | printf("write call with %ld, %ld, %ld\n",params[0],params[1] ,params[2]); 35 | }else{ 36 | eax = ptrace(PTRACE_PEEKUSER, child, 8*RAX, NULL); 37 | printf("write returned with %ld\n",eax); 38 | } 39 | } 40 | ptrace(PTRACE_SYSCALL, child, NULL, NULL); 41 | } 42 | 43 | } 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /old_version/README.md: -------------------------------------------------------------------------------- 1 | 某次看到mprop这个小工具,但是无奈作者并没有公布源码。于是萌生了自己动手写一个的念头。当然,自己并没有相关只是,所以也就是等于顺便学习了一波。https://bbs.pediy.com/thread-215311.htm 根据作者的字里行间,进程注入,修改内存这几个关键字眼,以此为思路,我查找了相关的资料文章,并进行了简单的代码编写测试。在ubuntu上使用ptrace正常,然后遇到了gcc编译c程序到android上的各种问题,详细查看下面的专门笔记。 2 | 最后,自己的思路大概是,使用ptrace来attach到安卓里面的init进程 3 | 4 | prop_info* pi = (prop_info*) __system_property_find(name.c_str()); 5 | if (pi != nullptr) { 6 | // ro.* properties are actually "write-once". 
7 | if (android::base::StartsWith(name, "ro.")) { 8 | LOG(ERROR) << "property_set(\"" << name << "\", \"" << value << "\") failed: "<< "property already set"; 9 | return PROP_ERROR_READ_ONLY_PROPERTY; 10 | } 11 | __system_property_update(pi, value.c_str(), valuelen); 12 | } else { int rc = __system_property_add(name.c_str(), name.size(), value.c_str(), valuelen); 13 | if (rc < 0) { LOG(ERROR) << "property_set(\"" << name << "\", \"" << value << "__system_property_add failed"; 14 | return PROP_ERROR_SET_FAILED; 15 | } 16 | 17 | 关键就是判断ro那行代码。一开始是打算将整个判断代码nop掉。。但后面发现有点问题,一个是整个代码nop量有点多,另一个主要问题是我找不到这行代码在进程中的位置。。主要是不知道为什么,init进程使用readelf和objdump两个工具都没办法找到这些函数名,但他们又确实不是使用动态链接库。因此暂时怀疑是因为init进程使用了静态编译才这样。。也有可能自己相关知识不够扎实。。另外想到一个以后可以实验的办法(可以使用c层面的hook来根据strcmp找到函数返回地址确定。)。。最后无奈下,想了个取巧的办法,查找判断中“ro.”的字串位置更改掉,这样子判断无法set的时候就不是ro.了。算取巧。。按照仅剩不多的记忆,做点笔记。。 18 | 19 | 20 | 关键代码查看 arm/hook.c 即可,其他是各种测试用的。。懒得整理了。ß -------------------------------------------------------------------------------- /old_version/StructCall.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main() 11 | { 12 | pid_t child; 13 | long orig_rax, rax; 14 | long params[3] = {0}; 15 | int status = 0; 16 | int insyscall = 0; 17 | struct user_regs_struct regs; 18 | child = fork(); 19 | if(child == 0) 20 | { 21 | ptrace(PTRACE_TRACEME, 0, NULL, NULL); 22 | execl("/bin/ls", "ls", NULL); 23 | }else 24 | { 25 | while(1) 26 | { 27 | wait(&status); 28 | if(WIFEXITED(status)) 29 | break; 30 | orig_rax = ptrace(PTRACE_PEEKUSER, child, 8*ORIG_RAX, NULL); 31 | if(orig_rax == SYS_write) 32 | { 33 | if(insyscall ==0) 34 | { 35 | insyscall = 1; 36 | ptrace(PTRACE_GETREGS, child, NULL, ®s); 37 | printf("write called with %llu,%llu, %llu\n",regs.rdi, 38 | regs.rsi,regs.rdx); 39 | }else 40 | { 41 | ptrace(PTRACE_GETREGS, child, NULL, ®s); 42 | printf("write returned with %lld\n", 
regs.rax); 43 | insyscall=0 ; 44 | } 45 | } 46 | ptrace(PTRACE_SYSCALL, child, NULL, NULL); 47 | } 48 | } 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /old_version/TThread.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | int main(){ 6 | int i; 7 | for(i = 0;i < 100; ++i) { 8 | printf("My counter: %d\n", i); 9 | sleep(2); 10 | i=1; 11 | } 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /old_version/Test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main(){ 11 | pid_t child; 12 | long orig_eax; 13 | child = fork(); 14 | if(child ==0 ){ 15 | ptrace(PTRACE_TRACEME, 0, NULL, NULL); 16 | execl("/bin/ls", "ls", NULL); 17 | } 18 | else{ 19 | orig_eax = ptrace(PTRACE_PEEKUSER, child, 8 * ORIG_RAX, NULL); 20 | printf("The child made a system call %ld\n", orig_eax); 21 | ptrace(PTRACE_CONT, child, NULL, NULL); 22 | } 23 | return 0; 24 | } 25 | 26 | -------------------------------------------------------------------------------- /old_version/Tracee.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #define LONG_SIZE 8 12 | 13 | 14 | void getdata(pid_t child, long addr,char *str,int len) 15 | { 16 | char *laddr = str; 17 | int i = 0,j = len/LONG_SIZE; 18 | union u{ 19 | long val; 20 | char chars[LONG_SIZE]; 21 | } word; 22 | while(i to continue"); 110 | getchar(); 111 | printBytes("place breakpoint instruction with tracee instruction",backup,LONG_SIZE); 112 | putdata(traced_process,regs.rip,backup,CODE_SIZE); 113 | 
ptrace(PTRACE_SETREGS,traced_process,NULL,®s); 114 | ptrace(PTRACE_DETACH,traced_process,NULL,NULL); 115 | return 0; 116 | } 117 | */ 118 | 119 | 120 | 121 | /* 122 | int main(int argc,char *argv[]) 123 | { 124 | if(argc != 2) 125 | { 126 | puts("no pid input"); 127 | exit(1); 128 | } 129 | 130 | pid_t traced_process; 131 | struct user_regs_struct regs; 132 | long ins; 133 | char c; 134 | traced_process = atoi(argv[1]); 135 | printf("try to attach pid : %u\n",traced_process); 136 | if(ptrace(PTRACE_ATTACH,traced_process,NULL,NULL)==-1) 137 | perror("trace attach errori"); 138 | wait(NULL); 139 | while(1){ 140 | if(ptrace(PTRACE_GETREGS,traced_process,NULL,®s)==-1) 141 | perror("trace get regs error"); 142 | printf("this rip:%llx\n",regs.rip); 143 | getchar(); 144 | ptrace(PTRACE_SINGLESTEP,traced_process,NULL,NULL); 145 | wait(NULL); 146 | } 147 | ptrace(PTRACE_DETACH,traced_process,NULL,NULL); 148 | } 149 | */ 150 | 151 | long freespaceaddr(pid_t pid) 152 | { 153 | FILE *fp; 154 | char filename[30]; 155 | char line[85]; 156 | long addr; 157 | long end; 158 | char str[20]; 159 | char tmp[20]; 160 | sprintf(filename, "/proc/%d/maps", pid); 161 | //sprintf(filename, "proc/%d/mem", pid); 162 | fp = fopen(filename, "r"); 163 | if(fp == NULL) 164 | exit(1); 165 | int i=0; 166 | char c[3]; 167 | while(fgets(line, 85, fp) != NULL) { 168 | sscanf(line, "%lx-%*s %s %*s %s", &addr,tmp,str); 169 | // printf("++:%s",line); 170 | //getdata(pid,addr,c,2); 171 | //printf("%s||----:%d %d\n",tmp ,c[0],c[1]); 172 | if(strcmp(tmp,"r-xp")==0) 173 | { 174 | if(i==1){ 175 | break; 176 | } 177 | i++; 178 | } 179 | } 180 | fclose(fp); 181 | return addr; 182 | } 183 | 184 | #define CODE_SIZE 48 185 | int main(int argc, char *argv[]) 186 | { 187 | if(argc<2) 188 | { 189 | puts("no pid input"); 190 | exit(1); 191 | } 192 | pid_t tracee = atoi(argv[1]); 193 | char code_inject[CODE_SIZE] = 
{0xeb,0x13,0x5e,0xb8,0x01,0x00,0x00,0x00,0xbf,0x01,0x00,0x00,0x00,0xba,0x0d,0x00,0x00,0x00,0x0f,0x05,0xcc,0xe8,0xe8,0xff,0xff,0xff,0x48,0x65,0x6c,0x6c,0x6f,0x20,0x77,0x6f,0x72,0x6c,0x64,0xa}; 194 | char code_backup[CODE_SIZE]; 195 | struct user_regs_struct oldregs,regs; 196 | long ins; 197 | if(ptrace(PTRACE_ATTACH,tracee,NULL,NULL)==-1) 198 | perror("attach error"); 199 | wait(NULL); 200 | puts("attach success"); 201 | ptrace(PTRACE_GETREGS,tracee,NULL,®s); 202 | //long addr = regs.rip; 203 | long addr = freespaceaddr(tracee)+2; 204 | printf("found rip addr:%lx\n",addr); 205 | getdata(tracee,addr,code_backup,CODE_SIZE); 206 | putdata(tracee,addr,code_inject,CODE_SIZE); 207 | memcpy(&oldregs,®s,sizeof(regs)); 208 | regs.rip = addr; 209 | printf("new rip: %llx\n",regs.rip); 210 | if(ptrace(PTRACE_SETREGS,tracee,NULL,®s)==-1) 211 | perror("set regs error"); 212 | puts("replace instructions success, continue tracee"); 213 | if(ptrace(PTRACE_CONT,tracee,NULL,NULL)==-1) 214 | perror("continue tracee error"); 215 | wait(NULL); 216 | ptrace(PTRACE_GETREGS,tracee,NULL,®s); 217 | printf("tracee end at rip: %llx\n:",regs.rip); 218 | puts("tracee has stopped,putting back original instructions"); 219 | putdata(tracee,addr,code_backup,CODE_SIZE); 220 | if(ptrace(PTRACE_SETREGS,tracee,NULL,&oldregs)==-1) 221 | perror("put original instuctions error"); 222 | // ptrace(PTRACE_DETACH,tracee,NULL,NULL); 223 | return 0; 224 | 225 | } 226 | 227 | -------------------------------------------------------------------------------- /old_version/arm/.hook.c.swp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/arm/.hook.c.swp -------------------------------------------------------------------------------- /old_version/arm/hook: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/arm/hook -------------------------------------------------------------------------------- /old_version/arm/hook.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define CPSR_T_MASK ( 1u << 5 ) 15 | 16 | 17 | //获取目标进程的模块地址(一般有多个,第一个是r-xp) 18 | void* get_module_addr(pid_t pid,const char *module_name,long *end) 19 | { 20 | FILE *fp; 21 | char filePath[128]; 22 | char fileLine[1024]; 23 | if(pid < 0) 24 | snprintf(filePath, sizeof(filePath), "/proc/self/maps"); 25 | else 26 | snprintf(filePath, sizeof(filePath), "/proc/%d/maps",pid); 27 | 28 | fp = fopen(filePath,"r"); 29 | if(fp==NULL) 30 | { 31 | printf("get Module addre open fp error\n"); 32 | return NULL; 33 | } 34 | unsigned long addr_start =0,addr_end = 0; 35 | while(fgets(fileLine,sizeof(fileLine),fp)) 36 | { 37 | if(strstr(fileLine, module_name)) 38 | { 39 | if(2==sscanf(fileLine,"%8lx-%8lx",&addr_start,&addr_end)) 40 | break; 41 | } 42 | } 43 | fclose(fp); 44 | printf("library :%s %lx-%lx, pid:%d\n",module_name, addr_start,addr_end, pid); 45 | *end = addr_end; 46 | return (void*)addr_start; 47 | } 48 | //获取模块的函数地址 49 | void* get_func_addr(pid_t pid, const char *module_name,const void *func_offset_addr) 50 | { 51 | //第三个参数是函数在自己的模块或者进程里的偏移地址,需要本人手动分析 52 | //其他人的代码都是分析so的,自己的程序将so加载,然后算出函数位置-so的位置得到偏移量,这样子就可以加上目标进程的so位置得到目标进程的函数的位置了。然而我这边是想要修改进程函数,不再so里面,因此偏移量我想办法自己计算吧。 53 | void *local_addr; 54 | local_addr = get_module_addr(pid,module_name,NULL); 55 | return (void*)((unsigned long)local_addr+(unsigned long)func_offset_addr); 56 | } 57 | 58 | 59 | 60 | //向进程写入数据 61 | int ptrace_setData(pid_t pid,const void *addr, const void *data, int size) 62 | { 63 | int count = size / sizeof(long); 64 | int remain = 
size % sizeof(long); 65 | long buf; 66 | int i=0; 67 | for(i=0;i0) 76 | { 77 | buf = ptrace(PTRACE_PEEKTEXT,pid,addr,NULL); 78 | memcpy(&buf,data,remain); 79 | if(ptrace(PTRACE_POKETEXT,pid,addr,buf)==-1) 80 | { 81 | perror("wirte remain data error"); 82 | return -1; 83 | } 84 | } 85 | } 86 | 87 | //读取进程的内存数据 88 | char* ptrace_getData(pid_t pid, unsigned long addr, unsigned long size) 89 | { 90 | int count = size / sizeof(long); 91 | int remain = size % sizeof(long); 92 | char *str = (char*)malloc(size+1); 93 | memset(str,0,size+1); 94 | int LONG_SIZE = sizeof(long); 95 | char *point=str; 96 | union u 97 | { 98 | long val; 99 | char chars[LONG_SIZE]; 100 | } d; 101 | 102 | int i; 103 | for(i=0;i0) 112 | { 113 | d.val=ptrace(PTRACE_PEEKTEXT,pid,addr,0); 114 | memcpy(point,d.chars,remain); 115 | } 116 | return str; 117 | } 118 | 119 | 120 | //调用目标进程函数 121 | int ptrace_call(pid_t pid, const void* addr, const long *parameters, int num, struct pt_regs *regs) 122 | { 123 | int i; 124 | //前四个参数分别放入r0-4,其他的按右到左放入栈里。 125 | //如果需要传入字符串等信息需要提前将数据写入目标进程。 126 | 127 | for(i=0;iuregs[i] = parameters[i]; 130 | } 131 | 132 | if(iARM_sp -= (num-i)*sizeof(long); 136 | if(ptrace_setData(pid,(void*)regs->ARM_sp,¶meters[i],(num-i)*sizeof(long))==-1) 137 | { 138 | printf("write to stack error\n"); 139 | return -1; 140 | } 141 | } 142 | 143 | //设置pc寄存器 144 | regs->ARM_pc = (long)addr; 145 | //arm每个指令4字节,thumb每个指令2字节,在跳转子函数进入thumb函数时,pc地址会+1表示进入thumb指令状态(也学是因为thubm函数有 146 | //一行声明?),因此thumb函数里的所有pc地址都不会是偶数。。因为每次pc计数+2....所以,可以按照pc的第0bit来判断是arm或者thumb 147 | // #define CPSR_T_MASK ( 1u << 5 ) 148 | // 猜测这里需要将cpsr寄存器设置为1表示thumb。而因为thumb函数的话,pc指向地址为偶数,但是跳转的时候会自动+1,不需要我们操心, 149 | //因此直接讲pc末尾置0即可。 150 | 151 | if(regs->ARM_pc & 1)//thumb情况 152 | { 153 | regs->ARM_pc &=(~1u); 154 | regs->ARM_cpsr |= ~CPSR_T_MASK; 155 | } 156 | else 157 | regs->ARM_cpsr &= ~CPSR_T_MASK; 158 | 159 | //设置lr寄存器值为0,当函数返回时进程会接收到异常信号而停止运行 160 | //这里进行设置只是为了看看是否有效吧,,经测试不设置,还是可以的,这个只是 161 | 
//为了我们自己认为的弄出个信号吧。对于使用ptrace_cont运行的子进程,它会在3种情况下进入暂停状态:①下一次系统调用;②子进程退出;③子进程的执行发生错误信号为0xb7f,低2字节表示子进程是退出(0x0)还是暂停(0x7f),高2字节字节表示退出信号为11(SIGSEGV) 162 | regs->ARM_lr = 0; 163 | 164 | if(ptrace(PTRACE_SETREGS,pid,NULL,regs)==-1) 165 | perror("ptrace call setregs errpr"); 166 | 167 | if(ptrace(PTRACE_CONT,pid,NULL,NULL)==-1) 168 | perror("ptrace call continue error"); 169 | 170 | printf("wait for stopping....\n"); 171 | 172 | int stat = 0; 173 | waitpid(pid, &stat, WUNTRACED); 174 | while(stat != 0xb7f) 175 | { 176 | if(ptrace(PTRACE_CONT,pid,NULL,NULL)==-1) 177 | perror("inject continue error"); 178 | return -1; 179 | waitpid(pid,&stat,WUNTRACED); 180 | } 181 | printf("inject success\n"); 182 | return 0; 183 | } 184 | 185 | 186 | 187 | long getSysCallNo(int pid, struct pt_regs *regs) 188 | { 189 | long scno = 0; 190 | ptrace(PTRACE_GETREGS, pid, NULL, regs); 191 | scno = ptrace(PTRACE_PEEKTEXT, pid, (void *)(regs->ARM_pc - 4), NULL); 192 | if(scno == 0) 193 | return 0; 194 | if(scno == 0xef000000) 195 | { 196 | scno = regs->ARM_r7; 197 | //printf("this EABI\n"); 198 | } 199 | else 200 | { 201 | if((scno & 0x0ff00000) != 0x0f900000) 202 | { 203 | return -1; 204 | } 205 | scno &= 0x000fffff; 206 | //printf("OABI is this\n"); 207 | } 208 | return scno; 209 | } 210 | 211 | 212 | int main(int argc,char* argv[]) 213 | { 214 | if(argc != 2) 215 | { 216 | puts("no pid input"); 217 | exit(1); 218 | } 219 | long scno=0; 220 | FILE *fp; 221 | pid_t pid; 222 | pid = atoi(argv[1]); 223 | long baseAddr,*end=malloc(sizeof(long)); 224 | long parm[4]; 225 | char buf[2048],*tmp; 226 | struct pt_regs regs,old; 227 | printf("try to attach pid:%u\n",pid); 228 | sprintf(buf,"/proc/%d/maps",pid); 229 | /* fp = fopen(buf,"r"); 230 | if(fp==NULL) 231 | { 232 | perror("open maps error"); 233 | } 234 | while(fgets(buf,sizeof(buf),fp)) 235 | { 236 | if(strstr(buf,"r-xp")) 237 | { 238 | tmp = strtok(buf,"-"); 239 | baseAddr = strtoul(tmp,NULL,16); 240 | break; 241 | } 242 | } 243 | */ 244 | char 
module[20] = "inject"; 245 | long offset = 0x42c; 246 | // baseAddr =(long) get_func_addr(pid, module,(void *)offset); 247 | 248 | char ch[20] = "init"; 249 | baseAddr = (long) get_module_addr(pid,ch, end); 250 | printf("the baseAddr,,the end :%lx ---%lx\n",baseAddr,*end); 251 | if(ptrace(PTRACE_ATTACH,pid,NULL,NULL)==-1) 252 | perror("trace attach error"); 253 | wait(NULL); 254 | char *str; 255 | char ro[5]={0x72,0x6f,0x2e,0x00,0x00}; 256 | char sd[5]={0x62,0x62,0x62,0x00,0x00}; 257 | printf("===%s\n",ro); 258 | for(baseAddr;baseAddr<*end;baseAddr++) 259 | { 260 | str = ptrace_getData(pid,baseAddr,4); 261 | if(strcmp(str,ro)==0) 262 | { 263 | printf("i found it!!!!:%lx\n",baseAddr); 264 | break; 265 | } 266 | } 267 | ptrace_setData(pid,(void *)baseAddr,sd,4); 268 | printf("not find\n"); 269 | 270 | /* 271 | while(1) 272 | { 273 | wait(NULL); 274 | scno=getSysCallNo(pid,®s); 275 | printf("the scno num is:%d\n",scno); 276 | if(scno==__NR_write) 277 | { 278 | printf("found the write Func\n"); 279 | // printf("the params:%lx\n",regs.ARM_pc); 280 | // memcpy(&old,®s, sizeof(struct pt_regs)); 281 | //ptrace_call(pid,(void *)(baseAddr),parm,0,®s); 282 | //ptrace(PTRACE_SETREGS,pid,NULL,&old); 283 | 284 | 285 | ptrace(PTRACE_GETREGS,pid,NULL,®s); 286 | printf("ths sp top=====:%lx\n",regs.ARM_sp); 287 | char* str= ptrace_getData(pid,regs.ARM_r1,15); 288 | printf("input text :%s",str); 289 | printf("\n--------------\n"); 290 | long end=0xffc44000; 291 | long start=0xffc65000; 292 | for(start;start>end;start-=4) 293 | { 294 | str=ptrace_getData(pid,start,4); 295 | printf("the item is:%lx\n",str); 296 | } 297 | 298 | 299 | 300 | 301 | break; 302 | } 303 | 304 | if(ptrace(PTRACE_GETREGS,pid,NULL,®s)==-1) 305 | perror("trace getregs error"); 306 | if(ptrace(PTRACE_SYSCALL,pid,NULL,NULL)==-1) 307 | perror("trace continue error"); 308 | 309 | } 310 | */ 311 | ptrace(PTRACE_DETACH,pid,NULL,NULL); 312 | 313 | return 0; 314 | } 315 | 
-------------------------------------------------------------------------------- /old_version/arm/inject: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/arm/inject -------------------------------------------------------------------------------- /old_version/arm/inject.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void injectFunc() 7 | { 8 | printf("i have hook it!!!!!!!!!!\n"); 9 | printf("this is second step!!\n"); 10 | } 11 | 12 | int main(int argc, char *argv[]) 13 | { 14 | while(1) 15 | { 16 | sleep(3); 17 | // printf("+++++++++++++++++**\n"); 18 | // printf("addr :%lx",&strcmp); 19 | injectFunc(); 20 | } 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /old_version/arm/test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/arm/test -------------------------------------------------------------------------------- /old_version/arm/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | long getSysCallNo(int pid, struct pt_regs *regs) 12 | { 13 | long scno = 0; 14 | ptrace(PTRACE_GETREGS, pid, NULL, regs); 15 | scno = ptrace(PTRACE_PEEKTEXT, pid, (void *)(regs->ARM_pc - 4), NULL); 16 | if(scno == 0) 17 | return 0; 18 | 19 | if (scno == 0xef000000) 20 | { 21 | scno = regs->ARM_r7; 22 | } 23 | else 24 | { 25 | if ((scno & 0x0ff00000) != 0x0f900000) 26 | { 27 | return -1; 28 | } 29 | 30 | scno &= 0x000fffff; 31 | } 32 | return scno; 33 | } 34 | 35 | void tracePro(int pid) 36 
| { 37 | long scno=0; 38 | struct pt_regs regs; 39 | 40 | scno = getSysCallNo(pid, ®s); 41 | printf("Target syscall no:%ld\n",scno); 42 | } 43 | 44 | int main(int argc, char *argv[]) 45 | { 46 | if(argc != 2) 47 | { 48 | printf("please input pid...\n"); 49 | return 1; 50 | } 51 | 52 | pid_t traced_process; 53 | int status; 54 | traced_process = atoi(argv[1]); 55 | 56 | if( ptrace(PTRACE_ATTACH, traced_process, NULL, NULL) != 0) 57 | { 58 | printf("Trace process failed:%d.\n", errno); 59 | return 1; 60 | } 61 | while(1) 62 | { 63 | wait(&status); 64 | if(WIFEXITED(status)) 65 | { 66 | break; 67 | } 68 | tracePro(traced_process); 69 | ptrace(PTRACE_SYSCALL, traced_process, NULL, NULL); 70 | } 71 | 72 | ptrace(PTRACE_DETACH, traced_process, NULL, NULL); 73 | 74 | return 0; 75 | } 76 | -------------------------------------------------------------------------------- /old_version/arm/try: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/arm/try -------------------------------------------------------------------------------- /old_version/arm/try.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(){ 4 | while(1) 5 | { 6 | printf("111111\n"); 7 | } 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /old_version/attach: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/attach -------------------------------------------------------------------------------- /old_version/callsys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/callsys 
-------------------------------------------------------------------------------- /old_version/changeData: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/changeData -------------------------------------------------------------------------------- /old_version/changeData.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #define LONG_SIZE 8 12 | 13 | //获取参数 14 | char* getdata(pid_t child, unsigned long addr,unsigned long len) 15 | { 16 | char *str =(char*) malloc(len+1); 17 | memset(str, 0, len+1); 18 | union u{ 19 | long int val; 20 | char chars[LONG_SIZE]; 21 | }word; 22 | int i,j; 23 | for(i = 0,j = len/LONG_SIZE;i 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define LONG_SIZE 8 11 | void putdata(pid_t child,long addr,char* str,int len) 12 | { 13 | char *laddr = str; 14 | int i=0,j=len/LONG_SIZE; 15 | union u { 16 | long val; 17 | char chars[5]; 18 | } word; 19 | while(i 2 | #include 3 | void injectFunc() 4 | { 5 | printf("i have hook it!!!!!!!!!!\n"); 6 | printf("this is second step!!\n"); 7 | } 8 | 9 | int main(int argc, char *argv[]) 10 | { 11 | while(1) 12 | { 13 | sleep(3); 14 | printf("+++++++++++++++++\n"); 15 | } 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /old_version/structcall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/structcall -------------------------------------------------------------------------------- /old_version/test: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/test -------------------------------------------------------------------------------- /old_version/thread: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/thread -------------------------------------------------------------------------------- /old_version/tracee: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/youmeng1024/mprop-code/20fec0a8a5dd013e43e36ce481e0f1a0d956d0b3/old_version/tracee --------------------------------------------------------------------------------