一、概述
通过dlopen、dlsym获取共享库函数地址、全局变量是一种经常使用到的编程技巧,尤其是在Hook框架中。然而无论是dlsym还是一些常用框架(如Nougat_dlfunctions
),都只能搜索.dynsym段,而无法搜索.symtab段。因此实现.symtab段搜索是一个亟待解决的问题。
本文将介绍在Nougat_dlfunctions框架基础上,如何实现搜索.symtab段的功能。(如果对FastHook不了解,请查阅FastHook——一种高效稳定、简洁易用的Android Hook框架)
项目地址:Enhanced_dlfunctions
二、Enhanced dlfunctions实现
ELF文件实际是个表结构,以段为单位,每个段存储不同的信息,段与段之间以索引来关联形成一个表。所以只要有一个头,就可以通过这些关系访问所有的段,这个头便是ELF文件头。下面我们来看看需要获取那些信息:
- ELF文件头:存储所有段头部的信息,段头部是描述段信息的元数据,可以通过段头部来获取段信息。
- .shstrtab段。存储所有的段的段名。通过ELF文件头,可以实现段的遍历,而无法识别具体的段(不同段类型可以相同),因此需要用段名来确定段。
- .dynsym段:动态符号表,存储与动态链接相关的导入导出符号,不包括模块内部的符号。Nougat_dlfunctions只查询这个段,因此会漏掉很多符号。
- .dynstr段:存储.dynsym段符号对应的符号名。
- .symtab段:符号表。存储在程序中被定义和引用的函数和全局变量的信息。
- .strtab段:存储.symtab段符号对应的符号名。
- .comment段:程序相关信息,用与定位符号地址。
2.1 enhanced_dlopen
void *enhanced_dlopen(const char *libpath, int flags) {
FILE *maps;
char buff[256];
struct ctx *ctx = 0;
off_t load_addr, size;
int k, fd = -1, found = 0;
void *shoff;
Elf_Ehdr *elf = (Elf_Ehdr *) MAP_FAILED;
#define fatal(fmt, args...) do { log_err(fmt,##args); goto err_exit; } while(0)
maps = fopen("/proc/self/maps", "r");
if (!maps) fatal("failed to open maps");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (!found) fatal("%s not found in my userspace", libpath);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
log_info("%s loaded in Android at 0x%08lx", libpath, load_addr);
/* Now, mmap the same library once again */
fd = open(libpath, O_RDONLY);
if (fd < 0) fatal("failed to open %s", libpath);
size = lseek(fd, 0, SEEK_END);
if (size <= 0) fatal("lseek() failed for %s", libpath);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
close(fd);
fd = -1;
if (elf == MAP_FAILED) fatal("mmap() failed for %s", libpath);
ctx = (struct ctx *) calloc(1, sizeof(struct ctx));
if (!ctx) fatal("no memory for %s", libpath);
ctx->load_addr = (void *) load_addr;
shoff = ((void *) elf) + elf->e_shoff;
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {
Elf_Shdr *sh = (Elf_Shdr *) shoff;
log_dbg("%s: k=%d shdr=%p type=%d", __func__, k, sh, sh->sh_type);
switch (sh->sh_type) {
case SHT_DYNSYM:
if (ctx->dynsym) fatal("%s: duplicate DYNSYM sections", libpath); /* .dynsym */
ctx->dynsym = malloc(sh->sh_size);
if (!ctx->dynsym) fatal("%s: no memory for .dynsym", libpath);
memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_SYMTAB:
if (ctx->symtab) fatal("%s: duplicate SYMTAB sections", libpath); /* .symtab */
ctx->symtab = malloc(sh->sh_size);
if (!ctx->symtab) fatal("%s: no memory for .symtab", libpath);
memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_STRTAB:
if(!strcmp(shstr+sh->sh_name,".dynstr")) {
if (ctx->dynstr) break; /* .dynstr is guaranteed to be the first STRTAB */
ctx->dynstr = malloc(sh->sh_size);
if (!ctx->dynstr) fatal("%s: no memory for .dynstr", libpath);
memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);
}else if(!strcmp(shstr+sh->sh_name,".strtab")) {
if (ctx->strtab) break;
ctx->strtab = malloc(sh->sh_size);
if (!ctx->strtab) fatal("%s: no memory for .strtab", libpath);
memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
}
break;
case SHT_PROGBITS:
if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;
/* won't even bother checking against the section name */
ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;
break;
}
}
munmap(elf, size);
elf = 0;
if (!ctx->dynstr || !ctx->dynsym) fatal("dynamic sections not found in %s", libpath);
#undef fatal
log_dbg("%s: ok, dynsym = %p, dynstr = %p symtab = %p strtab = %p", libpath, ctx->dynsym, ctx->dynstr, ctx->symtab, ctx->strtab);
return ctx;
}
1. 获取so加载的地址,存储在load_addr
maps = fopen("/proc/self/maps", "r");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
2. 重新映射so,获取ELF文件头
fd = open(libpath, O_RDONLY);
size = lseek(fd, 0, SEEK_END);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
3. 获取.shstrtab段。
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
4.获取.dynsym段、.dynstr段、.symtab段、.strtab段
for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {
Elf_Shdr *sh = (Elf_Shdr *) shoff;
switch (sh->sh_type) {
case SHT_DYNSYM:
ctx->dynsym = malloc(sh->sh_size);
memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_SYMTAB:
ctx->symtab = malloc(sh->sh_size);
memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_STRTAB:
if(!strcmp(shstr+sh->sh_name,".dynstr")) {
ctx->dynstr = malloc(sh->sh_size);
memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);
}else if(!strcmp(shstr+sh->sh_name,".strtab")) {
ctx->strtab = malloc(sh->sh_size);
memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
}
break;
case SHT_PROGBITS:
if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;
ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;
break;
}
}
2.2 enhanced_dlsym
void *enhanced_dlsym(void *handle, const char *name) {
int k;
struct ctx *ctx = (struct ctx *) handle;
Elf_Sym *dynsym = (Elf_Sym *) ctx->dynsym;
Elf_Sym *symtab = (Elf_Sym *) ctx->symtab;
char *dynstr = (char *) ctx->dynstr;
char *strtab = (char *) ctx->strtab;
for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {
if (strcmp(dynstr + dynsym->st_name, name) == 0) {
void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
if(symtab) {
for (k = 0; k < ctx->symtab_num; k++, symtab++) {
sym_tab->st_name,strings + sym_tab->st_name,k);
if (strcmp(strtab + symtab->st_name, name) == 0) {
void *ret = ctx->load_addr + symtab->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
}
return 0;
}
1. 先查询.dynsym段。遍历.dymsym所有符号,查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。
for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {
if (strcmp(dynstr + dynsym->st_name, name) == 0) {
void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
2. 如果.dynsym段找不到目标符号且.symtab段存在时,遍历.symtab所有符号,查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。
for (k = 0; k < ctx->symtab_num; k++, symtab++) {
sym_tab->st_name,strings + sym_tab->st_name,k);
if (strcmp(strtab + symtab->st_name, name) == 0) {
void *ret = ctx->load_addr + symtab->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
三、结语
Nougat_dlfunctions只支持arm平台,而我在实际工作中也不涉及到x86平台,所以Enhanced dlfunctions暂时只支持arm32和arm64,如果要兼容x86等其他平台也不难,不需要改实现,主要就是elf.h一些结构体的不同。
FastHook系列
FastHook——一种高效稳定、简洁易用的Android Hook框架
FastHook——巧妙利用动态代理实现非侵入式AOP
FastHook——远超YAHFA的优异稳定性
如何使用FastHook免root hook微信
