梆梆企业加固-AntiFrida

梆梆企业加固-AntiFrida

梆梆在JNI_OnLoad中hook了__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv

image-20230302224622327

// bionic linker do_dlopen as quoted in the write-up (three-parameter form).
// NOTE(review): the hooked symbol named above,
// __dl__Z9do_dlopenPKciPK17android_dlextinfoPKv, demangles with a trailing
// `const void*` parameter (the caller_addr of later linker versions), so the
// signature in the hooked build appears to differ from this listing - confirm
// against the target device's linker.
soinfo* do_dlopen(const char* name, int flags, const android_dlextinfo* extinfo) {
// Reject any dlopen flag outside the supported RTLD_* set.
if ((flags & ~(RTLD_NOW|RTLD_LAZY|RTLD_LOCAL|RTLD_GLOBAL|RTLD_NOLOAD)) != 0) {
DL_ERR("invalid flags to dlopen: %x", flags);
return NULL;
}
// Extended info, when supplied, may only carry known ANDROID_DLEXT_* bits.
if (extinfo != NULL && ((extinfo->flags & ~(ANDROID_DLEXT_VALID_FLAG_BITS)) != 0)) {
DL_ERR("invalid extended flags to android_dlopen_ext: %" PRIx64, extinfo->flags);
return NULL;
}
// Linker data is writable only while the library is located/loaded and is
// returned to read-only afterwards.
protect_data(PROT_READ | PROT_WRITE);
soinfo* si = find_library(name, flags, extinfo);
if (si != NULL) {
// Run the library's constructors once it has been found/loaded.
si->CallConstructors();
}
protect_data(PROT_READ);
return si;
}

image-20230302105924197

image-20230302105942409

image-20230302114014694

image-20230302161144746

libDexhelper.so检测frida逻辑

正常调用do_dlopen时,LR寄存器指向的内存应为可执行区域(rwxp或r-xp)

frida实际调用时(见下方gumandroid.c中传入的caller_addr),LR指向的是app_process32的模块起始地址(基址),而非正常调用时的可执行代码位置

image-20230302180024348

https://github.com/frida/frida-gum/blob/442db4dba0f5d19bd84af02124bbd07738325712/gum/backend-linux/gumandroid.c#L97

/* GumLinkerApi slot for the linker's internal do_dlopen (Android 7.0+ form,
 * see gum_store_module_handle_if_name_matches below). The fourth argument,
 * caller_addr, is supplied explicitly by the caller; frida passes a module
 * base address here. */
void * (* do_dlopen) (const char * filename, int flags, const void * extinfo,
void * caller_addr);
/* frida-gum (gumandroid.c) callback invoked per soinfo while resolving a module
 * handle by name. It returns TRUE until details->path matches ctx->name, then
 * opens that library through the most specific linker entry point available,
 * stores the result in ctx->module and returns FALSE. Relevant to the write-up
 * above: the value handed to the linker as caller_addr is a module *base*
 * address, not a return address into executable code. */
static gboolean
gum_store_module_handle_if_name_matches (const GumSoinfoDetails * details,
GumGetModuleHandleContext * ctx)
{
GumLinkerApi * api = details->api;

if (gum_linux_module_path_matches (details->path, ctx->name))
{
GumSoinfoBody * sb = details->body;
int flags = RTLD_LAZY;
/* Default caller address: the base of the matched module itself. This is the
 * value the anti-Frida check described above compares against, rather than a
 * pointer into an executable mapping. */
void * caller_addr = GSIZE_TO_POINTER (sb->base); //<-----------------

/* vDSO entries are skipped: return FALSE without setting ctx->module. */
if (gum_android_is_vdso_module_name (details->path))
return FALSE;

/* New-format soinfo: use the parent's base as caller address when there is
 * one, and take the library's own RTLD flags when the struct version has them. */
if ((sb->flags & GUM_SOINFO_NEW_FORMAT) != 0)
{
GumSoinfo * parent;

parent = gum_soinfo_get_parent (details->si);
if (parent != NULL)
{
caller_addr = GSIZE_TO_POINTER (gum_soinfo_get_body (parent)->base);
}

if (sb->version >= 1)
{
flags = gum_soinfo_get_rtld_flags (details->si);
}
}

/* API level >= 21: add RTLD_NOLOAD so only an already-loaded library yields
 * a handle. */
if (gum_android_get_api_level () >= 21)
{
flags |= RTLD_NOLOAD;
}

/* Presumably the internal entry points are preferred because they accept the
 * explicit caller_addr; the public dlopen is the fallback on older releases. */
if (api->dlopen != NULL)
{
/* API level >= 26 (Android >= 8.0) */
ctx->module = api->dlopen (details->path, flags, caller_addr);
}
else if (api->do_dlopen != NULL)
{
/* API level >= 24 (Android >= 7.0) */
ctx->module = api->do_dlopen (details->path, flags, NULL, caller_addr);
}
else
{
ctx->module = dlopen (details->path, flags);
}

/* Match handled: FALSE presumably ends the enumeration. */
return FALSE;
}

/* No match: continue with the next soinfo. */
return TRUE;
}