Recently I have been studying process injection; so far I can only inject a .so into an Android process from a PC and modify a value inside the .so.
First, some reference posts:
http://blog.csdn.net/l173864930/article/details/38455951
http://www.cnblogs.com/lanrenxinxin/p/4712222.html
https://www.2cto.com/kf/201411/351143.html
http://blog.csdn.net/qq1084283172/article/details/53869796
【The simplest .so injection: from myso.so (the "virus") call a C++ function of the host (inso.so) and change a value inside inso.so】
Reference post: https://www.2cto.com/kf/201411/351143.html
1. Materials: the Poison app (the reference post above contains the implementation code and the finished application)
Android.mk:
LOCAL_PATH := $(call my-dir)

# Myso
include $(CLEAR_VARS)
LOCAL_MODULE := myso
LOCAL_MODULE_FILENAME := libmyso
LOCAL_SRC_FILES := myso.cpp
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
include $(BUILD_SHARED_LIBRARY)

# Inso
include $(CLEAR_VARS)
LOCAL_MODULE := inso
LOCAL_MODULE_FILENAME := libinso
LOCAL_SRC_FILES := inso.cpp \
                   JniTest.cpp
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
include $(BUILD_SHARED_LIBRARY)
Application.mk
# Platform (ABI) the built modules run on
APP_ABI := armeabi-v7a
# Version of the toolchain used for compiling and linking
#NDK_TOOLCHAIN_VERSION = 4.9
myso.cpp (source of the "virus" .so)
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
#include <pthread.h>
#include <android/log.h>

// The post's build used a project-local "log.h" that is not reproduced here, so LOGI is
// defined on top of the NDK logging API instead (assumed); tag "TTT" matches the logcat filter below.
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "TTT", __VA_ARGS__)

class PoisonObj {
public:
    PoisonObj() {
        LOGI(">>>>>>>>>>>>>PoisonObj()<<<<<<<<<<<<<<");
        // libinso.so is already loaded in the host process, so dlopen only returns its handle
        void* handle = dlopen("libinso.so", RTLD_NOW);
        if (!handle) {
            return;  // host library not present: nothing to patch
        }
        void (*setA_func)(int) = (void (*)(int))dlsym(handle, "setA");
        if (setA_func) {
            setA_func(999);  // overwrite gA inside the host library
        }
    }
    ~PoisonObj() {}
} ppt;  // global instance: its constructor runs when the library is loaded

extern "C" {
    extern void setA(int i);  // declared but not referenced by this sample
    void display();
}
inso.cpp (source of the host .so)
extern "C" {
    static int gA = 1;  // the value that the injected library overwrites

    void setA(int i) {
        gA = i;
    }

    int getA() {
        return gA;
    }
}
JniTest.cpp
#include <jni.h>
#include <string.h>

extern "C" {
    extern int getA();

    JNIEXPORT jint JNICALL
    Java_com_example_poison_MainActivity_nativeGetA(JNIEnv *env, jobject thiz, jobject context) {
        return getA();  // the original called getA() without returning its value
    }
}
MainActivity.java
package com.example.poison;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class MainActivity extends Activity {
    static {
        System.loadLibrary("inso");
        //System.loadLibrary("myso");
    }

    native public int nativeGetA(Context context);

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button btnLog = (Button) findViewById(R.id.btnLog);
        btnLog.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View arg0) {
                new Thread(new Runnable() {
                    @Override
                    public void run() {
                        // Poll the native value once a second so the change shows up in logcat
                        while (true) {
                            Log.i("TTT", "----------num is " + nativeGetA(MainActivity.this));
                            try {
                                Thread.sleep(1000L);
                            } catch (Exception e) {
                                e.printStackTrace();
                            }
                        }
                    }
                }).start();  // start(), not run(): run() would execute the loop on the UI thread
            }
        });
    }
}
2. Injection steps:
adb push poison /data/local/tmp
adb push libmyso.so /data/local/tmp
adb shell chmod 0777 /data/local/tmp/poison
adb shell chmod 0777 /data/local/tmp/libmyso.so
adb shell
su
ps | grep com.example.poison (suppose the resulting process id is 17569)
/data/local/tmp/poison /data/local/tmp/libmobisec.so 17569
cat /proc/17569/maps | grep libmyso.so (libmyso.so now appears in the process; it was not there before the injection)
adb logcat -s TTT
3. Checking the result
The log tag is "TTT". After the injection you can see that the value of gA in inso.so has been modified:
----------num is 1
----------num is 1
----------num is 1
>>>>>>>>>>>>PoisonObj()<<<<<<<<<<<<<
----------num is 999
----------num is 999
----------num is 999
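The maps check in step 2 (grep for libmyso.so in /proc/<pid>/maps) only finds a library whose name you already know. The following added example, which is not code from the post or from the Poison project, generalises that check: it parses maps output and reports every .so mapped from outside the directories an unmodified app is expected to load native code from. The trusted prefix list and the sample maps text are constructed for this example; on a device the text would be read from /proc/self/maps (by the app itself) or /proc/<pid>/maps (as root).

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample of /proc/<pid>/maps output for an app like com.example.poison
// after an injection. Not captured from a real device; addresses and inodes are made up.
static const char* kSampleMaps =
    "b6f3a000-b6f3c000 r-xp 00000000 b3:19 1234  /data/app/com.example.poison-1/lib/arm/libinso.so\n"
    "b6f3c000-b6f3d000 r--p 00001000 b3:19 1234  /data/app/com.example.poison-1/lib/arm/libinso.so\n"
    "b6f40000-b6f9a000 r-xp 00000000 b3:02 321   /system/lib/libc.so\n"
    "b6f9a000-b6f9c000 rw-p 00000000 00:00 0\n"
    "b6fa0000-b6fa2000 r-xp 00000000 b3:19 5678  /data/local/tmp/libmyso.so\n"
    "b6fa2000-b6fa3000 rw-p 00001000 b3:19 5678  /data/local/tmp/libmyso.so\n"
    "bef00000-bef21000 rw-p 00000000 00:00 0     [stack]\n";

// Directories from which an unmodified app is expected to load native code
// (an assumption for this example; adjust to the device/ROM being checked).
static const std::vector<std::string> kTrustedPrefixes = {
    "/system/", "/vendor/", "/apex/", "/product/", "/odm/", "/data/app/"};

static bool has_trusted_prefix(const std::string& path) {
    for (const std::string& prefix : kTrustedPrefixes) {
        if (path.compare(0, prefix.size(), prefix) == 0) return true;
    }
    return false;
}

static bool ends_with_so(const std::string& path) {
    return path.size() >= 3 && path.compare(path.size() - 3, 3, ".so") == 0;
}

// Parse maps text and return every distinct .so path outside the trusted directories.
std::vector<std::string> untrusted_libraries(const std::string& maps_text) {
    std::vector<std::string> found;
    std::istringstream in(maps_text);
    std::string line;
    while (std::getline(in, line)) {
        // Line format: address-range perms offset dev inode [pathname]
        std::istringstream fields(line);
        std::string range, perms, offset, dev, inode, path;
        if (!(fields >> range >> perms >> offset >> dev >> inode)) continue;
        std::getline(fields, path);
        size_t start = path.find_first_not_of(" \t");
        if (start == std::string::npos) continue;  // anonymous mapping, no path
        path = path.substr(start);
        if (!ends_with_so(path) || has_trusted_prefix(path)) continue;
        if (std::find(found.begin(), found.end(), path) == found.end()) {
            found.push_back(path);  // report each library once, not once per segment
        }
    }
    return found;
}

int main() {
    for (const std::string& lib : untrusted_libraries(kSampleMaps)) {
        std::cout << "unexpected native library: " << lib << '\n';
    }
    return 0;
}
```

Run against the sample it reports only /data/local/tmp/libmyso.so. Note what the check does and does not cover: a library injected from a world-writable path such as /data/local/tmp stands out immediately, but an injector that copies its payload under a trusted prefix, or maps it anonymously without a backing file, would not be caught by a path-based check alone, so this is a cheap first signal rather than a complete detection.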
4. How it works
1. The host program runs and keeps printing num.
2. When the "virus" is injected into the host program, because myso.cpp contains a global PoisonObj object, the dynamic linker runs PoisonObj's constructor as part of loading the library, and the constructor modifies the value of num.
3. The host continues printing num, now with the modified value.