foreword
Today, the main introduction is to obtain the mac fingerprint of the device network card by means of kernel communication, and to obtain the address of the mac network card by means of netlink and kernel communication.
This way you can directly bypass android's permissions.
The network card information can also be obtained directly when the app is not authorized. Because it is difficult to mock, many large-scale apps also use this method to obtain them.
Introduction to netlink:
Netlink is a communication method provided by linux for the communication between the kernel and user mode processes.
- But note that although Netlink is mainly used for communication between user space and kernel space , it can also be used for communication between two processes in user space .
- It's just that there are many other ways of inter-process communication, and Netlink is generally not used. Unless you need to use the broadcast feature of Netlink.
- The NetLink mechanism is a special socket, which is unique to Linux . Since the transmitted messages are temporarily stored in the socket receiving buffer and are not processed immediately by the receiver, netlink is an asynchronous communication mechanism. System calls and ioctls are synchronous communication mechanisms.
Generally speaking, there are three ways of communication between user space and kernel space:
proc
ioctl
Netlink
The first two are unidirectional, but Netlink can achieve duplex communication .
The Netlink protocol is based on BSD sockets and the AF_NETLINK address family.
Using 32-bit port number addressing (formerly known as PID), each Netlink protocol (or bus, or the netlink family in the man page) is usually associated with one or a group of kernel services/components, such as NETLINK_ROUTE is used to get and set routing and link information, NETLINK_KOBJECT_UEVENT is used by the kernel to send notifications to the udev process in user space, etc.
netlink features:
1, support full-duplex, asynchronous communication
2. The user space can use the standard BSD socket interface (but netlink does not block the construction and parsing process of the protocol package, it is recommended to use a third-party library such as libnl)
3. Use a dedicated kernel API interface in the kernel space
4, Support multicast (so support "bus" type communication, which can realize message subscription)
5, can be used for process context and interrupt context on the kernel side
netlink features:
1, support full-duplex, asynchronous communication
2. The user space can use the standard BSD socket interface (but netlink does not block the construction and parsing process of the protocol package, it is recommended to use a third-party library such as libnl)
3. Use a dedicated kernel API interface in the kernel space
4, Support multicast (so support "bus" type communication, which can realize message subscription)
5, can be used for process context and interrupt context on the kernel side
How to get network card information through netlink?
How does android get the network card address through netlink?
Whether it is the ip command line or the Java network interface, it is ultimately called to ifaddrs.cpp -> getifaddrs
getifaddrs method introduction
NetlinkConnection This structure is a netlink encapsulation class
Focus on the implementation process of ReadResponses
manual:
Get the content we need by traversing and output it.
SVC inline security wrapper:
When receiving the message, the android source code uses recv to accept the message
Determine the end position by looping.
But the recv function is easy to be hooked, inlinehook recv, recvfrom, recvmsg
The return value of parameter two can be processed directly after the method is executed.
After not using the recv provided by the system directly, there are two ways to choose.
- method 1:
Call the syscall function directly, and cut into recv through the syscall function.
This method can be better compatible with 32-bit and 64-bit, but it may be directly hooked syscall this function entry.
Because the functions related to device fingerprints are key functions and focus on security. So focus on method 2
Embed syscall assembly code inside the specified method.
- Method 2: We directly replace recv with svc inline assembly code as follows
Equivalent to implementing syscall yourself (code excerpted from libc syscall)
It is also very simple to use, just import the function header.
32nd place:
64th place:
Replace the code with the following:
Unfortunately, an error was reported, seccomop was used on the Android 8 kernel to filter out svc and call recv directly
The reason for the error in a sentence
seccomp prevented call to disallowed arm system call 291
Introduction to secomp:
Seccomp is a security mechanism of Linux, and seccomp is used in android 8.1 and above
The main function is to restrict calling certain system functions directly through syscall
There are two filtering modes of seccomp (strict&filter)
The first strict only supports the following four, if you use other syscalls, you will receive a SIGKILL signal
read()
write()
exit()
rt_sigreturn
Set it as follows.
strict
filter(BPF)
Seccomp-bpf
bpf is a filtering mode, this function exists only in high versions of linux
When a process calls svc, it will first enter the bpf rules written by ourselves
Through our own written rules, we can judge whether the function is called by running.
Commonly used is ptrace+seccomp to modify the parameter content & return value result of svc.
Back to the main text, but okay,
The implementation of recv at the bottom of android is the recvfom code as follows
We switch the svc call number to recvform
The program runs perfectly, and the network card is successfully obtained.
