A ten-thousand-word guide: using an Android kernel driver to read and write process memory

How to read this article:

Please make sure you have strong hands-on skills and a strong interest in game-assist development.

If you only want to build, go directly to the kernel compilation section.

The pre-knowledge section is like a dictionary appendix: come back and look things up when you need them. As the saying goes, know what it is, and know why it is so.

Pre-knowledge

What is a kernel driver

For a driver, three files matter most:

  1. source code
  2. Kconfig
  3. Makefile

As long as these three are present, the Linux kernel's build scripts can make sure our driver is compiled in.

There are two ways to build a kernel module:

  1. built into the kernel;
  2. built as a standalone loadable driver module.

First, open the Makefile of the rwProcMem module.

What this code means is:

# Module name
MODULE_NAME := rwProcMem37

# Kernel object files that make up the module
RESMAN_CORE_OBJS:=sys.o

# Empty list of glue object files
RESMAN_GLUE_OBJS:=

# KERNELRELEASE is set when we are invoked from the kernel build system
ifneq ($(KERNELRELEASE),)
    # Object files to link into the module
    $(MODULE_NAME)-objs:=$(RESMAN_GLUE_OBJS) $(RESMAN_CORE_OBJS)
    # Declare the module to build (rwProcMem37.ko)
    obj-m := rwProcMem37.o
else
    # Not inside the kernel build: point at the kernel output tree
    KDIR := /cepheus-q-oss/out
# Enter the kernel tree and build only this directory as modules
all:
	make -C $(KDIR) M=$(PWD) ARCH=arm64 SUBARCH=arm64 modules
# Remove generated files
clean:
	rm -f *.ko *.o *.mod.o *.mod.c *.symvers *.order
endif

This is boilerplate. It says the module is built by entering the rwProcMem37 directory and compiling only this driver module against the kernel tree in KDIR.

Android kernel boot

Android differs from the usual embedded Linux firmware layout (bootloader + kernel + rootfs): it packs the kernel, the ramdisk (rootfs) and a second stage (dtb, kernel.logd, etc.) into a single boot.img file.

Any modification of the kernel therefore has to go through the boot.img file.

The following describes how to obtain boot.img for common models.

Get the boot.img file

First, download the full firmware package for your model's current version; either a fastboot (line-flash) package or a recovery (card-flash) package will do.

Take the Mi 12 Pro as an example.

In the upper right corner you can see the words "Download the latest full package".

Download the latest full package and transfer it to your computer.

Next we will use the tool payload_dumper.exe to unpack it.

[Download URL][https://shuj.lanzoue.com/i79XB0s5bf0f]

Create a new folder and put the unpacking tool in it

Create two folders again and name them payload_input and payload_output

The final folder structure is: the unpacking tool next to the payload_input and payload_output folders.

Unzip the full package you just downloaded with your computer's built-in archive tool.

Find the payload.bin file and put it in the payload_input folder.

Then run the unpacking tool; the extracted boot.img appears in the payload_output folder.

Adapting your pure C project to the kernel-based detection-bypass technique

The rwProcMem33 project provides a complete memory read/write implementation:

	// driver: open the target process
	uint64_t hProcess = rwDriver.OpenProcess(pid);
	printf("调用驱动 OpenProcess 返回值:%" PRIu64 "\n", hProcess);
	if (!hProcess) {
		printf("调用驱动 OpenProcess 失败\n");
		fflush(stdout);
		return 0;
	}

	// driver: read process memory
	char readBuf[1024] = { 0 };
	size_t real_read = 0;
	// for single-threaded reads the faster variant ReadProcessMemory_Fast can be used instead
	BOOL read_res = rwDriver.ReadProcessMemory(hProcess, (uint64_t)pBuf, &readBuf, sizeof(readBuf), &real_read, FALSE);
	printf("调用驱动 ReadProcessMemory 读取内存地址:%p,返回值:%d,读取到的内容:%s,实际读取大小:%zu\n", pBuf, read_res, readBuf, real_read);

	// driver: write process memory
	memset(readBuf, 0, sizeof(readBuf));
	snprintf(readBuf, sizeof(readBuf), "%s", "写入456");
	size_t real_write = 0;
	// for single-threaded writes the faster variant WriteProcessMemory_Fast can be used instead
	BOOL write_res = rwDriver.WriteProcessMemory(hProcess, (uint64_t)pBuf, &readBuf, sizeof(readBuf), &real_write, FALSE);
	printf("调用驱动 WriteProcessMemory 写入内存地址:%p,返回值:%d,写入的内容:%s,实际写入大小:%zu\n", pBuf, write_res, readBuf, real_write);

	// show the buffer as seen by the target process itself
	printf("当前缓冲区内容 :%s,当前缓冲区的内存地址:%p\n", szBuf, pBuf);

Only the memory read/write module of the pure C project needs replacing; the rest stays as it is.

Then recompile the pure C project.

Compiling pure C on Windows

1. Download NDK

NDK download

  • When downloading, make sure to pick the right one of 32-bit and 64-bit.

  • Unzip it directly after the download completes.

  • If you need the latest NDK version, you may have to download it from Google's official site.

  • To build the pure C project, do not use the latest NDK: recent NDK releases dropped GCC support. Download android-ndk-r17c instead.

2. Environment variables

Environment variable: add the NDK directory to PATH.

3. Check whether NDK can run correctly

If the PATH is configured correctly but the command line still does not recognize the ndk-build command, try restarting the command prompt or the computer.

4. Compile pure C

Open a cmd prompt in the testko directory and enter:

ndk-build

The successfully compiled pure C binaries are in the libs directory.

Download the corresponding version of the kernel source code

First download the adb tool (if English is a hurdle, a desktop phone-assistant app can set adb up for you). Then connect your phone and run:

adb shell cat /proc/version

to check the kernel version of your phone.

For my phone the output shows Linux version 4.14.180-perf-g11d81629da33.

Then go to https://source.android.com/setup/build/building-kernels to find the source branch matching your device, and download the source:

repo init -u https://android.googlesource.com/kernel/manifest -b android-msm-coral-4.14-android12
repo sync

It will be used in later steps.
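The version string printed by /proc/version carries everything needed to pick the source branch: the major.minor series (the "4.14" in the branch name) and, after "-g", the abbreviated commit the vendor built from. The following is an added example, not code from the article or from AOSP: a small Python parser for that line, plus two checks a practitioner runs after repo sync, one against the branch name and one against `git rev-parse HEAD` of the checked-out tree. The sample line is constructed (only its release string is the one quoted above); the function names are mine.

```python
import re

# Constructed sample in the format printed by `adb shell cat /proc/version`.
# The release string is the one quoted in the article; the rest is made up.
SAMPLE_PROC_VERSION = (
    "Linux version 4.14.180-perf-g11d81629da33 (builder@build-host) "
    "(Android clang version 10.0.7) #1 SMP PREEMPT Thu Jan 1 00:00:00 UTC 2023"
)

_RELEASE_RE = re.compile(r"^Linux version (?P<release>\S+)")
_VERSION_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<local>.*)$")
# "-g<sha>" is appended by the kernel's scripts/setlocalversion when built from git
_GIT_RE = re.compile(r"-g(?P<sha>[0-9a-f]{7,40})(?=-|$)")


def parse_proc_version(line):
    """Split a /proc/version line into the parts needed to choose a source branch."""
    m = _RELEASE_RE.match(line.strip())
    if not m:
        raise ValueError("does not look like /proc/version output")
    release = m.group("release")
    v = _VERSION_RE.match(release)
    if not v:
        raise ValueError("unexpected kernel release format: %s" % release)
    local = v.group("local")
    g = _GIT_RE.search(local)
    return {
        "release": release,
        "series": "%s.%s" % (v.group("major"), v.group("minor")),
        "version": (int(v.group("major")), int(v.group("minor")), int(v.group("patch"))),
        "localversion": local,                 # e.g. "-perf-g11d81629da33"
        "git_sha": g.group("sha") if g else None,
        "dirty": local.endswith("-dirty"),     # built from a tree with local changes
    }


def branch_matches_series(info, branch):
    """True when a manifest branch name such as android-msm-<device>-4.14-<release>
    carries the same major.minor series as the running kernel."""
    series = info["series"]
    return ("-%s-" % series) in branch or branch.endswith("-" + series)


def commit_matches(info, full_sha):
    """True when the checked-out commit (output of `git rev-parse HEAD`) is the
    one the phone's kernel was built from."""
    sha = info["git_sha"]
    return bool(sha) and full_sha.strip().lower().startswith(sha)


if __name__ == "__main__":
    info = parse_proc_version(SAMPLE_PROC_VERSION)
    for key, value in info.items():
        print("%-13s %s" % (key, value))
    print("branch ok:", branch_matches_series(info, "android-msm-coral-4.14-android12"))
```

Run it on the real output with `parse_proc_version(subprocess.check_output(["adb", "shell", "cat", "/proc/version"], text=True))`. A build whose commit does not match the phone's (or a `-dirty` vendor kernel) is the usual reason a rebuilt kernel behaves differently from the stock one, so it is worth checking before the long build.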

Compiling the kernel driver module

Environment configuration

It is recommended to use ubuntu virtual machine or cloud host.

If any of the following commands fails, resolve it yourself by whatever means; what matters is reaching the state described before each command.

  • Switch the package source to the Aliyun mirror
sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup
sudo gedit /etc/apt/sources.list
# Aliyun mirror
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential
  • Install git, curl and python
## install git
sudo apt-get install git
git config --global user.email "[email protected]"
git config --global user.name "xxx"
## install curl and the repo tool
sudo apt-get install curl
mkdir ~/bin
PATH=~/bin:$PATH
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo
## install python
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.9
sudo ln -s /usr/bin/python3 /usr/bin/python
  • Enlarge the swap area
sudo swapoff /swapfile
sudo rm /swapfile
# a 32 GB swap file, to keep the build from failing for lack of memory
sudo dd if=/dev/zero of=/swapfile bs=1GB count=32
sudo chmod 600 /swapfile
sudo mkswap -f /swapfile
sudo swapon /swapfile

Compile the source code

From here on we operate on the phone's kernel. Follow the steps exactly; otherwise you risk bricking the device.

Use Android Image Kitchen to unpack boot.img

[Download link][https://forum.xda-developers.com/attachments/android-image-kitchen-v3-8-win32-zip.5300919/]

Put boot.img in its folder and run unpackimg.bat to obtain the image's build parameters.

Note: the folder path must not contain Chinese characters.

The parameters are printed in the console window.

Do not close that command-line window; the parameters it shows will be used later.

The split_img folder also contains a file named boot.img-ramdisk.cpio.gz.

Extract this file into the kernel source tree you downloaded. If you do not yet know how to download the kernel source for your model, see the source download section in the pre-knowledge part.
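The parameters the unpacker prints (base address, page size, header version, kernel command line) are all read from the fixed-layout header at the start of boot.img, and they reappear as BASE_ADDRESS, PAGE_SIZE, BOOT_IMAGE_HEADER_VERSION and KERNEL_CMDLINE in the build step. The following is an added example, not code from the article, from Android Image Kitchen or from mkbootimg: a Python parser for the v0-v2 header layout (field order and sizes as in AOSP's bootimg.h), which also reports where each blob sits inside the image and the build.sh variables derived from the header. It assumes the mkbootimg default kernel offset of 0x8000 when computing the base; the sample image is a constructed header-only file, not a real boot.img, and the function names are mine.

```python
import struct

# Android boot image header, versions 0-2: little-endian, no padding.
# Fields: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, header_version, os_version, name[16],
# cmdline[512], id[32], extra_cmdline[1024]  (1632 bytes)
_HDR_V0 = struct.Struct("<8s10I16s512s32s1024s")
_HDR_V1_EXTRA = struct.Struct("<IQI")  # recovery_dtbo_size, recovery_dtbo_offset, header_size
_HDR_V2_EXTRA = struct.Struct("<IQ")   # dtb_size, dtb_addr
BOOT_MAGIC = b"ANDROID!"
KERNEL_OFFSET = 0x00008000  # mkbootimg default; base = kernel_addr - KERNEL_OFFSET


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def looks_like_boot_image(data):
    return len(data) >= 8 and data[:8] == BOOT_MAGIC


def header_version_of(data):
    """header_version sits at byte 40 in every header version, so it can be read first."""
    return struct.unpack_from("<I", data, 40)[0]


def parse_boot_header(data):
    """Return the header fields of a v0-v2 boot image as a dict."""
    if len(data) < _HDR_V0.size or not looks_like_boot_image(data):
        raise ValueError("not an Android boot image")
    hv = header_version_of(data)
    if hv > 2:
        raise ValueError("header version %d does not use the v0-v2 layout" % hv)
    f = _HDR_V0.unpack_from(data, 0)
    hdr = {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],
        "header_version": f[9], "os_version": f[10],
        "name": _cstr(f[11]),
        "cmdline": _cstr(f[12]) + _cstr(f[14]),  # cmdline + extra_cmdline
        "recovery_dtbo_size": 0, "dtb_size": 0, "dtb_addr": 0,
    }
    if hv >= 1:
        (hdr["recovery_dtbo_size"], hdr["recovery_dtbo_offset"],
         hdr["header_size"]) = _HDR_V1_EXTRA.unpack_from(data, _HDR_V0.size)
    if hv >= 2:
        hdr["dtb_size"], hdr["dtb_addr"] = _HDR_V2_EXTRA.unpack_from(
            data, _HDR_V0.size + _HDR_V1_EXTRA.size)
    ps = hdr["page_size"]
    if ps == 0 or ps & (ps - 1):
        raise ValueError("page_size %d is not a power of two" % ps)
    hdr["base"] = (hdr["kernel_addr"] - KERNEL_OFFSET) & 0xFFFFFFFF
    return hdr


def section_offsets(hdr):
    """Byte offset of each blob in the image; the header takes the first page and
    every blob starts on a page boundary, in the order kernel, ramdisk, second,
    recovery_dtbo, dtb."""
    ps = hdr["page_size"]
    offsets, pos = {}, ps
    for name in ("kernel", "ramdisk", "second", "recovery_dtbo", "dtb"):
        size = hdr[name + "_size"]
        if size:
            offsets[name] = pos
            pos += -(-size // ps) * ps  # round up to whole pages
    return offsets


def build_vars(hdr):
    """The build.sh variables that come straight from the header."""
    return {
        "BOOT_IMAGE_HEADER_VERSION": str(hdr["header_version"]),
        "BASE_ADDRESS": "0x%08x" % hdr["base"],
        "PAGE_SIZE": str(hdr["page_size"]),
        "KERNEL_CMDLINE": hdr["cmdline"],
    }


def sample_boot_image():
    """Constructed header-only v2 image (sizes are made up; no payload follows)."""
    cmdline = b"console=ttyMSM0,115200n8 androidboot.console=ttyMSM0"
    head = _HDR_V0.pack(BOOT_MAGIC, 0x00A00000, 0x00008000, 0x00120000, 0x01000000,
                        0, 0x00F00000, 0x00000100, 4096, 2, 0, b"", cmdline,
                        b"\0" * 32, b"")
    hdr = head + _HDR_V1_EXTRA.pack(0, 0, 1660) + _HDR_V2_EXTRA.pack(0x00020000, 0x01F00000)
    return hdr + b"\0" * (4096 - len(hdr))


if __name__ == "__main__":
    parsed = parse_boot_header(sample_boot_image())
    print(build_vars(parsed))
    print(section_offsets(parsed))
```

On a real file call `parse_boot_header(open("boot.img", "rb").read())`. A v3/v4 header (generic boot images from Android 11 onwards) is rejected because its layout differs; that is exactly the mismatch that makes a BOOT_IMAGE_HEADER_VERSION=2 build unsuitable for the device, so it is worth catching here rather than after flashing.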

Add a few extras to the source tree

Download [mkbootimg.py][http://aospxref.com/android-11.0.0_r21/xref/system/tools/mkbootimg/mkbootimg.py]

into the root directory of the source tree.

Edit build/build.sh and add the following before the line echo "Files copied to ${DIST_DIR}":

if [ -f "${VENDOR_RAMDISK_BINARY}" ]; then
    cp "${VENDOR_RAMDISK_BINARY}" "${DIST_DIR}"
fi

Download the kernel driver source code

Most kernel projects around use the rwProcMem33 source. Put the driver directory under the kernel's drivers directory; its own Makefile declares the module:

obj-m += rwProcMem.o

Then add a line to the Makefile in the drivers directory:

obj-m += rwProcMem/

Edit ver_control.h to enable the pagemap macro definition: just uncomment the second macro in ver_control.h.

Start compiling

Replace the parameters below with the values printed when Android Image Kitchen unpacked your boot.img.

BUILD_CONFIG=private/msm-google/build.config.floral \
BUILD_BOOT_IMG=1 \
MKBOOTIMG_PATH=mkbootimg.py \
VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio \
KERNEL_BINARY=Image.lz4 \
BOOT_IMAGE_HEADER_VERSION=2 \
KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc loop.max_part=7 buildvariant=user" \
BASE_ADDRESS=0x00000000 \
PAGE_SIZE=4096 \
build/build.sh

After compilation completes, an output folder is produced.

The boot.img in that folder is the new kernel with the memory read/write driver embedded.

Flash the kernel

Use the command

fastboot flash boot boot.img

to flash it. Combined with the pure C read/write change described in the pre-knowledge section, most games can then be run "naked", without further anti-detection measures.

If you have read this far, I believe you have successfully compiled your own kernel.
For problems with the kernel build, you can write to my mailbox [email protected] describing the problem you ran into, with a screenshot attached; I will reply as soon as I see it.

Origin blog.csdn.net/qq_46832407/article/details/129971512