一、概述
通過dlopen、dlsym獲取共享庫函式地址、全域性變數是一種經常使用到的程式設計技巧,尤其是在Hook框架中。然而無論是dlsym還是一些常用框架(如Nougat_dlfunctions),都只能搜尋**.dynsym段,而無法搜尋.symtab**段。因此實現.symtab段搜尋是一個亟待解決的問題。
本文將介紹在Nougat_dlfunctions框架基礎上,如何實現搜尋.symtab段的功能。(如果對FastHook不瞭解,請查閱FastHook——一種高效穩定、簡潔易用的Android Hook框架) 專案地址:Enhanced_dlfunctions
二、Enhanced dlfunctions實現
ELF檔案實際是個表結構,以段為單位,每個段儲存不同的資訊,段與段之間以索引來關聯形成一個表。所以只要有一個頭,就可以通過這些關係訪問所有的段,這個頭便是ELF檔案頭。下面我們來看看需要獲取那些資訊:
- ELF檔案頭:儲存所有段頭部的資訊,段頭部是描述段資訊的後設資料,可以通過段頭部來獲取段資訊。
- .shstrtab段。儲存所有的段的段名。通過ELF檔案頭,可以實現段的遍歷,而無法識別具體的段(不同段型別可以相同),因此需要用段名來確定段。
- .dynsym段:動態符號表,儲存與動態連結相關的匯入匯出符號,不包括模組內部的符號。Nougat_dlfunctions只查詢這個段,因此會漏掉很多符號。
- .dynstr段:儲存.dynsym段符號對應的符號名。
- .symtab段:符號表。儲存在程式中被定義和引用的函式和全域性變數的資訊。
- .strtab段:儲存.symtab段符號對應的符號名。
- .comment段:程式相關資訊,用與定位符號地址。
2.1 enhanced_dlopen
void *enhanced_dlopen(const char *libpath, int flags) {
FILE *maps;
char buff[256];
struct ctx *ctx = 0;
off_t load_addr, size;
int k, fd = -1, found = 0;
void *shoff;
Elf_Ehdr *elf = (Elf_Ehdr *) MAP_FAILED;
#define fatal(fmt, args...) do { log_err(fmt,##args); goto err_exit; } while(0)
maps = fopen("/proc/self/maps", "r");
if (!maps) fatal("failed to open maps");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (!found) fatal("%s not found in my userspace", libpath);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
log_info("%s loaded in Android at 0x%08lx", libpath, load_addr);
/* Now, mmap the same library once again */
fd = open(libpath, O_RDONLY);
if (fd < 0) fatal("failed to open %s", libpath);
size = lseek(fd, 0, SEEK_END);
if (size <= 0) fatal("lseek() failed for %s", libpath);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
close(fd);
fd = -1;
if (elf == MAP_FAILED) fatal("mmap() failed for %s", libpath);
ctx = (struct ctx *) calloc(1, sizeof(struct ctx));
if (!ctx) fatal("no memory for %s", libpath);
ctx->load_addr = (void *) load_addr;
shoff = ((void *) elf) + elf->e_shoff;
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {
Elf_Shdr *sh = (Elf_Shdr *) shoff;
log_dbg("%s: k=%d shdr=%p type=%d", __func__, k, sh, sh->sh_type);
switch (sh->sh_type) {
case SHT_DYNSYM:
if (ctx->dynsym) fatal("%s: duplicate DYNSYM sections", libpath); /* .dynsym */
ctx->dynsym = malloc(sh->sh_size);
if (!ctx->dynsym) fatal("%s: no memory for .dynsym", libpath);
memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_SYMTAB:
if (ctx->symtab) fatal("%s: duplicate SYMTAB sections", libpath); /* .symtab */
ctx->symtab = malloc(sh->sh_size);
if (!ctx->symtab) fatal("%s: no memory for .symtab", libpath);
memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_STRTAB:
if(!strcmp(shstr+sh->sh_name,".dynstr")) {
if (ctx->dynstr) break; /* .dynstr is guaranteed to be the first STRTAB */
ctx->dynstr = malloc(sh->sh_size);
if (!ctx->dynstr) fatal("%s: no memory for .dynstr", libpath);
memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);
}else if(!strcmp(shstr+sh->sh_name,".strtab")) {
if (ctx->strtab) break;
ctx->strtab = malloc(sh->sh_size);
if (!ctx->strtab) fatal("%s: no memory for .strtab", libpath);
memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
}
break;
case SHT_PROGBITS:
if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;
/* won't even bother checking against the section name */
ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;
break;
}
}
munmap(elf, size);
elf = 0;
if (!ctx->dynstr || !ctx->dynsym) fatal("dynamic sections not found in %s", libpath);
#undef fatal
log_dbg("%s: ok, dynsym = %p, dynstr = %p symtab = %p strtab = %p", libpath, ctx->dynsym, ctx->dynstr, ctx->symtab, ctx->strtab);
return ctx;
}
複製程式碼1. 獲取so載入的地址,儲存在load_addr
maps = fopen("/proc/self/maps", "r");
while (!found && fgets(buff, sizeof(buff), maps))
if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;
fclose(maps);
if (sscanf(buff, "%lx", &load_addr) != 1)
fatal("failed to read load address for %s", libpath);
複製程式碼2. 重新對映so,獲取ELF檔案頭
fd = open(libpath, O_RDONLY);
size = lseek(fd, 0, SEEK_END);
elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
複製程式碼3. 獲取.shstrtab段。
Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);
char * shstr = malloc(shstrtab->sh_size);
memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
複製程式碼4.獲取.dynsym段、.dynstr段、.symtab段、.strtab段
for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {
Elf_Shdr *sh = (Elf_Shdr *) shoff;
switch (sh->sh_type) {
case SHT_DYNSYM:
ctx->dynsym = malloc(sh->sh_size);
memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_SYMTAB:
ctx->symtab = malloc(sh->sh_size);
memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));
break;
case SHT_STRTAB:
if(!strcmp(shstr+sh->sh_name,".dynstr")) {
ctx->dynstr = malloc(sh->sh_size);
memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);
}else if(!strcmp(shstr+sh->sh_name,".strtab")) {
ctx->strtab = malloc(sh->sh_size);
memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);
}
break;
case SHT_PROGBITS:
if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;
ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;
break;
}
}
複製程式碼2.2 enhanced_dlsym
void *enhanced_dlsym(void *handle, const char *name) {
int k;
struct ctx *ctx = (struct ctx *) handle;
Elf_Sym *dynsym = (Elf_Sym *) ctx->dynsym;
Elf_Sym *symtab = (Elf_Sym *) ctx->symtab;
char *dynstr = (char *) ctx->dynstr;
char *strtab = (char *) ctx->strtab;
for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {
if (strcmp(dynstr + dynsym->st_name, name) == 0) {
void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
if(symtab) {
for (k = 0; k < ctx->symtab_num; k++, symtab++) {
sym_tab->st_name,strings + sym_tab->st_name,k);
if (strcmp(strtab + symtab->st_name, name) == 0) {
void *ret = ctx->load_addr + symtab->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
}
return 0;
}
複製程式碼1. 先查詢.dynsym段。遍歷.dymsym所有符號,查詢符號名與給定字串一致的符號。用load_addr、bias結合符號偏移來獲取實際地址。
for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {
if (strcmp(dynstr + dynsym->st_name, name) == 0) {
void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
複製程式碼2. 如果.dynsym段找不到目標符號且.symtab段存在時,遍歷.symtab所有符號,查詢符號名與給定字串一致的符號。用load_addr、bias結合符號偏移來獲取實際地址。
for (k = 0; k < ctx->symtab_num; k++, symtab++) {
sym_tab->st_name,strings + sym_tab->st_name,k);
if (strcmp(strtab + symtab->st_name, name) == 0) {
void *ret = ctx->load_addr + symtab->st_value - ctx->bias;
log_info("%s found at %p", name, ret);
return ret;
}
}
複製程式碼三、結語
Nougat_dlfunctions只支援arm平臺,而我在實際工作中也不涉及到x86平臺,所以Enhanced dlfunctions暫時只支援arm32和arm64,如果要相容x86等其他平臺也不難,不需要改實現,主要就是elf.h一些結構體的不同。