最近在研究进程注入,目前只做到了在 PC 上(通过 adb + root)把 so 注入安卓进程,并改写宿主进程中已加载 .so 的全局变量——改的是进程内存里的值,磁盘上的 .so 文件本身并没有被改动。
先记录一些参考贴:
http://blog.csdn.net/l173864930/article/details/38455951
http://www.cnblogs.com/lanrenxinxin/p/4712222.html
https://www.2cto.com/kf/201411/351143.html
http://blog.csdn.net/qq1084283172/article/details/53869796
【最简单的so注入:在myso.so(病毒)中通过dlopen/dlsym调用宿主库(inso.so)导出的C接口setA,改变inso.so中全局变量gA的值】
参考贴:https://www.2cto.com/kf/201411/351143.html
1.材料:Poison应用(在上面的参考贴里有实现代码和最终的应用)
Android.mk:
LOCAL_PATH := $(call my-dir)

# Myso: the payload library that gets injected into the host process.
include $(CLEAR_VARS)
LOCAL_MODULE          := myso
LOCAL_MODULE_FILENAME := libmyso
LOCAL_SRC_FILES       := myso.cpp
# -llog links liblog (used by the LOGI() macro from log.h); the explicit
# -L$(SYSROOT)/usr/lib search path is kept exactly as in the original.
LOCAL_LDLIBS          += -L$(SYSROOT)/usr/lib -llog
include $(BUILD_SHARED_LIBRARY)

# Inso: the host library loaded by MainActivity; its JNI glue is in JniTest.cpp.
include $(CLEAR_VARS)
LOCAL_MODULE          := inso
LOCAL_MODULE_FILENAME := libinso
LOCAL_SRC_FILES       := inso.cpp \
                         JniTest.cpp
LOCAL_LDLIBS          += -L$(SYSROOT)/usr/lib -llog
include $(BUILD_SHARED_LIBRARY)
Application.mk
# ABIs the modules are built for. Only armeabi-v7a is produced, so the host
# app process must itself be running as 32-bit ARM for libmyso.so to be loadable.
APP_ABI := armeabi-v7a

# Toolchain version used to compile and link (left commented out, as in the original).
#NDK_TOOLCHAIN_VERSION = 4.9
myso.cpp(病毒so文件的源码)
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
#include <pthread.h>
#include <stddef.h>
#include "log.h"
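// Payload: a global object whose constructor runs when the dynamic linker
// initialises libmyso.so — i.e. the moment the injector gets the host process
// to load it — so the host's state is rewritten without the host calling anything.
class PoisonObj{
public:
    PoisonObj(){
        LOGI(">>>>>>>>>>>>>PoisonObj()<<<<<<<<<<<<<<");
        // libinso.so is already loaded by MainActivity (System.loadLibrary("inso")),
        // so this dlopen is expected to just return a handle to the existing mapping.
        void* handle = dlopen("libinso.so", RTLD_NOW);
        if (handle == NULL) {
            // The original passed a possibly-NULL handle straight to dlsym; bail out
            // explicitly instead. dlerror() holds the reason; LOGI's arity is not known
            // from log.h here, so it is not formatted into the message.
            LOGI("PoisonObj: dlopen(libinso.so) failed");
            return;
        }
        // setA is a C-linkage symbol exported with default visibility by libinso.so;
        // that exported symbol is the whole attack surface this demo relies on.
        void (*setA_func)(int) = (void (*)(int))dlsym(handle, "setA");
        if (setA_func) {
            setA_func(999);
        } else {
            LOGI("PoisonObj: dlsym(setA) failed");
        }
        // The handle is deliberately not dlclose()d, as in the original; the host
        // keeps libinso.so mapped regardless, so the extra reference is harmless.
    }
    ~PoisonObj(){}
} ppt;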
// Prototypes for the host's C-linkage functions. PoisonObj above does not use
// them — it resolves setA at runtime through dlsym() — so linking libmyso.so
// needs no definition of either; `display` has no definition anywhere in this listing.
extern "C" void setA(int i);
extern "C" void display();
inso.cpp(宿主so文件的源码)
// Host-side state that the injected payload overwrites. It has internal
// linkage, so from outside the library it is reachable only through the two
// exported C-linkage accessors below — and exactly those exported symbols are
// what libmyso.so looks up with dlsym("setA").
static int gA = 1;

// Read the shared value.
extern "C" int getA(){
    return gA;
}

// Overwrite the shared value; `i` is stored as-is, nothing is validated.
extern "C" void setA(int i){
    gA = i;
}
JniTest.cpp
#include <jni.h>
#include <string.h>
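extern "C"{
// Defined in inso.cpp; resolved at link time since both files go into libinso.so.
extern int getA();

// JNI entry point for MainActivity.nativeGetA(Context).
// The original body called getA() but never returned its value, so the Java
// side received whatever happened to be in the return register; return it
// explicitly. `context` is part of the Java signature but is not used here.
JNIEXPORT jint JNICALL Java_com_example_poison_MainActivity_nativeGetA(JNIEnv *env, jobject thiz, jobject context){
    return getA();
}
}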
MainActivity.java
package com.example.poison;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;
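public class MainActivity extends Activity {
    // Only the host library is loaded by the app itself. Loading "myso" here
    // would run PoisonObj's constructor without any injection — useful for
    // testing the payload on its own, but it is the injector's job in this demo.
    static {
        System.loadLibrary("inso");
        //System.loadLibrary("myso");
    }

    /**
     * Reads gA from libinso.so through the JNI glue in JniTest.cpp.
     * The Context argument is part of the JNI signature but is not used natively.
     */
    native public int nativeGetA(Context context);

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button btnLog = (Button) findViewById(R.id.btnLog);
        btnLog.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View arg0) {
                // Poll gA once a second so the effect of the injection shows up in logcat.
                new Thread(new Runnable() {
                    @Override
                    public void run() {
                        while (true) {
                            Log.i("TTT", "----------num is " + nativeGetA(MainActivity.this));
                            try {
                                Thread.sleep(1000L);
                            } catch (Exception e) {
                                e.printStackTrace();
                            }
                        }
                    }
                }).start(); // was .run(), which executed this endless loop synchronously
                            // inside onClick on the UI thread instead of on a new thread
            }
        });
    }
}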
2.注入步骤(需要 root;下面除以 adb 开头的命令外,其余都在 adb shell 里执行):
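# On the host: push the injector and the payload library to the device.
adb push poison /data/local/tmp
adb push libmyso.so /data/local/tmp
# 0755 is enough (the injector must be executable, the payload must be readable
# by the target app). The original used 0777, which also makes both files
# world-writable, so any other process on the device could swap the payload
# before it is injected.
adb shell chmod 0755 /data/local/tmp/poison
adb shell chmod 0755 /data/local/tmp/libmyso.so
adb shell
su                                  # the injector attaches to another uid's process, so it needs root
# Find the target pid (17569 is used below as an example). On newer Android
# builds `ps` alone only lists the shell's own processes; use `ps -A | grep ...` there.
ps | grep com.example.poison
# The original pointed at libmobisec.so, which was never pushed; the payload is libmyso.so.
/data/local/tmp/poison /data/local/tmp/libmyso.so 17569
# libmyso.so shows up in the target's mappings only after injection.
cat /proc/17569/maps | grep libmyso.so
# Back on the host (or in a second terminal): watch the host app's log output.
adb logcat -s TTT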
3.检查效果
日志tag为"TTT"。可以看到,注入之后 inso.so 中 gA 的值从 1 变成了 999。注意这只是改了宿主进程内存中的值:gA 在 inso.cpp 里初始化为 1,应用重启后又会回到 1。
----------num is 1
----------num is 1
----------num is 1
>>>>>>>>>>>>PoisonObj()<<<<<<<<<<<<<
----------num is 999
----------num is 999
----------num is 999
4.原理
1.宿主程序运行,打印num
2.注入器(poison)把 libmyso.so 加载进宿主进程(注入后能在 /proc/PID/maps 里看到它)。myso.cpp 中有一个 PoisonObj 的全局对象 ppt,动态链接器在加载这个 so 时会执行它的构造函数;构造函数里 dlopen 已经加载的 libinso.so,用 dlsym 找到它导出的 setA,把 gA 改成 999
3.继续打印num的值