7

将Frida内置进AOSP中

 2 years ago
source link: https://www.cnblogs.com/Tu9oh0st/p/15391266.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

将Frida内置进AOSP中

  • 系统:Ubuntu20
  • aosp版本:10r2
  • 下载最新的ndk lts,我选择22,我选择最新的lts版本,在make的时候可能会要求让你选择22,所以选择lts的上一个版本即可。
  • 确保GCC的版本在7.5以上
  • 相应的工具链要在PATH中,比如ptython3,Node.JS

编译frida

下载相应的库:

sudo apt-get install build-essential curl git lib32stdc++-9-dev ibc6-dev-i386 nodejs npm python3-dev python3-pip gcc-multilib g++-multilib

将NDK加入到环境变量中:

Export ANDROID_NDK_ROOT=your_ndk_path

Export PATH=ANDROIDNDKROOT:ANDROIDNDKROOT:PATH

下载frida源码:

git clone --recurse-submodules https://github.com/frida/frida.git

官方toolchainsdk下载地址如下

其中20210123fridareleng/deps.mk中的frida_deps_version

后面部分则是toolchain-{平台+架构}.tar.bz2

https://build.frida.re/deps/20210123/toolchain-linux-x86_64.tar.bz2

https://build.frida.re/deps/20210123/sdk-linux-x86_64.tar.bz2

https://build.frida.re/deps/20210123/sdk-android-arm.tar.bz2

https://build.frida.re/deps/20210123/sdk-android-arm64.tar.bz2

可以手动下载上面的文件,然后在frida的文件夹下新建build文件夹

然后将文件放入build即可

现在执行releng/setup-env.sh

不过个人认为手动方便一点,因为编译时的网络访问问题真的烦人(省略N字)

编译frida:

make core-android-arm64

编译成功:

编译AOSP10

链接:https://pan.baidu.com/s/1MYTdT4pxMo8vsq5CxPFVZg

提取码:yuov

下载aosp 10 源码。

解压后,下载驱动文件:https://developers.google.com/android/drivers#sailfishqp1a.190711.020

再执行驱动文件即可。

下载相应的库:

sudo apt-get install -y openjdk-8-jdk

sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev libgl1-mesa-dev libxml2-utils xsltproc unzip

source build/envsetup.sh

lunch

选择好对应的版本就进行编译

如果出现如下错误:

[ 37% 50/135] test github.com/google/blueprint/pathtools
FAILED: out/soong/.bootstrap/blueprint-pathtools/test/test.passed
out/soong/.bootstrap/bin/gotestrunner -p ./build/blueprint/pathtools -f out/soong/.bootstrap/blueprint-pathtools/test/test.passed -- out/soong/.bootstrap/blueprint-pathtools/test/test -test.short
--- FAIL: TestGlobEscapes (0.00s)
 --- FAIL: TestGlobEscapes//* (0.00s)
 glob_test.go:562: incorrect matches list:
 glob_test.go:562: pattern: "/"
 glob_test.go:562: got: []string{"/", "a/", "b", "/a", "/b/", "/b/b", "a/a"}
 glob_test.go:562: expected: []string{"", "/", "?", "a/", "b", "/", "/a", "/b/", "/b/b", "a/a"}
 --- FAIL: TestGlobEscapes//* (0.00s)
 glob_test.go:562: incorrect matches list:
 glob_test.go:562: pattern: "/\"
 glob_test.go:562: got: []string(nil)
 glob_test.go:562: expected: []string{"", "/"}
 --- FAIL: TestGlobEscapes/**/* (0.00s)
 glob_test.go:562: incorrect matches list:
 glob_test.go:562: pattern: "\\/"
 glob_test.go:562: got: []string{"/a", "/b/"}
 glob_test.go:562: expected: []string{"/", "/a", "/b/"}
 --- FAIL: TestGlobEscapes/**//* (0.00s)
 glob_test.go:562: incorrect matches list:
 glob_test.go:562: pattern: "\\//"
 glob_test.go:562: got: []string{"/a", "/b/", "/b/b"}
 glob_test.go:562: expected: []string{"/", "/a", "/b/", "/b/b"}
FAIL
05:04:52 soong bootstrap failed with: exit status 1

该错误应该是源码问题,所以我后来使用repo重新同步了一次源码

// 创建bin目录
mkdir ~/bin
PATH=~/bin:$PATH
// 下载repo启动器
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo
// 创建AOSP源码目录 
mkdir aosp10r2
cd aosp10r2
// 初始化源码仓库, 选择与设备对应的源码tag版本
repo init -u https://android.googlesource.com/platform/manifest -b android-10.0.0_r2
// 下载
repo sync

我这边是挂梯子下载的,速度还行,如果不行请使用清华园或者是中科大。北清华、南科大。

修改AOSP10r2源码将frida内置

方案一,使用frida-gadget配合config文件来做配合。

根据gadget官网文档中描述的,该方案已经被人利用成功过,所以直接站在巨人的肩膀上可以省力不少,其次,该方案不需要root权限,对于内置frida来说很方便,因为root这个权限也是相当危险的。

方案二,userdebug模式,将frida内置到系统中

将编译完成的frida-gadget.so拷贝出来,放到aosp10r2/out/target/product/sailfish/system/lib64/下

如果是32位的gadget,就放到aosp10r2/out/target/product/sailfish/system/lib/下,并都添加lib前缀。

其次还需要配置config文件,文件名为libfrida-gadget.config.so,lib开头,config.so结尾,中间的名字按照放到lib下的firda文件名来确定,内容如下:

{
  "interaction": {
    "type": "listen",
    "address": "127.0.0.1",
    "port": 27042,
    "on_load": "resume"
  }
}

64位frida-gadget.so在frida/build/frida-android-arm64/lib/frida/64/frida-gadget.so

修改aosp/framework/base/core/jni/com_android_internal_os_Zygote.cpp中的com_android_internal_os_Zygote_nativeForkAndSpecialize函数,以及需要在文件上面添加#include <dlfcn.h>,导入dlopen相关函数。

static jint com_android_internal_os_Zygote_nativeForkAndSpecialize(
        JNIEnv* env, jclass, jint uid, jint gid, jintArray gids,
        jint runtime_flags, jobjectArray rlimits,
        jint mount_external, jstring se_info, jstring nice_name,
        jintArray managed_fds_to_close, jintArray managed_fds_to_ignore, jboolean is_child_zygote,
        jstring instruction_set, jstring app_data_dir) {
    jlong capabilities = CalculateCapabilities(env, uid, gid, gids, is_child_zygote);

    if (UNLIKELY(managed_fds_to_close == nullptr)) {
      ZygoteFailure(env, "zygote", nice_name, "Zygote received a null fds_to_close vector.");
    }

    std::vector<int> fds_to_close =
        ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_close).value();
    std::vector<int> fds_to_ignore =
        ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_ignore)
            .value_or(std::vector<int>());

    std::vector<int> usap_pipes = MakeUsapPipeReadFDVector();

    fds_to_close.insert(fds_to_close.end(), usap_pipes.begin(), usap_pipes.end());
    fds_to_ignore.insert(fds_to_ignore.end(), usap_pipes.begin(), usap_pipes.end());

    fds_to_close.push_back(gUsapPoolSocketFD);

    if (gUsapPoolEventFD != -1) {
      fds_to_close.push_back(gUsapPoolEventFD);
      fds_to_ignore.push_back(gUsapPoolEventFD);
    }

    pid_t pid = ForkCommon(env, false, fds_to_close, fds_to_ignore);

    if (pid == 0) {
      SpecializeCommon(env, uid, gid, gids, runtime_flags, rlimits,
                       capabilities, capabilities,
                       mount_external, se_info, nice_name, false,
                       is_child_zygote == JNI_TRUE, instruction_set, app_data_dir);
      #if defined(__arm__) || defined(__arm64__)
        {
            #if defined(__arm__)
                #define FRIDA_LIB "/system/lib/libfrida-gadget_arm_32.so"
            #else
                #define FRIDA_LIB "/system/lib64/libfrida-gadget_arm_64.so"
            #endif
            const char *name = env->GetStringUTFChars(nice_name, 0);
            void* frida = dlopen(FRIDA_LIB, RTLD_NOW);
            if(NULL == frida) {
                ALOGE("(%s) load frida-gadget(%s) failed, err= %d\n", name, FRIDA_LIB, errno);
            } else {
                ALOGI("(%s) load frida-gadget(%s) success\n", name, FRIDA_LIB);
            }
            env->ReleaseStringUTFChars(nice_name, name);
        }
       #endif 
    }
    return pid;
}

Frida-ps -U没问题,但是firda -UF 会有问题。

__EOF__


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK