[原创] krhook模块(krhook实现了拦截系统调用并进行用户层堆栈回溯的功能)使用介绍

发表于: 2021-9-29 12:10 9581

[原创] krhook模块(krhook实现了拦截系统调用并进行用户层堆栈回溯的功能)使用介绍

github_yhnu 活跃值

2021-9-29 12:10

9581

krhook/kr_offline工具使用说明

前段时间做了krhook模块(在内核层拦截系统调用, 进行用户层堆栈回溯), 已经通过日志打印出了maps信息和pc调用链, 为了达到类似安卓崩溃分析的效果, 我们还需要一个离线工具,具体原理可以参考

870K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6N6i4m8H3L8%4u0@1i4K6u0W2N6h3&6A6N6s2W2Q4x3X3g2U0L8$3#2Q4x3V1k6Z5j5#2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6S2M7Y4c8A6j5$3I4W2M7#2)9J5c8U0p5I4y4e0l9H3x3o6t1&6x3U0p5$3y4W2)9J5k6q4y4&6L8h3u0G2L8r3W2U0j5i4c8W2i4K6u0V1b7h3&6V1M7X3!0A6k6q4)9J5k6r3y4J5j5i4y4Z5

先简单讲讲krhook模块的优点

krhook实现了拦截系统调用并进行用户层堆栈回溯的功能, 所有操作均在内核层进行处理, 可以过所有的防护系统

阅读须知.阅读须知.阅读须知.

因为内核层兼容比较复杂, 如果遇到对应问题, 先查看环境是否一致(内核版本需要为4.14.117且自己做过修改, 对应系统为安卓10)

自己先写一个APP方便理解对应的原理

对应示例代码

using System.Collections;
using System.Collections.Generic;
using System.IO;
using UnityEngine;
 
public class FileOpenTest : MonoBehaviour
{
    public void FileOpen()
    {
        byte[] data = { 1, 2, 3, 4 };
        // below it will call openat and tigger krhook for stack walk
        var fileStream = File.Open(Path.Combine(Application.persistentDataPath, "a.txt"), FileMode.OpenOrCreate);
        fileStream.Write(data, 0, data.Length);
        fileStream.Close();
    }
}

如果你想简单那就用下面的apk即可

86bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4u0W2L8r3g2S2M7$3g2K6i4K6u0r3k6r3!0%4L8X3I4G2j5h3c8Q4x3V1k6$3x3g2)9J5k6e0m8Q4x3V1k6V1k6h3#2G2i4K6u0W2j5i4m8C8

安装对应的apk,获取uid为10226

OnePlus7T:/data/local/tmp # ps -ef |grep krh
u0_a226      23140   757 2 23:11:53 ?     00:11:41 com.DefaultCompany.krhook_unity3d
root         26124  7633 3 11:40:54 pts/1 00:00:00 grep krh
OnePlus7T:/data/local/tmp #

启动krhook模块, 并开启uid过滤(这就是为什么上面需要拿到uid的原因, 另外如果app不卸载, uid并不会变化)

OnePlus7T:/data/local/tmp # insmod krhook.ko
OnePlus7T:/data/local/tmp # lsmod
Module                  Size  Used by
krhook                 24576  0
wlan                 7323648  0
rmnet_perf             36864  0
OnePlus7T:/data/local/tmp # echo 10226 > /dev/mypid
OnePlus7T:/data/local/tmp #

点击apk对应的按钮, 触发openat调用

OnePlus7T:/data/local/tmp # dmesg
[63479.878705] [20210929_08:59:12.888466]@5 [s]openat /storage/emulated/0/Android/data/com.DefaultCompany.krhook_unity3d/files/a.txt
......
[63479.879722] [20210929_08:59:12.889486]@5 [m]0x703dd51000-0x7040000000 0x00000000 r--p /data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
[63479.879730] [20210929_08:59:12.889494]@5 [m]0x7071b4e000-0x7071c6c000 0x00000000 r--p /apex/com.android.runtime/lib64/bionic/libc.so
[63479.879735] [20210929_08:59:12.889499]@5 [m]0x7071c6c000-0x7075000000 0x00000000 r--p /data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so
[63479.879741] [20210929_08:59:12.889506]@5 [m]0x7079bee000-0x707bbee000 rw-s
[63479.879746] [20210929_08:59:12.889511]@5 [m]0x707dbee000-0x707e5f7000 rw-s
[63479.879751] [20210929_08:59:12.889515]@5 [m]0x707e5f7000-0x707f000000 rw-s
[63479.879757] [20210929_08:59:12.889521]@5 [m]0x70a035c000-0x70a0d65000 rw-s
[63479.879762] [20210929_08:59:12.889526]@5 [m]0x70a0d65000-0x70a0ec9000 0x00000000 r--p /vendor/lib64/hw/vulkan.msmnile.so
[63479.879766] [20210929_08:59:12.889531]@5 [m]0x70a0ec9000-0x70a0fd7000 0x00164000 --xp /vendor/lib64/hw/vulkan.msmnile.so
[63479.879770] [20210929_08:59:12.889535]@5 [m]0x70a0fd7000-0x70a0fe7000 0x00272000 rw-p /vendor/lib64/hw/vulkan.msmnile.so
[63479.879774] [20210929_08:59:12.889539]@5 [m]0x70a0fe7000-0x70a0fef000 0x00282000 r--p /vendor/lib64/hw/vulkan.msmnile.so
[63479.879800] [20210929_08:59:12.889564]@5 [m]0x7184a03000-0x7185d88000 0x00000000 r-xp /data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so
......
[63480.310487] [20210929_08:59:13.320249]@5 [e]openat [/storage/emulated/0/Android/data/com.DefaultCompany.krhook_unity3d/files/a.txt] current->pid:[23205] ppid:[757] uid:[10226] tgid:[23140] stack:0x7277206388|0x7184f09c18|0x7184f2b568|0x718597e054|0x7185971930|0x718596fa6c|0x718596b93c|0x718596b8b0|0x718599e918|0x718548ffd8|0x718549c290|0x718549f61c|0x71852ed8b0|0x71852ed980|0x7184ded750|0x71852d80b8|0x71855edd38|0x71857c53fc|0x7184df0ab0|0x71852e7388|0x71852e583c|0x71852e50cc|0x7184d4f84c|0x71852d67e4|0x7184d6b230|0x7184f9feac|0x7184f02f04|0x718a4341d0|0xffffffffffffffff|

将上面的日志信息完整的保存下来

3e2K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8X3u0D9L8$3u0Q4x3V1k6V1k6i4k6Q4x3V1k6C8M7W2)9#2k6X3!0X3k6X3I4A6L8X3g2Q4x3V1k6V1k6h3#2G2i4K6u0W2K9%4u0Z5L8$3!0C8i4K6u0W2N6s2S2@1

堆栈还原

需要借助离线工具

9edK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4u0W2L8r3g2S2M7$3g2K6i4K6u0r3k6r3!0%4L8X3I4G2j5h3c8Q4x3V1k6$3x3g2)9J5k6e0m8Q4x3V1k6C8M7W2)9#2k6X3!0X3k6X3I4A6L8X3g2Q4x3X3g2W2P5r3f1`.

通过日志信息我们可以知道应用程序so对应的目录为 /data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/

执行下面的命令

1 2	`adb pull` `/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64` `kr_offline.exe demo.krhook.txt arm64`

我们就获得了用户层的完整调用链

-----------------------------------------
openat[/storage/emulated/0/Android/data/com.DefaultCompany.krhook_unity3d/files/a.txt] dump stack:
/apex/com.android.runtime/lib64/bionic/libc.so/0x7277145000 + 0xc1388 (__openat multf3.c:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x506c18 (_ZN6il2cpp2os4File4OpenERKNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEEiiiiPi ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x528568 (_ZN6il2cpp6icalls8mscorlib6System2IO6MonoIO6Open40EPDsiiiiPi ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf7b054 (MonoIO_Open_m194115823A6163255C8845AB97ADF010DAD88E22 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf6e930 (MonoIO_Open_m75D574F44B3C1E6FA4E245D48D5AC73F70BE16B7 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf6ca6c (FileStream__ctor_mBC5F76C88DBC8C81D1F83407197D75F36E1ADBD7 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf6893c (FileStream__ctor_mB254658F1E758D76B41C942CB91BDF38FD544C83 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf688b0 (File_Open_mDA5EB4A312EAEBF8543B13C572271FB5F673A501 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xf9b918 (FileOpenTest_FileOpen_m76B8151D8C479F745ECF6F56D62D556DB2435397 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xa8cfd8 (UnityAction_Invoke_mC9FF5AA1F82FDE635B3B6644CE71C94C31C3E71A ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xa99290 (InvokableCall_Invoke_m0B9E7F14A2C67AB51F01745BD2C6C423114C9394 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xa9c61c (UnityEvent_Invoke_mB2FA1C76256FE34D5E7F84ABE528AC61CE8A0325 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8ea8b0 (Button_Press_m33BA6E9820146E8EED7AB489A8846D879B76CF41 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8ea980 (Button_OnPointerClick_m4C4EDB8613C2C5B391EFD3A29C58B0AA00DD9B91 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x3ea750 (_ZN23InterfaceActionInvoker1IP58PointerEventData_tC18994283B7753E430E316A62D9E45BA6D644C63E6InvokeEjP11Il2CppClassP12Il2CppObjectS1_ ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8d50b8 (ExecuteEvents_Execute_m24768528CCF25F4ADB0E66538ABF950C8EE2E9B0 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xbead38 (EventFunction_1_Invoke_mB923A0E7E49A56D420C97EB6D98A660EAF8A348D_gshared ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0xdc23fc (ExecuteEvents_Execute_TisRuntimeObject_m69C612263456A3111F97114B38B8A0E2E16E4347_gshared ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x3edab0 (_Z129ExecuteEvents_Execute_TisIPointerClickHandler_t337D40B4F0C87DA190B55BF225ADB716F4ADCA13_mB8A59713F468FB6A061C8A5DF7FF205EE1C9A855P52GameObject_tBD1244AD56B4E59AAD76E5E7C9282EC5CE434F0FP55BaseEventData_t46C9D2AE3183A742EDE89944AF64A23DBF1B80A5P57EventFunction_1_t7BFB6A90DB6AE5607866DE2A89133CA327285B1EPK10MethodInfo ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8e4388 (StandaloneInputModule_ProcessTouchPress_m46FBF040EAB0A0F8D832FEB600EF0B9C48E13F61 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8e283c (StandaloneInputModule_ProcessTouchEvents_m74C783AF0B4D517978ECCE3E8A1081F49D174F69 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8e20cc (StandaloneInputModule_Process_mF637455BCED017FB359E090B58F15C490EFD2B54 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x34c84c (_ZN18VirtActionInvoker06InvokeEjP12Il2CppObject ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x8d37e4 (EventSystem_Update_m12CAEF521A10D406D1A6EA01E00DD851683C7208 ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x368230 (_Z65RuntimeInvoker_TrueVoid_t22962CB4C05B1D89B55A6E1139F0E87A90987017PFvvEPK10MethodInfoPvPS4_ ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x59ceac (_ZN6il2cpp2vm7Runtime6InvokeEPK10MethodInfoPvPS5_PP15Il2CppException ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libil2cpp.so/0x7184a03000 + 0x4fff04 (il2cpp_runtime_invoke ??:? )
/data/app/com.DefaultCompany.krhook_unity3d-PL6MaRBI5vxhNhVP3URXtA==/lib/arm64/libunity.so/0x7189808000 + 0xc2c1d0 (_Z23scripting_method_invoke18ScriptingMethodPtr18ScriptingObjectPtrR18ScriptingArgumentsP21ScriptingExceptionPtrb ??:? )

对应工具和链接

a72K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4c8J5k6h3g2Q4x3V1k6E0j5i4y4@1k6i4u0Q4x3V1k6C8M7W2)9#2k6X3!0X3k6X3I4A6L8X3f1`.

096K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4c8J5k6h3g2Q4x3V1k6E0j5i4y4@1k6i4u0Q4x3V1k6C8M7X3S2G2L8$3D9`.

5f5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4u0W2L8r3g2S2M7$3g2K6

总结

通过上面的操作步骤就可以拿到对应的用户层堆栈, 为我们逆向打开一扇窗户, 后期会开发硬件断点然后离线回溯的功能, 敬请期待.

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

最后于 2022-4-7 11:46 被github_yhnu编辑，原因：

#逆向分析 #NDK分析 #HOOK注入 #源码框架

收藏・19

免费・3

支持

最新回复 (1)
雅鸦歌雪币： 110 活跃值： (954) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 91 粉丝 0 关注私信	雅鸦歌 2 楼 m 最后于 2022-3-11 18:02 被雅鸦歌编辑，原因： 2021-9-29 14:50 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

github_yhnu

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号