first commit

Author: AndroidReverser-Test

.gitignore

@@ -0,0 +1,15 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties

app/.gitignore

@@ -0,0 +1 @@
+/build

app/build.gradle.kts

@@ -0,0 +1,64 @@
+import com.android.build.api.dsl.Packaging
+
+plugins {
+    alias(libs.plugins.android.application)
+}
+
+android {
+    namespace = "com.test.kerneltracedemo"
+    compileSdk = 35
+
+    defaultConfig {
+        applicationId = "com.test.kerneltracedemo"
+        minSdk = 29
+        targetSdk = 35
+        versionCode = 1
+        versionName = "1.0"
+
+        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
+        externalNativeBuild {
+            cmake {
+                cppFlags += ""
+                targets +=  "kerneltracedemo"
+            }
+        }
+
+        ndk {
+            abiFilters.add("arm64-v8a") // 只编译 arm64 架构
+        }
+    }
+
+
+
+    buildTypes {
+        release {
+            isMinifyEnabled = false
+            proguardFiles(
+                getDefaultProguardFile("proguard-android-optimize.txt"),
+                "proguard-rules.pro"
+            )
+        }
+    }
+
+    compileOptions {
+        sourceCompatibility = JavaVersion.VERSION_11
+        targetCompatibility = JavaVersion.VERSION_11
+    }
+    externalNativeBuild {
+        cmake {
+            path = file("src/main/cpp/CMakeLists.txt")
+            version = "3.22.1"
+        }
+    }
+}
+
+dependencies {
+
+    implementation(libs.appcompat)
+    implementation(libs.material)
+    implementation(libs.activity)
+    implementation(libs.constraintlayout)
+    testImplementation(libs.junit)
+    androidTestImplementation(libs.ext.junit)
+    androidTestImplementation(libs.espresso.core)
+}

app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

app/src/androidTest/java/com/test/kerneltracedemo/ExampleInstrumentedTest.java

@@ -0,0 +1,26 @@
+package com.test.kerneltracedemo;
+
+import android.content.Context;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.*;
+
+/**
+ * Instrumented test, which will execute on an Android device.
+ *
+ * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
+ */
+@RunWith(AndroidJUnit4.class)
+public class ExampleInstrumentedTest {
+    @Test
+    public void useAppContext() {
+        // Context of the app under test.
+        Context appContext = InstrumentationRegistry.getInstrumentation().getTargetContext();
+        assertEquals("com.test.kerneltracedemo", appContext.getPackageName());
+    }
+}

app/src/main/AndroidManifest.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <application
+        android:extractNativeLibs="true"
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.KernelTraceDemo"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

app/src/main/cpp/CMakeLists.txt

@@ -0,0 +1,38 @@
+
+# For more information about using CMake with Android Studio, read the
+# documentation: https://d.android.com/studio/projects/add-native-code.html.
+# For more examples on how to use CMake, see https://github.com/android/ndk-samples.
+
+# Sets the minimum CMake version required for this project.
+cmake_minimum_required(VERSION 3.22.1)
+
+# Declares the project name. The project name can be accessed via ${ PROJECT_NAME},
+# Since this is the top level CMakeLists.txt, the project name is also accessible
+# with ${CMAKE_PROJECT_NAME} (both CMake variables are in-sync within the top level
+# build script scope).
+project("kerneltracedemo")
+
+# Creates and names a library, sets it as either STATIC
+# or SHARED, and provides the relative paths to its source code.
+# You can define multiple libraries, and CMake builds them for you.
+# Gradle automatically packages shared libraries with your APK.
+#
+# In this top level CMakeLists.txt, ${CMAKE_PROJECT_NAME} is used to define
+# the target library name; in the sub-module's CMakeLists.txt, ${PROJECT_NAME}
+# is preferred for the same purpose.
+#
+# In order to load a library into your app from Java/Kotlin, you must call
+# System.loadLibrary() and pass the name of the library defined here;
+# for GameActivity/NativeActivity derived applications, the same library name must be
+# used in the AndroidManifest.xml file.
+add_library(${CMAKE_PROJECT_NAME} SHARED
+    # List C/C++ source files with relative paths to this CMakeLists.txt.
+    kerneltracedemo.cpp)
+
+# Specifies libraries CMake should link to your target library. You
+# can link libraries from various origins, such as libraries defined in this
+# build script, prebuilt third-party libraries, or Android system libraries.
+target_link_libraries(${CMAKE_PROJECT_NAME}
+    # List libraries link to the target library
+    android
+    log)

app/src/main/cpp/kerneltracedemo.cpp

@@ -0,0 +1,112 @@
+#include <jni.h>
+#include <thread>
+#include <linux/unistd.h>
+#include <string>
+#include "log.h"
+#include "uprobe_trace_user.h"
+
+#define MAX_VMA_NUM 10
+
+char module_path[PATH_MAX];
+static uint64_t module_base = 0;
+unsigned long start_addrs[MAX_VMA_NUM];
+unsigned long end_addrs[MAX_VMA_NUM];
+unsigned long vma_base[MAX_VMA_NUM];
+int vma_num=0;
+
+
+
+//用于解析进程自身maps文件获取module_base，module_path以及相关可执行段地址信息的函数
+//这个示例里so是没有加密代码段，并且so在maps文件中出现的第一段内存区域的起始地址就是其加载的基址
+//在很多其他情况下并非如此，这个要看情况改变获取的方法
+bool init_vma(){
+    FILE *f;
+    char buf[256];
+    f = fopen("/proc/self/maps","r");
+    bool flag = false;
+    if(!f){
+        return false;
+    }
+    while (fgets(buf,256,f)!=NULL){
+        unsigned long tstart,tend,tbase;
+        char permissions[5];
+        int major,minor;
+        unsigned long inode;
+        char path[256];
+
+        int fields = sscanf(buf,"%lx-%lx %4s %lx %x:%x %lu %s",&tstart,&tend,permissions,&tbase,&major,&minor,&inode,path);
+        if(fields==8){
+            if(strstr(path,"libkerneltracedemo.so")){
+//                LOGD("start:%lx,end:%lx,permissions:%s,tbase:%lx\n",tstart,tend,permissions,tbase);
+                if(!flag){
+                    strcpy(module_path,path);
+                    module_base = tstart;
+                    flag = true;
+                }
+                if(permissions[2]=='x'){
+                    start_addrs[vma_num] = tstart;
+                    end_addrs[vma_num] = tend;
+                    vma_base[vma_num] = tbase;
+                    vma_num++;
+                }
+            }
+        }
+
+    }
+    fclose(f);
+    if(vma_num==0){
+        return false;
+    }
+    return true;
+}
+
+
+__attribute__((noinline)) void test_kernel_trace(){
+    LOGD("test_kernel_trace fun calling");
+}
+
+void test(){
+    while (true){
+        test_kernel_trace();
+        sleep(1);
+    }
+}
+
+JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void *reserved) {
+    if(!init_vma()){
+        LOGE("can not parse maps files");
+        return JNI_VERSION_1_6;
+    }
+    LOGD("success parse maps files");
+
+    //为KernelTrace提供必要的初始信息
+    set_target_uid(getuid());
+    set_module_base(module_base);
+    set_target_file(module_path);
+
+    LOGD("module_base:%llx,module_path:%s",module_base,module_path);
+
+    //hook前进行的一些准备
+    unsigned long test_fun_addr = (unsigned long)test_kernel_trace;
+    unsigned long test_fun_offset = test_fun_addr - module_base;
+    unsigned long uprobe_offset = 0;
+    for (int i=0;i<vma_num;i++){
+        if(test_fun_addr>start_addrs[i] && test_fun_addr<end_addrs[i]){
+            uprobe_offset = test_fun_addr-start_addrs[i]+vma_base[i];//获取uprobe offset要进行的运算
+        }
+    }
+
+    char oins[4];
+    memcpy(oins,(void *)test_kernel_trace,4);//获取被hook函数的第一条汇编指令
+    LOGD("test_fun_offset:%lx,uprobe_offset:%lx",test_fun_offset,uprobe_offset);
+    //如果so的相应汇编指令不是在so加载后才动态解密可直接设置fix_insn参数为NULL
+    //set_fun_info(uprobe_offset,test_fun_offset,"test_kernel_trace",NULL);
+
+    //不过最好还是直接读取汇编指令并传入
+    set_fun_info(uprobe_offset,test_fun_offset,"test_kernel_trace",oins);//发送hook请求
+
+    //启动测试线程开始测试
+    std::thread test_thread(test);
+    test_thread.detach();
+    return JNI_VERSION_1_6;
+}

app/src/main/cpp/log.h

@@ -0,0 +1,7 @@
+#include <android/log.h>
+
+#define LOG_TAG "Test-Log"
+#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
+#define LOGW(...) __android_log_print(ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)
+#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
+#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)

app/src/main/cpp/uprobe_trace_user.h

@@ -0,0 +1,55 @@
+#include <sys/syscall.h>
+#include <unistd.h>
+
+
+#define TRACE_FLAG 511
+#define MAX_HOOK_NUM 1000
+#define SET_TRACE_SUCCESS 1000
+#define SET_TRACE_ERROR 1001
+
+enum trace_info {
+    SET_TARGET_FILE,
+    SET_MODULE_BASE,
+    SET_FUN_INFO,
+    FIX_ORI_INS,
+    SET_TARGET_UPROBE,
+    SET_TARGET_UID,
+    CLEAR_UPROBE,
+};
+
+//	unsigned long start, size_t len, unsigned char *vec
+
+int set_module_base(unsigned long module_base){
+    int ret = syscall(__NR_mincore,module_base,TRACE_FLAG+SET_MODULE_BASE,"");
+    return ret;
+}
+
+int set_target_uid(uid_t uid){
+    int ret = syscall(__NR_mincore,uid,TRACE_FLAG+SET_TARGET_UID,"");
+    return ret;
+}
+
+int set_target_file(char* file_name){
+    int ret = syscall(__NR_mincore,0,TRACE_FLAG+SET_TARGET_FILE,file_name);
+    return ret;
+}
+
+int set_fun_info(unsigned long uprobe_offset,unsigned long fun_offset,char *fun_name,char *fix_insn){
+    int insert_key_ret = syscall(__NR_mincore,fun_offset,TRACE_FLAG+SET_FUN_INFO,fun_name);
+    if(insert_key_ret==SET_TRACE_SUCCESS){
+        if(fix_insn){
+            int fix_insn_ret = syscall(__NR_mincore,uprobe_offset,TRACE_FLAG+FIX_ORI_INS,fix_insn);
+            if(fix_insn_ret == SET_TRACE_ERROR){
+                return SET_TRACE_ERROR;
+            }
+        }
+        int ret = syscall(__NR_mincore,uprobe_offset,TRACE_FLAG+SET_TARGET_UPROBE,"");
+        return ret;
+    }
+    return SET_TRACE_ERROR;
+}
+
+int clear_all_uprobes(){
+    int ret = syscall(__NR_mincore,0,TRACE_FLAG+CLEAR_UPROBE,"");
+    return ret;
+}