Add detection using smaps

Currently, detection using stats map is still unstable, we add this
commit for future tests.

Author: JingMatrix

README.md

@@ -1,4 +1,4 @@
-# Detecting library injection in memory using `solist` and `virtual maps`
+# Detecting library injection in memory
 
 ## Detection using `solist`
 

app/src/main/cpp/CMakeLists.txt

@@ -29,7 +29,7 @@ set(CMAKE_CXX_STANDARD 20)
 # used in the AndroidManifest.xml file.
 add_library(${CMAKE_PROJECT_NAME} SHARED
         # List C/C++ source files with relative paths to this CMakeLists.txt.
-        elf_util.cpp native-lib.cpp solist.cpp vmap.cpp)
+        elf_util.cpp native-lib.cpp smap.cpp solist.cpp vmap.cpp)
 
 target_include_directories(${CMAKE_PROJECT_NAME} PUBLIC include)
 # Specifies libraries CMake should link to your target library. You

app/src/main/cpp/include/smap.h

@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <string>
+#include <unistd.h>
+
+namespace StatsMap {
+struct SmapsEntry {
+  int64_t size_kb = -1;
+  int64_t private_dirty_kb = -1;
+  int64_t swap_kb = -1;
+  std::string pathname;
+};
+struct SmapsParserState {
+  bool parsed_header = false;
+  SmapsEntry current_entry{};
+};
+
+template <typename T> static bool ParseSmaps(FILE *f, T callback);
+static inline const char *FindNthToken(const char *line, size_t n, size_t size);
+
+template <typename T>
+static bool ParseSmapsLine(char *line, size_t size, SmapsParserState *state,
+                           T callback);
+
+SmapsEntry DetectInjection(std::string lib);
+} // namespace StatsMap

app/src/main/cpp/native-lib.cpp

@@ -1,4 +1,5 @@
 #include "logging.h"
+#include "smap.h"
 #include "solist.hpp"
 #include "vmap.hpp"
 #include <format>
@@ -11,19 +12,33 @@ Java_org_matrix_demo_MainActivity_stringFromJNI(JNIEnv *env,
 
   std::string solist_detection = "No injection found using solist";
   std::string vmap_detection = "No injection found using vitrual map";
+  std::string smap_detection = "No injection found using stats map";
   SoList::SoInfo *abnormal_soinfo = SoList::DetectInjection();
-  VirtualMap::MapInfo *abnormal_map = VirtualMap::DetectInjection();
+  VirtualMap::MapInfo *abnormal_vmap = VirtualMap::DetectInjection();
+  /* StatsMap::SmapsEntry abnormal_smap = */
+  /*     StatsMap::DetectInjection(std::string("libharfbuzz_ng.so")); */
+
   if (abnormal_soinfo != nullptr) {
-    solist_detection = std::format("Solist: injection at {}", (void *)abnormal_soinfo);
+    solist_detection =
+        std::format("Solist: injection at {}", (void *)abnormal_soinfo);
     LOGE("Abnormal soinfo %p: %s loaded at %s", abnormal_soinfo,
          abnormal_soinfo->get_name(), abnormal_soinfo->get_path());
   }
 
-  if (abnormal_map != nullptr) {
-    vmap_detection = std::format("Virtual map: injection at {}", abnormal_map->path);
-    LOGE("Abnormal map %s: [0x%lx-0x%lx]", abnormal_map->path.data(),
-         abnormal_map->start, abnormal_map->end);
+  if (abnormal_vmap != nullptr) {
+    vmap_detection =
+        std::format("Virtual map: injection at {}", abnormal_vmap->path);
+    LOGE("Abnormal vmap %s: [0x%lx-0x%lx]", abnormal_vmap->path.data(),
+         abnormal_vmap->start, abnormal_vmap->end);
   }
 
-  return env->NewStringUTF((solist_detection + "\n" + vmap_detection).c_str());
+  /* if (abnormal_smap.private_dirty_kb != -1) { */
+  /*   smap_detection = */
+  /*       std::format("Stats map: injection at {}", abnormal_smap.pathname); */
+  /*   LOGE("Abnormal smap %s", abnormal_smap.pathname.data()); */
+  /* } */
+
+  return env->NewStringUTF(
+      (solist_detection + "\n" + vmap_detection + "\n" + smap_detection)
+          .c_str());
 }

app/src/main/cpp/smap.cpp

@@ -0,0 +1,94 @@
+#include "smap.h"
+#include "logging.h"
+#include <errno.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <unistd.h>
+namespace StatsMap {
+
+template <typename T> static bool ParseSmaps(FILE *f, T callback) {
+  SmapsParserState state;
+  size_t line_size = 1024;
+  char *line = static_cast<char *>(malloc(line_size));
+  for (;;) {
+    errno = 0;
+    ssize_t rd = getline(&line, &line_size, f);
+    if (rd == -1) {
+      free(line);
+      if (state.parsed_header)
+        callback(state.current_entry);
+      return errno == 0;
+    } else {
+      if (line[rd - 1] == '\n') {
+        line[rd - 1] = '\0';
+        rd--;
+      }
+      if (!ParseSmapsLine(line, static_cast<size_t>(rd), &state, callback)) {
+        free(line);
+        return false;
+      }
+    }
+  }
+}
+
+static inline const char *FindNthToken(const char *line, size_t n,
+                                       size_t size) {
+  size_t tokens = 0;
+  bool parsing_token = false;
+  for (size_t i = 0; i < size; ++i) {
+    if (!parsing_token && line[i] != ' ') {
+      parsing_token = true;
+      if (tokens++ == n)
+        return line + static_cast<ssize_t>(i);
+    }
+    if (line[i] == ' ')
+      parsing_token = false;
+  }
+  return nullptr;
+}
+
+template <typename T>
+static bool ParseSmapsLine(char *line, size_t size, SmapsParserState *state,
+                           T callback) {
+  char *first_token_end = static_cast<char *>(memchr(line, ' ', size));
+  if (first_token_end == nullptr || first_token_end == line)
+    return false; // Malformed.
+  bool is_header = *(first_token_end - 1) != ':';
+  if (is_header) {
+    if (state->parsed_header)
+      callback(state->current_entry);
+    state->current_entry = {};
+    const char *last_token_begin = FindNthToken(line, 5u, size);
+    if (last_token_begin)
+      state->current_entry.pathname.assign(last_token_begin);
+    state->parsed_header = true;
+    return true;
+  }
+  if (!state->parsed_header)
+    return false;
+  sscanf(line, "Size: %" PRId64 " kB", &state->current_entry.size_kb);
+  sscanf(line, "Swap: %" PRId64 " kB", &state->current_entry.swap_kb);
+  sscanf(line, "Private_Dirty: %" PRId64 " kB",
+         &state->current_entry.private_dirty_kb);
+  return true;
+}
+
+SmapsEntry DetectInjection(std::string lib) {
+  SmapsEntry injection;
+
+  auto self_maps = fopen("/proc/self/smaps", "re");
+  ParseSmaps(self_maps, [&injection, lib](const SmapsEntry &entry) {
+    if (entry.pathname.find(lib) != std::string::npos &&
+        entry.private_dirty_kb > 0) {
+      injection.pathname = entry.pathname;
+      injection.private_dirty_kb = entry.private_dirty_kb;
+      LOGD("Injection at %s: Private_Dirty %d kB", injection.pathname.data(),
+           injection.private_dirty_kb);
+    }
+  });
+  fclose(self_maps);
+
+  return injection;
+}
+
+} // namespace StatsMap