IBinder获取手机服务信息异常
?
小米8 利用IBinder transact獲取服務的接口名字,結果出現以下異常:
W/System.err: java.lang.SecurityException
W/System.err:     at android.os.BinderProxy.transactNative(Native Method)
W/System.err:     at android.os.BinderProxy.transact(BinderProxy.java:482)
W/System.err:     at com.gamesec.essential.Essential.getInterfaceName(Essential.java:182)
W/System.err:     at com.gamesec.essential.Essential.getRunningServiceInfo(Essential.java:204)
W/System.err:     at com.gamesec.essential.Essential.getEssential(Essential.java:134)
W/System.err:     at com.gamesec.DataCollector.collectDeviceInfo(DataCollector.java:373)
W/System.err:     at com.gamesec.DataCollectorThread.run(DataCollectorThread.java:12)
手機系統為 Android 9.0,因此查看該版本源碼中的 core/jni/android_util_Binder.cpp 文件:
?
android_os_BinderProxy_transact
[android_util_Binder.cpp]
/// JNI entry point behind BinderProxy.transactNative(): forwards a Java-side
/// transaction to the native IBinder held by the proxy and maps the resulting
/// status_t back into a Java result.
///
/// @return JNI_TRUE when the transaction returned NO_ERROR; JNI_FALSE when it
///         returned UNKNOWN_TRANSACTION (no Java exception is raised for that
///         case); for every other error signalExceptionForError raises the
///         matching Java exception and JNI_FALSE is returned.
static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
        jint code, jobject dataObj, jobject replyObj, jint flags) // throws RemoteException
{
    if (dataObj == NULL) {
        jniThrowNullPointerException(env, NULL);
        return JNI_FALSE;
    }

    Parcel* data = parcelForJavaObject(env, dataObj);
    if (data == NULL) {
        return JNI_FALSE;
    }
    // replyObj may legitimately be null (no reply Parcel supplied); only a
    // non-null replyObj that fails to resolve to a native Parcel is an error.
    Parcel* reply = parcelForJavaObject(env, replyObj);
    if (reply == NULL && replyObj != NULL) {
        return JNI_FALSE;
    }

    IBinder* target = getBPNativeData(env, obj)->mObject.get();
    if (target == NULL) {
        jniThrowException(env, "java/lang/IllegalStateException", "Binder has been finalized!");
        return JNI_FALSE;
    }

    ALOGV("Java code calling transact on %p in Java object %p with code %" PRId32 "\n",
            target, obj, code);

    // Both locals are only read inside `if (kEnableBinderSample)` blocks, and
    // start_millis only when time_binder_calls is true, so they are never
    // read uninitialized.
    bool time_binder_calls;
    int64_t start_millis;
    if (kEnableBinderSample) {
        // Only log the binder call duration for things on the Java-level main thread.
        // But if we don't
        time_binder_calls = should_time_binder_calls();

        if (time_binder_calls) {
            start_millis = uptimeMillis();
        }
    }

    //printf("Transact from Java code to %p sending: ", target); data->print();
    status_t err = target->transact(code, *data, reply, flags);
    //if (reply) printf("Transact from Java code to %p received: ", target); reply->print();

    if (kEnableBinderSample) {
        if (time_binder_calls) {
            conditionally_log_binder_call(start_millis, target, code);
        }
    }

    if (err == NO_ERROR) {
        return JNI_TRUE;
    } else if (err == UNKNOWN_TRANSACTION) {
        return JNI_FALSE;
    }

    // Any other status (including an exception the remote side wrote into the
    // reply) is turned into a Java exception here; this is where the
    // SecurityException observed in the stack trace is thrown.
    signalExceptionForError(env, obj, err, true /*canThrowRemoteException*/, data->dataSize());
    return JNI_FALSE;
}
這里會有異常拋出:
從上述代碼可以看到,transact 的結果 err 來自 IBinder->transact;當 err 既不是 NO_ERROR 也不是 UNKNOWN_TRANSACTION 時,便由 signalExceptionForError 拋出對應的 Java 異常。IBinder->transact 的實現可繼續查看 BpBinder::transact 和 IPCThreadState::transact,下面分別介紹:
BpBinder.transact
[BpBinder.cpp]
/// Proxy-side transact: hands the call to the calling thread's
/// IPCThreadState [see section 2.6]. Once a DEAD_OBJECT status comes back the
/// proxy marks itself dead and every later call short-circuits to DEAD_OBJECT.
status_t BpBinder::transact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    if (!mAlive) {
        return DEAD_OBJECT;
    }

    const status_t result =
            IPCThreadState::self()->transact(mHandle, code, data, reply, flags);
    if (result == DEAD_OBJECT) {
        mAlive = 0;
    }
    return result;
}
當binder死亡,則返回err=DEAD_OBJECT,所對應的拋出的異常為DeadObjectException
?
IPC.transact
[IPCThreadState.cpp]
/// Writes a BC_TRANSACTION for `handle` to the driver and, unless the call is
/// one-way, blocks until the reply (or an error) arrives.
///
/// @return the status of the write when it fails (also recorded in
///         mLastError and in `reply` when one was supplied); otherwise the
///         status produced by waitForResponse.
status_t IPCThreadState::transact(int32_t handle, uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    flags |= TF_ACCEPT_FDS;

    // Validate the outgoing parcel before queuing it for the driver.
    status_t err = data.errorCheck();
    if (err == NO_ERROR) {
        err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
    }
    if (err != NO_ERROR) {
        if (reply) {
            reply->setError(err);
        }
        mLastError = err;
        return err;
    }

    if (flags & TF_ONE_WAY) {
        return waitForResponse(NULL, NULL);
    }
    if (reply) {
        return waitForResponse(reply);
    }
    // Synchronous call without a caller-supplied reply: still wait for the
    // response, but into a throwaway parcel.
    Parcel fakeReply;
    return waitForResponse(&fakeReply);
}
返回值err的來源:
?
IPC.waitForResponse
[IPCThreadState.cpp]
/// Drives the binder command loop until a reply-terminating command arrives.
/// (Abridged listing: the `...` parts, including where `cmd` is read from mIn
/// and the `finish:` label, are omitted by the author.)
///
/// @return DEAD_OBJECT on BR_DEAD_REPLY, FAILED_TRANSACTION on
///         BR_FAILED_REPLY, otherwise the first non-NO_ERROR result of
///         executeCommand or the talkWithDriver error that ended the loop.
status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
    uint32_t cmd;
    int32_t err;

    while (1) {
        // Exchange buffers with the binder driver
        if ((err=talkWithDriver()) < NO_ERROR) break;
        err = mIn.errorCheck();
        ...
        switch (cmd) {
        case BR_DEAD_REPLY:
            err = DEAD_OBJECT;
            goto finish;

        case BR_FAILED_REPLY:
            err = FAILED_TRANSACTION;
            goto finish;

        default:
            err = executeCommand(cmd); // [see section 2.7.1]
            if (err != NO_ERROR) goto finish;
            break;
        }
    }
    ...
    return err;
}
當收到BR_DEAD_REPLY,則拋出err=DEAD_OBJECT
當收到BR_FAILED_REPLY, 則拋出err=FAILED_TRANSACTION
否則返回的是executeCommand的err
?
IPC.executeCommand
/// Handles one command received from the binder driver. (Abridged listing:
/// only BR_ERROR and the default case are shown; `obj` and `refs` are
/// presumably used by the omitted cases.)
///
/// @return NO_ERROR unless the command carries or produces an error; for
///         BR_ERROR the error code read from mIn, for unknown commands
///         UNKNOWN_ERROR.
status_t IPCThreadState::executeCommand(int32_t cmd)
{
    BBinder* obj;
    RefBase::weakref_type* refs;
    status_t result = NO_ERROR;

    switch ((uint32_t)cmd) {
    case BR_ERROR:
        // The error code follows the command in the input parcel
        result = mIn.readInt32();
        break;
    ...
    default:
        result = UNKNOWN_ERROR;
        break;
    }
    return result;
}
talkWithDriver過程便會跟Binder驅動交互
當服務端收到 binder 事務請求時,便進入 execTransact() 過程。
?
Binder.execTransact
[Binder.java]
/**
 * Server-side entry point for an incoming transaction: wraps the native parcels,
 * dispatches to {@link #onTransact} and serializes any exception the stub throws
 * into the reply instead of letting it unwind the server.
 *
 * A SecurityException thrown by a permission check inside onTransact is a
 * RuntimeException, so it is caught below and written into the reply via
 * writeException (EX_SECURITY); this is how a server-side permission denial
 * resurfaces as a SecurityException in the caller's transact().
 *
 * @return the result of onTransact, or true when an exception was handled
 *         here (the exception itself travels in the reply parcel).
 */
private boolean execTransact(int code, long dataObj, long replyObj, int flags) {
    Parcel data = Parcel.obtain(dataObj);
    Parcel reply = Parcel.obtain(replyObj);
    boolean res;
    try {
        // Run the stub's onTransact [see section 3.1.1]
        res = onTransact(code, data, reply, flags);
    } catch (RemoteException e) {
        // One-way calls have no reply to carry the exception, so it is only logged.
        if ((flags & FLAG_ONEWAY) != 0) {
            Log.w(TAG, "Binder call failed.", e);
        } else {
            reply.setDataPosition(0);
            reply.writeException(e); // [see below]
        }
        res = true;
    } catch (RuntimeException e) {
        if ((flags & FLAG_ONEWAY) != 0) {
            Log.w(TAG, "Caught a RuntimeException from the binder stub implementation.", e);
        } else {
            reply.setDataPosition(0);
            reply.writeException(e); // [see below]
        }
        res = true;
    } catch (OutOfMemoryError e) {
        // Errors are not transportable; wrap in a RuntimeException so the
        // caller still receives something (written even for one-way calls).
        Log.e(TAG, "Caught an OutOfMemoryError from the binder stub implementation.", e);
        RuntimeException re = new RuntimeException("Out of memory", e);
        reply.setDataPosition(0);
        reply.writeException(re); // [see below]
        res = true;
    }
    // [see section 3.3]
    checkParcel(this, code, reply, "Unreasonably large binder reply buffer");
    reply.recycle();
    data.recycle();
    return res;
}
可以看到服務端發送異常有3大類:
異常寫入回覆 Parcel 的具體方式見 writeException:
writeException
/**
 * Serializes a transportable exception into this parcel: the exception code
 * followed by its message. Exceptions that have no code cannot be
 * transported and are rethrown in the current (server) process instead.
 *
 * @throws RuntimeException the original exception (or a wrapper around it)
 *         when its type is not one of the transportable kinds
 */
public final void writeException(Exception e) {
    final int code = exceptionCodeFor(e);
    writeInt(code);
    StrictMode.clearGatheredViolations();
    if (code == 0) {
        if (e instanceof RuntimeException) {
            throw (RuntimeException) e;
        }
        throw new RuntimeException(e);
    }
    writeString(e.getMessage());
}

/** Maps a transportable exception type to its parcel code; 0 when there is none. */
private static int exceptionCodeFor(Exception e) {
    if (e instanceof SecurityException) return EX_SECURITY;
    if (e instanceof BadParcelableException) return EX_BAD_PARCELABLE;
    if (e instanceof IllegalArgumentException) return EX_ILLEGAL_ARGUMENT;
    if (e instanceof NullPointerException) return EX_NULL_POINTER;
    if (e instanceof IllegalStateException) return EX_ILLEGAL_STATE;
    if (e instanceof NetworkOnMainThreadException) return EX_NETWORK_MAIN_THREAD;
    if (e instanceof UnsupportedOperationException) return EX_UNSUPPORTED_OPERATION;
    return 0;
}
此處寫入的異常類型:
?
checkParcel
/**
 * Reports (via Slog.wtfStack) a parcel whose payload is 800KB or larger,
 * including the first three ints of the payload for diagnosis. The check is
 * skipped entirely when CHECK_PARCEL_SIZE is off.
 *
 * Note: reading the ints rewinds the parcel's data position to the start.
 */
static void checkParcel(IBinder obj, int code, Parcel parcel, String msg) {
    if (!CHECK_PARCEL_SIZE || parcel.dataSize() < 800*1024) {
        return;
    }
    parcel.setDataPosition(0);
    final String report = msg + ": on " + obj + " calling " + code
            + " size " + parcel.dataSize()
            + " (data: " + parcel.readInt() + ", " + parcel.readInt() + ", " + parcel.readInt() + ")";
    Slog.wtfStack(TAG, report);
}
總結異常數據傳輸流程如下圖:
?
結論:小米手機上出現的 SecurityException 並非本地產生,而是 binder 服務端在 onTransact 中拋出、再經 writeException 以 EX_SECURITY 寫入回覆後傳回調用方的;說明廠商在該服務端加入了權限檢查,調用方無權訪問。
總結