【Android 逆向】ART 脱壳 ( InMemoryDexClassLoader 脱壳 | InMemoryDexClassLoader 类加载器脱壳点总结 )
生活随笔
收集整理的這篇文章主要介紹了
【Android 逆向】ART 脱壳 ( InMemoryDexClassLoader 脱壳 | InMemoryDexClassLoader 类加载器脱壳点总结 )
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
文章目錄
- 一、InMemoryDexClassLoader 類加載器脫殼點總結
- 1、dalvik_system_DexFile.cc#CreateSingleDexFileCookie
- 2、dalvik_system_DexFile.cc#CreateDexFile
- 3、dex_file.cc#DexFile::Open
- 4、dex_file.cc#DexFile::OpenCommon
- 5、dex_file.cc#DexFile::DexFile
一、InMemoryDexClassLoader 類加載器脫殼點總結
InMemoryDexClassLoader 類加載器脫殼點總結 : 在下面列舉出的函數中 , 都可以獲取到內存中 DEX 文件的起始地址 , 可以將 DEX 文件從內存中 dump 下來 ;
1、dalvik_system_DexFile.cc#CreateSingleDexFileCookie
static jobject CreateSingleDexFileCookie(JNIEnv* env, std::unique_ptr<MemMap> data) {std::unique_ptr<const DexFile> dex_file(CreateDexFile(env, std::move(data)));if (dex_file.get() == nullptr) {DCHECK(env->ExceptionCheck());return nullptr;}std::vector<std::unique_ptr<const DexFile>> dex_files;dex_files.push_back(std::move(dex_file));return ConvertDexFilesToJavaArray(env, nullptr, dex_files); }
源碼地址 : /art/runtime/native/dalvik_system_DexFile.cc#CreateSingleDexFileCookie
2、dalvik_system_DexFile.cc#CreateDexFile
static const DexFile* CreateDexFile(JNIEnv* env, std::unique_ptr<MemMap> dex_mem_map) {std::string location = StringPrintf("Anonymous-DexFile@%p-%p",dex_mem_map->Begin(),dex_mem_map->End());std::string error_message;std::unique_ptr<const DexFile> dex_file(DexFile::Open(location,0,std::move(dex_mem_map),/* verify */ true,/* verify_location */ true,&error_message));if (dex_file == nullptr) {ScopedObjectAccess soa(env);ThrowWrappedIOException("%s", error_message.c_str());return nullptr;}if (!dex_file->DisableWrite()) {ScopedObjectAccess soa(env);ThrowWrappedIOException("Failed to make dex file read-only");return nullptr;}return dex_file.release(); }
源碼地址 : /art/runtime/native/dalvik_system_DexFile.cc#CreateDexFile
3、dex_file.cc#DexFile::Open
std::unique_ptr<const DexFile> DexFile::Open(const std::string& location,uint32_t location_checksum,std::unique_ptr<MemMap> map,bool verify,bool verify_checksum,std::string* error_msg) {ScopedTrace trace(std::string("Open dex file from mapped-memory ") + location);CHECK(map.get() != nullptr);if (map->Size() < sizeof(DexFile::Header)) {*error_msg = StringPrintf("DexFile: failed to open dex file '%s' that is too short to have a header",location.c_str());return nullptr;}std::unique_ptr<DexFile> dex_file = OpenCommon(map->Begin(),map->Size(),location,location_checksum,kNoOatDexFile,verify,verify_checksum,error_msg);if (dex_file != nullptr) {dex_file->mem_map_.reset(map.release());}return dex_file; }
源碼路徑 : /art/runtime/dex_file.cc#182
4、dex_file.cc#DexFile::OpenCommon
std::unique_ptr<DexFile> DexFile::OpenCommon(const uint8_t* base,size_t size,const std::string& location,uint32_t location_checksum,const OatDexFile* oat_dex_file,bool verify,bool verify_checksum,std::string* error_msg,VerifyResult* verify_result) {if (verify_result != nullptr) {*verify_result = VerifyResult::kVerifyNotAttempted;}std::unique_ptr<DexFile> dex_file(new DexFile(base,size,location,location_checksum,oat_dex_file));if (dex_file == nullptr) {*error_msg = StringPrintf("Failed to open dex file '%s' from memory: %s", location.c_str(),error_msg->c_str());return nullptr;}if (!dex_file->Init(error_msg)) {dex_file.reset();return nullptr;}if (verify && !DexFileVerifier::Verify(dex_file.get(),dex_file->Begin(),dex_file->Size(),location.c_str(),verify_checksum,error_msg)) {if (verify_result != nullptr) {*verify_result = VerifyResult::kVerifyFailed;}return nullptr;}if (verify_result != nullptr) {*verify_result = VerifyResult::kVerifySucceeded;}return dex_file; }
源碼地址 : /art/runtime/dex_file.cc#OpenCommon
5、dex_file.cc#DexFile::DexFile
DexFile::DexFile(const uint8_t* base,size_t size,const std::string& location,uint32_t location_checksum,const OatDexFile* oat_dex_file): begin_(base),size_(size),location_(location),location_checksum_(location_checksum),header_(reinterpret_cast<const Header*>(base)),string_ids_(reinterpret_cast<const StringId*>(base + header_->string_ids_off_)),type_ids_(reinterpret_cast<const TypeId*>(base + header_->type_ids_off_)),field_ids_(reinterpret_cast<const FieldId*>(base + header_->field_ids_off_)),method_ids_(reinterpret_cast<const MethodId*>(base + header_->method_ids_off_)),proto_ids_(reinterpret_cast<const ProtoId*>(base + header_->proto_ids_off_)),class_defs_(reinterpret_cast<const ClassDef*>(base + header_->class_defs_off_)),method_handles_(nullptr),num_method_handles_(0),call_site_ids_(nullptr),num_call_site_ids_(0),oat_dex_file_(oat_dex_file) {CHECK(begin_ != nullptr) << GetLocation();CHECK_GT(size_, 0U) << GetLocation();// Check base (=header) alignment.// Must be 4-byte aligned to avoid undefined behavior when accessing// any of the sections via a pointer.CHECK_ALIGNED(begin_, alignof(Header));InitializeSectionsFromMapList(); }
源碼地址 : /art/runtime/dex_file.cc#DexFile
總結
以上是生活随笔為你收集整理的【Android 逆向】ART 脱壳 ( InMemoryDexClassLoader 脱壳 | InMemoryDexClassLoader 类加载器脱壳点总结 )的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 【Android 逆向】ART 脱壳 (
- 下一篇: 【Android 逆向】ART 脱壳 (