我们有了Android Linker源码部分的解析,还学习了Unicorn的详细使用。如果没有看过之前文章的同学可以看下之前的文章哦。今天我们就来看下Unidbg是如何将一个So加载且跑起来的
在Unidbg中,我们想要加载一个So一般都是通过
DalvikModule dalvikModule = vm.loadLibrary(new File("so_path"), true);
来加载一个So文件,通过这个方法,我们最终会发现Unidbg调用了AndroidElfLoader类的loadInternal方法。AndroidElfLoader类也就充当了Linker的角色,所以我们今天就来分析一下这个类
我们先来分析一下AndroidElfLoader的构造方法
public AndroidElfLoader(Emulator<AndroidFileIO> emulator, UnixSyscallHandler<AndroidFileIO> syscallHandler) {// 调用父类构造方法,初始化emulator和syscallHandler字段super(emulator, syscallHandler);// 初始化SPstackSize = STACK_SIZE_OF_PAGE * PageAlign();// 将栈空间mem_map映射,因为在Backend(Unicorn)中,所有需要用的内存都需要先进行映射才能够进行使用,大小就是STACK_SIZE_OF_PAGE * PageAlign(),可读可写权限_map(STACK_BASE - stackSize, stackSize, UnicornConst.UC_PROT_READ | UnicornConst.UC_PROT_WRITE);// 设置SP寄存器setStackPoint(STACK_BASE);// 初始化TLS(线程局部存储相关),在libc一些系统库中是有线程局部变量的,如errno等。这里就做了相关的协处理器的初始化操作viron = initializeTLS(new String[] {"ANDROID_DATA=/data","ANDROID_ROOT=/system"});this.setErrno(0);
}
上面的注释也写的很清楚了,再总结一下AndroidElfLoader初始化做了什么
对TLS感兴趣可以阅读以下源码
.4.4_r1/xref/bionic/libc/bionic/libc_init_common.cpp#111
.4.4_r1/xref/bionic/libc/bionic/pthread_internals.cpp#66
.4.4_r1/xref/bionic/libc/private/bionic_tls.h#90
那么当我们调用了loadLibrary方法后,在Android中最终调用了AndroidElfLoader类下的loadInternal方法,我们来分析这个方法,该类的初始化我们已经分析过了
protected final LinuxModule loadInternal(LibraryFile libraryFile, boolean forceCallInit) {// File对象被封装为了LibraryFile对象try {// 接着调用了loadInternal(重载)方法,继续加载流程LinuxModule module = loadInternal(libraryFile);// 处理符号(关于重定位)resolveSymbols(!forceCallInit);// callInitFunction默认trueif (callInitFunction || forceCallInit) {// 调用初始化函数for (LinuxModule m : modules.values().toArray(new LinuxModule[0])) {boolean forceCall = (forceCallInit && m == module) || m.isForceCallInit();if (callInitFunction) {m.callInitFunction(emulator, forceCall);} else if (forceCall) {m.callInitFunction(emulator, true);}m.initFunctionList.clear();}}// 添加引用计数module.addReferenceCount();return module;} catch (IOException e) {throw new IllegalStateException(e);}
}
上面的函数接着调用了重载loadInternal方法继续加载,加载完成会返回一个LinuxModule对象,该对象就保存了该So文件加载后的信息,接着处理了符号和调用初始化函数
我们接着来看重载loadInternal方法,代码比较长
private LinuxModule loadInternal(LibraryFile libraryFile) throws IOException {// 将我们的So文件让ElfFile类去解析,这个ElfFile是jelf库经过凯神改装过的,可以帮助解析Elf文件final ElfFile elfFile = ElfFile.fromBytes(libraryFile.mapBuffer());// ... 判断文件是否合法,32位模拟器是否加载了64位So等待long start = System.currentTimeMillis();// 获取当前So的最大虚拟地址和页对齐align参数long bound_high = 0;long align = 0;for (int i = 0; i < elfFile.num_ph; i++) {ElfSegment ph = ProgramHeader(i);if (ph.type == ElfSegment.PT_LOAD && ph.mem_size > 0) {// 遍历所有mem_size>0的PT_LOAD段long high = ph.virtual_address + ph.mem_size;// 寻找bound_high最大值if (bound_high < high) {bound_high = high;}// 寻找alignment最大值if (ph.alignment > align) {align = ph.alignment;}}}ElfDynamicStructure dynamicStructure = null;// 从获取到的So指定的alignment和默认的PageAlign取一个最大值,一般拿到的就是4K大小final long baseAlign = Math.PageAlign(), align);// 根据baseAlign来计算该So的加载地址。初始地址0x40000000Lfinal long load_base = ((mmapBaseAddress - 1) / baseAlign + 1) * baseAlign;// 这个就相当于Linker在计算load_size,但Unidbg中将所有So的最小虚拟地址默认为0// 这里有改进空间对吧,因为Linker中为了防止内存浪费,出现了一个load_bias_字段// 但是出于目的不用,Unidbg的目的是让二进制文件跑起来long size = ARM.align(0, bound_high, baseAlign).size;// 设置加载下个So的mmapBaseAddresssetMMapBaseAddress(load_base + size);// MemRegion存储了哪块内存对应了哪个So文件final List<MemRegion> regions = new ArrayList<>(5);MemoizedObject<ArmExIdx> armExIdx = null;MemoizedObject<GnuEhFrameHeader> ehFrameHeader = null;Alignment lastAlignment = null;// 再次遍历所有段for (int i = 0; i < elfFile.num_ph; i++) {ElfSegment ph = ProgramHeader(i);switch (ph.type) {case ElfSegment.PT_LOAD:// PT_LOAD段// 获取该段在内存中对应的操作权限,如该段未指定,设置满权限(一般不会出现这种情况)int prot = get_segment_protection(ph.flags);if (prot == UnicornConst.UC_PROT_NONE) {prot = UnicornConst.UC_PROT_ALL;}// 该段在内存中的起始地址final long begin = load_base + ph.virtual_address;// 计算该段在内存中的位置和大小Alignment check = ARM.align(begin, ph.mem_size, Math.PageAlign(), ph.alignment));// 获取上一个内存快final int regionSize = regions.size();MemRegion last = regionSize <= 0 ? null : (regionSize - 1);// 处理两个段之间重叠部分?未找到案例MemRegion overall = null;if (last != null && check.address >= last.begin && check.address < d) {overall = last;}if (overall != null) {// 处理重叠段,应该为特殊情况,正常都会走下面else分支long overallSize = d - check._protect(check.address, overallSize, overall.perms | prot);if (ph.mem_size > overallSize) {Alignment alignment = _map(begin + overallSize, ph.mem_size - overallSize, prot, Name(), Math.PageAlign(), ph.alignment));regions.add(new MemRegion(alignment.address, alignment.address + alignment.size, prot, libraryFile, ph.virtual_address));if (lastAlignment != null) {throw new UnsupportedOperationException();}lastAlignment = alignment;}} else {// 将该PT_LOAD段指示的内存大小进行映射Alignment alignment = _map(begin, ph.mem_size, prot, Name(), Math.PageAlign(), ph.alignment));// 添加一块MemRegionregions.add(new MemRegion(alignment.address, alignment.address + alignment.size, prot, libraryFile, ph.virtual_address));if (lastAlignment != null) {// 处理该段与上一个段之间的空隙,置0long base = lastAlignment.address + lastAlignment.size;long off = alignment.address - base;if (off < 0) {throw new IllegalStateException();}if (off > 0) {_map(base, off, UnicornConst.UC_PROT_NONE);if (memoryMap.put(base, new MemoryMap(base, (int) off, UnicornConst.UC_PROT_NONE)) != null) {log.warn("mem_map replace exists memory map base=" + HexString(base));}}}lastAlignment = alignment;}// 将该段对应的数据写入进已经映射好的内存ph.getPtLoadData().writeTo(pointer(begin));break;case ElfSegment.PT_DYNAMIC:// DYNAMIC段dynamicStructure = ph.getDynamicStructure();break;case ElfSegment.PT_INTERP:// INTERP段指定了解释器位置,在So中没用if (log.isDebugEnabled()) {log.debug("[" + Name() + "]interp=" + ph.getInterpreter());}break;case ElfSegment.PT_GNU_EH_FRAME:// 没分析过,未知TODOehFrameHeader = ph.getEhFrameHeader();break;case ElfSegment.PT_ARM_EXIDX:// 异常相关的段armExIdx = ph.getARMExIdxData();break;default:if (log.isDebugEnabled()) {log.debug("[" + Name() + "]segment type=0x" + pe) + ", offset=0x" + HexString(ph.offset));}break;}}// 此时,该So中的有用的段信息已经处理完毕// 该加载到内存的已经加载到内存// 该置空的内存也已置空// 动态段、异常段、PT_GNU_EH_FRAME段的信息已经保存下来,继续看接下来的处理// 动态段是必须有的if (dynamicStructure == null) {throw new IllegalStateException("dynamicStructure is empty.");}// 此SoName是动态段中的tag为SO_NAME指定的内容,而且Unidbg中的Log也是基于这个SoName打印的// 如果该内容为空,才会使用文件名。这也就是有的同学会问为什么我加载的是libxxxxx.so,而日志输出libyyyyyy.so呢final String soName = Name());// 下面处理So中的依赖库Map<String, Module> neededLibraries = new HashMap<>();// NeededLibraries(),这个方法是Unidbg改写jelf库加上的方法,会获取到所有的依赖库的名字for (String neededLibrary : NeededLibraries()) {if (log.isDebugEnabled()) {log.debug(soName + " need dependency " + neededLibrary);}// modules字段保存了所有已经加载过的库,这里就是在寻找是否该So已经被加载过LinuxModule loaded = (neededLibrary);if (loaded != null) {// 如果加载过了,添加引用计数、放到neededLibraries变量loaded.addReferenceCount();neededLibraries.BaseName(loaded.name), loaded);continue;}// 如果依赖还没有被加载过,就开始寻找这个依赖文件在哪,先在当前So的路径下找LibraryFile neededLibraryFile = solveLibrary(emulator, neededLibrary);// 如果当前路径下没有找到,就去找library解析器去找if (libraryResolver != null && neededLibraryFile == null) {neededLibraryFile = solveLibrary(emulator, neededLibrary);}if (neededLibraryFile != null) {// 大吉大利,So找到啦,就会在这里加载LinuxModule needed = loadInternal(neededLibraryFile);needed.addReferenceCount();neededLibraries.BaseName(needed.name), needed);} else {log.info(soName + " load dependency " + neededLibrary + " failed");}}// 到这里,该So所依赖的So也被加载进来了// 下面这个循环会处理未解决(符号为0特殊情况)的重定位,进行二次重定位,极少数能成功,如果确定没用可以注释掉for (LinuxModule module : modules.values()) {for (Iterator<ModuleSymbol> iterator = UnresolvedSymbol().iterator(); iterator.hasNext(); ) {ModuleSymbol moduleSymbol = ();ModuleSymbol resolved = NeededLibraries(), false, hookListeners, SvcMemory());if (resolved != null) {if (log.isDebugEnabled()) {log.debug("[" + moduleSymbol.soName + "]" + Name() + " symbol resolved to " + SoName);}location(emulator);ve();}}}// 下面开始处理重定位List<ModuleSymbol> list = new ArrayList<>();for (MemoizedObject<ElfRelocation> object : Relocations()) {// 遍历So中所有的重定位信息ElfRelocation relocation = Value();// 拿到重定位类型final int type = pe();if (type == 0) {log.warn("Unhandled relocation type " + type);continue;}// 拿到重定位项指定的符号信息ElfSymbol symbol = relocation.sym() == 0 ? null : relocation.symbol();long sym_value = symbol != null ? symbol.value : 0;// 计算需要重定位的位置Pointer relocationAddr = UnidbgPointer.pointer(emulator, load_base + relocation.offset());assert relocationAddr != null;Log log = Log("com.github.unidbg.linux." + soName);if (log.isDebugEnabled()) {log.debug("symbol=" + symbol + ", type=" + type + ", relocationAddr=" + relocationAddr + ", offset=0x" + HexString(relocation.offset()) + ", addend=" + relocation.addend() + ", sym=" + relocation.sym() + ", android=" + relocation.isAndroid());}ModuleSymbol moduleSymbol;// 根据重定位类型进行不同的处理,下面包含了32位/64位下的重定位处理switch (type) {case ARMEmulator.R_ARM_ABS32: {int offset = Int(0);moduleSymbol = resolveSymbol(load_base, symbol, relocationAddr, soName, neededLibraries.values(), offset);if (moduleSymbol == null) {// 不能当即处理的,添加到list,后面再处理list.add(new ModuleSymbol(soName, load_base, symbol, relocationAddr, null, offset));} else {location(emulator);}break;}case ARMEmulator.R_AARCH64_ABS64: {long offset = Long(0) + relocation.addend();moduleSymbol = resolveSymbol(load_base, symbol, relocationAddr, soName, neededLibraries.values(), offset);if (moduleSymbol == null) {list.add(new ModuleSymbol(soName, load_base, symbol, relocationAddr, null, offset));} else {location(emulator);}break;}case ARMEmulator.R_ARM_RELATIVE: {int offset = Int(0);if (sym_value == 0) {relocationAddr.setInt(0, (int) load_base + offset);} else {throw new IllegalStateException("sym_value=0x" + HexString(sym_value));}break;}case ARMEmulator.R_AARCH64_RELATIVE:if (sym_value == 0) {relocationAddr.setLong(0, load_base + relocation.addend());} else {throw new IllegalStateException("sym_value=0x" + HexString(sym_value));}break;case ARMEmulator.R_ARM_GLOB_DAT:case ARMEmulator.R_ARM_JUMP_SLOT:moduleSymbol = resolveSymbol(load_base, symbol, relocationAddr, soName, neededLibraries.values(), 0);if (moduleSymbol == null) {list.add(new ModuleSymbol(soName, load_base, symbol, relocationAddr, null, 0));} else {location(emulator);}break;case ARMEmulator.R_AARCH64_GLOB_DAT:case ARMEmulator.R_AARCH64_JUMP_SLOT:moduleSymbol = resolveSymbol(load_base, symbol, relocationAddr, soName, neededLibraries.values(), relocation.addend());if (moduleSymbol == null) {list.add(new ModuleSymbol(soName, load_base, symbol, relocationAddr, null, relocation.addend()));} else {location(emulator);}break;case ARMEmulator.R_ARM_COPY:throw new IllegalStateException("R_ARM_COPY relocations are not supported");case ARMEmulator.R_AARCH64_COPY:throw new IllegalStateException("R_AARCH64_COPY relocations are not supported");case ARMEmulator.R_AARCH64_ABS32:case ARMEmulator.R_AARCH64_ABS16:case ARMEmulator.R_AARCH64_PREL64:case ARMEmulator.R_AARCH64_PREL32:case ARMEmulator.R_AARCH64_PREL16:case ARMEmulator.R_AARCH64_IRELATIVE:case ARMEmulator.R_AARCH64_TLS_TPREL64:case ARMEmulator.R_AARCH64_TLS_DTPREL32:case ARMEmulator.R_ARM_IRELATIVE:case ARMEmulator.R_ARM_REL32:default:log.warn("[" + soName + "]Unhandled relocation type " + type + ", symbol=" + symbol + ", relocationAddr=" + relocationAddr + ", offset=0x" + HexString(relocation.offset()) + ", addend=" + relocation.addend() + ", android=" + relocation.isAndroid());break;}}// 重定位完成后,开始执行初始化函数List<InitFunction> initFunctionList = new ArrayList<>();if (elfFile.file_type == ElfFile.FT_EXEC) {// 处理可执行文件相关,我们分析So的,忽略就可以int preInitArraySize = PreInitArraySize();int count = preInitArraySize / PointerSize();if (count > 0) {Pointer pointer = UnidbgPointer.pointer(emulator, load_base + PreInitArrayOffset());if (pointer == null) {throw new IllegalStateException("DT_PREINIT_ARRAY is null");}for (int i = 0; i < count; i++) {Pointer func = Pointer((long) i * PointerSize());if (func != null) {initFunctionList.add(new AbsoluteInitFunction(load_base, soName, ((UnidbgPointer) func).peer));}}}}if (elfFile.file_type == ElfFile.FT_DYN) {// 处理So的初始化函数//下面的处理内容在新版有修复,我们之前Linker的文章也讲过,他们的顺序不应该是平级的,需要Init函数先执行int init = Init();if (init != 0) {initFunctionList.add(new LinuxInitFunction(load_base, soName, init));}// 处理 init.arrayint initArraySize = InitArraySize();int count = initArraySize / PointerSize();if (count > 0) {Pointer pointer = UnidbgPointer.pointer(emulator, load_base + InitArrayOffset());if (pointer == null) {throw new IllegalStateException("DT_INIT_ARRAY is null");}for (int i = 0; i < count; i++) {// 当作数组来处理每一个init函数Pointer func = Pointer((long) i * PointerSize());if (func != null) {// 将他们添加到initFunction列表中initFunctionList.add(new AbsoluteInitFunction(load_base, soName, ((UnidbgPointer) func).peer));}}}}// 至此,依赖So加载了,重定位可以处理的也处理了(不能处理的还会有二次处理)// 初始化函数也被添加到列表中了,但是还没有调用(注意)SymbolLocator dynsym = SymbolStructure();if (dynsym == null) {throw new IllegalStateException("dynsym is null");}ElfSection symbolTableSection = null;try {symbolTableSection = SymbolTableSection();} catch(Throwable ignored) {}// 将加载好的So封装位LinuxModule对象LinuxModule module = new LinuxModule(load_base, size, soName, dynsym, list, initFunctionList, neededLibraries, regions,armExIdx, ehFrameHeader, symbolTableSection, elfFile, dynamicStructure);// ...// 放入已加载的So列表中modules.put(soName, module);if (maxSoName == null || soName.length() > maxSoName.length()) {maxSoName = soName;}if (bound_high > maxSizeOfSo) {maxSizeOfSo = bound_high;}// 设置可执行Elf的入口点module._point);log.debug("Load library " + soName + " offset=" + (System.currentTimeMillis() - start) + "ms" + ", entry_point=0x" + _point));// 通知监听器,So已加载完毕notifyModuleLoaded(module);return module;
}
我们分为上下两篇文章。我们看到上面这个loadInternal方法就是加载一个So主要的内容,大致内容看到这里其实已经够用了,如果想了解更多的细节就看下篇。其中的很多方法我们没有展开来讲解,接下来我们就来处理剩余的细枝末节。如果文章有错误的地方还请指正,可以加个VX一起交流:roy5ue或直接在文章下方进行评论哦
本文发布于:2024-02-01 13:34:31,感谢您对本站的认可!
本文链接:https://www.4u4v.net/it/170676567136966.html
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。
| 留言与评论(共有 0 条评论) |
