Background

In the Android system, processes are isolated from each other, and one process cannot directly access another process's address space. To operate on the memory of an APP process on the Android platform, that is, to read information from the target process's address space or to modify private data inside it, injection technology is required.

Through injection technology, you can inject the specified SO module or code into the target process. As long as the injection is successful, you can access and tamper with information in the target process space, including data and code.

Android injection technology is mainly used for illegitimate operations, such as game auxiliary (cheating) software and malicious software.

Zygote injection

Zygote is one of the most important processes in the Android system, because most application processes in Android are spawned by Zygote through fork(). Fork reuses the parent process's image to create the child. In other words, Zygote is the parent of an ordinary APP process on Android.

The purpose of Zygote injection is to get a specified SO module into a specified APP process. The SO module is not injected directly into that process; it is first injected into the Zygote process.

After the SO module has been injected into the Zygote process, every APP process launched afterwards in the Android system is forked from Zygote and therefore already contains the SO module that was meant for the target process. Any newly created process thus carries the SO module that was injected into Zygote.

This is an indirect injection, and it is also a relatively safe way to inject an SO module. The Xposed framework is currently based on Zygote injection.

1. Inject the SO module into the Zygote process through the injector;

2. Manually start the APP process that the SO module is meant for. Since the APP process is forked from the Zygote process, the started APP process contains all modules of the Zygote process;

3. The injected SO module hijacks control of the APP process and executes its own code;

4. The injected SO module returns control to the APP process, and the injected process continues to run normally.

(The injector is mainly a ptrace-based process injector that injects shellcode.)

Attach to the Zygote process via ptrace.

Call mmap to allocate space in the target process to hold the injected shellcode (assembly code).

Execute the injected shellcode (assembly code that is injected into the target process and executed there).

Call munmap to free the allocated memory.

Detach from the Zygote process via ptrace.

The key Zygote injection code implementation is as follows:

Ptrace injection

Ptrace injection implementations fall into two classes:

Shellcode is injected into the memory space of the remote process using ptrace, and the SO module is then loaded into the remote process by executing the shellcode.

The SO module is loaded by directly calling dlopen, dlsym, dlclose and other functions remotely, and the specified code is executed.

Flow of ptrace injection by direct remote function calls:

Attach to the process to be injected using ptrace;

Save the register environment;

Remotely call mmap to allocate memory space;

Write the name of the module to load and the name of the function to call into the remote process memory space;

Remotely call dlopen to open the injected module;

Remotely call dlsym to obtain the address of the function to be called;

Remotely call the function of the injected module;

Restore the register environment;

Detach from the remote process using ptrace.

The key ptrace code that directly calls system functions is as follows:

Shellcode injection moves the dlopen/dlsym library-function operations into the shellcode itself. The injection function only allocates memory space in the remote APP process. It then fills in the parameter information used by dlopen, dlsym, dlclose and other functions inside the shellcode, writes the shellcode into the space allocated in the remote APP process, and finally executes the shellcode by modifying the PC register.
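Seen from the defender's side, both ptrace variants above leave traces that a process can check on itself, or that an analyst can check from outside: while a tracer is attached, TracerPid in /proc/<pid>/status is non-zero; the mmap'd region that stages shellcode appears in /proc/<pid>/maps as anonymous memory that is both writable and executable; and a module pulled in through a remote dlopen appears as an executable mapping backed by a path outside the normal library locations. The following Python is an added example and not code from the original page. The /proc contents are constructed samples, and the TRUSTED_PREFIXES allowlist is an assumption that a real check would derive from the device's actual library locations.

```python
"""Detection-side check for ptrace-based injection, using constructed /proc samples.

The helpers take text so they run offline here; on a device the same text would
be read from /proc/<pid>/status and /proc/<pid>/maps.
"""
import re

# Constructed sample of /proc/<pid>/status while a tracer is attached.
SAMPLE_STATUS = """\
Name:\tcom.example.app
State:\tt (tracing stop)
Tgid:\t4321
Pid:\t4321
PPid:\t512
TracerPid:\t9876
"""

# Constructed sample of /proc/<pid>/maps: system libraries, the app's own
# library, one library loaded from a writable path, and an anonymous rwx region
# of the kind a remote mmap(PROT_READ|PROT_WRITE|PROT_EXEC) would create.
SAMPLE_MAPS = """\
7f1000000000-7f1000020000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f1000020000-7f1000030000 r--p 00020000 fd:00 1234 /system/lib64/libc.so
7f2000000000-7f2000010000 r-xp 00000000 fd:01 5678 /data/app/com.example.app-1/lib/arm64/libapp.so
7f3000000000-7f3000004000 r-xp 00000000 fd:02 9012 /data/local/tmp/libinject.so
7f4000000000-7f4000001000 rwxp 00000000 00:00 0
7f5000000000-7f5000021000 rw-p 00000000 00:00 0 [anon:libc_malloc]
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed allowlist of locations the platform linker normally loads code from.
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/data/app/")

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def tracer_pid(status_text: str) -> int:
    """Return TracerPid from /proc/<pid>/status text; 0 means no tracer attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def suspicious_mappings(maps_text: str) -> list:
    """Return (start_address, reason) for mappings that match the injection
    steps in the text: anonymous rwx memory (shellcode staging) or executable
    code backed by a file outside the trusted library locations."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        if "x" not in perms:
            continue  # only executable regions matter for code injection
        if path == "" or path.startswith("["):
            if "w" in perms:
                findings.append((m.group("start"), "anonymous rwx mapping"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((m.group("start"),
                             f"executable code from untrusted path {path}"))
    return findings


def inspect(status_text: str, maps_text: str) -> dict:
    """Combine both checks into one report."""
    return {"tracer_pid": tracer_pid(status_text),
            "findings": suspicious_mappings(maps_text)}


if __name__ == "__main__":
    print(inspect(SAMPLE_STATUS, SAMPLE_MAPS))
```

The TracerPid check only fires while the injector is attached; after the detach step it reads 0 again. The mapping check is the more durable one: a module loaded through dlopen stays mapped, and the shellcode region stays mapped unless the injector calls munmap as the Zygote flow above does.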

The key ptrace shellcode injection code implementation is as follows:

Injection by modifying the ELF file

In the Native layer of the Android platform, executable SO files use the ELF file format. By modifying the ELF file structure, an SO file can be injected.

By modifying the ELF binary and adding your own code to it, the executable runs the custom added code first and the ELF file's original logic afterwards.

Modifying binary ELF files requires attention to two important structures:

The ELF Header is the only structure in an ELF file that sits at a fixed location. It stores the location and size of the Program Header Table and the Section Header Table.

The principle of SO injection by modifying the ELF file is as follows: by modifying the dependency library information reached through the Program Header Table and adding the custom SO file's information, when the APP process runs and loads the modified ELF file, it also loads and runs the custom SO file at the same time.

Program Header Table entry structure

The type options in a program header entry are as follows

When the type in a program header entry is PT_DYNAMIC (dynamic linking information), the block specified by the entry's offset (p_offset) and size (p_filesz) points to the .dynamic segment. The .dynamic section contains the program's linking and dependency information used at load time.
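The dependency information that this technique alters is the list of DT_NEEDED entries in the .dynamic section, which the loader resolves through the DT_STRTAB string table. A defender can read the same structures to verify that a shipped SO file has not gained an unexpected dependency. The following Python is an added example, not code from the original page: it walks the ELF header to the Program Header Table, follows the PT_DYNAMIC entry's p_offset and p_filesz to the .dynamic section, and lists the DT_NEEDED names. The sample ELF is constructed in memory by build_sample_elf, which is a test-data helper and not a description of how a real binary is patched; only little-endian ELF64 (the arm64 case) is handled.

```python
"""List DT_NEEDED dependencies of an ELF64 shared object from its program headers.

Constructed sample input: build_sample_elf() assembles a minimal ELF64 file in
memory with one PT_LOAD segment and one PT_DYNAMIC segment.
"""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def program_headers(data: bytes) -> list:
    """Parse the ELF header and return the Program Header Table as dicts."""
    fields = EHDR.unpack_from(data, 0)
    ident, e_phoff, e_phentsize, e_phnum = fields[0], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    phdrs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz})
    return phdrs


def vaddr_to_offset(phdrs: list, vaddr: int) -> int:
    """DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return vaddr - ph["vaddr"] + ph["offset"]
    raise ValueError(f"vaddr {vaddr:#x} is not backed by any PT_LOAD segment")


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED names, in the order the loader will resolve them."""
    phdrs = program_headers(data)
    dyn = next((ph for ph in phdrs if ph["type"] == PT_DYNAMIC), None)
    if dyn is None:
        return []
    entries, pos, end = [], dyn["offset"], dyn["offset"] + dyn["filesz"]
    while pos + DYN.size <= end:                  # walk .dynamic up to DT_NULL
        tag, val = DYN.unpack_from(data, pos)
        pos += DYN.size
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    strsz = next((v for t, v in entries if t == DT_STRSZ), None)
    if strtab is None or strsz is None:
        raise ValueError(".dynamic lacks DT_STRTAB/DT_STRSZ")
    off = vaddr_to_offset(phdrs, strtab)
    strings = data[off:off + strsz]
    return [strings[v:].split(b"\0", 1)[0].decode()
            for t, v in entries if t == DT_NEEDED]


def unexpected_dependencies(data: bytes, allowlist) -> list:
    """Integrity check: DT_NEEDED names not in a build-time allowlist."""
    return [n for n in needed_libraries(data) if n not in allowlist]


def build_sample_elf(needed: list) -> bytes:
    """Construct a minimal ELF64 shared object whose .dynamic names `needed`."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    name_offsets, off = [], 1
    for n in needed:
        name_offsets.append(off)
        off += len(n) + 1
    phnum = 2
    strtab_off = EHDR.size + phnum * PHDR.size
    dyn_off = (strtab_off + len(strtab) + 7) & ~7           # 8-byte align
    dyn = b"".join(DYN.pack(DT_NEEDED, o) for o in name_offsets)
    dyn += DYN.pack(DT_STRTAB, strtab_off) + DYN.pack(DT_STRSZ, len(strtab))
    dyn += DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)     # ELF64, LE, v1
    ehdr = EHDR.pack(ident, 3, 0xB7, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)  # ET_DYN, AArch64
    load = PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    return (ehdr + load + dynamic + strtab
            + bytes(dyn_off - strtab_off - len(strtab)) + dyn)


if __name__ == "__main__":
    sample = build_sample_elf(["libc.so", "libm.so", "libinject.so"])
    print(needed_libraries(sample))
    print(unexpected_dependencies(sample, {"libc.so", "libm.so"}))
```

Comparing the DT_NEEDED list of a deployed SO against the list recorded at build time is a cheap integrity check for this injection technique; on a real file the same functions are applied to the bytes read from disk.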

Key ELF file modification code implementation