Android
A platform-wide, top-to-bottom, application-level interception framework that requires no root, bootloader unlocking or flashing; its last link: SVC system call interception.
Github
Because of the requirements of our virtualization product, we need to support running on ordinary (unrooted) Android phones. To do that we have to build an application-level interception framework that covers every layer of the application from top to bottom, and at the very bottom of that hierarchy, interception of system calls at the SVC instruction level is the ultimate solution.
01. Description
tracee: the process that is attached to with ptrace, usually a target application process.
tracer: the process that uses ptrace to attach to another process and handle its system calls.
This framework uses an Android Provider component to start the service process that performs the interception. Once that process is running, a separate thread is created to loop over all intercepted system call callbacks. Since this project only demonstrates the feasibility of the approach and prints logs, the business-logic handling is kept simple and can be extended as needed.
If you want to connect it to a real service, you may need to switch to multi-threaded handling to improve stability. In our tests, multi-threaded switching also carries a certain cost and the performance gain is limited, but it does improve stability: one time-consuming handler can no longer block all of the application's processes.
02. Processes
The application process (tracee) is attached as follows:
The tracer process flow is as follows:
Note: fork() is used so that the worker thread performs the attach, because ptrace imposes strict restrictions: only the thread that executed the attach has access to the corresponding tracee's registers.
03. System call processing
03.01 Library-ignore mechanism
For business reasons, and to improve performance, we need to ignore system calls issued from certain libraries, such as:
find_libc_exec_maps() locates the executable code of libc in the process's maps; that memory address range decides which system calls need to be processed:
//enable_syscall_filtering()
FilteredSysnum internal_sysnums[] = {
{ PR_ptrace, FILTER_SYSEXIT },
{ PR_wait4, FILTER_SYSEXIT },
{ PR_waitpid, FILTER_SYSEXIT },
{ PR_execve, FILTER_SYSEXIT },
{ PR_execveat, FILTER_SYSEXIT },
{ PR_readlinkat, FILTER_SYSEXIT }, // not processed at this time
};
set_seccomp_filters writes, for each arch, the system calls to be traced into the ebpf program. The ebpf statements of the different architectures are concatenated into one program. The pseudo-code for composing the ebpf program is as follows:
for (each architecture) {
    start_arch_section;
    for (each system call under the current architecture) {
        add_trace_syscall;
    }
    end_arch_section;
}
finalize_program_filter;
start_arch_section;      // architecture-specific ebpf, including the libc filter statements
add_trace_syscall;       // add the ebpf statements that match the system calls to be processed
end_arch_section;        // close the section (return if a system call matched)
finalize_program_filter; // final ebpf statement: kill the thread in all remaining cases
Finally, the following call installs the ebpf program:
status = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program);
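As an added example (not the framework's own code), the following C function composes one architecture section in the layout the pseudo-code above describes: arch check, the libc "ignore" range on the instruction pointer, one match per traced syscall, and the ALLOW/TRACE/KILL returns. seccomp filters are classic BPF, so the section is built from struct sock_filter instructions; build_arch_section, insn and the sample syscall numbers are assumed names, and the libc range is passed in rather than read from maps.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

/* One classic-BPF instruction; jt/jf are forward offsets counted from the next instruction. */
static struct sock_filter insn(uint16_t code, uint32_t k, uint8_t jt, uint8_t jf)
{
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Layout of one architecture section (n = number of traced syscall numbers):
 *   0-1   arch check: mismatch          -> KILL (the "finalize" case)
 *   2-6   ip inside [ip_lo, ip_hi)      -> ALLOW (the libc "ignore" check)
 *   7     load syscall number
 *   8..   one JEQ per traced number     -> TRACE (stop delivered to the tracer)
 *   8+n   ALLOW, 9+n TRACE, 10+n KILL
 * Returns the instruction count, or -1 if the inputs break the assumptions.
 * Assumes little-endian (high word of the 64-bit ip is at offset +4) and that
 * the libc range does not cross a 4 GiB boundary, so one high-word compare suffices. */
int build_arch_section(uint32_t arch, uint64_t ip_lo, uint64_t ip_hi,
                       const uint32_t *sysnums, int n, struct sock_filter *out)
{
    const int allow = 8 + n, trace = 9 + n, kill = 10 + n;
    const uint32_t ip_off = offsetof(struct seccomp_data, instruction_pointer);
    if (n < 1 || n > 100 || ip_lo >= ip_hi || (ip_lo >> 32) != (ip_hi >> 32))
        return -1;
    int i = 0;
    out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch), 0, 0);
    out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, arch, 0, kill - 2);
    out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, ip_off + 4, 0, 0);              /* ip high word */
    out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(ip_lo >> 32), 0, 3); /* differs: not libc */
    out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, ip_off, 0, 0);                  /* ip low word */
    out[i++] = insn(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)ip_lo, 0, 1);        /* below range: not libc */
    out[i++] = insn(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)ip_hi, 0, allow - 7); /* inside: ALLOW */
    out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    for (int k = 0; k < n; k++)  /* jump distance to the TRACE return shrinks with each match */
        out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, sysnums[k], (uint8_t)(trace - (8 + k) - 1), 0);
    out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
    out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_TRACE, 0, 0);
    out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_KILL, 0, 0);
    return i;
}
```

The resulting array is what goes into the struct sock_fprog passed to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...); SECCOMP_RET_TRACE only reaches the tracer if it attached with PTRACE_O_TRACESECCOMP, otherwise the kernel treats it as an error return.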
03.02 PR_ptrace
Because a tracee can have only one tracer, the application's own use of ptrace has to be handled as a system call and emulated:
Before the system call enters the kernel, it is replaced with PR_void so that no real ptrace is performed; the emulation happens afterwards.
After the system call exits, ptrace is emulated. PTRACE_ATTACH and PTRACE_TRACEME requests each get their own handling, and PTRACE_SYSCALL, PTRACE_CONT, PTRACE_SETOPTIONS, PTRACE_GETEVENTMSG and other kinds of ptrace operations are handled as well.
ptrace has many request types, and the full handling logic is more complex (we are still digesting it).
03.03 PR_wait4, PR_waitpid
Used together with PR_ptrace. If the current tracee is not itself a tracer, the call is not handled and is passed straight through to the system. Likewise, if the first parameter of wait is not -1, the awaited thread is looked up in the set to check that it exists and is a tracee of the current handling thread; if not, the call is passed through unhandled.
The handling logic is as follows:
Before the system call enters the kernel, it is replaced with PR_void so that it is not actually passed to the kernel.
After the system call exits, the wait logic inside the tracer is emulated: starting from the current tracer (called ptracer in the code), iterate over its tracees to see whether any has an event that needs to be reported; if so, populate the registers and wake up the tracer currently being handled.
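As an added example (not the project's code), the following C model captures the decision rules just described for the emulated wait: pass the call through, report a pending tracee event, or keep the tracer waiting. The struct names, emulate_wait4 and the sample pids (borrowed from the log in 03.05) are assumptions; the status word uses the standard ptrace-event stop encoding, which is why a seccomp stop appears in that log as event 7057f.

```c
#include <stdint.h>
#include <signal.h>
#include <sys/wait.h>

#define MAX_TRACEES 8
#define PTRACE_EVENT_SECCOMP_NUM 7   /* PTRACE_EVENT_SECCOMP: the "7" in the intercept log */

/* A tracee as seen by its emulated tracer: pid plus a pending ptrace-event stop (0 = none). */
struct tracee { int pid; int event; };
/* The "ptracer" of the text: an application thread that itself ptrace()s other threads. */
struct ptracer { int pid; int ntracees; struct tracee tracees[MAX_TRACEES]; };

enum wait_result { WAIT_PASSTHROUGH, WAIT_PENDING, WAIT_REPORTED };

/* Wait status for a ptrace-event stop: (event << 16) | (SIGTRAP << 8) | 0x7f,
 * so a seccomp stop (event 7) encodes as 0x7057f. */
uint32_t event_status(int event)
{
    return ((uint32_t)event << 16) | ((uint32_t)SIGTRAP << 8) | 0x7f;
}

/* Emulated wait4(want_pid, ...) issued by tracer t, run on the exit side of the call.
 * PASSTHROUGH: not ours (no tracees, or a pid outside the set) -> let the kernel handle it.
 * REPORTED:    a matching tracee had an event; *pid/*status are what to write to the registers.
 * PENDING:     ours, but nothing to report yet -> the tracer is woken when an event arrives. */
enum wait_result emulate_wait4(struct ptracer *t, int want_pid, int *pid, uint32_t *status)
{
    if (t->ntracees == 0)
        return WAIT_PASSTHROUGH;
    int ours = (want_pid == -1);
    for (int i = 0; i < t->ntracees; i++)
        if (t->tracees[i].pid == want_pid)
            ours = 1;
    if (!ours)
        return WAIT_PASSTHROUGH;
    for (int i = 0; i < t->ntracees; i++) {
        struct tracee *c = &t->tracees[i];
        if ((want_pid == -1 || c->pid == want_pid) && c->event != 0) {
            *pid = c->pid;
            *status = event_status(c->event);
            c->event = 0;            /* an event is reported exactly once */
            return WAIT_REPORTED;
        }
    }
    return WAIT_PENDING;
}
```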
03.04 PR_execve, PR_execveat
Mainly used when USE_LOADER_EXE is enabled: the native program is replaced so that it is loaded through a fixed loader.
03.05 Intercept Log
E INTERCEPT/SYS: vpid 2: got event 7057f
E INTERCEPT: vpid 2,secomp_enabled 0,
E INTERCEPT/SYS: (null) info: vpid 2: sysenter start: openat(0xffffff9c, 0xb4000073c72fcd60, 0x0, 0x0, 0xb4000073c72fcd88, 0xb4000073c72fcde8) = 0xffffff9c [0x7367d45e80, 0]
E INTERCEPT/SYS: vpid 2: open path:/system/fonts/
E INTERCEPT/SYS: syscall_number:216
E INTERCEPT/SYS: vpid 2,openat: /system/fonts/
E INTERCEPT/SYS: (null) info: vpid 2: sysenter end: openat(0xffffff9c, 0xb4000073c72fcd60, 0x0, 0x0, 0xb4000073c72fcd88, 0xb4000073c72fcde8) = 0xffffff9c [0x7367d45e80, 0]
E INTERCEPT/SYS: vpid 2: open path:/system/fonts/
E INTERCEPT/SYS: (null) info: vpid 2: restarted using 7, signal 0, tracee pid 32222,app_pid 32162
E/INTERCEPT/SYS: (null) info: vpid 3: sysenter start: close(0x90, 0x0, 0x7492d0d088, 0x6, 0x73b7b82860, 0x73b7b82880) = 0x90 [0x73633faae0, 0]
E/INTERCEPT/SYS: syscall_number:41
E/INTERCEPT/SYSW: noting to do,sn:41
E/INTERCEPT/SYS: (null) info: vpid 3: sysenter end: close(0x90, 0x0, 0x7492d0d088, 0x6, 0x73b7b82860, 0x73b7b82880) = 0x90 [0x73633faae0, 0]
E/INTERCEPT/SYS: (null) info: vpid 3: restarted using 7, signal 0, tracee pid 32223,app_pid 32162
E/INTERCEPT/SYS: vpid 3: got event 7057f
04. Attachment
Extra module:
Since this framework adds an extra handling process alongside the original application and traces the application's processes, in practice the new process and the trace also have to be hidden, to avoid conflicts with the application's detection modules and to support full emulation of the application's own trace calls.
This is the additional application countermeasure module, which will be shared later in a separate article.
Reference projects:
/proot-me/proot
/termux/proot