
Abyss: an application-level system call interception framework for the Android platform

Views: 760 / 2024-09-19 11:16:00

On the Android platform, covering the application from top to bottom with no ROOT, bootloader unlocking or flashing required: the last link of the application-level interception framework, interception of SVC system calls.

GitHub (project repository link)

Driven by the needs of our virtualization product, we have to run on ordinary Android phones. We therefore need to build an application-level interception framework that covers every layer of the application from top to bottom, and Abyss, which intercepts the SVC system call instructions, is the final piece at the bottom of that hierarchy.

01. Description

tracee: the process attached with ptrace, usually the target application process.

tracer: the process that ptraces another process and handles that process's system calls.

This framework uses an Android Provider component to start the service process that performs the interception. Once that process is up, a separate thread is created that loops over the callbacks for every intercepted system call. Because this project only demonstrates the feasibility of the approach and prints logs, the business logic is deliberately simple and can be extended as needed.

If you need to hook in concrete services, you may have to switch to multi-threaded processing to improve stability. In our tests, switching between threads also carries some cost, so the performance gain is limited, but stability does improve: one slow handler no longer blocks all of the application's processes.

02. Processes

The flow by which the application process (the tracee) is attached is as follows (flowchart not reproduced in this text):

The tracer's flow is as follows (flowchart not reproduced in this text):

Note: fork() is used so that the worker thread is the one that performs the attach. ptrace is strictly limited here: only the thread that actually performed the attach may access the registers of the corresponding tracee.

03. System call processing

03.01 Library ignore mechanism

For business reasons, and to improve performance, we need to ignore system calls issued from certain libraries, such as:

find_libc_exec_maps() locates, in the process's maps, the memory address range of that library's executable code. The system calls that need to be processed are:

//enable_syscall_filtering()
FilteredSysnum internal_sysnums[] = {
    { PR_ptrace, FILTER_SYSEXIT },
    { PR_wait4, FILTER_SYSEXIT },
    { PR_waitpid, FILTER_SYSEXIT },
    { PR_execve, FILTER_SYSEXIT },
    { PR_execveat, FILTER_SYSEXIT },
    { PR_readlinkat, FILTER_SYSEXIT }, // not handled at the moment
};
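As an added illustration (my own example, not the project's code, which the page does not show), here is a self-contained C version of what find_libc_exec_maps() has to do: pick out the r-xp segments of a named library from /proc/<pid>/maps text and test whether a given program counter lies inside them. The maps lines are constructed for the example, and the struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One executable (r-xp) segment of a library, taken from /proc/<pid>/maps. */
struct exec_range { uintptr_t start, end; };

/* Scan maps text for r-xp segments whose path basename equals `libname`
 * (e.g. "libc.so"); stores up to `max` ranges in `out`, returns the count. */
size_t find_lib_exec_maps(const char *maps, const char *libname,
                          struct exec_range *out, size_t max)
{
    size_t n = 0;
    const char *line = maps;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], perms[5], path[256] = "";
        unsigned long lo, hi;
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            /* maps line layout: start-end perms offset dev inode [path] */
            if (sscanf(buf, "%lx-%lx %4s %*s %*s %*s %255s",
                       &lo, &hi, perms, path) >= 3 && perms[2] == 'x') {
                const char *base = strrchr(path, '/'); base = base ? base + 1 : path;
                if (strcmp(base, libname) == 0) {
                    out[n].start = lo; out[n].end = hi; n++;
                }
            }
        }
        if (!nl) break; line = nl + 1;
    }
    return n;
}

/* True when `pc` (e.g. the address that issued an SVC) lies inside one of the ranges. */
int pc_in_ranges(uintptr_t pc, const struct exec_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (pc >= r[i].start && pc < r[i].end) return 1;
    return 0;
}

/* Constructed sample maps text (not a dump from a real device). */
const char *SAMPLE_MAPS =
    "7b1c000000-7b1c08e000 r--p 00000000 fe:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so\n"
    "7b1c08e000-7b1c13a000 r-xp 0008e000 fe:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so\n"
    "7b1d000000-7b1d400000 r-xp 00000000 fe:00 5678 /apex/com.android.art/lib64/libart.so\n"
    "7ffc000000-7ffc021000 rw-p 00000000 00:00 0 [stack]\n";
```

The same pc_in_ranges() check is what a tracer would apply to the tracee's program counter to decide whether a stop came from an ignored library.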

set_seccomp_filters distinguishes between architectures and sets the system calls to trace in an ebpf (seccomp-bpf) filter. The ebpf statements for the different architectures are populated together into one program. The pseudocode for composing the ebpf program is as follows:

for (each architecture) {
    start_arch_section;
    for (each system call under the current architecture) {
        add_trace_syscall;
    }
    end_arch_section;
}
finalize_program_filter;

start_arch_section;      // architecture-specific ebpf handling, including the libc filter statements
add_trace_syscall;       // add the ebpf statements that match the system calls to be processed
end_arch_section;        // closing ebpf statement for the section (return once a system call has been matched)
finalize_program_filter; // final ebpf statement, which kills the thread in any remaining unexpected case

Finally, the following call installs the ebpf program:

status = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program);
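The four steps of the pseudocode written out as an added C example (modelled on the structure described above, not the project's own source): the program for one architecture is built from start_arch_section, add_trace_syscall, end_arch_section and finalize_program_filter, then installed with the prctl call shown above. The FILTER_SYSEXIT value, the buffer size and the helper names are assumptions; the PR_SET_NO_NEW_PRIVS step is a kernel requirement for unprivileged callers that the page does not mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
/* Flag carried in the SECCOMP_RET_TRACE data word: tracer also wants the sysexit stop. */
#define FILTER_SYSEXIT 0x1
#define MAX_INSNS 64            /* room for about 29 traced syscalls on one arch */

static struct sock_filter insns[MAX_INSNS];
static size_t ninsns;
static void emit(struct sock_filter f) { if (ninsns < MAX_INSNS) insns[ninsns++] = f; }

/* start_arch_section: skip this whole section unless the arch matches, then load nr. */
static void start_arch_section(uint32_t arch, size_t nb_syscalls)
{
    emit((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    /* false branch skips: load-nr (1) + 2 per traced syscall + allow (1) */
    emit((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 0, (uint8_t)(2 * nb_syscalls + 2)));
    emit((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
}
/* add_trace_syscall: a matching syscall number stops in the tracer (PTRACE_EVENT_SECCOMP). */
static void add_trace_syscall(uint32_t nr, uint32_t flags)
{
    emit((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1));
    emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | flags));
}
/* end_arch_section: every other syscall of this arch runs without a stop. */
static void end_arch_section(void) { emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); }
/* finalize_program_filter: an unexpected arch is killed rather than silently allowed. */
static void finalize_program_filter(void) { emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)); }

/* Build the program for one arch and its traced syscall numbers; returns the insn count.
 * (A second arch would just repeat start/add/end before finalize.) */
size_t build_filter(uint32_t arch, const uint32_t *nrs, size_t n)
{
    ninsns = 0;
    start_arch_section(arch, n);
    for (size_t i = 0; i < n; i++) add_trace_syscall(nrs[i], FILTER_SYSEXIT);
    end_arch_section();
    finalize_program_filter();
    return ninsns;
}

/* Install the built program; PR_SET_NO_NEW_PRIVS is required for an unprivileged caller. */
int install_filter(void)
{
    struct sock_fprog program = { .len = (unsigned short)ninsns, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program);
}
```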

03.02 PR_ptrace

Because a tracee can have only one tracer, a ptrace call made by the application itself cannot be executed for real; it has to be handled by simulating ptrace at the time of the call.

Before the system call enters the kernel, the system call number is replaced with PR_void so that no real ptrace is executed; the call is then simulated afterwards.

After the system call exits, the ptrace request is simulated. PTRACE_ATTACH and PTRACE_TRACEME requests each receive different handling. PTRACE_SYSCALL, PTRACE_CONT, PTRACE_SETOPTIONS, PTRACE_GETEVENTMSG and other kinds of ptrace operations are also handled.

ptrace has many kinds of requests, and the complete processing logic is fairly complex (we are still digesting it).

03.03 PR_wait4, PR_waitpid

Used together with PR_ptrace. If the current tracee is not itself a tracer, the call is not processed and is passed straight to the system. Otherwise, or if the first parameter of wait is -1, the waited-for thread is looked up in the set to check that it exists and is a tracee of the thread currently doing the processing; if not, the call is not processed and is passed straight to the system.

The processing logic is as follows:

Before the system call enters the kernel, the system call is replaced with PR_void so that it is not actually passed to the kernel.

After the system call exits, the tracer's wait processing logic is simulated. Based on the tracer currently being processed (called ptracer in the code), its tracees are iterated over to see whether any has an event that needs reporting; if so, the registers are populated and the tracer currently being processed is woken up.
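An added, simplified model of the wait4/waitpid emulation described above (my own example, not Abyss code): the ptracer's tracees are kept in a small array, and the emulated wait decides whether to pass the call to the kernel, to suspend the ptracer, or to consume a pending event and hand back its pid and status for the registers. The struct and function names are assumptions; the status value 0x7057f used in the test mirrors the "got event 7057f" line in the log below (a PTRACE_EVENT_SECCOMP stop).

```c
#include <stddef.h>
#include <sys/types.h>
#define MAX_TRACEES 8

/* A thread the application attached with its own ptrace(); status 0 = nothing to report. */
struct vtracee { pid_t pid; int pending_status; };

/* The application thread acting as tracer ("ptracer" in the page's terms). */
struct ptracer { struct vtracee tracees[MAX_TRACEES]; size_t count; };

/* Return values of emulate_wait; anything >= 0 is the pid to place in the return register. */
enum wait_action { WAIT_PASS_TO_KERNEL = -2, WAIT_SUSPEND = -1 };

/* Emulate wait4(pid, status, ...) issued by `tr` after the real call was turned into PR_void. */
long emulate_wait(struct ptracer *tr, pid_t pid, int *status)
{
    if (tr == NULL || tr->count == 0)
        return WAIT_PASS_TO_KERNEL;          /* caller is not a tracer: the kernel handles it */
    size_t candidates = 0;
    for (size_t i = 0; i < tr->count; i++) {
        struct vtracee *t = &tr->tracees[i];
        if (pid != -1 && t->pid != pid) continue;   /* pid == -1 means "any of my tracees" */
        candidates++;
        if (t->pending_status != 0) {
            *status = t->pending_status;            /* what the tracer would read back */
            t->pending_status = 0;                  /* event consumed */
            return t->pid;                          /* goes into the return register */
        }
    }
    /* pid named a thread we do not emulate: not our business, pass it through unchanged */
    if (candidates == 0) return WAIT_PASS_TO_KERNEL;
    return WAIT_SUSPEND;                             /* keep the ptracer blocked until a tracee reports */
}

/* Record a tracee stop; returns 1 when the tracee belongs to `tr` (the ptracer should be woken). */
int post_tracee_event(struct ptracer *tr, pid_t pid, int status)
{
    for (size_t i = 0; i < tr->count; i++)
        if (tr->tracees[i].pid == pid) { tr->tracees[i].pending_status = status; return 1; }
    return 0;
}
```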

03.04 PR_execve, PR_execveat

Mainly relevant when USE_LOADER_EXE is turned on: execution of a native program is replaced with execution of a fixed loader, which then loads the program.

03.05 Interception log

E INTERCEPT/SYS: vpid 2: got event 7057f
E INTERCEPT: vpid 2,secomp_enabled 0,
E INTERCEPT/SYS: (null) info: vpid 2: sysenter start: openat(0xffffff9c, 0xb4000073c72fcd60, 0x0, 0x0, 0xb4000073c72fcd88, 0xb4000073c72fcde8) = 0xffffff9c [0x7367d45e80, 0]
E INTERCEPT/SYS: vpid 2: open path:/system/fonts/
E INTERCEPT/SYS: syscall_number:216
E INTERCEPT/SYS: vpid 2,openat: /system/fonts/
E INTERCEPT/SYS: (null) info: vpid 2: sysenter end: openat(0xffffff9c, 0xb4000073c72fcd60, 0x0, 0x0, 0xb4000073c72fcd88, 0xb4000073c72fcde8) = 0xffffff9c [0x7367d45e80, 0]
E INTERCEPT/SYS: vpid 2: open path:/system/fonts/
E INTERCEPT/SYS: (null) info: vpid 2: restarted using 7, signal 0, tracee pid 32222,app_pid 32162

E/INTERCEPT/SYS: (null) info: vpid 3: sysenter start: close(0x90, 0x0, 0x7492d0d088, 0x6, 0x73b7b82860, 0x73b7b82880) = 0x90 [0x73633faae0, 0]
E/INTERCEPT/SYS: syscall_number:41
E/INTERCEPT/SYSW: noting to do,sn:41
E/INTERCEPT/SYS: (null) info: vpid 3: sysenter end: close(0x90, 0x0, 0x7492d0d088, 0x6, 0x73b7b82860, 0x73b7b82880) = 0x90 [0x73633faae0, 0]
E/INTERCEPT/SYS: (null) info: vpid 3: restarted using 7, signal 0, tracee pid 32223,app_pid 32162
E/INTERCEPT/SYS: vpid 3: got event 7057f

04. Appendix

Additional module:

Since this framework adds a handler process to the original application and traces the application's process, in practice the new process and the trace marks also need to be hidden, both to avoid conflicts with the application's detection module and to fully support the application's own trace call simulation.

That is the additional application-confrontation module, which will be shared later in a separate article.

Reference projects:

/proot-me/proot

/termux/proot