
Problem description

I wrote a kernel driver that shares memory with userspace via mmap, and found that the data read back was wrong.
Recalling that the mmap length is automatically rounded up to a multiple of PAGE_SIZE, I guessed that mmap returns the start address of the corresponding page, so the buffer ends up at an offset.

Fix: at initialization, allocate a separate block of memory of size PAGE_SIZE instead of using an array,
and call SetPageReserved to reserve that page.

Read more »

Overview

A certain app uses curl + OpenSSL for HTTPS communication, with certificate verification enabled.
By analyzing the curl source, I located the certificate-verification code and patched the assembly to bypass the verification.

How it works

Related code

Definition of SSL_CTX_set_verify: openssl/ssl/ssl_lib.c#L3551

void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
                        int (*cb) (int, X509_STORE_CTX *))
{
    ctx->verify_mode = mode;
    ctx->default_verify_callback = cb;
}

Call site: ossl_connect_step1, curl/lib/vtls/openssl.c#L3200
Related variable: verifypeer, curl/lib/vtls/openssl.c#L2676

Read more »

Command comparison table

GDB to LLDB command map

Environment

PC: Windows 10
NDK: 22.1.7171670

Program locations

GDB 8.3 (located in <ndk>\toolchains\llvm\prebuilt\windows-x86_64\bin)
lldb version 11.0.5 (located in <ndk>\prebuilt\windows-x86_64\bin)

Server

ARM

<ndk>\prebuilt\android-arm64\gdbserver
<ndk>\toolchains\llvm\prebuilt\windows-x86_64\lib64\clang\11.0.5\lib\linux\arm\lldb-server

ARM64

<ndk>\prebuilt\android-arm\gdbserver
<ndk>\toolchains\llvm\prebuilt\windows-x86_64\lib64\clang\11.0.5\lib\linux\aarch64\lldb-server

Read more »

Problem description

After installing the kernel module with insmod, accessing the driver from the app's native layer failed with Permission Denied.
I set the device node permissions to bypass the DAC check: chmod 666 /dev/helloworld
Calling it again still failed.
I ran dmesg -w | grep "avc: denied" to look at the SELinux log.

[23292:logd.auditd]type=1400 audit(1651503112.740:5320): avc: denied { read write } for comm="exp.hellokernel" name="helloworld" dev="tmpfs" ino=297747 scontext=u:r:priv_app:s0:c227,c256,c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

After disabling SELinux, the driver call succeeded.

Adding an allow rule still failed; after consulting documentation, I learned that the domain has to be declared mlstrustedsubject.

In the end, I used magiskpolicy to add the custom SELinux rules.

PS: I placed the apk under system/priv-app, so the subject context is priv_app rather than untrusted_app.

Read more »

Error messages

Log

logcat: Unexpected EOF!

This means that either the device shut down, logd crashed, or this instance of logcat was unable to read log
messages as quickly as they were being produced.

LSPosed

Logd maybe crashed, retrying in 1s...
Logd crashed too many times, trying manually start...

Fix

Developer options > Logger buffer sizes: change to 16M

Call chain

process_vm_rw -> process_vm_rw_core -> process_vm_rw_single_vec -> process_vm_rw_pages -> copy_page_to_iter -> copy_page_to_iter_iovec -> copyout

Core code

common/mm/process_vm_access.c
common/lib/iov_iter.c

Version: android-4.14-stable

Linux manual page

process_vm_readv(2) - Linux manual page

#include <sys/uio.h>

ssize_t process_vm_readv(pid_t pid,
                         const struct iovec *local_iov,
                         unsigned long liovcnt,
                         const struct iovec *remote_iov,
                         unsigned long riovcnt,
                         unsigned long flags);
ssize_t process_vm_writev(pid_t pid,
                          const struct iovec *local_iov,
                          unsigned long liovcnt,
                          const struct iovec *remote_iov,
                          unsigned long riovcnt,
                          unsigned long flags);

Read more »

Environment

Redmi K40 Gaming, MIUI 12.5.8

Extracting boot.img

Check the partition name:

ls -al /dev/block/by-name | grep boot

Extract boot.img:

dd if=$(readlink /dev/block/by-name/boot_a) of=/sdcard/boot.img

Extracting the kernel

Method 1: on the PC

Build it yourself or use affggh/magiskbootkitchen

adb pull /sdcard/boot.img .
./magiskboot unpack boot.img

Method 2: on the phone

./magiskboot unpack /sdcard/boot.img

Disassembly

Open the kernel in IDA64 and select the ARM processor, 64-bit.
Run the following Python script:

import idc
# Force instruction creation across the first 1 MiB so IDA picks up code
# it did not auto-analyze in the raw kernel image.
for i in range(0, 0x100000):
    idc.create_insn(i)

Then wait for IDA to finish its analysis.

Locating check_version

Search for the string "disagrees about version of symbol" in 010Editor and copy its address.
In IDA64, look up the cross-references to that address; the referencing function is check_version.

Patch

Patch the first conditional branch in the function body to an unconditional B instruction. Then press F5 and check that the return value is 1.

For example:
CBZ X2, loc_FB8A8
is patched to:
B loc_FB8A8

Related code:

ROM:00000000000FB8A8                               loc_FB8A8                               ; CODE XREF: sub_FB804+14↑j
ROM:00000000000FB8A8 35 00 80 52 MOV W21, #1
ROM:00000000000FB8AC 0A 00 00 14 B loc_FB8D4
ROM:00000000000FB8D4                               loc_FB8D4                               ; CODE XREF: sub_FB804+74↑j
ROM:00000000000FB8D4 ; sub_FB804+90↑j
ROM:00000000000FB8D4 ; sub_FB804+A8↑j
ROM:00000000000FB8D4 E0 03 15 2A MOV W0, W21
ROM:00000000000FB8D8 F4 4F 43 A9 LDP X20, X19, [SP,#0x20+var_s10]
ROM:00000000000FB8DC F6 57 42 A9 LDP X22, X21, [SP,#0x20+var_s0]
ROM:00000000000FB8E0 F7 0B 40 F9 LDR X23, [SP,#0x20+var_10]
ROM:00000000000FB8E4 FD 7B C4 A8 LDP X29, X30, [SP+0x20+var_20],#0x40
ROM:00000000000FB8E8 C0 03 5F D6 RET

References

Bypassing Android kernel module load verification