
Patching the Android kernel source to bypass State, TracerPid and wchan anti-debugging

Overview

Modify the Android kernel source so that anti-debugging checks which read the State and TracerPid fields of /proc/$pid/status, or the contents of /proc/$pid/wchan, no longer see a debugger.

Target files

In the kernel source tree, open base.c and array.c under fs/proc/.

Modifications

base.c

The proc_pid_wchan function

Change the last else branch to the following (this is the 3.x-era signature, where proc_pid_wchan writes into a char buffer; on kernels where it writes to a seq_file, make the same substitution in the seq_printf/seq_puts call):

else {
	/* modified: when the resolved symbol contains "trace" (ptrace_stop),
	 * report an innocuous wait channel instead of the real one */
	if (strstr(symname, "trace"))
		return sprintf(buffer, "%s", "sys_epoll_wait");
	return sprintf(buffer, "%s", symname);
}

The reason: while a thread is stopped under a debugger, /proc/$pid/wchan and /proc/$pid/task/$tid/wchan contain ptrace_stop; when it is not being debugged they contain ep_poll (the thread is waiting in epoll). Both files are served by proc_pid_wchan, so one change covers them. Two caveats: strstr(symname, "trace") matches any symbol containing "trace", not only ptrace_stop, and the replacement string should match what an untraced process reports on the same device (ep_poll in the observation above), because a check may compare against that exact value rather than just look for ptrace_stop.

array.c

1. The task_state_array string array

Change the entries for state values 4 and 8 (TASK_STOPPED, "T (stopped)", and TASK_TRACED, "t (tracing stop)"; the values are the numbers in the comments beside each entry) so that both read "S (sleeping)". This table is used for every process on the system, so a process genuinely stopped by SIGSTOP will also be reported as sleeping, both in /proc and in ps.

2. The task_state function

Same goal as the earlier post (Reverse-engineering and patching the Android x64 kernel to bypass TracerPID anti-debugging): force TracerPid to 0. It is enough to replace the tpid argument in the seq_printf call with the constant 0 (tpid is still computed above, so expect at most a set-but-unused warning from the compiler):

seq_printf(m,
	"State:\t%s\n"
	"Tgid:\t%d\n"
	"Pid:\t%d\n"
	"PPid:\t%d\n"
	"TracerPid:\t%d\n"
	"Uid:\t%d\t%d\t%d\t%d\n"
	"Gid:\t%d\t%d\t%d\t%d\n",
	get_task_state(p),
	task_tgid_nr_ns(p, ns),
	pid_nr_ns(pid, ns),
	/* modified: tpid replaced by 0 so TracerPid is always reported as 0 */
	ppid, /*tpid*/0,
	from_kuid_munged(user_ns, cred->uid),
	from_kuid_munged(user_ns, cred->euid),
	from_kuid_munged(user_ns, cred->suid),
	from_kuid_munged(user_ns, cred->fsuid),
	from_kgid_munged(user_ns, cred->gid),
	from_kgid_munged(user_ns, cred->egid),
	from_kgid_munged(user_ns, cred->sgid),
	from_kgid_munged(user_ns, cred->fsgid));

Result

After attaching a debugger to the target, cd into /proc/$pid/ and run:

head -8 status
cat wchan

With the three changes in place, State should read S (sleeping) and TracerPid 0 even though the tracer is attached, and wchan should no longer show ptrace_stop. Check /proc/$pid/task/$tid/wchan for the traced thread as well, since that is the file a per-thread check would read.
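To see the other side of this, here is the user-space detection logic the three patches are meant to defeat, written as an added example that is not code from the original post. It parses State and TracerPid out of /proc/<pid>/status text, looks for ptrace_stop in every thread's wchan under /proc/self/task, and combines them into one verdict; the parsing functions take plain strings so they can be exercised on constructed input, and self_check() runs them live. The /proc layout, the 4096/128-byte buffer sizes and the MAX_THREADS limit are assumptions of this example.

```c
/* Added example, not code from the original post: the user-space side of the checks
 * this patch defeats, parsing State/TracerPid from status text and per-thread wchan. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_THREADS 64 /* assumed upper bound on threads scanned under /proc/self/task */

/* Value of the "TracerPid:" line, or -1 if absent. Non-zero = ptrace parent. */
int status_tracer_pid(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1; /* atoi skips the tab */
}

/* Copy the "State:" value (e.g. "t (tracing stop)") into out; 0 on success. */
int status_state(const char *status, char *out, size_t outlen)
{
    const char *p = strstr(status, "State:");
    if (!p)
        return -1;
    p += strlen("State:");
    p += strspn(p, " \t");
    snprintf(out, outlen, "%.*s", (int)strcspn(p, "\n"), p);
    return 0;
}

/* 't' = TASK_TRACED (value 8 in task_state_array); 'T' = TASK_STOPPED (value 4),
 * which a plain SIGSTOP also produces, so it is the weaker signal. */
int state_looks_traced(const char *state)
{
    return state[0] == 't' || state[0] == 'T';
}

/* A thread stopped under ptrace sleeps in ptrace_stop. */
int wchan_looks_traced(const char *wchan)
{
    return strstr(wchan, "ptrace_stop") != NULL;
}

/* 1 if the status text or any thread's wchan shows a tracer, else 0. */
int debugger_detected(const char *status, const char *const *wchans, size_t nwchans)
{
    char state[64];
    if (status_tracer_pid(status) > 0)
        return 1;
    if (status_state(status, state, sizeof state) == 0 && state_looks_traced(state))
        return 1;
    for (size_t i = 0; i < nwchans; i++)
        if (wchan_looks_traced(wchans[i]))
            return 1;
    return 0;
}

/* Read a small /proc file into buf; returns bytes read or -1. */
static long read_small_file(const char *path, char *buf, size_t buflen)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, buflen - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Live check of the caller: status plus every thread's wchan; 1 = tracer, 0 = clean, -1 = no /proc. */
int self_check(void)
{
    static char status[4096], store[MAX_THREADS][128];
    const char *wchans[MAX_THREADS];
    char path[300];
    size_t n = 0;
    struct dirent *e;
    if (read_small_file("/proc/self/status", status, sizeof status) < 0)
        return -1;
    DIR *d = opendir("/proc/self/task");
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL && n < MAX_THREADS) {
        if (e->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "/proc/self/task/%s/wchan", e->d_name);
        if (read_small_file(path, store[n], sizeof store[n]) > 0) {
            wchans[n] = store[n];
            n++;
        }
    }
    closedir(d);
    return debugger_detected(status, wchans, n);
}

int main(void)
{
    int r = self_check();
    puts(r > 0 ? "debugger detected" : r == 0 ? "no tracer visible" : "cannot read /proc");
    return 0;
}
```

Run it under a debugger on an unpatched kernel and it reports "debugger detected"; on a kernel with the three changes above it reports "no tracer visible" even while ptrace is attached, which is the same observation the head/cat commands make by hand. Note that the wchan check looks for ptrace_stop specifically, so a patch that substitutes a different benign name still passes it, whereas a check comparing against the device's usual ep_poll would not.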

References

Android反调试——从源码入手 (Android anti-debugging: starting from the source code)