Detailed explanation of three Android platform injection techniques

Background

In the Android system, processes are isolated from each other, and one process cannot directly access the address space of another. Therefore, to perform memory operations on an app process on the Android platform, that is, to read information from the target process's address space or to modify private data in it, an injection technique is required.

Injection techniques load a specified so module, or a piece of code, into the target process. Once the injection succeeds, everything in the target process's address space, both data and code, can be read and tampered with.

The main application scenarios of Android injection techniques are illegitimate ones, such as game cheat (auxiliary) software and malicious software.

The following analyzes three injection methods in detail: zygote injection, ptrace injection, and injection by modifying an so file.

Zygote injection

Zygote is a very important process in the Android system, because most application processes in Android are hatched (forked) from it; fork is a process reuse technique. In other words, the parent of an ordinary application (APP) process in the Android system is the zygote process.

The purpose of zygote injection is to get a specified so module into a specified APP process. The so module is not injected into that process directly; it is first injected into the zygote process.

After the so module has been injected into the zygote process, any application process that is subsequently started (for example, by tapping the app) already contains the so module that was meant for the target process: the new process is forked from the zygote process, so it inherits the so module that was injected into zygote.

This is an indirect form of injection, and it is also a relatively safe way to inject so modules. The xposed framework is currently based on zygote injection.

Process of injecting an so module via zygote

1. Use the injector to inject the so module into the zygote process;

2. Manually start the APP process that is to receive the so module. Since the APP process is forked from the zygote process, the started APP process contains all modules present in the zygote process;

3. The injected so module hijacks control of the APP process and executes the code carried in the so module;

4. The injected so module hands control back to the APP process, and the injected process continues to run normally.

Implementation process of Zygote injector

(The injector is mainly based on ptrace and injects shellcode into the process)

  • Attach to the zygote process via ptrace.
  • Call mmap in the target process to allocate memory that will hold the injected shellcode (assembly code).
  • Execute the injected shellcode (the shellcode is assembly code that is written into the target process and executed there).
  • Call munmap to release the allocated memory.
  • Detach from the zygote process via ptrace.

The following is the key zygote code injection implementation

ptrace injection

Ptrace injection implementations fall into two classes:

  • Shellcode is written into the memory space of the remote process using ptrace, and the shellcode, when executed, loads the so module into the remote process.
  • The so module is loaded by remotely calling dlopen, dlsym, dlclose and similar functions directly, and the specified code is then executed.

Injection flow when ptrace calls the functions directly:

  • Attach to the process to be injected using ptrace;
  • Save the register environment;
  • Remotely call mmap to allocate memory space;
  • Write the name of the module to load and the name of the function to call into the remote process's memory;
  • Remotely call dlopen to open the injected module;
  • Remotely call dlsym to obtain the address of the function that needs to be called;
  • Remotely call that function of the injected module;
  • Restore the register environment;
  • Detach from the remote process using ptrace.

Key implementation of ptrace calling system functions directly

The principle of shellcode injection by ptrace

Shellcode injection places the dlopen/dlsym library calls inside the shellcode itself. The injector only allocates memory in the remote APP process, patches the parameter values used by dlopen, dlsym, dlclose and the other functions into the shellcode, writes the shellcode into the memory allocated in the remote APP process, and finally executes it by modifying the PC register.

Detailed steps of ptrace shellcode injection

1. Write the calls to dlopen, dlsym and the other functions into the shellcode so that it loads the so module and executes the function; the parameter addresses, function addresses and register values must first be filled in with their real values;

2. Attach to the remote APP process and save the values of its registers, so that the remote process can be resumed later;

3. Allocate memory in the remote APP process, choose the exact location where the shellcode will be stored, and prepare to store the shellcode and its parameter data there;

4. Compute, for each so module function used, its address in the remote APP process from the corresponding local address, and fill it into the shellcode parameters. Compute the offset of each library function parameter and register value relative to the start of the shellcode, and add the start address of the shellcode in the remote process; the result is the location of these parameters in the remote process's memory, and these addresses are filled into the shellcode parameters;

5. Set the register values so that the library function is executed;

6. Restore the register values so that the remote process continues to execute normally.
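Both ptrace flows above, and the zygote flow before them, leave traces in the target process's memory map: an anonymous region mapped with mmap and made executable for the shellcode, and an so module loaded with dlopen from a path no normal app library lives in. As an added defender-side example (not code from the original article), the following Python walks /proc/<pid>/maps text and flags both. The trusted directory list, the sample maps text and the libhook.so path are constructed assumptions.

```python
import re

# /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
# Assumption: system libraries and the app's own APK-installed libs are the only expected sources.
TRUSTED_LIB_DIRS = ("/system/", "/apex/", "/vendor/", "/data/app/")

def parse_maps(text):
    """Turn maps text into (start, end, perms, path) tuples; path is '' for anonymous regions."""
    rows = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return rows

def suspicious_mappings(text):
    """Flag the two residues of the injection flows: an anonymous writable+executable region
    (the mmap'd shellcode staging area) and an so loaded from outside the trusted directories."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if perms.startswith("rwx") and (not path or path.startswith("[anon")):
            findings.append(("rwx_anon", start, end, path))
        elif path.endswith(".so") and not path.startswith(TRUSTED_LIB_DIRS):
            findings.append(("untrusted_so", start, end, path))
    return findings

# Constructed sample (not captured from a device): two normal libc mappings, one anonymous
# rwx page, one module loaded from an app-writable path, and a harmless anonymous heap region.
SAMPLE_MAPS = """\
7a1c000000-7a1c1f0000 r-xp 00000000 fd:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7a1c1f0000-7a1c200000 r--p 001f0000 fd:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7a1d000000-7a1d001000 rwxp 00000000 00:00 0
7a1e000000-7a1e010000 r-xp 00000000 fd:00 5678 /data/local/tmp/libhook.so
7a1f000000-7a1f004000 rw-p 00000000 00:00 0 [anon:libc_malloc]
"""

if __name__ == "__main__":
    for kind, start, end, path in suspicious_mappings(SAMPLE_MAPS):
        print("%-12s %x-%x %s" % (kind, start, end, path))
```

In the flows described above the shellcode region is released with munmap once it has run, so the rwx finding is only visible during the injection window, while the loaded module stays mapped for the life of the process; ART's JIT can also create writable and executable regions, so treat the rwx hit as corroboration rather than proof.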

Key ptrace shellcode injection code implementation

Injection by modifying the ELF file

Native-layer SO (shared object) files on the Android platform are executables in the ELF file format, so injection into an SO file can be achieved by modifying the ELF file.

By modifying the ELF binary and adding custom code to it, the executable first runs the custom code when it is loaded and only then executes the original logic of the ELF file.

Modifying a binary ELF file requires attention to two important structures: the ELF Header and the Program Header Table.

The ELF Header is the only structure in the ELF file with a fixed location. It stores the location and size of the Program Header Table and of the Section Header Table.

The Program Header Table records how each segment of the ELF file is mapped into memory during loading, together with the dependent-library information, and tells the Android system how to build the process image.

The principle of so injection by ELF modification is as follows: the dependent-library information reachable from the Program Header Table is modified to add an entry for a custom so file, so that when the APP process loads the modified ELF file it also loads and runs the custom so file.

Program Header Table entry structure

The type values of a program header table entry are as follows

When the type of a program header table entry is PT_DYNAMIC (dynamic linking information), the data block described by the entry's offset (p_offset) and size (p_filesz) is the .dynamic segment. This .dynamic segment contains the dependent-library information used when the program is linked and loaded.

Implementation process of injection by ELF file modification

1. Modify the string table pointed to by the .dynamic segment and add the name of the custom so module;

2. Add a PT_LOAD entry to the Program Header Table; the new entry maps the string table data that holds the so module name into memory. At the same time, move the Program Header Table to the end of the file;

3. Modify the array data of the .dynamic segment so that it points to the new string table and to the custom so module name;

4. Modify the Program Header Table location in the ELF Header so that it points to the new Program Header Table.
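Steps 2 and 4 leave a modified so with a Program Header Table that no longer sits directly after the ELF header, and step 1 leaves a DT_NEEDED entry naming a library the original never depended on. As an added defender-side example (not code from the original article), the following Python parses a 32-bit ELF's program headers and .dynamic segment and reports both signs; build_sample, the library names and libinject.so are constructed test data, not real files.

```python
import struct

PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5

def parse(data):
    """Read the ELF32 header fields needed here and the program header table (PHT)."""
    if data[:5] != b"\x7fELF\x01": raise ValueError("not a 32-bit little-endian ELF image")
    e_phoff, _, _, e_ehsize, e_phentsize, e_phnum = struct.unpack_from("<IIIHHH", data, 28)
    phdrs = [struct.unpack_from("<8I", data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    return e_phoff, e_ehsize, phdrs

def vaddr_to_off(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, _, p_filesz, *_ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address is not backed by the file")

def needed_libs(data, phdrs):
    """Walk the .dynamic segment (PT_DYNAMIC) and return every DT_NEEDED library name."""
    off, tags = next(p[1] for p in phdrs if p[0] == PT_DYNAMIC), []
    while True:
        tag, val = struct.unpack_from("<II", data, off)
        if tag == DT_NULL: break
        tags.append((tag, val)); off += 8
    strtab = vaddr_to_off(phdrs, dict(tags)[DT_STRTAB])
    return [data[strtab + v:data.index(b"\0", strtab + v)].decode() for t, v in tags if t == DT_NEEDED]

def audit(data, expected_deps):
    """Flag the two marks the modification leaves: a relocated PHT and an unexpected DT_NEEDED."""
    e_phoff, e_ehsize, phdrs = parse(data)
    # Linkers emit the PHT immediately after the ELF header; step 2 moves it to the end of the file.
    findings = ["program header table moved to offset %d" % e_phoff] if e_phoff != e_ehsize else []
    findings += ["unexpected DT_NEEDED %s" % n for n in needed_libs(data, phdrs) if n not in expected_deps]
    return findings

def build_sample(deps, relocate_pht):
    """Constructed minimal ELF32/ARM image for testing (not a real library): header, PHT, .dynamic, strtab."""
    strtab, offs = b"\0", []
    for d in deps:
        offs.append(len(strtab)); strtab += d.encode() + b"\0"
    dyn_off = 52 + 2 * 32                        # PHT with 2 entries follows the 52-byte header
    strtab_off = dyn_off + 8 * (len(deps) + 2)   # .dynamic holds DT_STRTAB, DT_NEEDED..., DT_NULL
    dynamic = struct.pack("<II", DT_STRTAB, strtab_off)
    dynamic += b"".join(struct.pack("<II", DT_NEEDED, o) for o in offs) + struct.pack("<II", DT_NULL, 0)
    size = strtab_off + len(strtab) + (64 if relocate_pht else 0)
    phdrs = struct.pack("<8I", PT_LOAD, 0, 0, 0, size, size, 5, 4096)  # whole file mapped at vaddr 0
    phdrs += struct.pack("<8I", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 6, 4)
    e_phoff = strtab_off + len(strtab) if relocate_pht else 52  # relocated: a copy of the PHT is appended
    ehdr = b"\x7fELF\x01\x01\x01".ljust(16, b"\0") + struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0, e_phoff, 0, 0, 52, 32, 2, 40, 0, 0)
    return ehdr + phdrs + dynamic + strtab + (phdrs if relocate_pht else b"")
```

A real so also needs its DT_STRTAB checked against the original string table's location, since step 3 points it at the new table; comparing the output of audit() for a file against a known-good build of the same library is the simplest way to apply it.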

Key ELF file modification code implementation
