SlideShare une entreprise Scribd logo

Native hook mechanism in Android Bionic linker

K
Kevin Mai-Hsuan Chia

It is an introduction to the Native Hook mechanism, which is a function hook mechanism in Android. It is implemented in Bionic linker, which is the dynamic linker in Android. With Native Hook mechanism enabled, you can hook any native function with another one, without any modification to the existing libraries.

Ingénierie
1  sur  90
Télécharger pour lire hors ligne
Android Dynamic Framework : Native Hook Mechanism in Bionic Linker Mai-Hsuan Chia Shih-Wei Liao Department of Computer Science and Information Engineering National Taiwan University
Outline ● Background ● Motivation ● Native Hook Mechanism ● Experiment ● Applications ● Future works ● Conclusion
Background ● JNI ● Android Dynamic Framework ● Bionic
JNI ● Enable Java code can call or can be called by native applications
JNI Java method JNI Native functionC/C++ Java
Java calls native class HelloWorld { private native void print(); // print() is native function public static void main(String[] args) { new HelloWorld().print(); } static { System.loadLibrary("hello"); // This loads libhello.so } }
● A framework which is able to dynamically replace Java methods in ART Runtime without modifying APKs. Android Dynamic Framework
Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2
Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 0. Do linking
Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 1. Query HookTable
Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 Replace ClassA::A1 with ClassB::B1 1. Query HookTable
Android Dynamic Framework Class A Class B HookTable ... class linker Method A2 Method B1 Method B2 Method B1 2. Do method hooking
● C library in Android ● Forked from BSDs rather than from GNU/Linux ○ To avoid license problems ● Smaller ● Faster Bionic
● Components ○ libc ○ libm ○ libdl (written from scratch) ○ dynamic linker ■ /system/bin/linker (written from scratch) Bionic
Motivation ● Only Java methods can be replaced in Android Dynamic Framework
Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func C1 Func C2 native call hooking path
Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func C1 Func C2 native call hooking path
Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook
Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook (2) dlopen native hook
Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func E2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook (2) dlopen native hook (3) native to native hook
Motivation ● (1) method hook can be done in the existing Android Dynamic Framework ● However, (2) dlopen native hook and (3) native to native hook cannot not be done.
Motivation ● Native hook mechanism can do both (2) dlopen native hook and (3) native to native hook
Motivation With Native hook mechanism integrated, Android Dynamic Framework can be more complete and powerful
Native hook mechanism ● Implemented in Bionic Linker
Review ● How Bionic Linker loads an executable ● Dynamic linking flow ● Dynamic loading flow
How Bionic Linker loads an executable
OS creates a process image ● Based on the interpreter’s segments. high low Memory space /system/bin/linker linker
Linker links itself ● __linker_init() high low Memory space /system/bin/linker
Load the executable ● __linker_init_post_relocation() /system/bin/linker high low Memory space exe executable
Get needed libraries names ● __linker_init_post_relocation() /system/bin/linker high low Memory space executable exe .dynamic DT_NEEDED ptr_to_liba1.so_name DT_NEEDED ptr_to_liba2.so_name … DT_NULL
Get needed libraries names ● __linker_init_post_relocation() /system/bin/linker high low Memory space executable exe DT_NEEDED ptr_to_liba1.so_name DT_NEEDED ptr_to_liba2.so_name … DT_NULL .dynamic char needed_libraries_names[] = { “liba1.so”, “liba2.so” }
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so Loaded Not Loaded p.s.
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so Loaded Not Loaded p.s.
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb1.so libb2.so libb3.so libb4.so ... ... Loaded Not Loaded p.s.
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb2.so libb3.so libb4.so ... ... Loaded Not Loaded p.s. libb1.so
Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb2.so libb3.so libb4.so ... ... ... ... ... ... ... Loaded Not Loaded p.s. libb1.so
Load needed libraries liba1.soexe liba2.so libb1.so libb2.so ... ● find_libaries(exe, needed_libraries_names) ○ step 2 : turn dependencies tree into libraries_list in Breadth First Search(BFS) order libraries_list dependencies tree
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries foreach lib in libraries_list { foreach rel in lib.dynamic_relocation_table { symbol = rel.sym; soinfo_do_lookup(symbol, lib, libraries_list); } }
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; NOT FOUND
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; NOT FOUND
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; FOUND ok
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_k is defined in lib: sym_k = lib.find(sym) else: lib = lib->next; ok
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... ok ok
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list liba1.so sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list ... sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list ... sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; It is DONE until all libraries are linked
Jump to the application’s entry /system/bin/linker high low Memory space executable liba1.so liba2.so libb1.so ... ● jump to executable’s _start.
The executable is loaded successfully ● And start to execute /system/bin/linker high low Memory space liba1.so liba2.so libb1.so ... .text section _start: …. …. executable
Bionic linker linking & loading flow ● Dynamic linking flow ● Dynamic loading flow
__linker_init_post_relocation Dynamic linking dlopen_ext do_dlopen find_library find_libraries find_library_internal load_library Dynamic loading ... load all libraries … relocate all symbols
Native hook mechanism Modified codes are mainly in two parts ● Load hooking libraries in find_libraries() ○ Init native_hook_table ○ Look up native_hook_table ○ Load hooking_library ● Replace hooked_symbol with hooking_symbol in soinfo_do_lookup() ○ Look up native_hook_table ○ Replace every hooked_symbol in hooked_library with hooking_symbol in hooking_library
Native hook file format in /system/nh_file.txt < hooked_lib_name:hooked_symbol:hooking_lib_name:hooking_symbol >
System flow hooking lib nh_file ROM /system/bin/linker __linker_init_post_relocation find_libraries init native_hook_table look up native hook table soinfo_do_lookup look up native hook table replace hooked symbol with hooking symbol New Process load hooking library
Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table
Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 0. load liba1.so
Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 1. look up the native hook table HOOKED LIB “liba1.so” FOUND
Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 2. load libhooking.so libhooking. so
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi hi ha linker 0. relocate symbol
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker NOT FOUND hi
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi 1. look up native hook table liba1.so:hi is to be hooked
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker hi 1. look up native hook table 2. find libhooking.so:ha
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker ha 3. relocate hooked_symbol “hi” with the hooking_symbol “ha”
// in libnativehook.so #include “native_hook.h” void* find_lib_symbol(char* lib_name, char* symbol) { // Using dl_iterate_phdr() to get the symbol’s address // in the loaded library whose name is lib_name. … return ptr_to_symbol; } Before/After hook SDK
How find_lib_symbol() works ? With the following facts, we can get the hooked_symbol in hooked_library with dl_iterate_phdr(callback, void* data) ● hooked_lib is loaded in the memory ● dl_iterate_phdr()iterates all loaded libraries in the process, and get each library’s program header and base address. ● With library’s program header, we can get .dynamic segment, and therefore we get .dynstr and .dynsym section ● With .dynsym and .dynstr, we can find the offset of hooked_symbol in hooked_lib. ● hooked_symbol_addr = base address + offset
// in libmine.so #include “native_hook.h” double my_sin(double x) { char hooked_lib[] = "/system/lib/libm.so"; char hooked_symbol[] = "sin"; double (*hooked_sin)(double) = find_lib_symbol(hooked_lib, hooked_symbol); /* before hook : you can do something before calling hooked_func */ double result = hooked_sin(x); /* after hook : you can do something after calling hooked_func */ result += 5566; return result; } After hook example
After hook example // in main.c #include <math.h> #include <stdio.h> #define PI 3.14159265 int main(void) { double angle = 30.0; double result = sin((angle * PI) / 180); printf(“sin(%lf) = %lfn”, angle, result); return 0; } libm.so:sin:libmine.so:my_sin ... Native Hook Table $ ./main sin(30.000000) = 5566.500000
double my_sin(double x) { char hooked_lib[] = "/system/lib/libm.so"; char hooked_symbol[] = "sin"; static void* cache_ptr = NULL; double (*hooked_sin)(double) = NULL; if (cache_ptr) { hooked_sin = cache_ptr; } else { hooked_sin = find_lib_symbol(hooked_lib, hooked_symbol); } if (hooked_sin) { cache_ptr = (void*)hooked_sin; } double result = hooked_sin(x); result += 5566; return result; } Before/After hook with cache
Experiment 1,000 100,000 1,000,000 10,000,000 Baseline 0.10 0.14 0.52 4.07 Normal hook 0.20 0.23 0.60 4.15 Before/After hook without cache 0.25 1.9 17.12 169.03 Before/After hook with cache 0.22 0.24 0.69 4.77 iterations
Experiment 169.03
Applications ● Profiling ● Boosting apps performance ● Security sandbox
Profiling Target function Before hook After hook ● Input Distribution Analysis ● Function call Analysis ● Output Analysis
● Hook functions that affect the performance of applications in Android ● Scenario ○ Functions in libm.so are not good enough for some special purpose, we can hook the function with the optimized one. Boosting apps performance
libm_opt.so optimized_sin: ... libbenchmark.so getScore: … call <sin> App libm.so sin: ... JNI
libm_opt.so optimized_sin: ... libbenchmark.so getScore: … call <sin> App libm.so sin: ... JNI Replace ‘sin’ with ‘optimized_sin’
Security sandbox ● Use “before hook” to hook the open()in libc ● Examine the filename and other parameters in advance ○ If the to-be-written file is a critical file, we let the app open another file to write without consciousness.
Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox
Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox /data/critical.txt should not be modified.
Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox f = open(“/data/another.txt”, ‘w’); In the sandbox, app is deceived to write to “/data/another.txt” instead of “/data/critical.txt”.
Security sandbox App Sandbox f = open(“/data/another.txt”, ‘w’); f = open(“/data/another.txt”, ‘w’); ... modifying another.txt ... ...
● Provide more easy-to-use API for Native Hook in Android ○ Native Hook SDK Future works
● Completely integrate Native Hook into Android Dynamic Framework ○ Provide hooking between Java method and native functions. Future works Integrated Hook Table liba.so:funca:libb.so:funcb # hook native to native classA:methoda:classB:methodb # hook java to java classA:methoda:libb.so:funcb # hook java to native libb.so:funcb:classA:methoda # hook native to java ...
Conclusion ● Native Hook mechanism is a strong and useful framework in Android allowing developers to replace native functions at runtime without modifying the existing functions. ● Native Hook is more powerful than Java method hook mechanisms because it is implemented in Bionic Linker. ● With Before/After hook mechanism, you can do whatever you want before/after any existing function. ● With Native Hook enabled, it suffers only little overhead to load nh_file and hooking libraries.
Q & A
Thank you for your listening
Backup slides
void* find_lib_symbol(char* lib_name, char* symbol) { // Using dl_iterate_phdr() to get the symbol’s address // in the loaded library whose name is lib_name. static void* unordered_map<std::string, void*> cache = nullptr; std::string lib_symbol = std::string(lib_name) + symbol; if (cache) { unordered_map<std::string, void*>::iterator it = cache.find(lib_symbol); if (it != cache.end()) { return it->second; } } … // find ptr_to_symbol if (ptr_to_symbol) { cache[lib_symbol] = ptr_to_symbol; } return ptr_to_symbol; } Before/After hook with cache in find_lib_symbol
Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi 1. look up native hook table liba1.so:hi is to be hooked 2. find libhooking.so:ha

Recommandé

基于 FRIDA 的全平台逆向分析
基于 FRIDA 的全平台逆向分析基于 FRIDA 的全平台逆向分析
基于 FRIDA 的全平台逆向分析CC
 
Spring boot anane maryem ben aziza syrine
Spring boot anane maryem ben aziza syrineSpring boot anane maryem ben aziza syrine
Spring boot anane maryem ben aziza syrineSyrine Ben aziza
 
Flutter talkshow
Flutter talkshowFlutter talkshow
Flutter talkshowNhan Cao
 
Multi Touch And Gesture Event Interface And Types
Multi Touch And Gesture Event Interface And TypesMulti Touch And Gesture Event Interface And Types
Multi Touch And Gesture Event Interface And TypesEthan Cha
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Go swagger tutorial how to create golang api documentation using go swagger (1)
Go swagger tutorial how to create golang api documentation using go swagger (1)Go swagger tutorial how to create golang api documentation using go swagger (1)
Go swagger tutorial how to create golang api documentation using go swagger (1)Katy Slemon
 
iOS Coding Best Practices
iOS Coding Best PracticesiOS Coding Best Practices
iOS Coding Best PracticesJean-Luc David
 
Cours Middleware orientés objets
Cours Middleware orientés objetsCours Middleware orientés objets
Cours Middleware orientés objetsVincent Englebert
 

Recommandé

基于 FRIDA 的全平台逆向分析
基于 FRIDA 的全平台逆向分析基于 FRIDA 的全平台逆向分析
基于 FRIDA 的全平台逆向分析CC
 
Spring boot anane maryem ben aziza syrine
Spring boot anane maryem ben aziza syrineSpring boot anane maryem ben aziza syrine
Spring boot anane maryem ben aziza syrineSyrine Ben aziza
 
Flutter talkshow
Flutter talkshowFlutter talkshow
Flutter talkshowNhan Cao
 
Multi Touch And Gesture Event Interface And Types
Multi Touch And Gesture Event Interface And TypesMulti Touch And Gesture Event Interface And Types
Multi Touch And Gesture Event Interface And TypesEthan Cha
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Go swagger tutorial how to create golang api documentation using go swagger (1)
Go swagger tutorial how to create golang api documentation using go swagger (1)Go swagger tutorial how to create golang api documentation using go swagger (1)
Go swagger tutorial how to create golang api documentation using go swagger (1)Katy Slemon
 
iOS Coding Best Practices
iOS Coding Best PracticesiOS Coding Best Practices
iOS Coding Best PracticesJean-Luc David
 
Cours Middleware orientés objets
Cours Middleware orientés objetsCours Middleware orientés objets
Cours Middleware orientés objetsVincent Englebert
 
Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)fefe7270
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
Flutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by StepFlutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by StepChandramouli Biyyala
 
Testing Android App Bundle with Appium
Testing Android App Bundle with AppiumTesting Android App Bundle with Appium
Testing Android App Bundle with AppiumMasayuki Wakizaka
 
Android architecture
Android architectureAndroid architecture
Android architecturepoojapainter
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...Lucas Jellema
 
What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?MohammadHussain595488
 
Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101Arif Amirani
 
Android Intent.pptx
Android Intent.pptxAndroid Intent.pptx
Android Intent.pptxvishal choudhary
 
Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)Felipe Silveira
 
Flutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for businessFlutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for businessBartosz Kosarzycki
 
Web automation using selenium.ppt
Web automation using selenium.pptWeb automation using selenium.ppt
Web automation using selenium.pptAna Sarbescu
 
Presentation Spring
Presentation SpringPresentation Spring
Presentation SpringNathaniel Richand
 
Provider vs BLoC vs Redux
Provider vs BLoC vs ReduxProvider vs BLoC vs Redux
Provider vs BLoC vs ReduxBartosz Kosarzycki
 
Activities, Fragments, and Events
Activities, Fragments, and EventsActivities, Fragments, and Events
Activities, Fragments, and EventsHenry Osborne
 
Introduction to flutter
Introduction to flutter Introduction to flutter
Introduction to flutter Wan Muzaffar Wan Hashim
 
La magia de Flutter
La magia de FlutterLa magia de Flutter
La magia de FlutterMauricio Angulo Sillas
 
Email authentication using firebase auth + flutter
Email authentication using firebase auth + flutterEmail authentication using firebase auth + flutter
Email authentication using firebase auth + flutterKaty Slemon
 
Project report(Smart Auction Access)
Project report(Smart Auction Access)Project report(Smart Auction Access)
Project report(Smart Auction Access)akki_hearts
 
Linker namespace upload
Linker namespace uploadLinker namespace upload
Linker namespace uploadBin Yang
 
社群新生代的小故事
社群新生代的小故事社群新生代的小故事
社群新生代的小故事Viktor Lin
 

Contenu connexe

Tendances

Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)fefe7270
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
Flutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by StepFlutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by StepChandramouli Biyyala
 
Testing Android App Bundle with Appium
Testing Android App Bundle with AppiumTesting Android App Bundle with Appium
Testing Android App Bundle with AppiumMasayuki Wakizaka
 
Android architecture
Android architectureAndroid architecture
Android architecturepoojapainter
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...Lucas Jellema
 
What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?MohammadHussain595488
 
Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101Arif Amirani
 
Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)Felipe Silveira
 
Flutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for businessFlutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for businessBartosz Kosarzycki
 
Web automation using selenium.ppt
Web automation using selenium.pptWeb automation using selenium.ppt
Web automation using selenium.pptAna Sarbescu
 
Activities, Fragments, and Events
Activities, Fragments, and EventsActivities, Fragments, and Events
Activities, Fragments, and EventsHenry Osborne
 
Email authentication using firebase auth + flutter
Email authentication using firebase auth + flutterEmail authentication using firebase auth + flutter
Email authentication using firebase auth + flutterKaty Slemon
 
Project report(Smart Auction Access)
Project report(Smart Auction Access)Project report(Smart Auction Access)
Project report(Smart Auction Access)akki_hearts
 

Tendances (20)

Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UI
 
Flutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by StepFlutter tutorial for Beginner Step by Step
Flutter tutorial for Beginner Step by Step
 
Testing Android App Bundle with Appium
Testing Android App Bundle with AppiumTesting Android App Bundle with Appium
Testing Android App Bundle with Appium
 
Android architecture
Android architectureAndroid architecture
Android architecture
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
 
Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...Browser Automation with Playwright – for integration, RPA, UI testing and mor...
Browser Automation with Playwright – for integration, RPA, UI testing and mor...
 
What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?What and Why Flutter? What is a Widget in Flutter?
What and Why Flutter? What is a Widget in Flutter?
 
Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101Pune Flutter Presents - Flutter 101
Pune Flutter Presents - Flutter 101
 
Android Intent.pptx
Android Intent.pptxAndroid Intent.pptx
Android Intent.pptx
 
Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)Android Core Aula 5 - RIL (Radio Interface Layer)
Android Core Aula 5 - RIL (Radio Interface Layer)
 
Flutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for businessFlutter overview - advantages & disadvantages for business
Flutter overview - advantages & disadvantages for business
 
Web automation using selenium.ppt
Web automation using selenium.pptWeb automation using selenium.ppt
Web automation using selenium.ppt
 
Presentation Spring
Presentation SpringPresentation Spring
Presentation Spring
 
Provider vs BLoC vs Redux
Provider vs BLoC vs ReduxProvider vs BLoC vs Redux
Provider vs BLoC vs Redux
 
Activities, Fragments, and Events
Activities, Fragments, and EventsActivities, Fragments, and Events
Activities, Fragments, and Events
 
Introduction to flutter
Introduction to flutter Introduction to flutter
Introduction to flutter
 
La magia de Flutter
La magia de FlutterLa magia de Flutter
La magia de Flutter
 
Email authentication using firebase auth + flutter
Email authentication using firebase auth + flutterEmail authentication using firebase auth + flutter
Email authentication using firebase auth + flutter
 
Project report(Smart Auction Access)
Project report(Smart Auction Access)Project report(Smart Auction Access)
Project report(Smart Auction Access)
 

En vedette

Linker namespace upload
Linker namespace uploadLinker namespace upload
Linker namespace uploadBin Yang
 
社群新生代的小故事
社群新生代的小故事社群新生代的小故事
社群新生代的小故事Viktor Lin
 
141 deview 2013 발표자료(박준형) v1.1(track4-session1)
141 deview 2013 발표자료(박준형) v1.1(track4-session1)141 deview 2013 발표자료(박준형) v1.1(track4-session1)
141 deview 2013 발표자료(박준형) v1.1(track4-session1)NAVER D2
 
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)GangSeok Lee
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMRafael Winterhalter
 
無瑕的程式碼 Clean Code 心得分享
無瑕的程式碼 Clean Code 心得分享無瑕的程式碼 Clean Code 心得分享
無瑕的程式碼 Clean Code 心得分享Win Yu
 

En vedette (8)

Linker namespace upload
Linker namespace uploadLinker namespace upload
Linker namespace upload
 
社群新生代的小故事
社群新生代的小故事社群新生代的小故事
社群新生代的小故事
 
141 deview 2013 발표자료(박준형) v1.1(track4-session1)
141 deview 2013 발표자료(박준형) v1.1(track4-session1)141 deview 2013 발표자료(박준형) v1.1(track4-session1)
141 deview 2013 발표자료(박준형) v1.1(track4-session1)
 
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVM
 
Seminar 12-11-19
Seminar 12-11-19Seminar 12-11-19
Seminar 12-11-19
 
Fairaccess
FairaccessFairaccess
Fairaccess
 
無瑕的程式碼 Clean Code 心得分享
無瑕的程式碼 Clean Code 心得分享無瑕的程式碼 Clean Code 心得分享
無瑕的程式碼 Clean Code 心得分享
 

Similaire à Native hook mechanism in Android Bionic linker

Exciting JavaScript - Part I
Exciting JavaScript - Part IExciting JavaScript - Part I
Exciting JavaScript - Part IEugene Lazutkin
 
Beginner's guide to linkers
Beginner's guide to linkersBeginner's guide to linkers
Beginner's guide to linkersPinkus Chang
 
Whirlwind tour of the Runtime Dynamic Linker
Whirlwind tour of the Runtime Dynamic LinkerWhirlwind tour of the Runtime Dynamic Linker
Whirlwind tour of the Runtime Dynamic LinkerGonçalo Gomes
 
嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain艾鍗科技
 
Strategies to improve embedded Linux application performance beyond ordinary ...
Strategies to improve embedded Linux application performance beyond ordinary ...Strategies to improve embedded Linux application performance beyond ordinary ...
Strategies to improve embedded Linux application performance beyond ordinary ...André Oriani
 
The Ring programming language version 1.5.2 book - Part 176 of 181
The Ring programming language version 1.5.2 book - Part 176 of 181The Ring programming language version 1.5.2 book - Part 176 of 181
The Ring programming language version 1.5.2 book - Part 176 of 181Mahmoud Samir Fayed
 
The Ring programming language version 1.5.4 book - Part 180 of 185
The Ring programming language version 1.5.4 book - Part 180 of 185The Ring programming language version 1.5.4 book - Part 180 of 185
The Ring programming language version 1.5.4 book - Part 180 of 185Mahmoud Samir Fayed
 
DLL Design with Building Blocks
DLL Design with Building BlocksDLL Design with Building Blocks
DLL Design with Building BlocksMax Kleiner
 
Exciting JavaScript - Part II
Exciting JavaScript - Part IIExciting JavaScript - Part II
Exciting JavaScript - Part IIEugene Lazutkin
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsFelipe Prado
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 
Advanced c programming in Linux
Advanced c programming in Linux Advanced c programming in Linux
Advanced c programming in Linux Mohammad Golyani
 
From Android NDK To AOSP
From Android NDK To AOSPFrom Android NDK To AOSP
From Android NDK To AOSPMin-Yih Hsu
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Python and Zope: An introduction (May 2004)
Python and Zope: An introduction (May 2004)Python and Zope: An introduction (May 2004)
Python and Zope: An introduction (May 2004)Kiran Jonnalagadda
 
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...Yandex
 
C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1ReKruiTIn.com
 

Similaire à Native hook mechanism in Android Bionic linker (20)

Exciting JavaScript - Part I
Exciting JavaScript - Part IExciting JavaScript - Part I
Exciting JavaScript - Part I
 
Beginner's guide to linkers
Beginner's guide to linkersBeginner's guide to linkers
Beginner's guide to linkers
 
Whirlwind tour of the Runtime Dynamic Linker
Whirlwind tour of the Runtime Dynamic LinkerWhirlwind tour of the Runtime Dynamic Linker
Whirlwind tour of the Runtime Dynamic Linker
 
嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain
 
Strategies to improve embedded Linux application performance beyond ordinary ...
Strategies to improve embedded Linux application performance beyond ordinary ...Strategies to improve embedded Linux application performance beyond ordinary ...
Strategies to improve embedded Linux application performance beyond ordinary ...
 
Ruby Under The Hood
Ruby Under The HoodRuby Under The Hood
Ruby Under The Hood
 
The Ring programming language version 1.5.2 book - Part 176 of 181
The Ring programming language version 1.5.2 book - Part 176 of 181The Ring programming language version 1.5.2 book - Part 176 of 181
The Ring programming language version 1.5.2 book - Part 176 of 181
 
The Ring programming language version 1.5.4 book - Part 180 of 185
The Ring programming language version 1.5.4 book - Part 180 of 185The Ring programming language version 1.5.4 book - Part 180 of 185
The Ring programming language version 1.5.4 book - Part 180 of 185
 
DLL Design with Building Blocks
DLL Design with Building BlocksDLL Design with Building Blocks
DLL Design with Building Blocks
 
Exciting JavaScript - Part II
Exciting JavaScript - Part IIExciting JavaScript - Part II
Exciting JavaScript - Part II
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 
Advanced c programming in Linux
Advanced c programming in Linux Advanced c programming in Linux
Advanced c programming in Linux
 
From Android NDK To AOSP
From Android NDK To AOSPFrom Android NDK To AOSP
From Android NDK To AOSP
 
Libraries
LibrariesLibraries
Libraries
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Python and Zope: An introduction (May 2004)
Python and Zope: An introduction (May 2004)Python and Zope: An introduction (May 2004)
Python and Zope: An introduction (May 2004)
 
CLIPS Basic Student Guide
CLIPS Basic Student GuideCLIPS Basic Student Guide
CLIPS Basic Student Guide
 
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...
Разработка кросс-платформенного кода между iPhone &lt; -> Windows с помощью o...
 
C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1
 

Dernier

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 

Dernier (20)

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 

Native hook mechanism in Android Bionic linker

  • 1. Android Dynamic Framework : Native Hook Mechanism in Bionic Linker Mai-Hsuan Chia Shih-Wei Liao Department of Computer Science and Information Engineering National Taiwan University
  • 2. Outline ● Background ● Motivation ● Native Hook Mechanism ● Experiment ● Applications ● Future works ● Conclusion
  • 3. Background ● JNI ● Android Dynamic Framework ● Bionic
  • 4. JNI ● Enable Java code can call or can be called by native applications
  • 6. Java calls native class HelloWorld { private native void print(); // print() is native function public static void main(String[] args) { new HelloWorld().print(); } static { System.loadLibrary("hello"); // This loads libhello.so } }
  • 7. ● A framework which is able to dynamically replace Java methods in ART Runtime without modifying APKs. Android Dynamic Framework
  • 8. Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2
  • 9. Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 0. Do linking
  • 10. Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 1. Query HookTable
  • 11. Android Dynamic Framework Class A Class B HookTable ... class linker Method A1 Method A2 Method B1 Method B2 Replace ClassA::A1 with ClassB::B1 1. Query HookTable
  • 12. Android Dynamic Framework Class A Class B HookTable ... class linker Method A2 Method B1 Method B2 Method B1 2. Do method hooking
  • 13. ● C library in Android ● Forked from BSDs rather than from GNU/Linux ○ To avoid license problems ● Smaller ● Faster Bionic
  • 14. ● Components ○ libc ○ libm ○ libdl (written from scratch) ○ dynamic linker ■ /system/bin/linker (written from scratch) Bionic
  • 15. Motivation ● Only Java methods can be replaced in Android Dynamic Framework
  • 16. Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func C1 Func C2 native call hooking path
  • 17. Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func C1 Func C2 native call hooking path
  • 18. Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook
  • 19. Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func D2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook (2) dlopen native hook
  • 20. Class A Method A2 Method B1 Class B Method B1 Method B2 JNI libd.so Func D1 Func E2 libe.so Func E1 Func E2 (1) method hook Method A3 libc.so Func D1 Func C2 native call hooking path (2) dlopen native hook (1) method hook (2) dlopen native hook (3) native to native hook
  • 21. Motivation ● (1) method hook can be done in the existing Android Dynamic Framework ● However, (2) dlopen native hook and (3) native to native hook cannot not be done.
  • 22. Motivation ● Native hook mechanism can do both (2) dlopen native hook and (3) native to native hook
  • 23. Motivation With Native hook mechanism integrated, Android Dynamic Framework can be more complete and powerful
  • 24. Native hook mechanism ● Implemented in Bionic Linker
  • 25. Review ● How Bionic Linker loads an executable ● Dynamic linking flow ● Dynamic loading flow
  • 26. How Bionic Linker loads an executable
  • 27. OS creates a process image ● Based on the interpreter’s segments. high low Memory space /system/bin/linker linker
  • 28. Linker links itself ● __linker_init() high low Memory space /system/bin/linker
  • 29. Load the executable ● __linker_init_post_relocation() /system/bin/linker high low Memory space exe executable
  • 30. Get needed libraries names ● __linker_init_post_relocation() /system/bin/linker high low Memory space executable exe .dynamic DT_NEEDED ptr_to_liba1.so_name DT_NEEDED ptr_to_liba2.so_name … DT_NULL
  • 31. Get needed libraries names ● __linker_init_post_relocation() /system/bin/linker high low Memory space executable exe DT_NEEDED ptr_to_liba1.so_name DT_NEEDED ptr_to_liba2.so_name … DT_NULL .dynamic char needed_libraries_names[] = { “liba1.so”, “liba2.so” }
  • 32. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree
  • 33. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so Loaded Not Loaded p.s.
  • 34. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so Loaded Not Loaded p.s.
  • 35. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb1.so libb2.so libb3.so libb4.so ... ... Loaded Not Loaded p.s.
  • 36. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb2.so libb3.so libb4.so ... ... Loaded Not Loaded p.s. libb1.so
  • 37. Load needed libraries ● find_libaries(exe, needed_libraries_names) ○ step 1 : load libraries and build dependencies tree exe liba1.so liba2.so libb2.so libb3.so libb4.so ... ... ... ... ... ... ... Loaded Not Loaded p.s. libb1.so
  • 38. Load needed libraries liba1.soexe liba2.so libb1.so libb2.so ... ● find_libaries(exe, needed_libraries_names) ○ step 2 : turn dependencies tree into libraries_list in Breadth First Search(BFS) order libraries_list dependencies tree
  • 39. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries foreach lib in libraries_list { foreach rel in lib.dynamic_relocation_table { symbol = rel.sym; soinfo_do_lookup(symbol, lib, libraries_list); } }
  • 40. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
  • 41. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; NOT FOUND
  • 42. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; NOT FOUND
  • 43. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; FOUND ok
  • 44. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... if sym_k is defined in lib: sym_k = lib.find(sym) else: lib = lib->next; ok
  • 45. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list exe sym_1 sym_n ... ok ok
  • 46. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list liba1.so sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
  • 47. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list ... sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next;
  • 48. Link the application and all libraries ● find_libaries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries liba1.soexe liba2.so libb1.so libb2.so ... libraries_list ... sym_1 sym_n ... if sym_1 is defined in lib: sym_1 = lib.find(sym) else: lib = lib->next; It is DONE until all libraries are linked
  • 49. Jump to the application’s entry /system/bin/linker high low Memory space executable liba1.so liba2.so libb1.so ... ● jump to executable’s _start.
  • 50. The executable is loaded successfully ● And start to execute /system/bin/linker high low Memory space liba1.so liba2.so libb1.so ... .text section _start: …. …. executable
  • 51. Bionic linker linking & loading flow ● Dynamic linking flow ● Dynamic loading flow
  • 53. Native hook mechanism Modified codes are mainly in two parts ● Load hooking libraries in find_libraries() ○ Init native_hook_table ○ Look up native_hook_table ○ Load hooking_library ● Replace hooked_symbol with hooking_symbol in soinfo_do_lookup() ○ Look up native_hook_table ○ Replace every hooked_symbol in hooked_library with hooking_symbol in hooking_library
  • 54. Native hook file format in /system/nh_file.txt < hooked_lib_name:hooked_symbol:hooking_lib_name:hooking_symbol >
  • 55. System flow hooking lib nh_file ROM /system/bin/linker __linker_init_post_relocation find_libraries init native_hook_table look up native hook table soinfo_do_lookup look up native hook table replace hooked symbol with hooking symbol New Process load hooking library
  • 56. Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table
  • 57. Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 0. load liba1.so
  • 58. Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 1. look up the native hook table HOOKED LIB “liba1.so” FOUND
  • 59. Load hooking libraries linkerexe liba1.so liba2.so Loaded Not Loaded p.s. liba1.so:hi:libhooking.so:ha ... Native Hook Table 2. load libhooking.so libhooking. so
  • 60. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi hi ha linker 0. relocate symbol
  • 61. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker NOT FOUND hi
  • 62. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi
  • 63. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi 1. look up native hook table liba1.so:hi is to be hooked
  • 64. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker hi 1. look up native hook table 2. find libhooking.so:ha
  • 65. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker ha 3. relocate hooked_symbol “hi” with the hooking_symbol “ha”
  • 66. // in libnativehook.so #include “native_hook.h” void* find_lib_symbol(char* lib_name, char* symbol) { // Using dl_iterate_phdr() to get the symbol’s address // in the loaded library whose name is lib_name. … return ptr_to_symbol; } Before/After hook SDK
  • 67. How find_lib_symbol() works ? With the following facts, we can get the hooked_symbol in hooked_library with dl_iterate_phdr(callback, void* data) ● hooked_lib is loaded in the memory ● dl_iterate_phdr()iterates all loaded libraries in the process, and get each library’s program header and base address. ● With library’s program header, we can get .dynamic segment, and therefore we get .dynstr and .dynsym section ● With .dynsym and .dynstr, we can find the offset of hooked_symbol in hooked_lib. ● hooked_symbol_addr = base address + offset
  • 68. // in libmine.so #include “native_hook.h” double my_sin(double x) { char hooked_lib[] = "/system/lib/libm.so"; char hooked_symbol[] = "sin"; double (*hooked_sin)(double) = find_lib_symbol(hooked_lib, hooked_symbol); /* before hook : you can do something before calling hooked_func */ double result = hooked_sin(x); /* after hook : you can do something after calling hooked_func */ result += 5566; return result; } After hook example
  • 69. After hook example // in main.c #include <math.h> #include <stdio.h> #define PI 3.14159265 int main(void) { double angle = 30.0; double result = sin((angle * PI) / 180); printf(“sin(%lf) = %lfn”, angle, result); return 0; } libm.so:sin:libmine.so:my_sin ... Native Hook Table $ ./main sin(30.000000) = 5566.500000
  • 70. double my_sin(double x) { char hooked_lib[] = "/system/lib/libm.so"; char hooked_symbol[] = "sin"; static void* cache_ptr = NULL; double (*hooked_sin)(double) = NULL; if (cache_ptr) { hooked_sin = cache_ptr; } else { hooked_sin = find_lib_symbol(hooked_lib, hooked_symbol); } if (hooked_sin) { cache_ptr = (void*)hooked_sin; } double result = hooked_sin(x); result += 5566; return result; } Before/After hook with cache
  • 71. Experiment 1,000 100,000 1,000,000 10,000,000 Baseline 0.10 0.14 0.52 4.07 Normal hook 0.20 0.23 0.60 4.15 Before/After hook without cache 0.25 1.9 17.12 169.03 Before/After hook with cache 0.22 0.24 0.69 4.77 iterations
  • 73. Applications ● Profiling ● Boosting apps performance ● Security sandbox
  • 74. Profiling Target function Before hook After hook ● Input Distribution Analysis ● Function call Analysis ● Output Analysis
  • 75. ● Hook functions that affect the performance of applications in Android ● Scenario ○ Functions in libm.so are not good enough for some special purpose, we can hook the function with the optimized one. Boosting apps performance
  • 78. Security sandbox ● Use “before hook” to hook the open()in libc ● Examine the filename and other parameters in advance ○ If the to-be-written file is a critical file, we let the app open another file to write without consciousness.
  • 79. Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox
  • 80. Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox /data/critical.txt should not be modified.
  • 81. Security sandbox f = open(“/data/critical.txt”, ‘w’); ... modifying critical.txt ... ... App Sandbox f = open(“/data/another.txt”, ‘w’); In the sandbox, app is deceived to write to “/data/another.txt” instead of “/data/critical.txt”.
  • 82. Security sandbox App Sandbox f = open(“/data/another.txt”, ‘w’); f = open(“/data/another.txt”, ‘w’); ... modifying another.txt ... ...
  • 83. ● Provide more easy-to-use API for Native Hook in Android ○ Native Hook SDK Future works
  • 84. ● Completely integrate Native Hook into Android Dynamic Framework ○ Provide hooking between Java method and native functions. Future works Integrated Hook Table liba.so:funca:libb.so:funcb # hook native to native classA:methoda:classB:methodb # hook java to java classA:methoda:libb.so:funcb # hook java to native libb.so:funcb:classA:methoda # hook native to java ...
  • 85. Conclusion ● Native Hook mechanism is a strong and useful framework in Android allowing developers to replace native functions at runtime without modifying the existing functions. ● Native Hook is more powerful than Java method hook mechanisms because it is implemented in Bionic Linker. ● With Before/After hook mechanism, you can do whatever you want before/after any existing function. ● With Native Hook enabled, it suffers only little overhead to load nh_file and hooking libraries.
  • 86. Q & A
  • 87. Thank you for your listening
  • 89. void* find_lib_symbol(char* lib_name, char* symbol) { // Using dl_iterate_phdr() to get the symbol’s address // in the loaded library whose name is lib_name. static void* unordered_map<std::string, void*> cache = nullptr; std::string lib_symbol = std::string(lib_name) + symbol; if (cache) { unordered_map<std::string, void*>::iterator it = cache.find(lib_symbol); if (it != cache.end()) { return it->second; } } … // find ptr_to_symbol if (ptr_to_symbol) { cache[lib_symbol] = ptr_to_symbol; } return ptr_to_symbol; } Before/After hook with cache in find_lib_symbol
  • 90. Replace hooked_symbol with hooking_symbol liba1.soexe liba2.so libhooking.s o libraries_list liba1.so:hi:libhooking.so:ha ... Native Hook Table exe hi ha linker FOUND hi 1. look up native hook table liba1.so:hi is to be hooked 2. find libhooking.so:ha