Android逆向-Native调试init，init_array，JNI_OnLoad段

2023-06-08

字数统计: 6.2k字 | 阅读时长≈ 34分

研究一下如何调试Android so中的init，init_array，JNI_OnLoad段。

Android逆向-Native调试init，init_array，JNI_OnLoad段

阅读Android源码

可以自己下载下来，也可以在线看

这里推荐这个网址：

AOSPXRef

我挑了个android11.0.0_r21的来看。

官方还有： Android Code Search

loadLibrary执行原理（Android11）

首先阅读 android loadLibrary源码分析 - 简书 (jianshu.com) ，了解loadLibrary的调用机制。不过这篇博客是Android4的，版本有点太低了。

所以我选择再自己去读一下Android11的源码。

loadLibrary

首先是System.java：

System.java - OpenGrok cross reference for /libcore/ojluni/src/main/java/java/lang/System.java (aospxref.com)

@CallerSensitive
public static void loadLibrary(String libname) {
	Runtime.getRuntime().loadLibrary0(Reflection.getCallerClass(), libname);
}

loadLibrary0

然后是Runtime.java：

// This overload exists for @UnsupportedAppUsage
void loadLibrary0(ClassLoader loader, String libname) {
    // Pass null for callerClass, we don't know it at this point. Passing null preserved
    // the behavior when we used to not pass the class.
    loadLibrary0(loader, null, libname);
}

private synchronized void loadLibrary0(ClassLoader loader, Class<?> callerClass, String libname) {
    if (libname.indexOf((int)File.separatorChar) != -1) {
        throw new UnsatisfiedLinkError(
            "Directory separator should not appear in library name: " + libname);
    }
    String libraryName = libname;
    // Android-note: BootClassLoader doesn't implement findLibrary(). http://b/111850480
    // Android's class.getClassLoader() can return BootClassLoader where the RI would
    // have returned null; therefore we treat BootClassLoader the same as null here.
    if (loader != null && !(loader instanceof BootClassLoader)) {
        String filename = loader.findLibrary(libraryName);
        if (filename == null &&
                (loader.getClass() == PathClassLoader.class ||
                 loader.getClass() == DelegateLastClassLoader.class)) {
            // Don't give up even if we failed to find the library in the native lib paths.
            // The underlying dynamic linker might be able to find the lib in one of the linker
            // namespaces associated with the current linker namespace. In order to give the
            // dynamic linker a chance, proceed to load the library with its soname, which
            // is the fileName.
            // Note that we do this only for PathClassLoader  and DelegateLastClassLoader to
            // minimize the scope of this behavioral change as much as possible, which might
            // cause problem like b/143649498. These two class loaders are the only
            // platform-provided class loaders that can load apps. See the classLoader attribute
            // of the application tag in app manifest.
            filename = System.mapLibraryName(libraryName);
        }
        if (filename == null) {
            // It's not necessarily true that the ClassLoader used
            // System.mapLibraryName, but the default setup does, and it's
            // misleading to say we didn't find "libMyLibrary.so" when we
            // actually searched for "liblibMyLibrary.so.so".
            throw new UnsatisfiedLinkError(loader + " couldn't find \"" +
                                           System.mapLibraryName(libraryName) + "\"");
        }
        String error = nativeLoad(filename, loader);
        if (error != null) {
            throw new UnsatisfiedLinkError(error);
        }
        return;
    }

    // We know some apps use mLibPaths directly, potentially assuming it's not null.
    // Initialize it here to make sure apps see a non-null value.
    getLibPaths();
    String filename = System.mapLibraryName(libraryName);
    String error = nativeLoad(filename, loader, callerClass);
    if (error != null) {
        throw new UnsatisfiedLinkError(error);
    }
}

nativeLoad

反正后面调nativeLoad：

1
2
3

private static String nativeLoad(String filename, ClassLoader loader) {
	return nativeLoad(filename, loader, null);
}

下面的代码都是C实现：

PS：吐槽一下，这里我为了找到nativeLoad的C实现找了好久。

Runtime_nativeLoad

Runtime.c - Android Code Search

定位libcore/ojluni/src/main/native/Runtime.c

JNIEXPORT jstring JNICALL
Runtime_nativeLoad(JNIEnv* env, jclass ignored, jstring javaFilename,
                   jobject javaLoader, jclass caller)
{
    return JVM_NativeLoad(env, javaFilename, javaLoader, caller);
}

static JNINativeMethod gMethods[] = {
  FAST_NATIVE_METHOD(Runtime, freeMemory, "()J"),
  FAST_NATIVE_METHOD(Runtime, totalMemory, "()J"),
  FAST_NATIVE_METHOD(Runtime, maxMemory, "()J"),
  NATIVE_METHOD(Runtime, nativeGc, "()V"),
  NATIVE_METHOD(Runtime, nativeExit, "(I)V"),
  NATIVE_METHOD(Runtime, nativeLoad,
                "(Ljava/lang/String;Ljava/lang/ClassLoader;Ljava/lang/Class;)"
                    "Ljava/lang/String;"),
};

JVM_NativeLoad

然后在art/openjdkvm/OpenjdkJvm.cc里面找到：


JNIEXPORT jstring JVM_NativeLoad(JNIEnv* env,
                                 jstring javaFilename,
                                 jobject javaLoader,
                                 jclass caller) {
  ScopedUtfChars filename(env, javaFilename);
  if (filename.c_str() == nullptr) {
    return nullptr;
  }

  std::string error_msg;
  {
    art::JavaVMExt* vm = art::Runtime::Current()->GetJavaVM();
    bool success = vm->LoadNativeLibrary(env,
                                         filename.c_str(),
                                         javaLoader,
                                         caller,
                                         &error_msg);
    if (success) {
      return nullptr;
    }
  }

  // Don't let a pending exception from JNI_OnLoad cause a CheckJNI issue with NewStringUTF.
  env->ExceptionClear();
  return env->NewStringUTF(error_msg.c_str());
}

重点应该在vm->LoadNativeLibrary()上面。

LoadNativeLibrary⭐

art/runtime/jni/java_vm_ext.cc：

bool JavaVMExt::LoadNativeLibrary(JNIEnv* env,
                                  const std::string& path,
                                  jobject class_loader,
                                  jclass caller_class,
                                  std::string* error_msg) {
  error_msg->clear();

  // See if we've already loaded this library.  If we have, and the class loader
  // matches, return successfully without doing anything.
  // TODO: for better results we should canonicalize the pathname (or even compare
  // inodes). This implementation is fine if everybody is using System.loadLibrary.
  SharedLibrary* library;
  Thread* self = Thread::Current();
  {
    // TODO: move the locking (and more of this logic) into Libraries.
    MutexLock mu(self, *Locks::jni_libraries_lock_);
    library = libraries_->Get(path);
  }
  void* class_loader_allocator = nullptr;
  std::string caller_location;
  {
    ScopedObjectAccess soa(env);
    // As the incoming class loader is reachable/alive during the call of this function,
    // it's okay to decode it without worrying about unexpectedly marking it alive.
    ObjPtr<mirror::ClassLoader> loader = soa.Decode<mirror::ClassLoader>(class_loader);

    ClassLinker* class_linker = Runtime::Current()->GetClassLinker();
    if (class_linker->IsBootClassLoader(loader)) {
      loader = nullptr;
      class_loader = nullptr;
      if (caller_class != nullptr) {
        ObjPtr<mirror::Class> caller = soa.Decode<mirror::Class>(caller_class);
        ObjPtr<mirror::DexCache> dex_cache = caller->GetDexCache();
        if (dex_cache != nullptr) {
          caller_location = dex_cache->GetLocation()->ToModifiedUtf8();
        }
      }
    }

    class_loader_allocator = class_linker->GetAllocatorForClassLoader(loader);
    CHECK(class_loader_allocator != nullptr);
  }
  if (library != nullptr) {
    // Use the allocator pointers for class loader equality to avoid unnecessary weak root decode.
    if (library->GetClassLoaderAllocator() != class_loader_allocator) {
      // The library will be associated with class_loader. The JNI
      // spec says we can't load the same library into more than one
      // class loader.
      //
      // This isn't very common. So spend some time to get a readable message.
      auto call_to_string = [&](jobject obj) -> std::string {
        if (obj == nullptr) {
          return "null";
        }
        // Handle jweaks. Ignore double local-ref.
        ScopedLocalRef<jobject> local_ref(env, env->NewLocalRef(obj));
        if (local_ref != nullptr) {
          ScopedLocalRef<jclass> local_class(env, env->GetObjectClass(local_ref.get()));
          jmethodID to_string = env->GetMethodID(local_class.get(),
                                                 "toString",
                                                 "()Ljava/lang/String;");
          DCHECK(to_string != nullptr);
          ScopedLocalRef<jobject> local_string(env,
                                               env->CallObjectMethod(local_ref.get(), to_string));
          if (local_string != nullptr) {
            ScopedUtfChars utf(env, reinterpret_cast<jstring>(local_string.get()));
            if (utf.c_str() != nullptr) {
              return utf.c_str();
            }
          }
          if (env->ExceptionCheck()) {
            // We can't do much better logging, really. So leave it with a Describe.
            env->ExceptionDescribe();
            env->ExceptionClear();
          }
          return "(Error calling toString)";
        }
        return "null";
      };
      std::string old_class_loader = call_to_string(library->GetClassLoader());
      std::string new_class_loader = call_to_string(class_loader);
      StringAppendF(error_msg, "Shared library \"%s\" already opened by "
          "ClassLoader %p(%s); can't open in ClassLoader %p(%s)",
          path.c_str(),
          library->GetClassLoader(),
          old_class_loader.c_str(),
          class_loader,
          new_class_loader.c_str());
      LOG(WARNING) << *error_msg;
      return false;
    }
    VLOG(jni) << "[Shared library \"" << path << "\" already loaded in "
              << " ClassLoader " << class_loader << "]";
    if (!library->CheckOnLoadResult()) {
      StringAppendF(error_msg, "JNI_OnLoad failed on a previous attempt "
          "to load \"%s\"", path.c_str());
      return false;
    }
    return true;
  }

  // Open the shared library.  Because we're using a full path, the system
  // doesn't have to search through LD_LIBRARY_PATH.  (It may do so to
  // resolve this library's dependencies though.)

  // Failures here are expected when java.library.path has several entries
  // and we have to hunt for the lib.

  // Below we dlopen but there is no paired dlclose, this would be necessary if we supported
  // class unloading. Libraries will only be unloaded when the reference count (incremented by
  // dlopen) becomes zero from dlclose.

  // Retrieve the library path from the classloader, if necessary.
  ScopedLocalRef<jstring> library_path(env, GetLibrarySearchPath(env, class_loader));

  Locks::mutator_lock_->AssertNotHeld(self);
  const char* path_str = path.empty() ? nullptr : path.c_str();
  bool needs_native_bridge = false;
  char* nativeloader_error_msg = nullptr;
  void* handle = android::OpenNativeLibrary(
      env,
      runtime_->GetTargetSdkVersion(),
      path_str,
      class_loader,
      (caller_location.empty() ? nullptr : caller_location.c_str()),
      library_path.get(),
      &needs_native_bridge,
      &nativeloader_error_msg);
  VLOG(jni) << "[Call to dlopen(\"" << path << "\", RTLD_NOW) returned " << handle << "]";

  if (handle == nullptr) {
    *error_msg = nativeloader_error_msg;
    android::NativeLoaderFreeErrorMessage(nativeloader_error_msg);
    VLOG(jni) << "dlopen(\"" << path << "\", RTLD_NOW) failed: " << *error_msg;
    return false;
  }

  if (env->ExceptionCheck() == JNI_TRUE) {
    LOG(ERROR) << "Unexpected exception:";
    env->ExceptionDescribe();
    env->ExceptionClear();
  }
  // Create a new entry.
  // TODO: move the locking (and more of this logic) into Libraries.
  bool created_library = false;
  {
    // Create SharedLibrary ahead of taking the libraries lock to maintain lock ordering.
    std::unique_ptr<SharedLibrary> new_library(
        new SharedLibrary(env,
                          self,
                          path,
                          handle,
                          needs_native_bridge,
                          class_loader,
                          class_loader_allocator));

    MutexLock mu(self, *Locks::jni_libraries_lock_);
    library = libraries_->Get(path);
    if (library == nullptr) {  // We won race to get libraries_lock.
      library = new_library.release();
      libraries_->Put(path, library);
      created_library = true;
    }
  }
  if (!created_library) {
    LOG(INFO) << "WOW: we lost a race to add shared library: "
        << "\"" << path << "\" ClassLoader=" << class_loader;
    return library->CheckOnLoadResult();
  }
  VLOG(jni) << "[Added shared library \"" << path << "\" for ClassLoader " << class_loader << "]";

  bool was_successful = false;
  void* sym = library->FindSymbol("JNI_OnLoad", nullptr);
  if (sym == nullptr) {
    VLOG(jni) << "[No JNI_OnLoad found in \"" << path << "\"]";
    was_successful = true;
  } else {
    // Call JNI_OnLoad.  We have to override the current class
    // loader, which will always be "null" since the stuff at the
    // top of the stack is around Runtime.loadLibrary().  (See
    // the comments in the JNI FindClass function.)
    ScopedLocalRef<jobject> old_class_loader(env, env->NewLocalRef(self->GetClassLoaderOverride()));
    self->SetClassLoaderOverride(class_loader);

    VLOG(jni) << "[Calling JNI_OnLoad in \"" << path << "\"]";
    using JNI_OnLoadFn = int(*)(JavaVM*, void*);
    JNI_OnLoadFn jni_on_load = reinterpret_cast<JNI_OnLoadFn>(sym);
    int version = (*jni_on_load)(this, nullptr);

    if (IsSdkVersionSetAndAtMost(runtime_->GetTargetSdkVersion(), SdkVersion::kL)) {
      // Make sure that sigchain owns SIGSEGV.
      EnsureFrontOfChain(SIGSEGV);
    }

    self->SetClassLoaderOverride(old_class_loader.get());

    if (version == JNI_ERR) {
      StringAppendF(error_msg, "JNI_ERR returned from JNI_OnLoad in \"%s\"", path.c_str());
    } else if (JavaVMExt::IsBadJniVersion(version)) {
      StringAppendF(error_msg, "Bad JNI version returned from JNI_OnLoad in \"%s\": %d",
                    path.c_str(), version);
      // It's unwise to call dlclose() here, but we can mark it
      // as bad and ensure that future load attempts will fail.
      // We don't know how far JNI_OnLoad got, so there could
      // be some partially-initialized stuff accessible through
      // newly-registered native method calls.  We could try to
      // unregister them, but that doesn't seem worthwhile.
    } else {
      was_successful = true;
    }
    VLOG(jni) << "[Returned " << (was_successful ? "successfully" : "failure")
              << " from JNI_OnLoad in \"" << path << "\"]";
  }

  library->SetResult(was_successful);
  return was_successful;
}

感觉与4相比，区别大了不少啊。

调用JNI_OnLoad

LoadNativeLibrary后面有这么一段：

bool was_successful = false;
  void* sym = library->FindSymbol("JNI_OnLoad", nullptr);
  if (sym == nullptr) {
    VLOG(jni) << "[No JNI_OnLoad found in \"" << path << "\"]";
    was_successful = true;
  } else {
    // Call JNI_OnLoad.  We have to override the current class
    // loader, which will always be "null" since the stuff at the
    // top of the stack is around Runtime.loadLibrary().  (See
    // the comments in the JNI FindClass function.)
    ScopedLocalRef<jobject> old_class_loader(env, env->NewLocalRef(self->GetClassLoaderOverride()));
    self->SetClassLoaderOverride(class_loader);

    VLOG(jni) << "[Calling JNI_OnLoad in \"" << path << "\"]";
    using JNI_OnLoadFn = int(*)(JavaVM*, void*);
    JNI_OnLoadFn jni_on_load = reinterpret_cast<JNI_OnLoadFn>(sym);
    int version = (*jni_on_load)(this, nullptr);

大抵就是从so里面找到JNI_OnLoad的符号，然后直接执行了。

分析`.init`和`.init_array`⭐（最后的结果要看到`call_array`）

只不过在此之前，就已经通过OpenNativeLibrary进行对so的加载操作了。

下面分析.init和.init_array的执行流程。

重点似乎在这里：

void* handle = android::OpenNativeLibrary(
    env,
    runtime_->GetTargetSdkVersion(),
    path_str,
    class_loader,
    (caller_location.empty() ? nullptr : caller_location.c_str()),
    library_path.get(),
    &needs_native_bridge,
    &nativeloader_error_msg);
    
VLOG(jni) << "[Call to dlopen(\"" << path << "\", RTLD_NOW) returned " << handle << "]";

OpenNativeLibrary

定位到art/libnativeloader/native_loader.cpp：

void* OpenNativeLibrary(JNIEnv* env, int32_t target_sdk_version, const char* path,
                        jobject class_loader, const char* caller_location, jstring library_path,
                        bool* needs_native_bridge, char** error_msg) {
#if defined(ART_TARGET_ANDROID)
  UNUSED(target_sdk_version);

  if (class_loader == nullptr) {
    *needs_native_bridge = false;
    if (caller_location != nullptr) {
      android_namespace_t* boot_namespace = FindExportedNamespace(caller_location);
      if (boot_namespace != nullptr) {
        const android_dlextinfo dlextinfo = {
            .flags = ANDROID_DLEXT_USE_NAMESPACE,
            .library_namespace = boot_namespace,
        };
        void* handle = android_dlopen_ext(path, RTLD_NOW, &dlextinfo);	// dlopen加载so
        if (handle == nullptr) {
          *error_msg = strdup(dlerror());
        }
        return handle;
      }
    }

    // Check if the library is in NATIVELOADER_DEFAULT_NAMESPACE_LIBS and should
    // be loaded from the kNativeloaderExtraLibs namespace.
    {
      Result<void*> handle = TryLoadNativeloaderExtraLib(path);
      if (!handle.ok()) {
        *error_msg = strdup(handle.error().message().c_str());
        return nullptr;
      }
      if (handle.value() != nullptr) {
        return handle.value();
      }
    }

    // Fall back to the system namespace. This happens for preloaded JNI
    // libraries in the zygote.
    // TODO(b/185833744): Investigate if this should fall back to the app main
    // namespace (aka anonymous namespace) instead.
    void* handle = OpenSystemLibrary(path, RTLD_NOW);
    if (handle == nullptr) {
      *error_msg = strdup(dlerror());
    }
    return handle;
  }

  std::lock_guard<std::mutex> guard(g_namespaces_mutex);
  NativeLoaderNamespace* ns;

  if ((ns = g_namespaces->FindNamespaceByClassLoader(env, class_loader)) == nullptr) {
    // This is the case where the classloader was not created by ApplicationLoaders
    // In this case we create an isolated not-shared namespace for it.
    Result<NativeLoaderNamespace*> isolated_ns =
        CreateClassLoaderNamespaceLocked(env,
                                         target_sdk_version,
                                         class_loader,
                                         /*is_shared=*/false,
                                         /*dex_path=*/nullptr,
                                         library_path,
                                         /*permitted_path=*/nullptr,
                                         /*uses_library_list=*/nullptr);
    if (!isolated_ns.ok()) {
      *error_msg = strdup(isolated_ns.error().message().c_str());
      return nullptr;
    } else {
      ns = *isolated_ns;
    }
  }

  return OpenNativeLibraryInNamespace(ns, path, needs_native_bridge, error_msg);
#else
  UNUSED(env, target_sdk_version, class_loader, caller_location);

  // Do some best effort to emulate library-path support. It will not
  // work for dependencies.
  //
  // Note: null has a special meaning and must be preserved.
  std::string c_library_path;  // Empty string by default.
  if (library_path != nullptr && path != nullptr && path[0] != '/') {
    ScopedUtfChars library_path_utf_chars(env, library_path);
    c_library_path = library_path_utf_chars.c_str();
  }

  std::vector<std::string> library_paths = base::Split(c_library_path, ":");

  for (const std::string& lib_path : library_paths) {
    *needs_native_bridge = false;
    const char* path_arg;
    std::string complete_path;
    if (path == nullptr) {
      // Preserve null.
      path_arg = nullptr;
    } else {
      complete_path = lib_path;
      if (!complete_path.empty()) {
        complete_path.append("/");
      }
      complete_path.append(path);
      path_arg = complete_path.c_str();
    }
    void* handle = dlopen(path_arg, RTLD_NOW);
    if (handle != nullptr) {
      return handle;
    }
    if (NativeBridgeIsSupported(path_arg)) {
      *needs_native_bridge = true;
      handle = NativeBridgeLoadLibrary(path_arg, RTLD_NOW);
      if (handle != nullptr) {
        return handle;
      }
      *error_msg = strdup(NativeBridgeGetError());
    } else {
      *error_msg = strdup(dlerror());
    }
  }
  return nullptr;
#endif
}

重点：

1	void* handle = android_dlopen_ext(path, RTLD_NOW, &dlextinfo);

android_dlopen_ext⭐

这是我们在Frida里面即时打印刚刚加载的so时Hook的函数。但是实际上粒度还不是特别细。下面具体分析一下函数里面干了啥。

在bionic/libdl/libdl.cpp中：

__attribute__((__weak__))
void* android_dlopen_ext(const char* filename, int flag, const android_dlextinfo* extinfo) {
  const void* caller_addr = __builtin_return_address(0);
  return __loader_android_dlopen_ext(filename, flag, extinfo, caller_addr);
}

__loader_android_dlopen_ext

linker/dlfcn.cpp - platform/bionic - Git at Google (googlesource.com)

void* __loader_android_dlopen_ext(const char* filename,
                           int flags,
                           const android_dlextinfo* extinfo,
                           const void* caller_addr) {
  return dlopen_ext(filename, flags, extinfo, caller_addr);
}

dlopen_ext

linker/dlfcn.cpp - platform/bionic - Git at Google (googlesource.com)

static void* dlopen_ext(const char* filename, int flags, const android_dlextinfo* extinfo, const void* caller_addr) {
  ScopedPthreadMutexLocker locker(&g_dl_mutex);
  soinfo* caller_soinfo = find_containing_library(caller_addr);
  soinfo* result = do_dlopen(filename, flags, caller_soinfo, extinfo);
  if (result == NULL) {
    __bionic_format_dlerror("dlopen failed", linker_get_error_buffer());
    return NULL;
  }
  return result;
}

do_dlopen

linker/linker.cpp - platform/bionic.git - Git at Google (googlesource.com)

void* do_dlopen(const char* name, int flags,
                const android_dlextinfo* extinfo,
                const void* caller_addr) {
  std::string trace_prefix = std::string("dlopen: ") + (name == nullptr ? "(nullptr)" : name);
  ScopedTrace trace(trace_prefix.c_str());
  ScopedTrace loading_trace((trace_prefix + " - loading and linking").c_str());
  soinfo* const caller = find_containing_library(caller_addr);
  android_namespace_t* ns = get_caller_namespace(caller);
  LD_LOG(kLogDlopen,
         "dlopen(name=\"%s\", flags=0x%x, extinfo=%s, caller=\"%s\", caller_ns=%s@%p, targetSdkVersion=%i) ...",
         name,
         flags,
         android_dlextinfo_to_string(extinfo).c_str(),
         caller == nullptr ? "(null)" : caller->get_realpath(),
         ns == nullptr ? "(null)" : ns->get_name(),
         ns,
         get_application_target_sdk_version());
  auto purge_guard = android::base::make_scope_guard([&]() { purge_unused_memory(); });
  auto failure_guard = android::base::make_scope_guard(
      [&]() { LD_LOG(kLogDlopen, "... dlopen failed: %s", linker_get_error_buffer()); });
  if ((flags & ~(RTLD_NOW|RTLD_LAZY|RTLD_LOCAL|RTLD_GLOBAL|RTLD_NODELETE|RTLD_NOLOAD)) != 0) {
    DL_OPEN_ERR("invalid flags to dlopen: %x", flags);
    return nullptr;
  }
  if (extinfo != nullptr) {
    if ((extinfo->flags & ~(ANDROID_DLEXT_VALID_FLAG_BITS)) != 0) {
      DL_OPEN_ERR("invalid extended flags to android_dlopen_ext: 0x%" PRIx64, extinfo->flags);
      return nullptr;
    }
    if ((extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD) == 0 &&
        (extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD_OFFSET) != 0) {
      DL_OPEN_ERR("invalid extended flag combination (ANDROID_DLEXT_USE_LIBRARY_FD_OFFSET without "
          "ANDROID_DLEXT_USE_LIBRARY_FD): 0x%" PRIx64, extinfo->flags);
      return nullptr;
    }
    if ((extinfo->flags & ANDROID_DLEXT_USE_NAMESPACE) != 0) {
      if (extinfo->library_namespace == nullptr) {
        DL_OPEN_ERR("ANDROID_DLEXT_USE_NAMESPACE is set but extinfo->library_namespace is null");
        return nullptr;
      }
      ns = extinfo->library_namespace;
    }
  }
  // Workaround for dlopen(/system/lib/<soname>) when .so is in /apex. http://b/121248172
  // The workaround works only when targetSdkVersion < Q.
  std::string name_to_apex;
  if (translateSystemPathToApexPath(name, &name_to_apex)) {
    const char* new_name = name_to_apex.c_str();
    LD_LOG(kLogDlopen, "dlopen considering translation from %s to APEX path %s",
           name,
           new_name);
    // Some APEXs could be optionally disabled. Only translate the path
    // when the old file is absent and the new file exists.
    // TODO(b/124218500): Re-enable it once app compat issue is resolved
    /*
    if (file_exists(name)) {
      LD_LOG(kLogDlopen, "dlopen %s exists, not translating", name);
    } else
    */
    if (!file_exists(new_name)) {
      LD_LOG(kLogDlopen, "dlopen %s does not exist, not translating",
             new_name);
    } else {
      LD_LOG(kLogDlopen, "dlopen translation accepted: using %s", new_name);
      name = new_name;
    }
  }
  // End Workaround for dlopen(/system/lib/<soname>) when .so is in /apex.
  std::string translated_name_holder;
  assert(!g_is_hwasan || !g_is_asan);
  const char* translated_name = name;
  if (g_is_asan && translated_name != nullptr && translated_name[0] == '/') {
    char original_path[PATH_MAX];
    if (realpath(name, original_path) != nullptr) {
      translated_name_holder = std::string(kAsanLibDirPrefix) + original_path;
      if (file_exists(translated_name_holder.c_str())) {
        soinfo* si = nullptr;
        if (find_loaded_library_by_realpath(ns, original_path, true, &si)) {
          PRINT("linker_asan dlopen NOT translating \"%s\" -> \"%s\": library already loaded", name,
                translated_name_holder.c_str());
        } else {
          PRINT("linker_asan dlopen translating \"%s\" -> \"%s\"", name, translated_name);
          translated_name = translated_name_holder.c_str();
        }
      }
    }
  } else if (g_is_hwasan && translated_name != nullptr && translated_name[0] == '/') {
    char original_path[PATH_MAX];
    if (realpath(name, original_path) != nullptr) {
      // Keep this the same as CreateHwasanPath in system/linkerconfig/modules/namespace.cc.
      std::string path(original_path);
      auto slash = path.rfind('/');
      if (slash != std::string::npos || slash != path.size() - 1) {
        translated_name_holder = path.substr(0, slash) + "/hwasan" + path.substr(slash);
      }
      if (!translated_name_holder.empty() && file_exists(translated_name_holder.c_str())) {
        soinfo* si = nullptr;
        if (find_loaded_library_by_realpath(ns, original_path, true, &si)) {
          PRINT("linker_hwasan dlopen NOT translating \"%s\" -> \"%s\": library already loaded", name,
                translated_name_holder.c_str());
        } else {
          PRINT("linker_hwasan dlopen translating \"%s\" -> \"%s\"", name, translated_name);
          translated_name = translated_name_holder.c_str();
        }
      }
    }
  }
  ProtectedDataGuard guard;
  soinfo* si = find_library(ns, translated_name, flags, extinfo, caller);
  loading_trace.End();
  if (si != nullptr) {
    void* handle = si->to_handle();
    LD_LOG(kLogDlopen,
           "... dlopen calling constructors: realpath=\"%s\", soname=\"%s\", handle=%p",
           si->get_realpath(), si->get_soname(), handle);
    si->call_constructors();
    failure_guard.Disable();
    LD_LOG(kLogDlopen,
           "... dlopen successful: realpath=\"%s\", soname=\"%s\", handle=%p",
           si->get_realpath(), si->get_soname(), handle);
    return handle;
  }
  return nullptr;
}

关注si结构体。此结构体会调用下面的构造函数：

1	si->call_constructors();

call_constructors

linker_soinfo.cpp - Android Code Search


void soinfo::call_constructors() {
  if (constructors_called || g_is_ldd) {
    return;
  }

  // We set constructors_called before actually calling the constructors, otherwise it doesn't
  // protect against recursive constructor calls. One simple example of constructor recursion
  // is the libc debug malloc, which is implemented in libc_malloc_debug_leak.so:
  // 1. The program depends on libc, so libc's constructor is called here.
  // 2. The libc constructor calls dlopen() to load libc_malloc_debug_leak.so.
  // 3. dlopen() calls the constructors on the newly created
  //    soinfo for libc_malloc_debug_leak.so.
  // 4. The debug .so depends on libc, so CallConstructors is
  //    called again with the libc soinfo. If it doesn't trigger the early-
  //    out above, the libc constructor will be called again (recursively!).
  constructors_called = true;

  if (!is_main_executable() && preinit_array_ != nullptr) {
    // The GNU dynamic linker silently ignores these, but we warn the developer.
    PRINT("\"%s\": ignoring DT_PREINIT_ARRAY in shared library!", get_realpath());
  }

  get_children().for_each([] (soinfo* si) {
    si->call_constructors();
  });

  if (!is_linker()) {
    bionic_trace_begin((std::string("calling constructors: ") + get_realpath()).c_str());
  }

  // DT_INIT should be called before DT_INIT_ARRAY if both are present.
  call_function("DT_INIT", init_func_, get_realpath());	// 调用.init
  call_array("DT_INIT_ARRAY", init_array_, init_array_count_, false, get_realpath()); // 调用.init_array

  if (!is_linker()) {
    bionic_trace_end();
  }
}

注意到最后面，有调用.init和.init_array的代码段：

1
2
3

// DT_INIT should be called before DT_INIT_ARRAY if both are present.
call_function("DT_INIT", init_func_, get_realpath());
call_array("DT_INIT_ARRAY", init_array_, init_array_count_, false, get_realpath());

现在要找到init_func_和init_array_的赋值点。

linker_ctor_function_t

首先是这两个变量的类型：

linker_soinfo.h - Android Code Search

1	linker_ctor_function_t init_func_;

prelink_image

linker.cpp - Android Code Search

在bool soinfo::prelink_image()中有：

case DT_INIT:
  init_func_ = reinterpret_cast<linker_ctor_function_t>(load_bias + d->d_un.d_ptr);
  DEBUG("%s constructors (DT_INIT) found at %p", get_realpath(), init_func_);
  break;

case DT_FINI:
  fini_func_ = reinterpret_cast<linker_dtor_function_t>(load_bias + d->d_un.d_ptr);
  DEBUG("%s destructors (DT_FINI) found at %p", get_realpath(), fini_func_);
  break;

case DT_INIT_ARRAY:
  init_array_ = reinterpret_cast<linker_ctor_function_t*>(load_bias + d->d_un.d_ptr);
  DEBUG("%s constructors (DT_INIT_ARRAY) found at %p", get_realpath(), init_array_);
  break;

case DT_INIT_ARRAYSZ:
  init_array_count_ = static_cast<uint32_t>(d->d_un.d_val) / sizeof(ElfW(Addr));
  break;

call_array

下面重新去看call_function和call_array。

linker_soinfo.cpp - Android Code Search

template <typename F>
static inline void call_array(const char* array_name __unused, F* functions, size_t count,
                              bool reverse, const char* realpath) {
  if (functions == nullptr) {
    return;
  }

  TRACE("[ Calling %s (size %zd) @ %p for '%s' ]", array_name, count, functions, realpath);

  int begin = reverse ? (count - 1) : 0;
  int end = reverse ? -1 : count;
  int step = reverse ? -1 : 1;

  for (int i = begin; i != end; i += step) {
    TRACE("[ %s[%d] == %p ]", array_name, i, functions[i]);
    call_function("function", functions[i], realpath);
  }

  TRACE("[ Done calling %s for '%s' ]", array_name, realpath);
}

底层也是遍历调用call_function。

call_function

linker_soinfo.cpp - Android Code Search

static void call_function(const char* function_name __unused,
                          linker_ctor_function_t function,
                          const char* realpath __unused) {
  if (function == nullptr || reinterpret_cast<uintptr_t>(function) == static_cast<uintptr_t>(-1)) {
    return;
  }

  TRACE("[ Calling c-tor %s @ %p for '%s' ]", function_name, function, realpath);
  function(g_argc, g_argv, g_envp);
  TRACE("[ Done calling c-tor %s @ %p for '%s' ]", function_name, function, realpath);
}

底层调用了function函数。这个玩意就是将传入的地址进行reinterpret_cast变成函数指针后直接底层调用。

总结

在函数LoadNativeLibrary中，会先调用OpenNativeLibrary，把so给加载了；然后，在调用完OpenNativeLibrary之后，再去执行JNI_Onload。而在这调用OpenNativeLibrary的过程中，函数里会调用android_dlopen_ext，这个函数的内部会首先会把.init和.init_array段中的函数给遍历执行一遍，通过call_function函数。

总体来说的执行逻辑应该是这样，用层状图标识：

LoadNativeLibrary
- OpenNativeLibrary
  - android_dlopen_ext
    - 执行.init段
    - 执行.init_array段
- 执行JNI_Onload

所以就是说，如果我们直接暴力的去跳过android_dlopen_ext的话，那么.init段是没法Hook或调试到的。因此需要更细节的去深入这个函数内的地址。

查找二进制中的函数地址

根据前面的分析，我们知道要定位call_function函数中的function(g_argc, g_argv, g_envp);地址，和LoadNativeLibrary函数中int version = (*jni_on_load)(this, nullptr);地址，以便调试.init，.init_array和JNI_OnLoad。

获得linker.so

连接手机，执行：

1 2	adb pull /system/bin/linker adb pull /system/bin/linker64

得到32位与64位的linker。

定位call_function地址

我们先分析64位的。将linker64拖入IDA。

搜索字符串[ Calling c-tor %s @ %p for '%s' ]，交叉引用。

给我了4个交叉引用结果，说明可能是被内联了。

找到后，再定位BL或者BLX这样汇编的地址，这里就是调用funciton的位置。

这是64位的结果：（相对偏移）

0x4A0F0：call_array里的
0x4A36C：call_constructors

这是32位的：

0x2C7AC
0x2C9D2

获得libart.so

在Android shell里面执行grep -r "No JNI_OnLoad"大概查了一下有啥so是与JNI_OnLoad有关系的。发现应该是libart.so。

1 2	adb pull ./apex/com.android.art/lib64/libart.so （然后手动重命名一下） adb pull ./apex/com.android.art/lib/libart.so

定位LoadNativeLibrary中的调用JNI_OnLoad的地址

查找字符串[Calling JNI_OnLoad in

定位到了之后往后翻，经过一个B跳转，找到一个BLX指令；再反编译看一下，长得大概是这样：

1
2
3

v169 = v166(v164, 0);	// 定位到的地方
if ( (unsigned int)(*(_DWORD *)(*(_DWORD *)(v164 + 4) + 652) - 1) <= 0x14 )
EnsureFrontOfChain(11);

这是64位的：

0x389178 BLR X24

这是32位的：

0x298C60 BLX R8

Frida Hook init/init-array⭐

思路：Hook android_dlopen_ext函数，然后进行机器码上的patch

这是旧Android版本对dlopen的一个Hook方法。~~但是现在的call_function变成内联函数了，因此只能从外层函数下手。~~

不同手机里的linker64都不一样，需要具体分析。

function dis(address, number) {
    for (var i = 0; i < number; i++) {
        var ins = Instruction.parse(address);
        console.log("address:" + address + "--dis:" + ins.toString());
        address = ins.next;
    }
}
 
//libc->strstr()  从linker里面找到call_function的地址：趁so代码还未执行前就hook
function hook() {
//call_function("DT_INIT", init_func_, get_realpath());
    var linkermodule = Process.getModuleByName("linker");
    var call_function_addr = null;
    var symbols = linkermodule.enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
        var symbol = symbols[i];
        //LogPrint(linkername + "->" + symbol.name + "---" + symbol.address);
        if (symbol.name.indexOf("__dl__ZL13call_functionPKcPFviPPcS2_ES0_") != -1) {
            call_function_addr = symbol.address;
            //LogPrint("linker->" + symbol.name + "---" + symbol.address)
 
        }
    }
    Interceptor.attach(call_function_addr, {
        onEnter: function (args) {
            var type = ptr(args[0]).readUtf8String();
            var address = args[1];
            var sopath = ptr(args[2]).readUtf8String();
            console.log("loadso:" + sopath + "--addr:" + address + "--type:" + type);
            if (sopath.indexOf("libnative-lib.so") != -1) {
                var libnativemodule = Process.getModuleByName("libnative-lib.so");//call_function正在加载目标so，这时就拦截下来
                var base = libnativemodule.base;
                dis(base.add(0x1234).add(1), 10);
                var patchaddr = base.add(0x2345);//改so的机器码，避免待会完全加载后运行时就错过时机了！
                // 自行patch
                Memory.patchCode(patchaddr, 4, patchaddr => {
                    var cw = new ThumbWriter(patchaddr);
                    cw.putNop();
                    cw = new ThumbWriter(patchaddr.add(0x2));
                    cw.putNop();
                    cw.flush();
                });
                console.log("+++++++++++++++++++++++")
                dis(base.add(0x1234).add(1), 10);
                console.log("----------------------")
 
                dis(base.add(0x2345).add(1), 10);
                Memory.protect(base.add(0x8E78), 4, 'rwx');
                base.add(0x1234).writeByteArray([0x00, 0xbf, 0x00, 0xbf]);
                console.log("+++++++++++++++++++++++")
                dis(base.add(0x2345).add(1), 10);
 
 
            }
        }
    })
}
 
function main() {
    hook();
}
 
setImmediate(main);

复盘一下，在call_constructors里面有：
1
2
3
// DT_INIT should be called before DT_INIT_ARRAY if both are present.
call_function("DT_INIT", init_func_, get_realpath());	// 调用.init
call_array("DT_INIT_ARRAY", init_array_, init_array_count_, false, get_realpath()); // 调用.init_array
现在考虑call_function内联的情况。call_array里面实际上也是用for循环调用call_function。因此实际上我们现在需要去Hook两个位置点，一个是call_constructors，另一个是call_array。

anyway，反正最后差不多就这个样子：

function hook_linker64() {
    var linker64 = Process.getModuleByName("linker64");
    // var libnative_lib = Process.getModuleByName("libnative-lib.so");
    // console.log("libnative_lib:", libnative_lib.base);
    console.log("linker64:", linker64.base);
    var symbols = linker64.enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
        var symbol = symbols[i];
        if (symbol.name.indexOf("_dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_") != -1) {
            var call_array_addr = symbol.address;
            console.log("call_array:", call_array_addr);
        }
        if (symbol.name.indexOf("_dl__ZN6soinfo17call_constructorsEv") != -1) {
            var call_constructors_addr = symbol.address;
            console.log("call_constructors:", call_constructors_addr);
        }
        if (symbol.name.indexOf("_dl__Z10linker_logiPKcz") != -1) {
            var linker_logi_addr = symbol.address;
            console.log("linker_logi:", linker_logi_addr);
        }
        if (symbol.name.indexOf("_dl__ZL13call_functionPKcPFviPPcS2_ES0") != -1) {
            var call_function_addr = symbol.address;
            console.log("call_function:", call_function_addr);
        }
    }

    Interceptor.attach(call_function_addr, {
        onEnter: function(args) {
            // call_function(so_name, function_ptr)
            this.function_name = args[0].readCString();
            this.function_ptr = args[1];
            this.sopath = args[2].readUtf8String();
            console.log("function_name:", this.function_name);
            console.log("calling function:", this.function_ptr);
            console.log("sopath:", this.sopath);

            if(ptr(this.function_ptr).equals(ptr(0)) == false) {
                dis(this.function_ptr, 4);
            }
        },
        onLeave: function(retval) {

        }
    })
}

IDA动态调试

测试程序

一个PUBG的外挂，

包名是：

1	com.mycompany.application

启动android_server

1 2	./android_server64 -p 1145 adb forward tcp:1145 tcp:1145

调试模式下打开APP

用XAppDebugAPP来实现任意APP的调试附加功能。在XAppDebug中选中想要调试的程序，

adb shell
su
magisk resetprop ro.debuggable 1
stop;start;

然后在开发者选项里面设置一下需要附加的APP即可。

或者

1	adb shell am start -D -n com.mycompany.application/.MainActivity

也行

设置IDA选项

1	Debugger -> Debugger optionss

选中

Suspend on thread start/exit
Suspend on library load/unload

IDA附加至so

IDA中选择Debugger-->Attach to process，找到包名，并执行。

打开DDMS

打开DDMS后，应该能看到明确显示被调试的这个APP。

注意一定得打开才行。

JDB附加

1	jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700

8700是DDMS用来获取手机APP信息的一个端口。所以DDMS首先得打开，否则JDB附加会失败。

执行了这个命令后，APP就会恢复执行。

在linker.so上下断点

上面的一堆操作执行后，就会停留在linker.so上。

然后开始根据刚刚的地址下断点。

在Modules界面搜索linker模块，找到了点进去，找到一大堆函数符号。

我们要的是这两个：

_dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_
_dl__ZN6soinfo17call_constructorsEv

找到了之后就在之前分析的函数调用点处，下个断点即可。

方法二⭐

还有种方法，就是知道模块的基址，然后直接加上刚刚分析的偏移，来快速下断点。（需要在加载库的时候打开断点列表进行重新激活）

比如在Module界面里面发觉Base基址是0x79A6AC1000

那么加上刚刚静态分析的偏移，就能直接定位了。

在libart.so上下断点

同样的操作，为JNI_OnLoad下断点。

在Modules界面里面找到

1	/apex/com.android.art/lib64/libart.so

总结一下我下断点的地方：（我揣摩应该库地址不会经常有变动）

0x7710009178
0x79A6B0B0F0
0x79A6B0B36C

多次调试

这几个断点会多次遇到，但不是所有加载的so都是我们想要的那个；因此需要多次F9运行，直到遇到我们需要的那个so库。

问题解决

DDMS在哪里

现在Android Studio IDE界面里面已经找不到了，但是在SDK里面还是能单独打开使用的。

1	path_to_android_sdk/tools/monitor.bat

DDMS报错

我一开始执行的时候报了错：

1	Failed to load library: ....

多方确认之后，了解到这个玩意只能在Java8及其之前的版本使用。

check了一下我的JAVA_PATH，发现居然是jdk16，版本太高了。

因此修改成我Java8的路径，这样就成功了。

参考

IDA 动态调试Android8 SO .init .init_array JNI_Onload - 简书 (jianshu.com)

android loadLibrary源码分析 - 简书 (jianshu.com)

安利一个看 Android 源代码的网站 - 知乎 (zhihu.com)

linker/linker.cpp - platform/bionic.git - Git at Google (googlesource.com)

java_vm_ext.cc - Android Code Search

ARM 汇编代码1 | Hexo (cola307.github.io)

Android 动态调试so文件 - 知乎 (zhihu.com)

本文作者： Taardis
本文链接： https://taardisaa.github.io/2023/06/08/Android逆向-Native调试init，init-array，JNI-Onload段/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！

Android逆向-Native调试init，init_array，JNI_OnLoad段

阅读Android源码

loadLibrary执行原理（Android11）

loadLibrary

loadLibrary0

nativeLoad

Runtime_nativeLoad

JVM_NativeLoad

LoadNativeLibrary⭐

调用JNI_OnLoad

分析.init和.init_array⭐（最后的结果要看到call_array）

OpenNativeLibrary

android_dlopen_ext⭐

__loader_android_dlopen_ext

dlopen_ext

do_dlopen

call_constructors

linker_ctor_function_t

prelink_image

call_array

call_function

总结

查找二进制中的函数地址

获得linker.so

定位call_function地址

获得libart.so

定位LoadNativeLibrary中的调用JNI_OnLoad的地址

Frida Hook init/init-array⭐

IDA动态调试

测试程序

启动android_server

调试模式下打开APP

设置IDA选项

IDA附加至so

打开DDMS

JDB附加

在linker.so上下断点

方法二⭐

在libart.so上下断点

多次调试

问题解决

DDMS在哪里

DDMS报错

参考

分析`.init`和`.init_array`⭐（最后的结果要看到`call_array`）