arminject

Hook not working on Android 6

Open mingchen opened this issue 8 years ago • 5 comments

`make test` launches Chrome with a blank screen with the following output:

```
@ Starting com.android.chrome/com.google.android.apps.chrome.Main ...
@ Injection into PID 16594 starting ...
--------- beginning of main
--------- beginning of system
01-03 13:09:11.769 16594 16594 I LIBHOOK : LIBRARY LOADED FROM PID 16594.
01-03 13:09:11.779 16594 16594 I LIBHOOK : Found 125 loaded modules.
01-03 13:09:11.779 16594 16594 I LIBHOOK : Installing 12 hooks.
01-03 13:09:11.779 16594 16594 I LIBHOOK : [0x72606000] Hooking /data/dalvik-cache/arm/system@[email protected] ...
01-03 13:09:11.780 16594 16594 I LIBHOOK : [0x91580000] Hooking /data/app/com.android.chrome-1/base.apk ...
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : dlopen error: dlopen failed: library "/data/app/com.android.chrome-1/base.apk" wasn't loaded and RTLD_NOLOAD prevented it.
01-03 13:09:11.780 16594 16594 I LIBHOOK : [0x9D5CD000] Hooking /system/lib/libqdutils.so ...
01-03 13:09:11.782 16594 16594 I LIBHOOK :   open - 0xece0c102 -> 0x9d491fad
01-03 13:09:11.782 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.782 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.782 16594 16594 I LIBHOOK :   close - 0xe51b0014 -> 0x9d49195d
01-03 13:09:11.782 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=66 - rel_count=63 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : [0x9D5D5000] Hooking /system/lib/libmemalloc.so ...
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.783 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=49 - rel_count=49 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : [0x9D5DF000] Hooking /data/app/com.android.chrome-1/lib/arm/libchromium_android_linker.so ...
01-03 13:09:11.784 16594 16594 I LIBHOOK : [0x9D886000] Hooking /system/lib/hw/gralloc.msm8974.so ...
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.784 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.785 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.785 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.785 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.785 16594 16594 I LIBHOOK : Unable to find symbol in the reloc tables ( plt_rel_count=57 - rel_count=43 ).
01-03 13:09:11.785 16594 16594 I LIBHOOK : [0x9E664000] Hooking /data/app/com.android.chrome-1/oat/arm/base.odex ...
01-03 13:09:11.785 16594 16594 I LIBHOOK : [0xA7F57000] Hooking /system/lib/libwebviewchromium_loader.so ...
```

mingchen, Jan 03 '16 21:01

I came across this change to the linker, which I suspect might be the cause for the injector not working on Android 6.0:

https://android.googlesource.com/platform/bionic/+/d88e1f350111b3dfd71c6492321f0503cb5540db

Basically, dlopen no longer returns a pointer to the soinfo struct, but a handle id instead. So unless we can figure out another way of getting at the soinfo struct, we're out of luck!

sir-earl, Aug 01 '16 11:08

I have the same issue

beyonddoor, Jun 11 '17 13:06

@sir-earl Yes, you're right, I've recompiled the linker with the below changes:

```cpp
void* soinfo::to_handle() {
  // if (get_application_target_sdk_version() < __ANDROID_API_N__ || !has_min_version(3)) {
    return this;
  // }
  // return reinterpret_cast<void*>(get_handle());
}
```

And it fixed the issue.

sergk79, Oct 04 '18 17:10
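A simplified model of the handle-versus-pointer behaviour discussed in the two comments above, added here as an illustration; it is not code from arminject, from bionic, or from any commenter. The `Loader` class, its `load()` and `from_handle()` methods, the odd-valued ids and the omission of the `has_min_version(3)` check are assumptions of this sketch.

```cpp
// Simplified model of the behaviour discussed in this thread; NOT bionic source.
// Loader, load(), from_handle() and the id values are hypothetical.
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

constexpr int kApiN = 24;  // API level of Android N, the cut-off in the quoted condition

struct soinfo {
  std::string name;
  std::uintptr_t handle_id = 0;  // opaque id; odd, so it never equals an aligned pointer
  // Mirrors the condition in the quoted to_handle(): older targets get the raw
  // struct pointer, newer targets get an opaque id (has_min_version omitted).
  void* to_handle(int target_sdk) {
    if (target_sdk < kApiN) return this;
    return reinterpret_cast<void*>(handle_id);
  }
};

class Loader {
 public:
  soinfo* load(const std::string& name) {
    auto si = std::make_unique<soinfo>();
    si->name = name;
    si->handle_id = next_id_;
    next_id_ += 2;  // keep ids odd
    by_id_[si->handle_id] = si.get();
    libs_.push_back(std::move(si));
    return libs_.back().get();
  }
  // Only the loader's own table can turn an opaque handle back into a soinfo*.
  soinfo* from_handle(void* handle) const {
    auto v = reinterpret_cast<std::uintptr_t>(handle);
    if ((v & 1) == 0) return static_cast<soinfo*>(handle);  // legacy: already a pointer
    auto it = by_id_.find(v);
    return it == by_id_.end() ? nullptr : it->second;
  }
 private:
  std::uintptr_t next_id_ = 0x1001;
  std::unordered_map<std::uintptr_t, soinfo*> by_id_;
  std::vector<std::unique_ptr<soinfo>> libs_;
};

// True only when a caller may treat the returned handle as a soinfo*.
bool handle_is_soinfo_pointer(soinfo* si, int target_sdk) {
  return si->to_handle(target_sdk) == static_cast<void*>(si);
}
```

Code outside the loader that casts the returned handle to `soinfo*` is only correct in the first branch of `to_handle()`; in the second branch the value is an index into a table the caller cannot see.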

> @sir-earl Yes, you're right, I've recompiled the linker with the below changes:
>
> ```cpp
> void* soinfo::to_handle() {
>   // if (get_application_target_sdk_version() < __ANDROID_API_N__ || !has_min_version(3)) {
>     return this;
>   // }
>   // return reinterpret_cast<void*>(get_handle());
> }
> ```
>
> And it fixed the issue.

To which file did you make the changes? I can't find the linker itself. Only the linker.h

GurTelem, Jul 24 '19 08:07

@GurTelem

> To which file did you make the changes? I can't find the linker itself. Only the linker.h

That was the linker binary from [AOSP](http://androidxref.com/8.1.0_r33/xref/bionic/linker/linker_soinfo.cpp)

Yeah, that is definitely not the universal solution, but it worked for my case.

sergk79, Jul 25 '19 20:07