CN115951956A - Android dynamic link library shelling method, equipment and medium - Google Patents
Android dynamic link library shelling method, equipment and medium Download PDFInfo
- Publication number
- CN115951956A CN115951956A CN202310231340.4A CN202310231340A CN115951956A CN 115951956 A CN115951956 A CN 115951956A CN 202310231340 A CN202310231340 A CN 202310231340A CN 115951956 A CN115951956 A CN 115951956A
- Authority
- CN
- China
- Prior art keywords
- dynamic link
- link library
- function
- memory
- shelling
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 43
- 230000008439 repair process Effects 0.000 claims abstract description 36
- 238000012545 processing Methods 0.000 claims abstract description 10
- 230000006870 function Effects 0.000 claims description 107
- 238000013507 mapping Methods 0.000 claims description 7
- 238000011084 recovery Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 description 9
- 238000004590 computer program Methods 0.000 description 6
- 238000004458 analytical method Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 2
- 238000010168 coupling process Methods 0.000 description 2
- 238000005859 coupling reaction Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000035515 penetration Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a shelling method, equipment and a medium for an An Zhuo Dongtai link library. The method comprises the following steps: loading all code segments with types of PT _ LOAD in a dynamic link library to be shelled into a memory; actively calling a shell code to shell the dynamic link library to be shelled to obtain a shelled dynamic link library; performing reverse link on the dynamic link library after shelling to obtain an intermediate result, and performing repair processing on the dynamic link library after shelling on the basis of the intermediate result so as to repair damage of a shell adding program to files in the dynamic link library and the problem of file offset caused by loading the dynamic link library to be shelled into a memory; and writing the memory image of the dynamic link library after the shell removal and the repair into a local file. The invention realizes automatic shelling and automatic repair of the android dynamic link library (particularly the dynamic link library taking so as to be suffix), and ensures the code quality after shelling.
Description
Technical Field
The invention relates to the technical field of android dynamic link library shelling, in particular to a shelling method, device and medium for an android Zhuo Dongtai link library.
Background
The code of android applications is typically divided into two parts: the upper java code portion, which is compiled into an executable file in the dalvik bytecode with dex as suffix, and the lower native code portion (which is usually written in c or c + + language) which is compiled into an executable file in the dynamic link library with so as suffix. Because the core function of the app is usually involved in the dynamic link library, part of android application software developers perform shell protection on the dynamic link library, which brings great hindrance to reverse analysis and penetration test, and therefore the dynamic link library needs to be shelled. The existing dynamic link library shelling technology in the market is a shelling mode that a debugger such as IDA (integrated digital architecture) is used for dynamically loading the dynamic link library, the debugger is manually controlled to execute decryption codes, then a memory area decrypted by the dynamic link library is determined, and plug-ins are written to enable contents dump in the decrypted memory area to be in files.
Although the shelling technology described above can implement shelling of most dynamic link libraries, the shelling process is extremely complicated, and there is a problem that the post-shelling file offset is relocated and cannot be recovered, which seriously reduces the quality of the post-shelling code. And in the dynamic debugging process, the anti-debugging technology is likely to be encountered to cause shelling failure.
In view of the above, the present invention is particularly proposed.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method, equipment and a medium for shelling an android Zhuo Dongtai link library, which realize automatic shelling and automatic repair of an android dynamic link library (specifically, a dynamic link library taking so as to serve as a suffix), and ensure the quality of a code after shelling.
The embodiment of the invention provides an shelling method for an A Zhuo Dongtai linked library, which comprises the following steps:
calculating the number of bytes required for mapping the dynamic link library to be unshelled to the memory, wherein the dynamic link library to be unshelled is a file with so as a suffix;
applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the types of PT _ LOAD in the dynamic link library to be unshelled to a memory;
linking the dynamic link library to be unshelled;
actively calling a shell code to shell the dynamic link library to be shelled to obtain a shelled dynamic link library;
performing reverse link on the dynamic link library after shelling to obtain an intermediate result, and performing repair processing on the dynamic link library after shelling based on the intermediate result to repair damage of a shell adding program to files in the dynamic link library and the problem of file offset caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shell adding program to generate the dynamic link library after shelling, and the dynamic link library after shelling is the dynamic link library to be shelled;
and writing the memory image of the dynamic link library subjected to the shelling and repairing into a local file.
An embodiment of the present invention provides an electronic device, including:
a processor and a memory;
the processor is used for executing the steps of the android dynamic link library shelling method according to any embodiment by calling the program or the instruction stored in the memory.
Embodiments of the present invention provide a computer-readable storage medium, which stores a program or instructions, where the program or instructions cause a computer to execute the steps of the method for shelling an android dynamic link library according to any embodiment.
The embodiment of the invention has the following technical effects:
mapping a dynamic link library to be unshelled to a memory by calculating the number of bytes required for mapping the dynamic link library to be unshelled to the memory, wherein the dynamic link library to be unshelled is a file with so as a suffix; applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the types of PT _ LOAD in the dynamic link library to be shelled to a memory; linking the dynamic link library to be shelled; actively calling a shell code to shell the dynamic link library to be shelled to obtain a shelled dynamic link library; performing reverse link on the dynamic link library after shelling to obtain an intermediate result, and performing repair processing on the dynamic link library after shelling based on the intermediate result to repair damage of a shell adding program to files in the dynamic link library and the problem of file offset caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shell adding program to generate the dynamic link library after shelling, and the dynamic link library after shelling is the dynamic link library to be shelled; the technical means of writing the memory mirror image of the dynamic link library after shelling and repairing into a local file realizes automatic shelling and automatic repairing of the android dynamic link library (specifically, the dynamic link library with so as to be suffix), and ensures the quality of the code after shelling.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic flowchart of a method for shelling an Ann Zhuo Dongtai Linked library according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for shelling an an Zhuo Dongtai linked library according to an embodiment of the present invention, where as shown in fig. 1, the method includes the following steps:
s110, calculating the number of bytes needed for mapping the dynamic link library to be unshelled to the memory, wherein the dynamic link library to be unshelled is a file with so as a suffix.
The dynamic link library to be shelled specifically refers to a dynamic link library composed of executable files (the files are suffixes) compiled by native code parts (the native code parts are usually written in c or c + + languages) of the bottom layer of android application software.
It can be understood that, before step S110 is executed, the dynamic link library to be decapsulated needs to be read into the memory, specifically, the number of bytes of the dynamic link library to be decapsulated is calculated by calling the fopen function, the fseek function, and the ftell function, a memory block of a corresponding size is applied according to the calculated number of bytes of the dynamic link library to be decapsulated, and the dynamic link library to be decapsulated is read into the applied memory block.
The fopen function, the fseek function and the ftell function are functions in a C language standard library stdio.h, and the three functions are called in sequence to obtain the size of one file.
And S120, applying for a corresponding memory space according to the calculated byte number, and loading all code segments with the types of PT _ LOAD in the dynamic link library to be shelled to a memory.
The calculation maps the dynamic link library to be unshelled to the byte number required by the memory, applies for the memory space with the corresponding size according to the calculated byte number, and LOADs all code segments with the types of PT _ LOAD in the dynamic link library to be unshelled to the memory, and comprises the following steps:
calling a shelling function unpack _ elf _ from _ mem, calculating byte number total _ sz of a memory space required by mapping a dynamic link library to be shelled to a memory by calling a get _ total _ sz function through the shelling function unpack _ elf _ from _ mem, then initializing a size field to the calculated total _ sz, calling an alloc _ mem _ region function to apply for the memory, and then calling a LOAD _ segments function to LOAD all code segments with types of PT _ LOAD in the dynamic link library to be shelled to the memory;
the input of the un-shelling function unpack _ elf _ from _ mem is the memory mirror image of the to-be-shelled dynamic link library.
And S130, linking the dynamic link library to be shelled.
Illustratively, the link _ image function is called by the unsharp function unpack _ elf _ from _ mem to link the dynamically linked library. The essence of the method is to link the ELF file, and the method specifically comprises two steps, wherein the first step is symbol analysis, and the second step is relocation. Wherein, the meaning of symbol analysis is as follows: the source program includes definition and reference of symbols, the compiler stores the related information of the occurring symbols in a symbol table, the symbol table is a structure array, and each table item includes information of symbol name, length, position and the like. The linker associates each symbol's reference with a certain symbol definition. The meaning of relocation is: determining the absolute address of each symbol definition in the virtual address space, and modifying the address where the symbol is referenced into the relocated symbol definition address.
Optionally, the link _ image function is called by the un pack _ elf _ from _ mem function to link the dynamically linked library.
And S140, actively calling a shell code to shell the dynamic link library to be shelled to obtain the shelled dynamic link library.
Illustratively, calling the call constraints recovery function through the un _ elf _ from _ mem calls the init _ proc function and the init _ array function in the dynamic link library so as to execute the shell code through executing the init _ proc function or the init _ array function, and to execute the shell code to execute the dynamic link library to be shelled.
The init _ proc function and the init _ array function are functions in a standard ELF file, the shell code (i.e., the decryption code of the shell) is selected from one of the two functions, but from the viewpoint of a "shelling tool", it is not known whether the shell code is in the init _ proc function or the init _ array function, so that the two functions need to be run once to ensure that the original code is decrypted.
S150, performing reverse linking on the dynamic link library after shelling to obtain an intermediate result, and performing repairing processing on the dynamic link library after shelling based on the intermediate result so as to repair damage of a shell adding program to files in the dynamic link library and the problem of file offset caused by loading the dynamic link library to be shelled into a memory.
And processing the original dynamic link library by a shell adding program to generate a shell added dynamic link library, wherein the shell added dynamic link library is the dynamic link library to be shelled.
On the one hand, it is determined through a large amount of practical experience that the shelling program may damage the elf _ header function and the program _ header _ table function of the dynamic link library file, and therefore, in order to ensure the code quality after shelling, the elf _ header function and the program _ header _ table function need to be repaired. Specific repair logic can be developed specifically according to common problems to be repaired, and for example, the following is the source code of the replay _ program _ header function:
repair_program_header()
{
Elf32_Ehdr*ehdr = (Elf32_Ehdr *)psi->base;
Elf32_Phdr*phdr;
intcnt;
phdr= (Elf32_Phdr *)(psi->base + ehdr->e_phoff);
for(cnt = 0; cnt<ehdr->e_phnum; ++cnt, ++phdr) {
if(phdr->p_type== PT_LOAD)
{
Elf32_Phdr*phdr_next = phdr + 1;
if(phdr_next->p_type== PT_LOAD)
{
phdr->p_memsz= (phdr_next->p_vaddr&(~PAGE_MASK)) - phdr->p_vaddr;
}
}
if(phdr->p_vaddr>= psi->size)
{
phdr->p_vaddr= 0;
}
if(phdr->p_memsz>psi->size)
{
phdr->p_memsz= 0;
}
if(phdr->p_offset!= phdr->p_vaddr)
{
phdr->p_offset= phdr->p_vaddr;
}
if(phdr->p_filesz!= phdr->p_memsz)
{
phdr->p_filesz= phdr->p_memsz;
}
if(phdr->p_paddr!= phdr->p_vaddr)
{
phdr->p_paddr= phdr->p_vaddr;
}
}
returntrue;
}
since the dynamic link library file after final shelling is captured from the memory, for the program _ header function, the "file offset" needs to be restored by using the "memory address", and the file size needs to be restored by using the memory size.
On the other hand, in the process of loading the dynamic link library into the memory, a "relocation" process needs to be performed, that is, the "file offset" is converted into the "memory address", and the final finished product of the "shelling" is the "shelled dynamic link library", that is, after the "shelling" operation is completed in the memory, an "relocation recovery" operation needs to be performed (that is, the "memory address" is converted back into the "file offset", which corresponds to the custom function restore _ reloc _ entries), and in essence, the "relocation recovery" operation is the opposite operation to the "relocation" operation. Since the memory loading of the dynamic link library is completed by the custom functions alloc _ mem _ region and load _ segments, the "base address" of the dynamic link library in the memory can be obtained from their return values, and then the "base address" is taken to perform the "restore relocation" operation (specifically, it can be implemented by calling the restore _ reload _ entries function).
Illustratively, the reversely linking the dynamic link library after shelling to obtain an intermediate result, and performing repair processing on the dynamic link library after shelling based on the intermediate result to repair damage to a file in the dynamic link library caused by a shell adding program and a file offset problem caused by loading the dynamic link library to be shelled into a memory includes:
calling a repair function repair _ unpacked _ file through an unshelling function unpack _ elf _ from _ medium, calling a reverse link function unlink _ image through the repair function repair _ unpacked _ file to reversely link the unshelled dynamic link library to obtain an intermediate result, calling a repair _ elf _ header function to respectively set fields e _ shoff, e _ shentrize, e _ shnum and e _ shrendx in an elf _ header function in the intermediate result to zero, calling a repair _ program _ header function to repair a program _ header _ table function, and calling a restore _ reloc _ entries function to restore relocation data;
wherein, the calling restore reloc entries function to restore relocation data includes:
and acquiring return values of the alloc _ mem _ region function and the load _ segments function, wherein the return values comprise base addresses of the dynamic link library in a memory, and recovering the original addresses of each symbol in the dynamic link library based on the base addresses.
And S160, writing the memory image of the dynamic link library subjected to shell removal and repair into a local file.
Further, the method further includes, after the shell code is actively called to shell the dynamic link library to be shelled and obtain the dynamic link library after the shell is removed, before the memory image of the dynamic link library after the shell is removed and repaired is written into the local file, the method further includes:
the patch _ packet _ code function is called by the un _ elf _ from _ mem function to remove shell codes from the init _ proc function and the init _ array function, so as to ensure that the dynamically linked library after shell removal cannot be re-shelled when running again. If the 'shell code' is not removed after the dynamic link library is unshelled, the 'shell code' is firstly run when the 'unshelled dynamic link library' is run again later, and then the dynamic link library is encrypted back, so that the dynamic link library cannot run, and the 'shell code' must be removed after the dynamic link library is unshelled.
According to the scheme of the embodiment of the invention, the shelling process of the android dynamic link library is automatically completed by using an active calling mode, and the problem that the function offset after shelling cannot be recovered after being relocated is solved, so that the shelling flow is greatly simplified, and the shelling efficiency and the code quality after shelling are improved.
In summary, the shelling method specifically includes: calculating the byte size of the dynamic link library to be shelled through fopen, fseek and ftell functions, then applying for a memory block with the byte size, then reading the memory block into the dynamic link library to be shelled, and then calling a shelling function unpack _ elf _ from _ mem. The decapsulation function unpack _ elf _ from _ mem first calls the get _ total _ sz function to calculate the number of memory space bytes required by the dynamic link library to map to the memory, total _ sz, then initializes the size field to the calculated total _ sz, then calls the alloc _ mem _ region function to apply for the memory, then calls the LOAD _ segments function to LOAD all segments of the type PT _ LOAD in the dynamic link library to the correct location of the memory (since the segment of the type PT _ LOAD in the dynamic link library file needs to be loaded into the memory before running, while the PT _ LOAD segment loaded into the memory needs to be "page aligned" (typically the memory page is 4K in size, and is typically aligned by 4K), there is a conversion from "file offset" to "memory address", so the "correct location" means "the correct memory address calculated for loading the PT _ LOAD segment into the memory"), then calls the link _ library function to perform decryption on the dynamic link library, and then calls the store _ command _ source _ store _ command function to decrypt the dynamic link library. The replay _ unpacked _ file function is then called. The repair _ unpacked _ file function is used to complete the repair work after the shelling. The method comprises the steps of firstly running a unlink _ image function for reverse linking, then calling a replay _ elf _ header function to repair elf _ header, then calling a replay _ program _ header function to repair program _ header _ table, then calling a restore _ reload _ entries function to restore relocation data, and then calling a patch _ packet _ code function to remove shell code from the init _ program and init _ array.
And finally calling a dump _ unpacked _ file function to write the memory image subjected to shelling and repairing into the local file by the unpack _ elf _ from _ mem, and finishing the shelling and repairing processes completely.
Fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 2, the electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities and may control other components in the electronic device 400 to perform desired functions.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other form of connection mechanism (not shown). The input device 403 may include, for example, a keyboard, a mouse, and the like. The output device 404 can output various information to the outside, including warning prompt information, braking force, etc. The output devices 404 may include, for example, a display, speakers, printer, and the like, as well as a communication network and its connected remote output devices.
Of course, for simplicity, only some of the components of the electronic device 400 relevant to the present invention are shown in fig. 2, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of the android dynamic link library shelling method provided by any of the embodiments of the present invention.
The computer program product may write program code for carrying out operations for embodiments of the present invention in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, an embodiment of the present invention may also be a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, cause the processor to perform the steps of the android dynamic link library shelling method provided by any embodiment of the present invention.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to limit the scope of the present application. As used in this specification, the terms "a", "an" and/or "the" are not intended to be inclusive of the singular, but rather are intended to be inclusive of the plural, unless the context clearly dictates otherwise. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, or apparatus that comprises the element.
It is also noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," "outer," and the like are used herein to denote an orientation or positional relationship, as illustrated in the accompanying drawings, for convenience in describing the present invention and to simplify the description, but are not intended to denote or imply that the referenced device or element must have a particular orientation, be constructed in a particular orientation, and be operated in a particular orientation, and thus should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "connected," "coupled," and the like are to be construed broadly and encompass, for example, both fixed and removable coupling as well as integral coupling; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions deviate from the technical solutions of the embodiments of the present invention.
Claims (8)
1. An Ann Zhuo Dongtai linked library shelling method, comprising:
calculating the number of bytes required for mapping the dynamic link library to be unshelled to the memory, wherein the dynamic link library to be unshelled is a file with so as a suffix;
applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the types of PT _ LOAD in the dynamic link library to be unshelled to a memory;
linking the dynamic link library to be shelled;
actively calling a shell code to shell the dynamic link library to be shelled to obtain a shelled dynamic link library;
performing reverse link on the dynamic link library after shelling to obtain an intermediate result, and performing repair processing on the dynamic link library after shelling based on the intermediate result to repair damage of a shell adding program to files in the dynamic link library and the problem of file offset caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shell adding program to generate the dynamic link library after shelling, and the dynamic link library after shelling is the dynamic link library to be shelled;
and writing the memory image of the dynamic link library subjected to the shelling and repairing into a local file.
2. The method of claim 1, wherein before calculating the number of bytes required to map the to-be-shelled dynamically linked library to memory, further comprising:
calculating the byte number of a dynamic link library to be shelled by calling a fopen function, a fseek function and a ftell function in sequence, applying for a memory block with a corresponding size according to the calculated byte number of the dynamic link library to be shelled, and reading the dynamic link library to be shelled into the applied memory block;
correspondingly, the calculating maps the dynamic link library to be unpulled to the byte number required by the memory, applies for the memory space with the corresponding size according to the calculated byte number, and LOADs all code segments with the type of PT _ LOAD in the dynamic link library to be unpulled to the memory, including:
calling a shelling function unpack _ elf _ from _ mem, calculating byte number total _ sz of a memory space required by mapping a dynamic link library to be shelled to a memory by calling a get _ total _ sz function through the shelling function unpack _ elf _ from _ mem, then initializing a size field to the calculated total _ sz, calling an alloc _ mem _ region function to apply for the memory, and then calling a LOAD _ segments function to LOAD all code segments with types of PT _ LOAD in the dynamic link library to be shelled to the memory;
the input of the un-shelling function unpack _ elf _ from _ mem is the memory mirror image of the to-be-shelled dynamic link library.
3. The method according to claim 2, wherein the reversely linking the dynamic link library after shelling to obtain an intermediate result, and performing a repair process on the dynamic link library after shelling based on the intermediate result to repair damage to a file in the dynamic link library caused by the shell adding program and a file offset problem caused by loading the dynamic link library to be shelled into the memory comprises:
calling a repair function repair _ unpacked _ file through an unshelling function unpack _ elf _ from _ medium, calling a reverse link function unlink _ image through the repair function repair _ unpacked _ file to reversely link the unshelled dynamic link library to obtain an intermediate result, calling a repair _ elf _ header function to respectively set fields e _ shoff, e _ shentrize, e _ shnum and e _ shrendx in an elf _ header function in the intermediate result to zero, calling a repair _ program _ header function to repair a program _ header _ table function, and calling a restore _ reloc _ entries function to restore relocation data;
wherein, the calling restore reloc entries function to restore relocation data includes:
and acquiring return values of the alloc _ mem _ region function and the load _ segments function, wherein the return values comprise base addresses of the dynamic link library in a memory, and recovering the original addresses of each symbol in the dynamic link library based on the base addresses.
4. The method of claim 1, wherein linking the to-be-shelled dynamically linked library comprises:
and calling a link _ image function by an unsharp function unpack _ elf _ from _ mem to link the dynamic link library.
5. The method of claim 1, wherein the actively calling shell code shells the dynamic link library to be shelled to obtain a shelled dynamic link library, and the shelling comprises:
calling a call _ constraints _ recovery function through a shelling function unpack _ elf _ from _ mem to call an init _ proc function and an init _ array function in the dynamic link library, so that running of shell codes is realized by running the init _ proc function or the init _ array function, and shelling of the dynamic link library to be shelled is realized by running the shell codes.
6. The method of claim 1, wherein the actively calling shell code shells the dynamic link library to be shelled, obtains the shelled dynamic link library, and writes a memory image of the shelled and repaired dynamic link library to a local file, and wherein the method further comprises:
the patch _ packet _ code function is called by the un _ elf _ from _ mem function to remove shell code from the init _ proc and init _ array functions.
7. An electronic device, characterized in that the electronic device comprises:
a processor and a memory;
the processor is configured to perform the steps of the android dynamically linked library shelling method as claimed in any one of claims 1 to 6 by calling a program or instructions stored in the memory.
8. A computer-readable storage medium storing a program or instructions for causing a computer to perform the steps of the android dynamic link library shelling method as claimed in any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310231340.4A CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310231340.4A CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115951956A true CN115951956A (en) | 2023-04-11 |
| CN115951956B CN115951956B (en) | 2023-06-06 |
Family
ID=85891310
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310231340.4A Active CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115951956B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105930692A (en) * | 2016-04-20 | 2016-09-07 | 北京鼎源科技有限公司 | Dynamic shelling method for Android application |
| CN106778226A (en) * | 2016-11-24 | 2017-05-31 | 四川无声信息技术有限公司 | Shell document hulling method and device |
| CN107392018A (en) * | 2017-06-30 | 2017-11-24 | 阿里巴巴集团控股有限公司 | Application program hulling method and device |
| CN111427782A (en) * | 2020-03-24 | 2020-07-17 | 同盾控股有限公司 | Operation method, device, equipment and storage medium of android dynamic link library |
| CN113868648A (en) * | 2021-09-08 | 2021-12-31 | 南京烽火天地通信科技有限公司 | Automatic shelling engine implementation method for malicious files |
-
2023
- 2023-03-13 CN CN202310231340.4A patent/CN115951956B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105930692A (en) * | 2016-04-20 | 2016-09-07 | 北京鼎源科技有限公司 | Dynamic shelling method for Android application |
| CN106778226A (en) * | 2016-11-24 | 2017-05-31 | 四川无声信息技术有限公司 | Shell document hulling method and device |
| CN107392018A (en) * | 2017-06-30 | 2017-11-24 | 阿里巴巴集团控股有限公司 | Application program hulling method and device |
| CN111427782A (en) * | 2020-03-24 | 2020-07-17 | 同盾控股有限公司 | Operation method, device, equipment and storage medium of android dynamic link library |
| CN113868648A (en) * | 2021-09-08 | 2021-12-31 | 南京烽火天地通信科技有限公司 | Automatic shelling engine implementation method for malicious files |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115951956B (en) | 2023-06-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9858072B2 (en) | Portable executable file analysis | |
| US10324694B2 (en) | Arranging binary code based on call graph partitioning | |
| US10504605B2 (en) | Method and system for testing firmware of solid-state storage device, and electronic apparatus | |
| CN107807839B (en) | Method and device for modifying memory data of virtual machine and electronic equipment | |
| US20140129875A1 (en) | Method for reading kernel log upon kernel panic in operating system | |
| US10133871B1 (en) | Method and system for identifying functional attributes that change the intended operation of a compiled binary extracted from a target system | |
| US20190087208A1 (en) | Method and apparatus for loading elf file of linux system in windows system | |
| CN110716845A (en) | Method for reading log information of Android system | |
| CN112667246A (en) | Application function extension method and device and electronic equipment | |
| CN113867768A (en) | Operating system processing method and device, electronic equipment and storage medium | |
| CN107678770B (en) | Interface chip upgrading method and device, storage medium and processor | |
| CN111666102A (en) | File format conversion method, chip verification method, related device and network chip | |
| CN115951956A (en) | Android dynamic link library shelling method, equipment and medium | |
| CN111694580B (en) | Method and device for upgrading and initializing storage device and electronic device | |
| JP2009020695A (en) | Information processing apparatus and system | |
| CN114691496A (en) | Unit testing method, unit testing device, computing equipment and medium | |
| US20140325186A1 (en) | Supporting code execution in dual address spaces | |
| US20170357558A1 (en) | Apparatus and method to enable a corrected program to take over data used before correction thereof | |
| CN109324809B (en) | Data processing method and device | |
| JP6691884B2 (en) | Computer and application management method | |
| JP4741835B2 (en) | Memory dump system | |
| CN114443353A (en) | Mirror image file simulation method and device, electronic equipment and storage medium | |
| JP2003228492A (en) | Computer simulation program, verification method for model of processor, and computer simulation method | |
| JP2796162B2 (en) | Instruction processing method | |
| CN113031956A (en) | Program compiling method and device and program running method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20231227 Address after: 215, Innovation Plaza Podium, 2007 Pingshan Avenue, Liulian Community, Pingshan Street, Pingshan District, Shenzhen City, Guangdong Province, 518118 Patentee after: China Automotive Research Technology Co.,Ltd. Address before: 300300 building 17, No. 68, Xianfeng East Road, Dongli District, Tianjin Patentee before: CNR software evaluation (Tianjin) Co.,Ltd. |