CN115951956B - Android dynamic link library unshelling method, equipment and medium - Google Patents
Android dynamic link library unshelling method, equipment and medium Download PDFInfo
- Publication number
- CN115951956B CN115951956B CN202310231340.4A CN202310231340A CN115951956B CN 115951956 B CN115951956 B CN 115951956B CN 202310231340 A CN202310231340 A CN 202310231340A CN 115951956 B CN115951956 B CN 115951956B
- Authority
- CN
- China
- Prior art keywords
- link library
- dynamic link
- unshelling
- function
- memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000008439 repair process Effects 0.000 claims abstract description 21
- 238000012545 processing Methods 0.000 claims abstract description 9
- 230000006870 function Effects 0.000 claims description 100
- 238000013507 mapping Methods 0.000 claims description 10
- 238000011084 recovery Methods 0.000 claims description 2
- 230000008569 process Effects 0.000 description 9
- 238000004590 computer program Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000012467 final product Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000035515 penetration Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a method, equipment and medium for unshelling an Zhuo Dongtai link library. The method comprises the following steps: loading all code segments with the PT_LOAD type in the dynamic link library to be unshelling into a memory; actively calling a shell code to unshelling the dynamic link library to be unshelling to obtain an unshelling dynamic link library; reverse linking is carried out on the shelled dynamic link library to obtain an intermediate result, and restoration processing is carried out on the shelled dynamic link library based on the intermediate result so as to restore the damage to the file in the dynamic link library caused by the shelling program and the file offset problem caused by loading the dynamic link library to be shelled into a memory; and writing the memory mirror image of the dynamic link library after unshelling and repair into a local file. The invention realizes automatic shelling and automatic repairing of the android dynamic link library (particularly the dynamic link library taking the so as the suffix), and ensures the code quality after shelling.
Description
Technical Field
The invention relates to the technical field of android dynamic link library shelling, in particular to an android Zhuo Dongtai link library shelling method, equipment and medium.
Background
The code of android applications is typically divided into two parts: the java code part at the upper layer and the native code part at the bottom layer (the native code part is usually written in c or c++ language), the executable file compiled by the java code part is a davik byte code with the suffix of dex, and the executable file compiled by the native code part is a dynamic link library with the suffix of so. Because the dynamic link library generally relates to the core function of the app, some android application software developers perform shell protection on the dynamic link library, which brings great obstruction to reverse analysis and penetration test, so that the dynamic link library needs to be unshelling. The dynamic link library unshelling technology in the market at present uses debuggers such as IDA to dynamically load the dynamic link library, and manually controls the debuggers to execute decryption codes, then determines the decrypted memory area of the dynamic link library, and writes plug-in units to unshelling the decrypted memory area from the content dump to the file.
Although the shelling technology can realize shelling of most of dynamic link libraries, the shelling process is extremely complicated, and the problem that the file offset is relocated after shelling and cannot be recovered exists, so that the quality of codes after shelling is seriously reduced. And during dynamic debugging, the anti-debugging technology is likely to be encountered, so that the uncoating failure is caused.
In view of this, the present invention has been made.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method, equipment and medium for unshelling an Zhuo Dongtai link library, which realize automatic unshelling and automatic repairing of an android dynamic link library (particularly a dynamic link library with a. So as a suffix) and ensure the unshelling code quality.
The embodiment of the invention provides an An Zhuo Dongtai link library unshelling method, which comprises the following steps:
calculating the number of bytes required for mapping a dynamic link library to be unshelling to a memory, wherein the dynamic link library to be unshelling is a file with so as a suffix;
applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling into a memory;
linking the dynamic link library to be unshelling;
actively calling a shell code to unshelling the dynamic link library to be unshelling to obtain an unshelling dynamic link library;
reverse linking is carried out on the shelled dynamic link library to obtain an intermediate result, and restoration processing is carried out on the shelled dynamic link library based on the intermediate result so as to restore the damage to the file in the dynamic link library caused by the shelled program and the file offset problem caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shelled program to generate the shelled dynamic link library, and the shelled dynamic link library is the dynamic link library to be shelled;
and writing the memory mirror image of the dynamic link library after unshelling and repair into a local file.
The embodiment of the invention provides electronic equipment, which comprises:
a processor and a memory;
the processor is used for executing the steps of the android dynamic link library unshelling method according to any embodiment by calling the program or the instructions stored in the memory.
The embodiment of the invention provides a computer readable storage medium, which stores a program or instructions for causing a computer to execute the steps of the android dynamic link library unshelling method according to any embodiment.
The embodiment of the invention has the following technical effects:
mapping the dynamic link library to be unshelling to the byte number required by the memory by calculating, wherein the dynamic link library to be unshelling is a file taking so as a suffix; applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling into a memory; linking the dynamic link library to be unshelling; actively calling a shell code to unshelling the dynamic link library to be unshelling to obtain an unshelling dynamic link library; reverse linking is carried out on the shelled dynamic link library to obtain an intermediate result, and restoration processing is carried out on the shelled dynamic link library based on the intermediate result so as to restore the damage to the file in the dynamic link library caused by the shelled program and the file offset problem caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shelled program to generate the shelled dynamic link library, and the shelled dynamic link library is the dynamic link library to be shelled; the technical means of writing the memory mirror image of the dynamic link library after unshelling and repair into the local file realizes the automatic unshelling and automatic repair of the android dynamic link library (in particular to the dynamic link library taking the so as a suffix) and ensures the unshelling code quality.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of an exemplary method for unshelling an An Zhuo Dongtai linked library according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the invention, are within the scope of the invention.
Fig. 1 is a flow chart of a method for unshelling an An Zhuo Dongtai linked library according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
s110, calculating the byte number required by mapping the dynamic link library to be unshelling to the memory, wherein the dynamic link library to be unshelling is a file with so as a suffix.
The dynamic link library to be unshelling specifically refers to a dynamic link library formed by an executable file (the file is named as a suffix) compiled by a native code part (the native code part is usually written in a c or c++) at the bottom layer of android application software.
It can be understood that before executing step S110, the dynamic link library to be unshelling needs to be read into the memory, specifically, the byte number of the dynamic link library to be unshelling is calculated by calling the fopen function, the fseek function and the ftell function, the memory block with the corresponding size is applied according to the calculated byte number of the dynamic link library to be unshelling, and the dynamic link library to be unshelling is read into the applied memory block.
The fopen function, the fseek function and the ftell function are functions in the standard library stdio.h of the C language, and the three functions are called in sequence, so that the size of one file can be obtained.
S120, applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling to a memory.
The calculating the byte number required by mapping the dynamic link library to be unshelling to the memory, applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling to the memory, wherein the method comprises the following steps:
calling a unshelling function unpack_elf_from_mem to calculate the byte number total_sz of a memory space required by mapping a dynamic link library to be unshelling to a memory through the unshelling function unpack_elf_from_mem, initializing a size field to the calculated total_sz, calling an alloc_mem_region function to apply for the memory, and calling a load_segments function to LOAD all code segments with the type PT_LOAD in the dynamic link library to be unshelling to the memory;
the input of the unshelling function unpack_elf_from_mem is a memory mirror image of the dynamic link library to be unshelling.
S130, linking the dynamic link library to be unshelling.
Illustratively, the dynamic link library is linked by calling the link_image function by the unshelling function unpack_elf_from_mem. The essence is to link the ELF file, which comprises two steps, namely symbol parsing and repositioning. The meaning of symbol analysis is as follows: the source program contains definition and reference of symbol, the compiler stores the related information of symbol in symbol table, the symbol table is a structure array, each table item contains information of symbol name, length and position, etc. The linker associates each symbol's reference with a determined symbol definition. The meaning of repositioning is: an absolute address of each symbol definition in the virtual address space is determined, and the address to which the symbol refers is modified to the relocated symbol definition address.
Optionally, the link_image function is called by the unshelling function unpack_elf_from_mem to link the dynamic link library.
S140, actively calling a shell code to unshelling the dynamic link library to be unshelling, and obtaining the unshelling dynamic link library.
The init_proc function and init_array function in the dynamic link library are illustratively called by a call_constraints_recovery function called by a unshelling function unpack_elf_from_mem to realize the operation of shell code by operating the init_proc function or the init_array function and the unshelling of the dynamic link library to be unshelling by operating the shell code.
The init_proc function and init_array function are functions in a standard ELF file, and the shell code (i.e. the decryption code of the shell) can be selected from one of the functions, but from the perspective of a "shelling tool", it is not known whether the shell code is in the init_proc function or the init_array function, so that it is necessary to run both functions once to ensure that the original code is decrypted.
And S150, carrying out reverse link on the shelled dynamic link library to obtain an intermediate result, and carrying out repair treatment on the shelled dynamic link library based on the intermediate result so as to repair the damage of the shelled program to the file in the dynamic link library and the file offset problem caused by loading the dynamic link library to be shelled into a memory.
The original dynamic link library is processed by a shelling program to generate a shelled dynamic link library, and the shelled dynamic link library is the dynamic link library to be shelled.
On the one hand, the shell program is determined through a great deal of practical experience to damage the elf_header function and the program_header_table function of the dynamically linked library file, so that the elf_header function and the program_header_table function need to be repaired in order to ensure the code quality after the shelling. Specific repair logic can be developed specifically according to the common problem to be repaired, and illustratively, the following are source codes of the repair_program_header function:
repair_program_header()
{
Elf32_Ehdr*ehdr = (Elf32_Ehdr *)psi->base;
Elf32_Phdr*phdr;
intcnt;
phdr= (Elf32_Phdr *)(psi->base + ehdr->e_phoff);
for(cnt = 0; cnt<ehdr->e_phnum; ++cnt, ++phdr) {
if(phdr->p_type== PT_LOAD)
{
Elf32_Phdr*phdr_next = phdr + 1;
if(phdr_next->p_type== PT_LOAD)
{
phdr->p_memsz= (phdr_next->p_vaddr&(~PAGE_MASK)) - phdr->p_vaddr;
}
}
if(phdr->p_vaddr>= psi->size)
{
phdr->p_vaddr= 0;
}
if(phdr->p_memsz>psi->size)
{
phdr->p_memsz= 0;
}
if(phdr->p_offset!= phdr->p_vaddr)
{
phdr->p_offset= phdr->p_vaddr;
}
if(phdr->p_filesz!= phdr->p_memsz)
{
phdr->p_filesz= phdr->p_memsz;
}
if(phdr->p_paddr!= phdr->p_vaddr)
{
phdr->p_paddr= phdr->p_vaddr;
}
}
returntrue;
}
since the finally dehulled dynamically linked library file is fetched from the memory, for the program_header function, the "memory address" is required to restore the "file offset" and the memory size is required to restore the file size.
On the other hand, in the process of loading the dynamic link library into the memory, a "relocation" process is required, that is, the "file offset" is converted into the "memory address", and the final product of "unshelling" is the "unshelling dynamic link library", that is, after the "unshelling" operation is completed in the memory, a "restore relocation" operation (that is, the process of converting the "memory address" back into the "file offset" corresponds to the custom function restore_reloc_entries), which is essentially the reverse operation of the "relocation" operation. Since the memory loading of the dynamic link library is accomplished by custom functions allocmregion and load segments, the "base address" of the dynamic link library in the memory can be obtained from their return values, and then the "base address" can be taken to perform a "restore relocation" operation (which can be implemented by calling the restore reloc entries function).
Exemplary, the reverse linking is performed on the shelled dynamic link library to obtain an intermediate result, and repair processing is performed on the shelled dynamic link library based on the intermediate result to repair damage to the file in the dynamic link library caused by the shelling program and file offset problem caused by loading the dynamic link library to be shelled into the memory, including:
calling a repair function repair_unpacked_file through a unshelling function unpacke_shell_from_mem, reversely linking the unshelling dynamic link library through a repair function repair_unpacked_file, obtaining an intermediate result, then calling a repair_shell_header function to set fields e_shell, e_share and e_share in the intermediate result in zero respectively, calling a repair_program_header function, and calling a restore_reloc_entries function to restore repositioning data;
wherein the calling the restore_reloc_entries function to restore relocation data comprises:
and acquiring the return values of the alloc_mem_region function and the load_segments function, wherein the return values comprise the base address of the dynamic link library in the memory, and recovering the original address of each symbol in the dynamic link library based on the base address.
S160, writing the memory mirror image of the dynamic link library after unshelling and repair into a local file.
Further, the active calling shell code dehulling the dynamic link library to be dehulled, and after the dehulled dynamic link library is obtained, before the memory image of the dehulled and repaired dynamic link library is written into the local file, the method further comprises:
the method comprises the steps of removing shell codes from an init_proc function and an init_array function through a shelling function unpack_elf_from_mem to call a patch_packet_code function so as to ensure that the shelled dynamic link library cannot be shelled again when running again. If the "shell code" is not removed after the dynamically linked library is unshelling, the "unshelling dynamically linked library" will first run the "shell code" when it is run again later, and the dynamically linked library will be "encrypted back" again, so the "shell code" must be removed after the dynamically linked library is unshelling.
According to the scheme provided by the embodiment of the invention, the shelling process of the android dynamic link library is automatically completed by utilizing an active calling mode, and the problem that the function offset is relocated and cannot be recovered after shelling is solved, so that the shelling process is greatly simplified, the shelling efficiency is improved, and the code quality after shelling is improved.
In general terms, the above-mentioned shelling method is specifically: and calculating the byte number size of the dynamic link library to be unshelling through a fopen, fseek, ftell function, applying for a memory block with the byte number of size, reading the dynamic link library to be unshelling into the memory block, and calling an unshelling function unpack_elf_from_mem. The unshelling function unpack_elf_from_mem firstly calls get_total_sz function to calculate the number of memory space bytes total_sz required by mapping dynamic link library to memory, then initializes size field to calculated total_sz, then calls alloc_mem_region function to apply memory, then calls load_segments function to LOAD all sections of type pt_load in dynamic link library to correct position of memory (since sections of type pt_load in dynamic link library file need to be loaded into memory before running, pt_load section loaded in memory is required to be "page aligned" (general memory page is 4K size, so general is 4K aligned), so there is a conversion from "file offset" to "memory address", so "correct position" means "correct address calculated for loading pt_load section into memory", then calls k_image function to LOAD dynamic link library, and then calls dynamic link library to decrypt function. The repaira_unpackaged_file function is then called. The repair_unpacked_file function is used to complete the unshelling repair work. Firstly, running an unlink_image function to carry out reverse link, then calling a repairjelf_header function to repair the elf_header, then calling a repairjprogram_header function to repair the program_header_table, then calling a restore_reloc_entries function to restore relocation data, and then calling a patch_packet_code function to remove shell codes from the.
The unpack_elf_from_mem finally calls the dump_unpacked_file function to write the unshelling and repaired memory image into the local file, and the unshelling and repair process is completed.
Fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 2, electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities and may control other components in the electronic device 400 to perform desired functions.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown). The input device 403 may include, for example, a keyboard, a mouse, and the like. The output device 404 may output various information to the outside, including early warning prompt information, braking force, etc. The output device 404 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, only some of the components of the electronic device 400 that are relevant to the present invention are shown in fig. 2 for simplicity, components such as buses, input/output interfaces, etc. are omitted. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of the android dynamic link library unshelling method provided by any of the embodiments of the invention.
The computer program product may write program code for performing operations of embodiments of the present invention in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present invention may also be a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, cause the processor to perform the steps of the android dynamic link library unshelling method provided by any of the embodiments of the present invention.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application. As used in this specification, the terms "a," "an," "the," and/or "the" are not intended to be limiting, but rather are to be construed as covering the singular and the plural, unless the context clearly dictates otherwise. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements.
It should also be noted that the positional or positional relationship indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the positional or positional relationship shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or element in question must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Unless specifically stated or limited otherwise, the terms "mounted," "connected," and the like are to be construed broadly and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the essence of the corresponding technical solutions from the technical solutions of the embodiments of the present invention.
Claims (6)
1. A method for unshelling an Zhuo Dongtai linked library, comprising:
calculating the number of bytes required for mapping a dynamic link library to be unshelling to a memory, wherein the dynamic link library to be unshelling is a file with so as a suffix;
applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling into a memory;
linking the dynamic link library to be unshelling;
actively calling a shell code to unshelling the dynamic link library to be unshelling to obtain an unshelling dynamic link library;
reverse linking is carried out on the shelled dynamic link library to obtain an intermediate result, and restoration processing is carried out on the shelled dynamic link library based on the intermediate result so as to restore the damage to the file in the dynamic link library caused by the shelled program and the file offset problem caused by loading the dynamic link library to be shelled into a memory, wherein the original dynamic link library is processed by the shelled program to generate the shelled dynamic link library, and the shelled dynamic link library is the dynamic link library to be shelled;
writing the memory mirror image of the dynamic link library after unshelling and repair into a local file;
before the calculation of the byte number required for mapping the dynamic link library to be unshelling to the memory, the method further comprises the following steps:
calculating the byte number of a dynamic link library to be unshelling by sequentially calling a fopen function, an fseek function and an ftell function, applying for a memory block with a corresponding size according to the calculated byte number of the dynamic link library to be unshelling, and reading the dynamic link library to be unshelling into the applied memory block;
correspondingly, the calculating the byte number required by mapping the dynamic link library to be unshelling to the memory, applying for a memory space with a corresponding size according to the calculated byte number, and loading all code segments with the type PT_LOAD in the dynamic link library to be unshelling to the memory, including:
calling a unshelling function unpack_elf_from_mem to calculate the byte number total_sz of a memory space required by mapping a dynamic link library to be unshelling to a memory through the unshelling function unpack_elf_from_mem, initializing a size field to the calculated total_sz, calling an alloc_mem_region function to apply for the memory, and calling a load_segments function to LOAD all code segments with the type PT_LOAD in the dynamic link library to be unshelling to the memory;
the input of the unshelling function unpack_elf_from_mem is a memory mirror image of the dynamic link library to be unshelling;
the reverse link is performed on the shelled dynamic link library to obtain an intermediate result, and repair processing is performed on the shelled dynamic link library based on the intermediate result to repair the damage to the file in the dynamic link library caused by the shelling program and the file offset problem caused by loading the dynamic link library to be shelled into the memory, including:
calling a repair function repair_unpacked_file through a unshelling function unpacke_shell_from_mem, reversely linking the unshelling dynamic link library through a repair function repair_unpacked_file, obtaining an intermediate result, then calling a repair_shell_header function to set fields e_shell, e_share and e_share in the intermediate result in zero respectively, calling a repair_program_header function, and calling a restore_reloc_entries function to restore repositioning data;
wherein the calling the restore_reloc_entries function to restore relocation data comprises:
and acquiring the return values of the alloc_mem_region function and the load_segments function, wherein the return values comprise the base address of the dynamic link library in the memory, and recovering the original address of each symbol in the dynamic link library based on the base address.
2. Method according to claim 1, wherein linking the dynamic link library to be dehulled comprises:
the link_image function is called by the uncoating function unpack_elf_from_mem to link the dynamic link library.
3. The method of claim 1, wherein the actively invoking the shell code to dehull the dynamic link library to be dehulled to obtain a dehulled dynamic link library, comprises:
the method comprises the steps of calling a call_structures_recovery function through a shell_function unpack_elf_from_mem to call an init_proc function and an init_array function in a dynamic link library, so that shell code can be operated through operation of the init_proc function or the init_array function, and the shell of the dynamic link library to be shelled can be realized through operation of the shell code.
4. The method of claim 1, wherein the actively calling shell code dehulling the dynamic link library to be dehulled, and after obtaining the dehulled dynamic link library, before writing the memory image of the dehulled and repaired dynamic link library to the local file, the method further comprises:
the shell code is removed from the init_proc function and the init_array function by calling the patch_packet_code function through the uncoating function unpack_elf_from_mem.
5. An electronic device, the electronic device comprising:
a processor and a memory;
the processor is configured to perform the steps of the android dynamic link library unshelling method according to any one of claims 1 to 4 by calling a program or instructions stored in the memory.
6. A computer-readable storage medium storing a program or instructions that cause a computer to perform the steps of the android dynamic link library unshelling method according to any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310231340.4A CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310231340.4A CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115951956A CN115951956A (en) | 2023-04-11 |
| CN115951956B true CN115951956B (en) | 2023-06-06 |
Family
ID=85891310
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310231340.4A Active CN115951956B (en) | 2023-03-13 | 2023-03-13 | Android dynamic link library unshelling method, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115951956B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111427782A (en) * | 2020-03-24 | 2020-07-17 | 同盾控股有限公司 | Operation method, device, equipment and storage medium of android dynamic link library |
| CN113868648A (en) * | 2021-09-08 | 2021-12-31 | 南京烽火天地通信科技有限公司 | Automatic shelling engine implementation method for malicious files |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105930692A (en) * | 2016-04-20 | 2016-09-07 | 北京鼎源科技有限公司 | Dynamic shelling method for Android application |
| CN106778226A (en) * | 2016-11-24 | 2017-05-31 | 四川无声信息技术有限公司 | Shell document hulling method and device |
| CN107392018B (en) * | 2017-06-30 | 2020-09-15 | 阿里巴巴集团控股有限公司 | Application program shelling method and device |
-
2023
- 2023-03-13 CN CN202310231340.4A patent/CN115951956B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111427782A (en) * | 2020-03-24 | 2020-07-17 | 同盾控股有限公司 | Operation method, device, equipment and storage medium of android dynamic link library |
| CN113868648A (en) * | 2021-09-08 | 2021-12-31 | 南京烽火天地通信科技有限公司 | Automatic shelling engine implementation method for malicious files |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115951956A (en) | 2023-04-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9858072B2 (en) | Portable executable file analysis | |
| US20170161040A1 (en) | Arranging Binary Code Based on Call Graph Partitioning | |
| Okolica et al. | Windows operating systems agnostic memory analysis | |
| US9235433B2 (en) | Speculative object representation | |
| US9146759B2 (en) | Assumption-based compilation | |
| US20110321002A1 (en) | Rewriting Branch Instructions Using Branch Stubs | |
| JP2004038923A (en) | Emulation of conditional code flag for program code conversion | |
| JPH11507450A (en) | Method and system for detecting corrupted data using mirror data | |
| US20130024675A1 (en) | Return address optimisation for a dynamic code translator | |
| CN106796525A (en) | On-demand loading dynamic script language codes are used with reducing internal memory | |
| US9465595B2 (en) | Computing apparatus, computing method, and computing program | |
| US20100153936A1 (en) | Deferred constant pool generation | |
| TW201351274A (en) | Method and apparatus for substituting compiler built-in helper functions with machine instructions | |
| JP2000040005A (en) | Program converting device | |
| CN115951956B (en) | Android dynamic link library unshelling method, equipment and medium | |
| US8661421B2 (en) | Methods and apparatuses for endian conversion | |
| CN110045952B (en) | Code calling method and device | |
| US6854109B2 (en) | Tool for converting .MAP file formats | |
| US11635947B2 (en) | Instruction translation support method and information processing apparatus | |
| US20210365252A1 (en) | Instruction translation support method and information processing apparatus | |
| JP7338778B2 (en) | Program, instruction generation method and instruction generation device | |
| JP3848171B2 (en) | Computer simulation program, processor model verification method, and computer simulation method | |
| US20080127072A1 (en) | Method and system for extending evaluation for intermediate representation interpretation | |
| CN117289941A (en) | Target file generation method and device, electronic equipment and storage medium | |
| JP3248935B2 (en) | Source program analysis processor |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20231227 Address after: 215, Innovation Plaza Podium, 2007 Pingshan Avenue, Liulian Community, Pingshan Street, Pingshan District, Shenzhen City, Guangdong Province, 518118 Patentee after: China Automotive Research Technology Co.,Ltd. Address before: 300300 building 17, No. 68, Xianfeng East Road, Dongli District, Tianjin Patentee before: CNR software evaluation (Tianjin) Co.,Ltd. |