lpcdma/base.cpp

## base.cpp
static jobject getApplication(JNIEnv *env) {
    jobject application = NULL;
    jclass activity_thread_clz = env->FindClass("android/app/ActivityThread");
    if (activity_thread_clz != NULL) {
        jmethodID currentApplication = env->GetStaticMethodID(
                activity_thread_clz, "currentApplication", "()Landroid/app/Application;");
        if (currentApplication != NULL) {
            application = env->CallStaticObjectMethod(activity_thread_clz, currentApplication);
        }
        env->DeleteLocalRef(activity_thread_clz);
    }
    return application;
}

static void hookInit(JNIEnv *env, jclass,jstring dexPath, jstring odexPath, jstring className, jstring methodName) {

    jclass classloaderClass = env->FindClass("java/lang/ClassLoader");

    jmethodID getsysloaderMethod = env->GetStaticMethodID(classloaderClass, "getSystemClassLoader","()Ljava/lang/ClassLoader;");
    jobject loader =env->CallStaticObjectMethod(classloaderClass,getsysloaderMethod);

    jstring dexpath = dexPath;
    jstring dex_odex_path = odexPath;
    jclass dexLoaderClass = env->FindClass("dalvik/system/DexClassLoader");
    jmethodID initDexLoaderMethod =env->GetMethodID(dexLoaderClass, "<init>","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V");
    jobject dexLoader =env->NewObject(dexLoaderClass,initDexLoaderMethod, dexpath, dex_odex_path, NULL, loader);
    jmethodID findclassMethod = env->GetMethodID(dexLoaderClass,"findClass", "(Ljava/lang/String;)Ljava/lang/Class;");
    if(NULL==findclassMethod)
    {
        findclassMethod = env->GetMethodID(dexLoaderClass,"loadClass", "(Ljava/lang/String;)Ljava/lang/Class;");
    }
    jstring javaClassName = className;
    jclass javaClientClass=(jclass)env->CallObjectMethod(dexLoader,findclassMethod,javaClassName);
    const char* func =env->GetStringUTFChars(methodName, NULL);
    jmethodID inject_method = env->GetStaticMethodID(javaClientClass, func, "()V");
    env->CallStaticVoidMethod(javaClientClass,inject_method);
}

static void System_Load(JNIEnv *env, const char* lib){
    auto clazz = env->FindClass("java/lang/System");
    auto method = env->GetStaticMethodID(clazz, "load", "(Ljava/lang/String;)V");
    auto libPath = env->NewStringUTF(lib);
    env->CallStaticVoidMethod(clazz, method, libPath);
    env->DeleteLocalRef(clazz);
    env->DeleteLocalRef(libPath);
    if (env->ExceptionCheck()){
        env->ExceptionDescribe();
        env->ExceptionClear();
    }
}

static void System_Library(JNIEnv *env, const char* lib){
    auto clazzRuntime = env->FindClass("java/lang/Runtime");
    auto clazzVMStack = env->FindClass("dalvik/system/VMStack");
    auto methodGetRuntime = env->GetStaticMethodID(clazzRuntime, "getRuntime", "()Ljava/lang/Runtime;");
    auto methodGetCallingClassLoader = env->GetStaticMethodID(clazzVMStack, "getCallingClassLoader", "()Ljava/lang/ClassLoader;");
    auto runtime = env->CallStaticObjectMethod(clazzRuntime, methodGetRuntime);
    auto loader = env->CallStaticObjectMethod(clazzVMStack, methodGetCallingClassLoader);
    auto methodLoadLibrary0 = env->GetMethodID(env->GetObjectClass(runtime), "loadLibrary0", "(Ljava/lang/ClassLoader;Ljava/lang/String;)V");
    auto libName = env->NewStringUTF(lib);
    env->CallVoidMethod(runtime, methodLoadLibrary0, loader, libName);
    env->DeleteLocalRef(clazzRuntime);
    env->DeleteLocalRef(clazzVMStack);
    env->DeleteLocalRef(runtime);
    env->DeleteLocalRef(loader);
    env->DeleteLocalRef(libName);
    if (env->ExceptionCheck()){
        env->ExceptionDescribe();
        env->ExceptionClear();
    }
}

## hookhoudini.c
typedef void* (*PFN_bridge_dlopen)(const char* filename, int flag);
typedef void* (*PFN_sub_1FEAD0)(const char* filename, int flag);

void load_payload() {
    void* openfun = 0, *payload = 0, *houdini = 0;
    houdini = dlopen("/system/lib/libhoudini.so", RTLD_NOW);
    LOGD("libhoudini.so handle:%p\n", houdini);
    //https://raw.githubusercontent.com/tiann/epic/master/library/src/main/cpp/fake_dlfcn.cpp
   houdini = fake_dlopen("/system/lib/libhoudini.so", RTLD_NOW);
   LOGD("libhoudini.so handle:%p\n", houdini);
    if (houdini) {
        openfun = fake_dlsym(houdini, "dvm2hdDlopen");
        LOGD("openfun:%p\n", openfun);
        if (!openfun) {
            void** itf = (void**)fake_dlsym(houdini, "NativeBridgeItf");
            if (itf) {
                openfun = itf[2];
                LOGD("itf openfun:%p\n", openfun);
            }
        }
        PFN_bridge_dlopen pfn_bridge_dlopen = (PFN_bridge_dlopen)openfun;
        payload = pfn_bridge_dlopen("/data/local/tmp/libsubstrate.so", RTLD_NOW);
        LOGD("libpayload.so handle:%p\n", payload);
        //Shall not invoke deprecated interface in v3 implementation!

        void** info = (void**)houdini;
        void* base_addr = info[0];
        LOGD("base_addr:%p\n", base_addr);
        PFN_sub_1FEAD0 pfn_sub_1FEAD0 = (PFN_sub_1FEAD0)((void*)((unsigned int)base_addr + 0x1FEAD0));
        LOGD("pfn_sub_1FEAD0:%p\n", pfn_sub_1FEAD0);

        payload = pfn_sub_1FEAD0("/data/local/tmp/libsubstrate.so", RTLD_NOW);
        LOGD("libpayload.so handle:%p\n", payload);
    }
}

//获得过程,.rodata:00398634	00000026	C	loaded library %s via Native Bridge.\n
//内存r/w断点失败, exec断点
//回溯
//未完成回溯.
	static jobject getApplication(JNIEnv *env) {
	jobject application = NULL;
	jclass activity_thread_clz = env->FindClass("android/app/ActivityThread");
	if (activity_thread_clz != NULL) {
	jmethodID currentApplication = env->GetStaticMethodID(
	activity_thread_clz, "currentApplication", "()Landroid/app/Application;");
	if (currentApplication != NULL) {
	application = env->CallStaticObjectMethod(activity_thread_clz, currentApplication);
	}
	env->DeleteLocalRef(activity_thread_clz);
	}
	return application;
	}

	static void hookInit(JNIEnv *env, jclass,jstring dexPath, jstring odexPath, jstring className, jstring methodName) {

	jclass classloaderClass = env->FindClass("java/lang/ClassLoader");

	jmethodID getsysloaderMethod = env->GetStaticMethodID(classloaderClass, "getSystemClassLoader","()Ljava/lang/ClassLoader;");
	jobject loader =env->CallStaticObjectMethod(classloaderClass,getsysloaderMethod);

	jstring dexpath = dexPath;
	jstring dex_odex_path = odexPath;
	jclass dexLoaderClass = env->FindClass("dalvik/system/DexClassLoader");
	jmethodID initDexLoaderMethod =env->GetMethodID(dexLoaderClass, "<init>","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V");
	jobject dexLoader =env->NewObject(dexLoaderClass,initDexLoaderMethod, dexpath, dex_odex_path, NULL, loader);
	jmethodID findclassMethod = env->GetMethodID(dexLoaderClass,"findClass", "(Ljava/lang/String;)Ljava/lang/Class;");
	if(NULL==findclassMethod)
	{
	findclassMethod = env->GetMethodID(dexLoaderClass,"loadClass", "(Ljava/lang/String;)Ljava/lang/Class;");
	}
	jstring javaClassName = className;
	jclass javaClientClass=(jclass)env->CallObjectMethod(dexLoader,findclassMethod,javaClassName);
	const char* func =env->GetStringUTFChars(methodName, NULL);
	jmethodID inject_method = env->GetStaticMethodID(javaClientClass, func, "()V");
	env->CallStaticVoidMethod(javaClientClass,inject_method);
	}

	static void System_Load(JNIEnv env, const char lib){
	auto clazz = env->FindClass("java/lang/System");
	auto method = env->GetStaticMethodID(clazz, "load", "(Ljava/lang/String;)V");
	auto libPath = env->NewStringUTF(lib);
	env->CallStaticVoidMethod(clazz, method, libPath);
	env->DeleteLocalRef(clazz);
	env->DeleteLocalRef(libPath);
	if (env->ExceptionCheck()){
	env->ExceptionDescribe();
	env->ExceptionClear();
	}
	}

	static void System_Library(JNIEnv env, const char lib){
	auto clazzRuntime = env->FindClass("java/lang/Runtime");
	auto clazzVMStack = env->FindClass("dalvik/system/VMStack");
	auto methodGetRuntime = env->GetStaticMethodID(clazzRuntime, "getRuntime", "()Ljava/lang/Runtime;");
	auto methodGetCallingClassLoader = env->GetStaticMethodID(clazzVMStack, "getCallingClassLoader", "()Ljava/lang/ClassLoader;");
	auto runtime = env->CallStaticObjectMethod(clazzRuntime, methodGetRuntime);
	auto loader = env->CallStaticObjectMethod(clazzVMStack, methodGetCallingClassLoader);
	auto methodLoadLibrary0 = env->GetMethodID(env->GetObjectClass(runtime), "loadLibrary0", "(Ljava/lang/ClassLoader;Ljava/lang/String;)V");
	auto libName = env->NewStringUTF(lib);
	env->CallVoidMethod(runtime, methodLoadLibrary0, loader, libName);
	env->DeleteLocalRef(clazzRuntime);
	env->DeleteLocalRef(clazzVMStack);
	env->DeleteLocalRef(runtime);
	env->DeleteLocalRef(loader);
	env->DeleteLocalRef(libName);
	if (env->ExceptionCheck()){
	env->ExceptionDescribe();
	env->ExceptionClear();
	}
	}
	typedef void* (PFN_bridge_dlopen)(const char filename, int flag);
	typedef void* (PFN_sub_1FEAD0)(const char filename, int flag);

	void load_payload() {
	void* openfun = 0, payload = 0, houdini = 0;
	houdini = dlopen("/system/lib/libhoudini.so", RTLD_NOW);
	LOGD("libhoudini.so handle:%p\n", houdini);
	//https://raw.githubusercontent.com/tiann/epic/master/library/src/main/cpp/fake_dlfcn.cpp
	houdini = fake_dlopen("/system/lib/libhoudini.so", RTLD_NOW);
	LOGD("libhoudini.so handle:%p\n", houdini);
	if (houdini) {
	openfun = fake_dlsym(houdini, "dvm2hdDlopen");
	LOGD("openfun:%p\n", openfun);
	if (!openfun) {
	void itf = (void)fake_dlsym(houdini, "NativeBridgeItf");
	if (itf) {
	openfun = itf[2];
	LOGD("itf openfun:%p\n", openfun);
	}
	}
	PFN_bridge_dlopen pfn_bridge_dlopen = (PFN_bridge_dlopen)openfun;
	payload = pfn_bridge_dlopen("/data/local/tmp/libsubstrate.so", RTLD_NOW);
	LOGD("libpayload.so handle:%p\n", payload);
	//Shall not invoke deprecated interface in v3 implementation!

	void info = (void)houdini;
	void* base_addr = info[0];
	LOGD("base_addr:%p\n", base_addr);
	PFN_sub_1FEAD0 pfn_sub_1FEAD0 = (PFN_sub_1FEAD0)((void*)((unsigned int)base_addr + 0x1FEAD0));
	LOGD("pfn_sub_1FEAD0:%p\n", pfn_sub_1FEAD0);

	payload = pfn_sub_1FEAD0("/data/local/tmp/libsubstrate.so", RTLD_NOW);
	LOGD("libpayload.so handle:%p\n", payload);
	}
	}

	//获得过程,.rodata:00398634 00000026 C loaded library %s via Native Bridge.\n
	//内存r/w断点失败, exec断点
	//回溯
	//未完成回溯.