Init Commit

.gitignore

@@ -0,0 +1,16 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties
+/.idea

README.md

@@ -0,0 +1,39 @@
+
+### 简介
+
+在Android7.0以及以上的版本中，dlfcn.h头文件中dlopen, dlsym函数已经无法在系统库上使用。
+比较常见的规避方法是，先通过maps文件找到so文件对应起始地址，然后通过解析elf 文件，得到函数的偏移量，起始地址加上偏移量就算出函数的真实地址。
+具体实现方式是：[Nougat_dlfunctions](https://github.com/avs333/Nougat_dlfunctions)。不过，这种方法偶尔会不太靠谱，要么是起始地址计算错误，要么是偏移量计算不准确。
+
+这里，通过修改入口函数的LR寄存器的值，欺骗系统这是从系统库里发起调用的，从而实现绕过调用的限制。
+
+### 支持版本
+
+Android 4,5,6,7,8,9,10,11
+
+### 使用
+在cmake文件中引入：
+```
+set(bypass_dlfcn_root_dir ${CMAKE_CURRENT_SOURCE_DIR}/../../../../lib)
+add_subdirectory(${bypass_dlfcn_root_dir} bypasss_dlfcn)
+include_directories(${bypass_dlfcn_root_dir}/include/)
+target_link_libraries(
+        your_lib
+        bypass_dlfcn)
+```
+在代码中导入头文件:
+```
+#include "bypass_dlfcn.h"
+```
+使用头文件中的接口代替dlfcn.h中的接口:
+```
+void *bp_dlopen(const char *filename, int flag);
+int bp_dlclose(void *handle);
+const char *bp_dlerror(void);
+void *bp_dlsym(void *handle, const char *symbol);
+int bp_dladdr(const void *ddr, Dl_info *info);
+```
+
+### 致谢
+
+1. [Nougat_dlfunctions](https://github.com/avs333/Nougat_dlfunctions)

app/.gitignore

@@ -0,0 +1 @@
+/build

app/build.gradle

@@ -0,0 +1,59 @@
+plugins {
+    id 'com.android.application'
+    id 'kotlin-android'
+}
+
+android {
+    compileSdk 30
+    buildToolsVersion "30.0.3"
+
+    defaultConfig {
+        applicationId "com.example.bypass.dlfunctions"
+        minSdk 21
+        targetSdk 30
+        versionCode 1
+        versionName "1.0"
+
+        externalNativeBuild {
+            cmake {
+                cppFlags ''
+            }
+        }
+
+        ndk {
+            abiFilter("armeabi-v7a")
+//            abiFilter("arm64-v8a")
+        }
+    }
+
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+        }
+    }
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_8
+        targetCompatibility JavaVersion.VERSION_1_8
+    }
+    kotlinOptions {
+        jvmTarget = '1.8'
+    }
+    externalNativeBuild {
+        cmake {
+            path file('src/main/cpp/CMakeLists.txt')
+            version '3.10.2'
+        }
+    }
+    buildFeatures {
+        viewBinding true
+    }
+}
+
+dependencies {
+
+    implementation 'androidx.core:core-ktx:1.3.2'
+    implementation 'androidx.appcompat:appcompat:1.2.0'
+    implementation 'com.google.android.material:material:1.2.1'
+    implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
+}

app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

app/src/main/AndroidManifest.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.bypass.dlfunctions">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.Bypass_dlfunctions">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

app/src/main/cpp/CMakeLists.txt

@@ -0,0 +1,26 @@
+cmake_minimum_required(VERSION 3.10.2)
+
+project("bypass_dlfunctions_sample")
+
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-stack-protector")
+
+set(bypass_dlfcn_root_dir ${CMAKE_CURRENT_SOURCE_DIR}/../../../../lib)
+add_subdirectory(${bypass_dlfcn_root_dir} bypasss_dlfcn)
+
+include_directories(
+        ${bypass_dlfcn_root_dir}/include/
+)
+
+add_library(
+        bypass_dlfunctions_sample
+        SHARED
+        sample.cpp)
+
+find_library(
+        log-lib
+        log)
+
+target_link_libraries(
+        bypass_dlfunctions_sample
+        bypass_dlfcn
+        ${log-lib})

app/src/main/cpp/sample.cpp

@@ -0,0 +1,51 @@
+#include <jni.h>
+#include <string>
+#include <vector>
+#include <android/log.h>
+#include "bypass_dlfcn.h"
+
+#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, "Test_DlFunctions", __VA_ARGS__)
+
+template<typename ...Args>
+inline std::string format_string(const char *format, Args... args) {
+    constexpr size_t oldlen = BUFSIZ;
+    char buffer[oldlen];
+    size_t newlen = snprintf(&buffer[0], oldlen, format, args...);
+    newlen++;
+    if (newlen > oldlen) {
+        std::vector<char> newbuffer(newlen);
+        snprintf(newbuffer.data(), newlen, format, args...);
+        return std::string(newbuffer.data());
+    }
+    return buffer;
+}
+
+extern "C" JNIEXPORT jstring JNICALL
+Java_com_example_bypass_dlfunctions_MainActivity_test_1bypass_1dlfcn(
+    JNIEnv *env, jclass clazz) {
+
+    std::string so_file_name = "libart.so";
+    std::string target_function_name = "_ZN3art10ObjectLockINS_6mirror6ObjectEED2Ev";
+
+    void *handle = bp_dlopen(so_file_name.c_str(), RTLD_NOW);
+
+    void *func_address = bp_dlsym(handle, target_function_name.c_str());
+
+    LOGD(" bypass dlopen, dlopen result: %p,  dlsym result: %p", handle, func_address);
+
+    Dl_info info;
+    bp_dladdr(func_address, &info);
+
+    std::string result;
+    result += info.dli_fname;
+    result += format_string(" dlopen result: %p", handle);
+    result += "\n";
+    result += "function name: ";
+    result += info.dli_sname;
+    result += "\n";
+    result += format_string(" dlsym result: %p", func_address);
+
+    LOGD(" result: \n %s", result.c_str());
+
+    return env->NewStringUTF(result.c_str());
+}

app/src/main/java/com/example/bypass/dlfunctions/MainActivity.kt

@@ -0,0 +1,36 @@
+package com.example.bypass.dlfunctions
+
+import androidx.appcompat.app.AppCompatActivity
+import android.os.Bundle
+import android.view.View
+import android.widget.Toast
+import androidx.annotation.Keep
+import com.example.bypass.dlfunctions.databinding.ActivityMainBinding
+
+@Keep
+class MainActivity : AppCompatActivity() {
+
+    private lateinit var binding: ActivityMainBinding
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        binding = ActivityMainBinding.inflate(layoutInflater)
+        setContentView(binding.root)
+    }
+
+
+    fun clickedBtn(view: View) {
+        val result = test_bypass_dlfcn()
+        Toast.makeText(this, result, Toast.LENGTH_LONG).show()
+    }
+
+    companion object {
+        init {
+            System.loadLibrary("bypass_dlfunctions_sample")
+        }
+
+        @JvmStatic
+        @Keep
+        external fun test_bypass_dlfcn(): String
+    }
+}

app/src/main/res/drawable-v24/ic_launcher_foreground.xml

@@ -0,0 +1,30 @@
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:aapt="http://schemas.android.com/aapt"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+    <path android:pathData="M31,63.928c0,0 6.4,-11 12.1,-13.1c7.2,-2.6 26,-1.4 26,-1.4l38.1,38.1L107,108.928l-32,-1L31,63.928z">
+        <aapt:attr name="android:fillColor">
+            <gradient
+                android:endX="85.84757"
+                android:endY="92.4963"
+                android:startX="42.9492"
+                android:startY="49.59793"
+                android:type="linear">
+                <item
+                    android:color="#44000000"
+                    android:offset="0.0" />
+                <item
+                    android:color="#00000000"
+                    android:offset="1.0" />
+            </gradient>
+        </aapt:attr>
+    </path>
+    <path
+        android:fillColor="#FFFFFF"
+        android:fillType="nonZero"
+        android:pathData="M65.3,45.828l3.8,-6.6c0.2,-0.4 0.1,-0.9 -0.3,-1.1c-0.4,-0.2 -0.9,-0.1 -1.1,0.3l-3.9,6.7c-6.3,-2.8 -13.4,-2.8 -19.7,0l-3.9,-6.7c-0.2,-0.4 -0.7,-0.5 -1.1,-0.3C38.8,38.328 38.7,38.828 38.9,39.228l3.8,6.6C36.2,49.428 31.7,56.028 31,63.928h46C76.3,56.028 71.8,49.428 65.3,45.828zM43.4,57.328c-0.8,0 -1.5,-0.5 -1.8,-1.2c-0.3,-0.7 -0.1,-1.5 0.4,-2.1c0.5,-0.5 1.4,-0.7 2.1,-0.4c0.7,0.3 1.2,1 1.2,1.8C45.3,56.528 44.5,57.328 43.4,57.328L43.4,57.328zM64.6,57.328c-0.8,0 -1.5,-0.5 -1.8,-1.2s-0.1,-1.5 0.4,-2.1c0.5,-0.5 1.4,-0.7 2.1,-0.4c0.7,0.3 1.2,1 1.2,1.8C66.5,56.528 65.6,57.328 64.6,57.328L64.6,57.328z"
+        android:strokeWidth="1"
+        android:strokeColor="#00000000" />
+</vector>