Android Dynamic Framework: Native Hook Mechanism in Bionic Linker
Mai-Hsuan Chia
Shih-Wei Liao
Department of Computer Science and Information Engineering
National Taiwan University
Outline
● Background
● Motivation
● Native Hook Mechanism
● Experiment
● Applications
● Future works
● Conclusion
Background
● JNI
● Android Dynamic Framework
● Bionic
JNI
● Enables Java code to call, and to be called by, native applications
(Diagram: Java method ↔ JNI ↔ native function in C/C++)
Java calls native
    class HelloWorld {
        private native void print(); // print() is a native function
        public static void main(String[] args) {
            new HelloWorld().print();
        }
        static {
            System.loadLibrary("hello"); // This loads libhello.so
        }
    }
Android Dynamic Framework
● A framework which is able to dynamically replace Java methods in ART Runtime without modifying APKs.
(Diagram: the class linker sits between Class A / Class B and a HookTable. 0. Do linking; 1. Query HookTable, which says to replace ClassA::A1 with ClassB::B1; 2. Do method hooking, after which Class A's slot for Method A1 points at Method B1.)
Bionic
● C library in Android
● Forked from BSDs rather than from GNU/Linux
○ To avoid license problems
● Smaller
● Faster
● Components
○ libc
○ libm
○ libdl (written from scratch)
○ dynamic linker
■ /system/bin/linker (written from scratch)
Motivation
● Only Java methods can be replaced in Android Dynamic Framework
(Diagram: Class A and Class B methods call through JNI into the native libraries libc.so, libd.so and libe.so. Three hooking paths are marked along the native call chain: (1) method hook, Class A's Method A1 replaced by Class B's Method B1; (2) dlopen native hook, libc.so's Func C1 as called from Java replaced by libd.so's Func D1; (3) native to native hook, libd.so's Func D2 replaced by libe.so's Func E2.)
Motivation
● (1) method hook can be done in the existing Android Dynamic Framework
● However, (2) dlopen native hook and (3) native to native hook cannot be done.
● Native hook mechanism can do both (2) dlopen native hook and (3) native to native hook
With Native hook mechanism integrated, Android Dynamic Framework can be more complete and powerful
Native hook mechanism
● Implemented in Bionic Linker
Review
● How Bionic Linker loads an executable
● Dynamic linking flow
● Dynamic loading flow
How Bionic Linker loads an executable
OS creates a process image
● Based on the interpreter's segments.
Linker links itself
● __linker_init()
Load the executable
● __linker_init_post_relocation()
(Diagram: memory space from low to high: /system/bin/linker, then the executable)
Get needed libraries names
● __linker_init_post_relocation()
● Walk the executable's .dynamic section and collect every DT_NEEDED entry:
    DT_NEEDED  ptr_to_liba1.so_name
    DT_NEEDED  ptr_to_liba2.so_name
    …
    DT_NULL
● Result:
    const char* needed_libraries_names[] = {
        "liba1.so",
        "liba2.so"
    };
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
Load needed libraries
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
exe
liba1.so
liba2.so Loaded
Not
Loaded
p.s.
Load needed libraries
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
exe
liba1.so
liba2.so Loaded
Not
Loaded
p.s.
Load needed libraries
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
exe
liba1.so
liba2.so
libb1.so
libb2.so
libb3.so
libb4.so
...
...
Loaded
Not
Loaded
p.s.
Load needed libraries
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
exe
liba1.so
liba2.so
libb2.so
libb3.so
libb4.so
...
...
Loaded
Not
Loaded
p.s.
libb1.so
Load needed libraries
● find_libaries(exe, needed_libraries_names)
○ step 1 : load libraries and build dependencies tree
exe
liba1.so
liba2.so
libb2.so
libb3.so
libb4.so
...
...
...
...
...
...
...
Loaded
Not
Loaded
p.s.
libb1.so
Load needed libraries
liba1.soexe liba2.so libb1.so libb2.so ...
● find_libaries(exe, needed_libraries_names)
○ step 2 : turn dependencies tree into libraries_list in
Breadth First Search(BFS) order
libraries_list
dependencies tree
Link the application and all libraries
● find_libraries(exe, needed_libraries_names)
○ step 3 : relocate all to-be-relocated symbols in the application and libraries
    foreach lib in libraries_list {
        foreach rel in lib.dynamic_relocation_table {
            symbol = rel.sym;
            soinfo_do_lookup(symbol, lib, libraries_list);
        }
    }
(Diagram: for each symbol sym_1 … sym_n of exe, then of liba1.so, and so on, the lookup walks libraries_list = exe, liba1.so, liba2.so, libb1.so, libb2.so, ... in order:)
    if sym_k is defined in lib:
        sym_k = lib.find(sym_k)      // FOUND: the symbol is ok
    else:
        lib = lib->next;             // NOT FOUND: try the next library in the list
It is DONE when all libraries are linked
Jump to the application's entry
● jump to executable's _start.
(Diagram: memory space now holds /system/bin/linker, the executable, liba1.so, liba2.so, libb1.so, ...)
The executable is loaded successfully
● And starts to execute from _start in its .text section
Bionic linker linking & loading flow
● Dynamic linking flow: __linker_init_post_relocation → find_libraries
● Dynamic loading flow: dlopen_ext → do_dlopen → find_library → find_libraries
● find_libraries: ... load all libraries (find_library_internal → load_library) … relocate all symbols
Native hook mechanism
The modified code is mainly in two parts
● Load hooking libraries in find_libraries()
○ Init native_hook_table
○ Look up native_hook_table
○ Load hooking_library
● Replace hooked_symbol with hooking_symbol in soinfo_do_lookup()
○ Look up native_hook_table
○ Replace every hooked_symbol in hooked_library with hooking_symbol in
hooking_library
Native hook file format
in /system/nh_file.txt
< hooked_lib_name:hooked_symbol:hooking_lib_name:hooking_symbol >
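As an added example (not the slides' linker code), a parser and lookup for this file format in C: nh_table_load() builds the native hook table from the file text, nh_is_hooked_lib() answers find_libraries()'s question of whether a hooking library must be loaded, and nh_lookup() answers soinfo_do_lookup()'s question of which hooking symbol replaces a hooked one. The sample file text, the field and table sizes, and the acceptance of '#' comments (as in the Integrated Hook Table slide later) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not the linker's code: parser and lookup for the nh_file
 * format  hooked_lib:hooked_symbol:hooking_lib:hooking_symbol.
 * Table and field sizes are assumptions of this example. */
#define NH_MAX_ENTRIES 64
#define NH_MAX_FIELD   128
struct nh_entry {
    char hooked_lib[NH_MAX_FIELD], hooked_symbol[NH_MAX_FIELD];
    char hooking_lib[NH_MAX_FIELD], hooking_symbol[NH_MAX_FIELD];
};
struct nh_table {
    struct nh_entry entries[NH_MAX_ENTRIES];
    int count;      /* well-formed entries accepted */
    int rejected;   /* malformed lines the loader ignores */
};

/* Copy one ':'-delimited field into dst. The last field ends at a '#' comment
 * or end of line and may not contain another ':'. Returns 0 for an empty,
 * overlong or malformed field. */
static int nh_take_field(const char **cursor, char *dst, int last) {
    const char *start = *cursor;
    const char *end = last ? start + strcspn(start, "#\r\n") : strchr(start, ':');
    if (!end) return 0;
    size_t len = (size_t)(end - start);
    while (len > 0 && (start[len - 1] == ' ' || start[len - 1] == '\t')) len--;
    if (len == 0 || len >= NH_MAX_FIELD) return 0;
    if (last && memchr(start, ':', len)) return 0;   /* too many fields */
    memcpy(dst, start, len);
    dst[len] = '\0';
    *cursor = last ? end : end + 1;
    return 1;
}
/* 1 = entry parsed, 0 = blank or '#' comment line, -1 = malformed line */
static int nh_parse_line(const char *line, struct nh_entry *e) {
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '#' || *line == '\r' || *line == '\n') return 0;
    const char *cur = line;
    if (!nh_take_field(&cur, e->hooked_lib, 0) ||
        !nh_take_field(&cur, e->hooked_symbol, 0) ||
        !nh_take_field(&cur, e->hooking_lib, 0) ||
        !nh_take_field(&cur, e->hooking_symbol, 1))
        return -1;
    return 1;
}

/* Build the table from the file contents, as the linker does for
 * /system/nh_file.txt at init; returns the number of entries. */
int nh_table_load(struct nh_table *t, const char *text) {
    memset(t, 0, sizeof *t);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[4 * NH_MAX_FIELD];
        struct nh_entry e;
        int r = -1;                                    /* overlong line: reject */
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            r = nh_parse_line(line, &e);
        }
        if (r < 0) t->rejected++;
        else if (r > 0 && t->count < NH_MAX_ENTRIES) t->entries[t->count++] = e;
        else if (r > 0) t->rejected++;                 /* table full */
        if (!nl) break;
        p = nl + 1;
    }
    return t->count;
}
/* find_libraries() side: does loading lib_name require a hooking library? */
int nh_is_hooked_lib(const struct nh_table *t, const char *lib_name) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].hooked_lib, lib_name) == 0) return 1;
    return 0;
}

/* soinfo_do_lookup() side: the entry whose hooking symbol replaces
 * hooked_lib:hooked_symbol, or NULL when that symbol is not hooked. */
const struct nh_entry *nh_lookup(const struct nh_table *t, const char *hooked_lib,
                                 const char *hooked_symbol) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].hooked_lib, hooked_lib) == 0 &&
            strcmp(t->entries[i].hooked_symbol, hooked_symbol) == 0)
            return &t->entries[i];
    return NULL;
}
/* Constructed nh_file contents: two good lines, two malformed ones. */
const char *NH_SAMPLE =
    "# native hook table (constructed sample)\n"
    "libm.so:sin:libmine.so:my_sin\n"
    "liba1.so:hi:libhooking.so:ha   # entry from the slides\n"
    "libc.so:open\n"
    "libc.so:open:libsandbox.so:my_open:extra\n";

struct nh_table g_nh;
int nh_load_sample(void) { return nh_table_load(&g_nh, NH_SAMPLE); }
```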
System flow
(Diagram: the ROM holds nh_file and the hooking lib. In a new process, /system/bin/linker runs __linker_init_post_relocation → find_libraries, which inits native_hook_table, looks up the native hook table and loads the hooking library; soinfo_do_lookup then looks up the native hook table and replaces the hooked symbol with the hooking symbol.)
Load hooking libraries
(Diagram: the linker is loading exe with liba1.so and liba2.so; the Native Hook Table holds liba1.so:hi:libhooking.so:ha, ...)
0. load liba1.so
1. look up the native hook table: HOOKED LIB "liba1.so" FOUND
2. load libhooking.so
Replace hooked_symbol with hooking_symbol
(Diagram: libraries_list = exe, liba1.so, liba2.so, libhooking.so; the Native Hook Table holds liba1.so:hi:libhooking.so:ha, ...; exe references symbol hi, which liba1.so defines, and libhooking.so defines ha)
0. relocate symbol hi of exe: NOT FOUND in exe, FOUND in liba1.so
1. look up native hook table: liba1.so:hi is to be hooked
2. find libhooking.so:ha
3. relocate hooked_symbol "hi" with the hooking_symbol "ha"
Before/After hook SDK
    // in libnativehook.so
    #include "native_hook.h"
    void* find_lib_symbol(char* lib_name, char* symbol)
    {
        // Using dl_iterate_phdr() to get the symbol's address
        // in the loaded library whose name is lib_name.
        …
        return ptr_to_symbol;
    }
How does find_lib_symbol() work?
With the following facts, we can get the hooked_symbol in hooked_library with dl_iterate_phdr(callback, void* data)
● hooked_lib is loaded in the memory
● dl_iterate_phdr() iterates over all loaded libraries in the process, and gets each library's program header and base address.
● With a library's program header, we can get the .dynamic segment, and therefore the .dynstr and .dynsym sections
● With .dynsym and .dynstr, we can find the offset of hooked_symbol in hooked_lib.
● hooked_symbol_addr = base address + offset
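Those facts carried out as an added example in C, not the slides' libnativehook.so: find_lib_symbol() walks dl_iterate_phdr(), finds PT_DYNAMIC, pulls .dynsym/.dynstr from it, looks the name up through the object's DT_GNU_HASH table and returns base address + offset. The lookup_req struct, substring matching of the library path and the empty-name wildcard are assumptions of this example; it runs as-is on a Linux host for demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1          /* dl_iterate_phdr() and struct dl_phdr_info */
#endif
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not the slides' libnativehook.so: find_lib_symbol() built on
 * dl_iterate_phdr(), following the facts above: program headers -> PT_DYNAMIC
 * -> .dynsym/.dynstr -> symbol offset -> base address + offset. Names are
 * found through the DT_GNU_HASH table that Bionic and glibc objects carry. */
struct lookup_req {
    const char *lib_name;   /* substring of the loaded path; "" matches any object */
    const char *symbol;
    void *result;
};

static uint32_t gnu_hash(const char *s) {
    uint32_t h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Bionic's linker treats .dynamic pointers as load-bias-relative offsets,
 * while glibc's loader rewrites them in place to absolute addresses; a value
 * below the object's base is still an offset. */
static ElfW(Addr) dyn_ptr(ElfW(Addr) v, ElfW(Addr) base) {
    return v < base ? v + base : v;
}

static int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) {
    struct lookup_req *req = data;
    (void)size;
    if (!info->dlpi_name || !strstr(info->dlpi_name, req->lib_name)) return 0;

    const ElfW(Dyn) *dyn = NULL;
    for (int i = 0; i < info->dlpi_phnum; i++)
        if (info->dlpi_phdr[i].p_type == PT_DYNAMIC)
            dyn = (const ElfW(Dyn) *)(info->dlpi_addr + info->dlpi_phdr[i].p_vaddr);
    if (!dyn) return 0;

    const ElfW(Sym) *symtab = NULL;
    const char *strtab = NULL;
    const uint32_t *gh = NULL;
    for (; dyn->d_tag != DT_NULL; dyn++) {
        ElfW(Addr) p = dyn_ptr(dyn->d_un.d_ptr, info->dlpi_addr);
        if (dyn->d_tag == DT_SYMTAB) symtab = (const ElfW(Sym) *)p;
        else if (dyn->d_tag == DT_STRTAB) strtab = (const char *)p;
        else if (dyn->d_tag == DT_GNU_HASH) gh = (const uint32_t *)p;
    }
    if (!symtab || !strtab || !gh) return 0;

    /* DT_GNU_HASH layout: nbuckets, symoffset, bloom_size, bloom_shift,
     * bloom[bloom_size], buckets[nbuckets], chain[...] */
    uint32_t nbuckets = gh[0], symoffset = gh[1], bloom_size = gh[2], bloom_shift = gh[3];
    if (nbuckets == 0 || bloom_size == 0) return 0;
    const ElfW(Addr) *bloom = (const ElfW(Addr) *)(gh + 4);
    const uint32_t *buckets = (const uint32_t *)(bloom + bloom_size);
    const uint32_t *chain = buckets + nbuckets;
    const unsigned bits = sizeof(ElfW(Addr)) * 8;

    uint32_t h = gnu_hash(req->symbol);
    ElfW(Addr) word = bloom[(h / bits) % bloom_size];
    ElfW(Addr) mask = ((ElfW(Addr))1 << (h % bits)) |
                      ((ElfW(Addr))1 << ((h >> bloom_shift) % bits));
    if ((word & mask) != mask) return 0;       /* bloom filter says: not exported here */

    uint32_t idx = buckets[h % nbuckets];
    if (idx < symoffset) return 0;
    for (;; idx++) {
        uint32_t c = chain[idx - symoffset];
        if ((c | 1) == (h | 1) && symtab[idx].st_shndx != SHN_UNDEF &&
            strcmp(strtab + symtab[idx].st_name, req->symbol) == 0) {
            /* For STT_GNU_IFUNC symbols (glibc's strlen, memcpy) this is the
             * resolver, not the implementation; this example leaves those alone. */
            req->result = (void *)(info->dlpi_addr + symtab[idx].st_value);
            return 1;                          /* non-zero stops dl_iterate_phdr */
        }
        if (c & 1) return 0;                   /* end of this hash chain */
    }
}

/* Address of `symbol` in the already loaded object whose path contains
 * `lib_name` (so "libm.so" matches /system/lib/libm.so), or NULL. */
void *find_lib_symbol(const char *lib_name, const char *symbol) {
    struct lookup_req req = { lib_name, symbol, NULL };
    dl_iterate_phdr(phdr_callback, &req);
    return req.result;
}

int main(void) {
    void *p = find_lib_symbol("", "getpid");   /* "" = search every loaded object */
    printf("getpid found at %p\n", p);
    return p ? 0 : 1;
}
```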
After hook example
    // in libmine.so
    #include "native_hook.h"
    double my_sin(double x)
    {
        char hooked_lib[] = "/system/lib/libm.so";
        char hooked_symbol[] = "sin";
        double (*hooked_sin)(double) = find_lib_symbol(hooked_lib, hooked_symbol);
        /*
         before hook : you can do something before calling hooked_func
        */
        double result = hooked_sin(x);   // NB: real code must check for NULL first
        /*
         after hook : you can do something after calling hooked_func
        */
        result += 5566;
        return result;
    }

    // in main.c
    #include <math.h>
    #include <stdio.h>
    #define PI 3.14159265
    int main(void)
    {
        double angle = 30.0;
        double result = sin((angle * PI) / 180);
        printf("sin(%lf) = %lf\n", angle, result);
        return 0;
    }
Native Hook Table:
    libm.so:sin:libmine.so:my_sin
    ...
Output:
    $ ./main
    sin(30.000000) = 5566.500000
Before/After hook with cache
    double my_sin(double x)
    {
        char hooked_lib[] = "/system/lib/libm.so";
        char hooked_symbol[] = "sin";
        static void* cache_ptr = NULL;      // resolved once, reused on later calls
        double (*hooked_sin)(double) = NULL;
        if (cache_ptr) {
            hooked_sin = cache_ptr;
        } else {
            hooked_sin = find_lib_symbol(hooked_lib, hooked_symbol);
        }
        if (hooked_sin) {
            cache_ptr = (void*)hooked_sin;
        }
        double result = hooked_sin(x);      // NB: real code must not call this when the lookup failed
        result += 5566;
        return result;
    }
Experiment
Results by number of iterations (1,000 / 100,000 / 1,000,000 / 10,000,000):
    iterations                        1,000   100,000   1,000,000   10,000,000
    Baseline                           0.10      0.14        0.52         4.07
    Normal hook                        0.20      0.23        0.60         4.15
    Before/After hook without cache    0.25      1.9        17.12       169.03
    Before/After hook with cache       0.22      0.24        0.69         4.77
Applications
● Profiling
● Boosting apps performance
● Security sandbox
Profiling
(Diagram: before hook → target function → after hook)
● Input Distribution Analysis
● Function call Analysis
● Output Analysis
Boosting apps performance
● Hook functions that affect the performance of applications in Android
● Scenario
○ When functions in libm.so are not good enough for some special purpose, we can hook the function with an optimized one.
(Diagram: the App calls through JNI into libbenchmark.so, whose getScore calls sin in libm.so; the hook replaces 'sin' with 'optimized_sin' from libm_opt.so.)
Security sandbox
● Use "before hook" to hook open() in libc
● Examine the filename and other parameters in advance
○ If the to-be-written file is a critical file, we let the app open another file to write, without it noticing.
(Diagram: the App, running inside the Sandbox, calls f = open("/data/critical.txt", 'w') and goes on modifying critical.txt. /data/critical.txt should not be modified, so in the sandbox the app is deceived into writing to "/data/another.txt" instead of "/data/critical.txt": the call becomes f = open("/data/another.txt", 'w') and the app ends up modifying another.txt.)
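An added example (not the slides' sandbox) of that before hook in C: my_open() keeps open()'s signature, asks sandbox_resolve() whether a write targets a protected file and, if so, hands the real open() a shadow path instead, with the real open() pointer cached the way the slides' cached hook does. The protected prefixes, SHADOW_DIR, the injected real_open and the recording stand-in used to exercise the hook are assumptions of this example.

```c
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not the slides' sandbox: a "before hook" for open() that
 * redirects writes to protected files into a shadow directory, the way the
 * slides redirect /data/critical.txt to another file. The protected list,
 * SHADOW_DIR and the injected real_open are assumptions of this example. */
typedef int (*open_fn)(const char *, int, ...);

static const char *const PROTECTED_PREFIXES[] = {   /* constructed policy */
    "/data/critical.txt",
    "/data/config/",
};
#define SHADOW_DIR "/data/sandbox"
#define N_PROTECTED (sizeof PROTECTED_PREFIXES / sizeof PROTECTED_PREFIXES[0])

/* Cached pointer to the real open(), resolved once and reused on every call,
 * as in the slides' cached before/after hook. In the real mechanism it would
 * come from find_lib_symbol("libc.so", "open"); here the caller injects it. */
static open_fn real_open = NULL;
void sandbox_install(open_fn fn) { real_open = fn; }

static int wants_write(int flags) {
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR || (flags & (O_CREAT | O_TRUNC | O_APPEND)) != 0;
}

/* Policy decision of the before hook: the path the real open() should see.
 * Reads pass through; writes under a protected prefix move below SHADOW_DIR.
 * A production hook must canonicalize the path first ("." and ".." components,
 * symlinks), otherwise a prefix check is easy to sidestep. Returns either the
 * caller's pointer or a static buffer (not re-entrant; fine for the demo). */
const char *sandbox_resolve(const char *path, int flags) {
    static char shadow[512];
    if (!wants_write(flags)) return path;
    for (size_t i = 0; i < N_PROTECTED; i++) {
        const char *prefix = PROTECTED_PREFIXES[i];
        if (strncmp(path, prefix, strlen(prefix)) == 0) {
            snprintf(shadow, sizeof shadow, "%s%s", SHADOW_DIR, path);
            return shadow;   /* /data/critical.txt -> /data/sandbox/data/critical.txt */
        }
    }
    return path;
}

/* The hooking symbol, registered in nh_file as libc.so:open:libsandbox.so:my_open
 * (constructed entry). Keeps open()'s signature, including the optional mode. */
int my_open(const char *path, int flags, ...) {
    int mode = 0;
    if (flags & O_CREAT) {             /* open() carries a mode only with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    const char *target = sandbox_resolve(path, flags);      /* before hook */
    if (target != path) fprintf(stderr, "sandbox: open(%s) redirected to %s\n", path, target);
    if (!real_open) return -1;         /* no real open() installed: fail closed */
    return real_open(target, flags, mode);
}

/* Stand-in for libc's open() so the hook can be exercised without touching
 * the filesystem: records the path it received and returns a fake descriptor. */
static char last_real_path[512];
static int recording_open(const char *path, int flags, ...) {
    (void)flags;
    snprintf(last_real_path, sizeof last_real_path, "%s", path);
    return 42;
}
const char *sandbox_last_real_path(void) { return last_real_path; }

/* What an app's open(path, flags) ends up opening once the hook is in place. */
int sandbox_demo(const char *path, int flags) {
    sandbox_install(recording_open);
    return my_open(path, flags, 0644);
}

int main(void) {
    sandbox_demo("/data/critical.txt", O_WRONLY | O_CREAT);
    printf("write to critical file went to %s\n", sandbox_last_real_path());
    sandbox_demo("/data/critical.txt", O_RDONLY);
    printf("read of critical file went to %s\n", sandbox_last_real_path());
    return 0;
}
```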
Future works
● Provide more easy-to-use API for Native Hook in Android
○ Native Hook SDK
● Completely integrate Native Hook into Android Dynamic Framework
○ Provide hooking between Java methods and native functions.
Integrated Hook Table
    liba.so:funca:libb.so:funcb # hook native to native
    classA:methoda:classB:methodb # hook java to java
    classA:methoda:libb.so:funcb # hook java to native
    libb.so:funcb:classA:methoda # hook native to java
    ...
Conclusion
● Native Hook mechanism is a strong and useful framework in Android allowing developers to replace native functions at runtime without modifying the existing functions.
● Native Hook is more powerful than Java method hook mechanisms because it is implemented in Bionic Linker.
● With Before/After hook mechanism, you can do whatever you want before/after any existing function.
● With Native Hook enabled, there is only a little overhead to load nh_file and hooking libraries.
Q & A
Thank you for listening
Backup slides
Before/After hook with cache in find_lib_symbol
    #include <string>
    #include <unordered_map>
    void* find_lib_symbol(char* lib_name, char* symbol)
    {
        // Using dl_iterate_phdr() to get the symbol's address
        // in the loaded library whose name is lib_name.
        static std::unordered_map<std::string, void*> cache;   // (lib_name + symbol) -> address
        std::string lib_symbol = std::string(lib_name) + symbol;
        std::unordered_map<std::string, void*>::iterator it = cache.find(lib_symbol);
        if (it != cache.end()) {
            return it->second;                                 // cache hit: skip the walk
        }
        void* ptr_to_symbol = nullptr;
        …
        // find ptr_to_symbol
        if (ptr_to_symbol) {
            cache[lib_symbol] = ptr_to_symbol;
        }
        return ptr_to_symbol;
    }
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Soumen Santra
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
Victor Morales
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
anoopmanoharan2
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
gestioneergodomus
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
ssuser7dcef0
 

Recently uploaded (20)

MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application14 Template Contractual Notice - EOT Application
14 Template Contractual Notice - EOT Application
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
 
digital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdfdigital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdf
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTSHeap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
 

Native hook mechanism in Android Bionic linker

  • 16–20. Motivation: three hooking paths. Diagram: Java side, Class A (Method A2, Method A3, and Method B1 in place of A1) and Class B (Method B1, Method B2); native side, libd.so (Func D1, Func D2), libe.so (Func E1, Func E2) and libc.so (Func C1, Func C2), joined by JNI and native calls. (1) method hook: ClassA::A1 is replaced by ClassB::B1 (Java to Java). (2) dlopen native hook: a function in a library the app reaches through JNI is replaced by a function from another library, e.g. libc.so:C1 by libd.so:D1. (3) native to native hook: a function called from native code is replaced, e.g. libd.so:D2 by libe.so:E2. Each hooking path is drawn from the original call site to the replacement.
  • 21. Motivation ● (1) method hook can be done in the existing Android Dynamic Framework ● However, (2) dlopen native hook and (3) native to native hook cannot be done there, because the framework only sees ART method entries, not native symbols.
  • 22. Motivation ● Native hook mechanism can do both (2) dlopen native hook and (3) native to native hook
  • 23. Motivation With Native hook mechanism integrated, Android Dynamic Framework can be more complete and powerful
  • 24. Native hook mechanism ● Implemented in Bionic Linker
  • 25. Review ● How Bionic Linker loads an executable ● Dynamic linking flow ● Dynamic loading flow
  • 26. How Bionic Linker loads an executable
  • 27. OS creates a process image ● The kernel maps the program interpreter named in the executable's PT_INTERP entry, /system/bin/linker, based on the interpreter's segments, and starts execution in the linker rather than in the executable. (Memory space, high to low: /system/bin/linker)
  • 28. Linker links itself ● __linker_init() high low Memory space /system/bin/linker
  • 29. Load the executable ● __linker_init_post_relocation() /system/bin/linker high low Memory space exe executable
  • 30–31. Get needed libraries names ● __linker_init_post_relocation() walks the executable's .dynamic section: DT_NEEDED ptr_to_liba1.so_name, DT_NEEDED ptr_to_liba2.so_name, …, DT_NULL. Each DT_NEEDED value is an offset into the executable's .dynstr, so the collected names are const char* needed_libraries_names[] = { "liba1.so", "liba2.so" }; (Memory space, high to low: /system/bin/linker, executable)
  • 32–37. Load needed libraries ● find_libraries(exe, needed_libraries_names) ○ step 1 : load libraries and build the dependency tree. Starting from exe, the libraries in needed_libraries_names are loaded in turn (liba1.so, liba2.so), then their own DT_NEEDED libraries (libb1.so, libb2.so, libb3.so, libb4.so, …), and so on until nothing in the tree is left in the Not Loaded state. (Legend: Loaded / Not Loaded.)
  • 38. Load needed libraries ● find_libraries(exe, needed_libraries_names) ○ step 2 : turn the dependency tree into libraries_list in Breadth First Search (BFS) order: exe, liba1.so, liba2.so, libb1.so, libb2.so, …
  • 39. Link the application and all libraries ● find_libraries(exe, needed_libraries_names) ○ step 3 : relocate all to-be-relocated symbols in the application and libraries
    foreach lib in libraries_list {
        foreach rel in lib.dynamic_relocation_table {
            symbol = rel.sym;
            soinfo_do_lookup(symbol, lib, libraries_list);
        }
    }
  • 40–48. Link the application and all libraries ● step 3 continued: for each undefined symbol sym_1 … sym_n of the object being relocated (first exe, then liba1.so, and so on), soinfo_do_lookup() walks libraries_list in BFS order (exe, liba1.so, liba2.so, libb1.so, libb2.so, …):
    lib = libraries_list.head
    while lib != NULL:
        if sym_k is defined in lib:
            sym_k = lib.find(sym_k)    # FOUND: relocation of sym_k is done (ok)
            break
        lib = lib->next                # NOT FOUND in this lib: try the next one
    The first library in BFS order that defines the symbol wins, so the list order decides which definition a caller is bound to. The pass is repeated for every object and is DONE once all libraries in libraries_list are linked.
  • 49. Jump to the application’s entry /system/bin/linker high low Memory space executable liba1.so liba2.so libb1.so ... ● jump to executable’s _start.
  • 50. The executable is loaded successfully ● And start to execute /system/bin/linker high low Memory space liba1.so liba2.so libb1.so ... .text section _start: …. …. executable
  • 51. Bionic linker linking & loading flow ● Dynamic linking flow ● Dynamic loading flow
  • 53. Native hook mechanism. The modified code is mainly in two parts ● Load hooking libraries in find_libraries() ○ Init native_hook_table from nh_file ○ Look up native_hook_table ○ Load hooking_library ● Replace hooked_symbol with hooking_symbol in soinfo_do_lookup() ○ Look up native_hook_table ○ Replace every hooked_symbol in hooked_library with hooking_symbol in hooking_library
  • 54. Native hook file format in /system/nh_file.txt, one entry per line: < hooked_lib_name:hooked_symbol:hooking_lib_name:hooking_symbol >, e.g. libm.so:sin:libmine.so:my_sin. The linker reads this file for every new process, so the file and the hooking libraries it names must be protected as well as the linker itself: whoever can write them runs code in every process that loads a hooked library. On a production device /system is mounted read-only.
  • 55. System flow. ROM holds the hooking lib and nh_file. For each New Process: /system/bin/linker → __linker_init_post_relocation → find_libraries (init native_hook_table from nh_file; look up native hook table; load hooking library) → soinfo_do_lookup (look up native hook table; replace hooked symbol with hooking symbol).
  • 56–59. Load hooking libraries. Native Hook Table entry: liba1.so:hi:libhooking.so:ha. While find_libraries() builds the dependency tree (linker, exe → liba1.so, liba2.so): 0. load liba1.so; 1. look up the native hook table: HOOKED LIB "liba1.so" FOUND; 2. load libhooking.so as well, so that it is present in libraries_list when symbols are resolved. (Legend: Loaded / Not Loaded.)
  • 60–65. Replace hooked_symbol with hooking_symbol. libraries_list: exe, liba1.so, liba2.so, libhooking.so. Native Hook Table: liba1.so:hi:libhooking.so:ha. The linker relocates exe's reference to hi: 0. relocate symbol: walk libraries_list; hi is NOT FOUND in exe, FOUND in liba1.so. 1. look up native hook table: liba1.so:hi is to be hooked. 2. find libhooking.so:ha. 3. relocate the hooked_symbol "hi" with the hooking_symbol "ha": exe now calls ha in libhooking.so wherever it called hi.
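A model of steps 1–3 of find_libraries() (slides 32–48) together with the native hook table handling of slides 53–65, added here as an illustration; it is not Bionic's linker code. The libraries, the symbols they export and the nh_file text are constructed, and build_libraries_list(), parse_nh_file() and the simplified soinfo_do_lookup() are this example's names. It shows two things the slides imply: the first library in BFS order that defines a symbol wins, and a hook entry redirects that binding to hooking_lib:hooking_symbol only when the hooking library is in libraries_list.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LIBS 16

/* A loaded object: its name, the symbols it exports and its DT_NEEDED list. */
struct lib { const char *name; const char *defines[4]; const char *needed[4]; };

/* One nh_file entry: hooked_lib:hooked_symbol:hooking_lib:hooking_symbol */
struct hook { char hooked_lib[32], hooked_sym[32], hooking_lib[32], hooking_sym[32]; };

/* Constructed sample: exe needs liba1.so and liba2.so; liba1.so needs libb1.so.
 * Both liba1.so and libb1.so export "hi", so lookup order matters. */
static const struct lib sample_libs[] = {
    { "exe",           { NULL },               { "liba1.so", "liba2.so", NULL } },
    { "liba1.so",      { "hi", NULL },         { "libb1.so", NULL } },
    { "liba2.so",      { "bye", NULL },        { NULL } },
    { "libb1.so",      { "hi", "deep", NULL }, { NULL } },
    { "libhooking.so", { "ha", NULL },         { NULL } },
};
#define N_SAMPLE_LIBS ((int)(sizeof sample_libs / sizeof sample_libs[0]))
static const char sample_nh_file[] =
    "# constructed /system/nh_file.txt\n"
    "liba1.so:hi:libhooking.so:ha\n";

/* Parse nh_file text into hooks; blank lines and '#' comments are ignored. */
int parse_nh_file(const char *text, struct hook *out, int max) {
    int n = 0;
    char line[160];
    while (*text && n < max) {
        size_t len = strcspn(text, "\n"), copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, copy);
        line[copy] = '\0';
        text += len + (text[len] == '\n');
        char *comment = strchr(line, '#');
        if (comment) *comment = '\0';
        if (sscanf(line, " %31[^:]:%31[^:]:%31[^:]:%31s", out[n].hooked_lib, out[n].hooked_sym,
                   out[n].hooking_lib, out[n].hooking_sym) == 4)
            n++;
    }
    return n;
}

static const struct lib *find_lib(const struct lib *libs, int nlibs, const char *name) {
    for (int i = 0; i < nlibs; i++) if (strcmp(libs[i].name, name) == 0) return &libs[i];
    return NULL;
}

static int defines_symbol(const struct lib *l, const char *sym) {
    for (int j = 0; l->defines[j]; j++) if (strcmp(l->defines[j], sym) == 0) return 1;
    return 0;
}

/* "Load" a library: append it to libraries_list unless it is already loaded. */
static void load(const struct lib **list, int *count, int max, const struct lib *l) {
    if (!l) return;
    for (int i = 0; i < *count; i++) if (list[i] == l) return;
    if (*count < max) list[(*count)++] = l;
}

/* Steps 1-2 of find_libraries(): load root and its dependencies breadth first.
 * Loading a library named as hooked_lib in the table also loads its hooking_lib
 * (slides 56-59), so the hooking symbol is visible when relocations are done. */
int build_libraries_list(const struct lib *libs, int nlibs, const char *root,
                         const struct hook *hooks, int nhooks, const struct lib **list, int max) {
    int count = 0, head = 0;
    load(list, &count, max, find_lib(libs, nlibs, root));
    while (head < count) {
        const struct lib *cur = list[head++];
        for (int i = 0; i < nhooks; i++)
            if (strcmp(hooks[i].hooked_lib, cur->name) == 0)
                load(list, &count, max, find_lib(libs, nlibs, hooks[i].hooking_lib));
        for (int i = 0; cur->needed[i]; i++)
            load(list, &count, max, find_lib(libs, nlibs, cur->needed[i]));
    }
    return count;
}

/* Step 3 for one symbol: the first library in BFS order that defines it wins; if
 * that library:symbol is in the hook table, bind to hooking_lib:hooking_symbol
 * instead. *bound receives the symbol name actually bound; NULL if undefined. */
const struct lib *soinfo_do_lookup(const char *sym, const struct lib **list, int count,
                                   const struct hook *hooks, int nhooks, const char **bound) {
    for (int i = 0; i < count; i++) {
        if (!defines_symbol(list[i], sym)) continue;                 /* NOT FOUND: next lib */
        for (int h = 0; h < nhooks; h++) {                           /* FOUND: is it hooked? */
            if (strcmp(hooks[h].hooked_lib, list[i]->name) != 0 || strcmp(hooks[h].hooked_sym, sym) != 0)
                continue;
            for (int k = 0; k < count; k++)
                if (strcmp(list[k]->name, hooks[h].hooking_lib) == 0 && defines_symbol(list[k], hooks[h].hooking_sym)) {
                    *bound = hooks[h].hooking_sym;
                    return list[k];
                }
            fprintf(stderr, "hook %s:%s -> %s:%s not resolvable, keeping original\n", hooks[h].hooked_lib,
                    hooks[h].hooked_sym, hooks[h].hooking_lib, hooks[h].hooking_sym);
        }
        *bound = sym;
        return list[i];
    }
    *bound = NULL;
    return NULL;
}

int main(void) {
    struct hook hooks[8];
    int nhooks = parse_nh_file(sample_nh_file, hooks, 8);
    const struct lib *list[MAX_LIBS];
    int n = build_libraries_list(sample_libs, N_SAMPLE_LIBS, "exe", hooks, nhooks, list, MAX_LIBS);
    const char *bound;
    printf("libraries_list:");
    for (int i = 0; i < n; i++) printf(" %s", list[i]->name);
    const struct lib *l = soinfo_do_lookup("hi", list, n, hooks, nhooks, &bound);
    printf("\nexe's call to hi binds to %s:%s\n", l ? l->name : "(undefined)", bound ? bound : "-");
    return 0;
}
```

With the hook entry present, exe's reference to hi binds to libhooking.so:ha; with an empty table it binds to liba1.so:hi even though libb1.so also defines hi, because liba1.so comes first in BFS order. That ordering is the same property that makes preloaded or earlier-listed libraries able to interpose on symbols, which is worth keeping in mind when reasoning about what a hooking library can and cannot override.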
  • 66. Before/After hook SDK
    // in libnativehook.so
    #include "native_hook.h"
    // Returns the address of `symbol` inside the already-loaded library whose
    // name (or path) is lib_name, or NULL if the library or symbol is not found.
    void* find_lib_symbol(const char* lib_name, const char* symbol) {
        // Using dl_iterate_phdr() to get the symbol's address
        // in the loaded library whose name is lib_name.
        …
        return ptr_to_symbol;
    }
  • 67. How does find_lib_symbol() work? With the following facts, we can get the hooked_symbol in hooked_library with dl_iterate_phdr(callback, void* data) ● hooked_lib is already loaded in memory ● dl_iterate_phdr() iterates over all loaded libraries in the process and hands the callback each library's program headers and base address (load bias) ● From the program headers (the PT_DYNAMIC entry) we get the .dynamic segment, and from its DT_SYMTAB and DT_STRTAB entries the .dynsym and .dynstr sections ● With .dynsym and .dynstr we find the offset (st_value) of hooked_symbol in hooked_lib ● hooked_symbol_addr = base address + offset
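Slide 67 carried through as code, added here as an example for a GNU/Linux host; it is not the libnativehook.so code from the talk. It walks PT_DYNAMIC to .dynsym/.dynstr and resolves the name through DT_GNU_HASH or DT_HASH, so it does not depend on dlsym(). Assumptions of this example: the library is matched by basename or full path (libc.so.6 on glibc, libc.so on Bionic); the names find_lib_symbol(), lookup_gnu(), lookup_sysv(), path_matches() and the "values below the load bias are unrelocated" heuristic are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* dl_iterate_phdr() and struct dl_phdr_info */
#endif
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__GLIBC__) && !defined(__USE_GNU)
/* glibc only declares these under _GNU_SOURCE; if a system header was included
 * before it took effect, declare the stable prefix of the struct ourselves. */
struct dl_phdr_info { ElfW(Addr) dlpi_addr; const char *dlpi_name;
                      const ElfW(Phdr) *dlpi_phdr; ElfW(Half) dlpi_phnum; };
extern int dl_iterate_phdr(int (*)(struct dl_phdr_info *, size_t, void *), void *);
#endif

static uint32_t gnu_hash(const char *s) {
    uint32_t h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    return h;
}

static uint32_t sysv_hash(const char *s) {
    uint32_t h = 0, g;
    for (; *s; s++) { h = (h << 4) + (unsigned char)*s; g = h & 0xf0000000u; if (g) h ^= g >> 24; h &= ~g; }
    return h;
}

/* DT_GNU_HASH layout: 4-word header, bloom words, buckets, chains (chains start at symoffset). */
static const ElfW(Sym) *lookup_gnu(const uint32_t *h, const ElfW(Sym) *symtab, const char *strtab, const char *name) {
    uint32_t nbuckets = h[0], symoffset = h[1], bloom_size = h[2], hash = gnu_hash(name);
    const uint32_t *buckets = (const uint32_t *)((const ElfW(Addr) *)(h + 4) + bloom_size);
    const uint32_t *chains = buckets + nbuckets;
    if (nbuckets == 0) return NULL;
    for (uint32_t n = buckets[hash % nbuckets]; n != 0 && n >= symoffset; n++) {
        uint32_t ch = chains[n - symoffset];            /* low bit set = last entry of the chain */
        if (((hash ^ ch) >> 1) == 0 && strcmp(strtab + symtab[n].st_name, name) == 0) return &symtab[n];
        if (ch & 1) break;
    }
    return NULL;
}

/* DT_HASH layout: nbucket, nchain, buckets, chains. */
static const ElfW(Sym) *lookup_sysv(const uint32_t *h, const ElfW(Sym) *symtab, const char *strtab, const char *name) {
    uint32_t nbucket = h[0];
    const uint32_t *buckets = h + 2, *chains = buckets + nbucket;
    if (nbucket == 0) return NULL;
    for (uint32_t i = buckets[sysv_hash(name) % nbucket]; i != 0; i = chains[i])
        if (strcmp(strtab + symtab[i].st_name, name) == 0) return &symtab[i];
    return NULL;
}

struct query { const char *lib; const char *sym; void *addr; };

/* lib may be a full path ("/system/lib/libm.so") or a basename ("libm.so"). */
static int path_matches(const char *path, const char *lib) {
    size_t lp = strlen(path), ll = strlen(lib);
    return lp >= ll && strcmp(path + lp - ll, lib) == 0 && (lp == ll || path[lp - ll - 1] == '/');
}

/* Heuristic assumed here: glibc rewrites .dynamic pointers in place to absolute
 * addresses, Bionic leaves link-time vaddrs; a value below the load bias is unrelocated. */
static ElfW(Addr) absolute(ElfW(Addr) p, ElfW(Addr) bias) { return p < bias ? p + bias : p; }

static int visit(struct dl_phdr_info *info, size_t size, void *data) {
    struct query *q = data;
    const ElfW(Sym) *symtab = NULL, *s = NULL; const char *strtab = NULL;
    const uint32_t *gnu = NULL, *sysv = NULL;
    (void)size;
    if (!info->dlpi_name || !path_matches(info->dlpi_name, q->lib)) return 0;   /* keep iterating */
    for (int i = 0; i < info->dlpi_phnum; i++) {
        if (info->dlpi_phdr[i].p_type != PT_DYNAMIC) continue;             /* PT_DYNAMIC -> .dynamic */
        for (const ElfW(Dyn) *d = (const ElfW(Dyn) *)(info->dlpi_addr + info->dlpi_phdr[i].p_vaddr);
             d->d_tag != DT_NULL; d++) {
            ElfW(Addr) p = absolute(d->d_un.d_ptr, info->dlpi_addr);
            switch (d->d_tag) {
            case DT_SYMTAB:   symtab = (const ElfW(Sym) *)p; break;   /* .dynsym */
            case DT_STRTAB:   strtab = (const char *)p;      break;   /* .dynstr */
            case DT_GNU_HASH: gnu    = (const uint32_t *)p;  break;
            case DT_HASH:     sysv   = (const uint32_t *)p;  break;
            }
        }
    }
    if (symtab && strtab)
        s = gnu ? lookup_gnu(gnu, symtab, strtab, q->sym) : sysv ? lookup_sysv(sysv, symtab, strtab, q->sym) : NULL;
    /* SHN_UNDEF means the library imports the symbol rather than defining it. For
     * STT_GNU_IFUNC symbols st_value is the resolver, not the implementation. */
    if (s && s->st_shndx != SHN_UNDEF) q->addr = (void *)(info->dlpi_addr + s->st_value); /* base + offset */
    return 1;                                                                 /* library found: stop */
}

void *find_lib_symbol(const char *lib_name, const char *symbol) {
    struct query q = { lib_name, symbol, NULL };
    dl_iterate_phdr(visit, &q);
    return q.addr;
}

int main(void) {
    void *p = find_lib_symbol("libc.so.6", "getpid");     /* "libc.so" on Bionic */
    printf("getpid: %p via find_lib_symbol, %p via the linker\n", p, (void *)getpid);
    return p ? 0 : 1;
}
```

The bloom filter in front of the GNU hash buckets is skipped because it only speeds up misses; correctness comes from the chain walk. Note that this looks up the library's own definition, so it returns the original function even after the linker has redirected other libraries' references to the hooking symbol, which is exactly what a before/after hook needs in order to call through to the hooked function.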
  • 68. After hook example
    // in libmine.so
    #include "native_hook.h"
    double my_sin(double x) {
        char hooked_lib[] = "/system/lib/libm.so";
        char hooked_symbol[] = "sin";
        double (*hooked_sin)(double) =
            (double (*)(double))find_lib_symbol(hooked_lib, hooked_symbol);
        /* before hook : you can do something before calling hooked_func */
        double result = hooked_sin(x);
        /* after hook : you can do something after calling hooked_func */
        result += 5566;
        return result;
    }
  • 69. After hook example
    // in main.c
    #include <math.h>
    #include <stdio.h>
    #define PI 3.14159265
    int main(void) {
        double angle = 30.0;
        double result = sin((angle * PI) / 180);
        printf("sin(%lf) = %lf\n", angle, result);
        return 0;
    }
    Native Hook Table: libm.so:sin:libmine.so:my_sin ...
    $ ./main
    sin(30.000000) = 5566.500000
  • 70. Before/After hook with cache
    double my_sin(double x) {
        char hooked_lib[] = "/system/lib/libm.so";
        char hooked_symbol[] = "sin";
        static void* cache_ptr = NULL;      // resolved once per process
        double (*hooked_sin)(double) = NULL;
        if (cache_ptr) {
            hooked_sin = (double (*)(double))cache_ptr;
        } else {
            hooked_sin = (double (*)(double))find_lib_symbol(hooked_lib, hooked_symbol);
            if (hooked_sin) {
                cache_ptr = (void*)hooked_sin;   // only cache a successful lookup
            }
        }
        double result = hooked_sin(x);
        result += 5566;
        return result;
    }
  • 71. Experiment. Time for N iterations of the hooked call (rows: hook variant; columns: iterations):
    iterations                         1,000   100,000   1,000,000   10,000,000
    Baseline                            0.10      0.14        0.52         4.07
    Normal hook                         0.20      0.23        0.60         4.15
    Before/After hook without cache     0.25      1.90       17.12       169.03
    Before/After hook with cache        0.22      0.24        0.69         4.77
  • 73. Applications ● Profiling ● Boosting apps performance ● Security sandbox
  • 74. Profiling Target function Before hook After hook ● Input Distribution Analysis ● Function call Analysis ● Output Analysis
  • 75. Boosting apps performance ● Hook functions that affect the performance of applications in Android ● Scenario ○ When a function in libm.so is not fast enough for a special purpose, hook it and replace it with an optimized implementation.
  • 78. Security sandbox ● Use a "before hook" on open() in libc ● Examine the filename and the other parameters before the real open() runs ○ If the file to be written is a critical file, let the app open another file for writing instead, without the app noticing.
  • 79–82. Security sandbox. App: f = open("/data/critical.txt", 'w'); ... modifying critical.txt ... Sandbox: /data/critical.txt should not be modified, so the before hook rewrites the call to f = open("/data/another.txt", 'w'); in the sandbox the app is deceived into writing to "/data/another.txt" instead of "/data/critical.txt", and everything that follows modifies another.txt.
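The before hook of slides 78–82 as a policy function plus the replacement open(), added here as an example; it is not the talk's sandbox code. The real open() is passed in as a function pointer, standing in for what find_lib_symbol("libc.so", "open") would return; sandbox_redirect(), sandbox_open(), open_has_write_intent() and the redirect_rule table are this example's names, and the demo runs in a temporary directory instead of /data.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*open_fn)(const char *, int, ...);

/* Policy entry: a critical path and the decoy that receives writes aimed at it. */
struct redirect_rule { const char *critical; const char *decoy; };

/* Does this open() intend to modify the file? Plain O_RDONLY never does; O_CREAT
 * and O_TRUNC modify the file even when combined with O_RDONLY. */
int open_has_write_intent(int flags) {
    return (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC)) != 0;
}

/* The "before hook": decide which path the app is actually allowed to open.
 * Matching is by exact path only: relative paths, symlinks, openat(2) and direct
 * syscalls all bypass it, so this contains a cooperative app; it is not a security
 * boundary against a malicious one, which runs in the same process as the hook. */
const char *sandbox_redirect(const struct redirect_rule *rules, size_t nrules,
                             const char *path, int flags) {
    if (!open_has_write_intent(flags)) return path;
    for (size_t i = 0; i < nrules; i++)
        if (strcmp(path, rules[i].critical) == 0) return rules[i].decoy;
    return path;
}

/* Replacement for open(): consult the policy, then call the hooked open(). */
int sandbox_open(open_fn real_open, const struct redirect_rule *rules, size_t nrules,
                 const char *path, int flags, mode_t mode) {
    const char *target = sandbox_redirect(rules, nrules, path, flags);
    if (target != path)
        fprintf(stderr, "sandbox: open(%s) redirected to %s\n", path, target);
    return real_open(target, flags, mode);
}

/* Demo in a temporary directory: the app "writes critical.txt", the decoy gets it.
 * Returns 1 when the decoy exists and the critical file was never created. */
int sandbox_demo(void) {
    char dir[] = "/tmp/sandboxXXXXXX";
    char critical[64], decoy[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(critical, sizeof critical, "%s/critical.txt", dir);
    snprintf(decoy, sizeof decoy, "%s/another.txt", dir);
    struct redirect_rule rules[] = { { critical, decoy } };
    int fd = sandbox_open(open, rules, 1, critical, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    if (write(fd, "modified\n", 9) != 9) { close(fd); unlink(decoy); rmdir(dir); return -1; }
    close(fd);
    int decoy_written = access(decoy, F_OK) == 0;
    int critical_untouched = access(critical, F_OK) != 0;
    unlink(decoy); unlink(critical); rmdir(dir);
    return decoy_written && critical_untouched;
}

int main(void) {
    printf("sandbox demo %s\n", sandbox_demo() == 1 ? "ok" : "failed");
    return 0;
}
```

Because the hook and the app share an address space, the app can also read the nh_file-driven redirection out of its own process or call the open syscall directly; treat this as a compatibility or observation tool, and rely on SELinux and file permissions for actual enforcement.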
  • 83. ● Provide more easy-to-use API for Native Hook in Android ○ Native Hook SDK Future works
  • 84. Future works ● Completely integrate Native Hook into Android Dynamic Framework ○ Provide hooking between Java methods and native functions. Integrated Hook Table:
    liba.so:funca:libb.so:funcb       # hook native to native
    classA:methoda:classB:methodb     # hook java to java
    classA:methoda:libb.so:funcb      # hook java to native
    libb.so:funcb:classA:methoda      # hook native to java
    ...
  • 85. Conclusion ● Native Hook is a strong and useful mechanism in Android that lets developers replace native functions at runtime without modifying the existing functions. ● Native Hook is more powerful than a Java method hook because it is implemented in the Bionic Linker: any symbol the linker resolves can be redirected, including native-to-native calls, while calls that never go through a dynamic symbol lookup (a library calling its own non-exported function) are not affected. ● With the Before/After hook, you can run your own code before and after any existing function. ● With Native Hook enabled, the only added cost is loading nh_file and the hooking libraries; a Before/After hook must cache the result of find_lib_symbol(), otherwise the dl_iterate_phdr() walk on every call dominates (slide 71).
  • 86. Q & A
  • 87. Thank you for your listening
  • 89. Before/After hook with cache in find_lib_symbol
    #include <string>
    #include <unordered_map>
    void* find_lib_symbol(const char* lib_name, const char* symbol) {
        // Using dl_iterate_phdr() to get the symbol's address
        // in the loaded library whose name is lib_name.
        static std::unordered_map<std::string, void*> cache;
        // ':' keeps "liba"+"bc" and "libab"+"c" from sharing a key
        std::string lib_symbol = std::string(lib_name) + ":" + symbol;
        std::unordered_map<std::string, void*>::iterator it = cache.find(lib_symbol);
        if (it != cache.end()) {
            return it->second;
        }
        void* ptr_to_symbol = nullptr;
        …  // find ptr_to_symbol
        if (ptr_to_symbol) {
            cache[lib_symbol] = ptr_to_symbol;   // only cache a successful lookup
        }
        return ptr_to_symbol;
    }