authorYour Name <you@example.com>2022-08-01 08:10:45 +0100
committerYour Name <you@example.com>2022-08-05 20:56:14 +0100
commit7b6743f14ceb426e282900a9d5ee35b1ac820013 (patch)
treeba76da004c1a52b79eeb21713c968eab87d4b46b
parent4b9c560b07e1ea42633b59e0eb94f7a3f0fe0c58 (diff)
downloadafl++-7b6743f14ceb426e282900a9d5ee35b1ac820013.tar.gz
Android fixes
-rw-r--r--frida_mode/GNUmakefile88
-rw-r--r--frida_mode/include/seccomp.h2
-rw-r--r--frida_mode/src/main.c31
-rw-r--r--frida_mode/src/prefetch.c4
-rw-r--r--frida_mode/src/seccomp/seccomp.c6
5 files changed, 108 insertions, 23 deletions
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 256bea02..43b8932a 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -13,6 +13,16 @@ JS_SRC:=$(BUILD_DIR)api.c
 JS_OBJ:=$(BUILD_DIR)api.o
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
+
+TARGET_CC?=$(CC)
+TARGET_CXX?=$(CXX)
+HOST_CC?=$(CC)
+HOST_CXX?=$(CXX)
+IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
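Review bot: The five IS_* probes each spawn `$(TARGET_CC) --version` in a separate `$(shell …)`, so the compiler runs five times at parse time and the probes can disagree if TARGET_CC changes between them; capture the output once, `TARGET_CC_VERSION:=$(shell $(TARGET_CC) --version 2>/dev/null)`, and derive each flag from it, e.g. `IS_ANDROID:=$(findstring android, $(TARGET_CC_VERSION))`. TARGET_CC is only defaulted to $(CC) here and is reassigned further down this file (the armhf cross-compiler case in a later hunk), so the IS_* values describe $(CC) unless the caller sets TARGET_CC explicitly; a one-line comment stating that detection is deliberately based on the caller-supplied TARGET_CC would make that ordering intentional rather than accidental.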
@@ -21,6 +31,10 @@ CFLAGS+=-fPIC \
 		-funroll-loops \
 		-ffunction-sections \
 
+ifdef IS_ANDROID
+CFLAGS+=-DANDROID 
+endif
+
 AFL_CFLAGS:=-Wno-unused-parameter \
 		   -Wno-sign-compare \
 		   -Wno-unused-function \
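Review bot: `-DANDROID` added to CFLAGS here (and repeated in LDFLAGS in the next hunk, where a preprocessor define has no effect at link time) is not consumed by any of the C changes in this commit, which all test the compiler-predefined `__ANDROID__`. If nothing else in the tree tests `ANDROID`, both additions can be dropped; otherwise a comment naming the consumer, e.g. `# ANDROID is tested by <consumer>; the C sources use __ANDROID__`, would stop the next reader from removing it.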
@@ -28,9 +42,16 @@ AFL_CFLAGS:=-Wno-unused-parameter \
 		   -Wno-int-to-pointer-cast \
 		   -Wno-pointer-sign
 
+ifdef IS_ANDROID
+LDFLAGS+= -static-libstdc++ \
+		  -DANDROID \
+		  -llog \
+		  -shared
+else 		 
 LDFLAGS+=-shared \
 		 -lpthread \
 		 -lresolv
+endif
 
 ifdef DEBUG
 CFLAGS+=-Werror \
@@ -78,11 +99,11 @@ else
 ifdef DEBUG
  AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-prio-ctor-dtor
 endif
+
 LDFLAGS+=	-z noexecstack \
 			-Wl,--gc-sections \
 			-Wl,--exclude-libs,ALL \
-		    -ldl \
-		    -lrt
+		    -ldl 
 LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map
 endif
 
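Review bot: Removing `-lrt` from this LDFLAGS block drops it for every build that takes this branch, not only the Android build the commit targets (the enclosing conditional starts outside the hunk). Bionic has no librt, so the removal is needed there, but on glibc anything in the library that still relies on librt symbols would now fail to link, and the non-Android `$(ADDR_BIN)` recipe later in this file still keeps `-lrt`; if that is a concern, guard it instead: `ifndef IS_ANDROID` / `LDFLAGS+=-lrt` / `endif`.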
@@ -93,22 +114,24 @@ ifeq "$(shell uname)" "Linux"
  endif
 endif
 
-ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+
+ifdef IS_ANDROID
  OS:=android
- ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=arm64
+ ifdef IS_x86
+  ARCH:=x86	
  endif
- ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=arm
+ ifdef IS_x86
+  ARCH:=x86_64
  endif
- ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86_64
+ ifdef IS_ARM
+   ARCH:=arm
  endif
- ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86
+ ifdef IS_ARM64
+   ARCH:=arm64
  endif
 endif
 
+
 ifeq "$(ARCH)" "armhf"
  TARGET_CC:=arm-linux-gnueabihf-gcc
  TARGET_CXX:=arm-linux-gnueabihf-g++
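Review bot: The second arch probe, the `ifdef IS_x86` block that assigns `ARCH:=x86_64`, tests IS_x86 again instead of the IS_x86_64 variable this commit defines, so an i686 Android toolchain ends up with ARCH=x86_64 (the second block overwrites the first) and an x86_64 toolchain gets no ARCH at all; it should read `ifdef IS_x86_64`. The `ARCH:=x86` line also appears to carry a trailing tab; GNU make preserves trailing whitespace in variable values, so if that tab is really present, `ifeq "$(ARCH)" "x86"` comparisons elsewhere would fail even once the probe is fixed.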
@@ -224,10 +247,22 @@ else ifeq "$(ARCH)" "arm64"
 
 CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
 	    -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \	
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/capstone/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+
+ifeq "$(OS)" "android"
+ CFLAGS += -static-libstdc++
+endif
+else
+CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
+	    -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \	
 		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/capstone/ \
 		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
 
+endif
+
 TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
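Review bot: The rewritten `…/lib/glib-2.0/include/ \` line in both CFLAGS assignments of this hunk appears to end in a backslash followed by a tab rather than a bare backslash; GNU make only treats backslash-newline as a continuation, so if that trailing tab is really present the assignment ends there and the following `-I …capstone/` and `-I …json-glib-1.0/` lines are parsed as stray makefile lines, breaking the frida_thin build. Strip the trailing whitespace so each of those lines ends in `\`. Separately, the two branches around the new `else` (the enclosing conditional starts outside the hunk) carry identical CFLAGS assignments and differ only in the android-guarded addition, so the shared assignment could sit outside the branch. `CFLAGS += -static-libstdc++` here, and again in the next hunk's sdk-based block, passes a link-time flag to compile steps, where clang typically reports it as unused, while LDFLAGS already adds it for Android earlier in this commit.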
@@ -245,13 +280,15 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/liblzma.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libz.a \
 
-else
-
 CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
 	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ 
+
+ifeq "$(OS)" "android"
+ CFLAGS += -static-libstdc++
+endif
 
 TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
@@ -270,11 +307,6 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \
 
-endif
-
-
-
-
 
 else
 $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
@@ -376,6 +408,7 @@ $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
 
 ############################# ADDR #############################################
+ifneq "$(OS)" "android"
 $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 	-$(TARGET_CC) \
 		$(CFLAGS) \
@@ -389,7 +422,20 @@ $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 		-ldl \
 		-lrt \
 		$< -o $@
-
+else
+$(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
+	-$(TARGET_CC) \
+		$(CFLAGS) \
+		-Werror \
+		-Wall \
+		-Wextra \
+		-Wpointer-arith \
+		-z noexecstack \
+		-Wl,--gc-sections \
+		-Wl,--exclude-libs,ALL \
+		-ldl \
+		$< -o $@
+endif
 addr: $(ADDR_BIN)
 
 ############################# CLEAN ############################################
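Review bot: The Android `$(ADDR_BIN)` rule added under `else` duplicates the entire non-Android recipe (whose start is outside this hunk) only to omit `-lrt`, and the `ifneq "$(OS)" "android"` that opens the conditional sits in the previous hunk, so the two recipes will drift apart as flags change. A single recipe with the library list factored into a conditional variable keeps one copy of the flags.
```make
ADDR_LDLIBS:=-ldl
ifneq "$(OS)" "android"
ADDR_LDLIBS+=-lrt
endif
$(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
	-$(TARGET_CC) \
# … unchanged: warning and linker flags …
		$(ADDR_LDLIBS) \
		$< -o $@
```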
diff --git a/frida_mode/include/seccomp.h b/frida_mode/include/seccomp.h
index 0cd90bc2..0886759c 100644
--- a/frida_mode/include/seccomp.h
+++ b/frida_mode/include/seccomp.h
@@ -1,7 +1,7 @@
 #ifndef _SECCOMP_H
 #define _SECCOMP_H
 
-#ifndef __APPLE__
+#if !defined(__APPLE__) && !defined(__ANDROID__)
 
   #include <stdint.h>
   #include <linux/filter.h>
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index 844c42b9..1bbcec28 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -36,6 +36,17 @@
 #ifdef __APPLE__
 extern mach_port_t mach_task_self();
 extern GumAddress  gum_darwin_find_entrypoint(mach_port_t task);
+#elif defined(__ANDROID__)
+typedef struct {
+	void (**preinit_array)(void);
+	void (**init_array)(void);
+	void (**fini_array)(void);
+} structors_array_t;
+
+extern void __libc_init(void* raw_args,
+                            void (*onexit)(void) __unused,
+                            int (*slingshot)(int, char **, char **),
+                            structors_array_t const * const structors);
 #else
 extern int  __libc_start_main(int (*main)(int, char **, char **), int argc,
                               char **ubp_av, void (*init)(void),
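Review bot: The `structors_array_t` typedef and the `__libc_init` prototype added in the Android branch are hand-copied from bionic's private startup header rather than any public one, so they can drift from the libc actually linked; because the hook added later in this commit only forwards the `structors` pointer and never dereferences it, the exact struct layout does not matter, but that should be stated, e.g. `/* Mirrors bionic's private structors_array_t; only passed through, never dereferenced, so layout drift is harmless. */`. `__unused` in the prototype relies on bionic's sys/cdefs.h defining it; since the parameter is never named in a definition here, it can simply be omitted from the extern declaration.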
@@ -69,7 +80,11 @@ static void on_main_os(int argc, char **argv, char **envp) {
   GumInterceptor *interceptor = gum_interceptor_obtain();
 
   gum_interceptor_begin_transaction(interceptor);
+  #if defined(__ANDROID__)
+  gum_interceptor_revert(interceptor, __libc_init);
+  #else
   gum_interceptor_revert(interceptor, __libc_start_main);
+  #endif
   gum_interceptor_end_transaction(interceptor);
   gum_interceptor_flush(interceptor);
 
@@ -276,6 +291,22 @@ static void intercept_main(void) {
   intercept_hook(main, on_main, NULL);
 
 }
+#elif defined(__ANDROID__)
+static void on_libc_init(void* raw_args,
+                            void (*onexit)(void) __unused,
+                            int (*slingshot)(int, char**, char**),
+                            structors_array_t const * const structors){
+  main_fn = slingshot;
+  intercept_unhook_self();
+  intercept_hook(slingshot, on_main, NULL);
+  return __libc_init(raw_args, onexit, slingshot, structors);
+
+}
+static void intercept_main(void) {
+
+  intercept_hook(__libc_init, on_libc_init, NULL);
+
+}
 
 #else
 static int on_libc_start_main(int (*main)(int, char **, char **), int argc,
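Review bot: `on_libc_init` is declared `static void` yet ends with `return __libc_init(...)`; returning a void expression from a void function is a constraint violation in ISO C that GCC and clang only accept as an extension (it trips `-Wpedantic`), so write it as a plain call: `__libc_init(raw_args, onexit, slingshot, structors);`. A short comment would also help, since nothing here explains that the code treats `slingshot` as the program's `main` handed over by bionic's startup path, that the self-unhook must precede the `intercept_hook(slingshot, …)` call, or that this branch is the Android counterpart of `on_libc_start_main` below; something like `/* Android: bionic's __libc_init receives main as 'slingshot'; hook it as the glibc path hooks main via __libc_start_main. */`. The `#elif` inserted here opens a third branch of a `#if` whose start lies outside the hunk.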
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index 5621a685..b2c516f5 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -298,12 +298,16 @@ void prefetch_init(void) {
 
   /*
    * Configure the shared memory region to be removed once the process dies.
+   * This doesn't work on Android, so we skip it. Would could end up leaking
+   * shared memory regions though.
    */
+ #ifndef __ANDROID__
   if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) {
 
     FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
 
   }
+#endif
 
   /* Clear it, not sure it's necessary, just seems like good practice */
   memset(prefetch_data, '\0', sizeof(prefetch_data_t));
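Review bot: The comment added above the new `#ifndef __ANDROID__` guard reads "Would could end up leaking", presumably "We could", and the `#ifndef` is indented by one space while its matching `#endif` sits at column 0, so align both with the file's directive style. Skipping IPC_RMID entirely means that on Android the segment outlives the fuzzed process and accumulates across runs, as the comment itself admits; rather than never attempting it, try the `shmctl` on every platform and only downgrade the failure to a non-fatal log message under `__ANDROID__`, so that a kernel which does honour IPC_RMID still cleans up and a failure is at least visible. The `prefetch_init` body continues outside the hunk.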
diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c
index 984a3990..72443831 100644
--- a/frida_mode/src/seccomp/seccomp.c
+++ b/frida_mode/src/seccomp/seccomp.c
@@ -11,7 +11,9 @@ void seccomp_on_fork(void) {
 
 #ifdef __APPLE__
   FFATAL("Seccomp not supported on OSX");
-#else
+#elif defined(__ANDROID__)
+  FFATAL("Seccomp not supported on Android");
+#else 
   seccomp_callback_parent();
 #endif
 
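Review bot: The replacement `#else ` on this hunk's new side carries a trailing space, while the `#else` kept in the second hunk of this file does not, so the two blocks are inconsistent; strip it. The "Seccomp not supported on Android" literal is now duplicated in `seccomp_on_fork` and `seccomp_init` exactly as the OSX one already is, which is acceptable, but both function bodies continue outside their hunks.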
@@ -32,6 +34,8 @@ void seccomp_init(void) {
 
 #ifdef __APPLE__
   FFATAL("Seccomp not supported on OSX");
+#elif defined(__ANDROID__)
+  FFATAL("Seccomp not supported on Android");
 #else
   seccomp_callback_initialize();
 #endif