From 7b6743f14ceb426e282900a9d5ee35b1ac820013 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 1 Aug 2022 08:10:45 +0100 Subject: Android fixes --- frida_mode/src/main.c | 31 +++++++++++++++++++++++++++++++ frida_mode/src/prefetch.c | 4 ++++ frida_mode/src/seccomp/seccomp.c | 6 +++++- 3 files changed, 40 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 844c42b9..1bbcec28 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -36,6 +36,17 @@ #ifdef __APPLE__ extern mach_port_t mach_task_self(); extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); +#elif defined(__ANDROID__) +typedef struct { + void (**preinit_array)(void); + void (**init_array)(void); + void (**fini_array)(void); +} structors_array_t; + +extern void __libc_init(void* raw_args, + void (*onexit)(void) __unused, + int (*slingshot)(int, char **, char **), + structors_array_t const * const structors); #else extern int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), @@ -69,7 +80,11 @@ static void on_main_os(int argc, char **argv, char **envp) { GumInterceptor *interceptor = gum_interceptor_obtain(); gum_interceptor_begin_transaction(interceptor); + #if defined(__ANDROID__) + gum_interceptor_revert(interceptor, __libc_init); + #else gum_interceptor_revert(interceptor, __libc_start_main); + #endif gum_interceptor_end_transaction(interceptor); gum_interceptor_flush(interceptor); 
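Review bot: The local `structors_array_t` typedef reproduces bionic's private layout, but nothing in this patch dereferences it — `on_libc_init` only forwards the pointer to `__libc_init` — so the declaration should say so, e.g. `/* Opaque: never dereferenced here, only forwarded to __libc_init; bionic's real struct may carry extra trailing fields. */`. Without that note a later reader may take the three-member layout as authoritative and start indexing it, and as far as I know newer bionic releases do append members to this struct. The `extern void __libc_init(...)` prototype also drops the `__noreturn` that bionic gives the function; harmless for a pass-through call, but worth a word in the same comment. The `gum_interceptor_revert(interceptor, __libc_init)` in the second hunk sits inside `on_main_os`, whose body starts before the hunk.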
@@ -275,6 +290,22 @@ static void intercept_main(void) { main_fn = main; intercept_hook(main, on_main, NULL); +} +#elif defined(__ANDROID__) +static void on_libc_init(void* raw_args, + void (*onexit)(void) __unused, + int (*slingshot)(int, char**, char**), + structors_array_t const * const structors){ + main_fn = slingshot; + intercept_unhook_self(); + intercept_hook(slingshot, on_main, NULL); + return __libc_init(raw_args, onexit, slingshot, structors); + +} +static void intercept_main(void) { + + intercept_hook(__libc_init, on_libc_init, NULL); + } #else diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 5621a685..b2c516f5 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -298,12 +298,16 @@ void prefetch_init(void) { /* * Configure the shared memory region to be removed once the process dies. + * This doesn't work on Android, so we skip it. Would could end up leaking + * shared memory regions though. */ + #ifndef __ANDROID__ if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } +#endif /* Clear it, not sure it's necessary, just seems like good practice */ memset(prefetch_data, '\0', sizeof(prefetch_data_t)); diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c index 984a3990..72443831 100644 --- a/frida_mode/src/seccomp/seccomp.c +++ b/frida_mode/src/seccomp/seccomp.c @@ -11,7 +11,9 @@ void seccomp_on_fork(void) { #ifdef __APPLE__ FFATAL("Seccomp not supported on OSX"); -#else +#elif defined(__ANDROID__) + FFATAL("Seccomp not supported on Android"); +#else seccomp_callback_parent(); #endif @@ -32,6 +34,8 @@ void seccomp_init(void) { #ifdef __APPLE__ FFATAL("Seccomp not supported on OSX"); +#elif defined(__ANDROID__) + FFATAL("Seccomp not supported on Android"); #else seccomp_callback_initialize(); #endif -- cgit 1.4.1 From e9cb939956557b1f10bbab289d965f84702962eb Mon Sep 17 00:00:00 2001 
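Review bot: `on_libc_init` is declared `void` yet ends with `return __libc_init(raw_args, onexit, slingshot, structors);` — a `return` with an expression in a void function is an ISO C constraint violation that GCC only tolerates without `-pedantic`, so make it a plain statement: `__libc_init(raw_args, onexit, slingshot, structors);`. The ordering around it is right: `intercept_unhook_self()` removes this hook before `slingshot` is hooked, so the real `__libc_init` runs unhooked and the original `main` is caught by `on_main` exactly as the `__libc_start_main` path does. Since bionic's `__libc_init` is, as far as I know, never meant to return, a trailing `/* does not return */` comment would make that explicit. `on_libc_init` and the Android `intercept_main` are complete within the hunk.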
From: Your Name Date: Mon, 1 Aug 2022 08:10:45 +0100 Subject: Fixes to formatting --- frida_mode/src/main.c | 25 ++++++++++++++----------- frida_mode/src/prefetch.c | 3 ++- frida_mode/src/seccomp/seccomp.c | 2 +- 3 files changed, 17 insertions(+), 13 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 1bbcec28..c8c50b37 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -38,15 +38,16 @@ extern mach_port_t mach_task_self(); extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); #elif defined(__ANDROID__) typedef struct { - void (**preinit_array)(void); - void (**init_array)(void); - void (**fini_array)(void); + + void (**preinit_array)(void); + void (**init_array)(void); + void (**fini_array)(void); + } structors_array_t; -extern void __libc_init(void* raw_args, - void (*onexit)(void) __unused, - int (*slingshot)(int, char **, char **), - structors_array_t const * const structors); +extern void __libc_init(void *raw_args, void (*onexit)(void) __unused, + int (*slingshot)(int, char **, char **), + structors_array_t const *const structors); #else extern int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), @@ -291,17 +292,19 @@ static void intercept_main(void) { intercept_hook(main, on_main, NULL); } + #elif defined(__ANDROID__) -static void on_libc_init(void* raw_args, - void (*onexit)(void) __unused, - int (*slingshot)(int, char**, char**), - structors_array_t const * const structors){ +static void on_libc_init(void *raw_args, void (*onexit)(void) __unused, + int (*slingshot)(int, char **, char **), + structors_array_t const *const structors) { + main_fn = slingshot; intercept_unhook_self(); intercept_hook(slingshot, on_main, NULL); return __libc_init(raw_args, onexit, slingshot, structors); } + static void intercept_main(void) { intercept_hook(__libc_init, on_libc_init, NULL); 
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index b2c516f5..e20923c4 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -301,12 +301,13 @@ void prefetch_init(void) { * This doesn't work on Android, so we skip it. Would could end up leaking * shared memory regions though. */ - #ifndef __ANDROID__ +#ifndef __ANDROID__ if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } + #endif /* Clear it, not sure it's necessary, just seems like good practice */ diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c index 72443831..12b58f4e 100644 --- a/frida_mode/src/seccomp/seccomp.c +++ b/frida_mode/src/seccomp/seccomp.c @@ -13,7 +13,7 @@ void seccomp_on_fork(void) { FFATAL("Seccomp not supported on OSX"); #elif defined(__ANDROID__) FFATAL("Seccomp not supported on Android"); -#else +#else seccomp_callback_parent(); #endif -- cgit 1.4.1 From 00b5d3792de4a7867da9cb5abd08de9fca484db1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 1 Aug 2022 08:10:45 +0100 Subject: Changes to abstract shared memory --- frida_mode/include/shm.h | 9 +++++++++ frida_mode/src/instrument/instrument.c | 27 ++----------------------- frida_mode/src/prefetch.c | 31 ++--------------------------- frida_mode/src/shm.c | 36 ++++++++++++++++++++++++++++++++++ frida_mode/src/stats/stats.c | 24 +++-------------------- frida_mode/src/stats/stats_arm64.c | 21 ++------------------ frida_mode/src/stats/stats_x86_64.c | 21 ++------------------ 7 files changed, 56 insertions(+), 113 deletions(-) create mode 100644 frida_mode/include/shm.h create mode 100644 frida_mode/src/shm.c (limited to 'frida_mode/src') diff --git a/frida_mode/include/shm.h b/frida_mode/include/shm.h new file mode 100644 index 00000000..8338ccba --- /dev/null +++ b/frida_mode/include/shm.h @@ -0,0 +1,9 @@ +#ifndef _SHM_H +#define _SHM_H + +#include + +void *shm_create(size_t size); + +#endif + 
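Review bot: `shm_create` becomes the single contract behind four call sites, but the new header carries no documentation; add a comment above the prototype stating what callers may rely on: the region is `size` bytes, zero-filled, attached shared so a forked child sees the same pages, reclaimed by the kernel once the last attachment is gone, and the function aborts via `FFATAL` instead of ever returning `NULL`. The `#include` line in the new header appears to have lost its argument in this rendering; it needs `<stddef.h>` (or `<stdlib.h>`) for `size_t`, otherwise the header is not self-contained. This is a header-only hunk, so the proposal is documentation plus that one include.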
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 0e286eab..e1e4ac22 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -1,7 +1,5 @@ #include #include -#include -#include #include #include "frida-gumjs.h" @@ -17,6 +15,7 @@ #include "persistent.h" #include "prefetch.h" #include "ranges.h" +#include "shm.h" #include "stalker.h" #include "stats.h" #include "util.h" @@ -348,29 +347,7 @@ void instrument_init(void) { transformer = gum_stalker_transformer_make_from_callback( instrument_basic_block, NULL, NULL); - if (instrument_unique) { - - int shm_id = - shmget(IPC_PRIVATE, __afl_map_size, IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } - - edges_notified = shmat(shm_id, NULL, 0); - g_assert(edges_notified != MAP_FAILED); - - /* - * Configure the shared memory region to be removed once the process - * dies. - */ - if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - - } - - /* Clear it, not sure it's necessary, just seems like good practice */ - memset(edges_notified, '\0', __afl_map_size); - - } + if (instrument_unique) { edges_notified = shm_create(__afl_map_size); } if (instrument_use_fixed_seed) { diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index e20923c4..905e0ae9 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -1,12 +1,11 @@ #include -#include -#include #include "frida-gumjs.h" #include "entry.h" #include "intercept.h" #include "prefetch.h" +#include "shm.h" #include "stalker.h" #include "util.h" 
@@ -285,33 +284,7 @@ void prefetch_init(void) { * with the coverage bitmap region and fork will take care of ensuring both * the parent and child see the same consistent memory region. */ - prefetch_shm_id = - shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600); - if (prefetch_shm_id < 0) { - - FFATAL("prefetch_shm_id < 0 - errno: %d\n", errno); - - } - - prefetch_data = shmat(prefetch_shm_id, NULL, 0); - g_assert(prefetch_data != MAP_FAILED); - - /* - * Configure the shared memory region to be removed once the process dies. - * This doesn't work on Android, so we skip it. Would could end up leaking - * shared memory regions though. - */ -#ifndef __ANDROID__ - if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { - - FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - - } - -#endif - - /* Clear it, not sure it's necessary, just seems like good practice */ - memset(prefetch_data, '\0', sizeof(prefetch_data_t)); + prefetch_data = shm_create(sizeof(prefetch_data_t)); prefetch_hook_fork(); diff --git a/frida_mode/src/shm.c b/frida_mode/src/shm.c new file mode 100644 index 00000000..c76427cb --- /dev/null +++ b/frida_mode/src/shm.c @@ -0,0 +1,36 @@ +#include "shm.h" +#include "util.h" + +#include +#include +#include +#include +#include +#include + +void *shm_create(size_t size) { + + int shm_id = + shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR); + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } + + void *addr = shmat(shm_id, NULL, 0); + if (addr == MAP_FAILED) { FFATAL("addr == MAP_FAILED - errno: %d\n", errno); } + + /* + * Configure the shared memory region to be removed once the process + * dies. + */ + if (shmctl(shm_id, IPC_RMID, NULL) < 0) { + + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + + } + + /* Clear it, not sure it's necessary, just seems like good practice */ + memset(addr, '\0', size); + + return addr; + +} + 
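Review bot: The comment above the `memset` (`Clear it, not sure it's necessary…`) leaves the reader guessing; shmget(2) specifies that a newly created segment is zero-initialised, so either drop the memset or keep it with a definite comment such as `/* A fresh SysV segment is already zero-filled; clear anyway so the contract does not depend on it. */`. The `IPC_RMID` immediately after `shmat` is the right pattern — the segment is destroyed when the last attachment goes away, and attachments inherited by forked children count — which is why no `shm_destroy` counterpart is needed; one line saying so would stop someone "fixing" it later. `IPC_PRIVATE` with `S_IRUSR | S_IWUSR` keeps the segment owner-only, which is what a fuzzing harness wants.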
diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index af08cd71..1d3520bc 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -2,17 +2,16 @@ #include #include #include -#include #include #include "frida-gumjs.h" #include "config.h" -#include "util.h" - #include "entry.h" +#include "shm.h" #include "stalker.h" #include "stats.h" +#include "util.h" #define MICRO_TO_SEC 1000000 @@ -360,27 +359,10 @@ void stats_init(void) { g_free(path); - int shm_id = - shmget(IPC_PRIVATE, sizeof(stats_data_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } - - stats_data = shmat(shm_id, NULL, 0); - g_assert(stats_data != MAP_FAILED); - GumStalkerObserver *observer = stalker_get_observer(); stats_observer_init(observer); - /* - * Configure the shared memory region to be removed once the process dies. - */ - if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - - FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - - } - - /* Clear it, not sure it's necessary, just seems like good practice */ - memset(stats_data, '\0', sizeof(stats_data_t)); + stats_data = shm_create(sizeof(stats_data_t)); starts_arch_init(); diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c index 313ab47a..ea283dbe 100644 --- a/frida_mode/src/stats/stats_arm64.c +++ b/frida_mode/src/stats/stats_arm64.c @@ -1,9 +1,9 @@ -#include #include #include "frida-gumjs.h" #include "ranges.h" +#include "shm.h" #include "stats.h" #include "util.h" 
@@ -44,24 +44,7 @@ static stats_data_arch_t *stats_data_arch = NULL; void starts_arch_init(void) { - int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), - IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } - - stats_data_arch = shmat(shm_id, NULL, 0); - g_assert(stats_data_arch != MAP_FAILED); - - /* - * Configure the shared memory region to be removed once the process dies. - */ - if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - - FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - - } - - /* Clear it, not sure it's necessary, just seems like good practice */ - memset(stats_data_arch, '\0', sizeof(stats_data_arch_t)); + stats_data_arch = shm_create(sizeof(stats_data_arch_t)); } diff --git a/frida_mode/src/stats/stats_x86_64.c b/frida_mode/src/stats/stats_x86_64.c index 761ca133..e2fb7b80 100644 --- a/frida_mode/src/stats/stats_x86_64.c +++ b/frida_mode/src/stats/stats_x86_64.c @@ -1,9 +1,9 @@ -#include #include #include "frida-gumjs.h" #include "ranges.h" +#include "shm.h" #include "stats.h" #include "util.h" @@ -46,24 +46,7 @@ static stats_data_arch_t *stats_data_arch = NULL; void starts_arch_init(void) { - int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), - IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } - - stats_data_arch = shmat(shm_id, NULL, 0); - g_assert(stats_data_arch != MAP_FAILED); - - /* - * Configure the shared memory region to be removed once the process dies. - */ - if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - - FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - - } - - /* Clear it, not sure it's necessary, just seems like good practice */ - memset(stats_data_arch, '\0', sizeof(stats_data_arch_t)); + stats_data_arch = shm_create(sizeof(stats_data_arch_t)); } -- cgit 1.4.1 From 608ea5f8abbfce9c309d452e2ee3dbb014dc511a Mon Sep 17 00:00:00 2001 
From: Your Name Date: Mon, 1 Aug 2022 08:10:45 +0100 Subject: Add support for Android SHM --- frida_mode/src/asan/asan.c | 17 +++++++---------- frida_mode/src/shm.c | 44 ++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 47 insertions(+), 14 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index 3a672d31..bd4062be 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -8,23 +8,17 @@ static gboolean asan_enabled = FALSE; gboolean asan_initialized = FALSE; void asan_config(void) { - if (getenv("AFL_USE_FASAN") != NULL) { asan_enabled = TRUE; } - } void asan_init(void) { - FOKF(cBLU "Instrumentation" cRST " - " cGRN "asan:" cYEL " [%c]", asan_enabled ? 'X' : ' '); if (asan_enabled) { - asan_arch_init(); asan_initialized = TRUE; - } - } static gboolean asan_exclude_module(const GumModuleDetails *details, @@ -36,14 +30,17 @@ static gboolean asan_exclude_module(const GumModuleDetails *details, address = gum_module_find_export_by_name(details->name, symbol_name); if (address == 0) { return TRUE; } + /* If the reported address of the symbol is outside of the range of the module + * then ignore it */ + if (address < details->range->base_address) { return TRUE; } + if (address > (details->range->base_address + details->range->size)) { + return TRUE; + } + ranges_add_exclude((GumMemoryRange *)details->range); return FALSE; - } void asan_exclude_module_by_symbol(gchar *symbol_name) { - gum_process_enumerate_modules(asan_exclude_module, symbol_name); - } - diff --git a/frida_mode/src/shm.c b/frida_mode/src/shm.c index c76427cb..5b885b04 100644 --- a/frida_mode/src/shm.c +++ b/frida_mode/src/shm.c 
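Review bot: The new upper-bound check `if (address > (details->range->base_address + details->range->size))` is off by one: `base_address + size` is one past the module's last byte, so an export reported exactly there is accepted although it lies outside the mapping; use `>=`. The hunk also strips the blank lines after `{` and before `}` that the project's formatter wants (the "Fixes to formatting" commit above just put them back), so this will churn on the next clang-format run; keep them. A one-line comment on why an export can resolve outside its own module would help — presumably the resolver follows the symbol into another library, but the hunk does not say. `asan_exclude_module` starts before the hunk.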
@@ -7,9 +7,48 @@ #include #include #include +#ifdef __ANDROID__ + #include + #include +#endif + +#ifdef __ANDROID__ + #define ASHMEM_DEVICE "/dev/ashmem" void *shm_create(size_t size) { + int fd = -1; + char ourkey[11] = {0}; + void * addr = MAP_FAILED; + struct ashmem_pin pin = {0, size}; + + fd = open(ASHMEM_DEVICE, O_RDWR); + if (fd < 0) { FFATAL("Failed open /dev/ashmem: %d", errno); } + + if (snprintf(ourkey, sizeof(ourkey) - 1, "%d", IPC_PRIVATE) < 0) { + FFATAL("Failed to generate key: %d", errno); + } + + if (ioctl(fd, ASHMEM_SET_NAME, ourkey) < 0) { + FFATAL("ioctl(ASHMEM_SET_NAME) errno: %d\n", errno); + } + + if (ioctl(fd, ASHMEM_SET_SIZE, size) < 0) { + FFATAL("ioctl(ASHMEM_SET_SIZE) errno: %d\n", errno); + } + + addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + if (addr == MAP_FAILED) { FFATAL("mmap failed: %d\n", errno); } + /* Shared memory pinning has been deprecated. So if the ioctl fails, then + just assume we are running on a version where it has been. Worst case, we + will leak the shared memory region.*/ + ioctl(fd, ASHMEM_UNPIN, &pin); + close(fd); + + return addr; +} +#else +void *shm_create(size_t size) { int shm_id = shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR); if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } @@ -22,15 +61,12 @@ void *shm_create(size_t size) { * dies. */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); - } /* Clear it, not sure it's necessary, just seems like good practice */ memset(addr, '\0', size); return addr; - } - +#endif -- cgit 1.4.1
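Review bot: The `ioctl(fd, ASHMEM_UNPIN, &pin)` after `mmap` does not manage the region's lifetime as the comment suggests; it marks the whole range as reclaimable, and as far as I know ashmem semantics the kernel may purge unpinned pages under memory pressure so that later reads return zero-filled pages — that would silently wipe the coverage map, stats or prefetch data shared with the forked child. The region is already released when the last mapping and descriptor are gone, so `close(fd)` alone gives the lifetime intended here; drop the unpin together with `struct ashmem_pin pin = {0, size}` (whose silent `size_t` to `__u32` narrowing goes away with it). The Android branch also omits the `memset` the SysV branch performs; ashmem pages are, as far as I know, zero-filled on first touch, so either state that in a comment or zero explicitly so both branches keep the same contract. The `snprintf(ourkey, sizeof(ourkey) - 1, "%d", IPC_PRIVATE)` only ever produces `"0"`; a descriptive name such as `"afl-frida"` would make the region identifiable in `/proc/<pid>/maps`.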