def _handle_sigaction(self, mu, sig, act, oact):
'''
struct sigaction {
union {
void (*sa_handler)(int);
void (*sa_sigaction)(int, siginfo_t *, void *);
},
sigset_t sa_mask;
int sa_flags;
void (*sa_restorer)(void);
};
'''
act_off = act
sa_handler = memory_helpers.read_ptr(mu, act_off)
act_off += 4
sa_mask = memory_helpers.read_ptr(mu, act_off)
act_off += 4
sa_flag = memory_helpers.read_ptr(mu, act_off)
act_off += 4
sa_restorer = memory_helpers.read_ptr(mu, act_off)
logging.warning(
"sa_handler [0x%08X] sa_mask [0x%08X] sa_flag [0x%08X] sa_restorer [0x%08X]"
% (sa_handler, sa_mask, sa_flag, sa_restorer))
self._sig_maps[sig] = (sa_handler, sa_mask, sa_flag, sa_restorer)
return 0
def __process_vm_readv(self, mu, pid, local_iov, liovcnt, remote_iov, riovcnt, flag):
'''
struct iovec {
void *iov_base; /* Starting address */
size_t iov_len; /* Number of bytes to transfer */
};
'''
if (pid != self._getpid(mu)):
raise NotImplementedError("__process_vm_readv return other process not support...")
off_r = remote_iov
b = b''
for i in range(0, riovcnt):
rbase = memory_helpers.read_ptr(mu, off_r)
iov_len = memory_helpers.read_ptr(mu, off_r+4)
tmp = memory_helpers.read_byte_array(mu, rbase, iov_len)
b+=tmp
#for j in range(0, liovcnt)
off_r+=8
#
off_l = local_iov
has_read = 0
for j in range(0, liovcnt):
lbase = memory_helpers.read_ptr(mu, off_l)
liov_len = memory_helpers.read_ptr(mu, off_l+4)
tmp = b[has_read:liov_len]
has_read += len(tmp)
off_l += 8
#
print(b)
return has_read
def _handle_writev(self, mu, fd, vec, vlen):
n = 0
for i in range(0, vlen):
addr = memory_helpers.read_ptr(mu, (i * 8) + vec)
size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4)
data = bytes(mu.mem_read(addr, size))
n += os.write(fd, data)
logger.info('Writev %r' % data)
#
return n
def _handle_writev(self, mu, fd, vec, vlen):
if fd == 2:
for i in range(0, vlen):
addr = memory_helpers.read_ptr(mu, (i * 8) + vec)
size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4)
sys.stderr.buffer.write(mu.mem_read(addr, size))
return 0
raise NotImplementedError()
def _handle_writev(self, mu, fd, vec, vlen):
if fd == 2:
for i in range(0, vlen):
addr = memory_helpers.read_ptr(mu, (i * 8) + vec)
size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4)
data = bytes(mu.mem_read(addr, size)).decode(encoding='UTF-8')
logger.error('Writev %s' % data)
return 0
return 0
def __execve(self, mu, filename_ptr, argv_ptr, envp_ptr):
filename = memory_helpers.read_utf8(mu, filename_ptr)
ptr = argv_ptr
params = []
logger.info("execve run")
while True:
off = memory_helpers.read_ptr(mu, ptr)
param = memory_helpers.read_utf8(mu, off)
if (len(param) == 0):
break
params.append(param)
ptr += 4
#
logging.warning("execve %s %r" % (filename, params))
cmd = " ".join(params)
pkg_name = config.global_config_get("pkg_name")
pm = "pm path %s" % (pkg_name, )
if (cmd.find(pm) > -1):
output = "package:/data/app/%s-1.apk" % pkg_name
logger.info("write to stdout [%s]" % output)
os.write(1, output.encode("utf-8"))
sys.exit(0)
#
else:
raise NotImplementedError()
def vfprintf(self, uc, FILE, format, va_list):
# int vfprintf ( FILE * stream, const char * format, va_list arg );
struct_FILE = memory_helpers.read_byte_array(uc, FILE, 18)
c_string = memory_helpers.read_utf8(uc, format)
args = []
result_string = ""
for i in range(0, len(c_string)):
if c_string[i] == '%':
if c_string[i + 1] == "d":
args.append(memory_helpers.read_uints(uc, va_list, 1)[0])
elif c_string[i + 1] == "c":
args.append(
chr(memory_helpers.read_byte_array(uc, va_list, 1)[0]))
elif c_string[i + 1] == "s":
s_addr = memory_helpers.read_ptr(uc, va_list)
args.append(memory_helpers.read_cString(uc, s_addr)[0])
else:
result_string += c_string[i:i + 2]
# TODO more format support
va_list += 4
result_string += "{0[" + str(len(args) - 1) + "]}"
continue
if i >= 1:
if c_string[i - 1] == '%' or c_string[i] == '%':
continue
result_string += c_string[i]
result_string = result_string.format(args)
logger.debug("Called vfprintf(%r)" % result_string)
def register_natives(self, mu, env, clazz_id, methods, methods_count):
logger.debug("JNIEnv->RegisterNatives(%d, 0x%08x, %d) was called" %
(clazz_id, methods, methods_count))
clazz = self.get_local_reference(clazz_id)
if not isinstance(clazz, jclass):
raise ValueError('Expected a jclass.')
clazz = clazz.value
for i in range(0, methods_count):
ptr_name = memory_helpers.read_ptr(mu, (i * 12) + methods)
ptr_sign = memory_helpers.read_ptr(mu, (i * 12) + methods + 4)
ptr_func = memory_helpers.read_ptr(mu, (i * 12) + methods + 8)
name = memory_helpers.read_utf8(mu, ptr_name)
signature = memory_helpers.read_utf8(mu, ptr_sign)
clazz.register_native(name, signature, ptr_func)
return JNI_OK
