本例仅在Android2.3模拟器跑通过,假设要适配其它机型。请自行研究,这里不过抛砖引玉。

0x00

Android中的Apk的加固(加壳)原理解析和实现,一文中脱壳代码都写在了java层非常easy被识别出来。非常多需求须要把脱壳的程序转移到native层,事实上转移的思路也非常简单,就是在native层通过JNI调用Java层代码。

执行前,首先把ForceApkObj.apk放在/sdcard/payload_odex/文件夹下。

代码已上传至github,地址为https://github.com/jltxgcy/AndroidNativeShell

0x01

    public class ProxyApplication extends Application {

	@Override

	protected void attachBaseContext(Context base) {

		super.attachBaseContext(base);

		DexLoader.load("com.jltxgcy.dynamicdex");

	}

	@Override

	public void onCreate() {

		DexLoader.run();

	}

}

还记得原来这两个方法有着一大堆代码,这里唯独一行代码就搞定。

我们再看来DexLoader类。

public class DexLoader {

	static {

		System.loadLibrary("dexloader");

	}

	public static native void load(String path);

	public static native void run();

}

原来核心脱壳代码放在了native层。

0x02

JNI的实现例如以下。大家能够看到本质上就是把java层的代码通过JNI转移到native层了。

static void loadApk(JNIEnv * env, jclass clazz, jstring package) {

	jclass activityThreadClazz;

	jmethodID currentActivityThreadMethodID;

	jobject activityThreadObject;

	const char *packageName;

	const char *className;

	const char *methodName;

	int codeoff;

	jfieldID mPackagesFieldID;

	jobject mPackagesJObject;

	jclass mPackagesClazz;

	jmethodID getMethodID;

	jobject weakReferenceJObject;

	jclass weakReferenceJClazz;

	jmethodID getweakMethodID;

	jobject loadedApkJObject;

	jclass loadedApkJClazz;

	jfieldID mClassLoaderFieldID;

	jobject mClassLoaderJObject;

	jstring dexPath;

	jstring dexOptPath;

	jclass dexClassLoaderClazz;

	jmethodID initDexLoaderMethod;

	jobject dexClassLoaderJObject;

	activityThreadClazz = env->FindClass("android/app/ActivityThread");

	currentActivityThreadMethodID = env->GetStaticMethodID(activityThreadClazz, "currentActivityThread",

            "()Landroid/app/ActivityThread;");

	activityThreadObject = env->CallStaticObjectMethod(activityThreadClazz, currentActivityThreadMethodID);

	packageName = env->GetStringUTFChars(package, JNI_FALSE);

	mPackagesFieldID = env->GetFieldID(activityThreadClazz, "mPackages", "Ljava/util/HashMap;");

	mPackagesJObject = env->GetObjectField(activityThreadObject, mPackagesFieldID);

	mPackagesClazz = env->GetObjectClass(mPackagesJObject);

	getMethodID = env->GetMethodID(mPackagesClazz, "get",

            "(Ljava/lang/Object;)Ljava/lang/Object;");

	weakReferenceJObject = env->CallObjectMethod(mPackagesJObject, getMethodID, package);

	weakReferenceJClazz = env->GetObjectClass(weakReferenceJObject);

	getweakMethodID = env->GetMethodID(weakReferenceJClazz, "get",

            "()Ljava/lang/Object;");

	loadedApkJObject = env->CallObjectMethod(weakReferenceJObject, getweakMethodID);

	loadedApkJClazz = env->GetObjectClass(loadedApkJObject);

	mClassLoaderFieldID = env->GetFieldID(loadedApkJClazz, "mClassLoader", "Ljava/lang/ClassLoader;");

	mClassLoaderJObject = env->GetObjectField(loadedApkJObject, mClassLoaderFieldID);

	dexPath = env->NewStringUTF("/sdcard/payload_odex/ForceApkObj.apk");

	dexOptPath = env->NewStringUTF("/sdcard/payload_odex/");

	dexClassLoaderClazz = env->FindClass("dalvik/system/DexClassLoader");

	initDexLoaderMethod = env->GetMethodID(dexClassLoaderClazz, "<init>","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V");

	dexClassLoaderJObject = env->NewObject(dexClassLoaderClazz,initDexLoaderMethod, dexPath, dexOptPath, NULL, mClassLoaderJObject);

	env->SetObjectField(loadedApkJObject, mClassLoaderFieldID, dexClassLoaderJObject);

	ALOGD("packageName:%s", packageName);

}

static void run(JNIEnv * env, jclass clazz) {

	jclass activityThreadClazz;

	jmethodID currentActivityThreadMethodID;

	jobject activityThreadObject;

	jfieldID mBoundApplicationFieldID;

	jobject mBoundApplicationJObject;

	jclass mBoundApplicationClazz;

	jfieldID mInfoFieldID;

	jobject mInfoJObject;

	jclass mInfoClazz;

	jfieldID mApplicationFieldID;

	jobject mApplicationJObject;

	jfieldID mInitialApplicationFieldID;

	jobject mInitialApplicationJObject;

	jfieldID mAllApplicationsFieldID;

	jobject mAllApplicationsJObject;

	jclass mAllApplicationsClazz;

	jmethodID removeMethodID;

	jfieldID mApplicationInfoFieldID;

	jobject mApplicationInfoJObject;

	jclass mApplicationInfoClazz;

	jfieldID mBindApplicationInfoFieldID;

	jobject mBindApplicationInfoJObject;

	jclass mBindApplicationInfoClazz;

	jfieldID classNameFieldID;

	jfieldID mBindClassNameFieldID;

	jstring applicationName;

	jmethodID makeApplicationMethodID;

	jobject ApplicationJObject;

	jclass ApplicationClazz;

	jmethodID onCreateMethodID;

	activityThreadClazz = env->FindClass("android/app/ActivityThread");

	currentActivityThreadMethodID = env->GetStaticMethodID(activityThreadClazz, "currentActivityThread",

	            "()Landroid/app/ActivityThread;");

	activityThreadObject = env->CallStaticObjectMethod(activityThreadClazz, currentActivityThreadMethodID);

	mBoundApplicationFieldID = env->GetFieldID(activityThreadClazz, "mBoundApplication", "Landroid/app/ActivityThread$AppBindData;");

	mBoundApplicationJObject = env->GetObjectField(activityThreadObject, mBoundApplicationFieldID);

	mBoundApplicationClazz = env->GetObjectClass(mBoundApplicationJObject);

	mInfoFieldID = env->GetFieldID(mBoundApplicationClazz, "info", "Landroid/app/LoadedApk;");

	mInfoJObject = env->GetObjectField(mBoundApplicationJObject, mInfoFieldID);

	mInfoClazz = env->GetObjectClass(mInfoJObject);

	mApplicationFieldID = env->GetFieldID(mInfoClazz, "mApplication", "Landroid/app/Application;");

	mApplicationJObject = env->GetObjectField(mInfoJObject, mApplicationFieldID);

	env->SetObjectField(mInfoJObject, mApplicationFieldID, NULL);

	mInitialApplicationFieldID = env->GetFieldID(activityThreadClazz, "mInitialApplication", "Landroid/app/Application;");

	mInitialApplicationJObject = env->GetObjectField(activityThreadObject, mInitialApplicationFieldID);

	mAllApplicationsFieldID = env->GetFieldID(activityThreadClazz, "mAllApplications", "Ljava/util/ArrayList;");

	mAllApplicationsJObject = env->GetObjectField(activityThreadObject, mAllApplicationsFieldID);

	mAllApplicationsClazz = env->GetObjectClass(mAllApplicationsJObject);

	removeMethodID = env->GetMethodID(mAllApplicationsClazz, "remove",

            "(Ljava/lang/Object;)Z");

	jboolean isTrue = env->CallBooleanMethod(mAllApplicationsJObject, removeMethodID, mInitialApplicationJObject);

	mApplicationInfoFieldID = env->GetFieldID(mInfoClazz, "mApplicationInfo", "Landroid/content/pm/ApplicationInfo;");

	mApplicationInfoJObject = env->GetObjectField(mInfoJObject, mApplicationInfoFieldID);

	mApplicationInfoClazz = env->GetObjectClass(mApplicationInfoJObject);

	mBindApplicationInfoFieldID = env->GetFieldID(mBoundApplicationClazz, "appInfo", "Landroid/content/pm/ApplicationInfo;");

	mBindApplicationInfoJObject = env->GetObjectField(mBoundApplicationJObject, mBindApplicationInfoFieldID);

	mBindApplicationInfoClazz = env->GetObjectClass(mBindApplicationInfoJObject);

	classNameFieldID = env->GetFieldID(mApplicationInfoClazz, "className", "Ljava/lang/String;");

	mBindClassNameFieldID = env->GetFieldID(mBindApplicationInfoClazz, "className", "Ljava/lang/String;");

	applicationName = env->NewStringUTF("com.example.forceapkobj.MyApplication");

	env->SetObjectField(mApplicationInfoJObject, classNameFieldID, applicationName);

	env->SetObjectField(mBindApplicationInfoJObject, mBindClassNameFieldID, applicationName);

	makeApplicationMethodID = env->GetMethodID(mInfoClazz, "makeApplication","(ZLandroid/app/Instrumentation;)Landroid/app/Application;");

	ApplicationJObject = env->CallObjectMethod(mInfoJObject, makeApplicationMethodID, JNI_FALSE, NULL);

	env->SetObjectField(activityThreadObject, mInitialApplicationFieldID, ApplicationJObject);

	ApplicationClazz = env->GetObjectClass(ApplicationJObject);

	onCreateMethodID = env->GetMethodID(ApplicationClazz, "onCreate","()V");

	env->CallVoidMethod(ApplicationJObject, onCreateMethodID);

}

JNIEXPORT void JNICALL Java_com_jltxgcy_dynamicdex_DexLoader_load

  (JNIEnv * env, jclass clazz, jstring packageName) {

	loadApk(env, clazz, packageName);

	ALOGD("Java_com_jltxgcy_dynamicdex_DexLoader_load");

}

JNIEXPORT void JNICALL Java_com_jltxgcy_dynamicdex_DexLoader_run

  (JNIEnv * env, jclass clazz) {

	run(env, clazz);

	ALOGD("Java_com_jltxgcy_dynamicdex_DexLoader_run");

}

Android加壳native实现的更多相关文章

  1. Android中对Apk加固(加壳)续篇之---对Native层(so文件)进行加固

    有人说Android程序用Java代码写的,再怎么弄都是不安全的,很容易破解的,现在晚上关于应用加固的技术也很多了,当然这些也可以用于商业发展的,梆梆加密和爱加密就是很好的例子,当然这两家加固的Apk ...

  2. 【腾讯Bugly干货分享】Android Linker 与 SO 加壳技术

    本文来自于腾讯bugly开发者社区,非经作者同意,请勿转载,原文地址:http://dev.qq.com/topic/57e3a3bc42eb88da6d4be143 作者:王赛 1. 前言 Andr ...

  3. 简单粗暴的对android so文件加壳,防止静态分析

    转载自http://bbs.pediy.com/showthread.php?t=191649 以前一直对.so文件加载时解密不懂,不了解其工作原理和实现思路.最近翻看各种资料,有了一些思路.看到论坛 ...

  4. Android中的Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  5. Android中的Apk的加固(加壳)原理解析和实现(转)

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  6. 【转】Android中的Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  7. android黑科技系列——Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  8. Android Linker 与 SO 加壳技术

    1. 前言 Android 系统安全愈发重要,像传统pc安全的可执行文件加固一样,应用加固是Android系统安全中非常重要的一环.目前Android 应用加固可以分为dex加固和Native加固,N ...

  9. android apk 防止反编译技术第一篇-加壳技术

    做android framework方面的工作将近三年的时间了,现在公司让做一下android apk安全方面的研究,于是最近就在网上找大量的资料来学习.现在将最近学习成果做一下整理总结.学习的这些成 ...

随机推荐

  1. 理解Linux虚拟文件系统VFS

    当前,除了linux标准的文件系统Ext2/Ext3/Ext4外,还有很多种文件系统,比如reiserfs, xfs, Windows的vfat NTFS,网络文件系统nfs 以及flash 文件系统 ...

  2. SDOJ 2605 闲荡

    描述 L 饭后无聊,便在 BugTown 里闲荡. BugTown 共有 N 栋房屋和 M 条有向道路.每栋房屋都有一个非负整数 vi 作为标识. BugTown 有一个特性十分神奇:从任意一个房屋离 ...

  3. Python 调用multiprocessing模块下面的Process类方法(实现服务器、客户端并发)-UDP协议

    #基于UDP协议的multiprocessing自定义通信 服务端: from multiprocessing import Process import socket def task(server ...

  4. hdu 2665 划分树模板题(可作为模板)

    Kth number Time Limit: 15000/5000 MS (Java/Others)    Memory Limit: 32768/32768 K (Java/Others)Total ...

  5. 九度oj 题目1380:lucky number

    题目描述: 每个人有自己的lucky number,小A也一样.不过他的lucky number定义不一样.他认为一个序列中某些数出现的次数为n的话,都是他的lucky number.但是,现在这个序 ...

  6. BZOJ4571 [Scoi2016]美味 【主席树】

    题目 一家餐厅有 n 道菜,编号 1...n ,大家对第 i 道菜的评价值为 ai(1≤i≤n).有 m 位顾客,第 i 位顾客的期 望值为 bi,而他的偏好值为 xi .因此,第 i 位顾客认为第 ...

  7. 刷题总结——String painter(hdu2476)

    题目: Problem Description There are two strings A and B with equal length. Both strings are made up of ...

  8. java集合四种遍历方式

    package conection; import java.util.Iterator;import java.util.LinkedList;import java.util.List; publ ...

  9. java web项目防止多用户重复登录解决方案

    原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 .作者信息和本人声明.否则将追究法律责任.作者:永恒の_☆    地址:http://blog.csdn.net/chenghui031 ...

  10. 【CF1016B】Segment Occurrences(模拟)

    题意:给定两个串s和t,多次询问s的一个区间[l ,r]中有多少个子串与t串相同 len<=1e3,q<=1e5 思路:前缀和 #include<cstdio> #includ ...