本例仅在Android2.3模拟器跑通过,假设要适配其它机型。请自行研究,这里不过抛砖引玉。

0x00

Android中的Apk的加固(加壳)原理解析和实现,一文中脱壳代码都写在了java层非常easy被识别出来。非常多需求须要把脱壳的程序转移到native层,事实上转移的思路也非常简单,就是在native层通过JNI调用Java层代码。

执行前,首先把ForceApkObj.apk放在/sdcard/payload_odex/文件夹下。

代码已上传至github,地址为https://github.com/jltxgcy/AndroidNativeShell

0x01

    public class ProxyApplication extends Application {

	@Override

	protected void attachBaseContext(Context base) {

		super.attachBaseContext(base);

		DexLoader.load("com.jltxgcy.dynamicdex");

	}

	@Override

	public void onCreate() {

		DexLoader.run();

	}

}

还记得原来这两个方法有着一大堆代码,这里唯独一行代码就搞定。

我们再看来DexLoader类。

public class DexLoader {

	static {

		System.loadLibrary("dexloader");

	}

	public static native void load(String path);

	public static native void run();

}

原来核心脱壳代码放在了native层。

0x02

JNI的实现例如以下。大家能够看到本质上就是把java层的代码通过JNI转移到native层了。

static void loadApk(JNIEnv * env, jclass clazz, jstring package) {

	jclass activityThreadClazz;

	jmethodID currentActivityThreadMethodID;

	jobject activityThreadObject;

	const char *packageName;

	const char *className;

	const char *methodName;

	int codeoff;

	jfieldID mPackagesFieldID;

	jobject mPackagesJObject;

	jclass mPackagesClazz;

	jmethodID getMethodID;

	jobject weakReferenceJObject;

	jclass weakReferenceJClazz;

	jmethodID getweakMethodID;

	jobject loadedApkJObject;

	jclass loadedApkJClazz;

	jfieldID mClassLoaderFieldID;

	jobject mClassLoaderJObject;

	jstring dexPath;

	jstring dexOptPath;

	jclass dexClassLoaderClazz;

	jmethodID initDexLoaderMethod;

	jobject dexClassLoaderJObject;

	activityThreadClazz = env->FindClass("android/app/ActivityThread");

	currentActivityThreadMethodID = env->GetStaticMethodID(activityThreadClazz, "currentActivityThread",

            "()Landroid/app/ActivityThread;");

	activityThreadObject = env->CallStaticObjectMethod(activityThreadClazz, currentActivityThreadMethodID);

	packageName = env->GetStringUTFChars(package, JNI_FALSE);

	mPackagesFieldID = env->GetFieldID(activityThreadClazz, "mPackages", "Ljava/util/HashMap;");

	mPackagesJObject = env->GetObjectField(activityThreadObject, mPackagesFieldID);

	mPackagesClazz = env->GetObjectClass(mPackagesJObject);

	getMethodID = env->GetMethodID(mPackagesClazz, "get",

            "(Ljava/lang/Object;)Ljava/lang/Object;");

	weakReferenceJObject = env->CallObjectMethod(mPackagesJObject, getMethodID, package);

	weakReferenceJClazz = env->GetObjectClass(weakReferenceJObject);

	getweakMethodID = env->GetMethodID(weakReferenceJClazz, "get",

            "()Ljava/lang/Object;");

	loadedApkJObject = env->CallObjectMethod(weakReferenceJObject, getweakMethodID);

	loadedApkJClazz = env->GetObjectClass(loadedApkJObject);

	mClassLoaderFieldID = env->GetFieldID(loadedApkJClazz, "mClassLoader", "Ljava/lang/ClassLoader;");

	mClassLoaderJObject = env->GetObjectField(loadedApkJObject, mClassLoaderFieldID);

	dexPath = env->NewStringUTF("/sdcard/payload_odex/ForceApkObj.apk");

	dexOptPath = env->NewStringUTF("/sdcard/payload_odex/");

	dexClassLoaderClazz = env->FindClass("dalvik/system/DexClassLoader");

	initDexLoaderMethod = env->GetMethodID(dexClassLoaderClazz, "<init>","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V");

	dexClassLoaderJObject = env->NewObject(dexClassLoaderClazz,initDexLoaderMethod, dexPath, dexOptPath, NULL, mClassLoaderJObject);

	env->SetObjectField(loadedApkJObject, mClassLoaderFieldID, dexClassLoaderJObject);

	ALOGD("packageName:%s", packageName);

}

static void run(JNIEnv * env, jclass clazz) {

	jclass activityThreadClazz;

	jmethodID currentActivityThreadMethodID;

	jobject activityThreadObject;

	jfieldID mBoundApplicationFieldID;

	jobject mBoundApplicationJObject;

	jclass mBoundApplicationClazz;

	jfieldID mInfoFieldID;

	jobject mInfoJObject;

	jclass mInfoClazz;

	jfieldID mApplicationFieldID;

	jobject mApplicationJObject;

	jfieldID mInitialApplicationFieldID;

	jobject mInitialApplicationJObject;

	jfieldID mAllApplicationsFieldID;

	jobject mAllApplicationsJObject;

	jclass mAllApplicationsClazz;

	jmethodID removeMethodID;

	jfieldID mApplicationInfoFieldID;

	jobject mApplicationInfoJObject;

	jclass mApplicationInfoClazz;

	jfieldID mBindApplicationInfoFieldID;

	jobject mBindApplicationInfoJObject;

	jclass mBindApplicationInfoClazz;

	jfieldID classNameFieldID;

	jfieldID mBindClassNameFieldID;

	jstring applicationName;

	jmethodID makeApplicationMethodID;

	jobject ApplicationJObject;

	jclass ApplicationClazz;

	jmethodID onCreateMethodID;

	activityThreadClazz = env->FindClass("android/app/ActivityThread");

	currentActivityThreadMethodID = env->GetStaticMethodID(activityThreadClazz, "currentActivityThread",

	            "()Landroid/app/ActivityThread;");

	activityThreadObject = env->CallStaticObjectMethod(activityThreadClazz, currentActivityThreadMethodID);

	mBoundApplicationFieldID = env->GetFieldID(activityThreadClazz, "mBoundApplication", "Landroid/app/ActivityThread$AppBindData;");

	mBoundApplicationJObject = env->GetObjectField(activityThreadObject, mBoundApplicationFieldID);

	mBoundApplicationClazz = env->GetObjectClass(mBoundApplicationJObject);

	mInfoFieldID = env->GetFieldID(mBoundApplicationClazz, "info", "Landroid/app/LoadedApk;");

	mInfoJObject = env->GetObjectField(mBoundApplicationJObject, mInfoFieldID);

	mInfoClazz = env->GetObjectClass(mInfoJObject);

	mApplicationFieldID = env->GetFieldID(mInfoClazz, "mApplication", "Landroid/app/Application;");

	mApplicationJObject = env->GetObjectField(mInfoJObject, mApplicationFieldID);

	env->SetObjectField(mInfoJObject, mApplicationFieldID, NULL);

	mInitialApplicationFieldID = env->GetFieldID(activityThreadClazz, "mInitialApplication", "Landroid/app/Application;");

	mInitialApplicationJObject = env->GetObjectField(activityThreadObject, mInitialApplicationFieldID);

	mAllApplicationsFieldID = env->GetFieldID(activityThreadClazz, "mAllApplications", "Ljava/util/ArrayList;");

	mAllApplicationsJObject = env->GetObjectField(activityThreadObject, mAllApplicationsFieldID);

	mAllApplicationsClazz = env->GetObjectClass(mAllApplicationsJObject);

	removeMethodID = env->GetMethodID(mAllApplicationsClazz, "remove",

            "(Ljava/lang/Object;)Z");

	jboolean isTrue = env->CallBooleanMethod(mAllApplicationsJObject, removeMethodID, mInitialApplicationJObject);

	mApplicationInfoFieldID = env->GetFieldID(mInfoClazz, "mApplicationInfo", "Landroid/content/pm/ApplicationInfo;");

	mApplicationInfoJObject = env->GetObjectField(mInfoJObject, mApplicationInfoFieldID);

	mApplicationInfoClazz = env->GetObjectClass(mApplicationInfoJObject);

	mBindApplicationInfoFieldID = env->GetFieldID(mBoundApplicationClazz, "appInfo", "Landroid/content/pm/ApplicationInfo;");

	mBindApplicationInfoJObject = env->GetObjectField(mBoundApplicationJObject, mBindApplicationInfoFieldID);

	mBindApplicationInfoClazz = env->GetObjectClass(mBindApplicationInfoJObject);

	classNameFieldID = env->GetFieldID(mApplicationInfoClazz, "className", "Ljava/lang/String;");

	mBindClassNameFieldID = env->GetFieldID(mBindApplicationInfoClazz, "className", "Ljava/lang/String;");

	applicationName = env->NewStringUTF("com.example.forceapkobj.MyApplication");

	env->SetObjectField(mApplicationInfoJObject, classNameFieldID, applicationName);

	env->SetObjectField(mBindApplicationInfoJObject, mBindClassNameFieldID, applicationName);

	makeApplicationMethodID = env->GetMethodID(mInfoClazz, "makeApplication","(ZLandroid/app/Instrumentation;)Landroid/app/Application;");

	ApplicationJObject = env->CallObjectMethod(mInfoJObject, makeApplicationMethodID, JNI_FALSE, NULL);

	env->SetObjectField(activityThreadObject, mInitialApplicationFieldID, ApplicationJObject);

	ApplicationClazz = env->GetObjectClass(ApplicationJObject);

	onCreateMethodID = env->GetMethodID(ApplicationClazz, "onCreate","()V");

	env->CallVoidMethod(ApplicationJObject, onCreateMethodID);

}

JNIEXPORT void JNICALL Java_com_jltxgcy_dynamicdex_DexLoader_load

  (JNIEnv * env, jclass clazz, jstring packageName) {

	loadApk(env, clazz, packageName);

	ALOGD("Java_com_jltxgcy_dynamicdex_DexLoader_load");

}

JNIEXPORT void JNICALL Java_com_jltxgcy_dynamicdex_DexLoader_run

  (JNIEnv * env, jclass clazz) {

	run(env, clazz);

	ALOGD("Java_com_jltxgcy_dynamicdex_DexLoader_run");

}

Android加壳native实现的更多相关文章

  1. Android中对Apk加固(加壳)续篇之---对Native层(so文件)进行加固

    有人说Android程序用Java代码写的,再怎么弄都是不安全的,很容易破解的,现在晚上关于应用加固的技术也很多了,当然这些也可以用于商业发展的,梆梆加密和爱加密就是很好的例子,当然这两家加固的Apk ...

  2. 【腾讯Bugly干货分享】Android Linker 与 SO 加壳技术

    本文来自于腾讯bugly开发者社区,非经作者同意,请勿转载,原文地址:http://dev.qq.com/topic/57e3a3bc42eb88da6d4be143 作者:王赛 1. 前言 Andr ...

  3. 简单粗暴的对android so文件加壳,防止静态分析

    转载自http://bbs.pediy.com/showthread.php?t=191649 以前一直对.so文件加载时解密不懂,不了解其工作原理和实现思路.最近翻看各种资料,有了一些思路.看到论坛 ...

  4. Android中的Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  5. Android中的Apk的加固(加壳)原理解析和实现(转)

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  6. 【转】Android中的Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  7. android黑科技系列——Apk的加固(加壳)原理解析和实现

    一.前言 今天又到周末了,憋了好久又要出博客了,今天来介绍一下Android中的如何对Apk进行加固的原理.现阶段.我们知道Android中的反编译工作越来越让人操作熟练,我们辛苦的开发出一个apk, ...

  8. Android Linker 与 SO 加壳技术

    1. 前言 Android 系统安全愈发重要,像传统pc安全的可执行文件加固一样,应用加固是Android系统安全中非常重要的一环.目前Android 应用加固可以分为dex加固和Native加固,N ...

  9. android apk 防止反编译技术第一篇-加壳技术

    做android framework方面的工作将近三年的时间了,现在公司让做一下android apk安全方面的研究,于是最近就在网上找大量的资料来学习.现在将最近学习成果做一下整理总结.学习的这些成 ...

随机推荐

  1. springmvc始终跳转至首页,不报404错误(续)

    上篇博客说到,当我执行程序时,springmvc的控制下,它始终跳转到首页,而不正常跳转.当时通过换一个服务器解决了问题,以为是缓存的事儿.但后来又发生了同样的事儿,顿时感觉出事儿了.就立马降低了日志 ...

  2. Educational Codeforces Round 19 A+B+C+E!

    A. k-Factorization 题意:将n分解成k个大于1的数相乘的形式.如果无法分解输出-1. 思路:先打个素因子表,然后暴力判,注意最后跳出的条件. int len,a[N],b[N]; v ...

  3. hdu6074[并查集+LCA+思维] 2017多校4

    看了标答感觉思路清晰了许多,用并查集来维护全联通块的点数和边权和. 用另一个up[]数组(也是并查集)来保证每条边不会被重复附权值,这样我们只要将询问按权值从小到大排序,一定能的到最小的边权和与联通块 ...

  4. iOS学习笔记40-日志重定向

    一.日志重定向 我们在iOS开发过程中,我们时常会使用NSLog打印到控制台的日志信息进行代码调试,但这样调试的前提是连接上Xcode.如果进行真机调试但同时又不能连接Xcode的时候,就不能直接在x ...

  5. ACM程序设计选修课——1043: Radical loves integer sequences(YY)

    1043: Radical loves integer sequences Time Limit: 1 Sec  Memory Limit: 128 MB Submit: 36  Solved: 4 ...

  6. java中String初始化的两种方式

    转自:http://www.diybl.com/course/3_program/java/javajs/2007104/75886.html       字符串可能是任何程序语言中都会出现的对象,j ...

  7. Entity Framework表名默认自动变为复数形式等常见问题解决方法

    今天使用了一下手写EntityFramework,发现一些常见的问题,做个记录: 1.以前使用模板生成不太在意的问题,就是在定义实体类时,如果没映射注释,自动映射的表名会变成复数形式 如:表名==&g ...

  8. 【CF1020C】Elections(贪心)

    题意: Berland地区的腐败现象非常常见. 马上有一场选举,你事先知道了选民和政党的数量,分别为 n 和 m ,对于每一位选民,你知道他将要选举哪一个政党, 不过,每一位选民都会在接受一定数额的金 ...

  9. 应用express mockjs模拟前端json数据接口

    一.首先需要在项目安装express 1.cnpm install express --save-dev  2.cnpm install mockjs --save-dev 二.在项目根目录下新建pr ...

  10. 标准C程序设计七---64

    Linux应用             编程深入            语言编程 标准C程序设计七---经典C11程序设计    以下内容为阅读:    <标准C程序设计>(第7版) 作者 ...