監控原理
通常加固會在程式運行前完成對text的解密,所以脫殼可以通過
/proc/pid/mem或/proc/pid/pagemap或/proc/pid/maps,獲取到加固后解密的代碼內容,
可以通過Inotify系列api來監控mem或pagemap的打開或訪問事件,
一旦發生觸發了事件就結束行程來阻止android的記憶體被dump,
代碼實作
//監控記憶體是否被修改事件
void thread_watchIntifyDump()
{
char dirName[NAME_MAX]={0};
//用于監控/proc/pid/maps的資料
snprintf(dirName,NAME_MAX,"/proc/%d/maps",getpid());
int fd = inotify_init();
if (fd < 0)
{
LOGA("inotify_init err.\n");
return;
}
int wd = inotify_add_watch(fd,dirName,IN_ALL_EVENTS);
if (wd < 0)
{
LOGA("inotify_add_watch err.\n");
close(fd);
return;
}
const int buflen=sizeof(struct inotify_event) * 0x100;
char buf[buflen]={0};
fd_set readfds;
while(1)
{
FD_ZERO(&readfds);
FD_SET(fd, &readfds);
int iRet = select(fd+1,&readfds,0,0,0); // 此處阻塞
LOGB("iRet的回傳值:%d\n",iRet);
if(-1==iRet)
break;
if (iRet)
{
memset(buf,0,buflen);
int len = read(fd,buf,buflen);
int i=0;
while(i < len)
{
struct inotify_event *event = (struct inotify_even
t*)&buf[i];
LOGB("1 event mask的數值為:%d\n",event->mask);
if( (event->mask==IN_OPEN) )
{
// 此處判定為有true,執行崩潰.
LOGB("2 有人打開pagemap,第%d次.\n\n",i);
}i += sizeof (struct inotify_event) + event->len;
}
}
}
inotify_rm_watch(fd,wd);
close(fd);
return;
}
//介面函式呼叫
void main()
{
// 監控/proc/pid/mem
pthread_t ptMem,t,ptPageMap;
int iRet=0;
// 監控/proc/pid/pagemap
iRet=pthread_create(&ptPageMap,NULL,(PPP)thread_watchInotifyDump,NULL);
if (0!=iRet)
{
LOGA("Create,thread_watchDumpPagemap,error!\n");
return;
}
iRet=pthread_detach(ptPageMap);
if (0!=iRet)
{
LOGA("pthread_detach,thread_watchDumpPagemap,error!\n");
return;
}
LOGB("pid:%d\n",getpid());
return;
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/yidong/292378.html
標籤:其他