Android system calls without the libc symbol: implementing and detecting SVC-based syscalls

Source: Internet   Editor: 程序博客网   Time: 2024/06/06 00:26

0x0 Overview:
When an ELF file from an ARM Android app is opened in a disassembler, the imported libc symbols make it easy to locate the code that implements a given feature: a call to getpid, open or connect appears in the import table and is cross-referenced from the code that uses it.

[screenshots of the import table and its cross-references omitted]

Looking at how libc implements these functions shows that on ARM each wrapper is a thin stub: the syscall number is loaded into r7 and the kernel is entered with the SVC instruction (older assemblers and listings spell it SWI; it is the same instruction):

[screenshot of the libc disassembly omitted]

An application can therefore embed the same stub itself and enter the kernel directly. The libc symbol then disappears from the import table and from the cross-references, which makes analysis harder:

[screenshot of the app's own SVC stub omitted]

0x1 Implementation:
Taking getpid as the example.

Change the call site: instead of obtaining the pid through the libc API getpid, call a function of your own:
    int xxxxxgetpid();

Take the assembly implementation of getpid from the bionic source. In Android 6.0 the generated wrapper for the __getpid symbol lives at:
bionic/libc/arch-arm/syscalls/__getpid.S:
    #include <private/bionic_asm.h>

    ENTRY(__getpid)
        mov     ip, r7
        ldr     r7, =__NR_getpid
        swi     #0
        mov     r7, ip
        cmn     r0, #(MAX_ERRNO + 1)
        bxls    lr
        neg     r0, r0
        b       __set_errno_internal
    END(__getpid)

ENTRY and END are macros from bionic_asm.h that emit the global label together with its .type and .size, so the assembler produces an ordinary C-callable symbol. Rename the symbol in ENTRY()/END() to xxxxxgetpid and declare int xxxxxgetpid(); in a header; C code then calls that symbol and the libc getpid import is gone. Two details when copying the file out of bionic: __set_errno_internal is a bionic-internal symbol that libc.so does not export to apps, so replace the final branch with your own errno handling (or drop the translation and check the raw negative return yourself), and the sequence saves r7 in ip because r7 is the Thumb frame pointer and the syscall number must not clobber it for the caller.
Add the .S file to LOCAL_SRC_FILES in Android.mk. If the SVC should be emitted in the middle of a C function rather than as a separate call, write the same sequence as inline assembly in that function instead of a standalone .S file.

Viewed in IDA, the stub in the app looks like this. Note that the assembler turned ldr r7, =__NR_getpid into MOV R7, #0x14 because 20 fits an 8-bit immediate, and CMN R0, #0x1000 is the cmn r0, #(MAX_ERRNO + 1) check with MAX_ERRNO = 4095:

    .text:0000172C sub_172C                ; DATA XREF: sub_2D98+4o
    .text:0000172C                         ; .text:off_2DA0o
    .text:0000172C                 MOV     R12, R7
    .text:00001730                 MOV     R7, #0x14
    .text:00001734                 SVC     0
    .text:00001738                 MOV     R7, R12
    .text:0000173C                 CMN     R0, #0x1000
    .text:00001740                 BXLS    LR
    .text:00001744                 RSB     R0, R0, #0
    .text:00001748                 B       sub_2E14
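The stub above as a complete, buildable program, added here as an example and not code from the original post or from bionic. hidden_getpid() and hidden_write() are hypothetical names. The ARM32 path is the article's sequence written as GCC inline assembly (load r7, svc #0, then the same MAX_ERRNO + 1 check that bionic does with cmn/bxls, done in C so no branch to the non-exported __set_errno_internal is needed); AArch64 (number in x8) and x86-64 (syscall instruction, number in rax) paths with the same structure are included so the file also builds and runs on a non-ARM host. Syscall numbers are the per-architecture Linux kernel values.

```c
// Added example: raw syscalls that never import the libc wrappers. The ARM32
// branch mirrors bionic's __getpid.S (r7 = number; svc #0; errno translation);
// the other two branches are the same technique on AArch64 and x86-64.
#include <errno.h>
#include <stddef.h>
#include <unistd.h>

#if defined(__arm__)
#define NR_getpid 20   /* __NR_getpid on ARM EABI: the 0x14 in the IDA listing */
#define NR_write  4
static long raw_syscall3(long nr, long a, long b, long c) {
    register long r7 __asm__("r7") = nr;   /* syscall number lives in r7 */
    register long r0 __asm__("r0") = a;    /* args in r0..r2, result back in r0 */
    register long r1 __asm__("r1") = b;
    register long r2 __asm__("r2") = c;
    /* r7 is the Thumb frame pointer: build with optimisation (-O2) so GCC
       does not need it for the frame while the asm statement owns it. */
    __asm__ volatile("svc #0" : "+r"(r0) : "r"(r7), "r"(r1), "r"(r2) : "memory");
    return r0;
}
#elif defined(__aarch64__)
#define NR_getpid 172  /* AArch64 uses the asm-generic table */
#define NR_write  64
static long raw_syscall3(long nr, long a, long b, long c) {
    register long x8 __asm__("x8") = nr;   /* number in x8 instead of r7 */
    register long x0 __asm__("x0") = a;
    register long x1 __asm__("x1") = b;
    register long x2 __asm__("x2") = c;
    __asm__ volatile("svc #0" : "+r"(x0) : "r"(x8), "r"(x1), "r"(x2) : "memory");
    return x0;
}
#elif defined(__x86_64__)
#define NR_getpid 39
#define NR_write  1
static long raw_syscall3(long nr, long a, long b, long c) {
    long ret;                               /* number in rax, args in rdi/rsi/rdx */
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(nr), "D"(a), "S"(b), "d"(c)
                     : "rcx", "r11", "memory");   /* syscall clobbers rcx and r11 */
    return ret;
}
#else
#error "unsupported architecture for this example"
#endif

/* Same contract as the wrapper epilogue: the kernel returns -errno in the
 * range [-4095, -1] on failure, which is what "cmn r0, #(MAX_ERRNO + 1);
 * bxls lr" tests. Anything above (unsigned)-4096 is an error to translate. */
static long finish_syscall(long ret) {
    if ((unsigned long)ret > -4096UL) {
        errno = (int)-ret;
        return -1;
    }
    return ret;
}

long hidden_getpid(void) {
    return finish_syscall(raw_syscall3(NR_getpid, 0, 0, 0));
}

long hidden_write(int fd, const void *buf, size_t len) {
    return finish_syscall(raw_syscall3(NR_write, fd, (long)buf, (long)len));
}

int main(void) {
    /* The only libc getpid import in this file is the one used for this check. */
    if (hidden_getpid() != (long)getpid())
        return 1;
    /* Error path: a closed descriptor must come back as -1 with errno == EBADF. */
    if (hidden_write(-1, "x", 1) != -1 || errno != EBADF)
        return 2;
    hidden_write(1, "ok\n", 3);
    return 0;
}
```

Build it with the NDK toolchain for armeabi-v7a and disassemble: the getpid call becomes the MOV R7 / SVC 0 pair from the listing, and `nm -D` on a binary that omits the comparison in main() shows no getpid import at all, which is exactly what the detection in the next section has to find.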

0x2 Detection
Attack and defence always coexist: just as this trick hides the system functions from import-table based analysis, other ways exist to find the calls again.

The SVC instruction itself is the fingerprint. The IDA script below matches the byte pattern of mov r7, #imm immediately followed by svc 0 and maps the immediate to a syscall name. It is approximate and has blind spots, but it was sufficient for the author's purpose and can serve as a starting point.

Script code:

# IDAPython: find "mov r7, #imm8 ; svc 0" pairs in the .text range and resolve
# the immediate against the ARM EABI syscall table (copied from the NDK headers).
try:
    from idc import get_wide_byte as Byte   # IDA 7.x API
except ImportError:
    from idc import Byte                    # older IDAPython

sysCallTab = {
    0: "__NR_restart_syscall", 1: "__NR_exit", 2: "__NR_fork", 3: "__NR_read",
    4: "__NR_write", 5: "__NR_open", 6: "__NR_close", 8: "__NR_creat",
    9: "__NR_link", 10: "__NR_unlink", 11: "__NR_execve", 12: "__NR_chdir",
    13: "__NR_time", 14: "__NR_mknod", 15: "__NR_chmod", 16: "__NR_lchown",
    19: "__NR_lseek", 20: "__NR_getpid", 21: "__NR_mount", 22: "__NR_umount",
    23: "__NR_setuid", 24: "__NR_getuid", 25: "__NR_stime", 26: "__NR_ptrace",
    27: "__NR_alarm", 29: "__NR_pause", 30: "__NR_utime", 33: "__NR_access",
    34: "__NR_nice", 36: "__NR_sync", 37: "__NR_kill", 38: "__NR_rename",
    39: "__NR_mkdir", 40: "__NR_rmdir", 41: "__NR_dup", 42: "__NR_pipe",
    43: "__NR_times", 45: "__NR_brk", 46: "__NR_setgid", 47: "__NR_getgid",
    49: "__NR_geteuid", 50: "__NR_getegid", 51: "__NR_acct", 52: "__NR_umount2",
    54: "__NR_ioctl", 55: "__NR_fcntl", 57: "__NR_setpgid", 60: "__NR_umask",
    61: "__NR_chroot", 62: "__NR_ustat", 63: "__NR_dup2", 64: "__NR_getppid",
    65: "__NR_getpgrp", 66: "__NR_setsid", 67: "__NR_sigaction", 70: "__NR_setreuid",
    71: "__NR_setregid", 72: "__NR_sigsuspend", 73: "__NR_sigpending", 74: "__NR_sethostname",
    75: "__NR_setrlimit", 76: "__NR_getrlimit", 77: "__NR_getrusage", 78: "__NR_gettimeofday",
    79: "__NR_settimeofday", 80: "__NR_getgroups", 81: "__NR_setgroups", 82: "__NR_select",
    83: "__NR_symlink", 85: "__NR_readlink", 86: "__NR_uselib", 87: "__NR_swapon",
    88: "__NR_reboot", 89: "__NR_readdir", 90: "__NR_mmap", 91: "__NR_munmap",
    92: "__NR_truncate", 93: "__NR_ftruncate", 94: "__NR_fchmod", 95: "__NR_fchown",
    96: "__NR_getpriority", 97: "__NR_setpriority", 99: "__NR_statfs", 100: "__NR_fstatfs",
    102: "__NR_socketcall", 103: "__NR_syslog", 104: "__NR_setitimer", 105: "__NR_getitimer",
    106: "__NR_stat", 107: "__NR_lstat", 108: "__NR_fstat", 111: "__NR_vhangup",
    113: "__NR_syscall", 114: "__NR_wait4", 115: "__NR_swapoff", 116: "__NR_sysinfo",
    117: "__NR_ipc", 118: "__NR_fsync", 119: "__NR_sigreturn", 120: "__NR_clone",
    121: "__NR_setdomainname", 122: "__NR_uname", 124: "__NR_adjtimex", 125: "__NR_mprotect",
    126: "__NR_sigprocmask", 128: "__NR_init_module", 129: "__NR_delete_module", 131: "__NR_quotactl",
    132: "__NR_getpgid", 133: "__NR_fchdir", 134: "__NR_bdflush", 135: "__NR_sysfs",
    136: "__NR_personality", 138: "__NR_setfsuid", 139: "__NR_setfsgid", 140: "__NR__llseek",
    141: "__NR_getdents", 142: "__NR__newselect", 143: "__NR_flock", 144: "__NR_msync",
    145: "__NR_readv", 146: "__NR_writev", 147: "__NR_getsid", 148: "__NR_fdatasync",
    149: "__NR__sysctl", 150: "__NR_mlock", 151: "__NR_munlock", 152: "__NR_mlockall",
    153: "__NR_munlockall", 154: "__NR_sched_setparam", 155: "__NR_sched_getparam", 156: "__NR_sched_setscheduler",
    157: "__NR_sched_getscheduler", 158: "__NR_sched_yield", 159: "__NR_sched_get_priority_max", 160: "__NR_sched_get_priority_min",
    161: "__NR_sched_rr_get_interval", 162: "__NR_nanosleep", 163: "__NR_mremap", 164: "__NR_setresuid",
    165: "__NR_getresuid", 168: "__NR_poll", 169: "__NR_nfsservctl", 170: "__NR_setresgid",
    171: "__NR_getresgid", 172: "__NR_prctl", 173: "__NR_rt_sigreturn", 174: "__NR_rt_sigaction",
    175: "__NR_rt_sigprocmask", 176: "__NR_rt_sigpending", 177: "__NR_rt_sigtimedwait", 178: "__NR_rt_sigqueueinfo",
    179: "__NR_rt_sigsuspend", 180: "__NR_pread64", 181: "__NR_pwrite64", 182: "__NR_chown",
    183: "__NR_getcwd", 184: "__NR_capget", 185: "__NR_capset", 186: "__NR_sigaltstack",
    187: "__NR_sendfile", 190: "__NR_vfork", 191: "__NR_ugetrlimit", 192: "__NR_mmap2",
    193: "__NR_truncate64", 194: "__NR_ftruncate64", 195: "__NR_stat64", 196: "__NR_lstat64",
    197: "__NR_fstat64", 198: "__NR_lchown32", 199: "__NR_getuid32", 200: "__NR_getgid32",
    201: "__NR_geteuid32", 202: "__NR_getegid32", 203: "__NR_setreuid32", 204: "__NR_setregid32",
    205: "__NR_getgroups32", 206: "__NR_setgroups32", 207: "__NR_fchown32", 208: "__NR_setresuid32",
    209: "__NR_getresuid32", 210: "__NR_setresgid32", 211: "__NR_getresgid32", 212: "__NR_chown32",
    213: "__NR_setuid32", 214: "__NR_setgid32", 215: "__NR_setfsuid32", 216: "__NR_setfsgid32",
    217: "__NR_getdents64", 218: "__NR_pivot_root", 219: "__NR_mincore", 220: "__NR_madvise",
    221: "__NR_fcntl64", 224: "__NR_gettid", 225: "__NR_readahead", 226: "__NR_setxattr",
    227: "__NR_lsetxattr", 228: "__NR_fsetxattr", 229: "__NR_getxattr", 230: "__NR_lgetxattr",
    231: "__NR_fgetxattr", 232: "__NR_listxattr", 233: "__NR_llistxattr", 234: "__NR_flistxattr",
    235: "__NR_removexattr", 236: "__NR_lremovexattr", 237: "__NR_fremovexattr", 238: "__NR_tkill",
    239: "__NR_sendfile64", 240: "__NR_futex", 241: "__NR_sched_setaffinity", 242: "__NR_sched_getaffinity",
    243: "__NR_io_setup", 244: "__NR_io_destroy", 245: "__NR_io_getevents", 246: "__NR_io_submit",
    247: "__NR_io_cancel", 248: "__NR_exit_group", 249: "__NR_lookup_dcookie", 250: "__NR_epoll_create",
    251: "__NR_epoll_ctl", 252: "__NR_epoll_wait", 253: "__NR_remap_file_pages", 256: "__NR_set_tid_address",
    257: "__NR_timer_create", 258: "__NR_timer_settime", 259: "__NR_timer_gettime", 260: "__NR_timer_getoverrun",
    261: "__NR_timer_delete", 262: "__NR_clock_settime", 263: "__NR_clock_gettime", 264: "__NR_clock_getres",
    265: "__NR_clock_nanosleep", 266: "__NR_statfs64", 267: "__NR_fstatfs64", 268: "__NR_tgkill",
    269: "__NR_utimes", 270: "__NR_arm_fadvise64_64", 271: "__NR_pciconfig_iobase", 272: "__NR_pciconfig_read",
    273: "__NR_pciconfig_write", 274: "__NR_mq_open", 275: "__NR_mq_unlink", 276: "__NR_mq_timedsend",
    277: "__NR_mq_timedreceive", 278: "__NR_mq_notify", 279: "__NR_mq_getsetattr", 280: "__NR_waitid",
    281: "__NR_socket", 282: "__NR_bind", 283: "__NR_connect", 284: "__NR_listen",
    285: "__NR_accept", 286: "__NR_getsockname", 287: "__NR_getpeername", 288: "__NR_socketpair",
    289: "__NR_send", 290: "__NR_sendto", 291: "__NR_recv", 292: "__NR_recvfrom",
    293: "__NR_shutdown", 294: "__NR_setsockopt", 295: "__NR_getsockopt", 296: "__NR_sendmsg",
    297: "__NR_recvmsg", 298: "__NR_semop", 299: "__NR_semget", 300: "__NR_semctl",
    301: "__NR_msgsnd", 302: "__NR_msgrcv", 303: "__NR_msgget", 304: "__NR_msgctl",
    305: "__NR_shmat", 306: "__NR_shmdt", 307: "__NR_shmget", 308: "__NR_shmctl",
    309: "__NR_add_key", 310: "__NR_request_key", 311: "__NR_keyctl", 312: "__NR_semtimedop",
    313: "__NR_vserver", 314: "__NR_ioprio_set", 315: "__NR_ioprio_get", 316: "__NR_inotify_init",
    317: "__NR_inotify_add_watch", 318: "__NR_inotify_rm_watch", 319: "__NR_mbind", 320: "__NR_get_mempolicy",
    321: "__NR_set_mempolicy", 322: "__NR_openat", 323: "__NR_mkdirat", 324: "__NR_mknodat",
    325: "__NR_fchownat", 326: "__NR_futimesat", 327: "__NR_fstatat64", 328: "__NR_unlinkat",
    329: "__NR_renameat", 330: "__NR_linkat", 331: "__NR_symlinkat", 332: "__NR_readlinkat",
    333: "__NR_fchmodat", 334: "__NR_faccessat", 335: "__NR_pselect6", 336: "__NR_ppoll",
    337: "__NR_unshare", 338: "__NR_set_robust_list", 339: "__NR_get_robust_list", 340: "__NR_splice",
    341: "__NR_arm_sync_file_range", 342: "__NR_tee", 343: "__NR_vmsplice", 344: "__NR_move_pages",
    345: "__NR_getcpu", 346: "__NR_epoll_pwait", 347: "__NR_kexec_load", 348: "__NR_utimensat",
    349: "__NR_signalfd", 350: "__NR_timerfd_create", 351: "__NR_eventfd", 352: "__NR_fallocate",
    353: "__NR_timerfd_settime", 354: "__NR_timerfd_gettime", 355: "__NR_signalfd4", 356: "__NR_eventfd2",
    357: "__NR_epoll_create1", 358: "__NR_dup3", 359: "__NR_pipe2", 360: "__NR_inotify_init1",
    361: "__NR_preadv", 362: "__NR_pwritev", 363: "__NR_rt_tgsigqueueinfo", 364: "__NR_perf_event_open",
    365: "__NR_recvmmsg", 366: "__NR_accept4", 367: "__NR_fanotify_init", 368: "__NR_fanotify_mark",
    369: "__NR_prlimit64", 370: "__NR_name_to_handle_at", 371: "__NR_open_by_handle_at", 372: "__NR_clock_adjtime",
    373: "__NR_syncfs", 374: "__NR_sendmmsg", 375: "__NR_setns", 376: "__NR_process_vm_readv",
    377: "__NR_process_vm_writev", 378: "__NR_kcmp", 379: "__NR_finit_module", 380: "__NR_sched_setattr",
    381: "__NR_sched_getattr",
    # ARM-private numbers: these never fit an 8-bit immediate, so the byte
    # pattern below cannot hit them; kept so the table matches the header.
    0x0f0001: "__ARM_NR_breakpoint", 0x0f0002: "__ARM_NR_cacheflush", 0x0f0003: "__ARM_NR_usr26",
    0x0f0004: "__ARM_NR_usr32", 0x0f0005: "__ARM_NR_set_tls",
}

# .text range of the analysed binary: hard-coded, change it for your target.
textStart = 0x217E0
textEnd = 0x113680

for i in range(textStart, textEnd):
    # Little-endian "svc 0" is 00 00 00 EF and the preceding "mov r7, #imm8"
    # is imm8 70 A0 E3, so with i at the EF byte: i-4..i-5 are E3 A0,
    # i-6 is 70 (Rd = r7, rotate 0) and i-7 is the syscall number.
    if Byte(i) == 0xEF and \
       Byte(i-1) == 0x00 and \
       Byte(i-2) == 0x00 and \
       Byte(i-3) == 0x00 and \
       Byte(i-4) == 0xE3 and \
       Byte(i-5) == 0xA0 and \
       Byte(i-6) == 0x70:
        nr = Byte(i-7)
        print("system call : %x" % nr)
        print("addr : %x" % (i - 3))          # start of the SVC instruction word
        print("Func Name : %s" % sysCallTab.get(nr, "unknown"))

The dictionary at the top is the ARM EABI syscall table taken from the NDK's unistd headers. The .text range is hard-coded and must be adjusted for the binary being analysed. Be clear about what the byte pattern covers: only ARM-state code in which mov r7, #imm8 (E3A070xx, rotation field 0) is directly followed by svc 0. It misses numbers that need a rotated immediate (for example 256, __NR_set_tid_address, encodes as E3A07C01), numbers the assembler puts in a literal pool and loads with ldr r7, [pc, #off] (the ARM-private 0x0f00xx calls and anything else not encodable as an immediate), Thumb code (movs r7, #imm / svc 0 encode as 27xx / DF00), and stubs where r7 is loaded somewhere other than the instruction right before the SVC. The log output looks like this:

[screenshot of the script's log output omitted]
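A stand-alone scanner for the same fingerprint, added here as an example and not the article's IDA script: it works over raw code bytes (for example the .text section dumped from the ELF) instead of the IDA database, and covers the cases the byte-pattern check misses, namely rotated ARM immediates, ldr r7, =imm literal-pool loads and Thumb movs r7, #imm ; svc 0. ARM_SYSCALLS is a subset of the table above; the sample bytes are hand-assembled and constructed for this example, not taken from a real binary.

```python
# Added example (not the article's code): find SVC-based syscall sites in raw
# ARM/Thumb code bytes and decode the number loaded into r7.
import struct

# Subset of the ARM EABI table above; unknown numbers are still reported.
ARM_SYSCALLS = {
    4: "__NR_write",
    20: "__NR_getpid",
    256: "__NR_set_tid_address",
    0x0F0002: "__ARM_NR_cacheflush",
}

ARM_SVC0 = 0xEF000000   # svc #0 (swi #0) in ARM state, condition AL
THUMB_SVC0 = 0xDF00     # svc #0 in Thumb state


def arm_rotated_imm(imm12):
    """Decode an ARM data-processing immediate: imm8 rotated right by 2*rot."""
    imm8 = imm12 & 0xFF
    rot = ((imm12 >> 8) & 0xF) * 2
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF


def find_svc_syscalls(code, base=0):
    """Return sorted (svc_address, mode, number, name) for every recognised site."""
    hits = []
    # ARM state: examine each aligned word pair "<load r7> ; svc #0".
    for off in range(0, len(code) - 7, 4):
        w0, w1 = struct.unpack_from("<II", code, off)
        if w1 != ARM_SVC0:
            continue
        nr = None
        if (w0 & 0xFFFFF000) == 0xE3A07000:          # mov r7, #imm   (E3A07xxx)
            nr = arm_rotated_imm(w0 & 0xFFF)
        elif (w0 & 0xFFFFF000) == 0xE59F7000:        # ldr r7, [pc, #imm12] (E59F7xxx)
            lit = off + 8 + (w0 & 0xFFF)              # pc reads as instruction + 8
            if lit + 4 <= len(code):
                nr = struct.unpack_from("<I", code, lit)[0]
        if nr is not None:
            hits.append((base + off + 4, "arm", nr, ARM_SYSCALLS.get(nr, "unknown")))
    # Thumb state: halfword pair "movs r7, #imm8 ; svc #0" (27xx DF00).
    for off in range(0, len(code) - 3, 2):
        h0, h1 = struct.unpack_from("<HH", code, off)
        if h1 == THUMB_SVC0 and (h0 & 0xFF00) == 0x2700:
            nr = h0 & 0xFF
            hits.append((base + off + 2, "thumb", nr, ARM_SYSCALLS.get(nr, "unknown")))
    return sorted(hits)


# Constructed sample, assembled by hand (little-endian); not from a real binary.
SAMPLE_CODE = b"".join([
    b"\x00\x00\xa0\xe1",   # 0x00: mov r0, r0 (nop)
    b"\x14\x70\xa0\xe3",   # 0x04: mov r7, #0x14                  -> __NR_getpid (the listing above)
    b"\x00\x00\x00\xef",   # 0x08: svc #0
    b"\x01\x7c\xa0\xe3",   # 0x0c: mov r7, #0x100 (imm8=1, rot=12) -> __NR_set_tid_address
    b"\x00\x00\x00\xef",   # 0x10: svc #0
    b"\x00\x70\x9f\xe5",   # 0x14: ldr r7, [pc, #0]               -> literal at 0x1c
    b"\x00\x00\x00\xef",   # 0x18: svc #0
    b"\x02\x00\x0f\x00",   # 0x1c: .word 0x000f0002               -> __ARM_NR_cacheflush
    b"\x14\x27\x00\xdf",   # 0x20: Thumb: movs r7, #0x14 ; svc #0
])

if __name__ == "__main__":
    for addr, mode, nr, name in find_svc_syscalls(SAMPLE_CODE):
        print("svc at 0x%04x (%s): syscall 0x%x %s" % (addr, mode, nr, name))
```

The article's pattern (Byte(i-7) with E3 A0 at i-4/i-5) is the rot == 0 case of arm_rotated_imm; the first sample pair is exactly that case, the second and third are the ones it cannot see. A real binary needs one more step the sample skips: run the Thumb scan only over ranges the symbol table or mapping symbols ($t/$a) mark as Thumb, otherwise ARM data words can produce spurious 27xx/DF00 matches.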

Please credit the source when reposting.
