Binder Hook
2018-05-12
Res2013
Finding the hook point
```java
// ActivityManagerNative.java
private static final Singleton<IActivityManager> gDefault = new
        Singleton<IActivityManager>() {
    protected IActivityManager create() {
        IBinder b = ServiceManager.getService("activity");
        if (false) {
            Log.v("ActivityManager", "default service binder = " + b);
        }
        IActivityManager am = asInterface(b);
        if (false) {
            Log.v("ActivityManager", "default service = " + am);
        }
        return am;
    }
};

static public IActivityManager asInterface(IBinder obj) {
    if (obj == null) {
        return null;
    }
    // Check whether a local (in-process) implementation exists for this IBinder
    IActivityManager in =
        (IActivityManager)obj.queryLocalInterface(descriptor);
    if (in != null) {
        return in;
    }
    return new ActivityManagerProxy(obj);
}
...

// ServiceManager.java
public static IBinder getService(String name) {
    try {
        IBinder service = sCache.get(name);
        if (service != null) {
            return service;
        } else {
            return getIServiceManager().getService(name);
        }
    } catch (RemoteException e) {
        Log.e(TAG, "error in getService", e);
    }
    return null;
}
```
- Forge an ActivityManagerNative system service object (an IActivityManager), so that asInterface() returns our forged service object.
- Make getService() return another forged object, an IBinder whose queryLocalInterface() method returns the forged service object from step 1.
- Put the IBinder object forged in step 2 into ServiceManager's cache sCache; that is all that is needed.
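The three steps above carried out with java.lang.reflect.Proxy, as an added example that is not part of the original post. It assumes a framework version where ActivityManagerNative.gDefault and the private ServiceManager.sCache field exist (before Android 8.0) and only logs the app's own IActivityManager calls before forwarding them to the real service; the class name ActivityManagerBinderHook and the log tag are made up here.

```java
import android.os.IBinder;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Map;

public final class ActivityManagerBinderHook {
    // Step 1: a dynamic proxy that stands in for the real IActivityManager. It logs
    // every call this app makes, then forwards the call to the real service.
    private static Object makeServiceProxy(Class<?> iActivityManager, Object realService) {
        return Proxy.newProxyInstance(iActivityManager.getClassLoader(),
                new Class<?>[] { iActivityManager },
                (proxy, method, args) -> {
                    Log.d("BinderHook", "IActivityManager." + method.getName() + " called");
                    return method.invoke(realService, args);
                });
    }

    // Step 2: an IBinder whose queryLocalInterface() hands back the step-1 proxy, so
    // asInterface() never wraps the real binder in ActivityManagerProxy. Every other
    // IBinder call is forwarded unchanged to the real binder.
    private static IBinder makeBinderProxy(IBinder realBinder, Object serviceProxy) {
        return (IBinder) Proxy.newProxyInstance(IBinder.class.getClassLoader(),
                new Class<?>[] { IBinder.class },
                (proxy, method, args) -> "queryLocalInterface".equals(method.getName())
                        ? serviceProxy : method.invoke(realBinder, args));
    }

    // Step 3: plant the step-2 binder in ServiceManager.sCache under the key "activity".
    // Run this before ActivityManagerNative.getDefault() is first used (for example from
    // Application.attachBaseContext()), because gDefault caches its first lookup.
    @SuppressWarnings("unchecked")
    public static void install() throws Exception {
        Class<?> serviceManager = Class.forName("android.os.ServiceManager");
        Method getService = serviceManager.getDeclaredMethod("getService", String.class);
        IBinder realBinder = (IBinder) getService.invoke(null, "activity");
        Class<?> iActivityManager = Class.forName("android.app.IActivityManager");
        Method asInterface = Class.forName("android.app.ActivityManagerNative")
                .getDeclaredMethod("asInterface", IBinder.class);
        Object realService = asInterface.invoke(null, realBinder);
        Object serviceProxy = makeServiceProxy(iActivityManager, realService);
        IBinder binderProxy = makeBinderProxy(realBinder, serviceProxy);
        Field cacheField = serviceManager.getDeclaredField("sCache");
        cacheField.setAccessible(true);
        ((Map<String, IBinder>) cacheField.get(null)).put("activity", binderProxy);
    }
}
```

The hook only changes how this process resolves the "activity" service; the framework and other apps keep talking to the real binder.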