Native hook mechanism in Android Bionic linker

Android Dynamic Framework : Native Hook Mechanism in Bionic Linker

Mai-Hsuan ChiaShih-Wei Liao

Department of Computer Science and Information EngineeringNational Taiwan University

Outline● Background● Motivation● Native Hook Mechanism● Experiment● Applications● Future works● Conclusion

Background● JNI● Android Dynamic Framework● Bionic

JNI● Enable Java code can call or can be called by native applications

Java method

Native functionC/C++

Java calls nativeclass HelloWorld { private native void print(); // print() is native function public static void main(String[] args) { new HelloWorld().print(); } static { System.loadLibrary("hello"); // This loads libhello.so }}

● A framework which is able to dynamically replace Java methods in ART Runtime without modifying APKs.

Android Dynamic Framework

Class A Class B

HookTable

...class linker

Method A1

Method A2

Method B1

Method B2

Class A Class B

HookTable

...class linker

Method A1

Method A2

Method B1

Method B2

0. Do linking

Class A Class B

HookTable

...class linker

Method A1

Method A2

Method B1

Method B2

1. Query HookTable

Class A Class B

HookTable

...class linker

Method A1

Method A2

Method B1

Method B2

Replace ClassA::A1 with ClassB::B1

1. Query HookTable

Class A Class B

HookTable

...class linker

Method A2

Method B1

Method B2

Method B1

2. Do method hooking

● C library in Android● Forked from BSDs rather than from GNU/Linux

○ To avoid license problems● Smaller● Faster

Bionic

● Components○ libc○ libm○ libdl (written from scratch)○ dynamic linker

■ /system/bin/linker (written from scratch)

Bionic

Motivation● Only Java methods can be replaced in Android Dynamic

Framework

Class A

Method A2

Method B1

Class B

Method B1

Method B2

libd.so

Func D1

Func D2

libe.so

Func E1

Func E2

(1) method hook

Method A3

libc.so

Func C1

Func C2

native call

hooking path

Class A

Method A2

Method B1

Class B

Method B1

Method B2

libd.so

Func D1

Func D2

libe.so

Func E1

Func E2

(1) method hook

Method A3

libc.so

Func C1

Func C2

native call

hooking path

Class A

Method A2

Method B1

Class B

Method B1

Method B2

libd.so

Func D1

Func D2

libe.so

Func E1

Func E2

(1) method hook

Method A3

libc.so

Func D1

Func C2

native call

hooking path

(2) dlopen native hook

(1) method hook

Class A

Method A2

Method B1

Class B

Method B1

Method B2

libd.so

Func D1

Func D2

libe.so

Func E1

Func E2

(1) method hook

Method A3

libc.so

Func D1

Func C2

native call

hooking path

(1) method hook

Class A

Method A2

Method B1

Class B

Method B1

Method B2

libd.so

Func D1

Func E2

libe.so

Func E1

Func E2

(1) method hook

Method A3

libc.so

Func D1

Func C2

native call

hooking path

(1) method hook

(3) native to native hook

Motivation● (1) method hook can be done in the existing Android Dynamic

Framework● However, (2) dlopen native hook and (3) native to native hook

cannot not be done.

Motivation● Native hook mechanism can do both (2) dlopen native hook and

(3) native to native hook

MotivationWith Native hook mechanism integrated,

Android Dynamic Framework can be more complete and powerful

Native hook mechanism● Implemented in Bionic Linker

Review● How Bionic Linker loads an executable● Dynamic linking flow● Dynamic loading flow

How Bionic Linker loads an executable

OS creates a process image● Based on the interpreter’s segments. high

Memory space

/system/bin/linker

linker

Linker links itself● __linker_init() high

Memory space

/system/bin/linker

Load the executable● __linker_init_post_relocation()

/system/bin/linker

Memory space

executable

Get needed libraries names ● __linker_init_post_relocation()

/system/bin/linker

Memory space

executable

.dynamic

DT_NEEDEDptr_to_liba1.so_nameDT_NEEDEDptr_to_liba2.so_name…DT_NULL

Get needed libraries names ● __linker_init_post_relocation()

/system/bin/linker

Memory space

executable

DT_NEEDEDptr_to_liba1.so_nameDT_NEEDEDptr_to_liba2.so_name…DT_NULL

.dynamic

char needed_libraries_names[] = {“liba1.so”, “liba2.so”

Load needed libraries● find_libaries(exe, needed_libraries_names)

○ step 1 : load libraries and build dependencies tree

liba1.so

liba2.so Loaded NotLoaded

liba1.so

liba2.so

libb1.so

libb2.so

libb3.solibb4.so

Loaded NotLoaded

liba1.so

liba2.so

libb2.so

libb3.solibb4.so

Loaded NotLoaded

libb1.so

liba1.so

liba2.so

libb2.so

libb3.solibb4.so

... Loaded NotLoaded

libb1.so

Load needed libraries

liba1.soexe liba2.so libb1.so libb2.so ...

● find_libaries(exe, needed_libraries_names)○ step 2 : turn dependencies tree into libraries_list in

Breadth First Search(BFS) order

libraries_listdependencies tree

Link the application and all libraries● find_libaries(exe, needed_libraries_names)

○ step 3 : relocate all to-be-relocated symbols in the application and libraries

foreach lib in libraries_list { foreach rel in lib.dynamic_relocation_table { symbol = rel.sym; soinfo_do_lookup(symbol, lib, libraries_list); }}

libraries_list

if sym_1 is defined in lib: sym_1 = lib.find(sym)else: lib = lib->next;

libraries_list

NOT FOUND

libraries_list

NOT FOUND

libraries_list

if sym_k is defined in lib: sym_k = lib.find(sym)else: lib = lib->next;

libraries_list

liba1.so

libraries_list

It is DONE until all libraries are linked

Jump to the application’s entry

/system/bin/linker

Memory space

executable

liba1.so

liba2.so

libb1.so

● jump to executable’s _start.

The executable is loaded successfully● And start to execute

/system/bin/linker

Memory space

liba1.so

liba2.so

libb1.so

.text section

_start:….….

executable

Bionic linker linking & loading flow● Dynamic linking flow● Dynamic loading flow

__linker_init_post_relocation

Dynamic linking

dlopen_ext

do_dlopen

find_library

find_libraries

find_library_internal

load_library

Dynamic loading

...load all libraries…relocate all symbols

Native hook mechanismModified codes are mainly in two parts

● Load hooking libraries in find_libraries()○ Init native_hook_table○ Look up native_hook_table○ Load hooking_library

● Replace hooked_symbol with hooking_symbol in soinfo_do_lookup()○ Look up native_hook_table○ Replace every hooked_symbol in hooked_library with hooking_symbol in

hooking_library

Native hook file formatin /system/nh_file.txt

< hooked_lib_name:hooked_symbol:hooking_lib_name:hooking_symbol >

System flow

hooking lib

nh_file

/system/bin/linker

__linker_init_post_relocation

find_libraries

init native_hook_table

look up native hook table

soinfo_do_lookup

look up native hook table

replace hooked symbol with hooking symbol

NewProcess

load hooking library

Load hooking libraries

linkerexe

liba1.so

liba1.so:hi:libhooking.so:ha...

Native Hook Table

linkerexe

liba1.so

Native Hook Table

0. load liba1.so

linkerexe

liba1.so

Native Hook Table

1. look up the native hook table

HOOKED LIB “liba1.so” FOUND

linkerexe

liba1.so

Native Hook Table

2. load libhooking.so

libhooking.so

Replace hooked_symbol with hooking_symbol

liba1.soexe liba2.so libhooking.so

libraries_list

Native Hook Table

hi halinker

0. relocate symbol

libraries_list

Native Hook Table

exehi ha

linker

NOT FOUNDhi

libraries_list

Native Hook Table

exehi ha

linker

FOUNDhi

libraries_list

Native Hook Table

exehi ha

linker

FOUNDhi

1. look up native hook table

liba1.so:hi is to be hooked

libraries_list

Native Hook Table

exehi ha

linker

2. find libhooking.so:ha

libraries_list

Native Hook Table

exehi ha

linker

3. relocate hooked_symbol “hi” with the hooking_symbol “ha”

// in libnativehook.so

#include “native_hook.h”

void* find_lib_symbol(char* lib_name, char* symbol){

// Using dl_iterate_phdr() to get the symbol’s address// in the loaded library whose name is lib_name.…return ptr_to_symbol;

Before/After hook SDK

How find_lib_symbol() works ?With the following facts, we can get the hooked_symbol in hooked_library with dl_iterate_phdr(callback, void* data)

● hooked_lib is loaded in the memory● dl_iterate_phdr()iterates all loaded libraries in the process, and get each

library’s program header and base address.● With library’s program header, we can get .dynamic segment, and therefore we get

.dynstr and .dynsym section● With .dynsym and .dynstr, we can find the offset of hooked_symbol in hooked_lib.● hooked_symbol_addr = base address + offset

// in libmine.so#include “native_hook.h”

double my_sin(double x){

char hooked_lib[] = "/system/lib/libm.so";char hooked_symbol[] = "sin";double (*hooked_sin)(double) = find_lib_symbol(hooked_lib, hooked_symbol);

/* before hook : you can do something before calling hooked_func */

double result = hooked_sin(x);/*

after hook : you can do something after calling hooked_func */

result += 5566;

return result;}

After hook example

After hook example// in main.c

#include <math.h>#include <stdio.h>#define PI 3.14159265

int main(void){

double angle = 30.0;double result = sin((angle * PI) /

180);printf(“sin(%lf) = %lf\n”, angle,

result);return 0;

libm.so:sin:libmine.so:my_sin...

Native Hook Table

$ ./mainsin(30.000000) = 5566.500000

double my_sin(double x){

char hooked_lib[] = "/system/lib/libm.so";char hooked_symbol[] = "sin";static void* cache_ptr = NULL;double (*hooked_sin)(double) = NULL;if (cache_ptr) {

hooked_sin = cache_ptr;} else {

hooked_sin = find_lib_symbol(hooked_lib, hooked_symbol);}if (hooked_sin) {

cache_ptr = (void*)hooked_sin;}double result = hooked_sin(x);result += 5566;return result;

Before/After hook with cache

Experiment1,000 100,000 1,000,000 10,000,000

Baseline 0.10 0.14 0.52 4.07

Normal hook 0.20 0.23 0.60 4.15

Before/After hook without cache 0.25 1.9 17.12 169.03

Before/After hook with cache 0.22 0.24 0.69 4.77

iterations

Experiment169.03

Applications● Profiling● Boosting apps performance● Security sandbox

Profiling

Target function

Before hook

After hook

● Input Distribution Analysis

● Function call Analysis

● Output Analysis

● Hook functions that affect the performance of applications in Android

● Scenario○ Functions in libm.so are not good enough for some special

purpose, we can hook the function with the optimized one.

Boosting apps performance

libm_opt.so

optimized_sin:...

libbenchmark.so

getScore:…call <sin>

libm.so

sin:...

libm_opt.so

optimized_sin:...

libbenchmark.so

getScore:…call <sin>

libm.so

sin:...

Replace ‘sin’ with ‘optimized_sin’

Security sandbox● Use “before hook” to hook the open()in libc● Examine the filename and other parameters in advance

○ If the to-be-written file is a critical file, we let the app open another file to write without consciousness.

Security sandbox

f = open(“/data/critical.txt”, ‘w’);...

modifying critical.txt ...

Sandbox

Security sandbox

Sandbox

/data/critical.txt should not be modified.

Security sandbox

Sandbox

f = open(“/data/another.txt”, ‘w’);

In the sandbox, app is deceived to write to “/data/another.txt” instead of

“/data/critical.txt”.

Security sandbox

Sandbox

f = open(“/data/another.txt”, ‘w’);

f = open(“/data/another.txt”, ‘w’);...

modifying another.txt ...

● Provide more easy-to-use API for Native Hook in Android○ Native Hook SDK

Future works

● Completely integrate Native Hook into Android Dynamic Framework○ Provide hooking between Java method and native functions.

Future works

Integrated Hook Table

liba.so:funca:libb.so:funcb # hook native to nativeclassA:methoda:classB:methodb # hook java to javaclassA:methoda:libb.so:funcb # hook java to nativelibb.so:funcb:classA:methoda # hook native to java

Conclusion● Native Hook mechanism is a strong and useful framework in

Android allowing developers to replace native functions at runtime without modifying the existing functions.

● Native Hook is more powerful than Java method hook mechanisms because it is implemented in Bionic Linker.

● With Before/After hook mechanism, you can do whatever you want before/after any existing function.

● With Native Hook enabled, it suffers only little overhead to load nh_file and hooking libraries.

Thank you for your listening

Backup slides

void* find_lib_symbol(char* lib_name, char* symbol){

// Using dl_iterate_phdr() to get the symbol’s address// in the loaded library whose name is lib_name.static void* unordered_map<std::string, void*> cache = nullptr;std::string lib_symbol = std::string(lib_name) + symbol;if (cache) {

unordered_map<std::string, void*>::iterator it = cache.find(lib_symbol);if (it != cache.end()) {

return it->second;}

}…// find ptr_to_symbolif (ptr_to_symbol) {

cache[lib_symbol] = ptr_to_symbol;}return ptr_to_symbol;

Before/After hook with cache in find_lib_symbol

libraries_list

Native Hook Table

exehi ha

linker

FOUNDhi

liba1.so:hi is to be hooked

2. find libhooking.so:ha

Native hook mechanism in Android Bionic linker

Engineering

Transcript of Native hook mechanism in Android Bionic linker

Bionic Architecture

Bionic finger

bionic - Mikodental

A BIONIC LIFTER HATÓELV A - wellstarsiker.hu06 BYAS - BIONIC YOUTH ACTIVATING SYSTEM BYAS - BIONIC YOUTH ACTIVATING SYSTEM 07 A BIONIC LIFTER HATÓELV A hatóanyagok mélyebb bőrrétegekbe

Bionic Arm

Bionic 880

Bionic Arduino

Bionic Guide6

Dynamic Linker

Can progressive Hearing Awareness Donor list Edition 2017 ... · Spring Edition 2017 BIONIC CONNECTIONS From a bionic ear to a bionic era 5 Bionic Connections | Spring 2017 Bionic

Bionic Body.doc

POWER-LINKER POWER-LINKER GROUP CO’s GROUNDING SYSTEM … 1.pdf · 3 power-linker power- linker group power-linker group co’s •in an electrical system, close to 70% to 80% of

Bionic, reverse / Bionic, revers

Bionic Arm2

Bionic Guide1

Bionic Limbs

Bionic Manual

Bionic Eye

Bionic Guide2

Bionic technology