Merge pull request #59 from WaterlooBridge/master

asLody · web-flow · commit 6a661b27cc4c · 2020-12-13T14:13:56.000+08:00
Feature: add support for Android Q and R
diff --git a/whale/src/android/android_build.h b/whale/src/android/android_build.h
@@ -20,6 +20,8 @@
 #define ANDROID_O                       26
 #define ANDROID_O_MR1                   27
 #define ANDROID_P                       28
+#define ANDROID_Q                       29
+#define ANDROID_R                       30
 
 static inline int32_t GetAndroidApiLevel() {
     char prop_value[PROP_VALUE_MAX];
diff --git a/whale/src/android/art/art_runtime.cc b/whale/src/android/art/art_runtime.cc
@@ -54,7 +54,13 @@ bool ArtRuntime::OnLoad(JavaVM *vm, JNIEnv *env, jclass java_class) {
     }
     api_level_ = GetAndroidApiLevel();
     PreLoadRequiredStuff(env);
-    const char *art_path = kLibArtPath;
+    const char *art_path;
+    if (api_level_ >= ANDROID_R)
+        art_path = kLibArtPath_R;
+    else if (api_level_ >= ANDROID_Q)
+        art_path = kLibArtPath_Q;
+    else
+        art_path = kLibArtPath;
     art_elf_image_ = WDynamicLibOpen(art_path);
     if (art_elf_image_ == nullptr) {
         LOG(ERROR) << "Unable to read data from libart.so.";
@@ -70,6 +76,9 @@ bool ArtRuntime::OnLoad(JavaVM *vm, JNIEnv *env, jclass java_class) {
     size_t entrypoint_filed_size = (api_level_ <= ANDROID_LOLLIPOP) ? 8
                                                                     : kPointerSize;
     u4 expected_access_flags = kAccPrivate | kAccStatic | kAccNative;
+    if (api_level_ >= ANDROID_Q)
+            expected_access_flags |= kAccPublicApi;
+    hookEncodeArtMethod();
     jmethodID reserved0 = env->GetStaticMethodID(java_class, kMethodReserved0, "()V");
     jmethodID reserved1 = env->GetStaticMethodID(java_class, kMethodReserved1, "()V");
 
@@ -235,6 +244,9 @@ ArtRuntime::HookMethod(JNIEnv *env, jclass decl_class, jobject hooked_java_metho
     if (api_level_ >= ANDROID_P) {
         access_flags &= ~kAccCriticalNative_P;
     }
+    if (api_level_ >= ANDROID_Q) {
+        access_flags &= ~kAccFastInterpreterToInterpreterInvoke;
+    }
     hooked_method.SetAccessFlags(access_flags);
     hooked_method.SetEntryPointFromQuickCompiledCode(
             class_linker_objects_.quick_generic_jni_trampoline_
@@ -457,6 +469,21 @@ ALWAYS_INLINE bool ArtRuntime::EnforceDisableHiddenAPIPolicyImpl() {
     if (symbol) {
         WInlineHookFunction(symbol, reinterpret_cast<void *>(OnInvokeHiddenAPI), nullptr);
     }
+    // Android Q : Release version
+    symbol = WDynamicLibSymbol(
+            art_elf_image_,
+            "_ZN3art9hiddenapi6detail28ShouldDenyAccessToMemberImplINS_8ArtFieldEEEbPT_NS0_7ApiListENS0_12AccessMethodE"
+    );
+    if (symbol) {
+        WInlineHookFunction(symbol, reinterpret_cast<void *>(OnInvokeHiddenAPI), nullptr);
+    }
+    symbol = WDynamicLibSymbol(
+            art_elf_image_,
+            "_ZN3art9hiddenapi6detail28ShouldDenyAccessToMemberImplINS_9ArtMethodEEEbPT_NS0_7ApiListENS0_12AccessMethodE"
+    );
+    if (symbol) {
+        WInlineHookFunction(symbol, reinterpret_cast<void *>(OnInvokeHiddenAPI), nullptr);
+    }
     return symbol != nullptr;
 }
 
@@ -491,5 +518,19 @@ void ArtRuntime::FixBugN() {
     is_hooked = true;
 }
 
+jmethodID OnInvokeEncodeMethodId(void *thiz, void *method) {
+    return reinterpret_cast<jmethodID>(method);
+}
+
+void ArtRuntime::hookEncodeArtMethod() {
+    void *symbol = nullptr;
+    symbol = WDynamicLibSymbol(art_elf_image_,
+                               "_ZN3art3jni12JniIdManager14EncodeMethodIdEPNS_9ArtMethodE");
+    if (symbol) {
+        WInlineHookFunction(symbol, reinterpret_cast<void *>(OnInvokeEncodeMethodId),
+                            nullptr);
+    }
+}
+
 }  // namespace art
 }  // namespace whale
diff --git a/whale/src/android/art/art_runtime.h b/whale/src/android/art/art_runtime.h
@@ -17,11 +17,15 @@
 static constexpr const char *kAndroidLibDir = "/system/lib64/";
 static constexpr const char *kLibNativeBridgePath = "/system/lib64/libnativebridge.so";
 static constexpr const char *kLibArtPath = "/system/lib64/libart.so";
+static constexpr const char *kLibArtPath_Q = "/apex/com.android.runtime/lib64/libart.so";
+static constexpr const char *kLibArtPath_R = "/apex/com.android.art/lib64/libart.so";
 static constexpr const char *kLibAocPath = "/system/lib64/libaoc.so";
 static constexpr const char *kLibHoudiniArtPath = "/system/lib64/arm64/libart.so";
 #else
 static constexpr const char *kAndroidLibDir = "/system/lib/";
 static constexpr const char *kLibArtPath = "/system/lib/libart.so";
+static constexpr const char *kLibArtPath_Q = "/apex/com.android.runtime/lib/libart.so";
+static constexpr const char *kLibArtPath_R = "/apex/com.android.art/lib/libart.so";
 static constexpr const char *kLibAocPath = "/system/lib/libaoc.so";
 static constexpr const char *kLibHoudiniArtPath = "/system/lib/arm/libart.so";
 #endif
@@ -127,6 +131,8 @@ class ArtRuntime final {
 
     void FixBugN();
 
+    void hookEncodeArtMethod();
+
  private:
     JavaVM *vm_;
     jclass java_class_;
diff --git a/whale/src/android/art/art_symbol_resolver.cc b/whale/src/android/art/art_symbol_resolver.cc
@@ -106,7 +106,7 @@ bool ArtSymbolResolver::Resolve(void *elf_image, s4 api_level) {
         FIND_SYMBOL(kArt_Object_CloneWithSize, symbols_.Object_CloneWithSize, false);
     }
     if (symbols_.Object_Clone == nullptr) {
-        FIND_SYMBOL(kArt_Object_CloneWithClass, symbols_.Object_CloneWithClass, true);
+        FIND_SYMBOL(kArt_Object_CloneWithClass, symbols_.Object_CloneWithClass, false);
     }
     FIND_SYMBOL(kArt_DecodeJObject, symbols_.Thread_DecodeJObject, true);
     FIND_SYMBOL(kArt_JniEnvExt_NewLocalRef, symbols_.JniEnvExt_NewLocalRef, true);
diff --git a/whale/src/android/art/modifiers.h b/whale/src/android/art/modifiers.h
@@ -38,6 +38,7 @@ static constexpr uint32_t kAccFastNative = 0x00080000u;   // method (dex only)
 static constexpr uint32_t kAccPreverified = kAccFastNative;  // class (runtime)
 static constexpr uint32_t kAccSkipAccessChecks = kAccPreverified;
 static constexpr uint32_t kAccCriticalNative_P = 0x00200000;  // method (runtime; native only)
+static constexpr uint32_t kAccFastInterpreterToInterpreterInvoke = 0x40000000;
 // Android M only
 static constexpr uint32_t kAccDontInline = 0x00400000u;  // method (dex only)
 // Android N or later. Set by the verifier for a method we do not want the compiler to compile.
diff --git a/whale/src/dbi/hook_common.cc b/whale/src/dbi/hook_common.cc
@@ -36,7 +36,7 @@ void InterceptSysCallHook::StartHook() {
     bool stop_foreach = false;
 #if defined(linux)
     ForeachMemoryRange(
-            [&](uintptr_t begin, uintptr_t end, char *perm, char *mapname) -> bool {
+            [&](uintptr_t begin, uintptr_t end, uintptr_t offset, char *perm, char *mapname) -> bool {
                 if (strstr(perm, "x") && strstr(perm, "r")) {
                     if (callback_(mapname, &stop_foreach)) {
                         FindSysCalls(begin, end);
diff --git a/whale/src/platform/linux/process_map.cc b/whale/src/platform/linux/process_map.cc
@@ -11,7 +11,7 @@ std::unique_ptr<MemoryRange> FindFileMemoryRange(const char *name) {
     std::unique_ptr<MemoryRange> range(new MemoryRange);
     range->base_ = UINTPTR_MAX;
     ForeachMemoryRange(
-            [&](uintptr_t begin, uintptr_t end, char *perm, char *mapname) -> bool {
+            [&](uintptr_t begin, uintptr_t end, uintptr_t offset, char *perm, char *mapname) -> bool {
                 if (strstr(mapname, name)) {
                     if (range->path_ == nullptr) {
                         range->path_ = strdup(mapname);
@@ -31,23 +31,27 @@ std::unique_ptr<MemoryRange> FindFileMemoryRange(const char *name) {
 std::unique_ptr<MemoryRange> FindExecuteMemoryRange(const char *name) {
     std::unique_ptr<MemoryRange> range(new MemoryRange);
     ForeachMemoryRange(
-            [&](uintptr_t begin, uintptr_t end, char *perm, char *mapname) -> bool {
+            [&](uintptr_t begin, uintptr_t end, uintptr_t offset, char *perm, char *mapname) -> bool {
                 if (strncmp(mapname, "/system/fake-libs/", 18) == 0) {
                     return true;
                 }
-                if (strstr(mapname, name) && strstr(perm, "x") && strstr(perm, "r")) {
-                    range->path_ = strdup(mapname);
-                    range->base_ = begin;
-                    range->end_ = end;
-                    return false;
+                if (strstr(mapname, name)) {
+                    //find the correct base address
+                    if (offset == 0) {
+                        range->path_ = strdup(mapname);
+                        range->base_ = begin;
+                        range->end_ = end;
+                    }
+                    if (strstr(perm, "x"))
+                        return false;
                 }
                 return true;
             });
     return range;
 }
 
 void
-ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, char *, char *)> callback) {
+ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, uintptr_t offset, char *, char *)> callback) {
     FILE *f;
     if ((f = fopen("/proc/self/maps", "r"))) {
         char buf[PATH_MAX], perm[12] = {'\0'}, dev[12] = {'\0'}, mapname[PATH_MAX] = {'\0'};
@@ -58,7 +62,7 @@ ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, char *, char *)> cal
                 break;
             sscanf(buf, "%lx-%lx %s %lx %s %ld %s", &begin, &end, perm,
                    &foo, dev, &inode, mapname);
-            if (!callback(begin, end, perm, mapname)) {
+            if (!callback(begin, end, foo, perm, mapname)) {
                 break;
             }
         }
@@ -69,7 +73,7 @@ ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, char *, char *)> cal
 bool IsFileInMemory(const char *name) {
     bool found = false;
     ForeachMemoryRange(
-            [&](uintptr_t begin, uintptr_t end, char *perm, char *mapname) -> bool {
+            [&](uintptr_t begin, uintptr_t end, uintptr_t offset, char *perm, char *mapname) -> bool {
                 if (strstr(mapname, name)) {
                     found = true;
                     return false;
diff --git a/whale/src/platform/linux/process_map.h b/whale/src/platform/linux/process_map.h
@@ -37,7 +37,7 @@ std::unique_ptr<MemoryRange> FindExecuteMemoryRange(const char *name);
 
 std::unique_ptr<MemoryRange> FindFileMemoryRange(const char *name);
 
-void ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, char *, char *)> callback);
+void ForeachMemoryRange(std::function<bool(uintptr_t, uintptr_t, uintptr_t, char *, char *)> callback);
 
 }  // namespace whale
 

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ bool ArtSymbolResolver::Resolve(void *elf_image, s4 api_level) {`
`106`	`106`	`FIND_SYMBOL(kArt_Object_CloneWithSize, symbols_.Object_CloneWithSize, false);`
`107`	`107`	`}`
`108`	`108`	`if (symbols_.Object_Clone == nullptr) {`
`109`		`- FIND_SYMBOL(kArt_Object_CloneWithClass, symbols_.Object_CloneWithClass, true);`
	`109`	`+ FIND_SYMBOL(kArt_Object_CloneWithClass, symbols_.Object_CloneWithClass, false);`
`110`	`110`	`}`
`111`	`111`	`FIND_SYMBOL(kArt_DecodeJObject, symbols_.Thread_DecodeJObject, true);`
`112`	`112`	`FIND_SYMBOL(kArt_JniEnvExt_NewLocalRef, symbols_.JniEnvExt_NewLocalRef, true);`