This is another way to bypass the restriction of calling dl functions for system lib.

Related tags

Utilities bypass_dlfunctions
Overview

简介

在Android7.0以及以上的版本中,dlfcn.h头文件中dlopen, dlsym函数已经无法在系统库上使用。

比较常见的规避方法是,先通过maps文件找到so文件对应起始地址,然后通过解析elf 文件,得到函数的偏移量,起始地址加上偏移量就算出函数的真实地址。

具体实现方式是:Nougat_dlfunctions。不过,这种方法偶尔会不太靠谱,要么是起始地址计算错误,要么是偏移量计算不准确。

这里,通过修改入口函数的LR寄存器的值,欺骗系统认为这是从系统库里发起调用的,从而实现绕过系统的限制。

支持版本

系统:Android 4-11

架构:Arm32和Arm64 (x86,x64等暂不支持)

使用

在cmake文件中引入:

set(bypass_dlfcn_root_dir ${CMAKE_CURRENT_SOURCE_DIR}/../../../../lib)
add_subdirectory(${bypass_dlfcn_root_dir} bypasss_dlfcn)
include_directories(${bypass_dlfcn_root_dir}/include/)
target_link_libraries(
        your_lib
        bypass_dlfcn)

在代码中导入头文件:

#include "bypass_dlfcn.h"

使用头文件中的接口代替dlfcn.h中的接口:

void *bp_dlopen(const char *filename, int flag);
int bp_dlclose(void *handle);
const char *bp_dlerror(void);
void *bp_dlsym(void *handle, const char *symbol);
int bp_dladdr(const void *ddr, Dl_info *info);

License

MIT License

致谢

  1. Nougat_dlfunctions
You might also like...
A wrapper around std::variant with some helper functions

A wrapper around std::variant with some helper functions

Eyal Amir 1 Oct 30, 2021
LXC Manager provide a set of functions to visually manage LXC unprivileged containers.

LXC Manager provide a set of functions to visually manage LXC unprivileged containers. The applciation use LXC Api to manage LXC. To use the application you must have LXC installed on your linux machine.

Peter Cata 4 Dec 14, 2022
C implementation of C++ Utility functions Integer Comparison Macros

C implementation of C++ Utility functions Integer Comparison Macros

Robert C. Seacord 21 Oct 31, 2022
Locate the current executable and the current module/library on the file system

Where Am I? A drop-in two files library to locate the current executable and the current module on the file system. Supported platforms: Windows Linux

Gregory Pakosz 382 Dec 27, 2022
A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.
A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.

FindObjects-BOF A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process

Outflank B.V. 247 Dec 28, 2022
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.

WdToggle A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Creden

Outflank B.V. 205 Dec 3, 2022
Hexagonal hierarchical geospatial indexing system

H3: A Hexagonal Hierarchical Geospatial Indexing System H3 is a geospatial indexing system using a hexagonal grid that can be (approximately) subdivid

Uber Open Source 3.8k Dec 30, 2022
AlleyWind is an advanced Win32-based and open-sourced utility that helps you to manage system's windows
AlleyWind is an advanced Win32-based and open-sourced utility that helps you to manage system's windows

AlleyWind AlleyWind is an advanced Win32-based and open-sourced utility that helps you to manage system's windows. AlleyWind could: Displays a graphic

KNSoft 22 Oct 20, 2022
A System Fetching Program written in C.
A System Fetching Program written in C.

A System Fetching Program written in C.

ABHacker Official 7 Nov 24, 2022
Comments
  • 有个更简单的办法设置 `caller_addr`

    有个更简单的办法设置 `caller_addr` 

    extern "C" [[gnu::weak]] void *
__loader_dlopen(const char *filename, int flags, const void *caller_addr);

    这样声明一下,然后就能随便调用:

    auto art = searchFromMaps("/proc/self/maps", "libart.so");
void* handle = __loader_dlopen(art.path.c_str(), 0, art.base);

    其中 searchFromMaps 就是从 maps 中搜一个 so 的基地址。随便用个系统库都行。

    opened by yujincheng08 1
Owner
Wind
Wind
GitHub
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

NoPatchGuardCallback x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code Read: https://www.godeye.club/2021/05/22/00

Kento Oki 139 Dec 26, 2022
PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

wowInjector Inject payload to WOW64(Windows 32 on Windows 64) process via exploit 32-bit thread snapshot. This trick makes us possible to do malicious

Sheng-Hao Ma 145 Nov 9, 2022
A fast phone number lib for Ruby (binds to Google's C++ libphonenumber)

MiniPhone A Ruby gem which plugs directly into Google's native C++ libphonenumber for extremely fast and robust phone number parsing, validation, and

Ian Ker-Seymer 148 Dec 28, 2022
a cpp lib for csv reading and writing

CSV Reader and Writer Author : csl E-Mail : [email protected] OverView Comma separated values (CSV, sometimes called character separated values, becau

null 0 Apr 3, 2022
Yet another ratio espresso scale

SofronioEspressoRatioScale Yet another ratio espresso scale

Sofronio 6 Oct 5, 2022
yark - Yet Another RootKit

yark - Yet Another RootKit How to Build Requirements In order to build the kernel module, you need to install the kernel-headers package corresponding

imlk 16 Nov 9, 2022
runsc loads 32/64 bit shellcode (depending on how runsc is compiled) in a way that makes it easy to load in a debugger. This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras.

runsc This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras and contains additional functionality. T

null 24 Nov 9, 2022
The goal of insidesp is to do fast point in polygon classification, the sp way.

insidesp The goal of insidesp is to do fast point in polygon classification, the sp way. We are comparing a few ways of implementing this, essentially

diminutive 2 Nov 12, 2021
Quick check of NT kernel exported&unexported functions/global variable offset

NT内核导出以及未导出函数-全局变量偏移速查 Quick check of NT kernel exported&unexported functions/global variable offset System目录下有已经完成的偏移 可以在线速查 There are already comple

不想加班劉 71 Dec 29, 2022
This project aims to code a C library regrouping usual functions.

42-formation-lvl1-1.libft Project 1 - Libft - First project for the formation of software engineers at school 42 São Paulo This project aims to code a

Vinicius Naziozeno Santoro do Rio 1 Jun 20, 2022