| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | #include <dlfcn.h>
 | 
					
						
							| 
									
										
										
										
											2021-10-27 01:53:16 -07:00
										 |  |  | #include <sys/mount.h>
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | #include <xhook.h>
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | #include <bitset>
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | #include <utils.hpp>
 | 
					
						
							| 
									
										
										
										
											2021-09-07 19:35:28 -07:00
										 |  |  | #include <flags.h>
 | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  | #include <daemon.hpp>
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-05 03:53:11 -07:00
										 |  |  | #include "zygisk.hpp"
 | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  | #include "memory.hpp"
 | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | #include "module.hpp"
 | 
					
						
							| 
									
										
										
										
											2021-10-27 03:54:48 -07:00
										 |  |  | #include "deny/deny.hpp"
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  | using namespace std; | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  | using jni_hook::hash_map; | 
					
						
							|  |  |  | using jni_hook::tree_map; | 
					
						
							|  |  |  | using xstring = jni_hook::string; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | // Extreme verbose logging
 | 
					
						
							| 
									
										
										
										
											2021-10-27 03:57:36 -07:00
										 |  |  | //#define ZLOGV(...) ZLOGD(__VA_ARGS__)
 | 
					
						
							|  |  |  | #define ZLOGV(...)
 | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  | static bool unhook_functions(); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | namespace { | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | enum { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     DO_UNMOUNT, | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     FORK_AND_SPECIALIZE, | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     APP_SPECIALIZE, | 
					
						
							|  |  |  |     SERVER_SPECIALIZE, | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     CAN_DLCLOSE, | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     FLAG_MAX | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | #define DCL_PRE_POST(name) \
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | void name##_pre();         \ | 
					
						
							|  |  |  | void name##_post(); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  | struct HookContext { | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     JNIEnv *env; | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  |     union { | 
					
						
							| 
									
										
										
										
											2021-10-05 03:53:11 -07:00
										 |  |  |         AppSpecializeArgsImpl *args; | 
					
						
							|  |  |  |         ServerSpecializeArgsImpl *server_args; | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  |         void *raw_args; | 
					
						
							|  |  |  |     }; | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     const char *process; | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     vector<ZygiskModule> modules; | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     bitset<FLAG_MAX> state; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     int pid; | 
					
						
							|  |  |  |     uint32_t flags; | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     HookContext() : pid(-1), flags(0) {} | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     static void close_fds(); | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     void unload_zygisk(); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     DCL_PRE_POST(fork) | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     void run_modules_pre(const vector<int> &fds); | 
					
						
							|  |  |  |     void run_modules_post(); | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     DCL_PRE_POST(nativeForkAndSpecialize) | 
					
						
							|  |  |  |     DCL_PRE_POST(nativeSpecializeAppProcess) | 
					
						
							|  |  |  |     DCL_PRE_POST(nativeForkSystemServer) | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  | }; | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | #undef DCL_PRE_POST
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | struct StringCmp { | 
					
						
							|  |  |  |     using is_transparent = void; | 
					
						
							|  |  |  |     bool operator()(string_view a, string_view b) const { return a < b; } | 
					
						
							|  |  |  | }; | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | // Global variables
 | 
					
						
							|  |  |  | vector<tuple<const char *, const char *, void **>> *xhook_list; | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | map<string, vector<JNINativeMethod>, StringCmp> *jni_hook_list; | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | hash_map<xstring, tree_map<xstring, tree_map<xstring, void *>>> *jni_method_map; | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | // Current context
 | 
					
						
							|  |  |  | HookContext *g_ctx; | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | const JNINativeInterface *old_functions; | 
					
						
							|  |  |  | JNINativeInterface *new_functions; | 
					
						
							| 
									
										
										
										
											2021-01-09 20:39:59 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-17 20:00:31 +08:00
										 |  |  | #define HOOK_JNI(method)                                                                     \
 | 
					
						
							|  |  |  | if (methods[i].name == #method##sv) {                                                        \ | 
					
						
							|  |  |  |     int j = 0;                                                                               \ | 
					
						
							|  |  |  |     for (; j < method##_methods_num; ++j) {                                                  \ | 
					
						
							|  |  |  |         if (strcmp(methods[i].signature, method##_methods[j].signature) == 0) {              \ | 
					
						
							|  |  |  |             jni_hook_list->try_emplace(className).first->second.push_back(methods[i]);       \ | 
					
						
							|  |  |  |             method##_orig = methods[i].fnPtr;                                                \ | 
					
						
							|  |  |  |             newMethods[i] = method##_methods[j];                                             \ | 
					
						
							|  |  |  |             ZLOGI("replaced %s#" #method "\n", className);                                   \ | 
					
						
							|  |  |  |             --hook_cnt;                                                                      \ | 
					
						
							|  |  |  |             break;                                                                           \ | 
					
						
							|  |  |  |         }                                                                                    \ | 
					
						
							|  |  |  |     }                                                                                        \ | 
					
						
							|  |  |  |     if (j == method##_methods_num) {                                                         \ | 
					
						
							|  |  |  |         ZLOGE("unknown signature of %s#" #method ": %s\n", className, methods[i].signature); \ | 
					
						
							|  |  |  |     }                                                                                        \ | 
					
						
							|  |  |  |     continue;                                                                                \ | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | // JNI method hook definitions, auto generated
 | 
					
						
							|  |  |  | #include "jni_hooks.hpp"
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | #undef HOOK_JNI
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | jclass gClassRef; | 
					
						
							|  |  |  | jmethodID class_getName; | 
					
						
							|  |  |  | string get_class_name(JNIEnv *env, jclass clazz) { | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     if (!gClassRef) { | 
					
						
							|  |  |  |         jclass cls = env->FindClass("java/lang/Class"); | 
					
						
							|  |  |  |         gClassRef = (jclass) env->NewGlobalRef(cls); | 
					
						
							|  |  |  |         env->DeleteLocalRef(cls); | 
					
						
							|  |  |  |         class_getName = env->GetMethodID(gClassRef, "getName", "()Ljava/lang/String;"); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     auto nameRef = (jstring) env->CallObjectMethod(clazz, class_getName); | 
					
						
							|  |  |  |     const char *name = env->GetStringUTFChars(nameRef, nullptr); | 
					
						
							|  |  |  |     string className(name); | 
					
						
							|  |  |  |     env->ReleaseStringUTFChars(nameRef, name); | 
					
						
							|  |  |  |     std::replace(className.begin(), className.end(), '.', '/'); | 
					
						
							|  |  |  |     return className; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // -----------------------------------------------------------------
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | #define DCL_HOOK_FUNC(ret, func, ...) \
 | 
					
						
							|  |  |  | ret (*old_##func)(__VA_ARGS__);       \ | 
					
						
							|  |  |  | ret new_##func(__VA_ARGS__) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | jint env_RegisterNatives( | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |         JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint numMethods) { | 
					
						
							|  |  |  |     auto className = get_class_name(env, clazz); | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |     ZLOGV("JNIEnv->RegisterNatives [%s]\n", className.data()); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     auto newMethods = hookAndSaveJNIMethods(className.data(), methods, numMethods); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     return old_functions->RegisterNatives(env, clazz, newMethods.get() ?: methods, numMethods); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | DCL_HOOK_FUNC(int, jniRegisterNativeMethods, | 
					
						
							|  |  |  |         JNIEnv *env, const char *className, const JNINativeMethod *methods, int numMethods) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |     ZLOGV("jniRegisterNativeMethods [%s]\n", className); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     auto newMethods = hookAndSaveJNIMethods(className, methods, numMethods); | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  |     return old_jniRegisterNativeMethods(env, className, newMethods.get() ?: methods, numMethods); | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | // Skip actual fork and return cached result if applicable
 | 
					
						
							| 
									
										
										
										
											2021-11-02 21:53:33 -07:00
										 |  |  | // Also unload first stage zygisk if necessary
 | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | DCL_HOOK_FUNC(int, fork) { | 
					
						
							| 
									
										
										
										
											2021-11-02 21:53:33 -07:00
										 |  |  |     unload_first_stage(); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     return (g_ctx && g_ctx->pid >= 0) ? g_ctx->pid : old_fork(); | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-27 03:54:48 -07:00
										 |  |  | // Unmount stuffs in the process's private mount namespace
 | 
					
						
							| 
									
										
										
										
											2021-10-27 01:53:16 -07:00
										 |  |  | DCL_HOOK_FUNC(int, unshare, int flags) { | 
					
						
							|  |  |  |     int res = old_unshare(flags); | 
					
						
							| 
									
										
										
										
											2021-12-05 09:52:25 +08:00
										 |  |  |     if (g_ctx && (flags & CLONE_NEWNS) != 0 && res == 0) { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         if (g_ctx->state[DO_UNMOUNT]) { | 
					
						
							| 
									
										
										
										
											2021-10-27 03:54:48 -07:00
										 |  |  |             revert_unmount(); | 
					
						
							|  |  |  |         } else { | 
					
						
							|  |  |  |             umount2("/system/bin/app_process64", MNT_DETACH); | 
					
						
							|  |  |  |             umount2("/system/bin/app_process32", MNT_DETACH); | 
					
						
							| 
									
										
										
										
											2021-08-19 04:55:17 -07:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-10-27 03:54:48 -07:00
										 |  |  |     return res; | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  | // A place to clean things up before zygote evaluates fd table
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | DCL_HOOK_FUNC(void, android_log_close) { | 
					
						
							|  |  |  |     HookContext::close_fds(); | 
					
						
							|  |  |  |     old_android_log_close(); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  | // Last point before process secontext changes
 | 
					
						
							|  |  |  | DCL_HOOK_FUNC(int, selinux_android_setcontext, | 
					
						
							|  |  |  |         uid_t uid, int isSystemServer, const char *seinfo, const char *pkgname) { | 
					
						
							|  |  |  |     if (g_ctx) { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         g_ctx->state[CAN_DLCLOSE] = unhook_functions(); | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     } | 
					
						
							|  |  |  |     return old_selinux_android_setcontext(uid, isSystemServer, seinfo, pkgname); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | // -----------------------------------------------------------------
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  | // The original android::AppRuntime virtual table
 | 
					
						
							|  |  |  | void **gAppRuntimeVTable; | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | // This method is a trampoline for hooking JNIEnv->RegisterNatives
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  | void onVmCreated(void *self, JNIEnv* env) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |     ZLOGD("AppRuntime::onVmCreated\n"); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  |     // Restore virtual table
 | 
					
						
							|  |  |  |     auto new_table = *reinterpret_cast<void***>(self); | 
					
						
							|  |  |  |     *reinterpret_cast<void***>(self) = gAppRuntimeVTable; | 
					
						
							|  |  |  |     delete[] new_table; | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |     new_functions = new JNINativeInterface(); | 
					
						
							|  |  |  |     memcpy(new_functions, env->functions, sizeof(*new_functions)); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     new_functions->RegisterNatives = &env_RegisterNatives; | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Replace the function table in JNIEnv to hook RegisterNatives
 | 
					
						
							|  |  |  |     old_functions = env->functions; | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     env->functions = new_functions; | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | template<int N> | 
					
						
							|  |  |  | void vtable_entry(void *self, JNIEnv* env) { | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     // The first invocation will be onVmCreated. It will also restore the vtable.
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  |     onVmCreated(self, env); | 
					
						
							|  |  |  |     // Call original function
 | 
					
						
							|  |  |  |     reinterpret_cast<decltype(&onVmCreated)>(gAppRuntimeVTable[N])(self, env); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // This method is a trampoline for swizzling android::AppRuntime vtable
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | bool swizzled = false; | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | DCL_HOOK_FUNC(void, setArgv0, void *self, const char *argv0, bool setProcName) { | 
					
						
							|  |  |  |     if (swizzled) { | 
					
						
							|  |  |  |         old_setArgv0(self, argv0, setProcName); | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |     ZLOGD("AndroidRuntime::setArgv0\n"); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  |     // We don't know which entry is onVmCreated, so overwrite every one
 | 
					
						
							|  |  |  |     // We also don't know the size of the vtable, but 8 is more than enough
 | 
					
						
							|  |  |  |     auto new_table = new void*[8]; | 
					
						
							|  |  |  |     new_table[0] = reinterpret_cast<void*>(&vtable_entry<0>); | 
					
						
							|  |  |  |     new_table[1] = reinterpret_cast<void*>(&vtable_entry<1>); | 
					
						
							|  |  |  |     new_table[2] = reinterpret_cast<void*>(&vtable_entry<2>); | 
					
						
							|  |  |  |     new_table[3] = reinterpret_cast<void*>(&vtable_entry<3>); | 
					
						
							|  |  |  |     new_table[4] = reinterpret_cast<void*>(&vtable_entry<4>); | 
					
						
							|  |  |  |     new_table[5] = reinterpret_cast<void*>(&vtable_entry<5>); | 
					
						
							|  |  |  |     new_table[6] = reinterpret_cast<void*>(&vtable_entry<6>); | 
					
						
							|  |  |  |     new_table[7] = reinterpret_cast<void*>(&vtable_entry<7>); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     // Swizzle C++ vtable to hook virtual function
 | 
					
						
							| 
									
										
										
										
											2021-08-12 06:41:59 -07:00
										 |  |  |     gAppRuntimeVTable = *reinterpret_cast<void***>(self); | 
					
						
							|  |  |  |     *reinterpret_cast<void***>(self) = new_table; | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     swizzled = true; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     old_setArgv0(self, argv0, setProcName); | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | #undef DCL_HOOK_FUNC
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | // -----------------------------------------------------------------
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | void hookJniNativeMethods(JNIEnv *env, const char *clz, JNINativeMethod *methods, int numMethods) { | 
					
						
							|  |  |  |     auto class_map = jni_method_map->find(clz); | 
					
						
							|  |  |  |     if (class_map == jni_method_map->end()) { | 
					
						
							|  |  |  |         for (int i = 0; i < numMethods; ++i) { | 
					
						
							|  |  |  |             methods[i].fnPtr = nullptr; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     vector<JNINativeMethod> hooks; | 
					
						
							|  |  |  |     for (int i = 0; i < numMethods; ++i) { | 
					
						
							|  |  |  |         auto method_map = class_map->second.find(methods[i].name); | 
					
						
							|  |  |  |         if (method_map != class_map->second.end()) { | 
					
						
							|  |  |  |             auto it = method_map->second.find(methods[i].signature); | 
					
						
							|  |  |  |             if (it != method_map->second.end()) { | 
					
						
							|  |  |  |                 // Copy the JNINativeMethod
 | 
					
						
							|  |  |  |                 hooks.push_back(methods[i]); | 
					
						
							|  |  |  |                 // Save the original function pointer
 | 
					
						
							|  |  |  |                 methods[i].fnPtr = it->second; | 
					
						
							|  |  |  |                 // Do not allow double hook, remove method from map
 | 
					
						
							|  |  |  |                 method_map->second.erase(it); | 
					
						
							|  |  |  |                 continue; | 
					
						
							|  |  |  |             } | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         // No matching method found, set fnPtr to null
 | 
					
						
							|  |  |  |         methods[i].fnPtr = nullptr; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (hooks.empty()) | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     old_jniRegisterNativeMethods(env, clz, hooks.data(), hooks.size()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  | ZygiskModule::ZygiskModule(int id, void *handle, void *entry) | 
					
						
							|  |  |  | : raw_entry(entry), api(this), id(id), handle(handle) {} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ApiTable::ApiTable(ZygiskModule *m) | 
					
						
							|  |  |  | : module(m), registerModule(&ZygiskModule::RegisterModule) {} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | bool ZygiskModule::RegisterModule(ApiTable *table, long *module) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     long ver = *module; | 
					
						
							|  |  |  |     // Unsupported version
 | 
					
						
							|  |  |  |     if (ver > ZYGISK_API_VERSION) | 
					
						
							|  |  |  |         return false; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // Set the actual module_abi*
 | 
					
						
							|  |  |  |     table->module->ver = module; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // Fill in API accordingly with module API version
 | 
					
						
							| 
									
										
										
										
											2022-01-14 03:10:02 -08:00
										 |  |  |     switch (ver) { | 
					
						
							|  |  |  |     case 2: | 
					
						
							|  |  |  |         table->v2.getModuleDir = [](ZygiskModule *m) { return m->getModuleDir(); }; | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         table->v2.getFlags = [](auto) { return ZygiskModule::getFlags(); }; | 
					
						
							| 
									
										
										
										
											2022-01-14 03:10:02 -08:00
										 |  |  |         [[fallthrough]]; | 
					
						
							|  |  |  |     case 1: | 
					
						
							|  |  |  |         table->v1.hookJniNativeMethods = &hookJniNativeMethods; | 
					
						
							|  |  |  |         table->v1.pltHookRegister = [](const char *p, const char *s, void *n, void **o) { | 
					
						
							|  |  |  |             xhook_register(p, s, n, o); | 
					
						
							|  |  |  |         }; | 
					
						
							|  |  |  |         table->v1.pltHookExclude = [](const char *p, const char *s) { | 
					
						
							|  |  |  |             xhook_ignore(p, s); | 
					
						
							|  |  |  |         }; | 
					
						
							|  |  |  |         table->v1.pltHookCommit = []{ bool r = xhook_refresh(0) == 0; xhook_clear(); return r; }; | 
					
						
							|  |  |  |         table->v1.connectCompanion = [](ZygiskModule *m) { return m->connectCompanion(); }; | 
					
						
							|  |  |  |         table->v1.setOption = [](ZygiskModule *m, auto opt) { m->setOption(opt); }; | 
					
						
							|  |  |  |         break; | 
					
						
							|  |  |  |     default: | 
					
						
							|  |  |  |         // Unknown version number
 | 
					
						
							|  |  |  |         return false; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |     return true; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-17 04:36:18 -07:00
										 |  |  | int ZygiskModule::connectCompanion() const { | 
					
						
							|  |  |  |     if (int fd = connect_daemon(); fd >= 0) { | 
					
						
							|  |  |  |         write_int(fd, ZYGISK_REQUEST); | 
					
						
							| 
									
										
										
										
											2021-10-23 14:38:30 -07:00
										 |  |  |         write_int(fd, ZYGISK_CONNECT_COMPANION); | 
					
						
							| 
									
										
										
										
											2021-10-17 04:36:18 -07:00
										 |  |  |         write_int(fd, id); | 
					
						
							|  |  |  |         return fd; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     return -1; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-14 03:10:02 -08:00
										 |  |  | int ZygiskModule::getModuleDir() const { | 
					
						
							|  |  |  |     if (int fd = connect_daemon(); fd >= 0) { | 
					
						
							|  |  |  |         write_int(fd, ZYGISK_REQUEST); | 
					
						
							|  |  |  |         write_int(fd, ZYGISK_GET_MODDIR); | 
					
						
							|  |  |  |         write_int(fd, id); | 
					
						
							|  |  |  |         int dfd = recv_fd(fd); | 
					
						
							|  |  |  |         close(fd); | 
					
						
							|  |  |  |         return dfd; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     return -1; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-21 03:20:04 -07:00
										 |  |  | void ZygiskModule::setOption(zygisk::Option opt) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     if (g_ctx == nullptr) | 
					
						
							|  |  |  |         return; | 
					
						
							| 
									
										
										
										
											2021-10-21 03:20:04 -07:00
										 |  |  |     switch (opt) { | 
					
						
							|  |  |  |     case zygisk::FORCE_DENYLIST_UNMOUNT: | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         g_ctx->state[DO_UNMOUNT] = true; | 
					
						
							| 
									
										
										
										
											2021-10-21 03:20:04 -07:00
										 |  |  |         break; | 
					
						
							|  |  |  |     case zygisk::DLCLOSE_MODULE_LIBRARY: | 
					
						
							|  |  |  |         unload = true; | 
					
						
							|  |  |  |         break; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  | uint32_t ZygiskModule::getFlags() { | 
					
						
							|  |  |  |     return g_ctx ? (g_ctx->flags & ~PRIVATE_MASK) : 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | void HookContext::run_modules_pre(const vector<int> &fds) { | 
					
						
							|  |  |  |     char buf[256]; | 
					
						
							| 
									
										
										
										
											2021-11-12 02:02:05 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Since we directly use the pointer to elements in the vector, in order to prevent dangling
 | 
					
						
							|  |  |  |     // pointers, the vector has to be pre-allocated to ensure reallocation does not occur
 | 
					
						
							|  |  |  |     modules.reserve(fds.size()); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     for (int i = 0; i < fds.size(); ++i) { | 
					
						
							|  |  |  |         snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fds[i]); | 
					
						
							|  |  |  |         if (void *h = dlopen(buf, RTLD_LAZY)) { | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  |             if (void *e = dlsym(h, "zygisk_module_entry")) { | 
					
						
							|  |  |  |                 modules.emplace_back(i, h, e); | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |             } | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         close(fds[i]); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Record all open fds
 | 
					
						
							|  |  |  |     bitset<1024> open_fds; | 
					
						
							|  |  |  |     auto dir = open_dir("/proc/self/fd"); | 
					
						
							|  |  |  |     for (dirent *entry; (entry = xreaddir(dir.get()));) { | 
					
						
							|  |  |  |         int fd = parse_int(entry->d_name); | 
					
						
							|  |  |  |         if (fd < 0 || fd >= 1024) { | 
					
						
							|  |  |  |             close(fd); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         open_fds[fd] = true; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     for (auto &m : modules) { | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  |         m.entry(&m.api, env); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         if (state[APP_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |             m.preAppSpecialize(args); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         } else if (state[SERVER_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |             m.preServerSpecialize(server_args); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Close all unrecorded fds
 | 
					
						
							|  |  |  |     rewinddir(dir.get()); | 
					
						
							|  |  |  |     for (dirent *entry; (entry = xreaddir(dir.get()));) { | 
					
						
							|  |  |  |         int fd = parse_int(entry->d_name); | 
					
						
							|  |  |  |         if (fd < 0 || fd >= 1024 || !open_fds[fd]) { | 
					
						
							|  |  |  |             close(fd); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void HookContext::run_modules_post() { | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  |     for (const auto &m : modules) { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         if (state[APP_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |             m.postAppSpecialize(args); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         } else if (state[SERVER_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |             m.postServerSpecialize(server_args); | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  |         m.doUnload(); | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | void HookContext::close_fds() { | 
					
						
							|  |  |  |     close(logd_fd.exchange(-1)); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  | void HookContext::unload_zygisk() { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     if (state[CAN_DLCLOSE]) { | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |         // Do NOT call the destructor
 | 
					
						
							|  |  |  |         operator delete(jni_method_map); | 
					
						
							|  |  |  |         // Directly unmap the whole memory block
 | 
					
						
							|  |  |  |         jni_hook::memory_block::release(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // Strip out all API function pointers
 | 
					
						
							|  |  |  |         for (auto &m : modules) { | 
					
						
							| 
									
										
										
										
											2021-11-16 01:59:45 -08:00
										 |  |  |             memset(&m.api, 0, sizeof(m.api)); | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         new_daemon_thread(reinterpret_cast<thread_entry>(&dlclose), self_handle); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | // -----------------------------------------------------------------
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | void HookContext::nativeSpecializeAppProcess_pre() { | 
					
						
							|  |  |  |     g_ctx = this; | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     state[APP_SPECIALIZE] = true; | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     process = env->GetStringUTFChars(args->nice_name, nullptr); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     if (state[FORK_AND_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("pre  forkAndSpecialize [%s]\n", process); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("pre  specialize [%s]\n", process); | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     auto module_fds = remote_get_info(args->uid, process, &flags); | 
					
						
							|  |  |  |     if ((flags & UNMOUNT_MASK) == UNMOUNT_MASK) { | 
					
						
							| 
									
										
										
										
											2021-10-27 03:54:48 -07:00
										 |  |  |         // TODO: Handle MOUNT_EXTERNAL_NONE on older platforms
 | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGI("[%s] is on the denylist\n", process); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         state[DO_UNMOUNT] = true; | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2021-10-13 04:52:02 -07:00
										 |  |  |         run_modules_pre(module_fds); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-11-16 03:12:01 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  |     close_fds(); | 
					
						
							|  |  |  |     android_logging(); | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  | } | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  | void HookContext::nativeSpecializeAppProcess_post() { | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     if (state[FORK_AND_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("post forkAndSpecialize [%s]\n", process); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("post specialize [%s]\n", process); | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-10 01:25:30 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     env->ReleaseStringUTFChars(args->nice_name, process); | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     run_modules_post(); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     if (flags & PROCESS_IS_MAGISK_APP) { | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |         setenv("ZYGISK_ENABLED", "1", 1); | 
					
						
							| 
									
										
										
										
											2021-09-18 02:38:53 -07:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     g_ctx = nullptr; | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     if (!state[FORK_AND_SPECIALIZE]) { | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |         unload_zygisk(); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-09 17:41:25 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | void HookContext::nativeForkSystemServer_pre() { | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     fork_pre(); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     state[SERVER_SPECIALIZE] = true; | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     if (pid == 0) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("pre  forkSystemServer\n"); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |         run_modules_pre(remote_get_info(1000, "system_server", &flags)); | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |         close_fds(); | 
					
						
							| 
									
										
										
										
											2021-11-16 03:12:01 -08:00
										 |  |  |         android_logging(); | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void HookContext::nativeForkSystemServer_post() { | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     if (pid == 0) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGV("post forkSystemServer\n"); | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |         run_modules_post(); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     fork_post(); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | void HookContext::nativeForkAndSpecialize_pre() { | 
					
						
							|  |  |  |     fork_pre(); | 
					
						
							| 
									
										
										
										
											2022-01-17 19:54:33 -08:00
										 |  |  |     state[FORK_AND_SPECIALIZE] = true; | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     if (pid == 0) { | 
					
						
							|  |  |  |         nativeSpecializeAppProcess_pre(); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void HookContext::nativeForkAndSpecialize_post() { | 
					
						
							|  |  |  |     if (pid == 0) { | 
					
						
							|  |  |  |         nativeSpecializeAppProcess_post(); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     fork_post(); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2021-01-09 17:41:25 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 22:56:18 -07:00
										 |  |  | int sigmask(int how, int signum) { | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     sigset_t set; | 
					
						
							|  |  |  |     sigemptyset(&set); | 
					
						
							|  |  |  |     sigaddset(&set, signum); | 
					
						
							|  |  |  |     return sigprocmask(how, &set, nullptr); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  | // Do our own fork before loading any 3rd party code
 | 
					
						
							|  |  |  | // First block SIGCHLD, unblock after original fork is done
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | void HookContext::fork_pre() { | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     g_ctx = this; | 
					
						
							|  |  |  |     sigmask(SIG_BLOCK, SIGCHLD); | 
					
						
							|  |  |  |     pid = old_fork(); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2021-01-12 03:28:00 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  | // Unblock SIGCHLD in case the original method didn't
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | void HookContext::fork_post() { | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     sigmask(SIG_UNBLOCK, SIGCHLD); | 
					
						
							|  |  |  |     g_ctx = nullptr; | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     unload_zygisk(); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | } | 
					
						
							| 
									
										
										
										
											2021-08-02 03:20:19 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | } // namespace
 | 
					
						
							| 
									
										
										
										
											2021-01-09 20:39:59 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | static bool hook_refresh() { | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |     if (xhook_refresh(0) == 0) { | 
					
						
							|  |  |  |         xhook_clear(); | 
					
						
							|  |  |  |         return true; | 
					
						
							|  |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGE("xhook failed\n"); | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |         return false; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  | static int hook_register(const char *path, const char *symbol, void *new_func, void **old_func) { | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |     int ret = xhook_register(path, symbol, new_func, old_func); | 
					
						
							|  |  |  |     if (ret != 0) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGE("Failed to register hook \"%s\"\n", symbol); | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |         return ret; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-10 05:07:17 -08:00
										 |  |  |     xhook_list->emplace_back(path, symbol, old_func); | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |     return 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | #define XHOOK_REGISTER_SYM(PATH_REGEX, SYM, NAME) \
 | 
					
						
							|  |  |  |     hook_register(PATH_REGEX, SYM, (void*) new_##NAME, (void **) &old_##NAME) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | #define XHOOK_REGISTER(PATH_REGEX, NAME) \
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     XHOOK_REGISTER_SYM(PATH_REGEX, #NAME, NAME) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #define ANDROID_RUNTIME ".*/libandroid_runtime.so$"
 | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  | #define APP_PROCESS     "^/system/bin/app_process.*"
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  | void hook_functions() { | 
					
						
							| 
									
										
										
										
											2021-09-07 19:35:28 -07:00
										 |  |  | #if MAGISK_DEBUG
 | 
					
						
							| 
									
										
										
										
											2021-10-27 03:57:36 -07:00
										 |  |  |     // xhook_enable_debug(1);
 | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |     xhook_enable_sigsegv_protection(0); | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     default_new(xhook_list); | 
					
						
							|  |  |  |     default_new(jni_hook_list); | 
					
						
							|  |  |  |     default_new(jni_method_map); | 
					
						
							| 
									
										
										
										
											2021-01-10 05:07:17 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     XHOOK_REGISTER(ANDROID_RUNTIME, fork); | 
					
						
							| 
									
										
										
										
											2021-10-27 01:53:16 -07:00
										 |  |  |     XHOOK_REGISTER(ANDROID_RUNTIME, unshare); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |     XHOOK_REGISTER(ANDROID_RUNTIME, jniRegisterNativeMethods); | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  |     XHOOK_REGISTER(ANDROID_RUNTIME, selinux_android_setcontext); | 
					
						
							| 
									
										
										
										
											2021-08-21 03:52:59 -07:00
										 |  |  |     XHOOK_REGISTER_SYM(ANDROID_RUNTIME, "__android_log_close", android_log_close); | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |     hook_refresh(); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Remove unhooked methods
 | 
					
						
							|  |  |  |     xhook_list->erase( | 
					
						
							|  |  |  |             std::remove_if(xhook_list->begin(), xhook_list->end(), | 
					
						
							|  |  |  |             [](auto &t) { return *std::get<2>(t) == nullptr;}), | 
					
						
							|  |  |  |             xhook_list->end()); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (old_jniRegisterNativeMethods == nullptr) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGD("jniRegisterNativeMethods not hooked, using fallback\n"); | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |         // android::AndroidRuntime::setArgv0(const char*, bool)
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |         XHOOK_REGISTER_SYM(APP_PROCESS, "_ZN7android14AndroidRuntime8setArgv0EPKcb", setArgv0); | 
					
						
							|  |  |  |         hook_refresh(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // We still need old_jniRegisterNativeMethods as other code uses it
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |         // android::AndroidRuntime::registerNativeMethods(_JNIEnv*, const char*, const JNINativeMethod*, int)
 | 
					
						
							| 
									
										
										
										
											2021-08-11 00:00:21 -07:00
										 |  |  |         constexpr char sig[] = "_ZN7android14AndroidRuntime21registerNativeMethodsEP7_JNIEnvPKcPK15JNINativeMethodi"; | 
					
						
							|  |  |  |         *(void **) &old_jniRegisterNativeMethods = dlsym(RTLD_DEFAULT, sig); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-07 13:05:44 -08:00
										 |  |  | static bool unhook_functions() { | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     bool success = true; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-19 01:54:12 -07:00
										 |  |  |     // Restore JNIEnv
 | 
					
						
							|  |  |  |     if (g_ctx->env->functions == new_functions) { | 
					
						
							|  |  |  |         g_ctx->env->functions = old_functions; | 
					
						
							|  |  |  |         if (gClassRef) { | 
					
						
							|  |  |  |             g_ctx->env->DeleteGlobalRef(gClassRef); | 
					
						
							|  |  |  |             gClassRef = nullptr; | 
					
						
							|  |  |  |             class_getName = nullptr; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-01-09 17:41:25 -08:00
										 |  |  |     // Unhook JNI methods
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     for (const auto &[clz, methods] : *jni_hook_list) { | 
					
						
							|  |  |  |         if (!methods.empty() && old_jniRegisterNativeMethods( | 
					
						
							|  |  |  |                 g_ctx->env, clz.data(), methods.data(), methods.size()) != 0) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |             ZLOGE("Failed to restore JNI hook of class [%s]\n", clz.data()); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |             success = false; | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-08-01 14:35:16 -07:00
										 |  |  |     delete jni_hook_list; | 
					
						
							| 
									
										
										
										
											2021-01-08 05:25:44 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-01-09 17:41:25 -08:00
										 |  |  |     // Unhook xhook
 | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     for (const auto &[path, sym, old_func] : *xhook_list) { | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |         if (xhook_register(path, sym, *old_func, nullptr) != 0) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |             ZLOGE("Failed to register xhook [%s]\n", sym); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |             success = false; | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2021-01-10 05:07:17 -08:00
										 |  |  |     delete xhook_list; | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |     if (!hook_refresh()) { | 
					
						
							| 
									
										
										
										
											2021-10-14 02:13:23 -07:00
										 |  |  |         ZLOGE("Failed to restore xhook\n"); | 
					
						
							| 
									
										
										
										
											2021-08-20 23:40:57 -07:00
										 |  |  |         success = false; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return success; | 
					
						
							| 
									
										
										
										
											2021-01-08 00:53:24 -08:00
										 |  |  | } |