From 8186f253e8c0ba0ed48e8ca41ae40110f967391e Mon Sep 17 00:00:00 2001
From: topjohnwu
Date: Wed, 1 Jun 2022 01:50:42 -0700
Subject: [PATCH] Fix zygisk code unloading
---
 native/jni/core/module.cpp | 8 +++-
 native/jni/zygisk/entry.cpp | 86 +++++++++++++++++-------------------
 native/jni/zygisk/main.cpp | 5 +--
 native/jni/zygisk/zygisk.hpp | 6 ++-
 4 files changed, 54 insertions(+), 51 deletions(-)
diff --git a/native/jni/core/module.cpp b/native/jni/core/module.cpp
index 5fb121dc8..79f27c012 100644
--- a/native/jni/core/module.cpp
+++ b/native/jni/core/module.cpp
@@ -563,13 +563,19 @@ int app_process_64 = -1;
 if (access("/system/bin/app_process" #bit, F_OK) == 0) { \
 app_process_##bit = xopen("/system/bin/app_process" #bit, O_RDONLY | O_CLOEXEC); \
 string zbin = zygisk_bin + "/app_process" #bit; \
+ string dbin = zygisk_bin + "/magisk" #bit; \
 string mbin = MAGISKTMP + "/magisk" #bit; \
 int src = xopen(mbin.data(), O_RDONLY | O_CLOEXEC); \
 int out = xopen(zbin.data(), O_CREAT | O_WRONLY | O_CLOEXEC, 0); \
 xsendfile(out, src, nullptr, INT_MAX); \
- close(src); \
 close(out); \
+ out = xopen(dbin.data(), O_CREAT | O_WRONLY | O_CLOEXEC, 0); \
+ lseek(src, 0, SEEK_SET); \
+ xsendfile(out, src, nullptr, INT_MAX); \
+ close(out); \
+ close(src); \
 clone_attr("/system/bin/app_process" #bit, zbin.data()); \
+ clone_attr("/system/bin/app_process" #bit, dbin.data()); \
 bind_mount(zbin.data(), "/system/bin/app_process" #bit); \
 }
diff --git a/native/jni/zygisk/entry.cpp b/native/jni/zygisk/entry.cpp
index 5f9135d3e..bc1d1a4f4 100644
--- a/native/jni/zygisk/entry.cpp
+++ b/native/jni/zygisk/entry.cpp
@@ -1,6 +1,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
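Review bot: The `lseek(src, 0, SEEK_SET)` before the second `xsendfile` is unchecked, so if it fails the `magisk#bit` copy in `zygisk_bin` comes out empty or truncated, and that file is exactly what `setup_files` later bind-mounts over a real `/system/bin` binary to host the 1st stage — a broken ELF there breaks zygote injection (and anything else that execs the hijacked path) instead of failing loudly in the daemon. The simplest fix that matches the surrounding style is to not rewind at all and open the source again for the second copy, `int src2 = xopen(mbin.data(), O_RDONLY | O_CLOEXEC); \`, then `xsendfile(out, src2, nullptr, INT_MAX); \` and `close(src2); \`, so a failure is logged by the x* wrapper. The two copy sequences are now identical apart from the destination and would read better as one helper invoked twice. This hunk sits inside a backslash-continued macro whose head and tail are outside the hunk.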
@@ -52,78 +53,56 @@ static void zygisk_cleanup_wait() {
 }
 }
+static void *unload_first_stage(void *) {
+ // Wait 10us to make sure 1st stage is done
+ timespec ts = { .tv_sec = 0, .tv_nsec = 10000L };
+ nanosleep(&ts, nullptr);
+ unmap_all(HIJACK_BIN);
+ xumount2(HIJACK_BIN, MNT_DETACH);
+ return nullptr;
+}
+
 static void second_stage_entry() {
 zygisk_logging();
 ZLOGD("inject 2nd stage\n");
- char path[PATH_MAX];
 MAGISKTMP = getenv(MAGISKTMP_ENV);
- int fd = parse_int(getenv(MAGISKFD_ENV));
-
- snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);
- xreadlink(path, path, PATH_MAX);
- android_dlextinfo info {
- .flags = ANDROID_DLEXT_USE_LIBRARY_FD,
- .library_fd = fd,
- };
- self_handle = android_dlopen_ext(path, RTLD_LAZY, &info);
+#if defined(__LP64__)
+ self_handle = dlopen("/system/bin/app_process", RTLD_NOLOAD);
+#else
+ self_handle = dlopen("/system/bin/app_process32", RTLD_NOLOAD);
+#endif
 dlclose(self_handle);
- close(fd);
+ unsetenv(MAGISKTMP_ENV);
- unsetenv(MAGISKFD_ENV);
 sanitize_environ();
 hook_functions();
+ new_daemon_thread(&unload_first_stage, nullptr);
 }
 static void first_stage_entry() {
- android_logging();
 ZLOGD("inject 1st stage\n");
- char path[PATH_MAX];
- char buf[256];
 char *ld = getenv("LD_PRELOAD");
 if (char *c = strrchr(ld, ':')) {
 *c = '\0';
- strlcpy(path, c + 1, sizeof(path));
 setenv("LD_PRELOAD", ld, 1); // Restore original LD_PRELOAD
 } else {
 unsetenv("LD_PRELOAD");
- strlcpy(path, ld, sizeof(path));
- }
-
- // Force the linker to load the library on top of ourselves, so we do not
- // need to unmap the 1st stage library that was loaded with LD_PRELOAD.
-
- int fd = xopen(path, O_RDONLY | O_CLOEXEC);
- // Use fd here instead of path to make sure inode is the same as 2nd stage
- snprintf(buf, sizeof(buf), "%d", fd);
- setenv(MAGISKFD_ENV, buf, 1);
- struct stat s{};
- xfstat(fd, &s);
-
- android_dlextinfo info {
- .flags = ANDROID_DLEXT_FORCE_LOAD | ANDROID_DLEXT_USE_LIBRARY_FD,
- .library_fd = fd,
- };
- auto [addr, size] = find_map_range(path, s.st_ino);
- if (addr && size) {
- info.flags |= ANDROID_DLEXT_RESERVED_ADDRESS;
- info.reserved_addr = addr;
- // The existing address is guaranteed to fit, as 1st stage and 2nd stage
- // are exactly the same ELF (same inode). However, the linker could over
- // estimate the required size and refuse to dlopen. The estimated size
- // is not accurate so size the size to unlimited.
- info.reserved_size = -1;
 }
+ // Load second stage
 setenv(INJECT_ENV_2, "1", 1);
- // Force dlopen ourselves to make ourselves dlclose-able.
- // After this call, all global variables will be reset.
- android_dlopen_ext(path, RTLD_LAZY, &info);
+#if defined(__LP64__)
+ dlopen("/system/bin/app_process", RTLD_LAZY);
+#else
+ dlopen("/system/bin/app_process32", RTLD_LAZY);
+#endif
 }
 [[gnu::constructor]] [[maybe_unused]] static void zygisk_init() {
+ android_logging();
 if (getenv(INJECT_ENV_1)) {
 unsetenv(INJECT_ENV_1);
 first_stage_entry();
@@ -301,8 +280,23 @@ static void setup_files(int client, const sock_cred *cred) {
 }
 }
+ // Hijack some binary in /system/bin to host 1st stage
+ const char *hbin;
+ string mbin;
+ int app_fd;
+ if (is_64_bit) {
+ hbin = HIJACK_BIN64;
+ mbin = MAGISKTMP + "/" ZYGISKBIN "/magisk64";
+ app_fd = app_process_64;
+ } else {
+ hbin = HIJACK_BIN32;
+ mbin = MAGISKTMP + "/" ZYGISKBIN "/magisk32";
+ app_fd = app_process_32;
+ }
+ xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
+
 write_int(client, 0);
- send_fd(client, is_64_bit ? app_process_64 : app_process_32);
+ send_fd(client, app_fd);
 write_string(client, MAGISKTMP);
 }
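Review bot: `unload_first_stage` uses a fixed 10 µs `nanosleep` as its only evidence that the main thread has left the 1st-stage code, but when `second_stage_entry` spawns that thread the main thread is still inside `first_stage_entry`'s `dlopen` and the linker's constructor walk, and nothing orders its return against the `unmap_all(HIJACK_BIN)`; a scheduling hiccup longer than the sleep means the pages are pulled out from under a thread that is about to execute them, so the failure mode is a SIGSEGV in zygote rather than a clean unload. A timed guess should become a real rendezvous with something that can only run after control is back in zygote proper — for instance doing the `unmap_all(HIJACK_BIN); xumount2(HIJACK_BIN, MNT_DETACH);` pair once, guarded by a `std::once_flag`/atomic, from the first invocation of a hook installed by `hook_functions()`, which also removes the need for an extra thread in the (fork-sensitive) zygote. If the sleep is kept, the comment should at least say it is a heuristic and what breaks when it is too short. The hunk opens inside `zygisk_cleanup_wait`, whose start is outside the hunk.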
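Review bot: The result of `xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr)` is discarded and the daemon never undoes the mount itself: the only umount in this patch is the `xumount2(HIJACK_BIN, MNT_DETACH)` that zygote runs from `unload_first_stage`, so if the zygote dies or injection fails before `second_stage_entry`, the hijacked `/system/bin` binary stays replaced by the magisk binary system-wide, and each zygote restart stacks another bind mount on top. The reply `write_int(client, 0)` is also sent unconditionally, so the client proceeds with `LD_PRELOAD` pointing at the hijack path even when the mount failed and the linker would then preload the genuine system binary. Suggest reporting the mount result, e.g. `if (xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr) != 0) { write_int(client, 1); return; }` (assuming the client treats a non-zero reply as "skip injection" — its handling is not visible here), and having the daemon detach the mount on its own from the zygisk cleanup path once zygote reports the 2nd stage loaded or after a timeout. `setup_files` begins outside the hunk.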
diff --git a/native/jni/zygisk/main.cpp b/native/jni/zygisk/main.cpp
index b14d506d9..0c309caa2 100644
--- a/native/jni/zygisk/main.cpp
+++ b/native/jni/zygisk/main.cpp
@@ -78,14 +78,13 @@ int app_process_main(int argc, char *argv[]) {
 break;
 string tmp = read_string(socket);
- xreadlink("/proc/self/exe", buf, sizeof(buf));
 if (char *ld = getenv("LD_PRELOAD")) {
 string env = ld;
 env += ':';
- env += buf;
+ env += HIJACK_BIN;
 setenv("LD_PRELOAD", env.data(), 1);
 } else {
- setenv("LD_PRELOAD", buf, 1);
+ setenv("LD_PRELOAD", HIJACK_BIN, 1);
 }
 setenv(INJECT_ENV_1, "1", 1);
 setenv(MAGISKTMP_ENV, tmp.data(), 1);
diff --git a/native/jni/zygisk/zygisk.hpp b/native/jni/zygisk/zygisk.hpp
index 3b1e69e60..aa986de45 100644
--- a/native/jni/zygisk/zygisk.hpp
+++ b/native/jni/zygisk/zygisk.hpp
@@ -7,9 +7,11 @@
 #define INJECT_ENV_1 "MAGISK_INJ_1"
 #define INJECT_ENV_2 "MAGISK_INJ_2"
-#define MAGISKFD_ENV "MAGISKFD"
 #define MAGISKTMP_ENV "MAGISKTMP"
+#define HIJACK_BIN64 "/system/bin/bootanimation"
+#define HIJACK_BIN32 "/system/bin/screencap"
+
 namespace ZygiskRequest {
 enum : int {
 SETUP,
@@ -26,10 +28,12 @@ enum : int {
 #define ZLOGD(...) LOGD("zygisk64: " __VA_ARGS__)
 #define ZLOGE(...) LOGE("zygisk64: " __VA_ARGS__)
 #define ZLOGI(...) LOGI("zygisk64: " __VA_ARGS__)
+#define HIJACK_BIN HIJACK_BIN64
 #else
 #define ZLOGD(...) LOGD("zygisk32: " __VA_ARGS__)
 #define ZLOGE(...) LOGE("zygisk32: " __VA_ARGS__)
 #define ZLOGI(...) LOGI("zygisk32: " __VA_ARGS__)
+#define HIJACK_BIN HIJACK_BIN32
 #endif
 // Find the memory address + size of the pages matching name + inode
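Review bot: With the `xreadlink("/proc/self/exe", buf, sizeof(buf))` line gone, `buf` is no longer written anywhere in this hunk; its declaration is outside the hunk, so if this was its last use it should be removed too, otherwise it is a dead buffer that `-Wunused` may or may not flag. The new preload path is only meaningful while the daemon's bind mount over `HIJACK_BIN` is in place, and this code cannot tell whether that happened — a failed mount leaves the linker preloading the genuine `bootanimation`/`screencap` into zygote — so the contract deserves a comment where the path is set: `// HIJACK_BIN is bind-mounted by magiskd (setup_files) to the magisk binary before we exec; the 1st stage runs from that path and unmounts it itself.` `app_process_main` starts and ends outside the hunk.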
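Review bot: `HIJACK_BIN64` and `HIJACK_BIN32` hard-code two system binaries that will be bind-mounted over, but nothing states why these were chosen or what a replacement must satisfy, so the choice is easy to change without understanding the consequences. Add a comment above the pair, e.g. `// System binaries temporarily bind-mounted over by magiskd to host the 1st stage; they must exist on every supported device for that bitness and must not be exec'd by anyone else while the mount is in place (the caller would get the magisk binary instead).` Whether `bootanimation` can be started while the mount is active during boot is not visible here, but it is exactly the kind of constraint the comment should make explicit.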