From cfb20b0f86414d851b51e10cd633328d405ca4f7 Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Thu, 9 Nov 2023 20:55:58 -0800 Subject: [PATCH] Zygisk refactoring part 2 --- native/src/core/zygisk/gen_jni_hooks.py | 2 +- native/src/core/zygisk/hook.cpp | 320 ++++++++++++++++-------- native/src/core/zygisk/jni_hooks.hpp | 30 +-- native/src/core/zygisk/module.cpp | 42 ++-- native/src/core/zygisk/module.hpp | 10 +- native/src/core/zygisk/zygisk.hpp | 4 +- 6 files changed, 260 insertions(+), 148 deletions(-) diff --git a/native/src/core/zygisk/gen_jni_hooks.py b/native/src/core/zygisk/gen_jni_hooks.py index 97afec326..11b903566 100755 --- a/native/src/core/zygisk/gen_jni_hooks.py +++ b/native/src/core/zygisk/gen_jni_hooks.py @@ -95,7 +95,7 @@ class ForkAndSpec(JNIHook): for a in self.args: if a.set_arg: decl += ind(1) + f'args.{a.name} = &{a.name};' - decl += ind(1) + 'HookContext ctx(env, &args);' + decl += ind(1) + 'ZygiskContext ctx(env, &args);' decl += ind(1) + f'ctx.{self.base_name()}_pre();' decl += ind(1) + self.orig_method() + '(' decl += ind(2) + f'env, clazz, {self.name_list()}' diff --git a/native/src/core/zygisk/hook.cpp b/native/src/core/zygisk/hook.cpp index 6afb5fe68..d9d6d5721 100644 --- a/native/src/core/zygisk/hook.cpp +++ b/native/src/core/zygisk/hook.cpp @@ -13,22 +13,116 @@ using namespace std; -static void hook_unloader(); -static void unhook_functions(); -static void hook_jni_env(); -static void post_native_bridge_load(); +// ********************* +// Zygisk Bootstrapping +// ********************* +// +// Zygisk's lifecycle is driven by several PLT function hooks in libandroid_runtime, libart, and +// libnative_bridge. As Zygote is starting up, these carefully selected functions will call into +// the respective lifecycle callbacks in Zygisk to drive the progress forward. +// +// The entire bootstrap process is shown in the graph below. +// Arrows represent control flow, and the blocks are sorted chronologically from top to bottom. +// +// libnative_bridge libandroid_runtime zygisk libart +// +// ┌───────┐ +// │ start │ +// └───┬─┬─┘ +// │ │ ┌────────────────┐ +// │ └────────────────────────────────────────►│LoadNativeBridge│ +// │ └───────┬────────┘ +// ┌────────────────┐ │ │ +// │LoadNativeBridge│◄────────────┼───────────────────────────────────────────────────┘ +// └───────┬────┬───┘ │ +// │ │ │ ┌───────────────┐ +// │ └─────────────────┼────────────────────►│NativeBridgeItf│ +// │ │ └──────┬────────┘ +// │ │ │ +// │ │ ▼ +// │ │ ┌────────┐ +// │ │ │hook_plt│ +// ▼ │ └────────┘ +// ┌───────┐ │ +// │dlclose│ │ +// └───┬───┘ │ +// │ │ +// │ │ ┌───────────────────────┐ +// └──────────────────────┼────────────────►│post_native_bridge_load│ +// │ └───────────────────────┘ +// ▼ +// ┌──────────────────────────┐ +// │androidSetCreateThreadFunc│ +// └─────────────┬────┬───────┘ +// │ │ ┌────────────┐ +// │ └────────────────►│hook_jni_env│ +// ▼ └────────────┘ +// ┌──────────────────┐ +// │register_jni_procs│ +// └────────┬────┬────┘ +// │ │ ┌───────────────────┐ +// │ └─────────────►│replace_jni_methods│ +// │ └───────────────────┘ ┌─────────┐ +// │ │ │ +// └────────────────────────────────────────────►│ JVM │ +// │ │ +// └──┬─┬────┘ +// ┌───────────────────┐ │ │ +// │nativeXXXSpecialize│◄─────────────────────────────────────┘ │ +// └─────────────┬─────┘ │ +// │ ┌─────────────┐ │ +// └────────────────►│ZygiskContext│ │ +// └─────────────┘ ▼ +// ┌────────────────────┐ +// │pthread_attr_destroy│ +// └─────────┬──────────┘ +// ┌────────────────┐ │ +// │restore_plt_hook│◄───────────┘ +// └────────────────┘ +// +// Some notes regarding the important functions/symbols during bootstrap: +// +// * NativeBridgeItf: this symbol is the entry point for android::LoadNativeBridge +// * HookContext::hook_plt(): hook functions like |dlclose| and |androidSetCreateThreadFunc| +// * dlclose: the final step before android::LoadNativeBridge returns +// * androidSetCreateThreadFunc: called in AndroidRuntime::startReg before +// |register_jni_procs|, which is when most native JNI methods are registered. +// * HookContext::hook_jni_env(): replace the |RegisterNatives| function pointer in JNIEnv. +// * replace_jni_methods: called in the replaced |RegisterNatives| function to filter and replace +// the function pointers registered in register_jni_procs, most importantly the process +// specialization routines, which are our main targets. This marks the final step +// of the code injection bootstrap process. +// * pthread_attr_destroy: called whenever the JVM tries to setup threads for itself. We use +// this method to cleanup and unload Zygisk from the process. -struct HookState { +struct HookContext { vector> plt_backup; map, StringCmp> jni_backup; JNINativeInterface new_env{}; const JNINativeInterface *old_env = nullptr; const NativeBridgeRuntimeCallbacks *runtime_callbacks = nullptr; + + void hook_plt(); + void hook_unloader(); + void restore_plt_hook(); + void hook_jni_env(); + void restore_jni_hook(JNIEnv *env); + void post_native_bridge_load(); + +private: + void register_hook(dev_t dev, ino_t inode, const char *symbol, void *new_func, void **old_func); }; -// Global contexts -HookContext *g_ctx; -static HookState *g_state; +// Global contexts: +// +// HookContext lives as long as Zygisk is loaded in memory. It tracks the process's function +// hooking state and bootstraps code injection until we replace the process specialization methods. +// +// ZygiskContext lives during the process specialization process. It implements Zygisk +// features, such as loading modules and customizing process fork/specialization. + +ZygiskContext *g_ctx; +static HookContext *g_hook; static bool should_unmap_zygisk = false; // ----------------------------------------------------------------- @@ -39,7 +133,7 @@ ret new_##func(__VA_ARGS__) DCL_HOOK_FUNC(static void, androidSetCreateThreadFunc, void *func) { ZLOGD("androidSetCreateThreadFunc\n"); - hook_jni_env(); + g_hook->hook_jni_env(); old_androidSetCreateThreadFunc(func); } @@ -95,9 +189,9 @@ DCL_HOOK_FUNC(static int, pthread_attr_destroy, void *target) { ZLOGV("pthread_attr_destroy\n"); if (should_unmap_zygisk) { - unhook_functions(); + g_hook->restore_plt_hook(); if (should_unmap_zygisk) { - delete g_state; + delete g_hook; // Because both `pthread_attr_destroy` and `dlclose` have the same function signature, // we can use `musttail` to let the compiler reuse our stack frame and thus @@ -106,7 +200,7 @@ DCL_HOOK_FUNC(static int, pthread_attr_destroy, void *target) { } } - delete g_state; + delete g_hook; return res; } @@ -116,7 +210,7 @@ DCL_HOOK_FUNC(static int, dlclose, void *handle) { if (!kDone) { ZLOGV("dlclose zygisk_loader\n"); kDone = true; - post_native_bridge_load(); + g_hook->post_native_bridge_load(); } [[clang::musttail]] return old_dlclose(handle); } @@ -125,11 +219,11 @@ DCL_HOOK_FUNC(static int, dlclose, void *handle) { // ----------------------------------------------------------------- -HookContext::HookContext(JNIEnv *env, void *args) : +ZygiskContext::ZygiskContext(JNIEnv *env, void *args) : env(env), args{args}, process(nullptr), pid(-1), flags(0), info_flags(0), hook_info_lock(PTHREAD_MUTEX_INITIALIZER) { g_ctx = this; } -HookContext::~HookContext() { +ZygiskContext::~ZygiskContext() { // This global pointer points to a variable on the stack. // Set this to nullptr to prevent leaking local variable. // This also disables most plt hooked functions. @@ -141,24 +235,15 @@ HookContext::~HookContext() { zygisk_close_logd(); android_logging(); - should_unmap_zygisk = true; - - // Unhook JNI methods - for (const auto &[clz, methods] : g_state->jni_backup) { - if (!methods.empty() && env->RegisterNatives( - env->FindClass(clz.data()), methods.data(), - static_cast(methods.size())) != 0) { - ZLOGE("Failed to restore JNI hook of class [%s]\n", clz.data()); - should_unmap_zygisk = false; - } - } - // Strip out all API function pointers for (auto &m : modules) { m.clearApi(); } - hook_unloader(); + // Cleanup + should_unmap_zygisk = true; + g_hook->restore_jni_hook(env); + g_hook->hook_unloader(); } // ----------------------------------------------------------------- @@ -237,55 +322,61 @@ static const NativeBridgeRuntimeCallbacks* find_runtime_callbacks(struct _Unwind return nullptr; } -static void post_native_bridge_load() { +void HookContext::post_native_bridge_load() { + using method_sig = const bool (*)(const char *, const NativeBridgeRuntimeCallbacks *); + struct trace_arg { + method_sig load_native_bridge; + const NativeBridgeRuntimeCallbacks *callbacks; + }; + trace_arg arg{}; + // Unwind to find the address of android::LoadNativeBridge and NativeBridgeRuntimeCallbacks - bool (*load_native_bridge)(const char *nb_library_filename, - const NativeBridgeRuntimeCallbacks *runtime_cbs) = nullptr; - _Unwind_Backtrace(+[](struct _Unwind_Context *ctx, void *arg) -> _Unwind_Reason_Code { + _Unwind_Backtrace(+[](_Unwind_Context *ctx, void *arg) -> _Unwind_Reason_Code { void *fp = unwind_get_region_start(ctx); Dl_info info{}; dladdr(fp, &info); - ZLOGV("backtrace: %p %s\n", fp, info.dli_fname ? info.dli_fname : "???"); + ZLOGV("backtrace: %p %s\n", fp, info.dli_fname ?: "???"); if (info.dli_fname && std::string_view(info.dli_fname).ends_with("/libnativebridge.so")) { - *reinterpret_cast(arg) = fp; - g_state->runtime_callbacks = find_runtime_callbacks(ctx); - ZLOGV("NativeBridgeRuntimeCallbacks: %p\n", g_state->runtime_callbacks); + auto payload = reinterpret_cast(arg); + payload->load_native_bridge = reinterpret_cast(fp); + payload->callbacks = find_runtime_callbacks(ctx); + ZLOGV("NativeBridgeRuntimeCallbacks: %p\n", payload->callbacks); return _URC_END_OF_STACK; } return _URC_NO_REASON; - }, &load_native_bridge); + }, &arg); + + if (!arg.load_native_bridge || !arg.callbacks) + return; // Reload the real native bridge if necessary auto nb = get_prop(NBPROP); auto len = sizeof(ZYGISKLDR) - 1; if (nb.size() > len) { - load_native_bridge(nb.data() + len, g_state->runtime_callbacks); + arg.load_native_bridge(nb.data() + len, arg.callbacks); } + runtime_callbacks = arg.callbacks; } -static void hook_register(dev_t dev, ino_t inode, const char *symbol, void *new_func, void **old_func) { +// ----------------------------------------------------------------- + +void HookContext::register_hook( + dev_t dev, ino_t inode, const char *symbol, void *new_func, void **old_func) { if (!lsplt::RegisterHook(dev, inode, symbol, new_func, old_func)) { ZLOGE("Failed to register plt_hook \"%s\"\n", symbol); return; } - g_state->plt_backup.emplace_back(dev, inode, symbol, old_func); -} - -static void hook_commit() { - if (!lsplt::CommitHook()) - ZLOGE("plt_hook failed\n"); + plt_backup.emplace_back(dev, inode, symbol, old_func); } #define PLT_HOOK_REGISTER_SYM(DEV, INODE, SYM, NAME) \ - hook_register(DEV, INODE, SYM, \ + register_hook(DEV, INODE, SYM, \ reinterpret_cast(new_##NAME), reinterpret_cast(&old_##NAME)) #define PLT_HOOK_REGISTER(DEV, INODE, NAME) \ PLT_HOOK_REGISTER_SYM(DEV, INODE, #NAME, NAME) -void hook_functions() { - default_new(g_state); - +void HookContext::hook_plt() { ino_t android_runtime_inode = 0; dev_t android_runtime_dev = 0; ino_t native_bridge_inode = 0; @@ -307,16 +398,18 @@ void hook_functions() { PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, androidSetCreateThreadFunc); PLT_HOOK_REGISTER(android_runtime_dev, android_runtime_inode, selinux_android_setcontext); PLT_HOOK_REGISTER_SYM(android_runtime_dev, android_runtime_inode, "__android_log_close", android_log_close); - hook_commit(); + + if (!lsplt::CommitHook()) + ZLOGE("plt_hook failed\n"); // Remove unhooked methods - g_state->plt_backup.erase( - std::remove_if(g_state->plt_backup.begin(), g_state->plt_backup.end(), + plt_backup.erase( + std::remove_if(plt_backup.begin(), plt_backup.end(), [](auto &t) { return *std::get<3>(t) == nullptr;}), - g_state->plt_backup.end()); + g_hook->plt_backup.end()); } -static void hook_unloader() { +void HookContext::hook_unloader() { ino_t art_inode = 0; dev_t art_dev = 0; @@ -329,12 +422,13 @@ static void hook_unloader() { } PLT_HOOK_REGISTER(art_dev, art_inode, pthread_attr_destroy); - hook_commit(); + if (!lsplt::CommitHook()) + ZLOGE("plt_hook failed\n"); } -static void unhook_functions() { +void HookContext::restore_plt_hook() { // Unhook plt_hook - for (const auto &[dev, inode, sym, old_func] : g_state->plt_backup) { + for (const auto &[dev, inode, sym, old_func] : plt_backup) { if (!lsplt::RegisterHook(dev, inode, sym, *old_func, nullptr)) { ZLOGE("Failed to register plt_hook [%s]\n", sym); should_unmap_zygisk = false; @@ -348,44 +442,6 @@ static void unhook_functions() { // ----------------------------------------------------------------- -void hookJniNativeMethods(JNIEnv *env, const char *clz, JNINativeMethod *methods, int numMethods) { - jclass clazz; - if (!g_state || !g_state->runtime_callbacks || !env || !clz || !(clazz = env->FindClass(clz))) { - for (auto i = 0; i < numMethods; ++i) { - methods[i].fnPtr = nullptr; - } - return; - } - - // Backup existing methods - auto total = g_state->runtime_callbacks->getNativeMethodCount(env, clazz); - vector old_methods(total); - g_state->runtime_callbacks->getNativeMethods(env, clazz, old_methods.data(), total); - - // Replace the method - for (auto i = 0; i < numMethods; ++i) { - auto &method = methods[i]; - auto res = env->RegisterNatives(clazz, &method, 1); - // It's normal that the method is not found - if (res == JNI_ERR || env->ExceptionCheck()) { - auto exception = env->ExceptionOccurred(); - if (exception) env->DeleteLocalRef(exception); - env->ExceptionClear(); - method.fnPtr = nullptr; - } else { - // Find the old function pointer and return to caller - for (const auto &old_method : old_methods) { - if (strcmp(method.name, old_method.name) == 0 && - strcmp(method.signature, old_method.signature) == 0) { - ZLOGD("replace %s#%s%s %p -> %p\n", clz, - method.name, method.signature, old_method.fnPtr, method.fnPtr); - method.fnPtr = old_method.fnPtr; - } - } - } - } -} - static string get_class_name(JNIEnv *env, jclass clazz) { static auto class_getName = env->GetMethodID( env->FindClass("java/lang/Class"), "getName", "()Ljava/lang/String;"); @@ -426,20 +482,20 @@ static jint env_RegisterNatives( auto className = get_class_name(env, clazz); if (className == "com/android/internal/os/Zygote") { // Restore JNIEnv as we no longer need to replace anything - env->functions = g_state->old_env; + env->functions = g_hook->old_env; vector newMethods(methods, methods + numMethods); - vector &backup = g_state->jni_backup[className]; + vector &backup = g_hook->jni_backup[className]; HOOK_JNI(nativeForkAndSpecialize); HOOK_JNI(nativeSpecializeAppProcess); HOOK_JNI(nativeForkSystemServer); - return g_state->old_env->RegisterNatives(env, clazz, newMethods.data(), numMethods); + return g_hook->old_env->RegisterNatives(env, clazz, newMethods.data(), numMethods); } else { - return g_state->old_env->RegisterNatives(env, clazz, methods, numMethods); + return g_hook->old_env->RegisterNatives(env, clazz, methods, numMethods); } } -static void hook_jni_env() { +void HookContext::hook_jni_env() { using method_sig = jint(*)(JavaVM **, jsize, jsize *); auto get_created_vms = reinterpret_cast( dlsym(RTLD_DEFAULT, "JNI_GetCreatedJavaVMs")); @@ -476,8 +532,64 @@ static void hook_jni_env() { } // Replace the function table in JNIEnv to hook RegisterNatives - memcpy(&g_state->new_env, env->functions, sizeof(*env->functions)); - g_state->new_env.RegisterNatives = &env_RegisterNatives; - g_state->old_env = env->functions; - env->functions = &g_state->new_env; + memcpy(&new_env, env->functions, sizeof(*env->functions)); + new_env.RegisterNatives = &env_RegisterNatives; + old_env = env->functions; + env->functions = &new_env; +} + +void HookContext::restore_jni_hook(JNIEnv *env) { + for (const auto &[clz, methods] : jni_backup) { + if (!methods.empty() && env->RegisterNatives( + env->FindClass(clz.data()), methods.data(), + static_cast(methods.size())) != 0) { + ZLOGE("Failed to restore JNI hook of class [%s]\n", clz.data()); + should_unmap_zygisk = false; + } + } +} + +// ----------------------------------------------------------------- + +void hook_functions() { + default_new(g_hook); + g_hook->hook_plt(); +} + +void hookJniNativeMethods(JNIEnv *env, const char *clz, JNINativeMethod *methods, int numMethods) { + jclass clazz; + if (!g_hook || !g_hook->runtime_callbacks || !env || !clz || !(clazz = env->FindClass(clz))) { + for (auto i = 0; i < numMethods; ++i) { + methods[i].fnPtr = nullptr; + } + return; + } + + // Backup existing methods + auto total = g_hook->runtime_callbacks->getNativeMethodCount(env, clazz); + vector old_methods(total); + g_hook->runtime_callbacks->getNativeMethods(env, clazz, old_methods.data(), total); + + // Replace the method + for (auto i = 0; i < numMethods; ++i) { + auto &method = methods[i]; + auto res = env->RegisterNatives(clazz, &method, 1); + // It's normal that the method is not found + if (res == JNI_ERR || env->ExceptionCheck()) { + auto exception = env->ExceptionOccurred(); + if (exception) env->DeleteLocalRef(exception); + env->ExceptionClear(); + method.fnPtr = nullptr; + } else { + // Find the old function pointer and return to caller + for (const auto &old_method : old_methods) { + if (strcmp(method.name, old_method.name) == 0 && + strcmp(method.signature, old_method.signature) == 0) { + ZLOGD("replace %s#%s%s %p -> %p\n", clz, + method.name, method.signature, old_method.fnPtr, method.fnPtr); + method.fnPtr = old_method.fnPtr; + } + } + } + } } diff --git a/native/src/core/zygisk/jni_hooks.hpp b/native/src/core/zygisk/jni_hooks.hpp index eeeba4f69..1f9639537 100644 --- a/native/src/core/zygisk/jni_hooks.hpp +++ b/native/src/core/zygisk/jni_hooks.hpp @@ -5,7 +5,7 @@ namespace { void *nativeForkAndSpecialize_orig = nullptr; [[clang::no_stack_protector]] jint nativeForkAndSpecialize_l(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jstring nice_name, jintArray fds_to_close, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, fds_to_close, instruction_set, app_data_dir @@ -16,7 +16,7 @@ void *nativeForkAndSpecialize_orig = nullptr; [[clang::no_stack_protector]] jint nativeForkAndSpecialize_o(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jstring nice_name, jintArray fds_to_close, jintArray fds_to_ignore, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.fds_to_ignore = &fds_to_ignore; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, fds_to_close, fds_to_ignore, instruction_set, app_data_dir @@ -28,7 +28,7 @@ void *nativeForkAndSpecialize_orig = nullptr; AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.fds_to_ignore = &fds_to_ignore; args.is_child_zygote = &is_child_zygote; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, fds_to_close, fds_to_ignore, is_child_zygote, instruction_set, app_data_dir @@ -41,7 +41,7 @@ void *nativeForkAndSpecialize_orig = nullptr; args.fds_to_ignore = &fds_to_ignore; args.is_child_zygote = &is_child_zygote; args.is_top_app = &is_top_app; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, fds_to_close, fds_to_ignore, is_child_zygote, instruction_set, app_data_dir, is_top_app @@ -58,7 +58,7 @@ void *nativeForkAndSpecialize_orig = nullptr; args.whitelisted_data_info_list = &whitelisted_data_info_list; args.mount_data_dirs = &mount_data_dirs; args.mount_storage_dirs = &mount_storage_dirs; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, fds_to_close, fds_to_ignore, is_child_zygote, instruction_set, app_data_dir, is_top_app, pkg_data_info_list, whitelisted_data_info_list, mount_data_dirs, mount_storage_dirs @@ -68,7 +68,7 @@ void *nativeForkAndSpecialize_orig = nullptr; } [[clang::no_stack_protector]] jint nativeForkAndSpecialize_samsung_m(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jint _0, jint _1, jstring nice_name, jintArray fds_to_close, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, _0, _1, nice_name, fds_to_close, instruction_set, app_data_dir @@ -78,7 +78,7 @@ void *nativeForkAndSpecialize_orig = nullptr; } [[clang::no_stack_protector]] jint nativeForkAndSpecialize_samsung_n(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jint _2, jint _3, jstring nice_name, jintArray fds_to_close, jstring instruction_set, jstring app_data_dir, jint _4) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, _2, _3, nice_name, fds_to_close, instruction_set, app_data_dir, _4 @@ -89,7 +89,7 @@ void *nativeForkAndSpecialize_orig = nullptr; [[clang::no_stack_protector]] jint nativeForkAndSpecialize_samsung_o(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jint _5, jint _6, jstring nice_name, jintArray fds_to_close, jintArray fds_to_ignore, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.fds_to_ignore = &fds_to_ignore; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, _5, _6, nice_name, fds_to_close, fds_to_ignore, instruction_set, app_data_dir @@ -101,7 +101,7 @@ void *nativeForkAndSpecialize_orig = nullptr; AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.fds_to_ignore = &fds_to_ignore; args.is_child_zygote = &is_child_zygote; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkAndSpecialize_pre(); reinterpret_cast(nativeForkAndSpecialize_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, _7, _8, nice_name, fds_to_close, fds_to_ignore, is_child_zygote, instruction_set, app_data_dir @@ -161,7 +161,7 @@ void *nativeSpecializeAppProcess_orig = nullptr; [[clang::no_stack_protector]] void nativeSpecializeAppProcess_q(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jstring nice_name, jboolean is_child_zygote, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.is_child_zygote = &is_child_zygote; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeSpecializeAppProcess_pre(); reinterpret_cast(nativeSpecializeAppProcess_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, is_child_zygote, instruction_set, app_data_dir @@ -172,7 +172,7 @@ void *nativeSpecializeAppProcess_orig = nullptr; AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.is_child_zygote = &is_child_zygote; args.is_top_app = &is_top_app; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeSpecializeAppProcess_pre(); reinterpret_cast(nativeSpecializeAppProcess_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, is_child_zygote, instruction_set, app_data_dir, is_top_app @@ -187,7 +187,7 @@ void *nativeSpecializeAppProcess_orig = nullptr; args.whitelisted_data_info_list = &whitelisted_data_info_list; args.mount_data_dirs = &mount_data_dirs; args.mount_storage_dirs = &mount_storage_dirs; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeSpecializeAppProcess_pre(); reinterpret_cast(nativeSpecializeAppProcess_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, is_child_zygote, instruction_set, app_data_dir, is_top_app, pkg_data_info_list, whitelisted_data_info_list, mount_data_dirs, mount_storage_dirs @@ -197,7 +197,7 @@ void *nativeSpecializeAppProcess_orig = nullptr; [[clang::no_stack_protector]] void nativeSpecializeAppProcess_samsung_q(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jint mount_external, jstring se_info, jint _9, jint _10, jstring nice_name, jboolean is_child_zygote, jstring instruction_set, jstring app_data_dir) { AppSpecializeArgs_v3 args(uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, nice_name, instruction_set, app_data_dir); args.is_child_zygote = &is_child_zygote; - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeSpecializeAppProcess_pre(); reinterpret_cast(nativeSpecializeAppProcess_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, mount_external, se_info, _9, _10, nice_name, is_child_zygote, instruction_set, app_data_dir @@ -230,7 +230,7 @@ std::array nativeSpecializeAppProcess_methods = { void *nativeForkSystemServer_orig = nullptr; [[clang::no_stack_protector]] jint nativeForkSystemServer_l(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jobjectArray rlimits, jlong permitted_capabilities, jlong effective_capabilities) { ServerSpecializeArgs_v1 args(uid, gid, gids, runtime_flags, permitted_capabilities, effective_capabilities); - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkSystemServer_pre(); reinterpret_cast(nativeForkSystemServer_orig)( env, clazz, uid, gid, gids, runtime_flags, rlimits, permitted_capabilities, effective_capabilities @@ -240,7 +240,7 @@ void *nativeForkSystemServer_orig = nullptr; } [[clang::no_stack_protector]] jint nativeForkSystemServer_samsung_q(JNIEnv *env, jclass clazz, jint uid, jint gid, jintArray gids, jint runtime_flags, jint _11, jint _12, jobjectArray rlimits, jlong permitted_capabilities, jlong effective_capabilities) { ServerSpecializeArgs_v1 args(uid, gid, gids, runtime_flags, permitted_capabilities, effective_capabilities); - HookContext ctx(env, &args); + ZygiskContext ctx(env, &args); ctx.nativeForkSystemServer_pre(); reinterpret_cast(nativeForkSystemServer_orig)( env, clazz, uid, gid, gids, runtime_flags, _11, _12, rlimits, permitted_capabilities, effective_capabilities diff --git a/native/src/core/zygisk/module.cpp b/native/src/core/zygisk/module.cpp index b3c311d32..38065178f 100644 --- a/native/src/core/zygisk/module.cpp +++ b/native/src/core/zygisk/module.cpp @@ -148,7 +148,7 @@ void ZygiskModule::postServerSpecialize(const ServerSpecializeArgs_v1 *args) con // ----------------------------------------------------------------- -void HookContext::plt_hook_register(const char *regex, const char *symbol, void *fn, void **backup) { +void ZygiskContext::plt_hook_register(const char *regex, const char *symbol, void *fn, void **backup) { if (regex == nullptr || symbol == nullptr || fn == nullptr) return; regex_t re; @@ -158,7 +158,7 @@ void HookContext::plt_hook_register(const char *regex, const char *symbol, void register_info.emplace_back(RegisterInfo{re, symbol, fn, backup}); } -void HookContext::plt_hook_exclude(const char *regex, const char *symbol) { +void ZygiskContext::plt_hook_exclude(const char *regex, const char *symbol) { if (!regex) return; regex_t re; if (regcomp(&re, regex, REG_NOSUB) != 0) @@ -167,7 +167,7 @@ void HookContext::plt_hook_exclude(const char *regex, const char *symbol) { ignore_info.emplace_back(IgnoreInfo{re, symbol ?: ""}); } -void HookContext::plt_hook_process_regex() { +void ZygiskContext::plt_hook_process_regex() { if (register_info.empty()) return; for (auto &map : lsplt::MapInfo::Scan()) { @@ -191,7 +191,7 @@ void HookContext::plt_hook_process_regex() { } } -bool HookContext::plt_hook_commit() { +bool ZygiskContext::plt_hook_commit() { { mutex_guard lock(hook_info_lock); plt_hook_process_regex(); @@ -203,7 +203,7 @@ bool HookContext::plt_hook_commit() { // ----------------------------------------------------------------- -void HookContext::sanitize_fds() { +void ZygiskContext::sanitize_fds() { zygisk_close_logd(); if (!is_child()) { @@ -256,7 +256,7 @@ void HookContext::sanitize_fds() { } } -bool HookContext::exempt_fd(int fd) { +bool ZygiskContext::exempt_fd(int fd) { if ((flags & POST_SPECIALIZE) || (flags & SKIP_CLOSE_LOG_PIPE)) return true; if (!can_exempt_fd()) @@ -265,7 +265,7 @@ bool HookContext::exempt_fd(int fd) { return true; } -bool HookContext::can_exempt_fd() const { +bool ZygiskContext::can_exempt_fd() const { return (flags & APP_FORK_AND_SPECIALIZE) && args.app->fds_to_ignore; } @@ -276,7 +276,7 @@ static int sigmask(int how, int signum) { return sigprocmask(how, &set, nullptr); } -void HookContext::fork_pre() { +void ZygiskContext::fork_pre() { // Do our own fork before loading any 3rd party code // First block SIGCHLD, unblock after original fork is done sigmask(SIG_BLOCK, SIGCHLD); @@ -303,12 +303,12 @@ void HookContext::fork_pre() { } } -void HookContext::fork_post() { +void ZygiskContext::fork_post() { // Unblock SIGCHLD in case the original method didn't sigmask(SIG_UNBLOCK, SIGCHLD); } -void HookContext::run_modules_pre(const vector &fds) { +void ZygiskContext::run_modules_pre(const vector &fds) { for (int i = 0; i < fds.size(); ++i) { struct stat s{}; if (fstat(fds[i], &s) != 0 || !S_ISREG(s.st_mode)) { @@ -347,7 +347,7 @@ void HookContext::run_modules_pre(const vector &fds) { } } -void HookContext::run_modules_post() { +void ZygiskContext::run_modules_post() { flags |= POST_SPECIALIZE; for (const auto &m : modules) { if (flags & APP_SPECIALIZE) { @@ -359,7 +359,7 @@ void HookContext::run_modules_post() { } } -void HookContext::app_specialize_pre() { +void ZygiskContext::app_specialize_pre() { flags |= APP_SPECIALIZE; vector module_fds; @@ -380,7 +380,7 @@ void HookContext::app_specialize_pre() { close(fd); } -void HookContext::app_specialize_post() { +void ZygiskContext::app_specialize_post() { run_modules_post(); if (info_flags & PROCESS_IS_MAGISK_APP) { setenv("ZYGISK_ENABLED", "1", 1); @@ -390,7 +390,7 @@ void HookContext::app_specialize_post() { env->ReleaseStringUTFChars(args.app->nice_name, process); } -void HookContext::server_specialize_pre() { +void ZygiskContext::server_specialize_pre() { vector module_fds; int fd = remote_get_info(1000, "system_server", &info_flags, module_fds); if (fd >= 0) { @@ -413,13 +413,13 @@ void HookContext::server_specialize_pre() { } } -void HookContext::server_specialize_post() { +void ZygiskContext::server_specialize_post() { run_modules_post(); } // ----------------------------------------------------------------- -void HookContext::nativeSpecializeAppProcess_pre() { +void ZygiskContext::nativeSpecializeAppProcess_pre() { process = env->GetStringUTFChars(args.app->nice_name, nullptr); ZLOGV("pre specialize [%s]\n", process); // App specialize does not check FD @@ -427,12 +427,12 @@ void HookContext::nativeSpecializeAppProcess_pre() { app_specialize_pre(); } -void HookContext::nativeSpecializeAppProcess_post() { +void ZygiskContext::nativeSpecializeAppProcess_post() { ZLOGV("post specialize [%s]\n", process); app_specialize_post(); } -void HookContext::nativeForkSystemServer_pre() { +void ZygiskContext::nativeForkSystemServer_pre() { ZLOGV("pre forkSystemServer\n"); flags |= SERVER_FORK_AND_SPECIALIZE; @@ -443,7 +443,7 @@ void HookContext::nativeForkSystemServer_pre() { sanitize_fds(); } -void HookContext::nativeForkSystemServer_post() { +void ZygiskContext::nativeForkSystemServer_post() { if (is_child()) { ZLOGV("post forkSystemServer\n"); server_specialize_post(); @@ -451,7 +451,7 @@ void HookContext::nativeForkSystemServer_post() { fork_post(); } -void HookContext::nativeForkAndSpecialize_pre() { +void ZygiskContext::nativeForkAndSpecialize_pre() { process = env->GetStringUTFChars(args.app->nice_name, nullptr); ZLOGV("pre forkAndSpecialize [%s]\n", process); flags |= APP_FORK_AND_SPECIALIZE; @@ -463,7 +463,7 @@ void HookContext::nativeForkAndSpecialize_pre() { sanitize_fds(); } -void HookContext::nativeForkAndSpecialize_post() { +void ZygiskContext::nativeForkAndSpecialize_post() { if (is_child()) { ZLOGV("post forkAndSpecialize [%s]\n", process); app_specialize_post(); diff --git a/native/src/core/zygisk/module.hpp b/native/src/core/zygisk/module.hpp index 2e1a2aacd..5b0c8e7c7 100644 --- a/native/src/core/zygisk/module.hpp +++ b/native/src/core/zygisk/module.hpp @@ -6,7 +6,7 @@ #include "api.hpp" -struct HookContext; +struct ZygiskContext; struct ZygiskModule; struct AppSpecializeArgs_v1; @@ -199,7 +199,7 @@ private: } mod; }; -extern HookContext *g_ctx; +extern ZygiskContext *g_ctx; extern int (*old_fork)(void); enum : uint32_t { @@ -217,7 +217,7 @@ enum : uint32_t { void name##_pre(); \ void name##_post(); -struct HookContext { +struct ZygiskContext { JNIEnv *env; union { void *ptr; @@ -250,8 +250,8 @@ struct HookContext { std::vector register_info; std::vector ignore_info; - HookContext(JNIEnv *env, void *args); - ~HookContext(); + ZygiskContext(JNIEnv *env, void *args); + ~ZygiskContext(); void run_modules_pre(const std::vector &fds); void run_modules_post(); diff --git a/native/src/core/zygisk/zygisk.hpp b/native/src/core/zygisk/zygisk.hpp index 5167935a6..702cb2d77 100644 --- a/native/src/core/zygisk/zygisk.hpp +++ b/native/src/core/zygisk/zygisk.hpp @@ -28,8 +28,8 @@ enum : int { #endif // Extreme verbose logging -//#define ZLOGV(...) ZLOGD(__VA_ARGS__) -#define ZLOGV(...) (void*)0 +#define ZLOGV(...) ZLOGD(__VA_ARGS__) +//#define ZLOGV(...) (void*)0 extern void *self_handle;