#include <android_malloc.h>
#include <dirent.h>
#include <dlfcn.h>
#include <malloc.h>
#include <sys/types.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
using namespace std;
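/// Resolve `symbol` from the shared object at `path`.
///
/// The library is opened with RTLD_LAZY and the handle is deliberately not
/// dlclose()d: closing it could unmap the library and invalidate the address
/// handed back to the caller.
///
/// @param path    Library path or soname, passed straight to dlopen().
/// @param symbol  Symbol name, passed straight to dlsym().
/// @return The symbol's address, or nullptr when the library or the symbol
///         cannot be found. The original messages are kept; the dlerror()
///         text is printed on its own line afterwards so failures are
///         diagnosable instead of a bare "is null".
static void *findSymbol(const char *path, const char *symbol) {
  void *handle = dlopen(path, RTLD_LAZY);
  if (handle == nullptr) {
    std::cout << "Handler is null" << std::endl;
    if (const char *err = dlerror()) {
      std::cout << err << std::endl;
    }
    return nullptr;
  }
  void *target = dlsym(handle, symbol);
  if (target == nullptr) {
    std::cout << "symbol is null" << std::endl;
    if (const char *err = dlerror()) {
      std::cout << err << std::endl;
    }
  }
  return target;
}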
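/// Find the pid of the process whose /proc/<pid>/cmdline matches `pkg_name`.
///
/// Every numeric entry of /proc is visited; the first line fgets() reads from
/// its cmdline file is compared with strcmp() against `pkg_name`.
///
/// @param pkg_name Exact process name to look for; nullptr yields -1.
/// @return The first matching pid, or -1 when pkg_name is null, /proc cannot be
///         opened, or no process matches.
int get_target_process_pid(const char *pkg_name) {
  if (pkg_name == nullptr) {
    return -1;
  }
  DIR *dir = opendir("/proc");
  if (dir == nullptr) {
    return -1;
  }
  pid_t pid = -1;
  char filename[32];
  char cmdline[256];
  struct dirent *entry;
  while ((entry = readdir(dir)) != nullptr) {
    const int id = atoi(entry->d_name);
    if (id == 0) {
      continue;  // not a numeric (pid) directory: ".", "..", "self", ...
    }
    // snprintf instead of sprintf: the buffer is bounded even if the format
    // or the pid width ever changes.
    snprintf(filename, sizeof(filename), "/proc/%d/cmdline", id);
    FILE *fp = fopen(filename, "r");
    if (fp == nullptr) {
      continue;  // process vanished or is not readable
    }
    // fgets() can fail (e.g. an empty cmdline); only compare when a line was
    // actually read, so cmdline is never used while indeterminate.
    const bool have_line = fgets(cmdline, sizeof(cmdline), fp) != nullptr;
    fclose(fp);
    if (have_line && strcmp(cmdline, pkg_name) == 0) {
      pid = id;
      break;
    }
  }
  closedir(dir);
  return pid;
}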
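/// Return the start address of the first mapping in /proc/<pid>/maps whose
/// line contains `lib_name`; a negative pid reads /proc/self/maps instead.
///
/// Fixes over the original: a failed fopen() is reported instead of being
/// dereferenced in feof(); the read loop is driven by fgets() (testing
/// feof() first re-processes the last line); the maps file is closed exactly
/// once (the original closed it twice on a match); a null lib_name no longer
/// reaches strstr()/operator<<.
///
/// @param pid       Target pid, or a negative value for the current process.
/// @param lib_name  Substring searched for in each maps line.
/// @return The mapping's start address as a pointer, or nullptr when the maps
///         file cannot be opened, no line matches, or the parsed start address
///         is 0 or 0x8000 (0x8000 is reported as "not found", as before).
void *get_libs_addr(pid_t pid, const char *lib_name) {
  if (lib_name == nullptr) {
    return nullptr;
  }
  char maps_path[32];
  if (pid < 0) {
    snprintf(maps_path, sizeof(maps_path), "/proc/self/maps");
  } else {
    snprintf(maps_path, sizeof(maps_path), "/proc/%d/maps", pid);
  }
  std::cout << "get_libs_addr:" << maps_path << " lib:" << lib_name << std::endl;
  FILE *maps = fopen(maps_path, "r");
  if (maps == nullptr) {
    std::cout << "cannot open " << maps_path << std::endl;
    return nullptr;
  }
  long addr = 0;
  char str_line[1024];
  // fgets() returning nullptr is the EOF/error signal.
  while (fgets(str_line, sizeof(str_line), maps) != nullptr) {
    if (strstr(str_line, lib_name) == nullptr) {
      continue;
    }
    std::cout << "match:" << str_line << std::endl;
    // A maps line starts with "<start>-<end> ..."; take the hex start field.
    const char *start = strtok(str_line, "-");
    addr = (start != nullptr) ? static_cast<long>(strtoul(start, nullptr, 16)) : 0;
    std::cout << "str addr" << addr << std::endl;
    std::cout << " ptr " << (void *)addr << std::endl;
    if (addr == 0x8000)
      addr = 0;
    break;
  }
  fclose(maps);
  std::cout << " ENDL " << std::endl;
  return (void *) addr;
}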
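/// Translate an address by a library-relative offset.
///
/// Computes remote_func_addr + (local_func_addr - local_lib_addr). Judging from
/// the parameter names the third argument is the remote library's base, onto
/// which the local offset of the function is applied — confirm with callers.
/// uintptr_t replaces long so the arithmetic is well-defined and lossless
/// whatever sizeof(long) is (long is 32 bits on some 64-bit platforms).
///
/// @param local_lib_addr   Library load address in this process.
/// @param local_func_addr  Function address in this process.
/// @param remote_func_addr Base the computed offset is added to.
/// @return remote_func_addr + (local_func_addr - local_lib_addr).
void *get_remote_func_addr(void *local_lib_addr, void *local_func_addr, void *remote_func_addr) {
  const uintptr_t local_lib = reinterpret_cast<uintptr_t>(local_lib_addr);
  const uintptr_t local_func = reinterpret_cast<uintptr_t>(local_func_addr);
  const uintptr_t remote_base = reinterpret_cast<uintptr_t>(remote_func_addr);
  return reinterpret_cast<void *>(remote_base + (local_func - local_lib));
}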
// Signature of android_mallopt as called from main(): (opcode, arg, arg_size) -> success.
using android_mallopt_func_t = bool (*)(int, void *, size_t);
// Substrings that get_libs_addr() looks for in /proc/<pid>/maps lines.
const char *LIBC_NAME = "lib64/bionic/libc.so";
const char *LINKER_PATH = "bin/linker64";
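/// Entry point: log the libc/linker load addresses of com.android.settings and
/// of this process, then query malloc leak information for this process via
/// android_mallopt and print a few of its fields.
///
/// @return 0 on success; 1 when android_mallopt cannot be resolved or the
///         M_GET_MALLOC_LEAK_INFO call reports failure (the original kept
///         going and read an indeterminate struct).
int main() {
  // get_target_process_pid(nullptr) returns -1, which get_libs_addr() maps to
  // /proc/self/maps — "my_pid" is a sentinel for the current process.
  pid_t my_pid = get_target_process_pid(nullptr);
  pid_t target_pid = get_target_process_pid("com.android.settings");
  if (target_pid < 0) {
    // get_libs_addr() treats a negative pid as "self", so the "remote"
    // lookups below would silently read this process's own maps.
    std::cout << "target process not found; remote lookups read /proc/self/maps" << std::endl;
  }
  // All four lookups are kept for their log output (get_libs_addr prints each
  // matching maps line); only remote_libc_addr is used afterwards.
  void *remote_libc_addr = get_libs_addr(target_pid, LIBC_NAME);
  void *remote_linker_addr = get_libs_addr(target_pid, LINKER_PATH);
  void *local_libc_addr = get_libs_addr(my_pid, LIBC_NAME);
  void *local_linker_addr = get_libs_addr(my_pid, LINKER_PATH);
  (void) remote_linker_addr;
  (void) local_libc_addr;
  (void) local_linker_addr;
  std::cout << remote_libc_addr << std::endl;

  void *func_ptr = findSymbol("libc.so", "android_mallopt");
  std::cout << "android_mallopt ptr:" << func_ptr << std::endl;
  if (func_ptr == nullptr) {
    // Calling through a null function pointer is undefined behaviour.
    return 1;
  }
  // Zero-initialise so the field checks below never read indeterminate memory
  // if the call fails without writing the struct.
  android_mallopt_leak_info_t leak_info = {};
  const bool result = reinterpret_cast<android_mallopt_func_t>(func_ptr)(M_GET_MALLOC_LEAK_INFO, &leak_info, sizeof(leak_info));
  if (!result) {
    std::cout << "MALLOC_LEAK FAILED!!!" << result << std::endl;
    return 1;
  }
  if (leak_info.buffer == nullptr || leak_info.overall_size == 0 || leak_info.info_size == 0 || (leak_info.overall_size / leak_info.info_size) == 0) {
    std::cout << "MALLOC_LEAK NULL!!!" << std::endl;
  }
  // NOTE(review): leak_info.buffer is filled in by libc and is never released
  // here; the leak-info query has a matching free opcode in bionic — confirm
  // what the local android_malloc.h declares and release the buffer before
  // returning.
#define PRINT(field) std::cout << #field << leak_info.field << std::endl;
  PRINT(backtrace_size)
  PRINT(total_memory)
  PRINT(overall_size)
#undef PRINT
  return 0;
}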