记录lldb带符号调试安卓

为了跟踪 so 的加载调用链，我先在 linker64 的 `soinfo::call_constructors` 下了一个断点（从下面的栈可以看到它是在 `do_dlopen` 里、符号解析和重定位做完之后才被调用的，这时 soinfo 已经填好但 `.init_array` 还没跑）。顺带一提，线程名显示成 `om.jywsqk.jh.jh` 是因为内核 comm 字段只有 15 个字符，包名 `com.jywsqk.jh.jh` 被截掉了首字母，不是符号出了问题。
```
* thread #1, name = 'om.jywsqk.jh.jh', stop reason = breakpoint 2.1
    frame #0: 0x0000007c2085232c linker64`__dl__ZN6soinfo17call_constructorsEv
linker64`__dl__ZN6soinfo17call_constructorsEv:
->  0x7c2085232c <+0>:  sub    sp, sp, #0x60
    0x7c20852330 <+4>:  stp    x29, x30, [sp, #0x40]
    0x7c20852334 <+8>:  stp    x20, x19, [sp, #0x50]
    0x7c20852338 <+12>: add    x29, sp, #0x40
(lldb) bt
* thread #1, name = 'om.jywsqk.jh.jh', stop reason = breakpoint 2.1
  * frame #0: 0x0000007c2085232c linker64`__dl__ZN6soinfo17call_constructorsEv
    frame #1: 0x0000007c2084b6dc linker64`__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv + 1616
    frame #2: 0x0000007c2084af18 linker64`__dl__ZL10dlopen_extPKciPK17android_dlextinfoPKv + 76
    frame #3: 0x0000007c169150cc libdl.so`android_dlopen_ext + 20
    frame #4: 0x0000007c0c11da28 libnativeloader.so`android::NativeLoaderNamespace::Load(char const*) const + 188
    frame #5: 0x0000007c0c10de1c libnativeloader.so`OpenNativeLibraryInNamespace + 72
    frame #6: 0x0000007c0c10d554 libnativeloader.so`OpenNativeLibrary + 136
    frame #7: 0x000000796ab19d4c libart.so`art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) + 732
    frame #8: 0x00000079603e21c4 libopenjdkjvm.so`JVM_NativeLoad + 416
    frame #9: 0x00000000708b8960 boot.oat`art_jni_trampoline + 160
    frame #10: 0x00000000708ebe48 boot.oat`java.lang.Runtime.load0 + 584
    frame #11: 0x00000000708efa50 boot.oat`java.lang.System.load + 96
    frame #12: 0x000000796abb809c libart.so`NterpCommonInvokeStatic + 124
```
 
为了方便对照源码，把上面 C++ 风格的 mangled 符号用 demangler 还原一下。注意还原后的输出里偏移量前面的 `+` 被吃掉了（`+ 1616` 变成了 `1616`），而且 frame #12 变成了 `libart.so`nterp_helper 156`，和第一份栈里的 `NterpCommonInvokeStatic + 124` 不一致，应该是另一次停下时抓的栈，看的时候以第一份为准。
```
* thread #1, name = 'om.jywsqk.jh.jh', stop reason = breakpoint 2.1
  * frame #0: 0x0000007c2085232c linker64`__dl_soinfo::call_constructors()
    frame #1: 0x0000007c2084b6dc linker64`__dl_do_dlopen(char const*, int, android_dlextinfo const*, void const*) 1616
    frame #2: 0x0000007c2084af18 linker64`__dl_dlopen_ext(char const*, int, android_dlextinfo const*, void const*) 76
    frame #3: 0x0000007c169150cc libdl.so`android_dlopen_ext 20
    frame #4: 0x0000007c0c11da28 libnativeloader.so`android::NativeLoaderNamespace::Load(char const*) const 188
    frame #5: 0x0000007c0c10de1c libnativeloader.so`OpenNativeLibraryInNamespace 72
    frame #6: 0x0000007c0c10d554 libnativeloader.so`OpenNativeLibrary 136
    frame #7: 0x000000796ab19d4c libart.so`art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) 732
    frame #8: 0x00000079603e21c4 libopenjdkjvm.so`JVM_NativeLoad 416
    frame #9: 0x00000000708b8960 boot.oat`art_jni_trampoline 160
    frame #10: 0x00000000708ebe48 boot.oat`java.lang.Runtime.load0 584
    frame #11: 0x00000000708efa50 boot.oat`java.lang.System.load 96
    frame #12: 0x000000796abb809c libart.so`nterp_helper 156
```
 
断在 `soinfo::call_constructors` 的第一条指令上，按 AArch64 调用约定 x0 就是成员函数的 `this`，也就是 `soinfo*`。这里用 lldb 把它按结构体打印出来看看（能直接解析 `soinfo` 类型是因为用的是带符号/调试信息的 linker64，否则只能手算偏移）：
```
(lldb) p *(soinfo*)$x0
(soinfo) $0 = {
  phdr = 0x0000007966108040
  phnum = 8
  base = 521403400192
  size = 16384
  dynamic = 0x000000796610ad98
  next = nullptr
  flags_ = 1073743169
  strtab_ = 0x0000007966108528 ""
  symtab_ = 0x0000007966108318
  nbucket_ = 17
  nchain_ = 22
  bucket_ = 0x0000007966108230
  chain_ = 0x0000007966108274
  plt_rela_ = 0x0000007966108750
  plt_rela_count_ = 11
  rela_ = 0x0000007966108678
  rela_count_ = 9
  preinit_array_ = 0x0000000000000000
  preinit_array_count_ = 0
  init_array_ = 0x0000000000000000
  init_array_count_ = 0
  fini_array_ = 0x000000796610ad80
  fini_array_count_ = 2
  init_func_ = 0x0000000000000000
  fini_func_ = 0x0000000000000000
  ref_count_ = 1
  link_map_head = {
    l_addr = 521403400192
    l_name = 0x0000007c1f60e880 "/data/app/~~2a2KyZV06mN7c3XmdS1Www==/com.jywsqk.jh.jh-8sP-H9S_j6waw-HoRFU3xg==/lib/arm64/libmain.so"
    l_ld = 0x000000796610ad98
    l_next = nullptr
    l_prev = 0x0000007c1f685480
  }
  constructors_called = false
  load_bias = 521403400192
  has_DT_SYMBOLIC = false
  version_ = 6
  st_dev_ = 64802
  st_ino_ = 36896
  children_ = {
    head_ = 0x0000007c1f7564d0
    tail_ = 0x0000007c1f756480
  }
  parents_ = {
    head_ = nullptr
    tail_ = nullptr
  }
  file_offset_ = 0
  rtld_flags_ = 2
  dt_flags_1_ = 1
  strtab_size_ = 223
  gnu_nbucket_ = 3
  gnu_bucket_ = 0x00000079661082e8
  gnu_chain_ = 0x00000079661082bc
  gnu_maskwords_ = 0
  gnu_shift2_ = 6
  gnu_bloom_filter_ = 0x00000079661082e0
  local_group_root_ = 0x0000007c1f685620
  android_relocs_ = 0x0000000000000000
  android_relocs_size_ = 0
  soname_ = "libmain.so"
  realpath_ = "/data/app/~~2a2KyZV06mN7c3XmdS1Www==/com.jywsqk.jh.jh-8sP-H9S_j6waw-HoRFU3xg==/lib/arm64/libmain.so"
  versym_ = 0x0000007966108608
  verdef_ptr_ = 0
  verdef_cnt_ = 0
  verneed_ptr_ = 521403401784
  verneed_cnt_ = 2
  target_sdk_version_ = 26
  dt_runpath_ = size=0 {}
  primary_namespace_ = 0x0000007c1f597dd0
  secondary_namespaces_ = (head_ = 0x0000000000000000, tail_ = 0x0000000000000000)
  handle_ = 7524134029017337729
  relr_ = 0x0000000000000000
  relr_count_ = 0
  tls_ = nullptr {
    __value_ = nullptr
  }
  tlsdesc_args_ = size=0 {}
  gap_start_ = 521403842560
  gap_size_ = 0
}
```
 
 
第二个断点下在 `libdl.so` 的 `android_dlopen_ext` 入口。注意开头几条指令：`xpaclri` 先把 x30（返回地址）上的 PAC 去掉，然后 `mov x3, x30` 把它当第四个参数传下去——这个返回地址就是后面说的 `caller_addr`（对应 bionic 源码里的 `__builtin_return_address(0)`），linker 就是靠它判断"是谁在 dlopen"。`android_dlextinfo.flags = 512` 即 `dlext.h` 里的 `ANDROID_DLEXT_USE_NAMESPACE (0x200)`，所以这次加载用的命名空间直接取自 `library_namespace`；这个指针 `0x7c1f597dd0` 和上面 libmain.so 的 `primary_namespace_` 是同一个，也就是应用的 `clns-5`。它 `is_isolated_ = true`，能看到的平台库只有 `linked_namespaces_[0].shared_lib_sonames_` 列出的那 24 个 NDK 公开库，里面没有 libart.so——这就是应用代码直接 `dlopen("libart.so")` 会被拒绝的原因。
```
* thread #1, name = 'om.jywsqk.jh.jh', stop reason = breakpoint 3.1
    frame #0: 0x0000007c169150b8 libdl.so`android_dlopen_ext
libdl.so`android_dlopen_ext:
->  0x7c169150b8 <+0>:  stp    x29, x30, [sp, #-0x10]!
    0x7c169150bc <+4>:  mov    x29, sp
    0x7c169150c0 <+8>:  xpaclri
    0x7c169150c4 <+12>: mov    x3, x30
// ref : http://xrefandroid.com/android-12.0.0_r34/xref/bionic/libc/include/android/dlext.h?fi=android_dlextinfo#155
(lldb) x/s 0x00000079dfa4fa50
0x79dfa4fa50: "/data/app/~~GEhfXINKLgwi1V-hlHUHjQ==/com.google.android.webview-1egDD-EHl0w3X-IbMoVC4g==/base.apk"
(lldb) p *(android_dlextinfo*)$x2
(android_dlextinfo) $1 = {
  flags = 512
  reserved_addr = 0x0000000000000000
  reserved_size = 0
  relro_fd = 0
  library_fd = 0
  library_fd_offset = 0
  library_namespace = 0x0000007c1f597dd0
}
// ref : http://xrefandroid.com/android-12.0.0_r34/xref/bionic/linker/linker_namespaces.h#167
(lldb) p *(*(android_dlextinfo*)$x2).library_namespace
(android_namespace_t) $3 = {
  name_ = "clns-5"
  is_isolated_ = true
  is_exempt_list_enabled_ = false
  is_also_used_as_anonymous_ = false
  ld_library_paths_ = size=0 {}
  default_library_paths_ = size=2 {
    [0] = "/data/app/~~2a2KyZV06mN7c3XmdS1Www==/com.jywsqk.jh.jh-8sP-H9S_j6waw-HoRFU3xg==/lib/arm64"
    [1] = "/data/app/~~2a2KyZV06mN7c3XmdS1Www==/com.jywsqk.jh.jh-8sP-H9S_j6waw-HoRFU3xg==/base.apk!/lib/arm64-v8a"
  }
  permitted_paths_ = size=3 {
    [0] = "/data"
    [1] = "/mnt/expand"
    [2] = "/data/user/0/com.jywsqk.jh.jh"
  }
  allowed_libs_ = size=0 {}
  linked_namespaces_ = size=5 {
    [0] = {
      linked_namespace_ = 0x0000007c208d54e0
      shared_lib_sonames_ = size=24 {
        [0] = "libandroid.so"
        [1] = "liblog.so"
        [2] = "libdl.so"
        [3] = "libstdc++.so"
        [4] = "libGLESv1_CM.so"
        [5] = "libEGL.so"
        [6] = "libOpenMAXAL.so"
        [7] = "libaaudio.so"
        [8] = "libbinder_ndk.so"
        [9] = "libc.so"
        [10] = "libcamera2ndk.so"
        [11] = "libGLESv2.so"
        [12] = "libGLESv3.so"
        [13] = "libsync.so"
        [14] = "libjnigraphics.so"
        [15] = "libm.so"
        [16] = "libmediandk.so"
        [17] = "libOpenSLES.so"
        [18] = "libz.so"
        [19] = "libvulkan.so"
        [20] = "libRS.so"
        [21] = "libwebviewchromium_plat_support.so"
        [22] = "libnativewindow.so"
        [23] = "libamidi.so"
      }
      allow_all_shared_libs_ = false
    }
    [1] = {
      linked_namespace_ = 0x0000007c1f597170
      shared_lib_sonames_ = size=1 {
        [0] = "libnativehelper.so"
      }
      allow_all_shared_libs_ = false
    }
    [2] = {
      linked_namespace_ = 0x0000007c1f597380
      shared_lib_sonames_ = size=3 {
        [0] = "libicui18n.so"
        [1] = "libicuuc.so"
        [2] = "libicu.so"
      }
      allow_all_shared_libs_ = false
    }
    [3] = {
      linked_namespace_ = 0x0000007c1f5974e0
      shared_lib_sonames_ = size=1 {
        [0] = "libneuralnetworks.so"
      }
      allow_all_shared_libs_ = false
    }
    [4] = {
      linked_namespace_ = 0x0000007c1f597900
      shared_lib_sonames_ = size=8 {
        [0] = "libairbrush-pixel.so"
        [1] = "libqdMetaData.so"
        [2] = "lib_aion_buffer.so"
        [3] = "libOpenCL-pixel.so"
        [4] = "libadsprpc.so"
        [5] = "libsdsprpc.so"
        [6] = "libfastcvopt.so"
        [7] = "libcdsprpc.so"
      }
      allow_all_shared_libs_ = false
    }
  }
  soinfo_list_ = {
    head_ = 0x0000007c1f755660
    tail_ = 0x0000007c1f756cb0
  }
}
```
 
 
 
notion image
notion image
 
截图里（文本导出没保留）是 bionic `do_dlopen` 中根据 `caller_addr` 决定命名空间的那段逻辑。应用自己的 so 在运行时调 `dlopen()` 时没有 `extinfo`，linker 会用 `find_containing_library(caller_addr)` 找到调用者的 soinfo，再用它的 `primary_namespace_` 作为查找命名空间。把 `caller_addr` 改成落在 libart.so 映射范围内的地址，`find_containing_library` 返回的就是 libart.so 的 soinfo，拿到的命名空间也就从上面那个 `is_isolated_ = true` 的 `clns-5` 变成了平台命名空间，linker 便会按系统库的可见性去解析 libart.so 里的符号——相当于让用户 so 冒充系统 so。需要说明的是，这只是调试/逆向场景下绕过 linker 命名空间隔离的手段，而不是 linker 的漏洞：能改写进程内 `caller_addr` 的人本来就已经在该进程里执行代码（这里靠的是调试器，线上则需要 root 或 hook）；另外 libart.so 的内部符号没有任何 ABI 保证，随系统版本变化，不要把这种做法带进正式产品。
 
notion image
 
`soinfo* const caller = find_containing_library(caller_addr);` —— 把 `caller_addr` 换掉之后，这一行得到的就是 libart.so 的 `soinfo*`。这里还可以再封装一层：按 soname（比如 `"libart.so"`）直接在 linker 的 soinfo 链表里查 `soinfo*`，省掉先查基地址再反推的步骤；前提同样是已经能在调试器里或进程内读写 linker 的数据。