BinderHackDemo

trace all binder-funcion calls on android-platform

该demo展示了如何使用libbinderhack.so模块，trace-app自身进程binder调用情况

您可以通过该次提交，查看如何使用libbinderhack.so

libbinderhack.so用途:

1.可以作为一个逆向工具，分析app行为

2.可以作为一款性能分析工具，查看进程是否有非必要的、频繁跨进程调用binder

3.可以作为一款安全工具，分析本app是否有不合规的api调用(可以参考工信部移动互联网安全)

缺点：

1.目前只支持安卓5.0以上平台(art)

2.由于hook的仅仅是BinderProxy.transactNative函数，所以仅能trace到proxy调用

输出的demo样例:

com.example.myapplication D/WHULZZ: android.content.pm.IPackageManager getInstalledApplications
com.example.myapplication D/WHULZZ: android.view.accessibility.IAccessibilityManager getEnabledAccessibilityServiceList
com.example.myapplication D/WHULZZ: android.app.IActivityTaskManager activityTopResumedStateLost
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.view.IWindowSession relayout
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.app.IActivityTaskManager activityStopped
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.view.accessibility.IAccessibilityManager getEnabledAccessibilityServiceList
com.example.myapplication D/WHULZZ: android.view.IWindowSession relayout
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.app.IActivityTaskManager getActivityOptions
com.example.myapplication D/WHULZZ: miui.security.ISecurityManager activityResume
com.example.myapplication D/WHULZZ: android.app.IActivityTaskManager activityResumed
com.example.myapplication D/WHULZZ: android.view.IWindowSession relayout
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.view.IWindowSession finishDrawing
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow
com.example.myapplication D/WHULZZ: android.app.IActivityTaskManager activityIdle
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager startInputOrWindowGainedFocus
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager reportPerceptible
com.example.myapplication D/WHULZZ: com.android.internal.view.IInputMethodManager removeImeSurfaceFromWindow

使用方式

1.必须在您的apk资源目录中提供bm.properties文件，并定义BinderCareEntry

该文件中定义了BinderCareEntry="java class name"

便于后文叙述，此java class name简称为ENTRY

BinderHackDemo中将此ENTRY定义为com.example.myapplication.MainActivity

该ENTRY会被libbinderhack.so加载时使用，如未定义，将导致link失败

2.必须在ENTRY class中定义这两个native-jni函数

正确声明这两个native函数:

必须将这两个函数放一起声明

    /**
     * start binder monitor
     */
    private static native void start();

    /**
     * end binder monitor
     */
    private static native void end();

错误声明方式如下：

private static native void start();

public void xx();//不能在start/end函数之间存放其他声明

private static native void end();

3.如果您只关注部分binder调用，可在ENTRY中提供getInterestBinders函数

您可以仿照BinderHackDemo中的样例：

 getInstalledApplications HashSet
   pmFuncs = new HashSet<>(); pmFuncs.add("getInstalledApplications"); monitorBinderMap.put("android.content.pm.IPackageManager", pmFuncs); return monitorBinderMap; }"> 
      /**
     * This function is not necessary!
     * If not provided, binderhack will print all the binder calls.
     * This function will be called by native-c code.
     *
     * @return HashMap
    
     >. see demo below for detail
    
     */
    @Keep
    private static HashMap getInterestBinders() {
        //关注IActivityManager->activityPaused
        HashMap<String, Set<String>> monitorBinderMap = new HashMap<>();
        HashSet<String> amFuncs = new HashSet<>();
        amFuncs.add("activityPaused");
        monitorBinderMap.put("android.app.IActivityManager", amFuncs);

        //关注IPackageManager->getInstalledApplications
        HashSet<String> pmFuncs = new HashSet<>();
        pmFuncs.add("getInstalledApplications");
        monitorBinderMap.put("android.content.pm.IPackageManager", pmFuncs);
        return monitorBinderMap;
    } 
 

4.如果您要拦截binder调用，您可以在ENTRY中提供transactStart/transactEnd函数

同样可以在样例中找到demo

transactStart

    /**
     *
     * @param interfaceName likely as android.content.pm.IPackageManager
     * @param funcName likely as getInstalledApplications
     * @param data see {@link android.os.IBinder}->transact(...)
     * @param reply see {@link android.os.IBinder}->transact(...)
     * @return TRUE represents you've decided to intercept the origin call.
     */
    @Keep
    private static boolean transactStart(Object interfaceName, Object funcName, Parcel data, Parcel reply) {
        Log.d("WHULZZ", String.format("transactStart %s %s", interfaceName, funcName));
        return false;
    }

transactEnd

    /**
     *
     * @param interfaceName likely as android.content.pm.IPackageManager
     * @param funcName likely as getInstalledApplications
     * @param data see {@link android.os.IBinder}->transact(...)
     * @param reply reply see {@link android.os.IBinder}->transact(...)
     * @param originRet this is the origin result
     * @return I advice you to use {@param originRet}
     */
    @Keep
    private static boolean transactEnd(Object interfaceName, Object funcName, Parcel data, Parcel reply, boolean originRet) {
        Log.d("WHULZZ", String.format("transactEnd %s %s", interfaceName, funcName));
        return originRet;
    }

libbinderhack.so模块后续也会开源，请耐心等候

欢迎脑暴...

contact with [email protected]

HackerNews with Kotlin Multi-platform mobile technology

KNews The goal of this project is to build mobile apps that consumes HackerNews API with Kotlin Multi-Platform technology. About My idea is to build 2

43 Oct 3, 2022

Kotlin Multi Platform UI

Xeon UI (work-in-progress 👷 🔧️ 👷‍♀️ ⛏ ) Development Version Release This Is Latest Release ~ In Development $version_release = ~ What's New?? * In

2 Oct 15, 2021

Kotlin multi-platform application navigation library.

navigation Kotlin multi-platform application navigation library. Supports Jetpack Compose. val navigator = rememberNavigatorByKey("Greeting") { key -

9 Jan 2, 2023

Kotlin multi-platform simple File I/O library

KmpIO This is a Kotlin multiplatform (KMP) library for basic Text file, Binary file, and zip/archive file IO. It was initially implemented with the an

9 Oct 1, 2022

Camunda Platform 7 WebApp Auto-Login

Camunda Platform 7 WebApp Auto-Login Auto-login feature for development Why should you use it? Because otherwise, you need to type again and again "ad

8 Sep 6, 2022

A platform to capture, visualize and evaluate multiple Coiffeur-Jass

JassTracker Screenshots Development The easiest way to start all components is using the configured IntelliJ run configuration. There exists one confi

5 Dec 28, 2022

An e-commerce app which provide a new platform to order food items from various restaurants

Food_App_Internshala An e-commerce app which provide a new platform to order food items from various restaurants. Splash and Login Page Opening of the

0 Apr 26, 2022

This is the interpreter of Hime language, a dialect of Lisp, run on JVM platform.

Hime Language About This is the interpreter of Hime language, a dialect of Lisp, running on JVM platform. Once a feature is finished and tested, and n

8 Jul 12, 2022

Game server management, orchestration, and scaling platform.

Liftgate Game server management, orchestration, and scaling platform. Project Status This project is a W.I.P. This README will be updated once we ente

4 Nov 14, 2022

Trace all binder-funcion calls on android-platform

Related tags

Overview

BinderHackDemo

该demo展示了如何使用libbinderhack.so模块，trace-app自身进程binder调用情况

libbinderhack.so用途:

缺点：

输出的demo样例:

使用方式

1.必须在您的apk资源目录中提供bm.properties文件，并定义BinderCareEntry

2.必须在ENTRY class中定义这两个native-jni函数

正确声明这两个native函数:

错误声明方式如下：

3.如果您只关注部分binder调用，可在ENTRY中提供getInterestBinders函数

您可以仿照BinderHackDemo中的样例：

4.如果您要拦截binder调用，您可以在ENTRY中提供transactStart/transactEnd函数

transactStart

transactEnd

libbinderhack.so模块后续也会开源，请耐心等候

欢迎脑暴...

You might also like...

HackerNews with Kotlin Multi-platform mobile technology

Kotlin Multi Platform UI

Kotlin multi-platform application navigation library.

Kotlin multi-platform simple File I/O library

Camunda Platform 7 WebApp Auto-Login

A platform to capture, visualize and evaluate multiple Coiffeur-Jass

An e-commerce app which provide a new platform to order food items from various restaurants

This is the interpreter of Hime language, a dialect of Lisp, run on JVM platform.

Game server management, orchestration, and scaling platform.

Owner

Webclient-kotlin-sample - An example of using the http web client to promote synchronous and asynchronous https calls

The home of the amigo-platform which serves as the main service for the amigo multimedia platform

A fully-customizable Open-Source Android application platform with plethora of animation and customizations for all kinds of community events like technical fests, college programs and competitions. Modify and Build as per your requirements without coding from scratch!.

CovidTracker traces all the covid-19 cases all over the world.

Kotrlin Programming Language Cross-Platform Development which includes Android, iOS and Backend. Pretty much everwhere.

Plannr is an organizational platform developed using Java, in the form of an Android app, that helps university students coordinate their everyday routine.

Kotatsu is a free and open source manga reader for Android platform

Flexible switch is a responsive switch with some nice features which developers can use for making awesome switches on android platform.

Android eCommerce storefront app based on Shopemaa eCommerce Platform.

Collection of Rewrite Recipes pertaining to the JHipster web application & microservice development platform