fritteli

Reputation: 123

Android: How can I intercept native function calls?

I'm a student in computer science. As part of my master's project, I'm trying to intercept calls to functions in native libraries on the Android platform. The goal is to decide whether to allow the call or deny it in order to improve security.

Following the approach of a research paper 1, I want to modify the Procedure Linkage Table (PLT) and the Global Offset Table (GOT) of the ELF file. The idea is that I want to make all the function calls point to my own intercepting function, which decides whether to block the call or pass it through to the original target function.

The ELF specification 2 says (in Book III, Chapter 2 Program Loading and Dynamic Linking, page 2-13, Sections "Global Offset Table" and "Procedure Linkage Table") that the actual contents and form of the PLT and the GOT depend upon the processor. However, in the documentation "ELF for the ARM Architecture" 3, I was unable to see the exact specification of either of those tables. I am concentrating on ARM and not considering other architectures at the moment.

I have 3 questions:

Thanks, Manuel

Upvotes: 2

Views: 793

Answers (1)

alexst

Reputation: 631

  1. You need to parse ELF headers and look up the symbol index by the string name in the SHT_DYNSYM. Then iterate over the GOT (which would be called ".rela.plt") and find the entry with the matching index.
  2. I don't know about the formal spec, but you can always study the Android linker source and disassemble some binaries to notice the patterns.
  3. Usually the PLT is just common code and you don't need to modify it. It's actually designed this way because if the linker had to modify it, you would end up with RWX memory, which is undesirable. So you just need to rewrite the entry in the GOT. By default the GOT entries point to the resolver routine that will find the needed function and write the entry to the GOT. That's on Linux. On Android the addresses are already resolved.

I did something for x86_64 Linux: https://github.com/astarasikov/sxge/blob/vaapi_recorder/apps/src/sxge/apps/demo1_cube/hook-elf.c

And also there's a blog about doing what you want on Android https://www.google.de/amp/shunix.com/android-got-hook/amp/

Upvotes: 0
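
The lookup from point 1 of the answer (symbol name to dynamic symbol index to PLT relocation entry to GOT slot), as an added example that is not part of the original post or the linked projects. It assumes a 32-bit ARM ELF, where PLT relocations are `Elf32_Rel` records, and that the three tables have already been located; `got_slot_for`, `demo_lookup` and the sample tables are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF32 record layouts; 32-bit ARM uses REL (no addend) for PLT relocations. */
typedef struct { uint32_t st_name, st_value, st_size;
                 uint8_t st_info, st_other; uint16_t st_shndx; } Sym32;
typedef struct { uint32_t r_offset, r_info; } Rel32;
#define R_SYM(info)  ((info) >> 8)
#define R_TYPE(info) ((info) & 0xffu)
#define R_ARM_JUMP_SLOT 22u

/* Returns the GOT slot address (r_offset) the PLT uses for `name`, 0 if none. */
uint32_t got_slot_for(const char *name, const Sym32 *sym, size_t nsym,
                      const char *str, size_t strsz,
                      const Rel32 *rel, size_t nrel)
{
    size_t idx = 0;
    for (size_t i = 1; i < nsym && !idx; i++) {   /* entry 0 is the null symbol */
        uint32_t off = sym[i].st_name;
        /* st_name comes from the file: reject offsets that run off the table */
        if (off >= strsz || !memchr(str + off, 0, strsz - off)) continue;
        if (strcmp(str + off, name) == 0) idx = i;
    }
    if (!idx) return 0;
    for (size_t i = 0; i < nrel; i++)
        if (R_TYPE(rel[i].r_info) == R_ARM_JUMP_SLOT && R_SYM(rel[i].r_info) == idx)
            return rel[i].r_offset;
    return 0;   /* symbol exists but is not called through the PLT */
}

/* Constructed sample tables (not taken from a real library). */
static const char DYNSTR[] = "\0open\0dlopen\0system";   /* offsets 1, 6, 13 */
static const Sym32 DYNSYM[] = { { .st_name = 0 }, { .st_name = 1 }, { .st_name = 6 },
                                { .st_name = 13 }, { .st_name = 999 } };
static const Rel32 RELPLT[] = {
    { 0x3fe0, (3u << 8) | R_ARM_JUMP_SLOT },   /* system */
    { 0x3fe4, (1u << 8) | R_ARM_JUMP_SLOT },   /* open   */
};

uint32_t demo_lookup(const char *name)
{
    return got_slot_for(name, DYNSYM, sizeof DYNSYM / sizeof *DYNSYM,
                        DYNSTR, sizeof DYNSTR, RELPLT, sizeof RELPLT / sizeof *RELPLT);
}

int main(void)
{
    const char *names[] = { "open", "system", "dlopen", "pen" };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s -> 0x%x\n", names[i], (unsigned)demo_lookup(names[i]));
    return 0;
}
```

For a loaded shared library, the slot's runtime address is the library's load base plus the returned `r_offset`.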
