深入源码分析non-sdk并绕过Android 9.0反射限制

Android 9.0终于来了,non-sdk或许是我们最大的适配点。本文将分析non-sdk的原理以及如何绕过它继续反射调用系统私有API。

 

先看一段简单的反射代码:

            Class activityThreadClass = Class.forName("android.app.ActivityThread");
            Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");

运行这段代码便会出现""Accessing hidden ....."警告。

 

先看一下getDeclaredMethod()实现:

    public Method getDeclaredMethod(String name, Class... parameterTypes)
        throws NoSuchMethodException, SecurityException {
        return getMethod(name, parameterTypes, false);
    }

接下来看下getMethod()函数:

    private Method getMethod(String name, Class[] parameterTypes, boolean recursivePublicMethods)
            throws NoSuchMethodException {
        if (name == null) {
            throw new NullPointerException("name == null");
        }
        if (parameterTypes == null) {
            parameterTypes = EmptyArray.CLASS;
        }
        for (Class c : parameterTypes) {
            if (c == null) {
                throw new NoSuchMethodException("parameter type is null");
            }
        }
        Method result = recursivePublicMethods ? getPublicMethodRecursive(name, parameterTypes)
                                               : getDeclaredMethodInternal(name, parameterTypes);
        // Fail if we didn't find the method or it was expected to be public.
        if (result == null ||
            (recursivePublicMethods && !Modifier.isPublic(result.getAccessFlags()))) {
            throw new NoSuchMethodException(name + " " + Arrays.toString(parameterTypes));
        }
        return result;
    }

因为它的参数固定为recursivePublicMethods为false,所以最后会调用getDeclaredMethodInternal(),而这是一个natie函数,定义如下。

    /**
     * Returns the method if it is defined by this class; {@code null} otherwise. This may return a
     * non-public member.
     *
     * @param name the method name
     * @param args the method's parameter types
     */
    @FastNative
    private native Method getDeclaredMethodInternal(String name, Class[] args);

 

getDeclaredMethodInternal()的native实现在art/runtime/native/java_lang_Class.cc中,为了看得更直观的,我们来看一下9.0和8.1相比做了哪些修改。下图中左边是9.0,右边是8.1:

深入源码分析non-sdk并绕过Android 9.0反射限制_第1张图片

一下就看出来了,9.1的代码在反射时候会增加一个ShouldBlockAccessToMember()判断,如果返回true,那么你在getDeclaredMethod()时候就会得到null。

 

顺着往下看ShouldBlockAccessToMember()是怎么判断的:

// Returns true if the first non-ClassClass caller up the stack should not be
// allowed access to `member`.
template
ALWAYS_INLINE static bool ShouldBlockAccessToMember(T* member, Thread* self)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  hiddenapi::Action action = hiddenapi::GetMemberAction(
      member, self, IsCallerTrusted, hiddenapi::kReflection);
  if (action != hiddenapi::kAllow) {
    hiddenapi::NotifyHiddenApiListener(member);
  }

  return action == hiddenapi::kDeny;
}

它会调用hiddenapi::GetMemberAction(),如果返回hiddenapi::kDeny,则会block反射调用。

hiddenapi主要会涉及到art/runtime/hidden_api.h和art/runtime/hidden_api.cc两个文件。

 

继续往下看GetMemberAction()的实现: 

template inline Action GetMemberAction(T* member,Thread* self,std::function fn_caller_is_trusted,AccessMethod access_method)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  DCHECK(member != nullptr);

  HiddenApiAccessFlags::ApiList api_list = member->GetHiddenApiAccessFlags();

  Action action = GetActionFromAccessFlags(member->GetHiddenApiAccessFlags());
  if (action == kAllow) {
    // Nothing to do.
    return action;
  }

  if (fn_caller_is_trusted(self)) {
    // Caller is trusted. Exit.
    return kAllow;
  }

  return detail::GetMemberActionImpl(member, api_list, action, access_method);
}

这个函数会先通过GetHiddenApiAccessFlags()获取到API的hidden访问级别,再根据它用GetActionFromAccessFlags()来拿到对应的Action。

如果Action为kAllow,则不做任何处理。

如果Action不为kAllow再通过fn_caller_is_trusted看当前是否是系统调用的,如果是系统调用则返回kAllow。

如果Action不为kAllow且不是系统调用则继续通过GetMemberActionImpl()做进一步判断,看是否需要block。

(by the way,如果我们要绕过反射限制,就可以在这个函数中做处理,后面会讲到)

 

GetHiddenApiAccessFlags()的实现在runtime/art_method-inl.h中:

inline HiddenApiAccessFlags::ApiList ArtMethod::GetHiddenApiAccessFlags()
    REQUIRES_SHARED(Locks::mutator_lock_) {
  if (UNLIKELY(IsIntrinsic())) {
    switch (static_cast(GetIntrinsic())) {
      case Intrinsics::kSystemArrayCopyChar:
      case Intrinsics::kStringGetCharsNoCheck:
      case Intrinsics::kReferenceGetReferent:
        // These intrinsics are on the light greylist and will fail a DCHECK in
        // SetIntrinsic() if their flags change on the respective dex methods.
        // Note that the DCHECK currently won't fail if the dex methods are
        // whitelisted, e.g. in the core image (b/77733081). As a result, we
        // might print warnings but we won't change the semantics.
        return HiddenApiAccessFlags::kLightGreylist;
      case Intrinsics::kVarHandleFullFence:
      case Intrinsics::kVarHandleAcquireFence:
      case Intrinsics::kVarHandleReleaseFence:
      case Intrinsics::kVarHandleLoadLoadFence:
      case Intrinsics::kVarHandleStoreStoreFence:
      case Intrinsics::kVarHandleCompareAndExchange:
      case Intrinsics::kVarHandleCompareAndExchangeAcquire:
      case Intrinsics::kVarHandleCompareAndExchangeRelease:
      case Intrinsics::kVarHandleCompareAndSet:
      case Intrinsics::kVarHandleGet:
      case Intrinsics::kVarHandleGetAcquire:
      case Intrinsics::kVarHandleGetAndAdd:
      case Intrinsics::kVarHandleGetAndAddAcquire:
      case Intrinsics::kVarHandleGetAndAddRelease:
      case Intrinsics::kVarHandleGetAndBitwiseAnd:
      case Intrinsics::kVarHandleGetAndBitwiseAndAcquire:
      case Intrinsics::kVarHandleGetAndBitwiseAndRelease:
      case Intrinsics::kVarHandleGetAndBitwiseOr:
      case Intrinsics::kVarHandleGetAndBitwiseOrAcquire:
      case Intrinsics::kVarHandleGetAndBitwiseOrRelease:
      case Intrinsics::kVarHandleGetAndBitwiseXor:
      case Intrinsics::kVarHandleGetAndBitwiseXorAcquire:
      case Intrinsics::kVarHandleGetAndBitwiseXorRelease:
      case Intrinsics::kVarHandleGetAndSet:
      case Intrinsics::kVarHandleGetAndSetAcquire:
      case Intrinsics::kVarHandleGetAndSetRelease:
      case Intrinsics::kVarHandleGetOpaque:
      case Intrinsics::kVarHandleGetVolatile:
      case Intrinsics::kVarHandleSet:
      case Intrinsics::kVarHandleSetOpaque:
      case Intrinsics::kVarHandleSetRelease:
      case Intrinsics::kVarHandleSetVolatile:
      case Intrinsics::kVarHandleWeakCompareAndSet:
      case Intrinsics::kVarHandleWeakCompareAndSetAcquire:
      case Intrinsics::kVarHandleWeakCompareAndSetPlain:
      case Intrinsics::kVarHandleWeakCompareAndSetRelease:
        // These intrinsics are on the blacklist and will fail a DCHECK in
        // SetIntrinsic() if their flags change on the respective dex methods.
        // Note that the DCHECK currently won't fail if the dex methods are
        // whitelisted, e.g. in the core image (b/77733081). Given that they are
        // exclusively VarHandle intrinsics, they should not be used outside
        // tests that do not enable hidden API checks.
        return HiddenApiAccessFlags::kBlacklist;
      default:
        // Remaining intrinsics are public API. We DCHECK that in SetIntrinsic().
        return HiddenApiAccessFlags::kWhitelist;
    }
  } else {
    return HiddenApiAccessFlags::DecodeFromRuntime(GetAccessFlags());
  }
}

就是简单的获取函数flag,我们可以简单的认为一个函数的flag是固定的。

这个函数的返回值ApiList其实也是一个int值,具体的定位在at/libdexfile/dex/hidden_api_access_flags.h中:

  enum ApiList {
    kWhitelist = 0,
    kLightGreylist,
    kDarkGreylist,
    kBlacklist,
  };

和这个ApiList对应的Action定义在hidden_api.h中:

enum Action {
  kAllow,
  kAllowButWarn,
  kAllowButWarnAndToast,
  kDeny
};

我们先来看看GetActionFromAccessFlags()是如何根据ApiList得到Action的:

inline Action GetActionFromAccessFlags(HiddenApiAccessFlags::ApiList api_list) {
  if (api_list == HiddenApiAccessFlags::kWhitelist) {
    return kAllow;
  }

  EnforcementPolicy policy = Runtime::Current()->GetHiddenApiEnforcementPolicy();
  if (policy == EnforcementPolicy::kNoChecks) {
    // Exit early. Nothing to enforce.
    return kAllow;
  }

  // if policy is "just warn", always warn. We returned above for whitelist APIs.
  if (policy == EnforcementPolicy::kJustWarn) {
    return kAllowButWarn;
  }
  DCHECK(policy >= EnforcementPolicy::kDarkGreyAndBlackList);
  // The logic below relies on equality of values in the enums EnforcementPolicy and
  // HiddenApiAccessFlags::ApiList, and their ordering. Assertions are in hidden_api.cc.
  if (static_cast(policy) > static_cast(api_list)) {
    return api_list == HiddenApiAccessFlags::kDarkGreylist
        ? kAllowButWarnAndToast
        : kAllowButWarn;
  } else {
    return kDeny;
  }
}

如果ApiList为kWhitelist,或者GetHiddenApiEnforcementPolicy()返回的策略为kNoChecks,则不做任何处理。

这里涉及到了EnforcementPolicy,我们看看它的定义:

enum class EnforcementPolicy {
  kNoChecks             = 0,
  kJustWarn             = 1,  // keep checks enabled, but allow everything (enables logging)
  kDarkGreyAndBlackList = 2,  // ban dark grey & blacklist
  kBlacklistOnly        = 3,  // ban blacklist violations only
  kMax = kBlacklistOnly,
};

kNoChecks:允许调用所有API,不做任何检测

kJustWarn:允许调用所有API,但是对于私有API的调用会打印警告log

kDarkGreyAndBlackList:会阻止调用dark grey或black list中的API

kBlacklistOnly:会阻止调用black list中的API
 

到这里我们也就明白了ApiList,Action,EnforcementPolicy这三者的关系。

Google其实是通过EnforcementPolicy的配置,将ApiList转成Action。脑海里突然想到了我们天天说的要将业务和实现分离,这就是例子....

 

下面将GetActionFromAccessFlags()的处理逻辑整理成一个表格,不想看看代码的看这个表格就可以了:

  ApiList
kWhitelist kLightGreylist kDarkGreylist kBlacklist
EnforcementPolicy kNoChecks kAllow kAllow kAllow kAllow
kJustWarn kAllow kAllowButWarn kAllowButWarn kAllowButWarn
kDarkGreyAndBlackList kAllow kAllowButWarn kDeny kDeny
kBlacklistOnly kAllow kAllowButWarn kAllowButWarnAndToast kDeny

 

 

 

接下来再看下GetMemberActionImpl()函数会做哪些判断:

template
Action GetMemberActionImpl(T* member,
                           HiddenApiAccessFlags::ApiList api_list,
                           Action action,
                           AccessMethod access_method) {
  DCHECK_NE(action, kAllow);

  // Get the signature, we need it later.
  MemberSignature member_signature(member);

  Runtime* runtime = Runtime::Current();

  // Check for an exemption first. Exempted APIs are treated as white list.
  // We only do this if we're about to deny, or if the app is debuggable. This is because:
  // - we only print a warning for light greylist violations for debuggable apps
  // - for non-debuggable apps, there is no distinction between light grey & whitelisted APIs.
  // - we want to avoid the overhead of checking for exemptions for light greylisted APIs whenever
  //   possible.
  const bool shouldWarn = kLogAllAccesses || runtime->IsJavaDebuggable();
  if (shouldWarn || action == kDeny) {
    if (member_signature.IsExempted(runtime->GetHiddenApiExemptions())) {
      action = kAllow;
      // Avoid re-examining the exemption list next time.
      // Note this results in no warning for the member, which seems like what one would expect.
      // Exemptions effectively adds new members to the whitelist.
      MaybeWhitelistMember(runtime, member);
      return kAllow;
    }

    if (access_method != kNone) {
      // Print a log message with information about this class member access.
      // We do this if we're about to block access, or the app is debuggable.
      member_signature.WarnAboutAccess(access_method, api_list);
    }
  }

  if (kIsTargetBuild) {
    uint32_t eventLogSampleRate = runtime->GetHiddenApiEventLogSampleRate();
    // Assert that RAND_MAX is big enough, to ensure sampling below works as expected.
    static_assert(RAND_MAX >= 0xffff, "RAND_MAX too small");
    if (eventLogSampleRate != 0 &&
        (static_cast(std::rand()) & 0xffff) < eventLogSampleRate) {
      member_signature.LogAccessToEventLog(access_method, action);
    }
  }

  if (action == kDeny) {
    // Block access
    return action;
  }

  // Allow access to this member but print a warning.
  DCHECK(action == kAllowButWarn || action == kAllowButWarnAndToast);

  if (access_method != kNone) {
    // Depending on a runtime flag, we might move the member into whitelist and
    // skip the warning the next time the member is accessed.
    MaybeWhitelistMember(runtime, member);

    // If this action requires a UI warning, set the appropriate flag.
    if (shouldWarn &&
        (action == kAllowButWarnAndToast || runtime->ShouldAlwaysSetHiddenApiWarningFlag())) {
      runtime->SetPendingHiddenApiWarning(true);
    }
  }

  return action;
}

 

kLogAllAccesses表示是否强制打印警告,默认值为false。

IsJavaDebuggable()则是看我们的App是release版本还是debug版本。
当app为debug版本或者action为kDeny时,这时还会调用IsExempted()来看这个函数是否真的需要处理。如果函数在豁免名单中,则不会处理,返回kAllow。并且调用MaybeWhitelistMember()将这个API的flag修改为kWhitelist。

MaybeWhitelistMember()实现:

template
static ALWAYS_INLINE void MaybeWhitelistMember(Runtime* runtime, T* member)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  if (CanUpdateMemberAccessFlags(member) && runtime->ShouldDedupeHiddenApiWarnings()) {
    member->SetAccessFlags(HiddenApiAccessFlags::EncodeForRuntime(
        member->GetAccessFlags(), HiddenApiAccessFlags::kWhitelist));
  }
}

所以现在我们知道了其实系统是有2个列表的,一个列表是系统中自带的list,另外一个是进程启动时,设置的豁免列表。

 

接着上面继续分析,如果不在豁免名单里面,并且这个函数访问模式不是kNone,则会打印警告Log.

hidden_api.h中定义了几种访问模式:

enum AccessMethod {
  kNone,  // internal test that does not correspond to an actual access by app
  kReflection,
  kJNI,
  kLinking,
};

下面讲一下这几种模式分别在什么情况下使用:

1.kNone是一种测试模式,这种模式下不会打印任何log。比如linker中检测某个函数是否存在,则会用这种模式。

下面是class_linker.cc中的代码:

// Returns true if `method` is either null or hidden.
// Does not print any warnings if it is hidden.
static bool CheckNoSuchMethod(ArtMethod* method,
                              ObjPtr dex_cache,
                              ObjPtr class_loader)
      REQUIRES_SHARED(Locks::mutator_lock_) {
  return method == nullptr ||
         hiddenapi::GetMemberAction(method,
                                    class_loader,
                                    dex_cache,
                                    hiddenapi::kNone)  // do not print warnings
             == hiddenapi::kDeny;
}

 

2.kReflection如其名字,java层反射调用API时使用的。

下面是java_lang_Class.cc中的代码:

static jobject Class_getDeclaredMethodInternal(JNIEnv* env, jobject javaThis,
                                               jstring name, jobjectArray args) {

.................
  if (result == nullptr || ShouldBlockAccessToMember(result->GetArtMethod(), soa.Self())) {
    return nullptr;
  }
  return soa.AddLocalReference(result.Get());
}



template
ALWAYS_INLINE static bool ShouldBlockAccessToMember(T* member, Thread* self)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  hiddenapi::Action action = hiddenapi::GetMemberAction(
      member, self, IsCallerTrusted, hiddenapi::kReflection);
  if (action != hiddenapi::kAllow) {
    hiddenapi::NotifyHiddenApiListener(member);
  }
  return action == hiddenapi::kDeny;
}

3.kJNI则是在JNI层通过FindMethodID()/FindFieldID()调用函数时使用的。

下面是jni_internal.cc中的代码:

static jmethodID FindMethodID(ScopedObjectAccess& soa, jclass jni_class,
                              const char* name, const char* sig, bool is_static)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  .............
  if (method != nullptr && ShouldBlockAccessToMember(method, soa.Self())) {
    method = nullptr;
  }
  if (method == nullptr || method->IsStatic() != is_static) {
    ThrowNoSuchMethodError(soa, c, name, sig, is_static ? "static" : "non-static");
    return nullptr;
  }
  return jni::EncodeArtMethod(method);
}



template
ALWAYS_INLINE static bool ShouldBlockAccessToMember(T* member, Thread* self)
    REQUIRES_SHARED(Locks::mutator_lock_) {
  hiddenapi::Action action = hiddenapi::GetMemberAction(
      member, self, IsCallerTrusted, hiddenapi::kJNI);
  if (action != hiddenapi::kAllow) {
    hiddenapi::NotifyHiddenApiListener(member);
  }

  return action == hiddenapi::kDeny;
}

4.kLinking是在linker调用FindResolvedMethod()/FindResolvedField()时使用,针对动态链接的方式。

下面是jni_internal.cc中的代码:

ArtMethod* ClassLinker::FindResolvedMethod(ObjPtr klass,
                                           ObjPtr dex_cache,
                                           ObjPtr class_loader,
                                           uint32_t method_idx) {
........
  if (resolved != nullptr &&
      hiddenapi::GetMemberAction(
          resolved, class_loader, dex_cache, hiddenapi::kLinking) == hiddenapi::kDeny) {
    resolved = nullptr;
  }
  .....
  return resolved;
}

 

 

到现在GetMemberActionImpl()主要代码分析完了,剩下最后提示的部分:

emplate
Action GetMemberActionImpl(T* member,
                           HiddenApiAccessFlags::ApiList api_list,
                           Action action,
                           AccessMethod access_method) {
  ...................

  if (action == kDeny) {
    // Block access
    return action;
  }

  // Allow access to this member but print a warning.
  DCHECK(action == kAllowButWarn || action == kAllowButWarnAndToast);

  if (access_method != kNone) {
    // Depending on a runtime flag, we might move the member into whitelist and
    // skip the warning the next time the member is accessed.
    MaybeWhitelistMember(runtime, member);

    // If this action requires a UI warning, set the appropriate flag.
    if (shouldWarn &&
        (action == kAllowButWarnAndToast || runtime->ShouldAlwaysSetHiddenApiWarningFlag())) {
      runtime->SetPendingHiddenApiWarning(true);
    }
  }

  return action;
}

如果action为kDeny,则直接返回,不是就会看是否需要弹出对话框等UI上的提示。

 

下面是打印警告Log的代码:

void MemberSignature::WarnAboutAccess(AccessMethod access_method,
                                      HiddenApiAccessFlags::ApiList list) {
  LOG(WARNING) << "Accessing hidden " << (type_ == kField ? "field " : "method ")
               << Dumpable(*this) << " (" << list << ", " << access_method << ")";
}

 

分析到此暂告一段落。总结一下:

1.对我们APP开发者来说,有3种做法会处触发API检查:a.java层反射;  b.jni调用; c.provided方式的动态链接 

整理如下:

类型 触发non-sdk检查的函数
hiddenapi::kJNI(Jni调用java Api) FindMethodID()
FindFieldID()
hiddenapi::kLinking(Linker动态链接) FindResolvedMethod()
ResolveMethodWithoutInvokeType()
FindResolvedField()
FindResolvedFieldJLS()
hiddenapi::kReflection(java反射) Class_getPublicFieldRecursive()
Class_getDeclaredField()
Class_getDeclaredConstructorInternal()
Class_getDeclaredMethodInternal()
Class_newInstance()

 

2.API的检查结果都是由hidden_api.h中的GetMemberAction()返回的

 

3.ApiList,Action,EnforcementPolicy关系整理如下:

  ApiList
kWhitelist kLightGreylist kDarkGreylist kBlacklist
EnforcementPolicy kNoChecks kAllow kAllow kAllow kAllow
kJustWarn kAllow kAllowButWarn kAllowButWarn kAllowButWarn
kDarkGreyAndBlackList kAllow kAllowButWarn kDeny kDeny
kBlacklistOnly kAllow kAllowButWarn kAllowButWarnAndToast kDeny

 

4.如果Runtime::Current()->GetHiddenApiEnforcementPolicy()的返回值为kNoChecks,也就是0,则允许访问,并且这个函数并不是inline,就可以被我们比较容易的hook并修改返回值。

 

5.对于私有API调用,还会调用GetMemberActionImpl()进一步处理,如果Action为kDeny,还会看通过IsExempted()来看是否在豁免名单中,如果在,则会返回kAllow,并修改该API为kWhitelist。

 

 

接下来我们通过Hook GetHiddenApiEnforcementPolicy()来绕过non-sdk API检查。

休息一会再回来接着写.......

 

 

 

你可能感兴趣的:(Android)