android内核集成Frida,ubuntu 20.04系统AOSP(Android 11)集成Frida

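// JNI entry point: forks a child through ForkCommon and, in the child
// (pid == 0), specializes it through SpecializeCommon. On x86 / x86_64 builds
// the child then tries to dlopen the Frida gadget named by FRIDA_LIB.
//
// Returns the pid produced by ForkCommon (0 in the child).
//
// NOTE(review): on x86 / x86_64 builds this loads an instrumentation library
// into every process forked through this function. Keep the change confined to
// research / debug system images; it should not be part of a production image.
static jint com_android_internal_os_Zygote_nativeForkAndSpecialize(
        JNIEnv* env, jclass, jint uid, jint gid, jintArray gids,
        jint runtime_flags, jobjectArray rlimits,
        jint mount_external, jstring se_info, jstring nice_name,
        jintArray managed_fds_to_close, jintArray managed_fds_to_ignore, jboolean is_child_zygote,
        jstring instruction_set, jstring app_data_dir, jboolean is_top_app,
        jobjectArray pkg_data_info_list, jobjectArray whitelisted_data_info_list,
        jboolean mount_data_dirs, jboolean mount_storage_dirs) {
    jlong capabilities = CalculateCapabilities(env, uid, gid, gids, is_child_zygote);

    if (UNLIKELY(managed_fds_to_close == nullptr)) {
        ZygoteFailure(env, "zygote", nice_name, "Zygote received a null fds_to_close vector.");
    }

    // The element type is spelled out: a bare `std::vector()` has nothing to
    // deduce from, and every value stored below is an int file descriptor.
    std::vector<int> fds_to_close =
            ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_close).value();
    std::vector<int> fds_to_ignore =
            ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_ignore)
                    .value_or(std::vector<int>());

    std::vector<int> usap_pipes = MakeUsapPipeReadFDVector();

    fds_to_close.insert(fds_to_close.end(), usap_pipes.begin(), usap_pipes.end());
    fds_to_ignore.insert(fds_to_ignore.end(), usap_pipes.begin(), usap_pipes.end());

    fds_to_close.push_back(gUsapPoolSocketFD);

    if (gUsapPoolEventFD != -1) {
        fds_to_close.push_back(gUsapPoolEventFD);
        fds_to_ignore.push_back(gUsapPoolEventFD);
    }

    if (gSystemServerSocketFd != -1) {
        fds_to_close.push_back(gSystemServerSocketFd);
        fds_to_ignore.push_back(gSystemServerSocketFd);
    }

    pid_t pid = ForkCommon(env, false, fds_to_close, fds_to_ignore, true);

    if (pid == 0) {
        SpecializeCommon(env, uid, gid, gids, runtime_flags, rlimits,
                         capabilities, capabilities,
                         mount_external, se_info, nice_name, false,
                         is_child_zygote == JNI_TRUE, instruction_set, app_data_dir,
                         is_top_app == JNI_TRUE, pkg_data_info_list,
                         whitelisted_data_info_list,
                         mount_data_dirs == JNI_TRUE,
                         mount_storage_dirs == JNI_TRUE);

        /*
         * Load the Frida gadget once SpecializeCommon has returned, i.e. after
         * the VM / framework set-up for this child has completed.
         * Requires the dynamic-loader header: #include <dlfcn.h>
         */
#if defined(__x86_64__) || defined(__i386__)
        {
#if defined(__x86_64__)
#define FRIDA_LIB "/system/lib64/libfrida-gadget-14.2.2-android-x86_64.so"
#else
#define FRIDA_LIB "/system/lib/libfrida-gadget-14.2.2-android-x86.so"
#endif
            // nice_name is only used for the log line; guard against a null
            // jstring and against GetStringUTFChars failing, so that logging
            // can never be the reason the child crashes.
            const char* name =
                    (nice_name != nullptr) ? env->GetStringUTFChars(nice_name, nullptr) : nullptr;
            const char* label = (name != nullptr) ? name : "unknown";

            dlerror();  // clear any stale loader error before the attempt
            void* frida = dlopen(FRIDA_LIB, RTLD_NOW);
            if (frida == nullptr) {
                // dlopen reports failures through dlerror(), not errno.
                const char* reason = dlerror();
                ALOGE("(%s) load frida-gadget(%s) failed, err= %s\n", label, FRIDA_LIB,
                      (reason != nullptr) ? reason : "unknown");
            } else {
                // The handle is intentionally not closed: the gadget has to
                // stay mapped for the lifetime of the process.
                ALOGI("(%s) load frida-gadget(%s) success\n", label, FRIDA_LIB);
            }

            if (name != nullptr) {
                env->ReleaseStringUTFChars(nice_name, name);
            }
        }
#endif
    }

    return pid;
}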
