【Android 逆向】ART 脱壳 ( InMemoryDexClassLoader 脱壳 | InMemoryDexClassLoader 类加载器脱壳点总结 )

一、InMemoryDexClassLoader 类加载器脱壳点总结

InMemoryDexClassLoader 类加载器脱壳点总结 : 在下面列举出的函数中 , 都可以获取到内存中 DEX 文件的起始地址 , 可以将 DEX 文件从内存中 dump 下来 ;

1、dalvik_system_DexFile.cc#CreateSingleDexFileCookie

static jobject CreateSingleDexFileCookie(JNIEnv* env, std::unique_ptr data) {
  std::unique_ptr dex_file(CreateDexFile(env, std::move(data)));
  if (dex_file.get() == nullptr) {
    DCHECK(env->ExceptionCheck());
    return nullptr;
  }
  std::vector dex_files;
  dex_files.push_back(std::move(dex_file));
  return ConvertDexFilesToJavaArray(env, nullptr, dex_files);
}

源码地址 : /art/runtime/native/dalvik_system_DexFile.cc#CreateSingleDexFileCookie

2、dalvik_system_DexFile.cc#CreateDexFile

static const DexFile* CreateDexFile(JNIEnv* env, std::unique_ptr dex_mem_map) {
  std::string location = StringPrintf("Anonymous-DexFile@%p-%p",
                                      dex_mem_map->Begin(),
                                      dex_mem_map->End());
  std::string error_message;
  std::unique_ptr dex_file(DexFile::Open(location,
                                                        0,
                                                        std::move(dex_mem_map),
                                                        /* verify */ true,
                                                        /* verify_location */ true,
                                                        &error_message));
  if (dex_file == nullptr) {
    ScopedObjectAccess soa(env);
    ThrowWrappedIOException("%s", error_message.c_str());
    return nullptr;
  }

  if (!dex_file->DisableWrite()) {
    ScopedObjectAccess soa(env);
    ThrowWrappedIOException("Failed to make dex file read-only");
    return nullptr;
  }

  return dex_file.release();
}

源码地址 : /art/runtime/native/dalvik_system_DexFile.cc#CreateDexFile

3、dex_file.cc#DexFile::Open

std::unique_ptr DexFile::Open(const std::string& location,
                                             uint32_t location_checksum,
                                             std::unique_ptr map,
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg) {
  ScopedTrace trace(std::string("Open dex file from mapped-memory ") + location);
  CHECK(map.get() != nullptr);

  if (map->Size() Begin(),
                                                 map->Size(),
                                                 location,
                                                 location_checksum,
                                                 kNoOatDexFile,
                                                 verify,
                                                 verify_checksum,
                                                 error_msg);
  if (dex_file != nullptr) {
    dex_file->mem_map_.reset(map.release());
  }
  return dex_file;
}

源码路径 : /art/runtime/dex_file.cc#182

4、dex_file.cc#DexFile::OpenCommon

std::unique_ptr DexFile::OpenCommon(const uint8_t* base,
                                             size_t size,
                                             const std::string& location,
                                             uint32_t location_checksum,
                                             const OatDexFile* oat_dex_file,
                                             bool verify,
                                             bool verify_checksum,
                                             std::string* error_msg,
                                             VerifyResult* verify_result) {
  if (verify_result != nullptr) {
    *verify_result = VerifyResult::kVerifyNotAttempted;
  }
  std::unique_ptr dex_file(new DexFile(base,
                                                size,
                                                location,
                                                location_checksum,
                                                oat_dex_file));
  if (dex_file == nullptr) {
    *error_msg = StringPrintf("Failed to open dex file '%s' from memory: %s", location.c_str(),
                              error_msg->c_str());
    return nullptr;
  }
  if (!dex_file->Init(error_msg)) {
    dex_file.reset();
    return nullptr;
  }
  if (verify && !DexFileVerifier::Verify(dex_file.get(),
                                         dex_file->Begin(),
                                         dex_file->Size(),
                                         location.c_str(),
                                         verify_checksum,
                                         error_msg)) {
    if (verify_result != nullptr) {
      *verify_result = VerifyResult::kVerifyFailed;
    }
    return nullptr;
  }
  if (verify_result != nullptr) {
    *verify_result = VerifyResult::kVerifySucceeded;
  }
  return dex_file;
}

源码地址 : /art/runtime/dex_file.cc#OpenCommon

5、dex_file.cc#DexFile::DexFile

DexFile::DexFile(const uint8_t* base,
                 size_t size,
                 const std::string& location,
                 uint32_t location_checksum,
                 const OatDexFile* oat_dex_file)
    : begin_(base),
      size_(size),
      location_(location),
      location_checksum_(location_checksum),
      header_(reinterpret_cast(base)),
      string_ids_(reinterpret_cast(base + header_->string_ids_off_)),
      type_ids_(reinterpret_cast(base + header_->type_ids_off_)),
      field_ids_(reinterpret_cast(base + header_->field_ids_off_)),
      method_ids_(reinterpret_cast(base + header_->method_ids_off_)),
      proto_ids_(reinterpret_cast(base + header_->proto_ids_off_)),
      class_defs_(reinterpret_cast(base + header_->class_defs_off_)),
      method_handles_(nullptr),
      num_method_handles_(0),
      call_site_ids_(nullptr),
      num_call_site_ids_(0),
      oat_dex_file_(oat_dex_file) {
  CHECK(begin_ != nullptr)