add dlopen bypass

README.md

@@ -34,9 +34,49 @@ allprojects {
 ```
 ## Usage
 
+### Java
+
 Just include the library as explained in the Integration chapter.
 The BypassProvider will automatically unseal your process and allow you to access hidden api.
 
+### C/C++
+
+The native restriction bypass will be installed automatically via the Content Provider and will give
+you the power to load any system library.
+
+No header or linked library is needed, just follow this example:
+
+```c
+void *(*_dlopen)(void *, const char *__filename, int __flag) = nullptr; // will be used to store the function to the new dlopen function
+
+void test(JNIEnv *env) {
+    // place address of the new dlopen function
+    _dlopen = (void *(*)(void *, const char *__filename, int __flag)) env->functions->FatalError;
+
+#if __x86_64__ || __aarch64__
+    void *val = _dlopen((void *) &dlopen, "/system/lib64/libssl.so",
+                        RTLD_LAZY);
+#else
+    void *val = _dlopen((void *) &dlopen, "/system/lib/libssl.so",
+                        RTLD_LAZY);
+#endif
+    if (val != nullptr) {
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass test successful! have fun!");
+    } else {
+
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass test NOT SUCCESSFUL! Please provide logs!");
+    }
+}
+
+```
+
+This bypass replaces the env->functions->FatalError function with instructions telling to jump to the original dlopen function. This let the VM think that
+this call is invoked from libart itself and not from you're library.
+
+If you find any bugs please create an issue in this project and provide logs as well as an coding example!
+
 ## Troubleshooting
 
 Please create a bug report if you find any issues. This chapter will be updated then.

restrictionbypass/CMakeLists.txt

@@ -17,6 +17,7 @@ add_library( # Sets the name of the library.
         SHARED
 
         # Provides a relative path to your source file(s).
+        src/main/cpp/dlopenBypass/DlOpenBypass.cpp
         src/main/cpp/RestrictionBypass.cpp)
 
 

restrictionbypass/src/main/cpp/RestrictionBypass.cpp

@@ -2,6 +2,8 @@
 #include <android/log.h>
 #include <thread>
 #include <future>
+#include <dlfcn.h>
+#include "dlopenBypass/DlOpenBypass.h"
 
 /////////////////// HELPERS
 JavaVM *_vm;
@@ -228,6 +230,36 @@ static int registerNativeMethods(JNIEnv *env, const char *className,
     return JNI_TRUE;
 }
 
+int installDlopenBypass(JNIEnv *env) {
+    if (DlOpenBypass::install(env) != nullptr) {
+        return 1;
+    }
+    return 0;
+}
+
+void *(*_dlopen)(void *, const char *__filename, int __flag) = nullptr;
+
+void test(JNIEnv *env) {
+    // place address of the new dlopen function
+    _dlopen = (void *(*)(void *, const char *__filename, int __flag)) env->functions->FatalError;
+
+#if __x86_64__ || __aarch64__
+    void *val = _dlopen((void *) &dlopen, "/system/lib64/libssl.so",
+                        RTLD_LAZY);
+#else
+    void *val = _dlopen((void *) &dlopen, "/system/lib/libssl.so",
+                        RTLD_LAZY);
+#endif
+    if (val != nullptr) {
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass test successful! have fun!");
+    } else {
+
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass test NOT SUCCESSFUL! Please provide logs!");
+    }
+}
+
 jint JNI_OnLoad(JavaVM *vm, void * /*reserved*/) {
     _vm = vm;
     JNIEnv *env = nullptr;
@@ -242,5 +274,14 @@ jint JNI_OnLoad(JavaVM *vm, void * /*reserved*/) {
         return -1;
     }
 
+    if (installDlopenBypass(env) == 1) {
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass successful.. starting test!");
+    } else {
+        __android_log_print(ANDROID_LOG_INFO, "RestrictionBypass",
+                            "Install dlopen bypass NOT SUCCESSFUL !!");
+    }
+    test(env);
+
     return JNI_VERSION_1_4;
 }

restrictionbypass/src/main/cpp/dlopenBypass/DlOpenBypass.cpp

@@ -0,0 +1,70 @@
+//
+// Created by Sascha Roth on 05.12.19.
+//
+#include "DlOpenBypass.h"
+#include <unistd.h>
+#include <sys/mman.h>
+#include <vector>
+#include <sys/vfs.h>
+
+// extern "C" while debugging
+static void *lokalFakeHook(void *dlopenaddr, const char *__filename, int __flag) {
+    return ((void *(*)(const char *__filename, int __flag)) dlopenaddr)(__filename,
+                                                                        __flag);
+}
+
+extern "C" bool updatePermissions(void *addr, int permissions) {
+    size_t pagesize = (size_t) sysconf(_SC_PAGESIZE);
+    void *lowerBoundary = (void *) ((long long) addr - ((long long) addr % pagesize));
+
+    if (mprotect(lowerBoundary, pagesize, permissions) != 0) {
+        return false;
+    }
+    return true;
+}
+
+void *DlOpenBypass::install(JNIEnv *env) {
+    void *fake_dlopen_addr = (void *) env->functions->FatalError;
+    if (fake_dlopen_addr == nullptr) {
+        // log() << "DlOpenBypass [-] " << "Error while obtaining fatal error";
+        return nullptr;
+    }
+    // log() << "DlOpenBypass [+] " << "sys_dlopen [+] " << "Change permission";
+
+    if (!updatePermissions((void *) &lokalFakeHook, PROT_EXEC | PROT_READ | PROT_WRITE)) {
+        // log() << "DlOpenBypass [-] " << "Error while change permission";
+        return nullptr;
+    }
+    // log() << "DlOpenBypass [+] " << "sys_dlopen [+] " << "Change permission of fake dlopen";
+
+    if (!updatePermissions(fake_dlopen_addr,
+                           PROT_EXEC | PROT_READ | PROT_WRITE)) {
+        // log() << "DlOpenBypass [-] " << "Error while change permission";
+        return nullptr;
+    }
+    // log() << "DlOpenBypass [+] " << "sys_dlopen [+] " << "Copy data";
+#ifdef __x86_64__
+    memcpy((void *) env->functions->FatalError, (void *) &lokalFakeHook,
+           48); // TODO architecture dependend
+#elif __i386__
+    memcpy((void *) env->functions->FatalError, (void *) &lokalFakeHook, 79); // TODO architecture dependend
+#elif __aarch64__
+    memcpy((void *) env->functions->FatalError, (void *) &lokalFakeHook, 144); // TODO architecture dependend
+#elif defined(__ARM_ARCH_5TE__) || defined(__ARM_ARCH_7A__)
+    memcpy((void *) env->functions->FatalError, (void *) &lokalFakeHook, 79); // TODO architecture dependend
+#else
+#error "UNSUPPORTED ARCHITECTURE"
+#endif
+    // log() << "DlOpenBypass [+] " << "sys_dlopen [+] " << "Exec fake_dlopen "
+    //      << fake_dlopen_addr;
+
+//    void *val = ((void *(*)(void *, const char *__filename, int __flag)) fake_dlopen_addr)(
+//            (void *) &dlopen,
+//            libName,
+//            RTLD_LAZY);
+//    // log() << "DlOpenBypass [+] " << "sys_dlopen [+] " << "fake dlopen returned <" << val << ">";
+//    if (val == nullptr) {
+//        // log() << "Error while call dlopen <" << dlerror() << ">";
+//    }
+    return fake_dlopen_addr;
+}

restrictionbypass/src/main/cpp/dlopenBypass/DlOpenBypass.h

@@ -0,0 +1,26 @@
+//
+// Created by Sascha Roth on 05.12.19.
+//
+
+#pragma once
+
+
+#include <jni.h>
+#include <string>
+
+/**
+ * On latest Android versions dlopen of system libraries is forbidden.
+ *
+ * This module bypasses this by using ChickenHook and jni.
+ * See also: [bypass classname]
+ *
+ *
+ */
+class DlOpenBypass {
+public:
+
+    static void * install(JNIEnv *env);
+private:
+
+
+};