一、概述

通过dlopen、dlsym获取共享库函数地址、全局变量是一种经常使用到的编程技巧，尤其是在Hook框架中。然而无论是dlsym还是一些常用框架（如Nougat_dlfunctions），都只能搜索**.dynsym段，而无法搜索.symtab**段。因此实现.symtab段搜索是一个亟待解决的问题。

本文将介绍在Nougat_dlfunctions框架基础上，如何实现搜索.symtab段的功能。（如果对FastHook不了解，请查阅FastHook——一种高效稳定、简洁易用的Android Hook框架） 项目地址：Enhanced_dlfunctions

二、Enhanced dlfunctions实现

ELF文件实际是个表结构，以段为单位，每个段存储不同的信息，段与段之间以索引来关联形成一个表。所以只要有一个头，就可以通过这些关系访问所有的段，这个头便是ELF文件头。下面我们来看看需要获取那些信息：

1. ELF文件头：存储所有段头部的信息，段头部是描述段信息的元数据，可以通过段头部来获取段信息。
2. .shstrtab段。存储所有的段的段名。通过ELF文件头，可以实现段的遍历，而无法识别具体的段（不同段类型可以相同），因此需要用段名来确定段。
3. .dynsym段：动态符号表，存储与动态链接相关的导入导出符号,不包括模块内部的符号。Nougat_dlfunctions只查询这个段，因此会漏掉很多符号。
4. .dynstr段：存储.dynsym段符号对应的符号名。
5. .symtab段：符号表。存储在程序中被定义和引用的函数和全局变量的信息。
6. .strtab段：存储.symtab段符号对应的符号名。
7. .comment段：程序相关信息，用与定位符号地址。

2.1 enhanced_dlopen

void *enhanced_dlopen(const char *libpath, int flags) {FILE *maps;char buff[256];struct ctx *ctx = 0;off_t load_addr, size;int k, fd = -1, found = 0;void *shoff;Elf_Ehdr *elf = (Elf_Ehdr *) MAP_FAILED;#define fatal(fmt, args...) do { log_err(fmt,##args); goto err_exit; } while(0)maps = fopen("/proc/self/maps", "r");if (!maps) fatal("failed to open maps");while (!found && fgets(buff, sizeof(buff), maps))if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;fclose(maps);if (!found) fatal("%s not found in my userspace", libpath);if (sscanf(buff, "%lx", &load_addr) != 1)fatal("failed to read load address for %s", libpath);log_info("%s loaded in Android at 0x%08lx", libpath, load_addr);/* Now, mmap the same library once again */fd = open(libpath, O_RDONLY);if (fd < 0) fatal("failed to open %s", libpath);size = lseek(fd, 0, SEEK_END);if (size <= 0) fatal("lseek() failed for %s", libpath);elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);close(fd);fd = -1;if (elf == MAP_FAILED) fatal("mmap() failed for %s", libpath);ctx = (struct ctx *) calloc(1, sizeof(struct ctx));if (!ctx) fatal("no memory for %s", libpath);ctx->load_addr = (void *) load_addr;shoff = ((void *) elf) + elf->e_shoff;Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);char * shstr = malloc(shstrtab->sh_size);memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {Elf_Shdr *sh = (Elf_Shdr *) shoff;log_dbg("%s: k=%d shdr=%p type=%d", __func__, k, sh, sh->sh_type);switch (sh->sh_type) {case SHT_DYNSYM:if (ctx->dynsym) fatal("%s: duplicate DYNSYM sections", libpath); /* .dynsym */ctx->dynsym = malloc(sh->sh_size);if (!ctx->dynsym) fatal("%s: no memory for .dynsym", libpath);memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));break;case SHT_SYMTAB:if (ctx->symtab) fatal("%s: duplicate SYMTAB sections", libpath); /* .symtab */ctx->symtab = malloc(sh->sh_size);if (!ctx->symtab) fatal("%s: no memory for .symtab", libpath);memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));break;case SHT_STRTAB:if(!strcmp(shstr+sh->sh_name,".dynstr")) {if (ctx->dynstr) break;    /* .dynstr is guaranteed to be the first STRTAB */ctx->dynstr = malloc(sh->sh_size);if (!ctx->dynstr) fatal("%s: no memory for .dynstr", libpath);memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);}else if(!strcmp(shstr+sh->sh_name,".strtab")) {if (ctx->strtab) break;ctx->strtab = malloc(sh->sh_size);if (!ctx->strtab) fatal("%s: no memory for .strtab", libpath);memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);}break;case SHT_PROGBITS:if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;/* won't even bother checking against the section name */ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;break;}}munmap(elf, size);elf = 0;if (!ctx->dynstr || !ctx->dynsym) fatal("dynamic sections not found in %s", libpath);
#undef fatallog_dbg("%s: ok, dynsym = %p, dynstr = %p symtab = %p strtab = %p", libpath, ctx->dynsym, ctx->dynstr, ctx->symtab, ctx->strtab);return ctx;}
复制代码

1. 获取so加载的地址，存储在load_addr

    maps = fopen("/proc/self/maps", "r");while (!found && fgets(buff, sizeof(buff), maps))if (strstr(buff, "r-xp") && strstr(buff, libpath)) found = 1;fclose(maps);if (sscanf(buff, "%lx", &load_addr) != 1)fatal("failed to read load address for %s", libpath);
复制代码

2. 重新映射so，获取ELF文件头

    fd = open(libpath, O_RDONLY);size = lseek(fd, 0, SEEK_END);elf = (Elf_Ehdr *) mmap(0, size, PROT_READ, MAP_SHARED, fd, 0);
复制代码

3. 获取.shstrtab段。

    Elf_Shdr *shstrtab = (Elf_Shdr *)(shoff + elf->e_shstrndx * elf->e_shentsize);char * shstr = malloc(shstrtab->sh_size);memcpy(shstr, ((void *) elf) + shstrtab->sh_offset, shstrtab->sh_size);
复制代码

4.获取.dynsym段、.dynstr段、.symtab段、.strtab段

 for (k = 0; k < elf->e_shnum; k++, shoff += elf->e_shentsize) {Elf_Shdr *sh = (Elf_Shdr *) shoff;switch (sh->sh_type) {case SHT_DYNSYM:ctx->dynsym = malloc(sh->sh_size);memcpy(ctx->dynsym, ((void *) elf) + sh->sh_offset, sh->sh_size);ctx->dynsym_num = (sh->sh_size / sizeof(Elf_Sym));break;case SHT_SYMTAB:ctx->symtab = malloc(sh->sh_size);memcpy(ctx->symtab, ((void *) elf) + sh->sh_offset, sh->sh_size);ctx->symtab_num = (sh->sh_size / sizeof(Elf_Sym));break;case SHT_STRTAB:if(!strcmp(shstr+sh->sh_name,".dynstr")) {ctx->dynstr = malloc(sh->sh_size);memcpy(ctx->dynstr, ((void *) elf) + sh->sh_offset, sh->sh_size);}else if(!strcmp(shstr+sh->sh_name,".strtab")) {ctx->strtab = malloc(sh->sh_size);memcpy(ctx->strtab, ((void *) elf) + sh->sh_offset, sh->sh_size);}break;case SHT_PROGBITS:if (!ctx->dynstr || !ctx->dynsym || ctx->bias) break;ctx->bias = (off_t) sh->sh_addr - (off_t) sh->sh_offset;break;}}
复制代码

2.2 enhanced_dlsym

void *enhanced_dlsym(void *handle, const char *name) {int k;struct ctx *ctx = (struct ctx *) handle;Elf_Sym *dynsym = (Elf_Sym *) ctx->dynsym;Elf_Sym *symtab = (Elf_Sym *) ctx->symtab;char *dynstr = (char *) ctx->dynstr;char *strtab = (char *) ctx->strtab;for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {if (strcmp(dynstr + dynsym->st_name, name) == 0) {void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;log_info("%s found at %p", name, ret);return ret;}}if(symtab) {for (k = 0; k < ctx->symtab_num; k++, symtab++) {sym_tab->st_name,strings + sym_tab->st_name,k);if (strcmp(strtab + symtab->st_name, name) == 0) {void *ret = ctx->load_addr + symtab->st_value - ctx->bias;log_info("%s found at %p", name, ret);return ret;}}}return 0;
}
复制代码

1. 先查询.dynsym段。遍历.dymsym所有符号，查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。

for (k = 0; k < ctx->dynsym_num; k++, dynsym++) {if (strcmp(dynstr + dynsym->st_name, name) == 0) {void *ret = ctx->load_addr + dynsym->st_value - ctx->bias;log_info("%s found at %p", name, ret);return ret;}}
复制代码

2. 如果.dynsym段找不到目标符号且.symtab段存在时，遍历.symtab所有符号，查找符号名与给定字符串一致的符号。用load_addr、bias结合符号偏移来获取实际地址。

for (k = 0; k < ctx->symtab_num; k++, symtab++) {sym_tab->st_name,strings + sym_tab->st_name,k);if (strcmp(strtab + symtab->st_name, name) == 0) {void *ret = ctx->load_addr + symtab->st_value - ctx->bias;log_info("%s found at %p", name, ret);return ret;}}
复制代码

三、结语

Nougat_dlfunctions只支持arm平台，而我在实际工作中也不涉及到x86平台，所以Enhanced dlfunctions暂时只支持arm32和arm64，如果要兼容x86等其他平台也不难，不需要改实现，主要就是elf.h一些结构体的不同。

四、参考

1. FastHook——一种高效稳定、简洁易用的Android Hook框架
2. FastHook——巧妙利用动态代理实现非侵入式AOP
3. FastHook——远超YAHFA的优异稳定性
4. 如何使用FastHook免root hook微信