Hook dex2oat functions to remove LSPosed traces

We use the env LD_PRELOAD to hook the execution of `dex2oat`, which can be directly set to be a file descriptor.
JingMatrix · Jan 5, 2025 · d2bb29e · d2bb29e
1 parent fd25732
commit d2bb29e
Show file tree

Hide file tree

Showing 8 changed files with 158 additions and 14 deletions.
diff --git a/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java b/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java
@@ -51,8 +51,8 @@ public class Dex2OatService implements Runnable {
     private static final String WRAPPER32 = "bin/dex2oat32";
     private static final String WRAPPER64 = "bin/dex2oat64";
 
-    private final String[] dex2oatArray = new String[4];
-    private final FileDescriptor[] fdArray = new FileDescriptor[4];
+    private final String[] dex2oatArray = new String[6];
+    private final FileDescriptor[] fdArray = new FileDescriptor[6];
     private final FileObserver selinuxObserver;
     private int compatibility = DEX2OAT_OK;
 
@@ -76,6 +76,9 @@ public Dex2OatService() {
             openDex2oat(3, "/apex/com.android.art/bin/dex2oatd64");
         }
 
+        openDex2oat(4, "/data/adb/modules/zygisk_lsposed/bin/liboat_hook32.so");
+        openDex2oat(5, "/data/adb/modules/zygisk_lsposed/bin/liboat_hook64.so");
+
         var enforce = Paths.get("/sys/fs/selinux/enforce");
         var policy = Paths.get("/sys/fs/selinux/policy");
         var list = new ArrayList<File>();
@@ -126,7 +129,7 @@ public void stopWatching() {
     }
 
     private boolean notMounted() {
-        for (int i = 0; i < dex2oatArray.length; i++) {
+        for (int i = 0; i < dex2oatArray.length && i < 4; i++) {
             var bin = dex2oatArray[i];
             if (bin == null) continue;
             try {
@@ -193,8 +196,7 @@ public void run() {
                     var fd = new FileDescriptor[]{fdArray[id]};
                     client.setFileDescriptorsForSend(fd);
                     os.write(1);
-                    Log.d(TAG, "Sent stock fd: is64 = " + ((id & 0b10) != 0) +
-                            ", isDebug = " + ((id & 0b01) != 0));
+                    Log.d(TAG, "Sent fd of " + dex2oatArray[id]);
                 }
             }
         } catch (IOException e) {

diff --git a/dex2oat/src/main/cpp/CMakeLists.txt b/dex2oat/src/main/cpp/CMakeLists.txt
@@ -2,8 +2,10 @@ cmake_minimum_required(VERSION 3.10)
 project(dex2oat)
 
 add_executable(dex2oat dex2oat.c)
+add_library(oat_hook SHARED oat_hook.c)
 
 target_link_libraries(dex2oat log)
+target_link_libraries(oat_hook log)
 
 if (DEFINED DEBUG_SYMBOLS_PATH)
     message(STATUS "Debug symbols will be placed at ${DEBUG_SYMBOLS_PATH}")

diff --git a/dex2oat/src/main/cpp/dex2oat.c b/dex2oat/src/main/cpp/dex2oat.c
@@ -21,7 +21,6 @@
 // Created by Nullptr on 2022/4/1.
 //
 
-#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -96,6 +95,7 @@ int main(int argc, char **argv) {
     struct sockaddr_un sock = {};
     sock.sun_family = AF_UNIX;
     strlcpy(sock.sun_path + 1, kSockName, sizeof(sock.sun_path) - 1);
+
     int sock_fd = socket(AF_UNIX, SOCK_STREAM, 0);
     size_t len = sizeof(sa_family_t) + strlen(sock.sun_path + 1) + 1;
     if (connect(sock_fd, (struct sockaddr *)&sock, len)) {
@@ -106,6 +106,17 @@ int main(int argc, char **argv) {
     int stock_fd = recv_fd(sock_fd);
     read_int(sock_fd);
     close(sock_fd);
+
+    sock_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (connect(sock_fd, (struct sockaddr *)&sock, len)) {
+        PLOGE("failed to connect to %s", sock.sun_path + 1);
+        return 1;
+    }
+    write_int(sock_fd, LP_SELECT(4, 5));
+    int hooker_fd = recv_fd(sock_fd);
+    read_int(sock_fd);
+    close(sock_fd);
+
     LOGD("sock: %s %d", sock.sun_path + 1, stock_fd);
 
     const char *new_argv[argc + 2];
@@ -114,16 +125,20 @@ int main(int argc, char **argv) {
     new_argv[argc + 1] = NULL;
 
     if (getenv("LD_LIBRARY_PATH") == NULL) {
-#if defined(__LP64__)
-        char const *libenv =
-            "LD_LIBRARY_PATH=/apex/com.android.art/lib64:/apex/com.android.os.statsd/lib64";
-#else
-        char const *libenv =
-            "LD_LIBRARY_PATH=/apex/com.android.art/lib:/apex/com.android.os.statsd/lib";
-#endif
+        char const *libenv = LP_SELECT(
+            "LD_LIBRARY_PATH=/apex/com.android.art/lib:/apex/com.android.os.statsd/lib",
+            "LD_LIBRARY_PATH=/apex/com.android.art/lib64:/apex/com.android.os.statsd/lib64");
         putenv((char *)libenv);
     }
+
+    // Set LD_PRELOAD to load liboat_hook.so
+    const int STRING_BUFFER = 50;
+    char env_str[STRING_BUFFER];
+    snprintf(env_str, STRING_BUFFER, "LD_PRELOAD=/proc/%d/fd/%d", getpid(), hooker_fd);
+    putenv(env_str);
+
     fexecve(stock_fd, (char **)new_argv, environ);
+
     PLOGE("fexecve failed");
     return 2;
 }
diff --git a/dex2oat/src/main/cpp/logging.h b/dex2oat/src/main/cpp/logging.h
@@ -1,5 +1,6 @@
 #pragma once
 
+#include <errno.h>
 #include <android/log.h>
 
 #ifndef LOG_TAG

diff --git a/dex2oat/src/main/cpp/oat_hook.c b/dex2oat/src/main/cpp/oat_hook.c
@@ -0,0 +1,115 @@
+#include <dlfcn.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "logging.h"
+
+static uint32_t (*OatHeader_GetKeyValueStoreSize)(void*);
+static uint8_t* (*OatHeader_GetKeyValueStore)(void*);
+static bool store_updated = false;
+const char* parameter_to_remove = " --inline-max-code-units=0";
+
+typedef struct {
+    char* key;
+    char* value;
+} KeyValuePair;
+
+void UpdateKeyValueStore(KeyValuePair* key_value, uint8_t* store) {
+    char* data_ptr = (char*)store;
+    while (key_value != NULL && key_value->key != NULL) {
+        strcpy(data_ptr, key_value->key);
+        data_ptr += strlen(key_value->key) + 1;
+        strcpy(data_ptr, key_value->value);
+        data_ptr += strlen(key_value->value) + 1;
+        key_value++;
+    }
+    LOGD("KeyValueStore updated");
+    store_updated = true;
+}
+
+__attribute__((visibility("default"))) uint8_t* _ZNK3art9OatHeader16GetKeyValueStoreEv(
+    void* header) {
+    LOGD("OatHeader::GetKeyValueStore() called on object at %p\n", header);
+    uint8_t* key_value_store_ = OatHeader_GetKeyValueStore(header);
+    uint32_t key_value_store_size_ = OatHeader_GetKeyValueStoreSize(header);
+    const char* ptr = (const char*)(key_value_store_);
+    const char* end = ptr + key_value_store_size_;
+    LOGD("store: %p, size: %d", key_value_store_, key_value_store_size_);
+    KeyValuePair* new_store = NULL;
+    int new_store_count = 0;
+
+    while (ptr < end) {
+        // Scan for a closing zero.
+        const char* key_end = (const char*)(memchr(ptr, '\0', end - ptr));
+        if (!key_end) {
+            LOGE("no key_end scanned");
+            return key_value_store_;
+        }
+        char* key = strndup(ptr, key_end - ptr);
+        const char* value_start = key_end + 1;
+        const char* value_end = (const char*)(memchr(value_start, '\0', end - value_start));
+        if (!value_end) {
+            LOGE("no value_end scanned");
+            return key_value_store_;
+        }
+        char* value = strndup(value_start, value_end - value_start);
+
+        // Clean the value if the key is "dex2oat-cmdline"
+        if (strcmp(key, "dex2oat-cmdline") == 0) {
+            size_t len = strlen(value) - strlen(parameter_to_remove);
+            char* new_value = (char*)malloc(len + 1);
+            strncpy(new_value, value, len);
+            new_value[len] = '\0';
+            free(value);
+            value = new_value;
+        }
+
+        new_store_count++;
+        new_store = (KeyValuePair*)realloc(new_store, sizeof(KeyValuePair) * new_store_count);
+        new_store[new_store_count - 1].key = key;
+        new_store[new_store_count - 1].value = value;
+
+        // Advance over the value.
+        ptr = value_end + 1;
+    }
+    UpdateKeyValueStore(new_store, key_value_store_);
+
+    // Free allocated memory
+    for (int i = 0; i < new_store_count; i++) {
+        free(new_store[i].key);
+        free(new_store[i].value);
+    }
+    free(new_store);
+
+    return key_value_store_;
+}
+
+__attribute__((visibility("default"))) uint32_t
+_ZNK3art9OatHeader20GetKeyValueStoreSizeEv(void* header) {
+    uint32_t size = OatHeader_GetKeyValueStoreSize(header);
+    if (store_updated) {
+        LOGD("OatHeader::GetKeyValueStoreSize() called on object at %p\n", header);
+        size -= strlen(parameter_to_remove);
+    }
+    return size;
+}
+
+__attribute__((constructor)) static void initialize() {
+    if (!OatHeader_GetKeyValueStore) {
+        OatHeader_GetKeyValueStore = dlsym(RTLD_NEXT, "_ZNK3art9OatHeader16GetKeyValueStoreEv");
+        if (!OatHeader_GetKeyValueStore) {
+            LOGE("Error resolving symbol: _ZNK3art9OatHeader16GetKeyValueStoreEv");
+            exit(1);
+        }
+    }
+
+    if (!OatHeader_GetKeyValueStoreSize) {
+        OatHeader_GetKeyValueStoreSize =
+            dlsym(RTLD_NEXT, "_ZNK3art9OatHeader20GetKeyValueStoreSizeEv");
+        if (!OatHeader_GetKeyValueStoreSize) {
+            LOGE("Error resolving symbol: _ZNK3art9OatHeader20GetKeyValueStoreSizeEv");
+            exit(1);
+        }
+    }
+}
diff --git a/magisk-loader/build.gradle.kts b/magisk-loader/build.gradle.kts
@@ -221,6 +221,7 @@ fun afterEval() = android.applicationVariants.forEach { variant ->
         into("bin") {
             from(project(":dex2oat").layout.buildDirectory.dir("intermediates/cmake/$buildTypeLowered/obj")) {
                 include("**/dex2oat")
+                include("**/liboat_hook.so")
             }
         }
         val dexOutPath = if (buildTypeLowered == "release")

diff --git a/magisk-loader/magisk_module/customize.sh b/magisk-loader/magisk_module/customize.sh
@@ -123,19 +123,27 @@ if [ "$API" -ge 29 ]; then
 
   if [ "$ARCH" = "arm" ] || [ "$ARCH" = "arm64" ]; then
     extract "$ZIPFILE" "bin/armeabi-v7a/dex2oat" "$MODPATH/bin" true
+    extract "$ZIPFILE" "bin/armeabi-v7a/liboat_hook.so" "$MODPATH/bin" true
     mv "$MODPATH/bin/dex2oat" "$MODPATH/bin/dex2oat32"
+    mv "$MODPATH/bin/liboat_hook.so" "$MODPATH/bin/liboat_hook32.so"
 
     if [ "$IS64BIT" = true ]; then
       extract "$ZIPFILE" "bin/arm64-v8a/dex2oat" "$MODPATH/bin" true
+      extract "$ZIPFILE" "bin/arm64-v8a/liboat_hook.so" "$MODPATH/bin" true
       mv "$MODPATH/bin/dex2oat" "$MODPATH/bin/dex2oat64"
+      mv "$MODPATH/bin/liboat_hook.so" "$MODPATH/bin/liboat_hook64.so"
     fi
   elif [ "$ARCH" == "x86" ] || [ "$ARCH" == "x64" ]; then
     extract "$ZIPFILE" "bin/x86/dex2oat" "$MODPATH/bin" true
+    extract "$ZIPFILE" "bin/x86/liboat_hook.so" "$MODPATH/bin" true
     mv "$MODPATH/bin/dex2oat" "$MODPATH/bin/dex2oat32"
+    mv "$MODPATH/bin/liboat_hook.so" "$MODPATH/bin/liboat_hook32.so"
 
     if [ "$IS64BIT" = true ]; then
       extract "$ZIPFILE" "bin/x86_64/dex2oat" "$MODPATH/bin" true
+      extract "$ZIPFILE" "bin/x86_64/liboat_hook.so" "$MODPATH/bin" true
       mv "$MODPATH/bin/dex2oat" "$MODPATH/bin/dex2oat64"
+      mv "$MODPATH/bin/liboat_hook.so" "$MODPATH/bin/liboat_hook64.so"
     fi
   fi
 

diff --git a/magisk-loader/magisk_module/sepolicy.rule b/magisk-loader/magisk_module/sepolicy.rule
@@ -3,7 +3,7 @@ allow dex2oat dex2oat_exec file execute_no_trans
 allow shell shell dir write
 
 type xposed_file file_type
-allow {installd isolated_app shell} xposed_file {file dir} *
+allow {dex2oat installd isolated_app shell} xposed_file {file dir} *
 
 type xposed_data file_type
 typeattribute xposed_data mlstrustedobject