Commit f34d6966 by Fear1ess

4/19

parent 39118ec8
......@@ -9,6 +9,7 @@
#include "wd_result.h"
#include "wdun.h"
#include <fcntl.h>
#include <fake_dlfcn.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
......@@ -21,6 +22,7 @@
#include <errno.h>
#include <zlib.h>
#define WD_COLLECT "wd_collect"
......@@ -235,14 +237,8 @@ void collect_mac_addr(JNIEnv *env, cJSON *json) {
return_label2:
(*env)->DeleteLocalRef(env, name_str);
char* mac_addr2 = "";
int fd = WDSYSCALL(SYS_openat, AT_FDCWD, "/sys/class/net/wlan0/address", O_RDONLY, NULL);
if(fd > 0) {
char buf[32] = {0};
if(WDSYSCALL(SYS_read, fd, buf, 32) > 0) {
mac_addr2 = buf;
}
}
char mac_addr2[32] = {0};
read_file("/sys/class/net/wlan0/address", "r", mac_addr2, 31);
cJSON_AddStringToObject(json, "mac_addr2", mac_addr2);
logd(WD_COLLECT, "%s", "collect mac_addr finished...");
......@@ -345,7 +341,162 @@ void collect_proxy_info(JNIEnv *env, cJSON *json) {
}
void collect_camera_info(JNIEnv *env, cJSON *json) {
//todo
cJSON* item_json = cJSON_CreateArray();
//获取CameraManager对象
jobject camera_Str=(*env)->NewStringUTF(env,"camera");
jobject cameraManager_obj=wdCallObjectMethod(env,g_app_context,"getSystemService",
"(Ljava/lang/String;)Ljava/lang/Object;",camera_Str);
jobjectArray cameraIdList_Obj=wdCallObjectMethod(env,cameraManager_obj,"getCameraIdList",
"()[Ljava/lang/String;");
int count=(*env)->GetArrayLength(env,cameraIdList_Obj);
logd(WD_COLLECT, "%d", count);
//cJSON_AddNumberToObject(item_json,"count",count);
//
jobject SCALER_AVAILABLE_MAX_DIGITAL_ZOOM=wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"SCALER_AVAILABLE_MAX_DIGITAL_ZOOM","Landroid/hardware/camera2/CameraCharacteristics$Key;");
jobject SCALER_STREAM_CONFIGURATION_MAP =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"SCALER_STREAM_CONFIGURATION_MAP","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject SENSOR_ORIENTATION =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"SENSOR_ORIENTATION","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject CONTROL_AE_COMPENSATION_RANGE =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"CONTROL_AE_COMPENSATION_RANGE","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject CONTROL_MAX_REGIONS_AE =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"CONTROL_MAX_REGIONS_AE","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject CONTROL_MAX_REGIONS_AF =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"CONTROL_MAX_REGIONS_AF","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject SENSOR_INFO_PHYSICAL_SIZE =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"SENSOR_INFO_PHYSICAL_SIZE","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
jobject SENSOR_INFO_PIXEL_ARRAY_SIZE =wdGetStaticObjectField(env,"android/hardware/camera2/CameraCharacteristics"
,"SENSOR_INFO_PIXEL_ARRAY_SIZE","Landroid/hardware/camera2/CameraCharacteristics$Key;"
);
//循环获取每个摄像头对应的信息
for (int i = 0; i < count ; ++i) {
cJSON* item_json_item = cJSON_CreateObject();
//获取摄像头的序号
jstring cameraId=(*env)->GetObjectArrayElement(env,cameraIdList_Obj,i);
char* camera_str=(*env)->GetStringUTFChars(env,cameraId,0);
// cJSON_AddStringToObject(item_json,"cameraId",camera_str);
logd(WD_COLLECT, "cameraId = %s",camera_str);
cJSON_AddStringToObject(item_json_item,"cameraId",camera_str);
jobject cameraCharacteristics=wdCallObjectMethod(env,cameraManager_obj,
"getCameraCharacteristics",
"(Ljava/lang/String;)Landroid/hardware/camera2/CameraCharacteristics;",cameraId);
//获取最大的Zoom
jobject maxZoom=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",SCALER_AVAILABLE_MAX_DIGITAL_ZOOM);
if(maxZoom!=NULL){
float zoom=wdCallFloatMethod(env,maxZoom,"floatValue","()F");
cJSON_AddNumberToObject(item_json_item,"maxZoom",zoom);
logd(WD_COLLECT,"maxZoom= %lf",zoom);
}
//获取
jobject maxPixel=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",SCALER_STREAM_CONFIGURATION_MAP);
if(maxPixel!=NULL){
int format=256;
jobjectArray outputSizes=wdCallObjectMethod(env,maxPixel,"getOutputSizes"
,"(I)[Landroid/util/Size;",format);
int len=(*env)->GetArrayLength(env,outputSizes);
if(len>0){
jobject obj=(*env)->GetObjectArrayElement(env,outputSizes,0);
int maxPixel_Int=wdCallIntMethod(env,obj,"getWidth","()I")
*wdCallIntMethod(env,obj,"getHeight","()I");
cJSON_AddNumberToObject(item_json_item,"maxPixel",maxPixel_Int);
logd(WD_COLLECT,"maxPixel= %d",maxPixel_Int);
(*env)->DeleteLocalRef(env, obj);
}
(*env)->DeleteLocalRef(env, outputSizes);
}
//获取传感器方向
jobject ori=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",SENSOR_ORIENTATION);
if(ori!=NULL){
int ori_num=wdCallIntMethod(env,ori,"intValue","()I");
cJSON_AddNumberToObject(item_json_item,"ori",ori_num);
logd(WD_COLLECT,"ori= %d",ori_num);
}
//获取补偿范围
jobject aeRange=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",CONTROL_AE_COMPENSATION_RANGE);
if(aeRange!=NULL){
jobject lower=wdCallObjectMethod(env,aeRange,"getLower","()Ljava/lang/Comparable;");
jobject upper=wdCallObjectMethod(env,aeRange,"getUpper","()Ljava/lang/Comparable;");
char temp[0x100]={0};
snprintf(temp,0x100,"%dx%d",wdCallIntMethod(env,lower,"intValue","()I"),
wdCallIntMethod(env,upper,"intValue","()I"));
cJSON_AddStringToObject(item_json_item,"aeRange",temp);
logd(WD_COLLECT,"aeRange= %s",temp);
(*env)->DeleteLocalRef(env, lower);
(*env)->DeleteLocalRef(env, upper);
}
//获取maxAe
jobject maxAe=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",CONTROL_MAX_REGIONS_AE);
if(maxAe!=NULL){
int num=wdCallIntMethod(env,maxAe,"intValue","()I");
cJSON_AddNumberToObject(item_json_item,"maxAe",num);
logd(WD_COLLECT,"maxAe= %d",num);
}
//获取maxAf
jobject maxAf=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",CONTROL_MAX_REGIONS_AF);
if(maxAf!=NULL){
int num=wdCallIntMethod(env,maxAf,"intValue","()I");
cJSON_AddNumberToObject(item_json_item,"maxAf",num);
logd(WD_COLLECT,"maxAf= %d",num);
}
//获取物理尺寸
jobject phy=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",SENSOR_INFO_PHYSICAL_SIZE);
if (phy != NULL) {
jstring str_jstring = wdCallObjectMethod(env,phy,"toString","()Ljava/lang/String;");
const char *str =(*env)->GetStringUTFChars(env,str_jstring,0);
cJSON_AddStringToObject(item_json_item,"phy",str);
logd(WD_COLLECT,"phy= %s",str);
(*env)->ReleaseStringUTFChars(env,str_jstring, str);
(*env)->DeleteLocalRef(env, str_jstring);
}
//获取最大的像素阵列
jobject pixel=wdCallObjectMethod(env,cameraCharacteristics,"get"
,"(Landroid/hardware/camera2/CameraCharacteristics$Key;)Ljava/lang/Object;",SENSOR_INFO_PIXEL_ARRAY_SIZE);
if (pixel != NULL) {
jstring str_jstring =wdCallObjectMethod(env,pixel,"toString","()Ljava/lang/String;");
const char *str =(*env)->GetStringUTFChars(env,str_jstring,0);
cJSON_AddStringToObject(item_json_item,"pixel",str);
logd(WD_COLLECT,"pixel= %s",str);
(*env)->ReleaseStringUTFChars(env,str_jstring, str);
(*env)->DeleteLocalRef(env, str_jstring);
}
cJSON_AddItemToArray(item_json, item_json_item);
(*env)->ReleaseStringUTFChars(env,cameraId, camera_str);
(*env)->DeleteLocalRef(env, cameraId);
(*env)->DeleteLocalRef(env, cameraCharacteristics);
(*env)->DeleteLocalRef(env, maxZoom);
(*env)->DeleteLocalRef(env, pixel);
(*env)->DeleteLocalRef(env, phy);
(*env)->DeleteLocalRef(env, maxAf);
(*env)->DeleteLocalRef(env, maxAe);
(*env)->DeleteLocalRef(env, aeRange);
(*env)->DeleteLocalRef(env, ori);
(*env)->DeleteLocalRef(env, maxPixel);
}
(*env)->DeleteLocalRef(env, camera_Str);
(*env)->DeleteLocalRef(env, cameraManager_obj);
(*env)->DeleteLocalRef(env, cameraIdList_Obj);
cJSON_AddItemToObject(json, "camera", item_json);
}
void collect_battery_info(JNIEnv *env, cJSON *json) {
......@@ -380,38 +531,45 @@ void collect_battery_info(JNIEnv *env, cJSON *json) {
}
void collect_env(JNIEnv *env, cJSON *json) {
//todo
cJSON* env_item = cJSON_CreateObject();
char* path = getenv("PATH");
cJSON_AddStringToObject(env_item, "PATH", path);
cJSON_AddItemToObject(json, "env", env_item);
}
void collect_libs_info(JNIEnv *env, cJSON *json) {
cJSON* item = cJSON_CreateObject();
int pid = WDSYSCALL(SYS_getpid);
logd(WD_COLLECT, "my pid: %d", pid);
const char* lib_names[] = {"libwdun.so", "libc.so"};
for(int j = 0; j < sizeof(lib_names)/sizeof(const char*); ++j) {
char cmd[64] = {0};
char line[1024] = {0};
snprintf(cmd, 63, "cat /proc/self/maps | grep %s", lib_names[j]);
snprintf(cmd, 63, "cat /proc/%d/maps | grep %s", pid, lib_names[j]);
FILE *fp = g_funcs.wd_popen(cmd, "r");
if(fgets(line, 1024, fp)) {
int pos = 0;
sscanf(line, "%*lx-%*lx %*4s %*lx %*lx:%*lx %*d%n", &pos);
char* path = wd_util_trim(line + pos);
int fd = WDSYSCALL(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
if(fd < 0) break;
int size = lseek(fd, 0, SEEK_END);
//映射内存
int mmap_call_num = 222;
uint8_t* base = (uint8_t*) WDSYSCALL(WD_SYS_mmap, 0, size, PROT_READ, MAP_SHARED, fd, 0);
uint8_t out[16] = {0};
char md5_str[32 + 1] = {0};
MD5(base, size, out);
bytes2Hex(out, md5_str, 16, 0);
cJSON_AddStringToObject(item, lib_names[j], md5_str);
//取消内存映射
WDSYSCALL(SYS_munmap, base, size);
//关闭文件
WDSYSCALL(SYS_close, fd);
if(fp){
if(fgets(line, 1024, fp)) {
int pos = 0;
sscanf(line, "%*lx-%*lx %*4s %*lx %*lx:%*lx %*d%n", &pos);
char* path = wd_util_trim(line + pos);
int fd = WDSYSCALL(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
if(fd < 0) break;
int size = lseek(fd, 0, SEEK_END);
//映射内存
int mmap_call_num = 222;
uint8_t* base = (uint8_t*) WDSYSCALL(WD_SYS_mmap, 0, size, PROT_READ, MAP_SHARED, fd, 0);
uint8_t out[16] = {0};
char md5_str[32 + 1] = {0};
MD5(base, size, out);
bytes2Hex(out, md5_str, 16, 0);
cJSON_AddStringToObject(item, lib_names[j], md5_str);
//取消内存映射
WDSYSCALL(SYS_munmap, base, size);
//关闭文件
WDSYSCALL(SYS_close, fd);
}
g_funcs.wd_pclose(fp);
}
g_funcs.wd_pclose(fp);
}
cJSON_AddItemToObject(json, "libs", item);
logd(WD_COLLECT, "%s", "collect libs_md5 finished...");
......@@ -692,26 +850,28 @@ void collect_time_info(JNIEnv *env, cJSON *json) {
// 收集风控信息
void collect_risk_info(JNIEnv *env, cJSON *json) {
cJSON * risk_item = cJSON_CreateObject();
//root
//su
char su[64] = {0};
int res = read_cmd("which su", "r", su, 63);
cJSON_AddStringToObject(json, "su", su);
cJSON_AddStringToObject(risk_item, "su", su);
//magisk
char magisk[64] = {0};
res = read_cmd("which magisk", "r", magisk, 63);
cJSON_AddStringToObject(json, "magisk", magisk);
cJSON_AddStringToObject(risk_item, "magisk", magisk);
//vpn
char* vpn = "/sys/class/net/tun0";
if(!is_file_exists(vpn)) {
char *vpn = "/sys/class/net/tun0";
if (!is_file_exists(vpn)) {
vpn = "";
}
cJSON_AddStringToObject(json, "vpn", vpn);
cJSON_AddStringToObject(risk_item, "vpn", vpn);
//emulator
const char* emulator_files[] = {
const char *emulator_files[] = {
"/dev/socket/qemud",
"/dev/qemu_pipe",
"/goldfish",
......@@ -725,9 +885,6 @@ void collect_risk_info(JNIEnv *env, cJSON *json) {
"/system/bin/ttVM-prop",
"/system/bin/droid4x-prop",
"/data/.bluestacks.prop",
"/data/app/com.bluestacks.appmart-1.apk",
"/data/app/com.bluestacks.home-1.apk",
"/data/app/com.bluestacks.searchapp-1.apk",
"/data/data/com.bluestacks.setup",
"/dev/vboxuser",
"/fstab.vbox86",
......@@ -758,14 +915,83 @@ void collect_risk_info(JNIEnv *env, cJSON *json) {
"/system/lib/vpipe_novt.ko",
"/system/lib/vboxguest.ko",
"/system/lib/vboxsf.ko",
// "/system/lib/libhoudini.so", //x86转arm架构
"/sys/bus/virtio",
"/sys/module/virtio_net",
"/sys/module/virtio_pci",
"/sys/class/virtio_pt/virtiopt",
"/sys/devices/virtual/virtio_pt/virtiopt",
"/sys/class/virtio_pt",
"/dev/virtiopt",
"/sys/bus/pci/drivers/virtio-pci",
"/proc/sys/fs/binfmt_misc/arm"
};
cJSON* emulator = cJSON_CreateArray();
for(int i = 0; i < sizeof(emulator_files)/sizeof(const char*); ++i) {
if(is_file_exists(emulator_files[i])) {
cJSON *emulator = cJSON_CreateArray();
for (int i = 0; i < sizeof(emulator_files) / sizeof(const char *); ++i) {
if (is_file_exists(emulator_files[i])) {
cJSON_AddItemToArray(emulator, cJSON_CreateString(emulator_files[i]));
}
}
cJSON_AddItemToObject(json, "emulator", emulator);
cJSON_AddItemToObject(risk_item, "emulator", emulator);
//hook
//inject
cJSON *inject = cJSON_CreateArray();
const char* xposed_strs[] = {
"libriru.so", "libriru_edxp.so", "libsandhook.edxp.so", "liblspd.so", "XposedBridge.jar",
"frida-agent-32.so", "frida-agent-64.so", "libsubstrate.so", "libxposed_art.so"
};
int pid = WDSYSCALL(SYS_getpid);
for(int i = 0; i < sizeof(xposed_strs)/sizeof(const char*); ++i) {
char cmd[64] = {0};
snprintf(cmd, 63, "cat /proc/%d/maps | grep %s", pid, xposed_strs[i]);
FILE* fp = popen(cmd, "r");
char line[1024] = {0};
if(fgets(line, 1023, fp)){
int pos = 0;
sscanf(line, "%*lx-%*lx %*4s %*lx %*lx:%*lx %*d%n", &pos);
char* path = wd_util_trim(line + pos);
if(path) {
cJSON_AddItemToArray(inject, cJSON_CreateString(path));
}
}
pclose(fp);
}
cJSON_AddItemToObject(risk_item, "inject", inject);
//system_lib_funcs
cJSON* sys_funcs = cJSON_CreateObject();
struct so_info* si = fake_dlopen("libc.so", 0);
if(si) {
const char* symbols[] = {
"syscall", "open", "read", "fopen", "fread", "popen", "__system_property_get", "__system_property_set"
};
for(int i = 0; i < sizeof(symbols)/sizeof(const char*); ++i) {
void* addr = fake_dlsym(si, symbols[i]);
char data[32 + 1] = {0};
if(addr) {
char val[16] = {0};
memcpy(val, addr, 16);
bytes2Hex(val, data, 16, 0);
}
cJSON_AddStringToObject(sys_funcs, symbols[i], data);
}
fake_dlclose(si);
}
cJSON_AddItemToObject(risk_item, "sys_funcs", sys_funcs);
//sdk_funcs
cJSON* sdk_funcs = cJSON_CreateObject();
//todo
cJSON_AddItemToObject(risk_item, "sdk_funcs", sdk_funcs);
cJSON_AddItemToObject(json, "risk", risk_item);
}
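Review bot: In the new inject loop of collect_risk_info, the result of `popen(cmd, "r")` goes straight into `fgets` and `pclose` with no NULL check, so a failed fork or pipe crashes the collector instead of yielding an empty "inject" array. The same commit adds an `if(fp)` guard to the identical pattern in collect_libs_info, which also goes through `g_funcs.wd_popen`, so this loop should match it: `FILE* fp = g_funcs.wd_popen(cmd, "r");`, then `if(!fp) continue;`, and `g_funcs.wd_pclose(fp);` at the end. Relatedly, the `if(fd < 0) break;` in collect_libs_info now sits inside the guarded block and leaves the loop without calling `wd_pclose`, which leaks the stream and skips the remaining libraries; closing and then `continue` looks like the intent. The page does not mark which side each changed line is on, so this assumes the re-indented copy is the new code.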
......@@ -34,6 +34,7 @@ JNIEXPORT void jni_init(JNIEnv* env, jobject thiz, jobject context) {
}
JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
logd("wdun_core", "%s", "enter jni_onload...");
JNIEnv* env = NULL;
if((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_6) == JNI_OK) {
jclass cls = (*env)->FindClass(env, WDMAIN_CLASS_NAME);
......@@ -43,12 +44,20 @@ JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
(*env)->DeleteLocalRef(env, cls);
}
//find lic needed symbol
logd("wdun_core", "%s", "find libc symbol...");
//find libc needed symbol
struct so_info* si = fake_dlopen("libc.so", 0);
g_funcs.wd_popen = fake_dlsym(si, "popen");
g_funcs.wd_pclose = fake_dlsym(si, "pclose");
g_funcs.wd_system_property_get = fake_dlsym(si, "__system_property_get");
fake_dlclose(si);
if(si != NULL) {
g_funcs.wd_popen = fake_dlsym(si, "popen");
g_funcs.wd_pclose = fake_dlsym(si, "pclose");
g_funcs.wd_system_property_get = fake_dlsym(si, "__system_property_get");
fake_dlclose(si);
}
if(!g_funcs.wd_popen) g_funcs.wd_popen = popen;
if(!g_funcs.wd_pclose) g_funcs.wd_pclose = pclose;
if(!g_funcs.wd_system_property_get) g_funcs.wd_system_property_get = __system_property_get;
logd("wdun_core", "%s", "leave jni_onload...");
return JNI_VERSION_1_6;
}
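Review bot: The three fallback assignments at the end of JNI_OnLoad switch silently from the fake_dlsym-resolved pointers to the process's own imported `popen`, `pclose` and `__system_property_get`, and nothing records that this happened. If the purpose of resolving through fake_dlopen is to avoid a tampered import table (an inference; the page does not say so), the fallback is exactly the case the collectors should flag. At minimum log it, e.g. `if(!g_funcs.wd_popen) { logd("wdun_core", "%s", "popen not resolved, using import"); g_funcs.wd_popen = popen; }`, and consider adding a field for it to the risk payload. The GetEnv block at the start of JNI_OnLoad lies between the two hunks and is not fully visible here.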