Analyzing the Binder communication process from the perspective of Binder data transfer

Binder Data Analysis

0x00 Preface

A while ago I put together a small Binder-related tool, https://github.com/EggUncle/Hermes , which hooks ioctl and reads the data that passes through Binder.

The internals of Binder itself are out of scope here; we only look, from the data's point of view, at the request and response that occur when an app reads the phone's IMEI.

Environment: Nexus 5X, AOSP 7.1.2

0x01 Capturing the data

First, use the injection tool to hook com.android.phone, and use the dump tool to obtain information about the services it hosts.

Injection tool: https://github.com/EggUncle/PtraceInject (supports Android 7 and below only)

Service-information dump tool: https://github.com/EggUncle/DumpAndroidServicesInfo (the output is a JSON file)

After injecting, open the test app that reads the IMEI, tap its button, open logcat and filter on LIB_BINDER_HOOK. The captured data is shown below (timestamps have been removed; they are irrelevant to this analysis). For every transaction the hook logs a header line with the command word, the sender PID, the transaction code, the printable characters it found in the payload, and the payload size, followed by a hex dump of the payload: four 32-bit words per line in memory order, then their ASCII rendering.

6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: read BR_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 11804, code = 124, dump name : @)com.android.internal.telephony.ITelephonycom.test.androidbinderhook , pname size is 69, data size is 152 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 04004001 29000000 63006f00 6d002e00 ..@.)...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e007400 65006c00 65007000 68006f00 ..t.e.l.e.p.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6e007900 2e004900 54006500 6c006500 n.y...I.T.e.l.e.
6094-6105/? D/LIB_BINDER_HOOK: 70006800 6f006e00 79000000 1a000000 p.h.o.n.y.......
6094-6105/? D/LIB_BINDER_HOOK: 63006f00 6d002e00 74006500 73007400 c.o.m...t.e.s.t.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 6e006400 72006f00 69006400 ..a.n.d.r.o.i.d.
6094-6105/? D/LIB_BINDER_HOOK: 62006900 6e006400 65007200 68006f00 b.i.n.d.e.r.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6f006b00 00000000 o.k.....
6094-6105/? E/LIB_BINDER_HOOK: write BC_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 53, dump name : @android.app.IActivityManager.android.permission.READ_PRIVILEGED_PHONE_STATE.n' , pname size is 79, data size is 176 , target is 777fcde804 777fcde804
6094-6105/? D/LIB_BINDER_HOOK: 04004001 1c000000 61006e00 64007200 ..@.....a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 61007000 70002e00 o.i.d...a.p.p...
6094-6105/? D/LIB_BINDER_HOOK: 49004100 63007400 69007600 69007400 I.A.c.t.i.v.i.t.
6094-6105/? D/LIB_BINDER_HOOK: 79004d00 61006e00 61006700 65007200 y.M.a.n.a.g.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 00000000 2e000000 61006e00 64007200 ........a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 70006500 72006d00 o.i.d...p.e.r.m.
6094-6105/? D/LIB_BINDER_HOOK: 69007300 73006900 6f006e00 2e005200 i.s.s.i.o.n...R.
6094-6105/? D/LIB_BINDER_HOOK: 45004100 44005f00 50005200 49005600 E.A.D._.P.R.I.V.
6094-6105/? D/LIB_BINDER_HOOK: 49004c00 45004700 45004400 5f005000 I.L.E.G.E.D._.P.
6094-6105/? D/LIB_BINDER_HOOK: 48004f00 4e004500 5f005300 54004100 H.O.N.E._.S.T.A.
6094-6105/? D/LIB_BINDER_HOOK: 54004500 00000000 1c2e0000 6e270000 T.E.........n'..
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: read BR_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : , pname size is 0, data size is 8 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 00000000 ffffffff ........
6094-6105/? E/LIB_BINDER_HOOK: write BC_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 53, dump name : @android.app.IActivityManager#android.permission.READ_PHONE_STATE.n' , pname size is 68, data size is 152 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 04004001 1c000000 61006e00 64007200 ..@.....a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 61007000 70002e00 o.i.d...a.p.p...
6094-6105/? D/LIB_BINDER_HOOK: 49004100 63007400 69007600 69007400 I.A.c.t.i.v.i.t.
6094-6105/? D/LIB_BINDER_HOOK: 79004d00 61006e00 61006700 65007200 y.M.a.n.a.g.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 00000000 23000000 61006e00 64007200 ....#...a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 70006500 72006d00 o.i.d...p.e.r.m.
6094-6105/? D/LIB_BINDER_HOOK: 69007300 73006900 6f006e00 2e005200 i.s.s.i.o.n...R.
6094-6105/? D/LIB_BINDER_HOOK: 45004100 44005f00 50004800 4f004e00 E.A.D._.P.H.O.N.
6094-6105/? D/LIB_BINDER_HOOK: 45005f00 53005400 41005400 45000000 E._.S.T.A.T.E...
6094-6105/? D/LIB_BINDER_HOOK: 1c2e0000 6e270000 ....n'..
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: read BR_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : , pname size is 0, data size is 8 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 00000000 00000000 ........
6094-6105/? E/LIB_BINDER_HOOK: write BC_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 2, dump name : @'com.android.internal.app.IAppOpsService3n'com.test.androidbinderhook , pname size is 70, data size is 156 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 04004001 27000000 63006f00 6d002e00 ..@.'...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 70007000 2e004900 41007000 ..a.p.p...I.A.p.
6094-6105/? D/LIB_BINDER_HOOK: 70004f00 70007300 53006500 72007600 p.O.p.s.S.e.r.v.
6094-6105/? D/LIB_BINDER_HOOK: 69006300 65000000 33000000 6e270000 i.c.e...3...n'..
6094-6105/? D/LIB_BINDER_HOOK: 1a000000 63006f00 6d002e00 74006500 ....c.o.m...t.e.
6094-6105/? D/LIB_BINDER_HOOK: 73007400 2e006100 6e006400 72006f00 s.t...a.n.d.r.o.
6094-6105/? D/LIB_BINDER_HOOK: 69006400 62006900 6e006400 65007200 i.d.b.i.n.d.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 68006f00 6f006b00 00000000 h.o.o.k.....
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: read BR_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : , pname size is 0, data size is 8 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 00000000 00000000 ........
6094-6105/? E/LIB_BINDER_HOOK: write BC_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : 354360070189667 , pname size is 15, data size is 40 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 00000000 0f000000 33003500 34003300 ........3.5.4.3.
6094-6105/? D/LIB_BINDER_HOOK: 36003000 30003700 30003100 38003900 6.0.0.7.0.1.8.9.
6094-6105/? D/LIB_BINDER_HOOK: 36003600 37000000 6.6.7...
11804-11804/com.test.androidbinderhook I/LIB_BINDER_HOOK: onClick: 354360070189667
6094-6105/? E/LIB_BINDER_HOOK: ---------------------------------
6094-6105/? E/LIB_BINDER_HOOK: write BC_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : 354360070189667 , pname size is 15, data size is 40 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 00000000 0f000000 33003500 34003300 ........3.5.4.3.
6094-6105/? D/LIB_BINDER_HOOK: 36003000 30003700 30003100 38003900 6.0.0.7.0.1.8.9.
6094-6105/? D/LIB_BINDER_HOOK: 36003600 37000000 6.6.7...

0x02 The data structures Binder transfers

Before analyzing the captured data, it is worth looking at the structures Binder uses when it moves data. Every BINDER_WRITE_READ ioctl passes a binder_write_read structure to the driver:

struct binder_write_read {
    binder_size_t    write_size;     /* bytes to write */
    binder_size_t    write_consumed; /* bytes consumed by driver */
    binder_uintptr_t write_buffer;
    binder_size_t    read_size;      /* bytes to read */
    binder_size_t    read_consumed;  /* bytes consumed by driver */
    binder_uintptr_t read_buffer;
};

The members that carry the data shown above are write_buffer and read_buffer: each is a user-space pointer to a buffer holding a sequence of commands, write_size/read_size give the length of those buffers, and write_consumed/read_consumed are filled in by the driver with the number of bytes it actually processed (so a hook has to read the buffers, not the consumed counters). The flow looks like this:


Figure taken from https://paul.pub/android-binder-driver/

The write buffer carries the BC_ (binder command) words such as BC_TRANSACTION and BC_REPLY; the read buffer carries the BR_ (binder return) words such as BR_TRANSACTION and BR_REPLY.

Each of those four command words is followed in the buffer by a binder_transaction_data:

struct binder_transaction_data {
    /* The first two are only used for bcTRANSACTION and brTRANSACTION,
     * identifying the target and contents of the transaction.
     */
    union {
        /* target descriptor of command transaction */
        __u32 handle;
        /* target descriptor of return transaction */
        binder_uintptr_t ptr;
    } target;
    binder_uintptr_t cookie; /* target object cookie */
    __u32 code;              /* transaction command */

    /* General information about the transaction. */
    __u32 flags;
    pid_t sender_pid;
    uid_t sender_euid;
    binder_size_t data_size;    /* number of bytes of data */
    binder_size_t offsets_size; /* number of bytes of offsets */

    /* If this transaction is inline, the data immediately
     * follows here; otherwise, it ends with a pointer to
     * the data buffer.
     */
    union {
        struct {
            /* transaction data */
            binder_uintptr_t buffer;
            /* offsets from buffer to flat_binder_object structs */
            binder_uintptr_t offsets;
        } ptr;
        __u8 buf[8];
    } data;
};

code is the transaction code, i.e. the number of the method the Binder service exposes (it can be mapped back to a method name through the source, or through the service information dumped by the tool above, using the service name plus the code). target identifies the object the transaction is addressed to: for a BC_TRANSACTION it is a handle to the remote object, for a BR_TRANSACTION delivered to the server it is the local node pointer (with cookie). sender_pid and sender_euid are filled in by the driver on delivery, which is why the BC_ lines in the trace show PID = 0 while the BR_TRANSACTION line shows the caller's real PID. data.ptr.buffer points at the actual payload, the serialized Parcel, and that is what the hook dumps; offsets points at the positions of any flat_binder_object inside it. With that in place we can read the captured data.
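To make the layout concrete, here is an added example (not code from the original post or from the Hermes tool): the two structures above laid out with ctypes as the 64-bit kernel on the Nexus 5X sees them, the BC_/BR_ command words derived from the Linux ioctl encoding rather than hardcoded, and a walker over a constructed write buffer of the kind write_buffer points at. The handle and addresses in the sample buffer are made up; the transaction code 124 and payload size 152 are the ones in the trace above.

```python
import ctypes
import struct

# Added example, not code from the original write-up or its tools: the two
# structures above laid out with ctypes as the 64-bit kernel on the Nexus 5X
# sees them (binder_size_t and binder_uintptr_t are both __u64), the command
# words derived from the Linux _IOC() encoding, and a walker over a command
# buffer of the kind write_buffer/read_buffer point at.

class binder_write_read(ctypes.Structure):
    _fields_ = [("write_size", ctypes.c_uint64), ("write_consumed", ctypes.c_uint64),
                ("write_buffer", ctypes.c_uint64), ("read_size", ctypes.c_uint64),
                ("read_consumed", ctypes.c_uint64), ("read_buffer", ctypes.c_uint64)]

class _Target(ctypes.Union):
    _fields_ = [("handle", ctypes.c_uint32), ("ptr", ctypes.c_uint64)]

class _DataPtr(ctypes.Structure):
    _fields_ = [("buffer", ctypes.c_uint64), ("offsets", ctypes.c_uint64)]

class _Data(ctypes.Union):
    _fields_ = [("ptr", _DataPtr), ("buf", ctypes.c_uint8 * 8)]

class binder_transaction_data(ctypes.Structure):
    _fields_ = [("target", _Target), ("cookie", ctypes.c_uint64),
                ("code", ctypes.c_uint32), ("flags", ctypes.c_uint32),
                ("sender_pid", ctypes.c_int32), ("sender_euid", ctypes.c_uint32),
                ("data_size", ctypes.c_uint64), ("offsets_size", ctypes.c_uint64),
                ("data", _Data)]

BWR_SIZE = ctypes.sizeof(binder_write_read)        # 48 on a 64-bit kernel
TD_SIZE = ctypes.sizeof(binder_transaction_data)   # 64 on a 64-bit kernel

# Linux ioctl number encoding (asm-generic): dir:2 | size:14 | type:8 | nr:8.
def _ioc(direction, type_char, nr, size):
    return (direction << 30) | (size << 16) | (ord(type_char) << 8) | nr

def _iow(t, nr, size):  return _ioc(1, t, nr, size)   # userspace -> driver
def _ior(t, nr, size):  return _ioc(2, t, nr, size)   # driver -> userspace
def _iowr(t, nr, size): return _ioc(3, t, nr, size)
def ioc_size(cmd):      return (cmd >> 16) & 0x3FFF   # argument size carried by the word

BINDER_WRITE_READ = _iowr("b", 1, BWR_SIZE)   # 0xc0306201: the ioctl the hook intercepts
BC_TRANSACTION    = _iow("c", 0, TD_SIZE)     # 0x40406300
BC_REPLY          = _iow("c", 1, TD_SIZE)     # 0x40406301
BC_FREE_BUFFER    = _iow("c", 3, 8)           # 0x40086303, argument is a binder_uintptr_t
BR_TRANSACTION    = _ior("r", 2, TD_SIZE)     # 0x80407202
BR_REPLY          = _ior("r", 3, TD_SIZE)     # 0x80407203
TRANSACTION_CMDS = {BC_TRANSACTION: "BC_TRANSACTION", BC_REPLY: "BC_REPLY",
                    BR_TRANSACTION: "BR_TRANSACTION", BR_REPLY: "BR_REPLY"}

def walk_buffer(buf):
    """Walk a write or read buffer: each entry is a u32 command word followed
    by an argument whose size is encoded in the word itself. Transaction
    commands are decoded to (name, code, target, data_size); every other
    command (BC_FREE_BUFFER, BR_NOOP, ...) is skipped by its encoded size."""
    out, pos = [], 0
    while pos + 4 <= len(buf):
        cmd = struct.unpack_from("<I", buf, pos)[0]
        pos += 4
        if cmd in TRANSACTION_CMDS:
            tr = binder_transaction_data.from_buffer_copy(buf, pos)
            # BC_TRANSACTION addresses a remote object by handle; BR_TRANSACTION
            # delivers the local node pointer (the BBinder address) instead.
            target = tr.target.handle if cmd & (1 << 30) else tr.target.ptr
            out.append((TRANSACTION_CMDS[cmd], tr.code, target, tr.data_size))
        pos += ioc_size(cmd)
    return out

def make_bc_transaction(handle, code, payload_addr, payload_len):
    """Build a BC_TRANSACTION the way libbinder queues one (constructed sample).
    sender_pid/sender_euid stay 0: the driver fills them in on delivery."""
    tr = binder_transaction_data()
    tr.target.handle = handle
    tr.code = code
    tr.data_size = payload_len
    tr.data.ptr.buffer = payload_addr          # user pointer to the Parcel bytes
    return struct.pack("<I", BC_TRANSACTION) + bytes(tr)

# Constructed write buffer: free the previous reply buffer, then call
# getDeviceId (code 124 with a 152-byte Parcel, as in the trace above).
# The handle and addresses are made up for the example.
SAMPLE_WRITE_BUFFER = (struct.pack("<IQ", BC_FREE_BUFFER, 0x7F9E4C2000)
                       + make_bc_transaction(handle=0x17, code=124,
                                             payload_addr=0x7F9E4C3000, payload_len=152))

if __name__ == "__main__":
    for entry in walk_buffer(SAMPLE_WRITE_BUFFER):
        print(entry)   # ('BC_TRANSACTION', 124, 23, 152)
```

Deriving the command words instead of hardcoding them has a practical payoff for a hook: the size field of each word says how many argument bytes follow, so the walker can step over commands it does not decode (BC_FREE_BUFFER, BR_NOOP, BR_TRANSACTION_COMPLETE and so on) and still land on the next binder_transaction_data.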

0x03 Data analysis

Start with the first record.

6094-6105/? E/LIB_BINDER_HOOK: read BR_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 11804, code = 124, dump name : @)com.android.internal.telephony.ITelephonycom.test.androidbinderhook , pname size is 69, data size is 152 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 04004001 29000000 63006f00 6d002e00 ..@.)...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e007400 65006c00 65007000 68006f00 ..t.e.l.e.p.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6e007900 2e004900 54006500 6c006500 n.y...I.T.e.l.e.
6094-6105/? D/LIB_BINDER_HOOK: 70006800 6f006e00 79000000 1a000000 p.h.o.n.y.......
6094-6105/? D/LIB_BINDER_HOOK: 63006f00 6d002e00 74006500 73007400 c.o.m...t.e.s.t.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 6e006400 72006f00 69006400 ..a.n.d.r.o.i.d.
6094-6105/? D/LIB_BINDER_HOOK: 62006900 6e006400 65007200 68006f00 b.i.n.d.e.r.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6f006b00 00000000 o.k.....
6094-6105/? E/LIB_BINDER_HOOK: write BC_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 53, dump name : @android.app.IActivityManager.android.permission.READ_PRIVILEGED_PHONE_STATE.n' , pname size is 79, data size is 176 , target is 777fcde804 777fcde804
6094-6105/? D/LIB_BINDER_HOOK: 04004001 1c000000 61006e00 64007200 ..@.....a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 61007000 70002e00 o.i.d...a.p.p...
6094-6105/? D/LIB_BINDER_HOOK: 49004100 63007400 69007600 69007400 I.A.c.t.i.v.i.t.
6094-6105/? D/LIB_BINDER_HOOK: 79004d00 61006e00 61006700 65007200 y.M.a.n.a.g.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 00000000 2e000000 61006e00 64007200 ........a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 70006500 72006d00 o.i.d...p.e.r.m.
6094-6105/? D/LIB_BINDER_HOOK: 69007300 73006900 6f006e00 2e005200 i.s.s.i.o.n...R.
6094-6105/? D/LIB_BINDER_HOOK: 45004100 44005f00 50005200 49005600 E.A.D._.P.R.I.V.
6094-6105/? D/LIB_BINDER_HOOK: 49004c00 45004700 45004400 5f005000 I.L.E.G.E.D._.P.
6094-6105/? D/LIB_BINDER_HOOK: 48004f00 4e004500 5f005300 54004100 H.O.N.E._.S.T.A.
6094-6105/? D/LIB_BINDER_HOOK: 54004500 00000000 1c2e0000 6e270000 T.E.........n'..

There are two commands here.

The first is BR_TRANSACTION: com.android.phone is the server and receives the transaction the driver delivers. The PID is 11804, the PID of the test app that reads the IMEI. The string in the payload shows that the interface being called is ITelephony, and looking code 124 up in the service information dumped earlier gives the method: getDeviceId, which returns the IMEI. It takes a package name as its single parameter, and the payload does contain one (com.test.androidbinderhook):

{
    "code": 124,
    "methodName": "getDeviceId",
    "paramTypeList": [
        "java.lang.String"
    ]
},

Now the payload in detail:

6094-6105/? D/LIB_BINDER_HOOK: 04004001 29000000 63006f00 6d002e00 ..@.)...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e007400 65006c00 65007000 68006f00 ..t.e.l.e.p.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6e007900 2e004900 54006500 6c006500 n.y...I.T.e.l.e.
6094-6105/? D/LIB_BINDER_HOOK: 70006800 6f006e00 79000000 1a000000 p.h.o.n.y.......
6094-6105/? D/LIB_BINDER_HOOK: 63006f00 6d002e00 74006500 73007400 c.o.m...t.e.s.t.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 6e006400 72006f00 69006400 ..a.n.d.r.o.i.d.
6094-6105/? D/LIB_BINDER_HOOK: 62006900 6e006400 65007200 68006f00 b.i.n.d.e.r.h.o.
6094-6105/? D/LIB_BINDER_HOOK: 6f006b00 00000000 o.k.....
04004001: read little-endian this is 0x01400004, the first half of the interface token. Parcel.writeInterfaceToken(DESCRIPTOR), which every generated Proxy calls before writing its arguments, writes the caller's StrictMode policy ORed with STRICT_MODE_PENALTY_GATHER (0x40 << 16, visible as the 0x40 in the third byte) and then the descriptor as a String16; the Stub's enforceInterface() checks it on the other side.
29000000: decimal 41, the character count of the UTF-16LE string that follows, com.android.internal.telephony.ITelephony.
1a000000: decimal 26, the character count of the following string com.test.androidbinderhook, i.e. the packageName argument.
00000000: a String16 ends with a 16-bit NUL terminator, and the Parcel is then padded to a 4-byte boundary. After the 41-character descriptor the 82 bytes of characters plus the 2-byte terminator already end on a boundary (the terminator is the 0000 right after 7900, the 'y'), while the 26-character package name needs the terminator plus two bytes of padding, which together make up this final word.

Now the same step from the source side. Start with TelephonyManager.getDeviceId:

public String getDeviceId() {
    try {
        ITelephony telephony = getITelephony();
        if (telephony == null)
            return null;
        return telephony.getDeviceId(mContext.getOpPackageName());
    } catch (RemoteException ex) {
        return null;
    } catch (NullPointerException ex) {
        return null;
    }
}

It calls ITelephony.getDeviceId with the calling package's name as the argument.

The second command is BC_TRANSACTION. Here the service inside the phone process acts as a client and talks to another Binder service, so the command is BC_TRANSACTION rather than a reply (the hook shows PID = 0 on these lines because sender_pid is filled in by the driver on delivery, not by the sender). The string in the payload shows that the target service is android.app.IActivityManager, and code 53 is the following method (a note: because of permission problems the service-dump tool cannot read some services' information, so this method was found in the source instead):

public int checkPermission(String permission, int pid, int uid)

Now the payload:

6094-6105/? D/LIB_BINDER_HOOK: 04004001 1c000000 61006e00 64007200 ..@.....a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 61007000 70002e00 o.i.d...a.p.p...
6094-6105/? D/LIB_BINDER_HOOK: 49004100 63007400 69007600 69007400 I.A.c.t.i.v.i.t.
6094-6105/? D/LIB_BINDER_HOOK: 79004d00 61006e00 61006700 65007200 y.M.a.n.a.g.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 00000000 2e000000 61006e00 64007200 ........a.n.d.r.
6094-6105/? D/LIB_BINDER_HOOK: 6f006900 64002e00 70006500 72006d00 o.i.d...p.e.r.m.
6094-6105/? D/LIB_BINDER_HOOK: 69007300 73006900 6f006e00 2e005200 i.s.s.i.o.n...R.
6094-6105/? D/LIB_BINDER_HOOK: 45004100 44005f00 50005200 49005600 E.A.D._.P.R.I.V.
6094-6105/? D/LIB_BINDER_HOOK: 49004c00 45004700 45004400 5f005000 I.L.E.G.E.D._.P.
6094-6105/? D/LIB_BINDER_HOOK: 48004f00 4e004500 5f005300 54004100 H.O.N.E._.S.T.A.
6094-6105/? D/LIB_BINDER_HOOK: 54004500 00000000 1c2e0000 6e270000 T.E.........n'..
The first part is the same as before: the interface token, then the String16 permission argument, here android.permission.READ_PRIVILEGED_PHONE_STATE, with its terminator and padding.
1c2e0000: the pid argument, stored little-endian, i.e. 0x2e1c = 11804, the test app's PID.
6e270000: the uid argument in hex, 0x276e = 10094, the test app's uid.

The second record is the same checkPermission call with android.permission.READ_PHONE_STATE and is not decoded again. The BR_REPLY lines between the records carry the results: a reply Parcel starts with the exception header written by writeNoException() (00000000, no exception) followed by the return value. The check for READ_PRIVILEGED_PHONE_STATE returns ffffffff, i.e. -1, PackageManager.PERMISSION_DENIED, after which the phone process checks READ_PHONE_STATE, which returns 00000000, PERMISSION_GRANTED.

Then the third record:

6094-6105/? E/LIB_BINDER_HOOK: read BR_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : , pname size is 0, data size is 8 , target is 777fcde708 777fcde708
6094-6105/? D/LIB_BINDER_HOOK: 00000000 00000000 ........
6094-6105/? E/LIB_BINDER_HOOK: write BC_TRANSACTION
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 2, dump name : @'com.android.internal.app.IAppOpsService3n'com.test.androidbinderhook , pname size is 70, data size is 156 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 04004001 27000000 63006f00 6d002e00 ..@.'...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 70007000 2e004900 41007000 ..a.p.p...I.A.p.
6094-6105/? D/LIB_BINDER_HOOK: 70004f00 70007300 53006500 72007600 p.O.p.s.S.e.r.v.
6094-6105/? D/LIB_BINDER_HOOK: 69006300 65000000 33000000 6e270000 i.c.e...3...n'..
6094-6105/? D/LIB_BINDER_HOOK: 1a000000 63006f00 6d002e00 74006500 ....c.o.m...t.e.
6094-6105/? D/LIB_BINDER_HOOK: 73007400 2e006100 6e006400 72006f00 s.t...a.n.d.r.o.
6094-6105/? D/LIB_BINDER_HOOK: 69006400 62006900 6e006400 65007200 i.d.b.i.n.d.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 68006f00 6f006b00 00000000 h.o.o.k.....

The command is again BC_TRANSACTION: the phone process, as a client, sends a request to the IAppOpsService service with code 2, which maps to the following method (the BR_REPLY just above it is the result of the READ_PHONE_STATE check: 00000000 00000000, no exception and a return value of 0):

{
    "code": 2,
    "methodName": "noteOperation",
    "paramTypeList": [
        "int",
        "int",
        "java.lang.String"
    ]
},

Its declaration is:

public int noteOperation(int code, int uid, String packageName)

Despite its name, noteOperation does not grant anything: it asks AppOpsService whether the given app-op is currently allowed for this uid and package, records the access (this is what later shows up in the app-ops history), and returns the mode, 0 being MODE_ALLOWED. Now the payload:

6094-6105/? D/LIB_BINDER_HOOK: 04004001 27000000 63006f00 6d002e00 ..@.'...c.o.m...
6094-6105/? D/LIB_BINDER_HOOK: 61006e00 64007200 6f006900 64002e00 a.n.d.r.o.i.d...
6094-6105/? D/LIB_BINDER_HOOK: 69006e00 74006500 72006e00 61006c00 i.n.t.e.r.n.a.l.
6094-6105/? D/LIB_BINDER_HOOK: 2e006100 70007000 2e004900 41007000 ..a.p.p...I.A.p.
6094-6105/? D/LIB_BINDER_HOOK: 70004f00 70007300 53006500 72007600 p.O.p.s.S.e.r.v.
6094-6105/? D/LIB_BINDER_HOOK: 69006300 65000000 33000000 6e270000 i.c.e...3...n'..
6094-6105/? D/LIB_BINDER_HOOK: 1a000000 63006f00 6d002e00 74006500 ....c.o.m...t.e.
6094-6105/? D/LIB_BINDER_HOOK: 73007400 2e006100 6e006400 72006f00 s.t...a.n.d.r.o.
6094-6105/? D/LIB_BINDER_HOOK: 69006400 62006900 6e006400 65007200 i.d.b.i.n.d.e.r.
6094-6105/? D/LIB_BINDER_HOOK: 68006f00 6f006b00 00000000 h.o.o.k.....
The leading part is the same interface token and is not decoded again.
33000000: decimal 51, the op code, the first argument. The mapping is in http://androidxref.com/7.1.2_r36/xref/frameworks/base/core/java/android/app/AppOpsManager.java : 51 is OP_READ_PHONE_STATE, the app-op for reading phone state.
6e270000: as noted above, the test app's uid, the second argument. It is followed by 1a000000 and the String16 com.test.androidbinderhook, the packageName argument.

On to the last record:

6094-6105/? E/LIB_BINDER_HOOK: write BC_REPLY
6094-6105/? E/LIB_BINDER_HOOK: PID = 0, code = 0, dump name : 354360070189667 , pname size is 15, data size is 40 , target is 777fcde810 777fcde810
6094-6105/? D/LIB_BINDER_HOOK: 00000000 0f000000 33003500 34003300 ........3.5.4.3.
6094-6105/? D/LIB_BINDER_HOOK: 36003000 30003700 30003100 38003900 6.0.0.7.0.1.8.9.
6094-6105/? D/LIB_BINDER_HOOK: 36003600 37000000 6.6.7...

This one is simple: the IMEI is written into the reply that goes back through the driver, and the Binder exchange for this request ends here. Why does the reply start with 00000000? The Stub's onTransact calls reply.writeNoException() before writing the return value, and writeNoException() writes an int32 0 meaning no exception (a Stub that threw would write a non-zero exception code there, followed by the exception message; see writeNoException/writeException in http://androidxref.com/7.1.2_r36/xref/frameworks/base/core/java/android/os/Parcel.java ). 0f000000 is then the length, 15, of the UTF-16 string that follows: the IMEI itself.
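The decoding done by hand in this section (interface token, String16 with terminator and padding, int32 arguments, and the reply's exception header) can be turned into a small decoder. The following is an added example, not code from the original post or from the Hermes or DumpAndroidServicesInfo tools; the hex words are copied from the trace above and the parameter type lists are the ones shown for getDeviceId, checkPermission and noteOperation. It reads the payloads of all three requests and of both kinds of reply in the trace.

```python
import struct

# Added example (not code from the original post or its tools): a decoder for
# the Parcel payloads dumped in this section. Input is the hex-word column of
# the hook's D/ lines (bytes in memory order, little-endian words); the
# logcat prefix and ASCII column are left out.

def dump_to_bytes(text):
    """Turn the hook's 32-bit hex words into the raw payload bytes."""
    return bytes.fromhex("".join(text.split()))

class Parcel:
    """Reader for the Parcel wire format seen in the dumps."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def read_int32(self):
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

    def read_string16(self):
        # int32 char count, UTF-16LE chars, a 16-bit NUL, then padding to a
        # 4-byte boundary: the source of the trailing 00000000 words above.
        n = self.read_int32()
        if n < 0:                                   # writeString16(null)
            return None
        s = self.data[self.pos:self.pos + 2 * n].decode("utf-16-le")
        self.pos = (self.pos + 2 * n + 2 + 3) & ~3
        return s

    def read_interface_token(self):
        # writeInterfaceToken(): StrictMode policy int, then the descriptor.
        return self.read_int32(), self.read_string16()

    def read_typed(self, java_type):
        if java_type == "int":
            return self.read_int32()
        if java_type == "java.lang.String":
            return self.read_string16()
        raise NotImplementedError(java_type)

STRICT_MODE_PENALTY_GATHER = 0x40 << 16   # ORed into the policy word by libbinder

def decode_request(dump, param_types):
    """Decode a BC/BR_TRANSACTION payload given the method's AIDL parameter
    types (e.g. paramTypeList from the DumpAndroidServicesInfo json)."""
    p = Parcel(dump_to_bytes(dump))
    policy, iface = p.read_interface_token()
    args = [p.read_typed(t) for t in param_types]
    if p.pos != len(p.data):
        raise ValueError("payload not fully consumed: wrong parameter list?")
    return {"interface": iface, "strict_mode_policy": policy,
            "penalty_gather": bool(policy & STRICT_MODE_PENALTY_GATHER),
            "args": args}

def decode_reply(dump, return_type):
    """Decode a BC/BR_REPLY payload: writeNoException() writes int32 0 first;
    a Stub that threw writes a non-zero exception code and the message."""
    p = Parcel(dump_to_bytes(dump))
    exception = p.read_int32()
    if exception != 0:
        return exception, p.read_string16()
    return exception, p.read_typed(return_type)

# Hex words copied from the trace above (four per logged line there).
GET_DEVICE_ID = """04004001 29000000 63006f00 6d002e00 61006e00 64007200 6f006900 64002e00
69006e00 74006500 72006e00 61006c00 2e007400 65006c00 65007000 68006f00
6e007900 2e004900 54006500 6c006500 70006800 6f006e00 79000000 1a000000
63006f00 6d002e00 74006500 73007400 2e006100 6e006400 72006f00 69006400
62006900 6e006400 65007200 68006f00 6f006b00 00000000"""
CHECK_PERMISSION = """04004001 1c000000 61006e00 64007200 6f006900 64002e00 61007000 70002e00
49004100 63007400 69007600 69007400 79004d00 61006e00 61006700 65007200
00000000 2e000000 61006e00 64007200 6f006900 64002e00 70006500 72006d00
69007300 73006900 6f006e00 2e005200 45004100 44005f00 50005200 49005600
49004c00 45004700 45004400 5f005000 48004f00 4e004500 5f005300 54004100
54004500 00000000 1c2e0000 6e270000"""
NOTE_OPERATION = """04004001 27000000 63006f00 6d002e00 61006e00 64007200 6f006900 64002e00
69006e00 74006500 72006e00 61006c00 2e006100 70007000 2e004900 41007000
70004f00 70007300 53006500 72007600 69006300 65000000 33000000 6e270000
1a000000 63006f00 6d002e00 74006500 73007400 2e006100 6e006400 72006f00
69006400 62006900 6e006400 65007200 68006f00 6f006b00 00000000"""
DENIED_REPLY = "00000000 ffffffff"                 # checkPermission -> -1
IMEI_REPLY = """00000000 0f000000 33003500 34003300 36003000 30003700 30003100 38003900
36003600 37000000"""

if __name__ == "__main__":
    print(decode_request(GET_DEVICE_ID, ["java.lang.String"]))
    print(decode_request(CHECK_PERMISSION, ["java.lang.String", "int", "int"]))
    print(decode_request(NOTE_OPERATION, ["int", "int", "java.lang.String"]))
    print(decode_reply(DENIED_REPLY, "int"))           # (0, -1): PERMISSION_DENIED
    print(decode_reply(IMEI_REPLY, "java.lang.String"))
```

The end-of-payload check in decode_request is the part worth keeping when the parameter list comes from the service dump: if the types are wrong, or an argument type is not handled, the decoder stops short of (or runs past) the end of the payload and fails loudly instead of producing plausible-looking values.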

0x04 Summary

Seen from the Binder data, reading the IMEI breaks down into these steps:

  • the app sends the request (a BR_TRANSACTION for ITelephony.getDeviceId arrives at com.android.phone)
  • permission checks (IActivityManager.checkPermission, first for READ_PRIVILEGED_PHONE_STATE, then for READ_PHONE_STATE)
  • app-op check and recording (IAppOpsService.noteOperation for OP_READ_PHONE_STATE)
  • the data is returned (a BC_REPLY carrying the IMEI)

0x05 References