Java层的Socket及SSL的hook点分析

编写示例代码

通过自己编译且运行Socket示例的客户端(手机)与服务端代码,通过hook的方式来快速分析Socket发送流程。
客户端代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
import android.util.Log;

import org.json.JSONException;
import org.json.JSONObject;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.util.Date;

public class MySocket {
    private String serverIp = "192.168.3.23";
    private int serverPort = 9999;
    private Socket serverSocket = null;
    private OutputStream outputstream = null;
    private InputStream inputStream = null;
    private long lastheartresponse = 0;
    public  boolean connected = false;

    public void sendMessage(String msg){
        Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                if (connected == false) {
                    Log.i("dta => ", "watting connect......");
                } else {
                    try {
                        if (outputstream != null) {
                            String crypt = msg;
                            outputstream.write(crypt.getBytes("utf-8"));
                            outputstream.flush();
                        }

                    } catch (IOException e) {
                        close();
                        e.printStackTrace();
                    }
                }
            }
        });
        thread.start();
    }

    public void close() {
        try {
            if (serverSocket != null) {
                serverSocket.close();
            }

        } catch (IOException e) {
            e.printStackTrace();
        }
        inputStream = null;
        outputstream = null;
        connected = false;
    }

    public void heart(){
        Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                while (true) {
                    Date date = new Date();
                    String timestamp = String.valueOf(date.getTime());
                    long currenttime = Long.valueOf(timestamp);;
                    if (lastheartresponse != 0) {
                        long offset = currenttime - lastheartresponse;
                        int seconds = (int) (offset / 1000);
                        if (seconds > 10) {
                            close();
                        }
                    }
                    try {
                        Thread.currentThread().sleep(5000);
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }

                }
            }
        });
        thread.start();
    }

    public void receiveMessage(){
        Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                int arraysize = 1024;
                byte[] content = new byte[arraysize];
                while (true) {
                    if (inputStream != null) {
                        try {
                            int count = inputStream.read(content);
                            if (count > 0 && count < arraysize) {
                                byte[] tmparray = new byte[count];
                                System.arraycopy(content, 0, tmparray, 0, count);
                                String str = new String(tmparray, "utf-8");
                                Log.i("dta => ", str);
                            }
                        } catch (IOException e) {
                            e.printStackTrace();
                            close();
                            break;
                        }
                    } else {
                        close();
                        break;
                    }
                }
            }
        });
        thread.start();
    }

    public void service(){
        Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                while (true) {
                    if (connected == false) {
                        try {
                            serverSocket = new Socket(serverIp, serverPort);
                            serverSocket.setSoTimeout(10*1000);
                            connected = true;
                            outputstream = serverSocket.getOutputStream();
                            inputStream = serverSocket.getInputStream();
                            receiveMessage();
                        } catch (IOException e) {
                            e.printStackTrace();
                            connected = false;
                            serverSocket = null;
                            outputstream = null;
                            inputStream = null;
                        }
                    }
                    if (outputstream != null) {
                        try {
                            JSONObject object = new JSONObject();
                            object.put("dta", "hello server");
                            sendMessage(object.toString());
                        } catch (JSONException e) {
                            e.printStackTrace();
                        }
                    }
                    try {
                        Thread.currentThread().sleep(5000);
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }

                }
            }
        });
        thread.start();
    }
}

服务端代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# coding=utf-8
import json
import threading
import socket

socket_list = []

s = socket.socket()
s.bind(('0.0.0.0', 9999))
s.listen()


def read_from_client(s):
    try:
        return s.recv(1024).decode('utf-8')
    except:
        socket_list.remove(s)


def server_target(s):
    try:
        while True:
            content = read_from_client(s)
            if content is None:
                break
            length = len(content)
            if length > 0:
                print("receive:" + content)
                send_message = {"dta": "hello client"}
                print("send:" + str(send_message))
                s.send(json.dumps(send_message).encode('utf-8'))
    except IOError as e:
        print(e.strerror)


while True:
    c, addr = s.accept()
    socket_list.append(c)
    threading.Thread(target=server_target, args=(c,)).start()

通过objection获取所有socket类

先通过objection的android hooking search 来查找相应的Socket类,并复制这些类到一个txt文件当中然后通过Alt+Shift+鼠标拖拽光标的方式给所有类加上一句android hooking watch class
picture 3

picture 2

通过objection -g 包名 explore -c 文件名.txt来在启动objection的时候批量hook这些类,当然这过程当中很可能经常会崩,把崩的那句一条条的删掉。
picture 1

来到这里
picture 4
虽然objection崩了,但是还是hook到了关键类的信息

1
2
3
4
Called java.net.SocketOutputStream.write([B)
Called java.net.SocketOutputStream.socketWrite([B, int, int)
Called java.net.AbstractPlainSocketImpl.acquireFD()
Called java.net.SocketOutputStream.socketWrite0(java.io.FileDescriptor, [B, int, int)                                           Called java.net.AbstractPlainSocketImpl.releaseFD()

java.net.AbstractPlainSocketImpl看到这个是一个抽象类就不用管这个类了。直接看SocketOutputStream
picture 5

SocketOutputStream,通过Wallbreaker在内存当中搜索一下这个类的其中一个实例看看有没有我们需要的东西。
picture 6
该实例的域里存在着两个对象,通过这两个对象可以拿到目标的ip(addr)、目标的port(port)、本地的发送端口(localPort)
那我们再看看java.net.SocketOutputStream的函数的一些信息。
picture 8
picture 9

picture 10
可以看到所有的函数最后都会经过private native void socketWrite0(FileDescriptor fd, byte[] b, int off, int len) throws IOException;
我们通过frida来打印一下它的参数是什么。
picture 11
此处可以看到byte[]数组就是我们发送的数据~

此处附上打印byte数组的方法:

1
2
3
4
5
6
7
8
9
function printByteArray(byteArray){
    var content = '';
    for(var i = 0;i < byteArray.length; i++){
        if(byteArray[i] > 32 && byteArray[i] < 126){
            content += String.fromCharCode(byteArray[i])
        }
    }
    console.log(content);
}

因为其是一个native函数,说明该函数是Java层与JNI层的一个“桥梁”,也就是Java的Socket最终发送到JNI的那么一个点。可以通杀Java层。

把刚才的那些hook点在文本当中去掉再用objection hook一遍,以便我们拿到服务端返回的信息的Hook点。
picture 12
直接看源码。
picture 13
看了源码之后发现,其最终走的是private native int socketRead0(FileDescriptor fd, byte b[], int off, int len, int timeout)

通过对比socketWrite0和SocketOutputStream的名称发现,这两个类可以说是成对出现的,即写——读成对。

以上是SocketOutputStream和SocketInputStream两个hook点socketWrite0socketRead0的分析流程。

hook ssl握手之前的点

按照上面的做法进行android hooking search ssl,找到所有关于ssl的类,并把垃圾类都删掉之后进行objection的trace。时间关系这边直接给出那个待trace的类的log

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
android hooking watch class android.net.SSLCertificateSocketFactory
android hooking watch class android.net.SSLCertificateSocketFactory$1
android hooking watch class android.net.SSLSessionCache
android hooking watch class android.net.ssl.SSLSockets
android hooking watch class com.android.org.conscrypt.ConscryptFileDescriptorSocket$SSLInputStream
android hooking watch class com.android.org.conscrypt.ConscryptFileDescriptorSocket$SSLOutputStream
android hooking watch class com.android.org.conscrypt.DefaultSSLContextImpl
android hooking watch class com.android.org.conscrypt.NativeCrypto$SSLHandshakeCallbacks
android hooking watch class com.android.org.conscrypt.NativeRef$SSL_SESSION
android hooking watch class com.android.org.conscrypt.NativeSsl
android hooking watch class com.android.org.conscrypt.NativeSsl$1
android hooking watch class com.android.org.conscrypt.NativeSsl$BioWrapper
android hooking watch class com.android.org.conscrypt.NativeSslSession
android hooking watch class com.android.org.conscrypt.NativeSslSession$1
android hooking watch class com.android.org.conscrypt.NativeSslSession$Impl
android hooking watch class com.android.org.conscrypt.NativeSslSession$Impl$1
android hooking watch class com.android.org.conscrypt.OpenSSLBIOInputStream
android hooking watch class com.android.org.conscrypt.OpenSSLContextImpl
android hooking watch class com.android.org.conscrypt.OpenSSLProvider
android hooking watch class com.android.org.conscrypt.OpenSSLServerSocketFactoryImpl
android hooking watch class com.android.org.conscrypt.OpenSSLSignature
android hooking watch class com.android.org.conscrypt.OpenSSLSignature$1
android hooking watch class com.android.org.conscrypt.OpenSSLSignature$EngineType
android hooking watch class com.android.org.conscrypt.OpenSSLSocketFactoryImpl
android hooking watch class com.android.org.conscrypt.OpenSSLSocketImpl
android hooking watch class com.android.org.conscrypt.OpenSSLX509CRL
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertPath
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertPath$1
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertPath$Encoding
android hooking watch class com.android.org.conscrypt.OpenSSLX509Certificate
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertificateFactory
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertificateFactory$1
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertificateFactory$2
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertificateFactory$Parser
android hooking watch class com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException
android hooking watch class com.android.org.conscrypt.SSLClientSessionCache
android hooking watch class com.android.org.conscrypt.SSLParametersImpl
android hooking watch class com.android.org.conscrypt.SSLServerSessionCache
android hooking watch class com.android.org.conscrypt.SSLUtils
android hooking watch class com.android.org.conscrypt.SSLUtils$SessionType
android hooking watch class javax.net.ssl.ExtendedSSLSession
android hooking watch class javax.net.ssl.HandshakeCompletedEvent
android hooking watch class javax.net.ssl.HandshakeCompletedListener
android hooking watch class javax.net.ssl.SSLContext
android hooking watch class javax.net.ssl.SSLContextSpi
android hooking watch class javax.net.ssl.SSLHandshakeException
android hooking watch class javax.net.ssl.SSLParameters
android hooking watch class javax.net.ssl.SSLPeerUnverifiedException
android hooking watch class javax.net.ssl.SSLProtocolException
android hooking watch class javax.net.ssl.SSLServerSocketFactory
android hooking watch class javax.net.ssl.SSLSession
android hooking watch class javax.net.ssl.SSLSessionBindingEvent
android hooking watch class javax.net.ssl.SSLSessionBindingListener
android hooking watch class javax.net.ssl.SSLSessionContext

然后找到带有read或者write方法的类,只有这些类才是我们想要的类。

注意,可能也不会走这个ssl类,在OpenSSLSocketFactoryImpl.java有另一个ssl分支
picture 1

而在android8.1以下没有这种情况,这是由于8.1以上这部分开始换成工厂模式重新编写了一下,android8.1以下ssl hook这个点OpenSSLSocketImpl即可。

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

一只从Java到爬虫未来将会到安全的软件工程师。