[移动开发]监控android内存被dump实现

监控原理

通常加固会在程序运行前完成对text的解密，所以脱壳可以通过
/proc/pid/mem或/proc/pid/pagemap或/proc/pid/maps，获取到加固后解密的代码内容。

可以通过Inotify系列api来监控mem或pagemap的打开或访问事件，
一旦发生触发了事件就结束进程来阻止android的内存被dump。

代码实现

//监控内存是否被修改事件
void thread_watchIntifyDump()
{
char dirName[NAME_MAX]={0};
//用于监控/proc/pid/maps的数据
snprintf(dirName,NAME_MAX,"/proc/%d/maps",getpid());

int fd = inotify_init();
if (fd < 0)
{
LOGA("inotify_init err.\n");
return;

}

int wd = inotify_add_watch(fd,dirName,IN_ALL_EVENTS);
if (wd < 0)
{
LOGA("inotify_add_watch err.\n");
close(fd);

return;

}

const int buflen=sizeof(struct inotify_event) * 0x100;
char buf[buflen]={0};
fd_set readfds;

while(1)
{

FD_ZERO(&readfds);
FD_SET(fd, &readfds);

int iRet = select(fd+1,&readfds,0,0,0); // 此处阻塞
LOGB("iRet的返回值:%d\n",iRet);
if(-1==iRet)
break;

if (iRet)
{

memset(buf,0,buflen);
int len = read(fd,buf,buflen);

int i=0;

while(i < len)
{

struct inotify_event *event = (struct inotify_even

t*)&buf[i];

LOGB("1 event mask的数值为:%d\n",event->mask);

if( (event->mask==IN_OPEN) )
{

// 此处判定为有true,执行崩溃.

LOGB("2 有人打开pagemap,第%d次.\n\n",i);

}i += sizeof (struct inotify_event) + event->len;

}

}
}

inotify_rm_watch(fd,wd);
close(fd);


return;

}

//接口函数调用
void main()
{

// 监控/proc/pid/mem

pthread_t ptMem,t,ptPageMap;

int iRet=0;

// 监控/proc/pid/pagemap

iRet=pthread_create(&ptPageMap,NULL,(PPP)thread_watchInotifyDump,NULL);

if (0!=iRet)
{

LOGA("Create,thread_watchDumpPagemap,error!\n");

return;

}

iRet=pthread_detach(ptPageMap);

if (0!=iRet)
{

LOGA("pthread_detach,thread_watchDumpPagemap,error!\n");
return;

}

LOGB("pid:%d\n",getpid());

return;

}