Log state of g_array in libc

See JingMatrix/NeoZygisk#50 for details of this detection point.

Author: JingMatrix

app/src/main/cpp/CMakeLists.txt

@@ -29,7 +29,7 @@ set(CMAKE_CXX_STANDARD 20)
 # used in the AndroidManifest.xml file.
 add_library(${CMAKE_PROJECT_NAME} SHARED
         # List C/C++ source files with relative paths to this CMakeLists.txt.
-        elf_util.cpp native-lib.cpp smap.cpp solist.cpp vmap.cpp)
+        atexit.cpp elf_util.cpp native-lib.cpp smap.cpp solist.cpp vmap.cpp)
 
 target_include_directories(${CMAKE_PROJECT_NAME} PUBLIC include)
 # Specifies libraries CMake should link to your target library. You

app/src/main/cpp/atexit.cpp

@@ -0,0 +1,169 @@
+#include "atexit.hpp"
+
+#include "elf_util.h"
+#include "logging.h"
+
+template <typename T>
+inline T *getExportedFieldPointer(const SandHook::ElfImg &libc,
+                                  const char *name) {
+  auto *addr = reinterpret_cast<T *>(libc.getSymbAddress(name));
+
+  return addr == nullptr ? nullptr : addr;
+}
+
+namespace Atexit {
+
+bool AtexitArray::append_entry(const AtexitEntry &entry) {
+  if (size_ >= capacity_ && !expand_capacity())
+    return false;
+
+  size_t idx = size_++;
+
+  set_writable(true, idx, 1);
+  array_[idx] = entry;
+  ++total_appends_;
+  set_writable(false, idx, 1);
+
+  return true;
+}
+// Extract an entry and return it.
+AtexitEntry AtexitArray::extract_entry(size_t idx) {
+  AtexitEntry result = array_[idx];
+
+  set_writable(true, idx, 1);
+  array_[idx] = {};
+  ++extracted_count_;
+  set_writable(false, idx, 1);
+
+  return result;
+}
+
+void AtexitArray::recompact() {
+  if (!needs_recompaction()) {
+    LOGD("needs_recompaction returns false");
+    // return;
+  }
+
+  set_writable(true, 0, size_);
+
+  // Optimization: quickly skip over the initial non-null entries.
+  size_t src = 0, dst = 0;
+  while (src < size_ && array_[src].fn != nullptr) {
+    ++src;
+    ++dst;
+  }
+
+  // Shift the non-null entries forward, and zero out the removed entries at the
+  // end of the array.
+  for (; src < size_; ++src) {
+    const AtexitEntry entry = array_[src];
+    array_[src] = {};
+    if (entry.fn != nullptr) {
+      array_[dst++] = entry;
+    }
+  }
+
+  // If the table uses fewer pages, clean the pages at the end.
+  size_t old_bytes = page_end_of_index(size_);
+  size_t new_bytes = page_end_of_index(dst);
+  if (new_bytes < old_bytes) {
+    madvise(reinterpret_cast<char *>(array_) + new_bytes, old_bytes - new_bytes,
+            MADV_DONTNEED);
+  }
+
+  set_writable(false, 0, size_);
+
+  size_ = dst;
+  extracted_count_ = 0;
+}
+
+// Use mprotect to make the array writable or read-only. Returns true on
+// success. Making the array read-only could protect against either
+// unintentional or malicious corruption of the array.
+void AtexitArray::set_writable(bool writable, size_t start_idx,
+                               size_t num_entries) {
+  if (array_ == nullptr)
+    return;
+
+  const size_t start_byte = page_start_of_index(start_idx);
+  const size_t stop_byte = page_end_of_index(start_idx + num_entries);
+  const size_t byte_len = stop_byte - start_byte;
+
+  const int prot = PROT_READ | (writable ? PROT_WRITE : 0);
+  if (mprotect(reinterpret_cast<char *>(array_) + start_byte, byte_len, prot) !=
+      0) {
+    PLOGE("mprotect failed on atexit array: %m");
+  }
+}
+
+// Approximately double the capacity. Returns true if successful (no overflow).
+// AtexitEntry is smaller than a page, but this function should still be correct
+// even if AtexitEntry were larger than one.
+bool AtexitArray::next_capacity(size_t capacity, size_t *result) {
+  if (capacity == 0) {
+    *result = page_end(sizeof(AtexitEntry)) / sizeof(AtexitEntry);
+    return true;
+  }
+  size_t num_bytes;
+  if (__builtin_mul_overflow(page_end_of_index(capacity), 2, &num_bytes)) {
+    PLOGE("__cxa_atexit: capacity calculation overflow");
+    return false;
+  }
+  *result = num_bytes / sizeof(AtexitEntry);
+  return true;
+}
+
+bool AtexitArray::expand_capacity() {
+  size_t new_capacity;
+  if (!next_capacity(capacity_, &new_capacity))
+    return false;
+  const size_t new_capacity_bytes = page_end_of_index(new_capacity);
+
+  set_writable(true, 0, capacity_);
+
+  bool result = false;
+  void *new_pages;
+  if (array_ == nullptr) {
+    new_pages = mmap(nullptr, new_capacity_bytes, PROT_READ | PROT_WRITE,
+                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  } else {
+    // mremap fails if the source buffer crosses a boundary between two VMAs.
+    // When a single array element is modified, the kernel should split then
+    // rejoin the buffer's VMA.
+    new_pages = mremap(array_, page_end_of_index(capacity_), new_capacity_bytes,
+                       MREMAP_MAYMOVE);
+  }
+  if (new_pages == MAP_FAILED) {
+    PLOGE("__cxa_atexit: mmap/mremap failed to allocate %zu bytes: %m",
+          new_capacity_bytes);
+  } else {
+    result = true;
+    prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, new_pages, new_capacity_bytes,
+          "atexit handlers");
+    array_ = static_cast<AtexitEntry *>(new_pages);
+    capacity_ = new_capacity;
+  }
+  set_writable(false, 0, capacity_);
+  return result;
+}
+
+AtexitArray *findAtexitArray() {
+  SandHook::ElfImg libc("libc.so");
+  auto p_array = getExportedFieldPointer<AtexitEntry *>(libc, "_ZL7g_array.0");
+  auto p_size = getExportedFieldPointer<size_t>(libc, "_ZL7g_array.1");
+  auto p_extracted_count =
+      getExportedFieldPointer<size_t>(libc, "_ZL7g_array.2");
+  auto p_capacity = getExportedFieldPointer<size_t>(libc, "_ZL7g_array.3");
+  auto p_total_appends =
+      getExportedFieldPointer<uint64_t>(libc, "_ZL7g_array.4");
+
+  if (p_array == nullptr || p_size == nullptr || p_extracted_count == nullptr ||
+      p_capacity == nullptr || p_total_appends == nullptr) {
+    LOGD("failed to find exported g_array fields in memory");
+    return nullptr;
+  }
+
+  return reinterpret_cast<AtexitArray *>(p_array);
+}
+
+} // namespace Atexit

app/src/main/cpp/include/atexit.hpp

@@ -0,0 +1,130 @@
+#pragma once
+
+#include <pthread.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/auxv.h>
+#include <sys/cdefs.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <sys/prctl.h>
+#include <sys/user.h>
+
+#include <memory>
+#include <sstream>
+
+namespace Atexit {
+
+inline size_t page_size() {
+#if defined(PAGE_SIZE)
+  return PAGE_SIZE;
+#else
+  static const size_t page_size = getauxval(AT_PAGESZ);
+  return page_size;
+#endif
+}
+
+// The maximum page size supported on any Android device. As
+// of API level 35, this is limited by ART.
+constexpr size_t max_android_page_size() {
+#if defined(PAGE_SIZE)
+  return PAGE_SIZE;
+#else
+  return 16384;
+#endif
+}
+
+// Returns the address of the page containing address 'x'.
+inline uintptr_t page_start(uintptr_t x) { return x & ~(page_size() - 1); }
+
+// Returns the offset of address 'x' in its page.
+inline uintptr_t page_offset(uintptr_t x) { return x & (page_size() - 1); }
+
+// Returns the address of the next page after address 'x', unless 'x' is
+// itself at the start of a page.
+inline uintptr_t page_end(uintptr_t x) {
+  return page_start(x + page_size() - 1);
+}
+
+struct AtexitEntry {
+  void (*fn)(void *); // the __cxa_atexit callback
+  void *arg;          // argument for `fn` callback
+  void *dso;          // shared module handle
+};
+
+class AtexitArray {
+public:
+  AtexitArray(AtexitEntry *existing_array, size_t current_size,
+              size_t current_capacity, size_t initial_extracted_count,
+              uint64_t initial_total_appends)
+      : array_(existing_array), size_(current_size),
+        extracted_count_(initial_extracted_count), capacity_(current_capacity),
+        total_appends_(initial_total_appends) {}
+
+  std::string format_state_string() const {
+    std::stringstream ss;
+
+    // Use the << operator to stream text and variables into the stringstream.
+    // The '\n' and '\t' characters provide the desired logcat formatting.
+    ss << "\n--- Live AtexitArray Snapshot State ---\n";
+    ss << "\t(this pointer):  " << static_cast<const void *>(this) << "\n";
+    ss << "\tarray_:          " << static_cast<const void *>(array_) << "\n";
+
+    // For numeric values, show both decimal and hexadecimal for easier
+    // debugging.
+    ss << "\tsize_:           " << size_ << " (0x" << std::hex << size_
+       << std::dec << ")\n";
+    ss << "\textracted_count_: " << extracted_count_ << " (0x" << std::hex
+       << extracted_count_ << std::dec << ")\n";
+    ss << "\tcapacity_:       " << capacity_ << " (0x" << std::hex << capacity_
+       << std::dec << ")\n";
+    ss << "\ttotal_appends_:  " << total_appends_ << " (0x" << std::hex
+       << total_appends_ << std::dec << ")\n";
+
+    ss << "---------------------------------------";
+
+    // The .str() method returns the complete, concatenated string.
+    return ss.str();
+  }
+
+  size_t size() const { return size_; }
+  uint64_t total_appends() const { return total_appends_; }
+  const AtexitEntry &operator[](size_t idx) const { return array_[idx]; }
+
+  bool append_entry(const AtexitEntry &entry);
+  AtexitEntry extract_entry(size_t idx);
+  void recompact();
+
+private:
+  AtexitEntry *array_;
+  size_t size_;
+  size_t extracted_count_;
+  size_t capacity_;
+
+  // An entry can be appended by a __cxa_finalize callback. Track the number of
+  // appends so we restart concurrent __cxa_finalize passes.
+  uint64_t total_appends_;
+
+  static size_t page_start_of_index(size_t idx) {
+    return page_start(idx * sizeof(AtexitEntry));
+  }
+  static size_t page_end_of_index(size_t idx) {
+    return page_end(idx * sizeof(AtexitEntry));
+  }
+
+  // Recompact the array if it will save at least one page of memory at the end.
+  bool needs_recompaction() const {
+    return page_end_of_index(size_ - extracted_count_) <
+           page_end_of_index(size_);
+  }
+
+  void set_writable(bool writable, size_t start_idx, size_t num_entries);
+  static bool next_capacity(size_t capacity, size_t *result);
+  bool expand_capacity();
+};
+
+AtexitArray *findAtexitArray();
+
+} // namespace Atexit

app/src/main/cpp/native-lib.cpp

@@ -1,3 +1,4 @@
+#include "atexit.hpp"
 #include "logging.h"
 #include "smap.h"
 #include "solist.hpp"
@@ -17,6 +18,10 @@ Java_org_matrix_demo_MainActivity_stringFromJNI(JNIEnv *env,
   VirtualMap::MapInfo *abnormal_vmap = VirtualMap::DetectInjection();
   size_t module_injected = SoList::DetectModules();
   VirtualMap::DumpStackStrings();
+  auto g_array = Atexit::findAtexitArray();
+  if (g_array != nullptr) {
+    LOGD("g_array status: %s", g_array->format_state_string().c_str());
+  }
 
   if (abnormal_soinfo != nullptr) {
     solist_detection =