編輯:關於Android編程
最近在做一個項目,客戶需要在應用成獲取臨時root權限,剛開始覺得很簡單,Android就自帶有su命令,只是沒編譯進去,想著直接編譯進去就行,就一口答應客戶1天搞好,各種加班悲劇就是這樣開始的。
先在Android源碼下找了一下,2分鐘找到su源代碼system/extras/su。修改了一下Android.mk,mmm編譯後push到系統,(我們做系統,所以很多東西可以直接改源碼),然後adb shell進入系統執行su,提示沒有權限,沒權限咱們就給權限被,於是adb root,adb remount 後再adb shell進入系統,chmod 777 /system/xbin/su,在執行su,還是提示permission denied,查看了一下su權限的確是-rwxrwxrwx沒錯,查看su源碼,其實核心就是setuid(0),了解了,su就是切換uid,所以su還得加上s位,chmod 6777 su。在執行,成功了,以為大工告成。su源碼如下:
/* ** ** Copyright 2008, The Android Open Source Project ** ** Licensed under the Apache License, Version 2.0 (the "License"); ** you may not use this file except in compliance with the License. ** You may obtain a copy of the License at ** ** http://www.apache.org/licenses/LICENSE-2.0 ** ** Unless required by applicable law or agreed to in writing, software ** distributed under the License is distributed on an "AS IS" BASIS, ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ** See the License for the specific language governing permissions and ** limitations under the License. */ #define LOG_TAG "su" #include #include #include #include #include #include #include #include #include #include void pwtoid(const char *tok, uid_t *uid, gid_t *gid) { struct passwd *pw; pw = getpwnam(tok); if (pw) { if (uid) *uid = pw->pw_uid; if (gid) *gid = pw->pw_gid; } else { uid_t tmpid = atoi(tok); if (uid) *uid = tmpid; if (gid) *gid = tmpid; } } void extract_uidgids(const char *uidgids, uid_t *uid, gid_t *gid, gid_t *gids, int *gids_count) { char *clobberablegids; char *nexttok; char *tok; int gids_found; if (!uidgids || !*uidgids) { *gid = *uid = 0; *gids_count = 0; return; } clobberablegids = strdup(uidgids); strcpy(clobberablegids, uidgids); nexttok = clobberablegids; tok = strsep(&nexttok, ","); pwtoid(tok, uid, gid); tok = strsep(&nexttok, ","); if (!tok) { /* gid is already set above */ *gids_count = 0; free(clobberablegids); return; } pwtoid(tok, NULL, gid); gids_found = 0; while ((gids_found < *gids_count) && (tok = strsep(&nexttok, ","))) { pwtoid(tok, NULL, gids); gids_found++; gids++; } if (nexttok && gids_found == *gids_count) { fprintf(stderr, "too many group ids\n"); } *gids_count = gids_found; free(clobberablegids); } /* * SU can be given a specific command to exec. UID _must_ be * specified for this (ie argc => 3). * * Usage: * su 1000 * su 1000 ls -l * or * su [uid[,gid[,group1]...] [cmd]] * E.g. * su 1000,shell,net_bw_acct,net_bw_stats id * will return * uid=1000(system) gid=2000(shell) groups=3006(net_bw_stats),3007(net_bw_acct) */ int main(int argc, char **argv) { struct passwd *pw; uid_t uid, myuid; gid_t gid, gids[10]; /* Until we have something better, only root and the shell can use su. */ myuid = getuid(); if (myuid != AID_ROOT && myuid != AID_SHELL) { fprintf(stderr,"su: uid %d not allowed to su\n", myuid); return 1; } if(argc < 2) { uid = gid = 0; } else { int gids_count = sizeof(gids)/sizeof(gids[0]); extract_uidgids(argv[1], &uid, &gid, gids, &gids_count); if(gids_count) { if(setgroups(gids_count, gids)) { fprintf(stderr, "su: failed to set groups\n"); return 1; } } } if(setgid(gid) || setuid(uid)) { fprintf(stderr,"su: permission denied\n"); return 1; } /* User specified command for exec. */ if (argc == 3 ) { if (execlp(argv[2], argv[2], NULL) < 0) { int saved_errno = errno; fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2], strerror(errno)); return -saved_errno; } } else if (argc > 3) { /* Copy the rest of the args from main. */ char *exec_args[argc - 1]; memset(exec_args, 0, sizeof(exec_args)); memcpy(exec_args, &argv[2], sizeof(exec_args)); if (execvp(argv[2], exec_args) < 0) { int saved_errno = errno; fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2], strerror(errno)); return -saved_errno; } } /* Default exec shell. */ execlp("/system/bin/sh", "sh", NULL); fprintf(stderr, "su: exec failed\n"); return 1; } 嘗試在app中調用 Runtime.getRuntime().exec(“su”);,居然返回錯誤su:uid5542 not allowed to su,查看su源碼 if (myuid != AID_ROOT && myuid != AID_SHELL) { fprintf(stderr,"su: uid %d not allowed to su\n", myuid); return 1; } 原來是不是ROOT和SHEEL用戶不讓調用su,把這段話注釋掉,然後還是出錯,su:permission denied.這就奇怪了,明明adb shell是可以執行的,app提示還是沒有權限,查找了一些博客,說selnux權限設置問題,花了好長時間修改了還是不行,直接把selinux關掉還不行,郁悶呀,後來在發現SANSUNG還做了band,郁悶呀,z最後放棄了這種方法。 因為init進程肯定是有權限的,所以就想著寫一個services通過init啟動,這樣就有權限,app通過socket通信創建鏈接,花了兩天,編譯到系統,初見成效,決定分享下,將serivce在init.rc中啟動 services suserver /system/xbin/suserver classs main APP 調用方式 Runtime.getRuntime().exec(“suclient”)代碼如下: 目前還有個問題,執行ls等輸出比較多的命令時,如果頻繁執行的話,會造層service 掛掉,init要很久才能重啟這個service,原因是輸出比較多時outpuustream卡死,所以service掛了如果不執行這種命令的話目前還沒發現其他問題,因為目前也不會一直執行這種命令,所以想著以後有機會再改! Client: #include #include #include #include #include #include #include int main(int argc, char *argv[]) { int client_sockfd; int len; int i; char sendline[17824]; struct sockaddr_in remote_addr; //服務器端網絡地址結構體 char buf[17824] = { '\0' }; //數據傳送的緩沖區 for (i = 1; i < argc; i++) { strcat(buf, argv[i]); printf("%s\n", buf); strcat(buf, " "); } strcat(buf, " 2>&1\0"); //printf("%s\n", buf); memset(&remote_addr, 0, sizeof(remote_addr)); //數據初始化--清零 remote_addr.sin_family = AF_INET; //設置為IP通信 remote_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); //服務器IP地址 remote_addr.sin_port = htons(40000); //服務器端口號 if((argc < 2 )||(strncmp(buf,"cct",3)==0)||(strncmp(buf,"su",2)==0)){ while(1){ fgets(sendline, 17824, stdin); if(sendline[0]==10) continue; for(i=0;i<17824;i++){ if(sendline[i]==10){ sendline[i]=32; break; } } strcat(sendline," 2>&1\0"); //printf("sendline :%s\n", sendline); if(strncmp(sendline,"exit",4)==0){ return 0; } if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return 1; } /*將套接字綁定到服務器的網絡地址上*/ if (connect(client_sockfd, (struct sockaddr *) &remote_addr, sizeof(struct sockaddr)) < 0) { perror("connect"); return 1; } len = send(client_sockfd, sendline, strlen(sendline), 0); len = recv(client_sockfd, buf, 17824, 0); buf[len] = '\0'; if(strstr(buf,"not found")!=NULL){ write(2,buf,len); } else printf("received:\n%s\n", buf); close(client_sockfd); } return 0; } /*創建客戶端套接字--IPv4協議,面向連接通信,TCP協議*/ if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return 1; } /*將套接字綁定到服務器的網絡地址上*/ if (connect(client_sockfd, (struct sockaddr *) &remote_addr, sizeof(struct sockaddr)) < 0) { perror("connect"); return 1; } len = send(client_sockfd, buf, strlen(buf), 0); len = recv(client_sockfd, buf, 17824, 0); buf[len] = '\0'; printf("received:\n%s\n", buf); close(client_sockfd); //關閉套接字 return 0; } Service : #include #include #include #include #include #include #include #include #include #include #define MAXFILE 65535 // 最大的文件描述符 char* result; long lenght = 8192; void executeCMD(const char *cmd) { char buf_ps[8192]; char ps[8192] = { 0 }; int i = 1; char *result2 = NULL; FILE *ptr = NULL; strcpy(ps, cmd); if ((ptr = popen(ps, "r")) != NULL) { result = (char *) malloc(lenght * sizeof(char)); char *result2 = (char *) malloc(lenght * sizeof(char)); while (fgets(buf_ps, 8192, ptr) != NULL) { result = (char *) malloc(lenght * i * sizeof(char)); if (result2 != NULL) strcpy(result, result2); strcat(result, buf_ps); i++; result2 = (char *) malloc(lenght * (i - 1) * sizeof(char)); strcpy(result2, result); } pclose(ptr); ptr = NULL; } else { printf("popen %s error\n", ps); } } int main() { pid_t pc; int i, fd; /* pc = fork(); if (pc < 0) { printf("error fork/n"); exit(1); } else if (pc > 0) exit(0); // 父進程退出 , 這個子進程變成孤兒進程 , 由 init 進程接管 , */ setsid(); // 變為後台程序 chdir("/"); umask(0); // 對所有的權限開放 for (i = 0; i < MAXFILE; i++) close(i); // 關閉所有的不需要的文件描述符 int server_sockfd; //服務器端套接字 int client_sockfd; //客戶端套接字 int len; struct sockaddr_in my_addr; //服務器網絡地址結構體 struct sockaddr_in remote_addr; //客戶端網絡地址結構體 int sin_size; char buf[8192]; //數據傳送的緩沖區 memset(&my_addr, 0, sizeof(my_addr)); //數據初始化--清零 my_addr.sin_family = AF_INET; //設置為IP通信 my_addr.sin_addr.s_addr = INADDR_ANY; //服務器IP地址--允許連接到所有本地地址上 my_addr.sin_port = htons(40000); //服務器端口號 /*創建服務器端套接字--IPv4協議,面向連接通信,TCP協議*/ if ((server_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return 1; } /*將套接字綁定到服務器的網絡地址上*/ if (bind(server_sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr)) < 0) { perror("bind"); return 1; } /*監聽連接請求--監聽隊列長度為5*/ listen(server_sockfd, 5); sin_size = sizeof(struct sockaddr_in); while (1) // 守護進程實現的服務 { //printf("等待連接...\n"); if ((client_sockfd = accept(server_sockfd, (struct sockaddr *) &remote_addr, &sin_size)) < 0) { perror("accept"); //return 1; } //printf("接受到一個連接:%s \r\n", inet_ntoa(remote_addr.sin_addr)); if ((len = recv(client_sockfd, buf, 8192, 0)) > 0) { buf[len] = '\0'; //printf("%s\n", buf); executeCMD(buf); if (strlen(result) == 0) { strcpy(result, "Returing is null!"); } if (send(client_sockfd, result, strlen(result), 0) < 0) { perror("write"); //return 1; } } close(client_sockfd); } close(server_sockfd); return 0; }
來自:https://developer.android.com/guide/components/services.htmlService是一個可以在後台執行長時間運行
今天我們研究一下如何在Android手機上顯示GIF動態圖片 首先需要在src目錄下新建一個自定義的View,代碼如下: import a
Android構建系統是你用來構建、測試、運行和打包你的app的工具集。這個構建系統能作為Android Studio菜單的一個集成工具、和獨立命令的方式運行。你能使用這
AndroidAnnotations是一個開源框架,旨在加快Android開發的效率。通過使用它開放出來的注解api,你幾乎可以使用在任何地方, 大大的減少了無關痛癢的代