#include "testRoot.h"
#include <sstream>
#include <thread>
#include <sys/capability.h>
#include "kernel_root_helper.h"
#include "kernel_root_key.h"
#include "process64_inject.h"
#include "process_cmdline_utils.h"
#include "init64_process_helper.h"
#include "su_install_helper.h"
#include "myself_path_utils.h"
#include "../su/su_hide_path_utils.h"
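/// Print diagnostics about the calling process: real/effective/saved uid and
/// gid, the three capability sets, and the SELinux enforcement status as
/// reported by the kernel_root helper and by the `getenforce` tool.
///
/// On a failing getresuid()/getresgid()/capget() the errno text is printed
/// via perror() and the function returns early. Nothing is returned.
void show_capability_info() {
    printf("Current process information:\n");

    uid_t now_uid = 0, now_euid = 0, now_suid = 0;
    if (getresuid(&now_uid, &now_euid, &now_suid)) {
        perror("FAILED getresuid()");
        return;
    }
    gid_t now_gid = 0, now_egid = 0, now_sgid = 0;
    if (getresgid(&now_gid, &now_egid, &now_sgid)) {
        perror("FAILED getresgid()");
        return;
    }
    // uid_t/gid_t are unsigned; %u keeps large ids from printing as negatives.
    printf("uid=%u, euid=%u, suid=%u, gid=%u, egid=%u, sgid=%u\n",
           (unsigned)now_uid, (unsigned)now_euid, (unsigned)now_suid,
           (unsigned)now_gid, (unsigned)now_egid, (unsigned)now_sgid);

    // Raw capget(2). With _LINUX_CAPABILITY_VERSION_3 the kernel fills
    // _LINUX_CAPABILITY_U32S_3 (two) data structs, so the data buffer must be
    // an array of that size; a single struct, as used before, is overrun by
    // the kernel's copy_to_user. The two 32-bit words are combined so that
    // capabilities numbered 32 and above are shown as well.
    struct __user_cap_header_struct cap_header_data = {};
    struct __user_cap_data_struct cap_data_data[_LINUX_CAPABILITY_U32S_3] = {};
    cap_header_data.pid = getpid();
    cap_header_data.version = _LINUX_CAPABILITY_VERSION_3; // _1, _2 or _3
    if (capget(&cap_header_data, cap_data_data) < 0) {
        perror("FAILED capget()");
        return;
    }
    const unsigned long long effective =
        ((unsigned long long)cap_data_data[1].effective << 32) | cap_data_data[0].effective;
    const unsigned long long permitted =
        ((unsigned long long)cap_data_data[1].permitted << 32) | cap_data_data[0].permitted;
    const unsigned long long inheritable =
        ((unsigned long long)cap_data_data[1].inheritable << 32) | cap_data_data[0].inheritable;
    printf("cap effective:0x%llx, cap permitted:0x%llx, cap inheritable:0x%llx\n",
           effective, permitted, inheritable);

    // Prints 0 when the helper reports SELinux as disabled, 1 otherwise.
    printf("native check SELinux status: %d\n", kernel_root::is_disable_selinux_status() ? 0 : 1);

    // Cross-check with the userspace tool. popen() runs the command through
    // /bin/sh, so `getenforce` is resolved via the current PATH.
    FILE* fp = popen("getenforce", "r");
    if (fp) {
        char shell[512] = { 0 };
        // Read at most sizeof-1 bytes: a full 512-byte read would leave the
        // buffer without a terminator before the %s below.
        const size_t got = fread(shell, 1, sizeof(shell) - 1, fp);
        shell[got] = '\0';
        pclose(fp);
        printf("read system SELinux status: %s\n", shell);
    }
}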
/// Exercise kernel_root::get_root(): dump the credentials/capabilities,
/// attempt to obtain root with ROOT_KEY, then dump them again so the
/// before/after states can be compared.
void test_root() {
    show_capability_info();
    const auto get_root_ret = kernel_root::get_root(ROOT_KEY);
    printf("get_root ret:%zd\n", get_root_ret);
    show_capability_info();
    // Ad-hoc checks kept from earlier experiments, left disabled:
    //system("id");
    //system("/data/local/tmp/getmyinfo");
    //system("insmod /sdcard/rwProcMem37.ko ; echo $?");
    //system("cat /proc/1/maps");
    //system("ls /proc");
    //system("screencap -p /sdcard/temp.png");
}
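/// Run `shell` through kernel_root::run_root_cmd() and print the status it
/// reports together with the captured output.
///
/// @param shell  Command line to execute. A null pointer is reported and
///               skipped rather than handed to printf("%s").
void test_run_root_cmd(const char* shell) {
    if (shell == nullptr) {
        printf("test_run_root_cmd(null)\n");
        return;
    }
    printf("test_run_root_cmd(%s)\n", shell);
    // Out-parameter; pre-set so a helper that leaves it untouched still
    // yields a defined value below.
    ssize_t err = 0;
    const std::string result = kernel_root::run_root_cmd(ROOT_KEY, shell, err);
    printf("test_run_root_cmd err:%zd\n", err);
    printf("test_run_root_cmd result:%s\n", result.c_str());
}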
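/// Run `cmd` through run_init64_cmd_wrapper() and print the status it
/// reports together with the captured output.
///
/// @param cmd  Command line to execute. A null pointer is reported and
///             skipped rather than handed to printf("%s").
void test_run_init64_cmd(const char* cmd) {
    if (cmd == nullptr) {
        printf("test_run_init64_cmd(null)\n");
        return;
    }
    printf("test_run_init64_cmd(%s)\n", cmd);
    // Out-parameter; pre-set so a helper that leaves it untouched still
    // yields a defined value below.
    ssize_t err = 0;
    const std::string result = run_init64_cmd_wrapper(ROOT_KEY, cmd, err);
    printf("run_init64_cmd_wrapper err:%zd\n", err);
    printf("run_init64_cmd_wrapper result:%s\n", result.c_str());
}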
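/// Install the su tool set relative to this executable.
///
/// Resolves the directory of the running binary, then calls install_su()
/// with that directory and "<dir>/su", printing the path it reports and
/// the status code. Nothing is returned.
void test_install_su_env() {
    char myself_path[1024] = { 0 };
    char processname[1024] = { 0 };
    // NOTE(review): only myself_path's size is passed; confirm that
    // get_executable_path bounds its writes to processname as well.
    get_executable_path(myself_path, processname, sizeof(myself_path));
    TRACE("my directory:%s\nprocessname:%s\n", myself_path, processname);

    // 1. Install the su tool suite. Build the source path once; the
    // std::string outlives the call, so its c_str() stays valid.
    const std::string su_src_path = std::string(myself_path) + "/su";
    ssize_t err = 0;
    const std::string su_hide_full_path = install_su(ROOT_KEY, myself_path, su_src_path.c_str(), err);
    printf("install su hide full path:%s, err:%zd\n", su_hide_full_path.c_str(), err);
}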
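/// Inject the hidden su directory into a freshly started target process.
///
/// Sequence: obtain root; locate the hidden su_xxx folder next to this
/// binary; kill every running process whose cmdline matches
/// `target_pid_cmdline`; wait (timeout argument 60 * 1000, presumably
/// milliseconds) for a new matching process; hand its pid and the su path
/// to inject_process_env64_PATH_wrapper(). Each step prints its status and
/// the sequence stops at the first failure.
///
/// @param target_pid_cmdline  cmdline of the process to wait for; a null
///                            pointer is reported and skipped.
void test_su_env_inject(const char* target_pid_cmdline) {
    if (target_pid_cmdline == nullptr) {
        printf("test_su_env_inject(null)\n");
        return;
    }
    char myself_path[1024] = { 0 };
    char processname[1024] = { 0 };
    // NOTE(review): only myself_path's size is passed; confirm that
    // get_executable_path bounds its writes to processname as well.
    get_executable_path(myself_path, processname, sizeof(myself_path));
    TRACE("my directory:%s\nprocessname:%s\n", myself_path, processname);

    if (kernel_root::get_root(ROOT_KEY) != 0) {
        printf("test_su_env_inject: get_root failed\n");
        return;
    }

    // 1. Locate the hidden su_xxx directory.
    const std::string su_hide_path = find_su_hide_folder_path(myself_path, "su");
    printf("su_hide_path ret val:%s\n", su_hide_path.c_str());
    if (su_hide_path.empty()) {
        return;
    }

    // 2. Kill every existing process with the target cmdline.
    std::vector<pid_t> matching_pids;
    ssize_t err = find_all_cmdline_process(ROOT_KEY, target_pid_cmdline, matching_pids);
    printf("find_all_cmdline_process err:%zd, cnt:%zu\n", err, matching_pids.size());
    if (err != 0) {
        return;
    }
    for (const pid_t pid : matching_pids) {
        err = kill_process(ROOT_KEY, pid);
        printf("kill err:%zd\n", err);
        if (err != 0) {
            return;
        }
    }

    // 3. Wait for the process to be recreated, then inject the su path.
    printf("test_auto_su_env_inject Waiting for process creation(%s)\n", target_pid_cmdline);
    pid_t pid = -1;
    err = wait_and_find_cmdline_process(ROOT_KEY, target_pid_cmdline, 60 * 1000, pid);
    printf("test_auto_su_env_inject(%zd)\n", err);
    // Previously the injection ran even when the wait failed, passing an
    // uninitialized pid. Non-zero is treated as failure here, matching how
    // find_all_cmdline_process's result is handled above — confirm against
    // the helper's contract.
    if (err != 0) {
        return;
    }
    err = inject_process_env64_PATH_wrapper(ROOT_KEY, pid, su_hide_path.c_str());
    printf("test_auto_su_env_inject ret val:%zd, error:%s\n", err, strerror(errno));
}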
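/// Remove the su tool set installed relative to this executable.
///
/// Resolves the directory of the running binary and calls uninstall_su()
/// with it and the name "su", printing the status code. Nothing is returned.
void test_clean_su_env() {
    char myself_path[1024] = { 0 };
    char processname[1024] = { 0 };
    // NOTE(review): only myself_path's size is passed; confirm that
    // get_executable_path bounds its writes to processname as well.
    get_executable_path(myself_path, processname, sizeof(myself_path));
    TRACE("my directory:%s\nprocessname:%s\n", myself_path, processname);

    const ssize_t err = uninstall_su(ROOT_KEY, myself_path, "su");
    printf("uninstall_su err:%zd\n", err);
}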
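/// Join argv[from..argc) with single spaces and no trailing separator.
static std::string join_args(int argc, char* argv[], int from) {
    std::string joined;
    for (int i = from; i < argc; ++i) {
        if (i != from) {
            joined += ' ';
        }
        joined += argv[i];
    }
    return joined;
}

/// Entry point: print the banner, then dispatch on the first argument.
///
/// Commands: (none)/"id" show own permission info; "get" obtain root;
/// "cmd ..." run a root command; "init ..." run a native kernel (init64)
/// command; "su" install the hidden su; "process <cmdline>" inject su into
/// the given process; "cleansu" fully uninstall su.
///
/// @return 0 on a recognised command, 1 for an unknown one.
int main(int argc, char* argv[]) {
    // fputs rather than printf: the banner is not a format string.
    fputs(
        "======================================================\n"
        "本工具名称: SKRoot - Linux 完美内核级隐藏ROOT演示\n"
        "本工具功能列表:\n"
        "\t1.显示自身权限信息\n"
        "\t2.获取ROOT权限\n"
        "\t3.执行ROOT命令\n"
        "\t4.执行原生内核命令\n"
        "\t5.安装部署隐藏版su\n"
        "\t6.注入su到指定进程\n"
        "\t7.完全卸载清理su\n"
        "\t新一代SKRoot,跟面具完全不同思路,摆脱面具被检测的弱点,完美隐藏root功能,兼容安卓APP直接JNI稳定调用。\n"
        "======================================================\n",
        stdout);

    // Skip argv[0] (the program name).
    ++argv;
    --argc;

    if (argc == 0 || strcmp(argv[0], "id") == 0) { // 1. show own permission info
        show_capability_info();
    } else if (strcmp(argv[0], "get") == 0) { // 2. obtain root
        test_root();
    } else if (argc >= 2 && strcmp(argv[0], "cmd") == 0) { // 3. run a root command
        test_run_root_cmd(join_args(argc, argv, 1).c_str());
    } else if (argc >= 2 && strcmp(argv[0], "init") == 0) { // 4. run a native kernel command
        // The old loop's `if (i != argc)` guard was always true inside the
        // loop and appended a trailing space; join the same way as "cmd".
        test_run_init64_cmd(join_args(argc, argv, 1).c_str());
    } else if (strcmp(argv[0], "su") == 0) { // 5. install the hidden su
        test_install_su_env();
    } else if (argc > 1 && strcmp(argv[0], "process") == 0) { // 6. inject su into the given process
        if (argv[1][0] != '\0') {
            test_su_env_inject(argv[1]);
        }
    } else if (strcmp(argv[0], "cleansu") == 0) { // 7. fully uninstall su
        test_clean_su_env();
    } else {
        printf("unknown command.\n");
        return 1;
    }
    return 0;
}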