检测目标程序ELF bit是32还是64

时间:2022-10-07 15:19:33

android操作系统在5.0之后加入了对64位程序的支持,同时兼容运行32位的进程

android的进程绝大部分是zygote父进程fork出来的子进程

zygote进程fork出来的进程是32位进程

zygote64进程fork出来的进程是64位进程

但是有一些在zygote启动之前的进程,那就是init进程fork出来的,都属于64bit进程

zygote进程在fork出子进程之后,更改了进程的名字(setNiceName)

如果想根据进程名找到进程文件,通过读取elf头的方法来判断目标进程的elf bit

不是太理想

 

通过man proc查阅文档可以知道,解析目标进程的auxv文件可以判断elf bit

内核支持从2.6开始,android的内核版本在这之后,检测auxv文件判断elf bit是可靠的

 

先上makefile,Application.mk

APP_ABI := arm64-v8a 
APP_PLATFORM := android-21

只编译64位的版本,如果系统无法跑64位程序,证明整个系统都是32位的

Android.mk

# Copyright (C) 2009 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)
LOCAL_MODULE    := auxv
LOCAL_SRC_FILES := auxv.c
LOCAL_ARM_MODE := arm
include $(BUILD_EXECUTABLE)

源码auxv.c

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/*
 * Parsing auxv: if you parse the auxv structure yourself (not relying on the dynamic loader), then there's 
 * a bit of a conundrum: the auxv structure follows the rule of the process it describes, so sizeof(unsigned 
 * long) will be 4 for 32-bit processes and 8 for 64-bit processes. We can make this work for us. In 
 * order for this to work on 32-bit systems, all key codes must be 0xffffffff or less. On a 64-bit system,
 * the most significant 32 bits will be zero. Intel machines are little endians, so these 32 bits follow
 * the least significant ones in memory.

 * As such, all you need to do is:

 * 1. Read 16 bytes from the `auxv` file.
 * 2. Is this the end of the file?
 * 3.   Then it's a 64-bit process.
 * 4.   Done.
 * 5. Is buf[4], buf[5], buf[6] or buf[7] non-zero?
 * 6.   Then it's a 32-bit process.
 * 7.   Done.
 * 8. Go to 1.
 */

int check_auxv(int pid)
{
    if(pid < 0)
    {
        printf("invalid process id\n");
        return -1;
    }

    char auxv[256];
    snprintf(auxv, 256, "/proc/%d/auxv", pid);
    int fd = open(auxv, O_RDONLY);
    if(fd < 0)
    {
        printf("%s does not exist\nprocess %d maybe running in 32 bit elf mode", auxv, pid);
        return 0;
    }
    const int SIZE = 16;
    char buf[SIZE];
    do {
        int nread = read(fd, buf, SIZE);
        if(nread < SIZE)
        {
            printf("process %d running in 64 bit elf mode\n", pid);
            break;
        }
        
        if(buf[4] && buf[5] && buf[6])
        {
            printf("process %d running in 32 bit elf mode @ line %d\n", pid, __LINE__);
            printf("%x, %x, %x, %x\n", buf[4], buf[5], buf[6], buf[7]);
            break;
        }
        else if(buf[7])
        {
            printf("process %d running in 32 bit elf mode\n", pid);
            break;
        }
    } while(1);

    close(fd);

    return 0;
}

int main(int argc, char* argv[])
{
    if(argc <= 1)
    {
        printf("usage:auxv pid1 [pid2 pid3 ...]\n");
        return 0;
    }
    int i = 0;
    for(i = 1; i < argc; ++i)
    {
        int pid = atoi(argv[i]);
        check_auxv(pid);
    }
    
    return 0;
}

编译命令

call ndk-build NDK_PROJECT_PATH=. NDK_APPLICATION_MK=./Application.mk

 

目录结构

|---Application.mk
|---build.bat
|---jni
||---Android.mk
||---auxv.c