feat: add elf loader

Author: cinit

README.md

@@ -1,14 +1,16 @@
-# Libcore-Syscall
+# Libcore-Syscall / Libcore-ElfLoader
 
-Libcore-Syscall is a Java library for Android that allows you to make any Linux system calls directly from Java code.
+Libcore-Syscall is a Java library for Android that allows you to make any Linux system calls or load any ELF shared objects directly from Java code.
 
 ## Features
 
 - Support Android 5.0 - 15
 - Support any system calls (as long as they are permitted by the seccomp filter)
+- Support loading any ELF shared objects (lib*.so) directly from memory
 - Implemented in 100% pure Java 1.8
 - No shared libraries (lib*.so) are shipped with the library
 - No `System.loadLibrary` or `System.load` is used
+- No temporary files are created on the disk (does not require a writable path/mount point)
 - Small, no dependencies
 
 ## Usage
@@ -18,10 +20,63 @@ The library provides the following classes:
 - MemoryAccess/MemoryAllocator: Allocate and read/write native memory.
 - NativeAccess: Register JNI methods, or call native functions (such as `dlopen`, `dlsym`, etc.) directly.
 - Syscall: Make any Linux system calls.
+- DlExtLibraryLoader: Load any ELF shared objects (lib*.so) directly from memory.
 
-## Example
+## Examples
 
-Here is an example of how to use the library. It calls the `uname` system call to get the system information.
+Here are some examples of possible use cases.
+
+### Load ELF Shared Object from Memory
+
+Here is an example of how to load an ELF shared object directly from memory.
+It loads the `libmmkv.so` shared object and calls the `MMKV.initialize` method.
+
+See [TestNativeLoader.java](demo-app/src/main/java/com/example/test/app/TestNativeLoader.java) for the complete example.
+
+<details>
+
+```java
+import com.tencent.mmkv.MMKV;
+
+import dev.tmpfs.libcoresyscall.core.NativeAccess;
+import dev.tmpfs.libcoresyscall.elfloader.DlExtLibraryLoader;
+
+public static long initializeMMKV(@NonNull Context ctx) {
+    String soname = "libmmkv.so";
+    // get the ELF data from somewhere
+    byte[] elfData = getElfData(soname);
+
+    // load the ELF shared object from byte array
+    // if it fails, it throws an UnsatisfiedLinkError
+    long sHandle = DlExtLibraryLoader.dlopenExtFromMemory(elfData, soname, DlExtLibraryLoader.RTLD_NOW, 0, 0);
+
+    // since dlopen from memory is not a standard function, ART does not know it
+    // we need to call JNI_OnLoad manually, as if the shared object is loaded by System.loadLibrary
+    long jniOnLoad = DlExtLibraryLoader.dlsym(sHandle, "JNI_OnLoad");
+    if (jniOnLoad != 0) {
+        long javaVm = NativeAccess.getJavaVM();
+        long ret = NativeAccess.callPointerFunction(jniOnLoad, javaVm, 0);
+        if (ret < 0) {
+            throw new RuntimeException("JNI_OnLoad failed: " + ret);
+        }
+    } else {
+        // should not happen, MMKV uses JNI_OnLoad to register native methods
+        throw new IllegalStateException("JNI_OnLoad not found");
+    }
+    // initialize MMKV, since we have already loaded the libmmkv.so from memory
+    // MMKV does not need to load the libmmkv.so shared object again
+    MMKV.initialize(ctx, libName -> {
+        // no-op
+    });
+    return sHandle;
+}
+```
+
+</details>
+
+### Make System Calls
+
+Here is an example of how to make syscalls with the library. It calls the `uname` system call to get the system information.
 
 See [TestMainActivity.java](demo-app/src/main/java/com/example/test/app/TestMainActivity.java) for the complete example.
 
@@ -94,11 +149,6 @@ To build the demo app:
 ./gradlew :demo-app:assembleDebug
 ```
 
-## The Future
-
-- A symbol resolver that can resolve symbols in loaded native libraries.
-- Loading arbitrary shared libraries (lib*.so) with 100% pure Java code in memory without writing it to the disk.
-
 ## Credits
 
 - [pine](https://github.com/canyie/pine)

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/MemoryAccess.java

@@ -12,6 +12,8 @@ private MemoryAccess() {
         throw new AssertionError("no instances");
     }
 
+    private static final boolean IS_64_BIT = NativeHelper.isCurrentRuntime64Bit();
+
     public static long getPageSize() {
         return NativeBridge.getPageSize();
     }
@@ -58,10 +60,26 @@ public static void pokeInt(long address, int value) {
         Memory.pokeInt(address, value, false);
     }
 
-    public static short peekByte(long address) {
+    public static byte peekByte(long address) {
         return Memory.peekByte(address);
     }
 
+    public static void pokeByte(long address, byte value) {
+        Memory.pokeByte(address, value);
+    }
+
+    public static long peekPointer(long address) {
+        return IS_64_BIT ? peekLong(address) : (peekInt(address) & 0xffffffffL);
+    }
+
+    public static void pokePointer(long address, long value) {
+        if (IS_64_BIT) {
+            pokeLong(address, value);
+        } else {
+            pokeInt(address, (int) value);
+        }
+    }
+
     /**
      * Peek a null-terminated string from the specified address.
      *

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/NativeHelper.java

@@ -2,6 +2,7 @@
 
 import androidx.annotation.NonNull;
 
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -54,7 +55,14 @@ public static int getCurrentRuntimeIsa() {
         return sCurrentRuntimeIsa;
     }
 
-    public static int getIsaFromElfHeader(byte[] header) {
+    /**
+     * Get the ISA value from an ELF header.
+     *
+     * @param header ELF header, must be at least 32 bytes
+     * @return ISA value
+     * @throws IllegalArgumentException if the header is not a valid ELF header
+     */
+    public static int getIsaFromElfHeader(byte[] header) throws IllegalArgumentException {
         if (header.length < 32) {
             throw new IllegalArgumentException("Invalid ELF header: length < 32");
         }
@@ -112,6 +120,39 @@ public static String getIsaName(int isa) {
         }
     }
 
+    /**
+     * Create an ISA value from ELF class and machine.
+     *
+     * @param elfClass ELF class, either {@link #ELF_CLASS_32} or {@link #ELF_CLASS_64}
+     * @param machine  machine value
+     * @return ISA value
+     */
+    public static int forElfClassAndMachine(int elfClass, int machine) {
+        if (elfClass != ELF_CLASS_32 && elfClass != ELF_CLASS_64) {
+            throw new IllegalArgumentException("Invalid ELF class: " + elfClass);
+        }
+        if (machine <= 0 || machine > 0xffff) {
+            throw new IllegalArgumentException("Invalid machine: " + machine);
+        }
+        return (elfClass << 16) | machine;
+    }
+
+    /**
+     * Get the ISA value of an ELF file.
+     *
+     * @param file the ELF file
+     * @return the ISA value
+     * @throws IOException              if file not found or read error
+     * @throws IllegalArgumentException if the file is not an ELF file
+     */
+    public static int getElfIsaFromFile(@NonNull File file) throws IOException, IllegalArgumentException {
+        try (FileInputStream fis = new FileInputStream(file)) {
+            byte[] header = new byte[32];
+            readExactly(fis, header, 0, header.length);
+            return getIsaFromElfHeader(header);
+        }
+    }
+
     public static boolean is64Bit(int isa) {
         return (isa >> 16) == ELF_CLASS_64;
     }

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/Syscall.java

@@ -101,18 +101,29 @@ public static long syscall(long number, long... args) throws ErrnoException {
      *
      * @param number the syscall number
      * @param args   the arguments of the syscall, support up to 6 arguments
-     * @return the result of the syscall
-     * @throws ErrnoException if the result is an error
+     * @return the result of the syscall, or -errno if the syscall fails
      */
-    public static long syscallTempFailureRetry(long number, long... args) throws ErrnoException {
+    public static long syscallTempFailureRetryNoCheck(long number, long... args) {
         if (args.length > 6) {
             throw new IllegalArgumentException("Too many arguments: " + args.length);
         }
         long result;
         do {
             result = syscallNoCheck(number, args);
         } while (result == -OsConstants.EINTR);
-        return getResultOrThrow(result, "syscall-" + number);
+        return result;
+    }
+
+    /**
+     * Call the specified syscall with the specified arguments and retry if the result is EINTR.
+     *
+     * @param number the syscall number
+     * @param args   the arguments of the syscall, support up to 6 arguments
+     * @return the result of the syscall
+     * @throws ErrnoException if the result is an error
+     */
+    public static long syscallTempFailureRetry(long number, long... args) throws ErrnoException {
+        return getResultOrThrow(syscallTempFailureRetryNoCheck(number, args), "syscall-" + number);
     }
 
     /**

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/impl/ByteArrayUtils.java

@@ -0,0 +1,45 @@
+package dev.tmpfs.libcoresyscall.core.impl;
+
+import androidx.annotation.NonNull;
+
+public class ByteArrayUtils {
+
+    private ByteArrayUtils() {
+        throw new AssertionError("no instances");
+    }
+
+    public static void writeInt32(@NonNull byte[] buffer, int offset, int value) {
+        buffer[offset] = (byte) (value & 0xff);
+        buffer[offset + 1] = (byte) ((value >> 8) & 0xff);
+        buffer[offset + 2] = (byte) ((value >> 16) & 0xff);
+        buffer[offset + 3] = (byte) ((value >> 24) & 0xff);
+    }
+
+    public static void writeInt64(@NonNull byte[] buffer, int offset, long value) {
+        buffer[offset] = (byte) (value & 0xff);
+        buffer[offset + 1] = (byte) ((value >> 8) & 0xff);
+        buffer[offset + 2] = (byte) ((value >> 16) & 0xff);
+        buffer[offset + 3] = (byte) ((value >> 24) & 0xff);
+        buffer[offset + 4] = (byte) ((value >> 32) & 0xff);
+        buffer[offset + 5] = (byte) ((value >> 40) & 0xff);
+        buffer[offset + 6] = (byte) ((value >> 48) & 0xff);
+        buffer[offset + 7] = (byte) ((value >> 56) & 0xff);
+    }
+
+    public static long alignDown(long value, long alignment) {
+        return value & -alignment;
+    }
+
+    public static long alignUp(long value, long alignment) {
+        return (value + alignment - 1) & -alignment;
+    }
+
+    public static long alignDownToPage(long value) {
+        return alignDown(value, NativeBridge.getPageSize());
+    }
+
+    public static long alignUpToPage(long value) {
+        return alignUp(value, NativeBridge.getPageSize());
+    }
+
+}

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/impl/FileDescriptorHelper.java

@@ -0,0 +1,64 @@
+package dev.tmpfs.libcoresyscall.core.impl;
+
+import androidx.annotation.NonNull;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Method;
+
+public class FileDescriptorHelper {
+
+    private FileDescriptorHelper() {
+        throw new AssertionError("no instance for you!");
+    }
+
+    private static Method sGetIntMethod;
+    private static Method sSetIntMethod;
+
+    public static int getInt(@NonNull FileDescriptor fd) {
+        if (sGetIntMethod == null) {
+            try {
+                //noinspection JavaReflectionMemberAccess
+                sGetIntMethod = FileDescriptor.class.getDeclaredMethod("getInt$");
+                sGetIntMethod.setAccessible(true);
+            } catch (NoSuchMethodException e) {
+                throw ReflectHelper.unsafeThrow(e);
+            }
+        }
+        try {
+            //noinspection DataFlowIssue
+            return (int) sGetIntMethod.invoke(fd);
+        } catch (ReflectiveOperationException e) {
+            throw ReflectHelper.unsafeThrowForIteCause(e);
+        }
+    }
+
+    public static void setInt(@NonNull FileDescriptor fdObj, int fdInt) {
+        if (sSetIntMethod == null) {
+            try {
+                //noinspection JavaReflectionMemberAccess
+                sSetIntMethod = FileDescriptor.class.getDeclaredMethod("setInt$", int.class);
+                sSetIntMethod.setAccessible(true);
+            } catch (NoSuchMethodException e) {
+                throw ReflectHelper.unsafeThrow(e);
+            }
+        }
+        if (fdInt < 0) {
+            throw new IllegalArgumentException("invalid raw fd given: " + fdInt);
+        }
+        if (fdObj.valid()) {
+            throw new IllegalArgumentException("the file descriptor object is already has a valid fd set: " + fdObj);
+        }
+        try {
+            sSetIntMethod.invoke(fdObj, fdInt);
+        } catch (ReflectiveOperationException e) {
+            throw ReflectHelper.unsafeThrowForIteCause(e);
+        }
+    }
+
+    public static FileDescriptor wrap(int fd) {
+        FileDescriptor fileDescriptor = new FileDescriptor();
+        setInt(fileDescriptor, fd);
+        return fileDescriptor;
+    }
+
+}

core-syscall/src/main/java/dev/tmpfs/libcoresyscall/core/impl/NativeBridge.java

@@ -4,13 +4,15 @@
 import android.system.Os;
 import android.system.OsConstants;
 
+import androidx.annotation.NonNull;
+
 import java.lang.reflect.Method;
 import java.util.Map;
 
 import dev.tmpfs.libcoresyscall.core.Syscall;
+import dev.tmpfs.libcoresyscall.core.impl.trampoline.BaseShellcode;
 import dev.tmpfs.libcoresyscall.core.impl.trampoline.CommonSyscallNumberTables;
 import dev.tmpfs.libcoresyscall.core.impl.trampoline.ISyscallNumberTable;
-import dev.tmpfs.libcoresyscall.core.impl.trampoline.ITrampolineCreator;
 import dev.tmpfs.libcoresyscall.core.impl.trampoline.TrampolineCreatorFactory;
 import dev.tmpfs.libcoresyscall.core.impl.trampoline.TrampolineInfo;
 import libcore.io.Memory;
@@ -25,6 +27,7 @@ private NativeBridge() {
     private static long sTrampolineBase = 0;
     private static boolean sNativeMethodRegistered = false;
     private static boolean sTrampolineSetReadOnly = false;
+    private static BaseShellcode sShellcode = null;
 
     public static native long nativeSyscall(int number, long arg1, long arg2, long arg3, long arg4, long arg5, long arg6);
 
@@ -54,13 +57,29 @@ public static long getPageSize() {
         return ps;
     }
 
+    /**
+     * Get the base address of the trampoline, this address is typically NOT useful.
+     * If the trampoline is not initialized, this method will return 0.
+     */
+    public static long getTrampolineBase() {
+        return sTrampolineBase;
+    }
+
+    @NonNull
+    public static BaseShellcode getShellcode() {
+        if (sShellcode == null) {
+            sShellcode = TrampolineCreatorFactory.create();
+        }
+        return sShellcode;
+    }
+
     public static synchronized void initializeOnce() {
         if (!sNativeMethodRegistered) {
             // 1. Get the page size.
             long pageSize = getPageSize();
             // 2. Prepare the trampoline.
-            ITrampolineCreator creator = TrampolineCreatorFactory.create();
-            TrampolineInfo trampoline = creator.generateTrampoline((int) pageSize);
+            BaseShellcode shellcode = getShellcode();
+            TrampolineInfo trampoline = shellcode.generateTrampoline();
             // 3. Allocate a memory region for the trampoline.
             final int MAP_ANONYMOUS = 0x20;
             long address;