
I'm new to the binary analysis field. What I want to do is to analyze the JNI native interface functions (e.g., RegisterNatives or other functions listed here) by using the SimProcedures provided by Angr. The shared libraries (*.so files) are supposed to be part of Android apps. However, I noticed that these JNI native interface functions do not show up as symbols in the shared libraries. So my questions are:

  1. Why do these JNI native interface functions not have corresponding symbols in the shared libraries? Did I do something wrong, or are they supposed to be like this?
  2. In Angr, SimProcedures can only bind to symbols, if I did not miss anything. So if there are no such symbols, what should I do to make it work?
Jun Gao

1 Answer


The various functions are exposed by the JVM as a table of function pointers. See here, for example.

A call to env->FindClass would be represented in assembly as something like (C pseudocode):

table = *env;                          /* env is a pointer to the pointer to the JNI function table */
fp = *(table + 6 * sizeof(void *));    /* FindClass is slot 6: four reserved slots, GetVersion, DefineClass, then FindClass */
fp(env, ...);

Perhaps you can teach this angr thing about this function pointer table?

Botje
  • I'm aware of the function pointers, and such pointers can be spotted. But I'm still wondering how the symbols work and why these functions are not symbolized. I also checked with `radare2` and `objdump`. It's all the same, no corresponding symbols. – Jun Gao Aug 08 '20 at 12:39
  • Simplest answer: all the functions are declared as static (so no external symbol) and only referenced in the function pointer table **inside the JVM**. The Android library simply uses the exposed function pointers. Your best bet is to define a type for the `JNIEnv` with all the function pointers so you know which one is called. – Botje Aug 08 '20 at 13:25
  • After further checking, I found out that the missing symbols are caused by the NDK of Android. When I tried with NDK version 15 and a debug build (the latest Android Studio will also strip all these symbols in the release version of the APK), symbols for the relevant JNI interface functions could be found. – Jun Gao Aug 09 '20 at 09:37
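The mechanism the answer and Botje's comment describe, as an added example that is not part of the original post or of angr: a toy model of the JNI function table (not the real jni.h, only the first seven slots, which is enough to put FindClass at index 6 as in the real JNINativeInterface). The "VM side" implementations are static, so nothing exports them; the "app side" reaches FindClass only through the table at offset 6 * sizeof(void *). The offset-to-name resolver and the logging wrapper table stand in for what a SimProcedure must do when there is no symbol to bind to. All type and function names here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the JNI function table (assumption: not the real jni.h).
 * Only the first seven slots are declared, which places FindClass at
 * index 6 just as in the real JNINativeInterface. */
typedef struct ToyNativeInterface ToyNativeInterface;
typedef const ToyNativeInterface *ToyEnv; /* JNIEnv is a pointer to a table pointer */

struct ToyNativeInterface {
    void *reserved0, *reserved1, *reserved2, *reserved3;
    int (*GetVersion)(ToyEnv *env);
    void *(*DefineClass)(ToyEnv *env, const char *name, void *loader,
                         const signed char *buf, int len);
    void *(*FindClass)(ToyEnv *env, const char *name);
};

/* VM side: the implementations are static, so the object that defines them
 * exports no symbol for them; they are reachable only through the table. */
static int vm_get_version(ToyEnv *env) { (void)env; return 0x00010006; }
static void *vm_define_class(ToyEnv *env, const char *name, void *loader,
                             const signed char *buf, int len) {
    (void)env; (void)name; (void)loader; (void)buf; (void)len;
    return NULL;
}
static char vm_class_buf[64];
static void *vm_find_class(ToyEnv *env, const char *name) {
    (void)env;
    snprintf(vm_class_buf, sizeof vm_class_buf, "class:%s", name);
    return vm_class_buf;
}
static const ToyNativeInterface vm_table = {
    NULL, NULL, NULL, NULL, vm_get_version, vm_define_class, vm_find_class
};

/* App side: compiled native code never names FindClass. It loads the table
 * pointer from env and then the function pointer at slot 6. */
const char *app_native_method(ToyEnv *env, const char *class_name) {
    return (const char *)(*env)->FindClass(env, class_name);
}

/* The byte offset an analyst sees in the disassembly for a FindClass call. */
size_t find_class_offset(void) { return offsetof(ToyNativeInterface, FindClass); }

/* Resolve a table offset back to a name: this is the job an analysis tool
 * must do itself, because there is no symbol to bind a hook to. */
const char *slot_name(size_t offset) {
    if (offset == offsetof(ToyNativeInterface, GetVersion)) return "GetVersion";
    if (offset == offsetof(ToyNativeInterface, DefineClass)) return "DefineClass";
    if (offset == offsetof(ToyNativeInterface, FindClass)) return "FindClass";
    return "reserved/unknown";
}

/* Analyst side: a wrapper table that logs the call and forwards to the VM,
 * the same effect a hook on slot 6 would have in an emulator. */
static char last_call[128];
static void *hook_find_class(ToyEnv *env, const char *name) {
    snprintf(last_call, sizeof last_call, "FindClass(%s)", name);
    return vm_table.FindClass(env, name);
}
static const ToyNativeInterface hooked_table = {
    NULL, NULL, NULL, NULL, vm_get_version, vm_define_class, hook_find_class
};

const char *run_unhooked(const char *class_name) {
    ToyEnv env = &vm_table;            /* env points at the VM's own table */
    return app_native_method(&env, class_name);
}

const char *run_with_hook(const char *class_name) {
    ToyEnv env = &hooked_table;        /* same app code, hooked table */
    app_native_method(&env, class_name);
    return last_call;
}

int main(void) {
    printf("FindClass sits at table offset %zu (%s)\n",
           find_class_offset(), slot_name(find_class_offset()));
    printf("unhooked result: %s\n", run_unhooked("java/lang/String"));
    printf("hooked call log: %s\n", run_with_hook("java/lang/String"));
    return 0;
}
```

The app code in `app_native_method` compiles to exactly the two loads the answer describes (table pointer from `env`, then slot 6), and `nm` on an object built from this file will list none of the `vm_*` functions, which is the situation the question observes in release builds.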