  • Hotpatch is a C library that lets a running process dynamically load an .so library, similar to the CreateRemoteThread() API on Win32. Compared with other existing dynamic-loading schemes, Hotpatch's advantage is that after the .so library is loaded, the original execution state of the process is restored. ...
  • HotPatch-EMC

    2017-08-25 16:39:25
    1. Introducing the protagonist

       The E(Excalibur)M(Modules)C(Common) architecture has high cohesion and low coupling as its main characteristics; starting from interface-oriented programming, it reduces the coupling between modules. The main goal of the HotPatch-EMC architecture is to address the stability problem of mobile apps. By running RN and Native as primary and backup, the cost of mistakes caused by faults in the system app can be reduced.


  • Hotpatch-SimpleServer: a server for hot patches, a simple implementation.
  • This HotPatch study is mainly based on one article, 《Android-HotPatch在线热补丁方案》 (Android-HotPatch online hot-patch scheme), and one practical project, the Mobile Taobao HotPatch project.

    Features:

         No installation needed; the logic of the current APK is modified directly.

    Defects:

        1. The program version number cannot be changed.

        2. The Patch must be loaded every time the program starts; the original APK is not truly modified.

    Limitations:

        Platform: API Level: [9,10] U [14-19], Android 2.3 - Android 4.X, excluding Android 3.X in between

        CPU: ARM supported, x86 not supported.

        System: Aliyun OS not supported.

        VM: Dalvik supported, ART not supported.

    Security:

         Once the main APK adopts this technique, if no precautions are taken, it very likely gives unsafe code an opening. Pay special attention!!!

            1. The packaged patch apk must be signed with the main app's signing file;

            2. The main app must verify the signature and the integrity (no tampering) of the patch apk it loads.

    A simple HotPatch flow taken from the Mobile Taobao project practice.


    Hotpatch's workflow is:

             1. Implement an interface that fetches Patch information from the server (uploading the local client version and similar information so the server can decide whether a corresponding Patch package exists), and inject this information into HotpatchManager.

             2. Check whether the client is supported. (Android L and Android M) are currently both unsupported; the minimum supported version is 2.3.

             3. If the client is supported, call the Patch-package fetching class injected in step 1 to obtain the corresponding Patch information, and download the Patch apk file.

             4. Verify. Check that the md5 of the downloaded Patch apk equals the md5 value in the Patch information given by the server, and then also verify that the signature of the Patch apk matches the signature of the host apk. The verification exists to prevent the Patch apk from being tampered with; if a third party's Patch gets loaded, that is letting the wolf into the house. Never remove the verification. Never. Never. Important things are said three times!!!

             5. If verification succeeds, load the Patch apk.


    Parts that can be improved:

         1. The PATCH-fetching interface can additionally be driven by push notifications to improve timeliness; when a serious problem appears, hot-fix it directly.

         2. The Patch process needs to be started both at the program entry point and after the Patch download completes.

         3. It is recommended that the Patch framework maintain a data store for the Patch APK and the Patch list, plus a recovery mechanism, so that when a Patch is lost or corrupted it is automatically re-downloaded and applied.

         4. The Patch download and storage directory is strongly recommended to be placed under the application's private directory, which raises the security level and prevents accidental deletion or clearing.


    BTW, in practice, if the main APK is already obfuscated, the obfuscated function names have to be looked up through the map.txt file produced at packaging time.



    References:

    《阿里巴巴HotPatch开源项目》 (Alibaba HotPatch open-source project), GitHub: https://github.com/alibaba/dexposed

    《Android-HotPatch在线热补丁方案》 original article: http://www.jianshu.com/p/2a7d16ab29e8

    "Mobile Taobao HotPatch practice", 《Android HotPatch系列之-项目介绍》 (Android HotPatch series: project introduction): http://my.oschina.net/fengcunhan/blog/487296

    Reposted from: https://my.oschina.net/u/1396564/blog/614827

  • Status of this project: currently waiting. Some steps have been taken here recently, and the RFC seems about to be merged. Considering that I am busy with school anyway, I will keep at it until every evening has an inner... use hotpatch :: * ; #[patchable] fn foo () { } fn ma
  • adpatch options=hotpatch

    2016-12-07 18:12:00

     

    --no need to shutdown application and no need to enable maintenance mode

    adpatch options=hotpatch

    find . -name FAS420.rdf
    -bash-3.2$ strings -a ./fa/12.0.0/reports/US/FAS420.rdf|grep '$Header'

    SQL> select bug_id,application_short_name from ad_bugs where bug_number='9287896';

        BUG_ID APPLICATION_SHORT_NAME
    ---------- --------------------------------------------------
        882825

      SQL> select count(1) from ad_applied_patches where patch_name='9287896';

      COUNT(1)
    ----------
             1

    --history log
    -bash-3.2$ adpatch options=hotpatch

                         Copyright (c) 2002 Oracle Corporation
                            Redwood Shores, California, USA

                             Oracle Applications AutoPatch

                                     Version 12.0.0

    NOTE: You may not use this utility for custom development
          unless you have written permission from Oracle Corporation.

    Attention: AutoPatch no longer checks for unapplied pre-requisite patches. You must use OAM Patch Wizard for this feature. Alternatively, you can review the README for pre-requisite information.

    Your default directory is '/u02/TM12/apps/apps_st/appl'. Is this the correct APPL_TOP [Yes] ?

    AutoPatch records your AutoPatch session in a text file you specify.  Enter your AutoPatch log file name or press [Return] to accept the default file name shown in brackets.

    Filename [adpatch.log] :

    Options = "hotpatch".

    You can be notified by email if a failure occurs. Do you wish to activate this feature [No] ?

    Please enter the batchsize [1000] :

    Please enter the name of the Oracle Applications System that this APPL_TOP belongs to.

    The Applications System name must be unique across all Oracle Applications Systems at your site, must be from 1 to 30 characters long, may only contain alphanumeric and underscore characters, and must start with a letter.

    Sample Applications System names are: "prod", "test", "demo" and "Development_2".

    Applications System Name [TM12] : TM12 *

    NOTE: If you do not currently have certain types of files installed in this APPL_TOP, you may not be able to perform certain tasks.

    Example 1: If you don't have files used for installing or upgrading the database installed in this area, you cannot install or upgrade the database from this APPL_TOP.

    Example 2: If you don't have forms files installed in this area, you cannot generate them or run them from this APPL_TOP.

    Example 3: If you don't have concurrent program files installed in this area, you cannot relink concurrent programs or generate reports from this APPL_TOP.

    Do you currently have files used for installing or upgrading the database installed in this APPL_TOP [YES] ? YES *

    Do you currently have Java and HTML files for HTML-based functionality installed in this APPL_TOP [YES] ? YES *

    Do you currently have Oracle Applications forms files installed in this APPL_TOP [YES] ? YES *

    Do you currently have concurrent program files installed in this APPL_TOP [YES] ? YES *

    Please enter the name Oracle Applications will use to identify this APPL_TOP.

    The APPL_TOP name you select must be unique within an Oracle Applications System, must be from 1 to 30 characters long, may only contain alphanumeric and underscore characters, and must start with a letter.

    Sample APPL_TOP Names are: "prod_all", "demo3_forms2", and "forms1".

    APPL_TOP Name [prcsgidb1] : prcsgidb1 *

     

    You are about to apply a patch to the installation of Oracle Applications in your ORACLE database 'TM12' using ORACLE executables in '/u02/TM12/apps/tech_st/10.1.2'.

    Is this the correct database [Yes] ?

    AutoPatch needs the password for your 'SYSTEM' ORACLE schema in order to determine your installation configuration.

    Enter the password for your 'SYSTEM' ORACLE schema:

    The ORACLE username specified below for Application Object Library uniquely identifies your existing product group: APPLSYS

    Enter the ORACLE password of Application Object Library [APPS] :

    AutoPatch is verifying your username/password. The status of various features in this run of AutoPatch is:

                                     <-Feature version in->
    Feature                          Active?   APPLTOP    Data model    Flags
    ------------------------------   -------   --------   -----------   -----------
    CHECKFILE                        Yes       1          1             Y N N Y N Y
    PREREQ                           Yes       6          6             Y N N Y N Y
    CONCURRENT_SESSIONS              No        2          2             Y Y N Y Y N
    PATCH_TIMING                     Yes       2          2             Y N N Y N Y
    PATCH_HIST_IN_DB                 Yes       6          6             Y N N Y N Y
    SCHEMA_SWAP                      Yes       1          1             Y N N Y Y Y
    JAVA_WORKER                      Yes       1          1             Y N N Y N Y
    CODELEVEL                        Yes       1          1             Y N N Y N Y

     

    Identifier for the current session is 549206

    Reading product information from file...

    Reading language and territory information from file...

    Reading language information from applUS.txt ...

    AutoPatch warning:  Product Data File  /u02/TM12/apps/apps_st/appl/admin/zfaprod.txt  does not exist for product "zfa". This product is registered in the database but the above file does not exist in APPL_TOP.  The product will be ignored without error.

    AutoPatch warning:  Product Data File  /u02/TM12/apps/apps_st/appl/admin/zsaprod.txt  does not exist for product "zsa". This product is registered in the database but the above file does not exist in APPL_TOP.  The product will be ignored without error.

    AutoPatch warning:  Product Data File  /u02/TM12/apps/apps_st/appl/admin/jtsprod.txt  does not exist for product "jts". This product is registered in the database but the above file does not exist in APPL_TOP.  The product will be ignored without error.

    Reading database to see what industry is currently installed.

    Reading FND_LANGUAGES to see what is currently installed. Currently, the following languages are installed:

    Code   Language                                Status
    ----   --------------------------------------- ---------
    US     American English                        Base
    ZHS    Simplified Chinese                      Install

    Reading language information from applZHS.txt ...

    Your base language will be AMERICAN.

    Your other languages to install are: SIMPLIFIED CHINESE

    Setting up module information.
    Reading database for information about the modules.
    Saving module information.
    Reading database for information about the products.
    Reading database for information about how products depend on each other.
    Reading topfile.txt ...

    Saving product information.

    AD code level : [B.1]

    Not checking the system maintenance mode.

     

    Trying to obtain a lock...

    Attempting to instantiate the current-view snapshot...

      Was already instantiated. So no instantiation done this time.

         **************** S T A R T   O F   U P L O A D ****************

    Start date: Thu Nov 17 2016 16:43:57

     

    0 "left over" javaupdates.txt files uploaded to DB: Thu Nov 17 2016 16:43:57

    0 patches uploaded from the ADPSV format patch history files: Thu Nov 17 2016 16:43:57

    Uploading information about files copied during the previous runs ...

    0 "left over" filescopied_<session_id>.txt files uploaded to DB: Thu Nov 17 2016 16:43:57

         ****************** E N D   O F   U P L O A D ******************

     

    End date: Thu Nov 17 2016 16:43:57

     

    Enter the directory where your Oracle Applications patch has been unloaded

    The default directory is [/u02/adpatchtest/9287896] :

    Please enter the name of your AutoPatch driver file : u9287896.drv

    Getting Oracle Applications Release...

    Current installed release is  12.1.1

    Reading patch driver file...

      Parsing and loading patch driver file...          46 lines processed.

      Not checking patch integrity as integrity checking flag is turned off.

    Successfully read patch driver file.

    Determining target release...

    Current target    release is  12.1.1

    This Patch seems to have been applied already. Would you like to continue anyway  [N] ? y

    -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    This base patch contains files which may require translation depending on the languages you currently have installed.

    Oracle Corporation recommends that you obtain any translated versions of this patch for each of your non-US languages PRIOR to applying this base patch.

    The translated version of the patch should be applied immediately AFTER applying this base patch.
    -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Do you wish to apply this patch now [No] ? yes

    Determining which bug fixes to apply...

    Done determining which bug fixes to apply.

    Log and Info File sync point:   Thu Nov 17 2016 16:44:23

    Turning off actions that reference unrecognized products.

    Log and Info File sync point:   Thu Nov 17 2016 16:44:23

    End of unrecognized products checking.

     

    AD utilities can support a maximum of 999 workers. Your current database configuration supports a maximum of 150 workers. Oracle recommends that you use between 48 and 96 workers.

    Enter the number of parallel workers [48] : 24

    AutoPatch will run in parallel mode.

    Did not need to apply new applterr.txt.

    Applying new applprod.txt (if any)...

      Did not need to apply new applprod.txt.

    Performing version checking for driver files...

    Copying driver files into installation area...

      No driver files were selected for copying.

    Skipping...  ForceCopy driver files into installation area for Specified driver  since no such action is present for this driver file

    Screening out files not valid for this installation...

    Determining valid on-site files...

    Skipping...  Extract object modules from libraries for Specified driver  since no such action is present for this driver file

    Performing version checking...

    Log and Info File sync point:   Thu Nov 17 2016 16:44:27
    AutoPatch found some files which it will not apply.
    These files are listed in the AutoPatch informational message file.

    Skipping...  Determine directories to create for Specified driver  since no such action is present for this driver file

    Skipping...  Determine executables to link for Specified driver  since no such action is present for this driver file

    Skipping...  Determine forms to generate for Specified driver  since no such action is present for this driver file

    Skipping...  Determine Oracle Reports libraries to generate for Specified driver  since no such action is present for this driver file

    Determining what Oracle Reports files to generate...

    Skipping...  Determine if need to generate message files for Specified driver  since no such action is present for this driver file

    Looking for active bug fixes with no active actions...

    Reading customized files list (if any)...

    Did not find customized files registration file "/u02/TM12/apps/apps_st/appl/admin/applcust.txt" The file may have been uploaded to the database.

    This patch replaces the following customized files:

      No customized files are replaced by this patch.

    Copying files into installation area...

      No files were selected for copying.

    Skipping...  ForceCopy files into installation area for Specified driver  since no such action is present for this driver file

    Skipping...  Archive object modules into product libraries for Specified driver  since no such action is present for this driver file

    Skipping...  Create Directories for Specified driver  since no such action is present for this driver file

    Skipping...  Relink for Specified driver  since no such action is present for this driver file

    Performing second half of mirrored copies...

      No mirrored copies were executed in this patch.

    Updating Oracle Applications Java files if necessary...

      No Oracle Applications Java files required updates.

      Checking to see if any files possibly included in the product JAR files   were copied by this patch...

        No files possibly included in the product JAR files     were copied by this patch.

    Skipping ...   Running AutoConfig to instantiate templates which affect   the generation of JAR files since none of these templates   were patched during this run of adpatch.

     

       No product JAR files need to be re-generated.

    Checking to see if adjborg.txt or any files included in   adjborg.txt were copied by this patch...

       Neither adjborg.txt nor any file included in    adjborg.txt was copied by this patch.

      Checking to see if adjborg2.txt or any files included in   adjborg2.txt were copied by this patch...

       Neither adjborg2.txt nor any file included in    adjborg2.txt was copied by this patch.

    Compiling JSP files...

      Not compiling JSPs: no JSPs in patch.

      No JSP files were compiled.

    Skipping...  Run SQL scripts and EXEC commands for Specified driver  since no such action is present for this driver file

    Skipping...  Compile invalid objects for Specified driver  since no such action is present for this driver file

    Skipping...  Generate forms library files for Specified driver  since no such action is present for this driver file

    Skipping...  Generate forms menu files for Specified driver  since no such action is present for this driver file

    Skipping...  Generate forms for Specified driver  since no such action is present for this driver file

    Skipping...  Generate reports libraries for Specified driver  since no such action is present for this driver file

    Generating reports...

      No reports were selected for generation.

    Skipping...  Generate Messages for Specified driver  since no such action is present for this driver file

    Skipping...  Generate Workflow resource files for Specified driver  since no such action is present for this driver file

    Skipping ...  Running AutoConfig since none of its templates were  patched during this run of adpatch.

    Saving Patch History information to Database...

    Trying to obtain a lock...

    > Inserted 1 patch history records (total).

    Gathering Statistics for AD_PATCH_HIST_TEMP

    Done Gathering Statistics for AD_PATCH_HIST_TEMP

    >>> Inserted 1 bug history records for this patch (total).
    >>>>> Inserted 0 action history records for this bug (total).

    Gathering Statistics for AD_PATCH_HIST_TEMP

    Done Gathering Statistics for AD_PATCH_HIST_TEMP

    >>> Inserted 1 bug history records for this patch (total).
    >>>>> Inserted 0 action history records for this bug (total).

     

      Updating the current-view snapshot...

      Done saving Patch History information.

    About to do IREP processing...

      Attempting to process IREP files ...

      Successfully processed IREP files.

    Done IREP processing.

    Copying applprod.tmp to applprod.txt (if needed)...

      Did not need to copy applprod.tmp to applprod.txt.

    Copying admin/<sid>/applterr.txt to admin/applterr.txt (if needed)...

    Did not need to copy admin/TM12/applterr.txt to admin/applterr.txt.

    There is no timing information available for the current session.

    AutoPatch is complete.

    AutoPatch may have written informational messages to the file /u02/TM12/apps/apps_st/appl/admin/TM12/log/adpatch.lgi

    Errors and warnings are listed in the log file /u02/TM12/apps/apps_st/appl/admin/TM12/log/adpatch.log

    and in other log files in the same directory.

     

    Reposted from: https://www.cnblogs.com/ayumie/p/6142225.html

  • Indeed, merely understanding the principle of hotpatch without putting it into practice only yields toys. Handling the details is a real headache.

    zhejiang wenzhou skinshoe wet, rain flooding water will not fat!

    This article is a sequel to the following two articles:
    How the Linux kernel replaces a kernel function and calls the original function: https://blog.csdn.net/dog250/article/details/84201114
    The hotpatch mechanism for dynamically replacing functions at runtime on x86_64: https://blog.csdn.net/dog250/article/details/84258601

    If the hotpatch of a kernel function is implemented as a module (which is almost certainly the case; how else could it be done?), then what the module must do when it is unloaded is a question that has to be considered.

    In recent years I have frequently run into panics when unloading modules. Many were caused by the hook's code segment being freed while the system was still executing it, sending the system off the rails. This is an extremely painful problem: if the code segment itself is not under your control, no locking mechanism can synchronize it properly. A thoroughly nasty business.

    Let's first look at a sequence:

    									EIP
    									|
    									|
    									v
    CPU0:----hooked_func call------------------hooked_func exit-----> time
    CPU1:-----------------------hook unload-------------------------> time
    

    Yes, indeed: if the hook function's binary code is unloaded while the hook function is executing, the system runs off the rails. That is obvious: the memory has been freed, so the result of instruction fetch is undefined.

    What to do?

    Before doing this hotpatch I had already raised a question: when we replace the first 5 bytes of an original function with a relative-address jump, what happens if some task is executing exactly those 5 bytes of instructions? After all, we know that memcpy-ing 5 bytes of memory at once is not an atomic operation, so the result is obvious: the program runs off the rails.

    Later I understood that the Linux kernel does not simply use memcpy to implement instruction replacement; it uses the function text_poke_smp. Looking at the implementation of text_poke_smp, the trick is that memcpy is invoked as a callback of stop_machine, which partially solves the problem. Note: partially!

    When stop_machine invokes its callback, it can only guarantee that the current thread of execution on the current CPU is the only one running in the whole system; all other CPUs are halted. So if a thread on another CPU was halted before finishing the first 5 bytes of the hooked function, there will still be a problem after the system resumes. In other words, the stop_machine call does not solve the atomic patch problem!

    Whether hooking or unhooking a function, the same thorny problem appears: what if a thread is executing the function at the moment of the action? This article tries to discuss a solution to this problem.


    Whether hook or unhook, in essence both are in-memory instruction replacements. The proper, common-sense approach should execute the following logic:

    int OK = 0;
    static int hotpatch_poke_test_and_poke(...)
    {
    	char stack[INFO_SIZE];
    	hotpatch_dump_stack(stack); // collect the stack traces of all current CPUs
    	if (strstr(stack, hook->function_name)) {
    		// if some CPU's stack contains the symbol name of the hooked/unhooked
    		// function, a CPU is executing that function: return immediately.
    		return 0;
    	}
    	// otherwise no thread on any CPU is inside the hooked/unhooked function;
    	// perform the instruction replacement.
    	OK = 1;
    	memcpy(....);
    	return 0;
    }
    
    static void hotpatch_poke_text(...)
    {
    	while (!OK) { // not successful yet: try again a little later.
    		stop_machine(hotpatch_poke_test_and_poke, ...);
    		cpu_relax();
    	}
    }
    

    The probability that hotpatch_poke_text never returns rises with the call frequency of the hooked/unhooked function, which in turn is proportional to the number of CPU cores; therefore this method does not scale, it is non-scalable.

    Even more unfortunately, if all CPUs fall into global synchronization, so that the hooked/unhooked function is called back-to-back across CPUs, i.e. CPU_n has not yet come out while CPU_{n+1} has already gone in, then it is rather tragic: hotpatch_poke_text will never come out.

    Clearly we need a better scheme to solve this painful problem.

    The better method is:

    • Don't let anyone unload the module
      This is easy to implement: just delete the module_exit function.

    But this one-shot method is not elegant at all; it is not the style of someone with technical OCD.

    After thinking for a long while, on the return flight from visiting family in Shenzhen, I came up with a scheme (which in the end I also rejected, but the process is worth a look!). The rest of this article talks about that scheme.


    The buddy who recommended me into the company told me that on x86 Linux's kprobe can be optimized into a relative jump method instead of using the time-consuming int 3 mechanism. The so-called relative jump scheme is in fact the hook scheme I use, replacing some bytes of the function with a jmp instruction. But here it is precisely the non-optimized int 3 scheme that I want to borrow.

    Let's first look at the int 3 kprobe mechanism.

    Very simple. Look at the following logic; I have simplified the Linux kernel's kprobe mechanism somewhat:

    struct kprobe {
    	char	*name; // function name
    	void	*addr; // start address of the function
    	u8	inst;	// first byte of the function's instructions
    	handle_t	(*pre_hook)(struct kprobe *p, ...); // pre-processing hook
    	handle_t	(*post_hook)(struct kprobe *p, ...); // post-processing hook
    	struct list_head list;
    };
    
    char int3[1] = {0xcc};
    int register(struct kprobe *p)
    {
    	p->addr = find_symbol(p->name);
    	list_add(&p->list, &probe_list);
    	p->inst = ((u8 *)p->addr)[0];
    	((u8 *)p->addr)[0] = int3[0]; // single-byte store, hence atomic
    	return 0;
    }
    
    // Executing the int 3 instruction raises an exception and traps into the handler.
    do_int3(char *addr...)
    {
    	struct kprobe *probe, *p;
    	...
    	// find the kprobe struct from the exception address
    	list_for_each(...) {
    		p = container_of(...);
    		...
    		if (addr == p->addr) {
    			probe = p;
    			break;
    		}
    	}
    	// call the pre-processing handler
    	probe->pre_hook(probe, ...);
    	// restore IP to the function's original instruction, so that execution
    	// continues with the original logic when int 3 returns
    	regs->eip = probe->inst; 
    	...
    }
    

    As you can see, kprobe's int3 mechanism is extremely simple and direct. It depends on no other data or code; the single-byte int3 instruction, 0xcc, takes care of everything. Its beauty lies in:

    1. When a kprobe is registered, the whole struct is placed on a global linked list;
    2. In the int 3 exception handler, the kprobe struct can be found on the global list via the faulting addr;
    3. From the kprobe struct found, the original instruction that was replaced by int3 can be retrieved;
    4. After pre_hook has run, the EIP register pushed on the stack by the int3 exception can be restored using the original instruction;

    The whole process flows in one go. If it is said to be inefficient, the reasons are no more than these two:

    • There are two context switches, accompanied by a series of pushes, pops and cache flushes;
    • There is a list traversal, accompanied by locking and scalability issues.

    Yet it is exactly these two points that let us easily exploit kprobe's dependency-free property. The world is harmonious.


    Now, let's see what exactly should be done.

    static int hold(...)
    {
    	read_lock(&hook_lock);
    	return 0;
    }
    
    static int release(...)
    {
    	read_unlock(&hook_lock);
    	return 0;
    }
    
    struct kprobe probe = {
    	.name = "function",
    	.pre_hook = hold,
    	.post_hook = release,
    };
    static void hotpatch_poke_text(...)
    {
    	register(&probe); // borrow kprobe's pre/post mechanism
    	write_lock(&hook_lock);
    	if (hook) {
    		// back up the instructions (note: do not cut an instruction in half~)
    		memcpy(saved_inst, probe.addr, HOOK_SIZE);
    		// safe replacement
    		memcpy(probe.addr, jump_inst, HOOK_SIZE);
    		// reset the probe's saved first byte from the newly written instructions
    		probe.inst = ((u8 *)probe.addr)[0];
    		// the replacement overwrote the borrowed int3; put it back by hand
    		((u8 *)probe.addr)[0] = int3[0];
    	} else if (unhook) {
    		// safe restore!
    		memcpy(probe.addr, saved_inst, HOOK_SIZE);
    		// reset the probe's saved first byte from the restored instructions
    		probe.inst = ((u8 *)probe.addr)[0];
    		// the restore overwrote the borrowed int3; put it back by hand
    		((u8 *)probe.addr)[0] = int3[0];
    	}
    	write_unlock(&hook_lock);
    	unregister(&probe); // kprobe has done its job; unregister it
    }
    

    A very straightforward sequence:

    • Replace the first byte of the hooked/unhooked function with int3 and register the kprobe at the same time;
    • Acquire the read lock in the pre handler and release it in the post handler;
    • In the hook or unhook operation, acquire the write lock; as long as any thread is still inside the function, this waits;
    • Once hook/unhook holds the write lock, any thread that wants to enter function waits on the read lock;
    • When hook/unhook releases the write lock, the threads waiting on the read lock enter function, but since inst has already been modified, they enter the successfully hooked or unhooked function!

    This is in fact a typical RCU scenario, yet I did not use the RCU mechanism the kernel provides, which is rather laughable. Actually, using the ready-made RCU here is problematic. You might think the RCU version would look like this:

    void rcu_callback()
    {
    	if (hook) {
    		// back up the instructions (note: do not cut an instruction in half~)
    		memcpy(saved_inst, probe.addr, HOOK_SIZE);
    		// safe replacement
    		memcpy(probe.addr, jump_inst, HOOK_SIZE);
    		// reset the probe's saved first byte from the newly written instructions
    		probe.inst = ((u8 *)probe.addr)[0];
    		// the replacement overwrote the borrowed int3; put it back by hand
    		((u8 *)probe.addr)[0] = int3[0];
    	} else if (unhook) {
    		// safe restore!
    		memcpy(probe.addr, saved_inst, HOOK_SIZE);
    		// reset the probe's saved first byte from the restored instructions
    		probe.inst = ((u8 *)probe.addr)[0];
    		// the restore overwrote the borrowed int3; put it back by hand
    		((u8 *)probe.addr)[0] = int3[0];
    	}
    }
    
    static void hotpatch_poke_text(...)
    {
    	register(&probe); // borrow kprobe's pre/post mechanism
    	call_rcu(..., rcu_callback);  // invoked at time point T!
    	sync_rcu();
    	unregister(&probe); // kprobe has done its job; unregister it
    }
    

    This is actually wrong. call_rcu can only guarantee that the instruction replacement runs after every thread that was inside function at time point T has left; it cannot guarantee that no new thread enters function after time point T. So using RCU here achieves nothing!

    There are two key points here; we would like two layers of protection:

    1. Ensure that after a time point T no new thread enters function;
    2. Ensure that after another time point T+n no thread is inside function.

    Since we cannot guarantee point 1 (say you hooked do_fork...), we can only busy-wait for point 2 to become true.


    Actually, after all this, summing up, I feel this article was written in vain, because I found that this final so-called better scheme is really the same as the initial stop_machine one!! It merely swaps stop_machine for write_lock; in essence both must guarantee that no thread is inside the function whose instructions are being replaced while the replacement executes. The difference is that the stop_machine scheme uses a hand-rolled busy-wait, whereas the rwlock one uses a read-write lock.

    Therefore the read-write lock scheme also runs into the global synchronization problem.

    All the same. Boring!


    When it comes to details, you always run into the 80/20 rule: a toy has less than 20% of the code of a finished product, sometimes under 10%, yet the product that finally ships needs the extra 80% to 90% of code to handle all these corner-case exceptions.

    Making a product and doing technical pre-research are completely different things; likewise, academic code and engineering code are completely different.


    There are many more details that cannot all be listed in this article; here only one is explained.

    Intel's jump instructions rarely use long jumps; usually they are 16-bit or 8-bit jumps, and even 32-bit jumps are rare. Intel's explanation is roughly that programs are generally small and exhibit locality. Nevertheless, Intel still provides 32-bit and 64-bit jump mechanisms. The 32-bit jump looks like this:

    0xe9 addr[0...7] addr[8...15] addr[16...23] addr[24...31];   jump $relative_address
    

    And the 64-bit jump instruction sequence looks like this:

    0x48 0xb8 addr[0...63];	mov rax $absolute_address
    0xff 0xe0;	jmp rax
    

    Clearly the 32-bit jump is handier, but it cannot always be used.

    If your hook function is really far from the original function, the 32-bit jump cannot be used; concretely, when the distance exceeds 2G. This is because 32 bits address a 4G space, and since jmp can jump both forward and backward, the relative address is a signed 32-bit int, positive or negative. So the 0xe9 jmp instruction can only jump within a range of 2G forward or backward.

    The distance between function addresses inside kernel modules and kernel functions very often exceeds 2G, so the 12-byte absolute-address jump sequence must be used, which means at least 12 bytes of instructions at the start of the function have to be overwritten.

    Also, note the use of the rax register. If the hook function uses rax, beware of the risk of it being clobbered here. Thank goodness this is only the start of the function, and the argument-passing registers specified by Intel do not include rax; see this figure:
    [figure: argument-passing registers]
    So this absolute-address jump has no side effects. If you want to hook logic in the middle of a function, you must consider the impact of changing rax.

    End of article!


    In less than two days, before I could exchange more than a few words with Xiaoxiao, I have to rush back to Hangzhou for work; yet if I did not have to go to work I would feel bored.

    People are meant to keep migrating rather than staying in one place forever. Emigration is not a goal, only a process. As modern transport, communication, logistics and international access keep developing, and migration is no longer a privilege of the rich or a last resort of the poor, what kind of life should we enjoy?

    Contradiction, hypocrisy, greed, deceit, fantasy, doubt, simplicity, fickleness.

    We should understand that "forever" is nothing but a lie; meetings and partings play out without end...

    Yesterday Xiaoxiao won a prize in a speech contest. As she spoke she moved herself to tears, fully immersed, true to her feelings. That is why I never say goodbye to Xiaoxiao when I leave; otherwise she would surely be unwilling to let go and would cry.

    Xiaoxiao is the lover I let down in a previous life; in this life fate lets us continue the bond. Thank heaven for the gift!

    How lucky a man is to have a daughter: he can openly and honorably express true love to a second woman besides his wife. What happiness!

    I miss Xiaoxiao so much!


    Zhejiang Wenzhou leather shoes wet, rain flooding water will not fat!

  • Recently, based on RehabMan's hotpatch, I added some paths and built a hotpatch that disables the discrete GPU, to fix the "Window Server Service only ran for 0 seconds" hang that some people hit after upgrading to 10.13 because the nv_disable parameter stopped working. I found that some...
  • hotpatch hot-patching

    2012-10-13 14:46:00
    hotpatch hot-patching. When looking at the disassembly of system functions you will find a "mov edi,edi" (2 bytes) at the start, and before that 5 nop instructions (which of course draw no attention). But what is "mov edi,edi" for? Searching online for "mov edi,edi" gives a surprising result; it is said that...
  • If my Xiaoxiao can play 《二泉映月》 on the piano, I will work hard to play 《Canon》 on the erhu! Recently I wrote three articles unrelated to networking technology: ...The hotpatch mechanism for dynamically replacing functions at runtime on x86_64: https://blog.csdn.net/dog250/article/d...
  • Hotpatch, a dynamic .so loading library

    Read 1000+ times 2013-04-16 14:46:31
    Hotpatch, a dynamic .so loading library. Author fmms 2011-10-10 22:04:50. Hotpatch is a C library that lets a running process dynamically load an .so library, similar to the CreateRemoteThread() API on Win32. Compared with other existing dynamic loading...
  • Applying a patch with the adpatch tool in Oracle EBS, hotpatch mode
  • 2. Copy libapp_fix.so and hotpatch-resource.zip to the root directory of the SD card. 3. Tap "start old version" in the app to view the old version's content, then kill the app step by step, open it again and tap "hot update"; the libapp_fix.so and hotpatch-resource.zip on the SD card can then be dynamically...
  • 屎蛋 · 2016/06/22 10:11 author:[emailprotected] 0x00 A brief introduction to "Hotpatch". iOS app developers often run into this kind of problem: after a new version goes live, a serious bug is discovered, possibly a logic flaw that leaves the payment interface at risk of being abused for freebies, ...
  • OC-Little: ACPI Hotpatch examples for OpenCore. Description: a compendium of ACPI Hotpatches and binary renames for use with the OpenCore bootloader. Disclaimer: this is my English translation. All credit goes to her/him/them. I only added some...
  • hotpatch's hook approach

    Read 1000+ times 2011-03-11 22:54:00
    The hotpatch technique first writes a 5-byte far jump into the few bytes of space above the function (generally reserved because of alignment, or because the /hotpatch option was used at compile time), and then replaces the function's two-byte mov edi,edi instruction with a short jump that jumps...
  • Recently in an iOS group I saw an app rejected in review because of Hotpatch. If Hotpatch gets banned entirely, one might as well switch fully to Swift, which both improves performance and reduces coding mistakes. Thinking about it, if Swift could also be hot-patched, wouldn't that be even more perfect? Hotpatch cannot be...
  • See "The module unload problem of the x86_64 hotpatch that dynamically replaces kernel functions". A very simple case: if, at the moment the kprobe is successfully registered, a thread on some CPU has already entered the middle of the hooked function, then when that thread exits the hooked function, without a read_lock (because it entered the function...
  • Implementing a hot patch on Linux ...https://github.com/vikasnkumar/hotpatch https://www.jianshu.com/p/9269836e0bd6 https://blog.csdn.net/chrisnotfound/article/details/79099711...
  • A brief introduction to the principle of Swift hotpatch with a simple example; but a basic analysis of the principle cannot establish real feasibility. So this article aims to build a more complex example. 0x1 A simple example first: an example that patches a Swift method with JS, the feature...
  • adpatch can take some options parameters; among them hotpatch can be used in R12.1. The specific principle will be added after further study. However, hotpatch is only suitable for small patches under 1M and not for larger patch deployments. adpatch potions=hotpatch, nocompiledb ...
  • Created: Sunday, October 16 2011 12:23.26 CDT ...https://www.openrce.org/blog/view/1761/DLL_Injection_on_Linux_using_Hotpatch  Printer Friendly ... DLL Injection on Linux usi
  • Android HotPatch

    Read 1000+ times 2010-12-09 13:42:00
    If you want to patch some system services, such as installd or ps, you can directly rename the files under /system/bin/ and save the patched new files under the original names in that directory; this takes effect after rebooting the phone. But writing the files directly does not work; you will run into...
