其實並不是要分析Dns流程的,一開始是分析Android設置wifi代理,怎麼起到全局代理的作用的。
因爲壞習慣,在線看源碼,全憑記憶,沒有做筆記的習慣,忽略了一個點,直接分析到dns了,回過頭才發現分析過了。而之前羣裏有人問應用進程hook hosts文件能不能改dns,很久之前分析過4.1,記得是有個遠程進程負責dns解析的,但是太久了,細節都忘光了。
所以分析完了wifi代理、dns後記錄下吧,年紀大了記憶力真的不如以前了。
下一篇 wifi代理流程。
除了http外,ftp和webview是怎麼代理的。
以及6.0以下不用root,不申請特殊權限,怎麼設置wifi代理。由此引出app檢測代理的必要,之前考慮實際的攻擊場景可能就是釣魚wifi,dns劫持等,所以認爲一些app檢測代理或者不走代理主要是應對滲透抓包,但是忽略了安卓6.0及以下版本惡意app可以設置wifi代理,把http(s)代理到服務器的,如果沒有做正確的證書校驗或者誘導用戶安裝證書,https也可以中間人。
以及除了root後監控網卡解析出http代理和使用VpnService外怎麼通用的hook達到代理的目的,比如自己封裝發送http協議,不使用標準api,第三方框架等、比如直接socket連接,寫http。因爲工作中還是有一部分這樣不走尋常路的應用,往往web滲透的同事即沒root機器,版本還很高(比如8.0的手機信任證書),甚至還在駐場的情況,對其進行支持就很頭疼(多開框架)。
```
URL url = new URL("https://www.baidu.com");
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("192.168.2.1", 8081));
HttpURLConnection connection = (HttpURLConnection) url.openConnection(/*proxy*/);
connection.setConnectTimeout(10000);
// connection.addRequestProperty("accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3");
connection.addRequestProperty("accept-encoding", "gzip, deflate, br");
// connection.addRequestProperty("accept-language", "zh-CN,zh;q=0.9");
connection.setRequestMethod("GET");
InputStream is = connection.getInputStream();
Map<String, List<String>> map = connection.getHeaderFields();
for (Map.Entry<String, List<String>> entry : map.entrySet()) {
Log.e("zhuo", entry.getKey()+"="+entry.getValue());
}
GZIPInputStream gis = new GZIPInputStream(is);
byte buf[] = new byte[1024];
gis.read(buf);
Log.e("zhuo", new String(buf));
connection.disconnect();
```
以上是一個簡單到網絡請求,而如果使用proxy的話會產生異常,我們藉助異常堆棧可以較清晰的看到函數調用流程。(至於爲什麼產生這個異常,最後分析,而有經驗的可能看下異常已經知道了)
```
W/System.err: java.net.ConnectException: failed to connect to localhost/127.0.0.1 (port 8081) after 10000ms: isConnected failed: ECONNREFUSED (Connection refused)
W/System.err: at libcore.io.IoBridge.isConnected(IoBridge.java:223)
at libcore.io.IoBridge.connectErrno(IoBridge.java:161)
at libcore.io.IoBridge.connect(IoBridge.java:112)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:192)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:459)
at java.net.Socket.connect(Socket.java:843)
at com.android.okhttp.internal.Platform.connectSocket(Platform.java:131)
at com.android.okhttp.Connection.connect(Connection.java:101)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:296)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:179)
at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:246)
```
可以發現真正的網絡請求是從getInputStream開始。但是爲什麼完全瞭解整個流程,我們還是簡單看下Url類
```
transient URLStreamHandler streamHandler;
//僅是包裝,而streamHandler的賦值是在構造函數
public URLConnection openConnection() throws IOException {
return streamHandler.openConnection(this);
}
public URL(String spec) throws MalformedURLException {
this((URL) null, spec, null);
}
//被上面的構造函數調用
public URL(URL context, String spec, URLStreamHandler handler) throws MalformedURLException {
if (spec == null) {
throw new MalformedURLException();
}
if (handler != null) {
streamHandler = handler;
}
spec = spec.trim();
protocol = UrlUtils.getSchemePrefix(spec);
int schemeSpecificPartStart = protocol != null ? (protocol.length() + 1) : 0;
// If the context URL has a different protocol, discard it because we can't use it.
if (protocol != null && context != null && !protocol.equals(context.protocol)) {
context = null;
}
// Inherit from the context URL if it exists.
if (context != null) {
set(context.protocol, context.getHost(), context.getPort(), context.getAuthority(),
context.getUserInfo(), context.getPath(), context.getQuery(),
context.getRef());
if (streamHandler == null) {
streamHandler = context.streamHandler;
}
} else if (protocol == null) {
throw new MalformedURLException("Protocol not found: " + spec);
}
if (streamHandler == null) {
//賦值
setupStreamHandler();
if (streamHandler == null) {
throw new MalformedURLException("Unknown protocol: " + protocol);
}
}
// Parse the URL. If the handler throws any exception, throw MalformedURLException instead.
try {
streamHandler.parseURL(this, spec, schemeSpecificPartStart, spec.length());
} catch (Exception e) {
throw new MalformedURLException(e.toString());
}
}
void setupStreamHandler() {
...
else if (protocol.equals("http")) {
try {
String name = "com.android.okhttp.HttpHandler";
streamHandler = (URLStreamHandler) Class.forName(name).newInstance();
} catch (Exception e) {
throw new AssertionError(e);
}
} else if (protocol.equals("https")) {
try {
String name = "com.android.okhttp.HttpsHandler";
streamHandler = (URLStreamHandler) Class.forName(name).newInstance();
} catch (Exception e) {
throw new AssertionError(e);
}
}
...
}
```
(因爲基本上所有的https相關的類都是繼承自http,覆蓋某些方法,整體邏輯是類似的,爲了少些跳轉,我們直接看http相關的即可)
根據以上分析,發現最終實現類爲com.android.okhttp.HttpsHandler,但是在源碼裏搜索並沒有找到這個類。找到的有external/okhttp/android/main/java/com/squareup/okhttp/HttpHandler.java
看一下external/okhttp/jarjar-rules.txt
rule com.squareup.** com.android.@1
所以會在編譯後改包名,所以就是我們要找的HttpHandler,而這個模塊好像是早期的okhttp,集成進來改名應該是爲了防止衝突,影響應用使用更新的okhttp。
```
public class HttpHandler extends URLStreamHandler {
@Override protected URLConnection openConnection(URL url) throws IOException {
return newOkHttpClient(null /* proxy */).open(url);
}
@Override protected URLConnection openConnection(URL url, Proxy proxy) throws IOException {
if (url == null || proxy == null) {
throw new IllegalArgumentException("url == null || proxy == null");
}
return newOkHttpClient(proxy).open(url);
}
@Override protected int getDefaultPort() {
return 80;
}
protected OkHttpClient newOkHttpClient(Proxy proxy) {
OkHttpClient client = new OkHttpClient();
client.setFollowProtocolRedirects(false);
if (proxy != null) {
client.setProxy(proxy);
}
return client;
}
}
//可以看到確實如所說的http和https的關係,所以之後的分析,不在列出https專屬部分
public final class HttpsHandler extends HttpHandler {
private static final List<String> ENABLED_TRANSPORTS = Arrays.asList("http/1.1");
@Override protected int getDefaultPort() {
return 443;
}
@Override
protected OkHttpClient newOkHttpClient(Proxy proxy) {
OkHttpClient client = super.newOkHttpClient(proxy);
client.setTransports(ENABLED_TRANSPORTS);
HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
// Assume that the internal verifier is better than the
// default verifier.
if (!(verifier instanceof DefaultHostnameVerifier)) {
client.setHostnameVerifier(verifier);
}
return client;
}
}
```
分析發現openConnection調用的是OkHttpClient的open函數。
```
//對應上了我們異常日誌中的HttpsURLConnectionImpl,看名字也知道肯定是繼承自HttpsURLConnection
HttpURLConnection open(URL url, Proxy proxy) {
String protocol = url.getProtocol();
OkHttpClient copy = copyWithDefaults();
copy.proxy = proxy;
if (protocol.equals("http")) return new HttpURLConnectionImpl(url, copy);
if (protocol.equals("https")) return new HttpsURLConnectionImpl(url, copy);
throw new IllegalArgumentException("Unexpected protocol: " + protocol);
}
/**
* Returns a shallow copy of this OkHttpClient that uses the system-wide default for
* each field that hasn't been explicitly configured.
*/
private OkHttpClient copyWithDefaults() {
OkHttpClient result = new OkHttpClient(this);
result.proxy = proxy;
result.proxySelector = proxySelector != null ? proxySelector : ProxySelector.getDefault();
result.cookieHandler = cookieHandler != null ? cookieHandler : CookieHandler.getDefault();
result.responseCache = responseCache != null ? responseCache : ResponseCache.getDefault();
result.sslSocketFactory = sslSocketFactory != null
? sslSocketFactory
: HttpsURLConnection.getDefaultSSLSocketFactory();
result.hostnameVerifier = hostnameVerifier != null
? hostnameVerifier
: OkHostnameVerifier.INSTANCE;
result.authenticator = authenticator != null
? authenticator
: HttpAuthenticator.SYSTEM_DEFAULT;
result.connectionPool = connectionPool != null ? connectionPool : ConnectionPool.getDefault();
result.followProtocolRedirects = followProtocolRedirects;
result.transports = transports != null ? transports : DEFAULT_TRANSPORTS;
result.connectTimeout = connectTimeout;
result.readTimeout = readTimeout;
return result;
}
```
看異常知道還是調用的HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:179),略過https
```
@Override public final InputStream getInputStream() throws IOException {
if (!doInput) {
throw new ProtocolException("This protocol does not support input");
}
//觸發在這裏
HttpEngine response = getResponse();
// if the requested file does not exist, throw an exception formerly the
// Error page from the server was returned if the requested file was
// text/html this has changed to return FileNotFoundException for all
// file types
if (getResponseCode() >= HTTP_BAD_REQUEST) {
throw new FileNotFoundException(url.toString());
}
InputStream result = response.getResponseBody();
if (result == null) {
throw new ProtocolException("No response body exists; responseCode=" + getResponseCode());
}
return result;
}
private HttpEngine getResponse() throws IOException {
//HttpEngine賦值
initHttpEngine();
if (httpEngine.hasResponse()) {
return httpEngine;
}
while (true) {
if (!execute(true)) {
continue;
}
...
}
private boolean execute(boolean readResponse) throws IOException {
try {
httpEngine.sendRequest();
if (readResponse) {
httpEngine.readResponse();
}
return true;
} catch (IOException e) {
if (handleFailure(e)) {
return false;
} else {
throw e;
}
}
}
```
最終調用HttpEngine類的sendRequest
```
public final void sendRequest() throws IOException {
...
//略過設置請求頭,緩存等
if (responseSource.requiresConnection()) {
sendSocketRequest();
} else if (connection != null) {
client.getConnectionPool().recycle(connection);
connection = null;
}
}
private void sendSocketRequest() throws IOException {
if (connection == null) {
//連接
connect();
}
if (transport != null) {
throw new IllegalStateException();
}
transport = (Transport) connection.newTransport(this);
if (hasRequestBody() && requestBodyOut == null) {
// Create a request body if we don't have one already. We'll already
// have one if we're retrying a failed POST.
requestBodyOut = transport.createRequestBody();
}
}
/** Connect to the origin server either directly or via a proxy. */
protected final void connect() throws IOException {
if (connection != null) {
return;
}
if (routeSelector == null) {
String uriHost = uri.getHost();
if (uriHost == null) {
throw new UnknownHostException(uri.toString());
}
SSLSocketFactory sslSocketFactory = null;
HostnameVerifier hostnameVerifier = null;
if (uri.getScheme().equalsIgnoreCase("https")) {
sslSocketFactory = client.getSslSocketFactory();
hostnameVerifier = client.getHostnameVerifier();
}
//這一部分待會回來再分析
Address address = new Address(uriHost, getEffectivePort(uri), sslSocketFactory,
hostnameVerifier, client.getAuthenticator(), client.getProxy(), client.getTransports());
routeSelector = new RouteSelector(address, uri, client.getProxySelector(),
client.getConnectionPool(), Dns.DEFAULT, client.getRoutesDatabase());
}
//待會分析
connection = routeSelector.next(method);
if (!connection.isConnected()) {
//最終調用的是connection.connect
connection.connect(client.getConnectTimeout(), client.getReadTimeout(), getTunnelConfig());
client.getConnectionPool().maybeShare(connection);
client.getRoutesDatabase().connected(connection.getRoute());
} else {
connection.updateReadTimeout(client.getReadTimeout());
}
connected(connection);
if (connection.getRoute().getProxy() != client.getProxy()) {
// Update the request line if the proxy changed; it may need a host name.
requestHeaders.getHeaders().setRequestLine(getRequestLine());
}
}
```
```
public Connection(Route route) {
this.route = route;
}
public void connect(int connectTimeout, int readTimeout, TunnelRequest tunnelRequest)
throws IOException {
if (connected) {
throw new IllegalStateException("already connected");
}
connected = true;
//這裏是直接new Socket()
socket = (route.proxy.type() != Proxy.Type.HTTP) ? new Socket(route.proxy) : new Socket();
//後面的不用再追,因爲在這裏傳入route.inetSocketAddress已經是127.0.0.1(因爲我們自定義了proxy,如果沒有使用,則域名已經變爲ip),之後我們往回追,因爲後面的就是socket建立連接,和本篇關係不大了。
Platform.get().connectSocket(socket, route.inetSocketAddress, connectTimeout);
socket.setSoTimeout(readTimeout);
in = socket.getInputStream();
out = socket.getOutputStream();
if (route.address.sslSocketFactory != null) {
upgradeToTls(tunnelRequest);
}
// Use MTU-sized buffers to send fewer packets.
int mtu = Platform.get().getMtu(socket);
if (mtu < 1024) mtu = 1024;
if (mtu > 8192) mtu = 8192;
in = new BufferedInputStream(in, mtu);
out = new BufferedOutputStream(out, mtu);
}
```
至此順着異常日誌大概知道了網絡請求的流程。
## Dns流程
按照倒敘的方式,我們看下
```
connection = routeSelector.next(method);
public Connection next(String method) throws IOException {
// Always prefer pooled connections over new connections.
for (Connection pooled; (pooled = pool.get(address)) != null; ) {
if (method.equals("GET") || pooled.isReadable()) return pooled;
pooled.close();
}
// Compute the next route to attempt.
if (!hasNextTlsMode()) {
if (!hasNextInetSocketAddress()) {
if (!hasNextProxy()) {
if (!hasNextPostponed()) {
throw new NoSuchElementException();
}
return new Connection(nextPostponed());
}
lastProxy = nextProxy();
resetNextInetSocketAddress(lastProxy);
}
lastInetSocketAddress = nextInetSocketAddress();
resetNextTlsMode();
}
boolean modernTls = nextTlsMode() == TLS_MODE_MODERN;
//根據前面的分析route.inetSocketAddress=lastInetSocketAddress
Route route = new Route(address, lastProxy, lastInetSocketAddress, modernTls);
if (routeDatabase.shouldPostpone(route)) {
postponedRoutes.add(route);
// We will only recurse in order to skip previously failed routes. They will be
// tried last.
return next(method);
}
return new Connection(route);
}
```
根據前面的route.inetSocketAddress,我們可以簡單看下Route這個類,
```
public Route(Address address, Proxy proxy, InetSocketAddress inetSocketAddress,
boolean modernTls) {
if (address == null) throw new NullPointerException("address == null");
if (proxy == null) throw new NullPointerException("proxy == null");
if (inetSocketAddress == null) throw new NullPointerException("inetSocketAddress == null");
this.address = address;
this.proxy = proxy;
this.inetSocketAddress = inetSocketAddress;
this.modernTls = modernTls;
}
```
因爲inetSocketAddress不能爲空,所以lastInetSocketAddress肯定就是後面用到的route.inetSocketAddress,而lastInetSocketAddress由nextInetSocketAddress函數賦值。
```
private InetSocketAddress nextInetSocketAddress() throws UnknownHostException {
InetSocketAddress result =
new InetSocketAddress(socketAddresses[nextSocketAddressIndex++], socketPort);
if (nextSocketAddressIndex == socketAddresses.length) {
socketAddresses = null; // So that hasNextInetSocketAddress() returns false.
nextSocketAddressIndex = 0;
}
return result;
}
```
返回的是private InetAddress[] socketAddresses數組內的一個值,而對該數組賦值的函數只有一個,可以直接定位到真是幸福。
```
private void resetNextInetSocketAddress(Proxy proxy) throws UnknownHostException {
socketAddresses = null; // Clear the addresses. Necessary if getAllByName() below throws!
String socketHost;
if (proxy.type() == Proxy.Type.DIRECT) {
socketHost = uri.getHost();
socketPort = getEffectivePort(uri);
} else {
SocketAddress proxyAddress = proxy.address();
if (!(proxyAddress instanceof InetSocketAddress)) {
throw new IllegalArgumentException(
"Proxy.address() is not an " + "InetSocketAddress: " + proxyAddress.getClass());
}
InetSocketAddress proxySocketAddress = (InetSocketAddress) proxyAddress;
socketHost = proxySocketAddress.getHostName();
socketPort = proxySocketAddress.getPort();
}
// Try each address for best behavior in mixed IPv4/IPv6 environments.
socketAddresses = dns.getAllByName(socketHost);
nextSocketAddressIndex = 0;
}
```
dns.getAllByName函數傳入的是域名"www.baidu.com",返回的域名對應的ip數組。
dns在上面的代碼中設置過,爲Dns.DEFAULT
```
routeSelector = new RouteSelector(address, uri, client.getProxySelector(),
client.getConnectionPool(), Dns.DEFAULT, client.getRoutesDatabase());
public interface Dns {
Dns DEFAULT = new Dns() {
@Override public InetAddress[] getAllByName(String host) throws UnknownHostException {
return InetAddress.getAllByName(host);
}
};
InetAddress[] getAllByName(String host) throws UnknownHostException;
}
```
Dns爲接口只有一個默認的實現,調用InetAddress類的getAllByName
```
private static InetAddress[] lookupHostByName(String host) throws UnknownHostException {
...
//略過查找緩存,第一次沒有緩存
StructAddrinfo hints = new StructAddrinfo();
hints.ai_flags = AI_ADDRCONFIG;
hints.ai_family = AF_UNSPEC;
// If we don't specify a socket type, every address will appear twice, once
// for SOCK_STREAM and one for SOCK_DGRAM. Since we do not return the family
// anyway, just pick one.
hints.ai_socktype = SOCK_STREAM;
//入口
InetAddress[] addresses = Libcore.os.getaddrinfo(host, hints);
// TODO: should getaddrinfo set the hostname of the InetAddresses it returns?
for (InetAddress address : addresses) {
address.hostName = host;
}
addressCache.put(host, addresses);
}
```
最終獲取dns又由Libcore.os.getaddrinfo實現,而這個Libcore.os,追過的朋友應該知道有兩三層包裝,這裏就不再浪費時間去追,直接看函數對應的native函數。
```
NATIVE_METHOD(Posix, getaddrinfo, "(Ljava/lang/String;Llibcore/io/StructAddrinfo;)[Ljava/net/InetAddress;"),
對應的c++實現爲Posix_getaddrinfo
static jobjectArray Posix_getaddrinfo(JNIEnv* env, jobject, jstring javaNode, jobject javaHints) {
...
//略過一些無關緊要的代碼
addrinfo* addressList = NULL;
errno = 0;
int rc = getaddrinfo(node.c_str(), NULL, &hints, &addressList);
UniquePtr<addrinfo, addrinfo_deleter> addressListDeleter(addressList);
if (rc != 0) {
throwGaiException(env, "getaddrinfo", rc);
return NULL;
}
...
//result爲addressList->ai_addr
return result;
}
```
代碼有些多,省略掉,主要就是getaddrinfo函數,之後返回的類數組賦值取的是addressList中的值,所以我們關注的是getaddrinfo函數的第四個參數。實現在libc中,bionic/libc/netbsd/net/getaddrinfo.c
```
int
getaddrinfo(const char *hostname, const char *servname,
const struct addrinfo *hints, struct addrinfo **res)
{
return android_getaddrinfoforiface(hostname, servname, hints, NULL, 0, res);
}
//該函數內容特別多,
int
android_getaddrinfoforiface(const char *hostname, const char *servname,
const struct addrinfo *hints, const char *iface, int mark, struct addrinfo **res)
{
......
// 取ANDROID_DNS_MODE環境變量。只有Netd進程設置了它
const char* cache_mode = getenv("ANDROID_DNS_MODE");
......
// 由於Netd進程設置了此環境變量,故Netd進程繼續下面的流程,至於android_getaddrinfo_proxy函數,這裏不寫了或者開其他篇章再寫,簡單描述這個函數作用,通過socket和遠程進程Netd通信,把參數封裝後傳輸過去,就是要Netd進程代理解析dns,而這個Netd進程最後也會調用到libc中的android_getaddrinfoforiface函數,所以從這裏開始,我們後面分析的代碼其實已經不是應用進程了,二是Netd進程在執行。
if (cache_mode == NULL || strcmp(cache_mode, "local") != 0) {
// we're not the proxy - pass the request to them
return android_getaddrinfo_proxy(hostname, servname, hints, res, iface);
}
/*
* hostname as alphabetical name.
* we would like to prefer AF_INET6 than AF_INET, so we'll make a
* outer loop by AFs.
*/
for (ex = explore; ex->e_af >= 0; ex++) {
*pai = ai0;
/* require exact match for family field */
if (pai->ai_family != ex->e_af)
continue;
if (!MATCH(pai->ai_socktype, ex->e_socktype,
WILD_SOCKTYPE(ex))) {
continue;
}
if (!MATCH(pai->ai_protocol, ex->e_protocol,
WILD_PROTOCOL(ex))) {
continue;
}
if (pai->ai_socktype == ANY && ex->e_socktype != ANY)
pai->ai_socktype = ex->e_socktype;
if (pai->ai_protocol == ANY && ex->e_protocol != ANY)
pai->ai_protocol = ex->e_protocol;
//代碼太多,不知道該怎麼描述分析過程了,簡單來說反推得出該函數爲解析dns,*res = sentinel.ai_next;->cur = &sentinel;
error = explore_fqdn(pai, hostname, servname,
&cur->ai_next, iface, mark);
while (cur && cur->ai_next)
cur = cur->ai_next;
}
/* XXX */
if (sentinel.ai_next)
error = 0;
if (error)
goto free;
if (error == 0) {
if (sentinel.ai_next) {
good:
*res = sentinel.ai_next;
return SUCCESS;
} else
error = EAI_FAIL;
}
free:
bad:
if (sentinel.ai_next)
freeaddrinfo(sentinel.ai_next);
*res = NULL;
return error;
}
```
代碼很多,之後轉入explore_fqdn,我們關心參數res。忽略了傳入的host爲數字的情況,即直接是ip的,不再列出了,再開分支感覺很亂。
```
//
static int
explore_fqdn(const struct addrinfo *pai, const char *hostname,
const char *servname, struct addrinfo **res, const char *iface, int mark)
{
struct addrinfo *result;
struct addrinfo *cur;
int error = 0;
//_files_getaddrinfo爲讀取system/etc/hosts文件
//_dns_getaddrinfo就是訪問dns服務器了
static const ns_dtab dtab[] = {
NS_FILES_CB(_files_getaddrinfo, NULL)
{ NSSRC_DNS, _dns_getaddrinfo, NULL }, /* force -DHESIOD */
NS_NIS_CB(_yp_getaddrinfo, NULL)
{ 0, 0, 0 }
};
assert(pai != NULL);
/* hostname may be NULL */
/* servname may be NULL */
assert(res != NULL);
result = NULL;
/*
* if the servname does not match socktype/protocol, ignore it.
*/
if (get_portmatch(pai, servname) != 0)
return 0;
switch (nsdispatch(&result, dtab, NSDB_HOSTS, "getaddrinfo",
default_dns_files, hostname, pai, iface, mark)) {
case NS_TRYAGAIN:
error = EAI_AGAIN;
goto free;
case NS_UNAVAIL:
error = EAI_FAIL;
goto free;
case NS_NOTFOUND:
error = EAI_NODATA;
goto free;
case NS_SUCCESS:
error = 0;
for (cur = result; cur; cur = cur->ai_next) {
GET_PORT(cur, servname);
/* canonname should be filled already */
}
break;
}
*res = result;
return 0;
free:
if (result)
freeaddrinfo(result);
return error;
}
```
雖然explore_fqdn函數比較長,但是其實只有一個點nsdispatch,其實這個函數就是執行dtab中的函數,下面貼出代碼,就不詳細分析了。
```
static nss_method
_nsmethod(const char *source, const char *database, const char *method,
const ns_dtab disp_tab[], void **cb_data)
{
int curdisp;
if (disp_tab != NULL) {
for (curdisp = 0; disp_tab[curdisp].src != NULL; curdisp++) {
if (strcasecmp(source, disp_tab[curdisp].src) == 0) {
*cb_data = disp_tab[curdisp].cb_data;
return (disp_tab[curdisp].callback);
}
}
}
*cb_data = NULL;
return (NULL);
}
int
/*ARGSUSED*/
nsdispatch(void *retval, const ns_dtab disp_tab[], const char *database,
const char *method, const ns_src defaults[], ...)
{
va_list ap;
int i, result;
const ns_src *srclist;
int srclistsize;
nss_method cb;
void *cb_data;
/* retval may be NULL */
/* disp_tab may be NULL */
assert(database != NULL);
assert(method != NULL);
assert(defaults != NULL);
if (database == NULL || method == NULL || defaults == NULL)
return (NS_UNAVAIL);
srclist = defaults;
srclistsize = 0;
while (srclist[srclistsize].name != NULL)
srclistsize++;
result = 0;
for (i = 0; i < srclistsize; i++) {
cb = _nsmethod(srclist[i].name, database, method,
disp_tab, &cb_data);
result = 0;
if (cb != NULL) {
va_start(ap, defaults);
result = (*cb)(retval, cb_data, ap);
va_end(ap);
if (defaults[0].flags & NS_FORCEALL)
continue;
if (result & srclist[i].flags)
break;
}
}
result &= NS_STATUSMASK; /* clear private flags in result */
return (result ? result : NS_NOTFOUND);
}
```
到這裏出現了兩個分支,一個是讀取本地的hosts,一個是訪問dns,先看本地的。
```
//NS_FILES_CB宏展開爲
#define NSSRC_FILES "files"
{ NSSRC_FILES, F, __UNCONST(C) },
//default_dns_files爲
static const ns_src default_dns_files[] = {
{ NSSRC_FILES, NS_SUCCESS },
{ NSSRC_DNS, NS_SUCCESS },
{ 0, 0 }
};
//讀取本地hosts
#define _PATH_HOSTS "/system/etc/hosts"
static void
_sethtent(FILE **hostf)
{
if (!*hostf)
*hostf = fopen(_PATH_HOSTS, "r" );
else
rewind(*hostf);
}
static int
_files_getaddrinfo(void *rv, void *cb_data, va_list ap)
{
const char *name;
const struct addrinfo *pai;
struct addrinfo sentinel, *cur;
struct addrinfo *p;
FILE *hostf = NULL;
name = va_arg(ap, char *);
pai = va_arg(ap, struct addrinfo *);
// fprintf(stderr, "_files_getaddrinfo() name = '%s'\n", name);
memset(&sentinel, 0, sizeof(sentinel));
cur = &sentinel;
//讀取本地hosts
_sethtent(&hostf);
//讀取每一行解析域名和ip
while ((p = _gethtent(&hostf, name, pai)) != NULL) {
cur->ai_next = p;
while (cur && cur->ai_next)
cur = cur->ai_next;
}
_endhtent(&hostf);
*((struct addrinfo **)rv) = sentinel.ai_next;
if (sentinel.ai_next == NULL)
return NS_NOTFOUND;
return NS_SUCCESS;
}
```
以上就是解析本地hosts,如果找到對應的域名、ip,就返回,如果沒有,執行訪問dns服務器,最後一個很長的函數。
```
static int
_dns_getaddrinfo(void *rv, void *cb_data, va_list ap)
{
struct addrinfo *ai;
querybuf *buf, *buf2;
const char *name;
const struct addrinfo *pai;
struct addrinfo sentinel, *cur;
struct res_target q, q2;
res_state res;
const char* iface;
int mark;
name = va_arg(ap, char *);
pai = va_arg(ap, const struct addrinfo *);
iface = va_arg(ap, char *);
mark = va_arg(ap, int);
//fprintf(stderr, "_dns_getaddrinfo() name = '%s'\n", name);
memset(&q, 0, sizeof(q));
memset(&q2, 0, sizeof(q2));
memset(&sentinel, 0, sizeof(sentinel));
cur = &sentinel;
buf = malloc(sizeof(*buf));
if (buf == NULL) {
h_errno = NETDB_INTERNAL;
return NS_NOTFOUND;
}
buf2 = malloc(sizeof(*buf2));
if (buf2 == NULL) {
free(buf);
h_errno = NETDB_INTERNAL;
return NS_NOTFOUND;
}
switch (pai->ai_family) {
case AF_UNSPEC:
/* prefer IPv6 */
q.name = name;
q.qclass = C_IN;
q.answer = buf->buf;
q.anslen = sizeof(buf->buf);
int query_ipv6 = 1, query_ipv4 = 1;
if (pai->ai_flags & AI_ADDRCONFIG) {
// Only implement AI_ADDRCONFIG if the application is not
// using its own DNS servers, since our implementation
// only works on the default connection.
if (_using_default_dns(iface)) {
query_ipv6 = _have_ipv6();
query_ipv4 = _have_ipv4();
}
}
if (query_ipv6) {
q.qtype = T_AAAA;
if (query_ipv4) {
q.next = &q2;
q2.name = name;
q2.qclass = C_IN;
q2.qtype = T_A;
q2.answer = buf2->buf;
q2.anslen = sizeof(buf2->buf);
}
} else if (query_ipv4) {
q.qtype = T_A;
} else {
free(buf);
free(buf2);
return NS_NOTFOUND;
}
break;
case AF_INET:
q.name = name;
q.qclass = C_IN;
q.qtype = T_A;
q.answer = buf->buf;
q.anslen = sizeof(buf->buf);
break;
case AF_INET6:
q.name = name;
q.qclass = C_IN;
q.qtype = T_AAAA;
q.answer = buf->buf;
q.anslen = sizeof(buf->buf);
break;
default:
free(buf);
free(buf2);
return NS_UNAVAIL;
}
res = __res_get_state();
if (res == NULL) {
free(buf);
free(buf2);
return NS_NOTFOUND;
}
/* this just sets our iface val in the thread private data so we don't have to
* modify the api's all the way down to res_send.c's res_nsend. We could
* fully populate the thread private data here, but if we get down there
* and have a cache hit that would be wasted, so we do the rest there on miss
*/
res_setiface(res, iface);
res_setmark(res, mark);
if (res_searchN(name, &q, res) < 0) {
__res_put_state(res);
free(buf);
free(buf2);
return NS_NOTFOUND;
}
ai = getanswer(buf, q.n, q.name, q.qtype, pai);
if (ai) {
cur->ai_next = ai;
while (cur && cur->ai_next)
cur = cur->ai_next;
}
if (q.next) {
ai = getanswer(buf2, q2.n, q2.name, q2.qtype, pai);
if (ai)
cur->ai_next = ai;
}
free(buf);
free(buf2);
if (sentinel.ai_next == NULL) {
__res_put_state(res);
switch (h_errno) {
case HOST_NOT_FOUND:
return NS_NOTFOUND;
case TRY_AGAIN:
return NS_TRYAGAIN;
default:
return NS_UNAVAIL;
}
}
_rfc6724_sort(&sentinel);
__res_put_state(res);
*((struct addrinfo **)rv) = sentinel.ai_next;
return NS_SUCCESS;
}
```
而dns服務器的設置、獲取,具體的流程,其他篇幅再分析。
至此整個網絡請求到dns的流程已經出來了,也已經知道了之前的問題,hosts不會在應用進程解析(如果應用進程自己解析、讀取除外),所以hook應用進程讀取hosts是無效的。
總結以下,應用進程解析dns流程如下:
InetAddress.getByName ->
getAllByNameImpl ->
lookupHostByName ->
Libcore.os.getaddrinfo -> //包裝,調用natvie函數
getaddrinfo -> //bionic\libc\netbsd\net\getaddrinfo.c
android_getaddrinfoforiface ->
android_getaddrinfo_proxy -> //這裏cache_mode爲空,netd設置的ANDROID_DNS_MODE環境變量只在進程中有效。
connect //這裏的socket name是/dev/socket/dnsproxyd,也就是通過dnsproxd來和netd dameon進程交互。
fprintf //往dnsproxyd寫getaddrinfo命令,接下來就交由netd進程處理。
遠程系統進程netd:
new DnsProxyListener -> //system/netd/main.cpp
dpl->startListener ->
pthread_create ->
SocketListener::threadStart ->
me->runListener ->
select
accept
onDataAvailable -> //FrameworkListener.cpp 客戶端寫消息到socket dnsproxyd中,dnsproxyd是在FrameworkListener中註冊。
dispatchCommand ->
runCommand ->
DnsProxyListener::GetAddrInfoCmd::runCommand ->
new DnsProxyListener::GetAddrInfoHandler
handler->start ->
DnsProxyListener::GetAddrInfoHandler::start ->
DnsProxyListener::GetAddrInfoHandler::threadStart -> //DnsProxyListener.cpp netd初始化後會啓動dnsProxyListener線程監聽/dev/socket/dnsproxd來的消息。
handler->run ->
DnsProxyListener::GetAddrInfoHandler::run ->
android_getaddrinfoforiface -> //這裏不會跑android_getaddrinfo_proxy了,因爲此時的ANDROID_DNS_MODE值是local了,所以直接獲取dns地址。
explore_fqdn ->
nsdispatch ->
_files_getaddrinfo //從文件/system/etc/hosts獲取
_dns_getaddrinfo //或者從dns服務器獲取
sendLenAndData //返回給應用進程
其實在分析到進入dns的時候就懷疑自己過了,因爲雖然可以在解析dns的時候返回代理服務器的ip和端口,但是並沒有傳入域名,怎麼區分這次是http請求還是socket連接,像brup之類的http代理服務並不會代理socket。
最後剩一個問題,就是爲什麼一開始的代碼異常了,192.168.xxx.xxx會被解析成localhost,localhost解析爲127.0.0.1,所以無法代理。
而一個詭異的情況是安卓6.0上測試沒問題(這個待會分析),wifi設置的代理也沒問題。
```
private void resetNextInetSocketAddress(Proxy proxy) throws UnknownHostException {
socketAddresses = null; // Clear the addresses. Necessary if getAllByName() below throws!
String socketHost;
if (proxy.type() == Proxy.Type.DIRECT) {
socketHost = uri.getHost();
socketPort = getEffectivePort(uri);
} else {//設置了proxy
SocketAddress proxyAddress = proxy.address();
if (!(proxyAddress instanceof InetSocketAddress)) {
throw new IllegalArgumentException(
"Proxy.address() is not an " + "InetSocketAddress: " + proxyAddress.getClass());
}
InetSocketAddress proxySocketAddress = (InetSocketAddress) proxyAddress;
socketHost = proxySocketAddress.getHostName();//返回localhost
socketPort = proxySocketAddress.getPort();
}
// Try each address for best behavior in mixed IPv4/IPv6 environments.
//localhost解析爲127.0.0.1
socketAddresses = dns.getAllByName(socketHost);
nextSocketAddressIndex = 0;
}
```
經過比對代碼,發現wifi代理生成Proxy時needResolved爲false。
```
//Wi-Fi代理時系統設置needResolved爲false,而上面代碼是true
InetSocketAddress(String hostname, int port, boolean needResolved) {
if (hostname == null || port < 0 || port > 65535) {
throw new IllegalArgumentException("host=" + hostname + ", port=" + port);
}
InetAddress addr = null;
if (needResolved) {
try {
addr = InetAddress.getByName(hostname);
hostname = null;
} catch (UnknownHostException ignored) {
}
}
this.addr = addr;
this.hostname = hostname;
this.port = port;
}
```
所以我們生成時使其爲false即可使用192.168的代理ip。
而6.0的系統不出錯是因爲調用的函數address.getHostAddress();
返回的是ip地址。
```
private void resetNextInetSocketAddress(Proxy proxy) throws IOException {
// Clear the addresses. Necessary if getAllByName() below throws!
inetSocketAddresses = new ArrayList<>();
String socketHost;
int socketPort;
if (proxy.type() == Proxy.Type.DIRECT || proxy.type() == Proxy.Type.SOCKS) {
socketHost = address.getUriHost();
socketPort = getEffectivePort(uri);
} else {
SocketAddress proxyAddress = proxy.address();
if (!(proxyAddress instanceof InetSocketAddress)) {
throw new IllegalArgumentException(
"Proxy.address() is not an " + "InetSocketAddress: " + proxyAddress.getClass());
}
InetSocketAddress proxySocketAddress = (InetSocketAddress) proxyAddress;
socketHost = getHostString(proxySocketAddress);
socketPort = proxySocketAddress.getPort();
}
if (socketPort < 1 || socketPort > 65535) {
throw new SocketException("No route to " + socketHost + ":" + socketPort
+ "; port is out of range");
}
// Try each address for best behavior in mixed IPv4/IPv6 environments.
for (InetAddress inetAddress : network.resolveInetAddresses(socketHost)) {
inetSocketAddresses.add(new InetSocketAddress(inetAddress, socketPort));
}
nextInetSocketAddressIndex = 0;
}
static String getHostString(InetSocketAddress socketAddress) {
InetAddress address = socketAddress.getAddress();
if (address == null) {
// The InetSocketAddress was specified with a string (either a numeric IP or a host name). If
// it is a name, all IPs for that name should be tried. If it is an IP address, only that IP
// address should be tried.
return socketAddress.getHostName();
}
// The InetSocketAddress has a specific address: we should only try that address. Therefore we
// return the address and ignore any host name that may be available.
return address.getHostAddress();
}
```