JNI Static Linking

Linking must be done “manually”, by the binary code, before the methods are used.

Allows methods to have any name (read obfuscation!).
A fixed method (JNI_OnLoad) is called after the lib is loaded.
Library registers the mapping between Java methods and native methods using RegisterNatives.
- Must do this once for each method called.

jint RegisterNatives(JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods);
typedef struct {
    char *name;
    char *signature;
    void *fnPtr;
} JNINativeMethod;

Reverse engineering of the library blob is the most viable alternative.

Some symbols must always be available: JNI_Load.
The remaining symbols usually are available, although they may have obfuscated names.

Process

Load the library in a tool: ghidra, IDA, BinaryNinja, R2, etc…
Find the JNI_Load method.
Determine when RegisterNatives is called.
Determine the arguments passed to the function.
- This will allow determining the method mapping and the arguments of each function.
- The arguments may also help identify the method.

PreviousJNI Dynamic Linking NextExercise 5 and 6

Last updated 7 months ago