如何在现有的Android SO库中添加一个导入的函数？

Question

I'm currently developing the SO plugin loader for the existing SO library (GTA SA for Android). The SO libraries on Android are Unix ELF files. Having no source code of the library I cannot simply add the imported function in source code and compile the SO library again.

There is libGTASA.so, which I want to edit and alter the import table, adding a new symbol RunSOpluginLoader, which would be implemented in libFastman92pluginLoader.so, which is already loaded before libGTASA.so gets loaded, by Java code (classes.dex) that I also have modified.

For EXE files on Windows there are plenty of programs to edit the imports and I'd use LordPE. For ELF file I need a different solution however and I'm having a trouble with finding one.

I tried using HT Editor, which is supposed to open and edit the ELF files, but few seconds after libGTASA.so gets opened in HT Editor the application simply crashes.

I need a solution to add an import to SO library, preferably the solution that would run on Windows, but if there's none then I am willing to do it on Linux system.

After properly adding an import I am going to edit a bit of ARM code inside the libGTASA.so to actually call the newly imported function.

Essentially:
libGTASA.so - I want to add an imported symbol RunSOpluginLoader to this file.

Answer 1

Few days after I wrote the question I figured out how to do this task. I had written a simple ELF file manager class in C++ and program, which does the following:

• load the ELF file - create a representation of header, sections and program segments, dynamic table (pointed by PT_DYNAMIC)
• added new section (.fastman92_code, with permissions RWX)
• added new program segment that covers a new section
• I noticed the program segment must be aligned, I made an alignment of 32768 and it worked.
• added new string to string table (pointed by this->header.e_shstrndx), string "fastman92.code", it's the section name.
• sections are rellocated and will be written at the end of file, elfManager.header.e_shoff had to be updated.
• rellocated .dynstr (the section pointed by DT_STRTAB), adding two importedentries to it:
  {"libFastman92pluginLoader.so"}, {"ProcessPluginLoading"}
• rellocated .dynsym, adding these two entries to the array.
• reallocated section pointed by DT_JMPREL from dynamic table, added one entry to point into ProcessLoadingPlugin, near my added Jni_OnLoad function
• rellocated program segments, added PT_DYNAMIC entry, which is neccessary, because the program segments are longer a part of the first loadable segment. They're no longer a part of segment with virtual address of 0x0.
• added a simple function, a replacement of Jni_OnLoad which would call an imported symbol ProcessPluginLoading, which is implemented in libFastman92pluginLoader.so, then execute functions from .init_array, then call real an original Jni_OnLoad. A symbol "Jni_OnLoad" had to be pointed to my few function.
• edited dynamic table, added DT_NEEDED with offset of string pointing to "libFastman92pluginLoader.so"
• edited dynamic table, disabled .init_array, set up a size of it to be zero (InitArraySzIt->d_un.d_val = 0;) where auto InitArraySzIt = elfManager.FindFirstEntryInDynamicTableWithTag(0x1B);
• save a new .so file

If you want to learn more about or get the code, feel free to contact me.