SlideShare a Scribd company logo

ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Behavior Exploration

ZongXian Shen
ZongXian Shen

The design memo and hack note of ProbeDroid A dynamic binary instrumentation kit targeting Android(Lollipop) 5.0 and above This is the first complete draft. Improved version will be updated in a few days.

Technology
1 of 53
Download to read offline
ProbeDroid: CraftingYour Own Dynamic Instrument Tool on Android for App Behavior Exploration ZongXian Shen
About Me www.zsshen.org • Passionate Security Researcher and Developer • Earned Master in CS from NCTU,Taiwan • Involved in DSNS Lab andy.zsshen@gmail.com ZSShen @AndyZSShen
Disclaimer • A research project run in my spare time • Still a lot of features to enhance • Slide is the design memo and hack notes
Outline • Intro to dynamic binary instrumentation • Intro to ProbeDroid instrument kit • Design and implementation of ProbeDroid • App analysis with custom instrument tools
Intro to Dynamic Binary Instrumentation
Dynamic Binary Instrumentation • Technique that inserts code into a process to get runtime information or change process behavior without modifying original program binary Definition Source: Intel PIN manual
DBI Application • Performance tuning and bug hunting • Cache performance, memory access footprint • Behavior tracing and data logging • API call sequence, code block control flow relation • Changing process behavior on the fly • Execution path exploration, product hacking
DBI for Android App • Current Android app is mainly coded with Java and run on custom Java runtime named ART • Due to semantic gap, prefer Java level DBI rather than instrumentation directly on native ISA • Class field and object content inspection • Method call sequence and parameter profiling • Changing Java artifacts on the fly
Inspiring Work • ADBI and DDI introduced by Collin Mulliner • https://github.com/crmulliner/adbi • https://github.com/crmulliner/ddi • DBI framework based on Dalvik runtime • Demonstrate how to hook interested Java method and manipulate class field And now ProbeDroid, targeting on ART runtime with enhanced user interface
Intro to ProbeDroid Instrument Kit
ProbeDroid Instrument Kit • Programmable instrumentation • Code your own instrument tools with Java practice • Flexible APIs for you to • Hook interested library or app defined methods • Customize instrument gadgets for different analysis purposes • Modify method in/output to hack app at runtime • Succinct deployment • Only ProbeDroid engine and instrument tools are required • No need to customize Android framework https://github.com/ZSShen/ProbeDroid
ProbeDroid Usage • Source building • Compile launcher, engine, and exported jar • Import jar to Android Studio project for tool creation • Play and hack • Push launcher, engine and tool to experiment device • Run launcher to inject engine to target app ProbeDroid ProjectWiki
Sample Tool Signature of to be instrumented method Create custom instrument gadget Register the gadget to ProbeDroid engine
Sample Tool • Manipulate the trapped input parameters • Do hacks before entering the hooked method • Manipulate the trapped return value • Do hacks after leaving the hooked method
• Be injected into the target app process • Work as a mini runtime • Load and execute the instrument tool • Hook the specified methods and install gadgets • Marshal control flow for hooked methods and gadgets ProbeDroid Tasks Currently support X86 & ARM ISAs and Lollipop 5.0
ProbeDroid Design and Implementation
ProbeDroid Overview Inject Engine Library Launcher Run Library Inited Load Instrument Tool Get Runtime Utilities Hook Specified Methods Method Entered Call Pre-Method Gadget Call Original Method Call Post-Method Gadget 3. Play Music 2. Compose Gadget 1. Deploy Engine 1 & 2 Before App Execution 3 During App Execution
Stage: Deploy Engine libART Android & Java Base Classes libProbeDroid Launcher App Process libART Android & Java Base Classes Zygote Process Attach and Wait for child Control the process Fork process • Library injection • Catch the newly forked app process • Force the app process to load engine library Engine binary Load library
Library Injection • No convenient APIs like WriteProcessMemory() and CreateRemoteThread() dedicated forWindows • Manually crafting ptrace() operation sequence to simulate the procedure on Android
Injection Procedure 1. Attach to Zygote and wait for target app to be forked 2. Attach to app process and release Zygote 3. Resolve the address of mmap() and dlopen() in app process 4. Force app to execute mmap() for stashing library pathname 5. Force app to execute dlopen() for loading engine library Known technique with proper modification
Resolve Function Address /system/lib/libc.so … … … … mmap … … /system/bin/linker … … … … dlopen … … • Resolve /proc/pid/maps for library base address in both processes • Use dlopen() and dlsym() for symbol address in launcher process • Use relative offset to resolve symbol address in app process base_linker Launcher Process addr_dlopen base_libc addr_mmap /system/lib/libc.so … … … … mmap … … /system/bin/linker … … … … dlopen … … App Process (addr_dlopen - base_linker) + base_linker’ base_linker’’ base_libc’’ (addr_mmap - base_libc) + base_libc’’
Remote Function Call 0 0 4096 PROT_READ|WRITE MAP_ANONYMOUS 0 0 base_stack Invalid return address esp  base_stack eip  mmap() eax  addr_libpath 0 4096 PROT_READ|WRITE MAP_ANONYMOUS 0 0 base_stack ARM_sp  base_stack ARM_pc  mmap() ARM_r0  addr_libpath ARM_lr  0 Invalid return address 0 addr_libpath RTLD_NOW Invalid return address base_stack esp  base_stack eip  dlopen() eax  handle_lib ARM_lr  0 addr_libpath RTLD_NOW Invalid return address base_stack ARM_sp  base_stack ARM_pc  dlopen() ARM_r0  handle_lib • Invoke mmap() to allocate space for library path • Invoke dlopen() to load the specified library Force SIGSEGV for wait()
Stage: Compose Gadget libART Android & Java Base Classes App Classes Instrument Classes libProbeDroid Instrument Tool APK App Oat App Process • Bootstrapping • Acquire ART context to start instrument world • Hooks installation • Load instrument tool • Modify ART artifacts to hook interested methods
Bootstrapping • JNI exports helpful utilities for native code to access Java runtime features • ProbeDroid must acquire JNI interface pointer for all the instrument related tasks
JNI Interface Pointer jint JNI_GetCreatedJavaVMs (JavaVM** vms, jsize size, jsize* vm_count); Return Java vm instance pointer of current runtime • First retrieve JavaVM pointer and stash it for subsequent tasks • Then apply JavaVM pointer to acquire per-thread JNIEnv pointer jint AttachCurrentThread (JavaVM* vm, JNIEnv** p_env, void* thr_args); Return JNI interface pointer bound to current thread
Install Hooks • Load instrument gadgets defined in tool APK • Modify ART artifacts to divert the control flow to our space when the specified methods are called
ART Metadata ClassA ClassB ClassZ …… DexCache ArtMethodA ArtMethodB ArtMethodZ …… ArtFieldA ArtFieldB ArtFieldZ …… ClassLoader dex_class_def_idx dex_type_idx Class entry_point_from_ interpreter entry_point_from_ portable_compiled_code entry_point_from_ quick_compiled_code dex_code_item_offset dex_method_index ArtMethod push {r5,r6,r7,lr} sub sp, sp, #16 mov r7, r0 str r0, [sp, #0] …… blx lr code_item ins_size outs_size insns_size insns invoke-super {v1}, AB iget_object v0, v1 if-eqz v0, +3 const/4 v0, #+1 …… native code DEX bytecode
App Compiled Code …… 0x0a: invoke-virtual {v6}, java.lang.ClassLoader android.content.Context.getClassLoader() 0x0d: move-result-object v3 0x0e: invoke-virtual {v3, v7}, java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String) 0x11: move-result-object v0 …… DEX bytecode dex PC: 0x000a …… mov r7, r0 mov r1, r7 mov r2, r11 ldr r0, [r1, #0] dex PC: 0x000e ldr.w r0, [r0, #484] ldr.w lr, [r0, #40] blx lr …… native code Get ClassLoader object Get loadClass() ArtMethod pointer Get compiled code function pointer Branch and link to the callee
Compiled Code Pointer Normal method call flow in most cases Get ArtMethod pointer Get quick compiled code pointer Indirect jump to method code Modify quick compiled code pointer to let it point to hook trampoline Get ArtMethod pointer Get quick compiled code pointer Indirect jump to trampoline Call pre-method gedget Call original method Call post-method gedget
ArtMethod Pointer jmethodID (*GetMethodID) (JNIEnv*, jclass, const char*, const char*); jmethodID (*GetStaticMethodID)(JNIEnv*, jclass, const char*, const char*); jclass (*FindClass)(JNIEnv*, const char*); Get loaded class id by specifying class name Get method id by specifying class id, method name and signature • jmethodID is actually the pointer to ArtMethod class • Refer to art/runtime/art_method.h for ArtMethod class definition and resolve member offset for entry_point_from_quick_compiled_code
About Install Timing • Must be done before the execution of app code • How early is that moment ?
App Init Flow ZygoteInit. runSelectLoop() Wait for forking task from ActivityManager ActivityManagerService. attachApplicationLocked() Handle app initialization and register the relevant metadata ZygoteConnection. handleChildProc() Prepare to specialize the process runtime Call Zygote. forkAndSpecialize() ActivityThread. main() Create an event handler to serve the requests from ActivityManager ActivityThread$H. handleMessage()call ActivityThread.handleBindApplication() Serve requests in event handler: • Load the app Application class • Call its Application.onCreate() Zygote Process App Process ActivityManager Process The base runtime context is ready and the lifecycle management for ContentProvider, Activity, and Service is now started
Install Timing • Before ActivityThread executes Application.onCreate() • The declaring classes of the to be instrumented methods may not be loaded at that early moment • Must intercept the ClassLoader used by ActivityThread to load non-system classes containing app defined methods
Intercept ClassLoader Deploy a special hook for ClassLoader.loadClass() ActivityThread calls ClassLoader.loadClass() Load app Application class ActivityThread calls ClassLoader.loadClass() Intercept app ClassLoader Load declaring classes of target methods Install hooks for target methods Load app Application class• Restore work of ActivityThread • Resolve ArtMethod pointer • Substitute native code pointer • Patch instrument gadget
Stage: Play Music libART Android & Java Base Classes App Classes Instrument Classes libProbeDroid App Process • Method in/output • Extract different types of parameters and return value • Gadget marshalling • Deliver modifiable parameters • Original method invocation • Handle generic method call for different signature types Call method Trap to ProbeDroid Call gadget Call original method
Extract In/Output • Control flow is trapped into trampoline • Extract input parameters for gadget and pass them to the original method • Return from original method • Extract return value for gadget and pass it to caller • How to extract correct data on different ISAs?
Calling Convention Method Register  EAX Entry Spill 1st Chunk  ECX 2nd Chunk  EDX 3rd Chunk  EBX Others stored on stack Return Register Float and Double  XMM0 Long  EAX_EDX Other types  EAX Method Register  R0 Entry Spill 1st Chunk  R1 2nd Chunk  R2 3rd Chunk  R3 Others stored on stack Return Register Double and Long  R0_R1 Float  R0 Other types  R0 X86 ISA ARM ISA • Defined in art/compiler/jni/quick/.* source files • Trampoline must follow the conventions defined on different ISAs
Entry Spill R1 ObjPtr R2 Char R3 Long (Hi) Stk Long (Lo) Int Virtual Method Signature  Func1(CJI)V 1st param 4th param 3rd param 2nd param R1 Byte R2 Double(Hi) R3 Double(Lo) Stk ObjPtr Float Static Method Signature  Func2(BD[SF)V 1st param 4th param 3rd param 2nd param • Parameter index is determined by data type and is not always equal to chunk index • Trampoline must be smart enough to handle this
Marshal Gadgets • Deliver modifiable method in/output for gadgets • Manage object pointer and reference in trampoline
Box In/Output • Trampoline applies JNIs to invoke gadgets • To make primitive in/output modifiable for gadgets, we can box them in wrapper classes byte  Byte short  Short int  Integer long  Long float  Float double  Double boolean  Boolean char  Character • Gadgets manipulate wrapper objects and trampoline must unbox objects for record update when gadgets return
Object Pointer and Reference • Non-primitive data is compiled and managed as object pointer in native code • Object pointer in JNI is boxed and managed as indirect reference that maps to the real pointer jstring str = env->NewStringUTF(“jni0”); env->CallVoidMethod(receiver, method_id, str); Shuffle Function str ObjPtr receiver ObjPtr Indirect Reference Table Ref 1 Idx 1 Ref 2 Idx 2
• Receiver object and non-primitive in/output trapped by trampoline are object pointers • Since JNI only accepts reference, it is necessary to • Wrap object pointers as references to call gadgets • Unwrap reference to object pointer when gadgets return • No exported interface, so manually resolve ART functions relevant to reference management Object Pointer and Reference
Indirect Reference Table struct JNIEnvExt : public JNIEnv { …… void* thread_; void* jvm_; uint32_t local_ref_cookie_; void* local_refs_table_; …… }; Actual definition of JNI interface struct JNIEnvExt : public JNIEnv { …… Thread* const self; JavaVMExt* vm; // Cookie used when using the local // indirect reference table. uint32_t local_ref_cookie; // JNI local references. IndirectReferenceTable locals; …… } Our mirrored structure • Extract the indirect reference table defined in JNIEnvExt structure • Craft a mirrored structure for space layout resolution • Cast JNIEnv pointer to this type for member field access
IndirectRef IndirectReferenceTable:: Add(uint32_t cookie, mirror::Object* obj) bool IndirectReferenceTable:: Remove(uint32_t cookie, IndirectRef iref) Indirect Reference Table mirror::Object* Thread::DecodeJObject(jobject obj) Insert an object pointer and the reference is returned Remove a table entry with the specified reference Get the object pointer with the specified reference • Use dlsym() to resolve ART functions relevant to table manipulation • To fulfill C++ calling convention, pass the table pointer extracted from the casted JNIEnvExt structure as this pointer
Call Original Method • Trampoline never knows the signature type of to be called method until runtime • Impossible to enumerate all the combinations of parameter list and return type with C/C++ • Solution is to make generic function call with assembly programming that fits native ISA
LibFFI • Portable Foreign Function Interface library • Generic C interface to various ISAs that allows users to call functions with signatures specified at runtime • Users apply it to bridge the interpreted and natively compiled code including CPython, OpenJDK, DalvikVM • ProbeDroid uses it to reduce native programming effort LibFFI Project Page
LibFFI Usage ffi_status ffi_prep_cif (ffi_cif *cif, ffi_abi abi, unsigned int nargs, ffi_type *rtype, ffi_type **argtypes) void ffi_call (ffi_cif *cif, void *fn, void *rvalue, void **avalues) FFI context ABI to use Number of parameters Return type specification Parameter types specification FFI context Function pointer To be filled with return value Parameter values to be passed in • Aim to specify function signature • Aim to make generic function call LibFFI API Reference
Generate Function Call at Runtime boolean String.startsWith(String, int) JniEnv* ObjPtr* jmethodID* ObjPtr* Int* ffi_type_ pointer ffi_type_ pointer ffi_type_ pointer ffi_type_ pointer ffi_type_ sint32 Mini Interpreter FFI parameter value array Craft FFI call payload bool* ffi_type_ uint8 FFI parameter type array return value return type
App Analysis with Custom Tools (To be fine tuned with more demo and samples)
Google Maps Demo Forensics for the strings converted from StringBuffer and StringBuilder buffer with tool Click the Picture for demo link StringInspector
Obfuscated App • Detect dynamic code loading and intercept the payload DexClassLoader <init>(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent) More relevant methods … … Field Class.getDeclaredField(String name) Method Class.getDeclaredMethod(String name) Object Field.get(Object object) Object Method.invoke(Object receiver, Object[] args) More relevant methods … … • Resolve the method and field mutated via Java reflection
Instant Messaging App javax.crypto.Cipher.* relevant methods • Useful to analyze crypto algorithm • Resolve app credential (evil ?) android.net.http.* relevant methods • Useful to analyze authentication protocol • Resolve message content (evil ?)
And more app analysis result …

Recommended

(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis
(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis
(CISC 2013) Real-Time Record and Replay on Android for Malware AnalysisZongXian Shen
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS EngineZongXian Shen
 
Reverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android appsReverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android appsGaurav Lochan
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android appsPranay Airan
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsSteelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsTom Keetch
 
Reverse Engineering Android Application
Reverse Engineering Android ApplicationReverse Engineering Android Application
Reverse Engineering Android Applicationn|u - The Open Security Community
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 

Recommended

(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis
(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis
(CISC 2013) Real-Time Record and Replay on Android for Malware AnalysisZongXian Shen
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine
(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS EngineZongXian Shen
 
Reverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android appsReverse engineering and instrumentation of android apps
Reverse engineering and instrumentation of android appsGaurav Lochan
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android appsPranay Airan
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsSteelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsTom Keetch
 
Reverse Engineering Android Application
Reverse Engineering Android ApplicationReverse Engineering Android Application
Reverse Engineering Android Applicationn|u - The Open Security Community
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
Java notes
Java notesJava notes
Java notesChaitanya Rajkumar Limmala
 
Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBoxKelwin Yang
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesAndreaMedeghini
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development KitPeter R. Egli
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
NDK Programming in Android
NDK Programming in AndroidNDK Programming in Android
NDK Programming in AndroidArvind Devaraj
 
Native development kit (ndk) introduction
Native development kit (ndk) introductionNative development kit (ndk) introduction
Native development kit (ndk) introductionRakesh Jha
 
Android Malware and Machine Learning
Android Malware and Machine LearningAndroid Malware and Machine Learning
Android Malware and Machine Learningcaleb194331
 
Android Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and TechniquesAndroid Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and Techniquescaleb194331
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDKSebastian Mauer
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDKBeMyApp
 
Php com con-2011
Php com con-2011Php com con-2011
Php com con-2011LB Denker
 
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and ToolsDroidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and ToolsDario Incalza
 
Unit testing on embedded target with C++Test
Unit testing on embedded target with C++TestUnit testing on embedded target with C++Test
Unit testing on embedded target with C++TestEngineering Software Lab
 
OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0 OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0Michael Vorburger
 
Android NDK
Android NDKAndroid NDK
Android NDKSentinel Solutions Ltd
 
Effective code reviews
Effective code reviewsEffective code reviews
Effective code reviewsSebastian Marek
 
Introduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android ApplicationIntroduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android ApplicationKelwin Yang
 
CDI In Real Life
CDI In Real LifeCDI In Real Life
CDI In Real LifeAntoine Sabot-Durand
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 
Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and ProfitApkudo
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeMário Almeida
 

More Related Content

What's hot

Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBoxKelwin Yang
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesAndreaMedeghini
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development KitPeter R. Egli
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
NDK Programming in Android
NDK Programming in AndroidNDK Programming in Android
NDK Programming in AndroidArvind Devaraj
 
Native development kit (ndk) introduction
Native development kit (ndk) introductionNative development kit (ndk) introduction
Native development kit (ndk) introductionRakesh Jha
 
Android Malware and Machine Learning
Android Malware and Machine LearningAndroid Malware and Machine Learning
Android Malware and Machine Learningcaleb194331
 
Android Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and TechniquesAndroid Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and Techniquescaleb194331
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDKSebastian Mauer
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDKBeMyApp
 
Php com con-2011
Php com con-2011Php com con-2011
Php com con-2011LB Denker
 
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and ToolsDroidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and ToolsDario Incalza
 
Unit testing on embedded target with C++Test
Unit testing on embedded target with C++TestUnit testing on embedded target with C++Test
Unit testing on embedded target with C++TestEngineering Software Lab
 
OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0 OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0Michael Vorburger
 
Introduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android ApplicationIntroduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android ApplicationKelwin Yang
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 

What's hot (20)

Java notes
Java notesJava notes
Java notes
 
Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBox
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on Kubernetes
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development Kit
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
NDK Programming in Android
NDK Programming in AndroidNDK Programming in Android
NDK Programming in Android
 
Native development kit (ndk) introduction
Native development kit (ndk) introductionNative development kit (ndk) introduction
Native development kit (ndk) introduction
 
Android Malware and Machine Learning
Android Malware and Machine LearningAndroid Malware and Machine Learning
Android Malware and Machine Learning
 
Android Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and TechniquesAndroid Deobfuscation: Tools and Techniques
Android Deobfuscation: Tools and Techniques
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDK
 
Introduction to the Android NDK
Introduction to the Android NDKIntroduction to the Android NDK
Introduction to the Android NDK
 
Php com con-2011
Php com con-2011Php com con-2011
Php com con-2011
 
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and ToolsDroidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
 
Unit testing on embedded target with C++Test
Unit testing on embedded target with C++TestUnit testing on embedded target with C++Test
Unit testing on embedded target with C++Test
 
OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0 OpenDaylight Developer Experience 2.0
OpenDaylight Developer Experience 2.0
 
Android NDK
Android NDKAndroid NDK
Android NDK
 
Effective code reviews
Effective code reviewsEffective code reviews
Effective code reviews
 
Introduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android ApplicationIntroduction to Dynamic Analysis of Android Application
Introduction to Dynamic Analysis of Android Application
 
CDI In Real Life
CDI In Real LifeCDI In Real Life
CDI In Real Life
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik Bytecode
 

Viewers also liked

Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and ProfitApkudo
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeMário Almeida
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
IEEE Day 2013 - Reverse Engineering an Android Application
IEEE Day 2013 - Reverse Engineering an Android ApplicationIEEE Day 2013 - Reverse Engineering an Android Application
IEEE Day 2013 - Reverse Engineering an Android ApplicationRufatet Babakishiyev
 

Viewers also liked (6)

Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and Profit
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual Machine
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
IEEE Day 2013 - Reverse Engineering an Android Application
IEEE Day 2013 - Reverse Engineering an Android ApplicationIEEE Day 2013 - Reverse Engineering an Android Application
IEEE Day 2013 - Reverse Engineering an Android Application
 

Similar to ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Behavior Exploration

From MEAN to the MERN Stack
From MEAN to the MERN StackFrom MEAN to the MERN Stack
From MEAN to the MERN StackTroy Miles
 
React Native: The Development Flow
React Native: The Development FlowReact Native: The Development Flow
React Native: The Development FlowRitesh Kumar
 
Android 101 - Introduction to Android Development
Android 101 - Introduction to Android DevelopmentAndroid 101 - Introduction to Android Development
Android 101 - Introduction to Android DevelopmentAndy Scherzinger
 
Android OS & SDK - Getting Started
Android OS & SDK - Getting StartedAndroid OS & SDK - Getting Started
Android OS & SDK - Getting StartedHemant Chhapoliya
 
Detox: tackling the flakiness of mobile automation
Detox: tackling the flakiness of mobile automationDetox: tackling the flakiness of mobile automation
Detox: tackling the flakiness of mobile automationViktorija Sujetaitė
 
Introduction to Software Development
Introduction to Software DevelopmentIntroduction to Software Development
Introduction to Software DevelopmentZeeshan MIrza
 
JDK Tools For Performance Diagnostics
JDK Tools For Performance DiagnosticsJDK Tools For Performance Diagnostics
JDK Tools For Performance DiagnosticsBaruch Sadogursky
 
Android Automation Using Robotium
Android Automation Using RobotiumAndroid Automation Using Robotium
Android Automation Using RobotiumMindfire Solutions
 
WinAppDriver Development
WinAppDriver DevelopmentWinAppDriver Development
WinAppDriver DevelopmentJeremy Kao
 
Accessing Hardware on Android
Accessing Hardware on AndroidAccessing Hardware on Android
Accessing Hardware on AndroidGary Bisson
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationAndreas Kurtz
 
Cordova Tutorial
Cordova TutorialCordova Tutorial
Cordova TutorialJacky Chen
 
Effective Android Development
Effective Android Development Effective Android Development
Effective Android Development Sergii Zhuk
 

Similar to ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Behavior Exploration (20)

React nativebeginner1
React nativebeginner1React nativebeginner1
React nativebeginner1
 
From MEAN to the MERN Stack
From MEAN to the MERN StackFrom MEAN to the MERN Stack
From MEAN to the MERN Stack
 
React Native: The Development Flow
React Native: The Development FlowReact Native: The Development Flow
React Native: The Development Flow
 
Android 101 - Introduction to Android Development
Android 101 - Introduction to Android DevelopmentAndroid 101 - Introduction to Android Development
Android 101 - Introduction to Android Development
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
Android OS & SDK - Getting Started
Android OS & SDK - Getting StartedAndroid OS & SDK - Getting Started
Android OS & SDK - Getting Started
 
Detox: tackling the flakiness of mobile automation
Detox: tackling the flakiness of mobile automationDetox: tackling the flakiness of mobile automation
Detox: tackling the flakiness of mobile automation
 
Android concurrency
Android concurrencyAndroid concurrency
Android concurrency
 
Introduction to Software Development
Introduction to Software DevelopmentIntroduction to Software Development
Introduction to Software Development
 
Android class provider in mumbai
Android class provider in mumbaiAndroid class provider in mumbai
Android class provider in mumbai
 
JDK Tools For Performance Diagnostics
JDK Tools For Performance DiagnosticsJDK Tools For Performance Diagnostics
JDK Tools For Performance Diagnostics
 
Android Automation Using Robotium
Android Automation Using RobotiumAndroid Automation Using Robotium
Android Automation Using Robotium
 
WinAppDriver Development
WinAppDriver DevelopmentWinAppDriver Development
WinAppDriver Development
 
Accessing Hardware on Android
Accessing Hardware on AndroidAccessing Hardware on Android
Accessing Hardware on Android
 
Ionic best practices
Ionic best practicesIonic best practices
Ionic best practices
 
Ionic best practices
Ionic best practicesIonic best practices
Ionic best practices
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 
Cordova Tutorial
Cordova TutorialCordova Tutorial
Cordova Tutorial
 
Effective Android Development
Effective Android Development Effective Android Development
Effective Android Development
 
React Native
React NativeReact Native
React Native
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Behavior Exploration

  • 1. ProbeDroid: CraftingYour Own Dynamic Instrument Tool on Android for App Behavior Exploration ZongXian Shen
  • 2. About Me www.zsshen.org • Passionate Security Researcher and Developer • Earned Master in CS from NCTU,Taiwan • Involved in DSNS Lab andy.zsshen@gmail.com ZSShen @AndyZSShen
  • 3. Disclaimer • A research project run in my spare time • Still a lot of features to enhance • Slide is the design memo and hack notes
  • 4. Outline • Intro to dynamic binary instrumentation • Intro to ProbeDroid instrument kit • Design and implementation of ProbeDroid • App analysis with custom instrument tools
  • 5. Intro to Dynamic Binary Instrumentation
  • 6. Dynamic Binary Instrumentation • Technique that inserts code into a process to get runtime information or change process behavior without modifying original program binary Definition Source: Intel PIN manual
  • 7. DBI Application • Performance tuning and bug hunting • Cache performance, memory access footprint • Behavior tracing and data logging • API call sequence, code block control flow relation • Changing process behavior on the fly • Execution path exploration, product hacking
  • 8. DBI for Android App • Current Android app is mainly coded with Java and run on custom Java runtime named ART • Due to semantic gap, prefer Java level DBI rather than instrumentation directly on native ISA • Class field and object content inspection • Method call sequence and parameter profiling • Changing Java artifacts on the fly
  • 9. Inspiring Work • ADBI and DDI introduced by Collin Mulliner • https://github.com/crmulliner/adbi • https://github.com/crmulliner/ddi • DBI framework based on Dalvik runtime • Demonstrate how to hook interested Java method and manipulate class field And now ProbeDroid, targeting on ART runtime with enhanced user interface
  • 11. ProbeDroid Instrument Kit • Programmable instrumentation • Code your own instrument tools with Java practice • Flexible APIs for you to • Hook interested library or app defined methods • Customize instrument gadgets for different analysis purposes • Modify method in/output to hack app at runtime • Succinct deployment • Only ProbeDroid engine and instrument tools are required • No need to customize Android framework https://github.com/ZSShen/ProbeDroid
  • 12. ProbeDroid Usage • Source building • Compile launcher, engine, and exported jar • Import jar to Android Studio project for tool creation • Play and hack • Push launcher, engine and tool to experiment device • Run launcher to inject engine to target app ProbeDroid ProjectWiki
  • 13. Sample Tool Signature of to be instrumented method Create custom instrument gadget Register the gadget to ProbeDroid engine
  • 14. Sample Tool • Manipulate the trapped input parameters • Do hacks before entering the hooked method • Manipulate the trapped return value • Do hacks after leaving the hooked method
  • 15. • Be injected into the target app process • Work as a mini runtime • Load and execute the instrument tool • Hook the specified methods and install gadgets • Marshal control flow for hooked methods and gadgets ProbeDroid Tasks Currently support X86 & ARM ISAs and Lollipop 5.0
  • 17. ProbeDroid Overview Inject Engine Library Launcher Run Library Inited Load Instrument Tool Get Runtime Utilities Hook Specified Methods Method Entered Call Pre-Method Gadget Call Original Method Call Post-Method Gadget 3. Play Music 2. Compose Gadget 1. Deploy Engine 1 & 2 Before App Execution 3 During App Execution
  • 18. Stage: Deploy Engine libART Android & Java Base Classes libProbeDroid Launcher App Process libART Android & Java Base Classes Zygote Process Attach and Wait for child Control the process Fork process • Library injection • Catch the newly forked app process • Force the app process to load engine library Engine binary Load library
  • 19. Library Injection • No convenient APIs like WriteProcessMemory() and CreateRemoteThread() dedicated forWindows • Manually crafting ptrace() operation sequence to simulate the procedure on Android
  • 20. Injection Procedure 1. Attach to Zygote and wait for target app to be forked 2. Attach to app process and release Zygote 3. Resolve the address of mmap() and dlopen() in app process 4. Force app to execute mmap() for stashing library pathname 5. Force app to execute dlopen() for loading engine library Known technique with proper modification
  • 21. Resolve Function Address /system/lib/libc.so … … … … mmap … … /system/bin/linker … … … … dlopen … … • Resolve /proc/pid/maps for library base address in both processes • Use dlopen() and dlsym() for symbol address in launcher process • Use relative offset to resolve symbol address in app process base_linker Launcher Process addr_dlopen base_libc addr_mmap /system/lib/libc.so … … … … mmap … … /system/bin/linker … … … … dlopen … … App Process (addr_dlopen - base_linker) + base_linker’ base_linker’’ base_libc’’ (addr_mmap - base_libc) + base_libc’’
  • 22. Remote Function Call 0 0 4096 PROT_READ|WRITE MAP_ANONYMOUS 0 0 base_stack Invalid return address esp  base_stack eip  mmap() eax  addr_libpath 0 4096 PROT_READ|WRITE MAP_ANONYMOUS 0 0 base_stack ARM_sp  base_stack ARM_pc  mmap() ARM_r0  addr_libpath ARM_lr  0 Invalid return address 0 addr_libpath RTLD_NOW Invalid return address base_stack esp  base_stack eip  dlopen() eax  handle_lib ARM_lr  0 addr_libpath RTLD_NOW Invalid return address base_stack ARM_sp  base_stack ARM_pc  dlopen() ARM_r0  handle_lib • Invoke mmap() to allocate space for library path • Invoke dlopen() to load the specified library Force SIGSEGV for wait()
  • 23. Stage: Compose Gadget libART Android & Java Base Classes App Classes Instrument Classes libProbeDroid Instrument Tool APK App Oat App Process • Bootstrapping • Acquire ART context to start instrument world • Hooks installation • Load instrument tool • Modify ART artifacts to hook interested methods
  • 24. Bootstrapping • JNI exports helpful utilities for native code to access Java runtime features • ProbeDroid must acquire JNI interface pointer for all the instrument related tasks
  • 25. JNI Interface Pointer jint JNI_GetCreatedJavaVMs (JavaVM** vms, jsize size, jsize* vm_count); Return Java vm instance pointer of current runtime • First retrieve JavaVM pointer and stash it for subsequent tasks • Then apply JavaVM pointer to acquire per-thread JNIEnv pointer jint AttachCurrentThread (JavaVM* vm, JNIEnv** p_env, void* thr_args); Return JNI interface pointer bound to current thread
  • 26. Install Hooks • Load instrument gadgets defined in tool APK • Modify ART artifacts to divert the control flow to our space when the specified methods are called
  • 28. App Compiled Code …… 0x0a: invoke-virtual {v6}, java.lang.ClassLoader android.content.Context.getClassLoader() 0x0d: move-result-object v3 0x0e: invoke-virtual {v3, v7}, java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String) 0x11: move-result-object v0 …… DEX bytecode dex PC: 0x000a …… mov r7, r0 mov r1, r7 mov r2, r11 ldr r0, [r1, #0] dex PC: 0x000e ldr.w r0, [r0, #484] ldr.w lr, [r0, #40] blx lr …… native code Get ClassLoader object Get loadClass() ArtMethod pointer Get compiled code function pointer Branch and link to the callee
  • 29. Compiled Code Pointer Normal method call flow in most cases Get ArtMethod pointer Get quick compiled code pointer Indirect jump to method code Modify quick compiled code pointer to let it point to hook trampoline Get ArtMethod pointer Get quick compiled code pointer Indirect jump to trampoline Call pre-method gedget Call original method Call post-method gedget
  • 30. ArtMethod Pointer jmethodID (*GetMethodID) (JNIEnv*, jclass, const char*, const char*); jmethodID (*GetStaticMethodID)(JNIEnv*, jclass, const char*, const char*); jclass (*FindClass)(JNIEnv*, const char*); Get loaded class id by specifying class name Get method id by specifying class id, method name and signature • jmethodID is actually the pointer to ArtMethod class • Refer to art/runtime/art_method.h for ArtMethod class definition and resolve member offset for entry_point_from_quick_compiled_code
  • 31. About Install Timing • Must be done before the execution of app code • How early is that moment ?
  • 32. App Init Flow ZygoteInit. runSelectLoop() Wait for forking task from ActivityManager ActivityManagerService. attachApplicationLocked() Handle app initialization and register the relevant metadata ZygoteConnection. handleChildProc() Prepare to specialize the process runtime Call Zygote. forkAndSpecialize() ActivityThread. main() Create an event handler to serve the requests from ActivityManager ActivityThread$H. handleMessage()call ActivityThread.handleBindApplication() Serve requests in event handler: • Load the app Application class • Call its Application.onCreate() Zygote Process App Process ActivityManager Process The base runtime context is ready and the lifecycle management for ContentProvider, Activity, and Service is now started
  • 33. Install Timing • Before ActivityThread executes Application.onCreate() • The declaring classes of the to be instrumented methods may not be loaded at that early moment • Must intercept the ClassLoader used by ActivityThread to load non-system classes containing app defined methods
  • 34. Intercept ClassLoader Deploy a special hook for ClassLoader.loadClass() ActivityThread calls ClassLoader.loadClass() Load app Application class ActivityThread calls ClassLoader.loadClass() Intercept app ClassLoader Load declaring classes of target methods Install hooks for target methods Load app Application class• Restore work of ActivityThread • Resolve ArtMethod pointer • Substitute native code pointer • Patch instrument gadget
  • 35. Stage: Play Music libART Android & Java Base Classes App Classes Instrument Classes libProbeDroid App Process • Method in/output • Extract different types of parameters and return value • Gadget marshalling • Deliver modifiable parameters • Original method invocation • Handle generic method call for different signature types Call method Trap to ProbeDroid Call gadget Call original method
  • 36. Extract In/Output • Control flow is trapped into trampoline • Extract input parameters for gadget and pass them to the original method • Return from original method • Extract return value for gadget and pass it to caller • How to extract correct data on different ISAs?
  • 37. Calling Convention Method Register  EAX Entry Spill 1st Chunk  ECX 2nd Chunk  EDX 3rd Chunk  EBX Others stored on stack Return Register Float and Double  XMM0 Long  EAX_EDX Other types  EAX Method Register  R0 Entry Spill 1st Chunk  R1 2nd Chunk  R2 3rd Chunk  R3 Others stored on stack Return Register Double and Long  R0_R1 Float  R0 Other types  R0 X86 ISA ARM ISA • Defined in art/compiler/jni/quick/.* source files • Trampoline must follow the conventions defined on different ISAs
  • 38. Entry Spill R1 ObjPtr R2 Char R3 Long (Hi) Stk Long (Lo) Int Virtual Method Signature  Func1(CJI)V 1st param 4th param 3rd param 2nd param R1 Byte R2 Double(Hi) R3 Double(Lo) Stk ObjPtr Float Static Method Signature  Func2(BD[SF)V 1st param 4th param 3rd param 2nd param • Parameter index is determined by data type and is not always equal to chunk index • Trampoline must be smart enough to handle this
  • 39. Marshal Gadgets • Deliver modifiable method in/output for gadgets • Manage object pointer and reference in trampoline
  • 40. Box In/Output • Trampoline applies JNIs to invoke gadgets • To make primitive in/output modifiable for gadgets, we can box them in wrapper classes byte  Byte short  Short int  Integer long  Long float  Float double  Double boolean  Boolean char  Character • Gadgets manipulate wrapper objects and trampoline must unbox objects for record update when gadgets return
  • 41. Object Pointer and Reference • Non-primitive data is compiled and managed as object pointer in native code • Object pointer in JNI is boxed and managed as indirect reference that maps to the real pointer jstring str = env->NewStringUTF(“jni0”); env->CallVoidMethod(receiver, method_id, str); Shuffle Function str ObjPtr receiver ObjPtr Indirect Reference Table Ref 1 Idx 1 Ref 2 Idx 2
  • 42. • Receiver object and non-primitive in/output trapped by trampoline are object pointers • Since JNI only accepts reference, it is necessary to • Wrap object pointers as references to call gadgets • Unwrap reference to object pointer when gadgets return • No exported interface, so manually resolve ART functions relevant to reference management Object Pointer and Reference
  • 43. Indirect Reference Table struct JNIEnvExt : public JNIEnv { …… void* thread_; void* jvm_; uint32_t local_ref_cookie_; void* local_refs_table_; …… }; Actual definition of JNI interface struct JNIEnvExt : public JNIEnv { …… Thread* const self; JavaVMExt* vm; // Cookie used when using the local // indirect reference table. uint32_t local_ref_cookie; // JNI local references. IndirectReferenceTable locals; …… } Our mirrored structure • Extract the indirect reference table defined in JNIEnvExt structure • Craft a mirrored structure for space layout resolution • Cast JNIEnv pointer to this type for member field access
  • 44. IndirectRef IndirectReferenceTable:: Add(uint32_t cookie, mirror::Object* obj) bool IndirectReferenceTable:: Remove(uint32_t cookie, IndirectRef iref) Indirect Reference Table mirror::Object* Thread::DecodeJObject(jobject obj) Insert an object pointer and the reference is returned Remove a table entry with the specified reference Get the object pointer with the specified reference • Use dlsym() to resolve ART functions relevant to table manipulation • To fulfill C++ calling convention, pass the table pointer extracted from the casted JNIEnvExt structure as this pointer
  • 45. Call Original Method • Trampoline never knows the signature type of to be called method until runtime • Impossible to enumerate all the combinations of parameter list and return type with C/C++ • Solution is to make generic function call with assembly programming that fits native ISA
  • 46. LibFFI • Portable Foreign Function Interface library • Generic C interface to various ISAs that allows users to call functions with signatures specified at runtime • Users apply it to bridge the interpreted and natively compiled code including CPython, OpenJDK, DalvikVM • ProbeDroid uses it to reduce native programming effort LibFFI Project Page
  • 47. LibFFI Usage ffi_status ffi_prep_cif (ffi_cif *cif, ffi_abi abi, unsigned int nargs, ffi_type *rtype, ffi_type **argtypes) void ffi_call (ffi_cif *cif, void *fn, void *rvalue, void **avalues) FFI context ABI to use Number of parameters Return type specification Parameter types specification FFI context Function pointer To be filled with return value Parameter values to be passed in • Aim to specify function signature • Aim to make generic function call LibFFI API Reference
  • 48. Generate Function Call at Runtime boolean String.startsWith(String, int) JniEnv* ObjPtr* jmethodID* ObjPtr* Int* ffi_type_ pointer ffi_type_ pointer ffi_type_ pointer ffi_type_ pointer ffi_type_ sint32 Mini Interpreter FFI parameter value array Craft FFI call payload bool* ffi_type_ uint8 FFI parameter type array return value return type
  • 49. App Analysis with Custom Tools (To be fine tuned with more demo and samples)
  • 50. Google Maps Demo Forensics for the strings converted from StringBuffer and StringBuilder buffer with tool Click the Picture for demo link StringInspector
  • 51. Obfuscated App • Detect dynamic code loading and intercept the payload DexClassLoader <init>(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent) More relevant methods … … Field Class.getDeclaredField(String name) Method Class.getDeclaredMethod(String name) Object Field.get(Object object) Object Method.invoke(Object receiver, Object[] args) More relevant methods … … • Resolve the method and field mutated via Java reflection
  • 52. Instant Messaging App javax.crypto.Cipher.* relevant methods • Useful to analyze crypto algorithm • Resolve app credential (evil ?) android.net.http.* relevant methods • Useful to analyze authentication protocol • Resolve message content (evil ?)
  • 53. And more app analysis result …