Android Reverse Engineering tools Not the Usual Suspects. Axelle Apvrille - Fortinet

Similar documents
ANDROID REVERSE ENGINEERING TOOLS: NOT THE USUAL SUSPECTS Axelle Apvrille Fortinet, France

Android Malware Reverse Engineering

droidcon Greece Thessaloniki September 2015

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Playing Hide and Seek with Dalvik Executables

Android System Development Training 4-day session

CS260 Intro to Java & Android 04.Android Intro

Small footprint inspection techniques for Android

GreHack. Pre-filtering Mobile Malware with. Heuristic Techniques. Institut Mines-Telecom

Android Debugging ART

InsomniDroid CrackMe Spoiler Insomni hack 2012

Mobile hacking. Marit Iren Rognli Tokle

Android meets Docker. Jing Li

Reverse Engineering Malware Binary Obfuscation and Protection

Thursday, October 25, 12. How we tear into that little green man

Android Reverse Engineering Tools From an anti-virus analyst's perspective

Reverse Engineering Malware Dynamic Analysis of Binary Malware II

Reconstructing DALVIK. Applications. Marc Schönefeld CANSECWEST 2009, MAR18

Background. How it works. Parsing. Virtual Deobfuscator

A Hands on Introduction to Docker

Android Application Sandbox. Thomas Bläsing DAI-Labor TU Berlin

Classification Techniques

SD Module- Android Programming

Breaking and Securing Mobile Apps

Man in the middle attack on TextSecure Signal. David Wind IT SeCX 2015

Lecture 1 - Introduction to Android

Mobile Hacking & Security. Ir. Arthur Donkers & Ralph Moonen, ITSX

Hacking a Moving Target

Mobile application tamper detection scheme using dynamic code injection against repackaging attacks

Android Analysis Tools. Yuan Tian

Android App Development

Technical Report. Verifying the Integrity of Open Source Android Applications. Michael Macnair. RHUL MA March 2015

Man in the Middle Attacks and Secured Communications

Unpacking the Packed Unpacker

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

IJRDTM Kailash ISBN No Vol.17 Issue

Dockerfile & docker CLI Cheat Sheet

Android. (XKE Mars 2009) Erwan Alliaume.

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Choose OS and click on it

IP Protection in Java Based Software

Android App Development. Muhammad Sharjeel COMSATS Institute of Information Technology, Lahore

Are Your Mobile Apps Well Protected? Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic Unviersity

SD Card with Eclipse/Emulator

SQL Server containers with in-container data

Android: Under the Hood. GDG-SG DevFest 5th Nov 2016 Jason Zaman

CUHK CSE ADAM: An Automatic & Extensible Platform Stress Test Android Anti-Virus Systems John Spark Patrick C.S. Lui ZHENG Min P.C.

Red Hat Containers Cheat Sheet

A Framework for Evaluating Mobile App Repackaging Detection Algorithms

Docker Cheat Sheet. Introduction

Ethical Hacking Konferencia 2015

Abusing Android In-app Billing feature thanks to a misunderstood integration. Insomni hack 18 22/03/2018 Jérémy MATOS

VirtualSwindle: An Automated Attack Against In-App Billing on Android

A Method-Based Ahead-of-Time Compiler For Android Applications

Introduction to Android development

Introduction. Lecture 1. Operating Systems Practical. 5 October 2016

MultiBrowser Documentation

CTF Workshop. Crim Synopsys, Inc. 1

The Security of Android APKs

PVS Deployment in the Cloud. Last Updated: June 17, 2016

/ Cloud Computing. Recitation 5 September 27 th, 2016

BrowseEmAll Documentation

SECURE2013 ANDROTOTAL A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING

Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via

Sista: Improving Cog s JIT performance. Clément Béra

The missing link in the chain? Android network analysis. Rowland Yu Senior Threat Researcher II

Who is Docker and how he can help us? Heino Talvik

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edit9on

Japan Linux Symposium Daisuke Numaguchi Tetsuo Handa Giuseppe La Tona NTT DATA CORPORATION

Mobile OS. Symbian. BlackBerry. ios. Window mobile. Android

Chapter 2. Operating-System Structures

IEMS 5722 Mobile Network Programming and Distributed Server Architecture

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

ID: Sample Name: badoo.apk Cookbook: defaultandroidfilecookbook.jbs Time: 12:51:18 Date: 29/05/2018 Version:

Android SDK under Linux

Operating Systems (2INC0) 2018/19. Introduction (01) Dr. Tanir Ozcelebi. Courtesy of Prof. Dr. Johan Lukkien. System Architecture and Networking Group

BUILDING A TEST ENVIRONMENT FOR ANDROID ANTI-MALWARE TESTS Hendrik Pilz AV-TEST GmbH, Klewitzstr. 7, Magdeburg, Germany

File System Interpretation

Reversing with Radare2.

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

Open Mobile Platforms. EE 392I, Lecture-6 May 4 th, 2010

Introduction to MATLAB application deployment

/ Cloud Computing. Recitation 5 February 14th, 2017

Chapter 2: Operating-System Structures

Obfuscating Transformations. What is Obfuscator? Obfuscation Library. Obfuscation vs. Deobfuscation. Summary

Git Command Line Tool Is Not Installed

Dissecting the Dyre Loader

Installing and configuring an Android device emulator. EntwicklerCamp 2012

Optimization Techniques

T Jarkko Turkulainen, F-Secure Corporation

ID: Sample Name: com.cleanmaster.mguard_ apk Cookbook: defaultandroidfilecookbook.jbs Time: 18:32:59 Date: 27/02/2018 Version: 22.0.

Copyright

Dr. Memory MEMORY DEBUGGER FOR WINDOWS AND LINUX WGM #47 GUSTAVO ROVELO MARCH 1 ST, 2012

Wirtschaftsinformatik Skiseminar ao. Prof. Dr. Rony G. Flatscher. Seminar paper presentation Dennis Robert Stöhr

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edition

Research compiler that will become Scala 3 Type system internals redesigned, inspired by DOT, but externally very similar More info:

Singularity: container formats

12.1 Introduction OpenCV4Android SDK Getting the SDK

Command-line arguments processing in bash

No con Name Facebook CTF Quals 2013

Transcription:

Android Reverse Engineering tools Not the Usual Suspects Axelle Apvrille - Fortinet aapvrille@fortinet.com Virus Bulletin, October 2017

Virus Bulletin Oct 2017 - A. Apvrille 2/34 Outline 1 Docker environment 2 JEB2 scripting 3 Debugging 4 MITM 5 Radare2

Virus Bulletin Oct 2017 - A. Apvrille 3/34 Docker container with Android RE environment You can share it with peers Install is as simple as: Portable (Windows, Linux, Mac...) docker pull cryptax/android-re

Virus Bulletin Oct 2017 - A. Apvrille 3/34 Docker container with Android RE environment Download size: a few MB to 3 GB in worst cases

Virus Bulletin Oct 2017 - A. Apvrille 3/34 Docker container with Android RE environment Lighter + better perf than a VM Download size with VirtualBox: 5 GB

Docker container with Android RE environment Open source: you can customize, enhance the container, easier to maintain Dockerfile: http://github.com/cryptax/androidre Virus Bulletin Oct 2017 - A. Apvrille 3/34

Demo Virus Bulletin Oct 2017 - A. Apvrille 4/34

Virus Bulletin Oct 2017 - A. Apvrille 5/34 Launching several daemons in a container Problem CMD [ "command1" ] CMD [ "command2" ] Second command supersedes first one :( Solution: Task Manager Install supervisor Configure /etc/supervisor/conf.d/supervisord.conf to launch both cmd1 and cmd2 CMD [ "/usr/bin/supervisord" ]

Virus Bulletin Oct 2017 - A. Apvrille 6/34 Installing the Android SDK It can be scripted! RUN wget -q -O "/opt/tools-linux.zip" https://dl.google.com/android/repository/tools_ $ANDROID_SDK_VERSION-linux.zip RUN unzip /opt/tools-linux.zip -d /opt/android-sdk-linux RUN echo y android update sdk --filter tools --no-ui --force -a RUN echo y android update sdk --filter platform-tools --no-ui --force -a...

Virus Bulletin Oct 2017 - A. Apvrille 7/34 Outline 1 Docker environment 2 JEB2 scripting 3 Debugging 4 MITM 5 Radare2

Virus Bulletin Oct 2017 - A. Apvrille 8/34 JEB2 scripts: automating reverse engineering tasks Note: I am not affiliated to PNF software

Virus Bulletin Oct 2017 - A. Apvrille 9/34 Case study: De-obfuscate Android/Ztorg strings Android/Ztorg is an active family of advanced Android trojan: Anti-emulator features String obfuscation Downloads remote content Our goal: de-obfuscate strings d.a = c.a(new byte[]{13, 73, 66,...}); d.a = channel/channel.txt ;

Virus Bulletin Oct 2017 - A. Apvrille 10/34 Get inspiration from existing scripts $ cd./scripts $ ls JEB2AsyncTask.py JEB2JavaASTDecryptStrings.py JEB2JavaASTDemo.py... Open and edit JEB2JavaASTDecryptStrings.py Resources: https://github.com/pnfsoftware/ jeb2-samplecode/tree/master/scripts

Virus Bulletin Oct 2017 - A. Apvrille 11/34 Get first opened project = sample class JEB2JavaASTDecryptStrings(IScript): def run(self, ctx): engctx = ctx.getenginescontext() if not engctx: print('back-end engines not initialized') return projects = engctx.getprojects() # get all opened projects if not projects: print('there is no opened project') return prj = projects[0] # get first project

Virus Bulletin Oct 2017 - A. Apvrille 12/34 Get decompiled code units = decompiled class Our script will process all decompiled sources we have opened. self.codeunit = RuntimeProjectUtil.findUnitsByType(prj, ICodeUnit, False)[0] # bytecode disassembly self.units = RuntimeProjectUtil.findUnitsByType(prj, IJavaSourceUnit, False) # Java source

Virus Bulletin Oct 2017 - A. Apvrille 13/34 Remove code specific to Android/Obad Remove this: completely different for Android/Ztorg! if not projects: print('there is no opened project') return prj = projects[0]... # the encryption keys could be determined by analyzing the decryption method self.targetclass = 'MainActivity' self.keys = [409, 62, -8]... units = RuntimeProjectUtil.findUnitsByType(prj, IJavaSourceUnit, False)

Virus Bulletin Oct 2017 - A. Apvrille 14/34 Get class object for unit in self.units: # for each decompiled source javaclass = unit.getclasselement() # get class The type of javaclass is IJavaClass

Virus Bulletin Oct 2017 - A. Apvrille 15/34 Locate static constructor In Android/Ztorg, obfuscated strings are grouped in the static constructor. Let s locate the static constructor of our class. for m in javaclass.getmethods(): if m.getname() == '<clinit>': # only in static constructors

Virus Bulletin Oct 2017 - A. Apvrille 16/34 Locate an assignment Methods (and constructors) are made of statements (lines). value = c.a(...); We are looking for a assignment. Resource: List of statement types for statement in m.getbody(): # read all lines if statement.getelementtype() == JavaElementType. Assignment :

Virus Bulletin Oct 2017 - A. Apvrille 17/34 Locating calls to de-obfuscating routine d.a = c.a( byte array ); left : the variable d.a right : what we assign In our case, we are interested in lines with a call to our de-obfuscating routine c.a() decode_method = 'La/b/c;->a([B)Ljava/lang/String;' # prototype of deobfuscation routine if isinstance( statement.getright(),ijavacall) and statement.getright().getmethod().getsignature() == decode_method}:

Virus Bulletin Oct 2017 - A. Apvrille 18/34 Retrieve the obfuscated bytes 1 Get the arguments of our call 2 Is it a new byte []...? d.a = c.a( new byte[]{13, 73, 66, 75, 6...} ); 3 If so, get the values and store them in a Python array (encbytes) for argument in elem. getarguments() : if isinstance(argument, IJavaNewArray): encbytes = [] for v in argument.getinitialvalues(): # retrieve the encoded values encbytes.append(v.getbyte())

Virus Bulletin Oct 2017 - A. Apvrille 19/34 De-obfuscate the bytes Implement the routine in Python, using reverse engineering of sample def decodebytes(self, buf): key0 = buf[0] key1 = buf[len(buf)-1] # copy buffer result = buf[1:len(buf)-1] # decode for i in range(0, len(result)): result[i] = result[i] ^ key1 result[i] = result[i] ^ key0 return result

Virus Bulletin Oct 2017 - A. Apvrille 20/34 Modify the line and replace with de-obfuscated string replacesubelement replaces part of a statement replacesubelement( oldelement, newelement ) oldelement is c.a(new byte [] {...}) newelement is the deobfuscated string Convert byte [] to string:.join(map(chr, decbytes)) decbytes = self.decodebytes(encbytes) deobfuscated string = self.cstbuilder.createstring (''.join(map(chr,decbytes))) father.replacesubelement( elem, deobfuscated string )

Virus Bulletin Oct 2017 - A. Apvrille 21/34 Notify / Refresh the UI unit.notifylisteners(jebevent(j.unitchange)) DONE - JEB2 script is finished

Virus Bulletin Oct 2017 - A. Apvrille 22/34 Have a look As simple as loading the script and so helpful http://github.com/cryptax/misc-code

Virus Bulletin Oct 2017 - A. Apvrille 23/34 Outline 1 Docker environment 2 JEB2 scripting 3 Debugging 4 MITM 5 Radare2

Virus Bulletin Oct 2017 - A. Apvrille 24/34 Running a sample step by step Rather heavy Launches an Android emulator Recompiles the sample (check corporate ethics) Has improved much since March 2017 JEB2 You can also jump into native ARM code! https://www.pnfsoftware.com CodeInspect It s not smali, it s not Java, it s... Jimple! https://codeinspect.sit.fraunhofer.de/

Virus Bulletin Oct 2017 - A. Apvrille 25/34 Step debugging with CodeInspect Problem: Riskware/InnerSnail!Android loads a DEX file, but it s difficult to find its name with static analysis. Solution: step debug the riskware Note: I am not affiliated to CodeInspect

Step debugging with CodeInspect (backup slide) Virus Bulletin Oct 2017 - A. Apvrille 26/34

Virus Bulletin Oct 2017 - A. Apvrille 27/34 Outline 1 Docker environment 2 JEB2 scripting 3 Debugging 4 MITM 5 Radare2

Virus Bulletin Oct 2017 - A. Apvrille 28/34 HTTPS Flow inspection HTTPS @50x12b1fAJxFF291s Encrypted data Internet

Virus Bulletin Oct 2017 - A. Apvrille 28/34 HTTPS Flow inspection Man in the middle Internet Read all data (and modify)

Virus Bulletin Oct 2017 - A. Apvrille 28/34 HTTPS Flow inspection Man in the middle Internet Read all data (and modify) Tool: mitmproxy

Virus Bulletin Oct 2017 - A. Apvrille 29/34 HTTPS Flow inspection Proxy settings CA I am the CA adb push mitmproxy-ca.cer

Virus Bulletin Oct 2017 - A. Apvrille 29/34 HTTPS Flow inspection $./mitmproxy Proxy settings CA I am the CA adb push mitmproxy-ca.cer

Mitmproxy: example on Android Virus Bulletin Oct 2017 - A. Apvrille 30/34

Virus Bulletin Oct 2017 - A. Apvrille 31/34 Outline 1 Docker environment 2 JEB2 scripting 3 Debugging 4 MITM 5 Radare2

Virus Bulletin Oct 2017 - A. Apvrille 32/34 Demo Radare2 de-obfuscating script on Android/Ztorg http://github.com/cryptax/misc-code

Virus Bulletin Oct 2017 - A. Apvrille 33/34 Radare2 for Dalvik: take away Shortest cheat sheet ever ;-) Launch: r2 classes.dex Searching: iz mystring, ic mystring, afl mystring Cross references to: axt name, from: axf name Comment: CC mycomment R2 scripts In the script: import r2pipe r2p = r2pipe.open() r2p.cmd('s 0xdeadbeef') # launch a R2 command Launching the script: #!pipe python file.py args

Virus Bulletin Oct 2017 - A. Apvrille 34/34 Thanks for your attention! Questions? Shameless ad Smart devices CTF (including Android) Nov 29 - French riviera https://ph0wn.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback