SlideShare a Scribd company logo

Inc0gnito 2015 Android DEX Analysis Technique

남준 김
남준 김

KIM NAMJUN (SEJONG SECURITY GROUP)

Engineering
1 of 60
Download to read offline
Android Deep DEX Analysis Technique 세종대학교 SSG 김남준
S.S.G In this session.. • How Android translate DEX file format inside APK file • Deep Analysis of DEX file (class, method recovery) • Translate DEX bytecode • How we extract information from malicious DEX file • Apply to Real World (smishing.kr) 2015. 8. 28. 2
S.S.G About Speaker • 김남준 (20) 세종대학교 정보보호학과 15 (고3 탈출!) + 작년 고등학생 인코 발표자 Newbie of Sejong Security Group UpRoot Researcher KITRI Best of the Best 3기 여친구함
 
 E-mail : admin@smishing.kr 
 Blog : blog.smishing.kr
 Web : smishing.kr
 2015. 8. 28. 3 Special Thanks to @공기반여자반 Pictured by @유정빈
S.S.G What is DEX file • Dalvik Executable File Format • Specially designed for Embedded System • It can run on DVM inside Android • Actually, DVM is different between JVM 2015. 8. 28. 4
S.S.G Standard Android Translation Process 2015. 8. 28. 5 JAVA Code Dalvik bytecode public class MainActivity.. { public static void onCreate(s..) { super.onCreate(savedInsta..) .. public string TAG = “S.S.G”; Log.i(TAG, “sejong S.S.G”); } } .class public Lbunseokbot/MainActivity .source MainActivity.java .method public static onCreate(..)V const-string v0, “S.S.G” const-string v1, “sejong S.S.G” invoke-static {v0, v1}, L/android/util/Log -> i(Ljava/lang/String;Ljava/lang/String;)I return-void
S.S.G Building Android Application 2015. 8. 28. 6 JAVA Code Translator Dalvik Bytecode
S.S.G Translator 2015. 8. 28. 7 Java Translator Dalvik Translator
S.S.G Java Language • Object-Oriented Programming Language • Easy to “DECOMPILE” • Running on Java Virtual Machine as “JAR” File • Actually, JVM is different between DVM • use for “native” (NOT JNI) Android Programming 2015. 8. 28. 8
S.S.G Different between JAR and DEX • Java Archive File -> Package File Format • Java class files + metadata + resources • each class have independent class file • “Class Level File Management” 2015. 8. 28. 9
S.S.G Different between JAR and DEX • Dalvik Execution File • Single DEX file • specified for Embedded..? (Mobile, PDA..?) 2015. 8. 28. 10
S.S.G Different between JVM and DVM 2015. 8. 28. 11 Dalvik Virtual Machine Java Virtual Machine Register Based Stack Based Constant Pool per Application Constant Pool per Class Supply Just-In Time Execution
S.S.G We have to understand and Translate DEX File as different technique 2015. 8. 28. 12
S.S.G Normally.. we use “dex2jar” 2015. 8. 28. 13
S.S.G or.. baksmali! 2015. 8. 28. 14 How baksmali translate it?
S.S.G inside DEX file 2015. 8. 28. 15 Header string_ids type_ids proto_ids Method, Class.. Standalone DEX file Header Info item size item offset Header Structure
S.S.G inside DEX file 2015. 8. 28. 16 Header string_ids type_ids proto_ids Method, Class.. String where code contains (only Address) Class, Method type container (only Address) Class, Method parameter return info (only Address) real Method, Class, Field, Data container
S.S.G inside DEX file 2015. 8. 28. 17 Header Info item size item offset Header Section-name
S.S.G Now, We analyze DEX file 2015. 8. 28. 18 public class MyActivity extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); Log.i(“S.S.G”, “DEX File Analyze Testing”); } } Log/i S.S.G DEX File Analyze Testing
S.S.G How to Analysis DEX file 2015. 8. 28. 19 • DEX Parser for Python v0.0.1 • https://github.com/bunseokbot/dexparser • pip install dexparser
S.S.G 1. DEX Header 2015. 8. 28. 20
S.S.G 1. DEX Header 2015. 8. 28. 21 d.header_info() -> Dictionary Type d.header_info()[‘string_ids_size’] d.header_info()[‘string_ids_off’]
S.S.G 2. Parse string_ids section 2015. 8. 28. 22 • 1. extract string_ids section offset, size • 2. parse string_data offset for access string_data_item • 3. translate to Language from string_data_item
S.S.G 2. Parse string_ids section 2015. 8. 28. 23
S.S.G 2. Parse string_ids section 2015. 8. 28. 24
S.S.G 2. Parse string_ids section 2015. 8. 28. 25 0x40001000 0x40001000 My Test DEX Parser Test String MyActivity LLVM string_ids_item string_data_item
S.S.G 2. Parse string_ids section 2015. 8. 28. 26
S.S.G 3. Parse type_ids section 2015. 8. 28. 27 search from string_ids
S.S.G 3. Parse type_ids section 2015. 8. 28. 28 this is descriptor_idx list
S.S.G 3. Parse type_ids section 2015. 8. 28. 29
S.S.G 3. Parse type_ids section 2015. 8. 28. 30 http://source.android.com/devices/tech/dalvik/dex-format.html#top
S.S.G 4. Parse proto_ids section 2015. 8. 28. 31
S.S.G 4. Parse proto_ids section 2015. 8. 28. 32 parameters_offset Access to “data” section directly and parse offset
S.S.G 4. Parse proto_ids section 2015. 8. 28. 33
S.S.G 4. Parse proto_ids section 2015. 8. 28. 34
S.S.G 5. get Method Information 2015. 8. 28. 35
S.S.G 5. get Method Information 2015. 8. 28. 36 string_ids type_ids proto_ids method_ids
S.S.G 5. get Method Information 2015. 8. 28. 37
S.S.G 5. get Method Information 2015. 8. 28. 38
S.S.G 6. get Class Information 2015. 8. 28. 39 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off each class have it
S.S.G 6. get Class Information 2015. 8. 28. 40 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off ACCESS_FLAG Source File index associated class data offset class level static value offset
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 41 VARIOUS TYPE OF ACCESS_FLAG!
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 42 public static void myFunction() {} ACC_PUBLIC = 0x1 ACC_STATIC = 0x8 —————————— ACCESS_FLAG = 0x9
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 43
S.S.G 6. class_data_item 2015. 8. 28. 44 static_fields_size direct_method_size instance_fields_size direct_methods instances_fields static_fields virtual_method_size virtual_methods each class have it
S.S.G 6. class_data_item 2015. 8. 28. 45
S.S.G 6. leb128? 2015. 8. 28. 46 • Little-Endian Based 128 • Type : Unsigned & Signed • following DWARF Format • for encoding variable-length, arbitrary signed or unsigned int
S.S.G 6. leb128? 2015. 8. 28. 47 return value is (result, size)
S.S.G 6. get Class Information! 2015. 8. 28. 48
S.S.G 6. get Class Information! 2015. 8. 28. 49
S.S.G Apply to Real World 2015. 8. 28. 50 • smishing.kr
S.S.G isolate Real Permission 2015. 8. 28. 51 • Usually, Android Malware Analyzer’s check this thing!
 “Searching Permission info from AndroidManifest.xml” • BUT.. • Recently, Attacker register all uses-permission to AndroidManifest.xml
S.S.G isolate Real Permission 2015. 8. 28. 52 android.permission.* • If application want to use Permission such as INTERNET, ACCESS_COURSE_LOCATION. They must call “Authorized Function”
S.S.G Logical Permission Enforcement 2015. 8. 28. 53 Marakana Inc. Andsec
S.S.G isolate Real Permission 2015. 8. 28. 54 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
S.S.G isolate Real Permission 2015. 8. 28. 55 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
S.S.G For Example.. 2015. 8. 28. 56 android.permission.INTERNET invoke-direct {v0, v1}, Lorg/../HttpGet;-><init>(Ljava/lang/String;)V Lorg/../HttpGet class “Approve” to access Internet Module Network connection success!
S.S.G Where to get Function Mapping.. 2015. 8. 28. 57 • inside Android Source…? • “Androguard” have it • https://github.com/androguard/androguard
S.S.G in Androguard 2015. 8. 28. 58 • in androguard/core/bytecodes/api_permission.py
S.S.G Conclusion 2015. 8. 28. 59 • DEX have “Simple” structure • source.android.com have specific DEX file info • If you use “dexparser” in Python, You’ll be easy to parse DEX and analyze. • DEXCrypt, DEXGuard have same structure! • DEX Research is very fun!
S.S.G2015. 8. 28. 감사합니다

Recommended

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 
Dancing with dalvik
Dancing with dalvikDancing with dalvik
Dancing with dalvikThomas Richards
 
The dedexer disassembler
The dedexer disassemblerThe dedexer disassembler
The dedexer disassemblerGabor Paller
 
How to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineHow to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineChun-Yu Wang
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)Ron Munitz
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovSvetlin Nakov
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)Ron Munitz
 

Recommended

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 
Dancing with dalvik
Dancing with dalvikDancing with dalvik
Dancing with dalvikThomas Richards
 
The dedexer disassembler
The dedexer disassemblerThe dedexer disassembler
The dedexer disassemblerGabor Paller
 
How to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineHow to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineChun-Yu Wang
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)Ron Munitz
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovSvetlin Nakov
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)Ron Munitz
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeAlexander Shopov
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
Android JNI
Android JNIAndroid JNI
Android JNISiva Ramakrishna kv
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeAlexander Shopov
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeAlexander Shopov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateAnton Keks
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: BasicsAnton Keks
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionGanesh Samarthyam
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOPAnton Keks
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompileryiwei yang
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaAjay Sharma
 
Java se7 features
Java se7 featuresJava se7 features
Java se7 featuresKumaraswamy M
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsAnton Keks
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo imagesESUG
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7Deniz Oguz
 
Core java
Core javaCore java
Core javakasaragaddaslide
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)arvind pandey
 
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixManish Pandit
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyMałgorzata Borzęcka
 

More Related Content

What's hot

Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeAlexander Shopov
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeAlexander Shopov
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeAlexander Shopov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateAnton Keks
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: BasicsAnton Keks
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionGanesh Samarthyam
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOPAnton Keks
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompileryiwei yang
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaAjay Sharma
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsAnton Keks
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo imagesESUG
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7Deniz Oguz
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)arvind pandey
 

What's hot (20)

Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java Bytecode
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applications
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java Bytecode
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During Lunchtime
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, Hibernate
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: Basics
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - Description
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOP
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserialization
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompiler
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
 
Java se7 features
Java se7 featuresJava se7 features
Java se7 features
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & Encodings
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo images
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7
 
Core java
Core javaCore java
Core java
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)
 

Similar to Inc0gnito 2015 Android DEX Analysis Technique

OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixManish Pandit
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyMałgorzata Borzęcka
 
7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script TaskPramod Singla
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension DevelopmentDrew Skwiers-Koballa
 
Vortex Tutorial -- Part I
Vortex Tutorial -- Part IVortex Tutorial -- Part I
Vortex Tutorial -- Part IAngelo Corsaro
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondGuardSquare
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondGuardSquare
 
Building Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSBuilding Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSMats Bryntse
 
Multi-tenancy with Rails
Multi-tenancy with RailsMulti-tenancy with Rails
Multi-tenancy with RailsPaul Gallagher
 
Getting started with titanium
Getting started with titaniumGetting started with titanium
Getting started with titaniumNaga Harish M
 
How to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseHow to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseSpeedment, Inc.
 
Silicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSilicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSpeedment, Inc.
 
Machine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeMachine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeDatabricks
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Getting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumGetting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumTechday7
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudRick Bilodeau
 
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudStreamsets Inc.
 

Similar to Inc0gnito 2015 Android DEX Analysis Technique (20)

OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in Technology
 
7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension Development
 
PrismTech Vortex Tutorial Part 1
PrismTech Vortex Tutorial Part 1PrismTech Vortex Tutorial Part 1
PrismTech Vortex Tutorial Part 1
 
Vortex Tutorial -- Part I
Vortex Tutorial -- Part IVortex Tutorial -- Part I
Vortex Tutorial -- Part I
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyond
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyond
 
Building Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSBuilding Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JS
 
Multi-tenancy with Rails
Multi-tenancy with RailsMulti-tenancy with Rails
Multi-tenancy with Rails
 
Getting started with titanium
Getting started with titaniumGetting started with titanium
Getting started with titanium
 
How to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseHow to generate customized java 8 code from your database
How to generate customized java 8 code from your database
 
Silicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSilicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your database
 
Machine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeMachine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta Lake
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
Getting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumGetting started with Appcelerator Titanium
Getting started with Appcelerator Titanium
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
 
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
 

More from 남준 김

보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기남준 김
 
Pokemon Go Android Malware Analysis
Pokemon Go Android Malware AnalysisPokemon Go Android Malware Analysis
Pokemon Go Android Malware Analysis남준 김
 
숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기남준 김
 
BoB Information Security Conference
BoB Information Security Conference BoB Information Security Conference
BoB Information Security Conference 남준 김
 
RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1남준 김
 
나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!남준 김
 

More from 남준 김 (6)

보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기
 
Pokemon Go Android Malware Analysis
Pokemon Go Android Malware AnalysisPokemon Go Android Malware Analysis
Pokemon Go Android Malware Analysis
 
숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기
 
BoB Information Security Conference
BoB Information Security Conference BoB Information Security Conference
BoB Information Security Conference
 
RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1
 
나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!
 

Recently uploaded

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARKOUSTAV SARKAR
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationBhangaleSonal
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdfKamal Acharya
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086anil_gaur
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Call Girls Mumbai
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projectssmsksolar
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesMayuraD1
 
Rums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdfRums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdfsmsksolar
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptNANDHAKUMARA10
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesRAJNEESHKUMAR341697
 

Recently uploaded (20)

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
Rums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdfRums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdf
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
 

Inc0gnito 2015 Android DEX Analysis Technique

  • 1. Android Deep DEX Analysis Technique 세종대학교 SSG 김남준
  • 2. S.S.G In this session.. • How Android translate DEX file format inside APK file • Deep Analysis of DEX file (class, method recovery) • Translate DEX bytecode • How we extract information from malicious DEX file • Apply to Real World (smishing.kr) 2015. 8. 28. 2
  • 3. S.S.G About Speaker • 김남준 (20) 세종대학교 정보보호학과 15 (고3 탈출!) + 작년 고등학생 인코 발표자 Newbie of Sejong Security Group UpRoot Researcher KITRI Best of the Best 3기 여친구함
 
 E-mail : admin@smishing.kr 
 Blog : blog.smishing.kr
 Web : smishing.kr
 2015. 8. 28. 3 Special Thanks to @공기반여자반 Pictured by @유정빈
  • 4. S.S.G What is DEX file • Dalvik Executable File Format • Specially designed for Embedded System • It can run on DVM inside Android • Actually, DVM is different between JVM 2015. 8. 28. 4
  • 5. S.S.G Standard Android Translation Process 2015. 8. 28. 5 JAVA Code Dalvik bytecode public class MainActivity.. { public static void onCreate(s..) { super.onCreate(savedInsta..) .. public string TAG = “S.S.G”; Log.i(TAG, “sejong S.S.G”); } } .class public Lbunseokbot/MainActivity .source MainActivity.java .method public static onCreate(..)V const-string v0, “S.S.G” const-string v1, “sejong S.S.G” invoke-static {v0, v1}, L/android/util/Log -> i(Ljava/lang/String;Ljava/lang/String;)I return-void
  • 6. S.S.G Building Android Application 2015. 8. 28. 6 JAVA Code Translator Dalvik Bytecode
  • 7. S.S.G Translator 2015. 8. 28. 7 Java Translator Dalvik Translator
  • 8. S.S.G Java Language • Object-Oriented Programming Language • Easy to “DECOMPILE” • Running on Java Virtual Machine as “JAR” File • Actually, JVM is different between DVM • use for “native” (NOT JNI) Android Programming 2015. 8. 28. 8
  • 9. S.S.G Different between JAR and DEX • Java Archive File -> Package File Format • Java class files + metadata + resources • each class have independent class file • “Class Level File Management” 2015. 8. 28. 9
  • 10. S.S.G Different between JAR and DEX • Dalvik Execution File • Single DEX file • specified for Embedded..? (Mobile, PDA..?) 2015. 8. 28. 10
  • 11. S.S.G Different between JVM and DVM 2015. 8. 28. 11 Dalvik Virtual Machine Java Virtual Machine Register Based Stack Based Constant Pool per Application Constant Pool per Class Supply Just-In Time Execution
  • 12. S.S.G We have to understand and Translate DEX File as different technique 2015. 8. 28. 12
  • 13. S.S.G Normally.. we use “dex2jar” 2015. 8. 28. 13
  • 14. S.S.G or.. baksmali! 2015. 8. 28. 14 How baksmali translate it?
  • 15. S.S.G inside DEX file 2015. 8. 28. 15 Header string_ids type_ids proto_ids Method, Class.. Standalone DEX file Header Info item size item offset Header Structure
  • 16. S.S.G inside DEX file 2015. 8. 28. 16 Header string_ids type_ids proto_ids Method, Class.. String where code contains (only Address) Class, Method type container (only Address) Class, Method parameter return info (only Address) real Method, Class, Field, Data container
  • 17. S.S.G inside DEX file 2015. 8. 28. 17 Header Info item size item offset Header Section-name
  • 18. S.S.G Now, We analyze DEX file 2015. 8. 28. 18 public class MyActivity extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); Log.i(“S.S.G”, “DEX File Analyze Testing”); } } Log/i S.S.G DEX File Analyze Testing
  • 19. S.S.G How to Analysis DEX file 2015. 8. 28. 19 • DEX Parser for Python v0.0.1 • https://github.com/bunseokbot/dexparser • pip install dexparser
  • 21. S.S.G 1. DEX Header 2015. 8. 28. 21 d.header_info() -> Dictionary Type d.header_info()[‘string_ids_size’] d.header_info()[‘string_ids_off’]
  • 22. S.S.G 2. Parse string_ids section 2015. 8. 28. 22 • 1. extract string_ids section offset, size • 2. parse string_data offset for access string_data_item • 3. translate to Language from string_data_item
  • 23. S.S.G 2. Parse string_ids section 2015. 8. 28. 23
  • 24. S.S.G 2. Parse string_ids section 2015. 8. 28. 24
  • 25. S.S.G 2. Parse string_ids section 2015. 8. 28. 25 0x40001000 0x40001000 My Test DEX Parser Test String MyActivity LLVM string_ids_item string_data_item
  • 26. S.S.G 2. Parse string_ids section 2015. 8. 28. 26
  • 27. S.S.G 3. Parse type_ids section 2015. 8. 28. 27 search from string_ids
  • 28. S.S.G 3. Parse type_ids section 2015. 8. 28. 28 this is descriptor_idx list
  • 29. S.S.G 3. Parse type_ids section 2015. 8. 28. 29
  • 30. S.S.G 3. Parse type_ids section 2015. 8. 28. 30 http://source.android.com/devices/tech/dalvik/dex-format.html#top
  • 31. S.S.G 4. Parse proto_ids section 2015. 8. 28. 31
  • 32. S.S.G 4. Parse proto_ids section 2015. 8. 28. 32 parameters_offset Access to “data” section directly and parse offset
  • 33. S.S.G 4. Parse proto_ids section 2015. 8. 28. 33
  • 34. S.S.G 4. Parse proto_ids section 2015. 8. 28. 34
  • 35. S.S.G 5. get Method Information 2015. 8. 28. 35
  • 36. S.S.G 5. get Method Information 2015. 8. 28. 36 string_ids type_ids proto_ids method_ids
  • 37. S.S.G 5. get Method Information 2015. 8. 28. 37
  • 38. S.S.G 5. get Method Information 2015. 8. 28. 38
  • 39. S.S.G 6. get Class Information 2015. 8. 28. 39 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off each class have it
  • 40. S.S.G 6. get Class Information 2015. 8. 28. 40 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off ACCESS_FLAG Source File index associated class data offset class level static value offset
  • 41. S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 41 VARIOUS TYPE OF ACCESS_FLAG!
  • 42. S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 42 public static void myFunction() {} ACC_PUBLIC = 0x1 ACC_STATIC = 0x8 —————————— ACCESS_FLAG = 0x9
  • 44. S.S.G 6. class_data_item 2015. 8. 28. 44 static_fields_size direct_method_size instance_fields_size direct_methods instances_fields static_fields virtual_method_size virtual_methods each class have it
  • 46. S.S.G 6. leb128? 2015. 8. 28. 46 • Little-Endian Based 128 • Type : Unsigned & Signed • following DWARF Format • for encoding variable-length, arbitrary signed or unsigned int
  • 47. S.S.G 6. leb128? 2015. 8. 28. 47 return value is (result, size)
  • 48. S.S.G 6. get Class Information! 2015. 8. 28. 48
  • 49. S.S.G 6. get Class Information! 2015. 8. 28. 49
  • 50. S.S.G Apply to Real World 2015. 8. 28. 50 • smishing.kr
  • 51. S.S.G isolate Real Permission 2015. 8. 28. 51 • Usually, Android Malware Analyzer’s check this thing!
 “Searching Permission info from AndroidManifest.xml” • BUT.. • Recently, Attacker register all uses-permission to AndroidManifest.xml
  • 52. S.S.G isolate Real Permission 2015. 8. 28. 52 android.permission.* • If application want to use Permission such as INTERNET, ACCESS_COURSE_LOCATION. They must call “Authorized Function”
  • 53. S.S.G Logical Permission Enforcement 2015. 8. 28. 53 Marakana Inc. Andsec
  • 54. S.S.G isolate Real Permission 2015. 8. 28. 54 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
  • 55. S.S.G isolate Real Permission 2015. 8. 28. 55 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
  • 56. S.S.G For Example.. 2015. 8. 28. 56 android.permission.INTERNET invoke-direct {v0, v1}, Lorg/../HttpGet;-><init>(Ljava/lang/String;)V Lorg/../HttpGet class “Approve” to access Internet Module Network connection success!
  • 57. S.S.G Where to get Function Mapping.. 2015. 8. 28. 57 • inside Android Source…? • “Androguard” have it • https://github.com/androguard/androguard
  • 58. S.S.G in Androguard 2015. 8. 28. 58 • in androguard/core/bytecodes/api_permission.py
  • 59. S.S.G Conclusion 2015. 8. 28. 59 • DEX have “Simple” structure • source.android.com have specific DEX file info • If you use “dexparser” in Python, You’ll be easy to parse DEX and analyze. • DEXCrypt, DEXGuard have same structure! • DEX Research is very fun!