[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)

Hooking on Android
2014.07.05
정광운
exsociety@gmail.com
www.CodeEngn.com
2014 CodeEngn Conference 10

Who am I
• 정광운 EXSO (Not EXO)
• 27 years old (Single)
• CNU & Hackershool & Secu87
• Contact Me
– http://facebook.com/exsociety
– exsociety@gmail.com
– http://bananapayload.org
2

Android System Overview
Applications
Application Framework
Libraries
Linux Kernel
Home ....... Music Browser Office
Viewer
Keypad Driver
Display Driver
WiFi Driver
Camera Driver Flash Memory
Driver
Audio Driver Power Driver
Binder Driver
Notification
Manager
Package
Manager
Telephony
Manager
Resource
Manager
Location
Manager
Window
Manager
View
System
Activity
Manager
Content
Providers
OpenGL|ES
Surface
Manager
Free Type
SQLite
SSL
webkit_libmedia_lib
libc
viewer_lib
SGL
JNI
NDK
SDK
앱 레벨
(JAVA)
시스템 레벨
(C/C++)
Hooking on ARM
Hooking on Android
4

G al
• ARM 기반의 안드로이드 환경
• 시스템의 수정 X (단, 루팅 필요)
• 애플리케이션의 수정 X
• 애플리케이션의 라이브러리 내 함
수에 대한 후킹 수행
5

Design of Hooker
Shared
Library
(.so)
FunctionA
FunctionB
Android Application
Constructor
Target Library
Injected Library
branch
Function A
Ins 2
Ins 3
Ins 4
Ins 1
Ins 2
Ins 3
Ins 1
Branch
Hook_Function A
Orig_Function A
6

Shared Library Injection
• Call dlopen() using ptrace() on
application
7

Shared Library Injection
1) Find dlopen() address
Can not found libdl.so on maps
/system/bin/linker 소스코드 中
dlopen()
/system/bin/linker
dlsysm()
libdl.so
offset
dlopen() Address
= base address of linker +
offset
8

2) write library path
- use stack
- PTRACE_POKEDATA
ptrace(PTRACE_POKEDATA, pid, dst address, 4byte_data)
9

ARM Instruction mode
32-bit
32-bit
32-bit
32-bit
32-bit
16-bit
16-bit
16-bit
16-bit
16-bit
ARM
Instruction
Instruction
Instruction
Instruction
Instruction
Thumb
31 0
Function Address
CPSR Register
T = 0 : ARM Mode
T = 1 Thumb Mode
10

3) Call dlopen() ß Thumb
Debugger Application
Backup Register
Values
Set Breakpoint at Next Instruction
Change Register
Values• pc = dlopen() addr
• r0 = stack addr
• r1 = 0
• lr = next instruction’s
addr (pc)
Restore Registers Values,
Remove Breakpoint
Debugger Applicatio
n
Backup Register
Values
Overwrite Code at Next Instruction
Change Register
Values• pc = pc+4
• r0 = stack addr
• r1 = 0
• lr = next instruction’s
addr (pc)
Restore Registers Values,
Restore Code ,
Remove Breakpoint
• break
• ldr pc, [pc, #0]
• 0x0
• dlopen() address
Thumb 모드 ARM 모드
11

4) result
Useage : injector [pid] [Library Full Path]
12
끝

Function Hooking
1) Find function information
- Reference Header file
- Use Hex-ray
13
https://github.com/EiNSTeiN-/hexrays-python

2) Install Hooker
14
Target Library
Injected Library
LDR PC, [PC]
Function A
NOP
Hook_FunctionA Addr
Ins 4
Ins 1
Ins 2
Ins 1
Ins 2
Ins 3
Branch
Hook_Function A
Orig_Function A
Target Library
Injected Library
Function A
Push {r5}
add r5, pc, #4
ldr r5, {r5}
bx r5
Hook_FunctionA Addr
Ins 7
pop {r5}
Ins 1
Ins 2
Ins 1
Ins 6
Branch
Hook_Function A
Orig_Function A
ARM->ARM Thumb->ARM

Why…?
• Internal memory reference
15
Function A Orig_Function A
Original Code
JMP
Target Function+N
JMP
Target Function+N
Injected LibraryTarget Library
Access Violation
Reference Reference
Data Offset
Code Offet

• External memory reference
16
Function A
Target Function Original Function
Original Code
JMP
Target Function+N
JMP
Target Function+N
Injected LibraryTarget Library
Branch
Branch
Access Violation

Solution
• 귀찮으니 그냥 복사하자…
17
Target Library
Injected Library
LDR PC, [PC]
Function A
NOP
Hook_FunctionA Addr
Ins 4
Ins 1
Ins 2
Hook_Function A
Copied Target Library
Function A
Ins 1
Ins 2
Ins 3
Ins 4
Function Pointer

Issue 1. Global Hook
18
• 애플리케이션 생성 과정
System Server zygote zygote’ Application
① 앱 실행 요청 ③ 앱 적재② fork() 호출
Activity
Manager
Activity
Manager
Package
Manager
Package
Manager
Window
Manager
Window
Manager
…
Dalvik VM
libc
Dalvik VM
libc
Preloaded
class
Preloaded
class
Preloaded
resource
Preloaded
resource
Dalvik VM
libc
Preloaded
class
Preloaded
class
Preloaded
resource
Preloaded
resource
Dalvik VM
libc
Preloaded
class
Preloaded
class
Preloaded
resource
Preloaded
resource
Android
Application

Issue 2. 대상 라이브러리가
로드되기 전..
• 라이브러리 로드 함수를 후킹
– dlopen() = 10byte // 최소 12바이트 필요
– dvmLoadNativeCode(char const*, Object*, char**)
• dvmLoadNativeCode 종료 시점에 추가적인 Hooker 설치
19

How to use
• download : http://bananapayload.org
20
[library path] [Name / Offset] [Function Type]
/system/lib/libc.so malloc void *malloc(size_t size)
/system/lib/test.so 0x400 void sub400(int, int)
./ genLibrarySource [define File] [output path]
Define Format
Source Code
Edit Source & Edit makefile & make library
Useage : injector [pid] [Library Full Path] Hook Success

22
www.CodeEngn.com
2014 CodeEngn Conference 10

[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)

More Related Content

What's hot

Viewers also liked

More from Code Engn

Recently uploaded

[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)