With the rapid development of information technology, the attackers have become interested in not only normal applications but also various systems such as web, mobile and embedded system. Consequently, there is an evergrowing number of applications that should be analyzed, and the lack of time and manpower has been one of the biggest problems for the defenders. To this end, we present “BinProxy”, an application analysis framework that makes an easy environment for dynamic analysis of applications. Our approach provides web proxylike analysis environments for an easy analysis, and does not required any analysis tools such as debugger, decompiler and other reversing tools. Furthermore, BinProxy can be applied to Windows, Linux, Mac or other kinds of mobile platforms including Android and iOS. In this presentation, we show several techniques for implementing BinProxy and demonstrate some use cases by using BinProxy. We believe that our framework solves the lack of time and manpower problem and presents a new paradigm for program analysis. # PoC - Basic : http://youtu.be/ZjKEGEzYvJw - Android(monitor) : http://youtu.be/xS8lcn0plrU - Android(modify) : http://youtu.be/az-jsx8apgw - iOS(monitor) : http://youtu.be/Eq3I21O3EhE

1. BinProxy
A New Paradigm for Binary Analysis
Dongjoo Ha (NSHC) Hyunwoo Choi (KAIST)
Sunyoung Sim (AhnLab) Joobong Cho (RaonWhitehat)
Jisun Kim (AhnLab) Gyeongik Jang (NSHC)

2. Objective
We have to defeat the enemies
and save the earth!!

3. Our contributions
● Introduce a new concept of analysis
framework to use easily
o perform analysis of normal application by using web
proxy
● Introduce methodologies for implementing
our concept
o pros and cons of the methodologies
● Demonstrate use cases

4. Define Keyword
● Web Application
o consist of usually script languages
o operate based on web server/client
● Normal Application
o executable binary except for web applicaton
o PE, ELF, etc.
● Web Proxy
o a tool for web application analysis
o Burp suite, paros, fiddler, etc.

5. What’s wrong?
Background

6. Existing methodologies/tools
for application analysis
Web Application analysis
● easy to use and operate using a web proxy (burp, paros,
fiddler, etc.)
● monitor and modify the contents without difficulty

7. Existing methodologies/tools
(cont’d)
Normal Application(excutables) analysis
● much harder and complex than web application(GDB, IDA,
Ollydbg, windbg, etc.)
● In secure channel, how can we check the contents?

8. Challenges for application
analysis
We cannot
save the earth
using our resources
Lack of time and manpower

9. How to solve a problem?
Need a EASY tool

10. So what??
BinProxy : A New Paradigm for Binary
Analysis

11. Let’s get started with Demo!

12. Key Features
We do not need gdb and ollydbg
to analyze applications any more.

13. Key Features (cont’d)
2. modify return value
1. original return value
3. Click Forward Button
Should we use the difficult tools for simple analysis?
You can monitor and control the normal applications
with your favorite web proxy

14. Key Features (cont’d)
We do not want to use difficult IDA tool
to analyze applications any more.

15. Key Features (cont’d)
You can know what functions are existed in target apps and
what functions can be monitored.

16. Overall Achitecture

17. Components
● Target application
o smart phone apps, excutable program based on Windows, OSX and etc.
● Web Proxy
o A user-friendly proxy to be used for analysis (ex. burp,
paros, ..)
● BinProxy Client
o is Operated in the target application is installed
o communication module : communicate with BinProxy server
o hooking module : modify the flow of functions.
● BinProxy Server
o is Operated in the web proxy is installed
o communication module : communicate with BinProxy client and web
proxy

18. What You Need
Need things to make BinProxy

19. Intercept function call &
Forward it to a Web proxy
Main techniques for implementation
how to control function calls by using web proxy
Convert Functions

20. Function monitoring and
Function Controlling
Main techniques for implementation (cont’d)
API / User-defined function
Hooking

21. Function monitoring and
Function Controlling
Main techniques for implementation (cont’d)
Dynamic function Hooking
No need a pre-compiled hooking code
Dynamic target function selection

22. Function monitoring and
Function Controlling
Main techniques for implementation (cont’d)
Return value,
primitive / refernce
type arguments

23. Target function selection
Main techniques for implementation (cont’d)
Extraction API lists

24. Target function selection
(cont’d)
Main techniques for implementation (cont’d)
Extracting user-defined fuctions
and Finding out Args and Types

25. Target function selection
(cont’d)
Main techniques for implementation (cont’d)
Monitoring function calls and statistics
-> Selecting target functions easily

26. How to make?
the way of building BinProxy

27. How to interwork with a web
proxy - BinProxy Client
* hooked_func send before_call message to BinProxy Server through
communication module.
* before_call message = function name + the value of arguments
* After sending a before_call message, the hooked_func will be blocked until
getting response from BinProxy Server.

28. How to interwork with a web
proxy - BinProxy Server
BinProxy Server convert a before_call message into
HTTP request format for delivering the message to
Web Proxy.
POST http://127.0.0.1:53388/function_name
Host: target_app_name
User-Agent: BinProxy
01_414141

29. How to interwork with a web
proxy - Web Proxy

30. How to interwork with a web
proxy - BinProxy Client
execute an original function
After sending an after_call message,
hooked_func will be blocked until getting response from BinProxy Server.

31. How to interwork with a web
proxy - BinProxy Server
BinProxy Server convert a after_call message into
HTTP response format for delivering the message to
Web Proxy.
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 17:22:59 GMT
Server: BinProxy
Content-Length: 1
Connection: close
Content-Type: application/return
0

32. How to interwork with a web
proxy - Web Proxy

33. How to interwork with a web
proxy - BinProxy Client
return the value

34. How to make?
Ways of build android client & PoC

35. Key Requirements
Function
What

37. How

39.
To

40. Extract

41. ???

42.
How

43. to

44. Hook

45. ???

47. Key Requirements
- What How To extract ..

48. We can use for hooking in Android :
• Cydia substrate for Android
• Introspy-Android (GUI Interface + Cydia Substrate )
• AndHook(Android Hooking Framework)
• ADBI(Android Dynamic Binary Instrumentation Toolkit)
• [Paper] Hooking on Android -2014 CodeEngn Conference
….
Key Requirements
- What How To extract ..

49. ADBI
(Android Binary Instrumentation Toolkit)
Intercept/Use DVM Methods
on Dalvik VM Library
(libdvm.so)
Dynamic Dalvik Instrumentation Framework for Android (old)
- Collin Mulliner, SummerCon 2013.
https://github.com/crmulliner/adbi (current)

50. Binproxy Client modules for Android
TARGET (App.)
HOOKY
(shared library)
Binproxy Server
(Users)
COMMUNICATOR
(user interaction)
INJECTOR
HOOKY
(shared library)
COMM.
(user interaction)

51. ● INJECTOR
: Inject the HOOKER(.so) into Target App.(running
process)
● HOOKER
: Hook the java/Android standard API for analysis.
: loaded as the shared library(so) developed using JNI
● COMMUNICATOR
: Interactive interface for communication with user
: Send/receive values for Hooking, Monitoring,
Modifying
Binproxy Client modules … (cont’d)

52. How to implement Android Client
Implemented using JNI(Java Native Interface)

53.
- Get the method Information loaded
- Define/Prototype new function(native) for target
function(method)
- Call Original Method from new function.
- Monitor/Modify a argument/return value

54. DVM
Original
method
New(JNI)
Find

55. Class/Method

56.
(dvmFindXXXX)

57. 1

58. Replace

59. the

60. original

61. method

64. with

65. a

66. new

67. native

68. function

69.
(dvmUseJNIBridge)

70.
3

71. Define

72. new

73. native

74. function

75.
2
Call

76. the

77. original

78. function

80.
from

81. new

82. native

83. function

84.
(callback)

85.
4
How to implement … (Cont’d)
Monitor/Modify

86. How to implement .. (Cont’d)
Call return type Method!

87. DEMO - PoC for Android App
DEMO

90. How to make?
Ways of build iOS client PoC

91. Key Requirements - How To hook ..
● We can use for hooking in iOS:
a. Cydia Substrate for iOS
b. fishhook
c. Mach-O-Hook

92. How to implement iOS client
● Use a CydiaSubstrate
a. Why CydiaSubstrate?
- verified stability
● Most of Apps in Cydia are use a
CydiaSubstrate!
● Component of CydiaSubstrate
a. MobileHooker
b. MobileLoader
c. Safe Mode

93. Key Requirements - What How
extract...
● Mach-O File Format

94. Key Requirements - What How
extract...
● API
LC_SYMTAB
Symbol Table
String Table

95. Key Requirements - What How
extract...
● Objective-C and User Function Address
LC_FUNCTION_STARTS
Function Starts

96. How to implement iOS client
● Target API and method selection
a. Extracting Objective C classes
methods
b. Extracting API lists
c. Finding out user-defined function’s
args and types
● Monitoring an entire method and API by
using hooking (Logging?) (Logging?)

97. DEMO - PoC for iOS App
DEMO

99. Anything else?
Future Works

100. Implementation Methods
● How to obtain a target application’s
function list and detail informations of
the function
● How to utilize database information to
distinct functions

101. Additional Functions
● arbitrary function execution
● arbitrary code execution
● memory scan and patch
● function control based on script
languages
● disassemble and decompilation
And…
● Performance Improvement
● Additional OS Support

102. 谢谢
Any Other Questions or Comments?
email : binproxy@0-day.me