The document provides an overview of analyzing obfuscated Android malware. It begins with a quick review of the Android runtime and framework startup process. It then discusses dynamic analysis techniques for fighting encrypted DEX code and native protectors. For encrypted DEX code, it describes preparing an emulator, debugging tools, and tracing plugins to analyze a sample that uses encryption. It explores the sample's decryption and loading logic, class decryption through reflection, and an anti-tampering technique. For native protectors, it discusses unpacking the library through static and dynamic analysis, reviewing the library loading process, and preparing to trace library initialization for monitoring decryption.
In this presentation, the unaware or indirect applications of essential computer science concepts are discussed as a showcase. Jim Huang presented at the Department of Computer Science and Engineering, National Taiwan University.
This presentation covers the working model of processes, threads, system calls, memory operations, Binder IPC, and interactions with the Android frameworks.
binder-for-linux is an experimental project to evaluate the feasibility of porting Android Binder IPC subsystem to Ubuntu Linux.
GitHub: https://github.com/hungys/binder-for-linux
Android is a Linux-based architecture. In addition to the original Linux drivers, Android needs other device drivers, such as Android Logger, Binder, Low Memory Killer, Power Management for Android (wakelock), ASHMEM, etc.; of these, ashmem, logger and binder are all character device drivers.
(Presentation at HITcon 2011) This talk introduces Android application reverse engineering through a real example, and covers advanced topics such as optimized DEX and JNI.
Slides from Android Builder's Summit 2014 in San Jose, CA
In this talk I describe the internal workings of the Android graphics stack from the Application layer down through the stack to pixels on the screen. It is a fairly complex journey, taking in two different 2D rendering engines, applications calling OpenGL ES directly, passing buffers on to the system compositor, SurfaceFlinger, and then down to the display controller or frame buffer.
Embedded Android System Development - Part II talks about the Hardware Abstraction Layer (HAL). HAL is an interfacing layer through which an Android service can place a request to a device. It uses functions provided by the Linux system to service requests from the Android framework. It is a C/C++ layer with a purely vendor-specific implementation, packaged into module (.so) files and loaded by the Android system at the appropriate time.
We prepared an "Amazon GameLift session" for game customers using AWS.
GameLift is a fully managed service for deploying, operating, and scaling session-based multiplayer game servers in the cloud; in this event we run a hands-on exercise deploying a session-based 1:1 game with Amazon GameLift.
Binder is what differentiates Android from Linux. It is the most important internal building block of Android, and a subject every Android programmer should be familiar with.
Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. Hardware-based solutions can be expensive or destructive, while software tools are often restricted to user mode. Presented at REcon 2016, this presentation explores a common but often ignored feature of the ARM debug architecture in search of other options. Digging deeper into this hardware component reveals many interesting use-cases for researchers ranging from debugging and instrumentation to building a novel rootkit.
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000 (by CTruncer)
This talk will initially cover Device Guard, and how it works. After discussing high level methods of attacking Device Guard, we will go into detail on WMImplant, a tool which can be used to operate on Device Guard protected systems.
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh... (by ZongXian Shen)
The design memo and hack note of ProbeDroid
A dynamic binary instrumentation kit targeting Android(Lollipop) 5.0 and above
This is the first complete draft.
An improved version will be uploaded in a few days.
HKG15-300: Art's Quick Compiler: An unofficial overview (by Linaro)
---------------------------------------------------
Speaker: Matteo Franchin
Date: February 11, 2015
---------------------------------------------------
★ Session Summary ★
One of the important technical novelties introduced with the recent release of Android Lollipop is the replacement of Dalvik, the VM which was used to execute the bytecode produced from Java apps, with ART, a new Android Run-Time. One interesting aspect in this upgrade is that the use of Just-In-Time compilation was abandoned in favour of Ahead-Of-Time compilation. This delivers better performance [1], also leaving a good margin for future improvements. ART was designed to support multiple compilers. The compiler that shipped with Android Lollipop is called the “Quick Compiler”. This is simple, fast, and is derived from Dalvik’s JIT compiler. In 2014 our team at ARM worked in collaboration with Google to extend ART and its Quick Compiler to add support for 64-bit and for the A64 instruction set. These efforts culminated with the recent release of the Nexus 9 tablet, the first 64-bit Android product to hit the market. Despite Google’s intention of replacing the Quick Compiler with the so-called “Optimizing Compiler”, the job for the Quick Compiler is not yet over. Indeed, the Quick Compiler will remain the only usable compiler in Android Lollipop. Therefore, all competing parties in the Android ecosystem have a huge interest in investigating and improving this component, which will very likely be one of the battlegrounds in the Android benchmark wars of 2015. This talk aims to give an unofficial overview of ART’s Quick compiler. It will first focus on the internal organisation of the compiler, adopting the point of view of a developer who is interested in understanding its limitations and strengths. The talk will then move to exploring the output produced by the compiler, discussing possible strategies for improving the generated code, while keeping in mind that this component may have a limited life-span, and that any long-term work would be better directed towards the Optimizing Compiler.
[1] The ART runtime, B. Carlstrom, A. Ghuloum, and I. Rogers, Google I/O 2014, https://www.youtube.com/watch?v=EBlTzQsUoOw
--------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250804
Video: https://www.youtube.com/watch?v=iho-e7EPHk0
Etherpad: N/A
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13th, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
Attacking and Defending Mobile Applications (by Jerod Brennen)
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetrated, as well as how we can develop to defend against them.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It (by Nikhil Mittal)
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Calendar of JEADER activities _ AFRICA _ 2016 (by JEADER)
2016 was a special year thanks to you! Thank you for your support, and revisit the key activities of 2016.
Together, let's make 2017 an equally EXTRAORDINARY year!
Experience the wonders of Sri Lanka from the best individual tour operator with BUDGET PRICES.
TRUST US WITH YOUR HOLIDAYS. WE OFFER A WIDE CHOICE OF TOURS, AND OUR EXPERTS CAN ALSO “TAILOR” A HOLIDAY TO YOUR PERSONAL WISHES.
Lions, Tigers and Deers: What building zoos can teach us about securing micro... (by Sysdig)
How to secure microservices running in containers? Strategies for Docker, Kubernetes, Openshift, RancherOS, DC/OS Mesos.
Privilege, resource and visibility constraints with capabilities, cgroups and namespaces. Image vulnerability scanning and behavioural security monitoring with Sysdig Falco.
FIWARE Wednesday Webinars - How to Debug IoT Agents (by FIWARE)
How to Debug IoT Agents Webinar - 17th April 2019
Corresponding webinar recording: https://youtu.be/FRqJsywi9e8
Chapter: IoT Agents
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
How to debug IoT Agents - investigating what goes wrong and how to fix it.
Byte code manipulation and instrumentalization in Java (by Alex Moskvin)
In this presentation we consider what bytecode is, what it looks like, how to read it, how to manipulate it, and why anyone would need to manipulate it.
We also develop a Java agent that instruments access to the MongoDB Java driver and exposes those metrics via JMX.
A set of tips and tricks for resolving the typical problems you can run into when working with FIWARE IoT Agents and the FIWARE Orion Context Broker, along with the reasons behind them.
This presentation will provide a high-level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content, the discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Android Application WebAPI Development Training (by OESF Education)
OESF Authorized Training Course official textbook
Course: Android Application WebAPI Development Training
FULL VERSION
Language: English
Contributed by
Created by: Leading Edge Co.,Ltd.
Translated by: ISB Vietnam Co.,Ltd.
[Attention!]
This textbook is licensed under the Creative Commons License BY-NC-SA 4.0. Using this material for commercial purposes is prohibited unless you are an OESF member or an OESF education consortium member.
2. About Me
• Passionate Security Researcher and Developer
• Earned a Master's in CS from NCTU, Taiwan
• Now a system engineer @appier
andy.zsshen@gmail.com
ZSShen
@AndyZSShen
ZongXian Shen
6. ServiceManager
A Linux daemon that:
• Marshals framework Binder inter-process communication
• Records the information of each started server (framework services)
• Offers the interface through which clients (apps or framework services) access servers
7. Zygote
The original framework process and creator of the Java world:
• Initializes the Android Runtime
• Forks the framework service process SystemServer
• Waits for app-forking requests from ActivityManagerService
8. Framework Services
Specialized service threads forked from SystemServer:
• App lifecycle management
• Package installation
• Media and personalization
• Power and network
• etc.
9. Startup of Java World
In system/core/rootdir/init.zygote.rc:

    service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
        class main
        socket zygote stream 660 root system
        onrestart write /sys/android_power/request_state wake
        onrestart write /sys/power/state on
        onrestart restart media
        onrestart restart netd

• The service line is the Zygote startup command.
• The socket line creates the Unix domain socket used to interact with ActivityManagerService.
• Zygote native source entry (Zygote creation): framework/base/cmds/app_process/app_main.cpp
14-15. Zygote Initialization
(Zygote process memory: app_main.cpp, libart.so, runtime.cc, boot.oat)
1. Load the VM library (libart.so) into memory
2. Transfer to the ART entry (runtime.cc)
3. Load the precompiled framework Java libraries (boot.oat)
4. Link the indexes to access
   • Java class members
   • Method bytecode & its compiled native code
5. Find and transfer to the Zygote Java entry
(Diagram: boot.oat in Zygote process memory holds the Dex info & bytecode for Dex, Class, Field and Method, plus the compiled native code.)
16. Zygote Initialization
1. framework/base/core/jni/AndroidRuntime.cpp: load libart.so
2. libnativehelper/JniInvocation.cpp: transfer to libart.so
3. art/runtime/jni_internal.cpp: initialize the ART environment, load the framework libraries, index the class definitions
4. libnativehelper/include/nativehelper/jni.h: find and transfer to the Zygote Java entry
17. ART Initialization
• The heart of Zygote initialization
• Many complicated tasks, such as initializing the VM memory layout and the garbage collector
• We focus on how ART finds the specified class and links to the method code: class linking
18. Class Linking
• Open the container file in the specified class path
  • Classes are compiled and wrapped in an Oat file
• Map the located Oat file into memory
  • The class field and method definitions
  • The method bytecode and its compiled native code
• Link the indexes for class member access
  • Transfer from ART to a certain compiled method
  • Transfer between compiled methods
20. ART to Method Native Code
JNIEnv::GetStaticMethodId()               (get the ArtMethod pointer)
JNIEnv::CallStaticVoidMethod()
ArtMethod::Invoke()                       (construct the native call stack)
art_quick_invoke_stub()
entry_point_from_quick_compiled_code()    (dive into the method native code)
21. Between Method Native Code
Dex bytecode:
0x00: sget-object v0, Ljava/util/ArrayList; org.dsns.cleango.CleanGo.gRecord
0x02: invoke-virtual {v3}, java.lang.String java.lang.Object.toString()
0x05: move-result-object v1
0x06: invoke-virtual {v0, v1}, boolean java.util.ArrayList.add(java.lang.Object)
……
Native code:
dex PC: 0x00
……
ldr.w r6, [r0, #432]
mov r1, r8
ldr r0, [r1, #0]
dex PC: 0x02
ldr.w r0, [r0, #396]
ldr.w lr, [r0, #40]
blx lr
……
What the native code does for the invoke-virtual at dex PC 0x02: get the receiver object, get the toString() ArtMethod pointer, get the entry to the compiled native code, then branch and link to the callee.
22. ART constructs the indexes to access the
class members of framework libraries
Let’s see how boot oat is processed
23. Oat Format
An ELF file embedded with:
• DEX files bundling the definitions of classes (DEX info & bytecode)
• Compiled method native code (compiled methods)
• Links between class definitions & native code
24. Oat File Parsing
• Iterate through each DEX item
• Parse the DEX structure to resolve all the bundled class definitions
  • Class field and method definitions
  • Method bytecode body
• Use class and method definition ids to access the Oat indexes for method native code
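As an added example (not code from the slides), a small Python parser for the DEX header that the class-linking and Oat-parsing slides above describe ART walking: it resolves the string_ids table and recomputes the Adler-32 checksum and SHA-1 signature, so a DEX that was patched in place without updating them stands out. The sample DEX, its single class descriptor and all field values are constructed inline; only the DEX format's own header layout is assumed.

```python
"""Minimal DEX header parser with checksum/signature verification.

Added example, not code from the original slides. It walks the fixed
112-byte DEX header that ART's class linker reads when resolving the
class definitions bundled in an Oat file, resolves the string_ids
table, and recomputes the Adler-32 checksum and SHA-1 signature so a
naively patched DEX stands out. The sample DEX is constructed inline
(header plus one string; no map_list, so ART itself would not load it).
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70        # 112 bytes, the same for every DEX version
ENDIAN_CONSTANT = 0x12345678  # little-endian file, the form the toolchain emits

# The twenty u4 fields that follow magic (8), checksum (4), signature (20).
_U4_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off",
    "class_defs_size", "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(data):
    """Return the header fields as a dict; raise ValueError on a malformed header."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError("bad DEX magic %r" % magic)
    hdr = {
        "version": magic[4:7].decode("ascii"),
        "checksum": struct.unpack_from("<I", data, 8)[0],
        "signature": data[12:32],
    }
    hdr.update(zip(_U4_FIELDS, struct.unpack_from("<20I", data, 32)))
    if hdr["header_size"] != DEX_HEADER_SIZE:
        raise ValueError("unexpected header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unsupported endian_tag 0x%x" % hdr["endian_tag"])
    if hdr["file_size"] != len(data):
        raise ValueError("file_size %d but %d bytes given" % (hdr["file_size"], len(data)))
    return hdr


def verify_dex_integrity(data):
    """Return (checksum_ok, signature_ok).

    Per the format, Adler-32 covers everything after the checksum field
    (offset 12 onward) and SHA-1 everything after the signature (offset 32)."""
    hdr = parse_dex_header(data)
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    signature_ok = hashlib.sha1(data[32:]).digest() == hdr["signature"]
    return checksum_ok, signature_ok


def read_uleb128(data, off):
    """Decode an unsigned LEB128 value at off; return (value, next_off)."""
    value = shift = 0
    while True:
        byte = data[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def list_strings(data):
    """Resolve each string_ids entry to its text (ASCII subset of MUTF-8)."""
    hdr = parse_dex_header(data)
    strings = []
    for i in range(hdr["string_ids_size"]):
        item_off = hdr["string_ids_off"] + 4 * i
        string_data_off = struct.unpack_from("<I", data, item_off)[0]
        _utf16_len, off = read_uleb128(data, string_data_off)
        end = data.index(b"\x00", off)   # MUTF-8 string data is NUL-terminated
        strings.append(data[off:end].decode("utf-8"))
    return strings


def build_sample_dex(descriptor="Lcom/zwodrxcj/xnynjps/Application$RA;"):
    """Construct a header-plus-one-string DEX (sample data, not a real app)."""
    string_ids_off = DEX_HEADER_SIZE
    string_data_off = string_ids_off + 4   # one 4-byte string_id_item
    # uleb128 length fits in one byte because the descriptor is under 128 chars
    string_data = bytes([len(descriptor)]) + descriptor.encode("utf-8") + b"\x00"
    body = struct.pack("<I", string_data_off) + string_data
    fields = dict.fromkeys(_U4_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE + len(body),
                  header_size=DEX_HEADER_SIZE, endian_tag=ENDIAN_CONSTANT,
                  string_ids_size=1, string_ids_off=string_ids_off,
                  data_size=len(string_data), data_off=string_data_off)
    tail = struct.pack("<20I", *(fields[name] for name in _U4_FIELDS)) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


if __name__ == "__main__":
    dex = build_sample_dex()
    print(parse_dex_header(dex)["version"], list_strings(dex), verify_dex_integrity(dex))
    patched = bytearray(dex)
    patched[-2] ^= 0x01   # flip one byte of the descriptor without fixing the header
    print(verify_dex_integrity(bytes(patched)))
```

A package rebuilt with apktool carries freshly computed checksums, so this check flags in-place byte patching, not a full repackage.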
27. After initialization, ART transfers to the first Java-world method, ZygoteInit.main():
JNIEnv::FindClass()
JNIEnv::GetStaticMethod()
JNIEnv::CallStaticVoidMethod()
28. Zygote Routine in Java World
1. framework/base/core/java/com/android/internal/os/Zygote.java
2. framework/base/core/java/com/android/internal/os/RuntimeInit.java
• Initialize the domain socket to interact with ActivityManagerService
• Fork the SystemServer process, which further forks the framework service threads
• Wait for requests from ActivityManagerService
31. Fobus Surface Info: Requested Permissions
Telephony-related privileges, potentially for:
• Sensitive information stealing
• Premium-rate service dialing
32. Fobus Surface Info: Component Definition
• Activated when an SMS is received
• Activated when boot is completed
• Activated when the device admin privilege is granted/cancelled
Component names are obfuscated.
33. Fobus Surface Info: Resource Definition
• Disguises itself as a legitimate Android updater
• Nice description to cheat naïve victims
• App icon after installation
36. Fobus Analysis Preparation: Create Virtual Device
1. Select the target API level (API 18 for the Fobus malware)
2. Turn on Android SDK tools for the created device
38. Fobus Analysis Preparation: Import Fobus Smali
1. Import the existing Smali artifacts as a Studio project
2. Set the source root for the newly created project
39. Fobus Analysis Preparation: Repackage Fobus
1. Turn on the debug flag in the Manifest
2. Apply Apktool to repackage the sample (source directory Fobus, target FobusDbg.apk):
   java -jar apktool.jar b Fobus -o FobusDbg.apk
3. Create the package key if necessary:
   keytool -genkeypair -alias mykey_alias -keyalg RSA -validity 128 -keystore mykey
4. Sign the package with our key:
   jarsigner -keystore mykey -signedjar FobusDbg.apk FobusDbg.apk mykey_alias
40. Fobus Analysis Preparation
Install and Launch Fobus
1. Drag and drop the package for setup
2. Launch the main activity of Fobus (Package/MainActivity) with the debugger wait flag
adb shell am start -D -n com.zwodrxcj.xnynjps/.L
3. Time to start our Smali debugging
41. Fobus Analysis Preparation
Attach to Fobus
1. Open Android Device Monitor
2. Create a remote debugging configuration bound to port 8700
42. Fobus Analysis Preparation
Attach to Fobus
3. Set our first break point in the constructor of the Fobus Application class
4. Run debugging and we should stop at the break point
43. Fobus Analysis Objective
• Tracing the code decryption and loading logic
  • Dynamic string and class decryption
  • Java reflection for class loading and member resolving
• Realizing the anti-tamper technique
  • The original signing certificate is used for code decryption to prevent software repackaging
• Tiptoeing through part of the malicious actions
44. Fobus Analysis
Dynamic Content Decryption
The overridden Application.onCreate() is actually the common decryption routine
• The frequently appearing behavior footprint:
  • Put the encrypted content in a virtual register
  • Invoke the decryption routine
  • Set the decrypted result in that register
How do we see the decrypted result?
45. Fobus Analysis
Dynamic Content Decryption
Right-click the register and add it to the watch list;
inspect it before and after the decryption
46. Fobus Analysis
Decryption & Java Reflection
1. Decrypt the class name: com.zwodrxcj.xnynjps.Application$RA
2. Resolve the class type
3. Resolve the constructor
4. Prepare the input argument
5. Create the class instance via the specified constructor
47. Fobus Analysis
Drop the Encrypted Package
CFG of Application.dfae()
1. Decrypt the package embedded in a constant string
2. Drop the package in {PRIVATE}/app_dex/new.apk and apply DexFile.loadDex() to load the 2nd-layer code
48. Fobus Analysis
Deploy 2nd Layer Analysis
1. Extract the decrypted payload from {PRIVATE}/app_dex/new.apk
2. Disassemble it and copy the smali files into our Studio project
java -jar apktool.jar d new.apk
3. Set the break point in that class
49. Fobus Analysis
Dive into 2nd Layer
Tasks after the 2nd DEX file is loaded:
Delete the dropped package
Load the Application$d class
Resolve its unpack() method
Call Application$d.unpack()
A more stealthy decryption routine which restores the protected malicious code
50. Fobus Analysis
Anti-Tamper Technique
Entry of Application$d.unpack()
1. Get the signing certificate associated with the APK
2. Apply the 1st signature for decryption later
52. Fobus Analysis
Anti-Tamper Technique
CFG of Application$d.unpack()
1. Call Application$decrypt() with the APK signing signature for decryption
2. Still drop the package to {PRIVATE}/app_dex/new.apk
3. Apply DexFile.loadDex() to load the 3rd-layer code
53. Fobus Analysis
Anti-Tamper Technique
• Since we repackaged the sample, the 3rd-layer code will not be
  present: our signature differs from the original, so the decryption fails
• Two possible solutions
  • Debug the original sample in a custom ROM with a modified default.prop
  • Use dynamic instrumentation to mimic the original signature
54. Fobus Analysis
Deploy 3rd Layer Analysis
1. Disassemble the package and we get the main Activity component
2. Import the Smali files and set the break points on that Activity
55. Fobus Analysis
Malicious Behavior Exploration
• Focusing on the critical parts
  • Registering itself as the device administrator to prevent uninstallation
  • Sniffing incoming SMS messages and performing premium-rate dialing
• Key point to capture the complete behavior
  • Set break points at the “onXYZ()” series callbacks to follow the implicit control flow
56. Fobus Analysis
Tiptoe through the Darkness
CFG of “L.onCreate()”
Register the repeating launch of the “A” and “T” services to AlarmManager
Is admin privilege granted?
  Yes: call “L.b()”
  No: call “L.a()” to start the admin request activity
Initially, the control flow should fall through here (admin not yet granted)
Background Services
• “T” monitors the activation of admin privilege
• “A” handles the telephony-relevant hacking
57. Fobus Analysis
Acquire Admin Privilege
Activation of L.a()
Still string encryption in the unpacked malicious code
Start the activity to request admin privilege
58. Fobus Analysis
Acquire Admin Privilege
Activation of L.onActivityResult()
Lure naïve victims to grant the admin privilege
After the privilege is granted, start to hide itself
59. Fobus Analysis
Hide App Icon
Entry of L.b()
Apply PackageManager.setComponentEnabledSetting() with
COMPONENT_ENABLED_STATE_DISABLED and DONT_KILL_APP
to hide the app icon
60. Fobus Analysis
Prevent Uninstallation
Activation of AD.onDisableRequested()
If the victim tries to deactivate the admin privilege acquired by Fobus,
the defense is triggered: the screen will be locked
63. Locker Surface Info
Manifest Analysis
Disguises itself as a phone performance booster to lure Chinese users
App icon after installation
Activated when device admin privilege is granted
64. Locker Surface Info
How about the Code?
The app logic is hidden and protected in the native shared library
69. Library Loading Review
1. bionic/linker/dlfcn.cpp
2. bionic/linker/linker.cpp
3. bionic/linker/linker_phdr.cpp
The dynamic linker/loader relies on the program header table
to load the segments for library execution
The section header table is “don’t care” here
70. Things to Think
Hard to statically analyze the library code:
must emulate the linker/loader behavior
How about dynamic tracing?
Must realize the timings to set break points
71. Unpacking Library Static View
Dynamic Segment
Important information for the linker/loader:
• Dependent libraries
• Symbols and strings
• Address of the relocation table
• Library initialization functions
Defined in art/runtime/elf.h
72. Unpacking Library Static View
Initialization Function
Library initializers specified with
__attribute__((constructor)) or
__attribute__((section(“.init_array”)))
are executed first by the linker/loader when the
library is loaded into memory, before any JNI entry point such as JNI_OnLoad()
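The two slides above make one point that is easy to verify offline: the loader reads the program header table and the PT_DYNAMIC segment, never the section headers, so a protector can strip sections entirely and the library still runs its initializers. The Python below is an added example (not part of the talk or of any tool it mentions). It constructs a minimal ELF32 ARM shared object in memory with no section header table at all, then walks the program headers the way a loader would to recover DT_NEEDED, DT_INIT and DT_INIT_ARRAY. The library names and the initializer addresses 0x1000/0x2000 are constructed sample values; the tag constants are the standard ELF ones.

```python
import struct

# Constants from the ELF specification (the same values appear in art/runtime/elf.h)
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
DT_INIT, DT_INIT_ARRAY, DT_INIT_ARRAYSZ = 12, 25, 27
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIIIIIHHHHHH", "<8I", "<iI"


def build_sample_so():
    """Constructed ELF32 ARM shared object: one PT_LOAD, one PT_DYNAMIC,
    and deliberately NO section header table (e_shoff = e_shnum = 0)."""
    ehsize, phsize = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)  # 52, 32
    phoff = ehsize
    strtab_off = phoff + 2 * phsize                       # 116
    strtab = b"\0libc.so\0liblog.so\0"                    # constructed DT_NEEDED names
    dyn_off = (strtab_off + len(strtab) + 7) & ~7         # 136, 8-byte aligned
    dyn = [(DT_NEEDED, 1), (DT_NEEDED, 9), (DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab)),
           (DT_INIT, 0x1000), (DT_INIT_ARRAY, 0x2000), (DT_INIT_ARRAYSZ, 8), (DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    total = dyn_off + len(dyn_bytes)                      # 200
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # ELFCLASS32, little endian
    ehdr = struct.pack(EHDR_FMT, ident, 3, 40, 1, 0, phoff, 0, 0,  # ET_DYN, EM_ARM
                       ehsize, phsize, 2, 40, 0, 0)                 # e_shnum = 0
    # Load base 0, so p_vaddr == p_offset for the whole image.
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)
    phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, dyn_off, dyn_off, dyn_off,
                         len(dyn_bytes), len(dyn_bytes), 6, 4)
    img = ehdr + phdrs + strtab
    return img + b"\0" * (dyn_off - len(img)) + dyn_bytes


def parse_dynamic(img):
    """Walk the program header table (what the loader uses), find PT_DYNAMIC and
    report the entries the loader cares about. Section headers are ignored."""
    if img[:4] != b"\x7fELF" or img[4] != 1:
        raise ValueError("only ELF32 images are handled here")
    hdr = struct.unpack_from(EHDR_FMT, img, 0)
    e_phoff, e_phentsize, e_phnum, e_shnum = hdr[5], hdr[9], hdr[10], hdr[12]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, img, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, _, p_filesz = p[:5]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment")

    def vaddr_to_off(addr):
        # DT_* values are virtual addresses; translate through the PT_LOAD map.
        for vaddr, off, size in loads:
            if vaddr <= addr < vaddr + size:
                return addr - vaddr + off
        raise ValueError("address 0x%x not in any PT_LOAD" % addr)

    tags, off, end = [], dynamic[0], dynamic[0] + dynamic[1]
    while off + 8 <= end:
        tag, val = struct.unpack_from(DYN_FMT, img, off)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
        off += 8
    lookup = dict(tags)  # fine for the single-valued tags used below
    strtab = vaddr_to_off(lookup[DT_STRTAB])
    needed = []
    for tag, val in tags:
        if tag == DT_NEEDED:
            s = img[strtab + val:]
            needed.append(s[:s.index(b"\0")].decode())
    return {
        "section_headers": e_shnum,
        "needed": needed,
        "init": lookup.get(DT_INIT),                      # bionic runs this first
        "init_array": (lookup.get(DT_INIT_ARRAY), lookup.get(DT_INIT_ARRAYSZ, 0)),
    }


if __name__ == "__main__":
    print(parse_dynamic(build_sample_so()))
```

The `init` and `init_array` addresses returned here are exactly the places where a packer's unpacking stub can run before JNI_OnLoad(), which is why the slides that follow break on the loader's initializer call rather than on a JNI entry point.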
73. Library Loading Review Cont.
1. bionic/linker/linker.cpp
Invoke the library initializer stored in the .init section
Invoke the library initializers stored in the .init_array section
We can force the debugger to stop at soinfo::CallFunction()
to monitor the library initialization
75. Library Tracing Preparation
Set Debug Server
1. Push the IDA Pro Android debug server under /dbgserv into the emulator
adb push android_server /data/local/tmp
chmod 755 /data/local/tmp/android_server
2. Launch the debug server in the emulator (in guest)
3. Forward the default port for the debug server
adb forward tcp:23946 tcp:23946
76. Library Tracing Preparation
Install and Launch Locker
1. Install the Locker package
2. Launch the main activity of Locker (Package/MainActivity)
adb shell am start -D -n tx.qq898507339.bzy9/tx.qq898507339.bzy9.MainActivity
3. Time to start our IDA debugging
77. Library Tracing Preparation
Attach to Target Process
1. Attach to the remote Android debug server
2. Specify the server address
3. Force the debugger to stop at image load/unload
79. Library Tracing Preparation
Resume the Paused Process
1. Open Android Device Monitor
2. Release the process paused by JDWP
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
3. Start the IDA debugging session
80. Library Tracing
Stop at Library Loading
Before monitoring the library initializers, there is an attribute worth noting
84. Things to Think
Is it really necessary to trace the unpacking logic?
How about setting the break point at JNI_OnLoad() to check the result?
85. Library Tracing
Trapped by Anti-Debug Tricks
Set the break point at JNI_OnLoad() and resume the process
Not that easy: some anti-debug tricks are set in the unpacking logic
86. Library Tracing
Code around the Targeted SysCalls
SVC call #C0 means mmap2(), which may relate to the unpacked data
87. Library Tracing
Code around the Targeted SysCalls
The successive code block of the previous snippet
SVC call #7D means mprotect(), which may relate to the unpacking logic:
change a memory block to PROT_READ | PROT_EXEC permission
and jump to it for execution
88. Things to Think
Is there a more efficient approach to catch the unpacked original DEX?
Back to the DEX level: can we set the break point at DexClassLoader.<init>()?
Its first argument is the list of jar/apk files containing classes and resources,
so we can get the original DEX via the intercepted path string
89. Unpacking Wrapper Tracing
Original DEX Loader
The call trace to create the class loader for the original DEX
Set the break point here to intercept the original DEX
90. Unpacking Wrapper Tracing
Intercept the Original DEX
Pull out the DEX file for further analysis
adb pull /data/data/tx.qq898507339.bzy9/.cache/classes.jar
91. Unpacking Wrapper Tracing
Intercept the Original DEX
Not a valid DEX file, and still packed
The protector may implement its own class loading procedure to evade analysis
92. Things to Think
Is it possible for the protector to fully re-implement the class loading procedure?
The procedure crossing the Java and native scopes is quite complicated
Likely, it unpacks in some hooked native functions
and passes the legal DEX to the procedure
93. Class Loader Tracing
Deeper Inspection
Work in the native scope for class loading and linking
Return the valid address of the linked declaring DexFile
After DexFile.loadDex(), the legal DexFile and its containing Oat file
should lie in memory
94. Dynamic Binary Instrumentation
• How do we
  • Intercept the timing after DexFile.loadDex() has finished
  • Scan the process memory for the Oat file magic
  • Dump the Oat file from memory
• Here comes the DBI gadget based on Xposed
95. Xposed DBI Deployment
Create Virtual Device
1. Apply a GenyMotion emulator with API Level 21 for the Locker malware
2. After the device boots up, install GenyFlash for Xposed deployment
https://github.com/rovo89/GenyFlash
96. Xposed DBI Deployment
Install Framework
1. Drag and drop the package for installation
2. Reboot the device for Xposed activation
97. DBI Gadget Development
Android Studio Project Setup
1. Link the Xposed library
2. Create the asset file to hint Xposed
Please refer to https://github.com/rovo89/XposedBridge/wiki/Development-tutorial for more details
98. DBI Gadget Development
Dex File Hunter Key Steps
• Java scope
  1. Stall the process after DexFile.loadDex() has finished
  2. Invoke the JNI to scan the process memory
• Native scope
  3. Open /proc/self/maps to hunt for the segments mapped from
     “/data/data/tx.qq898507339.bzy9/.cache/classes.dex”
  4. Dump the segments
99. DBI Gadget Development
Craft DEX File Hunter
1. Load the native memory scanner
2. Hint Xposed to hook the method DexFile.loadDex()
3. Start to hunt for the unpacked result loaded in memory
100. DBI Gadget Development
Craft DEX File Hunter
1. Open /proc/self/maps
2. Pinpoint the memory segments which are the possible unpacked result
3. Dump the segments for further analysis
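The native half of the hunter (slides 98 to 100) and the "not a valid DEX file" check from slide 91 both come down to the same two operations: pick the mappings of interest out of /proc/self/maps, then decide whether what sits there is a real DEX or Oat image rather than a stray magic string. The Python below is an added, offline stand-in for that native scanner; it is not the XposedGadget code and it does not touch a live process. The maps lines and the "process memory" it scans are constructed inline: one mapping carries a well-formed DEX (magic, Adler-32 checksum and SHA-1 signature all consistent, as the real format requires), one anonymous mapping carries a bare `dex\n035\0` magic with a zeroed header (the kind of false positive a magic-only grep would dump), and one carries an Oat magic whose version string is a placeholder. The package path is the one from the talk; the dalvik-cache path and all addresses are made up.

```python
import hashlib
import re
import struct
import zlib

# Real DEX/Oat format constants; versions 035..039 are the ones ART recognises.
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
OAT_MAGIC = b"oat\n"
DEX_HEADER_SIZE = 0x70

MAPS_RE = re.compile(r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
                     r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps into (start, end, perms, path) tuples."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return out


def build_dex(payload):
    """Construct a minimal DEX image: 0x70-byte header with a correct
    SHA-1 signature (over bytes 32..end) and Adler-32 checksum (over bytes 12..end)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGICS[0]
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE + len(payload),  # file_size
                     DEX_HEADER_SIZE, 0x12345678)                       # header_size, endian_tag
    img = bytes(hdr) + payload
    img = img[:12] + hashlib.sha1(img[32:]).digest() + img[32:]
    return img[:8] + struct.pack("<I", zlib.adler32(img[12:]) & 0xffffffff) + img[12:]


def dex_size_if_valid(buf):
    """Return file_size if buf starts with a DEX whose checksum and signature verify, else 0.
    This is the check that tells a real unpacked DEX from a leftover magic string."""
    if len(buf) < DEX_HEADER_SIZE or buf[:8] not in DEX_MAGICS:
        return 0
    checksum = struct.unpack_from("<I", buf, 8)[0]
    signature = buf[12:32]
    file_size = struct.unpack_from("<I", buf, 32)[0]
    if file_size < DEX_HEADER_SIZE or file_size > len(buf):
        return 0
    if zlib.adler32(buf[12:file_size]) & 0xffffffff != checksum:
        return 0
    if hashlib.sha1(buf[32:file_size]).digest() != signature:
        return 0
    return file_size


def hunt(maps_text, memory, path_hint=None):
    """Scan mappings (optionally only those whose path contains path_hint) for DEX and
    Oat images. memory maps each mapping's start address to its bytes (constructed here;
    on a device this would be a read of the live process memory)."""
    hits = []
    for start, end, perms, path in parse_maps(maps_text):
        if path_hint and path_hint not in path:
            continue
        data = memory.get(start)
        if data is None:
            continue
        for magic in DEX_MAGICS + (OAT_MAGIC,):
            off = data.find(magic)
            while off != -1:
                if magic == OAT_MAGIC:
                    hits.append({"addr": start + off, "kind": "oat", "path": path, "image": None})
                else:
                    size = dex_size_if_valid(data[off:])
                    if size:  # only a verified DEX is worth dumping
                        hits.append({"addr": start + off, "kind": "dex", "path": path,
                                     "image": data[off:off + size]})
                off = data.find(magic, off + 1)
    return hits


# Constructed sample: the package path is from the talk, everything else is made up.
PKG_DEX = "/data/data/tx.qq898507339.bzy9/.cache/classes.dex"
SAMPLE_MAPS = (
    "b6a00000-b6a10000 r--p 00000000 b3:19 1234 " + PKG_DEX + "\n"
    "b6b00000-b6b10000 rw-p 00000000 00:00 0\n"
    "b6c00000-b6c40000 r-xp 00000000 b3:19 5678 /data/dalvik-cache/arm/constructed@classes.dex\n"
)
SAMPLE_PAYLOAD = b"constructed class data"
SAMPLE_MEMORY = {
    0xb6a00000: b"\0" * 0x40 + build_dex(SAMPLE_PAYLOAD) + b"\0" * 16,
    0xb6b00000: b"junk" + b"dex\n035\0" + b"\0" * 0x80,     # magic only, header zeroed
    0xb6c00000: OAT_MAGIC + b"000\0" + b"\0" * 32,          # version string is a placeholder
}

if __name__ == "__main__":
    for h in hunt(SAMPLE_MAPS, SAMPLE_MEMORY):
        print("%s at 0x%x in %s" % (h["kind"], h["addr"], h["path"] or "<anon>"))
```

Running it without a path hint reports one verified DEX and one Oat hit and silently skips the anonymous mapping, which shows why the dump step should validate the header rather than trust the magic. With `path_hint=".cache/classes.dex"` it narrows to the mapping the talk names; the Oat hit has no size recorded because an Oat image's length is not in its first bytes, so dumping it means taking the whole mapping.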
101. Locker Unpacking Final
Deploy DBI Gadget
1. Drag and drop the package for installation
2. Activate our Xposed module (remember to reboot the device)
3. Push the native memory scanner to /system/lib
105. Locker Unpacking Final
Finally, the Main Entry
C&C action to lock the victim’s screen
OK, we end here to close the complete unpacking story
See https://github.com/ZSShen/XposedGadget for the related source