[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
•
14 j'aime•7,573 vues
2014 CodeEngn Conference 10 앱의 라이브러리를 내맘대로~ 후킹은 이미 분석이나 개발등 다양한 목적으로 많이 사용되고 있다. 기존의 함수 후킹을 ARM 아키텍처 환경인 안드로이드에서 어떻게 구현했는지에 대해 알아보고 구현된 도구를 통해 안드로이드 환경에서 후킹을 어떻게 활용할 수 있는지에 대해 알아본다. http://codeengn.com/conference/10 http://codeengn.com/conference/archive
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (9)
Similaire à [2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
Similaire à [2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android) (20)
Plus de GangSeok Lee
Plus de GangSeok Lee (20)
Dernier
Dernier (20)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
- 1. Hooking on Android 2014.07.05 정광운 exsociety@gmail.com www.CodeEngn.com 2014 CodeEngn Conference 10
- 2. Who am I • 정광운 EXSO (Not EXO) • 27 years old (Single) • CNU & Hackershool & Secu87 • Contact Me – http://facebook.com/exsociety – exsociety@gmail.com – http://bananapayload.org 2
- 4. Android System Overview Applications Application Framework Libraries Linux Kernel Home ....... Music Browser Office Viewer Keypad Driver Display Driver WiFi Driver Camera Driver Flash Memory Driver Audio Driver Power Driver Binder Driver Notification Manager Package Manager Telephony Manager Resource Manager Location Manager Window Manager View System Activity Manager Content Providers OpenGL|ES Surface Manager Free Type SQLite SSL webkit_libmedia_lib libc viewer_lib SGL JNI NDK SDK 앱 레벨 (JAVA) 시스템 레벨 (C/C++) Hooking on ARM Hooking on Android 4
- 5. G al • ARM 기반의 안드로이드 환경 • 시스템의 수정 X (단, 루팅 필요) • 애플리케이션의 수정 X • 애플리케이션의 라이브러리 내 함 수에 대한 후킹 수행 5
- 6. Design of Hooker Shared Library (.so) FunctionA FunctionB Android Application Constructor Target Library Injected Library branch Function A Ins 2 Ins 3 Ins 4 Ins 1 Ins 2 Ins 3 Ins 1 Branch Hook_Function A Orig_Function A 6
- 7. Shared Library Injection • Call dlopen() using ptrace() on application 7
- 8. Shared Library Injection 1) Find dlopen() address Can not found libdl.so on maps /system/bin/linker 소스코드 中 dlopen() /system/bin/linker dlsysm() libdl.so offset dlopen() Address = base address of linker + offset 8
- 9. 2) write library path - use stack - PTRACE_POKEDATA ptrace(PTRACE_POKEDATA, pid, dst address, 4byte_data) 9
- 10. ARM Instruction mode 32-bit 32-bit 32-bit 32-bit 32-bit 16-bit 16-bit 16-bit 16-bit 16-bit ARM Instruction Instruction Instruction Instruction Instruction Thumb 31 0 Function Address CPSR Register T = 0 : ARM Mode T = 1 Thumb Mode 10
- 11. 3) Call dlopen() ß Thumb Debugger Application Backup Register Values Set Breakpoint at Next Instruction Change Register Values• pc = dlopen() addr • r0 = stack addr • r1 = 0 • lr = next instruction’s addr (pc) Restore Registers Values, Remove Breakpoint Debugger Applicatio n Backup Register Values Overwrite Code at Next Instruction Change Register Values• pc = pc+4 • r0 = stack addr • r1 = 0 • lr = next instruction’s addr (pc) Restore Registers Values, Restore Code , Remove Breakpoint • break • ldr pc, [pc, #0] • 0x0 • dlopen() address Thumb 모드 ARM 모드 11
- 12. 4) result Useage : injector [pid] [Library Full Path] 12 끝
- 13. Function Hooking 1) Find function information - Reference Header file - Use Hex-ray 13 https://github.com/EiNSTeiN-/hexrays-python
- 14. 2) Install Hooker 14 Target Library Injected Library LDR PC, [PC] Function A NOP Hook_FunctionA Addr Ins 4 Ins 1 Ins 2 Ins 1 Ins 2 Ins 3 Branch Hook_Function A Orig_Function A Target Library Injected Library Function A Push {r5} add r5, pc, #4 ldr r5, {r5} bx r5 Hook_FunctionA Addr Ins 7 pop {r5} Ins 1 Ins 2 Ins 1 Ins 6 Branch Hook_Function A Orig_Function A ARM->ARM Thumb->ARM
- 15. Why…? • Internal memory reference 15 Function A Orig_Function A Original Code JMP Target Function+N JMP Target Function+N Injected LibraryTarget Library Access Violation Reference Reference Data Offset Code Offet
- 16. • External memory reference 16 Function A Target Function Original Function Original Code JMP Target Function+N JMP Target Function+N Injected LibraryTarget Library Branch Branch Access Violation
- 17. Solution • 귀찮으니 그냥 복사하자… 17 Target Library Injected Library LDR PC, [PC] Function A NOP Hook_FunctionA Addr Ins 4 Ins 1 Ins 2 Hook_Function A Copied Target Library Function A Ins 1 Ins 2 Ins 3 Ins 4 Function Pointer
- 18. Issue 1. Global Hook 18 • 애플리케이션 생성 과정 System Server zygote zygote’ Application ① 앱 실행 요청 ③ 앱 적재② fork() 호출 Activity Manager Activity Manager Package Manager Package Manager Window Manager Window Manager … Dalvik VM libc Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Android Application
- 19. Issue 2. 대상 라이브러리가 로드되기 전.. • 라이브러리 로드 함수를 후킹 – dlopen() = 10byte // 최소 12바이트 필요 – dvmLoadNativeCode(char const*, Object*, char**) • dvmLoadNativeCode 종료 시점에 추가적인 Hooker 설치 19
- 20. How to use • download : http://bananapayload.org 20 [library path] [Name / Offset] [Function Type] /system/lib/libc.so malloc void *malloc(size_t size) /system/lib/test.so 0x400 void sub400(int, int) ./ genLibrarySource [define File] [output path] Define Format Source Code Edit Source & Edit makefile & make library Useage : injector [pid] [Library Full Path] Hook Success
- 21. 21