2014 CodeEngn Conference 10
App Libraries, the Way I Want Them~
Hooking is already widely used for many purposes, such as analysis and development. This talk looks at how conventional function hooking was implemented on Android, an ARM-architecture environment, and then, using the implemented tool, at how hooking can be put to use on Android.
http://codeengn.com/conference/10
http://codeengn.com/conference/archive
2. Who am I
• 정광운 EXSO (Not EXO)
• 27 years old (Single)
• CNU & Hackerschool & Secu87
• Contact Me
– http://facebook.com/exsociety
– exsociety@gmail.com
– http://bananapayload.org
13. Function Hooking
1) Find function information
- Reference the header file
- Use Hex-Rays
https://github.com/EiNSTeiN-/hexrays-python
14. 2) Install Hooker
[Figure: installing the hooker, two variants: ARM->ARM and Thumb->ARM]

ARM->ARM. In the Target Library, the first three instructions of Function A (Ins 1, Ins 2, Ins 3) are overwritten with a 12-byte patch:
    LDR PC, [PC]
    NOP
    Hook_FunctionA Addr
Execution therefore lands in Hook_Function A in the Injected Library. Orig_Function A is a trampoline holding the copied Ins 1, Ins 2, Ins 3 followed by a Branch back to Function A at Ins 4.

Thumb->ARM. The first six Thumb instructions of Function A (Ins 1 .. Ins 6) are overwritten with:
    push {r5}
    add r5, pc, #4
    ldr r5, [r5]
    bx r5
    Hook_FunctionA Addr
Orig_Function A starts with pop {r5}, then the copied Ins 1 .. Ins 6, then a Branch back to Function A at Ins 7.
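The two patch shapes above are also what a defender can look for. The following is an added example (not part of the talk or the bananapayload tool) that scans the first bytes of a function for the ARM "LDR PC, [PC, #imm]" word or the Thumb "push {r5}; add r5, pc, #4; ldr r5, [r5]; bx r5" sequence; the sample prologues are constructed little-endian byte arrays, and the hook target address in them is a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classification of a function's first instructions. */
enum hook_kind { HOOK_NONE = 0, HOOK_ARM_LDR_PC = 1, HOOK_THUMB_BX_R5 = 2 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Look for the two patch shapes from the slides at the start of a function:
 * ARM:   "LDR PC, [PC, #+/-imm]"; the U bit and imm12 are masked out, so both
 *        "LDR PC, [PC]" (E59FF000) and "LDR PC, [PC, #-4]" (E51FF004) match.
 * Thumb: "push {r5}; add r5, pc, #4; ldr r5, [r5]; bx r5" (B420 A501 682D 4728). */
enum hook_kind detect_inline_hook(const uint8_t *code, size_t len, int is_thumb)
{
    if (!is_thumb) {
        if (len < 4) return HOOK_NONE;
        if ((rd32(code) & 0xFF7FF000u) == 0xE51FF000u) return HOOK_ARM_LDR_PC;
        return HOOK_NONE;
    }
    if (len < 8) return HOOK_NONE;
    if (rd16(code) == 0xB420 && rd16(code + 2) == 0xA501 &&
        rd16(code + 4) == 0x682D && rd16(code + 6) == 0x4728)
        return HOOK_THUMB_BX_R5;
    return HOOK_NONE;
}

/* Constructed sample prologues (little-endian), not taken from any real binary. */
const uint8_t arm_hooked[12]   = { 0x00,0xF0,0x9F,0xE5,   /* ldr pc, [pc]        */
                                   0x00,0xF0,0x20,0xE3,   /* nop                 */
                                   0x78,0x56,0x34,0x12 }; /* placeholder address */
const uint8_t arm_clean[8]     = { 0x10,0x40,0x2D,0xE9,   /* push {r4, lr}       */
                                   0x04,0xD0,0x4D,0xE2 }; /* sub sp, sp, #4      */
const uint8_t thumb_hooked[12] = { 0x20,0xB4, 0x01,0xA5, 0x2D,0x68, 0x28,0x47,
                                   0x78,0x56,0x34,0x12 }; /* placeholder address */
const uint8_t thumb_clean[8]   = { 0x10,0xB5, 0x04,0xB0, 0x00,0xAF, 0x03,0x60 };

int main(void)
{
    printf("arm_hooked   -> %d\n", detect_inline_hook(arm_hooked, sizeof arm_hooked, 0));
    printf("arm_clean    -> %d\n", detect_inline_hook(arm_clean, sizeof arm_clean, 0));
    printf("thumb_hooked -> %d\n", detect_inline_hook(thumb_hooked, sizeof thumb_hooked, 1));
    printf("thumb_clean  -> %d\n", detect_inline_hook(thumb_clean, sizeof thumb_clean, 1));
    return 0;
}
```

A real scanner would compare each exported function's prologue in process memory against the bytes of the same library on disk, so that legitimate code that happens to start with a PC-relative load is not misreported.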
15. Why…?
• Internal memory reference
[Figure: Function A (Target Library) next to Orig_Function A (Injected Library). The Original Code copied into Orig_Function A contains a reference that is relative to its own position (JMP Target Function+N, with a Data Offset or Code Offset). Once the instruction lives in the Injected Library the same offset no longer points at the intended location, so the reference ends in an Access Violation.]
16. • External memory reference
[Figure: Function A in the Target Library, with the Original Code copied into the Injected Library. A Branch in the copied code that targeted the Original Function (JMP Target Function+N) is still position-relative, so from the Injected Library it resolves to the wrong address and causes an Access Violation.]
17. Solution
• It's a hassle, so just copy the whole thing…
[Figure: Function A in the Target Library is patched with LDR PC, [PC] / NOP / Hook_FunctionA Addr (Ins 1 .. Ins 3 overwritten, Ins 4 remains). Hook_Function A in the Injected Library holds a Function Pointer into a Copied Target Library, where Function A is still intact with Ins 1, Ins 2, Ins 3, Ins 4; because the copy preserves the library layout, the relative references keep working.]
18. Issue 1. Global Hook
• Application creation process
[Figure: System Server -> zygote -> zygote' -> Application. ① App launch request ② fork() call ③ App loading. The System Server holds the Activity Manager, Package Manager, Window Manager, …; zygote holds the Dalvik VM, libc, Preloaded class and Preloaded resource, and every forked zygote' and Android Application inherits those same copies. A hook placed in zygote is therefore inherited by every application forked from it.]
19. Issue 2. Before the target library is loaded..
• Hook the library-loading function
– dlopen() = 10 bytes // at least 12 bytes are needed
– dvmLoadNativeCode(char const*, Object*, char**)
• Install an additional Hooker when dvmLoadNativeCode finishes
20. How to use
• download : http://bananapayload.org

Define Format:
[library path] [Name / Offset] [Function Type]
/system/lib/libc.so malloc void *malloc(size_t size)
/system/lib/test.so 0x400 void sub400(int, int)

Generate Source Code from the define file:
./genLibrarySource [define File] [output path]

Edit Source & Edit makefile & make library

Usage : injector [pid] [Library Full Path]
-> Hook Success