DIFFDroid_Anto_Joseph_HIP_2016
ANTO JOSEPH

@whoami
• Security Engineer @ Intel
• Past Speaker / Trainer @ Brucon, HITB Amsterdam, NullCon, GroundZero, c0c0n …
• Will be speaking @ Defcon, Blackhat
• Mobile Security / IoT Enthusiast
• Interested in Machine Learning / Neural Networks
• When not hacking, you can find me filling visa applications :|

DYNAMIC INSTRUMENTATION
• Using Xposed Modules
• Using adbi
• Other tools using library injection techniques, LD_PRELOAD
• Xposed Framework being the most famous, with the larger user / developer base

What Is Hooking ?

How it’s done currently ?
• Xposed Framework
• Xposed modules are intended to make long-lasting changes to devices
• Install Xposed Installer, which installs the Xposed bridge
• Replaces app_process with a modified version which loads the bridge, which enables the hooking functionality
• Write an app in Java (Android Studio) against the Xposed deps and install it on the device
• To activate the module, reboot
• If you need to change something, reboot

DEMO – XPOSED

What Do We Want In Our Solution ?
• Should be fast
• Should be simple
• Should be easy to learn
• Should just work !

DIFF-DROID

DIFF-DROID
• Based on Frida
• Supports hooking native and Java methods
• Web UI, with editable scripts to hook Android methods
• Re-usable modules which can be combined as well
• Instant changes in hooking scripts
• No restarts at all

DEMO

RUNNING DROID-FF
• Start redis server
• Start gunicorn diff-gui:app --worker-class gevent --bind 127.0.0.1:80 (binding to port 80 needs root privileges on the host; otherwise pick a high port and browse to that port instead)
• Start Android emulator (Android 4.4.4)
• Push frida-server to /data/local/tmp
• Exec frida-server
• Browse to http://127.0.0.1

How Does It Work
• Frida:
• The core of the app is handled by Frida.
• Takes care of hooking native and Java code
• Written by Ole André Vadla Ravnås
• Supports Windows / Unix / Android / iOS platforms

INTERNALS
• frida-server injects a native library into the process using the ptrace API. This is the only supported injection mechanism for now.
• Loads the hook code and replaces / logs the function / arguments accordingly
• The send() method is used to send data from the JVM side to the Python side
• Java.perform is used to hook Dalvik code
• Interceptor.attach is used to hook native code
• Most exceptions are handled gracefully with a detailed stack trace

CONT ..
• Zero modification to the device
• Just push the frida-server binary to the device and exec it (requires root)
• Communicates with the on-device component over adb
• Updates from the instrumentation script are pushed to the web UI using server-side push for real-time updates
• Using redis-server as the message queue

How Do We Write A Hook ?

Look Up The Api

WRITING A NEW HOOK - DALVIK
    Java.perform(function () {
        // Wrap the Java class; assigning .implementation replaces the method body in place
        var TM = Java.use("android.os.Debug");
        TM.isDebuggerConnected.implementation = function () {
            // Always report "no debugger attached", defeating a simple anti-debugging check
            return false;
        };
    });

WRITING A NEW HOOK – NATIVE STYLE
    Interceptor.attach(Module.findExportByName("libc.so", "open"), {
        onEnter: function (args) {
            // open(const char *pathname, int flags, ...): args[0] is the pathname pointer;
            // args[1] is the integer flags word, so reading a string from it would fault
            send(Memory.readUtf8String(args[0]));
        }
    });
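The two hook snippets above and the INTERNALS / CONT.. slides (frida-server injects the agent, send() carries data from the JVM side to the Python side, redis-server serves as the message queue, script errors surface with a stack trace) fit together as one host-side script. The following is an added example, not diff-gui's own code: it embeds an agent that combines the Dalvik hook and the native open() hook, loads it through Frida's Python bindings, and routes every message the agent sends onto a queue. The target package name, the Redis key, and the record layout pushed onto the queue are assumptions; when Redis is not configured, an in-memory queue stands in for it.

```python
"""Host side of a Frida hooking pipeline: load a JavaScript agent into an
Android process, receive its send() messages in Python, and push each one
onto a message queue (Redis, or an in-memory stand-in for offline use).

Added example, not diff-gui's own code. Assumed: TARGET_PROCESS, REDIS_KEY
and the record layout written to the queue.
"""
import json
from collections import deque

# Frida agent (JavaScript). The deck's two hooks combined: Java.perform for
# android.os.Debug.isDebuggerConnected(), Interceptor.attach for libc open().
AGENT_SOURCE = r"""
Java.perform(function () {
    var Debug = Java.use("android.os.Debug");
    Debug.isDebuggerConnected.implementation = function () {
        send({ hook: "Debug.isDebuggerConnected", forced: false });
        return false;
    };
});

Interceptor.attach(Module.findExportByName("libc.so", "open"), {
    onEnter: function (args) {
        // open(const char *pathname, int flags, ...): the path is args[0]
        this.path = args[0].readUtf8String();
    },
    onLeave: function (retval) {
        send({ hook: "open", path: this.path, fd: retval.toInt32() });
    }
});
"""

TARGET_PROCESS = "com.example.target"  # assumed package name
REDIS_KEY = "diff-gui:events"          # assumed queue key


def handle_message(message, data, sink):
    """Route one agent message onto `sink` and return the record that was pushed.

    Frida delivers script.on("message") callbacks as dicts:
      {"type": "send", "payload": <value passed to send() in the agent>}
      {"type": "error", "description": ..., "stack": ..., "fileName": ...,
       "lineNumber": ..., "columnNumber": ...}
    `data` is an optional binary blob (second argument of send() in the agent).
    """
    kind = message.get("type")
    if kind == "send":
        record = {"kind": "event", "payload": message["payload"]}
        if data is not None:
            record["data_len"] = len(data)
    elif kind == "error":
        # A throwing hook script does not kill the session; it arrives here.
        # Keep the stack so the UI can show where the script broke.
        record = {
            "kind": "error",
            "description": message.get("description"),
            "location": "%s:%s" % (message.get("fileName"), message.get("lineNumber")),
            "stack": message.get("stack"),
        }
    else:
        record = {"kind": "unknown", "raw": message}
    sink(json.dumps(record))
    return record


def memory_sink():
    """Queue stand-in for offline use; returns (push_callable, queue)."""
    queue = deque()
    return queue.append, queue


def redis_sink(key=REDIS_KEY, host="127.0.0.1", port=6379):
    """Push each record onto a Redis list (RPUSH), the role redis plays in diff-gui."""
    import redis  # imported lazily so the module loads without redis installed
    client = redis.Redis(host=host, port=port)
    return lambda item: client.rpush(key, item)


def run(target=TARGET_PROCESS, sink=None):
    """Attach to `target` on the USB/emulator device, load the agent, pump messages."""
    import frida  # lazy: only needed when actually attaching to a device
    if sink is None:
        sink, _ = memory_sink()
    device = frida.get_usb_device()
    session = device.attach(target)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", lambda message, data: handle_message(message, data, sink))
    script.load()
    input("Hooks loaded; press Enter to detach.\n")
    session.detach()


if __name__ == "__main__":
    run()
```

With a rooted device or emulator running frida-server and a Redis server on the host, call `run(sink=redis_sink())`; the web UI side then only has to BLPOP the key and push records to the browser. The lazy imports keep `handle_message` testable on a machine with neither frida nor redis installed.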
SOURCE CODE :
• https://github.com/antojoseph/diff-gui

FUTURE
• Adding more modules (contributions are welcome)
• Support iOS
• Supporting Frida in ART (it’s almost on its way)

FEW WORDS FROM OLE ANDRÉ VADLA RAVNÅS
• Future of Frida is the Community !
• We have an active IRC @ freenode #frida
• Frida Mailing List
• Happy to have community contributions in terms of code / documentation / apps based on Frida

RESOURCES
• https://rotlogix.com/2015/09/13/defeating-ssl-pinning-in-coin-for-android/
• https://cedricvb.be/post/seccon-2015-reverse-engineering-android-apk-2-400-writeup/
• http://blog.csdn.net/autohacker/article/details/50503261
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html

THANK YOU
• Questions ?