Transcript of Playing Hide and Seek with Dalvik Executables · 2016-05-26
Playing Hide and Seek with Dalvik Executables
Axelle Apvrille
Hack.Lu, October 2013
Who am i?
whoami
#!/usr/bin/perl -w
my $self = {
    realname  => 'Axelle Apvrille',
    nickname  => 'Crypto Girl',
    twitter   => '@cryptax',
    job       => 'Malware Analyst and Researcher',
    # reverse engineering of incoming mobile malware
    # research and tools in related areas
    title     => 'Senior', # white hair
    company   => 'Fortinet, FortiGuard Labs',
    before    => 'Security software eng.: protocols, crypto...',
    languages => 'French, English, Hexadecimal :)'
};
Hack.Lu 2013 - A. Apvrille 2/20
Quick background
Android mobile phone
Applications: APK
Inside the APK: DEX
Dalvik Executable with Dalvik bytecode (the file starts with the magic dex\n035\0, which the slide's hex dump renders as dex.035.V..d..$g)
Inside the DEX
Classes, methods, fields, strings ('bytes', '** I am Mr Hyde **', '<init>', ...)
Part 1: Hiding a method
Application source code
    public void thisishidden(boolean ismrhyde) {
        Log.i("HideAndSeek",
              "In thisishidden(): set mrhyde=" + ismrhyde);
        try {
            File dir;
            if (context != null) {
                ...
Method thisishidden(): hidden to disassemblers
- Baksmali does not see it
- dex2jar does not see it
- IDA Pro does not see it
- Androguard does not see it
Hiding / Revealing demo
Demo: https://github.com/cryptax/dextools
Format of a DEX file
Header
Arrays: list of String Ids, list of Type Ids, list of Field Ids, list of Method Ids, list of Class Defs
Data
Inside the list of class definitions
encoded_method
- access_flags: ACC_PUBLIC, ACC_PRIVATE, ACC_STATIC...
- code_off: offset to the code from the beginning of the DEX file
- method_idx_diff: increment to the method indexes
[Diagram: the class_def_item (in the Arrays section, next to the Type Ids) holds an offset to a class_data_item in the Data section; the class_data_item contains the list of fields, then the direct methods and the virtual methods, each as a list of encoded_method entries]
How to hide
Trick
Modify the chaining of methods and skip the hidden method. The info for the hidden method is still there, but won't be read.
Implementation
- method_idx_diff: modify it for the hidden method + modify it for the 'other' method
- code_off: refer to the other method
- access_flags: nothing to do
- direct_methods_size (or virtual_methods_size): nothing to do
Visual representation of chaining
[Diagram: the Method Ids table lists [1] A, [2] B, [3] C; the class data holds Encoded Method A, Encoded Method B and Encoded Method C, pointing to Code of A, Code of B and Code of C respectively. After the trick, the chain of encoded methods no longer leads to Encoded Method B, while Code of B stays in the file.]
Hiding - for advanced users
Some more tricks
- access_flags: you may modify them, but must choose a flag valid within direct methods or virtual methods
- Single method? Set direct_methods_size (or virtual_methods_size) and nullify the encoded_method
Re-build the APK
Build a valid DEX
- Compute the SHA-1 of the new DEX
- Write it to the header
- Compute the checksum of the new DEX
- Write it to the header
- https://github.com/cryptax/dextools
Re-build the APK
- Unzip the original APK: retrieve manifest, resources...
- Zip a new APK with the new DEX + the same manifest and resources
- Sign the package (jarsigner)
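The "Build a valid DEX" steps above, as an added Python example that is neither the slide deck's code nor cryptax/dextools: it recomputes the header's SHA-1 signature and then the Adler-32 checksum in that order (the checksum covers the freshly written signature), and offers the inverse check a reviewer wants, verifying whether a DEX's stored hashes still match its bytes. The header offsets (magic at 0, checksum at 8, signature at 12, file_size at 32, header_size at 36) come from the DEX format; the file built by constructed_dex() is a constructed header plus filler, not loadable bytecode.

```python
"""Recompute and verify the DEX header checksum and SHA-1 signature.

Added example, not the slide deck's code nor cryptax/dextools. DEX header
layout assumed from the format: magic (8 bytes) at 0, adler32 checksum at 8
covering everything from offset 12 to the end, SHA-1 signature at 12 covering
everything from offset 32 to the end, file_size at 32, header_size at 36.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
CHECKSUM_OFF = 8
SIGNATURE_OFF = 12
FILE_SIZE_OFF = 32


def compute_signature(dex):
    """SHA-1 over everything after the magic, checksum and signature fields."""
    return hashlib.sha1(dex[SIGNATURE_OFF + 20:]).digest()


def compute_checksum(dex):
    """adler32 over everything after the magic and checksum (signature included)."""
    return zlib.adler32(bytes(dex[CHECKSUM_OFF + 4:])) & 0xFFFFFFFF


def fix_hashes(dex):
    """Re-hash a patched DEX in the slide's order: signature first, then the
    checksum, because the checksum's input contains the signature field."""
    buf = bytearray(dex)
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 20] = compute_signature(buf)
    struct.pack_into("<I", buf, CHECKSUM_OFF, compute_checksum(buf))
    return bytes(buf)


def verify_hashes(dex):
    """Report which header fields agree with the bytes. A mismatch on a file
    that nonetheless ships inside an APK is a sign the DEX was edited by hand."""
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        return {"magic": False, "checksum": False, "signature": False, "file_size": False}
    stored_checksum = struct.unpack_from("<I", dex, CHECKSUM_OFF)[0]
    stored_signature = dex[SIGNATURE_OFF:SIGNATURE_OFF + 20]
    stored_size = struct.unpack_from("<I", dex, FILE_SIZE_OFF)[0]
    return {
        "magic": True,
        "checksum": stored_checksum == compute_checksum(dex),
        "signature": stored_signature == compute_signature(dex),
        "file_size": stored_size == len(dex),
    }


def constructed_dex(payload):
    """Constructed sample: a 0x70-byte header with zeroed hash fields followed
    by arbitrary payload bytes. Not a loadable DEX; it only exercises the
    header fields the slide talks about."""
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, FILE_SIZE_OFF, HEADER_SIZE + len(payload))
    struct.pack_into("<I", header, 36, HEADER_SIZE)   # header_size
    struct.pack_into("<I", header, 40, 0x12345678)    # endian_tag, little-endian
    return bytes(header) + payload


if __name__ == "__main__":
    raw = constructed_dex(b"constructed class data, not real bytecode")
    print("before fix:", verify_hashes(raw))       # checksum and signature False
    fixed = fix_hashes(raw)
    print("after fix: ", verify_hashes(fixed))     # all True
    tampered = bytearray(fixed)
    tampered[-1] ^= 0xFF                           # one byte changed after hashing
    print("tampered:  ", verify_hashes(bytes(tampered)))
```

Because the checksum covers the signature field, writing the checksum before the signature leaves a file that the verifier rejects on the checksum; the slide's order is the only one that works, and verify_hashes() is the quick triage step before looking inside a DEX that a disassembler shows nothing unusual in.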
Part 2: calling the hidden method
Calling thisishidden()
- The method is hidden to disassemblers
- ... but it can be run!
The Strange Case of Dr Jekyll and Mr Hyde - R. Stevenson
- Split personalities: Dr Jekyll or Mr Hyde
- Only one way to change into Mr Hyde: call thisishidden()
- Current personality displayed in the main activity
Demo :)
Implementation - Step 1/4
Load the current DEX file
openNonAsset() is not directly accessible → use reflection
    // get AssetManager class via reflection
    Class localClass = Class.forName("....AssetManager");
    Class[] arrayOfClass = new Class[1];
    arrayOfClass[0] = String.class;
    // get openNonAsset method
    Method localMethod = localClass.getMethod("openNonAsset", ...
    AssetManager localAssetManager = this.context.getAssets();
    Object[] arrayOfObject = new Object[1];
    arrayOfObject[0] = paramString;
    // invoke method
    InputStream localInputStream = (InputStream)localMethod.invoke(...);
Implementation - Step 2/4
Patch the DEX
Undo what we did: re-chain the hidden method, re-hash and checksum the DEX
    int patch_index = 0x2c99;
    dex[patch_index++] = 1;          // method_idx_diff
    dex[patch_index++] = 1;          // access flag
    dex[patch_index++] = (byte)0xcc; // code offset
    dex[patch_index++] = (byte)0x28;
    dex[patch_index++] = 1;
Implementation - Step 3/4
Open the modified DEX
- Use reflection to call openDexFile()
    native private static int openDexFile(byte[] fileContents);
- It returns a cookie = pointer to the internal struct for the DEX
- Load the modified class using defineClass()
    Class patchedHyde = null;
    Log.i("HideAndSeek", "retrieving patched MrHyde class");
    if (defineClassMethod != null) {
        patchedHyde = (Class) defineClassMethod.invoke(dexFileClass, params);
    }
Implementation - Step 4/4
Invoke the hidden method
- Search for the hidden method (getDeclaredMethods())
- Instantiate an object
- Call thisishidden()
    Object obj = patchedHyde.getDeclaredConstructor(Context.class)
                            .newInstance(context);
    Log.i("HideAndSeek", "after new Instance");
    arg[0] = Boolean.valueOf(true);
    Log.i("HideAndSeek", "invoking thisishidden()...");
    thisishiddenMethod.invoke(obj, arg);
It's two different classes
[Diagram: MrHyde and Modified MrHyde side by side, each with its own static field, its own instance field and its own thisishidden method]
Does not work! Each class has its own static and instance fields, so state set in one is not seen by the other.
Use shared files
Hiding, so what?
Dangers
It can be used to hide some malicious feature
Detection
The strings are not hidden. The bytecode is there.
Solutions
- Use my patch/unpatch tool: hidex.pl
- Disassemble bytecode at a given location: androdis.py
- Fix Android: verify the consistency of the encoded methods
- Google notified in June 2013
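The "verify consistency of encoded method" fix suggested above, together with the encoded_method layout and the chaining trick described on the earlier "Inside the list of class definitions" and "How to hide" slides, as an added Python example; it is not the deck's code and not hidex.pl or androdis.py. It parses a class_data_item (ULEB128 sizes, the fields, then the direct and virtual encoded_method lists) and reports what a chained-out method leaves behind: a zero method_idx_diff on a non-first entry, two entries sharing a code_off, a method_idx beyond the method_ids table, and a method_id of this class that no entry claims. The two class_data_item samples and the method_ids table are constructed; the HIDDEN sample follows the slide's description of the trick, and exactly which bytes hidex.pl changes is an assumption here.

```python
"""Consistency check of encoded_method chaining in a DEX class_data_item.

Added example, not the slide deck's code and not hidex.pl or androdis.py.
Layout assumed from the DEX format: class_data_item = ULEB128
static_fields_size, instance_fields_size, direct_methods_size,
virtual_methods_size, then the encoded_fields (ULEB128 field_idx_diff,
access_flags) and the encoded_methods (ULEB128 method_idx_diff, access_flags,
code_off). Within a method list, an entry's method_idx is the previous
entry's method_idx plus its diff; the first entry's diff is absolute.
"""


def uleb(value):
    """Encode an int as ULEB128; used only to build the constructed samples."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(buf, pos):
    """Decode one ULEB128 value at buf[pos]; returns (value, next_pos)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 28:  # DEX ULEB128 values are at most 5 bytes
            raise ValueError("ULEB128 value too long")


def parse_class_data(buf, pos=0):
    """Return (direct_methods, virtual_methods) as lists of dicts holding the
    raw diff, the resolved method_idx, access_flags and code_off."""
    sizes = []
    for _ in range(4):
        value, pos = read_uleb128(buf, pos)
        sizes.append(value)
    static_n, instance_n, direct_n, virtual_n = sizes
    for _ in range(2 * (static_n + instance_n)):  # skip encoded_fields
        _, pos = read_uleb128(buf, pos)
    lists = []
    for count in (direct_n, virtual_n):
        methods, idx = [], 0
        for _ in range(count):
            diff, pos = read_uleb128(buf, pos)
            flags, pos = read_uleb128(buf, pos)
            code_off, pos = read_uleb128(buf, pos)
            idx += diff
            methods.append({"diff": diff, "method_idx": idx,
                            "access_flags": flags, "code_off": code_off})
        lists.append(methods)
    return lists[0], lists[1]


def find_chaining_anomalies(direct, virtual, method_ids_size):
    """Report a zero diff on a non-first entry (two entries resolve to one
    method), two entries sharing a code_off, or a method_idx past the table."""
    findings = []
    for name, methods in (("direct", direct), ("virtual", virtual)):
        first_user = {}  # code_off -> position of the entry that used it first
        for n, m in enumerate(methods):
            if n > 0 and m["diff"] == 0:
                findings.append(f"{name}[{n}]: diff 0 repeats method_idx {m['method_idx']}")
            if m["method_idx"] >= method_ids_size:
                findings.append(f"{name}[{n}]: method_idx {m['method_idx']} outside method_ids")
            if m["code_off"] and m["code_off"] in first_user:
                findings.append(f"{name}[{n}]: code_off {m['code_off']:#x} shared with {name}[{first_user[m['code_off']]}]")
            first_user.setdefault(m["code_off"], n)
    return findings


def unreferenced_class_methods(class_idx, method_ids, direct, virtual):
    """method_ids entries typed on this class that no encoded_method claims;
    a chained-out method's id is still in the table, so it shows up here."""
    claimed = {m["method_idx"] for m in direct + virtual}
    return [i for i, mid in enumerate(method_ids)
            if mid["class_idx"] == class_idx and i not in claimed]


# Constructed method_ids table: indexes 1..3 are methods A, B, C of class_idx 7.
METHOD_IDS = [{"class_idx": 3, "name": "i"},
              {"class_idx": 7, "name": "a"},
              {"class_idx": 7, "name": "b"},
              {"class_idx": 7, "name": "c"}]

# Constructed class_data_item: no fields, three direct methods, no virtual ones.
CLEAN = (uleb(0) + uleb(0) + uleb(3) + uleb(0)
         + uleb(1) + uleb(1) + uleb(0x100)   # A: diff 1 -> idx 1, ACC_PUBLIC
         + uleb(1) + uleb(1) + uleb(0x200)   # B: diff 1 -> idx 2
         + uleb(1) + uleb(1) + uleb(0x300))  # C: diff 1 -> idx 3

# Same item with B chained out as the 'How to hide' slide describes (the exact
# byte-level edit is assumed): B's entry now jumps to C (diff 2) and borrows
# C's code_off, and C's own entry gets diff 0. B's method_id and code remain.
HIDDEN = (uleb(0) + uleb(0) + uleb(3) + uleb(0)
          + uleb(1) + uleb(1) + uleb(0x100)
          + uleb(2) + uleb(1) + uleb(0x300)
          + uleb(0) + uleb(1) + uleb(0x300))


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("hidden", HIDDEN)):
        direct, virtual = parse_class_data(blob)
        print(label, [m["method_idx"] for m in direct],
              find_chaining_anomalies(direct, virtual, len(METHOD_IDS)),
              unreferenced_class_methods(7, METHOD_IDS, direct, virtual))
```

Applied to the two bytes 0xcc 0x28 written as the code offset on the Step 2 slide, read_uleb128 returns 0x144c. The unreferenced-method check also fires for a legitimately invoked inherited method (a method_id typed on a subclass that defines no such method), so treat its hits as leads to disassemble at that location rather than as proof; the zero-diff and shared-code_off findings have no such benign explanation.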
Thank You!
Thanks to @pof ... and for your attention!
FortiGuard Labs
Follow us on Twitter: @FortiGuardLabs or on our blog http://blog.fortinet.com
Me
Twitter: @cryptax
e-mail: aapvrille at fortinet dot com
source code: https://github.com/cryptax/dextools
Are those PowerPoint slides? No way! It's LaTeX + TikZ + Beamer + Lobster