Hooking on Android
2014.07.05 정광운
www.CodeEngn.com / 2014 CodeEngn Conference 10
Who am I
• 정광운, EXSO (Not EXO)
• 27 years old (Single)
• CNU & Hackerschool & Secu87
• Contact Me
  – http://facebook.com/exsociety
  – [email protected]
  – http://bananapayload.org
Android System Overview
[Layer diagram, top to bottom]
• Applications: Home, Music, Browser, Office Viewer, ...  (app level, Java; reached through the SDK)
• Application Framework: ActivityManager, WindowManager, ContentProviders, ViewSystem, NotificationManager, PackageManager, TelephonyManager, ResourceManager, LocationManager
• Libraries: Surface Manager, OpenGL|ES, SGL, FreeType, SQLite, SSL, WebKit, libmedia, libc, viewer_lib  (system level, C/C++; built with the NDK, called from Java through JNI)
• Linux Kernel: Display, Camera, Flash Memory, Binder (IPC), Keypad, WiFi, Audio and Power drivers
• "Hooking on ARM": the hooking in this talk is done at the system level, on native code compiled for ARM, below the Java app level.

Hooking on Android
Design of Hooker
[Diagram] An Android application has loaded a shared library (.so) that exports Function A and Function B. The injected library's constructor installs the hook:
• Target Library, Function A: the first instructions (Ins 1, Ins 2, Ins 3) are overwritten with a branch to Hook_Function A in the injected library; Ins 4 onward is left untouched.
• Injected Library, Orig_Function A (trampoline): holds the displaced Ins 1, Ins 2, Ins 3 followed by a branch back to Function A's Ins 4, so Hook_Function A can call the original through it.
Shared Library Injection
1) Find the dlopen() address
- libdl.so cannot be found in /proc/<pid>/maps: as the /system/bin/linker source code shows, dlopen() and dlsym() are implemented inside the linker itself, and libdl.so is only a stub.
- Read dlopen()'s offset from the linker binary, then:
  dlopen() address = base address of /system/bin/linker (from maps) + offset
2) Write the library path into the target
- Use the target's stack as scratch space for the string
- PTRACE_POKEDATA writes one word per call: ptrace(PTRACE_POKEDATA, pid, dst address, 4-byte data)
ARM Instruction Mode
[Diagram] ARM state: every instruction is 32-bit. Thumb state: instructions are 16-bit.
• Function address (bits 31..0): bit 0 set means the function is Thumb code, bit 0 clear means ARM code; bx/blx use that bit to switch state.
• CPSR register: T = 0 : ARM mode, T = 1 : Thumb mode
3) Call dlopen()
[Diagram: debugger (injector) on one side, application on the other; two variants]

Thumb mode variant
• Backup register values
• Set a breakpoint at the next instruction
• Change register values:
  – pc = dlopen() addr
  – r0 = stack addr (the library path written in step 2)
  – r1 = 0
  – lr = next instruction's addr (the breakpoint)
• Let the application run; dlopen() returns onto the breakpoint
• Restore register values, remove the breakpoint

ARM mode variant
• Backup register values
• Overwrite the code at the next instruction with:
  – break
  – ldr pc, [pc, #0]
  – 0x0
  – dlopen() address
  (in ARM state pc reads as the current instruction + 8, so the ldr loads the dlopen() address word)
• Change register values:
  – pc = pc + 4 (the ldr in the overwritten code)
  – r0 = stack addr (the library path)
  – r1 = 0
  – lr = next instruction's addr (the break)
• Let the application run; dlopen() returns onto the break
• Restore register values, restore the code, remove the breakpoint
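The three injection steps above, as an added example written for this page (not the speaker's injector from bananapayload.org): the maps parsing, the word-by-word path write and the register set, kept host-testable by putting the ptrace(2) call behind a callback. The maps excerpt, the dlopen() offset 0x1234, the library path and the addresses are constructed; setting the CPSR T bit directly is this example's choice, where the slides switch state with the overwritten ARM-mode ldr instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the speaker's injector: the host-testable logic behind
 * the three injection steps.  The ptrace(2) write is behind a callback so the
 * arithmetic can be checked on any machine; on the device the callback is
 *     ptrace(PTRACE_POKEDATA, pid, (void *)addr, (void *)(uintptr_t)word).
 * Sample maps text and addresses below are constructed, not captured. */

#define CPSR_T (1u << 5)   /* Thumb bit of the CPSR */

/* Step 1: the first mapping of `name` in /proc/<pid>/maps is its base address.
 * libdl.so never appears, so the linker itself is the module to look for. */
static uintptr_t module_base(const char *maps, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = maps; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > nlen && p[len - nlen - 1] == ' ' &&
            memcmp(p + len - nlen, name, nlen) == 0)
            return (uintptr_t)strtoul(p, NULL, 16);   /* "start-end perms ..." */
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* dlopen() lives inside /system/bin/linker; its offset comes from the linker
 * binary (symbol table or source), so remote address = base + offset. */
static uintptr_t remote_dlopen(const char *maps, uintptr_t dlopen_offset)
{
    uintptr_t base = module_base(maps, "/system/bin/linker");
    return base ? base + dlopen_offset : 0;
}

/* Step 2: PTRACE_POKEDATA writes one 4-byte word per call, so the path is
 * written to the target's stack word by word (little-endian, NUL included). */
typedef int (*poke_fn)(int pid, uintptr_t addr, uint32_t word, void *ctx);

static int write_remote_string(int pid, uintptr_t dst, const char *s,
                               poke_fn poke, void *ctx)
{
    size_t n = strlen(s) + 1;
    for (size_t off = 0; off < n; off += 4) {
        uint32_t w = 0;
        memcpy(&w, s + off, (n - off < 4) ? n - off : 4);
        if (poke(pid, dst + off, w, ctx) != 0)
            return -1;
    }
    return 0;
}

/* Step 3: the register set to hand to PTRACE_SETREGS.  This variant derives
 * the T bit from bit 0 of the dlopen() pointer instead of using the slides'
 * ARM-mode "ldr pc,[pc,#0]" trampoline; lr points at a breakpoint so the
 * injector regains control when dlopen() returns. */
struct call_plan { uint32_t pc, r0, r1, lr, cpsr; };

static struct call_plan plan_dlopen_call(uint32_t dlopen_addr, uint32_t path_addr,
                                         uint32_t break_addr, uint32_t cpsr)
{
    struct call_plan p;
    p.pc   = dlopen_addr & ~1u;
    p.cpsr = (dlopen_addr & 1u) ? (cpsr | CPSR_T) : (cpsr & ~CPSR_T);
    p.r0   = path_addr;      /* const char *filename */
    p.r1   = 0;              /* flags, as in the slides */
    p.lr   = break_addr;     /* return lands on the breakpoint */
    return p;
}

/* Constructed /proc/<pid>/maps excerpt: the linker is mapped, libdl.so is not. */
static const char SAMPLE_MAPS[] =
    "b6f00000-b6f1b000 r-xp 00000000 b3:0c 123 /system/bin/linker\n"
    "b6f1b000-b6f1c000 r--p 0001a000 b3:0c 123 /system/bin/linker\n"
    "b6f1c000-b6f1d000 rw-p 0001b000 b3:0c 123 /system/bin/linker\n"
    "bef00000-bef21000 rw-p 00000000 00:00 0 [stack]\n";

/* Simulated target memory standing in for ptrace on the host. */
struct sim_mem { uintptr_t base; uint8_t bytes[64]; };

static int sim_poke(int pid, uintptr_t addr, uint32_t word, void *ctx)
{
    struct sim_mem *m = ctx;
    (void)pid;
    if (addr < m->base || addr + 4 > m->base + sizeof m->bytes) return -1;
    memcpy(m->bytes + (addr - m->base), &word, 4);
    return 0;
}

int main(void)
{
    struct sim_mem stack = { 0xbef20f00, {0} };   /* constructed stack scratch area */
    const char *lib = "/data/local/tmp/libhook.so";
    uintptr_t dl = remote_dlopen(SAMPLE_MAPS, 0x1234);
    write_remote_string(1234, stack.base, lib, sim_poke, &stack);
    struct call_plan p = plan_dlopen_call((uint32_t)dl, (uint32_t)stack.base,
                                          0x40000000u, 0x60000010u);
    printf("dlopen @ %#lx, path \"%s\" at %#lx, pc=%#x T=%u\n",
           (unsigned long)dl, (char *)stack.bytes, (unsigned long)stack.base,
           p.pc, (p.cpsr & CPSR_T) != 0);
    return 0;
}
```

On the device the same functions are driven by PTRACE_ATTACH, PTRACE_GETREGS/SETREGS and a real poke callback; the scratch address should sit below the target's sp so the string does not clobber live frames, and if the breakpoint lies in Thumb code, lr needs bit 0 set so dlopen()'s return switches state correctly.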
Function Hooking
1) Find function information
- Reference the header file (prototype and argument types)
- Or use Hex-Rays: https://github.com/EiNSTeiN-/hexrays-python
2) Install Hooker
[Diagram, ARM -> ARM]
• Target Library, Function A: the first 12 bytes (Ins 1, Ins 2, Ins 3) are replaced with
    LDR PC, [PC]
    NOP
    Hook_Function A addr
  (in ARM state PC reads as the current instruction + 8, so the LDR loads the third word); Ins 4 onward is unchanged
• Injected Library, Orig_Function A: Ins 1, Ins 2, Ins 3, then a branch back to Ins 4 in Function A

[Diagram, Thumb -> ARM]
• Target Library, Function A: the first 12 bytes (Ins 1 .. Ins 6, 16-bit each) are replaced with
    push {r5}
    add r5, pc, #4
    ldr r5, [r5]
    bx r5
    Hook_Function A addr
  and Hook_Function A begins with pop {r5} to give the scratch register back; Ins 7 follows the stub
• Injected Library, Orig_Function A: Ins 1 .. Ins 6, then a branch back to Ins 7 in Function A
Why…?
• Internal memory reference
[Diagram] Function A's original code, copied into Orig_Function A in the injected library, contains a reference encoded as a PC-relative data offset or code offset (drawn as "JMP Target Function + N"). At the copy's new address the same offset points somewhere else → Access Violation.
• External memory reference
[Diagram] Likewise, a branch from the copied code to another function of the target library is encoded relative to the original location; executed from the injected library it no longer reaches the target function → Access Violation.

Solution
• It's a hassle to fix every reference, so just copy the whole library…
[Diagram] Target Library: Function A patched with LDR PC, [PC] / NOP / Hook_Function A addr, Ins 4 onward unchanged. Copied Target Library: a second, unpatched copy of the library in which Function A still holds Ins 1 .. Ins 4 with all its references intact. Injected Library: Hook_Function A calls the original through a function pointer into the copy.
Caveat: the copy is a separately loaded library, so its global data and constructors are its own and are not shared with the patched instance.
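Building the two 12-byte entry stubs from "Install Hooker" and checking the displaced instructions for the PC-relative references from the "Why…?" slides, as an added example written for this page (not code from the tool on bananapayload.org). The encodings are the standard ARM/Thumb ones for exactly the instructions the slides list; arm_reads_pc() is a heuristic of this example, not the tool's check, and the addresses and sample instruction words in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the tool's code: the 12-byte entry stubs from the slides
 * and a check for the displaced instructions.  Addresses below are constructed. */

#define STUB_LEN 12   /* both stubs are 12 bytes: why a 10-byte dlopen() cannot be patched */

static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* ARM->ARM:  ldr pc,[pc] ; nop ; <hook addr>
 * In ARM state PC reads as the current instruction + 8, so the load picks up
 * the third word. */
static void build_arm_stub(uint8_t out[STUB_LEN], uint32_t hook)
{
    put32(out + 0, 0xE59FF000u);    /* ldr pc, [pc, #0] */
    put32(out + 4, 0xE1A00000u);    /* nop (mov r0, r0) */
    put32(out + 8, hook);
}

/* Thumb->ARM:  push {r5} ; add r5,pc,#4 ; ldr r5,[r5] ; bx r5 ; <hook addr>
 * Thumb ADR uses Align(PC,4), so the word sits at +8 only when the function
 * start is 4-byte aligned.  The hook must begin with pop {r5} (0xBC20). */
static void build_thumb_stub(uint8_t out[STUB_LEN], uint32_t hook)
{
    put16(out + 0, 0xB420);         /* push {r5} */
    put16(out + 2, 0xA501);         /* add r5, pc, #4 */
    put16(out + 4, 0x682D);         /* ldr r5, [r5] */
    put16(out + 6, 0x4728);         /* bx r5 (bit 0 of the address selects the state) */
    put32(out + 8, hook);
}

/* Pick the stub from bit 0 of the target pointer.  Returns the stub length,
 * -1 if the function is shorter than the stub, -2 if a Thumb target is not
 * 4-byte aligned (the ADR would then read the wrong word). */
static int build_stub(uint32_t target, uint32_t hook, size_t target_size,
                      uint8_t out[STUB_LEN])
{
    if (target_size < STUB_LEN) return -1;
    if (target & 1u) {
        if ((target & 3u) != 1u) return -2;
        build_thumb_stub(out, hook);
    } else {
        build_arm_stub(out, hook);
    }
    return STUB_LEN;
}

/* Heuristic for the "Why...?" slides: does an ARM instruction read PC?  Covers
 * pc-relative loads and address computation (the data-offset case) and B/BL
 * (the code-offset case).  BX is excluded because its Rn field is 1111. */
static int arm_reads_pc(uint32_t insn)
{
    uint32_t op = (insn >> 25) & 7u;
    if (op == 5u) return 1;                                   /* B, BL */
    if ((insn & 0x0FFFFFF0u) == 0x012FFF10u) return 0;        /* BX Rm */
    if (op <= 3u) {                                           /* data-processing, LDR/STR */
        if (((insn >> 16) & 15u) == 15u) return 1;            /* Rn = pc */
        if ((op == 0u || op == 3u) && (insn & 15u) == 15u) return 1;   /* Rm = pc */
    }
    return 0;
}

/* If any displaced instruction is pc-relative, the trampoline copy would fault
 * and the "just copy the whole library" approach is needed instead. */
static int trampoline_needs_copy(const uint32_t *displaced, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (arm_reads_pc(displaced[i])) return 1;
    return 0;
}

int main(void)
{
    uint8_t stub[STUB_LEN];
    /* constructed: an ARM function whose first three words include a pc-relative load */
    uint32_t head[3] = { 0xE92D4010u /* push {r4,lr} */,
                         0xE59F0010u /* ldr r0,[pc,#16] */,
                         0xE1A04000u /* mov r4,r0 */ };
    int n = build_stub(0x40001000u, 0x50002000u, 32, stub);
    return (n == STUB_LEN && trampoline_needs_copy(head, 3)) ? 0 : 1;
}
```

The stub bytes are what the injected library writes over Function A after making the page writable; the displaced words (the first three for ARM, the first six halfwords for Thumb) go into Orig_Function A, and when trampoline_needs_copy() reports a pc-relative instruction the hook should instead call the original through the copied library, as in the Solution slide.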
Issue 1. Global Hook
• Application creation process
[Diagram] System Server → zygote → zygote' → Android Application
  ① app launch request (System Server, which hosts ActivityManager, PackageManager, WindowManager, …, asks zygote)
  ② fork() call (zygote → zygote')
  ③ app loading (zygote' → Android Application)
  zygote, zygote' and the application all carry the same Dalvik VM, libc, preloaded classes and preloaded resources: every app is a fork of zygote, so a hook installed in zygote's address space is inherited by every app started afterwards (a global hook).
Issue 2. Before the target library is loaded…
• Hook the library-loading function
  – dlopen() = 10 bytes // at least 12 bytes are needed for the stub, so it cannot be patched
  – dvmLoadNativeCode(char const*, Object*, char**) instead
• Install the additional hooker when dvmLoadNativeCode returns (the target library is mapped by then)
How to use
• download : http://bananapayload.org

Define Format
[library path] [Name / Offset] [Function Type]
/system/lib/libc.so   malloc   void *malloc(size_t size)
/system/lib/test.so   0x400    void sub400(int, int)

Source Code
./genLibrarySource [define File] [output path]
Edit source & edit makefile & make library

Usage : injector [pid] [Library Full Path]
→ Hook Success