[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
14 likes7,614 views
The document discusses hooking techniques in Android systems, specifically focusing on ARM architecture and shared library injection. It outlines the steps for finding, modifying, and using hooks in target libraries and applications, including the use of ptrace and dlopen for library injection. The presentation also covers the process of application creation in Android and provides details on function hooking and its implementation.
![3) Call dlopen() ß Thumb
Debugger Application
Backup Register
Values
Set Breakpoint at Next Instruction
Change Register
Values• pc = dlopen() addr
• r0 = stack addr
• r1 = 0
• lr = next instruction’s
addr (pc)
Restore Registers Values,
Remove Breakpoint
Debugger Applicatio
n
Backup Register
Values
Overwrite Code at Next Instruction
Change Register
Values• pc = pc+4
• r0 = stack addr
• r1 = 0
• lr = next instruction’s
addr (pc)
Restore Registers Values,
Restore Code ,
Remove Breakpoint
• break
• ldr pc, [pc, #0]
• 0x0
• dlopen() address
Thumb 모드 ARM 모드
11](https://image.slidesharecdn.com/2014codeengnconference10hookingonandroid-140713113701-phpapp02/85/2014-CodeEngn-Conference-10-Hooking-on-Android-11-320.jpg)
![4) result
Useage : injector [pid] [Library Full Path]
12
끝](https://image.slidesharecdn.com/2014codeengnconference10hookingonandroid-140713113701-phpapp02/85/2014-CodeEngn-Conference-10-Hooking-on-Android-12-320.jpg)
![2) Install Hooker
14
Target Library
Injected Library
LDR PC, [PC]
Function A
NOP
Hook_FunctionA Addr
Ins 4
Ins 1
Ins 2
Ins 1
Ins 2
Ins 3
Branch
Hook_Function A
Orig_Function A
Target Library
Injected Library
Function A
Push {r5}
add r5, pc, #4
ldr r5, {r5}
bx r5
Hook_FunctionA Addr
Ins 7
pop {r5}
Ins 1
Ins 2
Ins 1
Ins 6
Branch
Hook_Function A
Orig_Function A
ARM->ARM Thumb->ARM](https://image.slidesharecdn.com/2014codeengnconference10hookingonandroid-140713113701-phpapp02/85/2014-CodeEngn-Conference-10-Hooking-on-Android-14-320.jpg)
![Solution
• 귀찮으니 그냥 복사하자…
17
Target Library
Injected Library
LDR PC, [PC]
Function A
NOP
Hook_FunctionA Addr
Ins 4
Ins 1
Ins 2
Hook_Function A
Copied Target Library
Function A
Ins 1
Ins 2
Ins 3
Ins 4
Function Pointer](https://image.slidesharecdn.com/2014codeengnconference10hookingonandroid-140713113701-phpapp02/85/2014-CodeEngn-Conference-10-Hooking-on-Android-17-320.jpg)
![How to use
• download : http://bananapayload.org
20
[library path] [Name / Offset] [Function Type]
/system/lib/libc.so malloc void *malloc(size_t size)
/system/lib/test.so 0x400 void sub400(int, int)
./ genLibrarySource [define File] [output path]
Define Format
Source Code
Edit Source & Edit makefile & make library
Useage : injector [pid] [Library Full Path] Hook Success](https://image.slidesharecdn.com/2014codeengnconference10hookingonandroid-140713113701-phpapp02/85/2014-CodeEngn-Conference-10-Hooking-on-Android-20-320.jpg)
[2014 CodeEngn Conference 10] 정광운 - 안드로이드에서도 한번 후킹을 해볼까 (Hooking on Android)
- 1. Hooking on Android 2014.07.05 정광운 exsociety@gmail.com www.CodeEngn.com 2014 CodeEngn Conference 10
- 2. Who am I • 정광운 EXSO (Not EXO) • 27 years old (Single) • CNU & Hackershool & Secu87 • Contact Me – http://facebook.com/exsociety – exsociety@gmail.com – http://bananapayload.org 2
- 4. Android System Overview Applications Application Framework Libraries Linux Kernel Home ....... Music Browser Office Viewer Keypad Driver Display Driver WiFi Driver Camera Driver Flash Memory Driver Audio Driver Power Driver Binder Driver Notification Manager Package Manager Telephony Manager Resource Manager Location Manager Window Manager View System Activity Manager Content Providers OpenGL|ES Surface Manager Free Type SQLite SSL webkit_libmedia_lib libc viewer_lib SGL JNI NDK SDK 앱 레벨 (JAVA) 시스템 레벨 (C/C++) Hooking on ARM Hooking on Android 4
- 5. G al • ARM 기반의 안드로이드 환경 • 시스템의 수정 X (단, 루팅 필요) • 애플리케이션의 수정 X • 애플리케이션의 라이브러리 내 함 수에 대한 후킹 수행 5
- 6. Design of Hooker Shared Library (.so) FunctionA FunctionB Android Application Constructor Target Library Injected Library branch Function A Ins 2 Ins 3 Ins 4 Ins 1 Ins 2 Ins 3 Ins 1 Branch Hook_Function A Orig_Function A 6
- 7. Shared Library Injection • Call dlopen() using ptrace() on application 7
- 8. Shared Library Injection 1) Find dlopen() address Can not found libdl.so on maps /system/bin/linker 소스코드 中 dlopen() /system/bin/linker dlsysm() libdl.so offset dlopen() Address = base address of linker + offset 8
- 9. 2) write library path - use stack - PTRACE_POKEDATA ptrace(PTRACE_POKEDATA, pid, dst address, 4byte_data) 9
- 10. ARM Instruction mode 32-bit 32-bit 32-bit 32-bit 32-bit 16-bit 16-bit 16-bit 16-bit 16-bit ARM Instruction Instruction Instruction Instruction Instruction Thumb 31 0 Function Address CPSR Register T = 0 : ARM Mode T = 1 Thumb Mode 10
- 11. 3) Call dlopen() ß Thumb Debugger Application Backup Register Values Set Breakpoint at Next Instruction Change Register Values• pc = dlopen() addr • r0 = stack addr • r1 = 0 • lr = next instruction’s addr (pc) Restore Registers Values, Remove Breakpoint Debugger Applicatio n Backup Register Values Overwrite Code at Next Instruction Change Register Values• pc = pc+4 • r0 = stack addr • r1 = 0 • lr = next instruction’s addr (pc) Restore Registers Values, Restore Code , Remove Breakpoint • break • ldr pc, [pc, #0] • 0x0 • dlopen() address Thumb 모드 ARM 모드 11
- 12. 4) result Useage : injector [pid] [Library Full Path] 12 끝
- 13. Function Hooking 1) Find function information - Reference Header file - Use Hex-ray 13 https://github.com/EiNSTeiN-/hexrays-python
- 14. 2) Install Hooker 14 Target Library Injected Library LDR PC, [PC] Function A NOP Hook_FunctionA Addr Ins 4 Ins 1 Ins 2 Ins 1 Ins 2 Ins 3 Branch Hook_Function A Orig_Function A Target Library Injected Library Function A Push {r5} add r5, pc, #4 ldr r5, {r5} bx r5 Hook_FunctionA Addr Ins 7 pop {r5} Ins 1 Ins 2 Ins 1 Ins 6 Branch Hook_Function A Orig_Function A ARM->ARM Thumb->ARM
- 15. Why…? • Internal memory reference 15 Function A Orig_Function A Original Code JMP Target Function+N JMP Target Function+N Injected LibraryTarget Library Access Violation Reference Reference Data Offset Code Offet
- 16. • External memory reference 16 Function A Target Function Original Function Original Code JMP Target Function+N JMP Target Function+N Injected LibraryTarget Library Branch Branch Access Violation
- 17. Solution • 귀찮으니 그냥 복사하자… 17 Target Library Injected Library LDR PC, [PC] Function A NOP Hook_FunctionA Addr Ins 4 Ins 1 Ins 2 Hook_Function A Copied Target Library Function A Ins 1 Ins 2 Ins 3 Ins 4 Function Pointer
- 18. Issue 1. Global Hook 18 • 애플리케이션 생성 과정 System Server zygote zygote’ Application ① 앱 실행 요청 ③ 앱 적재② fork() 호출 Activity Manager Activity Manager Package Manager Package Manager Window Manager Window Manager … Dalvik VM libc Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Dalvik VM libc Preloaded class Preloaded class Preloaded resource Preloaded resource Android Application
- 19. Issue 2. 대상 라이브러리가 로드되기 전.. • 라이브러리 로드 함수를 후킹 – dlopen() = 10byte // 최소 12바이트 필요 – dvmLoadNativeCode(char const*, Object*, char**) • dvmLoadNativeCode 종료 시점에 추가적인 Hooker 설치 19
- 20. How to use • download : http://bananapayload.org 20 [library path] [Name / Offset] [Function Type] /system/lib/libc.so malloc void *malloc(size_t size) /system/lib/test.so 0x400 void sub400(int, int) ./ genLibrarySource [define File] [output path] Define Format Source Code Edit Source & Edit makefile & make library Useage : injector [pid] [Library Full Path] Hook Success
- 21. 21