
DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE, or hooking for dummies (PowerPoint PPT presentation)



  1. DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE. Or hooking for dummies. https://github.com/FrenchYeti/dexcalibur.git

  2. WHO AM I ? GEORGES-B. MICHEL
  ▸ @FrenchYeti
  ▸ yeti@0xff.ninja, aka @FrenchYeti
  ▸ Software Security Evaluator at Thales
  ▸ Day: reverse engineering of Android + TEE apps (HCE payment applications, Trusted Applications, ARM binaries)
  ▸ Night: developing reverse / pentest / appsec tools
  ▸ Frida addict

  3. EXAMPLE OF AN OBFUSCATED ANDROID APPLICATION

  4-8. MOTIVATION: LET'S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION (diagram, built up over five slides)
  ▸ PACKER: deciphers & loads a ciphered secondary .dex file through a CLASS LOADER / DEX LOADER; the clear .dex file & JNI libs hold the APP CLASSES & METHODS
  ▸ The app classes & methods are INVOKED BY REFLECTION
  ▸ NATIVE FUNCTIONS: a ciphered JNI lib is deciphered & loaded and implements WHITE BOX CRYPTO; its JNI FUNCTIONS are called from the app classes
  ▸ Class loaded from the network (NetworkClassLoader): DOWNLOAD, DECIPHER & LOAD

  9. MOTIVATION: WHAT CAN I HOOK ? (same diagram) YOU CAN HOOK ONLY WHAT YOU SEE

  10. MOTIVATION: WHAT IS INTERESTING TO HOOK ? (same diagram, with the Clear .dex file called out) IT REQUIRES SEVERAL HOOKING SESSIONS

  11. MOTIVATION

  12-16. THE IDEA: MOTIVATION (built up over five slides)
  ▸ Deobfuscation: a waste of time
  ▸ Managing hooks: not so easy
  ▸ Manual tasks can be automated (start App, …)
  ▸ Several devices hooked simultaneously
  ▸ Application size: exploring bytecode/libs is boring

  17. THE IDEA: CHRISTMAS WISH LIST 1/2
  ▸ Show functions invoked dynamically as « xrefs »
  ▸ Discover automatically classes & bytecode loaded dynamically (DexFile ..)
  ▸ Generate a hook with a single click on the function
  ▸ Debug a single hook while others are active
  ▸ Enable/disable hooks without losing or polluting the source code

  18. THE IDEA: CHRISTMAS WISH LIST 2/2
  ▸ Multi-user: share the same instrumentation with my friends
  ▸ Instrument several devices and merge hook logs (Workflow / IoT)
  ▸ Be able to run with rooted & non-rooted devices
  ▸ Offer a user-friendly GUI and API
  ▸ Free & open-source! (Apache 2 license)

  19. WHAT IS DEXCALIBUR ?

  20-28. WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX (component diagram, built up over nine slides)
  ▸ Baksmali DEX DISASSEMBLER
  ▸ FILE IDENTIFIERS & PARSERS
  ▸ STATIC BYTECODE ANALYZER
  ▸ DYNAMIC BYTECODE ANALYZER: IMPROVES AT RUNTIME
  ▸ INSTRUMENTATION TOOL
  ▸ MODULAR HEURISTIC & SEARCH ENGINE
  ▸ DEVICE MANAGER & FRIDA UTILS
  ▸ WEB SERVER & UI: CONTROLS & CUSTOMIZE

  29-30. WHAT IS DEXCALIBUR ? NICE TOOLS :-) POWERED BY … AND MORE !
  ▸ Today: APKTOOL + BAKSMALI, ANDROID SDK
  ▸ Tomorrow: SMALI VM, Z3 SOLVER, R2, LIEF, RetDec
  ▸ Today: NATIVE HOOK CANNOT BE GENERATED; NO BYTECODE SYMBOLIC EXEC
  ▸ Tomorrow: ADD NATIVE LIBRARIES SUPPORT; SMALI SYMBOLIC EXEC
  Functions contained in JNI/native libs can be hooked, but the decompilers/analyzers don't support them, so native hooks cannot be generated.

  31. DEMO #1

  32. HOW IT WORKS ?

  33. HOW IT WORKS ? 1) START PHASE - FILE ANALYSIS (diagram)
  ▸ 1 UNCOMPRESS the APK FILE and notify the FILE ANALYZER
  ▸ 2 Parse the APK content
  ▸ 3 Pull application data from the DEVICE (/data/data/xxx …)
  ▸ 4 Files are identified & categorized: key stores, libs, properties, xml, shared prefs, cache, …; undetected / high-entropy files are tagged

  34. HOW IT WORKS ? 1) START PHASE - ANDROID API ANALYSIS (diagram)
  ▸ 1 ANDROID API/STUB → 2 DEX DISASSEMBLER → 3 SAST creates the Application Graph (statically built)

  35. HOW IT WORKS ? 1) START PHASE - APPLICATION BYTE CODE ANALYSIS (diagram)
  ▸ 1 UNCOMPRESS the APK FILE → 2 notify → 3 DEX DISASSEMBLER → 4 SAST updates the Application Graph (statically built, Android API + application)

  36-38. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN (diagram, built up over three slides)
  ▸ 1 The statically built Application + Android API Graph and the Categorized Files notify the MODULAR HEURISTIC ENGINE (heuristics: FILE ACCESS, DYNAMIC LOADER, NATIVE LIB / JNI, DESCRIPTORS, KEY STORE, STREAMS, BYTE ARRAY, CLASSIFIER, …)
  ▸ 2 Search pattern & method; 2' Correlate static files: bind a file to a method
  ▸ 3 ASK FOR INSTRUMENTATION → 4 Get method signature → 5 Generate Frida code → HOOK MANAGER → HOOKS

  39. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - RUNTIME (diagram)
  ▸ 6 The DEVICE MANAGER starts the app & deploys the HOOKS
  ▸ 7 Hook data: args, return, this, …
  ▸ 8 Correlate the graph & intercepted data
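
The "get method signature, generate Frida code" step of slide 38, and the "generate hook with a single click" / "discover classes loaded dynamically (DexFile ..)" items of slide 17, as an added example that is not Dexcalibur's own code: a small generator that turns a Dalvik/smali method descriptor into a Frida Java hook. The descriptor parser, the PRIM table and the sample descriptors (com.example.Crypto, the DexClassLoader constructor) are assumptions; the generator runs under plain Node, and only the script it emits is meant to be loaded with Frida.

```javascript
// Added example, not Dexcalibur's own code: generate a Frida Java hook from a Dalvik/smali
// method descriptor (constructed sample: "Lcom/example/Crypto;->decrypt([BLjava/lang/String;)[B").
const PRIM = { V: "void", Z: "boolean", B: "byte", S: "short", C: "char",
               I: "int", J: "long", F: "float", D: "double" };
// "[[B" -> "byte[][]", "Ljava/lang/String;" -> "java.lang.String" (the names Frida's overload() expects)
function descriptorToJavaType(desc) {
  const dims = desc.search(/[^[]/);            // number of leading '[' = array dimensions
  const base = desc.slice(dims);
  let name;
  if (base[0] === "L" && base.endsWith(";")) name = base.slice(1, -1).replace(/\//g, ".");
  else if (base.length === 1 && PRIM[base]) name = PRIM[base];
  else throw new Error("bad type descriptor: " + desc);
  return name + "[]".repeat(dims);
}
// "[BLjava/lang/String;I" -> ["[B", "Ljava/lang/String;", "I"]
function splitParams(params) {
  const out = [];
  for (let i = 0; i < params.length; ) {
    let j = i;
    while (params[j] === "[") j++;             // array prefix belongs to the type that follows
    if (params[j] === "L") j = params.indexOf(";", j);
    if (j < 0) throw new Error("unterminated class descriptor in: " + params);
    out.push(params.slice(i, j + 1));
    i = j + 1;
  }
  return out;
}
function parseMethodDescriptor(sig) {
  const m = /^(L[^;]+;)->([^(]+)\(([^)]*)\)(\S+)$/.exec(sig);
  if (!m) throw new Error("not a smali method descriptor: " + sig);
  return { className: descriptorToJavaType(m[1]), method: m[2],
           params: splitParams(m[3]).map(descriptorToJavaType), ret: descriptorToJavaType(m[4]) };
}
// Emit Frida JavaScript that logs the arguments and return value of exactly that overload.
function generateFridaHook(sig) {
  const d = parseMethodDescriptor(sig);
  const name = d.method === "<init>" ? "$init" : d.method;   // Frida exposes constructors as $init
  const args = d.params.map((_, i) => "a" + i).join(", ");
  const overload = d.params.map((p) => JSON.stringify(p)).join(", ");
  return [
    "Java.perform(function () {",
    `  var cls = Java.use(${JSON.stringify(d.className)});`,
    `  cls[${JSON.stringify(name)}].overload(${overload}).implementation = function (${args}) {`,
    `    var ret = this[${JSON.stringify(name)}](${args});   // call the original, returns ${d.ret}`,
    `    console.log("[hook] ${d.className}.${d.method}(" + [${args}].join(", ") + ") -> " + ret);`,
    "    return ret;",
    "  };",
    "});",
  ].join("\n");
}
```

Feeding it the DexClassLoader constructor descriptor yields a hook that logs the path of every secondary .dex the packer loads, which is the "discover classes loaded dynamically" item of the wish list.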
