Posted on

下载 Android 源代码,编译

1
2
3
4
5
$ source build/envsetup.sh
$ lunch
$ make
$ mmm development/tools/idegen/
$ ./development/tools/idegen/idegen.sh

运行后将生成下面几个文件

  • android.ipr (IntelliJ / Android Studio)
  • android.iml (IntelliJ / Android Studio)
  • .classpath (Eclipse)

1) 在Android Studio 中导入 android.ipr

File -> Open 选择 android.ipr, 导入后可以Android Studio 中浏览AOSP 源码

2)设置远程调试配置文件

Run -> Edit Configuration 点击左上角的 + 类型选择 Remote

3)Attack 到需要调试的进程

这里有两种方法,一是使用SDK 提供的 Monitor 二是使用 Android Studio 自带的
Attach debugger to Android Process 按钮。

连接成功后将看到 Connected to the target VM

4)设置断点

设置断点很简单,用鼠标点击源码文件的左边栏,看见红色圆点说明就已经设置成功了。也
可以使用Ctrl + F8 的快捷键。

5)运行程序,触发断点

需要注意的是在调试过程中会出现源码对不上的情况,需要自己选择正确的源码。关于哪些
进程可以调试的问题,上篇已经有记录,这里就不在说了。

参考资料

  1. AOSP Sources in the IDE
    https://newcircle.com/s/post/1720/aosp_sources_in_the_ide
  2. Debugging AOSP Platform code with Android Studio - Part I - Java Debugger
    http://ronubo.blogspot.sg/2016/01/debugging-aosp-platform-code-with.html

Posted on

没有root的设备,要使用gdbserver 调试app 会遇到权限问题。(emulator 没有问题)

1
2
3
1|shell@mako:/data/local/tmp $ ./gdbserver :1234 --attach 16907
Cannot attach to lwp 16907: Operation not permitted (1)
Exiting

Android 系统提供了一个run-as 命令来暂时切换用户,但是这个命令有限制,必须是app
打开了debuggable才行,否则会报 Package xx is not debuggable 的错误。

http://android.googlesource.com/platform/system/core.git/+/master/run-as/run-as.c
的注释来看,主要的作用有两个:

  1. 可以查看开发这自己应用的数据
  2. 可以使用gdb_server 进行native 的debug

我们的需求是第2个,我们希望可以使用gdb_server 来调试 app

1
2
3
4
5
6
shell@mako:/ $ run-as
Usage: run-as <package-name> <command> [<args>]

shell@mako:/ $ 
shell@mako:/ $ run-as system_server /data/tmp/gdbserver --attach 596 :1234
run-as: Package 'system_server' is unknown

翻看源码,发现有下面 代码:

1
2
3
4
5
6
7
8
/* reject system packages */
if (userAppId < AID_APP) {
    panic("Package '%s' is not an application\n", pkgname);
}
/* reject any non-debuggable package */
if (!info.isDebuggable) {
    panic("Package '%s' is not debuggable\n", pkgname);
}

限制比较严格,调试系统app估计是没什么戏,root了应该就没有问题了。但是调试一般的app
还是没有问题的,用apktool 将 AndroidManifest.xml 的 debuggable 设置为true,重新
打包就可以进行native 的 debug 了。

下面以CVE-2014-7911的POC为例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.heen.CVE_2014_7911">

    <application
        android:allowBackup="true"
        android:debuggable="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >
        <activity
            android:name=".MainActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

这个app 正好 android:debuggable=”true” 不用修改了,在模拟器上安装这个app。搭建
gdb调试环境, 分下面几个步骤走:

  1. 创建几个目录
1
2
3
mkdir ~/Android
mkidr ~/Android/system_lib
mkidr ~/Android/vendor_lib
  1. 将Android 设置上的lib下载到本地
1
2
3
4
5
6
7
8
9
10
11
12
13
14
cd ~/Android/system_lib/
adb pull /system/lib

cd ~/Android/vendor_lib/
adb pull /vendor/lib

cd ~/Android

# 在64位系统 /system/bin/app_process32 和 /system/bin/app_process64
adb pull /system/bin/app_process


cd ~/Android
adb pull /system/bin/linker
  1. 上传gdbserver
1
adb push $NDK_PATH/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp/gdbserver

环境基本搭建好了,测试一下 run-as 命令

1
2
3
4
5
6
7
8
> adb shell ps

...
u0_a86    16907 174   900568 38564 ffffffff 00000000 S com.heen.CVE_2014_7911
...

> adb shell run-as com.heen.CVE_2014_7911 id
uid=10086(u0_a86) gid=10086(u0_a86) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:untrusted_app:s

已经切换过来了,uid 变了,挂上gdbserver

1
2
3
4
> adb shell run-as com.heen.CVE_2014_7911 /data/local/tmp/gdbserver :123 --attach 16907

Can't open socket: Permission denied.
Exiting

报了另外一个错误,还是不行,google 一翻发现有debug-pipe 参数,尝试了一下

1
2
3
> adb shell run-as com.heen.CVE_2014_7911 /data/local/tmp/gdbserver +debug-pipe --attach 16907
Attached; pid = 16907
Listening on Unix socket debug-pipe

恩,现在没有报错了,执行一下端口转发。

1
adb forward tcp:5039 localfilesystem:/data/data/com.heen.CVE_2014_7911/debug-pipe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
> $NDK_PATH/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi-gdb ~/Android/app_process 
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-linux-gnu --target=arm-linux-android".
For bug reporting instructions, please see:
<http://source.android.com/source/report-bugs.html>...
Reading symbols from /home/henices/Android/app_process...(no debugging symbols found)...done.
(gdb) target remote :5039
Remote debugging using :5039
warning: Could not load shared library symbols for 100 libraries, e.g. /system/bin/linker.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
0x4013a73c in ?? ()

(gdb) info proc
process 16907
cmdline = 'com.heen.CVE_2014_7911'
cwd = '/'
exe = '/system/bin/app_process'

(gdb) set solib-search-path ~/Android:~/Android/system_lib/:~/Android/vendor_lib/
(gdb) info sharedlibrary
0x400f3a60  0x400fe79c  Yes (*)     /home/henices/Android/linker
0x40126070  0x401566ec  Yes (*)     /home/henices/Android/system_lib/libc.so
0x40174828  0x401749c8  Yes (*)     /home/henices/Android/system_lib/libstdc++.so
0x401798f0  0x4018c478  Yes (*)     /home/henices/Android/system_lib/libm.so
0x40114f50  0x40116490  Yes (*)     /home/henices/Android/system_lib/liblog.so
0x4010c38c  0x40110988  Yes (*)     /home/henices/Android/system_lib/libcutils.so
0x401acb1c  0x401af20c  Yes (*)     /home/henices/Android/system_lib/libgccdemangle.so
0x401a81d0  0x401a94ac  Yes (*)     /home/henices/Android/system_lib/libcorkscrew.so
0x4019b780  0x401a1f24  Yes (*)     /home/henices/Android/system_lib/libutils.so
0x401cbc50  0x401d5ba4  Yes (*)     /home/henices/Android/system_lib/libbinder.so
0x402955f0  0x4029585c  Yes (*)     /home/henices/Android/system_lib/libhardware.so
0x402925d0  0x40292834  Yes (*)     /home/henices/Android/system_lib/libmemtrack.so
0x402bbbf0  0x402cb80c  Yes (*)     /home/henices/Android/system_lib/libz.so
0x402a4240  0x402b23fc  Yes (*)     /home/henices/Android/system_lib/libandroidfw.so
0x402d6774  0x402e53a0  Yes (*)     /home/henices/Android/system_lib/libexpat.so
0x403083a8  0x4031e684  Yes (*)     /home/henices/Android/system_lib/libstlport.so

OK, 已经可以调试了。

Posted on

下载源码

先在 https://pdfium.googlesource.com/pdfium/ 下载源码.

1
2
3
4
5
mkdir repo
cd repo
gclient config --unmanaged https://pdfium.googlesource.com/pdfium.git
gclient sync
cd pdfium

gclient 命令在 depot_tools 中, 需要安装 参考下面的文章

http://www.chromium.org/developers/how-tos/install-depot-tools

1
2
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH=`pwd`/depot_tools:"$PATH"

gclient sync 同步时需要fq,可以简单的使用环境变量的方法解决。

https_proxy=http://localhost:8118 gclient sync 下载 download google storage过
程中还会遇到一个网络问题,需要编写配置文件 ~/.boto

1
2
3
[Boto]
proxy = 127.0.0.1  # 不带 http://
proxy_port= 8118

export NO_AUTH_BOTO_CONFIG=~/.boto

源码包非常大,大概有1G多,需要耐心等待。

编译

编译需要使用 ubuntu 或者 Debian 系统,其他系统的依赖问题解决起来比较麻烦,
如果是上面两种操作系统的话,有脚本自动安装依赖。

./build/install-build-deps.sh

安装完所有依赖后就可以开始编译了,首先要先生成 gn 文件 (2016 年google 放弃使用原来的 gyp 编译方式)

gn args out/afl 会调用vim 编译器, 输入下面的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Build arguments go here.
# See "gn args <out_dir> --list" for available build arguments.
use_goma = false # Googlers only. Make sure goma is installed and running first.
is_debug = false  # Enable debugging features.

pdf_use_skia = true # Set true to enable experimental skia backend.
pdf_use_skia_paths = false  # Set true to enable experimental skia backend (paths only).

pdf_enable_xfa = true  # Set false to remove XFA support (implies JS support).
pdf_enable_v8 = true  # Set false to remove Javascript support.
pdf_is_standalone = true  # Set for a non-embedded build.
is_component_build = false # Disable component build (must be false)
v8_static_library = true

clang_use_chrome_plugins = false  # Currently must be false.
use_sysroot = false  # Currently must be false on Linux, but entirely omitted on windows.

use_afl = true
#is_asan = true
enable_nacl = true
optimize_for_fuzzing = true
symbol_level=1

要编译生成 pdfium_test, 必须指定 pdf_is_standalone = true, 执行 ninjia -C out/afl pdfium_test

接下来要解决 afl 的问题了, pdfium 的 third_party中不包含 afl-fuzz 的源代码,需要到 chromium.googlesource.com 项目下载。
chromium 项目支持 libfuzzer 和 afl-fuzz,只要使用开关, use_libfuzzer = true
或者 use_afl = true 即可打开。

https://chromium.googlesource.com/chromium/src/third_party/+/master/afl/

可以直接下载 tgz 文件 https://chromium.googlesource.com/chromium/src/third_party/+archive/master/afl.tar.gz
下载后将源码 copy 到 ~/repo/pdfium/third_party/afl 中, 使用 ninja -C out/afl 编译整个项目。

使用 is_debug=false 可以明显提高fuzzing 速度,应该开启。另外一个比较有用的是
symbol_level, 设置 symbol_level=1 可以添加必要的调试符号,便于gdb调试。

在编译 skia backend 支持时,需要额外处理, 使用 C++14

1
use_cxx11 = false

afl-fuzz

随着 chromium 代码的更新, afl 源码编译出现了一些小问题,需要处理。

src/third_party/afl/patches/0001-fix-build-with-std-c11.patch

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 01b4afef0ecc..f0d564a33037 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -23,7 +23,9 @@
 #define AFL_MAIN
 #define MESSAGES_TO_STDOUT
 
+#ifndef _GNU_SOURCE
 #define _GNU_SOURCE
+#endif
 #define _FILE_OFFSET_BITS 64
 
 #include "config.h"
diff --git a/types.h b/types.h
index 784d3a7a286d..d24d1fdd97e8 100644
--- a/types.h
+++ b/types.h
@@ -78,7 +78,7 @@ typedef int64_t  s64;
 #define STRINGIFY(x) STRINGIFY_INTERNAL(x)
 
 #define MEM_BARRIER() \
-  asm volatile("" ::: "memory")
+  __asm__ volatile("" ::: "memory")
 
 #define likely(_x)   __builtin_expect(!!(_x), 1)
 #define unlikely(_x)  __builtin_expect(!!(_x), 0)

afl-fuzz 的使用和其他项目一样。初始的种子文件有几个地方可以获取:

./afl-fuzz -M 01 -m 1024 -i /home/henices/input -o /home/henices/out -x /tmp/pdf.dict -- ./pdfium_test @@

参考资料

Posted on

主要特色:Intercept HTTP & HTTPS requests and responses and modify them on the fly

使用python编写,可以在windows,Linux, Mac 下运行,这点比 fiddler 有优势。可以修改
报文内容,这点很不错。

1. 安装

参考 http://docs.mitmproxy.org/en/stable/install.html

1
2
sudo dnf install -y python-pip python-devel libffi-devel openssl-devel libxml2-devel libxslt-devel libpng-devel libjpeg-devel
sudo pip install mitmproxy  # or pip install --user mitmproxy

2. 基本使用

mitmproxy -b a.b.c.d -p 8080

  • -b bind address
  • -p bind port
  • -s “script.py –bar”, –script “script.py –bar” Run a script. Surround with quotes to pass script
1
2
3
-b ADDR, --bind-address ADDR
-p PORT, --port PORT  Proxy service port.
-s mitmproxy 脚本

2.1 mitmproxy 界面操作

- ?            显示帮助信息
- i, j, k, l    上下左右,同 vi
- enter         进入具体报文
- tab           详细报文内容页面,显示标签调整
- E             导出报文内容

3. HTTPS

使用mitmproxy 最大的原因就是因为它可以对付https报文。

3.1 导入mitmproxy的 CA

参考 http://docs.mitmproxy.org/en/stable/certinstall.html

mitmproxy 的 CA 证书放在 ~/.mitmproxy 目录, 可以在不同设备中添加。

3.2 目标设备为Linux

☆ Google Chrome

设置 -> HTTPS/SSL -> 证书管理 -> 授权中心

☆ Firefox

没用Firefox,估计也类似。

然后设置浏览器使用mitmproxy代理即可。

3.3 目标设备为 Android

3.3.1 导入证书

adb push ~/.mitmproxy/mitmproxy-ca-cert.cer /sdcard/Download

设置 -> 安全 -> 证书存储 -> 从手机存储安装, 选择上传的CA证书。

3.3.2 设置代理

emulator 上可以通过下面的命令行,设置代理。

./emulator -avd 7.0_x86 -http-proxy http://a.b.c.d:8080

真实的设备上,据网络上的文章说,可以通过设置 APN来实现,没有测试。

3.3.3 启动 mitmproxy

mitmproxy -b a.b.c.d -p 8080

4. 透明模式

mitmproxy 支持透明部署,具体的方法可以参考下面的文章。

http://docs.mitmproxy.org/en/stable/transparent/linux.html

5. 修改报文内容

github 上有很多例子,这次没有需求,可以参考

https://github.com/mitmproxy/mitmproxy/tree/v0.18.2/examples

官方文档上给了个简单例子

1
2
def response(flow):
    flow.response.headers["newheader"] = "foo"

给http响应报文的头部添加一个 newheader 的字段。

6. socks 模式

–socks 作为 SOCKS5 proxy server

7. 总结

这里说到的内容非常少,mitmproxy这个工具还是很强大的。

Posted on

概况

  • MD5: 14792786094250715197540fd3b58439
  • SHA256: 456caeaaa8346c7a9e2198af5a0ca49d87e616a2603884580df22728a49893d7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1208868505 (0x480dde99)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Validity
            Not Before: Sep  9 09:11:13 2015 GMT
            Not After : Jan 25 09:11:13 2043 GMT
        Subject: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:93:57:2d:52:af:c1:71:cf:7a:cb:2f:6a:6c:0a:
                    b2:3f:4b:60:a6:a7:d0:9d:ba:36:a1:0f:0d:cc:9e:
                    32:ea:23:df:80:a3:b3:9f:2b:93:b9:53:c4:e5:bf:
                    05:32:21:23:c1:13:78:b0:72:08:19:8e:5e:c0:a0:
                    13:11:19:d6:23:8a:b6:44:2b:73:e0:1d:f3:b3:f4:
                    ab:6c:2e:af:78:2f:8b:e2:dc:b0:d6:06:af:8e:3f:
                    29:54:1a:59:44:55:73:98:2f:fd:8b:18:b0:de:c6:
                    9c:ee:0c:c7:f7:04:9d:0c:a7:62:06:45:4f:08:20:
                    2e:ca:a9:20:88:0e:08:2b:f1:9c:a9:24:5d:35:85:
                    02:bb:c0:ff:37:98:4b:c7:6f:f2:75:81:43:78:f8:
                    4b:cc:63:8c:f5:0e:c9:95:05:3d:ee:a1:85:cd:94:
                    97:b8:48:93:02:b3:71:6e:fb:39:6f:63:5d:a7:24:
                    c1:dc:77:a9:9c:de:5d:76:63:a8:ad:1d:e9:d6:84:
                    9b:ee:8d:37:38:4b:7c:ff:94:c9:df:dd:17:80:8c:
                    e8:d1:94:5d:05:dc:ef:d8:dc:90:4c:8b:75:22:6d:
                    57:6e:ee:4c:5f:62:96:5c:72:64:a4:5b:0f:29:e0:
                    f3:31:11:99:6a:b4:e5:6c:16:4d:8a:44:46:06:8f:
                    06:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A6:8F:86:BB:A7:0A:DB:29:2E:E9:26:A6:F1:8C:BF:2F:4B:58:99:39
    Signature Algorithm: sha256WithRSAEncryption
         82:62:98:a8:39:10:3b:f5:09:42:97:de:e9:4c:57:6c:4e:58:
         a3:1a:31:29:a4:79:98:3f:c9:68:3c:e5:90:be:7f:b0:98:2b:
         8f:95:9e:4e:d2:bc:82:6e:bf:32:56:35:87:c8:19:08:ae:af:
         9c:db:94:71:d4:db:73:d9:25:e2:e5:f1:92:a0:a4:c4:bd:27:
         21:b2:c8:ec:e2:2a:c3:bb:a2:85:97:78:2b:4a:94:cc:fc:dc:
         75:6a:11:c8:ba:da:30:be:11:e9:e7:4a:5e:e1:ae:af:4d:36:
         14:69:31:ab:68:16:69:ed:a8:bb:c7:be:bf:8b:ca:4c:01:d0:
         7e:65:45:31:72:0f:7b:8d:7e:76:40:86:45:8d:ee:a3:b2:ee:
         ac:d3:0e:60:29:b0:fd:dc:8c:6a:25:06:01:99:81:96:f5:4c:
         1d:1a:1d:dc:0e:4b:66:15:80:e8:f5:1c:cd:98:60:71:08:de:
         f9:4f:69:b0:22:ec:05:18:6b:cd:5a:05:ce:3a:fe:57:4b:e7:
         8b:64:b4:f7:4a:cd:63:c1:03:01:e2:b0:aa:81:2d:89:e1:4d:
         da:fb:8f:b9:37:02:ad:85:64:de:87:73:1a:7a:36:50:3f:e6:
         9a:73:65:a0:33:af:81:c6:c8:55:89:e6:a8:03:6a:c6:da:f0:
         a5:cc:1c:6e

样本通过apktool重打包激情浏览器,引诱下载达到感染的目的。样本安装后启动两个服务常驻手机,
通过广告来获得经济收益,安装应用后访问以下链接:

1
2
3
4
5
6
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg

http://dw.cnscns.com 是一个移动广告平台。

分析

关键的地方是两个service和一个Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<service android:name="net.tend.dot.DZS" />
<service android:exported="true" android:name="net.tend.dot.DZK" android:process=":daemon" />
<activity android:configChanges="keyboard|keyboardHidden|orientation|screenSize" android:excludeFromRecents="true" android:launchMode="singleInstance" android:name="net.tend.dot.DZA" android:theme="@android:style/Theme.Translucent.NoTitleBar" />
<receiver android:name="net.tend.dot.DZR">
<intent-filter>
    <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
    <action android:name="android.intent.action.USER_PRESENT" />
    <action android:name="com.dz.downloadmanager" />
    <action android:name="action.dz.start" />
</intent-filter>
<intent-filter>
    <action android:name="android.intent.action.PACKAGE_ADDED" />
    <action android:name="android.intent.action.PACKAGE_REMOVED" />
    <data android:scheme="package" />
</intent-filter>
</receiver>

但是这两个Service和Receiver的代码并不在App代码中,而是在动态加载的dex中,其中的对于关系如下:

  • net.tend.dot.DZS -> mkit.dz.vol.MFSS
  • net.tend.dot.DZK -> mkit.dz.vol.MFKS
  • net.tend.dot.DZR -> mkit.dz.vol.MFBR
  • net.tent.dot.DZA -> mkit.dz.vol.MFAC

而动态加载的dex 由 assets/dzsm 解密而来。样本的文件转换图如下:

assets/dzsm 使用DES加密,文件的前32个字节为key,后面的为加密的内容,可以使用下面的java代码进行
解密。解密出来的文件为dex文件,可以用jeb正常分析。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

public class decrypt {

    public static void main(String[] args) {
        try {
            String key = "8q6e81ssaiem1msqii9ixasmumsxxxqq";

            FileInputStream fis2 = new FileInputStream("/tmp/dzsm");
            FileOutputStream fos2 = new FileOutputStream("decrypted");
            decrypt(key, fis2, fos2);
        } catch (Throwable e) {
            e.printStackTrace();
        }
    }

    public static void encrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.ENCRYPT_MODE, is, os);
    }

    public static void decrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.DECRYPT_MODE, is, os);
    }

    public static void encryptOrDecrypt(String key, int mode, InputStream is, OutputStream os) throws Throwable {

        DESKeySpec dks = new DESKeySpec(key.getBytes());
        SecretKeyFactory skf = SecretKeyFactory.getInstance("DES");
        SecretKey desKey = skf.generateSecret(dks);
        Cipher cipher = Cipher.getInstance("DES");

        if (mode == Cipher.ENCRYPT_MODE) {
            cipher.init(Cipher.ENCRYPT_MODE, desKey);
            CipherInputStream cis = new CipherInputStream(is, cipher);
            doCopy(cis, os);
        } else if (mode == Cipher.DECRYPT_MODE) {
            cipher.init(Cipher.DECRYPT_MODE, desKey);
            CipherOutputStream cos = new CipherOutputStream(os, cipher);
            doCopy(is, cos);
        }
    }

    public static void doCopy(InputStream is, OutputStream os) throws IOException {
        byte[] bytes = new byte[64];
        int numBytes;
        while ((numBytes = is.read(bytes)) != -1) {
            os.write(bytes, 0, numBytes);
        }
        os.flush();
        os.close();
        is.close();
    }

}

MainActivity是 com.dz.browser.WelActivity

1
2
3
4
5
6
7
8
<activity android:icon="@drawable/icon1"
          android:label="@string/main_name"
          android:name="com.dz.browser.WelActivity" android:screenOrientation="portrait">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

WelActivity 里干几件事:

1) 隐藏图标

1
2
3
4
5
6
private void setComponentEnabled(Context context, Class arg6, boolean enabled) {
    ComponentName v0 = new ComponentName(context, arg6.getName());
    PackageManager v3 = context.getPackageManager();
    int v1 = enabled ? 1 : 2;
    v3.setComponentEnabledSetting(v0, v1, 1);
}

2) 动态加载dex

1
2
3
4
5
6
7
8
9
10
private void GoMain() {
    new Handler().postDelayed(new Runnable() {
        public void run() {
            WelActivity.this.setComponentEnabled(WelActivity.this, WelActivity.class, false);
        }
    }, 5000);
    Intent v0 = new Intent();
    v0.setClass(((Context)this), GuideActivity.class);
    this.startActivity(v0);
}

GuideActivity 的 onCreate 调用 DZM.getInstance(((Context)this)).init(); 加载 dex。
GuideActivity 同时向广告服务器发送本机信息

1
2
3
4
5
6
7
8
9
10
11
new Thread(new Runnable() {
    public void run() {
        try {
            Log.i("ads", "==" + HttpUtils.post(String.valueOf(Constant.reportUrl) + Utils.getQID(
                    GuideActivity.this), GuideActivity.this.Params.reqparams()));
        }
        catch(PackageManager$NameNotFoundException v1) {
            v1.printStackTrace();
        }
    }
}).start();

http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1

1
2
3
4
5
6
7
8
POST /api-mobvista/sdkback?appkey=SexTubeMobvista1 HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
Host: mob.s2s.nooobi.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

country=CN&ip=220.231.27.156&model=sdk&imei=000000000000000

同时加载dex还有另外一个入口,通过 Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
<receiver android:name="net.tend.dot.DZR">
    <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
        <action android:name="android.intent.action.USER_PRESENT" />
        <action android:name="com.dz.downloadmanager" />
        <action android:name="action.dz.start" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED" />
        <action android:name="android.intent.action.PACKAGE_REMOVED" />
        <data android:scheme="package" />
    </intent-filter>
</receiver>

当网络变化,用户锁屏等操作时将自动加载dex

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

public class DZR extends BroadcastReceiver {
    public DZR() {
        super();
    }

    private void a(Context context, Intent intent) {
        try {
            a.a(context, i.class).onReceive(context, intent);
        }
        catch(Exception v0) {
            Log.e("ads", "", ((Throwable)v0));
        }
    }

    public void onReceive(Context context, Intent intent) {
        Context context = context.getApplicationContext();
        String action = intent.getAction();
        System.out.println("SV=" + dzm_version.DZM_1_2_5);
        if(action.equals("android.intent.action.USER_PRESENT")) {
            DZM.getInstance(context);
        }

        l.start_thread(context);
        if(l.str_dzmb_kiup_act().equals(action)) {
            l.loadDex(context, intent);
        }
        else {
            this.a(context, intent);
        }
    }
}
1
2
3
4
5
6
<receiver android:name="com.dz.browser.MyReceiver">
<meta-data android:name="android.app.device_admin" android:resource="@xml/lockourscreen" />
<intent-filter>
    <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>

lockourscreen.xml 里申请了锁屏权限

1
2
3
4
5
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
        <force-lock />
    </uses-policies>
</device-admin>

但是Receiver里什么也没有干,这只是为了阻止普通用户卸载app。

样本会访问下面URL 获得ip地址信息

http://ip.taobao.com/service/getIpInfo2.php?ip=myip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
code: 0,
data: {
country: "中国",
country_id: "CN",
area: "华北",
area_id: "100000",
region: "北京市",
region_id: "110000",
city: "北京市",
city_id: "110100",
county: "",
county_id: "-1",
isp: "华瑞信通",
isp_id: "1000146",
ip: "220.231.27.156"
}
}

从分析看样本主要是获取广告,下载apk,安装apk 这几个功能,还可以使用浏览器打开指定URL

daemon 分析

两个服务中,daemon 是 arm elf 可执行文件,app安装后自动执行。daemon程序由 dz.jar 的 assets/oilive 释放出来。
在手机上得到下面的命令行

1
/data/data/org.dz.passion.browser/app_bin/daemon -p org.dz.passion.browser -s net.tend.dot.DZK -t 120

daemon 使用说明

usage: %s -p package-name -s daemon-service-name -t interval-time

daemon 进程的父进程是init,结束应用进程不会结束daemon进程,将应用进程结束后过120秒,daemon将会重新自动启动
服务程序。

1
2
3
u0_a45    999   36    193564 32452 ffffffff 40033a40 S org.dz.passion.browser:daemon
u0_a45    1016  36    192640 35772 ffffffff 40033a40 S org.dz.passion.browser
u0_a45    1028  1     728    296   c0099f1c 40032c88 S /data/data/org.dz.passion.browser/app_bin/daemon

这个搞法似类以前的双进程监控,不容易干掉,上面说过启动App就启动两个服务 DZS 和 DZK,而DZK的代码其实在MFKS中,
从下面的代码可以看到,MFKS在Service 的 OnCreate 是就把daemon 运行起来了,daemon 又会检查app的服务的状态,有会自动
启动服务,比较流氓啊!这么做目的还是为了常驻手机,长期运行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public class MFKS {
    private Service service;

    public MFKS() {
        super();
    }

    public IBinder onBind(Intent arg2) {
        return null;
    }

    public void onCreate() {
        run_daemon.install(this.service.getApplicationContext(), config.get_kvp_classObject(this.service  // net.tend.dot.DZK
                .getApplicationContext()), 120);
        this.service.startService(new Intent(this.service.getApplicationContext(), config.get_svp_classObject(  // net.tend.dot.DZS
                this.service.getApplicationContext())));
    }

    public void onStart(Intent arg1, int arg2) {
    }

    public void setService(Service arg1) {
        this.service = arg1;
    }
}

附录

访问的URL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

http://ip.taobao.com/service/getIpInfo2.php%3Fip%3Dmyip
http://api.nooobi.com/api-unlock/getlockappconfig
http://api.nooobi.com/api-unlock/insertimei
http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1
http://api.nooobi.com/api-unlock/getapptype
http://api.nooobi.com/api-unlock/kitup
http://alog.umeng.com/app_logs
http://api.nooobi.com/api-unlock/getadlist
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg
http://api.nooobi.com/api-unlock/unlockaction

总结

DZSM 这个样本使用了动态加载dex的技术,使得其检测更加困难。代码结构良好,异常处理充分,
是一个专业程序员的作品。使用了简单的加密技术,也是为了逃避检查。

Posted on

1. 使用kill 发送 SIGNAL_QUIT

这种方法只能用于zygote 的子进程 (比如所有的 app 进程, 都是由zygote fork 而来).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# kill -3 pid

# cat /data/anr/traces.txt

...

suspend all histogram:  Sum: 290us 99% C.I. 2us-40us Avg: 14.500us Max: 40us
DALVIK THREADS (12):
"Signal Catcher" daemon prio=5 tid=2 Runnable
  | group="system" sCount=0 dsCount=0 obj=0x32c070a0 self=0xaecca000
  | sysTid=1918 nice=0 cgrp=bg_non_interactive sched=0/0 handle=0xb4406930
  | state=R schedstat=( 228351607 17443703 83 ) utm=12 stm=9 core=0 HZ=100
  | stack=0xb430a000-0xb430c000 stackSize=1014KB
  | held mutexes= "mutator lock"(shared held)
  native: #00 pc 00370e01  /system/lib/libart.so (_ZN3art15DumpNativeStackERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEEiPKcPNS_9ArtMethodEPv+160)
  native: #01 pc 0035046f  /system/lib/libart.so (_ZNK3art6Thread4DumpERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+150)
  native: #02 pc 0035a373  /system/lib/libart.so (_ZN3art14DumpCheckpoint3RunEPNS_6ThreadE+442)
  native: #03 pc 0035af31  /system/lib/libart.so (_ZN3art10ThreadList13RunCheckpointEPNS_7ClosureE+212)
  native: #04 pc 0035b45f  /system/lib/libart.so (_ZN3art10ThreadList4DumpERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+142)
  native: #05 pc 0035bb6f  /system/lib/libart.so (_ZN3art10ThreadList14DumpForSigQuitERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+334)
  native: #06 pc 00333cb7  /system/lib/libart.so (_ZN3art7Runtime14DumpForSigQuitERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEE+74)
  native: #07 pc 0033b01d  /system/lib/libart.so (_ZN3art13SignalCatcher13HandleSigQuitEv+928)
  native: #08 pc 0033b901  /system/lib/libart.so (_ZN3art13SignalCatcher3RunEPv+340)
  native: #09 pc 0003f45f  /system/lib/libc.so (_ZL15__pthread_startPv+30)
  native: #10 pc 00019b43  /system/lib/libc.so (__start_thread+6)
  (no managed stack frames)

"main" prio=5 tid=1 Native
  | group="main" sCount=1 dsCount=0 obj=0x74abb2a0 self=0xb4d76500
  | sysTid=1914 nice=0 cgrp=bg_non_interactive sched=0/0 handle=0xb6f3fb34
  | state=S schedstat=( 76934470 21396828 203 ) utm=3 stm=3 core=0 HZ=100
  | stack=0xbe55e000-0xbe560000 stackSize=8MB
  | held mutexes=
  native: #00 pc 00040894  /system/lib/libc.so (__epoll_pwait+20)
  native: #01 pc 00019e6f  /system/lib/libc.so (epoll_pwait+26)

  ...

结果写在 /data/anr/traces.txt 文件中, anr 是 ANR(Application Not Response)的意思.

https://android.googlesource.com/platform/art/+/android-7.1.1_r13/runtime/runtime.cc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
void Runtime::InitNonZygoteOrPostFork(
    JNIEnv* env, bool is_system_server, NativeBridgeAction action, const char* isa) {

...

  // Create the thread pools.
  heap_->CreateThreadPool();
  // Reset the gc performance data at zygote fork so that the GCs
  // before fork aren't attributed to an app.
  heap_->ResetGcPerformanceInfo();
  if (!is_system_server &&
      !safe_mode_ &&
      (jit_options_->UseJitCompilation() || jit_options_->GetSaveProfilingInfo()) &&
      jit_.get() == nullptr) {
    // Note that when running ART standalone (not zygote, nor zygote fork),
    // the jit may have already been created.
    CreateJit();
  }
  StartSignalCatcher();
  // Start the JDWP thread. If the command-line debugger flags specified "suspend=y",
  // this will pause the runtime, so we probably want this to come last.
  Dbg::StartJdwp();
}

可以看出非zygote的进程都会启动 Signal Catcher的 线程.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root@shamu:/ # ps -t 2089
USER      PID   PPID  VSIZE  RSS   WCHAN            PC  NAME
u0_a58    2089  386   1565280 53732 SyS_epoll_ b6cb0894 S com.hujiang.dict:pushservice
u0_a58    2092  2089  1565280 53732 do_sigtime b6cb0b68 S Signal Catcher
u0_a58    2095  2089  1565280 53732 unix_strea b6cb194c S JDWP
u0_a58    2096  2089  1565280 53732 futex_wait b6c875e8 S ReferenceQueueD
u0_a58    2097  2089  1565280 53732 futex_wait b6c875e8 S FinalizerDaemon
u0_a58    2099  2089  1565280 53732 futex_wait b6c875e8 S FinalizerWatchd
u0_a58    2100  2089  1565280 53732 futex_wait b6c875e8 S HeapTaskDaemon
u0_a58    2101  2089  1565280 53732 binder_thr b6cb09c0 S Binder_1
u0_a58    2102  2089  1565280 53732 binder_thr b6cb09c0 S Binder_2
u0_a58    2107  2089  1565280 53732 SyS_epoll_ b6cb0894 S Thread-123
u0_a58    2108  2089  1565280 53732 futex_wait b6c875e8 S taskService-pro

zygote 自己没有该线程.

root@shamu:/ # ps | grep -i zy
root      386   1     1528448 67416 poll_sched b6cb0a5c S zygote

127|root@shamu:/ # ps -t 386
USER      PID   PPID  VSIZE  RSS   WCHAN            PC  NAME
root      386   1     1528448 67416 poll_sched b6cb0a5c S zygote
root      2203  386   1528448 67416 futex_wait b6c875e8 S ReferenceQueueD
root      2204  386   1528448 67416 futex_wait b6c875e8 S FinalizerDaemon
root      2205  386   1528448 67416 futex_wait b6c875e8 S FinalizerWatchd
root      2206  386   1528448 67416 futex_wait b6c875e8 S HeapTaskDaemon

https://android.googlesource.com/platform/art/+/android-7.1.1_r13/runtime/signal_catcher.cc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
...

void SignalCatcher::Output(const std::string& s) {
  if (stack_trace_file_.empty()) {
    LOG(INFO) << s;
    return;
  }
...

void SignalCatcher::HandleSigQuit() {
  Runtime* runtime = Runtime::Current();
  std::ostringstream os;
  os << "\n"
      << "----- pid " << getpid() << " at " << GetIsoDate() << " -----\n";
  DumpCmdLine(os);
  // Note: The strings "Build fingerprint:" and "ABI:" are chosen to match the format used by
  // debuggerd. This allows, for example, the stack tool to work.
  std::string fingerprint = runtime->GetFingerprint();
  os << "Build fingerprint: '" << (fingerprint.empty() ? "unknown" : fingerprint) << "'\n";
  os << "ABI: '" << GetInstructionSetString(runtime->GetInstructionSet()) << "'\n";
  os << "Build type: " << (kIsDebugBuild ? "debug" : "optimized") << "\n";
  runtime->DumpForSigQuit(os);
  if ((false)) {
    std::string maps;
    if (ReadFileToString("/proc/self/maps", &maps)) {
      os << "/proc/self/maps:\n" << maps;
    }
  }
  os << "----- end " << getpid() << " -----\n";
  Output(os.str());
}

...

while (true) {
    int signal_number = signal_catcher->WaitForSignal(self, signals);
    if (signal_catcher->ShouldHalt()) {
      runtime->DetachCurrentThread();
      return nullptr;
    }
    switch (signal_number) {
    case SIGQUIT:
      signal_catcher->HandleSigQuit();
      break;
    case SIGUSR1:
      signal_catcher->HandleSigUsr1();
      break;
    default:
      LOG(ERROR) << "Unexpected signal %d" << signal_number;
      break;
    }
  }
...

从源码中发现除了SIGQUIT 还可以发送 SIGUSR1 , 这个信号可以使进程java 虚拟机执行GC
操作 kill -10 pid

1
2
3
4
void SignalCatcher::HandleSigUsr1() {
  LOG(INFO) << "SIGUSR1 forcing GC (no HPROF)";
  Runtime::Current()->GetHeap()->CollectGarbage(false);
}

2. 使用 debugged 命令行

这种方法是全系统通用的, 可以用于非zygote的进程.

1
2
Usage: -b [<tid>]
  -b dump backtrace to console, otherwise dump full tombstone file

通过 -b 参数指定进程pid, 即可.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# debuggerd -b 23850

Sending request to dump task 23850.


----- pid 23850 at 1970-01-27 03:57:11 -----
Cmd line: /sbin/adbd
ABI: 'arm'

"adbd" sysTid=23850
  #00 pc 0002b158  /sbin/adbd
  #01 pc 0002467f  /sbin/adbd
  #02 pc 00020854  [stack]

"adbd" sysTid=23851
  #00 pc 0002fd38  /sbin/adbd
  #01 pc 0002a501  /sbin/adbd
  #02 pc 0000000b  <unknown>

"adbd" sysTid=23852
  #00 pc 0002b624  /sbin/adbd
  #01 pc 000106cf  /sbin/adbd
  #02 pc 00010301  /sbin/adbd
  #03 pc 0002a613  /sbin/adbd
  #04 pc 00030283  /sbin/adbd

"adbd" sysTid=23853
  #00 pc 0002b628  /sbin/adbd
  #01 pc 00013999  /sbin/adbd
  #02 pc 000112ed  /sbin/adbd
  #03 pc 000104e1  /sbin/adbd
  #04 pc 0002a613  /sbin/adbd
  #05 pc 00030283  /sbin/adbd

"adbd" sysTid=23862
  #00 pc 0002b888  /sbin/adbd
  #01 pc 0000a503  /sbin/adbd
  #02 pc 00009527  /sbin/adbd
  #03 pc 0002a613  /sbin/adbd
  #04 pc 00030283  /sbin/adbd

----- end 23850 -----
  ...

3. java 代码中打印调用栈

1
2
3
4
5
6
try {  
 ...  
} catch (RemoteException e) {  
  e.printStackTrace();  
  ...  
}

4. C++代码中打印调用栈

CallStack.cpp

1
2
3
4
5
6
7
8
9
#include <utils/CallStack.h>

int main() {
    android::CallStack stack;
    stack.update(); 
    stack.dump(1);

    return 0;
}

Android.mk

1
2
3
4
5
6
7
8
9
10
11
LOCAL_PATH:= $(call my-dir)


include $(CLEAR_VARS)
LOCAL_SRC_FILES:= CallStack.cpp
LOCAL_SHARED_LIBRARIES += libutils
LOCAL_LDLIBS += -ldl -lutils

LOCAL_CFLAGS := $(common_CFLAGS)
LOCAL_MODULE := CallStack
include $(BUILD_EXECUTABLE)

执行后显示类似下面的结果

1
2
3
4
5

root@shamu:/data/local/tmp # ./CallStack
#00 pc 000006d1  /data/local/tmp/CallStack
#01 pc 00017359  /system/lib/libc.so (__libc_init+44)
#02 pc 0000074c  /data/local/tmp/CallStack