CN106203120A - A kind of multiple spot Hook reverse method for Android reinforcement application - Google Patents


Info

Publication number
CN106203120A
Authority
CN
China
Prior art keywords
class
function
dex
application
buffer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610557339.0A
Other languages
Chinese (zh)
Other versions
CN106203120B (en)
Inventor
郭燕慧
高宇昊
吴博
张淼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201610557339.0A
Publication of CN106203120A
Application granted
Publication of CN106203120B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The invention discloses a multi-point Hook reverse-engineering method for hardened (reinforced) Android applications, belonging to the field of information security. The method comprises the following steps: first, the Android application under test is loaded into memory; during loading, several different function entry points are selected and hooked simultaneously, and a corresponding Hook point is loaded for each function; when the virtual machine reaches one of these functions, the Hook point is used to obtain the class structure ClassLoader through which the function is called; then, the offset positions in memory of each function and of the class containing it are obtained through each ClassLoader, the dex source code of each function of the program is obtained and assembled into a dex file, and that file is repaired and completed in memory; finally, the repaired dex file is dumped from memory. The advantage is that, by dynamically hooking multiple function entry points while the application under analysis is running, the method avoids the drawback of conventional techniques, which cannot obtain the program's dex completely and correctly, and obtains the complete dex code that traditional analysis finds difficult to acquire.

Description

A kind of multiple spot Hook reverse method for Android reinforcement application
Technical field
The invention belongs to the field of information security and relates to reverse engineering and mobile terminal security; specifically, it relates to a multi-point Hook reverse-engineering method for hardened Android applications.
Background technology
In the last three years the mobile Internet has developed explosively, and sales of smart terminals of all brands have grown exponentially. According to "Strategy Analytics 2015Q1", global smartphone shipments grew 30% year on year in 2014, reaching 1,300,000,000 units.
Against the background of the rise of the mobile Internet, the Android platform dominates the entire mobile Internet market in terms of market share. The latest third-quarter report of the research institute Strategy Analytics shows that Android, with a market share of 81.2%, holds first place in the mobile operating system market. Shipments were 268 million, against 206 million in the same period of the previous year, and the market share rose from 81.4% to 83.6%.
Looking at China's mobile Internet market, the rise of the Android system has brought an endless stream of Android application software meeting consumers' various functional needs. The "2015 first-half China Mobile Application Development Trend Study Report" (Android edition) issued by Alibaba shows that on the Android platform in the Chinese market, driven by differing consumer demands, the number of apps of different functional types has grown explosively, and this is also reflected in the expected future trend.
However, the surge of Android application software has also brought various problems. Smart terminal applications are by no means free of defective code, vulnerabilities and even malicious code, exposing users' private information and personal property to the threat of leakage and loss. According to the "2015 Second Quarter China Mobile Security Status Report" of the well-known Internet security vendor 360, in the second quarter of 2015 the Android mobile platform saw 5,500,000 new malicious program samples, an increase of 1,410,000 over the first quarter of 2015. Nearly 60,400 new malicious program samples were added per day on average; a cumulative 65,730,000 infections of mobile terminal users by malicious programs were detected, an average of 722,000 infections per day. According to the statistics of new mobile malicious programs and infections in the second quarter of 2015, classified by the standard of the China Anti-Network-Virus Alliance, the classified statistics of mobile-platform malicious programs monitored by the 360 Internet Security Center in that quarter show that new Android malicious programs were mainly of the fee-consumption type, accounting for 80.5%; next came malicious fee deduction (14.5%) and privacy theft (4.5%). These three categories account for 99.5% of the total, and the new malicious programs of all remaining types account for 0.5%.
As malware has developed, it has also continuously strengthened its own protection: all kinds of malware harden their own APK installation files, achieving a degree of anti-analysis and anti-reverse-engineering, so that the difficulty of technically analysing malware keeps increasing. In order to accurately identify, analyse and handle all kinds of malware, reverse analysis of hardened Android APKs has become an important means of malware analysis and detection.
The most commonly used unpacking and APK reverse-engineering methods are static analysis and dynamic analysis. Static analysis analyses the APK file itself to obtain its dex program file for analysis. Dynamic analysis, aimed at packed and hardened APKs that cannot be analysed statically, dumps the dex from memory while the program runs and analyses that. However, current hardening techniques already load code dynamically at run time, so that the dex file obtained by ordinary dynamic analysis is incomplete or even entirely wrong.
Summary of the invention
Addressing the problems that, when faced with dynamic hardening techniques, the Android application APK obtained by traditional reverse analysis cannot be installed and the function code in its dex file is incorrect or empty, the present invention proposes a multi-point Hook reverse-engineering method for hardened Android applications.
The method specifically comprises the following steps:
Step 1: the Android application under test is loaded into memory using the Dalvik virtual machine;
Step 2: during loading of the application under test, several different function entry points of the application are selected and hooked simultaneously, and a corresponding Hook point is loaded for each function;
The different function entry points include: app.attachBaseContext, app.onCreate and Activity.onCreate;
Step 3: when the virtual machine reaches one of these functions, the class structure ClassLoader through which the function is called is obtained through the Hook point added to that function;
Step 4: the offset positions in memory of each function and of its containing class are obtained through each class structure ClassLoader, and the dex source code of each function of the program is obtained;
The ClassLoader contains the details of the function, the details of the class containing the function, and a pointer; the pointer points to the position of the function and its containing class, expressed as an offset; what is stored at that position is the dex source code of the function;
Step 5: the dex source code of each function of the application under test is assembled into a dex file, which is repaired and completed in memory;
This specifically comprises the following steps:
Step 501: the dex file of the application under test is parsed, traversing the header structure index DexClassDef, which carries the class information;
The header structure index DexClassDef includes: the entry class_def_items corresponding to each class of the application under test, the basic header information of the application, and the global data of the application;
By analysing the entry class_def_items of each class, the relevant information of each class of the application under test is obtained, together with the memory address offset class_data_off of each class;
Step 502: the information of the header structure index DexClassDef is saved in separate areas;
Each entry class_def_items is saved in the index temporary storage area buffer_classdef; the basic header information is saved in buffer_header, and the global data in buffer_data;
Step 503: according to the address offset class_data_off of each class, the actual code of each class is obtained and saved to the data temporary storage area buffer_classdata;
Step 504: while each class is read, it is determined whether the address offset class_data_off of any class points to an illegal address outside the application's memory space. If so, the class definition construction method is called to rebuild that class's configuration index Classdefine, the class's address is corrected, the correct address is written back to buffer_classdef, the corresponding class_data_off in buffer_classdef is revised, and the method proceeds to step 505; otherwise the entry is left unchanged;
Step 505: the four buffer areas, namely the index temporary storage area buffer_classdef, the data temporary storage area buffer_classdata, the application's basic header information buffer_header and the application data buffer_data, are assembled to form a temporary dex file in memory;
Step 506: the checksum calculation function is called to compute the checksum of the entire temporary dex file, and the file is signed;
The checksum calculation function dexComputeChecksum is called to compute the checksum of the entire temporary dex file, and the result is backfilled into the checksum field of the basic header information structure buffer_header; then the hash value sha1 of the entire temporary dex is computed with the secure hash algorithm and backfilled into the signature field of buffer_header.
Step 507: the signed temporary dex file in memory is exported to a file; this is the repaired and completed dex code.
Step 6: the repaired dex file is dumped from memory, giving the complete dex file of the application under test.
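The header repair of steps 501 to 507 (and of the detailed description of Fig. 2 further below) can be illustrated with a small routine that parses the dex header and its class_def_items, applies the step 504 range check to every class_data_off, writes back offsets the analyst has recovered, and then backfills the checksum and SHA-1 signature of steps 506 and 507. The code below is an added example written for this page in Python; it is not the patent's implementation. It assumes the standard 112-byte "dex\n035" header layout and the 32-byte class_def_item, uses Adler-32 for the checksum (which is what the dexComputeChecksum of the Dalvik sources computes), and the sample dex it operates on is constructed in the block, not taken from any application.

```python
"""Added example, not the patent's code: dex header parse / range check / repair.
Assumes the standard dex 035 header (112 bytes) and 32-byte class_def_item.
The sample dex at the bottom is constructed here and is not from a real app."""
import hashlib
import struct
import zlib
from typing import Dict, List, Optional, Tuple

HEADER_SIZE = 0x70          # sizeof(DexHeader)
CLASS_DEF_SIZE = 0x20       # sizeof(DexClassDef) / class_def_item
CLASS_DATA_OFF_POS = 24     # offset of class_data_off inside a class_def_item


def parse_header(dex: bytes) -> Dict[str, int]:
    """Return the header fields the repair needs (the patent's buffer_header)."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, header_size = struct.unpack_from("<II", dex, 32)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 96)
    data_size, data_off = struct.unpack_from("<II", dex, 104)
    return {"checksum": checksum, "file_size": file_size, "header_size": header_size,
            "class_defs_size": class_defs_size, "class_defs_off": class_defs_off,
            "data_size": data_size, "data_off": data_off}


def find_bad_class_data_offsets(dex: bytes) -> List[Tuple[int, int]]:
    """Step 504 check: (class index, class_data_off) for every class whose
    class_data_off lies outside the file. 0 means 'no class data' and is legal."""
    h = parse_header(dex)
    bad = []
    for i in range(h["class_defs_size"]):
        pos = h["class_defs_off"] + i * CLASS_DEF_SIZE + CLASS_DATA_OFF_POS
        off, = struct.unpack_from("<I", dex, pos)
        if off != 0 and not (HEADER_SIZE <= off < len(dex)):
            bad.append((i, off))
    return bad


def repair_dex(dex: bytes, recovered: Optional[Dict[int, int]] = None) -> bytes:
    """Steps 504-507: write recovered class_data_off values back into the
    class_def_items, fix file_size, then backfill signature and checksum.
    'recovered' maps class index -> offset the analyst located in the dump
    (the patent rebuilds it via its class definition construction method)."""
    buf = bytearray(dex)
    h = parse_header(dex)
    for i, off in (recovered or {}).items():
        if not (HEADER_SIZE <= off < len(buf)):
            raise ValueError("recovered offset for class %d is still out of range" % i)
        pos = h["class_defs_off"] + i * CLASS_DEF_SIZE + CLASS_DATA_OFF_POS
        struct.pack_into("<I", buf, pos, off)
    struct.pack_into("<I", buf, 32, len(buf))                 # file_size
    buf[12:32] = hashlib.sha1(buf[32:]).digest()               # signature: SHA-1 of bytes 32..end
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)  # checksum of bytes 12..end
    return bytes(buf)


def verify_dex(dex: bytes) -> bool:
    """The check an installer applies: checksum and signature must both match."""
    checksum, = struct.unpack_from("<I", dex, 8)
    return (checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
            and dex[12:32] == hashlib.sha1(dex[32:]).digest())


def build_sample_dex(class_data_offs: List[int]) -> bytes:
    """Constructed sample: header + class_def_items + a 16-byte data area."""
    n = len(class_data_offs)
    class_defs_off = HEADER_SIZE
    data_off = class_defs_off + n * CLASS_DEF_SIZE
    data = b"\x00" * 16
    header = struct.pack(
        "<8sI20s" + "I" * 20,
        b"dex\n035\x00", 0, b"\x00" * 20,
        data_off + len(data), HEADER_SIZE, 0x12345678,   # file_size, header_size, endian_tag
        0, 0, 0,                                         # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                    # string/type/proto/field/method ids
        n, class_defs_off, len(data), data_off)          # class_defs, data
    class_defs = b"".join(struct.pack("<8I", i, 0, 0, 0, 0, 0, off, 0)
                          for i, off in enumerate(class_data_offs))
    # repair_dex with no recovered offsets just gives the sample a valid checksum/signature
    return repair_dex(header + class_defs + data)


# Class 0 points into the data area; class 1 carries a bogus pointer, as a
# dump of a dynamically hardened app might (constructed value, not an IoC).
SAMPLE_DEX = build_sample_dex([HEADER_SIZE + 2 * CLASS_DEF_SIZE, 0xDEADBEEF])

if __name__ == "__main__":
    print("bad offsets:", find_bad_class_data_offsets(SAMPLE_DEX))
    fixed = repair_dex(SAMPLE_DEX, {1: HEADER_SIZE + 2 * CLASS_DEF_SIZE + 8})
    print("after repair:", find_bad_class_data_offsets(fixed), verify_dex(fixed))
```

Note that the constructed sample already carries a valid checksum and signature while still holding an out-of-range class_data_off: a dump that passes the integrity check can still be unusable, which is why step 504's range check has to run before the checksum and signature of steps 506 and 507 are backfilled. Recovering where the displaced class data actually lives is the analyst's (or, in the patent, the class definition construction method's) job; this routine only validates, writes back and re-seals the header.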
The advantages of the invention are:
1. The multi-point Hook reverse-engineering method for hardened Android applications dynamically hooks multiple function entry points while the application under analysis is running, which avoids the drawback of conventional techniques, namely that they cannot obtain the program's dex completely and correctly, and obtains the complete dex code that traditional analysis finds difficult to acquire.
2. With conventional dynamic analysis methods, the code dumped when the program starts is wrong or the function bodies are empty; this method dynamically obtains the real code and its storage location at the moment each function executes, so that the code finally obtained is correct and complete.
3. With traditional methods the dex header structure obtained is wrong, so the reverse-engineered dex cannot be repackaged and executed; this method repairs the dex and ensures that the reverse-engineered dex is functionally identical to the original, guaranteeing the reliability and effectiveness of the reverse engineering.
4. The method solves the serious problems of dex recovered by traditional reverse-engineering methods: missing functions, failure to pass the system check at installation, and inability to install and run normally.
Brief description of the drawings
Fig. 1 is the flow chart of the multi-point Hook reverse-engineering method for hardened Android applications of the present invention;
Fig. 2 is the flow chart of repairing and completing the dex source code of each function of the application under test in the present invention;
Fig. 3 is a schematic diagram of Android application startup in the present invention;
Fig. 4 is a schematic diagram of the Hook technique of the present invention;
Fig. 5 is a schematic flow diagram of dex reverse engineering and repair in the present invention;
Fig. 6 is a schematic diagram of the dex obtained by the traditional dex reverse-engineering method in the present invention;
Fig. 7 is a schematic diagram of the concrete method by which the dump of the present invention obtains the dex file;
Fig. 8 is a schematic diagram of the structure of the dex file in memory in the present invention;
Fig. 9 is a schematic diagram of the structure of a ClassObject in memory in the present invention;
Fig. 10 is a schematic diagram of the dex obtained by the traditional APP reverse-engineering approach;
Fig. 11 is a schematic diagram of the dex obtained by the reverse engineering of the present invention;
Fig. 12 is a comparison of the dex files obtained by the present invention and by the old reverse-engineering method.
Detailed description of the invention
The invention is described in further detail below with reference to the accompanying drawings.
At present, the methods for obtaining app source code are generally static analysis or single-point Hook, so the app source code obtained is incomplete or cannot be restored into a usable app. Although the points selected for multi-point hooking are somewhat arbitrary, in order to cover each execution branch, function and class of the app it is preferable to hook function entry points. With the multi-point Hook reverse-engineering method, the hardened Android application is hooked at different positions, the ClassLoader obtained at each position is used to find the dex offset in memory, and the dex source code of each part of the program is obtained; all the dex thus acquired is then arranged, combined and repaired to finally obtain the complete application dex. This greatly extends the applicable scope of Android reverse analysis, reaching a level at which all kinds of Android applications using dynamic hardening can be analysed effectively; it has the advantages of wide applicability and reliable results and is of particular importance for the detection of malicious and hardened Android applications.
As shown in Fig. 1, the method specifically comprises the following steps:
Step 1: the Android application under test is loaded into memory using the Dalvik virtual machine;
Android applications run in the Dalvik virtual machine, which plays the same role as the traditional Java virtual machine and can be regarded as its mobile version. All Android programs run in Android system processes through the virtual machine, with one Dalvik instance per process. The Android application to be analysed is loaded into the Dalvik virtual machine of the Android platform; the virtual machine automatically decompresses and loads it, so that the complete structure of the application is loaded into memory.
After the Android system boots and loads the kernel, the init process is executed first; it initialises the devices, then reads the init.rc file and starts the important external program Zygote. The Zygote process is the incubator of all Android processes: after starting, it first initialises the Dalvik virtual machine, then starts system_server and enters Zygote mode, waiting for commands over a socket. When an Android application is executed, the system_server process sends a command to Zygote via Binder IPC; on receiving it, Zygote forks itself to create a Dalvik virtual machine instance that executes the application's entry function, and the program has started.
Zygote provides three methods for creating processes:
fork(), which creates a Zygote process;
forkAndSpecialize(), which creates a non-Zygote process;
forkSystemServer(), which creates a system service process.
A Zygote process can fork() further processes, a non-Zygote process cannot fork other processes, and the child processes of a system service process must also terminate when it terminates.
Once the fork of the program succeeds, execution is handed to the Dalvik virtual machine. Dalvik first completes the loading of classes through the LoadClassFromDex function; after successful parsing, each class is stored in the run-time environment in a data structure of type ClassObject, and the virtual machine uses the global hash table gDvm.loadedClasses to store and look up all loaded classes. The loaded code is then checked by the bytecode verifier, the main method is located and loaded, and finally the interpreter is initialised to execute the bytecode stream.
From a study of the Android application launch source code, the concrete startup sequence of an Android application (app) is as shown in Fig. 3, specifically:
Step 101: the user sends an instruction to the Android system to start the application; the system receives the instruction, and the Launcher component of the Application Framework layer sends a start request to the resident service ActivityManagerService;
The instruction to start the application is generally issued by a user click or by a terminal command;
Step 102: on receiving the request, ActivityManagerService queries the system's list of started applications to see whether this application is already running; if the application is not present in the list, i.e. it has not been started, a request to create a program process is sent to the Zygote process; otherwise, step 103 is entered;
Step 103: on receiving the request, the Zygote process clones itself (fork) into a child process A, creates an ActivityThread object at the same time, and replaces the entry function of process A with the entry function of ActivityThread;
Child process A contains a Dalvik VM instance and the associated low-level JNI interface. Unlike the JVM, the DVM does not provide a run-time container; what it provides is a process for sharing. In the Android system all applications run independently as OS-level processes, directly subject to OS resource control and scheduling; they merely share the classes preloaded by Zygote.
Step 104: Zygote starts the created child process A; process A instantiates an ActivityThread and enters its entry function, and the main thread creates a message queue to drive the application;
Step 105: process A calls the attach() method to initialise itself, writing the information of the application to be started into the ActivityThread instance;
The information written includes the application name, the components it contains, the resource file path, the library file path, the loader used to load and parse the application, and so on;
Step 106: after the initialisation of the ActivityThread instance is complete, the main thread enters the message loop;
The attachBaseContext method of the Application class is called to set up the context environment for application launch, and the system's default loader is used to load the classes.dex file of the application;
Step 107: the main thread of process A enters the main entry of the application and starts the application;
Generally the main entry of an application is the onCreate() method of the Application class.
Step 2: during loading of the application under test, several different and important function entry points of the application are selected and hooked simultaneously, and a corresponding Hook point is loaded for each function;
On Android, a process can be attached with ptrace and an .so library injected into the remote process, thereby monitoring and hooking key functions of that process. At present, injection hooks on Android are essentially all based on modifying the GOT table to achieve interception. For example, Binder communication on Android is encapsulated in libbinder.so, and libbinder.so talks to the binder driver through the ioctl system call, so intercepting ioctl and parsing its parameters can expose some of the key private information exchanged over Binder. However, ioctl is a function exported from libc.so, and the real implementation of ioctl is inside libc.so. Taking the source code as an example, the implementation of ioctl in libc.so is divided into two parts:
1. the _ioctl.S code;
2. the ioctl code.
From the above analysis it can be seen that ioctl performs its actual function by calling the assembly implementation _ioctl.
Compared with modifying the GOT table, function hooking can also be realised by inline hooking. An inline hook achieves its purpose by tampering with the assembly instructions executed by the function inside the library that implements it. For example, suppose a test function with the following assembly code:
stmfd sp!, {r4, r5, r6, r7}
ldmfd ip, {r4, r5, r6}
str r5, [r1, #-4]
str r6, [r1, #-8]
ldr r7, =__NR_xx
swi #0
movs r0, r0
beq 1f
To inline-hook this test function, it is necessary to analyse its assembly code, find the insertion point and tamper with the function's instructions, for example replacing the stmfd sp!, {r4, r5, r6, r7} instruction of the function with an ldr xx instruction. Of course, inline hooking is not that simple: during the inline hook it is necessary to determine whether the code consists of Thumb or ARM instructions, and after the tampered instruction and the hook function have executed the stack must be balanced, so that the original function still completes its work properly after the hook.
Inline hooking is illustrated with a figure below. As shown in Fig. 4, on the left, A1, A2 and A3 represent the implementation instructions of the function func that is to be hooked. The middle represents the hook function that intercepts func, and the column on the right represents the stored original instruction A1 of func followed by a jump instruction that returns to execute instruction A2. Therefore, to inline-hook func, it is first necessary to allocate space in the remote process that stores the original instructions of func together with a jump instruction back to the subsequent instructions of func. Secondly, the address of func must be redirected to the hook function.
When the application executes func, because it was redirected to the hook function earlier, the hook code executes first; the hook function processes the incoming parameters and, when done, jumps to A1 on the right. Executing A1 there is equivalent to executing the A1 of func; after A1 the jump instruction is executed, which jumps to A2 of func. Thus, after this transfer, func is executed in full.
Comparison of GOT-table modification and inline hooking:
1. Interception by modifying the GOT table is easier than interception by inline hooking; it is only necessary to know the address at which the external symbol is called in the ELF file.
2. Inline hooking intercepts richer information than GOT-table modification. For example, modifying the GOT table to intercept the connect function of an application can only intercept network access and connection requests that the application makes through the Java layer; if the application itself calls the socket connect method via JNI, the call cannot be intercepted. With an inline hook, since the instructions of connect must ultimately be executed to realise the connect function, and the hook operates on the instructions inside the library, interception is achieved.
Multiple function entry points that have a high probability of being reached during application launch and execution are selected for hooking, in order to cover the dex code of all classes in the application; with functions such as app.attachBaseContext, app.onCreate and Activity.onCreate, the code of every class in the application can be reached by the hooks, so that all kinds of dynamic protection techniques can be analysed without obstruction, and the ClassLoader can then be used in the next step to obtain the dex code;
Step 3: when the virtual machine reaches one of these functions, the class structure ClassLoader through which the function is called is obtained through the Hook point added to that function;
The added Hook points are used to obtain the ClassLoader. The ClassLoader is the class loader of the JVM; through the ClassLoader the bytecode of a class is loaded into the JVM container and begins to run. An Android application is essentially a special kind of Java file whose virtual machine runs dex files, so the Android system uses a DexClassLoader, through which the Android virtual machine loads and runs dex files. Since each function entry point of the application was hooked in the previous step, the Hook point of each class is available; when the virtual machine reaches one of these functions, the DexClassLoader of the class through which the function is called is obtained through the corresponding Hook point, and it contains the details of the function and of its containing class.
Analysis of the relevant Android source code gives the ClassLoader relationships of the Android platform shown in Fig. 5:
On the Android platform, the loading of an application class (the loading of the dex file) uses PathClassLoader by default to complete loading and parsing. Analysis shows that its parent is BaseClassLoader, whose implementation involves the DexPathList class; this class calls the native DexFile to implement the loading of the dex file and findClass, and constructs an Element array that records the lib, res and dexfile information required when the process runs. BaseClassLoader inherits from the Java class ClassLoader and therefore inherits ClassLoader's callback logic, implementing class lookup and parsing.
Step 4: the offset positions in memory of each function and of its containing class are obtained through each class structure ClassLoader, and the dex source code of each function of the program is obtained;
From the dexClassLoader obtained in the preceding steps, the run-time memory address of the dex that it stores can be read, and hence the location where the dex is kept in memory.
The ClassLoaders of the Android platform are all implemented through the single-inheritance relationship of ClassLoader; as shown in Fig. 6, the offset of the dex file in memory can be extracted from the ClassLoader, namely the mCookie shown in Fig. 6. Each ClassLoader has this structure tree, which contains a member of the DexPathList class; DexPathList is run at application startup on the Android platform and provides the ClassLoader with library addresses, resource addresses and information about the stored loaded files. More importantly, among the members of this class is an array of type Element holding the index and type mark of each loaded file; for a dex file, a Java-layer DexFile object is stored, and the DexFile class completes the loading and parsing of the dex and, after loading, returns the memory address of the structure, i.e. mCookie.
Analysis of the Android application startup process shows that after the ClassLoader has loaded the dex, the ClassLoader pointer is filled into mBoundApplication.info. In short, by obtaining this member variable, the address of the dex in memory is obtained.
In fact, by hooking each node of the app's execution experimentally, the mCookie in the above structure is obtained, i.e. the storage location in memory of each part of the dex code.
Step 5: the dex source code of each function of the tested application is assembled into a dex file and repaired and completed in memory;
The parts of dex code obtained from memory are spliced together to obtain the dex of the whole application. Some Android hardening products use in-memory dynamic dex restoration: with this technique the shell's native (ELF) code keeps the dex under its control in memory, can load it on demand and can also split it into fragments. Because the application under analysis may have passed through such dynamic protection, the dex obtained may be incomplete or the code offsets of its sections may be wrong, so the dex file must be repaired. The repair technique is as follows: analyze the dex according to its source, implement a parser for the dex, compute the actual offset of each class relative to the Header, then rebuild the offset values in the Header, backfill the class and method bodies, and compute and backfill the SHA-1, thereby repairing the dex. The repaired dex is guaranteed to be functionally consistent with the original dex, which improves the reliability and effectiveness of the reverse-analysis result.
Specifically, when the application loads the dex and runs, it may dynamically modify the attributes of methods, and current hardening schemes hide, relocate or otherwise process the codeItem of the dex so that the traditional reverse approach of dumping contiguous sections fails. The Dex-Reconstruction submodule therefore traverses every member of the target DexFile and, once the complete dex data has been repaired, writes it to a file, which yields the dex file. The details are as follows.
As shown in Figure 2, the specific steps are as follows:
Step 501: parse the dex file of the tested application and traverse the header structure index DexClassDef, which carries the class information;
The header structure index DexClassDef comprises: the class_def_items entry corresponding to each class of the tested application, the basic header information of the tested application, and the global data of the tested application;
By analyzing the class_def_items entry of each class, the relevant information of each class of the tested application is obtained, together with the memory address offset class_data_off of each class;
Step 502: save the information of the header structure index DexClassDef in separate buffers;
Each class_def_items entry is saved in the index temporary storage area buffer_classdef; the basic header information is saved in buffer_header, and the global data in buffer_data;
Step 503: according to the address offset class_data_off of each class, obtain the actual code of each class and save the obtained code in the data temporary storage area buffer_classdata;
That is, according to class_data_off, all class_data_items are saved in buffer_classdata;
Step 504: while each class is read, check whether the address offset class_data_off of any class points to an illegal address outside the application's memory space; if so, call the class definition construction method classdefine to rebuild the configuration index of that class, correct the class's address, write it back to buffer_classdef with the correct address, revise the corresponding class_data_off in buffer_classdef, and go to step 505; otherwise leave it unchanged;
If a class_data_off points outside the region, classdefine is performed on that class: its real location is found, its content is copied back into buffer_classdata, and the corresponding class_data_off in buffer_classdef is revised.
When copying the DexFile, the part in front of the DexClassDef structure is assigned to buffer_header and the part behind it to buffer_data.
All code_item_off values in buffer_classdata are traversed to confirm that each lies within the space of the DexFile, and further that its accessFlag value is legal.
Step 505: splice the four buffers (the index temporary storage area buffer_classdef, the data temporary storage area buffer_classdata, the application's basic header information buffer_header and the application's data buffer_data) to form a temporary dex file in memory;
Step 506: call the checksum calculation function to compute the checksum of the whole temporary dex file, and sign it;
The checksum calculation function dexComputeChecksum is called to compute the checksum of the whole temporary dex file, and the result is backfilled into the checksum field of the basic header information structure buffer_header of the temporary dex file; then the SHA-1 hash of the whole temporary dex is computed with the secure hash algorithm and backfilled into the signature field of buffer_header.
Step 507: export the signed temporary dex file from memory to a file; the fully repaired dex code is thus obtained.
In summary, the dex file is parsed, the ClassDef structures that carry the class information are traversed and read, and the code offset of each is extracted and stored until the traversal ends, so that the information of all classes is obtained. At this point all classes in the dex are known. The remaining parts of the dex file are then traversed to obtain the overall structure. The checksum and SHA-1 value of the dex are recalculated and backfilled. Finally all the data is written out to a file in order, which yields the dex.
Step 6: dump the repaired and completed dex code from memory, which yields the complete dex of the application under analysis.
The dump that obtains the dex file works as follows:
The structure of the dex file mapped in memory can be obtained from the Cookie value; its classes and variables are read and written to a binary file, which is saved as a dex. These three steps are shown in Figure 7: obtain DexOrJar, RawDexFile, DvmDex and DexFile in turn, reconstruct the dex file structure from them, and finally output the binary bytecode of the dex file.
After the dex file has been processed by opt optimization it is mapped into memory. The dvm defines several structures that describe the dex file in memory; as shown in Figure 8 these are DexOrJar, RawDexFile, DvmDex and DexFile, each containing the next. DexFile is the format definition of the dex file itself; strictly speaking, DexFile defines the odex file format that results after opt optimization of the dex. The dex file format was analyzed in Chapter 2, so to avoid repetition only its definition source code is given here:
When the dvm parses the dex, it creates ClassObjects through DvmDex so that the program can run. A ClassObject is the Java class entity inside the virtual machine, that is, the representation of a class defined in source code, and it is the basic unit of an Android application; it contains the class's method table, member table, code information and so on. In other words, the ClassObject is the true form of a class in memory. Its layout in memory is shown in Figure 9: Object is the parent structure of ClassObject; the Method part is the class's method list, including ordinary methods, virtual methods and so on; StaticField holds the static member variables, storing the variable values directly; InstField holds the instance member variables, storing the memory offset of each variable. DvmDex acts as the intermediary that connects ClassObject with DexFile. The data of each member in the structure is located in memory by parsing the DexFile, so starting from the DexOrJar position the DexFile is obtained and parsed in memory, and from the data the DexFile provides dynamically the dex file can be obtained.
The old and new reverse methods are compared below to show the advantages of this method.
For a certain hardened Android APP, the code obtained by disassembling the dex produced by the traditional APP reverse approach is shown in Figure 10. It can be seen from the figure that the restored method bodies are empty, which shows that the restoration of the dex file is incomplete; this dex cannot run properly and is of no use for follow-up research.
The dex restored by the reverse method of the present invention is shown in Figure 11: the method bodies are complete, which shows that the restoration is reliable and effective; the dex can run properly, so the restoration succeeded.
Figure 12 shows the result of comparing the dex files obtained by the new and old reverse methods with the Hex Compare tool; the left side shows the parts that differ after the file comparison, and a considerable difference is evident. Together with the incomplete method bodies produced by the traditional app reverse method, this shows that the new reverse method introduced by the present invention has a considerable advantage over the traditional method.

Claims (3)

1. A multi-point Hook reverse method for hardened Android applications, characterized in that it comprises the following steps:
Step 1: for a given tested Android application, use the Dalvik virtual machine to load it into memory;
Step 2: during the loading of the tested application, select several different function entry points of the tested application and hook them at the same time, each function loading its corresponding Hook point;
The different function entry points include: app.attachBaseContext, app.onCreate and Activity.onCreate;
Step 3: when the virtual machine reaches each of the different functions, obtain through the Hook point the class structure ClassLoader that loaded the invoked function;
Step 4: through each class structure ClassLoader, obtain the offset position in memory of each function and of the class containing the function, and obtain the dex source code of each function of the program;
Step 5: assemble the dex source code of each function of the tested application into a dex file and repair and complete it in memory;
Step 6: dump the repaired and completed dex file from memory, which yields the complete dex file of the tested application.
2. The multi-point Hook reverse method for hardened Android applications, characterized in that the ClassLoader contains the details of the function, the details of the class containing the function, and a pointer; the pointer points to the position of the function and of the class containing it, expressed as an offset; and what is stored at that position is the dex source code of the function.
3. The multi-point Hook reverse method for hardened Android applications, characterized in that step 5 is specifically as follows:
Step 501: parse the dex file of the tested application and traverse the header structure index DexClassDef, which carries the class information;
The header structure index DexClassDef comprises: the class_def_items entry corresponding to each class of the tested application, the basic header information of the tested application, and the global data of the tested application;
By analyzing the class_def_items entry of each class, the relevant information of each class of the tested application is obtained, together with the memory address offset class_data_off of each class;
Step 502: save the information of the header structure index DexClassDef in separate buffers;
Each class_def_items entry is saved in the index temporary storage area buffer_classdef; the basic header information is saved in buffer_header, and the global data in buffer_data;
Step 503: according to the address offset class_data_off of each class, obtain the actual code of each class and save the obtained code in the data temporary storage area buffer_classdata;
Step 504: while each class is read, check whether the address offset class_data_off of any class points to an illegal address outside the application's memory space; if so, call the class definition construction method classdefine to rebuild the configuration index of that class, correct the class's address, write it back to buffer_classdef with the correct address, revise the corresponding class_data_off in buffer_classdef, and go to step 505; otherwise leave it unchanged;
Step 505: splice the four buffers (the index temporary storage area buffer_classdef, the data temporary storage area buffer_classdata, the application's basic header information buffer_header and the application's data buffer_data) to form a temporary dex file in memory;
Step 506: call the checksum calculation function to compute the checksum of the whole temporary dex file, and sign it;
The checksum calculation function dexComputeChecksum is called to compute the checksum of the whole temporary dex file, and the result is backfilled into the checksum field of the basic header information structure buffer_header of the temporary dex file; then the SHA-1 hash of the whole temporary dex is computed with the secure hash algorithm and backfilled into the signature field of buffer_header;
Step 507: export the signed temporary dex file from memory to a file; the fully repaired dex code is thus obtained.
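As an added worked example (my own code, not the patent's), the following Python script performs the header-level part of steps 501 to 507 in the description and in claim 3 on a constructed dex image: it parses the header and the class_def_items table (the patent's buffer_header and buffer_classdef), flags any class_data_off that points outside the image (the check of step 504), and recomputes and backfills the checksum and the SHA-1 signature (step 506). It relies on the standard dex header layout, in which the checksum is Adler-32 over everything after the checksum field (offset 12), which is what dexComputeChecksum computes, and the signature is SHA-1 over everything after the signature field (offset 32); the function names and the sample image are assumptions of this example.

```python
"""Added example (not the patent's code): class_def sanity check and
checksum / SHA-1 backfill for a dex image, mirroring steps 501-507."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70      # dex header_item is 112 bytes
CLASS_DEF_SIZE = 0x20   # class_def_item is 32 bytes
CLASS_DEF_FMT = "<8I"
# Header fields after the 20-byte signature: file_size .. data_off (20 uint32s)
TAIL_FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
               "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
               "type_ids_off", "proto_ids_size", "proto_ids_off",
               "field_ids_size", "field_ids_off", "method_ids_size",
               "method_ids_off", "class_defs_size", "class_defs_off",
               "data_size", "data_off")
CLASS_DEF_FIELDS = ("class_idx", "access_flags", "superclass_idx",
                    "interfaces_off", "source_file_idx", "annotations_off",
                    "class_data_off", "static_values_off")

def parse_header(data):
    """Read the header (the patent's buffer_header) into a dict."""
    magic, checksum, signature = struct.unpack_from("<8sI20s", data, 0)
    hdr = dict(zip(TAIL_FIELDS, struct.unpack_from("<20I", data, 32)))
    hdr.update(magic=magic, checksum=checksum, signature=signature)
    return hdr

def parse_class_defs(data, hdr):
    """Walk the class_def_items table (the DexClassDef index of steps 501-502)."""
    defs = []
    for i in range(hdr["class_defs_size"]):
        off = hdr["class_defs_off"] + i * CLASS_DEF_SIZE
        defs.append(dict(zip(CLASS_DEF_FIELDS,
                             struct.unpack_from(CLASS_DEF_FMT, data, off))))
    return defs

def bad_class_data_offsets(data):
    """Step 504's check: indices of class_defs whose class_data_off points
    outside the image. 0 is legal (it means the class has no class_data)."""
    hdr = parse_header(data)
    return [i for i, cd in enumerate(parse_class_defs(data, hdr))
            if cd["class_data_off"] != 0
            and not HEADER_SIZE <= cd["class_data_off"] < len(data)]

def expected_checksum(data):
    """What dexComputeChecksum yields: Adler-32 over bytes after the checksum."""
    return zlib.adler32(bytes(data[12:])) & 0xFFFFFFFF

def expected_signature(data):
    """SHA-1 over everything after the signature field (offset 32 to end)."""
    return hashlib.sha1(bytes(data[32:])).digest()

def verify_header(data):
    """Return (checksum_ok, signature_ok); a raw memory dump usually fails both."""
    hdr = parse_header(data)
    return (hdr["checksum"] == expected_checksum(data),
            hdr["signature"] == expected_signature(data))

def backfill_checksum_and_signature(data):
    """Step 506: write the SHA-1 first (it covers offset 32 onward), then the
    Adler-32 (it covers offset 12 onward, so it includes the new signature)."""
    buf = bytearray(data)
    struct.pack_into("<20s", buf, 12, expected_signature(buf))
    struct.pack_into("<I", buf, 8, expected_checksum(buf))
    return bytes(buf)

def build_sample_dex(class_data_offs):
    """Constructed minimal image: header, one class_def per given offset, and a
    16-byte data section standing in for class_data_items. Checksum and
    signature are left zeroed, as they would be in a stale dump."""
    n = len(class_data_offs)
    data_off = HEADER_SIZE + n * CLASS_DEF_SIZE
    data_sec = b"\x00" * 16
    file_size = data_off + len(data_sec)
    hdr = struct.pack("<8sI20s", b"dex\n035\x00", 0, b"\x00" * 20)
    hdr += struct.pack("<20I", file_size, HEADER_SIZE, 0x12345678,
                       *([0] * 13), n, HEADER_SIZE, len(data_sec), data_off)
    defs = b"".join(struct.pack(CLASS_DEF_FMT, i, 1, 0xFFFFFFFF, 0,
                                0xFFFFFFFF, 0, off, 0)
                    for i, off in enumerate(class_data_offs))
    return hdr + defs + data_sec
```

The same two checks are useful on the defensive side, for instance to confirm that a dex recovered from a device image or an APK under review is internally consistent before trusting it.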
CN201610557339.0A 2016-07-15 2016-07-15 A kind of multiple spot Hook reverse method for Android reinforcement application Active CN106203120B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610557339.0A CN106203120B (en) 2016-07-15 2016-07-15 A kind of multiple spot Hook reverse method for Android reinforcement application

Publications (2)

Publication Number Publication Date
CN106203120A true CN106203120A (en) 2016-12-07
CN106203120B CN106203120B (en) 2019-03-05

Family

ID=57474411

Country Status (1)

Country Link
CN (1) CN106203120B (en)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106843919A (en) * 2016-12-12 2017-06-13 北京奇虎科技有限公司 Storage method and device for dex files
CN107133517A (en) * 2017-05-08 2017-09-05 成都德涵信息技术有限公司 Data recovery method based on data encryption and calculation in memory
CN107391970A (en) * 2017-06-07 2017-11-24 武汉斗鱼网络科技有限公司 Function access control method and device in Flash application program
CN107392018A (en) * 2017-06-30 2017-11-24 阿里巴巴集团控股有限公司 Application program shelling method and device
CN107742078A (en) * 2017-05-04 2018-02-27 四川大学 General DEX automatic shelling method and system
CN108229107A (en) * 2016-12-21 2018-06-29 武汉安天信息技术有限责任公司 Shelling method and container for Android platform application program
CN108259182A (en) * 2018-01-08 2018-07-06 中国人民大学 Android application repacking detection method and device
CN108304233A (en) * 2018-01-10 2018-07-20 武汉斗鱼网络科技有限公司 Application object migration method, storage medium, electronic device and system
CN108446186A (en) * 2018-01-30 2018-08-24 国家计算机网络与信息安全管理中心 Method for recovering Dex source file from shell-added Android application program
CN109214148A (en) * 2018-09-03 2019-01-15 平安普惠企业管理有限公司 Dex file extraction method, system and terminal device
CN109214179A (en) * 2017-06-30 2019-01-15 武汉斗鱼网络科技有限公司 Program module security detection method and device
CN109214184A (en) * 2018-07-20 2019-01-15 北京大学 Universal automatic shelling method and device for Android reinforced application program
TWI649694B (en) * 2017-10-30 2019-02-01 國立臺灣大學 Android dynamic framework and method thereof
CN109344577A (en) * 2018-09-25 2019-02-15 四川大学 Method for software protection using self-modifying technology under ART
CN109871285A (en) * 2017-12-05 2019-06-11 北京嘀嘀无限科技发展有限公司 Dynamic adjusting method, device, server, mobile terminal and readable storage medium
CN110610097A (en) * 2019-09-09 2019-12-24 杭州天宽科技有限公司 File transmission security system based on android application
CN111104104A (en) * 2019-11-04 2020-05-05 珠海亿智电子科技有限公司 Method and device for visualizing function call time and statistical result and readable medium
CN111240766A (en) * 2020-01-22 2020-06-05 北京字节跳动网络技术有限公司 Application starting method and device, electronic equipment and computer readable storage medium
CN112765608A (en) * 2021-01-20 2021-05-07 每日互动股份有限公司 Target apk source code acquisition method, electronic device and medium
CN112860224A (en) * 2019-11-28 2021-05-28 北京达佳互联信息技术有限公司 Function execution environment construction method and device, electronic equipment and storage medium
CN113051122A (en) * 2019-12-26 2021-06-29 百度在线网络技术(北京)有限公司 Performance data acquisition method and device, electronic equipment and medium
CN113190235A (en) * 2021-05-27 2021-07-30 武汉斗鱼鱼乐网络科技有限公司 Code analysis method and device, electronic terminal and storage medium
CN113641426A (en) * 2021-08-31 2021-11-12 福建省天奕网络科技有限公司 Shelling search and implementation method and system based on source code modification of android terminal
CN113836531A (en) * 2021-09-25 2021-12-24 上海蛮犀科技有限公司 Detection method for dynamic restoration of mobile application code memory
CN116467221A (en) * 2023-06-16 2023-07-21 荣耀终端有限公司 Interpreter-based instrumentation method and system and related electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043932A (en) * 2010-12-31 2011-05-04 中国航空工业集团公司第六三一研究所 Method for preventing Java program from being decompiled
CN103473509A (en) * 2013-09-30 2013-12-25 清华大学 Android platform malware automatic detecting method
US8892876B1 (en) * 2012-04-20 2014-11-18 Trend Micro Incorporated Secured application package files for mobile computing devices
US20150199514A1 (en) * 2014-01-10 2015-07-16 Bitdefender IPR Management Ltd. Computer Security Systems And Methods Using Virtualization Exceptions
CN105046116A (en) * 2015-06-25 2015-11-11 上海斐讯数据通信技术有限公司 Method for protecting dex file from being decompiled in Android system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wu Zhiwen et al.: "Design and Implementation of a Software Hardening Scheme Based on the Android Platform", Telecom Engineering Technics and Standardization (电信工程技术与标准化) *

Also Published As

Publication number Publication date
CN106203120B (en) 2019-03-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CB03 Change of inventor or designer information
CB03 Change of inventor or designer information

Inventor after: Xu Guoai, Guo Yanhui, Gao Yuhao, Wu Bo, Zhang Miao, Xu Guosheng, Wang Chenyu
Inventor before: Guo Yanhui, Gao Yuhao, Wu Bo, Zhang Miao