CN108229107A - Shelling (unpacking) method and container for Android platform applications - Google Patents


Info

Publication number
CN108229107A
Authority
CN
China
Prior art keywords
shelling
application program
container
activity
objects
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611189649.8A
Other languages
Chinese (zh)
Other versions
CN108229107B (en)
Inventor
李伏
李伏一
乔伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Antian Information Technology Co Ltd
Original Assignee
Wuhan Antian Information Technology Co Ltd
Application filed by Wuhan Antian Information Technology Co Ltd
Priority to CN201611189649.8A
Publication of CN108229107A
Application granted
Publication of CN108229107B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a shelling (unpacking) method for Android platform applications, applied in a preset shelling container located at the application layer. The method obtains the path of an externally supplied application to be shelled and copies that application into the file directory of the shelling container; parses the Manifest file of the application to be shelled to obtain its main Activity and resource information, the resource information including at least the resource path; loads the resource path and code of the application to be shelled into the process space of the shelling container according to the application's path; obtains the dex file structure of the application to be shelled; and shells the application according to that dex file structure. The invention also discloses a shelling container comprising a parsing module, a dynamic loading module and a core shelling module. The invention requires no root privileges and no modification of system source code, is convenient to implement, and shells efficiently.

Description

Shelling method and container for Android platform applications
Technical field
The present invention relates to the field of information security technology, and in particular to a shelling method and container for Android platform applications.
Background
The Android system is open source, and as the performance of mobile devices keeps improving, application development on the Android platform has grown rapidly. However, malicious applications on the Android platform are also increasingly common and seriously endanger users' privacy and property. Most malicious applications on the Android platform now use reinforcement (packing) techniques to hide the logic of their malicious code and evade detection by antivirus engines, causing serious harm to users. Shelling technology for reinforced Android applications emerged in response to this problem.
Existing shelling schemes for Android applications fall into two main types. The first uses dynamic debugging tools to write the in-memory data out to a file while the Android application is running. This approach requires manual work and root privileges, and current reinforcement techniques apply many countermeasures against it, so both its efficiency and its success rate are very low. The second modifies the system-layer virtual machine (such as the Dalvik virtual machine or the ART virtual machine) to obtain the data structures related to the dex file and reassemble the data into a new, shelled file. This approach allows an automated shelling tool, but it requires changing system code, and every modification requires re-flashing the device, which makes updates cumbersome and unsuitable for ordinary users.
Summary of the invention
The object of the present invention is to provide a shelling method and container for Android platform applications that suit ordinary users, need no root privileges, are convenient to implement, and shell efficiently.
To achieve this object, the invention discloses a shelling method for Android platform applications, applied in a preset shelling container located at the application layer. The shelling method includes the following steps:
Obtaining the path of an externally supplied application to be shelled, and copying the application to be shelled into the file directory of the shelling container;
Parsing the Manifest file of the application to be shelled to obtain its main Activity and resource information, the resource information including at least the resource path;
Loading, according to the path of the application to be shelled, the resource path and code of the application to be shelled into the process space of the shelling container; the code loading includes the following steps: starting the obtained main Activity and sending the start-up parameters of a stub Activity to the system layer, the stub Activity being an Activity declared in the Manifest file of the shelling container; the system layer obtaining the start-up parameters of the stub Activity and performing Activity management; the shelling container creating a new ClassLoader object for the main Activity and binding that ClassLoader object to the loader the system layer uses to load Activity classes; and completing code loading by using that ClassLoader object to call the class-loading function;
Obtaining the dex file structure of the application to be shelled;
Shelling the application to be shelled according to the dex file structure.
Further, Activity management includes life cycle management, stack management or authenticity verification.
Further, the method of binding the ClassLoader object includes the following steps: building the LoadedApk object of the application to be shelled through the system function getPackageInfoNoCheck(); replacing the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtaining the CurrentThread object through reflection, obtaining its member variable mPackages, and adding the created LoadedApk object to the Map of mPackages.
Further, the method of loading the resource path includes: creating an AssetManager object and calling the addAssetPath function of AssetManager through reflection to load the resource path of the application to be shelled into the AssetManager; creating the Resources object of the application to be shelled from that AssetManager; and adding the created Resources object to the resource cache table of the shelling container.
Further, shelling the application to be shelled according to its dex file structure includes the following steps: allocating a new space according to the size of the gDvm.userDexFiles structure that corresponds in memory to the dex file, to store the repaired dex file; obtaining the current DexFile structure through the gDvm.userDexFiles structure, parsing the DexFile structure and determining the structures that need repair; repairing each structure and reassembling all DexClassData structures to form the repaired dex file in memory; and dumping the repaired dex file from memory to the corresponding output directory.
To achieve the above object, the invention also discloses a shelling container for shelling applications at the Android platform application layer. The shelling container includes a parsing module, a dynamic loading module and a core shelling module, wherein:
The parsing module obtains the path of an externally supplied application to be shelled and copies the application to be shelled into the file directory of the shelling container; it also parses the Manifest file of the application to be shelled to obtain its main Activity and resource information, the resource information including at least the resource path;
The dynamic loading module loads, according to the path of the application to be shelled, the resource path and code of the application to be shelled into the process space of the shelling container; the code loading includes the following steps: starting the obtained main Activity and sending the start-up parameters of a stub Activity to the system layer, the stub Activity being an Activity declared in the Manifest file of the shelling container; the system layer obtaining the start-up parameters of the stub Activity and performing Activity management; the dynamic loading module creating a new ClassLoader object for the main Activity and binding that ClassLoader object to the loader the system layer uses to load Activity classes; and completing code loading by using that ClassLoader object to call the class-loading function;
The core shelling module obtains the dex file structure of the application to be shelled and shells the application to be shelled according to that dex file structure.
Further, Activity management includes life cycle management, stack management or authenticity verification.
Further, the method of binding the ClassLoader object includes the following steps: building the LoadedApk object of the application to be shelled through the system function getPackageInfoNoCheck(); replacing the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtaining the CurrentThread object through reflection, obtaining its member variable mPackages, and adding the created LoadedApk object to the Map of mPackages.
Further, the method by which the dynamic loading module loads the resource path includes: creating an AssetManager object and calling the addAssetPath function of AssetManager through reflection to load the resources of the application to be shelled into the AssetManager; creating the Resources object of the application to be shelled from that AssetManager; and adding the created Resources object to the resource cache table of the shelling container.
Further, shelling the application to be shelled according to the dex file structure includes the following steps: allocating a new space according to the size of the gDvm.userDexFiles structure that corresponds in memory to the dex file, to store the repaired dex file; obtaining the current DexFile structure through the gDvm.userDexFiles structure, parsing the DexFile structure and determining the structures that need repair; repairing each structure and reassembling all DexClassData structures to form the repaired dex file in memory; and dumping the repaired dex file from memory to the corresponding output directory.
Further, after the dynamic loading module has finished loading the resource path and code, the shelling container calls the onCreate function of the main Activity, and the core shelling module is called within that function.
Compared with the prior art, the invention has the following advantages. Existing shelling approaches need to intervene in the process of the application to be shelled and therefore need root privileges. The present invention instead uses dynamic loading to load the resource path and code of the application to be shelled into a preset shelling container, so that the application is shelled at the application layer. Because the invention performs no cross-process operations, it needs no root privileges; and because it does not modify system source code, it suits ordinary users, is convenient to implement, and shells efficiently.
Description of the drawings
Fig. 1 is a flow chart of the shelling method for Android platform applications of the present invention.
Fig. 2 is a flow chart of the code loading of the present invention.
Fig. 3 is a flow chart of shelling the application to be shelled according to the present invention.
Fig. 4 is a structural diagram of the shelling container of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Although the steps in the invention are labelled with numbers, the numbering does not limit the order of the steps. Unless the order of the steps is specified or the execution of a step depends on other steps, the relative order of the steps is adjustable.
The invention aims to shell reinforced applications, and the core of shelling is the reconstruction of the dex file structure, so the dex file structure should be understood before the invention itself.
An Android application installation package exists as an apk, which is in fact a ZIP archive. Decompressing it yields resource files, signature files, configuration files and the Android application's executable file, classes.dex, whose structure is shown in Table 1.
Table 1
Logically, a dex file can be divided into three areas: the file header, the index area and the data area. The ids suffix in the index area is short for identifiers, meaning the identifier of some item. Most of the data in this area are pointers into the data area.
The header of a dex file describes the .dex file itself and also holds the index of every other area in the file. Its structure is as follows:
#include <stdint.h>

typedef uint8_t  ubyte;            /* 8-bit unsigned */
typedef uint32_t uint;             /* 32-bit unsigned */
enum { kSHA1DigestLen = 20 };      /* length of a SHA-1 digest in bytes */

struct DexHeader {
    ubyte magic[8];                    /* includes version number */
    uint  checksum;                    /* adler32 checksum */
    ubyte signature[kSHA1DigestLen];   /* SHA-1 hash */
    uint  fileSize;                    /* length of entire file */
    uint  headerSize;                  /* offset to start of next section */
    uint  endianTag;
    uint  linkSize;
    uint  linkOff;
    uint  mapOff;
    /* each index area is described by a size/offset pair */
    uint  stringIdsSize;
    uint  stringIdsOff;
    uint  typeIdsSize;
    uint  typeIdsOff;
    uint  protoIdsSize;
    uint  protoIdsOff;
    uint  fieldIdsSize;
    uint  fieldIdsOff;
    uint  methodIdsSize;
    uint  methodIdsOff;
    uint  classDefsSize;
    uint  classDefsOff;
    uint  dataSize;
    uint  dataOff;
};
Some of these fields describe the dex file itself. For example, magic is the magic field, which in a dex file is fixed to dex.035, and checksum is the check value of the entire dex file, used to ensure the file's integrity and to resist tampering. The other fields appear in pairs that give the position and size of the corresponding index area: for example, string_ids_off (stringIdsOff in the structure above) is the position of the string index area and string_ids_size (stringIdsSize) is the size of that index area.
The whole dex file structure is described by the DexFile structure. In the Android system, DexHeader describes the header information of the dex file, and the information of each class is described by a ClassDef structure. ClassDef is the structure mainly operated on during shelling: its class_data_off points to a DexClassData structure, which describes the concrete contents of the class, including static member variables and instance member variables, and static methods and instance methods. Each method is described by a DexMethod structure, which in turn contains a DexCode structure describing the method's actual instructions. Shelling mainly operates on these three levels of data: DexClassData, DexMethod and DexCode.
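The header layout above can be checked mechanically. The following is an added example, not part of the patent text: it parses the 0x70-byte header, verifies the magic, file size, SHA-1 signature and adler32 checksum, and confirms that every size/offset pair stays inside the image. The function names, the snake_case field names and the sample image are constructed for illustration; `seal` shows the order in which the integrity fields have to be recomputed when a dex file is rewritten.

```python
import hashlib
import struct
import zlib

HEADER_FMT = "<8sI20s20I"          # 0x70 bytes, little-endian
FIELDS = ("magic checksum signature file_size header_size endian_tag "
          "link_size link_off map_off string_ids_size string_ids_off "
          "type_ids_size type_ids_off proto_ids_size proto_ids_off "
          "field_ids_size field_ids_off method_ids_size method_ids_off "
          "class_defs_size class_defs_off data_size data_off").split()
# Bytes per entry in each area (the data area is counted in bytes).
ITEM_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
             "field_ids": 8, "method_ids": 8, "class_defs": 32, "data": 1}


def parse_header(buf):
    """Return the header fields of a dex image as a dict."""
    if len(buf) < struct.calcsize(HEADER_FMT):
        raise ValueError("shorter than a dex header")
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, buf, 0)))


def check_header(buf):
    """Return a list of problems found in the header of a dex image."""
    h = parse_header(buf)
    problems = []
    if h["magic"][:4] != b"dex\n" or h["magic"][7:] != b"\0":
        problems.append("bad magic")
    if h["header_size"] != 0x70:
        problems.append("unexpected header_size")
    if h["endian_tag"] != 0x12345678:
        problems.append("unexpected endian_tag")
    if h["file_size"] != len(buf):
        problems.append("file_size does not match image length")
    # The signature covers everything after itself (offset 32 onward).
    if h["signature"] != hashlib.sha1(buf[32:]).digest():
        problems.append("signature mismatch")
    # The checksum covers everything after itself, signature included.
    if h["checksum"] != zlib.adler32(buf[12:]) & 0xFFFFFFFF:
        problems.append("checksum mismatch")
    for name, item in ITEM_SIZE.items():
        size, off = h[name + "_size"], h[name + "_off"]
        if size and not (0x70 <= off and off + size * item <= len(buf)):
            problems.append(f"{name} area outside image")
    return problems


def seal(buf):
    """Recompute file_size, then signature, then checksum, in that order."""
    out = bytearray(buf)
    struct.pack_into("<I", out, 32, len(out))
    out[12:32] = hashlib.sha1(bytes(out[32:])).digest()
    struct.pack_into("<I", out, 8, zlib.adler32(bytes(out[12:])) & 0xFFFFFFFF)
    return bytes(out)


def build_sample():
    """Constructed image: header, two string_ids entries, 8 data bytes."""
    header = struct.pack(HEADER_FMT, b"dex\n035\0", 0, b"\0" * 20,
                         0, 0x70, 0x12345678,      # file_size set by seal()
                         0, 0, 0,                  # link_size, link_off, map_off
                         2, 0x70,                  # string_ids
                         *([0] * 10),              # type/proto/field/method/class_defs
                         8, 0x78)                  # data
    string_ids = struct.pack("<2I", 0x78, 0x7C)
    return seal(header + string_ids + b"\x01A\x00\x00\x01B\x00\x00")
```

Because the checksum covers the signature, changing any byte after offset 32 invalidates both fields, and the signature must be rewritten before the checksum.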
Some specific embodiments of the invention are given below.
Embodiment 1
Referring to Fig. 1, in some embodiments the shelling method for Android platform applications disclosed by the invention is applied in a preset shelling container located at the application layer. The shelling container is itself an application and has its own Manifest file. The shelling method of the invention includes the following steps:
S01: obtain the path of an externally supplied application to be shelled and copy the application to be shelled into the file directory of the shelling container.
S02: parse the Manifest file of the application to be shelled to obtain its main Activity and resource information.
The main Activity information includes the string that describes the Activity of the home page; the resource information includes pictures, icons, XML files and the resource path.
S03: according to the path of the application to be shelled, load the code and resource path of the application to be shelled into the process space of the shelling container.
S031: add the resource path of the application to be shelled to the system resource management class of the shelling container. The system can then also load resources such as pictures, icons and XML files.
Specifically, an AssetManager object must first be created. In theory, calling the addAssetPath method of AssetManager loads the resource path of an apk file into a Resources object. However, addAssetPath is a hidden API and cannot be called directly, so after the AssetManager object is created the method must be called through reflection, passing the path of the application to be shelled to addAssetPath so that the resource path is loaded into the AssetManager. Because applications generally access resources through a Resources object, a new Resources object must then be created from the AssetManager and added to the resource cache table of the shelling container.
S032: code loading. Referring to Fig. 2, code loading includes the following steps:
S0321: start the obtained main Activity.
S0322: send the start-up parameters of a stub Activity to the system layer. The stub Activity is an Activity declared in the Manifest file of the shelling container and is referred to below as StubActivity.
S0323: the system layer obtains the start-up parameters of StubActivity to carry out Activity management.
The invention uses StubActivity as a stand-in for the main Activity in order to deceive the system-layer ActivityManagerService class (hereinafter AMS), which manages Activities, so that work such as Activity life cycle management, stack management and authenticity verification is carried out.
S0324: the shelling container creates a new ClassLoader object for the main Activity and binds that ClassLoader object to the loader the system layer uses to load Activity classes.
The source dex path of this ClassLoader is the path produced by the copy in S01. In theory, the Android platform could load the code simply by using its own ClassLoader object to load the application's path, but components of an application loaded this way have no life cycle; that is, the main Activity cannot be started normally in this way. To give the loaded components a life cycle, the shelling container must create a new ClassLoader object and bind it to the loader the system layer uses to load Activity classes.
For ease of understanding, the hierarchy of the ClassLoader object is as follows: the ClassLoader object resides in a LoadedApk object, the LoadedApk object resides in mPackages of the CurrentThread object, and the system layer uses the LoadedApk objects in mPackages.
The ClassLoader object is bound as follows: build the LoadedApk object of the application to be shelled through the system function getPackageInfoNoCheck(); replace the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtain the CurrentThread object through reflection, obtain its member variable mPackages, and add the created LoadedApk object to the Map of mPackages.
It should be understood that the system layer uses this ClassLoader to call the class-loading function loadClass to complete code loading.
Existing shelling approaches need to intervene in the process of the application to be shelled and therefore need root privileges. The present invention instead uses dynamic loading to load the resource path and code of the application to be shelled into a preset shelling container, so that the application is shelled at the application layer. Because the invention performs no cross-process operations, it needs no root privileges; and because it does not modify system source code, it suits ordinary users, is convenient to implement, and shells efficiently.
S04: obtain the dex file structure of the application to be shelled.
That is, obtain the gDvm.userDexFiles structure that corresponds in memory to the dex file of the application to be shelled.
S05: shell the application to be shelled according to the dex file structure. Referring to Fig. 3:
S051: allocate a new space according to the size of gDvm.userDexFiles, to store the repaired dex file.
S052: obtain the current DexFile structure through gDvm.userDexFiles, then parse the DexFile structure to obtain its data and, according to the header data in the structure, traverse the entire DexFile to determine the structures that need repair.
The traversal proceeds level by level from DexClassData to DexMethod and then to the specific DexCode structure to determine which structures need repair: if class_data_off in DexClassData is found to be a remote address, it needs repair; if code_off in DexMethod is found to be a remote address, it needs repair; if the insns instructions in the DexCode structure are found to be empty, it needs repair.
S053: repair each structure and reassemble all DexClassData structures to form a new dex file in memory.
Each structure is repaired in correspondence with S052: if class_data_off in DexClassData is a remote address, the value the address points to is copied into the newly allocated space; if code_off in DexMethod is a remote address, the remotely referenced DexMethod structure is copied to the corresponding position in the newly allocated space; if the insns instructions in the DexCode structure are empty, the instructions are restored from insns in the Method object.
Reassembling all DexClassData structures means recalculating the offsets of the repaired DexClassData structures and writing them into the structure at the corresponding offset in DexFile.
The header data in DexFile is then recalculated. Some of it is fixed, such as the magic field of the dex file, the header size and string_ids_off, and can be filled in directly; other data, such as type_ids_off and proto_ids_off, must be filled in after the offsets are recalculated. Once the header has been repaired, a new dex file is formed.
S054: dump the reassembled new dex file from memory and write it as a file to the corresponding output directory. This file is the shelled file.
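The repair decision in S052 can be illustrated on a byte image. The following is an added example, not part of the patent text and not the patented implementation: the patent works on Dalvik's in-memory structures, whereas this sketch applies the same three tests to a dex-format buffer. It assumes that a "remote address" is an offset outside the image and that "empty" insns means a zero-length or all-zero instruction array; every function name and the sample image are constructed for illustration.

```python
import struct

HEADER_SIZE, CLASS_DEF_SIZE = 0x70, 32

def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 value; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def write_uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | (0x80 if value else 0))
        if not value:
            return bytes(out)

def in_image(buf, off, need):
    """True when [off, off + need) lies inside the image, past the header."""
    return HEADER_SIZE <= off and off + need <= len(buf)

def check_code(buf, code_off):
    """Classify one code_off: 'code_off', 'insns', or None when intact."""
    if not in_image(buf, code_off, 16):
        return "code_off"
    insns_size = struct.unpack_from("<I", buf, code_off + 12)[0]  # 16-bit units
    insns = buf[code_off + 16:code_off + 16 + 2 * insns_size]
    if insns_size == 0 or len(insns) < 2 * insns_size or not any(insns):
        return "insns"

def methods_of(buf, pos):
    """Yield (method_idx, code_off) for each method of a class_data_item."""
    sizes = []
    for _ in range(4):                      # static, instance, direct, virtual
        value, pos = read_uleb128(buf, pos)
        sizes.append(value)
    for _ in range(2 * (sizes[0] + sizes[1])):   # skip the encoded fields
        _, pos = read_uleb128(buf, pos)
    for group in sizes[2:]:
        method_idx = 0
        for _ in range(group):
            diff, pos = read_uleb128(buf, pos)
            _, pos = read_uleb128(buf, pos)      # access_flags
            code_off, pos = read_uleb128(buf, pos)
            method_idx += diff
            yield method_idx, code_off

def find_repairs(buf):
    """Walk class_defs -> class_data -> code items; list what needs repair."""
    count, defs_off = struct.unpack_from("<2I", buf, 96)
    findings = []
    for ci in range(count):
        entry = defs_off + ci * CLASS_DEF_SIZE
        class_data_off = struct.unpack_from("<I", buf, entry + 24)[0]
        if class_data_off == 0:
            continue                        # class with no fields or methods
        if not in_image(buf, class_data_off, 4):
            findings.append((ci, None, "class_data_off"))
            continue
        try:
            for method_idx, code_off in methods_of(buf, class_data_off):
                reason = check_code(buf, code_off) if code_off else None
                if reason:
                    findings.append((ci, method_idx, reason))
        except IndexError:                  # counts run past the image
            findings.append((ci, None, "class_data truncated"))
    return findings

def build_sample():
    """Constructed dex-like image: header, three class_defs, data area."""
    base, body = HEADER_SIZE + 3 * CLASS_DEF_SIZE, bytearray()
    def put(blob):
        body.extend(b"\0" * (-(base + len(body)) % 4))   # 4-byte alignment
        body.extend(blob)
        return base + len(body) - len(blob)
    def code_item(insns):
        return struct.pack("<4H2I", 1, 0, 0, 0, 0, len(insns) // 2) + insns
    def class_data(*code_offs):             # direct methods only, ACC_PUBLIC
        out = b"".join(map(write_uleb128, (0, 0, len(code_offs), 0)))
        for i, off in enumerate(code_offs):
            out += b"".join(map(write_uleb128, (min(i, 1), 1, off)))
        return out
    remote = 0x7F000000                     # constructed offset outside the image
    good = put(code_item(b"\x0e\x00"))              # return-void
    blank = put(code_item(b"\x00\x00\x00\x00"))     # instructions zeroed out
    offs = (put(class_data(good)), remote, put(class_data(remote, blank)))
    defs = b"".join(struct.pack("<8I", i, 1, 0, 0, 0, 0, off, 0)
                    for i, off in enumerate(offs))
    header = struct.pack("<8sI20s20I", b"dex\n035\0", 0, b"\0" * 20,
                         base + len(body), HEADER_SIZE, 0x12345678,
                         *([0] * 13), 3, HEADER_SIZE, len(body), base)
    return header + defs + bytes(body)
```

Each finding is a `(class index, method index or None, field)` tuple naming the field that S053 would have to repair; the sample's checksum and signature are left zero because this walk does not read them.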
Embodiment 2
As shown in Fig. 4, a shelling container for shelling applications at the Android platform application layer includes a parsing module 10, a dynamic loading module 20 and a core shelling module 30, wherein:
The parsing module 10 obtains the path of an externally supplied application to be shelled and copies the application to be shelled into the file directory of the shelling container; it also parses the Manifest file of the application to be shelled to obtain its main Activity and resource information. The main Activity information includes the string that describes the Activity of the home page, and the resource information includes at least the resource path.
The dynamic loading module 20 loads, according to the path of the application to be shelled, the code and resource path of the application to be shelled into the class in the shelling container that creates the main Activity. Specifically:
1. Resource path loading: create an AssetManager object. In theory, calling the addAssetPath method of AssetManager loads the resource path of an apk file into a Resources object. However, addAssetPath is a hidden API and cannot be called directly, so after the AssetManager object is created the method must be called through reflection, passing the path of the application to be shelled to addAssetPath so that the resource path is loaded into the AssetManager. Because applications generally access resources through a Resources object, a new Resources object must then be created from the AssetManager and added to the resource cache table of the shelling container.
2. Code loading, which includes the following:
(1) Start the obtained main Activity.
(2) Send the start-up parameters of a stub Activity to the system layer. The stub Activity is an Activity declared in the Manifest file of the shelling container and is referred to below as StubActivity.
(3) The system layer obtains the start-up parameters of StubActivity to carry out Activity management.
The invention uses StubActivity as a stand-in for the main Activity in order to deceive the system-layer ActivityManagerService class (hereinafter AMS), which manages Activities, so that work such as Activity life cycle management, stack management and authenticity verification is carried out.
(4) The dynamic loading module 20 creates a new ClassLoader object for the main Activity and binds that ClassLoader object to the loader the system layer uses to load Activity classes. The Activity is started by means of a dynamic proxy.
Specifically, the dynamic loading module 20 creates a new ClassLoader object for the main Activity, then builds the LoadedApk object of the application to be shelled through the system function getPackageInfoNoCheck(); replaces the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtains the CurrentThread object through reflection, obtains its member variable mPackages, and adds the created LoadedApk object to the Map of mPackages.
It should be understood that the system layer also uses this ClassLoader to call the class-loading function loadClass to complete code loading.
Existing shelling approaches need to intervene in the process of the application to be shelled and therefore need root privileges. The present invention instead uses dynamic loading to load the resource path and code of the application to be shelled into a preset shelling container, so that the application is shelled at the application layer. Because the invention performs no cross-process operations, it needs no root privileges; and because it does not modify system source code, it suits ordinary users, is convenient to implement, and shells efficiently.
After the dynamic loading module 20 has finished loading the resource path and code, the shelling container calls the onCreate function of the main Activity, and the core shelling module 30 is called within that function.
The core shelling module 30 provides the following functions:
1. Obtaining the dex file structure of the application to be shelled, that is, obtaining the gDvm.userDexFiles structure that corresponds to the application's dex file in memory.
2. Shelling the application to be shelled according to the dex file structure. Specifically:
(1) Allocate a new memory space, sized according to gDvm.userDexFiles, to store the repaired dex file.
(2) Obtain the current DexFile structure through gDvm.userDexFiles, parse the DexFile structure to obtain its data and, using the header data in the structure, traverse the entire DexFile to determine which structures need to be repaired.
(3) Repair each structure and recombine all DexClassData structures to form a new dex file in memory.
If class_data_off in DexClassData is a remote address, the value that the address points to is copied into the newly allocated space. If code_off in DexMethod is a remote address, the remotely referenced DexMethod structure is copied to the corresponding position in the newly allocated space. If the insns instructions in the DexCode structure are empty, they are restored from insns in the Method object.
Recombining all DexClassData structures means recalculating the offsets of the repaired DexClassData structures and writing them into the structures at the corresponding offsets in DexFile.
The header data in DexFile is then recalculated. Some of it is fixed, such as the dex file's magic field, the header size and string_ids_off, and can be written directly; other data, such as type_ids_off and proto_ids_off, must be written after the offsets have been recalculated. Once this repair is complete, a new dex file has been formed.
(4) Dump the recombined new dex file from memory and write it as a file to the corresponding output directory; this file is the shelled file.
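The repair in steps (2) and (3) can be checked on a dumped image. The following is an added example, not code from the patent: it uses the public DEX header_item and class_def_item layouts, treats a "remote address" as a class_data_off that falls outside the image (an assumption), and also re-seals the file_size, signature and checksum header fields, which the text does not name. The function names are hypothetical and the sample image is constructed.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70          # fixed size of a DEX header_item
CLASS_DEF_SIZE = 0x20       # fixed size of a class_def_item
# Byte offsets of header fields in the public DEX format
FIELDS = {"file_size": 0x20, "header_size": 0x24, "string_ids_off": 0x3C,
          "type_ids_off": 0x44, "proto_ids_off": 0x4C,
          "class_defs_size": 0x60, "class_defs_off": 0x64}


def parse_header(dex):
    """Return the header fields that the repair step reads or rewrites."""
    if dex[:4] != b"dex\n" or len(dex) < HEADER_SIZE:
        raise ValueError("not a DEX image")
    return {name: struct.unpack_from("<I", dex, off)[0] for name, off in FIELDS.items()}


def out_of_file_class_data(dex):
    """List (class_def index, class_data_off) pairs that point outside the image."""
    hdr = parse_header(dex)
    bad = []
    for i in range(hdr["class_defs_size"]):
        item = hdr["class_defs_off"] + i * CLASS_DEF_SIZE
        if item + CLASS_DEF_SIZE > len(dex):
            raise ValueError("class_defs table runs past end of image")
        off = struct.unpack_from("<I", dex, item + 24)[0]   # class_data_off
        if off != 0 and not (HEADER_SIZE <= off < len(dex)):
            bad.append((i, off))
    return bad


def reseal(dex):
    """Recompute file_size, SHA-1 signature and Adler-32 checksum after a repair."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 0x20, len(buf))
    buf[0x0C:0x20] = hashlib.sha1(bytes(buf[0x20:])).digest()
    struct.pack_into("<I", buf, 0x08, zlib.adler32(bytes(buf[0x0C:])) & 0xFFFFFFFF)
    return bytes(buf)


def header_is_consistent(dex):
    """True when file_size, signature and checksum all match the content."""
    return (parse_header(dex)["file_size"] == len(dex)
            and dex[0x0C:0x20] == hashlib.sha1(dex[0x20:]).digest()
            and struct.unpack_from("<I", dex, 0x08)[0] == zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF)


def build_sample(class_data_off):
    """Constructed image: header, one class_def_item, 16 bytes of data."""
    buf = bytearray(HEADER_SIZE + CLASS_DEF_SIZE + 16)
    buf[:8] = b"dex\n035\x00"
    struct.pack_into("<I", buf, 0x24, HEADER_SIZE)
    struct.pack_into("<II", buf, 0x60, 1, HEADER_SIZE)   # class_defs_size, class_defs_off
    struct.pack_into("<I", buf, HEADER_SIZE + 24, class_data_off)
    return bytes(buf)
```

A dump that still lists entries from `out_of_file_class_data`, or fails `header_is_consistent`, has not been fully repaired and will not parse cleanly in static-analysis tools.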
The above description shows and describes several preferred embodiments of the present invention. As stated earlier, however, the invention is not limited to the forms disclosed herein; these should not be regarded as excluding other embodiments, and the invention can be used in various other combinations, modifications and environments and can be modified, within the scope of the inventive concept set out herein, through the above teachings or through the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the protection scope of the appended claims.

Claims (10)

1. A shelling method for an Android platform application, applied in a preset shelling container located at the application layer, characterized in that the shelling method comprises the following steps:
obtaining the path of an externally input application to be shelled, and copying the application to be shelled into the file directory of the shelling container;
parsing the Manifest file of the application to be shelled to obtain its main Activity and resource information, the resource information including at least a resource path;
loading, according to the path of the application to be shelled, the resource path and code of the application to be shelled into the process space of the shelling container; the code loading comprises the following steps: starting the obtained main Activity and sending the start-up parameters of a scapegoat Activity to the system layer, the scapegoat Activity being an Activity in the Manifest file of the shelling container; the system layer obtaining the start-up parameters of the scapegoat Activity and performing Activity management; the shelling container creating a new ClassLoader object for the main Activity and binding the ClassLoader object to the loader that the system layer uses to load Activity classes; and completing the code loading by using the ClassLoader object to call the class-loading function;
obtaining the dex file structure of the application to be shelled;
shelling the application to be shelled according to the dex file structure.
2. The shelling method according to claim 1, characterized in that the Activity management includes life cycle management, stack management or authenticity verification.
3. The shelling method according to claim 1, characterized in that the method of binding the ClassLoader object comprises the following steps: building a LoadedApk object for the application to be shelled through the system function getPackageInfoNoCheck(); replacing the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtaining the CurrentThread object by reflection, obtaining its member variable mPackages, and adding the created LoadedApk object to the Map of mPackages.
4. The shelling method according to claim 1, characterized in that the method of loading the resource path comprises: creating an AssetManager object, calling the addAssetPath function of AssetManager by reflection, and loading the resource path of the application to be shelled into the AssetManager; creating a Resources object for the application to be shelled from the AssetManager; and adding the created Resources object to the resource cache table of the shelling container.
5. The shelling method according to claim 1, characterized in that shelling the application to be shelled according to its dex file structure comprises the following steps: allocating a new space, sized according to the gDvm.userDexFiles structure that corresponds to the dex file in memory, to store the repaired dex file; obtaining the current DexFile structure through the gDvm.userDexFiles structure, parsing the DexFile structure, and determining the structures that need to be repaired; repairing each structure and recombining all DexClassData structures to form the repaired dex file in memory; and dumping the repaired dex file from memory to the corresponding output directory.
6. A shelling container for an Android platform application, used to shell an application at the Android platform application layer, characterized in that the shelling container comprises a parsing module, a dynamic loading module and a core shelling module, wherein:
the parsing module is used to obtain the path of an externally input application to be shelled and copy the application into the file directory of the shelling container, and to parse the Manifest file of the application to be shelled to obtain its main Activity and resource information, the resource information including at least a resource path;
the dynamic loading module is used to load, according to the path of the application to be shelled, the resource path and code of the application to be shelled into the process space of the shelling container; the code loading comprises the following steps: starting the obtained main Activity and sending the start-up parameters of a scapegoat Activity to the system layer, the scapegoat Activity being an Activity in the Manifest file of the shelling container; the system layer obtaining the start-up parameters of the scapegoat Activity and performing Activity management; the dynamic loading module creating a new ClassLoader object for the main Activity and binding the ClassLoader object to the loader that the system layer uses to load Activity classes; and completing the code loading by using the ClassLoader object to call the class-loading function;
the core shelling module is used to obtain the dex file structure of the application to be shelled and to shell the application to be shelled according to the dex file structure.
7. The shelling container according to claim 6, characterized in that the method by which the dynamic loading module binds the ClassLoader object comprises the following steps: building a LoadedApk object for the application to be shelled through the system function getPackageInfoNoCheck(); replacing the mClassLoader member variable of the application to be shelled with the constructed ClassLoader object; obtaining the CurrentThread object, obtaining its member variable mPackages by reflection, and adding the created LoadedApk object to the Map of mPackages.
8. The shelling container according to claim 6, characterized in that the method by which the dynamic loading module loads the resource path comprises: creating an AssetManager object, calling the addAssetPath function of AssetManager by reflection, and loading the resources of the application to be shelled into the AssetManager; creating a Resources object for the application to be shelled from the AssetManager; and adding the created Resources object to the resource cache table of the shelling container.
9. The shelling container according to claim 6, characterized in that the core shelling module shelling the application to be shelled according to the dex file structure comprises the following steps: allocating a new space, sized according to the gDvm.userDexFiles structure that corresponds to the dex file in memory, to store the repaired dex file; obtaining the current DexFile structure through the gDvm.userDexFiles structure, parsing the DexFile structure, and determining the structures that need to be repaired; repairing each structure and recombining all DexClassData structures to form the repaired dex file in memory; and dumping the repaired dex file from memory to the corresponding output directory.
10. The shelling container according to claim 6, characterized in that, after the dynamic loading module has loaded the resource path and code, the shelling container calls the onCreate function of the main Activity, and the core shelling module is called within the onCreate function.
CN201611189649.8A 2016-12-21 2016-12-21 Shelling method and container for Android platform application program Active CN108229107B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611189649.8A CN108229107B (en) 2016-12-21 2016-12-21 Shelling method and container for Android platform application program

Publications (2)

Publication Number Publication Date
CN108229107A true CN108229107A (en) 2018-06-29
CN108229107B CN108229107B (en) 2021-06-25

Family

ID=62650994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611189649.8A Active CN108229107B (en) 2016-12-21 2016-12-21 Shelling method and container for Android platform application program

Country Status (1)

Country Link
CN (1) CN108229107B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8892876B1 (en) * 2012-04-20 2014-11-18 Trend Micro Incorporated Secured application package files for mobile computing devices
CN105574411A (en) * 2015-12-25 2016-05-11 北京奇虎科技有限公司 Dynamic unshelling method, device and equipment
CN105930692A (en) * 2016-04-20 2016-09-07 北京鼎源科技有限公司 Dynamic shelling method for Android application
CN105989252A (en) * 2015-12-12 2016-10-05 武汉安天信息技术有限责任公司 Function level packing-oriented unpacking method and system
CN106203120A (en) * 2016-07-15 2016-12-07 北京邮电大学 A kind of multiple spot Hook reverse method for Android reinforcement application

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112214250A (en) * 2019-06-24 2021-01-12 北京京东尚科信息技术有限公司 Application program assembly loading method and device
CN112214250B (en) * 2019-06-24 2024-05-17 北京京东尚科信息技术有限公司 Application program component loading method and device
CN111581639B (en) * 2020-03-27 2022-10-14 北京大学 Universal automatic shelling method and system for Android shelling application program
CN111581639A (en) * 2020-03-27 2020-08-25 北京大学 Universal automatic shelling method and system for Android shell-adding application program
CN111625290B (en) * 2020-05-06 2023-03-24 小船出海教育科技(北京)有限公司 Layout file preloading method and device under Android platform and electronic equipment
CN111625290A (en) * 2020-05-06 2020-09-04 小船出海教育科技(北京)有限公司 Layout file preloading method and device under Android platform and electronic equipment
CN112068932A (en) * 2020-09-01 2020-12-11 北京指掌易科技有限公司 Application program integration and monitoring method, device, system, equipment and medium
CN112230927A (en) * 2020-09-17 2021-01-15 贝壳技术有限公司 File redirection method, code loading control method and device
CN112214267A (en) * 2020-10-12 2021-01-12 广州大学 Android shelling acceleration method and device, storage medium and computer equipment
CN112883374A (en) * 2021-02-02 2021-06-01 电子科技大学 General Android platform application program shelling method and system based on ART environment
CN112883374B (en) * 2021-02-02 2022-07-01 电子科技大学 General Android platform application program shelling method and system based on ART environment
CN114385261A (en) * 2021-12-23 2022-04-22 湖南小算科技信息有限公司 Method for loading program in process
CN116662270A (en) * 2022-09-09 2023-08-29 荣耀终端有限公司 File analysis method and related device
CN116662270B (en) * 2022-09-09 2024-05-10 荣耀终端有限公司 File analysis method and related device

Also Published As

Publication number Publication date
CN108229107B (en) 2021-06-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 430000 No.C20 Building of Wuhan Software New Town Industry Phase III, No.8 Huacheng Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province

Applicant after: WUHAN ANTIY INFORMATION TECHNOLOGY Co.,Ltd.

Address before: Room 01, 12 / F, building B4, phase 4-1, software industry, No.1, Software Park East Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province, 430000

Applicant before: WUHAN ANTIY INFORMATION TECHNOLOGY Co.,Ltd.
GR01 Patent grant