CN112214267A - Android shelling acceleration method and device, storage medium and computer equipment - Google Patents

Info

Publication number: CN112214267A
Authority: CN (China)
Prior art keywords: calling, shelling, android, file, function
Legal status: Pending
Application number: CN202011087560.7A
Other languages: Chinese (zh)
Inventors: 鲁辉, 金成杰, 田志宏, 何陆潇涵, 孙彦斌, 苏申
Current assignee: Guangzhou University
Original assignee: Guangzhou University
Application filed by Guangzhou University; priority to CN202011087560.7A; published as CN112214267A; legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
        • G06F9/448 Execution paradigms, e.g. implementations of programming paradigms
        • G06F9/4488 Object-oriented
        • G06F9/449 Object-oriented method invocation or resolution
        • G06F9/445 Program loading or initiating
        • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Abstract

The embodiment of the invention provides an android shelling (unpacking) acceleration method, an android shelling acceleration device, a storage medium and computer equipment. The method comprises the steps of selecting a function arrival path and a shelling point; precisely calling methods based on a filtering mechanism; completing virtual calls of JAVA layer functions at the JNI layer with that calling method; and repairing the Dex file. In this way a universal shelling point is found in a complex and changeable source code environment, all classes in the Dex file are loaded by constructing virtual parameters and calling, the time cost of calling every class during shelling is addressed by adding a class white list file that filters out classes which need not be loaded, and reverse security analysis is accelerated. Modifications are kept as cheap as possible, preferably reusing methods or classes that already exist in android system development and avoiding the installation of new modules and units, so that android shelling becomes simpler and faster.

Description

Android shelling acceleration method and device, storage medium and computer equipment
[ technical field ]
The invention relates to the field of reverse analysis of reinforced (hardened) android applications, in particular to an android shelling acceleration method, an android shelling acceleration device, a storage medium and computer equipment.
[ background of the invention ]
The first generation of Android reinforcement technology was used to protect the logic of an application from being reversed and analyzed, and was most commonly used in malware; it is mainly based on the dynamic loading technology provided by the Java virtual machine. Compared with the first generation, the second generation reinforcement technology is mature in modifying the Android application package file (Android Package, Apk for short) and can achieve zero interference with development: no special treatment of the application is needed during development, and protection is applied only before the final release. To realize this zero-interference process, the protector needs to handle the life cycle of the Android components. Since second generation reinforcement techniques only encrypt at the file level, the loaded code is contiguous in memory and can easily be accessed by attackers. The third generation reinforcement technology improves on this and lowers the protection granularity to the function level. Third generation techniques emphasize protection at the function level, executing code with an interpreter inside the virtual machine, but have the drawback that this execution can be recorded. The fourth generation reinforcement technology uses a custom interpreter to avoid the defects of the third generation; the custom interpreter cannot directly call other functions in the Android system and must call them through the Java Native Interface (JNI). In summary, Android reinforcement technology has gone through four generations, with the protection level improving in each generation, but the inherent security defects and compatibility problems have never been solved.
Shelling (unpacking) technology for reinforced Android applications has attracted great attention in the industry. Research on shelling technology is the first line of defense for Android mobile terminal security: it protects everyday application programs and at the same time prevents malicious programs from using reinforcement technology to escape detection and harm the network ecology. Many researchers at home and abroad have therefore made lasting contributions to the development of reinforcement technology.
A number of technical researchers have demonstrated the results of manually shelling applications at conferences. For example, Strazzere and Sawyer et al. reported their tool Android-unpacker, which cracked the protectors of four companies including APKProtect, Bangcle, 360 Mobile and LIAPP.
Researchers later became aware of the root of the problem and turned their attention to the field of shelling. ZjDroid, released by Baidu, relies on Xposed and through it hooks BaseDexClassLoader at runtime to locate the dex file and obtain DexOrJar.
Renovo, by Kang et al., assumes that the original code must be present in memory and decrypted for execution at some point during runtime. Renovo monitors program execution and memory writes at runtime; if the code being executed is newly generated, it extracts the hidden code of the executable file, thus completing the shelling. Justin, proposed by Fanglu Guo et al., employs heuristics such as dirty page execution, memory de-shelling, stack pointer checks and command line parameter access to improve detection of the end of unpacking.
AppSpear gathers the runtime Dalvik Data Structures (DDS) in memory to reassemble a normal Dex file. Generally, an application can only complete the conversion through certain fixed system services, so AppSpear collects the Dalvik data structures by monitoring certain JNI interfaces and uses them to determine when to begin collecting. Secondly, no matter how elaborately the reinforcement vendor encrypts the original data, Dalvik rarely modifies the semantics of the original bytecode, so after the Dex loading process is finished the exact bytecode of the original App can be observed from the DDS. Finally, the anti-analysis code is removed, the Dex file, the manifest file and other resource files are integrated, and the file is repacked for unpacking analysis.
Fupk3 is a semi-automatic Android unpacker. It first traverses the dvmUserDexFiles structure in gDvm to obtain all cookies; it then traverses the trigger functions of the Dex file in memory, instruments the resolver to intercept the decrypted code_item, and returns directly without executing the function once the code_item has been obtained. Next, the data intercepted from memory is recombined to generate a Dex file. Finally, the dumped dex file is repaired with a modified smali/baksmali. Fupk3 is developed on the Android system build KTU84P and can dump Java layer functions that have not been virtualized.
[ summary of the invention ]
In view of this, embodiments of the present invention provide an android shelling acceleration method, an apparatus, a storage medium, and a computer device. They find a relatively universal shelling point in a complex and changeable source code environment, load all classes in a Dex file by constructing virtual parameters and calling, address the time cost of calling all classes during shelling by adding a class white list file that filters out classes which need not be loaded, and thereby accelerate reverse security analysis. Modifications are kept as cheap as possible, preferably reusing methods or classes that already exist in android system development and avoiding the installation of more new modules and units, so that android shelling is simpler and faster.
In one aspect, an embodiment of the present invention provides an android shelling acceleration method, including:
selecting a function arrival path and selecting a shelling point;
precisely calling the calling method based on a filtering mechanism;
completing virtual calling of JAVA layer functions in a JNI layer by using a calling method;
and repairing the Dex file.
Optionally, the selecting a function arrival path and selecting a shelling point specifically includes:
selecting the Quick code mode or the Interpreter mode and finally entering the ExecuteSwitchImpl function.
Optionally, the precisely calling the calling method based on the filtering mechanism specifically includes:
acquiring a class loader to which a process is finally attached;
setting a path of a white list file with a filtering mechanism;
and periodically refreshing the content of the white list file.
Optionally, the completing, at the JNI layer, the virtual call of the JAVA layer function specifically includes:
setting an active calling chain identifier;
invoking the Invoke method of ArtMethod initiates the call.
Optionally, the repairing the Dex file specifically includes:
acquiring a binary file dumped at the ArtMethod;
and recombining Dex according to the binary file.
On the other hand, an embodiment of the present invention provides an android shelling acceleration device, including:
the selection module is used for selecting a function arrival path and selecting a shelling point;
the first calling module is used for calling the calling method accurately based on a filtering mechanism;
the second calling module is used for completing virtual calling of JAVA layer functions in a JNI layer by using a calling method;
and the repair module is used for repairing the Dex file.
Optionally, the selection module is specifically configured to:
selecting the Quick code mode or the Interpreter mode and finally entering the ExecuteSwitchImpl function.
Optionally, the first calling module specifically includes:
the second acquisition module is used for acquiring the class loader to which the process is finally attached;
the setting module is used for setting a path of the white list file with the filtering mechanism;
and the refreshing module is used for periodically refreshing the content of the class white list file.
In another aspect, an embodiment of the present invention provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device on which the storage medium is located is controlled to execute the foregoing android shelling acceleration method.
In another aspect, an embodiment of the present invention provides a computer device, including a memory and a processor, where the memory is used to store information including program instructions, and the processor is used to control the execution of the program instructions, which are loaded by the processor and executed to implement the steps of the above-mentioned android shelling acceleration method.
In the technical scheme of the android shelling acceleration method, device, storage medium and computer equipment provided by the embodiment of the invention, a function arrival path and a shelling point are selected, the calling method is precisely called based on a filtering mechanism, virtual calling of JAVA layer functions is completed in the JNI layer by using the calling method, and the Dex file is repaired. This finds a more universal shelling point under a complex and changeable source code environment and loads all classes in the Dex file by constructing virtual parameters and calling; the time consumed by calling all class methods during shelling is reduced by adding a class white list file that filters out classes which need not be loaded, so that reverse security analysis is accelerated; and by modifying at the lowest possible cost, preferably using methods or classes that already exist in android system development, the installation of more new modules and units is avoided, making android unshelling more convenient and quicker.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
Fig. 1 is an overall flowchart of an android shelling acceleration method according to an embodiment of the present invention;
fig. 2 is an overall flowchart of an android shelling acceleration method according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of an android shelling device according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a computer device according to an embodiment of the present invention;
FIG. 5 is a flow chart of the five-tuple content construction for dumping into a binary file according to an embodiment of the present invention;
fig. 6 is a configuration diagram of a filtering mechanism white list according to an embodiment of the present invention.
[ detailed description ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one type of associative relationship that describes an associated object, meaning that three types of relationships may exist, e.g., A and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Fig. 1 is an overall flowchart of an android shelling acceleration method according to an embodiment of the present invention, as shown in fig. 1, the method includes:
Step 101, selecting a function arrival path and selecting a shelling point.
Step 102, precisely calling the calling method based on a filtering mechanism.
Step 103, completing virtual calling of the JAVA layer function in the JNI layer by using the calling method.
Step 104, repairing the Dex file.
In the android shelling acceleration method provided by this embodiment, a function arrival path and a shelling point are selected, the calling method is precisely called based on a filtering mechanism, virtual calling of JAVA layer functions is completed in the JNI layer by using the calling method, and the Dex file is repaired. This finds a more universal shelling point under a complex and changeable source code environment and loads all classes in the Dex file by constructing virtual parameters and calling; the time consumed by calling all class methods during shelling is reduced by adding a class white list file that filters out classes which need not be loaded, so that reverse security analysis is accelerated; and modifications are made at the lowest possible cost, preferably using methods or classes that already exist in android system development, so that the installation of more new modules and units is avoided and android unshelling becomes simpler, more convenient and quicker.
Fig. 2 is a flowchart of an android shelling acceleration method according to another embodiment of the present invention, as shown in fig. 2, the method includes:
Step 201, selecting a Quick code mode or an Interpreter mode and finally entering the ExecuteSwitchImpl function.
In the embodiment of the invention, under ART in Android version 8.1.0 there are two ways for Android to execute Java: the Quick code mode and the Interpreter mode. The two modes are chosen by the interpreter-entrypoint parameter (use_interpreter_entrypoint) of the PerformCall function; if its value is true, the Interpreter mode is entered. Entering interpreter mode from the Quick code mode requires passing through the art_quick_to_interpreter_bridge function. The execution method chosen at compile time only influences the running speed of the application and does not affect whether an interpreter is finally used when the program is executed. Both paths eventually enter the Execute function, but we finally choose the ExecuteSwitchImpl function, which is entered slightly later than Execute, so that shelling can theoretically take place deeper along the execution path than at Execute.
In the embodiment of the invention, starting from Android 7.0 Google gradually abandoned the goto jump table as the default interpreter implementation, until no trace of it remained in version 8.0 and the assembly interpreter became the default. Java methods are closely related to the Native layer, and the important object is the ArtMethod. For a function with an ArtMethod object, the source code provides an API (Application Programming Interface), GetDexFile, through which the DexFile object it belongs to can be obtained. The DexFile object provides a Begin() method and a Size() method for obtaining the start address and the file size of the corresponding Dex file in memory, respectively. If a Java method needs to be executed, it must be interpreted by an interpreter, and the only way in this process is to enter the Execute function in the source code of the interpreter.
If the reinforcement vendor does not disable dex2oat when loading the shell with DexClassLoader, then only the initialization function will run in interpreted mode. If dex2oat is disabled, then the initialization function and the other functions all run in interpreted mode. Since the class initialization function always runs in interpreted mode regardless of whether the reinforcement vendor disabled dex2oat, it inevitably enters the ART interpreter. It follows that the initialization function of the class also enters the Execute function.
The selection of the shelling point also has good and bad choices: a good shelling point lets every App with a shell enter the shelling process, while a bad one only meets the requirements of some reinforcement vendors. A flow such as dex2oat also has a dexfile object and could serve as a shelling point, but if it were taken as the generic shelling point, the shells of vendors that disable the dex2oat flow could not be removed. And since Execute is an inline function, it is difficult to modify the logic of Execute by hooking.
In the embodiment of the present invention, as an alternative, the DexClassLoader is a common class loader, and details are not described here.
In the embodiment of the present invention, as an alternative, dex2oat is a commonly used optimization, and details are not described here.
Step 202, precisely calling the calling method based on a filtering mechanism.
Step 202 specifically includes:
step 2021, obtain the class loader to which the process is finally attached.
As shown in fig. 6, in the embodiment of the present invention, the virtual call has the advantage of covering all functions in the Dex, thereby completing a more thorough repair at function granularity. The calling component can call all functions and fundamentally solves the defect of low code coverage; it is a calling method that simulates various scenes. Of course, this is also a double-edged sword, sacrificing time in exchange for an increase in code coverage. It is unnecessary to actively load all classes; we can selectively load only the function bodies we want. From the primary shelling feedback the user receives at the two shelling points (Execute and the dexfile object), the class names of all classes in the Dex are obtained and stored as a class list txt file; among the many methods extracted by function-extraction shells, the user chooses which are to be actively loaded and decrypted by creating a white list file in which the user enters the class names to load. Through the content of this text file, precise calling in the shelling system is realized, and this step can dynamically complete the calls to the class methods in the Dex.
In the embodiment of the invention, the ClassLoader to which the shelled App is finally attached, namely the ClassLoader after the life cycle has been fixed up, is obtained through Java reflection, because the classes in the App's Dex are loaded through this class loader.
First, the static function currentActivityThread of the ActivityThread class is called through reflection to obtain the current ActivityThread object; then the mBoundApplication member variable of the ActivityThread object is acquired; then the info member variable of the mBoundApplication object is obtained, where info is of type LoadedApk; then the mApplication member variable of the info object, whose type is Application, is acquired; and finally the ClassLoader attached to the current process is obtained by calling the Application getClassLoader method.
Step 2022, set up the path of the class white list file with filtering mechanism.
In the embodiment of the invention, the white list file was initially placed under the /sdcard directory. However, this has a problem: if other apps exist in the system and the user has granted them permission to read and write the sdcard, then every installed App that the modified source code makes enter the shelling process can read the white list file and execute the class loading process. If the path is fixed in this way, the system will attempt to unshell even when the classes listed in the class white list file are not present in the other apps, which is very inefficient. The solution is to use the App's private directory to construct the storage path, namely to obtain the private directory with the getFilesDir method of the Application object. Storing the class white list file that each App wants to load under its own private directory achieves 'inter-process separated access'.
Step 2023, periodically refreshing the content of the category white list file.
In the embodiment of the invention, the content of the class white list file is re-read at a fixed interval of 60, which leaves ample time to update the content of the configuration file as required and makes the method and device convenient for persistent use.
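As an added illustration of steps 2021 to 2023 (not the patent's own code), the reflection chain that reaches the attached ClassLoader, the private-directory white list path and the periodic refresh can be written in Java as follows; the file name class_whitelist.txt, the log tag, and seconds as the unit of the 60 interval are assumptions, and the field names assume Android 8.1 internals. The native-layer virtual calls of step 203 are not shown here.

```java
import android.app.Application;
import android.util.Log;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.LinkedHashSet;
import java.util.Set;

/** Steps 2021-2023 in Java; added illustration, not the patent's code. Assumes Android 8.1 internals. */
public final class WhitelistClassLoaderDriver {
    private static final String TAG = "unpack";                          // assumed log tag
    private static final String WHITELIST_NAME = "class_whitelist.txt";  // assumed file name
    private static final long REFRESH_INTERVAL_MS = 60_000L;             // interval of 60, assumed seconds

    private final ClassLoader appClassLoader;
    private final File whitelistFile;
    private final Set<String> alreadyLoaded = new LinkedHashSet<>();

    private WhitelistClassLoaderDriver(Application application) {
        this.appClassLoader = application.getClassLoader();
        // Step 2022: the list lives in the app's private directory, not /sdcard, so no other
        // app can supply it and only classes of this process are ever requested.
        this.whitelistFile = new File(application.getFilesDir(), WHITELIST_NAME);
    }

    /** Step 2021: ActivityThread.currentActivityThread() -> mBoundApplication -> info -> mApplication. */
    public static WhitelistClassLoaderDriver attach() throws ReflectiveOperationException {
        Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
        Method current = activityThreadClass.getDeclaredMethod("currentActivityThread");
        current.setAccessible(true);
        Object activityThread = current.invoke(null);
        Object boundApplication = readField(activityThread, "mBoundApplication"); // AppBindData
        Object loadedApk = readField(boundApplication, "info");                   // LoadedApk
        Application app = (Application) readField(loadedApk, "mApplication");
        return new WhitelistClassLoaderDriver(app);
    }

    private static Object readField(Object target, String name) throws ReflectiveOperationException {
        Field field = target.getClass().getDeclaredField(name);
        field.setAccessible(true);
        return field.get(target);
    }

    /** Step 2023: re-read the white list on a fixed interval so it can be edited while running. */
    public void runRefreshLoop() throws InterruptedException {
        while (!Thread.currentThread().isInterrupted()) {
            Set<String> loaded = loadWhitelistedClasses();
            Log.i(TAG, "pass loaded " + loaded.size() + " new class(es)");
            Thread.sleep(REFRESH_INTERVAL_MS);
        }
    }

    /** Loads (and initializes) each listed class not loaded before; returns the ones loaded in this pass. */
    public Set<String> loadWhitelistedClasses() {
        Set<String> loadedNow = new LinkedHashSet<>();
        for (String name : readWhitelist()) {
            if (alreadyLoaded.contains(name)) {
                continue;
            }
            try {
                // initialize=true so that <clinit> runs and, as step 201 explains, enters the interpreter
                Class.forName(name, true, appClassLoader);
                alreadyLoaded.add(name);
                loadedNow.add(name);
            } catch (Throwable t) {
                // A listed class that this app does not contain is skipped rather than fatal.
                Log.w(TAG, "skipping " + name + ": " + t);
            }
        }
        return loadedNow;
    }

    /** One class name per line; blank lines and '#' comments are ignored; a missing file loads nothing. */
    private Set<String> readWhitelist() {
        Set<String> names = new LinkedHashSet<>();
        if (!whitelistFile.isFile()) {
            return names;
        }
        try (BufferedReader reader = new BufferedReader(new FileReader(whitelistFile))) {
            String line;
            while ((line = reader.readLine()) != null) {
                line = line.trim();
                if (!line.isEmpty() && !line.startsWith("#")) {
                    names.add(line);
                }
            }
        } catch (IOException e) {
            Log.w(TAG, "white list unreadable: " + e);
        }
        return names;
    }
}
```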
Step 203, completing the virtual calling of the JAVA layer function in the JNI layer by using the calling method.
Step 203 specifically includes:
step 2031, set up the active call chain id.
In the embodiment of the invention, only the active call chain identifier needs to be set; the other parameters can be forged according to their variable types, for example the thread parameter can be Null and a string parameter can be abc, which provides the necessary identification conditions for later judging whether to enter the function of the call chain; checking the call chain identifier must be the first step before construction. Finally the Invoke method of ArtMethod is invoked to start a "virtual" call.
Step 2032, invoking the Invoke method of ArtMethod to start the call.
In the embodiment of the invention, ART runs in Ahead-Of-Time (AOT) mode: each Java method is compiled by Dex2OAT into native code when the Apk is installed, rather than into bytecode executed by a virtual machine, but the Dex bytecode still exists inside the OAT file, so ART supports a QuickCompiledCode mode, an interpreter mode and a JIT execution mode. Invoke may enter either the OAT-optimized or the Interpreter execution method: if the current mode is Interpreter mode, art::interpreter::EnterInterpreterFromInvoke is called; if it is the OAT mode, art_quick_invoke_stub (stub for short) is called. The EnterInterpreterFromInvoke function determines whether execution is Native or interpreted.
From the LinkCode part of the Android source code it can be seen that whether a class method is executed by the interpreter or directly as native machine instructions, its entry point is obtained by the member function GetEntryPointFromQuickCompiledCode of the ArtMethod class, and the entry point is not NULL. However, Invoke does not jump to that address directly; it calls indirectly through the stub, because ART requires some special registers to be set. When the function is determined to have entered the call chain from the entry point, the Dex file is traced back through the ArtMethod object's API, namely the GetDexFile function, and dumped at the beginning of the Invoke function.
In the embodiment of the present invention, as an alternative, Dex2oat is a pre-compilation operation on a Dex file in ART, and as a result, a locally executable ELF file is generated and can be directly executed by a local processor.
Step 204, repairing the Dex file.
Step 204 comprises:
step 2041, obtain the binary file dumped at ArtMethod.
As shown in fig. 5, in the embodiment of the present invention, since the ArtMethod object corresponding to the Java method at the Native layer has been obtained by this step, we can use its API, the GetDexFile method, to acquire the dexfile object; from it the position and size of the Dex file in memory are obtained, and the Dex file can be dumped. At the same time we add another function to the process: the CodeItem bytecode portion of the ArtMethod object is dumped. Because the format in which a Java method is stored in the Dex is exactly the CodeItem form, dumping only the Dex file would leave the nulled function bodies and their offsets unresolved; the key to defeating function-extraction reinforcement is to find the decryption moment deep in the function call through the deceptive call chain. Finally, based on the Dex file dumped in the previous step, the Try..catch structure is handled: whether the class method has a Try..catch block is judged, and the cases with and without a Try..catch block are processed separately. The dump format is a binary bin format.
In the embodiment of the present invention, as an alternative, the Handler is the field at the end of the Try..catch structure.
Step 2042, recombining the Dex according to the binary file.
In the embodiment of the present invention, the final product is the Dex file with the function bodies backfilled; therefore, after the binary file is obtained in step 2041, a decryption and reassembly process is carried out with a script according to the format of the Dex file dumped together with the binary file. The binary file is parsed and the content of each five-tuple is read into an array; the corresponding position in the new Dex is found through the offset and code_item_len in the five-tuple; the ins content is Base64-decoded and backfilled; the rest of the original Dex is copied into the new Dex; and these steps are repeated for each five-tuple.
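The following host-side Java class is an added illustration of step 2042 (not the patent's script): it parses the dumped five-tuples, backfills each Base64-decoded body at its code_item offset, and then recomputes the Dex header signature and checksum so the result loads cleanly. The binary record layout and the five fields (class, method, offset, code_item_len, Base64 insns) are assumptions, since the page does not specify the bin format.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.zip.Adler32;

/** Step 2042 on the host; added illustration, not the patent's script. The dump layout is assumed. */
public final class DexBackfiller {
    static final int CODE_ITEM_HEADER_LEN = 16; // 4 x u16 sizes, debug_info_off u32, insns_size u32

    /** One dumped five-tuple as this example assumes it: names, code_item offset/len, decoded insns. */
    static final class Entry {
        final String cls, method;
        final int codeItemOffset, codeItemLen;
        final byte[] insns;
        Entry(String cls, String method, int codeItemOffset, int codeItemLen, byte[] insns) {
            this.cls = cls; this.method = method;
            this.codeItemOffset = codeItemOffset; this.codeItemLen = codeItemLen; this.insns = insns;
        }
    }

    /** Assumed record layout: u32 offset | u32 len | u16 clsLen | cls | u16 mthLen | mth | u32 b64Len | b64. */
    static List<Entry> parseDump(byte[] dump) {
        ByteBuffer in = ByteBuffer.wrap(dump).order(ByteOrder.LITTLE_ENDIAN);
        List<Entry> entries = new ArrayList<>();
        while (in.hasRemaining()) {
            int offset = in.getInt();
            int len = in.getInt();
            String cls = readString(in, in.getShort() & 0xFFFF);
            String mth = readString(in, in.getShort() & 0xFFFF);
            byte[] b64 = new byte[in.getInt()];
            in.get(b64);
            entries.add(new Entry(cls, mth, offset, len, Base64.getDecoder().decode(b64)));
        }
        return entries;
    }

    private static String readString(ByteBuffer in, int len) {
        byte[] raw = new byte[len];
        in.get(raw);
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** Backfills every method body into a copy of the dumped Dex and returns it with a valid header. */
    static byte[] backfill(byte[] dumpedDex, List<Entry> entries) throws NoSuchAlgorithmException {
        byte[] dex = dumpedDex.clone();
        ByteBuffer buf = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);
        for (Entry e : entries) {
            int insnsStart = e.codeItemOffset + CODE_ITEM_HEADER_LEN;
            if (e.insns.length % 2 != 0 || insnsStart + e.insns.length > e.codeItemOffset + e.codeItemLen) {
                throw new IllegalStateException(e.cls + "." + e.method + ": insns do not fit the code_item");
            }
            // insns_size counts 16-bit code units; restore it in case the shell zeroed it with the body.
            // Anything after the insns (the tries/handlers of step 2041) is left exactly as dumped.
            buf.putInt(e.codeItemOffset + 12, e.insns.length / 2);
            System.arraycopy(e.insns, 0, dex, insnsStart, e.insns.length);
        }
        return fixHeader(dex);
    }

    /** file_size at 32; signature = SHA-1 of bytes 32..end at 12; checksum = Adler-32 of bytes 12..end at 8. */
    static byte[] fixHeader(byte[] dex) throws NoSuchAlgorithmException {
        ByteBuffer buf = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);
        buf.putInt(32, dex.length);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(dex, 32, dex.length - 32);
        System.arraycopy(sha1.digest(), 0, dex, 12, 20);
        Adler32 adler = new Adler32();
        adler.update(dex, 12, dex.length - 12);
        buf.putInt(8, (int) adler.getValue());
        return dex;
    }

    /** Check to run before loading the result: the header must agree with the file contents. */
    static boolean headerIsConsistent(byte[] dex) throws NoSuchAlgorithmException {
        ByteBuffer buf = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(dex, 32, dex.length - 32);
        byte[] expected = sha1.digest();
        for (int i = 0; i < 20; i++) {
            if (dex[12 + i] != expected[i]) return false;
        }
        Adler32 adler = new Adler32();
        adler.update(dex, 12, dex.length - 12);
        return buf.getInt(8) == (int) adler.getValue() && buf.getInt(32) == dex.length;
    }
}
```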
In the android shelling acceleration method provided by the embodiment of the invention, a function arrival path and a shelling point are selected, the calling method is precisely called based on a filtering mechanism, virtual calling of JAVA layer functions is completed in the JNI layer by using the calling method, and the Dex file is repaired. This finds a more universal shelling point under a complex and changeable source code environment and loads all classes in the Dex file by constructing virtual parameters and calling; the time consumed by calling all class methods during shelling is reduced by adding a class white list file that filters out classes which need not be loaded, so that reverse security analysis is accelerated; and modifications are made at the lowest possible cost, preferably using methods or classes that already exist in android system development, so that the installation of more new modules and units is avoided and android unshelling becomes simpler, more convenient and quicker.
An embodiment of the present invention provides an android shelling accelerating apparatus, where the apparatus is applied to a computer device. Fig. 3 is a schematic structural diagram of the android shelling accelerating apparatus provided in an embodiment of the present invention, and as shown in fig. 3, the apparatus includes: a selection module 11, a first calling module 12, a second calling module 13 and a repair module 14.
The selection module 11 is configured to select a function arrival path and select a shelling point; the first calling module 12 is configured to precisely call the calling method based on a filtering mechanism; the second calling module 13 is configured to complete the virtual calling of a JAVA layer function in the JNI layer by using the calling method; and the repair module 14 is configured to repair the Dex file.
In the embodiment of the present invention, the selection module 11 is specifically configured to: select the Quick code mode or the Interpreter mode, and finally enter the ExecuteSwitchImpl function.
In the embodiment of the present invention, the first calling module 12 specifically includes: a second acquisition module, configured to acquire the class loader to which the process is finally attached; a setting module, configured to set the path of the class white list file of the filtering mechanism; and a refreshing module, configured to periodically refresh the content of the class white list file.
The android shelling accelerating apparatus provided in this embodiment may be used to implement the android shelling accelerating method in fig. 1 or fig. 2, and for specific description, reference may be made to an embodiment of the android shelling accelerating method described above, and a description thereof is not repeated here.
In the technical scheme provided by the embodiment of the invention, a function arrival path is selected, a shelling point is selected, the calling method is precisely called based on a filtering mechanism, the calling method is used to complete the virtual calling of JAVA layer functions at the JNI layer, and the Dex file is repaired. A universal shelling point is thus found in a complex and changeable source code environment, all classes in the Dex file are loaded by constructing virtual parameters and calling, and the time consumed by calling all class methods during shelling is reduced by adding a class white list file that filters out unnecessary classes, so that the efficiency of reverse security analysis is improved. Modification is carried out at as low a cost as possible, methods or classes that already exist in android system development are preferably used, and the installation of additional new modules and units is avoided, so that android shelling is more convenient and quicker.
Fig. 4 is a schematic diagram of a computer device according to an embodiment of the present invention. As shown in fig. 4, the computer device 20 of this embodiment includes: a processor 21, a memory 22, and a computer program 23 stored in the memory 22 and capable of running on the processor 21. When executed by the processor 21, the computer program 23 implements the android shelling acceleration method; to avoid repetition, the details are not repeated herein. Alternatively, the computer program is executed by the processor 21 to implement the functions of the modules/units of the android shelling acceleration apparatus in the embodiment, which are likewise not repeated herein.
The computer device 20 includes, but is not limited to, the processor 21 and the memory 22. Those skilled in the art will appreciate that fig. 4 is merely an example of the computer device 20 and is not intended to limit it: the computer device 20 may include more or fewer components than those shown, some of the components may be combined, or different components may be used; for example, the computer device may also include input/output devices, network access devices, buses, etc.
The processor 21 may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 22 may be an internal storage unit of the computer device 20, such as a hard disk or memory of the computer device 20. The memory 22 may also be an external storage device of the computer device 20, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash memory card (Flash Card), and the like, provided on the computer device 20. Further, the memory 22 may include both an internal storage unit of the computer device 20 and an external storage device. The memory 22 is used for storing the computer program and other programs and data required by the computer device. The memory 22 may also be used to temporarily store data that has been output or is to be output.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. An android shelling acceleration method is characterized by comprising the following steps:
selecting a function arrival path and selecting a shelling point;
precisely calling the calling method based on a filtering mechanism;
completing virtual calling of JAVA layer functions in a JNI layer by using the calling method;
and repairing the Dex file.
2. The method of claim 1, wherein selecting a function arrival path and selecting a shelling point specifically comprises:
selecting the Quick code mode or the Interpreter mode, and finally entering the ExecuteSwitchImpl function.
3. The method of claim 1, wherein the precisely calling the calling method based on the filtering mechanism specifically comprises:
acquiring a class loader to which a process is finally attached;
setting a path of a white list file with a filtering mechanism;
and periodically refreshing the content of the white list file.
4. The method according to claim 1, wherein completing the virtual call of the JAVA layer function at the JNI layer specifically comprises:
setting an active calling chain identifier;
and invoking the Invoke method of ArtMethod to initiate the call.
5. The method according to claim 1, wherein repairing the Dex file specifically comprises:
acquiring a binary file dumped at the ArtMethod;
and recombining Dex according to the binary file.
6. An android shelling accelerating device, comprising:
the selection module is used for selecting a function arrival path and selecting a shelling point;
the first calling module is used for precisely calling the calling method based on a filtering mechanism;
the second calling module is used for completing virtual calling of JAVA layer functions in a JNI layer by using the calling method;
and the repair module is used for repairing the Dex file.
7. The apparatus of claim 6, wherein the selection module is specifically configured to:
selecting the Quick code mode or the Interpreter mode, and finally entering the ExecuteSwitchImpl function.
8. The apparatus of claim 6, wherein the first calling module specifically comprises:
the second acquisition module is used for acquiring the class loader to which the process is finally attached;
the setting module is used for setting a path of the white list file with the filtering mechanism;
and the refreshing module is used for periodically refreshing the content of the class white list file.
9. A storage medium comprising a stored program, wherein the program, when executed, controls a device on which the storage medium is located to execute the android shelling acceleration method of any one of claims 1 to 5.
10. A computer device comprising a memory for storing information including program instructions and a processor for controlling the execution of the program instructions, wherein the program instructions are loaded into and executed by the processor to implement the steps of the android shelling acceleration method of any one of claims 1 to 5.
CN202011087560.7A 2020-10-12 2020-10-12 Android shelling acceleration method and device, storage medium and computer equipment Pending CN112214267A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011087560.7A CN112214267A (en) 2020-10-12 2020-10-12 Android shelling acceleration method and device, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011087560.7A CN112214267A (en) 2020-10-12 2020-10-12 Android shelling acceleration method and device, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN112214267A true CN112214267A (en) 2021-01-12

Family

ID=74053654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011087560.7A Pending CN112214267A (en) 2020-10-12 2020-10-12 Android shelling acceleration method and device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN112214267A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108229107A (en) * 2016-12-21 2018-06-29 武汉安天信息技术有限责任公司 A kind of hulling method and container of Android platform application program
CN108154011A (en) * 2018-01-12 2018-06-12 广州汇智通信技术有限公司 Hulling method, system, equipment and readable storage medium storing program for executing based on art patterns

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
HANBINGLE: "[Original] FART: An automated unpacking scheme based on active calling in the ART environment", Pediy Forum (看雪论坛): https://bbs.pediy.com/thread-252630.htm *
一颗金柚子: "[Original] Combining FART and Youpk for a comprehensive improvement against function-extraction packers", Pediy Forum (看雪论坛): https://bbs.pediy.com/thread-260052.htm *
乐德广 et al.: "Research on an Android application obfuscation technique resistant to reverse engineering", Journal of Chinese Computer Systems (小型微型计算机系统) *
李维勇: "Android Application Development: A Project-Based Tutorial", 30 April 2017, Beijing: Beihang University Press (北京航空航天大学出版社) *
袁晓筱 et al.: "Research on DEX file protection methods for Android applications", Netinfo Security (信息网络安全) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378123A (en) * 2021-06-10 2021-09-10 福建省天奕网络科技有限公司 Method and system for realizing android terminal extracting shell
CN115640269A (en) * 2022-12-23 2023-01-24 北京麟卓信息科技有限公司 Android application installation acceleration method based on-demand copying
CN115640269B (en) * 2022-12-23 2023-03-10 北京麟卓信息科技有限公司 Android application installation acceleration method based on-demand copying
CN116467221A (en) * 2023-06-16 2023-07-21 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment
CN116467221B (en) * 2023-06-16 2024-04-02 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment

Similar Documents

Publication Publication Date Title
Backes et al. Artist: The android runtime instrumentation and security toolkit
KR102255767B1 (en) Systems and methods for virtual machine auditing
CN108229148B (en) Sandbox unshelling method and sandbox unshelling system based on Android virtual machine
CA2761563C (en) Annotating virtual application processes
CN112214267A (en) Android shelling acceleration method and device, storage medium and computer equipment
CN105574411B (en) A kind of dynamic hulling method, device and equipment
Schütte et al. Condroid: Targeted dynamic analysis of android applications
CN105760787B (en) System and method for the malicious code in detection of random access memory
JP2012230724A (en) Software system with controlled access to objects
CN109255235B (en) Mobile application third-party library isolation method based on user state sandbox
CN113256296B (en) Intelligent contract execution method, system, device and storage medium
CN108763924B (en) Method for controlling access authority of untrusted third party library in android application program
US11222122B2 (en) Method and system for runtime instrumentation of software methods
CN111625225A (en) Program specified data output method and device
WO2022017242A1 (en) Method and apparatus for running second system application in first system, device, and medium
Lancia et al. Java card virtual machine compromising from a bytecode verified applet
JP5423063B2 (en) Information processing apparatus, method, and program
CN112214266A (en) Android shelling method and device for deception call chain, storage medium and computer equipment
CN113168320A (en) Selective replacement of legacy loader modules with classes for execution in a JAVA virtual machine
CN108446186A (en) Method for recovering Dex source file from shell-added Android application program
CN114936368A (en) Java memory Trojan detection method, terminal device and storage medium
EP2819055B1 (en) System and method for detecting malicious software using malware trigger scenarios
Luo et al. Context-aware system service call-oriented symbolic execution of android framework with application to exploit generation
Casolare et al. 2 Faces: a new model of malware based on dynamic compiling and reflection
RU2815242C1 (en) Method and system for intercepting .net calls by means of patches in intermediate language

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination