Click to edit Master title style
Click to edit Master title style
• Click to edit Master text styles
— Second level
DABiD
• Third level
— Fourth level
» Fifth level
The Powerful Interactive Android Debugger
for Android Malware Analysis
Click to edit
Reversing
Android
Masterapplication
title style
• Static
Analysis
Click to
edit Master text styles
—
— Analyze
Secondintent
level of application by decoding DEX(Dalvik
Executable) into readable bytecode
• Third level
•
• ex) Apktool, JEB
— Fourth level
Dynamic Analysis
» Fifth level
— Monitor behavior of android application at runtime
• ex) DroidBox, Mobile Sandbox, Anubis etc.
— Conduct step by step debugging with disassembled Dalvik
executable code
• ex) SmaliDebugging, IDAPro
Click toExecutable
Dalvik
edit Master
Debugging
title style
••
Smali
ClickDebugging
to edit Master
text styles
— Use apktool and NetBeans(Java IDE) in combination
— Second
• Apktool :level
disassemble DEX and repackage app in debug mode
••
Java
IDElevel
: support step by step debugging
Third
— Fourth level
» Fifth level
Click toExecutable
Dalvik
edit Master
Debugging
title style
••
IDA
Proto
Debugging
Click
edit Master
text styles
— Supports dalvik debugging from version 6.6
—
levelDebugging but use own DEX disassembler
— Second
Similar to Smali
• Third level
— Fourth level
» Fifth level
Click toExecutable
Dalvik
edit Master
Debugging
title style
• Smali Debugging VS. IDA Pro Debugging
• Click to edit Master text styles
— SecondPreprocessing
level
Dalvik Executable Disassemble
• Third
levelDebugging
Application
Modification
Smali
Debugging
— Fourth level
» Fifth
level
Jdwp
socket
host & port
modified as
debuggable
IDA Pro
Settings
Package &
lauchable
activity name
Should be done manually!
Debugging
Disassembler
Register Type
Debugging
Starting Point
Smali
Correct Type
First BP hit
after debugger
attached
IDA Pro
All registers
casted as
“Object”
(java.lang.Object)
Bad Type Fault!
What if…The dex I am debugging
is not the one running??
Methods at
launchable
activity
Can’t debug
from the start..
Dex Used In
Debugging
Extracted
from apk
Click to editinMaster
Challenges
Android
title
Analysis
style
: Modification of DEX bytes at runtime
BlueBox
verified tempering
davik bytecode during
•• Click
toSecurity
edit Master
text styles
runtime is possible
—
level
— Second
Load library
and execute function which write bytes into memory where
executable
•dalvik
Third
level is loaded
•
•
Find
codeItemlevel
of “add()” method from DEX loaded in memory
— Fourth
Write bytes into codeItem of “add()” method
» Fifth level
“Ljava/lang/String;”
“add”
ClassIdItem
MethodIdItem
Find codeItem of “add()”
CodeItem
Write “inject” bytes into codeItem
Click to editinMaster
Challenges
Android
title
Analysis
style
: Dynamic DEX Loading
encrypted
• • GoogleAppsToy
Click to edit malware
Masterload
text
styles DEX at runtime
—Analysts can obtain classes.dex from APK and conduct static or dynamic
— Second
analysis onlevel
classes.dex
• Third
level from APK has no malicious actions
—But,
classes.dex
• Only
dynamic loading routine exist in classes.dex
— decrypt
Fourthand
level
• No ?way»to debug
Fifth malicious
level code….
classes.dex
?
classes.dex
classes.dex
Loading Stub
Loading Stub
classes.dex
Loading Stub
Loading Stub
Encrypted
dex dex
Encrypted
(Asset)
(Asset)
File System
File System
Dynamically
Dynamically
loaded dex
loaded dex
Malcode
Malcode
Process
Process
Click to editinMaster
Challenges
Android
title
Debugging
style
• DEX(Dalvik
Executable)
can be
different in memory
Click to edit
Master text
styles
— Second level
• Third level
Classes.dex
— Fourth level
in
APK» Fifth level
≈
Classes.dex
in
Dalvk-cache
(optimized)
≠
Dex
in
Memory
Analysis Target
Analysis with current analyzers might be useless..
Click to edit Master title style
• Click to edit Master text styles
— Second level
DABiD :
• Third level
— Fourth level
» Fifth level
Dynamic Android
Binary Debugger
Click to edit Master title style
Goal
• To
develop
android
debugger
which is able to debug
Click
to edit
Master
text styles
“the
same DEX”
— Second
level running on memory
• Third level
• To make
android
debugging
more
effective
and
— Fourth level
convenient
» for
Fifthanalysts
level
ClickApproach
Our
to edit Master
(1/2) title style
• To
develop
android
debugger
which is able to debug
Click
to edit
Master
text styles
“the
same DEX”
— Second
level running on memory
— Monitor
dynamic changes in memory and reflect them to
• Third level
debugger
— Fourth level
• Self modification
» Fifth level of DEX bytes in memory
• Dynamic DEX loading
• To make android debugging more effective and
convenient for analysts
ClickApproach
Our
to edit Master
(2/2) title style
• To
develop
android
debugger
which is able to debug
Click
to edit
Master
text styles
“the
same DEX”
— Second
level running on memory
• To make
android
• Third
level debugging more effective and
convenient
forlevel
analysts
— Fourth
Fifth leveldebugging features
— Provide»advanced
• Code update by analyst
• Register value acquisition
— Automate bothersome settings for android debugging
Click to- edit
DABiD
Overview
Master title style
DABiD Master text styles
• Click to edit
DEX disassembler
— Second
level
J
D
I
JDWP
Debug Event
• Third
level
Handler
A
D
B
D
D
App Process
classes.dex
libraries.so
— Fourth level
» Fifth level
•
Resembles java debugger structure
— DEX disassembler : disassemble DEX from both apk file and memory
— Debug Event Handler : create and handle debugging event from JDWP
•
But, JDWP has limitations…
Click to- edit
DABiD
Overview
Master title style
DABiD Master text styles
• Click to edit
DEX disassembler
— Second
level
J
D
I
DABiD Service
• Third
Module level
Manager
Eventlevel
—Debug
Fourth
Handler
» Fifth level
JDWP
A
D
B
D
D
App Process
classes.dex
DABiD
Service Module
libraries.so
libdabid.so
•
Make our service module reside in application process
—
—
Notify supervision results of dynamic changes in memory
Give a control over the application
Monitoring
Dynamic
Changes
Click to edit
Master
title style
: Self modification of DEX bytes
••
DABiD
detects
memory write function call
Click Service
to editmodule
Master
textthat
styles
is made and alarm debugger when event happens
— Second level
• Third level
— Fourth level
» Fifth level
• Analysts is now able to analyze hidden bytes
Monitoring
Dynamic
Changes
Click to edit
Master
title style
: Dynamic DEX loading
••
DABiD
findtext
and dump
new DEX bytes in memory
Click Service
to editmodule
Master
styles
— Second level
• Third level
— Fourth level
» Fifth level
•
With DABiD, Analysts no longer need to
— Find the location of hidden or newly downloaded DEXs
— Conduct static analysis for new DEXs by pulling them to local
Advanced
Debugging
Feature
Click to edit
Master
title style
: Code update by Analyst
• Analysts
bytecodes
on the fly
Click to can
editmodify
Master
text styles
—
input bytes from DABiD
— Analysts
Second can
level
— DABiD
• Thirdservice
level module writes input bytes to proper location
in memory
— Fourth level
— Debuggee
runslevel
with modified bytes
» Fifth
• Analysts are able to
— Force to execute code
— Skip code part should not be
executed to continue analysis
Force to execute code
before the time of event
Advanced
Debugging
Feature
Click to edit
Master
title style
: Register value acquisition
•
provides register values only with debug symbols
• JDI
Click
to edit Master text styles
— But, Not all registers have debug symbols
— Second level
Java
int a = 3;
Log.d(“Info”, “a :” +a);
• Third level
•
Bytecode
.local name :’v0’ type: int
const/4
v0, 3
const-string
v1, “info”
new-instance
v2, Ljava/lang/StringBuilder;
const-string
v3 “a : “
Invoke-direct
{v2, v3} StringBuilder.init()
Invoke-virtual
{v2, v0} StringBuilder.append()
…
DebugSymbol
‘v0’ – int
— Fourth level
Modify JDI to»getFifth
values
level
of registers
—
—
—
Get register value using slot number
Eliminate evaluation check whether the register is visible variable or not
Cast value with type information by emulating bytecodes in DEX disassembler
Java
int a = 3;
Log.d(“Info”, “a :” +a);
Bytecode
.local name :’v0’ type: int
const/4
v0, 3
const-string
v1, “info”
new-instance
v2, Ljava/lang/StringBuilder;
const-string
v3 “a : “
Invoke-direct
{v2, v3} StringBuilder.init()
Invoke-virtual
{v2, v0} StringBuilder.append()
…
DebugSymbol
‘v0’
‘v1’
‘v2’
‘v3’
– int
– Ljava/lang/String;
– Ljava/lang/StringBuilder;
– Ljava/lang/String;
Analyzed
type info
Automation
of Master
debuggingtitle
setting
Click to edit
style
• DABiD
automates
followings
to aid debugging
Click to
edit Master
text styles
—
—
—
—
—
Transform
application into debuggable
Second level
Install
and
start application
• Third
level
Set —
jdwp
socket
Fourth
levelconnection
Set breakpoints
at the starting point of application
» Fifth level
Click to edit Master title style
• Click to edit Master text styles
— Second level
DEMO
• Third level
— Fourth level
» Fifth level
Click towork
Future
edit Master title style
forMaster
Android text
Runtime
(ART)
•• Debugging
Click to edit
styles
— Second
Supportlevel
ART features
—
— •Resolve
Code Protections on ART
Third level
— Fourth level
coverage
» Fifth level
• Code
— Support native code debug included in APK
• Anti-Debugging
— Counter anti-debugging techniques
© Copyright 2024