Hooking on Android

2014.07.05정광운

exsociety@gmail.com

www.CodeEngn.com2014 CodeEngn Conference 10

Who am I

• 정광운 EXSO (Not EXO)• 27 years old (Single)• CNU & Hackershool & Secu87• Contact Me

– http://facebook.com/exsociety– exsociety@gmail.com– http://bananapayload.org

2

What is Hooking?

3

Android System OverviewApplications

Application Framework

Libraries

Linux Kernel

Home ....... Music Browser Office Viewer

Keypad Driver

Display Driver

WiFi Driver

Camera Driver Flash MemoryDriver

Audio Driver Power Driver

Binder Driver

NotificationManager

PackageManager

TelephonyManager

ResourceManager

LocationManager

WindowManager

ViewSystem

ActivityManager

ContentProviders

OpenGL|ES

Surface Manager

Free Type

SQLite

SSL

webkit_libmedia_lib

libc

viewer_lib

SGL

JNI

NDK

SDK

앱 레벨(JAVA)

시스템 레벨(C/C++)

Hooking on ARM

Hooking on Android

4

G al

• ARM 기반의 안드로이드 환경• 시스템의 수정 X (단, 루팅 필요)• 애플리케이션의 수정 X• 애플리케이션의 라이브러리 내 함수에 대한 후킹 수행

5

Design of Hooker

Shared Library(.so)

Function A

Function B

Android Application

Constructor

Target Library

Injected Library

branch

Function A

Ins 2Ins 3Ins 4

Ins 1Ins 2Ins 3

Ins 1Branch

Hook_Function A

Orig_Function A

6

Shared Library Injection

• Call dlopen() using ptrace() on application

7

Shared Library Injection

1) Find dlopen() addressCan not found libdl.so on maps

/system/bin/linker 소스코드 中

dlopen()

/system/bin/linker

dlsysm()

libdl.sooffset

dlopen() Address= base address of linker + offset

8

2) write library path- use stack

- PTRACE_POKEDATAptrace(PTRACE_POKEDATA, pid, dst address, 4byte_data)

9

ARM Instruction mode

32-bit

32-bit

32-bit

32-bit

32-bit

16-bit

16-bit

16-bit

16-bit

16-bit

ARM

Instruction

Instruction

Instruction

Instruction

Instruction

Thumb

31 0

Function Address

CPSR Register

T = 0 : ARM ModeT = 1 Thumb Mode

10

3) Call dlopen() ß Thumb

Debugger Application

Backup Register Values

Set Breakpoint at Next Instruction

Change Register Values• pc = dlopen() addr

• r0 = stack addr• r1 = 0• lr = next instruction’s

addr (pc)

Restore Registers Values, Remove Breakpoint

Debugger Application

Backup Register Values

Overwrite Code at Next Instruction

Change Register Values• pc = pc+4

• r0 = stack addr• r1 = 0• lr = next instruction’s

addr (pc)

Restore Registers Values,Restore Code ,

Remove Breakpoint

• break• ldr pc, [pc, #0]• 0x0• dlopen() address

Thumb 모드 ARM 모드

11

4) resultUseage : injector [pid] [Library Full Path]

12

끝

Function Hooking

1) Find function information- Reference Header file- Use Hex-ray

13

https://github.com/EiNSTeiN-/hexrays-python

2) Install Hooker

14

Target Library

Injected Library

LDR PC, [PC]

Function A

NOPHook_FunctionA Addr

Ins 4

Ins 1Ins 2

Ins 1Ins 2Ins 3

Branch

Hook_Function A

Orig_Function A

Target Library

Injected Library

Function A

Push {r5}add r5, pc, #4

ldr r5, {r5}bx r5

Hook_FunctionA AddrIns 7

pop {r5} Ins 1Ins 2

Ins 1

Ins 6Branch

Hook_Function A

Orig_Function A

ARM->ARM Thumb->ARM

Why…?

• Internal memory reference

15

Function A Orig_Function A

Original Code

JMP Target Function+N

JMP Target Function+N

Injected LibraryTarget Library

Access Violation

Reference Reference

Data OffsetCode Offet

• External memory reference

16

Function A

Target Function Original Function

Original Code

JMP Target Function+N

JMP Target Function+N

Injected LibraryTarget Library

Branch BranchAccess Violation

Solution

• 귀찮으니 그냥 복사하자…

17

Target Library

Injected Library

LDR PC, [PC]

Function A

NOPHook_FunctionA Addr

Ins 4

Ins 1Ins 2

Hook_Function A

Copied Target Library

Function A

Ins 1Ins 2Ins 3Ins 4

Function Pointer

Issue 1. Global Hook

18

• 애플리케이션 생성 과정

System Server zygote zygote’ Application

① 앱 실행 요청 ③ 앱 적재② fork() 호출

ActivityManagerActivityManager

PackageManagerPackageManager

WindowManagerWindowManager

…

Dalvik VM

libc

Dalvik VM

libc

Preloadedclass

Preloadedclass

Preloadedresource

Preloadedresource

Dalvik VM

libc

Preloadedclass

Preloadedclass

Preloadedresource

Preloadedresource

Dalvik VM

libc

Preloadedclass

Preloadedclass

Preloadedresource

Preloadedresource

AndroidApplication

Issue 2. 대상 라이브러리가로드되기 전..

• 라이브러리 로드 함수를 후킹– dlopen() = 10byte // 최소 12바이트 필요– dvmLoadNativeCode(char const*, Object*, char**)

• dvmLoadNativeCode 종료 시점에 추가적인 Hooker 설치

19

How to use

• download : http://bananapayload.org

20

[library path] [Name / Offset] [Function Type]/system/lib/libc.so malloc void *malloc(size_t size)/system/lib/test.so 0x400 void sub400(int, int)

./ genLibrarySource [define File] [output path]

Define Format

Source Code

Edit Source & Edit makefile & make library

Useage : injector [pid] [Library Full Path] Hook Success

21

22

www.CodeEngn.com2014 CodeEngn Conference 10