338 lines
12 KiB
Python
338 lines
12 KiB
Python
import logging
|
|
|
|
FORMAT = "[%(levelname)s] %(name)s %(filename)s:%(lineno)d: %(message)s"
|
|
logging.basicConfig(format=FORMAT)
|
|
# logging.getLogger().setLevel(logging.DEBUG)
|
|
logging.getLogger().setLevel(logging.WARNING)
|
|
|
|
import json
|
|
import zipfile as z
|
|
import re
|
|
from pathlib import Path
|
|
|
|
from androscalpel import Apk, IdType, IdMethodType, ins, DexString, IdMethod, Code, utils, Field, IdField # type: ignore
|
|
|
|
RED = "\033[38:2:255:0:0m"
|
|
GREEN = "\033[38:2:0:255:0m"
|
|
ENDC = "\033[0m"
|
|
|
|
RE_CHECK_DEXFILE = re.compile(r"classes\d*.dex")
|
|
|
|
|
|
def is_dexfile(filename: str) -> bool:
|
|
return bool(RE_CHECK_DEXFILE.fullmatch(filename))
|
|
|
|
|
|
ORIGINAL_APK = Path(__file__).parent / "origin-release.apk"
|
|
DYN_LOAD_APK = Path(__file__).parent / "ut-dyn-load-release.apk"
|
|
DEX_NAME = "classes.dex"
|
|
|
|
clazz_id = IdType("Lcom/example/ut_dyn_load/Loader;")
|
|
proto_id = IdMethodType(IdType.void(), [IdType("Landroid/content/Context;")])
|
|
method_id = IdMethod("load", proto_id, clazz_id)
|
|
|
|
|
|
def load_apk(path_apk: Path) -> Apk:
|
|
print(f"[+] Load bytecode ")
|
|
apk = Apk()
|
|
with z.ZipFile(path_apk) as zipf:
|
|
for file in filter(is_dexfile, zipf.namelist()):
|
|
print(f"[-] {file}")
|
|
with zipf.open(file, "r") as dex_f:
|
|
dex = dex_f.read()
|
|
apk.add_dex_file(dex)
|
|
return apk
|
|
|
|
|
|
print(f"[+] Load bytecode ")
|
|
dyn_load_apk = load_apk(DYN_LOAD_APK)
|
|
|
|
clazz = dyn_load_apk.classes[clazz_id]
|
|
method = clazz.virtual_methods[method_id]
|
|
code = method.code
|
|
|
|
# logging.getLogger().setLevel(logging.WARNING)
|
|
|
|
|
|
def is_evasion_method(meth: IdMethod) -> bool:
|
|
return (
|
|
method.class_ == IdType.from_smali("Ldalvik/system/PathClassLoader;")
|
|
or (
|
|
method.class_ == IdType.from_smali("Ljava/lang/Class;")
|
|
and method.name == "newInstance"
|
|
)
|
|
or (
|
|
method.class_ == IdType.from_smali("Ljava/lang/Class;")
|
|
and method.name == "getMethod"
|
|
)
|
|
or method.class_ == IdType.from_smali("Ljava/lang/reflect/Method;")
|
|
)
|
|
|
|
|
|
print(f"[+] Code of {method_id} ")
|
|
for i, inst in enumerate(code.insns):
|
|
match inst:
|
|
case ins.InvokeVirtual(args=args, method=method) if is_evasion_method(method):
|
|
print(f"{i:>03} {RED}{inst}{ENDC}")
|
|
case ins.SGetObject(to=to, field=field):
|
|
print(f"{i:>03} {inst}")
|
|
print(
|
|
f" val: {GREEN}{dyn_load_apk.classes[field.class_].static_fields[field].value}{ENDC}"
|
|
)
|
|
case inst:
|
|
print(f"{i:>03} {inst}")
|
|
|
|
malicious_class_id = IdType("Lcom/example/ut_dyn_load/SmsReceiver;")
|
|
|
|
mal_cls_in_apk = malicious_class_id in dyn_load_apk.classes
|
|
if mal_cls_in_apk:
|
|
color = GREEN
|
|
else:
|
|
color = RED
|
|
|
|
print(f"[+] {malicious_class_id} in loaded apk: {color}{mal_cls_in_apk}{ENDC}")
|
|
|
|
print(f"[+] Load bytecode in assets/classes")
|
|
with z.ZipFile(DYN_LOAD_APK) as zipf:
|
|
with zipf.open("assets/classes", "r") as dex_f:
|
|
dex = dex_f.read()
|
|
# dyn_load_apk.add_dex_file(dex)
|
|
|
|
mal_cls_in_apk = malicious_class_id in dyn_load_apk.classes
|
|
if mal_cls_in_apk:
|
|
color = GREEN
|
|
else:
|
|
color = RED
|
|
print(f"[+] {malicious_class_id} in loaded apk: {color}{mal_cls_in_apk}{ENDC}")
|
|
|
|
print(
|
|
f"[+] -- very simplified steep, see https://developer.android.com/reference/java/lang/Class#getMethod(java.lang.String,%20java.lang.Class%3C?%3E[]) --"
|
|
)
|
|
name = "a"
|
|
args = [
|
|
IdType("Landroid/content/Context;"),
|
|
IdType("Landroid/content/BroadcastReceiver;"),
|
|
]
|
|
# malicious_class = dyn_load_apk.classes[malicious_class_id]
|
|
#
|
|
# potential_meth = []
|
|
# for m_id in malicious_class.direct_methods:
|
|
# if m_id.name == name and m_id.proto.get_parameters() == args:
|
|
# potential_meth.append((m_id, "direct"))
|
|
# for m_id in malicious_class.virtual_methods:
|
|
# if m_id.name == name and m_id.proto.get_parameters() == args:
|
|
# potential_meth.append((m_id, "virtual"))
|
|
#
|
|
# print("[+] Potential methods:")
|
|
# for m_id, t in potential_meth:
|
|
# print(f" {m_id}({t})")
|
|
#
|
|
# m_id, t = potential_meth[0]
|
|
#
|
|
# new_insns = (
|
|
# code.insns[:42]
|
|
# + [
|
|
# ins.NewInstance(1, IdType("Lcom/example/ut_dyn_load/SmsReceiver;")),
|
|
# ins.InvokeVirtual(m_id, [1, 8, 1]),
|
|
# ]
|
|
# + code.insns[62:]
|
|
# )
|
|
#
|
|
# print(f"[+] New code ")
|
|
# for i, inst in enumerate(new_insns):
|
|
# if i >= 42 and i < 44:
|
|
# print(f"{i:>03} {GREEN}{inst}{ENDC}")
|
|
# continue
|
|
# match inst:
|
|
# case ins.InvokeVirtual(args=args, method=method) if is_evasion_method(method):
|
|
# print(f"{i:>03} {RED}{inst}{ENDC}")
|
|
# case ins.SGetObject(to=to, field=field):
|
|
# print(f"{i:>03} {inst}")
|
|
# print(
|
|
# f" val: {GREEN}{dyn_load_apk.classes[field.class_].static_fields[field].value}{ENDC}"
|
|
# )
|
|
# case inst:
|
|
# print(f"{i:>03} {inst}")
|
|
#
|
|
# new_code = Code(code.registers_size, code.ins_size, code.outs_size, new_insns)
|
|
# dyn_load_apk.set_method_code(method_id, code)
|
|
|
|
NB_APK = 8665
|
|
|
|
list_cls = list(dyn_load_apk.classes.keys())
|
|
list_cls.sort()
|
|
print(f"[+] NB classes: {len(list_cls)}")
|
|
for cls in list_cls[NB_APK:]:
|
|
dyn_load_apk.remove_class(cls)
|
|
|
|
print("[+] Recompile")
|
|
dex_raw = dyn_load_apk.gen_raw_dex()
|
|
|
|
print("[+] Repackage")
|
|
# utils.replace_dex(
|
|
# DYN_LOAD_APK,
|
|
# DYN_LOAD_APK.parent
|
|
# / (DYN_LOAD_APK.name.removesuffix(".apk") + "-instrumented.apk"),
|
|
# dex_raw,
|
|
# Path(__file__).parent.parent / "my-release-key.jks",
|
|
# zipalign=Path.home() / "Android" / "Sdk" / "build-tools" / "34.0.0" / "zipalign",
|
|
# apksigner=Path.home() / "Android" / "Sdk" / "build-tools" / "34.0.0" / "apksigner",
|
|
# )
|
|
|
|
|
|
MAX_REQ = 8
|
|
|
|
|
|
def cmp(a, b, req=0):
|
|
if req > MAX_REQ:
|
|
return
|
|
if type(a) == dict:
|
|
cmp_dict(a, b, req)
|
|
elif type(a) == list:
|
|
cmp_list(a, b, req)
|
|
else:
|
|
cmp_other(a, b, req)
|
|
|
|
|
|
def nice_bool(b) -> str:
|
|
if b:
|
|
return "\033[32mTrue\033[0m"
|
|
else:
|
|
return "\033[31mFalse\033[0m"
|
|
|
|
|
|
def cmp_other(a, b, req=0):
|
|
ident = " " * req
|
|
for f in dir(a):
|
|
if getattr(getattr(a, f), "__call__", None) is None and (
|
|
len(f) < 2 or f[:2] != "__"
|
|
):
|
|
eq = getattr(a, f) == getattr(b, f)
|
|
print(f"{f'{ident}{f}: ':<150}{nice_bool(eq)}")
|
|
if not eq:
|
|
if "descriptor" in dir(a):
|
|
global last_id
|
|
last_id = a.descriptor
|
|
cmp(getattr(a, f), getattr(b, f), req + 1)
|
|
|
|
|
|
def cmp_dict(a, b, req=0):
|
|
ident = " " * req
|
|
keys_a = set(a.keys())
|
|
keys_b = set(b.keys())
|
|
if keys_a != keys_b:
|
|
print(f"{ident}a.keys() != b.keys()")
|
|
tot = 0
|
|
nb_failed = 0
|
|
for key in keys_a & keys_b:
|
|
eq = a[key] == b[key]
|
|
tot += 1
|
|
if not eq:
|
|
print(f"{f'{ident}{str(key)}: ':<150}{nice_bool(eq)}")
|
|
nb_failed += 1
|
|
global last_id
|
|
last_id = key
|
|
cmp(a[key], b[key], req + 1)
|
|
print(f"\033[32m{tot-nb_failed}\033[0m + \033[31m{nb_failed}\033[0m = {tot}")
|
|
|
|
|
|
def cmp_list(a, b, req=0):
|
|
ident = " " * req
|
|
la = len(a)
|
|
lb = len(b)
|
|
if la != lb:
|
|
print(f"{ident}len(a) != len(b)")
|
|
for i in range(min(la, lb)):
|
|
eq = a[i] == b[i]
|
|
print(f"{f'{ident}{str(i)}: ':<150}{nice_bool(eq)}")
|
|
if not eq:
|
|
print(f"{ident}: {str(a[i])} != {str(b[i])}")
|
|
cmp(a[i], b[i], req + 1)
|
|
|
|
|
|
instrumented_apk = Apk()
|
|
instrumented_apk.add_dex_file(dex_raw[0])
|
|
|
|
print("wtf?")
|
|
|
|
# cmp(instrumented_apk, dyn_load_apk)
|
|
|
|
MAX_REQ = 5
|
|
|
|
tys = [
|
|
IdType("Landroidx/compose/foundation/MutatePriority;"),
|
|
IdType(
|
|
"Landroidx/compose/ui/input/pointer/PointerInteropFilter$DispatchToViewState;"
|
|
),
|
|
IdType("Landroidx/compose/ui/autofill/AutofillType;"),
|
|
IdType("Landroidx/compose/material3/TextFieldType;"),
|
|
IdType("Landroidx/compose/material3/SnackbarResult;"),
|
|
IdType("Landroidx/compose/ui/layout/MeasuringIntrinsics$IntrinsicMinMax;"),
|
|
IdType("Landroidx/compose/foundation/text/Handle;"),
|
|
IdType("Landroidx/compose/foundation/text/selection/SelectionMode;"),
|
|
IdType("Landroidx/compose/material3/SliderComponents;"),
|
|
IdType("Landroidx/lifecycle/Lifecycle$Event;"),
|
|
IdType("Landroidx/compose/ui/focus/FocusStateImpl;"),
|
|
IdType("Landroidx/fragment/app/strictmode/FragmentStrictMode$Flag;"),
|
|
IdType("Landroidx/compose/ui/text/style/ResolvedTextDirection;"),
|
|
IdType("Landroidx/compose/foundation/text/KeyCommand;"),
|
|
IdType("Landroidx/compose/ui/text/AnnotationType;"),
|
|
IdType("Landroidx/compose/foundation/layout/SizeMode;"),
|
|
IdType("Landroidx/compose/ui/semantics/NodeLocationHolder$ComparisonStrategy;"),
|
|
IdType("Landroidx/compose/material3/DrawerValue;"),
|
|
IdType("Landroidx/compose/ui/input/pointer/PointerEventPass;"),
|
|
IdType("Landroidx/compose/foundation/layout/Direction;"),
|
|
IdType("Landroidx/compose/ui/node/LayoutNode$UsageByParent;"),
|
|
IdType("Landroidx/compose/material3/tokens/TypographyKeyTokens;"),
|
|
IdType("Landroidx/compose/animation/core/RepeatMode;"),
|
|
IdType("Landroidx/compose/ui/layout/IntrinsicMinMax;"),
|
|
IdType("Landroidx/compose/ui/text/input/TextInputServiceAndroid$TextInputCommand;"),
|
|
IdType("Landroidx/compose/ui/unit/LayoutDirection;"),
|
|
IdType("Landroidx/collection/SparseArrayCompat;"),
|
|
IdType("Landroidx/compose/material3/TabSlots;"),
|
|
IdType("Landroidx/compose/material3/tokens/ColorSchemeKeyTokens;"),
|
|
IdType("Landroidx/annotation/RestrictTo$Scope;"),
|
|
IdType("Landroidx/profileinstaller/FileSectionType;"),
|
|
IdType("Landroidx/lifecycle/Lifecycle$State;"),
|
|
IdType("Landroidx/compose/animation/EnterExitState;"),
|
|
IdType("Landroidx/compose/animation/core/MutatePriority;"),
|
|
IdType("Landroidx/compose/ui/layout/MeasuringIntrinsics$IntrinsicWidthHeight;"),
|
|
IdType("Landroidx/loader/content/ModernAsyncTask$Status;"),
|
|
IdType("Landroidx/annotation/InspectableProperty$ValueType;"),
|
|
IdType("Landroidx/compose/foundation/layout/LayoutOrientation;"),
|
|
IdType("Landroidx/compose/ui/node/NodeMeasuringIntrinsics$IntrinsicMinMax;"),
|
|
IdType("Landroidx/compose/material3/tokens/ShapeKeyTokens;"),
|
|
IdType("Landroidx/compose/ui/node/LayoutNode$LayoutState;"),
|
|
IdType("Landroidx/compose/runtime/InvalidationResult;"),
|
|
IdType("Landroidx/compose/ui/layout/IntrinsicWidthHeight;"),
|
|
IdType("Landroidx/compose/ui/node/NodeMeasuringIntrinsics$IntrinsicWidthHeight;"),
|
|
IdType("Landroidx/compose/runtime/Recomposer$State;"),
|
|
IdType("Landroidx/compose/foundation/gestures/Orientation;"),
|
|
IdType("Landroidx/compose/material3/ScaffoldLayoutContent;"),
|
|
IdType("Landroidx/compose/foundation/text/selection/HandleReferencePoint;"),
|
|
IdType("Landroidx/compose/material3/SnackbarDuration;"),
|
|
IdType("Landroidx/compose/ui/platform/TextToolbarStatus;"),
|
|
IdType("Landroidx/compose/material3/InputPhase;"),
|
|
IdType("Landroidx/compose/ui/window/SecureFlagPolicy;"),
|
|
IdType("Landroidx/collection/LongSparseArray;"),
|
|
IdType("Landroidx/compose/animation/core/AnimationEndReason;"),
|
|
IdType("Landroidx/compose/foundation/text/HandleState;"),
|
|
IdType("Landroidx/compose/ui/state/ToggleableState;"),
|
|
IdType("Landroidx/compose/ui/text/android/animation/SegmentType;"),
|
|
IdType("Landroidx/compose/ui/platform/actionmodecallback/MenuItemOption;"),
|
|
IdType("Landroidx/compose/foundation/layout/IntrinsicSize;"),
|
|
IdType("Landroidx/compose/ui/platform/actionmodecallback/MenuItemOption;"),
|
|
]
|
|
instrumented_apk_classes = instrumented_apk.classes
|
|
dyn_load_apk_classes = dyn_load_apk.classes
|
|
for ty in tys:
|
|
if instrumented_apk_classes[ty].annotations != dyn_load_apk_classes[ty].annotations:
|
|
print(f"-> {str(ty)}")
|
|
# invoke-virtual {0} Landroid/animation/Animator;->end()V != invoke-virtual {0} [Ljava/lang/Object;->clone()Ljava/lang/Object;
|
|
cmp(
|
|
instrumented_apk.classes[ty],
|
|
dyn_load_apk.classes[ty],
|
|
)
|
|
|
|
# direct: Landroidx/compose/foundation/layout/IntrinsicSize;->values()[Landroidx/compose/foundation/layout/IntrinsicSize;
|
|
# insns[3]: Landroidx/compose/foundation/layout/IntrinsicSize;->values()[Landroidx/compose/foundation/layout/IntrinsicSize;:
|