wip
This commit is contained in:
parent
cd6bf3fcbc
commit
3f5bf8226b
9 changed files with 2083 additions and 851 deletions
|
@ -1,3 +1,5 @@
|
|||
#import "@preview/diagraph:0.3.5": render
|
||||
|
||||
#import "../lib.typ": SDK, num, mypercent, ART, ie, APKs, API,
|
||||
#import "../lib.typ": todo, jfl-note
|
||||
#import "X_var.typ": *
|
||||
|
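Review bot: the wildcard import `#import "X_var.typ": *` pulls every name from that file into scope without saying which ones this chapter uses, unlike the two `../lib.typ` imports right above it that list their names explicitly; list the needed identifiers here too, so that a later addition to `X_var.typ` cannot silently shadow `render`, `SDK`, `num` or another of the imported names. Pinning `diagraph` to `0.3.5` is the right call.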
@ -170,10 +172,10 @@ public class Main {
|
|||
}
|
||||
```,
|
||||
caption: [Code of the main class of the application showed by Jadx, before patching],
|
||||
)<fig:th-demo-before>
|
||||
)<lst:th-demo-before>
|
||||
|
||||
A first analysis of the contant of the application shows that the application contains one `Activity` that instanciate the class `Main` and call `Main.main()`.
|
||||
@fig:th-demo-before shows the most of the code of `Main` as returned by Jadx.
|
||||
@lst:th-demo-before shows the most of the code of `Main` as returned by Jadx.
|
||||
We can see that the class contains another #DEX file encoded in base 64 and loaded in the `InMemoryDexClassLoader` `cl`.
|
||||
A class is then loaded from this class loader, and two methods from this class loader are called.
|
||||
The names of this class and methods are not directly accessible as they have been chipĥered and are decoded just before beeing used at runtime.
|
||||
|
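Review bot: the relabelling from `<fig:th-demo-before>` to `<lst:th-demo-before>` is applied consistently to both the label and the `@lst:th-demo-before` reference, but the surrounding prose carries several typos worth fixing in the same pass: `contant` → `content`, `instanciate` → `instantiates`, `call` → `calls`, `the most of the code` → `most of the code`, `chipĥered` → `ciphered`, `beeing` → `being`. Also, `two methods from this class loader are called` reads as if the methods belong to the `InMemoryDexClassLoader`; the previous sentence says a class is loaded from it, so `two methods of this class are called` would be clearer.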
@ -185,7 +187,7 @@ This is not particularly surprising considering the obfusctation methods used.
|
|||
|
||||
Then we run the dynamic analysis we described in @sec:th-dyn on the application and apply the transformation described in @sec:th-trans to add the dynamic informations to it.
|
||||
This time, Flowdroid compute a larger callgraph of 76 edges, and does find a data leak.
|
||||
Indeed, when looking at the new application with Jadx, we notice a new class `Malicious`, and the code of `Main.main()` is now as shown in @fig:th-demo-after:
|
||||
Indeed, when looking at the new application with Jadx, we notice a new class `Malicious`, and the code of `Main.main()` is now as shown in @lst:th-demo-after:
|
||||
the method called in the loop is either `Malicious.get_data`, `Malicious.send_data()` or `Method.invoke()`.
|
||||
Although self explanatory, verifying the code of those methods indeed confirm that `get_data()` calls `Utils.source()` and `send_data()` calls `Utils.sink()`.
|
||||
|
||||
|
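Review bot: in the context line listing the callees, `Malicious.get_data` is the only method written without `()` while `Malicious.send_data()` and `Method.invoke()` have them; make the three consistent (the same sentence later writes `get_data()`). Minor grammar in the unchanged lines: `informations` → `information`, `Flowdroid compute` → `FlowDroid computes`, `verifying ... indeed confirm` → `confirms`, and `self explanatory` → `self-explanatory`.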
@ -207,7 +209,30 @@ Although self explanatory, verifying the code of those methods indeed confirm th
|
|||
}
|
||||
```,
|
||||
caption: [Code of `Main.main()` showed by Jadx, after patching],
|
||||
)<fig:th-demo-after>
|
||||
)<lst:th-demo-after>
|
||||
|
||||
#figure(
|
||||
render(
|
||||
read("figs/demo_main_main.dot"),
|
||||
width: 100%,
|
||||
alt: (
|
||||
"",
|
||||
).join(),
|
||||
),
|
||||
caption: [Call Graph of `Main.main()` view by Androguard before patching],
|
||||
) <fig:th-cg-before>
|
||||
|
||||
#figure(
|
||||
render(
|
||||
read("figs/patched_main_main.dot"),
|
||||
width: 100%,
|
||||
alt: (
|
||||
"",
|
||||
).join(),
|
||||
),
|
||||
caption: [Call Graph of `Main.main()` view by Androguard after patching],
|
||||
) <fig:th-cg-after>
|
||||
|
||||
|
||||
|
||||
#todo[androgard call graph]
|
||||
|
|
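Review bot: both new `render` calls pass `alt: ("",).join()`, which evaluates to an empty string, so the two call-graph figures ship with no textual description; either give each a short description of what the graph shows (the callees of `Main.main()` before and after patching, which the text above already names) or drop the `alt` argument until that text exists, rather than leaving a placeholder that looks filled in. The captions `view by Androguard` should read `as viewed by Androguard`, and the `#todo[androgard call graph]` marker (with `androgard` misspelled) is still in place, which fits the `wip` message but should be resolved before merge.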