This commit is contained in:
Jean-Marie Mineau
parent
d1dba30426
commit
471a176683
GPG key ID:
B66AEEDA9B645AD2
16 changed files with 181 additions and 149 deletions
|
|
@ -1,4 +1,5 @@
|
|||
#import "../lib.typ": todo, APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API, jfl-note
|
||||
#import "../lib.typ": APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API, paragraph
|
||||
#import "../lib.typ": jfl-note, todo
|
||||
|
||||
=== Reverse Engineering Tools <sec:bg-tools>
|
||||
|
||||
|
|
@ -13,8 +14,7 @@ This time, the application is executed and the analyst will scrutinise the behav
|
|||
Frida is a good option to help this dynamic analysis,
|
||||
It is a toolkit that can be use to intercept method call and execute custom while an application is running.
|
||||
|
||||
==== Android Studio <sec:bg-android-studio>
|
||||
|
||||
#paragraph[*Android Studio*][
|
||||
The whole Android developement ecosystem is packaged by Google in the #IDE Android Studio#footnote[https://developer.android.com/studio].
|
||||
In practice, Android Studio is a source-code editor that wrap arround the different tools of the android #SDK.
|
||||
The #SDK tools and packages can be installed manually with the `sdkmanager` tool.
|
||||
|
|
@ -40,15 +40,15 @@ Among the notable tools in the #SDK, they are:
|
|||
Behind the scene, it converts #XML to binary #AXML and ensure that each files have the right compression and alignment. (#eg some ressource files are mapped in memory by the #ART, and thus need to be aligned and not compressed).
|
||||
- `apksigner`: the tool used to sign an #APK file.
|
||||
When repackaging an application, for example with Apktool, the new application need to be signed.
|
||||
]
|
||||
|
||||
==== Apktool <sec:bg-apktool>
|
||||
|
||||
#paragraph[*Apktool*][
|
||||
Apktool#footnote[https://apktool.org/] is a _reengineering tool_ for Android #APK files.
|
||||
It can be used to disassemble an application: it will extract the files from the #APK file, convert the binary #AXML to text #XML, and use smali/backsmali#footnote[https://github.com/JesusFreke/smali] to convert the #DEX files to smali, an assembler-like langage that match the Dalvik bytecode instructions.
|
||||
The main strenght of Apktool is that after having disassemble an application, the content of the application can be edited and reassemble into a new #APK. #jfl-note[limites? ca marche toujours?]
|
||||
]
|
||||
|
||||
==== Androguard <sec:bg-androguard>
|
||||
|
||||
#paragraph[*Androguard*][
|
||||
Androguard#footnote[https://github.com/androguard/androguard]~@desnos:adnroguard:2011 is a python library for parsing and disassembling #APK files.
|
||||
It can be used to automatically read Android manifests, ressources, and bytecode.
|
||||
Contrary to Apktool wich generate text files, it can be used as a library to programatically to analyse the application.
|
||||
|
|
@ -56,16 +56,16 @@ However, contrary to Apktool, it cannot repackage a modified application.
|
|||
|
||||
In addition, it can perform additionnal analysis, like computing a call graph or control flow graph of the application.
|
||||
We will explain what are those graphs later in @sec:bg-static.
|
||||
]
|
||||
|
||||
==== Jadx <sec:bg-jadx>
|
||||
|
||||
#paragraph[*Jadx*][
|
||||
Jadx#footnote[https://github.com/skylot/jadx] is an application decompiler.
|
||||
It convert #DEX files to Java source code.
|
||||
It is not always capable of decompiling all classes of an application, so it cannot be used to recompile a new application, but the code generated can be very helpful to reverse an application.
|
||||
In addition to decompilling #DEX files, Jadx can also decode Android manifests and application ressources.
|
||||
]
|
||||
|
||||
==== Soot <sec:bg-soot>
|
||||
|
||||
#paragraph[*Soot*][
|
||||
Soot#footnote[https://github.com/soot-oss/soot]~@Arzt2013 was originaly a Java optimization framework.
|
||||
It could leaft java bytecode to other intermediate representations that can could be optimized, then converted back to bytecode.
|
||||
Because Dalvik bytecode and Java bytecode are equivalent, support for Android was added to Soot, and Soot features are now leveraged to analyse and modify Android applications.
|
||||
|
|
@ -73,9 +73,9 @@ One of the best known example of Soot usage for Android analysis is Flowdroid~@A
|
|||
|
||||
A new version of Soot, SootUp#footnote[https://github.com/soot-oss/SootUp], is currently beeing worked on.
|
||||
Compared to Soot, it has a modernize interface and architecture, but it is not yet feature complete and some tools like Flowdroid are still using Soot.
|
||||
]
|
||||
|
||||
==== Frida <sec:bg-frida>
|
||||
|
||||
#paragraph[*Frida*][
|
||||
Frida#footnote[https://frida.re/] is a dynamic intrumentation toolkit.
|
||||
It allows the reverse engineer to inject and run javascript code inside a running application.
|
||||
|
||||
|
|
@ -86,6 +86,7 @@ This make Frida a powerful tool capable of collecting runtime informations or mo
|
|||
|
||||
The main drawback of using Frida is that it is a known tools easily detected by applications.
|
||||
Malware might implement countermeasures that avoid running malicious payload in presence of Frida.
|
||||
]
|
||||
|
||||
#v(2em)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue