This commit is contained in:
parent
c998dc27ac
commit
f127c5533e
5 changed files with 95 additions and 28 deletions
|
|
@ -270,7 +270,7 @@ We took special care to process the least possible files in the #APKs, and only
|
|||
Unfortunately, we did not have time to compare the robustness of our solution to existing tools like Apktool and Soot, but we did a quick performance comparison, summarised in @sec:th-lib-perf.
|
||||
In hindsight, we probably should have taken the time to find a way to use smali/backsmali (the backend of Apktool) as a library or use SootUp to do the instrumentation, but neither option has documentation to instrument applications this way.
|
||||
At the time of writing, the feature is still being developed, but in the future, Androguard might also become an option to modify #DEX files.
|
||||
Nevertheless, we published our instrumentation library, Androscalpel, for anyone who wants to use it (see @sec:soft). #todo[Update is CS says no]
|
||||
Nevertheless, we published our instrumentation library, Androscalpel, for anyone who wants to use it (see @sec:soft).
|
||||
|
||||
#midskip
|
||||
|
||||
|
|
|
|||
|
|
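Review bot: the `#todo[Update is CS says no]` marker is dropped without any change to the sentence it annotated, so the hunk only records that the note was resolved, not how; if the decision was to keep the Androscalpel publication sentence as-is, a short commit message line saying so would make the removal self-explaining. Two small things in the surrounding context lines: "smali/backsmali" should read "smali/baksmali" (the disassembler's actual name), and "process the least possible files" reads more naturally as "process as few files as possible".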
@ -307,14 +307,19 @@ Although self-explanatory, verifying the code of those methods indeed confirms t
|
|||
caption: [Code of `Main.main()`, as shown by Jadx, after patching],
|
||||
)<lst:th-demo-after>
|
||||
|
||||
#todo[alt text for @fig:th-cg-before and @fig:th-cg-after]
|
||||
#figure([
|
||||
#figure(
|
||||
render(
|
||||
read("figs/demo_main_main.dot"),
|
||||
width: 100%,
|
||||
alt: (
|
||||
"",
|
||||
"A tree diagram. At the top, a node is labelled `Main->main()V`. ",
|
||||
"Arrows goe from this node, down to four other nodes: ",
|
||||
"`Main->decrypt(String)String`, `Method->invoke(Object [Object)Object`, ",
|
||||
"`ClassLoader->loadClass(String)Class` and `Class->getMethod(String [Class)Method`. ",
|
||||
"Arrows go down from `Main->decrypt(String)String` to 5 other nodes: ",
|
||||
"Base64->decode(String I)[B`, `Cipher->init(I Key)V`, `Cipher->doFinal([B)[B`, ",
|
||||
"`Cipher->getInstance(String)Cipher` and `String-><init>([)V`."
|
||||
).join(),
|
||||
),
|
||||
caption: [Call Graph of `Main.main()` generated by Androguard before patching],
|
||||
|
|
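Review bot: the added alt text for `fig:th-cg-before` has a missing opening backtick before `Base64->decode(String I)[B` (the closing one is present, so the rendered text will pair backticks incorrectly), a typo in "Arrows goe from this node" ("go"), and the descriptor `String-><init>([)V` looks truncated compared with the `[B` array types used elsewhere in the same list. Also, since this hunk both adds `#todo[alt text for @fig:th-cg-before and @fig:th-cg-after]` and the alt text itself, consider either removing the todo or rewording it to say what is still pending (e.g. proofreading the descriptions) so the marker does not read as if the alt text were still absent.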
@ -325,7 +330,13 @@ Although self-explanatory, verifying the code of those methods indeed confirms t
|
|||
read("figs/patched_main_main.dot"),
|
||||
width: 100%,
|
||||
alt: (
|
||||
"",
|
||||
"The same tree diagram as in the previous figure, but this time, they ",
|
||||
"are 4 additionnal nodes under `Main->main()V`: ",
|
||||
"`T->check_is_Malicious_send_data(Method)Z` and `T->check_is_Malicious_get_data(Method)Z`, ",
|
||||
"both with a grey background, and `Malicious->send_data(String Activity)String` and ",
|
||||
"`Malicious->get_data(String Activity)String`, both with a red background. ",
|
||||
"An arrow goes from `Malicious->get_data` to a `Utils->sink(Activity String)V` ",
|
||||
"node, and an arrow goes from `Malicious->get_data` to a `Utils->source(String)String` node."
|
||||
).join(),
|
||||
),
|
||||
caption: [Call Graph of `Main.main()` generated by Androguard after patching],
|
||||
|
|
|
|||
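Review bot: in the alt text for `fig:th-cg-after`, both arrows are described as starting from `Malicious->get_data`, one to `Utils->sink(Activity String)V` and one to `Utils->source(String)String`; given that the hunk also lists a `Malicious->send_data(String Activity)String` node, the arrow to the sink presumably originates from `Malicious->send_data`, so please verify against `figs/patched_main_main.dot` before merging. The phrase "but this time, they are 4 additionnal nodes" should read "but this time there are 4 additional nodes".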