Challenges in Android Debugging - Black Hat [PDF]

Click to edit Master title style • Click to edit Master text styles — Second level

DABiD • Third level

— Fourth level » Fifth level

The Powerful Interactive Android Debugger for Android Malware Analysis

Click to edit Reversing Android Masterapplication title style • Static Analysis Click to edit Master text styles — — Analyze Secondintent level of application by decoding DEX(Dalvik Executable) into readable bytecode • Third level

•

• ex) Apktool, JEB — Fourth level Dynamic Analysis » Fifth level

— Monitor behavior of android application at runtime • ex) DroidBox, Mobile Sandbox, Anubis etc.

— Conduct step by step debugging with disassembled Dalvik executable code • ex) SmaliDebugging, IDAPro

Click toExecutable Dalvik edit Master Debugging title style ••

Smali ClickDebugging to edit Master

text styles

— Use apktool and NetBeans(Java IDE) in combination

— Second • Apktool :level disassemble DEX and repackage app in debug mode ••

Java IDElevel : support step by step debugging Third

— Fourth level » Fifth level

Click toExecutable Dalvik edit Master Debugging title style ••

IDA Proto Debugging Click edit Master

text styles

— Supports dalvik debugging from version 6.6 — levelDebugging but use own DEX disassembler — Second Similar to Smali

• Third level

— Fourth level » Fifth level

Click toExecutable Dalvik edit Master Debugging title style • Smali Debugging VS. IDA Pro Debugging • Click to edit Master text styles — SecondPreprocessing level

Dalvik Executable Disassemble

• Third levelDebugging Application Modification

Smali Debugging

— Fourth level » Fifth level Jdwp socket host & port modified as debuggable

IDA Pro

Settings

Package & lauchable activity name

Should be done manually!

Debugging

Disassembler

Register Type

Debugging Starting Point

Smali

Correct Type

First BP hit after debugger attached

IDA Pro

All registers casted as “Object” (java.lang.Object)

Bad Type Fault!

What if…The dex I am debugging is not the one running??

Methods at launchable activity Can’t debug from the start..

Dex Used In Debugging

Extracted from apk

Click to editinMaster Challenges Android title Analysis style : Modification of DEX bytes at runtime BlueBox verified tempering davik bytecode during •• Click toSecurity edit Master text styles runtime is possible

— level — Second Load library and execute function which write bytes into memory where executable •dalvik Third level is loaded • •

Find codeItemlevel of “add()” method from DEX loaded in memory — Fourth Write bytes into codeItem of “add()” method

» Fifth level

“Ljava/lang/String;”

“add”

ClassIdItem

MethodIdItem

Find codeItem of “add()” CodeItem

Write “inject” bytes into codeItem

Click to editinMaster Challenges Android title Analysis style : Dynamic DEX Loading encrypted • • GoogleAppsToy Click to edit malware Masterload text styles DEX at runtime —Analysts can obtain classes.dex from APK and conduct static or dynamic

— Second analysis onlevel classes.dex

• Third level from APK has no malicious actions —But, classes.dex • Only dynamic loading routine exist in classes.dex — decrypt Fourthand level • No ?way»to debug Fifth malicious level code…. classes.dex ?

classes.dex classes.dex Loading Stub Loading Stub

classes.dex Loading Stub Loading Stub

Encrypted dex dex Encrypted (Asset) (Asset) File System File System

Dynamically Dynamically loaded dex loaded dex Malcode Malcode Process Process

Click to editinMaster Challenges Android title Debugging style • DEX(Dalvik Executable) can be different in memory Click to edit Master text styles — Second level • Third level Classes.dex — Fourth level in APK» Fifth level

≈

Classes.dex in Dalvk-cache (optimized)

≠

Dex in Memory

Analysis Target

Analysis with current analyzers might be useless..

Click to edit Master title style • Click to edit Master text styles — Second level

DABiD : • Third level

— Fourth level » Fifth level

Dynamic Android Binary Debugger

Click to edit Master title style Goal • To develop android debugger which is able to debug Click to edit Master text styles “the same DEX” — Second level running on memory • Third level

• To make android debugging more effective and — Fourth level convenient » for Fifthanalysts level

ClickApproach Our to edit Master (1/2) title style • To develop android debugger which is able to debug Click to edit Master text styles “the same DEX” — Second level running on memory — Monitor dynamic changes in memory and reflect them to • Third level debugger — Fourth level • Self modification » Fifth level of DEX bytes in memory • Dynamic DEX loading

• To make android debugging more effective and convenient for analysts

ClickApproach Our to edit Master (2/2) title style • To develop android debugger which is able to debug Click to edit Master text styles “the same DEX” — Second level running on memory • To make android • Third level debugging more effective and convenient forlevel analysts — Fourth Fifth leveldebugging features — Provide»advanced • Code update by analyst • Register value acquisition — Automate bothersome settings for android debugging

Click to- edit DABiD Overview Master title style DABiD Master text styles • Click to edit DEX disassembler — Second level

J D I

JDWP

Debug Event • Third level Handler

A D B D

D

App Process classes.dex libraries.so

— Fourth level » Fifth level

•

Resembles java debugger structure — DEX disassembler : disassemble DEX from both apk file and memory — Debug Event Handler : create and handle debugging event from JDWP

•

But, JDWP has limitations…

Click to- edit DABiD Overview Master title style DABiD Master text styles • Click to edit DEX disassembler — Second level

J D I

DABiD Service

• Third Module level Manager Eventlevel —Debug Fourth Handler » Fifth level

JDWP

A D B D

D

App Process classes.dex

DABiD Service Module

libraries.so libdabid.so

•

Make our service module reside in application process — —

Notify supervision results of dynamic changes in memory Give a control over the application

Monitoring Dynamic Changes Click to edit Master title style : Self modification of DEX bytes ••

DABiD detects memory write function call Click Service to editmodule Master textthat styles is made and alarm debugger when event happens

— Second level • Third level

— Fourth level » Fifth level

• Analysts is now able to analyze hidden bytes

Monitoring Dynamic Changes Click to edit Master title style : Dynamic DEX loading ••

DABiD findtext and dump new DEX bytes in memory Click Service to editmodule Master styles

— Second level • Third level — Fourth level » Fifth level

•

With DABiD, Analysts no longer need to — Find the location of hidden or newly downloaded DEXs — Conduct static analysis for new DEXs by pulling them to local

Advanced Debugging Feature Click to edit Master title style : Code update by Analyst

• Analysts bytecodes on the fly Click to can editmodify Master text styles — input bytes from DABiD — Analysts Second can level

— DABiD • Thirdservice level module writes input bytes to proper location in memory — Fourth level — Debuggee runslevel with modified bytes » Fifth

• Analysts are able to — Force to execute code — Skip code part should not be executed to continue analysis

Force to execute code before the time of event

Advanced Debugging Feature Click to edit Master title style : Register value acquisition •

provides register values only with debug symbols • JDI Click to edit Master text styles — But, Not all registers have debug symbols

— Second level Java

int a = 3; Log.d(“Info”, “a :” +a);

• Third level •

Bytecode .local name :’v0’ type: int const/4 v0, 3 const-string v1, “info” new-instance v2, Ljava/lang/StringBuilder; const-string v3 “a : “ Invoke-direct {v2, v3} StringBuilder.init() Invoke-virtual {v2, v0} StringBuilder.append() …

DebugSymbol ‘v0’ – int

— Fourth level Modify JDI to»getFifth values level of registers — — —

Get register value using slot number Eliminate evaluation check whether the register is visible variable or not Cast value with type information by emulating bytecodes in DEX disassembler Java int a = 3; Log.d(“Info”, “a :” +a);

Bytecode .local name :’v0’ type: int const/4 v0, 3 const-string v1, “info” new-instance v2, Ljava/lang/StringBuilder; const-string v3 “a : “ Invoke-direct {v2, v3} StringBuilder.init() Invoke-virtual {v2, v0} StringBuilder.append() …

DebugSymbol ‘v0’ ‘v1’ ‘v2’ ‘v3’

– int – Ljava/lang/String; – Ljava/lang/StringBuilder; – Ljava/lang/String;

Analyzed type info

Automation of Master debuggingtitle setting Click to edit style • DABiD automates followings to aid debugging Click to edit Master text styles — — — — —

Transform application into debuggable Second level Install and start application • Third level Set — jdwp socket Fourth levelconnection Set breakpoints at the starting point of application » Fifth level

Click to edit Master title style • Click to edit Master text styles — Second level

DEMO

• Third level — Fourth level » Fifth level

Click towork Future edit Master title style forMaster Android text Runtime (ART) •• Debugging Click to edit styles — Second Supportlevel ART features — — •Resolve Code Protections on ART Third level — Fourth level coverage » Fifth level

• Code — Support native code debug included in APK • Anti-Debugging — Counter anti-debugging techniques