Secure Programming Lecture1 : Introduction

Size: px

Start display at page:

Download "Secure Programming Lecture1 : Introduction"

원미 종
5 years ago
Views:

1 Malware and Vulnerability Analysis Lecture3-2 Malware Analysis #3-2

2 Agenda 안드로이드악성코드분석

3 악성코드분석 안드로이드악성코드정적분석

4 APK 추출 #1 adb 명령 안드로이드에설치된패키지리스트추출 adb shell pm list packages v0nui-macbook-pro-2:lecture3 v0n$ adb shell pm usage: pm list packages [-f] [-d] [-e] [-s] [-3] [-i] [-u] [FILTER] You will get full package list on your device pm list permission-groups pm list permissions [-g] [-f] [-d] [-u] [GROUP] pm list instrumentation [-f] [TARGET-PACKAGE] pm list features pm list libraries pm path PACKAGE You will get a path of package pm install [-l] [-r] [-t] [-i INSTALLER_PACKAGE_NAME] [-s] [-f] [--algo <algorithm name> --key <key-in-hex> --iv <IV-in-hex>] PATH pm uninstall [-k] PACKAGE

5 APK 추출 #1 adb 명령 안드로이드에설치된패키지리스트추출 adb shell pm list packages adb shell pm list packages -f

6 APK 추출 #1 adb 명령 adb shell pm list packages -f

7 APK 추출 #1 adb 명령 adb pull

8 APK 추출 #2 File 관리앱

9 APK 추출 #2 File 관리앱

10 APK 추출 #2 File 관리앱 /sdcard/backup_apps/[filename].apk

11 APK 정적분석 Unzip APK APK 는 ZIP 으로압축한파일이므로내용확인을위해 Unzip AndroidManifest.xml Encoding 되어있으므로 Decoding 이필요 classes.dex DEX JAR(JD-GUI) libxxxxxx.so IDAPro

12 APK 정적분석 : AndroidManifest.xml

13 APK 정적분석 : AndroidManifest.xml

14 APK 정적분석 : AndroidManifest.xml

15 안드로이드앱을개발할때, java class/jar dex clases.dex 를분석할때 (from dex to jar), dex jar java

17 JAR 는 Class 파일 Archive Class 파일의 Decompile 을통해 Java 코드를구할수있음 Java Decompile jd-gui : jad :

18 jd-gui 를사용한 Decomplie

19 jd-gui 의문제점 : // ERROR //(Decompile 오류로인해 Java 코드볼수없음 )

20 Decompile 오류로코드를읽을수없는경우대처방안 jad smali(apktool) : dex smali code

21 jad 사용법 class java(jad) jad -o -r -sjava **/*.class jad -o -sjava [name].class

22 jad 사용법 class java(jad) jad -o -r -sjava **/*.class jad -o -sjava [name].class

23 jad 사용법 class java(jad)

24 apktool 사용법 apktool d[ecode] [OPTS] <file.apk> [<dir>] apktool b[uild] [OPTS] [<app_path>] [<out_file>]

25 apktool 사용법 apktool d 를사용하여 Decompile 할때, Resource Error 가발생할경우 apktool 을 update 하거나 r 옵션사용

26 apktool 은 Decompile 한결과코드를 smali 디렉토리에저장

27 smali 디렉토리는 classes 구조그대로디렉토리구조로저장

28 apktool : smali/baksmli assembler/disassembler dex smali baksmali smali code

29 smali code 분석

30 smali code 분석 #1.method public constructor <init>()v.locals 1.prologue.line 64 invoke-direct {p0}, Lcom/kt/android/showtouch/base/BaseActivity;-><init>()V.line 66 const-string v0, "MOCA_Wallet UserJoinActivity iput-object v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->TAG:Ljava/lang/String;.line 77 const/4 v0, 0x0 iput-boolean v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->isKeyboard:Z.line 121 new-instance v0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity$1; invoke-direct {v0, p0}, Lcom/kt/android/showtouch/activity/main/UserJoinActivity$1;-><init>(Lcom/kt/android/showtouch/activity/main/UserJoinActivity;)V iput-object v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->getHeightThread:Ljava/lang/Thread;.line 64 return-void.end method # virtual methods.method public d(ljava/lang/string;)i.locals 2.parameter "msg".prologue.line 59 iget v0, p0, Lcom/skt/wifiauth/SimpleLogger;->mLogLevel:I

31 smali code 분석 #2.line 155 :try_start_0 const-string v3, "/moca/newsetkmcsms.php" invoke-virtual {v0, v3}, Lcom/kt/android/showtouch/manager/ApiManager;->setApiUri(Ljava/lang/String;)Lcom/kt/android/showtouch/manager/ApiManager; move-result-object v3 invoke-virtual {v3}, Lcom/kt/android/showtouch/manager/ApiManager;->clearParams()Lcom/kt/android/showtouch/manager/ApiManager; move-result-object v3 iget-object v4, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->userRegParamList:Ljava/util/ArrayList; invoke-virtual {v3, v4}, Lcom/kt/android/showtouch/manager/ApiManager;->appendParamList(Ljava/util/List;)Lcom/kt/android/showtouch/manager/ApiManager; move-result-object v3

32 smali code 분석 #3 invoke-virtual {v3}, Lcom/kt/android/showtouch/manager/ApiManager;->read()Z :try_end_0.catch Ljava/lang/Exception; {:try_start_0.. :try_end_0} :catch_0.line 161 :goto_0 invoke-direct {p0}, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->setSmsReceiverHandler()V.line 162 return-void.line 156 :catch_0 move-exception v1.line 157.local v1, e:ljava/lang/exception; const-string v3, "MOCA_Wallet UserJoinActivity" new-instance v4, Ljava/lang/StringBuilder; invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

33 smali code 분석 #4 new-instance v6, Ljava/lang/StringBuilder; invoke-static {p2}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String; move-result-object v7 invoke-direct {v6, v7}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V const-string v7, "(" invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v6 array-length v7, p3 invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder; move-result-object v6 const-string v7, ")" invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v6 invoke-virtual {v6}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v6 invoke-virtual {p0, v6}, Lcom/skt/wifiauth/SimpleLogger;->i(Ljava/lang/String;)I

34 APK 정적분석 : libxxxxxx.so

35 APK 정적분석 : Decompile classes.dex jar(dex2jar) classes.dex smali(apktool) class java( jad)

36 Q&A

[Smali 코드배우기 ] 작성 : 테스트를위해안드로이드앱을리패키징할일이있는데, 이때 smali에대한지식이필요하다. 그래서웹상에있는정보들을모아정리했다. Understanding the dalvik bytecode with the dedexer t

[Smali 코드배우기 ] 작성 : 테스트를위해안드로이드앱을리패키징할일이있는데, 이때 smali에대한지식이필요하다. 그래서웹상에있는정보들을모아정리했다. Understanding the dalvik bytecode with the dedexer t [Smali 코드배우기 ] 작성 : ttamna@i2sec 테스트를위해안드로이드앱을리패키징할일이있는데, 이때 smali에대한지식이필요하다. 그래서웹상에있는정보들을모아정리했다. Understanding the dalvik bytecode with the dedexer tool. : Dalvik 구조와, 바이트코드등이설명되어있고, Smali to Java를연습해볼수있도록구성되어있음