Malware and Vulnerability Analysis Lecture3-2 Malware Analysis #3-2
Agenda: Android malware analysis
Malware analysis: static analysis of Android malware
APK extraction #1: adb commands
Extract the list of packages installed on the Android device:
    adb shell pm list packages

Running `adb shell pm` without arguments prints the usage:
v0nui-macbook-pro-2:lecture3 v0n$ adb shell pm
usage: pm list packages [-f] [-d] [-e] [-s] [-3] [-i] [-u] [FILTER]   <- You will get full package list on your device
       pm list permission-groups
       pm list permissions [-g] [-f] [-d] [-u] [GROUP]
       pm list instrumentation [-f] [TARGET-PACKAGE]
       pm list features
       pm list libraries
       pm path PACKAGE   <- You will get a path of package
       pm install [-l] [-r] [-t] [-i INSTALLER_PACKAGE_NAME] [-s] [-f] [--algo <algorithm name> --key <key-in-hex> --iv <IV-in-hex>] PATH
       pm uninstall [-k] PACKAGE

List the packages together with the path of each package's APK file:
    adb shell pm list packages -f
Copy the APK at that path from the device to the analysis host:
    adb pull
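An added helper script (not from the lecture) that automates the two adb steps above: it parses the `package:<path>=<name>` lines printed by `pm list packages -f`, keeps the user-installed packages under /data/app, and pulls each APK with `adb pull`. The sample output is constructed; `adb` must be on PATH for the pull step.

```python
import os
import shutil
import subprocess

# Constructed sample of `adb shell pm list packages -f` output (not from a real device).
SAMPLE_PM_OUTPUT = """package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.example.wallet-1/base.apk=com.example.wallet
package:/data/app/com.example.game-2.apk=com.example.game
"""

def parse_pm_list(output):
    """Parse `pm list packages -f` lines into (package_name, apk_path) pairs.

    Each line looks like `package:<path>=<name>`; the path may itself contain
    '=' characters, so the split is done on the last '='.
    """
    result = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            result.append((name, path))
    return result

def third_party_only(entries):
    """Keep user-installed packages (under /data/app); drop /system packages."""
    return [(n, p) for n, p in entries if p.startswith("/data/app/")]

def pull_apks(entries, dest_dir):
    """Run `adb pull` for each (name, path); the local copy is named <package>.apk."""
    os.makedirs(dest_dir, exist_ok=True)
    pulled = []
    for name, path in entries:
        local = os.path.join(dest_dir, name + ".apk")
        subprocess.run(["adb", "pull", path, local], check=True)
        pulled.append(local)
    return pulled

if __name__ == "__main__":
    if shutil.which("adb") is None:
        print("adb not found; parsing the constructed sample output instead")
        for name, path in third_party_only(parse_pm_list(SAMPLE_PM_OUTPUT)):
            print(name, path)
    else:
        out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                             capture_output=True, text=True, check=True).stdout
        print(pull_apks(third_party_only(parse_pm_list(out)), "pulled_apks"))
```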
APK extraction #2: file manager app
Export the installed app's APK with a file manager app; it is saved under /sdcard/backup_apps/[filename].apk
APK static analysis: unzip the APK
An APK is a ZIP archive, so unzip it to inspect its contents:
    AndroidManifest.xml   encoded (binary XML), so it must be decoded before reading
    classes.dex           DEX → JAR, then view with JD-GUI
    libxxxxxx.so          native library, analyze with IDA Pro
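An added triage script (not from the lecture) that does the unzip step programmatically: it opens the APK as a ZIP, checks the magic bytes of each entry, reports whether AndroidManifest.xml is the encoded binary form, and flags DEX or ELF content stored outside its expected location. The APK it inspects is a constructed minimal sample built in memory, not a real app.

```python
import io
import zipfile

# Magic bytes of the three file kinds named on the slide.
AXML_MAGIC = b"\x03\x00\x08\x00"   # encoded (binary) AndroidManifest.xml: RES_XML_TYPE header
DEX_MAGIC = b"dex\n"               # classes.dex, followed by the version, e.g. "035\0"
ELF_MAGIC = b"\x7fELF"             # native library lib*.so

def classify_entry(name, head):
    """Classify one APK entry from its name and its first bytes."""
    if name == "AndroidManifest.xml":
        return "manifest-binary-xml" if head.startswith(AXML_MAGIC) else "manifest-plain-xml"
    if name.endswith(".dex"):
        return "dex" if head.startswith(DEX_MAGIC) else "dex-bad-magic"
    if name.startswith("lib/") and name.endswith(".so"):
        return "native-lib" if head.startswith(ELF_MAGIC) else "native-lib-bad-magic"
    # Executable code outside classes*.dex or lib/ deserves a closer look during triage.
    if head.startswith(ELF_MAGIC) or head.startswith(DEX_MAGIC):
        return "suspicious-embedded-code"
    return "other"

def triage_apk(apk_bytes):
    """Open an APK (a ZIP) from memory and map every entry name to its classification."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as f:
                head = f.read(8)
            report[info.filename] = classify_entry(info.filename, head)
    return report

def build_sample_apk():
    """Constructed minimal APK-like ZIP for demonstration only (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 8)
        zf.writestr("lib/armeabi-v7a/libnative.so", ELF_MAGIC + b"\x01\x01\x01\x00")
        zf.writestr("res/layout/main.xml", AXML_MAGIC)
        zf.writestr("assets/data.bin", ELF_MAGIC + b"\x02\x01\x01\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, kind in triage_apk(build_sample_apk()).items():
        print(f"{kind:28s} {entry}")
```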
APK static analysis: AndroidManifest.xml
When developing an Android app: java → class/jar → dex. When analyzing classes.dex (from dex to jar), the direction is reversed: dex → jar → java.
A JAR is an archive of class files; decompiling the class files yields the Java code. Java decompilers: jd-gui: http://jd.benow.ca, jad: http://varaneckas.com/jad/
Decompiling with jd-gui
Problem with jd-gui: // ERROR // (a decompilation error leaves the Java code unviewable)
Workarounds when a decompilation error makes the code unreadable: use jad, or work from smali (apktool): http://ibotpeaches.github.io/apktool/ converts dex → smali code
jad usage: class → java (jad)
    jad -o -r -sjava **/*.class    (all class files, recursively)
    jad -o -sjava [name].class     (a single class file)
apktool usage
    apktool d[ecode] [OPTS] <file.apk> [<dir>]
    apktool b[uild] [OPTS] [<app_path>] [<out_file>]
If a resource error occurs when decompiling with apktool d, update apktool or use the -r option (skip resource decoding)
apktool saves the decompiled code in the smali directory
The smali directory mirrors the class (package) structure as a directory structure
apktool: smali/baksmali assembler/disassembler. dex → (baksmali) → smali code; smali code → (smali) → dex
smali code analysis: Dalvik opcode reference at http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
smali code analysis #1
    .method public constructor <init>()V
        .locals 1

        .prologue
        .line 64
        invoke-direct {p0}, Lcom/kt/android/showtouch/base/BaseActivity;-><init>()V

        .line 66
        const-string v0, "MOCA_Wallet UserJoinActivity"

        iput-object v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->TAG:Ljava/lang/String;

        .line 77
        const/4 v0, 0x0

        iput-boolean v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->isKeyboard:Z

        .line 121
        new-instance v0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity$1;

        invoke-direct {v0, p0}, Lcom/kt/android/showtouch/activity/main/UserJoinActivity$1;-><init>(Lcom/kt/android/showtouch/activity/main/UserJoinActivity;)V

        iput-object v0, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->getHeightThread:Ljava/lang/Thread;

        .line 64
        return-void
    .end method

    # virtual methods
    .method public d(Ljava/lang/String;)I
        .locals 2
        .parameter "msg"

        .prologue
        .line 59
        iget v0, p0, Lcom/skt/wifiauth/SimpleLogger;->mLogLevel:I

smali code analysis #2
        .line 155
        :try_start_0
        const-string v3, "/moca/newsetkmcsms.php"

        invoke-virtual {v0, v3}, Lcom/kt/android/showtouch/manager/ApiManager;->setApiUri(Ljava/lang/String;)Lcom/kt/android/showtouch/manager/ApiManager;

        move-result-object v3

        invoke-virtual {v3}, Lcom/kt/android/showtouch/manager/ApiManager;->clearParams()Lcom/kt/android/showtouch/manager/ApiManager;

        move-result-object v3

        iget-object v4, p0, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->userRegParamList:Ljava/util/ArrayList;

        invoke-virtual {v3, v4}, Lcom/kt/android/showtouch/manager/ApiManager;->appendParamList(Ljava/util/List;)Lcom/kt/android/showtouch/manager/ApiManager;

        move-result-object v3

smali code analysis #3
        invoke-virtual {v3}, Lcom/kt/android/showtouch/manager/ApiManager;->read()Z
        :try_end_0
        .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

        .line 161
        :goto_0
        invoke-direct {p0}, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->setSmsReceiverHandler()V

        .line 162
        return-void

        .line 156
        :catch_0
        move-exception v1

        .line 157
        .local v1, e:Ljava/lang/Exception;
        const-string v3, "MOCA_Wallet UserJoinActivity"

        new-instance v4, Ljava/lang/StringBuilder;

        invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

smali code analysis #4
        new-instance v6, Ljava/lang/StringBuilder;

        invoke-static {p2}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

        move-result-object v7

        invoke-direct {v6, v7}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

        const-string v7, "("

        invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

        move-result-object v6

        array-length v7, p3

        invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

        move-result-object v6

        const-string v7, ")"

        invoke-virtual {v6, v7}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

        move-result-object v6

        invoke-virtual {v6}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

        move-result-object v6

        invoke-virtual {p0, v6}, Lcom/skt/wifiauth/SimpleLogger;->i(Ljava/lang/String;)I
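An added example (not from the lecture) of the first pass an analyst makes over apktool's smali output: a small parser that lists, per method, the string constants (URLs, API paths, log tags) and the invoked methods, and a keyword search over them. The sample is the try block from the slides above; the enclosing method header `joinUser()V` is assumed because the slide does not show it.

```python
import re

# Sample smali from the lecture slides (UserJoinActivity try block, reflowed).
# The method header is assumed; the slide does not show it.
SAMPLE_SMALI = """\
.method private joinUser()V
    .locals 5
    .line 155
    :try_start_0
    const-string v3, "/moca/newsetkmcsms.php"
    invoke-virtual {v0, v3}, Lcom/kt/android/showtouch/manager/ApiManager;->setApiUri(Ljava/lang/String;)Lcom/kt/android/showtouch/manager/ApiManager;
    move-result-object v3
    invoke-virtual {v3}, Lcom/kt/android/showtouch/manager/ApiManager;->read()Z
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
    :goto_0
    invoke-direct {p0}, Lcom/kt/android/showtouch/activity/main/UserJoinActivity;->setSmsReceiverHandler()V
    return-void
.end method
"""

# .method <modifiers> <name(desc)ret>  |  invoke-<kind> {regs}, <target>  |  const-string vX, "..."
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*(?P<sig>\S+)")
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(?P<target>\S+)")
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s+"(?P<val>(?:[^"\\]|\\.)*)"')

def parse_smali(text):
    """Map each method signature to the string constants and call targets in its body."""
    methods, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            current = m.group("sig")
            methods[current] = {"strings": [], "invokes": []}
        elif line == ".end method":
            current = None
        elif current is not None:
            s, i = STRING_RE.match(line), INVOKE_RE.match(line)
            if s:
                methods[current]["strings"].append(s.group("val"))
            elif i:
                methods[current]["invokes"].append(i.group("target"))
    return methods

def find_by_keyword(methods, keyword):
    """Return the methods whose strings or call targets mention keyword (case-insensitive)."""
    kw = keyword.lower()
    return [sig for sig, info in methods.items()
            if any(kw in x.lower() for x in info["strings"] + info["invokes"])]
```

Run it over every .smali file under apktool's smali directory to get a per-method index of strings and calls for the whole app.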
APK static analysis: libxxxxxx.so
APK static analysis: decompilation paths. classes.dex → jar (dex2jar); classes.dex → smali (apktool); class → java (jad)
Q&A