Attack Android injection "1", attack android "1"
Preface
This series was originally shared by the company and has a large amount of content. Therefore, we reorganized this PPT into a blog, hoping to help you learn it. I will first use an "text message interception" as an example to throw a problem and propose a "injection"-based technical solution to increase the interception priority. Then I will focus on the injection technical details. Finally, I will share with you an AIM (Android IPC Manager) framework for development and injection in my spare time ). Of course, this framework is different from the current XPosed and CydiaStructe frameworks.
SMS Interception
Scenario
If a security payment application and an unknown Trojan are installed on the same mobile phone, Trojan will intercept all verification code text messages.
Problem
Is there any way to ensure that security payment applications can receive verification code text messages more preferentially than Trojans?
The solution is actually a matter of preemptible priority. It should be clear to all the friends who develop the text message function, because the boss is concerned about this. The general feasible solution is as follows:
- Improves the BroadcastReceiver priority;
- Register BroadcastReceiver dynamically;
- The earlier the registration time, the better;
Based on the above three points, we can make the following optimizations:
- Listen to the boot broadcast event BOOT_COMPLETED of Android, early registration time;
- Start a Service and register BroadcastReceiver dynamically;
- The registration priority is adjusted to the highest -- Integer. MAX_VALUE;
The key code is as follows:
IntentFilter filter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");filter.setPriority(Integer.MAX_VALUE);registerReceiver(new SmsReceiver(), filter);
This solution solves some of the problems. However, this method is completely technical and is not a problem for hackers on the technical front line, they not only adopt the same technology, but also do better. In terms of "The earlier the registration time, the better", they add several additional triggers as follows:
- WIFI_STATE_CHANED
- CONNECTIVITY_CHANGE
- ACCESS_NETWORK_STATE
- ACCESS_WIFI_STATE
These system events are triggered earlier than BOOT_COMPLETED, so Trojans can certainly take precedence over text messages. Based on this confrontation, do we have to fight together with Trojans? Is there a better solution? The answer is yes. The most effective way to promote the development of science and technology is war. In this technological confrontation, it is also the most likely to produce new ideas and solutions.
The basic idea is that after the broadcast is sent, we may be in the descending order. Is there a way to adjust the order before broadcasting? We know that Android broadcasts are routed and forwarded by ActivityManagerService (AMS). Therefore, AMS certainly stores information and order of each BroadcastReceiver, if we have a way to go to AMS and use reflection techniques, can we adjust the broadcast sending sequence before each broadcast is sent?
This is the technical solution I want to share with you-implementing the absolute priority blocking of text messages through injection. The basic idea of the technology is as follows. We first add system_process to the system process, intercept the broadcastIntent method of AMS, and insert our adjustment logic.
In II, I will focus on the technical principles of injection, and then explain the technical points involved in this solution through a series of demos.
How can Allen have the key in the second episode of the attacking giant? When did his father give it to him?
It was not a dream to inject medicine. Then Alan went to the lab with the key.
Why did his father inject medicine into the 26 episodes of Yanni that attacked giant ???
Here, the cartoon party hasn't provided a clear answer yet. Please wait for the author.
