Android DEX Security Attack and Defense

http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
This paper was presented at Black Hat 2012. Although its content is no longer fresh and many of the methods may no longer work today, it still offers plenty of anti-reversing inspiration!

I. Basic DEX knowledge

1. What is DEX?
DEX is short for Dalvik EXecutable.
The .class files are packaged into a single DEX file, which runs on the Dalvik virtual machine.
The DEX file is packaged into the APK file (which is essentially a jar or zip file).

During installation, the system extracts the DEX file for checking and verification.
On the first run, the system optimizes the DEX file and converts it to an odex file.
Odex files are stored in the /data/dalvik-cache directory and loaded into memory for execution.


2. DEX file format (for details, see: http://blog.csdn.net/androidsecurity/article/details/8664778)



3. How to view DEX files
Currently, the following tools can be used to decompile DEX files:



II. How attackers hide software behavior

Attackers often use the following methods to hide software behavior:

1. Use reflection to call sensitive APIs



This method allows attackers to "hide" sensitive API calls. However, it is easy to identify by checking whether Java reflection is used at all.
Combined with code obfuscation, it makes automatic identification harder. Dynamic analysis deals with this kind of "hiding" more easily.

2. Code logic "hidden" in resource files

Code logic can be hidden by changing the file extension, for example:



The file command easily checks whether a file's real type matches its extension.
A more advanced variant appends an ELF executable to a valid image file: the file command still reports the correct image type, and the image still displays normally:

This hiding method requires examining all resource files in depth. A file that looks like a JPEG image is not necessarily only that (never trust your own eyes).
There may be other, more advanced methods of hiding malicious code.

3. Use DexClassLoader dynamic loading

Android's DexClassLoader can be used to load DEX files dynamically. The DEX file can be shipped in the assets or raw directory, or downloaded from the network at run time.

III. Anti-reverse analysis on Android

We can use implementation defects in reverse-analysis tools to make them crash, and so achieve the goal of anti-reverse analysis.

Targets of Android anti-reverse analysis:
Baksmali - the most widely used DEX disassembler (used by apktool, AntiLVL, etc.) (https://code.google.com/p/smali)
Dex2jar - converts a DEX file into a jar, which can then be viewed with JD-GUI (http://code.google.com/p/dex2jar)
IDA Pro - (not covered here!) (https://www.hex-rays.com/index.shtml)
Androguard - also popular (https://code.google.com/p/androguard)

1. Build a DEX link section to crash the baksmali tool (see http://blog.csdn.net/androidsecurity/article/details/8664778 for the DEX file structure)

Because baksmali does not support the link section of a DEX file, we can build a DEX link section to make baksmali crash. For example:


This method has often been used to stop developers from reverse-analyzing the code logic; it has appeared in projects such as Lohan+ (AntiLVL) and jcase's. However, it also has an obvious disadvantage: the analysis tool is easy to repair based on the exception information.

2. Use the known JAR hack

Because an APK is essentially a zip/jar package, we can also use the known JAR hack.
JAR places no limit on the length of a file name, but operating systems require that a file name not exceed 255 characters. We can build a class name longer than 255 characters to defeat reversing.
How do we build a class name longer than 255 characters? First, let's look at the format of the DEX class_def_item:



We can build a class name longer than 255 characters as follows:
1. Add a string longer than 255 characters to the source code.
2. Compile the source code, then modify the DEX file so that the class descriptor index points at the string_idx of that string.

Here is the comparison before and after the modification:



The modified APK can still be installed normally, for example:



This modification prevents reverse analysis, as shown here:



We can see that an error is reported because the length exceeds 255 characters.
However, the disadvantage of this method is that it only defeats baksmali; IDA, Dex2jar and Androguard still work normally.
This method is also easy to detect and fix: when a class name is longer than 255 characters, treat the application with caution.

3. Inserting invalid bytecode instructions to crash reverse tools

Most reverse tools read and parse bytecode linearly. When an invalid bytecode is encountered, the decompiler fails to parse it.
We can insert invalid bytecode into the DEX file, but we must make sure that the invalid bytecode is never executed (otherwise the program will crash!).

    1201      // Load 0 into v1
    3801 0300 // A conditional jump which should always succeed, jumps over
              // next bytes
    FFFF      // Bad opcodes

Install an APK containing the inserted invalid bytecode. For example:



However, the following error is reported when the program runs:


Why is an error reported at run time?
The Dalvik virtual machine does not skip invalid bytecode as we expected: before execution, it verifies that the bytecode of the class is valid along all call paths.
Now the question is: how can we bypass the code verification of the Dalvik virtual machine?
If we insert the invalid code into a class that is never called, can we bypass Dalvik's run-time code verification?
See the result of the following insertion:

Haha, it runs successfully. Now let's look at the anti-reversing effect of this method!

(Unfortunately, baksmali fixed this bug in 2f81aec886d2, so the method no longer works against it.)


Dex2jar: the method works.


Androguard: the method works (unfortunately, Androguard fixed the bug quickly).


IDA: the method fails!


Ded: the method works! The tool keeps running while processing the class that contains the invalid bytecode until you kill the process.

The disadvantage of this method is that it is easily repaired by the tools: when decompiling, the tool only needs to skip the invalid bytecode. baksmali and Androguard have already fixed this bug.
This method is also easy to detect automatically: be cautious if invalid code is encountered!
Reverse analysts should try to use the latest version of their tools.

4. Insert a valid bytecode instruction followed by an invalid data reference

The tools now cope with inserted invalid bytecode instructions. But what if we insert a valid bytecode instruction that is followed by an invalid data reference?

    1201      // Load 0 into v1
    3801 0300 // A conditional jump which should always succeed, jumps over
              // next bytes
    1a00 FF00 // Load const-string at index 255 (doesn't exist)



This time we again bypass the Dalvik run-time bytecode verification, but we replace the invalid instruction with a valid one.


baksmali: the method works!


Dex2jar: the method works!


Androguard: the method works, but an error is reported only when this "valid bytecode instruction" is actually decompiled.


Ded: the method works!


IDA: the method fails!

This method is also easily repaired by the tools: the reverse tool only needs to handle a nonexistent index gracefully instead of parsing it blindly.
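As an added example (not code from the article or from any of the tools it names), a small Python decoder for the instructions used in the snippets of sections 3 and 4. It contrasts the pre-fix behaviour (abort on the first bad opcode or out-of-range index, which is the crash the technique relies on) with the fixed behaviour (record the anomaly, keep decoding, and surface it as a detection signal). The sample methods are constructed; their branch offsets are chosen so that the always-taken jump lands on return-void.

```python
import struct
# Opcode -> (mnemonic, length in 16-bit code units) for the instructions in the article's snippets.
OPCODES = {0x00: ("nop", 1), 0x0e: ("return-void", 1), 0x12: ("const/4", 1),
           0x1a: ("const-string", 2), 0x38: ("if-eqz", 2)}

def to_units(code):
    """A DEX insns array is a little-endian sequence of 16-bit code units."""
    return struct.unpack("<%dH" % (len(code) // 2), code)

def decode_one(units, pc, string_count):
    """Decode the instruction at code unit pc; return (text, length, anomaly-or-None)."""
    op, hi = units[pc] & 0xFF, units[pc] >> 8
    if op not in OPCODES:
        return ("<bad opcode 0x%02x>" % op, 1, "invalid opcode 0x%02x at unit %d" % (op, pc))
    name, length = OPCODES[op]
    if length == 2 and pc + 1 >= len(units):
        return ("<truncated %s>" % name, 1, "%s truncated at unit %d" % (name, pc))
    if op == 0x12:                                  # const/4 vA, #+B: A and B are nibbles of hi
        b = hi >> 4
        return ("const/4 v%d, #%d" % (hi & 0xF, b - 16 if b > 7 else b), 1, None)
    if op == 0x38:                                  # if-eqz vAA, +BBBB: signed offset in code units
        off = struct.unpack("<h", struct.pack("<H", units[pc + 1]))[0]
        return ("if-eqz v%d, %+d" % (hi, off), 2, None)
    if op == 0x1a:                                  # const-string vAA, string@BBBB
        idx = units[pc + 1]
        bad = None if idx < string_count else "string index %d out of range at unit %d" % (idx, pc)
        return ("const-string v%d, string@%d" % (hi, idx), 2, bad)
    return (name, length, None)

def naive_disassemble(code, string_count):
    """Pre-fix behaviour: the first anomaly aborts the whole method (the crash the article relies on)."""
    units, pc, out = to_units(code), 0, []
    while pc < len(units):
        text, length, anomaly = decode_one(units, pc, string_count)
        if anomaly:
            raise ValueError(anomaly)
        out.append(text); pc += length
    return out

def robust_disassemble(code, string_count):
    """Fixed behaviour: record the anomaly, keep decoding, and report it as an anti-analysis signal."""
    units, pc, out, anomalies = to_units(code), 0, [], []
    while pc < len(units):
        text, length, anomaly = decode_one(units, pc, string_count)
        if anomaly:
            anomalies.append(anomaly)
        out.append(text); pc += length
    return out, anomalies

# Constructed samples shaped like the article's two snippets: always-taken branch, unreachable bytes, return-void.
BAD_OPCODE_METHOD = bytes.fromhex("1201" "3801" "0300" "ffff" "0e00")
BAD_INDEX_METHOD = bytes.fromhex("1201" "3801" "0400" "1a00" "ff00" "0e00")
```

Because the VM's verifier never accepts such a method in a loaded class, any anomaly that robust_disassemble reports in a class that is never loaded is itself a strong indicator of deliberate anti-analysis.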

5. Attacks on Java decompiler defects
Dex2jar + (JD-GUI or JAD) is a commonly used reverse-analysis toolchain: Dex2jar converts DEX files into Java bytecode JAR files, and JD-GUI or JAD converts Java bytecode into Java source code.
We can defeat reverse analysis by using defects in the JD-GUI or JAD tools. The effect is shown below:


6. baksmali's file header processing defect
We have just seen baksmali's bug in handling the link section. Is there a similar crash point? The baksmali code is as follows:

When the DEX header size is not equal to 0x70, baksmali also throws an exception and exits!
The header_size value is normally 0x70.

Constructing such a DEX file is easy:
the offset of each table referenced in the file header needs to be fixed up,
and the modified header size is set to 0x78.


However, this method only works against baksmali, and the bug is easy to fix.
This method can also be used to hide data and code in the DEX header.
We can hide another DEX inside the DEX file header and load the attached DEX data at run time.
Build a nonstandard DEX file:


Call the DexFile class method through reflection to load the attached DEX data (on Android 4.0 and above, the method at http://www.bkjia.com/kf/201308/236053.html is the one we need):



What is actually called through reflection is the openDexFile method of DexFile.

This method allows us to parse DEX data from a byte[] without storing the DEX data in a file on the device.
We can read DEX data from the APK file, from memory, from the dalvik-cache, and so on.
The packaged DEX file is shown below:
 
This method causes problems for automated analysis tools: they process the file as a normal DEX and ignore the attached DEX data. Extracting the embedded DEX data requires specific tools, a hex editor, or manual work.
We can use different methods to make extracting the embedded data harder, such as:
encrypting the embedded DEX data;
encrypting the embedded DEX data and then ZIP-compressing it;
decrypting in native code and loading directly from memory;
... and so on.

This hiding method can be detected by checking whether the DEX header length is greater than 0x70.
7. Big-endian and little-endian swapping (theory)
Currently, no Android reverse tool handles a byte-swapped DEX file (maybe IDA does).
During DEX optimization, the Dalvik virtual machine checks whether the DEX file's byte order suits the current device and, if not, swaps the byte order of the DEX file.
What we need to do is change the byte order of the DEX file. The swapped DEX file breaks the reverse tools but still runs on the device.
This attack is theoretically feasible. For the swapping logic we can refer to the Android source implementation, located at /dalvik2/libdex/dexSwapAndVerify.cpp.
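As an added example (not from the article or from any of the tools it names), a Python scanner for the header-level tricks of sections 1, 2, 6 and 7: a populated link section, a class descriptor longer than 255 characters, a header_size other than 0x70, and a byte-swapped file. build_dex constructs a minimal one-class DEX skeleton purely for testing the scanner; it is not an installable DEX.

```python
import struct
HEADER_FMT = "8sI20s20I"                          # magic, checksum, sha1, then 20 uint32 fields
HEADER_SIZE = struct.calcsize("<" + HEADER_FMT)   # 0x70
ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT = 0x12345678, 0x78563412
FIELDS = ["file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off"] + [
    "%s_%s" % (s, k) for s in ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids",
                               "class_defs", "data") for k in ("size", "off")]

def read_uleb128(buf, off):                       # string_data_item starts with a uleb128 utf16_size
    value, shift = 0, 0
    while buf[off] & 0x80:
        value |= (buf[off] & 0x7F) << shift; shift += 7; off += 1
    return value | (buf[off] << shift), off + 1

def class_descriptors(dex, h, bo):
    """class_def.class_idx -> type_id.descriptor_idx -> string_id.string_data_off -> MUTF-8 text."""
    for i in range(h["class_defs_size"]):
        class_idx = struct.unpack_from(bo + "I", dex, h["class_defs_off"] + 32 * i)[0]
        str_idx = struct.unpack_from(bo + "I", dex, h["type_ids_off"] + 4 * class_idx)[0]
        data_off = struct.unpack_from(bo + "I", dex, h["string_ids_off"] + 4 * str_idx)[0]
        _, start = read_uleb128(dex, data_off)
        yield dex[start:dex.index(b"\0", start)].decode("utf-8", "replace")

def scan_dex(dex):
    """Return the header-level anti-analysis indicators from the article that this DEX shows."""
    bo, findings = "<", []
    h = dict(zip(FIELDS, struct.unpack_from(bo + HEADER_FMT, dex)[3:]))
    if h["endian_tag"] == REVERSE_ENDIAN_CONSTANT:    # byte-swapped file: re-read as big-endian
        findings.append("reverse endian tag")
        bo, h = ">", dict(zip(FIELDS, struct.unpack_from(">" + HEADER_FMT, dex)[3:]))
    if h["header_size"] != HEADER_SIZE:
        findings.append("header_size 0x%x != 0x70" % h["header_size"])
    if h["link_size"] or h["link_off"]:
        findings.append("non-empty link section")
    if any(len(d) > 255 for d in class_descriptors(dex, h, bo)):
        findings.append("class descriptor longer than 255 chars")
    return findings

def build_dex(class_name, header_size=HEADER_SIZE, link=(0, 0), big_endian=False):
    """Constructed one-class DEX skeleton for exercising scan_dex; it is not an installable DEX."""
    bo = ">" if big_endian else "<"
    desc = ("L%s;" % class_name).encode()
    n = len(desc)                                    # uleb128 utf16_size; two bytes cover n < 16384
    sdata = (bytes([n]) if n < 0x80 else bytes([n & 0x7F | 0x80, n >> 7])) + desc + b"\0"
    sid_off, tid_off, cdef_off, data_off = (header_size + k for k in (0, 4, 8, 40))
    header = struct.pack(bo + HEADER_FMT, b"dex\n035\0", 0, b"\0" * 20, data_off + len(sdata),
                         header_size, ENDIAN_CONSTANT, link[0], link[1], 0, 1, sid_off, 1, tid_off,
                         0, 0, 0, 0, 0, 0, 1, cdef_off, len(sdata), data_off)
    header += b"\0" * (header_size - HEADER_SIZE)    # oversized header = room to hide data
    return header + struct.pack(bo + "3I", data_off, 0, 0) + b"\0" * 28 + sdata
```

A DEX whose endian tag reads back as REVERSE_ENDIAN_CONSTANT has every multi-byte field byte-swapped, so the scanner re-reads the header big-endian before applying the remaining checks.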

IV. Anti-virtual-machine techniques

How can an app check whether its run-time environment is a QEMU virtual machine? We can use getprop to obtain the relevant information: many getprop properties differ between a QEMU virtual machine and a real mobile device. For example:

getprop has no public interface in the Android SDK, but we can call it through Java reflection.


V. References
http://code.google.com/p/smali/
http://code.google.com/p/androguard/
http://code.google.com/p/dex2jar/
http://siis.cse.psu.edu/ded/
http://hex-rays.com/products/ida/index.shtml
http://source.android.com/tech/dalvik/dex-format.html


Original article: http://blog.csdn.net/jiazhijun/article/details/9428861
