Android Security Lecture, Layer 9 (ii): Memory dump

Source: Internet
Author: User

Recently, more and more Android applications have placed greater emphasis on their own protection mechanisms, mainly in the following areas:


1. Dex packers

2. So packers

3. Dex hidden inside an so library and released into memory at the appropriate time


This is a technological advance, and there are professional companies that provide complete protection solutions, such as anti-ptrace or Dex file encryption. However, at the technical level, the instructions that actually run must still be ones the CPU (or the Dalvik VM) can execute. Unless an expensive dynamic in-memory protection scheme is used, which is generally considered too inefficient, the so or DEX that has been loaded into memory is plain code that the CPU can execute as-is.


Because cracking your elaborate packing algorithm is a troublesome thing for a hacker, and single-stepping through a pile of boring assembly code is possible but extremely inefficient, a memory dump is the means hackers most often reach for at this point.


A memory dump on Linux cannot be separated from ptrace, so some protection programs directly prevent other processes from ptrace-ing them; the main means is to ptrace themselves. Even so, tireless hackers have successfully bypassed this anti-ptrace protection; I will write a separate article on that when I have time. Today I only describe how a memory dump is done, and a memory dump requires ptrace-ing the target process.


For my own convenience, I wrote a memdump tool. It is an ELF executable that can be run directly from an adb shell inside the Android system. First, let's talk about how to use this tool.


# memdump
usage: memdump pid start_addr end_addr filename


The usage is very simple. Copy memdump to your phone with adb push; I placed it under /system/bin so that I do not have to specify its path and can run the command directly.

Then there are 4 parameters:


pid           process number of the target process to dump
start_addr    virtual start address of the target process data to dump
end_addr      virtual end address of the target process data to dump
filename      file name to save the dumped data to (a path is required)


That covers how the command is used; next is the specific procedure.




1. I wrote an APK with package name com.example.socketcomm, which loads a libsocketback.so library. After starting it, its process number was 11164. Looking at its maps information, I found its executable code segment at

56d34000-56d37000 r-xp 00000000 103:04 579426   /data/data/com.example.socketcomm/lib/libsocketback.so

that is, across these three pages.


Since a page is 0x1000 bytes, I do not know the exact size of this so, but it does not matter: first dump all three pages, and process the result afterwards.
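As an added example (not the article's memdump tool), this script does the step just described: it finds the executable (r-xp) mapping of a named library in /proc/<pid>/maps output, counts the pages it spans, and builds the memdump command line. The maps text is constructed here; only the libsocketback.so line is the one from the article, the other lines are made-up neighbours.

```python
import re
from typing import Optional, Tuple

PAGE_SIZE = 0x1000  # page size assumed by the article

# Constructed sample of /proc/11164/maps: the r-xp libsocketback.so line is the
# one shown above, the remaining lines are invented neighbours for illustration.
SAMPLE_MAPS = """\
56d34000-56d37000 r-xp 00000000 103:04 579426   /data/data/com.example.socketcomm/lib/libsocketback.so
56d37000-56d38000 rw-p 00003000 103:04 579426   /data/data/com.example.socketcomm/lib/libsocketback.so
b6f00000-b6f21000 r-xp 00000000 103:04 1234     /system/lib/libc.so
b6f21000-b6f23000 rw-p 00021000 103:04 1234     /system/lib/libc.so
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def find_exec_mapping(maps_text: str, lib_name: str) -> Optional[Tuple[int, int, str]]:
    """Return (start, end, path) of the executable mapping whose path ends in lib_name."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[7]
        if "x" in perms and path.endswith("/" + lib_name):
            return start, end, path
    return None


def page_count(start: int, end: int) -> int:
    """Number of PAGE_SIZE pages between two page-aligned addresses."""
    return (end - start) // PAGE_SIZE


def memdump_command(pid: int, start: int, end: int, out_path: str) -> str:
    """Build the memdump invocation in the form the article uses."""
    return f"memdump {pid} {start:#x} {end:#x} {out_path}"


if __name__ == "__main__":
    found = find_exec_mapping(SAMPLE_MAPS, "libsocketback.so")
    if found:
        s, e, p = found
        print(p, "spans", page_count(s, e), "pages")
        print(memdump_command(11164, s, e, "/sdcard/dump.so"))
```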





For example:

memdump 11164 0x56d34000 0x56d37000 /sdcard/dump.so

With this command, libsocketback.so is dumped to /sdcard/dump.so.

Then exit the adb shell and pull /sdcard/dump.so onto the Linux host with adb pull.

Then use readelf -h dump.so to view the ELF header; sure enough, it is

Type: DYN (Shared object file)

a shared object.


A careful reader will notice

readelf: Error: Unable to read in 0x370 bytes of section headers

The reason for this error is that when Linux loads an so it uses the program (segment) view, and what it mainly cares about is

Start of program headers: 52 (bytes into file)

The loader is not concerned with the section names of the linking view, so the data dumped directly from memory contains no sections such as .shstrtab, .symtab or .strtab, and a parsing error is normal. The commonly used method of patching the so is to obtain the original so (you should be able to get it as long as you have the application), then, according to the ELF header, find

Start of section headers: 12600 (bytes into file)

and splice a file together starting from that offset in the original file. This requires a certain understanding of the ELF file format; I will supplement it with some ELF-related blog posts based on my own research and learning.
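As an added example (not the article's tool), the following script parses the ELF header of a dump and checks whether the section header table that readelf -h looks for actually lies inside the dumped bytes. The sample dump is constructed from the values above (program headers at 52, section headers at 12600, three 0x1000-byte pages) and assumes the 0x370 bytes readelf wanted are 22 section headers of 40 bytes each, which is the ELF32 layout of an ARM so; because the dumped segment starts at file offset 0, dump offsets and file offsets coincide for the header.

```python
import struct

ELF32_HDR = struct.Struct("<16sHHIIIIIHHHHHH")  # little-endian ELF32 Ehdr, 52 bytes
ET_DYN = 3
EM_ARM = 40


def make_sample_dump(size: int = 0x3000, shoff: int = 12600,
                     shnum: int = 22, shentsize: int = 40) -> bytes:
    """Constructed stand-in for /sdcard/dump.so: a valid ELF32 header carrying the
    offsets readelf printed in the article, zero-padded to the dumped size."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, EV_CURRENT
    hdr = ELF32_HDR.pack(ident, ET_DYN, EM_ARM, 1, 0,
                         52, shoff, 0,              # e_phoff, e_shoff, e_flags
                         52, 32, 3,                 # e_ehsize, e_phentsize, e_phnum (assumed)
                         shentsize, shnum, shnum - 1)
    return hdr + b"\x00" * (size - len(hdr))


def check_section_headers(dump: bytes) -> dict:
    """Parse the ELF header of a memory dump and report whether the program header
    table and the section header table fall within the dumped bytes."""
    if len(dump) < ELF32_HDR.size or dump[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if dump[4] != 1:
        raise ValueError("only ELF32 handled here")
    f = ELF32_HDR.unpack_from(dump)
    e_type, e_phoff, e_shoff = f[1], f[5], f[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = f[9], f[10], f[11], f[12]
    shdr_bytes = e_shentsize * e_shnum
    return {
        "type": "DYN" if e_type == ET_DYN else str(e_type),
        "phoff": e_phoff,
        "shoff": e_shoff,
        "shdr_bytes": shdr_bytes,                       # what readelf tries to read
        "phdr_in_dump": e_phoff + e_phentsize * e_phnum <= len(dump),
        "shdr_in_dump": e_shoff + shdr_bytes <= len(dump),
    }


if __name__ == "__main__":
    info = check_section_headers(make_sample_dump())
    print(info)  # shdr_in_dump is False: 12600 + 0x370 exceeds the 0x3000-byte dump
```

The same check run on the original so pulled from the APK returns shdr_in_dump True, which is why the section headers have to be spliced in from that file.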


In essence, the instructions in the so at this point should be those of the real business logic; extracting a Dex file works the same way, and at this point you can use IDA for static analysis.


Attachment: the memdump tool. I compressed it a bit; just decompress it. As for the source code, anyone who needs it can leave an email address below and I can send it.

