Bangcle (Bangbang) enterprise packer: analysis of anti-debugging and hook detection

1. Preface

I have recently been studying the Bangcle packer. While debugging it I kept running into its anti-debugging: every debugging session was interrupted, which was quite frustrating. A friend then sent me post [1], which covers one of the anti-debugging checks. I learned a lot from it and it gave me a direction, and I went on to add the remaining anti-debugging checks myself. If anything is missing, corrections from more experienced readers are welcome.

2. Anti-debugging: timing-thread detection

Once debugging has started, the first thing is to verify the procedure from post [1]; roughly it goes like this:

Run brpt.py (the relevant part is shown below) and then press F9 repeatedly:

...
from idc import *

def findmodule(name):
    # walk the debugger's module list and return the base of the first module
    # whose name contains `name` (reconstructed; the original helper sits in
    # the elided part of the script)
    base = GetFirstModule()
    while base:
        if name in GetModuleName(base):
            return base
        base = GetNextModule(base)
    return None

# set breakpoints
# get the module base from memory
base = findmodule('linker')

# .text:00002464     blx        R4
addr = base + 0x2464   # this offset must be read from the linker module statically in IDA
# breakpoint inside linker
AddBpt(addr)

# breakpoints on the libc.so library functions
AddBpt(LocByName('fopen'))
AddBpt(LocByName('ptrace'))
...

When LR is inside the function PB54EB0CAE49198754C66F4A57BDB01DF, the first anti-debugging thread has been created; libDexHelper.so:pDD8ABF73B0AE99BD998BC5C954A74856 is then called.

Press F9 again and execution breaks at the fopen mentioned in the post.

After fopen has executed, return to the calling function LibDexHelper.so:p8878CAA1006835C9D43174C88143BA8B, set a breakpoint a little further down, press F9 to run to it, then inspect the register values and modify them accordingly. The idea is to skip the call libDexHelper.so:AEDC62A8 BLX SUB_AEDA6ECC.

Once that call has been passed, execution leaves the called function; at the point shown in the screenshot, change the R0 register value to 0, or patch the instruction to #0; either works.

Then set a breakpoint at P39D6B1EED99DC7E506A9D4E07BD58D3A;

after F9, execution jumps to p39d6b1eed99dc7e506a9d4e07bd58d3a.

This function behaves like kill; for the details see post [1].

Static analysis then reveals where the timing thread is created, as follows:

The timing-detection function itself looks like this:

It mainly calls gettimeofday to read the time and then performs the following comparisons:

If the conditions are not satisfied, the process is killed.
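The check described above, as an added example in C (not the packer's code; the page only shows it in screenshots): a detection thread samples gettimeofday() around a short sleep and kills the process through a raw kill syscall when the gap is too long, which is what happens when a breakpoint or a single-step has stopped the process inside the window. The threshold, the sleep length and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed threshold: the constant the packer compares against is not on the page. */
#define MAX_ELAPSED_US 100000L   /* 100 ms */
#define PROBE_SLEEP_US 10000L    /* the "work" between the two timestamps: 10 ms */

/* Microseconds between two gettimeofday() samples. */
long elapsed_us(const struct timeval *before, const struct timeval *after)
{
    return (after->tv_sec - before->tv_sec) * 1000000L
         + (after->tv_usec - before->tv_usec);
}

/* The comparison the page describes: a gap far longer than the work inside the
 * window means the process was stopped, e.g. on a breakpoint. 1 = suspicious. */
int gap_is_suspicious(long gap_us)
{
    return gap_us > MAX_ELAPSED_US;
}

/* Wrapper over raw (sec, usec) pairs so the arithmetic can be exercised directly. */
int check_window(long sec0, long usec0, long sec1, long usec1)
{
    struct timeval t0 = { sec0, usec0 }, t1 = { sec1, usec1 };
    return gap_is_suspicious(elapsed_us(&t0, &t1));
}

/* Kill ourselves through the raw syscall rather than libc's kill(): the page renames
 * the packer's kill-like function P3_linux_syscal_kill, i.e. a direct syscall that a
 * hooked libc cannot intercept. */
static void syscall_kill_self(void)
{
    syscall(SYS_kill, getpid(), SIGKILL);
}

/* Body of the detection thread: measure, compare, kill. */
static void *timing_thread(void *arg)
{
    (void)arg;
    for (;;) {
        struct timeval t0, t1;
        gettimeofday(&t0, NULL);
        usleep(PROBE_SLEEP_US);
        gettimeofday(&t1, NULL);
        if (gap_is_suspicious(elapsed_us(&t0, &t1)))
            syscall_kill_self();
    }
    return NULL;
}

/* Start the detached detection thread; returns pthread_create's result (0 = ok). */
int start_timing_thread(void)
{
    pthread_t th;
    int rc = pthread_create(&th, NULL, timing_thread, NULL);
    if (rc == 0)
        pthread_detach(th);
    return rc;
}

int main(void)
{
    if (start_timing_thread() != 0)
        return 1;
    /* Stand-in for the app doing its work. Attach a debugger and hold the process
     * stopped for longer than MAX_ELAPSED_US and the thread kills it. */
    for (int i = 0; i < 10; i++) {
        printf("still alive (%d)\n", i);
        usleep(100000);
    }
    return 0;
}
```

A check of this shape hands its verdict back in R0 (ARM's return register), which is what the R0-to-0 patch in the walkthrough above exploits: it is the same as gap_is_suspicious() always returning 0. The check is a heuristic: it also fires on a heavily loaded device or when the process is merely stopped with SIGSTOP. On glibc older than 2.34, link with -lpthread.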

That concludes the timing detection.

3. Anti-debugging: ptrace detection

Next is the ptrace-detection function. Static analysis shows ptrace is called three times: first PTRACE_ATTACH, then a second call whose result is compared with 0, and finally PTRACE_DETACH, as follows:

In addition, case 13 calls PF77EA32766D841ED6BD10130E181CB0D(), which is also ptrace detection.

ptrace detection is also invoked at p9392640b2e38b72373213c945704ca08.

The specific function looks like this:

where p1ebfb58d66c99cad7405904c9b93559d() calls p39d6b1eed99dc7e506a9d4e07bd58d3a.
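The three-call ptrace check described above, as an added example in C (not the packer's code): a forked child attaches to its parent with PTRACE_ATTACH, and because a process can have only one tracer, EPERM on that attach means a debugger is already there; the child then waits for the stop and detaches, checking the result against 0. The fork arrangement, the use of waitpid for the middle step and the function names are assumptions; the page only states that ptrace is called three times and that the second result is compared with 0.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Only one tracer may be attached to a process, so an attach attempt that fails
 * with EPERM means a debugger (or another tracer) already holds the target.
 * 1 = debugger suspected, 0 = not. Other errors are not treated as evidence. */
int attach_indicates_debugger(long rc, int err)
{
    return rc == -1 && err == EPERM;
}

/* ATTACH, a result checked against 0, DETACH. Assumption (not shown on the page):
 * the calls run in a forked child that targets its parent, so the app effectively
 * tries to debug itself. Returns 1 = debugger suspected, 0 = clean, -1 = the check
 * could not be completed. */
int ptrace_self_check(void)
{
#ifdef PR_SET_PTRACER
    /* Linux hosts with Yama ptrace_scope=1 forbid a child attaching to its parent
     * unless the parent opts in; Android devices typically do not enforce Yama. */
    prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
#endif
    pid_t parent = getpid();
    pid_t child = fork();
    if (child < 0)
        return -1;

    if (child == 0) {
        long rc = ptrace(PTRACE_ATTACH, parent, NULL, NULL);
        if (attach_indicates_debugger(rc, errno))
            _exit(1);
        if (rc == -1)
            _exit(2);          /* ptrace unavailable (e.g. seccomp): inconclusive */
        int status;
        if (waitpid(parent, &status, 0) != parent || !WIFSTOPPED(status))
            _exit(2);
        /* the result compared with 0: detach must succeed so the parent keeps running */
        _exit(ptrace(PTRACE_DETACH, parent, NULL, NULL) == 0 ? 0 : 2);
    }

    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    int r = ptrace_self_check();
    printf("ptrace self-check: %s\n",
           r == 1 ? "debugger suspected" : r == 0 ? "clean" : "inconclusive");
    if (r == 1)
        kill(getpid(), SIGKILL);   /* the packer does this through its raw-syscall kill */
    return 0;
}
```

As with the timing check, the verdict is a 0/1 value that ends in the kill function, so the same R0 patch works; alternatively break on ptrace as brpt.py does and alter the return value. Two caveats: the check also fires when something benign is tracing the process (strace, for instance), and on Linux hosts with Yama ptrace_scope 2 or 3 the attach fails with EPERM regardless, giving a false positive.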

4. Approximate call flow

From the analysis above, the general call flow is organised as follows (diagram):

5. Hook detection: Xposed detection

For Xposed detection, the main work is comparing the relevant strings, as shown in the following screenshot:

After the comparison it returns 0 or 1, and finally calls the P39D681EED99DC7E506A9D4E07BD58D3A function mentioned above, which, as noted earlier, behaves like kill; I renamed it P3_linux_syscal_kill.

6. Hook detection: Substrate detection

Static analysis shows that the PAFD3E6E79D2F88D9F3563AE570866D51 function calls the PB4DACEC3279252082ECED1471A664BF7 function in case 2, and that function is the Substrate detection point.

The specific function looks like this:

Again it comes down to string comparison. With the information above, one could install a hook framework on the phone and verify this dynamically; because my environment has no hook framework installed, I have not verified it dynamically.
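String comparison of the kind sections 5 and 6 describe, as one added example in C covering both the Xposed and the Substrate check (not the packer's code; the strings it compares are only visible in the screenshots). It assumes the packer reads the process's own /proc/self/maps, which would account for the fopen the script breaks on, and looks for well-known file names of the two frameworks; the marker list, the sample maps lines and the function names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed marker list: the exact strings the packer compares are only in the
 * page's screenshots; these are the usual file names of the two frameworks. */
static const char *const HOOK_MARKERS[] = {
    "XposedBridge.jar",        /* Xposed: the Java bridge mapped into every app */
    "libxposed_art.so",        /* Xposed: native part for ART */
    "app_process_xposed",      /* Xposed: replacement zygote launcher */
    "libsubstrate.so",         /* Cydia Substrate: native hooking library */
    "libsubstrate-dvm.so",     /* Cydia Substrate: Dalvik bridge */
    "com.saurik.substrate",    /* Cydia Substrate: package path */
};
#define HOOK_MARKER_COUNT (sizeof HOOK_MARKERS / sizeof HOOK_MARKERS[0])

/* Return the first marker found in the text, or NULL if none matches. */
const char *hook_marker_name(const char *text)
{
    for (size_t i = 0; i < HOOK_MARKER_COUNT; i++)
        if (strstr(text, HOOK_MARKERS[i]))
            return HOOK_MARKERS[i];
    return NULL;
}

/* The 0/1 result the page describes, over the text of a maps file. */
int hook_framework_present(const char *maps_text)
{
    return hook_marker_name(maps_text) != NULL;
}

/* The live version: scan this process's own memory map line by line. */
int hook_framework_loaded(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[1024];
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = hook_marker_name(line) != NULL;
    fclose(f);
    return found;
}

/* Constructed sample maps excerpts (not captured from a device). */
static const char SAMPLE_MAPS_CLEAN[] =
    "12c00000-12d00000 rw-p 00000000 00:00 0     [anon:dalvik-main space]\n"
    "7f3a1d2000-7f3a1f8000 r-xp 00000000 fd:00 1234    /system/lib64/libc.so\n";
static const char SAMPLE_MAPS_XPOSED[] =
    "12c00000-12d00000 rw-p 00000000 00:00 0     [anon:dalvik-main space]\n"
    "7f3b000000-7f3b020000 r--p 00000000 fd:00 5678    /system/framework/XposedBridge.jar\n";
static const char SAMPLE_MAPS_SUBSTRATE[] =
    "7f3c000000-7f3c010000 r-xp 00000000 fd:00 9012    "
    "/data/app/com.saurik.substrate-1/lib/arm64/libsubstrate.so\n";

int main(void)
{
    printf("clean sample:     %d\n", hook_framework_present(SAMPLE_MAPS_CLEAN));
    printf("xposed sample:    %s\n", hook_marker_name(SAMPLE_MAPS_XPOSED));
    printf("substrate sample: %s\n", hook_marker_name(SAMPLE_MAPS_SUBSTRATE));
    printf("this process:     %d\n", hook_framework_loaded());
    return 0;
}
```

The result is the same 0/1 that feeds the kill function, so the bypass is identical to the one for the anti-debugging checks. The weakness of the approach is also visible: a framework that avoids these names, or a renamed library, passes unnoticed, and the list has to be maintained as frameworks change.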

7. Summary

Given the analysis above, getting past these checks is easy and the concrete steps are not difficult, so I will not repeat them; the method can be found in post [2]. I worked around them with an IDAPython script and can now debug happily. Of course the above is not all of the anti-debugging: other details are handled according to the specific situation, and the inotify check is not analysed here; see post [3] for that. For the Bangcle packer this is only the first step; there is a lot more waiting for us to dig into.

8. References

[1] https://bbs.pediy.com/thread-223808.htm

[2] https://bbs.pediy.com/thread-218938.htm

[3] https://bbs.pediy.com/thread-223320.htm

* Original author: y0nlandroid. This article belongs to the FreeBuf original reward scheme; reprinting without permission is prohibited.

Original address: http://www.freebuf.com/articles/es/160656.html
