Function Hooking with Xposed
Jaime Geiger
http://tiny.cc/bsidesroc-xposed
Agenda
● Intro - whoami, whoareyou, what is xposed?
● Tools (brief) - JD-gui, jad, apktool, aapt, dex2jar
● What to hook - making sense of obfuscation, finding the right function to hook
● Basic hooks - hooking code, changing return values/parameters
● Reversing - making the app do the work, dumping API keys
● Disabling Security Checks - certificate pinning
# whoami
● @jgeigerm / wumb0 - wumb0.in
● InfoSec @ RIT (or CSEC, whatever)
● Working for Grimm after graduation in VA (grimm-co.com)
● Hobbies/Interests:
○ CTFs, Reversing, Exploitation
○ Collecting acronyms: RC3, KDR, CCDC, SI, R2D2, ACDC, etc. etc.
○ Poking android (in all the right places)
○ Red team & malware development
# who -u
● RIT Students?
● Java programmers?
● Android users?
● Android application programmers?
● Used xposed before?
● Written xposed modules before?
● None of the above?
What’s an Xposed? Sounds hot.
● Function and resource hooking framework
○ Modify functions (returns, parameters, exceptions) & UI elements
● Written and maintained by rovo89 (GitHub)
● Replaces app_process to allow access to ART/Dalvik
● It is hot!
How does xposed work?
● Does not change an app’s signature
● Replacement app_process that adds a jar to the java classpath
○ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
○ All processes are forked from zygote - hook zygote, hook all apps!
○ Jar added is the xposedbridge!
● (Yes you need root to do this!)
JD-GUI/jad
● Java decompilers
● JD-GUI takes jar/class files and has a browser
● Jad takes class files only
○ but better decompilation, IMO
dex2jar/apktool
● dex2jar converts dex (classes in an APK) into JAR
● apktool extracts smali (Java bytecode) and resources from an APK
aapt
● Part of build-tools in the Android SDK
● Lets you see resources inside an APK without unpacking it
● Decompiled code has references to string values by number
○ Jad has them in hex
○ JD-GUI has them in decimal
● Need this to search strings completely
aapt d strings the.apk | grep "looking for this string"
Custom Tools to help!
● apkdecompile.sh - unpacks and decompiles all classes in APK
○ Requires dex2jar and jad
○ Has a --shitty option (see unzipshittyobfuscatedjar.sh...)
● searchstring.sh - search a string value in an APK by hex or decimal number
○ Requires aapt
● unzipshittyobfuscatedjar.sh - sometimes obfuscated class names are Aa.class AND AA.class AND aa.class
● Find them here
Process
1. Get the apk
○ @ www.apk4fun.com (pls no piracy) or /data/app on device
2. Convert to JAR (d2j-dex2jar the.apk) and extract (apktool d the.apk)
3. Decompile with jad or jd-gui
4. (maybe) smash head against obfuscation
○ Look at strings, related functions, etc.
5. Identify relevant classes and functions
Important imports!
● XposedBridge.jar - contains all necessary classes for module dev
● XposedHelpers.findAndHookMethod
● XposedHelpers.callMethod
● IXposedHookLoadPackage - base class loaded on app init
● XC_MethodReplacement/XC_MethodHook
● Callbacks.XC_LoadPackage.LoadPackageParam - package
information
● XposedBridge - helpers (logging)
Xposed Project Module Structure
libs/XposedBridge.jar -> ../XposedBridge/app/build/intermediates/packaged/release/classes.jar
build.gradle - root project build file
local.properties - specifies Android SDK directory
app/
    build.gradle - details module, includes XposedBridge from libs
    src/main/
        AndroidManifest.xml - defines the app permissions and such
        assets/xposed_init - tells xposed what class to run on start
        res/ - any resources you need (strings, layouts, etc.)
        java/your/company/appname/Hooks.java - hooks to install
See xposed skeleton creator in the GitHub repo for this talk!
Side Note: Building and Installing Modules
● Build with gradle (gradle build)
● Output APK is at app/build/outputs/apk/app-debug.apk
○ Feel free to sign it
● adb install -r app/build/outputs/apk/app-debug.apk
Package hooking skeleton
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Hooks implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam)
            throws Throwable {
        // only act inside the process of the app we care about
        if (!lpparam.packageName.equals("the.package.name"))
            return;
        // find and hook methods here
    }
}
findAndHookMethod
● Finds a class method by name and hooks it with whatever you want
1. Return a constant
2. Ignore it completely
3. Do something before the function is called
4. Do something else instead
5. Do something after the function is called successfully
findAndHookMethod("com.app.classname", lpparam.classLoader,
    "functionName", [func arg1 class], [func arg2 class], hook);
Scenario 1: Make a function return a constant value
● We want verifyPasscode(String passcode) in class com.bank.app.Main to always return true
○ Assume it returns a boolean
findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
    "verifyPasscode", String.class, XC_MethodReplacement.returnConstant(true));
Scenario 2: Ignore the function completely
● We want checkSecurity() in class com.bank.app.Main to be ignored
○ Mostly used with void functions!
findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
    "checkSecurity", XC_MethodReplacement.DO_NOTHING);
Scenario 3: Do something before the function is called
● We want to check the parameter for function transferFunds(String toAccount) in class com.bank.app.Main and change it
findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
    "transferFunds", String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            param.args[0] = "12345678";
            XposedBridge.log("changed account number!!");
        }
    });
Scenario 4: Do something else instead
● We want checkPasswordOK(String password) in class com.bank.app.Main to always return true, but also dump to the logs.
○ Assuming the function returns a boolean
findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
    "checkPasswordOK", String.class, new XC_MethodReplacement() {
        @Override
        protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
            XposedBridge.log((String) param.args[0]);
            return true;
        }
    });
Scenario 5: Do something after the function is called
● We want to get the return value of generateToken() in class com.bank.app.Main and dump it to the logs
○ Assuming it returns a string with the token
findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
    "generateToken", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            XposedBridge.log((String) param.getResult());
        }
    });
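Putting the five scenarios together: the module class below installs one hook that covers both the "before" and "after" cases, recording a method's parameters and its return value (or the exception it threw) without changing the app's behaviour, which is the pattern used later in the talk to dump deobfuscated values from the logs. It also handles the case the talk warns about, where obfuscated names change on every app update: a class or method that no longer exists is logged rather than allowed to crash the hooked process. This is an added example, not code from the talk or from the Xposed project; com.bank.app, com.bank.app.Main and the method names are the deck's hypothetical stand-ins, and the package your.company.appname follows the module layout shown above.

```java
package your.company.appname; // follows the hypothetical layout java/your/company/appname/Hooks.java

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

import java.util.Arrays;

public class Hooks implements IXposedHookLoadPackage {

    // Hypothetical target app and class, the same stand-ins the scenarios use.
    private static final String TARGET_PACKAGE = "com.bank.app";
    private static final String TARGET_CLASS = "com.bank.app.Main";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage runs in every app process; only act in the one we care about
        if (!lpparam.packageName.equals(TARGET_PACKAGE)) {
            return;
        }
        // Scenario 3 target: a method with one String parameter
        traceMethod(lpparam, TARGET_CLASS, "transferFunds", String.class);
        // Scenario 5 target: a method with no parameters
        traceMethod(lpparam, TARGET_CLASS, "generateToken");
    }

    // Hooks className.methodName(parameterTypes...) and logs arguments, result and
    // exceptions. It never modifies param.args or the result, so the app behaves as before.
    private static void traceMethod(LoadPackageParam lpparam, String className,
                                    String methodName, Object... parameterTypes) {
        // findAndHookMethod takes the parameter types followed by the callback in one varargs list
        Object[] paramsAndHook = Arrays.copyOf(parameterTypes, parameterTypes.length + 1);
        paramsAndHook[parameterTypes.length] = new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) {
                XposedBridge.log(methodName + " called with " + Arrays.toString(param.args));
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                if (param.hasThrowable()) {
                    XposedBridge.log(methodName + " threw " + param.getThrowable());
                } else {
                    XposedBridge.log(methodName + " returned " + param.getResult());
                }
            }
        };

        try {
            XposedHelpers.findAndHookMethod(className, lpparam.classLoader, methodName, paramsAndHook);
        } catch (XposedHelpers.ClassNotFoundError | NoSuchMethodError e) {
            // Obfuscated names move between releases; report the miss instead of
            // letting the Error propagate out of handleLoadPackage and kill the app.
            XposedBridge.log("could not hook " + className + "." + methodName + ": " + e);
        }
    }
}
```

The class name above must match the line in assets/xposed_init (your.company.appname.Hooks) for Xposed to load it, and the output appears in the Xposed log alongside the entries from the scenario hooks.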
Practical Example & Demo: Words With Friends
Word checking is done client side, so we’ll disable the check
1. Decompile/unpack
2. Find where word validation is done
3. Hook function to always return true (XC_MethodReplacement)
4. Cheat!
Getting to the Goods
● Obfuscated code/variables/keys can be annoying to find in an app
● If the app checks its own signature, decompiling, editing, and recompiling is ruled out
● Dump variables to the logs after they have been deobfuscated/calculated
Practical Example & Demo: Yik Yak
● API key is calculated based on the app’s signature (YikYak.a)
● getBytes method is used on the variable when requests are being signed (post calculation)
○ Part of java.lang.String
● Dump key out to the logs, acquire API key, make requests with python!
● And yes, every time they update the app, the obfuscation changes...
Android Application Auditing
● Man-in-the-middle-ing is useful
○ If the app employs certificate pinning you are out of luck
○ Alternative method is static code analysis
● You can disable certificate pinning with xposed!
Practical Example & Demo: Yik Yak (pt. 2)
● SSLPeerUnverifiedException is thrown if the certificate is invalid
○ A few hours of reversing told me this. I'll spare you that demo :)
● Find the SSLPeerUnverifiedException, hook the function it's thrown in, and cert pinning goes away
● Let’s MITM
Other Resources and Code
● Code from this presentation: rev_tools, xposed_mods
● rovo89’s module development tutorial
● XDA forum for xposed modules and development
● Xposed source code
● Snapprefs source code