paper.rverse.engineers.mobile.apps.meyers source meet
TRANSCRIPT
-
7/31/2019 Paper.rverse.engineers.mobile.apps.Meyers SOURCE MEET
1/80
Reverse Engineering Mobile Malware
ADAM MEYERS
-
Introduction
Disclaimer
Types of Mobile Devices
Platform Models
ARM Primer
Malware on Mobile
Static Analysis
Dynamic Analysis
Conclusion
Q&A
-
Who are you, and what are you doing here?
CrowdStrike
Stealth mode startup
Hand-picked A-Team of technical talent
26 Million Venture Funding
You don't have a malware problem, you have an adversary problem
Adam Director of Intelligence
10 years at SRA International - Defense Contractor
Security Consultant/Penetration Test Team/Forensic Technician/Security Architect
Reverse Code Analysis
-
Goal
Learn about ARM/RISC processors, assembly, nuances versus x86
Learn about different mobile operating system architectures
Learn approaches for static and dynamic reverse engineering
Have fun!
-
Hacker Fail
Fall 2008 a promise is made
Meet JK Benites
This genius left his name (unobfuscated) in the malware he wrote to steal banking credentials and ended up at a certain US Government Agency
"i'm JK Benites. I like the music, i love the rock N metal, i'm a person that like stranges things, like adredaline, be good with friends, make new things... i play the guitar, my guitar is my life, with she i can show that i feel. i like the Pcs, too.... Visit my profil in Hi5: http://jkprotection.hi5.com  City: Piura  Hometown: Piura"
-
Compliance
Angry Birds
lulz
APT
Cyberwar
Kill Chain DFIR
-
Disclaimer
Standard legal mumbo-jumbo.
You have the right to remain silent. Anything you say or do can and will be used against you in a court of law. You have the right to an attorney. If you cannot afford an attorney, one will be appointed to you.
Prohibition on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all.
Energy can be transformed (changed from one form to another), but cannot be created or destroyed.
-
Why mobile is important
Increase 3Q11 from 3Q10 = 34,000,000
-
Different Flavors
IOS (iPhone/iPad/AppleTV)
Android (Multiple Types)
Symbian
Windows Mobile
Blackberry Q2 2011
-
Different Platforms
Same OS
-
Similar Platforms
Different OS
-
About
Platform Architecture is a high level overview of the way a complex system is implemented
Understanding mobile system architecture is important to understanding how to reverse engineer on that platform
-
Android Architecture
-
IOS Architecture
-
IOS Frameworks
Cocoa UI Framework: Address Book UI, EventKit UI, GameKit, iAd, MapKit, Message UI, UIKit
Media Frameworks: Assets Library, AV Foundation, Core Audio, Core Graphics, Core MIDI, Core Text, Core Video, Image I/O, Media Player, OpenAL, OpenGL, Quartz Core
Core Services Frameworks: Address Book, CFNetwork, Core Data, Core Foundation, Core Location, Core Media, Core Telephony, Event Kit, Foundation, Mobile Core, Quick Look, Store Kit, SysConf
Core OS Layer: Accelerate, External Accessory, Security, System
-
IOS Layer
Cocoa Touch: Multitasking, Printing, Data Protection, Push Notification, Local Notification, File Sharing, P2P, View Controller, External Display
Media Layer: Graphics Technologies, Audio Technologies, AirPlay, Video Technologies
Core Services Layer: Block Objects, Grand Central Dispatch, In-App Purchase, SQLite, XML Support
Core OS Layer: Accelerate, External Accessory, Security, System
-
Windows Mobile
-
Windows Mobile
-
Symbian
-
Blackberry
Blackberry classes (net.rim.device.api.system)
  Application Interfaces
  Hardware Interfaces (SMS, Radio, etc.)
  Events
  etc.
Java classes
  Error Handling
  Memory
  JVM
  MIDP
  CLDC
  etc.
-
If you really need a pic
[Diagram: net.rim.device.api.system (Application, Hardware Interfaces, Security, System) on top of Java J2E (MIDP, CLDC, Garbage Handler, Memory Manager, Error Handling)]
-
What is ARM
Most mobile and embedded devices run on a CPU architecture called ARM
Advanced RISC Machine (ARM) (a/k/a Acorn RISC Machine)
Reduced Instruction Set Computer
RISC emerged in the 1970s; the concept was that simpler CPU instructions would increase performance
Made possible by higher-level (than assembly) languages
First chips emerged 1987
ARM Processor Families
ARM7/ARM9/ARM11/ARMCortex
Differ from ARM Architecture (e.g. ARMv7 == Cortex)
-
ARM versus x86
Reduced Instruction Set
More instructions per complex operation as compared to x86 assembly
Fixed Width Instructions
x86 can have variable length instructions
ARM has fixed 32-bit instructions*
Memory Alignment
ARM/RISC requires aligned memory (impacts on exploit dev)
Aligned memory requires padding
Conditional Execution
Top 4 bits of each instruction contain a condition code**
EQ  Equal
NE  Not Equal
CS  Carry Set
HS  Unsigned Higher or Same
CC  Carry Clear
LO  Unsigned Lower
MI  Minus or Negative Result
PL  Positive or Zero Result
VS  Overflow
VC  No Overflow
HI  Unsigned Higher
LS  Unsigned Lower or Same
GE  Signed Greater or Equal
LT  Signed Less Than
GT  Signed Greater Than
LE  Signed Less Than or Equal
AL  Always
-
Thumb-State
Thumb state is designed to optimize code density by allowing the processor to enter a state that uses fixed 16-bit instructions
Thumb == 16-bit mode
Several different implementations of Thumb modes exist depending on processor
Thumb
Thumb-2 (additional features/instructions)
32-bit unconditional instructions
ThumbEE: Jazelle Runtime Compilation Target (RCT)
Jazelle
Direct Bytecode eXecution (DBX) feature supporting Java byte code execution
Initiated using the Branch and eXchange to Java (BXJ) instruction
Thumb mode 16 bit equivalent instructions are defined when applicable
-
ARM Registers
ARM has 16 general-purpose registers
Named R0 - R15
R0 - Argument1/Return Value/Temporary Register
R1 - Argument2/second 32 bits of return value (optional)/Temporary Register
R2/R3 - Arguments/Temporary Registers
R4-R10 Permanent Registers
R11 ARM Frame Pointer/Permanent Register
R12 Temporary Register
R13 Stack Pointer/Permanent Register
R14 Link Register/Permanent Register (Return Address stored here)
R15 Program Counter
CPSR Current Program Status Register
Upper four bits contain conditional flags: Negative, Zero, Carry, oVerflow
Additional control bits in the lower 8, e.g.: Thumb instruction set, operating mode, etc.
SPSR Saved Program Status Register (Exception modes)
-
CPSR
Bit    Field    Meaning
31     N        Negative        (conditional flags)
30     Z        Zero            (conditional flags)
29     C        Carry           (conditional flags)
28     V        oVerflow        (conditional flags)
7      I        IRQ disable     (interrupt)
6      F        FIQ disable     (interrupt)
5      T        Thumb Mode
4-0    M4-M0    Operating Mode
-
Operating Modes
User: This mode is used to run the application code. Once in user mode the CPSR cannot be written to and modes can only be changed when an exception is generated.
FIQ: (Fast Interrupt reQuest) This supports high speed interrupt handling. Generally it is used for a single critical interrupt source in a system
IRQ: (Interrupt ReQuest) This supports all other interrupt sources in a system
Supervisor: A protected mode for running system level code to access hardware or run OS calls.
Abort: If an instruction or data is fetched from an invalid memory region, an abort exception will be generated
Undefined Instruction: If a FETCHED opcode is not an ARM instruction, an undefined instruction exception will be generated.
-
Exception Modes
Exceptions occur for three possible reasons
Executing an Instruction (e.g.: Bad Instruction)
Side effect of executing an instruction (e.g.: fetching from invalid memory)
Exception unrelated to execution (e.g.: Interrupt)
Exception Flow
Switch the processor to a privileged mode
PC+4 -> LR
SPSR == CPSR
Interrupts Disabled
PC == Exception Vector Address
Vector Address derived from exception vector table
-
A Rx by any other name
R15 == PC (Program Counter)
R14 == LR (Link Register/Address)
R13 == SP (Stack Pointer)
R12 == IP (Inter Procedure Call Stack Register)
R11 == FP (Frame Pointer)
R10 == SL (Stack Limit)
R9 == SB (Stack Base)
R4-R11 == V1-V8 (Variable Registers)
R0-R3 == A1-A4 (Scratch Registers)
-
ARM Instructions
Branching Instructions
B, BL, BX, BLX, BXJ
Arithmetic
ADD, ADC, SUB, RSB, SBC, RSC
Bitwise Operations
ASR, LSR, LSL, ROR, RRX
Logical Operations
AND, ORR, EOR, BIC, ORN
Comparisons
CMP, CMN
Data manipulation
MOV, MVN, MOVT
Detailed breakdown:
-
Branching
B = Branch
Branch can include condition
BL - Branch with Link
Calling a routine
PC+4 -> LR
SubRoutine Address -> PC
Return: LR -> PC
BX/BLX = Branch eXchange Instruction (Switch between Thumb and ARM Mode)
-
Different than x86
ADD R11, SP, #0x12                         ADD Operand1, Operand2 (optional)
SUB R11, SP, #0x12                         SUB Operand1, Operand2 (optional)
LDMIA R1, {R2, R3}                         LDMIA Memory Location, {Destination 1, Destination 2}
SUBS R11, SP, #0x12 ; Status Flags Set     SUBS Operand1, Operand2 (optional)
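Added example (not from the slides): a small Python model of the CPSR condition flags, the 4-bit condition field in bits 31:28 of an ARM-state instruction, and the flag-setting SUBS/CMP shown above. It ties the condition-code table to what a reverser sees in a listing: CMP R4, #4 followed by BNE sub_8000 (the sequence in the disassembly slide later in this deck) is evaluated from the flags. The instruction word 0x1A000005 and the register values are constructed for the demo; the condition table is the standard ARM one, with HS/LO as aliases for CS/CC.

```python
from dataclasses import dataclass

# Condition field (bits 31:28 of every ARM-state instruction) -> mnemonic, as on the slide
COND_NAMES = {
    0x0: "EQ", 0x1: "NE", 0x2: "CS", 0x3: "CC", 0x4: "MI", 0x5: "PL",
    0x6: "VS", 0x7: "VC", 0x8: "HI", 0x9: "LS", 0xA: "GE", 0xB: "LT",
    0xC: "GT", 0xD: "LE", 0xE: "AL",
}
MASK32 = 0xFFFFFFFF


@dataclass
class CPSR:
    """The CPSR bits this model needs: N Z C V in bits 31..28 and the Thumb bit T (bit 5)."""
    n: bool = False
    z: bool = False
    c: bool = False
    v: bool = False
    t: bool = False

    def to_word(self) -> int:
        return (self.n << 31) | (self.z << 30) | (self.c << 29) | (self.v << 28) | (self.t << 5)


def cond_of(instr: int) -> str:
    """Mnemonic of the condition field in the top 4 bits of a 32-bit ARM instruction word."""
    return COND_NAMES.get((instr >> 28) & 0xF, "UNPRED")   # 0xF is the unconditional/unpredictable space


def cond_passes(cond: str, f: CPSR) -> bool:
    """Evaluate a condition code against the flags (the slide's table, HS/LO as aliases of CS/CC)."""
    table = {
        "EQ": f.z, "NE": not f.z,
        "CS": f.c, "HS": f.c, "CC": not f.c, "LO": not f.c,
        "MI": f.n, "PL": not f.n,
        "VS": f.v, "VC": not f.v,
        "HI": f.c and not f.z, "LS": (not f.c) or f.z,
        "GE": f.n == f.v, "LT": f.n != f.v,
        "GT": (not f.z) and f.n == f.v, "LE": f.z or f.n != f.v,
        "AL": True,
    }
    return table[cond]


def subs(rn: int, op2: int) -> tuple:
    """SUBS Rd, Rn, op2 (CMP is the same without keeping the result): Rn - op2 with N Z C V updated.
    ARM sets C when the subtraction does NOT borrow, the opposite of x86's CF after SUB."""
    rn &= MASK32
    op2 &= MASK32
    result = (rn - op2) & MASK32
    flags = CPSR(
        n=bool(result >> 31),
        z=result == 0,
        c=rn >= op2,
        v=bool(((rn ^ op2) & (rn ^ result)) >> 31),   # signed overflow: operand signs differ and result sign flipped
    )
    return result, flags


def branch_taken(instr: int, flags: CPSR) -> bool:
    """Would the conditional branch encoded in instr be taken with these flags?"""
    return cond_passes(cond_of(instr), flags)


def demo() -> tuple:
    # CMP R4, #4 followed by BNE sub_8000: with R4 == 4 the compare sets Z, so the NE branch falls through.
    _, flags = subs(4, 4)
    bne = 0x1A000005          # constructed encoding: cond=0001 (NE), bits 27:25 = 101 (B), offset 5
    return cond_of(bne), branch_taken(bne, flags), hex(flags.to_word())


if __name__ == "__main__":
    print(demo())
```

The flag-setting detail matters when reading compiler output: a BLS after a CMP is "unsigned lower or same", i.e. taken when C is clear or Z is set, which is not the x86 reader's intuition about the carry flag.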
-
Malware On Mobile
Lots of devices out there and malware is beginning to target these devices, which, in addition to everyday life, are quickly invading the corporate network - Oh noes!
Malware on mobile has a few places to live
Mobile Application (User land)
Mobile Platform/OS (Kernel land)
Other (SIM chip, Bootloader, Baseband, etc)
Detection/Prevention is difficult due to limited security tools (Mobile Device Management)
So many different platforms; this makes malware tracking and analysis a moving target
-
Attacker Vectors
Mobile malware can originate in different locations
AppStore Malware
Google Appstore
3rd Party Appstores
iTunes AppStore
etc
Attack Payload Drive-by (Web attack)
Spearphish/Social Engineering
mdot seeding (m.mydomain.com)
Malicious Mobile Apps get all the attention right now:
-
Dog Wars
August 2011: Kage Games releases Dog Wars
Beta code circulated on warez sites
Modified APK contains class rabbies
Rabbies generates an SMS message to contacts:
"I take pleasure in hurting small animals, just thought you should know that"
-
SandBoxes
Access Control System/Profiles == Sandbox
"...in computing, sandboxes should be applied broadly to all apps, ideally ensuring that they cannot cause much harm if they get compromised." - Apple
[Diagram: MyApplication in user land issues user mode calls; the Sandbox kernel component in kernel land answers yes/no before the system subsystem is reached]
-
Code Signing
Ensure that if an app is signed and this is validated by the appstore, it *should* be safe
Asymmetric Cryptographic Systems
Reverse Engineering Challenge
Primarily impacts IOS due to iTunes distribution mechanism
IPA - more on static analysis
-
Sample Collections
Contagio Mobile Malware Mini-dump
Searching google: site:.cn filetype:apk == win
Searching google: site:.cn filetype:jad
Etc
-
Mobile Packages
Blackberry - JAD/COD
WinMo - CAB (Cabinet Archive)
Android - APK
Contains:
AndroidManifest.xml
META-INF
classes.dex
res/
resources.arsc
iPhone/iPod/iPad - IPA
Contains:
iTunesMetadata.plist
iTunesArtwork
Payload/.app
Symbian - SiS/SiSX
Contains:
private/
resource/
sys/bin/<application name>.exe
Typically these files are compressed and contain a manifest of some form and binary executable code
iOS Malware packages may be designed for jailbroken phones; this is typically a more realistic attack vector to avoid vendor detection - this will be manifested as a gzipped package
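Added example (not from the slides or from any of the tools listed later): a Python triage of an APK as the zip it is, covering the Android package contents above. It inventories the entries, then checks the JAR-style v1 signing manifest in META-INF, which carries a SHA1-Digest for every file: an entry with no digest was added after signing, and a digest mismatch means the file was changed, which is the kind of repack the Dog Wars slide describes. The APK it builds is constructed in memory with placeholder bytes (no real code, no real signature), and the file name assets/rabbies.bin is an invented stand-in.

```python
import base64
import hashlib
import io
import zipfile

# Entries every Android APK carries (the slide's list); META-INF is checked separately
EXPECTED = ("AndroidManifest.xml", "classes.dex", "resources.arsc")


def parse_manifest_mf(text: str) -> dict:
    """Map each 'Name:' entry of META-INF/MANIFEST.MF to its SHA1-Digest (base64)."""
    # JAR manifests wrap long lines; a continuation line starts with one space
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def triage_apk(apk: bytes) -> dict:
    """Inventory an APK and check its contents against the v1 (JAR) signing manifest."""
    report = {"entries": [], "missing": [], "signed": False,
              "unsigned_entries": [], "digest_mismatch": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        report["entries"] = names
        report["missing"] = [n for n in EXPECTED if n not in names]
        # a signature block (CERT.RSA / .DSA / .EC) next to CERT.SF means the APK was signed
        report["signed"] = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                               for n in names)
        if "META-INF/MANIFEST.MF" in names:
            digests = parse_manifest_mf(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
            for n in names:
                if n.startswith("META-INF/") or n.endswith("/"):
                    continue
                if n not in digests:
                    report["unsigned_entries"].append(n)      # added after signing
                    continue
                actual = base64.b64encode(hashlib.sha1(z.read(n)).digest()).decode("ascii")
                if actual != digests[n]:
                    report["digest_mismatch"].append(n)       # modified after signing
    return report


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed APK-shaped zip for the demo: placeholder bytes, not a real app or signature."""
    files = {
        "AndroidManifest.xml": b"<manifest package='example.app'/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
        "resources.arsc": b"\x02\x00\x0c\x00",
        "res/drawable-hdpi/icon.png": b"\x89PNG\r\n\x1a\n",
    }
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
        manifest += f"Name: {name}\nSHA1-Digest: {digest}\n\n"
    if tampered:
        # mimic a repack: one file patched and one dropped in without updating the manifest
        files["classes.dex"] += b"patched"
        files["assets/rabbies.bin"] = b"payload placeholder"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")   # stands in for the PKCS#7 signature block
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)), ("repacked", build_sample_apk(True))):
        print(label, triage_apk(apk))
```

Android's installer refuses a v1-signed APK whose entries are not all covered, so a repack that actually installs has been re-signed by whoever repacked it; the digests will then match, and the useful comparison becomes the signer certificate (keytool -printcert -jarfile app.apk) against the one the vendor's genuine builds carry.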
-
Device Forensics
Device forensics can assist in identifying malicious applications
Blackberry - Look for .cod files that shouldn't be there
IOS - Most malware requires jailbreak; this will generally leave forensic artifacts such as Cydia
Android - Harvest apk files from OS; unfortunately the location of an APK can vary based on a number of factors
Symbian/WinMo/etc
-
About
Static analysis analyzes something in a non-executing state
Little danger of compromise
Different approaches depending on system
Meta Data Extraction:
Strings
Dump Manifest File
Android: Decompilation, a different approach due to the Dalvik EXecutable (DEX) format; this can reproduce nearly compilable code
IOS/Symbian/WinMO: IDA Pro/Hex-Rays Decompiler
BBerry: Coddec (Good luck)
-
Tools
IDA Pro (www.hex-rays.com/)
HexRays ARM Decompiler (www.hex-rays.com/)
Dex2jar (code.google.com/p/dex2jar/)
Sisxplorer (www.symbian-toys.com/sisxplorer.aspx)
AXMLPrinter2.jar
Apktool.jar
Coddec
-
Cheat Sheet
Operating System    Static Analysis Tool
iOS                 Strings, IDA Pro
Android             AAPT, Dex2Jar, JD-GUI
Symbian             Strings, IDA Pro
WinMO               Strings, IDA Pro
Blackberry          Coddec
-
Encryption/Signing
Android Applications are signed by the developer
Apple applications are signed by the developer; applications obtained via iTunes generally have an encrypted component courtesy of FairPlay DRM
Detection can be accomplished by unpacking the ipa and using the Apple object tool (otool)
Symbian packages may be signed; in some cases they are not and the user can sign using something like Symbiansigned.com
Blackberry .cod files are signed and utilize the RIM cryptographic package
Windows Mobile has two different signing mechanisms depending on distribution method
Windows Marketplace Method
Windows Mobile Code Signing via Verisign
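Added example (not from the slides): the otool check on an IPA's main binary, done in Python by walking the Mach-O load commands for LC_ENCRYPTION_INFO (0x21) or LC_ENCRYPTION_INFO_64 (0x2C); a cryptid other than 0 means the FairPlay-encrypted segment has not been decrypted, which is what `otool -l <binary> | grep crypt` reports and what the dumped binary from a decrypting tool should no longer show. The Mach-O it parses is constructed in memory (a bare 32-bit ARM header plus one load command, no code); fat/universal wrappers are not handled.

```python
import struct
from typing import Optional

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM = 12


def encryption_info(data: bytes) -> Optional[dict]:
    """cryptoff/cryptsize/cryptid from the first LC_ENCRYPTION_INFO(_64) command, or None if absent.
    Handles a single little-endian Mach-O (every ARM iOS slice); fat/universal wrappers are not parsed."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        off = 28            # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32            # sizeof(struct mach_header_64), which adds a 'reserved' field
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, = struct.unpack_from("<I", data, 16)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def is_fairplay_encrypted(data: bytes) -> bool:
    """True when the binary still carries an encrypted segment (cryptid != 0)."""
    info = encryption_info(data)
    return info is not None and info["cryptid"] != 0


def build_sample_macho(cryptid: int) -> bytes:
    """Constructed 32-bit ARM Mach-O: header plus one LC_ENCRYPTION_INFO command, no code at all."""
    cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    # magic, cputype, cpusubtype (ARM_V7 = 9), filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags
    header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 1, len(cmd), 0)
    return header + cmd


if __name__ == "__main__":
    for cid in (1, 0):
        state = "encrypted" if is_fairplay_encrypted(build_sample_macho(cid)) else "decrypted"
        print("cryptid", cid, "->", state)
```

Running strings or IDA against a binary with cryptid 1 only yields the unencrypted parts (headers, some data); the encrypted range is cryptoff..cryptoff+cryptsize, which is why the decrypt-and-dump step has to come first.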
-
Obfuscation
Various obfuscation techniques are available for mobile applications
Proguard ( ) - Java obfuscator for Android and probably Blackberry
Objective C (iOS): manual techniques, which might be optimized out by the compiler
Dotfuscator, a commercial solution from PreEmptive Solutions, is typically used for obfuscating Windows Mobile
Not very common
Obfuscation varies on the available platforms and is not widely used, though increasingly Android malware seems to be using it
Developer.Android.Com recommends the use of ProGuard and mentions it is integrated into the build system
-
Package Contents
Packages in general contain graphics images resourced by the application
Various configuration files either in a binary format or text
The configuration files contain lots of useful information about the application you are reversing
Binary executables (the application) may be spread across different files depending on the mobile platform
WinMo may have an installer exe and several executables
The application functions may be spread across different binaries to limit memory footprint
-
Package Analysis
Most packages can be decompressed and analyzed with zip or other commercial/open source compression utilities
Windows Mobile uses Cabinet files, thus requiring cabextract
Symbian .sis files require special tools to extract (e.g.: sisxplorer)
-
MetaData Extraction Symbian
Several files to look at
Resource Files
$ strings *.rsc
REGIFileRegisterExit
Registration
Enter license keyEnter license keyRegistration successful!B"
Registration
Registration**\resource\apps\Registration_0x20033401.mifRegistration_0x20033401&&\resource\apps\Registration_0x20033401
Binary Files
$ strings malware.exe
EPOC*}OK15XLeaveException11CSMSHandler19MMsvSessionObserver15CCommController19MNotifyCommObserver19CGpsPositionRequest15CContactManager18MContactDbObserver
8CIMEIApp8CIMSIApp12CCallHandler17CRemoteSmsReciverc:\data\loc.txt15CDeviceLocationAPGRFX{000a0000}[10003a3c].DLLCNTMODEL{000a0000}[10003a71].DLLCOMMSDAT{000a0000}[10204ddb].DLLESTLIB{000a0000}[10003b0b].DLL...http://***REDACTED***/servicerequest.phpMalware Client17MHTTPDataSupplier24MHTTPTransactionCallback8CIMEIApp8CIMSIApp21TRegistrationItemdata
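Added example (not from the slides): a minimal `strings` in Python plus the first pass a reverser makes over its output, for the Symbian binary above: URLs, file paths, and the class names buried in Itanium-ABI mangled symbols (11CSMSHandler is an 11-character identifier, CSMSHandler). The sample bytes are constructed to match the strings shown on the slide, NUL-separated as they are in a real binary; the redacted URL is kept as the slide shows it.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# drive-letter or root-relative backslash paths such as c:\data\loc.txt or \resource\apps\x.mif
PATH_RE = re.compile(r"(?:[A-Za-z]:)?\\[\w.\-]+(?:\\[\w.\-]+)*")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like `strings -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def mangled_names(s: str) -> list:
    """Pull <length><Identifier> pieces out of Itanium-ABI mangled C++ names, the form
    Symbian (GCC/RVCT-built) binaries expose, e.g. 11CSMSHandler -> CSMSHandler.
    Requires an uppercase first letter and length >= 4 to avoid hex-looking noise."""
    names, i = [], 0
    while i < len(s):
        m = re.match(r"\d+", s[i:])
        if m:
            n = int(m.group())
            start = i + m.end()
            ident = s[start:start + n]
            if n >= 4 and len(ident) == n and re.fullmatch(r"[A-Z]\w{3,}", ident):
                names.append(ident)
                i = start + n
                continue
        i += 1
    return names


def triage_strings(data: bytes) -> dict:
    """What a reverser pulls out of `strings` output first: URLs, file paths, class names."""
    found = {"urls": [], "paths": [], "classes": []}
    for s in extract_strings(data):
        found["urls"] += URL_RE.findall(s)
        found["paths"] += PATH_RE.findall(s)
        found["classes"] += mangled_names(s)
    return found


# Constructed sample modelled on the malware.exe strings on the slide (NUL-separated as in a real binary)
SAMPLE = (
    b"EPOC*}OK\x00"
    b"15XLeaveException11CSMSHandler19MMsvSessionObserver\x00"
    b"8CIMEIApp8CIMSIApp12CCallHandler\x00"
    b"c:\\data\\loc.txt\x00"
    b"APGRFX{000a0000}[10003a3c].DLL\x00"
    b"http://***REDACTED***/servicerequest.php\x00"
    b"Malware Client\x00"
    b"\x01\x02\x03ab\x00"          # too short to count as a string
)


if __name__ == "__main__":
    for key, values in triage_strings(SAMPLE).items():
        print(key, values)
```

Class names such as CSMSHandler, CIMEIApp, CGpsPositionRequest and CContactManager sitting in one binary already describe the capability set (SMS, IMEI, location, contacts) before any disassembly; the file path and the beaconing URL give the forensic artifacts to look for on a device.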
-
MetaData Extraction WinMo
Several files to look at
$ strings _setup.xml
-
Several files to look at
appleId                   iTunes user who installed
artistId                  365399302
artistName                App Maker USA, Inc.
bundleShortVersionString  2.1.1
bundleVersion             2.1.1
copyright                 2011 App Maker USA, Inc.
drmVersionNumber          0
Plist Files
o~*hAOQaqtLwx1)k^^S'6L`j^Lo+86,(p&Aa0W1`7$_9f[F];3Bd@b Ee^FJ0EYC/
-
Dumping requires a jailbroken device
Per Stefan Esser's recommendation I use an iPod 4G with a tethered jailbreak (no dealing with baseband etc)
Use the dumpdecrypted tool ( ), also by Stefan
-
MetaData Extraction iOS Dumped IPA
Several files to look at
appleId                   iTunes user who installed
artistId                  365399302
artistName                App Maker USA, Inc.
bundleShortVersionString  2.1.1
bundleVersion             2.1.1
copyright                 2011 App Maker USA, Inc.
drmVersionNumber          0
Plist Files
setViewControllers:arrayWithObject:SETTING_RATINGURLsetAppStoreID:sharedInstanceMFMailComposeViewControllerDelegateapplicationProtectedDataDidBecomeAvailable:applicationProtectedDataWillBecomeUnavailable:applicationWillEnterForeground:applicationDidEnterBackground:application:didReceiveLocalNotification:application:didReceiveRemoteNotification:application:didFailToRegisterForRemoteNotificationsWithError:application:didRegisterForRemoteNotificationsWithDeviceToken:application:didChangeStatusBarFrame:v28@0:4@8{CGRect={CGPoint=f}{CGSize=f}}12application:willChangeStatusBarFrame:application:didChangeStatusBarOrientation:...
Binary Files
-
MetaData Extraction iOS JB/Cydia
Several files to look at
bplist00CFBundleIdentifier_CFBundleInfoDictionaryVersion_CFBundleResourceSpecification_CFBundleVersion_CFBundleExecutable_LSRequiresIPhoneOS_CFBundleDisplayName_MinimumOSVersion_CFBundleSupportedPlatforms_CFBundlePackageType_CFBundleSignature]NSMainNibFile^DTPlatformNameYDTSDKName_CFBundleDevelopmentRegion\CFBundleName_com.yourcompany.malwareS6.0_
Plist Files
__dyld_make_delayed_module_initializer_calls__dyld_mod_term_funcswindow@"UIWindow"viewController@"MyFilesViewController"setWindow:v12@0:4@8@8@0:4setViewController:dealloc
v8@0:4applicationDidFinishLaunching:T@"MyFilesViewController",&,N,VviewControllerT@"UIWindow",&,N,VwindowMyFilesAppDelegatereleaseviewmakeKeyAndVisible
...
Binary Files
-
Disassembly
Remember that our disassembly will be for ARM
Beyond the difference in the instruction set the primary thing to be cognizant of is when the application has switched to Thumb mode
MOVLS R0, R4
MOVLS R1, SP
BLS sub_BF40
CMP R4, #4
BNE sub_8000
MOV R0, SP
LDR R4, [SP,#arg_10]
TST R4, #0x20
LDRNE R1, [SP,#arg_50]
-
Decompilation - HexRays
Works as expected :D
Automatic Thumb switch (you may need to go manual if something looks wrong)
int __fastcall sub_8010(int a1, int a2)
{
  int v2; // r4@1
  int v3; // r5@1
  int v4; // r0@1

  v2 = a2;
  v3 = a1;
  *(_DWORD *)(a2 + 60) = 0;
  v4 = UserHeap::SetupThreadHeap();
  if ( !v4 )
    v4 = sub_BF38(*(_DWORD *)(v2 + 8), *(_DWORD *)(v2 + 12), v3);
  return User::Exit(v4);
}
-
ARM Calling Conventions
myHandle = Loadlibrary(DLL.dll)
-
IOS
Objective C is detected by IDA
This can be a little off-putting at first but the analysis by IDA is very nice to have for parsing the structures
objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_7860], "setHidden:", 1);
objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_7880], "setHidden:", 1);
objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_788C], "setHidden:", 1);
-
DeCompiling Android
Different approaches are possible; this is one
Tools:
Dex2Jar ( ) - multiple tools for converting DEX to Java class files
Eclipse (http://www.eclipse.org) - Opensource Integrated Development Environment (IDE)
Android SDK (http://developer.android.com/sdk/) - Android toolchain for developers
JD-GUI ( ) - Java DeCompiler
Other decompilers: JAD, Mocha, JadClipse, etc
Basic premise:
Unpack APK (Not required to DeCompile but contents may be interesting)
Convert DEX to Java using Dex2Jar
Decompile using JD-GUI
-
Dex2Jar
$ sh ../dex2jar.sh malware.apk
dex2jar version: translator-0.0.9.7
dex2jar malware.apk -> malware_dex2jar.jar
Done.
$
-
JD-GUI
-
Where to start?
Depends
Android Asset Packaging Tool (AAPT) - from the SDK, will decode the contents of the AndroidManifest.xml inside of the APK
package: name='kagegames.apps.DWBeta' versionCode='18' versionName='0.981'
sdkVersion:'4'
targetSdkVersion:'9'
uses-permission:'android.permission.VIBRATE'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.WRITE_SMS'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
application-label:'Dog Wars - Beta'
application-icon-160:'res/drawable-hdpi/icon.png'
application-icon-240:'res/drawable-hdpi/icon.png'
application: label='Dog Wars - Beta' icon='res/drawable-hdpi/icon.png'
launchable-activity: name='kagegames.apps.DWBeta.DogWars' label='Dog Wars - Beta' icon=''
uses-feature:'android.hardware.location'
uses-feature:'android.hardware.location.network'
uses-feature:'android.hardware.telephony'
uses-feature:'android.hardware.touchscreen'
uses-feature:'android.hardware.screen.landscape'
uses-feature:'android.hardware.screen.portrait'
main
app-widget
other-activities
other-receivers
other-services
supports-screens: 'normal' 'large' 'xlarge'
supports-any-density: 'true'
locales: '--_--'
densities: '160' '240'
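Added example (not from the slides): a Python parser for the `aapt dump badging` text above, with a few permission-combination rules of the kind a triage script applies before anyone opens JD-GUI; the SEND_SMS plus READ_CONTACTS pairing is exactly what the behaviour described on the Dog Wars slide needs, and RECEIVE_BOOT_COMPLETED is how it survives a reboot. The BADGING input is the slide's output reflowed one record per line (the way the real tool prints it) and trimmed; the rule names are this example's own, and the parser also accepts the newer `uses-permission: name='...'` form.

```python
import re
from collections import defaultdict

# Constructed from the aapt output on the slide, one record per line as aapt itself prints it
BADGING = """\
package: name='kagegames.apps.DWBeta' versionCode='18' versionName='0.981'
sdkVersion:'4'
targetSdkVersion:'9'
uses-permission:'android.permission.VIBRATE'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.WRITE_SMS'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
application-label:'Dog Wars - Beta'
application: label='Dog Wars - Beta' icon='res/drawable-hdpi/icon.png'
launchable-activity: name='kagegames.apps.DWBeta.DogWars' label='Dog Wars - Beta' icon=''
uses-feature:'android.hardware.telephony'
"""

# Permission sets worth a closer look (names are this example's own)
RISK_RULES = {
    "sms_to_contacts": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "exfil_capable": {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"},
}


def parse_badging(text: str) -> dict:
    """Turn aapt's key:'value' and key: k='v' k2='v2' lines into a dict; repeated keys become lists."""
    out = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue                       # bare section names such as 'main' or 'other-services'
        key, _, rest = line.partition(":")
        rest = rest.strip()
        attrs = dict(re.findall(r"([\w-]+)='([^']*)'", rest))
        out[key].append(attrs if attrs else rest.strip("'"))
    return dict(out)


def permissions(badging: dict) -> set:
    """Permission names from either the old uses-permission:'x' or the newer uses-permission: name='x' form."""
    names = set()
    for p in badging.get("uses-permission", []):
        names.add(p["name"] if isinstance(p, dict) else p)
    return names


def permission_findings(badging: dict) -> dict:
    """Rules whose whole permission set is requested, with the matching permissions listed."""
    perms = permissions(badging)
    return {rule: sorted(need) for rule, need in RISK_RULES.items() if need <= perms}


if __name__ == "__main__":
    parsed = parse_badging(BADGING)
    print(parsed["package"][0]["name"], parsed["launchable-activity"][0]["name"])
    for rule, perms in permission_findings(parsed).items():
        print(f"{rule}: {', '.join(perms)}")
```

A permission list is a statement of capability, not of intent, so findings like these rank samples for a closer look rather than convict them; a legitimate messaging app requests the same pair.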
-
About
Dynamic analysis on mobile platforms is difficult
Options for analysis are emulator or real hardware device
Emulators are clunky and detectable
Real Hardware is expensive
Either way potentially detectable that the device is being debugged
-
Emulators
iOS
Simulator package comes with xTools
Limited capability to install applications and difficult to jailbreak
iEmu is a Qemu emulator for iOS (http://www.iemu.org/index.php/Main_Page) and supports debugging :D
Android
Android SDK contains very functional emulator
Supports control from host including installation of arbitrary packages, and fuzzing user input/behavior
Possible to build an automated sandbox very easily (I've done this in python)
Windows Mobile
Requires Visual Studio (definitely works with VS10) and platform SDK
Supports debugging via Visual Studio
Symbian
Depends on hardware platform targeted S60/N97
Part of SDK
IDA supports
Blackberry
Emulator is part of the SDK (painful on non-windows)
Supports on-device debugging or emulator debugging
-
Theory
Dynamic analysis on mobile platforms is dependent on the platform and target
Analysis
Fire up an emulator in a controlled environment
install package (via web/appstore/manual)
attach debugger
launch targeted application
simulate input from user
dump logs (capture traffic if network enabled)
refresh the emulator*
This can be scripted
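Added example (not from the slides, and not the speaker's own Python sandbox): the Analysis loop above scripted for the Android SDK emulator and adb. Each step is built as an argv list so the whole plan can be reviewed with dry_run=True before anything runs; with dry_run=False the steps are executed with subprocess and the logcat dump is saved. Assumptions: `emulator` and `adb` are on PATH, an AVD named `sandbox` exists, the instance shows up as emulator-5554, and the debugger-attach step is left to whatever tool the analyst uses (jdb/DDMS), so it is not in the list.

```python
import subprocess
from pathlib import Path

SERIAL = "emulator-5554"      # assumption: the first emulator instance adb sees


def plan(apk: str, package: str, activity: str, avd: str = "sandbox",
         pcap: str = "run.pcap", events: int = 500) -> list:
    """The slide's loop as argv lists, in order.  Nothing is executed here."""
    adb = ["adb", "-s", SERIAL]
    return [
        # fresh emulator with the network captured to a pcap; -wipe-data is the "refresh" step
        ["emulator", "-avd", avd, "-wipe-data", "-no-window", "-tcpdump", pcap],
        adb + ["wait-for-device"],
        adb + ["logcat", "-c"],                                           # drop the boot-time log
        adb + ["install", "-r", apk],                                    # install package (manual route)
        adb + ["shell", "am", "start", "-n", f"{package}/{activity}"],   # launch targeted application
        adb + ["shell", "monkey", "-p", package, "-v", str(events)],     # simulate input from user
        adb + ["logcat", "-d"],                                          # dump logs
        adb + ["emu", "kill"],                                           # stop; the next run starts wiped
    ]


def run(apk: str, package: str, activity: str, dry_run: bool = True,
        log_path: str = "logcat.txt", **kw) -> list:
    """dry_run=True returns the plan for review; dry_run=False executes it and saves the logcat dump."""
    steps = plan(apk, package, activity, **kw)
    if dry_run:
        return steps
    emulator = subprocess.Popen(steps[0])        # keeps running in the background until "emu kill"
    try:
        for step in steps[1:]:
            done = subprocess.run(step, capture_output=True, text=True, timeout=900)
            if step[-2:] == ["logcat", "-d"]:
                Path(log_path).write_text(done.stdout)
    finally:
        if emulator.poll() is None:              # a failed step left the emulator up
            emulator.terminate()
        emulator.wait(timeout=60)
    return steps


if __name__ == "__main__":
    for argv in run("malware.apk", "kagegames.apps.DWBeta", ".DogWars"):
        print(" ".join(argv))
```

The pcap from -tcpdump and the saved logcat are the two artifacts to diff between a clean run and the sample's run; the emulator-detection caveat on the Emulators slide still applies, so a sample that does nothing here is not cleared.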
-
Demo time
-
Conclusion
Reversing on mobile is not too different than on conventional platforms
ARM instruction set is very different than what we may be used to
Plenty of (mal)code sources out there with some creative googling
Static analysis is more or less the same
iOS Fairplay exception
Dynamic analysis requires a little more effort than firing up a Windows virtual machine
Instrumentation of debugger is a little harder
Reverse engineering mobile applications is fun :D
-
Secure Mobile Best Practices
Code Hardening
Code Signing
Principle of Least Privilege
App Sandboxing
Privilege Separation
-
Questions?
Twitter: @Adam_Cyber