ANTO JOSEPH
@whoami
- Security Engineer @ Intel
- Past Speaker / Trainer @ Brucon, HITB Amsterdam, NullCon, GroundZero, c0c0n
- Will be Speaking @ Defcon, Blackhat
- Mobile Security / IoT Enthusiast
- Interested in Machine Learning / Neural Networks
- When not hacking, you can find me filling visa applications :|
DYNAMIC INSTRUMENTATION
- Using Xposed Modules
- Using adbi
- Other tools using Library Injection Techniques, LD_PRELOAD
- Xposed Framework being the most famous, with the larger user / developer base
What Is Hooking?
How Is It Done Currently?
- Xposed Framework
- Xposed modules are intended to make long-lasting changes to devices
- Install Xposed Installer, which installs the Xposed bridge
- Replaces app_process with a modified version which loads the bridge, which enables the hooking functionality
- Write the app in Java (Android Studio) using the deps and install it on the device
- To activate the module, reboot
- If you need to change something, reboot
DEMO: XPOSED
DIFFDroid_Anto_Joseph_HIP_2016
What Do We Want In Our Solution?
- Should be Fast
- Should be Simple
- Should be Easy to Learn
- Should Just Work!
DIFF-DROID
- Based on Frida
- Supports hooking Native and Java methods
- Web UI, with editable scripts to hook Android methods
- Re-usable modules which can be combined as well
- Instant changes in hooking scripts
- No restarts at all :)
DEMO
RUNNING DROID-FF
- Start redis-server
- Start gunicorn: gunicorn diff-gui:app --worker-class gevent --bind 127.0.0.1:80
- Start the Android emulator (Android 4.4.4)
- Push frida-server to /data/local/tmp
- Exec frida-server
- Browse to http://127.0.0.1
How Does It Work
- Frida:
  - The core of the app is handled by Frida.
  - Takes care of hooking native and Java code
  - Written by Ole André Vadla Ravnås
  - Supports Win / Unix / Android / iOS platforms
INTERNALS
- Frida-server injects a native library into the process using the ptrace API. This is the only supported injection mechanism for now.
- Loads the hook code and replaces / logs the function / arguments accordingly
- The send() method is used to send data from the JVM to the Python side
- Java.perform is used to hook Dalvik code
- Interceptor.attach is used to hook native code
- Most exceptions are handled gracefully with a detailed stack trace
CONT..
- Zero modification to the device
- Just push the frida-server binary to the device and exec it (requires root)
- Communicates with the system component over adb
- Updates from the instrumentation script are pushed to the web UI using server-side push for real-time updates
- Using redis-server as the message queue
How Do We Write A Hook?
Look Up The API
WRITING A NEW HOOK - DALVIK
Java.perform(function () {
    // Get a wrapper for the Java class whose method we want to replace
    var TM = Java.use("android.os.Debug");
    // Replace the implementation so the app always sees "no debugger attached"
    TM.isDebuggerConnected.implementation = function () {
        return false;
    };
});
WRITING A NEW HOOK - NATIVE STYLE
Interceptor.attach(Module.findExportByName("libc.so", "open"), {
    onEnter: function (args) {
        // args[0] is open()'s pathname argument (args[1] is the integer flags)
        send(Memory.readUtf8String(args[0]));
    }
});
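The INTERNALS slides describe the flow behind both hooks above: the hook calls send(), Frida delivers the message to the Python side, and Python pushes it onto the message queue that feeds the web UI. The following is an added example of that Python side, not diff-gui's own code; the queue name diffdroid:events, the function names and the event layout are assumptions, while the frida calls are the real frida Python API.

```python
import json

# Hook script in the style of the slides: a Dalvik hook (Java.perform) and a
# native hook (Interceptor.attach), each reporting through send().
HOOK_SCRIPT = r"""
Java.perform(function () {
  var Debug = Java.use("android.os.Debug");
  Debug.isDebuggerConnected.implementation = function () {
    send({hook: "Debug.isDebuggerConnected", action: "returned false"});
    return false;
  };
});
Interceptor.attach(Module.findExportByName("libc.so", "open"), {
  onEnter: function (args) {
    send({hook: "libc.open", path: Memory.readUtf8String(args[0])});
  }
});
"""

def format_event(message, data=None):
    """Normalise one Frida on_message payload. Frida delivers
    {'type': 'send', 'payload': ...} for send() calls and
    {'type': 'error', 'description': ..., 'stack': ...} when the script throws."""
    kind = message.get("type")
    if kind == "send":
        return {"level": "info", "payload": message.get("payload"),
                "has_binary": data is not None}
    if kind == "error":
        return {"level": "error", "payload": message.get("description"),
                "stack": message.get("stack")}
    return {"level": "warn", "payload": "unhandled message type: %r" % (kind,)}

def make_handler(publish, queue="diffdroid:events"):
    """Build the on_message callback; publish(queue, text) is whatever pushes to
    the message queue (e.g. redis.StrictRedis().rpush when redis is the broker).
    The queue name is an assumption, not diff-gui's."""
    def on_message(message, data):
        publish(queue, json.dumps(format_event(message, data)))
    return on_message

def run(target, publish):
    """Attach to a running app over USB/adb and load HOOK_SCRIPT (real frida API;
    imported lazily so the handler above is usable without frida installed)."""
    import frida
    session = frida.get_usb_device().attach(target)
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", make_handler(publish))
    script.load()
    return script
```

Script errors arrive as type "error" rather than raising in Python, so the handler records them on the same queue instead of silently dropping them.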
SOURCE CODE:
- https://github.com/antojoseph/diff-gui
FUTURE
- Adding more modules (contributions are welcome)
- Support iOS
- Supporting Frida on ART (it's almost on its way)
FEW WORDS FROM OLE ANDRÉ VADLA RAVNÅS
- Future of Frida is the Community!
- We have an active IRC channel @ freenode #frida
- Frida Mailing List
- Happy to have community contributions in terms of Code / Documentation / Apps based on Frida
RESOURCES
- https://rotlogix.com/2015/09/13/defeating-ssl-pinning-in-coin-for-android/
- https://cedricvb.be/post/seccon-2015-reverse-engineering-android-apk-2-400-writeup/
- http://blog.csdn.net/autohacker/article/details/50503261
- http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
MERCI
- Questions?