Snippets Groups Projects

Jean-Marie Mineau authored 5 months ago

6891b202

6891b202 5 months ago

Name	Last commit	Last update
dex_loader_analyser
README.md
SUJET.md
loadertester.apk
poetry.lock
pyproject.toml

Dex Loader Analyser (Name WIP :-) )

Technique

Methods to hook:

dalvik.system.DexFile->openDexFileNative(java.lang.String;java.lang.String;int;java.lang.ClassLoader;[Ldalvik.system.DexPathList$Element;)

dalvik.system.DexFile->openInMemoryDexFilesNative([Ljava.nio.ByteBuffer;[[B;[I;[I;java.lang.ClassLoader;[Ldalvik.system.DexPathList$Element;)

Travel the Stack:

https://developer.android.com/reference/java/lang/StackWalker

Warning: API level = SDK 34 (ANDROID 14!)

Install

Poetry

Packaging and dependency for this project is handled with poetry.

To install the project dependencies:

poetry install

To enter the venv of the project:

poetry shell

The package define a script that call the main function in dex_loader_analyser/__main__:

dex_loader_analyser --help

Frida

The documentation to install frida is here. To summarize:

Download the last frida-server on the release page. For android emulator on modern computer, select frida-server-XX.Y.Z-android-x86_64.xz (unxz to decompress)
push the server on the emulator:

adb root
adb push frida-server-XX.Y.Z-android-x86_64 /data/local/tmp/frida-server
adb shell 'chmod 755 /data/local/tmp/frida-server'

run the server on the emulator:

adb shell '/data/local/tmp/frida-server &'

Frida gotcha

You need to compile your javascript for Frida. To do so, put your actual code in dex_loader_analyser/hook_origin.js and run frida-compile dex_loader_analyser/hook_origin.js -o dex_loader_analyser/hook.js to compile your code in dex_loader_analyser/hook.js.