Instrumenting Android Apps with Soot
I am excited to let you know that we have recently committed to the development branch of Soot support for reading and writing Dalvik bytecode with Soot. (This code will also be contained in Soot’s upcoming release.) This support consists of two major modules. One is called Dexpler, mainly developed by a group around Alexandre Bartel, and with some enhancements by Ben Bellamy and myself as well as Frank Hartmann and Michael Markert, two students of mine. Dexpler converts Dalvik bytecode into Jimple’s three-address code. This may sound simple – after all Dalvik code is register based and Jimple uses local variables which are quite similar to logical registers. However, things get tricky with respect to typing. Jimple is typed; every local variable is of some declared type. In Dalvik, registers are untyped, and during the execution of a method the same register can hold values of quite different types. Constants in Dalvik are also untyped: when loading a double or a long into a register, Dalvik just loads an eight-byte bit pattern into the register without telling you whether it’s a long or a double. But in Jimple we need this information. Thus getting the typing of Jimple locals right is quite tricky and took us a while. On the other hand, typed locals are great, as they allow for a simpler and more precise pointer analysis, among other things.
The second component does just the opposite: it converts Jimple back into Dalvik code. This component was completed quite recently by Thomas Pilot, another one of my students. One of the main obstacles here is again the mismatch between local variables and registers: Soot needs to perform an at least somewhat clever register allocation to avoid using up too many registers. This currently works well enough to produce functional Dalvik code; however, the code may sometimes not have the same structure as the original Dalvik code you read into Soot.
How to instrument
First grab the latest version of Soot, for instance our nightly build. Also check out the directory at https://github.com/Sable/android-platforms. This directory contains different versions of the Android standard library that Soot requires for resolving types of the apps you analyze or instrument.
(Both of the URLs above must be downloaded: the first is the latest Soot package; the second is used later on and is indispensable for analyzing Android.)
Next we implement a driver class with a main method into which we stick the following code:
    // prefer Android APK files // -src-prec apk
    Options.v().set_src_prec(Options.src_prec_apk);
    // output format: -f class (the original post used Options.output_format_dex here to write an APK)
    Options.v().set_output_format(Options.output_format_class); // set to emit .class files
    // resolve the PrintStream and System soot-classes
    Scene.v().addBasicClass("java.io.PrintStream", SootClass.SIGNATURES);
    Scene.v().addBasicClass("java.lang.System", SootClass.SIGNATURES);
The first option instructs Soot to load Android APK files. The second one selects the output format: in the original post it instructs Soot to produce a Dex/APK file as output, whereas the code as modified in this repost writes .class files instead. (In theory you could also convert Java into Dex or Dex into Java and so on.) The last two options tell Soot to load two classes which we will require for our instrumentation but which may otherwise not be required by the instrumented APK.
Next we add a Transform to Soot:
    PackManager.v().getPack("jtp").add(new Transform("jtp.myInstrumenter", new BodyTransformer() {
        @Override
        protected void internalTransform(final Body b, String phaseName, @SuppressWarnings("rawtypes") Map options) {
            final PatchingChain<Unit> units = b.getUnits();
            // important to use snapshotIterator here: we insert units while iterating over the chain
            for (Iterator<Unit> iter = units.snapshotIterator(); iter.hasNext();) {
                final Unit u = iter.next();
                u.apply(new AbstractStmtSwitch() {
                    public void caseInvokeStmt(InvokeStmt stmt) {
                        // code here
                    }
                });
            }
        }
    }));
This will walk through all Units of all Bodies in the APK and on every InvokeStmt will invoke the code which I labeled with “code here”.
At this place we can now insert the following:
    InvokeExpr invokeExpr = stmt.getInvokeExpr();
    if (invokeExpr.getMethod().getName().equals("onDraw")) {
        // addTmpRef/addTmpString create a fresh local of type java.io.PrintStream / java.lang.String
        // and add it to the body; both helpers are defined in the downloadable AndroidInstrument.java
        Local tmpRef = addTmpRef(b);
        Local tmpString = addTmpString(b);
        // insert "tmpRef = java.lang.System.out;"
        units.insertBefore(Jimple.v().newAssignStmt(
                tmpRef, Jimple.v().newStaticFieldRef(
                        Scene.v().getField("<java.lang.System: java.io.PrintStream out>").makeRef())), u);
        // insert "tmpString = 'HELLO';"
        units.insertBefore(Jimple.v().newAssignStmt(tmpString, StringConstant.v("HELLO")), u);
        // insert "tmpRef.println(tmpString);"
        SootMethod toCall = Scene.v().getSootClass("java.io.PrintStream").getMethod("void println(java.lang.String)");
        units.insertBefore(Jimple.v().newInvokeStmt(
                Jimple.v().newVirtualInvokeExpr(tmpRef, toCall.makeRef(), tmpString)), u);
        // check that we did not mess up the Jimple
        b.validate();
    }
This causes Soot to insert a System.out.println("HELLO") just before the method invocation, but only if the target of this invocation is an onDraw method.
Last but not least, don’t forget to actually call Soot’s main method:
    soot.Main.main(args);
And that’s it! Piece of cake, isn’t it? All you now need to do is run your driver class with the following arguments:
    -android-jars path/to/android-platforms -process-dir your.apk
Here path/to/android-platforms is the path to the platform JAR files you downloaded earlier and your.apk is the path to the APK you wish to instrument. The option -process-dir instructs Soot to process all classes inside this APK.
As a result you will find a new APK with the same name inside the directory ./sootOutput.
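As an added example (not part of the original post and not Soot's own code), the following complete driver generalizes the onDraw instrumentation above: instead of printing a constant before one named method, it logs the caller's and callee's Jimple signatures before every call into a watched API package, which is a simple way to obtain a run-time trace of an app's use of selected APIs. The package prefixes in WATCHED are hypothetical placeholders; it expects the same -android-jars and -process-dir arguments as the post.

```java
import java.util.Iterator;
import java.util.Map;

import soot.*;
import soot.jimple.*;
import soot.options.Options;

public class CallTracer {
    // Hypothetical watch list: calls whose target class starts with one of these prefixes get logged.
    static final String[] WATCHED = { "android.telephony.", "java.net." };

    static boolean isWatched(SootMethod m) {
        String cls = m.getDeclaringClass().getName();
        for (String prefix : WATCHED) if (cls.startsWith(prefix)) return true;
        return false;
    }

    public static void main(String[] args) {
        Options.v().set_src_prec(Options.src_prec_apk);          // read APKs
        Options.v().set_output_format(Options.output_format_dex); // write an APK to ./sootOutput
        Scene.v().addBasicClass("java.io.PrintStream", SootClass.SIGNATURES);
        Scene.v().addBasicClass("java.lang.System", SootClass.SIGNATURES);

        PackManager.v().getPack("jtp").add(new Transform("jtp.callTracer", new BodyTransformer() {
            @Override
            protected void internalTransform(Body b, String phaseName, @SuppressWarnings("rawtypes") Map options) {
                PatchingChain<Unit> units = b.getUnits();
                // one PrintStream local and one String local per body, reused for every inserted trace
                Local out = Jimple.v().newLocal("traceOut", RefType.v("java.io.PrintStream"));
                Local msg = Jimple.v().newLocal("traceMsg", RefType.v("java.lang.String"));
                b.getLocals().add(out);
                b.getLocals().add(msg);
                SootMethod println = Scene.v().getMethod("<java.io.PrintStream: void println(java.lang.String)>");
                SootFieldRef sysOut = Scene.v().getField("<java.lang.System: java.io.PrintStream out>").makeRef();
                // snapshotIterator: we insert units while walking the chain
                for (Iterator<Unit> it = units.snapshotIterator(); it.hasNext();) {
                    Unit u = it.next();
                    if (!(u instanceof Stmt) || !((Stmt) u).containsInvokeExpr()) continue;
                    SootMethod target = ((Stmt) u).getInvokeExpr().getMethod();
                    if (!isWatched(target)) continue;
                    // caller -> callee, embedded as a string constant so no run-time reflection is needed
                    String text = b.getMethod().getSignature() + " -> " + target.getSignature();
                    units.insertBefore(Jimple.v().newAssignStmt(out, Jimple.v().newStaticFieldRef(sysOut)), u);
                    units.insertBefore(Jimple.v().newAssignStmt(msg, StringConstant.v(text)), u);
                    units.insertBefore(Jimple.v().newInvokeStmt(
                            Jimple.v().newVirtualInvokeExpr(out, println.makeRef(), msg)), u);
                }
                b.validate(); // fail fast if the inserted Jimple is malformed
            }
        }));
        soot.Main.main(args);
    }
}
```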
(After processing, .class files are produced, as shown in the figure above.)
You can download the entire code of the example here: AndroidInstrument.java
If you find any bugs in these components (or other parts of Soot), please help us out by reporting them in our issue tracker.