看雪论坛 (Pediy forum)

[Original] Analysis notes on a 梆梆-hardened app (summary)

phyman, 2017-7-17 11:20

This analysis focuses on the child-process anti-debugging feature of 梆梆 (Bangbang) hardening. The main flow is as follows:


一、fork creates the child process

The fork happens in the function p0C7DD907A4972190E28826F976662FB9;
when fork() returns 0, the child-process logic starts executing.


二、The child process creates anti-debugging detection threads

The child then creates two threads, sub_23890 and sub_21550.
In thread sub_23890, the three anti-debugging detection functions described in analysis record (一) run in a loop; a return value of 1 means a debugger is present, and the process is killed.

In thread sub_21550, the files /proc/%ld/mem and /proc/%ld/pagemap are monitored, and one more thread is created that runs a detection loop. That loop function is listed below. Reading it: it installs a sigaction for signal 10 (SIGUSR1 on ARM Linux) whose handler is loaded from dword_76113C58, decodes a 15-byte format string at runtime (decodeStr with length 0xF and key 0xD0) and sprintf()s it with the pid passed in (*R0, saved at [SP,#0xC]). It then loops forever: opendir() on that path (spinning until it succeeds), readdir(), skipping two runtime-decoded names of length 1 and 2 that are strcmp()ed against d_name (R4+0x13 in the 32-bit bionic dirent), so almost certainly "." and ".."; it builds "<dir>/<name>" with another decoded format string, lstat()s it and requires (st_mode & 0xF000) == 0x4000, i.e. S_IFDIR (st_mode sits at [R5,#0x10] in the bionic ARM struct stat); it then atoi()s the entry name and passes the number to sub_760F30D4 and to loc_760F31C0(pid, n). Once the directory is exhausted it closedir()s, sleep(2)s and starts over. The format strings exist only in decoded form at runtime, so the listing does not show the path; numeric subdirectories of a pid-derived path is consistent with /proc/<pid>/task (thread ids), but that is an inference, not something the listing proves.

libDexHelper.so:760F32E8                 PUSH            {R4-R7,LR} ; t4
libDexHelper.so:760F32EA                 MOVS            R5, #0x10
libDexHelper.so:760F32EC                 LDR             R3, =(dword_76113B44 - 0x760F32F4)
libDexHelper.so:760F32EE                 LDR             R4, =0xFFFFFD44
libDexHelper.so:760F32F0                 ADD             R3, PC ; dword_76113B44
libDexHelper.so:760F32F2                 LDR             R3, [R3]
libDexHelper.so:760F32F4                 ADD             SP, R4
libDexHelper.so:760F32F6                 ADD             R4, SP, #0x28
libDexHelper.so:760F32F8                 LDR             R3, [R3]
libDexHelper.so:760F32FA                 STR             R3, [SP,#0x2B4]
libDexHelper.so:760F32FC                 LDR             R3, [R0]
libDexHelper.so:760F32FE                 STR             R3, [SP,#0xC]
libDexHelper.so:760F3300                 BLX             free
libDexHelper.so:760F3304                 MOVS            R0, R4
libDexHelper.so:760F3306                 MOVS            R1, #0
libDexHelper.so:760F3308                 MOVS            R2, R5
libDexHelper.so:760F330A                 BLX             memset_0
libDexHelper.so:760F330E                 LDR             R3, =(dword_76113C58 - 0x760F3316)
libDexHelper.so:760F3310                 MOVS            R1, R4
libDexHelper.so:760F3312                 ADD             R3, PC ; dword_76113C58
libDexHelper.so:760F3314                 LDR             R3, [R3]
libDexHelper.so:760F3316                 ADD             R4, SP, #0xA0
libDexHelper.so:760F3318                 MOVS            R2, #0
libDexHelper.so:760F331A                 MOVS            R0, #0xA
libDexHelper.so:760F331C                 STR             R3, [SP,#0x28]
libDexHelper.so:760F331E                 BLX             sigaction_0
libDexHelper.so:760F3322                 MOVS            R1, #0
libDexHelper.so:760F3324                 MOVS            R2, #0x12
libDexHelper.so:760F3326                 MOVS            R0, R4
libDexHelper.so:760F3328                 BLX             memset_0
libDexHelper.so:760F332C                 MOVS            R2, #0xB0
libDexHelper.so:760F332E                 STRB            R2, [R4,#3]
libDexHelper.so:760F3330                 MOVS            R2, #0xB2
libDexHelper.so:760F3332                 STRB            R2, [R4,#4]
libDexHelper.so:760F3334                 MOVS            R2, #0xAF
libDexHelper.so:760F3336                 STRB            R2, [R4,#5]
libDexHelper.so:760F3338                 MOVS            R2, #0xA3
libDexHelper.so:760F333A                 STRB            R2, [R4,#6]
libDexHelper.so:760F333C                 MOVS            R2, #0xE5
libDexHelper.so:760F333E                 STRB            R2, [R4,#8]
libDexHelper.so:760F3340                 MOVS            R2, #0xAC
libDexHelper.so:760F3342                 STRB            R2, [R4,#9]
libDexHelper.so:760F3344                 MOVS            R2, #0xA4
libDexHelper.so:760F3346                 STRB            R2, [R4,#0xA]
libDexHelper.so:760F3348                 MOVS            R2, #0xB4
libDexHelper.so:760F334A                 STRB            R2, [R4,#0xC]
libDexHelper.so:760F334C                 MOVS            R2, #0xA1
libDexHelper.so:760F334E                 STRB            R2, [R4,#0xD]
libDexHelper.so:760F3350                 MOVS            R2, #0xB3
libDexHelper.so:760F3352                 STRB            R2, [R4,#0xE]
libDexHelper.so:760F3354                 MOVS            R2, #0xAB
libDexHelper.so:760F3356                 MOVS            R3, #0xEF
libDexHelper.so:760F3358                 STRB            R2, [R4,#0xF]
libDexHelper.so:760F335A                 MOVS            R1, #0xF
libDexHelper.so:760F335C                 MOVS            R2, #0xD0
libDexHelper.so:760F335E                 MOVS            R0, R4
libDexHelper.so:760F3360                 STRB            R3, [R4,#2]
libDexHelper.so:760F3362                 STRB            R3, [R4,#7]
libDexHelper.so:760F3364                 STRB            R3, [R4,#0xB]
libDexHelper.so:760F3366                 STRB            R3, [R4,#0x10]
libDexHelper.so:760F3368                 STRB            R5, [R4,#1]
libDexHelper.so:760F336A                 BL              decodeStr
libDexHelper.so:760F336E                 ADD             R3, SP, #0xB4
libDexHelper.so:760F3370                 MOVS            R0, R3
libDexHelper.so:760F3372                 MOVS            R1, R4
libDexHelper.so:760F3374                 LDR             R2, [SP,#0xC]
libDexHelper.so:760F3376                 STR             R3, [SP,#8]
libDexHelper.so:760F3378                 BLX             sprintf
libDexHelper.so:760F337C
libDexHelper.so:760F337C loc_760F337C                            ; CODE XREF: libDexHelper.so:760F3386j
libDexHelper.so:760F337C                                         ; libDexHelper.so:760F3462j
libDexHelper.so:760F337C                 LDR             R0, [SP,#8]
libDexHelper.so:760F337E                 BLX             opendir
libDexHelper.so:760F3382                 STR             R0, [SP,#4]
libDexHelper.so:760F3384                 CMP             R0, #0
libDexHelper.so:760F3386                 BEQ             loc_760F337C
libDexHelper.so:760F3388
libDexHelper.so:760F3388 loc_760F3388                            ; CODE XREF: libDexHelper.so:760F33D0j
libDexHelper.so:760F3388                                         ; libDexHelper.so:760F33DCj ...
libDexHelper.so:760F3388                 LDR             R0, [SP,#4]
libDexHelper.so:760F338A                 BLX             readdir
libDexHelper.so:760F338E                 SUBS            R4, R0, #0
libDexHelper.so:760F3390                 BEQ             loc_760F3456
libDexHelper.so:760F3392                 MOVS            R7, #0
libDexHelper.so:760F3394                 MOVS            R3, #0xE3
libDexHelper.so:760F3396                 ADD             R6, SP, #0x14
libDexHelper.so:760F3398                 STR             R7, [SP,#0x14]
libDexHelper.so:760F339A                 STRB            R3, [R6,#1]
libDexHelper.so:760F339C                 MOVS            R3, #0x52
libDexHelper.so:760F339E                 MOVS            R1, #1
libDexHelper.so:760F33A0                 MOVS            R2, #0x9F
libDexHelper.so:760F33A2                 MOVS            R0, R6
libDexHelper.so:760F33A4                 STRB            R3, [R6,#2]
libDexHelper.so:760F33A6                 BL              decodeStr
libDexHelper.so:760F33AA                 MOVS            R3, #4
libDexHelper.so:760F33AC                 ADD             R5, SP, #0x18
libDexHelper.so:760F33AE                 STR             R7, [SP,#0x18]
libDexHelper.so:760F33B0                 STRB            R3, [R5,#1]
libDexHelper.so:760F33B2                 MOVS            R3, #0xBB
libDexHelper.so:760F33B4                 MOVS            R1, #2
libDexHelper.so:760F33B6                 MOVS            R0, R5
libDexHelper.so:760F33B8                 MOVS            R2, #0x91
libDexHelper.so:760F33BA                 ADDS            R4, #0x13
libDexHelper.so:760F33BC                 STRB            R7, [R5,#4]
libDexHelper.so:760F33BE                 STRB            R3, [R5,#2]
libDexHelper.so:760F33C0                 STRB            R3, [R5,#3]
libDexHelper.so:760F33C2                 BL              decodeStr
libDexHelper.so:760F33C6                 MOVS            R0, R4
libDexHelper.so:760F33C8                 MOVS            R1, R6
libDexHelper.so:760F33CA                 BLX             strcmp_0
libDexHelper.so:760F33CE                 CMP             R0, R7
libDexHelper.so:760F33D0                 BEQ             loc_760F3388
libDexHelper.so:760F33D2                 MOVS            R0, R4
libDexHelper.so:760F33D4                 MOVS            R1, R5
libDexHelper.so:760F33D6                 BLX             strcmp_0
libDexHelper.so:760F33DA                 CMP             R0, R7
libDexHelper.so:760F33DC                 BEQ             loc_760F3388
libDexHelper.so:760F33DE                 MOVS            R2, #0x80
libDexHelper.so:760F33E0                 ADD             R6, SP, #0x1B4
libDexHelper.so:760F33E2                 ADD             R5, SP, #0x20
libDexHelper.so:760F33E4                 MOVS            R1, R7
libDexHelper.so:760F33E6                 LSLS            R2, R2, #1
libDexHelper.so:760F33E8                 MOVS            R0, R6
libDexHelper.so:760F33EA                 BLX             memset_0
libDexHelper.so:760F33EE                 MOVS            R0, R5
libDexHelper.so:760F33F0                 MOVS            R1, R7
libDexHelper.so:760F33F2                 MOVS            R2, #7
libDexHelper.so:760F33F4                 BLX             memset_0
libDexHelper.so:760F33F8                 MOVS            R3, #0x5A
libDexHelper.so:760F33FA                 MOVS            R2, #0x9D
libDexHelper.so:760F33FC                 STRB            R3, [R5,#1]
libDexHelper.so:760F33FE                 MOVS            R3, #0xCB
libDexHelper.so:760F3400                 STRB            R2, [R5,#2]
libDexHelper.so:760F3402                 STRB            R2, [R5,#4]
libDexHelper.so:760F3404                 MOVS            R0, R5
libDexHelper.so:760F3406                 MOVS            R1, #4
libDexHelper.so:760F3408                 MOVS            R2, #0xE2
libDexHelper.so:760F340A                 STRB            R3, [R5,#3]
libDexHelper.so:760F340C                 STRB            R3, [R5,#5]
libDexHelper.so:760F340E                 BL              decodeStr
libDexHelper.so:760F3412                 MOVS            R1, R5
libDexHelper.so:760F3414                 MOVS            R3, R4
libDexHelper.so:760F3416                 MOVS            R0, R6
libDexHelper.so:760F3418                 LDR             R2, [SP,#8]
libDexHelper.so:760F341A                 ADD             R5, SP, #0x38
libDexHelper.so:760F341C                 BLX             sprintf
libDexHelper.so:760F3420                 MOVS            R0, R6
libDexHelper.so:760F3422                 MOVS            R1, R5
libDexHelper.so:760F3424                 BLX             lstat_0
libDexHelper.so:760F3428                 ADDS            R3, R0, #1
libDexHelper.so:760F342A                 BEQ             loc_760F3388
libDexHelper.so:760F342C                 MOVS            R3, #0xF0
libDexHelper.so:760F342E                 LDR             R2, [R5,#0x10]
libDexHelper.so:760F3430                 LSLS            R3, R3, #8
libDexHelper.so:760F3432                 ANDS            R3, R2
libDexHelper.so:760F3434                 MOVS            R2, #0x4000
libDexHelper.so:760F3438                 CMP             R3, R2
libDexHelper.so:760F343A                 BNE             loc_760F3388
libDexHelper.so:760F343C                 MOVS            R0, R4
libDexHelper.so:760F343E                 BLX             atoi
libDexHelper.so:760F3442                 BL              sub_760F30D4
libDexHelper.so:760F3446                 MOVS            R0, R4
libDexHelper.so:760F3448                 BLX             atoi
libDexHelper.so:760F344C                 MOVS            R1, R0
libDexHelper.so:760F344E                 LDR             R0, [SP,#0xC]
libDexHelper.so:760F3450                 BL              loc_760F31C0
libDexHelper.so:760F3454                 B               loc_760F3388
libDexHelper.so:760F3456 ; ---------------------------------------------------------------------------
libDexHelper.so:760F3456
libDexHelper.so:760F3456 loc_760F3456                            ; CODE XREF: libDexHelper.so:760F3390j
libDexHelper.so:760F3456                 LDR             R0, [SP,#4]
libDexHelper.so:760F3458                 BLX             closedir
libDexHelper.so:760F345C                 MOVS            R0, #2
libDexHelper.so:760F345E                 BLX             sleep
libDexHelper.so:760F3462                 B               loc_760F337C

Thread sub_21550 also uses select() to interact (with the parent side) as part of the anti-debugging scheme.


三、Hook ptrace in libc.so and call ptrace

ptrace is hooked with the hook function described in analysis record (二). The hooked code looked like this:

[screenshot of the hooked ptrace prologue not reproduced here]

The original ptrace code is shown below. Note the CODE XREF from debug093:76E91008 into loc_400CC544 (ptrace+8): a jump back into the function from a runtime-mapped region is consistent with an inline hook that overwrote the first two instructions (SUB R12, R0, #1 and STR LR, [SP,#var_4]!) and executes copies of them in a trampoline before returning here.

libc.so:400CC53C ptrace
libc.so:400CC53C
libc.so:400CC53C var_C           = -0xC
libc.so:400CC53C var_4           = -4
libc.so:400CC53C
libc.so:400CC53C                 SUB             R12, R0, #1
libc.so:400CC540                 STR             LR, [SP,#var_4]!
libc.so:400CC544
libc.so:400CC544 loc_400CC544                            ; CODE XREF: debug093:76E91008j
libc.so:400CC544                                         ; DATA XREF: debug093:76E91008o
libc.so:400CC544                 CMP             R12, #2
libc.so:400CC548                 SUB             SP, SP, #0xC
libc.so:400CC54C                 BHI             loc_400CC56C
libc.so:400CC550                 ADD             R3, SP, #0x10+var_C
libc.so:400CC554                 BL              __ptrace
libc.so:400CC558                 CMP             R0, #0
libc.so:400CC55C                 LDREQ           R0, [SP,#0x10+var_C]
libc.so:400CC560                 MOVNE           R0, #0xFFFFFFFF
libc.so:400CC564
libc.so:400CC564 loc_400CC564                            ; CODE XREF: ptrace+34j
libc.so:400CC564                 ADD             SP, SP, #0xC
libc.so:400CC568                 LDMFD           SP!, {PC}
libc.so:400CC56C ; ---------------------------------------------------------------------------
libc.so:400CC56C
libc.so:400CC56C loc_400CC56C                            ; CODE XREF: ptrace+10j
libc.so:400CC56C                 BL              __ptrace
libc.so:400CC570                 B               loc_400CC564
libc.so:400CC570 ; End of function ptrace

For reference, the wrapper above treats requests 1 to 3 (PTRACE_PEEKTEXT, PTRACE_PEEKDATA, PTRACE_PEEKUSER) specially: it passes a stack slot as the data pointer to __ptrace and returns the peeked word on success (-1 on failure); every other request is forwarded to __ptrace directly.

The child then calls ptrace on the parent process to monitor it, which is what gives the anti-debugging and anti-injection effect: Linux allows only one tracer per process, so once the child is attached a debugger's later PTRACE_ATTACH on the parent fails with EPERM, and the child sees every signal stop of the parent. A quick check from the analyst side is TracerPid in /proc/<parent pid>/status, which will show the child's pid.
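The whole child-side scheme from sections 一 to 三 (fork, ptrace-attach to the parent, periodic scan of the parent's thread directory with the same skip-dot / lstat / S_IFDIR / numeric-name logic as the listing) written out as an added example. This is my own illustration, not code from the post or from libDexHelper.so: the path /proc/<pid>/task is my assumption for the runtime-decoded format string, the per-thread checks sub_760F30D4 and loc_760F31C0 are not reproduced, and tracer_pid_of() is the analyst-side check that is not part of the protector at all. Tested on Linux with gcc.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The listing's "(st_mode & 0xF000) == 0x4000" test, i.e. S_ISDIR. */
int mode_is_dir(unsigned mode) { return (mode & 0xF000u) == 0x4000u; }

/* Walk a directory the way the loop at loc_760F3388 does: skip "." and "..",
 * lstat() each entry and keep directories with an all-digit name (thread ids
 * under /proc/<pid>/task, assumed). Returns the count stored, -1 if opendir()
 * fails. The listing uses atoi(), which maps a non-numeric name to 0; strtol()
 * with an end-pointer check rejects such names instead. */
int enumerate_task_dirs(const char *taskdir, long *ids, int max)
{
    DIR *d = opendir(taskdir);
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[512];
        snprintf(path, sizeof path, "%s/%s", taskdir, e->d_name);
        struct stat st;
        if (lstat(path, &st) == -1 || !mode_is_dir(st.st_mode))
            continue;
        char *end;
        long id = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0')
            continue;
        ids[n++] = id;
    }
    closedir(d);
    return n;
}

/* Analyst-side check: read the "TracerPid:" line of a /proc/<pid>/status file.
 * Returns the tracer pid (0 = not traced) or -1 if the file cannot be read. */
long tracer_pid_of(const char *status_path)
{
    FILE *f = fopen(status_path, "r");
    if (f == NULL)
        return -1;
    long tracer = -1;
    char line[256];
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            tracer = strtol(line + 10, NULL, 10); /* strtol() skips the tab */
            break;
        }
    }
    fclose(f);
    return tracer;
}

/* Child-side watchdog: attach to the parent (Linux allows one tracer per
 * process, so a debugger attaching later gets EPERM), then rescan the parent's
 * thread directory every 2 seconds, as the listing does after closedir(). */
int run_watchdog(pid_t parent)
{
    int status;
    if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == -1)
        return -1;
    waitpid(parent, &status, 0);               /* attach stops the tracee */
    ptrace(PTRACE_CONT, parent, NULL, NULL);
    char taskdir[64];
    snprintf(taskdir, sizeof taskdir, "/proc/%ld/task", (long)parent);
    int last = -1;
    for (;;) {
        /* Forward any signal that stopped the tracee since the last scan;
         * a real tracer would block in waitpid() instead of polling. */
        if (waitpid(parent, &status, WNOHANG) == parent && WIFSTOPPED(status))
            ptrace(PTRACE_CONT, parent, NULL, (void *)(long)WSTOPSIG(status));
        long ids[256];
        int n = enumerate_task_dirs(taskdir, ids, 256);
        if (n < 0)
            return 0; /* parent is gone; the listing instead spins on opendir() */
        if (n != last) {
            fprintf(stderr, "[watchdog] parent %ld has %d threads\n", (long)parent, n);
            last = n;
        }
        sleep(2);
    }
}

int main(void)
{
    pid_t parent = getpid();
    pid_t child = fork();
    if (child == 0) {
        run_watchdog(parent);
        _exit(0);
    }
    sleep(1); /* let the child attach */
    printf("pid %ld: TracerPid = %ld (watchdog child is %ld)\n", (long)parent,
           tracer_pid_of("/proc/self/status"), (long)child);
    sleep(5);
    return 0;
}
```

Build with `gcc -o watchdog watchdog.c` and run it; while it sleeps, `grep TracerPid /proc/<pid>/status` from another shell shows the child's pid, and `gdb -p <pid>` fails with EPERM, which is exactly the effect the hardened app gets from its child. Note the deliberate difference from the listing: if the parent disappears the watchdog returns, whereas the real loop keeps retrying opendir() forever.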


Latest replies (3)

#2 隔壁雷哥, 6 days ago:
沙发 (first reply)

#3 龙飞雪, 6 days ago:
Nice analysis, bumping it.

#4 phyman, 6 days ago, replying to 龙飞雪 ("Nice analysis, bumping it."):
Thanks. If you have any good samples, please share them; I really want to analyze something new.



©2000-2017 看雪学院 (Pediy) | Based on Xiuno BBS | Bandwidth sponsored by 知道创宇 | WeChat: ikanxue | 京ICP备10040895号-17