mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)
	Merge branch 'master' of github.com:HackTricks-wiki/hacktricks
commit 263d2a3b50
				| @ -171,6 +171,18 @@ When the information is saved in logs you can **check statistics like how many t | |||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
|  | ### Android in-app native telemetry (no root) | ||||||
|  | 
 | ||||||
|  | On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback. | ||||||
|  | 
 | ||||||
|  | See the Android native reversing page for setup details and log paths: | ||||||
|  | 
 | ||||||
|  | {{#ref}} | ||||||
|  | ../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md | ||||||
|  | {{#endref}} | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
| ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers) | ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers) | ||||||
| 
 | 
 | ||||||
| Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery. | Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery. | ||||||
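Review bot: the ordering claim in the new paragraph ("preloading a tiny logger library before other JNI libs initialize") does not hold for the `Application.onCreate` placement the parenthesis offers as an equal alternative to a static initializer. `Application.onCreate()` runs after `attachBaseContext()` and after every `ContentProvider.onCreate()` in the process, so any native library pulled in by a provider, by the `<clinit>` of a class initialized earlier, or by an `android:appComponentFactory` is already running by then. Suggest rewording to: put the `System.loadLibrary("sotap")` call in the `<clinit>` of the class named by `<application android:name=...>` (or in `attachBaseContext()`), and treat `onCreate` as a fallback that misses early loads. The same paragraph tells the reader to "drop libsotap.so for the right ABI into the APK" without saying that the repacked APK has to be re-signed with a different key; on a malware-triage page that deserves one sentence, since a sample with a signature or Play Integrity self-check will notice and change behaviour.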
| @ -262,5 +274,6 @@ idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+ | |||||||
| ## References | ## References | ||||||
| 
 | 
 | ||||||
| - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) | - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) | ||||||
|  | - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | {{#include ../../banners/hacktricks-training.md}} | ||||||
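Review bot: style point on the added reference line `- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](...)`: the entry directly above it puts the whole title inside the link (`- [Unit42 – Evolving Tactics of SLOW#TEMPEST: ...](https://...)`), so the list now mixes two conventions. Suggest `- [SoTap – Lightweight in-app JNI (.so) behavior logger](https://github.com/RezaArbabBot/SoTap)` to match. Since this page only points at SoTap through the `{{#ref}}` to `reversing-native-libraries.md`, and the identical entry is added to that page in the same commit, the reference could also live only there.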
| @ -63,6 +63,42 @@ Java.perform(function () { | |||||||
| ``` | ``` | ||||||
| Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.   | Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.   | ||||||
| 
 | 
 | ||||||
|  | ### Process-local JNI telemetry via preloaded .so (SoTap) | ||||||
|  | 
 | ||||||
|  | When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger inside the target process. SoTap is a lightweight Android native (.so) library that logs the runtime behavior of other JNI (.so) libraries within the same app process (no root required). | ||||||
|  | 
 | ||||||
|  | Key properties: | ||||||
|  | - Initializes early and observes JNI/native interactions inside the process that loads it. | ||||||
|  | - Persists logs using multiple writable paths with graceful fallback to Logcat when storage is restricted. | ||||||
|  | - Source-customizable: edit sotap.c to extend/adjust what gets logged and rebuild per ABI. | ||||||
|  | 
 | ||||||
|  | Setup (repack the APK): | ||||||
|  | 1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so: | ||||||
|  |    - lib/arm64-v8a/libsotap.so (for arm64) | ||||||
|  |    - lib/armeabi-v7a/libsotap.so (for arm32) | ||||||
|  | 2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example: | ||||||
|  |    ```smali | ||||||
|  |    const-string v0, "sotap" | ||||||
|  |    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V | ||||||
|  |    ``` | ||||||
|  | 3) Rebuild/sign/install, run the app, then collect logs. | ||||||
|  | 
 | ||||||
|  | Log paths (checked in order): | ||||||
|  | ``` | ||||||
|  | /data/user/0/%s/files/sotap.log | ||||||
|  | /data/data/%s/files/sotap.log | ||||||
|  | /sdcard/Android/data/%s/files/sotap.log | ||||||
|  | /sdcard/Download/sotap-%s.log | ||||||
|  | # If all fail: fallback to Logcat only | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Notes and troubleshooting: | ||||||
|  | - ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load. | ||||||
|  | - Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat. | ||||||
|  | - Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c. | ||||||
|  | 
 | ||||||
|  | This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available. | ||||||
|  | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ### Recent vulnerabilities worth hunting for in APKs | ### Recent vulnerabilities worth hunting for in APKs | ||||||
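Review bot: the "Log paths (checked in order)" block copies the C format strings verbatim and never says what `%s` is; tell the reader it expands to the app's package name, and that `/data/user/0/<pkg>/files` and `/data/data/<pkg>/files` are the same directory (`/data/data` is a symlink to `/data/user/0`). That matters because the section is headed "no root" while those two paths are app-private internal storage readable only by the app's own uid: without root they can be pulled only with `run-as <pkg>` (debuggable apps) or `adb backup`, so for a production build or a malware sample the realistic channel is the Logcat fallback (`adb logcat`) or the `/sdcard/Download/sotap-<pkg>.log` path, which in turn depends on the app having storage access. Two gaps in the "Setup (repack the APK)" steps: (1) the smali snippet writes `v0` without telling the reader to raise `.locals`/`.registers` or pick a register the method is not already using (the Smali page touched by this same commit gives exactly that advice), so as written it can clobber a live value; (2) if the manifest has `android:extractNativeLibs="false"`, the added `libsotap.so` must be stored uncompressed and page-aligned in the rebuilt APK (add it to `doNotCompress` in `apktool.yml`, then `zipalign -p 4`), otherwise the loader cannot map it from the archive and the result is the same `UnsatisfiedLinkError` that the troubleshooting list attributes only to an ABI mismatch.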
| @ -93,6 +129,9 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their | |||||||
| ### References | ### References | ||||||
| 
 | 
 | ||||||
| - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)   | - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)   | ||||||
| - NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)  | - NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) | ||||||
|  | - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) | ||||||
|  | - SoTap Releases – [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases) | ||||||
|  | - How to work with SoTap? – [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13) | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | {{#include ../../banners/hacktricks-training.md}} | ||||||
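Review bot: the third new entry, `How to work with SoTap? – [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)`, is a Telegram channel post: it is not archivable, can be edited or deleted at any time, and is unreachable from many networks, so it does not belong beside the NVD and frida.re entries. If the walkthrough exists in the repository README or wiki, link that; otherwise drop the line. The `SoTap Releases` entry duplicates the repository link one line above and adds nothing a reader cannot reach from it; the list elsewhere keeps one entry per source.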
| @ -1,4 +1,4 @@ | |||||||
| # Smali - Decompiling/\[Modifying]/Compiling | # Smali - Decompiling/[Modifying]/Compiling | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | {{#include ../../banners/hacktricks-training.md}} | ||||||
| 
 | 
 | ||||||
| @ -25,7 +25,7 @@ If **apktool** gives you any error, try[ installing the **latest version**](http | |||||||
| 
 | 
 | ||||||
| Some **interesting files you should look are**: | Some **interesting files you should look are**: | ||||||
| 
 | 
 | ||||||
| - _res/values/strings.xml_ (and all xmls inside res/values/\*) | - _res/values/strings.xml_ (and all xmls inside res/values/*) | ||||||
| - _AndroidManifest.xml_ | - _AndroidManifest.xml_ | ||||||
| - Any file with extension _.sqlite_ or _.db_ | - Any file with extension _.sqlite_ or _.db_ | ||||||
| 
 | 
 | ||||||
| @ -162,7 +162,7 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin | |||||||
| 
 | 
 | ||||||
| Recommendations: | Recommendations: | ||||||
| 
 | 
 | ||||||
| - If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \<number>_ and the declarations of the variables (_const v0, 0x1_) | - If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local <number>_ and the declarations of the variables (_const v0, 0x1_) | ||||||
| - If you want to put the logging code in the middle of the code of a function: | - If you want to put the logging code in the middle of the code of a function: | ||||||
|   - Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_ |   - Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_ | ||||||
|   - The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). |   - The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). | ||||||
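Review bot: changing `_.local \<number>_` to `_.local <number>_` breaks rendering rather than fixing it. In CommonMark `<number>` is a valid raw HTML open tag, so mdBook passes it through and the browser shows `.local ` with nothing after it. Keep the backslash, or better, put the token in a code span so it is literal. While on this line: the smali directive is `.locals`, not `.local`, as the next bullet (`.locals 10` to `.locals 12`) already shows; the typo predates this hunk but the line is being edited anyway.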
| @ -186,8 +186,42 @@ move-result-object v12 | |||||||
| invoke-virtual {v12}, Landroid/widget/Toast;->show()V | invoke-virtual {v12}, Landroid/widget/Toast;->show()V | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | ### Loading a Native Library at Startup (System.loadLibrary) | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | Sometimes you need to preload a native library so it initializes before other JNI libs (e.g., to enable process-local telemetry/logging). You can inject a call to System.loadLibrary() in a static initializer or early in Application.onCreate(). Example smali for a static class initializer (<clinit>): | ||||||
| 
 | 
 | ||||||
|  | ```smali | ||||||
|  | .class public Lcom/example/App; | ||||||
|  | .super Landroid/app/Application; | ||||||
| 
 | 
 | ||||||
|  | .method static constructor <clinit>()V | ||||||
|  |     .registers 1 | ||||||
|  |     const-string v0, "sotap"         # library name without lib...so prefix | ||||||
|  |     invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V | ||||||
|  |     return-void | ||||||
|  | .end method | ||||||
|  | ``` | ||||||
| 
 | 
 | ||||||
|  | Alternatively, place the same two instructions at the start of your Application.onCreate() to ensure the library loads as early as possible: | ||||||
|  | 
 | ||||||
|  | ```smali | ||||||
|  | .method public onCreate()V | ||||||
|  |     .locals 1 | ||||||
|  |      | ||||||
|  |     const-string v0, "sotap" | ||||||
|  |     invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V | ||||||
|  | 
 | ||||||
|  |     invoke-super {p0}, Landroid/app/Application;->onCreate()V | ||||||
|  |     return-void | ||||||
|  | .end method | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Notes: | ||||||
|  | - Make sure the correct ABI variant of the library exists under lib/<abi>/ (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError. | ||||||
|  | - Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity. | ||||||
|  | 
 | ||||||
|  | ## References | ||||||
|  | 
 | ||||||
|  | - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) | ||||||
|  | 
 | ||||||
|  | {{#include ../../banners/hacktricks-training.md}} | ||||||
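Review bot: the same raw-HTML problem appears twice in the new prose: `(<clinit>)` in the lead-in sentence and `lib/<abi>/` in the first note are unescaped, so Markdown treats `<clinit>` and `<abi>` as HTML tags and they vanish from the rendered page; wrap both in backticks. Second, the sentence introducing the `onCreate()` variant says it loads the library "as early as possible", which contradicts the note two paragraphs later that the static initializer is the early option: `Application.onCreate()` runs after `attachBaseContext()` and after all `ContentProvider.onCreate()` calls, so `<clinit>` is earlier and `onCreate` is the later fallback. The note's "guarantees the native logger can observe subsequent JNI activity" is likewise too strong; it only holds for libraries loaded after the Application class is initialized, so anything done by an `android:appComponentFactory` or by a library the runtime itself loads is missed. Third, the `.class public Lcom/example/App;` example only takes effect if the manifest's `<application android:name="...">` points at that class, or if the `<clinit>` is added to the app's existing Application subclass; say which, because a freshly dropped class that nothing references is never initialized. Minor: the comment `# library name without lib...so prefix` should read "without the `lib` prefix and `.so` suffix", and the two snippets use `.registers 1` and `.locals 1` for the same purpose; both are valid smali, but the rest of the page only ever talks about `.locals`, so pick that one.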