maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Browse Source
This commit is contained in:
carlospolop 2025-09-04 11:14:20 +02:00
commit a2fb5a5cdd
3 changed files with 92 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
View File

@ -171,6 +171,18 @@ When the information is saved in logs you can **check statistics like how many t
---
### Android in-app native telemetry (no root)
On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback.
See the Android native reversing page for setup details and log paths:
{{#ref}}
../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
{{#endref}}
---
## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
@ -262,5 +274,6 @@ idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
## References
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}

39
src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
View File

@ -63,6 +63,42 @@ Java.perform(function () {
```
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks.
### Process-local JNI telemetry via preloaded .so (SoTap)
When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger inside the target process. SoTap is a lightweight Android native (.so) library that logs the runtime behavior of other JNI (.so) libraries within the same app process (no root required).
Key properties:
- Initializes early and observes JNI/native interactions inside the process that loads it.
- Persists logs using multiple writable paths with graceful fallback to Logcat when storage is restricted.
- Source-customizable: edit sotap.c to extend/adjust what gets logged and rebuild per ABI.
Setup (repack the APK):
1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so:
- lib/arm64-v8a/libsotap.so (for arm64)
- lib/armeabi-v7a/libsotap.so (for arm32)
2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example:
```smali
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
```
3) Rebuild/sign/install, run the app, then collect logs.
Log paths (checked in order):
```
/data/user/0/%s/files/sotap.log
/data/data/%s/files/sotap.log
/sdcard/Android/data/%s/files/sotap.log
/sdcard/Download/sotap-%s.log
# If all fail: fallback to Logcat only
```
Notes and troubleshooting:
- ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger wont load.
- Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat.
- Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c.
This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks arent available.
---
### Recent vulnerabilities worth hunting for in APKs
@ -94,5 +130,8 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
- SoTap Releases [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases)
- How to work with SoTap? [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)
{{#include ../../banners/hacktricks-training.md}}

46
src/mobile-pentesting/android-app-pentesting/smali-changes.md
View File

@ -1,4 +1,4 @@
# Smali - Decompiling/\[Modifying]/Compiling
# Smali - Decompiling/[Modifying]/Compiling
{{#include ../../banners/hacktricks-training.md}}
@ -25,7 +25,7 @@ If **apktool** gives you any error, try[ installing the **latest version**](http
Some **interesting files you should look are**:
- _res/values/strings.xml_ (and all xmls inside res/values/\*)
- _res/values/strings.xml_ (and all xmls inside res/values/*)
- _AndroidManifest.xml_
- Any file with extension _.sqlite_ or _.db_
@ -162,7 +162,7 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin
Recommendations:
- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \<number>_ and the declarations of the variables (_const v0, 0x1_)
- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local <number>_ and the declarations of the variables (_const v0, 0x1_)
- If you want to put the logging code in the middle of the code of a function:
- Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_
- The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0).
@ -186,8 +186,42 @@ move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
```
### Loading a Native Library at Startup (System.loadLibrary)
Sometimes you need to preload a native library so it initializes before other JNI libs (e.g., to enable process-local telemetry/logging). You can inject a call to System.loadLibrary() in a static initializer or early in Application.onCreate(). Example smali for a static class initializer (<clinit>):
```smali
.class public Lcom/example/App;
.super Landroid/app/Application;
.method static constructor <clinit>()V
.registers 1
const-string v0, "sotap" # library name without lib...so prefix
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
return-void
.end method
```
Alternatively, place the same two instructions at the start of your Application.onCreate() to ensure the library loads as early as possible:
```smali
.method public onCreate()V
.locals 1
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
invoke-super {p0}, Landroid/app/Application;->onCreate()V
return-void
.end method
```
Notes:
- Make sure the correct ABI variant of the library exists under lib/<abi>/ (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError.
- Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity.
## References
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}