maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/generic-methodologies-and-resources/basic-forensic-meth

Browse Source
This commit is contained in:
Translator 2025-09-04 02:41:18 +00:00
parent 64ad895e9c
commit e2088670d8
3 changed files with 218 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
View File

@ -1,8 +1,8 @@
# Uchambuzi wa Malware
# Malware Uchambuzi
{{#include ../../banners/hacktricks-training.md}}
## Karatasi za Udanganyifu za Forensics
## CheatSheets za Forensics
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
@ -14,7 +14,7 @@
- [Intezer](https://analyze.intezer.com)
- [Any.Run](https://any.run/)
## Zana za Antivirus na Ugunduzi za Offline
## Zana za Antivirus na Ugunduzi Zisizo Mtandaoni
### Yara
@ -22,10 +22,10 @@
```bash
sudo apt-get install -y yara
```
#### Andaa sheria
#### Tayarisha rules
Tumia skripti hii kupakua na kuunganisha sheria zote za yara malware kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda saraka ya _**rules**_ na uitekeleze. Hii itaunda faili inayoitwa _**malware_rules.yar**_ ambayo ina sheria zote za yara za malware.
Tumia script hii kupakua na kuunganisha yote yara malware rules kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda saraka ya _**rules**_ na uiendeshe. Hii itaunda faili iitwayo _**malware_rules.yar**_ ambayo ina yara rules zote za malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
@ -36,9 +36,9 @@ python malware_yara_rules.py
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa malware na Unda sheria
#### YaraGen: Angalia malware na unda yara rules
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kutengeneza yara rules kutoka kwa binary. Angalia mafunzo haya: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
@ -49,7 +49,7 @@ python3.exe yarGen.py --excludegood -m ../../mals/
```
sudo apt-get install -y clamav
```
#### Scan
#### Skana
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
@ -57,26 +57,26 @@ clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** inagundua uwezo wa **hatari** katika executable: PE, ELF, .NET. Hivyo itapata mambo kama mbinu za Att\&ck, au uwezo wa kushangaza kama:
**Capa** hugundua inaweza kuwa hatari **sifa** katika faili zinazotekelezeka: PE, ELF, .NET. Hivyo itaona vitu kama Att\&ck tactics, au sifa zenye shaka kama:
- angalia kosa la OutputDebugString
- endesha kama huduma
- tengeneza mchakato
- angalia OutputDebugString error
- run as a service
- create process
Pata katika [**Github repo**](https://github.com/mandiant/capa).
Pata kwenye [**Github repo**](https://github.com/mandiant/capa).
### IOCs
IOC inamaanisha Kielelezo cha Kuathiriwa. IOC ni seti ya **masharti yanayobaini** baadhi ya programu zisizohitajika au **malware** iliyothibitishwa. Timu za Blue hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili za hatari** katika **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inatambuliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, timu nyingine za Blue zinaweza kuitumia ili kutambua malware hiyo haraka.
IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **vigezo vinavyoitambulisha** baadhi ya programu zinazoweza kutakiwa au kuthibitishwa kuwa **malware**. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hizi za faili zenye madhara** katika **mifumo** na **mitandao** yao.\
Kushiriki ufafanuzi hizi ni muhimu kwa sababu wakati malware inapotambuliwa kwenye kompyuta na IOC ya malware hiyo ikianzishwa, Blue Teams wengine wanaweza kuitumia kutambua malware kwa haraka.
Zana ya kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) ili **kutafuta IOCs zilizofafanuliwa kwenye kifaa**.
Chombo cha kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta **IOCs zilizofafanuliwa kwenye kifaa**.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Kuathiriwa.\
Ugunduzi unategemea mbinu nne za ugunduzi:
[**Loki**](https://github.com/Neo23x0/Loki) ni scanner kwa Simple Indicators of Compromise.\
Ugundaji unategemea mbinu nne za kugundua:
```
1. File Name IOC
Regex match on full file path/name
@ -92,41 +92,41 @@ Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya mwenyeji wa pamoja. Inatumia data za vitisho kutoka kwa mifumo ya kugundua uvamizi kwenye ukingo wa mtandao ili kutoa malware inayotumika kwa shambulio na kuunda saini za kugundua. Zaidi ya hayo, data za vitisho pia zinatokana na michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware.
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni scan ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyobuniwa kuangalia vitisho vinavyokumbwa katika mazingira ya hosting ya pamoja. Inatumia data za vitisho kutoka kwa mfumo wa kugundua uvamizi kwenye mipaka ya mtandao ili kupata malware zinazotumika katika mashambulio na kuzalisha saini za kugundua. Zaidi ya hayo, data za vitisho hupatikana pia kutoka kwa michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii za malware.
### rkhunter
Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) zinaweza kutumika kuangalia mfumo wa faili kwa ajili ya **rootkits** na malware.
Vyombo kama [**rkhunter**](http://rkhunter.sourceforge.net) vinaweza kutumika kukagua filesystem kwa uwezekano wa **rootkits** na malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) ni chombo ambacho kitajaribu kupata nyuzi zilizofichwa ndani ya executable kwa kutumia mbinu tofauti.
[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayejaribu kupata obfuscated strings ndani ya executables kwa kutumia mbinu mbalimbali.
### PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper) inakagua mambo ya msingi ndani ya executable (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).
[PEpper ](https://github.com/Th3Hurrican3/PEpper) huchunguza mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, some yara rules).
### PEstudio
[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata taarifa za Windows executables kama vile imports, exports, headers, lakini pia kitakagua virus total na kupata mbinu za Att\&ck zinazoweza kuwa.
[PEstudio](https://www.winitor.com/download) ni zana inayowezesha kupata taarifa za Windows executables kama imports, exports, headers, lakini pia itakagua virus total na kubaini potential Att\&ck techniques.
### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni chombo cha kugundua kama faili ime **encrypted** na pia kupata **packers**.
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ime **encrypted** na pia kupata **packers**.
### NeoPI
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia mbinu mbalimbali za **statistical methods** kugundua maudhui yaliyofichwa na **encrypted** ndani ya faili za maandiko/script. Kusudi lililokusudiwa la NeoPI ni kusaidia katika **detection of hidden web shell code**.
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia aina mbalimbali za **statistical methods** kugundua **obfuscated** na **encrypted** content ndani ya text/script files. Madhumuni ya NeoPI ni kusaidia katika **detection of hidden web shell code**.
### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inajitahidi sana kugundua **obfuscated**/**dodgy code** pamoja na faili zinazotumia **PHP** functions ambazo mara nyingi hutumiwa katika **malwares**/webshells.
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) hufanya kila iwezalo kugundua **obfuscated**/**dodgy code** pamoja na files zinazotumia **PHP** functions zinazotumiwa mara kwa mara na **malwares**/webshells.
### Apple Binary Signatures
Unapokagua baadhi ya **malware sample** unapaswa kila wakati **check the signature** ya binary kwani **developer** aliyeisaini inaweza kuwa tayari **related** na **malware.**
Wakati wa kukagua baadhi ya **malware sample** unapaswa kila mara **check the signature** ya binary kwani **developer** aliyesaini anaweza kuwa tayari **related** na **malware**.
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
@ -137,29 +137,41 @@ codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Mbinu za Kugundua
## Detection Techniques
### Kuunganisha Faili
### File Stacking
Ikiwa unajua kwamba folda fulani inayoshikilia **faili** za seva ya wavuti ilifanywa **kupdate kwa tarehe fulani**. **Angalia** **tarehe** zote za **faili** katika **seva ya wavuti zilizoumbwa na kubadilishwa** na ikiwa tarehe yoyote ni **ya kushangaza**, angalia faili hiyo.
Ikiwa unajua kwamba folda fulani iliyo na **faili** za seva ya wavuti ilisasishwa **mwisho tarehe fulani**, **angalia** **tarehe** ambazo **faili** zote kwenye **seva ya wavuti** ziliundwa na kubadilishwa, na ikiwa tarehe yoyote ni **ya kushuku**, angalia faili hiyo.
### Msingi
### Baselines
Ikiwa faili za folda **hazipaswi kubadilishwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kulinganisha** na zile za **sasa**. Kila kitu kilichobadilishwa kitakuwa **cha kushangaza**.
Kama **faili** za folda **hazikutakiwa kubadilishwa**, unaweza kuhesabu **hash** ya **faili za awali** za folda na kuzi **linganisha** na za **sasa**. Kile chochote kilichobadilishwa kitakuwa **cha kushuku**.
### Uchambuzi wa Takwimu
### Statistical Analysis
Wakati habari inahifadhiwa katika kumbukumbu unaweza **kuangalia takwimu kama vile ni mara ngapi kila faili ya seva ya wavuti ilifikiriwa kama shell ya wavuti inaweza kuwa moja ya**.
Wakati taarifa zinahifadhiwa kwenye logs unaweza **kuangalia takwimu, kwa mfano ni mara ngapi kila faili ya seva ya wavuti ilifikiwa, kwani web shell inaweza kuwa miongoni mwa zilizofikiwa mara nyingi**.
---
## Kuondoa Ufafanuzi wa Mwelekeo wa Kudumu (JMP/CALL RAX Dispatchers)
### Android in-app native telemetry (no root)
Familia za kisasa za malware zinatumia sana ufichaji wa Mchoro wa Mwelekeo (CFG): badala ya kuruka/kuita moja kwa moja wanahesabu marudio wakati wa utendaji na kutekeleza `jmp rax` au `call rax`. *Dispatcher* ndogo (kawaida maagizo tisa) inaweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeleaji wa static CFG.
On Android, unaweza kuiweka instrument native code ndani ya mchakato wa target app kwa preload library ndogo ya logger kabla libraries nyingine za JNI hazijaanzishwa. Hii inatoa uonekano wa mapema juu ya tabia za native bila hooks za mfumo mzima au root. Mbinu maarufu ni SoTap: weka libsotap.so kwa ABI sahihi ndani ya APK na ingiza wito wa System.loadLibrary("sotap") mapema (mfano, static initializer au Application.onCreate), kisha ukusanye logs kutoka njia za ndani/za nje au kwa fallback ya Logcat.
Mbinu hii iliyowasilishwa na mzigo wa SLOW#TEMPEST inaweza kushindwa kwa mchakato wa hatua tatu unaotegemea tu IDAPython na emulator ya CPU ya Unicorn.
See the Android native reversing page for setup details and log paths:
### 1. Pata kila kuruka / kuita isiyo ya moja kwa moja
{{#ref}}
../../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
{{#endref}}
---
## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Familia za kisasa za malware zinatumia kupitiliza obfuscation ya Control-Flow Graph (CFG): badala ya jump/call ya moja kwa moja wanahesabu marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. *dispatcher* ndogo (kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeshaji wa CFG kwa static.
The technique showcased by the SLOW#TEMPEST loader can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
### 1. Pata kila jump / call isiyo ya moja kwa moja
```python
import idautils, idc
@ -183,7 +195,7 @@ size = jmp_ea + idc.get_item_size(jmp_ea) - start
code = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```
### 3. Iiga mara mbili kwa kutumia Unicorn
### 3. Iga mara mbili na Unicorn
```python
from unicorn import *
from unicorn.x86_const import *
@ -199,9 +211,9 @@ mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)
```
Kimbia `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya tawi *false* na *true*.
Endesha `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya matawi *false* na *true*.
### 4. Rudisha nyuma kuruka moja kwa moja / wito
### 4. Rekebisha tena direct jump / call
```python
import struct, ida_bytes
@ -210,27 +222,28 @@ op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
Baada ya kurekebisha, kulazimisha IDA kuchambua tena kazi ili CFG kamili na matokeo ya Hex-Rays yarudishwe:
Baada ya patching, lazimishe IDA kuchambua upya function ili CFG kamili na output ya Hex-Rays virudishwe:
```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```
### 5. Label indirect API calls
### 5. Lebo wito za API zisizo za moja kwa moja
Mara tu marudio halisi ya kila `call rax` yanapojulikana unaweza kumwambia IDA ni nini ili aina za parameta na majina ya mabadiliko yaweze kurejeshwa kiotomatiki:
Mara tu mahali halisi pa kila `call rax` linapojulikana, unaweza kumwambia IDA ni ipi ili aina za parameter & majina ya vigezo zirudishwe kiotomatiki:
```python
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
```
### Faida za Kivitendo
### Manufaa ya vitendo
* Inarejesha CFG halisi → decompilation inabadilika kutoka *10* mistari hadi maelfu.
* Inaruhusu cross-reference za nyuzi & xrefs, ikifanya ujenzi wa tabia kuwa rahisi.
* Scripts zinaweza kutumika tena: ziacha kwenye loader yoyote iliyo na ulinzi wa hila hiyo hiyo.
* Inarejesha CFG halisi → decompilation inatoka kwenye mistari *10* hadi maelfu.
* Huwezesha string-cross-reference & xrefs, ikifanya ujenzi upya wa tabia kuwa rahisi.
* Scripts zinaweza kutumika tena: ziweke ndani ya loader yoyote iliyolindwa na trick ile ile.
---
## Marejeleo
## Marejeo
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
- SoTap: logger mwepesi wa tabia ndani ya app wa JNI (.so) [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}

116
src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
View File

@ -2,47 +2,49 @@
{{#include ../../banners/hacktricks-training.md}}
**Kwa maelezo zaidi angalia:** [**https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html)
Programu za Android zinaweza kutumia maktaba za asili, ambazo kwa kawaida zimeandikwa kwa C au C++, kwa kazi zinazohitaji utendaji wa juu. Waumbaji wa programu za hasara pia wanatumia vibaya maktaba hizi kwa sababu vitu vya ELF vinavyoshirikiwa bado ni vigumu zaidi kutafsiri kuliko nambari ya byte ya DEX/OAT. Ukurasa huu unalenga kwenye *mifumo ya kazi* ya *vitendo* na *mboresho* ya zana za hivi karibuni (2023-2025) ambazo zinafanya kurudi nyuma kwa faili za Android `.so` kuwa rahisi.
**For further information check:** [**https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html)
Android apps can use native libraries, typically written in C or C++, for performance-critical tasks. Malware creators also abuse these libraries because ELF shared objects are still harder to decompile than DEX/OAT byte-code.
This page focuses on *practical* workflows and *recent* tooling improvements (2023-2025) that make reversing Android `.so` files easier.
---
### Mchakato wa haraka wa triage kwa `libfoo.so` iliyovutwa hivi karibuni
### Quick triage-workflow for a freshly pulled `libfoo.so`
1. **Toa maktaba**
1. **Extract the library**
```bash
# Kutoka kwa programu iliyosakinishwa
# From an installed application
adb shell "run-as <pkg> cat lib/arm64-v8a/libfoo.so" > libfoo.so
# Au kutoka kwa APK (zip)
# Or from the APK (zip)
unzip -j target.apk "lib/*/libfoo.so" -d extracted_libs/
```
2. **Tambua usanifu & ulinzi**
2. **Identify architecture & protections**
```bash
file libfoo.so # arm64 au arm32 / x86
readelf -h libfoo.so # OS ABI, PIE, NX, RELRO, nk.
file libfoo.so # arm64 or arm32 / x86
readelf -h libfoo.so # OS ABI, PIE, NX, RELRO, etc.
checksec --file libfoo.so # (peda/pwntools)
```
3. **Orodhesha alama zilizotolewa & viunganishi vya JNI**
3. **List exported symbols & JNI bindings**
```bash
readelf -s libfoo.so | grep ' Java_' # JNI iliyo na kiungo cha dinamik
strings libfoo.so | grep -i "RegisterNatives" -n # JNI iliyoandikishwa kwa statiki
readelf -s libfoo.so | grep ' Java_' # dynamic-linked JNI
strings libfoo.so | grep -i "RegisterNatives" -n # static-registered JNI
```
4. **Pakia kwenye decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper au Cutter/Rizin) na uendeshe uchambuzi wa kiotomatiki.
Toleo jipya la Ghidra limeleta decompiler ya AArch64 inayotambua PAC/BTI stubs na MTE tags, ikiboresha sana uchambuzi wa maktaba zilizojengwa na Android 14 NDK.
5. **Amua kati ya kurudi nyuma kwa statiki na dinamik:** nambari iliyondolewa, iliyofichwa mara nyingi inahitaji *kufanya kazi* (Frida, ptrace/gdbserver, LLDB).
4. **Load in a decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) and run auto-analysis.
Newer Ghidra versions introduced an AArch64 decompiler that recognises PAC/BTI stubs and MTE tags, greatly improving analysis of libraries built with the Android 14 NDK.
5. **Decide on static vs dynamic reversing:** stripped, obfuscated code often needs *instrumentation* (Frida, ptrace/gdbserver, LLDB).
---
### Ufunguo wa Dinamik (Frida ≥ 16)
### Dynamic Instrumentation (Frida ≥ 16)
Mfululizo wa 16 wa Frida ulileta maboresho kadhaa maalum kwa Android ambayo yanasaidia wakati lengo linatumia uboreshaji wa kisasa wa Clang/LLD:
Fridas 16-series brought several Android-specific improvements that help when the target uses modern Clang/LLD optimisations:
* `thumb-relocator` sasa inaweza *kuunganisha kazi ndogo za ARM/Thumb* zinazozalishwa na usawa mkali wa LLD (`--icf=all`).
* Kuorodhesha na kuunganisha *vitu vya uagizaji vya ELF* inafanya kazi kwenye Android, ikiruhusu urekebishaji wa `dlopen()`/`dlsym()` kwa kila moduli wakati viunganishi vya ndani vinakataliwa.
* Kuunganisha Java kuliwekwa sawa kwa **ART quick-entrypoint** mpya inayotumika wakati programu zinapojengwa na `--enable-optimizations` kwenye Android 14.
* `thumb-relocator` can now *hook tiny ARM/Thumb functions* generated by LLDs aggressive alignment (`--icf=all`).
* Enumerating and rebinding *ELF import slots* works on Android, enabling per-module `dlopen()`/`dlsym()` patching when inline hooks are rejected.
* Java hooking was fixed for the new **ART quick-entrypoint** used when apps are compiled with `--enable-optimizations` on Android 14.
Mfano: kuorodhesha kazi zote zilizorekebishwa kupitia `RegisterNatives` na kutupa anwani zao wakati wa wakati wa kukimbia:
Example: enumerating all functions registered through `RegisterNatives` and dumping their addresses at runtime:
```javascript
Java.perform(function () {
var Runtime = Java.use('java.lang.Runtime');
@ -59,38 +61,76 @@ console.log('[+] RegisterNatives on ' + clazz.getName() + ' -> ' + count + ' met
});
});
```
Frida itafanya kazi moja kwa moja kwenye vifaa vya PAC/BTI (Pixel 8/Android 14+) mradi utumie frida-server 16.2 au baadaye toleo la awali lilishindwa kupata padding kwa ajili ya hooks za ndani. citeturn5search2turn5search0
Frida itaenda moja kwa moja kwenye vifaa vinavyounga mkono PAC/BTI (Pixel 8/Android 14+) mradi tu unatumia frida-server 16.2 au baadaye toleo za mapema zilishindwa kupata padding kwa inline hooks.
### Telemetri ya JNI ndani ya mchakato kupitia .so iliyopakiwa kabla (SoTap)
Wakati instrumentation yenye sifa kamili ni ya ziada au imezuiwa, bado unaweza kupata uonekano wa ngazi ya native kwa kupakia kabla logger ndogo ndani ya mchakato lengwa. SoTap ni maktaba nyepesi ya Android native (.so) inayorekodi tabia za runtime za maktaba nyingine za JNI (.so) ndani ya mchakato moja la app (no root required).
Sifa kuu:
- Inaanzishwa mapema na inafuatilia mwingiliano wa JNI/native ndani ya mchakato unaoipakia.
- Inahifadhi logi kwa kutumia njia kadhaa zinazoweza kuandikwa na inarudi kwa Logcat kwa upole wakati uhifadhi umepunguzwa.
- Inayoweza kubadilishwa kwa chanzo: hariri sotap.c ili kupanua/kubadilisha kinachorekodiwa na ujenge tena kwa kila ABI.
Usanidi (repack the APK):
1) Weka build sahihi ya ABI ndani ya APK ili loader iweze kutatua libsotap.so:
- lib/arm64-v8a/libsotap.so (for arm64)
- lib/armeabi-v7a/libsotap.so (for arm32)
2) Hakikisha SoTap inapakiwa kabla ya maktaba nyingine za JNI. Weka wito mapema (km., Application subclass static initializer au onCreate) ili logger ianzishwe kwanza. Mfano wa snippet ya Smali:
```smali
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
```
3) Jenga upya/sign/install, endesha app, kisha kusanya logi.
Log paths (checked in order):
```
/data/user/0/%s/files/sotap.log
/data/data/%s/files/sotap.log
/sdcard/Android/data/%s/files/sotap.log
/sdcard/Download/sotap-%s.log
# If all fail: fallback to Logcat only
```
Notes and troubleshooting:
- Ulinganifu wa ABI ni lazima. Kosa la mismatch litasababisha UnsatisfiedLinkError na logger haitapakia.
- Vizuizi vya uhifadhi ni kawaida kwenye Android za kisasa; ikiwa uandishi wa faili unashindwa, SoTap bado itaonyesha kupitia Logcat.
- Tabia/uvuvi wa taarifa (behavior/verbosity) imetengenezwa ili kurekebishwa; jenga tena kutoka source baada ya kuhariri sotap.c.
Njia hii ni muhimu kwa malware triage na JNI debugging ambapo kuangalia mtiririko wa antcall za native tangu kuanzishwa kwa process ni muhimu lakini root/kuweka hooks za mfumo mzima hazipatikani.
---
### Uthibitisho wa hivi karibuni unaofaa kutafutwa katika APKs
### Toleo la hivi karibuni la udhaifu zinazostahili kutafutwa ndani ya APKs
| Mwaka | CVE | Maktaba iliyoathirika | Maelezo |
| Year | CVE | Affected library | Notes |
|------|-----|------------------|-------|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Overflow ya buffer ya heap inayoweza kufikiwa kutoka kwa msimbo wa asili unaodecode picha za WebP. Programu kadhaa za Android zinakusanya toleo zenye udhaifu. Unapokutana na `libwebp.so` ndani ya APK, angalia toleo lake na jaribu kutumia au kurekebisha.| citeturn2search0|
|2024|Mbalimbali|Mfululizo wa OpenSSL 3.x|Masuala kadhaa ya usalama wa kumbukumbu na padding-oracle. Mifuko mingi ya Flutter & ReactNative inasafirisha `libcrypto.so` zao wenyewe.|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
|2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
Unapokutana na *faili za .so* za upande wa tatu ndani ya APK, kila wakati thibitisha hash zao dhidi ya taarifa za juu. SCA (Software Composition Analysis) sio ya kawaida kwenye simu, hivyo toleo za zamani zenye udhaifu ni nyingi.
Unapoona faili za *third-party* `.so` ndani ya APK, daima linganisha hash yao dhidi ya advisories za upstream. SCA (Software Composition Analysis) haijaenea sana kwenye mobile, hivyo builds zilizozee na zilizo na udhaifu ni nyingi.
---
### Mwelekeo wa Kupinga Kurejea & Kuimarisha (Android 13-15)
### Mwelekeo ya Anti-Reversing & Hardening (Android 13-15)
* **Uthibitisho wa Pointer (PAC) & Utambulisho wa Lengo la Tawi (BTI):** Android 14 inaruhusu PAC/BTI katika maktaba za mfumo kwenye silicon inayounga mkono ARMv8.3+. Decompilers sasa zinaonyesha pseudo-maagizo yanayohusiana na PAC; kwa uchambuzi wa dynamic Frida inaingiza trampolines *baada ya* kuondoa PAC, lakini trampolines zako za kawaida zinapaswa kuita `pacda`/`autibsp` inapohitajika.
* **MTE & Scudo allocator iliyoimarishwa:** utagu wa kumbukumbu ni wa hiari lakini programu nyingi zinazojua Play-Integrity zinajengwa na `-fsanitize=memtag`; tumia `setprop arm64.memtag.dump 1` pamoja na `adb shell am start ...` ili kukamata makosa ya tag.
* **LLVM Obfuscator (predicates zisizo wazi, kupunguza mtiririko wa udhibiti):** pakers za kibiashara (mfano, Bangcle, SecNeo) zinaendelea kulinda *msimbo* wa asili, sio tu Java; tarajia mtiririko wa udhibiti wa uwongo na blobs za nyuzi zilizofichwa katika `.rodata`.
* **Pointer Authentication (PAC) & Branch Target Identification (BTI):** Android 14 inawasha PAC/BTI katika system libraries kwenye silicon inayounga mkono ARMv8.3+. Decompilers sasa zinaonyesha pseudo-instructions zinazohusiana na PAC; kwa dynamic analysis Frida huingiza trampolines *baada ya* kuondoa PAC, lakini trampolines zako za custom zinapaswa kuita `pacda`/`autibsp` pale inapohitajika.
* **MTE & Scudo hardened allocator:** memory-tagging ni opt-in lakini apps nyingi zinazoelewa Play-Integrity hujenga kwa `-fsanitize=memtag`; tumia `setprop arm64.memtag.dump 1` pamoja na `adb shell am start ...` ili kukamata tag faults.
* **LLVM Obfuscator (opaque predicates, control-flow flattening):** packers za kibiashara (mfano, Bangcle, SecNeo) mara nyingi zinazuia natively code, sio Java pekee; tarajia control-flow bandia na blob za strings zilizofumwa katika `.rodata`.
---
### Rasilimali
### Resources
- **Kujifunza ARM Assembly:** [Azeria Labs Misingi ya ARM Assembly](https://azeria-labs.com/writing-arm-assembly-part-1/)
- **Dokumentesheni ya JNI & NDK:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Vidokezo vya Android JNI](https://developer.android.com/training/articles/perf-jni) · [Miongozo ya NDK](https://developer.android.com/ndk/guides/)
- **Kukarabati Maktaba za Asili:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
- **Learning ARM Assembly:** [Azeria Labs ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
- **JNI & NDK Documentation:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
- **Debugging Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
### Marejeleo
### References
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/) citeturn5search0
- NVD advisory kwa `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
- SoTap Releases [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases)
- How to work with SoTap? [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)
{{#include ../../banners/hacktricks-training.md}}

117
src/mobile-pentesting/android-app-pentesting/smali-changes.md
View File

@ -1,85 +1,86 @@
# Smali - Decompiling/\[Modifying]/Compiling
# Smali - Decompiling/[Modifying]/Compiling
{{#include ../../banners/hacktricks-training.md}}
Wakati mwingine ni ya kuvutia kubadilisha msimbo wa programu ili kupata habari zilizofichwa kwako (labda nywila au bendera zilizofichwa vizuri). Kisha, inaweza kuwa ya kuvutia decompile apk, badilisha msimbo na ucompile tena.
**Marejeleo ya Opcodes:** [http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
Wakati mwingine inavutia kurekebisha msimbo wa programu ili kupata taarifa zilizofichwa kwako (labda nywila zilizofichwa vizuri au flags). Kisha, inaweza kuwa muhimu ku-decompile apk, kubadilisha msimbo na ku-recompile tena.
**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
## Njia ya Haraka
Kwa kutumia **Visual Studio Code** na nyongeza ya [APKLab](https://github.com/APKLab/APKLab), unaweza **decompile kiotomatiki**, badilisha, **compile tena**, saini na kusakinisha programu bila kutekeleza amri yoyote.
Ukikitumia **Visual Studio Code** na extension ya [APKLab](https://github.com/APKLab/APKLab), unaweza **automatically decompile**, modify, **recompile**, sign & install the application bila kutekeleza amri yoyote.
**Script** nyingine inayorahisisha kazi hii sana ni [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh)
Another **script** that facilitates this task a lot is [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh)
## Decompile APK
## Decompile the APK
Kwa kutumia APKTool unaweza kufikia **msimbo wa smali na rasilimali**:
Ukigitumia APKTool unaweza kupata **smali code and resources**:
```bash
apktool d APP.apk
```
Ikiwa **apktool** inakupa makosa yoyote, jaribu [kusanidi **toleo jipya zaidi**](https://ibotpeaches.github.io/Apktool/install/)
Ikiwa **apktool** inakupa kosa lolote, jaribu[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
Baadhi ya **faili za kuvutia unapaswa kuangalia ni**:
Baadhi ya **mafaili ya kuvutia unayopaswa kuyatazama ni**:
- _res/values/strings.xml_ (na xml zote ndani ya res/values/\*)
- _res/values/strings.xml_ (na xml zote ndani ya res/values/*)
- _AndroidManifest.xml_
- Faili yoyote yenye kiendelezi _.sqlite_ au _.db_
- Faili yoyote yenye ugani _.sqlite_ au _.db_
Ikiwa `apktool` ina **shida katika kufafanua programu**, angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja **`-r`** (Usifafanue rasilimali). Kisha, ikiwa shida ilikuwa katika rasilimali na si katika msimbo wa chanzo, hutakuwa na shida hiyo (hutaweza pia kufafanua rasilimali).
Ikiwa `apktool` ina **matatizo ku-decode programu** angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja **`-r`** (Usidecode rasilimali). Kisha, ikiwa tatizo lilikuwa kwenye rasilimali na si kwenye msimbo wa chanzo, hautakuwa na tatizo hilo (pia hauta-decompile rasilimali).
## Badilisha msimbo wa smali
## Change smali code
Unaweza **kubadilisha** **maagizo**, kubadilisha **thamani** ya baadhi ya mabadiliko au **kuongeza** maagizo mapya. Ninabadilisha msimbo wa Smali kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha unasanidi **smalise extension** na mhariri atakuambia ikiwa kuna **agizo lolote lililo sahihi**.\
Baadhi ya **esemples** zinaweza kupatikana hapa:
Unaweza **kubadilisha** **maelekezo**, kubadilisha **thamani** ya baadhi ya vigezo au **kuongeza** maelekezo mapya. Mimi hubadilisha msimbo wa Smali kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha instalisha **smalise extension** na mhariri atakuambia ikiwa maelekezo yoyote ni yasiyo sahihi.\
Some **examples** can be found here:
- [Mifano ya mabadiliko ya Smali](smali-changes.md)
- [Google CTF 2018 - Je, Tutacheza Mchezo?](google-ctf-2018-shall-we-play-a-game.md)
- [Smali changes examples](smali-changes.md)
- [Google CTF 2018 - Shall We Play a Game?](google-ctf-2018-shall-we-play-a-game.md)
Au unaweza [**kuangalia hapa chini baadhi ya mabadiliko ya Smali yaliyoelezewa**](smali-changes.md#modifying-smali).
Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali).
## Recompile APK
## Recompile the APK
Baada ya kubadilisha msimbo unaweza **kurekebisha** msimbo kwa kutumia:
Baada ya kubadilisha msimbo unaweza **recompile** msimbo ukitumia:
```bash
apktool b . #In the folder generated when you decompiled the application
```
Itakuwa **nafasi** ya **kuunda** APK mpya **ndani** ya folda _**dist**_.
Ita **compile** APK mpya **inside** folda _**dist**_.
Ikiwa **apktool** itatoa **makosa**, jaribu[ kufunga **toleo jipya**](https://ibotpeaches.github.io/Apktool/install/)
Kama **apktool** ikitupa **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
### **Saini APK mpya**
Kisha, unahitaji **kuunda funguo** (utahitaji kupewa nenosiri na taarifa zingine ambazo unaweza kujaza kwa bahati):
Kisha, utahitaji **generate a key** (utaulizwa password na baadhi ya taarifa ambazo unaweza kujaza kwa nasibu):
```bash
keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>
```
Hatimaye, **saini** APK mpya:
Mwishowe, **saini** APK mpya:
```bash
jarsigner -keystore key.jks path/to/dist/* <your-alias>
```
### Optimize new application
### Boresha programu mpya
**zipalign** ni chombo cha kuoanisha archive ambacho kinatoa uboreshaji muhimu kwa faili za programu za Android (APK). [More information here](https://developer.android.com/studio/command-line/zipalign).
**zipalign** ni zana ya upangilio wa archive inayotoa uboreshaji muhimu kwa faili za Android application (APK). [Taarifa zaidi hapa](https://developer.android.com/studio/command-line/zipalign).
```bash
zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk
```
### **Saini APK mpya (tena?)**
Ikiwa unataka kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kutumia **ukandamizaji na** zipaling. LAKINI KUMBUKA KWAMBA UNAPASWA **KUSAINI PROGRAMU MARA MOJA TU** KWA jarsigner (kabla ya zipalign) AU KWA aspsigner (baada ya zipaling).
Ikiwa **unapendelea** kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kutumia **maboresho kwa** zipaling. LAKINI KUMBUKA KWAMBA UNAHITAJI **KUSAINI PROGRAMU MARA MOJA TU** NA jarsigner (kabla ya zipalign) AU NA aspsigner (baada ya zipaling).
```bash
apksigner sign --ks key.jks ./dist/mycompiled.apk
```
## Kubadilisha Smali
Kwa msimbo wa Hello World Java ufuatao:
Kwa msimbo ufuatao wa Hello World wa Java:
```java
public static void printHelloWorld() {
System.out.println("Hello World")
}
```
Kod ya Smali itakuwa:
Msimbo wa Smali utakuwa:
```java
.method public static printHelloWorld()V
.registers 2
@ -89,13 +90,13 @@ invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
```
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
Seti ya maagizo ya Smali inapatikana [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
### Mabadiliko ya Mwanga
### Mabadiliko Madogo
### Badilisha thamani za awali za kigezo ndani ya kazi
### Badilisha thamani za awali za variable ndani ya function
Baadhi ya vigezo vinafafanuliwa mwanzoni mwa kazi kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kufafanua mpya:
Baadhi ya variables zimetangazwa mwanzoni mwa function kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kuunda mpya:
```bash
#Number
const v9, 0xf4240
@ -128,7 +129,7 @@ goto :goto_6 #Always go to: :goto_6
```
### Mabadiliko Makubwa
### Kurekodi
### Logging
```bash
#Log win: <number>
iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
@ -139,17 +140,17 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin
```
Mapendekezo:
- Ikiwa unataka kutumia mabadiliko yaliyotangazwa ndani ya kazi (yaliyotangazwa v0,v1,v2...) weka mistari hii kati ya _.local \<nambari>_ na matangazo ya mabadiliko (_const v0, 0x1_)
- Ikiwa unataka kuweka msimbo wa kuandika katikati ya msimbo wa kazi:
- Ongeza 2 kwa idadi ya mabadiliko yaliyotangazwa: Mfano: kutoka _.locals 10_ hadi _.locals 12_
- Mabadiliko mapya yanapaswa kuwa nambari zinazofuata za mabadiliko yaliyotangazwa tayari (katika mfano huu yanapaswa kuwa _v10_ na _v11_, kumbuka kwamba inaanza na v0).
- Badilisha msimbo wa kazi ya kuandika na tumia _v10_ na _v11_ badala ya _v5_ na _v1_.
- Ikiwa utatumia variables zilizotangazwa ndani ya function (v0,v1,v2...) weka mistari hii kati ya _.local <number>_ na tamko la variables (_const v0, 0x1_)
- Ikiwa unataka kuweka logging code katikati ya code ya function:
- Ongeza 2 kwenye idadi ya variables zilizotangazwa: Mfano: kutoka _.locals 10_ hadi _.locals 12_
- Variables mpya ziwe nambari zinazofuata za variables zilizotangazwa awali (katika mfano huu ziwe _v10_ na _v11_, kumbuka inaanza kwa v0).
- Badilisha code ya logging function na tumia _v10_ na _v11_ badala ya _v5_ na _v1_.
### Toasting
Kumbuka kuongeza 3 kwa idadi ya _.locals_ mwanzoni mwa kazi.
Kumbuka kuongeza 3 kwenye idadi ya _.locals_ mwanzoni mwa function.
Msimbo huu umeandaliwa kuingizwa katika **katikati ya kazi** (**badilisha** nambari ya **mabadiliko** kama inavyohitajika). Itachukua **thamani ya this.o**, **kubadilisha** kuwa **String** na kisha **kufanya** **toast** na thamani yake.
Code hii imeandaliwa ili iingizwe katika **katikati ya function** (**badilisha** idadi ya **variables** inapohitajika). Itachukua **value ya this.o**, **iibadilishe** kuwa **String** kisha **itengeneze** **toast** yenye thamani yake.
```bash
const/4 v10, 0x1
const/4 v11, 0x1
@ -161,4 +162,38 @@ invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/
move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
```
### Kupakia Maktaba ya native mwanzoni (System.loadLibrary)
Wakati mwingine unahitaji kupakia awali maktaba ya native ili ianze kabla ya maktaba nyingine za JNI (kwa mfano, kuwezesha telemetry/logging ya mchakato pekee). Unaweza kuingiza mwito wa System.loadLibrary() katika static initializer au mapema katika Application.onCreate(). Mfano smali wa static class initializer (<clinit>):
```smali
.class public Lcom/example/App;
.super Landroid/app/Application;
.method static constructor <clinit>()V
.registers 1
const-string v0, "sotap" # library name without lib...so prefix
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
return-void
.end method
```
Badala yake, weka maagizo hayo mawili mwanzoni mwa Application.onCreate() ili kuhakikisha maktaba inapakia mapema iwezekanavyo:
```smali
.method public onCreate()V
.locals 1
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
invoke-super {p0}, Landroid/app/Application;->onCreate()V
return-void
.end method
```
Vidokezo:
- Hakikisha toleo sahihi la ABI la maktaba lipo chini ya lib/<abi>/ (kwa mfano, arm64-v8a/armeabi-v7a) ili kuepuka UnsatisfiedLinkError.
- Kupakia mapema sana (class static initializer) kunahakikisha native logger anaweza kuona shughuli za JNI zinazofuata.
## Marejeo
- SoTap: logger mdogo wa tabia za JNI (.so) ndani ya app [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
{{#include ../../banners/hacktricks-training.md}}