From f746f7c22838f9eddd9ab2f7ad37cf95ae91e4e2 Mon Sep 17 00:00:00 2001 From: Translator Date: Thu, 4 Sep 2025 09:33:36 +0000 Subject: [PATCH] Translated ['src/mobile-pentesting/android-app-pentesting/smali-changes. --- .../malware-analysis.md | 82 +++++++++---------- .../reversing-native-libraries.md | 74 ++++++++--------- .../android-app-pentesting/smali-changes.md | 68 +++++++-------- 3 files changed, 112 insertions(+), 112 deletions(-) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index 1eb547502..762a187f8 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md @@ -1,8 +1,8 @@ -# Malware Uchambuzi +# Malware Analysis {{#include ../../banners/hacktricks-training.md}} -## CheatSheets za Forensics +## Forensics CheatSheets [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/) @@ -14,7 +14,7 @@ - [Intezer](https://analyze.intezer.com) - [Any.Run](https://any.run/) -## Zana za Antivirus na Ugunduzi Zisizo Mtandaoni +## Zana za Antivirus na Utambuzi zisizo za Mtandaoni ### Yara 
@@ -22,10 +22,10 @@ ```bash sudo apt-get install -y yara ``` -#### Tayarisha rules +#### Andaa rules Tumia script hii kupakua na kuunganisha yote yara malware rules kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ -Unda saraka ya _**rules**_ na uiendeshe. Hii itaunda faili iitwayo _**malware_rules.yar**_ ambayo ina yara rules zote za malware. +Tengeneza saraka _**rules**_ kisha ukimbize script hiyo. Hii itaunda faili liitwalo _**malware_rules.yar**_ ambalo lina yara rules zote za malware. ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules @@ -36,7 +36,7 @@ python malware_yara_rules.py yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar folder #Scan the whole folder ``` -#### YaraGen: Angalia malware na unda yara rules +#### YaraGen: Kagua malware na unda rules Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kutengeneza yara rules kutoka kwa binary. Angalia mafunzo haya: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) ```bash @@ -57,7 +57,7 @@ clamscan folderpath #Scan the whole folder ``` ### [Capa](https://github.com/mandiant/capa) -**Capa** hugundua inaweza kuwa hatari **sifa** katika faili zinazotekelezeka: PE, ELF, .NET. Hivyo itaona vitu kama Att\&ck tactics, au sifa zenye shaka kama: +**Capa** inatambua uwezo unaoweza kuwa hatari katika executables: PE, ELF, .NET. Hivyo itapata mambo kama Att\&ck tactics, au uwezo wenye shaka kama: - angalia OutputDebugString error - run as a service 
@@ -67,16 +67,16 @@ Pata kwenye [**Github repo**](https://github.com/mandiant/capa). ### IOCs -IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **vigezo vinavyoitambulisha** baadhi ya programu zinazoweza kutakiwa au kuthibitishwa kuwa **malware**. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hizi za faili zenye madhara** katika **mifumo** na **mitandao** yao.\ -Kushiriki ufafanuzi hizi ni muhimu kwa sababu wakati malware inapotambuliwa kwenye kompyuta na IOC ya malware hiyo ikianzishwa, Blue Teams wengine wanaweza kuitumia kutambua malware kwa haraka. +IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **masharti yanayotambulisha** baadhi ya software zinazoweza kuwa haipendeki au kuthibitishwa kuwa **malware**. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili zenye madhara** katika **sistimu** na **mitandao** yao.\ +Kushirikisha ufafanuzi hivi ni muhimu sana; pale malware inapotambulika kwenye kompyuta na IOC kwa ajili ya malware hiyo ikitengenezwa, Blue Teams wengine wanaweza kuitumia kuitambua malware hiyo haraka zaidi. -Chombo cha kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ -Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta **IOCs zilizofafanuliwa kwenye kifaa**. +Chombo cha kuunda au kuhariri IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ +Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta **IOC zilizofafanuliwa kwenye kifaa**. ### Loki [**Loki**](https://github.com/Neo23x0/Loki) ni scanner kwa Simple Indicators of Compromise.\ -Ugundaji unategemea mbinu nne za kugundua: +Ugunduzi unategemea mbinu nne za utambuzi: ``` 1. File Name IOC Regex match on full file path/name 
@@ -92,41 +92,41 @@ Compares process connection endpoints with C2 IOCs (new since version v.10) ``` ### Linux Malware Detect -[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni scan ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyobuniwa kuangalia vitisho vinavyokumbwa katika mazingira ya hosting ya pamoja. Inatumia data za vitisho kutoka kwa mfumo wa kugundua uvamizi kwenye mipaka ya mtandao ili kupata malware zinazotumika katika mashambulio na kuzalisha saini za kugundua. Zaidi ya hayo, data za vitisho hupatikana pia kutoka kwa michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii za malware. +[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyoundwa kwa kuzingatia tishio zinazokumba mazingira yaliyoshirikiwa ya mwenyeji. Inatumia data za tishio kutoka kwa mifumo ya utambuzi wa uvamizi kwenye kingo za mtandao ili kutoa malware zinazotumika katika mashambulizi na kuzalisha saini za kugundua. Zaidi ya hayo, data za tishio hupatikana pia kutoka kwa mawasilisho ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware. ### rkhunter -Vyombo kama [**rkhunter**](http://rkhunter.sourceforge.net) vinaweza kutumika kukagua filesystem kwa uwezekano wa **rootkits** na malware. +Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) zinaweza kutumika kukagua filesystem kwa uwezekano wa **rootkits** na malware. ```bash sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress] ``` ### FLOSS -[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayejaribu kupata obfuscated strings ndani ya executables kwa kutumia mbinu mbalimbali. +[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayojaribu kutafuta obfuscated strings ndani ya executables kwa kutumia mbinu mbalimbali. 
### PEpper -[PEpper ](https://github.com/Th3Hurrican3/PEpper) huchunguza mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, some yara rules). +[PEpper ](https://github.com/Th3Hurrican3/PEpper)huchunguza baadhi ya mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, baadhi ya yara rules). ### PEstudio -[PEstudio](https://www.winitor.com/download) ni zana inayowezesha kupata taarifa za Windows executables kama imports, exports, headers, lakini pia itakagua virus total na kubaini potential Att\&ck techniques. +[PEstudio](https://www.winitor.com/download) ni zana inayoruhusu kupata taarifa za Windows executables kama imports, exports, headers, na pia itachunguza virus total na kutambua potential Att\&ck techniques. ### Detect It Easy(DiE) -[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ime **encrypted** na pia kupata **packers**. +[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ime**encrypted** na pia kutafuta **packers**. ### NeoPI -[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia aina mbalimbali za **statistical methods** kugundua **obfuscated** na **encrypted** content ndani ya text/script files. Madhumuni ya NeoPI ni kusaidia katika **detection of hidden web shell code**. +[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is script ya Python inayotumia aina mbalimbali za **statistical methods** kutambua yaliyomo yaliyo **obfuscated** na **encrypted** ndani ya text/script files. Kusudi la NeoPI ni kusaidia katika **detection of hidden web shell code**. ### **php-malware-finder** -[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) hufanya kila iwezalo kugundua **obfuscated**/**dodgy code** pamoja na files zinazotumia **PHP** functions zinazotumiwa mara kwa mara na **malwares**/webshells. 
+[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inajitahidi sana kutambua **obfuscated**/**dodgy code** pamoja na faili zinazotumia **PHP** functions zinazotumiwa mara kwa mara na **malwares**/webshells. ### Apple Binary Signatures -Wakati wa kukagua baadhi ya **malware sample** unapaswa kila mara **check the signature** ya binary kwani **developer** aliyesaini anaweza kuwa tayari **related** na **malware**. +Unapoangalia baadhi ya **malware sample** unapaswa kila mara **check the signature** ya binary kwani **developer** aliyesaini inaweza tayari kuwa **related** na **malware.** ```bash #Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" 
@@ -137,27 +137,27 @@ codesign --verify --verbose /Applications/Safari.app #Check if the signature is valid spctl --assess --verbose /Applications/Safari.app ``` -## Detection Techniques +## Mbinu za Ugundaji ### File Stacking -Ikiwa unajua kwamba folda fulani iliyo na **faili** za seva ya wavuti ilisasishwa **mwisho tarehe fulani**, **angalia** **tarehe** ambazo **faili** zote kwenye **seva ya wavuti** ziliundwa na kubadilishwa, na ikiwa tarehe yoyote ni **ya kushuku**, angalia faili hiyo. +Ikiwa unajua kuwa folda fulani inayoshikilia **faili** za **seva ya wavuti** ilisasishwa mwisho tarehe fulani, **kagua** tarehe ambazo **faili zote** kwenye **seva ya wavuti** ziliundwa na kubadilishwa; ikiwa tarehe yoyote ni **shaka**, angalia faili hiyo. ### Baselines -Kama **faili** za folda **hazikutakiwa kubadilishwa**, unaweza kuhesabu **hash** ya **faili za awali** za folda na kuzi **linganisha** na za **sasa**. Kile chochote kilichobadilishwa kitakuwa **cha kushuku**. +Ikiwa **faili** za **folda** hazikutakiwa kubadilishwa, unaweza kuhesabu **hash** ya **faili za awali** za folda na **linganisha** nazo zile za **sasa**. Kile kilichobadilishwa kitakuwa **shaka**. -### Statistical Analysis +### Uchanganuzi wa Takwimu -Wakati taarifa zinahifadhiwa kwenye logs unaweza **kuangalia takwimu, kwa mfano ni mara ngapi kila faili ya seva ya wavuti ilifikiwa, kwani web shell inaweza kuwa miongoni mwa zilizofikiwa mara nyingi**. +Wakati taarifa zimehifadhiwa kwenye logs unaweza **kagua takwimu** kama vile ni mara ngapi kila **faili** ya **seva ya wavuti** ilifikiwa — web shell inaweza kuwa miongoni mwa zilizopatikana mara nyingi. --- ### Android in-app native telemetry (no root) -On Android, unaweza kuiweka instrument native code ndani ya mchakato wa target app kwa preload library ndogo ya logger kabla libraries nyingine za JNI hazijaanzishwa. Hii inatoa uonekano wa mapema juu ya tabia za native bila hooks za mfumo mzima au root. 
Mbinu maarufu ni SoTap: weka libsotap.so kwa ABI sahihi ndani ya APK na ingiza wito wa System.loadLibrary("sotap") mapema (mfano, static initializer au Application.onCreate), kisha ukusanye logs kutoka njia za ndani/za nje au kwa fallback ya Logcat. +Kwenye Android, unaweza kuingilia native code ndani ya mchakato wa app lengwa kwa ku-preload library ndogo ya logger kabla libraries nyingine za JNI hazijaanzishwa. Hii inatoa uonekano wa mapema wa tabia za native bila hooks za mfumo mzima au root. Mbinu maarufu ni SoTap: weka libsotap.so kwa ABI sahihi ndani ya APK na injekta wito wa System.loadLibrary("sotap") mapema (kwa mfano, static initializer au Application.onCreate), kisha ukusanye logs kutoka njia za ndani/za nje au tumia Logcat kama fallback. -See the Android native reversing page for setup details and log paths: +Tazama ukurasa wa Android native reversing kwa maelezo ya usanidi na njia za logi: {{#ref}} ../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md 
@@ -165,13 +165,13 @@ See the Android native reversing page for setup details and log paths: --- -## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers) +## Kuondoa Obfuscation ya Dynamic Control-Flow (JMP/CALL RAX Dispatchers) -Familia za kisasa za malware zinatumia kupitiliza obfuscation ya Control-Flow Graph (CFG): badala ya jump/call ya moja kwa moja wanahesabu marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. *dispatcher* ndogo (kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeshaji wa CFG kwa static. +Familia za kisasa za malware zinatumia kwa kupindukia obfuscation ya Control-Flow Graph (CFG): badala ya jump/call moja kwa moja wanahesabu marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. Dispatcher ndogo (kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeshaji wa static wa CFG. -The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator. +Mbinu — iliyoonyeshwa na loader ya SLOW#TEMPEST — inaweza kushindwa kwa mtiririko wa hatua tatu unaoegemea tu IDAPython na emulator ya CPU ya Unicorn. -### 1. Pata kila jump / call isiyo ya moja kwa moja +### 1. Locate every indirect jump / call ```python import idautils, idc @@ -180,7 +180,7 @@ mnem = idc.print_insn_mnem(ea) if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax": print(f"[+] Dispatcher found @ {ea:X}") ``` -### 2. Toa byte-code ya dispatcher +### 2. Toa dispatcher byte-code ```python import idc @@ -195,7 +195,7 @@ size = jmp_ea + idc.get_item_size(jmp_ea) - start code = idc.get_bytes(start, size) open(f"{start:X}.bin", "wb").write(code) ``` -### 3. Iga mara mbili na Unicorn +### 3. Iiga mara mbili kwa kutumia Unicorn ```python from unicorn import * from unicorn.x86_const import * 
@@ -213,7 +213,7 @@ return mu.reg_read(UC_X86_REG_RAX) ``` Endesha `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya matawi *false* na *true*. -### 4. Rekebisha tena direct jump / call +### 4. Rekebisha tena jump / call ya moja kwa moja ```python import struct, ida_bytes 
@@ -222,21 +222,21 @@ op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32 disp = target - (ea + 5) & 0xFFFFFFFF ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack(' cat lib/arm64-v8a/libfoo.so" > libfoo.so # Or from the APK (zip) unzip -j target.apk "lib/*/libfoo.so" -d extracted_libs/ ``` -2. **Identify architecture & protections** +2. **Tambua usanifu & ulinzi** ```bash file libfoo.so # arm64 or arm32 / x86 readelf -h libfoo.so # OS ABI, PIE, NX, RELRO, etc. checksec --file libfoo.so # (peda/pwntools) ``` -3. **List exported symbols & JNI bindings** +3. **Orodhesha alama zilizotumwa nje & vifungo vya JNI** ```bash readelf -s libfoo.so | grep ' Java_' # dynamic-linked JNI strings libfoo.so | grep -i "RegisterNatives" -n # static-registered JNI ``` -4. **Load in a decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) and run auto-analysis. -Newer Ghidra versions introduced an AArch64 decompiler that recognises PAC/BTI stubs and MTE tags, greatly improving analysis of libraries built with the Android 14 NDK. -5. **Decide on static vs dynamic reversing:** stripped, obfuscated code often needs *instrumentation* (Frida, ptrace/gdbserver, LLDB). +4. **Pakia katika decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) na endesha uchambuzi otomatiki. +Toleo jipya la Ghidra limeleta decompiler ya AArch64 inayotambua PAC/BTI stubs na MTE tags, ikiboresha sana uchambuzi wa maktaba zilizojengwa kwa NDK ya Android 14. +5. **Amua kati ya static vs dynamic reversing:** code iliyokatwa au iliyofichwa mara nyingi inahitaji *instrumentation* (Frida, ptrace/gdbserver, LLDB). 
--- -### Dynamic Instrumentation (Frida ≥ 16) +### Instrumentation ya Dynamic (Frida ≥ 16) -Frida’s 16-series brought several Android-specific improvements that help when the target uses modern Clang/LLD optimisations: +Mfululizo wa Frida 16 ulileta maboresho kadhaa maalumu kwa Android ambayo husaidia pale lengo linapotumia optimizations za kisasa za Clang/LLD: -* `thumb-relocator` can now *hook tiny ARM/Thumb functions* generated by LLD’s aggressive alignment (`--icf=all`). -* Enumerating and rebinding *ELF import slots* works on Android, enabling per-module `dlopen()`/`dlsym()` patching when inline hooks are rejected. -* Java hooking was fixed for the new **ART quick-entrypoint** used when apps are compiled with `--enable-optimizations` on Android 14. +* `thumb-relocator` sasa inaweza *hook* tiny ARM/Thumb functions zinazozalishwa na alignment kali ya LLD (`--icf=all`). +* Kukagua na kure-bind *ELF import slots* kunafanya kazi kwenye Android, kuruhusu patching kwa kila module kwa `dlopen()`/`dlsym()` wakati inline hooks zinapokataa. +* Java hooking ilirekebishwa kwa **ART quick-entrypoint** mpya inayotumika wakati apps zime-compile kwa `--enable-optimizations` kwenye Android 14. -Example: enumerating all functions registered through `RegisterNatives` and dumping their addresses at runtime: +Mfano: kuorodhesha functions zote zilizosasishwa kupitia `RegisterNatives` na ku-dump anwani zao wakati wa runtime: ```javascript Java.perform(function () { var Runtime = Java.use('java.lang.Runtime'); 
@@ -61,29 +61,29 @@ console.log('[+] RegisterNatives on ' + clazz.getName() + ' -> ' + count + ' met }); }); ``` -Frida itaenda moja kwa moja kwenye vifaa vinavyounga mkono PAC/BTI (Pixel 8/Android 14+) mradi tu unatumia frida-server 16.2 au baadaye – toleo za mapema zilishindwa kupata padding kwa inline hooks. +Frida itafanya kazi bila marekebisho kwenye vifaa vya PAC/BTI (Pixel 8/Android 14+) mradi tu utumie frida-server 16.2 au toleo jipya zaidi — matoleo ya awali yalishindwa kutambua padding kwa inline hooks. -### Telemetri ya JNI ndani ya mchakato kupitia .so iliyopakiwa kabla (SoTap) +### Telemetry ya ndani ya mchakato ya JNI kupitia .so iliyopangwa kabla (SoTap) -Wakati instrumentation yenye sifa kamili ni ya ziada au imezuiwa, bado unaweza kupata uonekano wa ngazi ya native kwa kupakia kabla logger ndogo ndani ya mchakato lengwa. SoTap ni maktaba nyepesi ya Android native (.so) inayorekodi tabia za runtime za maktaba nyingine za JNI (.so) ndani ya mchakato moja la app (no root required). +Wakati instrumentation yenye sifa kamili ni zaidi ya kinachohitajika au imezuiliwa, bado unaweza kupata uonekano wa kiwango cha native kwa kupakia kabla logger ndogo ndani ya mchakato lengwa. SoTap ni maktaba nyepesi ya Android native (.so) inayorekodi tabia ya wakati wa utekelezaji ya maktaba nyingine za JNI (.so) ndani ya mchakato huo wa app (no root required). -Sifa kuu: -- Inaanzishwa mapema na inafuatilia mwingiliano wa JNI/native ndani ya mchakato unaoipakia. -- Inahifadhi logi kwa kutumia njia kadhaa zinazoweza kuandikwa na inarudi kwa Logcat kwa upole wakati uhifadhi umepunguzwa. -- Inayoweza kubadilishwa kwa chanzo: hariri sotap.c ili kupanua/kubadilisha kinachorekodiwa na ujenge tena kwa kila ABI. +Sifa muhimu: +- Inaanza mapema na inafuatilia mwingiliano wa JNI/native ndani ya mchakato unaoipakia. +- Inahifadhi logs kwa kutumia njia mbalimbali zinazoweza kuandikwa na ina fallback ya heshima kwa Logcat wakati uhifadhi umezuiliwa. 
+- Inayoweza kubadilishwa kwenye chanzo: hariri sotap.c ili kupanua/kubadilisha kinachorekodiwa na ujenge upya kwa kila ABI. Usanidi (repack the APK): 1) Weka build sahihi ya ABI ndani ya APK ili loader iweze kutatua libsotap.so: - lib/arm64-v8a/libsotap.so (for arm64) - lib/armeabi-v7a/libsotap.so (for arm32) -2) Hakikisha SoTap inapakiwa kabla ya maktaba nyingine za JNI. Weka wito mapema (km., Application subclass static initializer au onCreate) ili logger ianzishwe kwanza. Mfano wa snippet ya Smali: +2) Hakikisha SoTap inapakuliwa kabla ya maktaba nyingine za JNI. Inject a call early (e.g., Application subclass static initializer or onCreate) ili logger ianzishwe kwanza. Smali snippet example: ```smali const-string v0, "sotap" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V ``` -3) Jenga upya/sign/install, endesha app, kisha kusanya logi. +3) Rebuild/sign/install, run the app, then collect logs. -Log paths (checked in order): +Njia za logi (zinakaguliwa kwa mpangilio): ``` /data/user/0/%s/files/sotap.log /data/data/%s/files/sotap.log 
@@ -92,30 +92,30 @@ Log paths (checked in order): # If all fail: fallback to Logcat only ``` Notes and troubleshooting: -- Ulinganifu wa ABI ni lazima. Kosa la mismatch litasababisha UnsatisfiedLinkError na logger haitapakia. -- Vizuizi vya uhifadhi ni kawaida kwenye Android za kisasa; ikiwa uandishi wa faili unashindwa, SoTap bado itaonyesha kupitia Logcat. -- Tabia/uvuvi wa taarifa (behavior/verbosity) imetengenezwa ili kurekebishwa; jenga tena kutoka source baada ya kuhariri sotap.c. +- ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load. +- Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat. +- Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c. -Njia hii ni muhimu kwa malware triage na JNI debugging ambapo kuangalia mtiririko wa antcall za native tangu kuanzishwa kwa process ni muhimu lakini root/kuweka hooks za mfumo mzima hazipatikani. +This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available. --- -### Toleo la hivi karibuni la udhaifu zinazostahili kutafutwa ndani ya APKs +### Recent vulnerabilities worth hunting for in APKs | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| |2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| -Unapoona faili za *third-party* `.so` ndani ya APK, daima linganisha hash yao dhidi ya advisories za upstream. 
SCA (Software Composition Analysis) haijaenea sana kwenye mobile, hivyo builds zilizozee na zilizo na udhaifu ni nyingi. +Unapogundua *third-party* `.so` files ndani ya APK, hakikisha unalinganisha hash yao dhidi ya advisories za upstream. SCA (Software Composition Analysis) haiko kawaida kwenye mobile, kwa hivyo builds zilizozee zenye udhaifu ni nyingi. --- -### Mwelekeo ya Anti-Reversing & Hardening (Android 13-15) +### Anti-Reversing & Hardening trends (Android 13-15) -* **Pointer Authentication (PAC) & Branch Target Identification (BTI):** Android 14 inawasha PAC/BTI katika system libraries kwenye silicon inayounga mkono ARMv8.3+. Decompilers sasa zinaonyesha pseudo-instructions zinazohusiana na PAC; kwa dynamic analysis Frida huingiza trampolines *baada ya* kuondoa PAC, lakini trampolines zako za custom zinapaswa kuita `pacda`/`autibsp` pale inapohitajika. -* **MTE & Scudo hardened allocator:** memory-tagging ni opt-in lakini apps nyingi zinazoelewa Play-Integrity hujenga kwa `-fsanitize=memtag`; tumia `setprop arm64.memtag.dump 1` pamoja na `adb shell am start ...` ili kukamata tag faults. -* **LLVM Obfuscator (opaque predicates, control-flow flattening):** packers za kibiashara (mfano, Bangcle, SecNeo) mara nyingi zinazuia natively code, sio Java pekee; tarajia control-flow bandia na blob za strings zilizofumwa katika `.rodata`. +* **Pointer Authentication (PAC) & Branch Target Identification (BTI):** Android 14 inawezesha PAC/BTI katika system libraries kwenye silicon inayounga mkono ARMv8.3+. Decompilers sasa zinaonyesha PAC‐related pseudo-instructions; kwa dynamic analysis Frida inaingiza trampolines *after* stripping PAC, lakini trampolines zako za kawaida zinapaswa kuita `pacda`/`autibsp` inapofaa. +* **MTE & Scudo hardened allocator:** memory-tagging ni opt-in lakini apps nyingi zinazotumia Play-Integrity zinajenga kwa `-fsanitize=memtag`; tumia `setprop arm64.memtag.dump 1` pamoja na `adb shell am start ...` ili kushika tag faults. 
+* **LLVM Obfuscator (opaque predicates, control-flow flattening):** commercial packers (e.g., Bangcle, SecNeo) zinazilinda zaidi *native* code, si Java pekee; tarajia bogus control-flow na encrypted string blobs katika `.rodata`. --- diff --git a/src/mobile-pentesting/android-app-pentesting/smali-changes.md b/src/mobile-pentesting/android-app-pentesting/smali-changes.md index ad0f5419c..5d9fe6215 100644 --- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md 
@@ -3,72 +3,72 @@ {{#include ../../banners/hacktricks-training.md}} -Wakati mwingine inavutia kurekebisha msimbo wa programu ili kupata taarifa zilizofichwa kwako (labda nywila zilizofichwa vizuri au flags). Kisha, inaweza kuwa muhimu ku-decompile apk, kubadilisha msimbo na ku-recompile tena. +Wakati mwingine inavutia kubadilisha msimbo wa programu ili kufikia taarifa zilizofichwa kwako (labda well obfuscated passwords au flags). Kisha, inaweza kuwa ya kuvutia decompile the apk, modify the code na recompile it. **Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html) ## Njia ya Haraka -Ukikitumia **Visual Studio Code** na extension ya [APKLab](https://github.com/APKLab/APKLab), unaweza **automatically decompile**, modify, **recompile**, sign & install the application bila kutekeleza amri yoyote. +Kwa kutumia **Visual Studio Code** na extension ya [APKLab](https://github.com/APKLab/APKLab), unaweza **automatically decompile**, modify, **recompile**, sign & install the application bila kutekeleza amri yoyote. 
-Another **script** that facilitates this task a lot is [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) +Script nyingine inayorahisisha kazi hii sana ni [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) ## Decompile the APK -Ukigitumia APKTool unaweza kupata **smali code and resources**: +Kwa kutumia APKTool unaweza kupata **smali code and resources**: ```bash apktool d APP.apk ``` -Ikiwa **apktool** inakupa kosa lolote, jaribu[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) +Ikiwa **apktool** inakupa kosa lolote, jaribu [kusakinisha **toleo la karibuni**](https://ibotpeaches.github.io/Apktool/install/) -Baadhi ya **mafaili ya kuvutia unayopaswa kuyatazama ni**: +Baadhi ya **faili za kuvutia unazopaswa kuangalia**: - _res/values/strings.xml_ (na xml zote ndani ya res/values/*) - _AndroidManifest.xml_ -- Faili yoyote yenye ugani _.sqlite_ au _.db_ +- Faili yoyote yenye nyongeza _.sqlite_ au _.db_ -Ikiwa `apktool` ina **matatizo ku-decode programu** angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja **`-r`** (Usidecode rasilimali). Kisha, ikiwa tatizo lilikuwa kwenye rasilimali na si kwenye msimbo wa chanzo, hautakuwa na tatizo hilo (pia hauta-decompile rasilimali). +Ikiwa `apktool` ina **matatizo katika kufasiri programu** angalia [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) au jaribu kutumia hoja **`-r`** (Usifasiri resources). Kisha, ikiwa tatizo lilikuwa kwenye resource na si kwenye source code, hautakuwa na tatizo hilo (pia hauta-decompile resources). ## Change smali code -Unaweza **kubadilisha** **maelekezo**, kubadilisha **thamani** ya baadhi ya vigezo au **kuongeza** maelekezo mapya. 
Mimi hubadilisha msimbo wa Smali kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha instalisha **smalise extension** na mhariri atakuambia ikiwa maelekezo yoyote ni yasiyo sahihi.\ -Some **examples** can be found here: +Unaweza **kubadilisha** **maelekezo**, kubadilisha **thamani** ya baadhi ya vigezo au **kuongeza** maelekezo mapya. Ninabadilisha Smali code kwa kutumia [**VS Code**](https://code.visualstudio.com), kisha usakinishe **smalise extension** na mhariri atakuambia ikiwa kuna **maelekezo yasiyo sahihi**.\ +Baadhi ya **mifano** inaweza kupatikana hapa: - [Smali changes examples](smali-changes.md) - [Google CTF 2018 - Shall We Play a Game?](google-ctf-2018-shall-we-play-a-game.md) -Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali). +Au unaweza [**angalia hapa chini mabadiliko ya Smali yaliyofafanuliwa**](smali-changes.md#modifying-smali). -## Recompile the APK +## Kompaila tena APK -Baada ya kubadilisha msimbo unaweza **recompile** msimbo ukitumia: +Baada ya kubadilisha msimbo unaweza **ku-kompaila tena** msimbo kwa kutumia: ```bash apktool b . #In the folder generated when you decompiled the application ``` -Ita **compile** APK mpya **inside** folda _**dist**_. +Hii itafanya **compile** APK mpya **ndani** ya _**dist**_ folda. 
-Kama **apktool** ikitupa **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) +Ikiwa **apktool** itatoa **hitilafu**, jaribu[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) ### **Saini APK mpya** -Kisha, utahitaji **generate a key** (utaulizwa password na baadhi ya taarifa ambazo unaweza kujaza kwa nasibu): +Kisha, unahitaji **kutengeneza ufunguo** (utakaulizwa nywila na baadhi ya taarifa ambazo unaweza kujaza kwa nasibu): ```bash keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias ``` -Mwishowe, **saini** APK mpya: +Hatimaye, **saini** APK mpya: ```bash jarsigner -keystore key.jks path/to/dist/* ``` ### Boresha programu mpya -**zipalign** ni zana ya upangilio wa archive inayotoa uboreshaji muhimu kwa faili za Android application (APK). [Taarifa zaidi hapa](https://developer.android.com/studio/command-line/zipalign). +**zipalign** ni chombo cha kulinganisha archive kinachotoa uboreshaji muhimu kwa faili za programu za Android (APK). [Taarifa zaidi hapa](https://developer.android.com/studio/command-line/zipalign). ```bash zipalign [-f] [-v] infile.apk outfile.apk zipalign -v 4 infile.apk ``` ### **Saini APK mpya (tena?)** -Ikiwa **unapendelea** kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kutumia **maboresho kwa** zipaling. LAKINI KUMBUKA KWAMBA UNAHITAJI **KUSAINI PROGRAMU MARA MOJA TU** NA jarsigner (kabla ya zipalign) AU NA aspsigner (baada ya zipaling). +Ukipendelea kutumia [**apksigner**](https://developer.android.com/studio/command-line/) badala ya jarsigner, **unapaswa kusaini apk** baada ya kutumia **uboresho na** zipaling. LAKINI KUMBUKA KWAMBA UNATUMIA TU **KUSAINI PROGRAMU MARA MOJA** NA jarsigner (kabla ya zipalign) AU NA aspsigner (baada ya zipaling). ```bash apksigner sign --ks key.jks ./dist/mycompiled.apk ``` 
@@ -90,13 +90,13 @@ invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V return-void .end method ``` -Seti ya maagizo ya Smali inapatikana [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). +Seti ya maelekezo ya Smali inapatikana [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). ### Mabadiliko Madogo -### Badilisha thamani za awali za variable ndani ya function +### Badilisha initial values za variable inside a function -Baadhi ya variables zimetangazwa mwanzoni mwa function kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kuunda mpya: +Baadhi ya variables zimetangazwa mwanzoni mwa function kwa kutumia opcode _const_, unaweza kubadilisha thamani zake, au unaweza kuanzisha mpya: ```bash #Number const v9, 0xf4240 @@ -129,7 +129,7 @@ goto :goto_6 #Always go to: :goto_6 ``` ### Mabadiliko Makubwa -### Logging +### Uandishi wa logi ```bash #Log win: iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5 
@@ -140,17 +140,17 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin ``` Mapendekezo: -- Ikiwa utatumia variables zilizotangazwa ndani ya function (v0,v1,v2...) weka mistari hii kati ya _.local _ na tamko la variables (_const v0, 0x1_) -- Ikiwa unataka kuweka logging code katikati ya code ya function: +- Ikiwa utatumia variables zilizotangazwa ndani ya function (zimetangazwa v0,v1,v2...) weka mistari hii kati ya _.local _ na tamko la variables (_const v0, 0x1_) +- Ikiwa unataka kuweka code ya logging katikati ya code ya function: - Ongeza 2 kwenye idadi ya variables zilizotangazwa: Mfano: kutoka _.locals 10_ hadi _.locals 12_ -- Variables mpya ziwe nambari zinazofuata za variables zilizotangazwa awali (katika mfano huu ziwe _v10_ na _v11_, kumbuka inaanza kwa v0). +- Variables mpya zinapaswa kuwa nambari zinazofuata za variables zilizotangazwa tayari (katika mfano huu zinapaswa kuwa _v10_ na _v11_, kumbuka inaanzia v0). - Badilisha code ya logging function na tumia _v10_ na _v11_ badala ya _v5_ na _v1_. -### Toasting +### Kuonyesha toast Kumbuka kuongeza 3 kwenye idadi ya _.locals_ mwanzoni mwa function. -Code hii imeandaliwa ili iingizwe katika **katikati ya function** (**badilisha** idadi ya **variables** inapohitajika). Itachukua **value ya this.o**, **iibadilishe** kuwa **String** kisha **itengeneze** **toast** yenye thamani yake. +Msimbo huu umetayarishwa kuingizwa katika **katikati ya function** (**badilisha** idadi ya **variables** kadri inavyohitajika). Utachukua **thamani ya this.o**, **ibadilishe** kuwa **String** kisha **fanya** **toast** na thamani yake. ```bash const/4 v10, 0x1 const/4 v11, 0x1 
@@ -162,9 +162,9 @@ invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/ move-result-object v12 invoke-virtual {v12}, Landroid/widget/Toast;->show()V ``` -### Kupakia Maktaba ya native mwanzoni (System.loadLibrary) +### Kupakia Maktaba ya Native wakati wa Uanzishaji (System.loadLibrary) -Wakati mwingine unahitaji kupakia awali maktaba ya native ili ianze kabla ya maktaba nyingine za JNI (kwa mfano, kuwezesha telemetry/logging ya mchakato pekee). Unaweza kuingiza mwito wa System.loadLibrary() katika static initializer au mapema katika Application.onCreate(). Mfano smali wa static class initializer (): +Wakati mwingine unahitaji kuipakia kabla maktaba ya native ili ianze kabla ya maktaba nyingine za JNI (mfano, ili kuwezesha telemetry/logging ya ndani ya mchakato). Unaweza inject wito wa System.loadLibrary() katika static initializer au mapema katika Application.onCreate(). Mfano smali kwa static class initializer (): ```smali .class public Lcom/example/App; .super Landroid/app/Application; @@ -176,7 +176,7 @@ invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V return-void .end method ``` -Badala yake, weka maagizo hayo mawili mwanzoni mwa Application.onCreate() ili kuhakikisha maktaba inapakia mapema iwezekanavyo: +Kwa mbadala, weka maagizo hayo mawili mwanzoni mwa Application.onCreate() ili kuhakikisha maktaba inapakia mapema iwezekanavyo: ```smali .method public onCreate()V .locals 1 
@@ -189,11 +189,11 @@ return-void .end method ``` Vidokezo: -- Hakikisha toleo sahihi la ABI la maktaba lipo chini ya lib// (kwa mfano, arm64-v8a/armeabi-v7a) ili kuepuka UnsatisfiedLinkError. -- Kupakia mapema sana (class static initializer) kunahakikisha native logger anaweza kuona shughuli za JNI zinazofuata. +- Hakikisha toleo sahihi la ABI la maktaba lipo chini ya lib// (mfano, arm64-v8a/armeabi-v7a) ili kuepuka UnsatisfiedLinkError. +- Kupakia mapema sana (class static initializer) kunahakikisha native logger inaweza kushuhudia shughuli za JNI zinazofuata. ## Marejeo -- SoTap: logger mdogo wa tabia za JNI (.so) ndani ya app – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) +- SoTap: logger mwepesi wa tabia za JNI (.so) ndani ya app – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) {{#include ../../banners/hacktricks-training.md}}
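Review bot: the rewritten sentence in the "Saini APK mpya (tena?)" paragraph carries the typos "zipaling" (twice) and "aspsigner" over from the old line; since the line is being rewritten anyway it should read `zipalign` and `apksigner`, matching the commands shown directly under it. Two smaller points in the same hunk: "utakaulizwa" is a regression from the previous "utaulizwa", and the link text "jaribu[ installing the **latest version**]" is left half in English with a space inside the bracket, so the rendered link starts with a blank. Also visible in the unchanged context: `keytool ... -alias` ends with no alias value and `jarsigner -keystore key.jks path/to/dist/*` has no alias argument either, which looks like an angle-bracket placeholder (e.g. `<alias>`) that the renderer swallowed; restoring it would make both commands runnable as shown.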
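Review bot: the heading "### Badilisha initial values za variable inside a function" is a regression: the line it replaces was fully Swahili ("thamani za awali za variable ndani ya function"), and the new one splices two English phrases into the heading. Keep the previous wording, leaving at most `const` untranslated since that is an opcode name.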
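Review bot: in the first bullet, `_.local _` names a directive that does not exist in smali; later in the same hunk the text correctly uses `_.locals 10_`, so this should be `_.locals_` (the stray space also breaks the italic markup). The same bullet now reads "variables zilizotangazwa ... (zimetangazwa v0,v1,v2...)", saying "declared" twice; the parenthetical only needs the register names. The rest of the hunk is consistent: the toast paragraph says to add 3 to `.locals`, and the snippet below does use v10, v11 and v12.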
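Review bot: "static class initializer ():" has empty parentheses in both the old and new line, so the method name (presumably `<clinit>`) was swallowed as an HTML tag by the markdown renderer; put it in backticks so it survives rendering. Style-wise, the new sentence uses the English verb in "Unaweza inject wito" where the old line had "kuingiza"; prefer the Swahili verb for consistency with the rest of the file.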
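Review bot: the path `lib//` in the first note has an empty middle segment in both the old and new line; the ABI placeholder between the slashes was lost (the arm64-v8a/armeabi-v7a examples that follow are what belongs there). Write it as `lib/<abi>/` in backticks so the renderer does not drop it; as printed, the UnsatisfiedLinkError advice points at a directory that cannot exist.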