2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
What is the idea behind Anti_Virtual App in APK protection, and how is it implemented? Many newcomers are not clear on this. To help, the following explains it in detail; anyone who needs it is welcome to read on and hopefully take something away.
0x00 Preface
VirtualApp is a very powerful tool: it breaks the isolation measures of the Android system itself, so you can hook and do other tricks without root, and use it to do many things that cannot be done in the original app. At the same time, the security threat VirtualApp poses is self-evident. See the article "Research report on underground industry utilization of VirtualApp technology".
Of course there is more; you can dig deeper on the major forums.
Our focus this time is Anti_Virtual App.
1. Contents
1.1 The first idea and implementation
1.2 The second idea and implementation
I don't know what to name this either; I feel that after putting my thoughts directly in the title it is hard to start. No more wording; the text begins.
0x01 The first idea and implementation
1. Train of thought
1.1 Where do the ideas come from?
If we want to prevent an app from running inside VirtualApp, we have to reverse-analyze some of the characteristics of how VirtualApp starts an app. VirtualApp is open source, so we can also analyze it from the source code.
1.2 Mining the idea
Android application isolation is based on the multi-user mechanism of the Linux system: each application is assigned a different Linux user uid/gid at installation time. In VirtualApp, client applications (applications installed through VirtualApp) have the same user uid as the host application (that is, VirtualApp itself).
This is stated in the VirtualApp documentation, and it is worth noting: client applications and the host application share the same uid.
Let's run a test. First is the process list when the app runs normally, filtered with grep. Then we run the app inside VirtualApp and filter the process list with grep again.
One premise is that a UID in the Android system is allocated when the app is installed and is not changed afterwards. For sandboxing and isolation, each app is assigned a different UID, and each UID normally has only one process. This is Linux's multi-user system cut down to its current form, and it also improves app security. Processes with the same UID share resources.
It is this difference that we test in the implementation.
2. Implementation
The implementation is developed directly with the NDK; you can also use Java.
The implementation idea is that I call ps | grep from inside the app and count the number of lines returned. It is simple and crude, and there may be bugs in general situations. Tread lightly.
The first step is to get the user name (UNAME) corresponding to the app's UID.
I am using the wrapper function here.
#include <pwd.h>
#include <unistd.h>

struct passwd *pwd;
pwd = getpwuid(getuid());   // look up the passwd entry for our own UID
char *find = pwd->pw_name;  // the user name that ps prints for our processes
That gives you the UNAME directly.
Then we use string concatenation to build the command (am I being too verbose?).
#include <string.h>

char cmd[64] = "ps | grep ";  // sized to hold the user name; note the trailing space before it
LOGD("%s", cmd);
strcat(cmd, find);
LOGD("%s", cmd);
Use popen to run the command and count the lines of output (LOGD is the NDK logging macro):
#include <stdio.h>
#include <string.h>

// Run cmd with popen and return the number of output lines.
int getEnd(const char *cmd) {
    char tmp[1024];  // set an appropriate length to store each line of output
    int i = 0;
    FILE *pp = popen(cmd, "r");
    if (pp == NULL) {
        return -1;
    }
    while (fgets(tmp, sizeof(tmp), pp) != NULL) {
        if (tmp[strlen(tmp) - 1] == '\n') {
            tmp[strlen(tmp) - 1] = '\0';  // remove the newline character
        }
        LOGD("%s", tmp);
        i++;
    }
    pclose(pp);
    LOGD("i=%d", i);
    return i;
}
Finally, the call and the judgment are made, putting the pieces together:
#include <pwd.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

struct passwd *pwd;
pwd = getpwuid(getuid());
char *find = pwd->pw_name;
LOGD("%s", find);
char cmd[64] = "ps | grep ";
LOGD("%s", cmd);
strcat(cmd, find);
LOGD("%s", cmd);
int i = getEnd(cmd);
if (i > 4) {            // more processes under our uid than expected: treat it as VirtualApp
    LOGD("This is VA!");
    kill(0, SIGKILL);   // kill the whole process group
}
3. Test
3.1 Normal environment
3.2 VirtualApp environment
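As an added example (not code from the original article), here is the same process-counting check written without popen or grep: it walks /proc and reads the Uid line of each /proc/<pid>/status, which avoids grep matching its own command line and substring matches on the user name. It assumes a Linux /proc layout; the threshold of 4 is the article's and must be tuned for apps that legitimately run several processes.

```c
// Added example: count processes that share this process's UID by walking
// /proc instead of shelling out to `ps | grep`. Assumes a Linux /proc.
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Return the real UID recorded in /proc/<pid>/status, or -1 on failure.
static long status_uid(const char *pid) {
    char path[64], line[256];
    long uid = -1;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Uid:", 4) == 0) {   // "Uid:\treal\teffective\tsaved\tfs"
            uid = strtol(line + 4, NULL, 10);  // strtol skips the tab before the real uid
            break;
        }
    }
    fclose(f);
    return uid;
}

// Count processes whose real UID equals `uid`; -1 if /proc cannot be read.
// For the caller's own uid the result is always at least 1 (the caller itself).
int count_processes_with_uid(long uid) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;  // skip non-pid entries
        if (status_uid(e->d_name) == uid) n++;
    }
    closedir(d);
    return n;
}

// The article's check, rephrased: a single Android app normally owns its UID,
// so many processes under our UID suggest a shared-UID sandbox such as
// VirtualApp. Multi-process apps legitimately exceed 1, so the threshold
// (the article's 4 here) must be tuned per app; this is a heuristic, not proof.
int looks_like_shared_uid_sandbox(void) {
    return count_processes_with_uid((long)getuid()) > 4;
}
```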
0x02 The second idea and implementation
1. Train of thought
VirtualApp has a characteristic: when it runs an app that contains .so files, it copies the .so files into its own directory. So you can read the path of the loaded .so file and, by checking it, distinguish VirtualApp from the normal runtime environment.
This implementation parses the /proc/PID/maps file, which can be a little complicated to implement, so let's check GitHub for existing open source projects.
We finally settled on one: https://github.com/ysrc/AntiVirtualApp
2. Implementation
2.1 Summary of the implementation idea
(1) get the PID
(2) get /proc/PID/maps
(3) get the package name
(4) get the SO path
(5) Analysis and comparison
2.2 Get the PID
There are many ways to get the PID of the current process; the simplest is:
#include <unistd.h>

int pid = getpid();
Of course, there is another way: get the pid by reflection into the Java layer. Both are implemented.
Reflection takes three steps and is easy to get; I am not yet very familiar with handling the return value, but the pid can still be obtained this way.
// get the pid via reflection: android.os.Process.myPid()
jclass Process = env->FindClass("android/os/Process");
jmethodID myPid = env->GetStaticMethodID(Process, "myPid", "()I");
int pid = (int) env->CallStaticIntMethod(Process, myPid);
LOGD("%d", pid);
return pid;
2.3 Get /proc/PID/maps
Here we build the file name and open it to get the file pointer.
#include <stdio.h>
#include <unistd.h>

char data[256];
char s[64] = {0};
int pid = getpid();
sprintf(s, "/proc/%d/maps", pid);
FILE *fd = fopen(s, "r");
if (fd == NULL) {
    LOGD("The file failed to open");
} else {
    LOGD("ok");
}
2.4 Get the package name
The package name can be read from the file /proc/PID/cmdline.
We do the same thing: open the file, process its contents, and finally obtain our package name.
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *buffer = (char *) malloc(1024);
memset(buffer, 0, 1024);
char path_t[64] = {0};
int pid = getpid();
sprintf(path_t, "/proc/%d/cmdline", pid);
int fd = open(path_t, O_RDONLY);
if (fd > 0) {
    int read_count = (int) read(fd, buffer, 1023);  // leave room for the terminating NUL
    close(fd);
    if (read_count > 0) {
        return buffer;  // cmdline holds the process name, i.e. the package name
    }
}
free(buffer);
return NULL;
Conduct a test:
2.5 Get the SO path
Process the maps we obtained: find the line that maps our native library and keep its path column.
#include <stdio.h>
#include <string.h>

char path[128] = {0};
char uid[10] = {0};
char *filter = "libnative-lib.so";
while (fgets(data, 256, fd)) {
    int len = (int) strlen(data);
    if (len > 0 && data[len - 1] == '\n') {
        data[len - 1] = '\0';   // strip the newline
    }
    if (strstr(data, filter) != NULL) {
        char *p = strchr(data, '/');   // the path column begins at the first '/'
        if (p != NULL) {
            strncpy(path, p, sizeof(path) - 1);   // path of the mapped .so
            break;
        }
    }
}
fclose(fd);
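As an added example, not code from the article or from the ysrc/AntiVirtualApp project, here is the maps-based check (steps 4 and 5 above) as a pure function over the maps text, so it can be run offline against constructed sample lines. A normally installed app maps its native library from a directory named after its own package (/data/app/<pkg>-N/... or /data/data/<pkg>/...); when the library has been copied into another app's data directory, as the article says VirtualApp does, that prefix check fails. The sample maps lines, including the host package name io.virtualapp.host, are constructed placeholders, not captured from a device.

```c
// Added example: locate the mapped .so in /proc/PID/maps text and check that
// it lives under the app's own package directory.
#include <stdio.h>
#include <string.h>

// Copy the path of the first maps line that maps `soname` into `out`.
// Returns 1 on success, 0 if the library is not mapped.
int find_so_path(const char *maps, const char *soname, char *out, size_t outlen) {
    char line[512];
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *slash = strchr(line, '/');   // path column starts at the first '/'
        if (slash && strstr(slash, soname)) {
            snprintf(out, outlen, "%s", slash);
            return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

// 1 if the mapped .so lives under a directory that belongs to `pkg`,
// 0 if it was loaded from somewhere else, -1 if it is not mapped at all.
int so_loaded_from_own_package(const char *maps, const char *soname, const char *pkg) {
    static const char *roots[] = {"/data/app/", "/data/data/", "/data/user/0/"};
    char path[256], want[320];
    if (!find_so_path(maps, soname, path, sizeof path)) return -1;
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        snprintf(want, sizeof want, "%s%s", roots[i], pkg);
        size_t n = strlen(want);
        // require a path separator or the "-N" install suffix right after the package name
        if (strncmp(path, want, n) == 0 && (path[n] == '/' || path[n] == '-')) return 1;
    }
    return 0;
}

// Constructed sample maps excerpts (not captured from a device). The second
// assumes the host app copied the library under its own data directory.
const char *MAPS_NORMAL =
    "7f3a000000-7f3a010000 r-xp 00000000 fd:00 1234 /data/app/com.example.app-1/lib/arm64/libnative-lib.so\n"
    "7f3a010000-7f3a020000 r--p 00000000 fd:00 5678 /system/lib64/libc.so\n";
const char *MAPS_VA =
    "7f3b000000-7f3b010000 r-xp 00000000 fd:00 4321 "
    "/data/data/io.virtualapp.host/virtual/data/user/0/com.example.app/lib/libnative-lib.so\n";
```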