diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index c42a193fbb4..d5bd5fb515f 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md @@ -171,6 +171,18 @@ When the information is saved in logs you can **check statistics like how many t --- +### Android in-app native telemetry (no root) + +On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback. + +See the Android native reversing page for setup details and log paths: + +{{#ref}} +../../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +{{#endref}} + +--- + ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers) Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery. @@ -262,5 +274,6 @@ idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+ ## References - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) +- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index ea060841d8a..12fc201f549 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -63,6 +63,42 @@ Java.perform(function () { ``` Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. +### Process-local JNI telemetry via preloaded .so (SoTap) + +When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger inside the target process. SoTap is a lightweight Android native (.so) library that logs the runtime behavior of other JNI (.so) libraries within the same app process (no root required). + +Key properties: +- Initializes early and observes JNI/native interactions inside the process that loads it. +- Persists logs using multiple writable paths with graceful fallback to Logcat when storage is restricted. +- Source-customizable: edit sotap.c to extend/adjust what gets logged and rebuild per ABI. + +Setup (repack the APK): +1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so: + - lib/arm64-v8a/libsotap.so (for arm64) + - lib/armeabi-v7a/libsotap.so (for arm32) +2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example: + ```smali + const-string v0, "sotap" + invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V + ``` +3) Rebuild/sign/install, run the app, then collect logs. + +Log paths (checked in order): +``` +/data/user/0/%s/files/sotap.log +/data/data/%s/files/sotap.log +/sdcard/Android/data/%s/files/sotap.log +/sdcard/Download/sotap-%s.log +# If all fail: fallback to Logcat only +``` + +Notes and troubleshooting: +- ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load. +- Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat. +- Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c. + +This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available. + --- ### Recent vulnerabilities worth hunting for in APKs @@ -93,6 +129,9 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) +- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) +- SoTap Releases – [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases) +- How to work with SoTap? – [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/android-app-pentesting/smali-changes.md b/src/mobile-pentesting/android-app-pentesting/smali-changes.md index be382d8142b..176d03fb024 100644 --- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md @@ -1,4 +1,4 @@ -# Smali - Decompiling/\[Modifying]/Compiling +# Smali - Decompiling/[Modifying]/Compiling {{#include ../../banners/hacktricks-training.md}} @@ -25,7 +25,7 @@ If **apktool** gives you any error, try[ installing the **latest version**](http Some **interesting files you should look are**: -- _res/values/strings.xml_ (and all xmls inside res/values/\*) +- _res/values/strings.xml_ (and all xmls inside res/values/*) - _AndroidManifest.xml_ - Any file with extension _.sqlite_ or _.db_ @@ -162,7 +162,7 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin Recommendations: -- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \_ and the declarations of the variables (_const v0, 0x1_) +- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local _ and the declarations of the variables (_const v0, 0x1_) - If you want to put the logging code in the middle of the code of a function: - Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_ - The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). @@ -186,8 +186,42 @@ move-result-object v12 invoke-virtual {v12}, Landroid/widget/Toast;->show()V ``` +### Loading a Native Library at Startup (System.loadLibrary) -{{#include ../../banners/hacktricks-training.md}} +Sometimes you need to preload a native library so it initializes before other JNI libs (e.g., to enable process-local telemetry/logging). You can inject a call to System.loadLibrary() in a static initializer or early in Application.onCreate(). Example smali for a static class initializer (): + +```smali +.class public Lcom/example/App; +.super Landroid/app/Application; + +.method static constructor ()V + .registers 1 + const-string v0, "sotap" # library name without lib...so prefix + invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V + return-void +.end method +``` + +Alternatively, place the same two instructions at the start of your Application.onCreate() to ensure the library loads as early as possible: + +```smali +.method public onCreate()V + .locals 1 + + const-string v0, "sotap" + invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V + + invoke-super {p0}, Landroid/app/Application;->onCreate()V + return-void +.end method +``` + +Notes: +- Make sure the correct ABI variant of the library exists under lib// (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError. +- Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity. +## References +- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file