ART虚拟机中的DEX文件脱壳技术

doi:10.11772/j.issn.1001-9081.2017.11.3294

计算机应用 ›› 2017, Vol. 37 ›› Issue (11): 3294-3298.DOI: 10.11772/j.issn.1001-9081.2017.11.3294

ART虚拟机中的DEX文件脱壳技术

蒋钟庆, 周安民, 贾鹏

四川大学电子信息学院, 成都 610065

收稿日期:2017-05-04 修回日期:2017-06-13 出版日期:2017-11-10 发布日期:2017-11-11
通讯作者: 周安民
作者简介:蒋钟庆(1992-),男,贵州遵义人,硕士研究生,主要研究方向:移动安全;周安民(1963-),男,四川成都人,研究员,主要研究方向:安全防御管理、移动互联网安全、云计算安全;贾鹏(1988-),男,河南郑州人,博士,主要研究方向:复杂网络、移动安全、二进制安全。

DEX unpacking technology in ART virtual machine

JIANG Zhongqing, ZHOU Anmin, JIA Peng

College of Electronics and Information, Sichuan University, Chengdu Sichuan 610065, China

Received:2017-05-04 Revised:2017-06-13 Online:2017-11-10 Published:2017-11-11

摘要/Abstract

摘要： 在对现有的DEX加固技术和脱壳技术进行系统学习和研究的基础上，提出和实现了一种基于Android ART虚拟机（VM）的DEX脱壳方案。该方案能够从加固的Android应用中还原出原始DEX文件，其核心思想是将静态插桩和模拟运行技术相结合，以通用的方式实现零知识有效脱壳。首先，在ART虚拟机的解释器里插入监测代码来定位脱壳点；然后，在内存中进行模拟运行，解析相应的结构体指针，得到原始DEX文件数据在内存中的位置；最后，收集这些数据，并按照DEX文件的格式对这些数据进行重组，恢复出应用程序的原始DEX文件，实现脱壳。实验结果表明，所提出的基于ART虚拟机的DEX自动化脱壳方案在引入较小启动延迟的情况下，能够很好地实现对加壳的DEX文件的零知识脱壳。

关键词: ART, DEX脱壳, 解释器, 模拟运行, DEX重组

Abstract: Based on the systematic study and research on the existing DEX packing and unpacking technologies, a DEX unpacking scheme based on Android ART Virtual Machine (VM) was proposed and implemented. The method could extract the original DEX file from the enhanced Android application. The core idea is to accomplish the zero-knowledge unpacking in a strong compatible way by combining simulation execution with static instrumentation. Firstly, the unpacking point was achieved by inserting monitoring codes into the interpreter of ART. Then, the memory location of the data belonging to original DEX file was obtained by performing simulation execution and analyzing related structs. Finally, the original DEX file was restored by collecting and reassembling the data according to the format of DEX file. The experimental results indicate that the proposed automatically unpacking method can well perform zero-knowledge unpacking by just bringing in little time delay when application launching.

Key words: Android Runtime (ART), DEX unpacking, interpreter, simulation execution, DEX recombination

中图分类号:

TP393

蒋钟庆, 周安民, 贾鹏. ART虚拟机中的DEX文件脱壳技术[J]. 计算机应用, 2017, 37(11): 3294-3298.

JIANG Zhongqing, ZHOU Anmin, JIA Peng. DEX unpacking technology in ART virtual machine[J]. Journal of Computer Applications, 2017, 37(11): 3294-3298.

参考文献

[1] 李霞. Android虚拟机运行时技术的分析与评测[D]. 南京:东南大学, 2015.(LI X. Analysis and evaluation of runtime technology of Android virtual machine[D]. Nanjing:Southeast University, 2015.)
[2] ABSAR J, SHEKHAR D. Eliminating partially-redundant array-bounds check in the Android Dalvik JIT compiler[C]//Proceedings of the 9th International Conference on Principles and Practice of Programming in Java. New York:ACM, 2011:121-128.
[3] 张洪睿, 张亚腾. 一种ART模式下应用加固方案[J]. 软件, 2015, 36(12):176-179.(ZHANG H R,ZHANG Y T. Application of packing scheme in ART mode[J]. Software, 2015, 36(12):176-179.)
[4] LIAO Y, LI J, LI B, et al. Automated detection and classification for packed Android applications[C]//Proceedings of the 2016 IEEE International Conference on Mobile Services. Piscataway, NJ:IEEE, 2016:200-203.
[5] FEREIDOONI H, CONTI M, YAO D, et al. ANASTASIA:ANdroid mAlware detection using STatic analySIs of Applications[C]//Proceedings of the 20168th IFIP International Conference on New Technologies, Mobility and Security. Piscataway, NJ:IEEE, 2016:1-5.
[6] RASTOGI V, CHEN Y, JIANG X. DroidChameleon:evaluating Android anti-malware against transformation attacks[C]//Proceedings of the 8th ACM SIGSAC Symposium on Information, computer and Communications Security. New York:ACM, 2013:329-334.
[7] 朱洪军, 陈耀光, 华保健,等. 一种Android应用加固方案[J]. 计算机应用与软件, 2016, 33(11):297-300.(ZHU H J,CHEN Y G,HUA B J,et al. An Android application packing scheme[J]. Journal of Computer Applications and Software, 2016, 33(11):297-300.)
[8] 邱寅峰, 泮晓波. APK文件的快速加载方法:CN201510657289.9[P]. 2015-10-12.(QIU Y F,PAN X B. Fast loading method for APK files:CN201510657289.9[P]. 2015-10-12.)
[9] YU R. Android packers:facing the challenges, building solutions[EB/OL].[2016-11-20]. https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Yu.pdf.
[10] KANG M G, POOSANKAM P, YIN H. Renovo:a hidden code extractor for packed executables[C]//Proceedings of the 2007 ACM Workshop on Recurring Malcode. New York:ACM, 2007:46-53.
[11] LI J, ZHANG Y, YANG W, et al. DIAS:Automated online analysis for Android applications[C]//Proceedings of the 2014 IEEE International Conference on Computer and Information Technology. Washington, DC:IEEE Computer Society, 2014:307-314.
[12] STRAZZERE T. Android-unpacker[EB/OL].[2016-11-20].https://github.com/strazzere/androidunpacker.
[13] 高琦, 刘克胜, 常超,等. 基于自修改字节码的Android软件保护技术研究[J]. 计算机应用与软件, 2016, 33(4):230-234.(GAO Q, LIU K S, CHANG C, et al. Research on Android software protection technology based on self-modified bytecode[J]. Journal of Computer Applications and Software, 2016, 33(4):230-234.)
[14] CHO H, LIM J, KIM H, et al. Anti-debugging scheme for protecting mobile apps on Android platform[J]. Journal of Supercomputing, 2016, 72(1):1-15.
[15] YANG W, ZHANG Y, LI J, et al. AppSpear:bytecode decrypting and DEX reassembling for packed Android malware[C]//Proceedings of the 18th International Symposium Research in Attacks, Intrusions, and Defenses. Berlin:Springer, 2015:359-381.
[16] ZHANG Y, LUO X, YIN H. DexHunter:toward extracting hidden code from packed Android applications[C]//Proceedings of the 20th European Symposium on Research in Computer Security. Berlin:Springer, 2015:293-311.

ART虚拟机中的DEX文件脱壳技术

DEX unpacking technology in ART virtual machine

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	余莉李佳田李佳段平王华. 二维空间聚类的树ART2模型[J]. 计算机应用, 2011, 31(05): 1328-1330.
[2]	金文标王旭松张智丰. 基于特征的图像网格生成方法[J]. 计算机应用, 2010, 30(9): 2427-2430.
[3]	孙晶谭效辉赵会群陈磊. 球类比赛的脚本解释器的研究与实现[J]. 计算机应用, 2010, 30(3): 612-614.
[4]	周雪梅郭兵沈艳王继禾伍元胜. 功耗仿真器HMSim的I/O接口功耗仿真模块设计与实现[J]. 计算机应用, 2010, 30(07): 1987-1990.
[5]	孔颖裘彬强徐从富. 基于CART算法的垃圾邮件过滤模型设计与实现[J]. 计算机应用, 2009, 29(2): 374-376.
[6]	唐勇刘昌忠吴宏刚. 基于Google Earth的三维航迹监视及六自由度飞行仿真[J]. 计算机应用, 2009, 29(12): 3385-3387.
[7]	林剑雷英杰. 基于直觉模糊ART神经网络的群事件检测方法[J]. 计算机应用, 2009, 29(1): 130-131,.
[8]	王燚李中志. 基于期待类型的Chart句法分析算法[J]. 计算机应用, 2009, 29(05): 1251-1253.
[9]	张忠向涛. 一种基于Smart Card的远程用户身份验证方案的安全性讨论[J]. 计算机应用, 2008, 28(11): 2811-2813.
[10]	杨振刚邓飞其. CFW的CBR与ART-KNN集成智能预测[J]. 计算机应用, 2007, 27(5): 1177-1179.
[11]	顾民葛良全. 一种ART2神经网络的改进算法[J]. 计算机应用, 2007, 27(4): 945-947.
[12]	张频罗贵明 . UML模型检测方法的研究[J]. 计算机应用, 2007, 27(10): 2493-2497.
[13]	贺中堂张力军陈自力 . MIMO系统各态历经信道容量的分析与仿真[J]. 计算机应用, 2006, 26(8): 1799-1801.
[14]	卢达;浦炜;陈琦玮;谢铭培. 基于神经网络和模糊匹配算法的手写汉字预分类研究[J]. 计算机应用, 2005, 25(10): 2418-2421.
[15]	王国豪，陈文智，石教英. 基于Linux的高可用系统中IP接管的设计与实现[J]. 计算机应用, 2005, 25(07): 1695-1697.