[Original] Bangbang packer APP analysis notes (summary)
Posted on: 2017-7-17 11:20 · 7624


This analysis focuses on the child-process anti-debugging feature of the Bangbang packer. The main flow is as follows:


1. fork creates the child process

The fork is issued inside the function p0C7DD907A4972190E28826F976662FB9;
when fork() returns 0, the child-process logic starts executing.


2. The child process creates anti-debugging detection threads

The child process then creates two threads, sub_23890 and sub_21550;
in thread sub_23890, the three anti-debug detection functions described in analysis note (1) are run in a loop; a return value of 1 means a debugger is attached, and the process is killed.

Thread sub_21550 watches the files /proc/%ld/mem and /proc/%ld/pagemap, and additionally spawns a thread that runs a detection loop. The loop function is as follows:

libDexHelper.so:760F32E8                 PUSH            {R4-R7,LR} ; t4
libDexHelper.so:760F32EA                 MOVS            R5, #0x10
libDexHelper.so:760F32EC                 LDR             R3, =(dword_76113B44 - 0x760F32F4)
libDexHelper.so:760F32EE                 LDR             R4, =0xFFFFFD44
libDexHelper.so:760F32F0                 ADD             R3, PC ; dword_76113B44
libDexHelper.so:760F32F2                 LDR             R3, [R3]
libDexHelper.so:760F32F4                 ADD             SP, R4
libDexHelper.so:760F32F6                 ADD             R4, SP, #0x28
libDexHelper.so:760F32F8                 LDR             R3, [R3]
libDexHelper.so:760F32FA                 STR             R3, [SP,#0x2B4]
libDexHelper.so:760F32FC                 LDR             R3, [R0]
libDexHelper.so:760F32FE                 STR             R3, [SP,#0xC]
libDexHelper.so:760F3300                 BLX             free
libDexHelper.so:760F3304                 MOVS            R0, R4
libDexHelper.so:760F3306                 MOVS            R1, #0
libDexHelper.so:760F3308                 MOVS            R2, R5
libDexHelper.so:760F330A                 BLX             memset_0
libDexHelper.so:760F330E                 LDR             R3, =(dword_76113C58 - 0x760F3316)
libDexHelper.so:760F3310                 MOVS            R1, R4
libDexHelper.so:760F3312                 ADD             R3, PC ; dword_76113C58
libDexHelper.so:760F3314                 LDR             R3, [R3]
libDexHelper.so:760F3316                 ADD             R4, SP, #0xA0
libDexHelper.so:760F3318                 MOVS            R2, #0
libDexHelper.so:760F331A                 MOVS            R0, #0xA
libDexHelper.so:760F331C                 STR             R3, [SP,#0x28]
libDexHelper.so:760F331E                 BLX             sigaction_0
libDexHelper.so:760F3322                 MOVS            R1, #0
libDexHelper.so:760F3324                 MOVS            R2, #0x12
libDexHelper.so:760F3326                 MOVS            R0, R4
libDexHelper.so:760F3328                 BLX             memset_0
libDexHelper.so:760F332C                 MOVS            R2, #0xB0
libDexHelper.so:760F332E                 STRB            R2, [R4,#3]
libDexHelper.so:760F3330                 MOVS            R2, #0xB2
libDexHelper.so:760F3332                 STRB            R2, [R4,#4]
libDexHelper.so:760F3334                 MOVS            R2, #0xAF
libDexHelper.so:760F3336                 STRB            R2, [R4,#5]
libDexHelper.so:760F3338                 MOVS            R2, #0xA3
libDexHelper.so:760F333A                 STRB            R2, [R4,#6]
libDexHelper.so:760F333C                 MOVS            R2, #0xE5
libDexHelper.so:760F333E                 STRB            R2, [R4,#8]
libDexHelper.so:760F3340                 MOVS            R2, #0xAC
libDexHelper.so:760F3342                 STRB            R2, [R4,#9]
libDexHelper.so:760F3344                 MOVS            R2, #0xA4
libDexHelper.so:760F3346                 STRB            R2, [R4,#0xA]
libDexHelper.so:760F3348                 MOVS            R2, #0xB4
libDexHelper.so:760F334A                 STRB            R2, [R4,#0xC]
libDexHelper.so:760F334C                 MOVS            R2, #0xA1
libDexHelper.so:760F334E                 STRB            R2, [R4,#0xD]
libDexHelper.so:760F3350                 MOVS            R2, #0xB3
libDexHelper.so:760F3352                 STRB            R2, [R4,#0xE]
libDexHelper.so:760F3354                 MOVS            R2, #0xAB
libDexHelper.so:760F3356                 MOVS            R3, #0xEF
libDexHelper.so:760F3358                 STRB            R2, [R4,#0xF]
libDexHelper.so:760F335A                 MOVS            R1, #0xF
libDexHelper.so:760F335C                 MOVS            R2, #0xD0
libDexHelper.so:760F335E                 MOVS            R0, R4
libDexHelper.so:760F3360                 STRB            R3, [R4,#2]
libDexHelper.so:760F3362                 STRB            R3, [R4,#7]
libDexHelper.so:760F3364                 STRB            R3, [R4,#0xB]
libDexHelper.so:760F3366                 STRB            R3, [R4,#0x10]
libDexHelper.so:760F3368                 STRB            R5, [R4,#1]
libDexHelper.so:760F336A                 BL              decodeStr
libDexHelper.so:760F336E                 ADD             R3, SP, #0xB4
libDexHelper.so:760F3370                 MOVS            R0, R3
libDexHelper.so:760F3372                 MOVS            R1, R4
libDexHelper.so:760F3374                 LDR             R2, [SP,#0xC]
libDexHelper.so:760F3376                 STR             R3, [SP,#8]
libDexHelper.so:760F3378                 BLX             sprintf
libDexHelper.so:760F337C
libDexHelper.so:760F337C loc_760F337C                            ; CODE XREF: libDexHelper.so:760F3386j
libDexHelper.so:760F337C                                         ; libDexHelper.so:760F3462j
libDexHelper.so:760F337C                 LDR             R0, [SP,#8]
libDexHelper.so:760F337E                 BLX             opendir
libDexHelper.so:760F3382                 STR             R0, [SP,#4]
libDexHelper.so:760F3384                 CMP             R0, #0
libDexHelper.so:760F3386                 BEQ             loc_760F337C
libDexHelper.so:760F3388
libDexHelper.so:760F3388 loc_760F3388                            ; CODE XREF: libDexHelper.so:760F33D0j
libDexHelper.so:760F3388                                         ; libDexHelper.so:760F33DCj ...
libDexHelper.so:760F3388                 LDR             R0, [SP,#4]
libDexHelper.so:760F338A                 BLX             readdir
libDexHelper.so:760F338E                 SUBS            R4, R0, #0
libDexHelper.so:760F3390                 BEQ             loc_760F3456
libDexHelper.so:760F3392                 MOVS            R7, #0
libDexHelper.so:760F3394                 MOVS            R3, #0xE3
libDexHelper.so:760F3396                 ADD             R6, SP, #0x14
libDexHelper.so:760F3398                 STR             R7, [SP,#0x14]
libDexHelper.so:760F339A                 STRB            R3, [R6,#1]
libDexHelper.so:760F339C                 MOVS            R3, #0x52
libDexHelper.so:760F339E                 MOVS            R1, #1
libDexHelper.so:760F33A0                 MOVS            R2, #0x9F
libDexHelper.so:760F33A2                 MOVS            R0, R6
libDexHelper.so:760F33A4                 STRB            R3, [R6,#2]
libDexHelper.so:760F33A6                 BL              decodeStr
libDexHelper.so:760F33AA                 MOVS            R3, #4
libDexHelper.so:760F33AC                 ADD             R5, SP, #0x18
libDexHelper.so:760F33AE                 STR             R7, [SP,#0x18]
libDexHelper.so:760F33B0                 STRB            R3, [R5,#1]
libDexHelper.so:760F33B2                 MOVS            R3, #0xBB
libDexHelper.so:760F33B4                 MOVS            R1, #2
libDexHelper.so:760F33B6                 MOVS            R0, R5
libDexHelper.so:760F33B8                 MOVS            R2, #0x91
libDexHelper.so:760F33BA                 ADDS            R4, #0x13
libDexHelper.so:760F33BC                 STRB            R7, [R5,#4]
libDexHelper.so:760F33BE                 STRB            R3, [R5,#2]
libDexHelper.so:760F33C0                 STRB            R3, [R5,#3]
libDexHelper.so:760F33C2                 BL              decodeStr
libDexHelper.so:760F33C6                 MOVS            R0, R4
libDexHelper.so:760F33C8                 MOVS            R1, R6
libDexHelper.so:760F33CA                 BLX             strcmp_0
libDexHelper.so:760F33CE                 CMP             R0, R7
libDexHelper.so:760F33D0                 BEQ             loc_760F3388
libDexHelper.so:760F33D2                 MOVS            R0, R4
libDexHelper.so:760F33D4                 MOVS            R1, R5
libDexHelper.so:760F33D6                 BLX             strcmp_0
libDexHelper.so:760F33DA                 CMP             R0, R7
libDexHelper.so:760F33DC                 BEQ             loc_760F3388
libDexHelper.so:760F33DE                 MOVS            R2, #0x80
libDexHelper.so:760F33E0                 ADD             R6, SP, #0x1B4
libDexHelper.so:760F33E2                 ADD             R5, SP, #0x20
libDexHelper.so:760F33E4                 MOVS            R1, R7
libDexHelper.so:760F33E6                 LSLS            R2, R2, #1
libDexHelper.so:760F33E8                 MOVS            R0, R6
libDexHelper.so:760F33EA                 BLX             memset_0
libDexHelper.so:760F33EE                 MOVS            R0, R5
libDexHelper.so:760F33F0                 MOVS            R1, R7
libDexHelper.so:760F33F2                 MOVS            R2, #7
libDexHelper.so:760F33F4                 BLX             memset_0
libDexHelper.so:760F33F8                 MOVS            R3, #0x5A
libDexHelper.so:760F33FA                 MOVS            R2, #0x9D
libDexHelper.so:760F33FC                 STRB            R3, [R5,#1]
libDexHelper.so:760F33FE                 MOVS            R3, #0xCB
libDexHelper.so:760F3400                 STRB            R2, [R5,#2]
libDexHelper.so:760F3402                 STRB            R2, [R5,#4]
libDexHelper.so:760F3404                 MOVS            R0, R5
libDexHelper.so:760F3406                 MOVS            R1, #4
libDexHelper.so:760F3408                 MOVS            R2, #0xE2
libDexHelper.so:760F340A                 STRB            R3, [R5,#3]
libDexHelper.so:760F340C                 STRB            R3, [R5,#5]
libDexHelper.so:760F340E                 BL              decodeStr
libDexHelper.so:760F3412                 MOVS            R1, R5
libDexHelper.so:760F3414                 MOVS            R3, R4
libDexHelper.so:760F3416                 MOVS            R0, R6
libDexHelper.so:760F3418                 LDR             R2, [SP,#8]
libDexHelper.so:760F341A                 ADD             R5, SP, #0x38
libDexHelper.so:760F341C                 BLX             sprintf
libDexHelper.so:760F3420                 MOVS            R0, R6
libDexHelper.so:760F3422                 MOVS            R1, R5
libDexHelper.so:760F3424                 BLX             lstat_0
libDexHelper.so:760F3428                 ADDS            R3, R0, #1
libDexHelper.so:760F342A                 BEQ             loc_760F3388
libDexHelper.so:760F342C                 MOVS            R3, #0xF0
libDexHelper.so:760F342E                 LDR             R2, [R5,#0x10]
libDexHelper.so:760F3430                 LSLS            R3, R3, #8
libDexHelper.so:760F3432                 ANDS            R3, R2
libDexHelper.so:760F3434                 MOVS            R2, #0x4000
libDexHelper.so:760F3438                 CMP             R3, R2
libDexHelper.so:760F343A                 BNE             loc_760F3388
libDexHelper.so:760F343C                 MOVS            R0, R4
libDexHelper.so:760F343E                 BLX             atoi
libDexHelper.so:760F3442                 BL              sub_760F30D4
libDexHelper.so:760F3446                 MOVS            R0, R4
libDexHelper.so:760F3448                 BLX             atoi
libDexHelper.so:760F344C                 MOVS            R1, R0
libDexHelper.so:760F344E                 LDR             R0, [SP,#0xC]
libDexHelper.so:760F3450                 BL              loc_760F31C0
libDexHelper.so:760F3454                 B               loc_760F3388
libDexHelper.so:760F3456 ; ---------------------------------------------------------------------------
libDexHelper.so:760F3456
libDexHelper.so:760F3456 loc_760F3456                            ; CODE XREF: libDexHelper.so:760F3390j
libDexHelper.so:760F3456                 LDR             R0, [SP,#4]
libDexHelper.so:760F3458                 BLX             closedir
libDexHelper.so:760F345C                 MOVS            R0, #2
libDexHelper.so:760F345E                 BLX             sleep
libDexHelper.so:760F3462                 B               loc_760F337C

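As an added illustration (not code from the post, nor from the packer itself), the C below reconstructs the control flow of the listing: open a directory, readdir, skip the two decoded 1- and 2-byte names (presumably "." and ".."), build a "%s/%s" path, lstat it, keep only entries whose mode passes the 0xF000/0x4000 test (S_ISDIR), and hand atoi(name) to a handler. The directory path comes from decodeStr and the two handlers sub_760F30D4 and loc_760F31C0 are not recoverable from the listing, so they are assumptions here, replaced by a caller-supplied root and a callback; the sample tree is constructed under /tmp.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Loop body of the listing: opendir -> readdir -> skip "." and ".." -> sprintf("%s/%s")
 * -> lstat -> keep S_IFDIR entries -> atoi(name) -> handler (stand-in for the calls to
 * sub_760F30D4 / loc_760F31C0). Returns the number of entries handed to cb, or -1 when
 * opendir fails; the original instead retries opendir forever and sleeps 2 s per pass. */
int scan_numeric_dirs(const char *root, void (*cb)(int, void *), void *ctx)
{
    DIR *d = opendir(root);
    if (d == NULL) return -1;
    int found = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[512]; struct stat st;
        snprintf(path, sizeof path, "%s/%s", root, e->d_name);
        /* (st_mode & 0xF000) == 0x4000 in the listing is exactly S_ISDIR */
        if (lstat(path, &st) == -1 || !S_ISDIR(st.st_mode))
            continue;
        cb(atoi(e->d_name), ctx);  /* atoi of a non-numeric name gives 0, as in the listing */
        found++;
    }
    closedir(d);
    return found;
}

static void sum_ids(int id, void *ctx) { *(int *)ctx += id; }

/* Constructed sample tree: subdirectories "123" and "45" plus a regular file "67".
 * Returns the sum of ids visited (123 + 45 = 168); stores the count (2) in *n if given. */
int demo_scan(int *n)
{
    char root[] = "/tmp/scanXXXXXX", d1[256], d2[256], f1[256];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(d1, sizeof d1, "%s/123", root);
    snprintf(d2, sizeof d2, "%s/45", root);
    snprintf(f1, sizeof f1, "%s/67", root);
    mkdir(d1, 0700); mkdir(d2, 0700);
    FILE *f = fopen(f1, "w"); if (f) fclose(f);
    int sum = 0, count = scan_numeric_dirs(root, sum_ids, &sum);
    if (n) *n = count;
    unlink(f1); rmdir(d1); rmdir(d2); rmdir(root);  /* remove the sample tree */
    return sum;
}
```

The regular file "67" is dropped by the S_ISDIR test exactly as a non-directory entry would be in the listing, which is what makes this loop a per-subdirectory scan rather than a generic file walk.
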
Thread sub_21550 also communicates through the select function to implement the anti-debugging feature.


Latest replies (4)

#2 · 2017-7-17 16:59
First! (沙发)

#3 · 2017-7-18 11:04
Nice analysis, bump.

#4 · 2017-7-18 11:47
Quoting 龙飞雪: Nice analysis, bump.
Thanks. If anyone has good samples, please share them; I'd really like to analyze something new.

#5 · 2018-3-13 17:37
This just pastes the code directly; is there anything more that could be used as a reference? Thanks.