ADT is a toolset designed to help model application behavior, research and test security vulnerabilities, and facilitate reversing hostile code.
nccgroup/android_demystification_toolbox
Android Demystification Toolbox

Purpose

ADT is a Miasm-based symbolic execution toolset designed to help model application behavior, research and test security vulnerabilities, and facilitate reversing hostile code.

Features

  • The ability to save/restore all thread & process contexts
  • A centralized (JSON-encoded) config file to mimic an Android environment
  • A scheduler to handle mutexes, multi-threading and multi-processing
    • fork()
    • pthread_create()
    • pthread_mutex_lock/unlock()
    • Blocking file reads / writes
  • A Java JNI (Java Native Interface) implementation which handles
    • Strings
    • Files & directories
    • Arrays
    • Function calls
    • Class fields
  • A number of miscellaneous implementations
    • sscanf()
    • mktime()
    • crc32, mimicking the C version
    • C++ streams
    • pipes
    • fstat() and Android's custom struct with padding for aarch64
    • Android libc's _system_property_get()
    • varargs (only the general case is supported)
    • prctl()

HOWTO

Setup

  • Install Miasm from the Miasm fork below. The patches on its experimental branch implement aarch64 instructions and provide the corresponding jitter and sandboxing components.
    • git clone https://github.com/nguigo/miasm.git && cd miasm && git checkout experimental
    • pip install .
  • git clone https://github.com/nccgroup/android_demystification_toolbox.git
  • pip install ./android_demystification_toolbox

General usage

  • From the template
    • Fill out the necessary memory requirements in the one_time_setup() function
    • Enter your custom breakpoints in the breakpoints_setup() function
    • Let the main loop take care of handling the multiple contexts
    • Use adt.config to store Android environment information (see samples for more details)
  • The NDK sample can be run as a demo with python3 sample.py libhello-jnicallback.so
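The config file is what lets libc stubs such as the property getter listed above (`__system_property_get` in bionic) answer as a real device would. The following is an added example, not ADT's own code: it assumes a `"system_properties"` key in an adt.config-style JSON document (ADT's real schema is in its samples), uses a constructed flat memory object in place of the Miasm VM, and models the getter's contract, reading the name from guest memory, writing a NUL-terminated value back and truncating to the 92-byte `PROP_VALUE_MAX` buffer so a long `ro.*` value never overruns the caller's buffer.

```python
import json

# Android's PROP_VALUE_MAX (<sys/system_properties.h>): a property value buffer is 92 bytes,
# so at most 91 characters plus the terminating NUL fit.
PROP_VALUE_MAX = 92

# Constructed adt.config-style document. The "system_properties" key is an assumption made
# for this example; ADT's real config layout is documented in its samples.
SAMPLE_CONFIG = """
{
  "system_properties": {
    "ro.build.version.sdk": "30",
    "ro.product.model": "Pixel 4a",
    "ro.debuggable": "0"
  }
}
"""


class FlatMemory:
    """Byte-addressable stand-in for the jitter's VM, constructed for this example."""

    def __init__(self, size=0x1000):
        self.buf = bytearray(size)

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data

    def read(self, addr, size):
        return bytes(self.buf[addr:addr + size])

    def read_cstr(self, addr):
        end = self.buf.index(b"\x00", addr)
        return self.buf[addr:end].decode()


class AndroidEnv:
    """Holds the emulated Android environment loaded from the JSON config."""

    def __init__(self, config_text):
        cfg = json.loads(config_text)
        self.props = dict(cfg.get("system_properties", {}))

    def system_property_get(self, mem, name_ptr, value_ptr):
        """Model of __system_property_get(name, value): read the property name from guest
        memory, write the NUL-terminated value into the caller's buffer (truncated so it
        never exceeds PROP_VALUE_MAX bytes) and return the number of value bytes written;
        an unknown property yields an empty string and 0, as on a device."""
        name = mem.read_cstr(name_ptr)
        value = self.props.get(name, "").encode()[:PROP_VALUE_MAX - 1]
        mem.write(value_ptr, value + b"\x00")
        return len(value)


def query(env, mem, name, name_ptr=0x100, value_ptr=0x200):
    """Place the name in guest memory, run the stub and return (length, decoded value)."""
    mem.write(name_ptr, name.encode() + b"\x00")
    n = env.system_property_get(mem, name_ptr, value_ptr)
    return n, mem.read_cstr(value_ptr)


if __name__ == "__main__":
    env = AndroidEnv(SAMPLE_CONFIG)
    mem = FlatMemory()
    for prop in ("ro.build.version.sdk", "ro.product.model", "ro.does.not.exist"):
        print(prop, query(env, mem, prop))
```

Keeping device facts in the JSON rather than in the stub means the same stub serves every sample; only the config changes when a binary checks a different `ro.*` property.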

Saving / Restoring contexts

!! WARNING !!

The contexts are saved and restored using the pickle module, which is not safe with untrusted data. Ensure only trusted contexts are restored.

Usage

  • The sample function save_context_and_dump() can be used as a jitter callback:
    jitter.add_breakpoint(<my_address>, save_context_and_dump)
  • The code automatically looks for a context.pkl to restore, so the following command line can be used:
    ln -s context_myaddress.pkl context.pkl
  • Upon starting the script, the context will be restored automatically
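The warning above is the crux: pickle.loads executes whatever a crafted context.pkl tells it to, so "only trusted contexts" has to be enforced, not assumed. The following added example (not ADT's code) shows one way to do that: the dump prefixes the pickle with an HMAC-SHA256 tag under a key taken from an assumed `ADT_CONTEXT_KEY` environment variable, and the loader refuses to unpickle anything whose tag does not verify. A constructed `FakeJitter` stands in for the Miasm jitter; the callback keeps the shape `jitter.add_breakpoint()` expects (receives the jitter, returns True to continue), and `restore_if_present()` mirrors the start-up behaviour described above.

```python
import hashlib
import hmac
import os
import pickle

# Key used to authenticate context files. Assumption for this example: taken from the
# ADT_CONTEXT_KEY environment variable, with a placeholder default so the demo runs.
CONTEXT_KEY = os.environ.get("ADT_CONTEXT_KEY", "replace-me-with-a-real-secret").encode()
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefixed to the pickle


class FakeJitter:
    """Stand-in for a Miasm jitter, constructed for this example: a register dict and a
    program counter are enough to show the save/restore flow."""

    def __init__(self, regs):
        self.regs = dict(regs)
        self.pc = self.regs.get("PC", 0)


def dump_context(jitter, path):
    """Serialize the jitter state and write tag || pickle to disk. Returns the tag."""
    blob = pickle.dumps({"regs": jitter.regs, "pc": jitter.pc})
    tag = hmac.new(CONTEXT_KEY, blob, hashlib.sha256).digest()
    with open(path, "wb") as fh:
        fh.write(tag + blob)
    return tag


def load_context(path):
    """Verify the tag before unpickling: pickle.loads runs arbitrary code on a crafted
    file, so an unauthenticated context is never deserialized."""
    with open(path, "rb") as fh:
        data = fh.read()
    tag, blob = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(CONTEXT_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("context file failed HMAC verification; refusing to unpickle")
    return pickle.loads(blob)


def save_context_and_dump(jitter):
    """Breakpoint callback in the shape Miasm's jitter.add_breakpoint() expects: it receives
    the jitter and returns True so execution continues. The file is named after the PC."""
    dump_context(jitter, "context_%x.pkl" % jitter.pc)
    return True


def restore_if_present(jitter, path="context.pkl"):
    """Mirror the documented start-up behaviour: if the context file exists, verify and load
    it into the jitter and report True; otherwise leave the jitter untouched and report False."""
    if not os.path.exists(path):
        return False
    ctx = load_context(path)
    jitter.regs = dict(ctx["regs"])
    jitter.pc = ctx["pc"]
    return True


if __name__ == "__main__":
    jit = FakeJitter({"X0": 0x1234, "SP": 0x7FFF0000, "PC": 0x401000})
    save_context_and_dump(jit)              # writes context_401000.pkl in the working directory
    fresh = FakeJitter({"PC": 0})
    print("restored:", restore_if_present(fresh, "context_401000.pkl"), hex(fresh.pc))
```

A class allow-list in a custom Unpickler is the other common mitigation, but a real Miasm context contains Miasm's own objects, so an allow-list would have to track that code base; authenticating the file with a key the analysis host controls is the check that fits this workflow. Note that the symlink trick from the list above still works, since the tag travels inside the file.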
