ddi - Dynamic Dalvik Instrumentation Toolkit
Simple and easy to use toolkit for dynamic instrumentation of Dalvik code. Instrumentation is based on library injection and hooking method entry points (in-line hooking). The actual instrumentation code is written using the JNI interface.
The DDI further supports loading additional dex classes into a process. This enables instrumentation code to be partially written in Java and thus simplifies interacting with the instrumented process and the Android framework.
The toolkit is based on ADBI (see below) and consists of one main library called dalvikhook. Dalvikhook uses ADBI and the hijack utility that is part of ADBI.
hijack (from ADBI)
The hijack tool provides the injection functionality. It supports a number of modes for supporting older and newer Android devices. hijack provides help on the command line.
libdalvikhook
The library provides the hooking and unhooking functionality. The library is compiled as a static library so it can be directly included in the actual instrumentation library. This is done so we can keep everything in /data/local/tmp.
Below we provide and easy to follow step-by-step instructions for howto build and use DDI.
Examples
There are two examples included in the library. The strmon example hooks a number of methods from String related classes and the the getMethod used for reflection. The smsdispatch example hooks the SMSDispatcher of the Android framework. This example loads additional dex classes into the com.android.phone process. The instrumentation code takes every incoming SMS message and reverses the message body and injects a fake message with the reverse message text (you will get two messages). All examples are supplied in full source. For details please read slide deck [1].
=== External Resources ===
more information at: http://www.mulliner.org/android/
slides about this toolkit:
[1] http://www.mulliner.org/android/feed/mulliner_ddi_summercon2013.pdf
[2] http://www.mulliner.org/android/feed/androidruntime_syscan13.pdf
=== Prerequisites ===
Android SDK
Android NDK
ADBI (see below)
== Build ADBI ==
git clone https://github.com/crmulliner/adbi.git
follow readme
folders should be:
adbi/ ddi/
== Pull Libraries from Device ==
cd dalvikhook cd jni cd libs adb pull /system/lib/libdl.so adb pull /system/lib/libdvm.so
== Build libdalvikhook ==
cd dalvikhook cd jni ndk-build
== Build strmon example ==
cd examples cd strmon cd jni ndk-build cd .. adb push libs/armeabi/libstrmon.so /data/local/tmp
== How to Run strmon ==
adb shell su cd /data/local/tmp # GET PID from com.android.contacts >/data/local/tmp/strmon.log chmod 777 /data/local/tmp/strmon.log ./hijack -d -p PID -l /data/local/tmp/libstrmon.so cat strmon.log
output:
libstrmon: started do_patch sb20.toString() = en_US sb13 = Latn sb13.equalsIgnoreCase() = 0 Arab sb13 = Latn sb13.equalsIgnoreCase() = 0 Hebr sb20.toString() = en-US sb7 = : sb7.indexOf() = -1 (i=0) \E sb20.toString() = \Q:\E
== Advanced Options ==
Inject code at application startup before application code starts executing. This is done by attaching to zygote (-z -p PID_of_zygote) and using the -s option to supply the main class of application (take from manifest or by running 'ps' on the adb shell).
adb shell su cd /data/local/tmp # GET PID of >>> zygote <<< ./hijack -d -p PID -z -l /data/local/tmp/libstrmon.so -s com.android.contacts
== Build smsdispatch example (advanced!) ==
cd examples cd smsdispatch cd jni ndk-build cd .. adb push libs/armeabi/libsmsdispatch.so /data/local/tmp
== Howto Run smsdispatch ==
adb push ddiclasses.dex /data/local/tmp/ adb shell su cd /data/local/tmp >/data/local/tmp/smsdispatch.log chmod 777 /data/local/tmp/smsdispatch.log chmod 777 /data/dalvik-cache/ # GET PID from com.android.phone ./hijack -d -p PID -l /data/local/tmp/libsmsdispatch.so
send SMS message to that phone (send to yourself if you only have one phone)
further notes: if you have problems that your modified version of ddiclasses.dex is not loaded you need to remove the class from the dalvik cache rm /data/dalvik-cache/data@local@[email protected]
now inspect logfiles and logcat...
$ adb logcat SmsReceiverService( 5527): onStart: #1 mResultCode: -1 = Activity.RESULT_OK D/dalvikvm( 5527): GC_EXPLICIT freed 264K, 3% free 15600K/15943K, paused 2ms+4ms D/dalvikvm( 5515): DexOpt: --- BEGIN 'ddiclasses.dex' (bootstrap=0) --- D/dalvikvm( 5618): DexOpt: load 35ms, verify+opt 160ms D/dalvikvm( 5515): DexOpt: --- END 'ddiclasses.dex' (success) --- D/dalvikvm( 5515): DEX prep '/data/local/tmp/ddiclasses.dex': copy in 5ms, rewrite 349ms I/System.out( 5515): org.mulliner.ddiexample.SMSDispatch(pdu) I/System.out( 5515): ddiexample: incoming SMS I/System.out( 5515): ddiexample: Abcd1234 nilloc I/System.out( 5515): ddiexample: +18571234567 I/System.out( 5515): ddiexample: fake SMS I/System.out( 5515): ddiexample: collin 4321dcbA I/System.out( 5515): Intent {
act=android.provider.Telephony.SMS_RECEIVED (has extras)
}
I/System.out( 5515): ddiexample: appname: com.android.phone.PhoneApp@41816460 V/SmsReceiverService( 5527): onStart: #1 mResultCode: -1 = Activity.RESULT_OK V/SmsReceiverService( 5527): onStart: #2 mResultCode: -1 = Activity.RESULT_OK
smsdispatch.log
cat smsdispatch.log libsmsdispatch: started hooking:
epoll_wait = 0x400a1378 ARM using 0x46e4a6d4 dvm_hand = 0xb000c490 dvm_dalvik_system_DexFile = 0x408943d0 dvm_java_lang_Class = 0x408946b0 _Z13dvmThreadSelfv = 0x4084184d _Z32dvmCreateStringFromCstrAndLengthPKcj = 0x408431f5 _Z23dvmGetSystemClassLoaderv = 0x40859f85 _Z21dvmIsClassInitializedPK11ClassObject = 0x408363cd dvmInitClass = 0x40859a01 _Z36dvmFindVirtualMethodHierByDescriptorPK11ClassObjectPKcS3_ = 0x4085ad85 _Z31dvmFindDirectMethodByDescriptorPK11ClassObjectPKcS3_ = 0x4085ad75 _Z17dvmIsStaticMethodPK6Method = 0x408361ed dvmAllocObject = 0x40843495 _Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list = 0x4084f971 _Z14dvmCallMethodAP6ThreadPK6MethodP6ObjectbP6JValuePK6jvalue = 0x4084f81d _Z22dvmAddToReferenceTableP14ReferenceTableP6Object = 0x4083f615 _Z16dvmSetNativeFuncP6MethodPFvPKjP6JValuePKS_P6ThreadEPKt = 0x4085791d _Z15dvmUseJNIBridgeP6MethodPv = 0x408385a9 _Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x0 _Z21dvmLinearSetReadWriteP6ObjectPv = 0x4083c935 _Z22dvmGetCurrentJNIMethodv = 0x40837041 _Z20dvmFindInstanceFieldPK11ClassObjectPKcS3_ = 0x4085aab9 _Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread = 0x4083be9d _Z17dvmDumpAllClassesi = 0x40857a69 _Z12dvmDumpClassPK11ClassObjecti = 0x40857f35 _Z18dvmFindLoadedClassPKc = 0x40857aa1 _Z16dvmHashTableLockP9HashTable = 0x40836961 _Z18dvmHashTableUnlockP9HashTable = 0x4083694d _Z14dvmHashForeachP9HashTablePFiPvS1_ES1_ = 0x40833665 _Z13dvmInstanceofPK11ClassObjectS1_ = 0x40836811 gDvm = 0x4089ac58 dexstuff_loaddex, path = 0x46e4e8f0 cookie = 0x1bae50 libsmsdispatch: loaddex res = 1bae50 dexstuff_defineclass: org/mulliner/ddiexample/SMSDispatch using 1bae50 sys classloader = 0x40a4a400 cur m classloader = 0x0 class = 0x41825c80 libsmsdispatch: clazz = 0x41825c80 libsmsdispatch: new obj = 0x95700025 success calling : dispatchPdus