本帖最后由 狼毛 于 2023-1-23 10:44 编辑
这里学习 apk 文件的逆向技术,以下是一点笔记。
静态分析会通过反编译 apk 文件,分析其中的权限、组件、敏感函数等信息,这些可以弥补动态分析中因未触发恶意行为而漏掉的行为。动态分析主要通过在模拟器运行 Android 软件,然后再对软件进行一些操作以触发尽可能多的恶意行为,接着输出到 log 中,再通过脚本对日志进行分析。
一些敏感 API 函数的列表(以 Perl 哈希的形式记录,键为调用特征,值为其含义说明):
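# Lookup table of call-site strings that are treated as sensitive when they
# show up in a decompiled APK, mapped to a short (Chinese) description of the
# capability each one implies. The keys are plain substrings in the form the
# decompiler emits them (e.g. `Class;->method`, `Outer$Inner;->method`,
# content:// URIs, shell paths); the values are display labels only.
#
# Keys are single-quoted on purpose: they contain `$` (inner-class separator)
# and the `;->` member separator, neither of which needs escaping in a
# single-quoted string. The earlier double-quoted form escaped `\;`, `\-` and
# `\>`, which Perl does not recognise as escape sequences and reports as
# "Unrecognized escape ... passed through" under `use warnings`; the resulting
# key values are byte-identical to the unescaped form used here.
#
# NOTE(review): these keys are substrings, not regexes. How %apis is consumed
# is not visible here — if a key is ever interpolated into a pattern it must
# be wrapped in \Q...\E (or matched with index()), otherwise the literal `$`
# in the `$Stub$Proxy` entries acts as an end-of-string anchor and those
# entries silently stop matching. Confirm at the call site.
#
# Entries the author disabled are kept as comments, exactly as written.
my %apis = (
    'IActivityManager$Stub$Proxy;->shutdown' => '关机',
    'ActivityManager;->killBackgroundProcesses' => '中断进程,可用于关闭杀软',
    'ActivityManagerNative;->killBackgroundProcesses' => '中断进程,可用于关闭杀软',
    'ActivityManagerNative;->restartPackage' => ' 中断进程,可用于关闭杀软',
    'ActivityManager;->restartPackage' => ' 中断进程,可用于关闭杀软',
    #"BluetoothAdapter\;\-\>enable" => '开启蓝牙',
    #"BluetoothSocket\;\-\>connect" => '连接蓝牙',
    #"IBluetoothPbap\$Stub\$Proxy\;\-\>connect" => '连接蓝牙',
    'ContentResolver;->query' => '读取联系人、短信等数据库',
    'ContentService;->dump' => '转储联系人、短信等信息',
    'PackageManager;->installPackage' => '安装apk包',
    'Camera;->open' => '开启相机',
    'MediaRecorder;->setAudioSource' => '开启录音功能',
    'MediaRecorder;->setVideoSource' => '开启视频录制',
    'LocationManager;->getLastKnownLocation' => '获取地址位置',
    'Downloads$ByUri;->startDownloadByUri' => '下载文件',
    'Downloads$DownloadBase;->startDownloadByUri' => '下载文件',
    'PowerManager;->reboot' => '重启手机',
    'Settings$Bookmarks;->add' => '添加浏览器书签',
    'TelephonyManager;->getDeviceId' => '搜集用户手机IMEI码、电话号码、系统版本号等信息',
    # This key keeps the trailing "()" the author wrote; it only matches the
    # zero-argument form of the call.
    'TelephonyManager;->getSimSerialNumber()' => '获取SIM序列号',
    'Telephony$Mms;->query' => '读取短信',
    'TelephonyManager;->getLine1Number' => '获取手机号',
    'SpeechRecognizer;->startListening' => '开启麦克风',
    'WifiManager;->setWifiEnabled' => '开启WIFI',
    'SmsManager;->getAllMessagesFromSim' => '获取sim卡上的短信',
    'SmsManager;->sendDataMessage' => '发送二进制消息',
    'SmsManager;->sendMultipartTextMessage' => '发送彩信',
    'SmsManager;->sendTextMessage' => '发送普通短信',
    #"http/multipart/FilePart;->sendData" => '发送http请求',
    #"http/multipart/Part\;\-\>send" => '发送http请求',
    #"http/multipart/Part\;\-\>sendParts" => '发送http请求',
    #"http/multipart/StringPart\;\-\>sendData" => '发送http请求',
    'internal/telephony/ISms$Stub$Proxy;->sendData' => '发送短信',
    'internal/telephony/ISms$Stub$Proxy;->sendMultipartText' => '发送短信',
    'internal/telephony/ISms$Stub$Proxy;->sendText' => '发送短信',
    'internal/telephony/ITelephony$Stub$Proxy;->call' => '拔打电话',
    'java/lang/Runtime;->exec' => '执行字符串命令',
    'java/net/HttpURLConnection;->connect' => '连接URL',
    #"java/net/URL\;\-\>getContent" => '获取网页内容',
    'java/net/URL;->openConnection' => '连接URL',
    'java/net/URLConnection;->connect' => '连接URL',
    'DefaultHttpClient;->execute' => '发送HTTP请求',
    'HttpClient;->execute' => '请求远程服务器',
    'android/app/NotificationManager;->notify' => '信息通知栏',
    'SmsReceiver;->abortBroadcast' => '拦截短信接收',
    'ContentResolver;->delete' => '删除短信、联系人',
    # Trailing space is intentional: it distinguishes the command from a
    # longer identifier that merely starts with "chmod".
    'chmod ' => '更改文件权限',
    'getRuntime' => '获取命令行环境',
    #'content://telephony/carriers' => '获取所有的APN(网络接入点)配置信息',
    # Rejoined onto one line: the label had been wrapped across two source
    # lines, which put a literal newline inside the single-quoted string.
    'content://telephony/carriers/preferapn' => '可能用于篡改APN(网络接入点)以调用应用市场M-Market扣费接口并验证',
    'content://sms' => '获取短信数据库',
    'content://browser/bookmarks' => '获取浏览器书签',
    'mount -o remount' => '重新挂载档案系统',
    '/system/bin/sh' => '执行shell',
    '/proc/mounts' => '加载文件系统',
    '/system/bin/cp' => '复制文件',
    '/root/su' => '切换用户',
    # Trailing space intentional, as for 'chmod ' above.
    '/system/bin/rm ' => '删除文件',
);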