1. ANTO JOSEPH

2. @whoami
• Security Engineer @ Intel
• Past Speaker / Trainer @ Brucon, HITB Amsterdam, NullCon, GroundZero , c0c0n …
• Will be Speaking @ Defcon , Blackhat
• Mobile Security / IOT Enthusiast
• Intrested in Machine Learning / Neural Networks
• When not hacking , you can find me filling visa applictions :|

3. DYNAMIC INSTRUMENTATION
• Using Xposed Modules
• Using adbi
• Other tools using Library Injection Techniques , LD_PRELOAD
• Xposed Framework being the most famous with larger user / developer base

4. What Is Hooking ?

5. How it’s done currently ?
• Xposed Framework
• Xposed modules are indented to make long lasting changes to devices
• Install Xposed Installer , which installs the xposed –bridge
• Replaces app_process with a modified version which loads the bridge which enables the hooking func
• Write app using java ( android studio ) using the deps and install it on the device
• To activate the module , reboot
• If you need to change something , reboot

6. DEMO – XPOSED

8. What Do We Want In Our Solution ?
• Should be Fast
• Should Be Simple
• Should be Easy to Learn
• Should Just Work !

9. DIFF-DROID

10. DIFF-DROID
• Based on Frida
• Supports Hooking Native and Java Methods
• Web UI , with editable scripts to hook Android Methods
• Re-usable Modules which can be combined as well
• Instant changes in hooking scripts
• No Restarts at allJ

11. DEMO

12. RUNNING DROID-FF
• Start redis server
• Start gunicorn diff-gui:app --worker-class gevent --bind 127.0.0.1:80
• Start android emulator ( Android 4.4.4)
• Push frida-server to /data/local/tmp
• Exec frida-server
• Browse to http://127.0.0.1

14. How Does It Work
• Frida :
• The core of the app is handled by frida.
• Takes care of hooking native and java code
• Written by Ole Andre Vadla Ravnas
• Supports Win/ Unix /Android/IOS platforms

15. INTERNALS
• Frida-server injects a native library into the process using the ptrace api . This is the only support
injection mechanism for now .
• Loads the hook code and replaces / logs the fuction/arguments accordingly
• Send method is used to send data from JVM to python side
• Java.perfrom is used to hook Dalvik Code
• Interceptor.attach is used to hook Native Code
• Most exceptions are handled gracefully with a detailed stacktrace

16. CONT ..
• Zero Modification to the device
• Just push frida-server binary to the device and exec ( requires root )
• Communicates to the system component over adb
• Updates from the instrumentation script is pushed to the web using Server side push for real-time
updates
• Using redis-server as message que

17. How Do We Write A Hook ?

18. Look Up The Api

19. WRITING A NEW HOOK - DALVIK
Java.perform(function () {
var TM = Java.use("android.os.Debug");
TM.isDebuggerConnected.implementation = function () {
return false; }; });

20. WRITING A NEW HOOK – NATIVE STYLE
Interceptor.attach (Module.findExportByName ( "libc.so", ”open"), {
onEnter: function (args) {
send (Memory.readUtf8String (args [1])); }
});

21. SOURCE CODE :
• https://github.com/antojoseph/diff-gui

22. FUTURE
• Adding more modules ( Contributions are welcome )
• Support IOS
• Supporting Frida in ART ( its almost on its way )

23. FEW WORDS FROM OLE ANDRÉ VADLA RAVNÅS
• Future of Frida is the Community !
• We have an active irc @ freenode #frida
• Frida Mailing List
• Happy to have community contributions in terms of Code /
Documentation / Apps based on Frida

24. RESOURCES
• https://rotlogix.com/2015/09/13/defeating-ssl-pinning-in-coin-for-android/
• https://cedricvb.be/post/seccon-2015-reverse-engineering-android-apk-2-400-writeup/
• http://blog.csdn.net/autohacker/article/details/50503261
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html

25. MERCI
• Question ?