典型安卓机床业务安全分析。

本文主角为一款安卓改机工具,微gou改机,这款改机工具去年我们就见过,这一年多的时间已经发展到具有一定的用户规模了。

本文的主角是一款安卓机床,我们去年看到的微gou改机,一年多的时间已经发展到一定的用户规模。

业务安全之典型安卓改机工具分析

从最初的QQ群广告,到现在有三个品牌(VS*师、武*宝、新圩沟),六个商家,1300个帖子的论坛,3000个用户的社交群。显然,这一年多来,微苟的小日子过得还挺舒心的……建议各公司尽快抓紧…

业务安全之典型安卓改机工具分析

抓包分析

这台机床不同于传统机床,需要先刷指定的ROM,再通过改机工具修改指定的参数.通过数据包的捕获和解密,我们得到了与机器修改相关的数据,相关字段有80多个,主要是设备中需要修改的数据。

数据包捕获解密字段:

{ 'accountPassword': ' ',' androidId': ' ',' androidVer': ' ',' api': ' ',' appInstallTime': ' ',' appPackages': ' ',' arpMac': ' ',' backupFileName': ' ',' board': ' ',' bootId': ' ',' brand ' : ' ',' BSB

"networkTor":"", "networkType":, "newAdd":, "p2p0MAC":"", "pathMessage":"", "phoneNumber":"", "phoneType":, "product":"", "recoveryId0":"", "recoveryId1":"", "remainDevice":"", "scaledDensity":, "sdCardCid0":"", "sdCardCid1":"", "serial":"", "simSerial":"", "simState":, "simopeName":"", "survivalVersion":"", "taskId":"", "taskSubId":"", "time":, "type":, "updateTime":"", "used":, "versionId":"", "whereDay":, "width":, "wifiMac":"", "wifiName":"", "xdpi":, "ydpi":}

其中,deviceFile字段是一个链接,下载下来是比较全面的设备改机数据,整体的逻辑为外层的字段和下载的设备数据结合起来,做为一个完整的设备信息。

通过http://*/api/DeviceInfoFile/getDeviceListByVersion接口可获取所有可改的机型,目前机型300+,涵盖主流安卓机型。同一个机型的deviceFile链接为同一个,这也意味着,propset里面会存在一些固定的字段。设备都较为老旧,最高只到Android 9,几乎没有新机型,不排除后续更新的可能。

逆向分析

点击一键新机后,进入com.mingning179.data.ClientUtil.apply,清理完上次改机的信息后,进入com.mingning179.commonutils.ConversionUtil.conversion函数:

业务安全之典型安卓改机工具分析

这个函数首先进行了一些设备信息的修改。然后调用各个Util类,将所有设备信息通过自定义的系统类,反射调用SystemProperties.set,保存到prop里面,供framework层以及service层的改机代码获取设备信息。当然这个prop是有权限控制的,普通应用读不到,需要system权限。

root 授权

通过App界面授权后,最终会将被授权App的uid 写入到/dev/wgzs/fsconf 中的wg.cust.grant_su

wg.cust.destUids=10079wg.cust.emulated=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255wg.cust.system=4096,4096,617098,67446,63350,159360,150930,150930,18446744071771954271,4097,255wg.cust.data=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255wg.cust.SIMUNET_TYPE=bond0,wlan0,p2p0,dummy0wg.cust.SIMUNET_wlan0_MAC=90:94:97:4b:68:67wg.cust.SIMUNET_dummy0_MAC=36:52:fc:24:0c:8ewg.cust.SIMUNET_p2p0_MAC=92:94:97:4b:68:67wg.cust.SIMUNET_bond0_MAC=52:a8:f1:b0:b4:d7wg.cust.SIMUNET_wlan0_IP6=fe80000000000000929497fffe4b6867wg.cust.SIMUNET_dummy0_IP6=fe800000000000003452fcfffe240c8e/sys/class/power_supply/battery/temp=/dev/wgzs/files/battery/temp/sys/class/power_supply/battery/voltage_now=/dev/wgzs/files/battery/voltage_now/sys/class/power_supply/battery/technology=/dev/wgzs/files/battery/technology/sys/class/power_supply/battery/status=/dev/wgzs/files/battery/status/sys/class/power_supply/battery/health=/dev/wgzs/files/battery/health/sys/class/power_supply/battery/capacity=/dev/wgzs/files/battery/capacity/sys/class/power_supply/battery/present=/dev/wgzs/files/battery/present/sys/devices/qpnp-charger-f04f1000/power_supply/battery/capacity=/dev/wgzs/files/devices/qpnp-charger-f04f1000/power_supply/battery/capacity/proc/meminfo=/dev/wgzs/meminfo/proc/cpuinfo=/dev/wgzs/files/cpuinfo/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpufreq/policy4/cpuinfo_max_freq=/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu0=/dev/wgzs/files/cpu/cpu0/sys/devices/system/cpu/cpu1=/dev/wgzs/files/cpu/cpu1/sys/devices/system/cpu/cpu2=/dev/wgzs/files/cpu/cpu2/sys/devices/system/cpu/cpu3=/dev/wgzs/files/cpu/cpu3/sys/devices/system/cpu/cpu4=/dev/wgzs/files/cpu/cpu4/sys/devices/system/cpu/cpu5=/dev/wgzs/files/cpu/cpu5/sys/devices/system/cpu/cpu6=/dev/wgzs/files/cpu/cpu6/sys/devices/system/cpu/cpu7=/dev/wgzs/files/cpu/cpu7/sys/devices/system/cpu=/dev/wgzs/files/cpu/sys/devices/system/cpu/online=/dev/wgzs/files/cpu/online/sys/devices/system/cpu/possible=/dev/wgzs/files/cpu/possible/sys/devices/system/cpu/present=/dev/wgzs/files/cpu/present/sys/devices/system/cpu/offline=/dev/wgzs/files/cpu/offline/proc/net/if_inet6=/dev/wgzs/files/fileFilter/net/if_inet6/proc/net/arp=/dev/wgzs/files/fileFilter/net/arp/proc/net/dev=/dev/wgzs/files/fileFilter/net/dev/proc/net/igmp=/dev/wgzs/files/fileFilter/net/igmp/proc/net/igmp6=/dev/wgzs/files/fileFilter/net/igmp6/proc/net/route=/dev/wgzs/files/fileFilter/net/route/system/etc/selinux/plat_property_contexts=/dev/wgzs/files/plat_property_contexts/proc/net/ipv6_route=/dev/wgzs/files/fileFilter/net/ipv6_route/proc/net/xt_qtaguid/iface_stat_all=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_all/proc/net/xt_qtaguid/iface_stat_fmt=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_fmt/proc/net/xt_qtaguid/stats=/dev/wgzs/files/fileFilter/net/xt_qtaguid/stats/sys/bus/virtio=/system/lost+foundwg.cust.uts_name=Linux,localhost,3.18.66-g7730a1a,#1 SMP PREEMPT Tue Mar 20 11:53:15 CST 2018,aarch64,localdomainwg.cust.stat.filter=lineage,Lineage,cyanogenmod,wgzs,ppp0,eth0,tun0,TWRP,/dev/socket/mtpd,twrpwg.cust.file.filter=/net/xt_qtaguid/stats,/net/if_inet6,/net/ipv6_route,/net/xt_qtaguid/iface_stat_all,/net/xt_qtaguid/iface_stat_fmt,/net/arp,/net/igmp,/net/igmp6,/net/route,/net/dev_mcast,/net/maps,/sys/devices/soc0,/net/devwg.cust.file.filter.prefix=/dev/wgzs/files/fileFilter/storage/emulated/0/.temp.txt=/dev/wgzs/properties/dev/wgzs/properties=/dev/null/property_contexts=/dev/wgzs/files/property_contextswg.cust.cpuinfo=1401000,960000,1401000,960000,0/proc/sys/kernel/random/boot_id=/dev/wgzs/files/boot_id/storage/emulated/0/MobileAnJian=/storage/emulated/0/nullFile/storage/emulated/0/backUpFiles=/dev/z0wg.cust.grant_su=10079,10103,1000wg.cust.BSSID=ac:74:09:3b:82:01wg.cust.wgserverPath=2690736423 3532824459

可见除了少部分硬件配置外,大部分都是文件重定向的内容,以及针对IO的一些文件过滤。

具体的实现是在内核中做的,提取内核分析后,发现其存在dofilefilter函数,在所有文件相关操作中都会调用该函数进行过滤。该函数每次都会读取/dev/wgzs/fsconf 的内容,更新配置(内核函数还做了控制流混淆,机智仔

业务安全之典型安卓改机工具分析

业务安全之典型安卓改机工具分析

部分引用:

业务安全之典型安卓改机工具分析

备份还原

备份还原的主要逻辑在com.mingning179.commonutils.BackupUtils

备份:

业务安全之典型安卓改机工具分析

备份涉及到三个路径,分别是App的沙箱目录,data/user/0/packageName ,也就是data/data/packageName,sdcard 相关目录,以及keystore。

以下是备份sdcard的文件过滤逻辑,其实还是存在部分数据遗漏,这会导致数据还原后部分数据丢失。

public static Set getSdFile(Context arg1) {        String[] v1 = ClearAppUtil.getDestUidsStr(arg1, ",").split(",");        Set v1_1 = ClearAppUtil.getFileRecords(new FileFilter() {            @Override            public boolean accept(File arg2) {                String v2 = arg2.getAbsolutePath();                return (v2.startsWith("/proc/")) || (v2.startsWith("/dev/")) || (v2.startsWith("/system/")) || (v2.startsWith("/vendor/")) || (v2.startsWith("/data/")) || (v2.startsWith("/sys/")) || (v2.contains("/.")) ? 0 : 1;            }        }, v1);        Arrays.sort(((String[])v1_1.toArray(new String[0])));        return v1_1;    }

还原:

还原就是把备份的数据解压覆盖回去,涉及到一点权限修复的额外工作。

Build/prop 改机

build

针对Build.class里的字段,其修改逻辑在App启动过程中的handleBindApplication函数中,调用WgzsUtil.modifyBuildClass完成修改:

业务安全之典型安卓改机工具分析

可见其只修改了AOSP代码里有的公共字段。

Prop

prop部分除了libc函数__system_property_get外,还有java层的SystemProperties类,以及/system/bin 中的getprop。libc函数__system_property_get做了相应的修改。

业务安全之典型安卓改机工具分析

其他改机

微在系统里添加了WgzsUtil 类,用来辅助改机,其中涉及到是否改机判断的函数有:

业务安全之典型安卓改机工具分析

shouldGJ涉及:

业务安全之典型安卓改机工具分析

shouldGJInService涉及:

业务安全之典型安卓改机工具分析

shouldGjInSystemServer主要是网络连接服务:

业务安全之典型安卓改机工具分析

具体实现就是在具体函数体中做判断,如果需要改机,就给改机的数据。

总结

微gou改机针对AOSP的改动横跨framework,native libraries以及kernel三个层面,好处就是痕迹少,不过对应维护成本也巨高。改机API方面,虽然涉及的点不多,看似比较完备,但其实Android系统API 茫茫多,更何况还有用户设备环境信息、传感器数据以及生物特征等多维度度数据。从检测的角度讲,本身痕迹较少,要么关注微没有涉及的特征以及用户环境信息,比如sdcard目录等,要么尽可能从不同的地方取同一个设备信息,然后结合策略进行封禁。

内容来源网络,如有侵权,联系删除,本文地址:https://www.230890.com/zhan/51708.html

(0)

相关推荐