sonyericssondev edited this page Apr 13, 2012 · 2 revisions

# Dalvik Bytecode Injections

Regarding the outputs

  • All printouts made by ApkAnalyser are at log level V (verbose) with the tag "APKANALYSER".

  • ApkAnalyser has a console to display the logcat output.

  • The debug level selected in the console only takes effect on logs that were not produced by ApkAnalyser. For instance, even if level "S" (silent) is selected, the printouts by ApkAnalyser are still displayed in the console.

Injections can be applied to any package/class/method or the whole APK

Print method entry

  • Print method name when calling the method

  • Format:

      > class:method(param1,param2...)returnType(bytecodeOffset,lineNumber)
    
  • Example:

      > com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(0,102)
    

Print method entry(with params)

  • Print method name and the parameters (names and values) when calling the method

  • Format:

      > class:method(param1,param2...)returnType(bytecodeOffset,lineNumber)
      parameter[0]: type name = value
      parameter[1]: type name = value
      ...
    
  • Example:

      > com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(0,102)
      parameter[0]: float x = 155.0
      parameter[1]: float y = 290.0
    

Print method exit

  • Print method name when the method returns

  • Format:

      < class:method(param1,param2...)returnType(bytecodeOffset,lineNumber)
    
  • Example:

      < com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(0,102)
    

Print method exit(with return value)

  • Print method name and the return value when the method returns

  • Format:

      < class:method(param1,param2...)returnType(bytecodeOffset,lineNumber)
      return: type = value
    
  • Example:

      < com.example.android.apis.graphics.FingerPaint$MyView:onTouchEvent(android.view.MotionEvent event)boolean(10,137)
      return: boolean = true
    

Print current thread at entry

  • Print method name and the calling thread when calling the method

  • Format:

      @   CurThread class:method(params)returnType(bytecodeOffset,lineNumber) = threadName
    
  • Example:

      @   CurThread com.example.android.apis.graphics.FingerPaint$MyView:onTouchEvent(android.view.MotionEvent event)boolean(0,120) = main
    

Invoke system gc at entry

  • Invoke System.gc() when calling the method

  • Format: nothing in log

Print stack trace at entry

  • Print method name and the call stack when calling the method

  • Format:

      @   StackTrace class:method(params)returnType(bytecodeOffset,lineNumber) = java.lang.Throwable
      at ...
    
  • Example:

      @   StackTrace com.example.android.apis.graphics.FingerPaint$MyView:touch_start(float x, float y)void(0,96) = java.lang.Throwable
      at com.example.android.apis.graphics.FingerPaint$MyView.touch_start(FingerPaint.java)
      at com.example.android.apis.graphics.FingerPaint$MyView.onTouchEvent(FingerPaint.java:125)
      at android.view.View.dispatchTouchEvent(View.java:3709)
      ...
    

Print new instance

  • Print method name and the instance class whenever the method creates a new Java object (including the APK's own classes and library classes)

  • Format:

      @   NewInstance class:method(params)returnType(bytecodeOffset,lineNumber) -> instanceClass @ instanceHashCode
    
  • Example:

      @   NewInstance com.sonyericsson.freedom.tts.FdmTTSServiceThd:constructTTS()void(5,109)->com.sonyericsson.freedom.tts.svox.SvoxTTS @ 1151235056
    

Print reading all fields

  • Print method name, the reading field name and its value when the method is reading any field

  • Format:

      @   ReadField class:method(params)returnType(bytecodeOffset,lineNumber)->class:field = value
    
  • Example:

      @   ReadField com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(22,105)->com.example.android.apis.graphics.FingerPaint$MyView:float mX = 162.0
    

Print writing all fields

  • Print method name, the writing field name and its value when the method is writing any field

  • Format:

      @   WriteField class:method(params)returnType(bytecodeOffset,lineNumber)->class:field = value
    
  • Example:

      @   WriteField com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(2D,106)->com.example.android.apis.graphics.FingerPaint$MyView:float mX = 135.0
    

Print reading local variables

  • Print method name, the reading local variable name and its value when the method is reading one of its local variables

  • Format:

      @   ReadLocal class:method(params)returnType(bytecodeOffset,lineNumber)->type name(register) = value
    
  • Example:

      @   ReadLocal com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(14,104)->float drawPath (v0) = 8.0
    

Print writing local variables

  • Print method name, the written local variable name and its value when the method is writing one of its local variables

  • Format:

      @   WriteLocal class:method(params)returnType(bytecodeOffset,lineNumber)->type name(register) = value
    
  • Example:

      @   WriteLocal com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(B,102)->float drawOval (v0) = 6.0
    

Print exception throw

  • Print method name, the exception name and its message when the method throws an exception. The printing will happen before throwing the exception. It doesn't matter whether the exception will be caught or not.

  • Format:

      @   ThrowEx class:method(params)returnType(bytecodeOffset, lineNumber)->exception: message
    
  • Example:

      @   ThrowEx com.semc.test.TestActivity:throwAnException()void(1F,48)->java.lang.Exception: blah blah ..
    

Print exception catch

  • Print method name, the exception name and its message when the method catches an exception. The printing will happen when entering the catch block. It doesn't matter whether the block is empty or not.

  • Format:

      @   CatchEx class:method(params)returnType(bytecodeOffset, lineNumber)->exception: message
    
  • Example:

      @   CatchEx com.semc.test.TestActivity:onCreate(android.os.Bundle savedInstanceState)void(2E,38)->java.lang.Exception: message blah blah ..
    

Print synchronized entry

  • Print method name and the synchronized object when the method enters a synchronized method or code block. The printing will happen before entering the block. It is mainly for diagnosing deadlocks.

  • Format:

      @   SyncEnter class:method(params)returnType(bytecodeOffset, lineNumber)->object
    
  • Example:

      @   SyncEnter com.semc.test.TestActivity:testSyncCodeBlock()void(2,53)->syncObject
    

Print synchronized exit

  • Print method name and the synchronized object when the method leaves a synchronized method or code block. The printing will happen before leaving the block. It is mainly for diagnosing deadlocks.

  • Format:

      @   SyncExit class:method(params)returnType(bytecodeOffset, lineNumber)->object
    
  • Example:

      @   SyncExit com.semc.test.TestActivity:testSyncCodeBlock()void(6,53)->syncObject
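
The entry/exit, parameter/return and `@ Tag` line formats above are easy to post-process once captured from logcat. The parser below is an added example, not part of ApkAnalyser; it assumes the tag prefix has already been stripped, covers only the `>`, `<` and `@` families (not the `!` library-call or call-graph lines), and treats the bytecode offset as hexadecimal, as the examples on this page (2D, 1F, B) show. The sample capture it parses is constructed from the examples above.

```python
import re
# Constructed sample capture (logcat tag stripped), modelled on the formats documented above.
SAMPLE_LOG = """\
> com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(0,102)
parameter[0]: float x = 155.0
parameter[1]: float y = 290.0
@   WriteField com.example.android.apis.graphics.FingerPaint$MyView:touch_move(float x, float y)void(2D,106)->com.example.android.apis.graphics.FingerPaint$MyView:float mX = 135.0
@   ThrowEx com.semc.test.TestActivity:throwAnException()void(1F,48)->java.lang.Exception: blah blah ..
< com.example.android.apis.graphics.FingerPaint$MyView:onTouchEvent(android.view.MotionEvent event)boolean(10,137)
return: boolean = true
"""
# class:method(params)returnType(bytecodeOffset,lineNumber): the offset is printed in hex (2D, 1F, B).
SIG_RE = re.compile(r"(?P<cls>[\w$.]+):(?P<method>[\w<>$]+)\((?P<params>[^)]*)\)"
                    r"(?P<ret>[\w$.\[\]]+)\((?P<offset>[0-9A-Fa-f]+),\s*(?P<line>\d+)\)")
# '>' entry, '<' exit, '@ Tag' for every other injection; entry/exit lines carry no tag.
HEAD_RE = re.compile(r"^(?P<prefix>[<>@])\s*(?:(?P<tag>[A-Za-z]+)\s+)?(?P<rest>.*)$")
PARAM_RE = re.compile(r"^parameter\[(?P<idx>\d+)\]:\s*(?P<type>\S+)\s+(?P<name>\S+)\s*=\s*(?P<value>.*)$")
RET_RE = re.compile(r"^return:\s*(?P<type>\S+)\s*=\s*(?P<value>.*)$")

def parse_line(line):
    # One injected line -> event dict, or None for lines this parser does not cover (e.g. call-graph lines).
    head = HEAD_RE.match(line.strip())
    sig = SIG_RE.search(head["rest"]) if head else None
    if not sig:
        return None
    kind = {">": "Entry", "<": "Exit"}.get(head["prefix"], head["tag"])
    detail = re.sub(r"^\s*(->|=)\s*", "", head["rest"][sig.end():]).strip()  # text after the signature
    return {"kind": kind, "cls": sig["cls"], "method": sig["method"], "params": sig["params"],
            "ret": sig["ret"], "offset": int(sig["offset"], 16), "line": int(sig["line"]), "detail": detail or None}

def parse_log(text):
    # Whole capture -> event list; parameter[n]/return lines are folded into the preceding event.
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        pm, rm = PARAM_RE.match(line), RET_RE.match(line)
        if pm and events:
            events[-1].setdefault("args", []).append((pm["type"], pm["name"], pm["value"]))
        elif rm and events:
            events[-1]["return"] = (rm["type"], rm["value"])
        else:
            ev = parse_line(line)
            if ev:
                events.append(ev)
    return events

def field_writes(events):
    # WriteField detail reads 'class:type name = value'; return it as (target, value) pairs.
    return [tuple(s.strip() for s in ev["detail"].rsplit("=", 1))
            for ev in events if ev["kind"] == "WriteField" and "=" in (ev["detail"] or "")]
```

`parse_log(SAMPLE_LOG)` yields four events (Entry, WriteField, ThrowEx, Exit) with the parameters and return value attached to the entry and exit events; note that the exit line's offset `(10,137)` is decoded as 0x10, not 10.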
    

Injections can be applied to any package/class or the whole APK

Print construct all local classes

  • Print class name and its hashcode when constructing the local class (the class inside the APK file)

  • Format:

      @   Construct className(bytecodeOffset, lineNumber) @ instanceHashCode
    
  • Example:

      @   Construct com.sonyericsson.freedom.data.inboxdb.FdmIncmSmsInfo(15,32) @ 1151824120
    

Print finalize all local classes

  • Print class name and its hashcode when finalizing the local class (the class inside the APK file)

  • Format:

      @   Finalize className(bytecodeOffset, lineNumber) @ instanceHashCode
    
  • Example:

      @   Finalize com.sonyericsson.freedom.FreedomHS$1 @ 1151423560
    

Injections can be applied to any class

Print construct this class

  • Print class name and its hashcode when constructing this class

  • Format: same as Print construct all local classes

Print finalize this class

  • Print class name and its hashcode when finalizing this class

  • Format: same as Print finalize all local classes

Injections can be applied to a library or a package/class/method in the library

Print calls to references

  • Print the library method name and the APK's calling method name when the APK calls into the library.

  • Format:

      ! class:method(params)returnType -> lib_method(params)returnType(bytecodeOffset, lineNumber) 
    
  • Example:

      ! FingerPaint$MyView.onTouchEvent(android.view.MotionEvent event)boolean -> MotionEvent.getAction()int(8,123)
    

Print calls to references(with param)

  • Print the library method name, the APK's calling method name and the parameters passed to the library method when the APK calls into the library.

  • Format:

      ! class:method(params)returnType -> lib_method(params)returnType(bytecodeOffset, lineNumber) 
      parameter[0]: type name = value
      parameter[1]: type name = value
      ...
    
  • Example:

      ! FingerPaint$MyView.touch_up()void -> Path.lineTo(float, float)void(6,111)
      parameter[0]: float = 100.0
      parameter[1]: float = 220.0
    

Print calls to references(with return value)

  • Print the library method name, the APK's calling method name and the return value of the library method when the library method returns.

  • Format:

      ! class:method(params)returnType -> lib_method(params)returnType(bytecodeOffset, lineNumber) 
      return: type = value
    
  • Example:

      ! FingerPaint$MyView.onTouchEvent(android.view.MotionEvent event)boolean -> MotionEvent.getX()float(0,120)
      return: float = 252.0
    

Injections can be applied to a certain field

Right click a method->view bytecodes (or a class->Examine class), and then right click a field

Print reading this field

  • Print method name, the field name and its value when the method is reading the field (the method could be any class of APK)

  • Format: same as Print reading all fields

Print writing this field

  • Print method name, the field name and its value when the method is writing the field (the method could be any class of APK)

  • Format: same as Print writing all fields

Injections can be applied to a certain offset of a method

Right click a method->view bytecode, and then right click a bytecode.

Print custom log at offset

  • Print a custom string when the bytecode is executed. The user enters the string in a dialog.

  • Format: N/A (user should input the string in a dialog)

Print current thread at offset

  • Print method name and the calling thread when the bytecode is executed

  • Format: same as Print current thread at entry

Invoke system gc at offset

  • Invoke System.gc() when the bytecode is executed

  • Format: nothing in log

Print stack trace at offset

  • Print method name and the call stack when the bytecode is executed

  • Format: same as Print stack trace at entry

Injections can be applied to a certain call chain (in method call graph)

Right click a method->"show graph for local calls" or "show graph for local callers", and then right click a method

Print call graph chain

  • Print each method name and its caller while walking the call chain.

  • Format:

      > [index/total] class:method(params)returnType[typedescriptor](bytecodeOffset, lineNumber)
      ...
    
  • Example:

      > [1/2] com.example.android.apis.graphics.FingerPaint$MyView:onTouchEvent(android.view.MotionEvent event)boolean [com.example.android.apis.graphics.FingerPaint$MyView.touch_start(FF)V](0,120)
      > [2/2] com.example.android.apis.graphics.FingerPaint$MyView:touch_start(float x, float y)void [com.example.android.apis.graphics.FingerPaint$MyView.touch_start(FF)V](0,96)