Dalvik Research
Over the past couple of months I’ve been doing some research with regards to
the Dalvik Virtual Machine, which is Android’s Java Virtual Machine
implementation. Long story short, most Android applications are written in
Java, which gets compiled to Dalvik Bytecode and ends up in an APK file (a
Zip file).
As part of my research on Dalvik, I analyzed both the Dalvik VM itself and
various applications, with a focus on their obfuscation techniques (which
make analysis harder). This research was presented at a couple of
conferences.
Back in June I already posted my slides for my AthCon
talk, which focussed on Deobfuscation. Then a couple of weeks ago,
I did a similar talk together with Rodrigo Chiossi at
H2HC, featuring new and updated content, with a bit more focus on some
of the techniques involved in creating new Dex files.
Finally, I did a talk yesterday at Hack.lu, focussing on the
Dalvik Virtual Machine itself. In this talk I presented an
“undocumented feature” which I found in the way Android verifies Dex files,
allowing an attacker to run arbitrary Dalvik Bytecode (which is normally not
allowed: all code must normally be hardcoded and is verified upon
installation). Following are the slides and the
Proof of Concept DvmEscape application.
As explained during the presentation, when running this application on your
phone or emulator, you can type arbitrary Dalvik Bytecode and execute it by
clicking on the “Run Dalvik” button. On the 30th slide of the presentation one
can find two examples of valid Dalvik Bytecode which, when run, will return
a fancy number. Unfortunately the dalvik.py disassembler mentioned in the
slides is currently not open source, but for more documentation on the
Dalvik Bytecode there’s always the Dalvik Bytecode reference.
Win32 Calc.exe Proof of Concept
If you want to run my win32 calc.exe Proof of Concept from the presentation
you’ll have to do a couple of things:
- Install CalcExe.apk on the device
- Get the adb_type.py script, which “types” a string into the emulator
- Finally, type payload.txt into the DvmEscape application, with the following command:
$ python adb_type.py $(cat payload.txt)
Note that typing the bytecode into the emulator (or phone?!) takes roughly a
minute. (No, there appears to be no support for using the clipboard with the
emulator.) After that, just click on the button and calc should pop.
For more information or questions, feel free to reach me at my new email
address; mail.
I liked your “Abusing Dalvik” paper. Fun stuff.
One minor correction: the Facebook hack was to increase the size of the LinearAlloc area, which is used to store bits of classes that are more or less read-only (vtables and so on). They had enough classes and methods in their APK to overflow the area, which was undersized on older releases. Their fix does not address the 64K method limit, which is inherent in the opcode format.
Thanks for the feedback and the correction.
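Both the install-time verification of Dex files mentioned in the post and the 64K method limit raised in the comment above come down to fields of the DEX header. As an added example (my own code, not DvmEscape and not any Android component), here is a small Python checker that validates the header magic, the Adler-32 checksum, the size fields and the 16-bit method-index limit; the `build_sample_dex` helper constructs a header-only DEX purely for demonstration.

```python
import struct
import zlib

DEX_HEADER_LEN = 0x70          # dex_header_item is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678
MAX_METHOD_IDS = 0x10000       # invoke-* opcodes carry a 16-bit method index


def dex_checksum(data: bytes) -> int:
    """Adler-32 over everything after magic (8) + checksum (4), i.e. from 0x0C."""
    return zlib.adler32(data[0x0C:]) & 0xFFFFFFFF


def check_dex(data: bytes) -> dict:
    """Header-level sanity checks; returns {'ok': bool, 'problems': [..]}."""
    problems = []
    if len(data) < DEX_HEADER_LEN:
        return {"ok": False, "problems": ["shorter than a dex header"]}
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\0"):
        problems.append("bad magic")
    stored = struct.unpack_from("<I", data, 0x08)[0]
    if stored != dex_checksum(data):
        problems.append("checksum mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    if file_size != len(data):
        problems.append("file_size does not match actual length")
    if header_size != DEX_HEADER_LEN:
        problems.append("unexpected header_size")
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("unsupported endian_tag")
    method_ids_size = struct.unpack_from("<I", data, 0x58)[0]
    if method_ids_size > MAX_METHOD_IDS:
        problems.append("method_ids_size exceeds 16-bit index space")
    return {"ok": not problems, "problems": problems}


def build_sample_dex(method_ids_size: int, corrupt_checksum: bool = False) -> bytes:
    """Constructed header-only DEX (no tables) used to exercise check_dex."""
    hdr = bytearray(DEX_HEADER_LEN)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_LEN, DEX_HEADER_LEN, ENDIAN_CONSTANT)
    struct.pack_into("<I", hdr, 0x58, method_ids_size)
    checksum = dex_checksum(bytes(hdr)) ^ (1 if corrupt_checksum else 0)
    struct.pack_into("<I", hdr, 0x08, checksum)
    return bytes(hdr)


if __name__ == "__main__":
    print(check_dex(build_sample_dex(10)))
    print(check_dex(build_sample_dex(0x10001)))
```

Dalvik's real verifier goes far beyond these header checks (it also validates every table and every method's bytecode), so treat this as a first-pass integrity check rather than a substitute for it.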