Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89943

Full metadata record

DC field: value (language)
dc.contributor.advisor: 蕭旭君 (zh_TW)
dc.contributor.advisor: Hsu-Chun Hsiao (en)
dc.contributor.author: 林永濬 (zh_TW)
dc.contributor.author: Yung-Chun Lin (en)
dc.date.accessioned: 2023-09-22T16:46:32Z
dc.date.available: 2023-11-09
dc.date.copyright: 2023-09-22
dc.date.issued: 2023
dc.date.submitted: 2023-08-11
dc.identifier.citation:
- androiddeveloper. https://developer.android.com/reference.
- Anti android emulator detection final report. https://i.cs.hku.hk/fyp/2018/fyp18033/data/final.pdf.
- apktool. https://ibotpeaches.github.io/Apktool/.
- Dalvik bytecode. https://source.android.com/docs/core/runtime/Dalvik-bytecode.
- detectandroidevasion. https://hitcon.org/2014/downloads/P1_12_%E8%83%A1%E6%96%87%E5%90%9B%20%20Guess%20Where%20I%20amAndroid%E6%A8%A1%E6%8B%9F%E5%99%A8%E8%BA%B2%E9%81%BF%E7%9A%84%E6%A3%80%E6%B5%8B%E4%B8%8E%E5%BA%94%E5%AF%B9.pdf.
- Mobile security testing guide. https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering.
- Smali. https://github.com/JesusFreke/Smali.
- smaliregisters. https://stackoverflow.com/questions/27341565/Smali-increase-number-of-registers.
- strace. https://source.android.google.cn/docs/core/tests/debug/strace.
- V. Afonso, A. Kalysch, T. Müller, D. Oliveira, A. Grégio, and P. L. de Geus. Lumus: Dynamically uncovering evasive android applications. In L. Chen, M. Manulis, and S. Schneider, editors, Information Security, pages 47–66, Cham, 2018. Springer International Publishing.
- K. Allix, T. F. Bissyandé, J. Klein, and Y. L. Traon. Androzoo: Collecting millions of android apps for the research community. In 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR), pages 468–471, 2016.
- M. K. Alzaylaee, S. Y. Yerima, and S. Sezer. Emulator vs real phone: Android malware detection using machine learning. In Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics, IWSPA '17, pages 65–72, New York, NY, USA, 2017. Association for Computing Machinery.
- L. Bello and M. Pistoia. Ares: Triggering payload of evasive android malware. In 2018 IEEE/ACM 5th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pages 2–12, 2018.
- Y. Fratantonio, A. Bianchi, W. Robertson, E. Kirda, C. Kruegel, and G. Vigna. Triggerscope: Towards detecting logic bombs in android applications. Pages 377–396, May 2016.
- Y. Li, Z. Yang, Y. Guo, and X. Chen. Droidbot: a lightweight ui-guided test input generator for android. In 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), pages 23–26, 2017.
- J. Liu, T. Wu, X. Deng, J. Yan, and J. Zhang. Insdal: A safe and extensible instrumentation tool on dalvik byte-code for android applications. Pages 502–506, February 2017.
- T. Petsas, G. Voyatzis, E. Athanasopoulos, M. Polychronakis, and S. Ioannidis. Rage against the virtual machine: Hindering dynamic analysis of android malware. In Proceedings of the Seventh European Workshop on System Security, EuroSec '14, New York, NY, USA, 2014. Association for Computing Machinery.
- J. Samhi, T. F. Bissyande, and J. Klein. Triggerzoo: A dataset of android applications automatically infected with logic bombs. In 2022 IEEE/ACM 19th International Conference on Mining Software Repositories (MSR), pages 459–463, Los Alamitos, CA, USA, May 2022. IEEE Computer Society.
- J. Samhi, L. Li, T. F. Bissyande, and J. Klein. Difuzer: Uncovering suspicious hidden sensitive operations in android apps. In 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE), pages 723–735, Los Alamitos, CA, USA, May 2022. IEEE Computer Society.
- V. Sihag, M. Vardhan, and P. Singh. A survey of android application and malware hardening. Computer Science Review, 39:100365, 2021.
- T. Vidas and N. Christin. Evading android runtime analysis via sandbox detection. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, pages 447–458, New York, NY, USA, 2014. Association for Computing Machinery.
- X. Wang, S. Zhu, D. Zhou, and Y. Yang. Droid-antirm: Taming control flow anti-analysis to support automated dynamic analysis of android malware. In Proceedings of the 33rd Annual Computer Security Applications Conference, ACSAC '17, pages 350–361, New York, NY, USA, 2017. Association for Computing Machinery.
- M. Wong and D. Lie. Intellidroid: A targeted input generator for the dynamic analysis of android malware. January 2016.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89943
dc.description.abstract (zh_TW, translated): The development of malware and its analysis and detection have always been an arms race between attackers and defenders; mainstream analysis approaches combine dynamic and static analysis so that each compensates for the other's weaknesses. For malware developers, how to evade analysis so that their malicious behaviour cannot easily be reverse engineered has become an important topic. For analysts, dynamic analysis is an indispensable part of understanding program behaviour, yet evasion aimed at dynamic analysis is also widespread; the most common form is detecting the emulator environment that most dynamic analysis solutions require, which degrades the effectiveness of large-scale program analysis. Being able to locate these evasion behaviours that target the dynamic analysis environment is therefore of real help in fully dissecting malware.

Because emulator detection techniques keep evolving, traditional methods that locate emulator detection through static features are often no longer adequate. We therefore developed a system called SADroid, which uses a static-aided dynamic analysis approach to find the code segments in which emulator detection (anti-emulation) takes place, and to find the detection techniques that can indeed change program behaviour on recent emulator versions. These detection techniques can serve as tools for malware developers.
dc.description.abstract (en): Malware development and analysis is an ongoing arms race between attackers and defenders. Mainstream analysis designs often combine dynamic and static analysis in an attempt to complement each other's weaknesses. For malware developers, how to evade analysis and not let their malicious behavior be easily reversed and analyzed becomes a critical issue. While dynamic analysis is essential for analysts trying to understand program behavior, evasion of dynamic analysis is also common, with one of the most common designs being the detection of emulator environments, which are required by many dynamic analysis approaches. This leads to poor performance when conducting large-scale program analysis. Therefore, the ability to identify these evasion behaviors targeted at dynamic analysis environments is substantially helpful in thoroughly analyzing malware.

Given that techniques for detecting emulator environments are constantly evolving, traditional static feature-based approaches for detecting emulator environments are often no longer effective. As such, we have developed a system called SADroid that uses static-aided dynamic analysis to identify segments of code in programs that are used for detecting emulator environments (anti-emulation) and to find techniques that can alter program behavior on the latest emulator versions, which can be used as tools by malware developers.
dc.description.provenance (en): Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-09-22T16:46:32Z. No. of bitstreams: 0
dc.description.provenance (en): Made available in DSpace on 2023-09-22T16:46:32Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Abstract (Chinese)
Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Related Work
Chapter 3 Preliminaries
  3.1 Dalvik Bytecode and Smali Syntax
    3.1.1 Locals/Parameters Register
    3.1.2 Register Range of Dalvik Bytecode Instructions
    3.1.3 Method Invocation Types And Return Value
    3.1.4 Tags for jumps
    3.1.5 Wide Type Register Usage
    3.1.6 Calling Android APIs in Smali Bytecode
    3.1.7 Android Support Libraries in Smali Directories
    3.1.8 App Obfuscation Everywhere
  3.2 Android App Protection / Malware Evasion
  3.3 Sensitive APIs List (Target APIs List)
  3.4 "adb" And "adb logcat" And "adb devices"
  3.5 Android Lifecycle Entry Points And New Process/Thread Entry Points
  3.6 Bytecode Instrumentation
Chapter 4 SADroid Approach Overview
  4.1 Research Questions
  4.2 Definitions
  4.3 Features of Our Approach
  4.4 Model Architecture
Chapter 5 Implementation Details
  5.1 Bytecode Instrumentation Tool
    5.1.1 Special Logging Methods: Passing Arguments Without Any Register
    5.1.2 Registers Modification And Side Effect Handling
    5.1.3 Runtime Method-Scoped Random ID Passing Mechanism
    5.1.4 Virtual Method Handling
    5.1.5 Logging Methods Implementation
    5.1.6 Multidex Support
  5.2 Two-Device UI Fuzzer
  5.3 Log Sequence Analyzer
  5.4 Dynamic Control Flow Passing Counter
Chapter 6 Evaluation
  6.1 Experiment Environments And Dataset Collection
  6.2 Sensitive evasion in Our Dataset
  6.3 Discovery of New Evasion Types
  6.4 Actual Sensitive Behavior
  6.5 Bytecode Instrumentation Failure
  6.6 Case Studies
    6.6.1 True Positive And True Negative
    6.6.2 "Try-Catch" as An Evasion
    6.6.3 Weird Failed Instrumentation Sample
Chapter 7 Discussion And Limitation
  7.1 What Cause The Instrumentation Fault
  7.2 Main Cause of The Exception Line During Log Sequence Analysis
  7.3 Static Uncertainty: Virtual Methods Issues And Reflection
  7.4 All Evasion Candidates Results And Cause of Anti-Emulator FNs
  7.5 Cause of Anti-Emulator FPs: UI/Phone Style Difference And Neutral Environmental Checks And Unknowns
  7.6 Limitations - Code Coverage / Not Supported Apps
Chapter 8 Future Work
Chapter 9 Conclusion
References
dc.language.iso: en
dc.subject (zh_TW, translated): Evasion behaviour
dc.subject (zh_TW, translated): Emulator detection
dc.subject (zh_TW, translated): Malware
dc.subject (zh_TW, translated): Dynamic analysis
dc.subject (en): Dynamic Analysis
dc.subject (en): Malware
dc.subject (en): Emulator Detection
dc.subject (en): Evasion
dc.title (zh_TW, translated): Locating Emulator-Detection Code Segments in Android Malware
dc.title (en): Locating Anti-Emulator Code in Android Malware
dc.type: Thesis
dc.date.schoolyear: 111-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee (zh_TW): 黎士瑋;班濤
dc.contributor.oralexamcommittee (en): Shih-Wei Li; Tao Ban
dc.subject.keyword (zh_TW, translated): Malware, Dynamic analysis, Emulator detection, Evasion behaviour
dc.subject.keyword (en): Malware, Dynamic Analysis, Emulator Detection, Evasion
dc.relation.page: 62
dc.identifier.doi: 10.6342/NTU202303088
dc.rights.note: Authorized (open access worldwide)
dc.date.accepted: 2023-08-12
dc.contributor.author-college: College of Electrical Engineering and Computer Science (電機資訊學院)
dc.contributor.author-dept: Department of Computer Science and Information Engineering (資訊工程學系)
Appears in collections: Department of Computer Science and Information Engineering (資訊工程學系)

Files in this item:
File: ntu-111-2.pdf; Size: 1.47 MB; Format: Adobe PDF