SUPERAndroidAnalyzer / super

Secure, Unified, Powerful and Extensible Rust Android Analyzer
https://superanalyzer.rocks/
GNU General Public License v3.0

Apply rules to binary libraries #108

Open gnieto opened 7 years ago

gnieto commented 7 years ago

It would be nice to analyze binary libraries and apply the current rules there. This way, super would be able to extract URLs, IPs and some more data that resides in the string tables of those binaries.

gnieto commented 7 years ago

I have an experimental branch that uses the elf crate to extract the string table and is able to apply the rules on top of it.

If you think it's interesting enough, I can try to finish a first version and we can discuss some questions I have on how to generate the reports.

Razican commented 7 years ago

So, the thing is that the current rules will soon (I hope) be superseded by a new format to analyze Dalvik bytecode properly, now that the development of the dalvik library is advancing. It's actually a good opportunity to create an RFC about what those rules would look like. We would need to at least be able to analyze Dalvik and XML files.

About ELF files, where could that be used? Android applications too? AFAIK ELF is used in UNIX as an executable format, but I hadn't heard of it being used in APKs. Maybe in NDK-based ones? What do you propose?

Razican commented 7 years ago

Actually, just as a note, part of this is being tracked in #37.

gnieto commented 7 years ago

Yes, the ones that use the NDK usually have (if I'm not wrong) a lib folder at the root of the APK, which contains dynamic libraries that are called from the application.

Checking the type of one of these binaries with file shows:

ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

This means that it's easy to extract the string tables and check them to try to extract useful data. If you want, once I have a minimal version of this, I can open a PR and you can try it with some APKs.

Razican commented 7 years ago

Sounds good. You can open a pull request, sure. It will be good to see it there and see how we can improve or integrate it :)
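To make the proposal in this thread concrete, here is an added, stand-alone example (not SUPER's code, and not the elf crate that gnieto's branch uses): a dependency-free walk of the section headers of an ELF32 little-endian shared object, like the ARM lib from the file output above, that collects printable strings from every string table (.dynstr, .strtab, .shstrtab) and from .rodata, and then runs two of the rule kinds discussed (URL and IPv4 literals) over them. The sample image is constructed in memory so it runs offline; every offset read from the file is bounds-checked rather than trusted, since the input is an attacker-supplied binary. The rule functions and section choice are the example's own assumptions, not a format SUPER defines.

```rust
// Added example: ELF32 LE string-table scanner plus URL/IPv4 rules. Not SUPER's
// code and not the `elf` crate; section names used are the standard ones and the
// sample ELF image below is constructed by hand for the demonstration.
const SHT_PROGBITS: u32 = 1;
const SHT_STRTAB: u32 = 3;

fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }

/// NUL-terminated name at `off` in a string table; "" if out of range.
fn cstr_at(tab: &[u8], off: usize) -> &str {
    let rest = tab.get(off..).unwrap_or(&[]);
    let end = rest.iter().position(|&c| c == 0).unwrap_or(rest.len());
    std::str::from_utf8(&rest[..end]).unwrap_or("")
}

/// Printable-ASCII runs of at least `min_len` bytes, like the `strings` utility.
fn printable_runs(data: &[u8], min_len: usize) -> Vec<String> {
    let (mut out, mut cur) = (Vec::new(), String::new());
    for &c in data.iter().chain(std::iter::once(&0u8)) {
        if (0x20..0x7f).contains(&c) {
            cur.push(c as char);
        } else {
            if cur.len() >= min_len { out.push(cur.clone()); }
            cur.clear();
        }
    }
    out
}

/// Strings from every SHT_STRTAB section and from .rodata of an ELF32 LE image.
/// None if the image is not ELF32 LE or any header offset points past the end.
fn elf32_strings(img: &[u8]) -> Option<Vec<String>> {
    if img.len() < 52 || &img[..4] != b"\x7fELF" || img[4] != 1 || img[5] != 1 {
        return None; // magic, ELFCLASS32, ELFDATA2LSB
    }
    let (shoff, shentsize) = (u32_at(img, 32) as usize, u16_at(img, 46) as usize);
    let (shnum, shstrndx) = (u16_at(img, 48) as usize, u16_at(img, 50) as usize);
    let sh_end = shnum.checked_mul(shentsize)?.checked_add(shoff)?; // no wraparound
    if shentsize < 40 || sh_end > img.len() || shstrndx >= shnum {
        return None;
    }
    // (sh_name, sh_type, sh_offset, sh_size) of section header i
    let shdr = |i: usize| {
        let h = &img[shoff + i * shentsize..];
        (u32_at(h, 0) as usize, u32_at(h, 4), u32_at(h, 16) as usize, u32_at(h, 20) as usize)
    };
    let (_, _, so, ss) = shdr(shstrndx);
    let shstrtab = img.get(so..so.checked_add(ss)?)?;
    let mut found = Vec::new();
    for i in 0..shnum {
        let (name_off, typ, off, size) = shdr(i);
        let name = cstr_at(shstrtab, name_off);
        if typ == SHT_STRTAB || (typ == SHT_PROGBITS && name == ".rodata") {
            found.extend(printable_runs(img.get(off..off.checked_add(size)?)?, 4));
        }
    }
    Some(found)
}

/// Rule: http:// or https:// literal, cut at the first whitespace or quote.
fn url_rule(s: &str) -> Option<String> {
    let start = s.find("http://").or_else(|| s.find("https://"))?;
    let tail = &s[start..];
    let end = tail.find(|c: char| c.is_whitespace() || c == '"' || c == '\'').unwrap_or(tail.len());
    Some(tail[..end].to_string())
}

/// Rule: dotted quad with four octets in 0..=255 (version strings like 1.2.3.4 also match).
fn ipv4_rule(s: &str) -> Option<String> {
    s.split(|c: char| !(c.is_ascii_digit() || c == '.'))
        .find(|tok| {
            let parts: Vec<&str> = tok.split('.').collect();
            parts.len() == 4 && parts.iter().all(|p| p.len() <= 3 && p.parse::<u8>().is_ok())
        })
        .map(str::to_string)
}

/// Apply every rule to every string; returns (rule name, matched text).
fn apply_rules(strings: &[String]) -> Vec<(&'static str, String)> {
    let mut hits = Vec::new();
    for s in strings {
        if let Some(u) = url_rule(s) { hits.push(("url", u)); }
        if let Some(ip) = ipv4_rule(s) { hits.push(("ipv4", ip)); }
    }
    hits
}

/// Constructed sample: minimal ELF32 LE ET_DYN image with sections
/// [0] NULL, [1] .rodata, [2] .dynstr, [3] .shstrtab. Not a real library.
fn build_sample_elf() -> Vec<u8> {
    let rodata: &[u8] = b"\x00\x00https://api.example.com/v1/report\x00\x01\x02k\x00ping 203.0.113.9 now\x00";
    let dynstr: &[u8] = b"\x00libc.so\x00__cxa_finalize\x00";
    let shstrtab: &[u8] = b"\x00.rodata\x00.dynstr\x00.shstrtab\x00";
    // (section bytes, sh_type, sh_name offset into .shstrtab)
    let secs = [(rodata, SHT_PROGBITS, 1u32), (dynstr, SHT_STRTAB, 9), (shstrtab, SHT_STRTAB, 17)];
    let mut img = vec![0u8; 52];
    img[..4].copy_from_slice(b"\x7fELF");
    img[4..7].copy_from_slice(&[1, 1, 1]); // ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    img[16..18].copy_from_slice(&3u16.to_le_bytes()); // ET_DYN
    img[18..20].copy_from_slice(&40u16.to_le_bytes()); // EM_ARM
    img[40..42].copy_from_slice(&52u16.to_le_bytes()); // e_ehsize
    let mut shdrs = vec![[0u8; 40]]; // index 0 is SHN_UNDEF
    for (data, typ, name) in secs {
        let mut h = [0u8; 40];
        h[0..4].copy_from_slice(&name.to_le_bytes());
        h[4..8].copy_from_slice(&typ.to_le_bytes());
        h[16..20].copy_from_slice(&(img.len() as u32).to_le_bytes()); // sh_offset
        h[20..24].copy_from_slice(&(data.len() as u32).to_le_bytes()); // sh_size
        img.extend_from_slice(data);
        shdrs.push(h);
    }
    let shoff = img.len() as u32;
    img[32..36].copy_from_slice(&shoff.to_le_bytes()); // e_shoff
    img[46..48].copy_from_slice(&40u16.to_le_bytes()); // e_shentsize
    img[48..50].copy_from_slice(&(shdrs.len() as u16).to_le_bytes()); // e_shnum
    img[50..52].copy_from_slice(&3u16.to_le_bytes()); // e_shstrndx
    for h in &shdrs { img.extend_from_slice(h); }
    img
}

fn main() {
    let strings = elf32_strings(&build_sample_elf()).expect("not an ELF32 LE image");
    for (rule, hit) in apply_rules(&strings) {
        println!("{}: {}", rule, hit);
    }
}
```

Two caveats for anyone turning this into a real rule pass. The library in the file output above is stripped, so .symtab/.strtab are gone and what remains to scan is .dynstr (imported symbol names) and .rodata (the literals this issue is after); a 64-bit arm64-v8a library uses the ELF64 header layout with different field offsets, which this sketch deliberately does not handle. The IPv4 rule also fires on any dotted quad, including version strings, so a report should show the surrounding string rather than only the match.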