arguslab / Argus-SAF

Argus static analysis framework
Apache License 2.0

How do you spot JNI API functions in shared libraries #77

Open gaojun0816 opened 4 years ago

gaojun0816 commented 4 years ago

In order to find the dynamically registered JNI functions, you have to spot the use of the JNI API function RegisterNatives. In your nativedroid, you have the following code to find it and hook it with a customized SimProcedure:

```python
if 'jniRegisterNativeMethods' in project.loader.main_object.imports or \
        '_ZN7android14AndroidRuntime21registerNativeMethodsEP7_JNIEnvPKcPK15JNINativeMethodi' in \
        project.loader.main_object.imports:
    project.hook_symbol('jniRegisterNativeMethods', RegisterNativeMethods(analysis_center))
```

This code appears in the function dynamic_register_resolve in the file nativedroid/analyses/resolver/dynamic_register_resolution.py. However, I checked many cases with several tools (radare2, objdump, besides angr). None of these tools show a symbol table that contains these JNI API functions.

So I'd like to know: are you sure this part of the code really works? How did you make it work? Have you done anything extra with angr that I did not notice?
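Added example, not code from nativedroid or Argus-SAF: a dependency-free Python scanner that reads the `.dynsym`/`.symtab` sections of a little-endian ELF64 library and reports whether the two registration helpers that `dynamic_register_resolve` keys on appear as imports, whether `JNI_OnLoad` is exported, and which statically bound `Java_*` natives are exported. `build_elf64_with_symbols` constructs small fake ELF images so the scanner can run offline; apart from the two symbol names quoted from the issue, every symbol name in those images is made up. The example illustrates the observation in this thread: `RegisterNatives` itself is reached through the JNIEnv function table, not through an imported symbol, so a library that does not go through the libnativehelper wrapper (or that has been stripped) leaves the import-based check silent, and an exported `JNI_OnLoad` is the only remaining hint that registration happens at load time.

```python
import struct
import sys

# Import names that nativedroid's dynamic_register_resolve looks for.
JNI_REGISTRATION_SYMBOLS = {
    "jniRegisterNativeMethods",
    "_ZN7android14AndroidRuntime21registerNativeMethodsEP7_JNIEnvPKcPK15JNINativeMethodi",
}

SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
SHN_UNDEF = 0
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes
SYM_FMT = "<IBBHQQ"        # Elf64_Sym, 24 bytes


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def elf64_symbols(data: bytes):
    """Yield (table, name, st_shndx) for every entry of the SHT_DYNSYM and
    SHT_SYMTAB sections of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_DYNSYM, SHT_SYMTAB):
            continue
        strtab = shdrs[sh_link]                      # sh_link points at the string table
        strblob = data[strtab[4]:strtab[4] + strtab[5]]
        table = "dynsym" if sh_type == SHT_DYNSYM else "symtab"
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize or 24):
            st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", data, off)
            yield table, _cstr(strblob, st_name), st_shndx


def jni_registration_report(data: bytes) -> dict:
    """Summarise how JNI registration is visible in the symbol tables.
    Imported (SHN_UNDEF) entries are what an import-based check can see;
    defined entries tell us about JNI_OnLoad and static Java_* bindings."""
    imports, exported = set(), set()
    for _table, name, shndx in elf64_symbols(data):
        if not name:
            continue
        (imports if shndx == SHN_UNDEF else exported).add(name)
    found = sorted(imports & JNI_REGISTRATION_SYMBOLS)
    return {
        "registration_imports": found,
        "dynamic_registration_visible": bool(found),
        "has_jni_onload": "JNI_OnLoad" in exported,
        "static_jni_exports": sorted(n for n in exported if n.startswith("Java_")),
    }


def build_elf64_with_symbols(symbols) -> bytes:
    """Constructed test image, not a real library: a minimal ELF64 holding only
    a string table and a .dynsym. `symbols` is a list of (name, is_import)."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n, _ in symbols)
    syms = struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)            # mandatory null symbol
    name_off = 1
    for name, is_import in symbols:
        shndx = SHN_UNDEF if is_import else 1                # 1 = "some defined section"
        syms += struct.pack(SYM_FMT, name_off, 0x12, 0, shndx, 0, 0)  # STB_GLOBAL|STT_FUNC
        name_off += len(name) + 1
    str_off = 64
    sym_off = str_off + len(strtab)
    sh_off = sym_off + len(syms)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # index 0 is reserved
    shdrs += struct.pack(SHDR_FMT, 0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, 0, SHT_DYNSYM, 0, 0, sym_off, len(syms), 1, 1, 8, 24)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELF64, LE, EV_CURRENT
    # e_type=ET_DYN, e_machine=EM_AARCH64, e_shoff, e_ehsize, e_shentsize, e_shnum
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, 3, 0)
    return ehdr + strtab + syms + shdrs


if __name__ == "__main__":
    # Usage: python jni_scan.py libfoo.so   (prints the report for a real library)
    with open(sys.argv[1], "rb") as fh:
        print(jni_registration_report(fh.read()))
```

Run against a real library, the report separates the three cases the thread is about: an older NDK/debug build that imports `jniRegisterNativeMethods` (the check in nativedroid fires), a build that only exports `Java_*` bindings (no dynamic registration at all), and a stripped or newer build that exports nothing but `JNI_OnLoad`, where registration must be found by following the JNIEnv function-table call rather than an import.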

behnamben commented 4 years ago

I think that's because JN-SAF is built in a way that it can work with NDK version < 16. In newer versions these symbols are not there because of some kind of compiler optimization.

gaojun0816 commented 4 years ago

Thanks @behnamben, I checked with NDK version 15 and, as you said, those symbols appear. But the symbols only show in the debug version, not the release version. I believe for the release version, the latest Android Studio also does more to strip off most of the symbols.

But anyway, this indicates that nativedroid needs to be updated to catch up with these new features, otherwise it will not be able to work with recent apps.

behnamben commented 4 years ago

Although that's true, the concepts are always the same and you can easily change those signatures in nativedroid. I also saw some problems when analyzing ARMv7 or ARMv8: it can't properly propagate the tainted value in the analysed program.