Contributed By Check Point Software Technologies LTD.
Droidmon, a key piece of CuckooDroid, monitors applications inside the virtual (guest) machine and provides insight into an application's behavior. Droidmon is an open source Dalvik monitoring framework built on the Xposed Framework: it hooks selected API methods at runtime and logs each call.
Xposed is a framework for modules that change the behavior of the system and of apps without modifying any APK. Because nothing on disk is patched, a module keeps working across app versions and even across ROMs, as long as the code it hooks has not changed too much. It is also easy to revert: all changes are made in memory, so deactivating the module and rebooting restores the original system. Another advantage is that several modules can modify the same part of the system or of an app. With patched APKs you would have to choose one; there is no way to combine them unless the author builds separate APKs for each combination.
To install Droidmon:
1. Install Droidmon.apk and enable this module in XposedInstaller.
2. Push hooks.json (for example with adb push) to /data/local/tmp/ with the required hooks.
3. Collect the output with logcat.

The hooks.json is the configuration file, written in JSON. It contains a list of all the information needed to hook the required methods. Each element in the list is a dictionary with four key-value pairs describing the monitored method.
The first key-value pair, class_name, is the fully qualified name of the class that declares the method to hook. The second, method, is the name of the method to monitor. The third, thisObject, is a boolean indicating whether to log information about the object on which the method is invoked. The fourth, type, is the API category of the method, such as networking, sms, fingerprint, file or binder; it is copied into every log record so that calls can be grouped by category.
An example is shown below:
{
  "hookConfigs": [
    {
      "class_name": "libcore.io.IoBridge",
      "method": "open",
      "thisObject": false,
      "type": "file"
    },
    {
      "class_name": "libcore.io.IoBridge",
      "method": "close",
      "thisObject": true,
      "type": "file"
    },
    {
      "class_name": "android.app.ActivityManager",
      "method": "getRunningTasks",
      "thisObject": false,
      "type": "binder"
    }
  ],
  "trace": false
}
Every method listed in the configuration file produces a log record each time it is invoked, in the format shown below. All of the information from the configuration entry (class, method and type) appears in the record. In addition, the record carries the timestamp of the invocation, the arguments passed to the method, and the return value. If thisObject is enabled for the hook, information about the invoking object is recorded as well. Most importantly, each record is tagged with the package name of the monitored application, so the output can be filtered per app. The tag has the form Droidmon-apimonitor-<Package Name>.
To keep only the records of one package, use this command:
adb logcat -d | grep Droidmon-apimonitor-com.cuckoo.test
I/Xposed ( 1649):
Droidmon-apimonitor-com.cuckoo.test:
{
"timestamp":1436953465511,
"class":"android.telephony.SmsManager",
"method":"sendTextMessage",
"type":"sms",
"args":["0735445281","000000000000000"]
}
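The records above are easiest to work with once they are parsed back into structured data. The following is an added example in Python, not Droidmon or CuckooDroid code: it pulls Droidmon-apimonitor records out of raw adb logcat -d output, joins records that logcat prints over several lines (as in the output above), filters by package, counts calls per type, lists SMS destinations, and cross-checks each logged class/method against a hooks.json. The hooks.json, the logcat lines and the function names are constructed for this example.

```python
"""Parse Droidmon API-monitor records out of raw logcat output.

Added example for this page; it is not Droidmon or CuckooDroid code.
The hooks.json and the logcat excerpt below are constructed for the
example. The record layout (one JSON object after the
Droidmon-apimonitor-<package> tag, possibly pretty-printed over several
lines as on the page) follows the page's description.
"""
import json
import re
from collections import Counter

# Tag Droidmon emits for each hooked call, followed by the JSON record.
TAG_RE = re.compile(r"Droidmon-apimonitor-(?P<pkg>[A-Za-z0-9_.]+):\s*(?P<rest>.*)$")
# Standard logcat line prefix, e.g. "I/Xposed  ( 1649): ", stripped from
# continuation lines if present.
PREFIX_RE = re.compile(r"^[VDIWEF]/[^(]*\(\s*\d+\):\s?")

# Constructed hooks.json in the format the page describes.
HOOKS_JSON = """{
  "hookConfigs": [
    {"class_name": "libcore.io.IoBridge", "method": "open",
     "thisObject": false, "type": "file"},
    {"class_name": "android.telephony.SmsManager", "method": "sendTextMessage",
     "thisObject": false, "type": "sms"}
  ],
  "trace": false
}"""

# Constructed logcat excerpt: one single-line record, one record
# pretty-printed over several lines (as on the page), one record from a
# different package for a method that is *not* in HOOKS_JSON, and an
# unrelated log line that must be ignored.
SAMPLE_LOGCAT = """\
I/Xposed  ( 1649): Droidmon-apimonitor-com.cuckoo.test: {"timestamp":1436953465511,"class":"android.telephony.SmsManager","method":"sendTextMessage","type":"sms","args":["0735445281","000000000000000"]}
I/Xposed  ( 1649): Droidmon-apimonitor-com.cuckoo.test:
{
"timestamp":1436953465600,
"class":"libcore.io.IoBridge",
"method":"open",
"type":"file",
"args":["/data/data/com.cuckoo.test/files/payload.bin",577]
}
I/Xposed  ( 1649): Droidmon-apimonitor-com.other.app: {"timestamp":1436953465700,"class":"android.app.ActivityManager","method":"getRunningTasks","type":"binder","args":[1]}
D/dalvikvm( 2000): GC_CONCURRENT freed 123K, 5% free
"""


def load_hooks(text):
    """Return the set of (class_name, method) pairs a hooks.json configures."""
    cfg = json.loads(text)
    return {(h["class_name"], h["method"]) for h in cfg["hookConfigs"]}


def _try_json(buf):
    try:
        return json.loads(buf)
    except ValueError:
        return None


def parse_logcat(text, package=None):
    """Extract every Droidmon record as a dict (with a 'package' key added).

    A record that logcat prints over several lines is joined until the
    buffered text parses as JSON; lines outside a record are ignored.
    """
    events = []
    pkg, buf, obj = None, "", None
    for line in text.splitlines():
        m = TAG_RE.search(line)
        if m:
            if obj is not None:
                events.append(dict(obj, package=pkg))
            pkg, buf = m.group("pkg"), m.group("rest").strip()
            obj = _try_json(buf)
        elif pkg is not None and obj is None:
            buf += "\n" + PREFIX_RE.sub("", line).strip()
            obj = _try_json(buf)
    if obj is not None:
        events.append(dict(obj, package=pkg))
    if package is not None:
        events = [e for e in events if e["package"] == package]
    return events


def counts_by_type(events):
    """Number of hooked calls per API category (the 'type' field)."""
    return dict(Counter(e["type"] for e in events))


def sms_destinations(events):
    """Destination numbers of every sendTextMessage call (first argument)."""
    return [e["args"][0] for e in events
            if e["class"] == "android.telephony.SmsManager"
            and e["method"] == "sendTextMessage"]


def unexpected_hooks(events, hooks):
    """Records whose class/method is absent from hooks.json: a sign the
    device is running a different configuration than the one analysed."""
    return [e for e in events if (e["class"], e["method"]) not in hooks]


if __name__ == "__main__":
    hooks = load_hooks(HOOKS_JSON)
    evs = parse_logcat(SAMPLE_LOGCAT, "com.cuckoo.test")
    print(counts_by_type(evs), sms_destinations(evs))
    print(unexpected_hooks(parse_logcat(SAMPLE_LOGCAT), hooks))
```

Run it directly to see the summary for the constructed excerpt, or feed it the output of adb logcat -d redirected to a file. A record whose class/method is not in the configuration usually means the device is running a different hooks.json than the one you are analysing, which is worth checking before trusting a report.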