soot-oss / soot

Soot - A Java optimization framework
GNU Lesser General Public License v2.1

Android application crashes after having been instrumented by Soot? #1042

Open 3ntr0phy opened 5 years ago

3ntr0phy commented 5 years ago

Hello, I am trying to test everything I have done with Soot. At the first try I tried to sign the apk and run it, after slices etc... and it crashed. After that I have tried to not instrument anything, just open the apk and output it with the following code:

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import soot.PackManager;
import soot.Scene;
import soot.options.Options;

public class Main {

    protected static String jarsPath = "/home/jacopo/Android/Sdk/platforms";
    private static String apkPath = "/home/jacopo/Documents/feature_extractor/drebin/DroidLyzer/malwares_app/E8079602A1A2A09E8BE8306E0463F7F7C4795554B4A9D7DD541BA54BD9EAA5AE.apk";

    public static void main(String[] args) {
        // Read an APK as input and write DEX as output
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_process_dir(Collections.singletonList(apkPath));
        Options.v().set_output_format(Options.output_format_dex);

        // Look up the platform android.jar for this APK under jarsPath
        String androidJarPath = Scene.v().getAndroidJarPath(jarsPath, apkPath);

        // This second set_process_dir call replaces the single-entry list set above
        List<String> pathList = new ArrayList<String>();
        pathList.add(apkPath);
        pathList.add(androidJarPath);
        Options.v().set_process_dir(pathList);

        // Note: the APK path is passed here, not androidJarPath
        Options.v().set_force_android_jar(apkPath);
        Options.v().set_keep_line_number(true);
        Options.v().set_process_multiple_dex(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_whole_program(true);
        Options.v().set_wrong_staticness(Options.wrong_staticness_ignore);
        Options.v().set_no_bodies_for_excluded(true);

        // No transformers are registered: load the classes, run the packs, write the output
        Scene.v().loadNecessaryClasses();
        PackManager.v().runPacks();
        PackManager.v().writeOutput();
    }
}

And if I install it on the Android emulator it keeps crashing. What is wrong in my configuration? Or is there something that I'm missing?

3ntr0phy commented 5 years ago

I am currently using the last version of FlowDroid, maybe it could help understanding the reason... No errors during the program execution, but the app keeps crashing on the emulator...

3ntr0phy commented 5 years ago

Ok I have fixed this issue, this was caused because I was using an array with multiple entries at Options.v().set_process_dir(pathList); I really would like to understand why and how this corrupts the final apk :/ But now I have another issue... with these settings:

    Options.v().set_src_prec(Options.src_prec_apk);
    Options.v().set_output_format(Options.output_format_dex);
    Options.v().set_process_dir(Collections.singletonList(apkPath));
    Options.v().set_force_android_jar(jarsPath);
    Options.v().set_keep_line_number(true);
    Options.v().set_prepend_classpath(true);
    Options.v().set_validate(true);
    Options.v().set_process_multiple_dex(true);
    Options.v().set_allow_phantom_refs(true);
    Options.v().set_whole_program(true);
    Options.v().set_include_all(true);

    Scene.v().loadNecessaryClasses();
    PackManager.v().runPacks();
    PackManager.v().writeOutput();

Everything works fine. But if I modify the Options.v().set_src_prec(Options.src_prec_apk); to Options.v().set_src_prec(Options.src_prec_apk_class_jimple);

I get the following weird exception:

APK file on process dir, but chosen src-prec does not support loading APKs
[Thread-14] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: Class com.google.android.gms.dynamic.b doesn't have method asBinder([]) : android.os.IBinder; failed to resolve in superclasses and interfaces
soot.SootMethodRefImpl$ClassResolutionFailedException: Class com.google.android.gms.dynamic.b doesn't have method asBinder([]) : android.os.IBinder; failed to resolve in superclasses and interfacesLooking in com.google.android.gms.dynamic.b which has methods []
Looking in java.lang.Object which has methods [<java.lang.Object: void <init>()>, <java.lang.Object: void registerNatives()>, <java.lang.Object: java.lang.Class getClass()>, <java.lang.Object: int hashCode()>, <java.lang.Object: boolean equals(java.lang.Object)>, <java.lang.Object: java.lang.Object clone()>, <java.lang.Object: java.lang.String toString()>, <java.lang.Object: void notify()>, <java.lang.Object: void notifyAll()>, <java.lang.Object: void wait(long)>, <java.lang.Object: void wait(long,int)>, <java.lang.Object: void wait()>, <java.lang.Object: void finalize()>, <java.lang.Object: void <clinit>()>]
Looking in android.os.IInterface which has methods []

    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:238)
    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:152)
    at soot.jimple.internal.AbstractInvokeExpr.getMethod(AbstractInvokeExpr.java:56)
    at soot.jimple.validation.InvokeArgumentValidator.validate(InvokeArgumentValidator.java:54)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:118)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:98)
    at soot.PackManager.runBodyPacks(PackManager.java:1021)
    at soot.PackManager.access$000(PackManager.java:146)
    at soot.PackManager$1.run(PackManager.java:664)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Exception in thread "main" Exception in thread "Thread-14" soot.SootMethodRefImpl$ClassResolutionFailedException: Class com.google.android.gms.dynamic.b doesn't have method asBinder([]) : android.os.IBinder; failed to resolve in superclasses and interfacesLooking in com.google.android.gms.dynamic.b which has methods []
Looking in java.lang.Object which has methods [<java.lang.Object: void <init>()>, <java.lang.Object: void registerNatives()>, <java.lang.Object: java.lang.Class getClass()>, <java.lang.Object: int hashCode()>, <java.lang.Object: boolean equals(java.lang.Object)>, <java.lang.Object: java.lang.Object clone()>, <java.lang.Object: java.lang.String toString()>, <java.lang.Object: void notify()>, <java.lang.Object: void notifyAll()>, <java.lang.Object: void wait(long)>, <java.lang.Object: void wait(long,int)>, <java.lang.Object: void wait()>, <java.lang.Object: void finalize()>, <java.lang.Object: void <clinit>()>]
Looking in android.os.IInterface which has methods []

    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:238)
    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:152)
    at soot.jimple.internal.AbstractInvokeExpr.getMethod(AbstractInvokeExpr.java:56)
    at soot.jimple.validation.InvokeArgumentValidator.validate(InvokeArgumentValidator.java:54)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:118)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:98)
    at soot.PackManager.runBodyPacks(PackManager.java:1021)
    at soot.PackManager.access$000(PackManager.java:146)
    at soot.PackManager$1.run(PackManager.java:664)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
soot.SootMethodRefImpl$ClassResolutionFailedException: Class com.google.android.gms.dynamic.b doesn't have method asBinder([]) : android.os.IBinder; failed to resolve in superclasses and interfacesLooking in com.google.android.gms.dynamic.b which has methods []
Looking in java.lang.Object which has methods [<java.lang.Object: void <init>()>, <java.lang.Object: void registerNatives()>, <java.lang.Object: java.lang.Class getClass()>, <java.lang.Object: int hashCode()>, <java.lang.Object: boolean equals(java.lang.Object)>, <java.lang.Object: java.lang.Object clone()>, <java.lang.Object: java.lang.String toString()>, <java.lang.Object: void notify()>, <java.lang.Object: void notifyAll()>, <java.lang.Object: void wait(long)>, <java.lang.Object: void wait(long,int)>, <java.lang.Object: void wait()>, <java.lang.Object: void finalize()>, <java.lang.Object: void <clinit>()>]
Looking in android.os.IInterface which has methods []

    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:238)
    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:152)
    at soot.jimple.internal.AbstractInvokeExpr.getMethod(AbstractInvokeExpr.java:56)
    at soot.jimple.validation.InvokeArgumentValidator.validate(InvokeArgumentValidator.java:54)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:118)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:98)
    at soot.PackManager.runBodyPacks(PackManager.java:1021)
    at soot.PackManager.access$000(PackManager.java:146)
    at soot.PackManager$1.run(PackManager.java:664)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

My intention was to have slices of code to export as jimple files, so I need to read the apk file and jimples. How can I fix it?

3ntr0phy commented 5 years ago

I have found also another apk which outputs the same error:

Exception in thread "main" soot.SootMethodRefImpl$ClassResolutionFailedException: Class com.google.android.gms.dynamic.b doesn't have method asBinder([]) : android.os.IBinder; failed to resolve in superclasses and interfacesLooking in com.google.android.gms.dynamic.b which has methods []
Looking in java.lang.Object which has methods [<java.lang.Object: void <init>()>, <java.lang.Object: void registerNatives()>, <java.lang.Object: java.lang.Class getClass()>, <java.lang.Object: int hashCode()>, <java.lang.Object: boolean equals(java.lang.Object)>, <java.lang.Object: java.lang.Object clone()>, <java.lang.Object: java.lang.String toString()>, <java.lang.Object: void notify()>, <java.lang.Object: void notifyAll()>, <java.lang.Object: void wait(long)>, <java.lang.Object: void wait(long,int)>, <java.lang.Object: void wait()>, <java.lang.Object: void finalize()>, <java.lang.Object: void <clinit>()>]
Looking in android.os.IInterface which has methods []

    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:238)
    at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:152)
    at soot.jimple.internal.AbstractInvokeExpr.getMethod(AbstractInvokeExpr.java:56)
    at soot.jimple.validation.InvokeArgumentValidator.validate(InvokeArgumentValidator.java:54)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:118)
    at soot.jimple.JimpleBody.validate(JimpleBody.java:98)

3ntr0phy commented 5 years ago

It is thrown by the validate method of the ActiveBody...

3ntr0phy commented 5 years ago

Any answer would be appreciated....