sslab-gatech / avpass

Tool for leaking and bypassing Android malware detection system
GNU General Public License v2.0

apktool error? #7

Open pamphobeteus opened 6 years ago

pamphobeteus commented 6 years ago

I tried to create a sample using an existing malware (DroidJack), but it stopped with this error. Which part of the script should I modify?

```
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
W: ERROR: Unknown option '--forced-package-id'
W: Android Asset Packaging Tool
```

jinhojun commented 6 years ago

We think this is an apktool problem. You can try to

1) install the latest version of apktool
2) or use another malware sample (e.g., the DREBIN dataset)

We already confirmed that apktool v2.3.0 can "baksmali" all samples from DREBIN.

pamphobeteus commented 6 years ago

It is fixed by using apktool v2.3.0. However, another problem was discovered: if you choose yes for the STRING and VARIABLE options in conf.py, it stops with the error message 'input file (./temp_obfus.apk) was not found or was not readable.' Is this feature not usable?

(PS: I'm not sure whether it's okay to ask in Korean...)

jinhojun commented 6 years ago

You are welcome to ask in Korean.

Just to be sure, I tested with a DREBIN malware sample and confirmed that it runs normally. I'm sharing the run output below; please check whether you get the same result.

The result of testing with the malware "b1e5b8bd534675ce536e8ae2957288f5fa7e1d78c92b2209cd2fa2740dbf7885" is as follows.

```
$ python gen_disguise.py -i a.apk individual
[*] Decoding apk file to smali
I: Using Apktool 2.3.3 on a.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
S: WARNING: Could not write to (/home/jjung/.local/share/apktool/framework), using /tmp instead...
S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
I: Loading resource table from file: /tmp/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values / XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
python strp.py -f temp_obfus.apk string -c no; Perturb this APK file
Loading Smali[else]
[*] Start string encoding (all different encryption)
[*] Done processing 142 files => modified 66 files
[*] Everything done now
python strp.py -f temp_obfus.apk variable -c no; Change variable name
Loading Smali[else]
[*] Start variable encryption (simple caesar)
[*] Done processing 142 files => modified 142 files
[*] Everything done now
Generating a_obfus.apk
I: Using Apktool 2.3.3
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
S: WARNING: Could not write to (/home/jjung/.local/share/apktool/framework), using /tmp instead...
S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
```

The conf.py used at that time is as follows.

```python
import logging

TEMP_DIR_NAME = "tmpclass/"
LIB = "./lib"
BENIGN_CLASS_DIR = "./modules/benign_classes"

logging.basicConfig(format='%(levelname)s:%(message)s', level=logging.INFO)

STRING = "python strp.py -f {1}.apk string -c no;"
VARIABLE = "python strp.py -f {1}.apk variable -c no;"
PCM = "python pcm.py -f {1}.apk package -c no;"
BYTECODE = "python pcm.py -f {1}.apk insbyte -c no;"
BENIGN_CLASS = "python pcm.py -f {1}.apk bclass -c no;"
RESOURCE_IMAGE = "python res.py -f {1} image -c no;"
RESOURCE_XML = "python res.py -f {1} resxml -c no -n yes;"
API_INTER = "python api.py -f {1}.apk inter -a android -c no;"
BEN_PERMISSION = "python api.py -f {1}.apk bpermission -c no;"
API_REFLECTION = "python refl.py -f {1}.apk reflect -c no;"

ANTI_DATAFLOW = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
COMPONENT_DIV = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
FAMILY_CHANGER = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
POLY_STR_ENC = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"

RM_RESOURCE_PAYLOAD = "python res.py -f {1} payload -c no;"
RM_APIS = "python rmapi.py -f {1}.apk rmall -c no;"
RM_PERMISSION = "python api.py -f {1}.apk permission -c no;"

OBFUSCATION_LIST = [STRING, VARIABLE]

INFERRING_LIST = [API_REFLECTION, STRING, VARIABLE, PCM, BENIGN_CLASS, \
                  RESOURCE_IMAGE+RESOURCE_XML, RM_PERMISSION]

BLACKLIST_STRING = []  # e.g., '134-333-1234', 'http://mal.com'
BLACKLIST_API = []  # e.g., 'toString'
```

pamphobeteus commented 6 years ago

Thank you for the reply. conf.py with the current default values runs fine! However, when I modify only the specific options

```python
STRING = "python strp.py -f {1}.apk string -c no;"
VARIABLE = "python strp.py -f {1}.apk variable -c no;"
API_REFLECTION = "python refl.py -f {1}.apk reflect -c no;"
```

shown above, the script stops with the error 'input file (./temp_obfus.apk) was not found or was not readable.'

Other options such as

```python
PCM = "python pcm.py -f {1}.apk package -c no;"
BYTECODE = "python pcm.py -f {1}.apk insbyte -c no;"
BENIGN_CLASS = "python pcm.py -f {1}.apk bclass -c no;"
```

work fine even when I change the option to YES.

I'll need to test more with other APKs, but since I'm currently on leave from school for my social service duty, it's hard for me to get access to places like DREBIN, so I've asked the virusshare.com administrator for access. I plan to try with a much wider variety of samples later, but for now the APKs I'm using as samples error out at that point.

Thank you for always replying so quickly.

jeon1226 commented 6 years ago

Hello.

Have you tried running it from the directory where the Python script is located? We haven't cleaned up the path handling, so there are a few scripts that only run when you are in the same directory.

On Fri, 1 Jun 2018 at 20:34 pamphobeteus notifications@github.com wrote:

> Thank you for the reply. conf.py with the current default values runs fine! However, when I change options like
>
> ```python
> STRING = "python strp.py -f {1}.apk string -c no;"
> VARIABLE = "python strp.py -f {1}.apk variable -c no;"
> API_REFLECTION = "python refl.py -f {1}.apk reflect -c no;"
> ```
>
> to yes, the script stops with the error 'input file (./temp_obfus.apk) was not found or was not readable.'
>
> I'll need to test more with other APKs, but since I'm currently on leave from school for my social service duty, it's hard for me to get into places like DREBIN, so I've asked the virusshare.com administrator for access. I plan to try with a much wider variety of samples later, but for now the APKs I'm using as samples error out at that point.


pamphobeteus commented 6 years ago

Yes, I ran everything from the src folder with sudo.

pamphobeteus commented 6 years ago

```python
# DEFINED COMMAND: preserve original functionality

STRING = "python strp.py -f {1}.apk string -c yes;"
VARIABLE = "python strp.py -f {1}.apk variable -c yes;"
PCM = "python pcm.py -f {1}.apk package -c yes;"
BYTECODE = "python pcm.py -f {1}.apk insbyte -c yes;"
BENIGN_CLASS = "python pcm.py -f {1}.apk bclass -c no;"
RESOURCE_IMAGE = "python res.py -f {1} image -c no;"
RESOURCE_XML = "python res.py -f {1} resxml -c yes;"
API_INTER = "python api.py -f {1}.apk inter -a android -c yes;"
BEN_PERMISSION = "python api.py -f {1}.apk bpermission -c no;"
API_REFLECTION = "python refl.py -f {1}.apk reflect -c no;"

ANTI_DATAFLOW = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
COMPONENT_DIV = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
FAMILY_CHANGER = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
POLY_STR_ENC = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"

# DESTRUCTIVE OBFUSCATIONS: only for inferring feature's impact

RM_RESOURCE_PAYLOAD = "python res.py -f {1} payload -c no;"
RM_APIS = "python rmapi.py -f {1}.apk rmall -c no;"
RM_PERMISSION = "python api.py -f {1}.apk permission -c no;"
```

With the conf.py settings above, applying the tool to the two virusshare.com samples c25de17a858b57690255ae51c590f884 and 1a9d7f5d16d5ec56057190b1e812d6db gives the same error again.

```
python strp.py -f temp_obfus.apk variable -c yes; Change variable name
[*] Decoding apk file to smali
Input file (./temp_obfus.apk) was not found or was not readable.
Traceback (most recent call last):
  File "strp.py", line 414, in <module>
    strp.load_source(True)
  File "strp.py", line 266, in load_source
    self.tree = ET.parse(self.target + '/AndroidManifest.xml')
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1182, in parse
    tree.parse(source, parser)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 647, in parse
    source = open(source, "rb")
IOError: [Errno 2] No such file or directory: 'temp_obfus/AndroidManifest.xml'
python res.py -f temp_obfus image -c no;python res.py -f temp_obfus resxml -c yes;
[*] Start image obfuscation
Image file obfuscation - flip pixel
[*] Everything done now
usage: res.py resxml -c {yes,no} -n {yes,no}
res.py resxml: error: argument -n/--null-string is required
Generating test2_obfus.apk
I: Using Apktool 2.3.0
Exception in thread "main" brut.androlib.AndrolibException: brut.directory.DirectoryException: java.nio.file.NoSuchFileException: temp_obfus
    at brut.androlib.Androlib.readMetaFile(Androlib.java:265)
    at brut.androlib.Androlib.build(Androlib.java:277)
    at brut.androlib.Androlib.build(Androlib.java:270)
    at brut.apktool.Main.cmdBuild(Main.java:224)
    at brut.apktool.Main.main(Main.java:75)
Caused by: brut.directory.DirectoryException: java.nio.file.NoSuchFileException: temp_obfus
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
    at brut.directory.ExtFile.getDirectory(ExtFile.java:52)
    at brut.androlib.Androlib.readMetaFile(Androlib.java:261)
    ... 4 more
Caused by: java.nio.file.NoSuchFileException: temp_obfus
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
    at java.base/sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:145)
    at java.base/sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99)
    at java.base/java.nio.file.Files.readAttributes(Files.java:1755)
    at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:1220)
    at java.base/java.util.zip.ZipFile$CleanableResource.<init>(ZipFile.java:727)
    at java.base/java.util.zip.ZipFile$CleanableResource.get(ZipFile.java:845)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:245)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:175)
    at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:189)
    at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
    ... 7 more
```

This also happens when running with sudo from the src folder where strp.py and res.py are located.

jinhojun commented 6 years ago

If you compress the two samples (password: 1234) and send them to me by email, I'll take a look. (jinho.jung@gatech.edu)