Native Library Analysis


Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

For further information see: https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html

Android apps may use native libraries, typically written in C or C++, for performance-critical tasks. Malware authors also favour these libraries because ELF shared objects are still considerably harder to decompile than DEX/OAT byte-code. This page focuses on practical workflows and recent tooling improvements (2023-2025) that make reversing Android .so files easier.


Quick triage methodology for a freshly pulled libfoo.so

  1. Pull the library
     ```bash
     # From an installed application
     adb shell "run-as <pkg> cat lib/arm64-v8a/libfoo.so" > libfoo.so
     # Or from the APK (zip)
     unzip -j target.apk "lib/*/libfoo.so" -d extracted_libs/
     ```
  2. Identify architecture & protections
     ```bash
     file libfoo.so        # arm64 or arm32 / x86
     readelf -h libfoo.so  # OS ABI, PIE, NX, RELRO, etc.
     checksec --file libfoo.so  # (peda/pwntools)
     ```
  3. Enumerate exported symbols & JNI bindings
     ```bash
     readelf -s libfoo.so | grep ' Java_'     # dynamic-linked JNI
     strings libfoo.so   | grep -i "RegisterNatives" -n   # static-registered JNI
     ```
  4. Load it into a decompiler (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) and run auto-analysis. The newer Ghidra releases introduced an AArch64 decompiler that recognises PAC/BTI stubs and MTE tags, greatly improving analysis of libraries built with the Android 14 NDK.
  5. Decide between static and dynamic reversing: stripped or obfuscated code often requires instrumentation (Frida, ptrace/gdbserver, LLDB).

Dynamic Instrumentation (Frida ≥ 16)

Frida's 16-series brought several Android-specific improvements that help when the target is built with modern Clang/LLD optimisations:

  • thumb-relocator can now hook the tiny ARM/Thumb functions produced by LLD's aggressive alignment (--icf=all).
  • Enumerating and rebinding ELF import slots works on Android, enabling per-module patching of dlopen()/dlsym() when inline hooks are rejected.
  • Java hooking was fixed for the new ART quick-entrypoint used when apps are built with --enable-optimizations on Android 14.

Example: enumerating all functions registered through RegisterNatives and dumping their addresses at runtime:

```javascript
Java.perform(function () {
  // RegisterNatives is not an exported symbol (Module.findExportByName would return null):
  // resolve it through the JNIEnv function table, where it sits at index 215 (see jni.h).
  var env = Java.vm.getEnv();
  var fnTable = env.handle.readPointer();
  var psz = Process.pointerSize;
  var registerNatives = fnTable.add(215 * psz).readPointer();

  Interceptor.attach(registerNatives, {
    onEnter(args) {
      var clazz   = Java.cast(args[1], Java.use('java.lang.Class'));
      var methods = args[2];            // JNINativeMethod[] { char* name; char* signature; void* fnPtr; }
      var count   = args[3].toInt32();
      console.log('[+] RegisterNatives on ' + clazz.getName() + ' -> ' + count + ' methods');
      for (var i = 0; i < count; i++) {
        var entry = methods.add(i * 3 * psz);
        var name  = entry.readPointer().readCString();
        var sig   = entry.add(psz).readPointer().readCString();
        var fnPtr = entry.add(2 * psz).readPointer();
        var mod   = Process.findModuleByAddress(fnPtr);   // module + offset is what you label in the decompiler
        console.log('    ' + name + sig + ' @ ' + fnPtr +
                    (mod ? ' (' + mod.name + '+0x' + fnPtr.sub(mod.base).toString(16) + ')' : ''));
      }
    }
  });
});
```

Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.

Process-local JNI telemetry via preloaded .so (SoTap)

When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger into the target process. SoTap is a lightweight Android native (.so) library that records the runtime behaviour of other JNI (.so) libraries within the same app process (no root required).

Key properties:

  • Initialises early and observes JNI/native interactions inside the process that loads it.
  • Persists logs to several writable paths and gracefully falls back to Logcat when storage is restricted.
  • Source-customisable: edit sotap.c to extend or adjust what gets recorded and rebuild per ABI.

Setup (repack the APK):

  1. Drop the proper ABI build into the APK so the loader can resolve libsotap.so:
     • lib/arm64-v8a/libsotap.so (for arm64)
     • lib/armeabi-v7a/libsotap.so (for arm32)
  2. Ensure SoTap loads before other JNI libs. Inject a call early (e.g., an Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example:
     ```smali
     const-string v0, "sotap"
     invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
     ```
  3. Rebuild/sign/install, run the app, then collect logs.

Log paths (checked in order):

```text
/data/user/0/%s/files/sotap.log
/data/data/%s/files/sotap.log
/sdcard/Android/data/%s/files/sotap.log
/sdcard/Download/sotap-%s.log
# If all fail: fallback to Logcat only
```

Notes and troubleshooting:

  • ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load.
  • Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat.
  • Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c.

This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available.


See also: in‑memory native code execution via JNI

A common attack pattern is to download a raw shellcode blob at runtime and execute it directly from memory through a JNI bridge (no on‑disk ELF). Details and ready‑to‑use JNI snippet here:

In Memory Jni Shellcode Execution


Recent vulnerabilities worth hunting for in APKs

| Year | CVE | Affected library | Notes |
|------|-----|------------------|-------|
| 2023 | CVE-2023-4863 | libwebp ≤ 1.3.1 | Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a libwebp.so inside an APK, check its version and attempt exploitation or patching. |
| 2024 | Multiple | OpenSSL 3.x series | Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own libcrypto.so. |

When you spot third-party .so files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.


  • Pointer Authentication (PAC) & Branch Target Identification (BTI): Android 14 enables PAC/BTI in system libraries on supported ARMv8.3+ silicon. Decompilers now display PAC‐related pseudo-instructions; for dynamic analysis Frida injects trampolines after stripping PAC, but your custom trampolines should call pacda/autibsp where necessary.
  • MTE & Scudo hardened allocator: memory-tagging is opt-in but many Play-Integrity aware apps build with -fsanitize=memtag; use setprop arm64.memtag.dump 1 plus adb shell am start ... to capture tag faults.
  • LLVM Obfuscator (opaque predicates, control-flow flattening): commercial packers (e.g., Bangcle, SecNeo) increasingly protect native code, not only Java; expect bogus control-flow and encrypted string blobs in .rodata.

Resources

References
