ADT is a Miasm-based symbolic execution toolset designed to help model application behavior, research and test security vulnerabilities, and facilitate reversing hostile code.
- The ability to save/restore all threads & processes contexts
- A centralized (json encoded) config file to mimick an Android environment
- A scheduler to handle mutexes, multi-threading and multi-processing
- fork()
- pthread_create()
- pthread_mutex_lock/unlock()
- Blocking file reads / writes
- Java JNI (java native bridge) implementation which handles
- Strings
- Files & directories
- Arrays
- Function calls
- Class fields
- A number of miscallenous implementations
- sscanf()
- mktime()
- crc32, mimicking the c version
- c++ streams
- pipes
- fstat() and android's custom struct w/ padding for aarch64
- android libc's _system_property_get()
- varargs (general case scenario working only)
- prcrl
- Install Miasm from this Miasm fork. The patches from the
experimental
branch implement aaarch64 instructions, and provide the corresponding jitter and sandboxing components.git clone https://github.com/nguigo/miasm.git && cd miasm && git checkout experimental
pip install .
git clone https://github.com/nccgroup/android_demystification_toolbox.git
pip install ./android_demystification_toolbox
- From the template
- Fill out the necessary memory requirements in the
one_time_setup()
function - Enter your custom breakpoints in the
breakpoints_setup()
function - Let the main loop take care of handling the multiple contexts
- Use adt.config to store Android environment information (see samples for more details)
- Fill out the necessary memory requirements in the
- The NDK sample can be run as a demo with
python3 sample.py libhello-jnicallback.so
The contexts are saved and restored using the pickle module, which is not safe with untrusted data. Ensure only trusted contexts are restored.
- The sample function
save_context_and_dump()
can be used as a jitter callback:
jitter.add_breakpoint(<my_address>, save_context_and_dump)
- The code automatically looks for a
context.pkl
to restore, so the following command line can be used:
ln -s context_myaddress.pkl context.pkl
- Upon starting the script, the context will be restored automatically