File: src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md (13 additions & 0 deletions)
@@ -171,6 +171,18 @@ When the information is saved in logs you can **check statistics like how many t
171
171
172
172
---
173
173
174
+
### Android in-app native telemetry (no root)
175
+
176
+
On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback.
177
+
178
+
See the Android native reversing page for setup details and log paths:
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
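Review bot: the cross-reference closing the new section ("See the Android native reversing page for setup details and log paths:") ends in a colon, but no link or include target follows it in the visible lines before the existing "Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation" paragraph; add the actual reference to `src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md` (the file this same commit extends), otherwise the pointer resolves to nothing. Also, the summary sells the technique as "no system-wide hooks or root" but omits the cost the detailed page spells out, namely that the APK has to be repacked and re-signed ("Setup (repack the APK)", "Rebuild/sign/install") and that the logger only sees the process that loads it; one sentence here saying so would stop readers from trying it against an unmodified installed app.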
@@ -262,5 +274,6 @@ idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
262
274
## References
263
275
264
276
-[Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
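Review bot: the hunk header (`-262,5 +274,6`) records one added line in References, but the only entry visible here is the Unit42 SLOW#TEMPEST link; make sure the added entry is the SoTap project link, since the new section names the library and `sotap.c` without citing where to obtain it or which version the described log paths correspond to.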
File: src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md (41 additions & 2 deletions)
@@ -63,6 +63,42 @@ Java.perform(function () {
63
63
```
64
64
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.
65
65
66
+
### Process-local JNI telemetry via preloaded .so (SoTap)
67
+
68
+
When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger inside the target process. SoTap is a lightweight Android native (.so) library that logs the runtime behavior of other JNI (.so) libraries within the same app process (no root required).
69
+
70
+
Key properties:
71
+
- Initializes early and observes JNI/native interactions inside the process that loads it.
72
+
- Persists logs using multiple writable paths with graceful fallback to Logcat when storage is restricted.
73
+
- Source-customizable: edit sotap.c to extend/adjust what gets logged and rebuild per ABI.
74
+
75
+
Setup (repack the APK):
76
+
1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so:
77
+
- lib/arm64-v8a/libsotap.so (for arm64)
78
+
- lib/armeabi-v7a/libsotap.so (for arm32)
79
+
2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example:
3) Rebuild/sign/install, run the app, then collect logs.
85
+
86
+
Log paths (checked in order):
87
+
```
88
+
/data/user/0/%s/files/sotap.log
89
+
/data/data/%s/files/sotap.log
90
+
/sdcard/Android/data/%s/files/sotap.log
91
+
/sdcard/Download/sotap-%s.log
92
+
# If all fail: fallback to Logcat only
93
+
```
94
+
95
+
Notes and troubleshooting:
96
+
- ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load.
97
+
- Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat.
98
+
- Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c.
99
+
100
+
This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available.
101
+
66
102
---
67
103
68
104
### Recent vulnerabilities worth hunting for in APKs
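Review bot: the `%s` placeholder in the "Log paths (checked in order)" block is never explained; say that it is the app's package name (e.g. `/data/user/0/<package>/files/sotap.log`), otherwise readers will look for a literal `%s`. The "ABI alignment is mandatory" bullet should also say that if the APK ships more than one `lib/<abi>/` directory, `libsotap.so` has to be copied into each of them, because the installer keeps only the directory matching the device's primary ABI and `System.loadLibrary` searches nothing else, so a copy in `arm64-v8a` alone still gives `UnsatisfiedLinkError` on a 32-bit-only device. Step 2 assumes an `Application` subclass exists: state that the injected `<clinit>`/`onCreate` only runs if that class is declared as `android:name` on `<application>` in AndroidManifest.xml, and that one has to be added when the app uses the default `Application`. Finally, "no root required" is true, but step 3's re-signing changes the app's signing certificate, so apps that verify their own signature or rely on Play Integrity/SafetyNet will detect the repack; that belongs under "Notes and troubleshooting" next to the storage caveat.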
@@ -93,6 +129,9 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \<number>_ and the declarations of the variables (_const v0, 0x1_)
165
+
- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local <number>_ and the declarations of the variables (_const v0, 0x1_)
166
166
- If you want to put the logging code in the middle of the code of a function:
167
167
- Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_
168
168
- The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0).
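Review bot: the added bullet at diff line 165 duplicates the existing bullet directly above it (the only difference is `_.local \<number>_` versus `_.local <number>_`), so the rendered page will show the same sentence twice; either drop the addition or replace the old line instead of adding a copy. While touching it, the smali directive is `.locals <number>` (as the later bullet's own `_.locals 10_` example shows), not `.local`, and if the unescaped `<number>` is kept, confirm the markdown renderer does not swallow it as an HTML tag, which is presumably why it was escaped in the first place.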
### Loading a Native Library at Startup (System.loadLibrary)
189
190
190
-
{{#include ../../banners/hacktricks-training.md}}
191
+
Sometimes you need to preload a native library so it initializes before other JNI libs (e.g., to enable process-local telemetry/logging). You can inject a call to System.loadLibrary() in a static initializer or early in Application.onCreate(). Example smali for a static class initializer (<clinit>):
192
+
193
+
```smali
194
+
.class public Lcom/example/App;
195
+
.super Landroid/app/Application;
196
+
197
+
.method static constructor <clinit>()V
198
+
.registers 1
199
+
const-string v0, "sotap" # library name without lib...so prefix
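Review bot: the `{{#include ../../banners/hacktricks-training.md}}` line carries a `-` marker, so the closing training banner is removed from the page rather than kept after the new section; re-add it after the `<clinit>` example so the page ends the way the rest of the book does. The snippet also defines `Lcom/example/App;` extending `Landroid/app/Application;` without saying that this class must be registered as `android:name` on `<application>` in AndroidManifest.xml (or that the `<clinit>` should be injected into the app's existing `Application` subclass); without that, the static initializer never runs and nothing is loaded. Minor: the comment on the `const-string` line ("library name without lib...so prefix") should read "library name without the `lib` prefix and `.so` suffix".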