Locating Third-party Library Functions in Obfuscated Applications


Authors: YUAN Jiangfeng; LI Haoxiang; YOU Wei [1]; HUANG Jianjun [1]; SHI Wenchang [1]; LIANG Bin [1] (School of Information, Renmin University of China, Beijing 100872, China)

Affiliation: [1] School of Information, Renmin University of China, Beijing 100872, China

Source: Computer Science (《计算机科学》), 2023, No. 7, pp. 293-301 (9 pages)

Funding: National Natural Science Foundation of China (U1836209, 62272465, 62002361); CCF-Huawei Populus Grove Research Innovation Fund (CCF-HuaweiSE2021002).

Abstract: Third-party libraries are an important part of Android applications. When performing security enhancement or analysis based on application repackaging, it is often necessary to locate specific functions in a third-party library, which requires mapping functions in the library's source code to their positions in the disassembled code of the target application. In practice, many applications are obfuscated, which makes locating third-party library functions challenging. In the disassembled code of an obfuscated application, most of the features that could be used for locating are eliminated, and the code becomes obscure and difficult to analyze. Without such clues, it is very difficult to locate a specific function in the huge code space. Existing analyses of obfuscated applications focus only on identifying which third-party libraries an application contains, and do not perform finer-grained, function-level identification. This paper presents a method for locating specific third-party library functions in obfuscated application code. First, the obfuscator and obfuscation parameters used by the application are identified, so that the third-party library source code can be processed into code obfuscated in the same way as the target application; this step is called obfuscation alignment. On this basis, lookup features are introduced into the functions to be located through static instrumentation, and their post-obfuscation structural features are extracted to identify the function locations in the target application. Experimental results show that the proposed method identifies the obfuscation tools and obfuscation parameters used by target applications with high accuracy, and accurately locates third-party library functions of interest in popular obfuscated closed-source applications.

Keywords: Android application; repackaging; obfuscation; third-party library; locating

Classification number: TP309.2 [Automation and Computer Technology: Computer System Architecture]

 
