Android Hacker's Handbook - 577 PAGES


ANONMUSK

t.me/ANONMUSK
Staff member


REAL PRICE - 10$

DOWNLOAD IT FOR FREE


BOOK CONTENTS

Introduction xxv
Chapter 1 Looking at the Ecosystem 1
Understanding Android’s Roots 1
Company History 2
Version History 2
Examining the Device Pool 4
Open Source, Mostly 7
Understanding Android Stakeholders 7
Google 8
Hardware Vendors 10
Carriers 12
Developers 13
Users 14
Grasping Ecosystem Complexities 15
Fragmentation 16
Compatibility 17
Update Issues 18
Security versus Openness 21
Public Disclosures 22
Summary 23
Chapter 2 Android Security Design and Architecture 25
Understanding Android System Architecture 25
Understanding Security Boundaries and Enforcement 27
Android’s Sandbox 27
Android Permissions 30
Looking Closer at the Layers 34
Android Applications 34
The Android Framework 39
The Dalvik Virtual Machine 40
User-Space Native Code 41
The Kernel 49
Complex Security, Complex Exploits 55
Summary 56
Chapter 3 Rooting Your Device 57
Understanding the Partition Layout 58
Determining the Partition Layout 59
Understanding the Boot Process 60
Accessing Download Mode 61
Locked and Unlocked Boot Loaders 62
Stock and Custom Recovery Images 63
Rooting with an Unlocked Boot Loader 65
Rooting with a Locked Boot Loader 68
Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70
Persisting a Soft Root 71
History of Known Attacks 73
Kernel: Wunderbar/asroot 73
Recovery: Volez 74
Udev: Exploid 74
Adbd: RageAgainstTheCage 75
Zygote: Zimperlich and Zysploit 75
Ashmem: KillingInTheNameOf and psneuter 76
Vold: GingerBreak 76
PowerVR: levitator 77
Libsysutils: zergRush 78
Kernel: mempodroid 78
File Permission and Symbolic Link–Related Attacks 79
Adb Restore Race Condition 79
Exynos4: exynos-abuse 80
Diag: lit / diaggetroot 81
Summary 81
Chapter 4 Reviewing Application Security 83
Common Issues 83
App Permission Issues 84
Insecure Transmission of Sensitive Data 86
Insecure Data Storage 87
Information Leakage Through Logs 88
Unsecured IPC Endpoints 89
Case Study: Mobile Security App 91
Profiling 91
Static Analysis 93
Dynamic Analysis 109
Attack 117
Case Study: SIP Client 120
Enter Drozer 121
Discovery 121
Snarfing 122
Injection 124
Summary 126
Chapter 5 Understanding Android’s Attack Surface 129
An Attack Terminology Primer 130
Attack Vectors 130
Attack Surfaces 131
Classifying Attack Surfaces 133
Surface Properties 133
Classification Decisions 134
Remote Attack Surfaces 134
Networking Concepts 134
Networking Stacks 139
Exposed Network Services 140
Mobile Technologies 142
Client-side Attack Surface 143
Google Infrastructure 148
Physical Adjacency 154
Wireless Communications 154
Other Technologies 161
Local Attack Surfaces 161
Exploring the File System 162
Finding Other Local Attack Surfaces 163
Physical Attack Surfaces 168
Dismantling Devices 169
USB 169
Other Physical Attack Surfaces 173
Third-Party Modifications 174
Summary 174
Chapter 6 Finding Vulnerabilities with Fuzz Testing 177
Fuzzing Background 177
Identifying a Target 179
Crafting Malformed Inputs 179
Processing Inputs 180
Monitoring Results 181
Fuzzing on Android 181
Fuzzing Broadcast Receivers 183
Identifying a Target 183
Generating Inputs 184
Delivering Inputs 185
Monitoring Testing 185
Fuzzing Chrome for Android 188
Selecting a Technology to Target 188
Generating Inputs 190
Processing Inputs 192
Monitoring Testing 194
Fuzzing the USB Attack Surface 197
USB Fuzzing Challenges 198
Selecting a Target Mode 198
Generating Inputs 199
Processing Inputs 201
Monitoring Testing 202
Summary 204
Chapter 7 Debugging and Analyzing Vulnerabilities 205
Getting All Available Information 205
Choosing a Toolchain 207
Debugging with Crash Dumps 208
System Logs 208
Tombstones 209
Remote Debugging 211
Debugging Dalvik Code 212
Debugging an Example App 213
Showing Framework Source Code 215
Debugging Existing Code 217
Debugging Native Code 221
Debugging with the NDK 222
Debugging with Eclipse 226
Debugging with AOSP 227
Increasing Automation 233
Debugging with Symbols 235
Debugging with a Non-AOSP Device 241
Debugging Mixed Code 243
Alternative Debugging Techniques 243
Debug Statements 243
On-Device Debugging 244
Dynamic Binary Instrumentation 245
Vulnerability Analysis 246
Determining Root Cause 246
Judging Exploitability 260
Summary 261
Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263
Stack Buffer Overflows 264
Heap Exploitation 268
A History of Public Exploits 275
GingerBreak 275
zergRush 279
mempodroid 283
Exploiting the Android Browser 284
Understanding the Bug 284
Controlling the Heap 287
Summary 290
Chapter 9 Return Oriented Programming 291
History and Motivation 291
Separate Code and Instruction Cache 292
Basics of ROP on ARM 294
ARM Subroutine Calls 295
Combining Gadgets into a Chain 297
Identifying Potential Gadgets 299
Case Study: Android 4.0.1 Linker 300
Pivoting the Stack Pointer 301
Executing Arbitrary Code from a New Mapping 303
Summary 308
Chapter 10 Hacking and Attacking the Kernel 309
Android’s Linux Kernel 309
Extracting Kernels 310
Extracting from Stock Firmware 311
Extracting from Devices 314
Getting the Kernel from a Boot Image 315
Decompressing the Kernel 316
Running Custom Kernel Code 316
Obtaining Source Code 316
Setting Up a Build Environment 320
Configuring the Kernel 321
Using Custom Kernel Modules 322
Building a Custom Kernel 325
Creating a Boot Image 329
Booting a Custom Kernel 331
Debugging the Kernel 336
Obtaining Kernel Crash Reports 337
Understanding an Oops 338
Live Debugging with KGDB 343
Exploiting the Kernel 348
Typical Android Kernels 348
Extracting Addresses 350
Case Studies 352
Summary 364
Chapter 11 Attacking the Radio Interface Layer 367
Introduction to the RIL 368
RIL Architecture 368
Smartphone Architecture 369
The Android Telephony Stack 370
Telephony Stack Customization 371
The RIL Daemon (rild) 372
The Vendor-RIL API 374
Short Message Service (SMS) 375
Sending and Receiving SMS Messages 376
SMS Message Format 376
Interacting with the Modem 379
Emulating the Modem for Fuzzing 379
Fuzzing SMS on Android 382
Summary 390
Chapter 12 Exploit Mitigations 391
Classifying Mitigations 392
Code Signing 392
Hardening the Heap 394
Protecting Against Integer Overflows 394
Preventing Data Execution 396
Address Space Layout Randomization 398
Protecting the Stack 400
Format String Protections 401
Read-Only Relocations 403
Sandboxing 404
Fortifying Source Code 405
Access Control Mechanisms 407
Protecting the Kernel 408
Pointer and Log Restrictions 409
Protecting the Zero Page 410
Read-Only Memory Regions 410
Other Hardening Measures 411
Summary of Exploit Mitigations 414
Disabling Mitigation Features 415
Changing Your Personality 416
Altering Binaries 416
Tweaking the Kernel 417
Overcoming Exploit Mitigations 418
Overcoming Stack Protections 418
Overcoming ASLR 418
Overcoming Data Execution Protections 419
Overcoming Kernel Protections 419
Looking to the Future 420
Official Projects Underway 420
Community Kernel Hardening Efforts 420
A Bit of Speculation 422
Summary 422
Chapter 13 Hardware Attacks 423
Interfacing with Hardware Devices 424
UART Serial Interfaces 424
I2C, SPI, and One-Wire Interfaces 428
JTAG 431
Finding Debug Interfaces 443
Identifying Components 456
Getting Specifications 456
Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459
USB 459
I2C, SPI, and UART Serial Interfaces 463
Stealing Secrets and Firmware 469
Accessing Firmware Unobtrusively 469
Destructively Accessing the Firmware 471
What Do You Do with a Dump? 474
Pitfalls 479
Custom Interfaces 479
Binary/Proprietary Data 479
Blown Debug Interfaces 480
Chip Passwords 480
Boot Loader Passwords, Hotkeys, and Silent Terminals 480
Customized Boot Sequences 481
Unexposed Address Lines 481
Anti-Reversing Epoxy 482
Image Encryption, Obfuscation, and Anti-Debugging 482
Summary 482
Appendix A Tool Catalog 485
Development Tools 485
Android SDK 485
Android NDK 486
Eclipse 486
ADT Plug-In 486
ADT Bundle 486
Android Studio 487
Firmware Extraction and Flashing Tools 487
Binwalk 487
fastboot 487
Samsung 488
NVIDIA 489
LG 489
HTC 489
Motorola 490
Native Android Tools 491
BusyBox 491
setpropex 491
SQLite 491
strace 492
Hooking and Instrumentation Tools 492
ADBI Framework 492
ldpreloadhook 492
XPosed Framework 492
Cydia Substrate 493
Static Analysis Tools 493
Smali and Baksmali 493
Androguard 493
apktool 494
dex2jar 494
jad 494
JD-GUI 495
JEB 495
Radare2 495
IDA Pro and Hex-Rays Decompiler 496
Application Testing Tools 496
Drozer (Mercury) Framework 496
iSEC Intent Sniffer and Intent Fuzzer 496
Hardware Hacking Tools 496
Segger J-Link 497
JTAGulator 497
OpenOCD 497
Saleae 497
Bus Pirate 497
GoodFET 497
Total Phase Beagle USB 498
Facedancer21 498
Total Phase Beagle I2C 498
Chip Quik 498
Hot air gun 498
Xeltek SuperPro 498
IDA 499
Appendix B Open Source Repositories 501
Google 501
AOSP 501
Gerrit Code Review 502
SoC Manufacturers 502
AllWinner 503
Intel 503
Marvell 503
MediaTek 504
Nvidia 504
Texas Instruments 504
Qualcomm 505
Samsung 505
OEMs 506
ASUS 506
HTC 507
LG 507
Motorola 507
Samsung 508
Sony Mobile 508
Upstream Sources 508
Others 509
Custom Firmware 509
Linaro 510
Replicant 510
Code Indexes 510
Individuals 510
Appendix C References 511
Index


LINK DEAD REMOVED

 

pentest2377

Member
Registered
ANON said:

tanmaypaliwal8

Member
Registered
ANON said:

gonna read it

Lawn

Member
Registered
ANON said:
blob:https://imgur.com/13450c31-848b-43db-a7f8-02d7611eedaa

PRECIO REAL - 10 $​

DESCARGALO GRATIS​


RESERVA DE LIBROS​

Introducción xxv
Capítulo 1 Mirando el Ecosistema 1
Entendiendo las Raíces de Android 1
Historia de la Compañía 2 Historial de
Versiones 2
Examinando el Grupo de Dispositivos 4
Código Abierto, Mayormente 7
Entendiendo a los Interesados de Android 7 Proveedores de Hardware de
Google 8
10
Operadoras 12
Desarrolladores 13
Usuarios 14
Adquiriendo Complejidades de Ecosistemas 15
Fragmentación 16
Compatibilidad 17
Problemas de actualización 18
Seguridad frente a apertura 21
Divulgaciones públicas 22
Resumen 23
Capítulo 2 Diseño y arquitectura de seguridad de Android 25
Descripción de la arquitectura del sistema Android 25
Descripción de los límites de seguridad y su aplicación 27
Android Sandbox 27
Permisos de Android 30
Mirando más de cerca las capas 34
Aplicaciones de Android 34
El marco de Android 39
Contenido
xvi Contenido
La máquina virtual Dalvik 40
Código nativo de User-Space 41
El Kernel 49
Seguridad compleja, exploits complejos 55
Resumen 56
Capítulo 3 Rootear su dispositivo 57
Comprensión del diseño de partición 58
Determinación del diseño de partición 59
Descripción del proceso de arranque 60
Acceso al modo de descarga 61
Cargadores de arranque bloqueados y desbloqueados 62
Imágenes en stock y de recuperación personalizadas 63
Enraizamiento con un cargador de arranque desbloqueado 65
Enraizamiento con un cargador de arranque bloqueado 68
Ganando raíz en un sistema de arranque 69
Bloqueos NAND, raíz temporal y raíz permanente 70
Persistiendo en una raíz blanda 71
Historial de ataques conocidos 73
Kernel: Wunderbar / asroot 73
Recuperación: Volez 74
Udev: Exploid 74
Adbd: RageAgainstTheCage 75
Zygote: Zimperlich y Zysploit 75
Ashmem: KillingInTheNameOf y psneuter 76
Vold: GingerBreak 76
PowerVR: levitator 77
Libsysutils: zergRush 78
Kernel: mempodroid 78
Permiso de archivos y ataques relacionados con enlaces simbólicos 79
Adb Restore Condición de carrera 79
Exynos4: exynos-abuse 80
Diag: lit / diaggetroot 81
Resumen 81
Capítulo 4 Revisión de la seguridad de aplicaciones 83
Problemas comunes 83
Aplicación emite la autorización 84
no seguras en la transmisión de datos confidenciales 86
inseguro de almacenamiento de datos 87
la fuga de información a través de registros 88
sin garantía de IPC Endpoints 89
Estudio de caso: aplicación de seguridad móvil 91
Profi ling 91
Análisis estático 93
Análisis Dinámico 109
Ataque 117
Contenido xvii
Estudio de caso: SIP cliente 120
Intro Drozer 121
Discovery 121
Gráfico
124 Inyección 124
Resumen 126
Chapter 5 Understanding Android’s Attack Surface 129
An Attack Terminology Primer 130
Attack Vectors 130
Attack Surfaces 131
Classifying Attack Surfaces 133
Surface Properties 133
Classification Decisions 134
Remote Attack Surfaces 134
Networking Concepts 134
Networking Stacks 139
Exposed Network Services 140
Mobile Technologies 142
Client-side Attack Surface 143
Google Infrastructure 148
Physical Adjacency 154
Wireless Communications 154
Other Technologies 161
Local Attack Surfaces 161
Exploring the File System 162
Finding Other Local Attack Surfaces 163
Physical Attack Surfaces 168
Dismantling Devices 169
USB 169
Other Physical Attack Surfaces 173
Third-Party Modifications 174
Summary 174
Chapter 6 Finding Vulnerabilities with Fuzz Testing 177
Fuzzing Background 177
Identifying a Target 179
Crafting Malformed Inputs 179
Processing Inputs 180
Monitoring Results 181
Fuzzing on Android 181
Fuzzing Broadcast Receivers 183
Identifying a Target 183
Generating Inputs 184
Delivering Inputs 185
Monitoring Testing 185
Fuzzing Chrome for Android 188
Selecting a Technology to Target 188
Generating Inputs 190
Processing Inputs 192
Monitoring Testing 194
Fuzzing the USB Attack Surface 197
USB Fuzzing Challenges 198
Selecting a Target Mode 198
Generating Inputs 199
Processing Inputs 201
Monitoring Testing 202
Summary 204
Chapter 7 Debugging and Analyzing Vulnerabilities 205
Getting All Available Information 205
Choosing a Toolchain 207
Debugging with Crash Dumps 208
System Logs 208
Tombstones 209
Remote Debugging 211
Debugging Dalvik Code 212
Debugging an Example App 213
Showing Framework Source Code 215
Debugging Existing Code 217
Debugging Native Code 221
Debugging with the NDK 222
Debugging with Eclipse 226
Debugging with AOSP 227
Increasing Automation 233
Debugging with Symbols 235
Debugging with a Non-AOSP Device 241
Debugging Mixed Code 243
Alternative Debugging Techniques 243
Debug Statements 243
On-Device Debugging 244
Dynamic Binary Instrumentation 245
Vulnerability Analysis 246
Determining Root Cause 246
Judging Exploitability 260
Summary 261
Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263
Stack Buffer Overflows 264
Heap Exploitation 268
A History of Public Exploits 275
GingerBreak 275
zergRush 279
mempodroid 283
Exploiting the Android Browser 284
Understanding the Bug 284
Controlling the Heap 287
Summary 290
Chapter 9 Return Oriented Programming 291
History and Motivation 291
Separate Code and Instruction Cache 292
Basics of ROP on ARM 294
ARM Subroutine Calls 295
Combining Gadgets into a Chain 297
Identifying Potential Gadgets 299
Case Study: Android 4.0.1 Linker 300
Pivoting the Stack Pointer 301
Executing Arbitrary Code from a New Mapping 303
Summary 308
Chapter 10 Hacking and Attacking the Kernel 309
Android’s Linux Kernel 309
Extracting Kernels 310
Extracting from Stock Firmware 311
Extracting from Devices 314
Getting the Kernel from a Boot Image 315
Decompressing the Kernel 316
Running Custom Kernel Code 316
Obtaining Source Code 316
Setting Up a Build Environment 320
Configuring the Kernel 321
Using Custom Kernel Modules 322
Building a Custom Kernel 325
Creating a Boot Image 329
Booting a Custom Kernel 331
Debugging the Kernel 336
Obtaining Kernel Crash Reports 337
Understanding an Oops 338
Live Debugging with KGDB 343
Exploiting the Kernel 348
Typical Android Kernels 348
Extracting Addresses 350
Case Studies 352
Summary 364
Chapter 11 Attacking the Radio Interface Layer 367
Introduction to the RIL 368
RIL Architecture 368
Smartphone Architecture 369
The Android Telephony Stack 370
Telephony Stack Customization 371
The RIL Daemon (rild) 372
The Vendor-RIL API 374
Short Message Service (SMS) 375
Sending and Receiving SMS Messages 376
SMS Message Format 376
Interacting with the Modem 379
Emulating the Modem for Fuzzing 379
Fuzzing SMS on Android 382
Summary 390
Chapter 12 Exploit Mitigations 391
Classifying Mitigations 392
Code Signing 392
Hardening the Heap 394
Protecting Against Integer Overflows 394
Preventing Data Execution 396
Address Space Layout Randomization 398
Protecting the Stack 400
Format String Protections 401
Read-Only Relocations 403
Sandboxing 404
Fortifying Source Code 405
Access Control Mechanisms 407
Protecting the Kernel 408
Pointer and Log Restrictions 409
Protecting the Zero Page 410
Read-Only Memory Regions 410
Other Hardening Measures 411
Summary of Exploit Mitigations 414
Disabling Mitigation Features 415
Changing Your Personality 416
Altering Binaries 416
Tweaking the Kernel 417
Overcoming Exploit Mitigations 418
Overcoming Stack Protections 418
Overcoming ASLR 418
Overcoming Data Execution Protections 419
Overcoming Kernel Protections 419
Looking to the Future 420
Official Projects Underway 420
Community Kernel Hardening Efforts 420
A Bit of Speculation 422
Summary 422
Chapter 13 Hardware Attacks 423
Interfacing with Hardware Devices 424
UART Serial Interfaces 424
I2C, SPI, and One-Wire Interfaces 428
JTAG 431
Finding Debug Interfaces 443
Identifying Components 456
Getting Specifications 456
Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459
USB 459
I2C, SPI, and UART Serial Interfaces 463
Stealing Secrets and Firmware 469
Accessing Firmware Unobtrusively 469
Destructively Accessing the Firmware 471
What Do You Do with a Dump? 474
Pitfalls 479
Custom Interfaces 479
Binary/Proprietary Data 479
Blown Debug Interfaces 480
Chip Passwords 480
Boot Loader Passwords, Hotkeys, and Silent Terminals 480
Customized Boot Sequences 481
Unexposed Address Lines 481
Anti-Reversing Epoxy 482
Image Encryption, Obfuscation, and Anti-Debugging 482
Summary 482
Appendix A Tool Catalog 485
Development Tools 485
Android SDK 485
Android NDK 486
Eclipse 486
ADT Plug-In 486
ADT Bundle 486
Android Studio 487
Firmware Extraction and Flashing Tools 487
Binwalk 487
fastboot 487
Samsung 488
NVIDIA 489
LG 489
HTC 489
Motorola 490
Native Android Tools 491
BusyBox 491
setpropex 491
SQLite 491
strace 492
Hooking and Instrumentation Tools 492
ADBI Framework 492
ldpreloadhook 492
XPosed Framework 492
Cydia Substrate 493
Static Analysis Tools 493
Smali and Baksmali 493
Androguard 493
apktool 494
dex2jar 494
jad 494
JD-GUI 495
JEB 495
Radare2 495
IDA Pro and Hex-Rays Decompiler 496
Application Testing Tools 496
Drozer (Mercury) Framework 496
iSEC Intent Sniffer and Intent Fuzzer 496
Hardware Hacking Tools 496
JTAGulator 497
Segger J-Link 497
OpenOCD 497
Saleae 497
Bus Pirate 497
GoodFET 497
Total Phase Beagle USB 498
Facedancer21 498
Total Phase Beagle I2C 498
Chip Quik 498
Hot air gun 498
Xeltek SuperPro 498
IDA 499
Appendix B Open Source Repositories 501
Google 501
AOSP 501
Gerrit Code Review 502
SoC Manufacturers 502
AllWinner 503
Intel 503
Marvell 503
MediaTek 504
Nvidia 504
Texas Instruments 504
Qualcomm 505
Samsung 505
OEMs 506
ASUS 506
HTC 507
LG 507
Motorola 507
Samsung 508
Sony Mobile 508
Upstream Sources 508
Others 509
Custom Firmware 509
Linaro 510
Replicant 510
Code Indexes 510
Individuals 510
Appendix C References 511
Index

DOWNLOAD NOW

Very good!

hacker007

Newbie
Registered
ANON said:

REAL PRICE - 10$

DOWNLOAD IT FOR FREE

BOOK CONTENTS

Introduction xxv
Chapter 1 Looking at the Ecosystem 1
Understanding Android’s Roots 1
Company History 2
Version History 2
Examining the Device Pool 4
Open Source, Mostly 7
Understanding Android Stakeholders 7
Google 8
Hardware Vendors 10
Carriers 12
Developers 13
Users 14
Grasping Ecosystem Complexities 15
Fragmentation 16
Compatibility 17
Update Issues 18
Security versus Openness 21
Public Disclosures 22
Summary 23
Chapter 2 Android Security Design and Architecture 25
Understanding Android System Architecture 25
Understanding Security Boundaries and Enforcement 27
Android’s Sandbox 27
Android Permissions 30
Looking Closer at the Layers 34
Android Applications 34
The Android Framework 39
The Dalvik Virtual Machine 40
User-Space Native Code 41
The Kernel 49
Complex Security, Complex Exploits 55
Summary 56
Chapter 3 Rooting Your Device 57
Understanding the Partition Layout 58
Determining the Partition Layout 59
Understanding the Boot Process 60
Accessing Download Mode 61
Locked and Unlocked Boot Loaders 62
Stock and Custom Recovery Images 63
Rooting with an Unlocked Boot Loader 65
Rooting with a Locked Boot Loader 68
Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70
Persisting a Soft Root 71
History of Known Attacks 73
Kernel: Wunderbar/asroot 73
Recovery: Volez 74
Udev: Exploid 74
Adbd: RageAgainstTheCage 75
Zygote: Zimperlich and Zysploit 75
Ashmem: KillingInTheNameOf and psneuter 76
Vold: GingerBreak 76
PowerVR: levitator 77
Libsysutils: zergRush 78
Kernel: mempodroid 78
File Permission and Symbolic Link–Related Attacks 79
Adb Restore Race Condition 79
Exynos4: exynos-abuse 80
Diag: lit / diaggetroot 81
Summary 81
Chapter 4 Reviewing Application Security 83
Common Issues 83
App Permission Issues 84
Insecure Transmission of Sensitive Data 86
Insecure Data Storage 87
Information Leakage Through Logs 88
Unsecured IPC Endpoints 89
Case Study: Mobile Security App 91
Profiling 91
Static Analysis 93
Dynamic Analysis 109
Attack 117
Case Study: SIP Client 120
Enter Drozer 121
Discovery 121
Snarfing 122
Injection 124
Summary 126
Chapter 5 Understanding Android’s Attack Surface 129
An Attack Terminology Primer 130
Attack Vectors 130
Attack Surfaces 131
Classifying Attack Surfaces 133
Surface Properties 133
Classification Decisions 134
Remote Attack Surfaces 134
Networking Concepts 134
Networking Stacks 139
Exposed Network Services 140
Mobile Technologies 142
Client-side Attack Surface 143
Google Infrastructure 148
Physical Adjacency 154
Wireless Communications 154
Other Technologies 161
Local Attack Surfaces 161
Exploring the File System 162
Finding Other Local Attack Surfaces 163
Physical Attack Surfaces 168
Dismantling Devices 169
USB 169
Other Physical Attack Surfaces 173
Third-Party Modifications 174
Summary 174
Chapter 6 Finding Vulnerabilities with Fuzz Testing 177
Fuzzing Background 177
Identifying a Target 179
Crafting Malformed Inputs 179
Processing Inputs 180
Monitoring Results 181
Fuzzing on Android 181
Fuzzing Broadcast Receivers 183
Identifying a Target 183
Generating Inputs 184
Delivering Inputs 185
Monitoring Testing 185
Fuzzing Chrome for Android 188
Selecting a Technology to Target 188
Generating Inputs 190
Processing Inputs 192
Monitoring Testing 194
Fuzzing the USB Attack Surface 197
USB Fuzzing Challenges 198
Selecting a Target Mode 198
Generating Inputs 199
Processing Inputs 201
Monitoring Testing 202
Summary 204
Chapter 7 Debugging and Analyzing Vulnerabilities 205
Getting All Available Information 205
Choosing a Toolchain 207
Debugging with Crash Dumps 208
System Logs 208
Tombstones 209
Remote Debugging 211
Debugging Dalvik Code 212
Debugging an Example App 213
Showing Framework Source Code 215
Debugging Existing Code 217
Debugging Native Code 221
Debugging with the NDK 222
Debugging with Eclipse 226
Debugging with AOSP 227
Increasing Automation 233
Debugging with Symbols 235
Debugging with a Non-AOSP Device 241
Debugging Mixed Code 243
Alternative Debugging Techniques 243
Debug Statements 243
On-Device Debugging 244
Dynamic Binary Instrumentation 245
Vulnerability Analysis 246
Determining Root Cause 246
Judging Exploitability 260
Summary 261
Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263
Stack Buffer Overflows 264
Heap Exploitation 268
A History of Public Exploits 275
GingerBreak 275
zergRush 279
mempodroid 283
Exploiting the Android Browser 284
Understanding the Bug 284
Controlling the Heap 287
Summary 290
Chapter 9 Return Oriented Programming 291
History and Motivation 291
Separate Code and Instruction Cache 292
Basics of ROP on ARM 294
ARM Subroutine Calls 295
Combining Gadgets into a Chain 297
Identifying Potential Gadgets 299
Case Study: Android 4.0.1 Linker 300
Pivoting the Stack Pointer 301
Executing Arbitrary Code from a New Mapping 303
Summary 308
Chapter 10 Hacking and Attacking the Kernel 309
Android’s Linux Kernel 309
Extracting Kernels 310
Extracting from Stock Firmware 311
Extracting from Devices 314
Getting the Kernel from a Boot Image 315
Decompressing the Kernel 316
Running Custom Kernel Code 316
Obtaining Source Code 316
Setting Up a Build Environment 320
Configuring the Kernel 321
Using Custom Kernel Modules 322
Building a Custom Kernel 325
Creating a Boot Image 329
Booting a Custom Kernel 331
Debugging the Kernel 336
Obtaining Kernel Crash Reports 337
Understanding an Oops 338
Live Debugging with KGDB 343
Exploiting the Kernel 348
Typical Android Kernels 348
Extracting Addresses 350
Case Studies 352
Summary 364
Chapter 11 Attacking the Radio Interface Layer 367
Introduction to the RIL 368
RIL Architecture 368
Smartphone Architecture 369
The Android Telephony Stack 370
Telephony Stack Customization 371
The RIL Daemon (rild) 372
The Vendor-RIL API 374
Short Message Service (SMS) 375
Sending and Receiving SMS Messages 376
SMS Message Format 376
Interacting with the Modem 379
Emulating the Modem for Fuzzing 379
Fuzzing SMS on Android 382
Summary 390
Chapter 12 Exploit Mitigations 391
Classifying Mitigations 392
Code Signing 392
Hardening the Heap 394
Protecting Against Integer Overflows 394
Preventing Data Execution 396
Address Space Layout Randomization 398
Protecting the Stack 400
Format String Protections 401
Read-Only Relocations 403
Sandboxing 404
Fortifying Source Code 405
Access Control Mechanisms 407
Protecting the Kernel 408
Pointer and Log Restrictions 409
Protecting the Zero Page 410
Read-Only Memory Regions 410
Other Hardening Measures 411
Summary of Exploit Mitigations 414
Disabling Mitigation Features 415
Changing Your Personality 416
Altering Binaries 416
Tweaking the Kernel 417
Overcoming Exploit Mitigations 418
Overcoming Stack Protections 418
Overcoming ASLR 418
Overcoming Data Execution Protections 419
Overcoming Kernel Protections 419
Looking to the Future 420
Official Projects Underway 420
Community Kernel Hardening Efforts 420
A Bit of Speculation 422
Summary 422
Chapter 13 Hardware Attacks 423
Interfacing with Hardware Devices 424
UART Serial Interfaces 424
I2C, SPI, and One-Wire Interfaces 428
JTAG 431
Finding Debug Interfaces 443
Identifying Components 456
Getting Specifications 456
Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459
USB 459
I2C, SPI, and UART Serial Interfaces 463
Stealing Secrets and Firmware 469
Accessing Firmware Unobtrusively 469
Destructively Accessing the Firmware 471
What Do You Do with a Dump? 474
Pitfalls 479
Custom Interfaces 479
Binary/Proprietary Data 479
Blown Debug Interfaces 480
Chip Passwords 480
Boot Loader Passwords, Hotkeys, and Silent Terminals 480
Customized Boot Sequences 481
Unexposed Address Lines 481
Anti-Reversing Epoxy 482
Image Encryption, Obfuscation, and Anti-Debugging 482
Summary 482
Appendix A Tool Catalog 485
Development Tools 485
Android SDK 485
Android NDK 486
Eclipse 486
ADT Plug-In 486
ADT Bundle 486
Android Studio 487
Firmware Extraction and Flashing Tools 487
Binwalk 487
fastboot 487
Samsung 488
NVIDIA 489
LG 489
HTC 489
Motorola 490
Native Android Tools 491
BusyBox 491
setpropex 491
SQLite 491
strace 492
Hooking and Instrumentation Tools 492
ADBI Framework 492
ldpreloadhook 492
XPosed Framework 492
Cydia Substrate 493
Static Analysis Tools 493
Smali and Baksmali 493
Androguard 493
apktool 494
dex2jar 494
jad 494
JD-GUI 495
JEB 495
Radare2 495
IDA Pro and Hex-Rays Decompiler 496
Application Testing Tools 496
Drozer (Mercury) Framework 496
iSEC Intent Sniffer and Intent Fuzzer 496
Hardware Hacking Tools 496
Segger J-Link 497
JTAGulator 497
OpenOCD 497
Saleae 497
Bus Pirate 497
GoodFET 497
Total Phase Beagle USB 498
Facedancer21 498
Total Phase Beagle I2C 498
Chip Quik 498
Hot air gun 498
Xeltek SuperPro 498
IDA 499
Appendix B Open Source Repositories 501
Google 501
AOSP 501
Gerrit Code Review 502
SoC Manufacturers 502
AllWinner 503
Intel 503
Marvell 503
MediaTek 504
Nvidia 504
Texas Instruments 504
Qualcomm 505
Samsung 505
OEMs 506
ASUS 506
HTC 507
LG 507
Motorola 507
Samsung 508
Sony Mobile 508
Upstream Sources 508
Others 509
Custom Firmware 509
Linaro 510
Replicant 510
Code Indexes 510
Individuals 510
Appendix C References 511
Index

DOWNLOAD NOW