>>So um, hi. My name is Jeff and I have a problem. I like to do, eh, eh sorry [applause] I like to do bad things to worse programming languages and for the purposes of this talk, that means Java. Um…. >>Hiiiii Jeff >>Thank you. Um, so, I’m going to, right before I get into this, I, I do want to say that this is really like a forty-minute talk distilled into twenty minutes. So, I have a lot more material in the slides than I’m specifically covering. I go through it really fast. And uh, you, I recommend going through the slides on their own, uh at some other point since they have a lot of gems hidden in them. Uh but so, getting back to, what is this talk about and why does it matter? Um, this talk is about injecting uh JRuby into Android applications to do function hooking. And this might be useful to you if you reverse Android apps or if you develop them, it’s just another debugging tool honestly. Or if you have some strange fascination with Ruby and/or REPLs. So, um, going back in time a little bit um, I was reversing this chat app called Line that’s really screwy and aside from the ProGuarding and stuff which doesn’t really matter, um the main annoying part of it was that everything was like an interface of something else. And it was really annoying to find out what objects actually were at runtime and I was just writing a bunch of one-off hooks to like see what the object was and then go off and do it again. And this was getting real boring real fast. So I decided, ya know, what if we took all the interesting functions and wrapped them in REPLs, ya know. So you drop down like a shell and you just kind of poke around at runtime and see what things are and see what they have inside them all ad-hoc style so you don’t have to like write some code and then run it, and then write some code and run it all over and over again. Um, so to take a step back a little bit. Let’s, let’s talk about kind of what the, the things you can do on Android right now are.
So you can use LD_PRELOAD. It’s pretty old-school. Native, native hooking with native code for native functions. Ya know, things like libc calls and stuff. Um, I’m kind of skipping code as I go, I, I recommend going over my slides as I said. Um, then, then of course there’s actually using the debugger which is basically, um the JDWP that you have in the normal JVM. ADB uh, exposes it. And there are various ways of, of getting into it, either the app is debuggable or you have root and stuff. The useful things from it are that it can uh list all active instances of objects, uh of all Java objects and, when you set breakpoints you can execute code in them from the context of the frame where the breakpoint got hit. Um so you can hit like, uh you can hit like protected stuff and private variables that can be hit by the code normally. It slows down the app massively though, like almost to the point of being unusable. Um, but it is useful for things. Um, it, there’s a lot of GUI stuff, a lot of GUI stuff. It’s all terrible and even the command line stuff for it is basically toxic. You, you, you hit up and you get this horrible ‘A’ character thing because it doesn’t handle like arrow keys. Uh, but it works. Uh, moving on we have Frida, which is sort of the new hotness, uh for a while. It works on Android, it actually stomps over the actual instructions in memory to ya know jump to its own hooks. Um it also recently has the capability to, uh inspect and list all the active Java objects so you can just tap one specific object. The function hooks are generally speaking implemented in JavaScript. Which is not, not something I like but uh, but it works for many people and if you don’t want to do that you can use the um, the native C/GLib code, um frida-gum, to, to do hooking with anything that compiles to like ya know native code. Um there are many ways to get it working. Um, but the hooks are fairly simple.
Um then of course we have Zygote, which is the uh, uh sorry Xposed which is kind of the big main framework for doing function hooking on Android. Which actually modifies Zygote’s uh sort of, init process that forks into the actual apps. And, the really nice thing about it, is that aside from being like Java first or Dalvik first which means you just write stuff that actually kind of has native reflection access, into, into the code you’re hooking. The other cool thing is that it hooks like always at the start of app start, reliably, even early in boot um and so you can, you can get very reliable hooks running without missing them by accident. Um, it, it has a lot, a lot, a lot of scaffolding but eventually you get to something like, something like this. Where um, it’s, it’s more or less the same thing as the, the JavaScript code. Um, so now I have a question for you. Who, who’s that Pokémon? [inaudible audience response] Meowth, that’s right, right, no that’s wrong, sorry, Parasect, Parasect is right. Um, so why am I talking about Pokémon at my talk? [laughter] Um so Parasect is a mushroom Pokémon and if you didn’t know um, the mushroom part on top of it is, is actually the Pokémon. The uh, the bug is, is a dead husk kind of marionetted by the mushroom at this point. The dead white milky eyes are sort of a hint. So, why, why again am I talking about this? I wrote a tool called ParaSpectre. And uh it, it carries basically all the same roots as, as Parasect does for the puns and things. Plus, plus what I got to introspection. Um, and, and we get this cute little guy. Um, so what is it actually though? Um ParaSpectre is a function, method hooking tool for Android uh focused on Java. Um it injects a full JRuby interpreter into a target process so that you, the hooks that you run are JRuby. They’re easily reloaded every time that you, you restart the, the um app. As opposed to Xposed where every time you change the code you actually have to reboot the phone itself.
Um, it’s implemented using Xposed but of course the Java part doesn’t change when you, when you change your hook. Um and it has a bunch of selectors that you can configure based on classes and methods. Such as superclasses or interfaces that are actually implemented by a class, um it’ll, it’ll just figure it out at runtime and if you don’t want to pay the searching cost you can just hardcode the name of the class in. So, if you, if you just want to figure out what you want to hook, you can, you can use these and you can hard code it later so subsequent runs are much faster. Um, not that they’re much slower in general. Um method matching uses the method name, the argument type signature, the return type and the exception signature and then whatever the total set of those combined, uh it’ll, it’ll find it or you can be as vague as you want. If you just want to hook toString on Object, uh anything that subclasses Object, you’re going to get a lot of stuff. Um, Ruby, uh JRuby really specifically is pretty useful in this case. Much better than Groovy was when I attempted it the first time. It has very good interop with, with the Java parts. Um, there are only a few cases where you have to do a little bit of reflection to get around some of the annoying ProGuard stuff. But in general it doesn’t really matter. The really useful thing with the way that I load it in, is that I load it under the sub- uh under the class loader that is actually for the app itself. So, it has native access to load classes from the app without reflection. Whereas with Xposed, you, you’d have to use a lot of reflection to manipulate things. Um the other cool thing is that because of this, you can actually define your own subclasses and int-, interface implementers for the Java code of the actual app itself and then plug them into any functions that take a callback function basically. Um, but I kind of started this conversation with REPLs and I’m getting back to it now eventually.
Um I use this thing called Pry which is a much better REPL than IRB, the default one that comes with Ruby, which also didn’t really want to speak well over the network. Um and it’s got a whole bunch of fancy stuff that allows you to introspect the sort of Ruby runtime but also the Java one because of JRuby much better than IRB would have, even. Um there is this thing called pry-remote which is a gem that kind of wraps Pry with this crazy, crazy thing called DRuby which is basically CORBA for Ruby. And if you know what CORBA is you’re shaking and throwing up, please, please do it in the empty seat next to you. Um, it has no authentication of its own which is scary because it’s basically without, without even like using this to send strings to eval it basically is a dual eval between the client and the server in any direction apparently. So, it’s super scary and doesn’t have authentication. So, I, I modified it, at least the one that I install on the phone um to add authentication. Then for the one you run locally I have an authenticating proxy I wrote to sort of speak to that so that at least other apps can’t compromise the one that you’re actually hooking when you’re hooking it. Uh, then you, you drop down into uh, basically with some connect-back tmux window that pops up with your shell and things work. For apps that don’t actually have the internet permission, this, this needs networking and so I have a bunch of hooks in using Xposed that will basically force the internet permission in apps that don’t request it. They really don’t like that but I get it to work anyway. Um, for configuring all this, this monstrosity I actually have a Jetty servlet web app I actually run from the device itself. Which was an exercise in frustration but it works. Um and all the edits that you make are actually tracked in a Git repo on-device. So, if you really screw something up bad you can always like adb pull that off the device and revert back to what you need to.
Um, it’s also worth mentioning that, that has authentication as well that works decently enough. Um, but overall the flow is pretty simple. Um, it, it, you edit config files, they’re world-readable so that the hooks that run within the context of the app you’re hooking can read them. Um, then I set up the JRuby environment and then I iterate through all the classes to do the searching and selecting and stuff and then Xposed is actually used to set up the actual hook and then that hook runs your Ruby code. Um, this is kind of what a hook looks like, it’s kind of quick and dirty. Um, we hook this method in this class and then we just print out what the argument is and move on. But for anything more involved you’ll use something like this where you’ll actually have a file that you can also edit through the uh, the web interface. Um, which looks something like this. And this guy disables uh cert validation, cert pinning and also hard codes my, my HTTP proxy, so that all the requests made using OkHttp go through my proxy even though that they normally speaking ignore the uh, the system proxy setting, unlike the WiFi setting. Um, you’d think this would be slow but I, I cheat really, really hard wherever I can. Um, so my, I try to load as much of the JRuby in at uh, Zygote init, um and because of the way I do it I have to play some reflection dark magic so I can force in the class loader of the app to be the parent of the JRuby class loader so that the classes resolve correctly through the app instead of just up through the default set of classes in Android, um, that Zygote can see. Um, due to some bugs in Android I can’t actually set up a whole container instance that runs the scripts in Zygote. Because if Zygote takes too long to start up the whole thing deadlocks. I have no idea why this happens. It’s really spooky, I like it to s-, I’d like to see it get fixed. Um, but uh so I have to, I have to start up the containers actually in the app itself.
And this, this takes like six to seven seconds generally but I try to parallelize it out so it’s not observable until a hook actually runs and then it’ll, it’ll have to actually finish before the hook will run. Um, for the class searching and stuff, uh because the normal like class loader searching stuff actually searches the parent class loader first before it searches the child, I yank out the internal class loader for the, the DEX classes stuff on Android. Um, using reflection and then I run that and that saves a ton of time. Um, there’s still this problem with uh basically the threading so um, there’s this, the class loader lock, you can’t actually load a class between, it, it’ll lock when you try to load a class. And so, the more threads you have the slower it goes. Um, so I eventually I might start parsing the DEX files manually but I’m not at that point yet because I haven’t hit that as a performance roadblock yet. Um, things run fast enough, this went from taking thirty seconds of overhead to being quote unquote nigh-instantaneous. Which means that if you hit that six or seven seconds you have to pay for it. Um, searching is fast enough unless you hit something like the Facebook app. Which literally has a hundred thousand classes in it as of last time I checked. And uh because of the threading thing, that, that takes a while to go through, about thirty seconds. Um, yep. Um, but this is still a lot faster than Xposed stuff, which you know, you write your Java code. You compile it, that takes however long that takes. Um, you actually copy it to the device and then you install it and then you have to reboot the phone and then wait like two minutes for the whole thing to finish if the phone’s encrypted. So, let’s, let’s do some demos shall we? Let’s hope the download Gods are with us. So, I have, um this phone, you can see on the screen. Let’s, let’s do some math, shall we? What’s a good number, you know the life, answer to life the universe and everything?
[audience response] Oh yea. So, let’s, let’s get there shall we? Oh, what’s that? That’s interesting, that’s, that’s not supposed to happen. Apparently, we have a new answer. Um, so moving on, uh like to what that way. Um, I have this hook and hopefully it’s, it’s seeable on the screen without too much of the flashing giving people epileptic seizures. But basically, I have this weird method in the ProGuarded code. It has this horrible function signa-, signature. But it returns this string. The string it returns is actually the result of the calculation. And so, whenever the, I- I- I- invoke it specifically um within the code and when the value is something I like, I do something entirely different. Um, moving on, I have this, this UI demo where basically um, I, I have a bunch of buttons and you, you click the buttons and they, they do stuff. And, and this, this is bad, if you’ve ever seen Yu-Gi-Oh Abridged you know that, that last button is wrong. Let’s do that one more time. You see, that’s now, that’s what I’m talking about. Um, attention duelists, my hair has an announcement. Um, so, the hook on this is basically just on the, the TextView stuff in the, the UI. And I actually, when I see this hello duelist string, I, I completely replace the on-click listener associated with the button. So the event handler for the button I replace with my own implementation that subclasses the on-click listener class that is, is what it actually needs as an interface to pass it to. So, this one is now, when I hit the button the first time it swaps out with my own class instance. And then the second time actually jumps straight into my code, no hooks anymore. Um, and so moving on. Now let’s, ya know this is fine and good and all. Let’s, let’s tweet. Oh, what’s this? This is a shell. Who are you? Oh, main activity. Hmmm. It says do some math fo- for me. Ooo, ten. Okay, so, so this is, I’m in the shell right now. I have access to all sorts of things. This is the Pry.
But let’s, let’s Tweet. Does anybody, does anybody have any requests? I know I’m asking a weird question to a weird crowd. Anyone? Anyone want me to tweet something? Anything. >>Yay >>Yay? Ok yay. >>DEF CON twenty-five. >>Okay. And now we’re back, we’re back in the app. Um, and I actually, oh, I need internet. That’s, that’s important. That’s super important actually. Let’s see if that worked. If it didn’t work I’ll do it again. Nope. So, we’ll, we’ll do it one more time. I, I have the onResume method hooked and so every time it goes back to main activity, uh, it’ll jump back to my hook. Uh, [inaudible sound] mmm, there you go. Kay, back here. Let’s see if it did something. Yea okay, that one worked. Ok cool, networking, how does it work. [applause] Uh, so, so this hook is a little bit interesting. Um if only because, uh let me skip past the. The, these are the proxy ones from before, from the slides. Uh, this one is a little interesting because the uh, the code for this. I, I actually just made my own method that does a whole bunch of horrible reflection and stuff into uh, into the insides of the Twitter app. And I figured out what the actual necessary functions to call for their REST APIs are internally that actually do the tweeting. I have no idea how to make replies right now. There are some weird parameters in here in this map thing that I think have to do with the reply IDs and stuff but, whatever. It works. Um, one interesting thing is that I do, I do load class with reflection if only because there’s this, this ‘A’ field here which is a static um, when you have a static internal class, nested class that matches a static field um, with the ProGuarding, you, you sort of have to do this because the resolution order in JRuby takes the method, uh, or takes the field first and not the, not the class. Um, but, now where, where can you get this magic tool? You’ll be able to get it there soon. The installation stuff I want to clean up just a little bit.
Um, there’s no way I’m getting around having to reinstall it twice because of the thing with the internet permission. It actually sets up a hook for itself so that it can grant permissions itself. But that requires you to reinstall it so that the second install, the hook runs in the package manager that then allows it to take the permissions. Uh, so only it can take the permission that it needs to grant permissions and only it can be used to grant the internet permission to apps that don’t request it. So that’s at least pretty secure and locked down. Um, limitations. The DRuby stuff is super scary. I’m going to get to it. That’s probably going to be its own talk, honestly. Since it’s just super, super dangerous. Um, adding gems, not quite supported yet. Requires some shenanigans. I’ll, I’ll probably get around to that soon. Um, so the stuff, the gems, I might make a UI to make it fancier. Might just make it easier to do in the build process. Um, the UI could use just a little bit of work maybe. Um Android 7 compatibility isn’t there yet. Because Xposed doesn’t support it yet. Um, if and when it does, I have, I know what I have to fix. Um, if it doesn’t, I, I have some plans on how I can, I can stop using Xposed. But I’d, I’d prefer to use it, because it’s, it’s useful for a whole bunch of stuff. Um, I’d like to thank a whole bunch of people specifically, um Marcos, the Scorpion Writer. Uh, aka Josie our former intern who I basically sacrificed to this thing, is a lot, for QA work. Um, she wasn’t able to make it out here today, but uh, thank, thank you Josie. Um are there any questions? You. [off-mic question] Oh, you want to know, yea, of course, of course. So, uh. Trump the Ruby has, has this, this wonderful thing. It’s just string replace. So, if we, we go to search for um, well maybe not our favorite president but a president. I mean some, someone’s favorite, ya know? He uh, he’s apparently a fan. [laughter] [applause] Uh, any, any other questions?
[applause] Uh, was that a, no, was that a question? Ok. Anyone else? Okay, thank you everyone. [applause]
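Editor’s note, added after the transcript: the talk points out that pry-remote rides on DRuby (DRb), which has no authentication of its own and is effectively a bidirectional eval channel, and that the speaker patched the on-device side to add authentication and wrote a local authenticating proxy to talk to it. The talk does not say how that authentication works. The block below is this editor’s illustration of one way such a gate can be built, not ParaSpectre’s code: a shared-key HMAC challenge-response with single-use nonces, a time limit on outstanding challenges, and a constant-time comparison. Everything in it (class names, the 30-second TTL, the `nonce|client_id` message layout, the sample key) is assumed for the example. It runs under plain Ruby, no JRuby or device needed.

```ruby
# Added example (editor's, not ParaSpectre's): an HMAC challenge-response gate
# of the kind that could sit in front of an otherwise unauthenticated
# pry-remote / DRb listener. The protocol here is an assumption for
# illustration; the talk does not describe ParaSpectre's actual scheme.
require 'openssl'
require 'securerandom'

# Compare two strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Client side: what the local authenticating proxy would compute.
class ReplAuthClient
  # Prove knowledge of the shared key over the server's nonce and our id.
  def self.prove(shared_key, nonce, client_id)
    OpenSSL::HMAC.hexdigest('SHA256', shared_key, "#{nonce}|#{client_id}")
  end
end

# Server side: the guard in front of the REPL socket on the device.
class ReplAuthServer
  CHALLENGE_TTL = 30 # seconds a challenge stays valid (assumed value)

  # `now` is injectable so expiry can be exercised deterministically.
  def initialize(shared_key, now: -> { Time.now.to_i })
    @key = shared_key
    @now = now
    @pending = {} # nonce => issue time; each nonce is honoured at most once
  end

  # Step 1: hand the connecting client a fresh random nonce.
  def issue_challenge
    nonce = SecureRandom.hex(32)
    @pending[nonce] = @now.call
    nonce
  end

  # Step 3: check HMAC(key, nonce|client_id). The nonce is consumed whether
  # or not the proof is valid, so a captured response cannot be replayed.
  def verify(nonce, client_id, response)
    issued = @pending.delete(nonce)
    return false if issued.nil?                        # unknown or already used
    return false if @now.call - issued > CHALLENGE_TTL # stale challenge
    expected = ReplAuthClient.prove(@key, nonce, client_id)
    constant_time_equal?(expected, response)
  end
end

# Walk the handshake end to end and return the server's decision.
def handshake(server, client_key, client_id = 'laptop-proxy')
  nonce = server.issue_challenge                         # server -> client
  proof = ReplAuthClient.prove(client_key, nonce, client_id) # client -> server
  server.verify(nonce, client_id, proof)
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.hex(32) # constructed sample key shared out of band
  srv = ReplAuthServer.new(key)
  puts "right key: #{handshake(srv, key)}"
  puts "wrong key: #{handshake(srv, 'not-the-key')}"
end
```

This only authenticates who may open the session; once a client is in, DRb’s object-proxy semantics still allow code to flow in both directions, which is exactly the “dual eval” property the talk warns about. Binding the listener to loopback and reaching it over an adb port forward, or wrapping the socket in TLS with a pinned client certificate, would narrow the exposure further, but the shared-key gate above is the minimum that stops another app on the device from walking into the REPL unchallenged.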