BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Runtime Riddles: Abusing Manipulation Points in the 
 Android\n   Source\n   When: Saturday\, Aug 12\, 16:00 - 16:45 PDT\n   Whe
 re: Caesars Forum - Forum - 109-119\, 138-139 - Track 2 - [1]Map\n\n   Spe
 akerBio:Laurie Kirk\, Security Researcher at Microsoft\n   Laurie Kirk is
  a Reverse Engineer at Microsoft working in incident\n   response. She spe
 cializes in cross-platform malware analysis with a\n   focus on mobile thr
 eats. She also runs a YouTube channel\n   (@LaurieWired) that covers all s
 orts of in-depth Malware Analysis\,\n   Reverse-Engineering\, Exploitation
  and security topics. Laurie received\n   her Bachelor's Degree from Flori
 da State University in Computer\n   Science with a minor in Math. She star
 ted as a Software Engineer for\n   an aerospace company before finding her
  current calling in Cyber\n   Security and low-level programming.\n   Twit
 ter: [2]@LaurieWired\n\n   Description:\n   Android malware creators cons
 tantly struggle to devise innovative\n   methods to obscure apps and imped
 e reverse engineering. As numerous\n   standard techniques have lost effic
 acy\, I'll unveil the next frontier\n   in Android obfuscation: runtime ma
 nipulation. Runtime manipulation\n   alters standard application flow-of-c
 ontrol to bypass decompilers and\n   emulators.\n\n   In this talk\, I'll 
 reveal my strategy for pinpointing manipulation\n   targets in Android's s
 ource code. I will describe how I craft\n   manipulators in native C++ onc
 e a suitable target has been located.\n   This is accomplished by hooking 
 Java methods via the Java Native\n   Interface (JNI) and typecasting the h
 andle to a C-style pointer.\n   Runtime manipulation can entirely remove t
 races of ClassLoader calls\n   which are unavoidable for standard Dalvik E
 xecutable (DEX) packing\,\n   but are also easily discovered and hooked. T
 his technique also\n   effectively breaks cross-reference calculations wit
 hin all Android\n   decompilers.\n\n   I will demonstrate and equip attend
 ees with a custom Android library\n   for devices running Android 13\, pro
 viding a new tool that enables\n   runtime manipulation experimentation. I
 n addition\, I'll demonstrate my\n   methodology for pinpointing Java targ
 ets and modifying their\n   underlying native data structures.\n\n   REFER
 ENCES\n         [3]https://security.csl.toronto.edu/wp-content/uploads/201
 8/06/mwong-usenixsec2018-tiro.pdf\n\n   ArtMethod hooking: [4]https://gith
 ub.com/PAGalaxyLab/YAHFA mCookie\n   manipulation: [5]https://github.com/w
 oxihuannisja/Bangcle\n   DexFile.java: [6]https://cs.android.com/android/p
 latform/superproject/+/master:libcore/dalvik/src/main/java/dalvik/system/D
 exFile.java\n   dex_file.h: [7]https://cs.android.com/android/platform/sup
 erproject/+/refs/heads/master:art/libdexfile/dex/dex_file.h\n   art_method
 .h: [8]https://cs.android.com/android/platform/superproject/+/master:art/r
 untime/art_method.h\;bpv=0\;bpt=0\n   Executable.java – contains artMeth
 od field: [9]https://cs.android.com/android/platform/superproject/+/master
 :libcore/ojluni/src/main/java/java/lang/reflect/Executable.java\;l=582?q=a
 rtMethod&ss=android%2Fplatform%2Fsuperproject\n\n   '\n\n   1. #CaesarsFor
 umBR\n   2. https://twitter.com/@LaurieWired\n   3. https://security.csl.t
 oronto.edu/wp-content/uploads/2018/06/mwong-usenixsec2018-tiro.pdf\n   4. 
 https://github.com/PAGalaxyLab/YAHFA\n   5. https://github.com/woxihuannis
 ja/Bangcle\n   6. https://cs.android.com/android/platform/superproject/+/m
 aster:libcore/dalvik/src/main/java/dalvik/system/DexFile.java\n   7. https
 ://cs.android.com/android/platform/superproject/+/refs/heads/master:art/li
 bdexfile/dex/dex_file.h\n   8. https://cs.android.com/android/platform/sup
 erproject/+/master:art/runtime/art_method.h\;bpv=0\;bpt=0\n   9. https://c
 s.android.com/android/platform/superproject/+/master:libcore/ojluni/src/ma
 in/java/java/lang/reflect/Executable.java\;l=582?q=artMethod&ss=android%2F
 platform%2Fsuperproject\n\n\n
DTEND:20230812T234500Z
DTSTART:20230812T230000Z
LOCATION:DC - Caesars Forum - Forum - 109-119\, 138-139 - Track 2
SUMMARY:Runtime Riddles: Abusing Manipulation Points in the Android Source
END:VEVENT
END:VCALENDAR
