With the advent of the 5G era, the mobile Internet has developed rapidly. Android, as a leading mobile operating system, has grown at an unprecedented pace under the impetus of 5G technology, and the number of Android applications has increased exponentially. With this explosive growth, the security threat posed by malicious Android applications is becoming ever more severe. Packing technology, originally created to protect applications from tampering, is now used by malicious applications as a "protective umbrella" to evade detection by security software. Because security software cannot effectively detect malicious applications that hide behind packing, Android application unpacking technology is particularly important. To determine effectively whether a packed application carries malicious code, researchers have developed a number of impressive unpacking techniques. However, these techniques cannot adapt to new packing techniques, and research on unpacking has not kept pace with the development of packing. Therefore, addressing the deficiencies of existing unpacking technology, this paper proposes CBox, a general unpacking sandbox for the Android platform. The contributions are as follows:

1) CBox proposes Capk, an unpacking framework for memory-restoration packing technology based on interpreter interception. Capk improves on the problems of existing unpacking technology: the unpacking point is not deep enough, the granularity of active calls is not fine enough, the unpacker cannot reach into the Native layer to obtain DEX files, and the degree of automation is low. Capk obtains DEX files at the Android Native layer, makes active calls at function-level granularity, intercepts and unpacks deep inside the interpreter, and automatically repairs the generated DEX file after unpacking is complete.

2) CBox proposes Camp, an auxiliary unpacking framework for VMP packing technology. Camp addresses problems of existing unpacking technology: the inability to quickly restore the approximate semantics of code protected by VMP packing, the inability to quickly locate the custom interpreter of the VMP packer, and the lack of a Trace tool suited to the Android unpacking environment. Camp uses JNI monitoring to quickly restore the approximate semantics of VMP-protected code, combines JNI monitoring with Trace records to quickly locate the VMP packer's custom interpreter, and uses Capstone to implement a Trace tool adapted to the Android unpacking environment.

Experiments show that Capk is a fully automated unpacking framework with high concealment, strong versatility and high efficiency. The semantic restoration function provided by Camp and its method of quickly locating the VMP interpreter are effective, and CTrace, the Trace tool provided by Camp, is an efficient and highly versatile Trace tool that is fully suited to the Android environment.
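The "automatic repair of the generated DEX file" step in contribution 1) refers to rewriting the header fields that a DEX dumped from process memory typically carries in a stale or zeroed state, so that standard tools will accept the file. As an added illustration, not code from CBox or Capk, the following Python rebuilds the magic, `file_size`, `header_size`, `endian_tag`, SHA-1 signature and Adler-32 checksum of a dumped buffer using the field offsets from the DEX format specification. The sample buffer is constructed here (a header-sized block of zeros followed by filler bytes), not a real DEX; the section offsets after the header are left exactly as dumped, since only the integrity fields are repaired.

```python
import hashlib
import struct
import zlib

# Offsets from the DEX format specification (header is 0x70 bytes).
HEADER_SIZE = 0x70
OFF_CHECKSUM = 8      # u4 adler32 over bytes [12:]
OFF_SIGNATURE = 12    # 20-byte SHA-1 over bytes [32:]
OFF_FILE_SIZE = 32    # u4, total file length
OFF_HEADER_SIZE = 36  # u4, always 0x70
OFF_ENDIAN_TAG = 40   # u4, 0x12345678 for little-endian
ENDIAN_CONSTANT = 0x12345678


def verify_dex_header(data: bytes) -> dict:
    """Check the integrity fields of a DEX buffer. Returns one bool per field."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than a DEX header")
    checksum = struct.unpack_from("<I", data, OFF_CHECKSUM)[0]
    file_size = struct.unpack_from("<I", data, OFF_FILE_SIZE)[0]
    return {
        "magic": data[:4] == b"dex\n" and data[7:8] == b"\0",
        "checksum": checksum == (zlib.adler32(data[OFF_SIGNATURE:]) & 0xFFFFFFFF),
        "signature": data[OFF_SIGNATURE:OFF_FILE_SIZE]
        == hashlib.sha1(data[OFF_FILE_SIZE:]).digest(),
        "file_size": file_size == len(data),
    }


def repair_dex_header(data: bytes, version: bytes = b"035") -> bytes:
    """Rewrite the header fields a memory dump commonly leaves wrong.

    Order matters: file_size/header_size/endian_tag are fixed first, then the
    signature (which covers everything from offset 32), then the checksum
    (which covers everything from offset 12, including the signature).
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than a DEX header")
    buf = bytearray(data)
    buf[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<I", buf, OFF_FILE_SIZE, len(buf))
    struct.pack_into("<I", buf, OFF_HEADER_SIZE, HEADER_SIZE)
    struct.pack_into("<I", buf, OFF_ENDIAN_TAG, ENDIAN_CONSTANT)
    buf[OFF_SIGNATURE:OFF_FILE_SIZE] = hashlib.sha1(bytes(buf[OFF_FILE_SIZE:])).digest()
    checksum = zlib.adler32(bytes(buf[OFF_SIGNATURE:])) & 0xFFFFFFFF
    struct.pack_into("<I", buf, OFF_CHECKSUM, checksum)
    return bytes(buf)


# Constructed sample: a zeroed header (as a dumper that wiped the magic and
# integrity fields might leave it) plus filler standing in for the DEX body.
SAMPLE_DUMP = bytes(HEADER_SIZE) + b"constructed-dex-body-bytes" * 4


if __name__ == "__main__":
    print("before:", verify_dex_header(SAMPLE_DUMP))
    fixed = repair_dex_header(SAMPLE_DUMP)
    print("after: ", verify_dex_header(fixed))
```

The verify step is also useful on its own when triaging dumps: a buffer whose magic is intact but whose checksum or signature does not match is a sign the dump was taken while the packer was still rewriting the file, and should be re-captured rather than repaired blindly.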