Meaning the actual code which is responsible for the core operations of the malware (the evil part) is encrypted and is not in its official.

Only once unpacked, decrypted and loaded at runtime is it available for study. So by monitoring the filesystem we can detect the unpacking and creation of those .dex/.so files, and copy them aside for analysis.

QA - Most mobile applications create/edit/delete files while operating. By monitoring the file system on the testing device, we can automate tests that use the changes in the filesystem as indicators of whether the application is operating properly or malfunctioning.

The method I want to discuss is Linux's own inotify API. The inotify API provides a mechanism for monitoring filesystem events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory. Since Android was built on top of the Linux kernel and this API was not removed by the developers of Android, we are able to access it using its header, which is sys/inotify.h. To initialise inotify we must first call inotify_init(). The method creates a new instance of inotify and returns us the file descriptor to that instance:

```c
int inotifyFd = inotify_init();
```
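As an added example (not the author's code), here is what a small watcher built on that file descriptor could look like: it initialises inotify as above, adds a watch on one directory for files that are created, finished writing or moved in, and reports those named .dex or .so so they can be copied aside. The function names, the watched path and the sample records in demo_scan are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Dropped code shows up as a file created, closed after writing, or moved in. */
#define WATCH_MASK (IN_CREATE | IN_CLOSE_WRITE | IN_MOVED_TO)
int is_code_artifact(const char *n) {       /* .dex or .so: what an unpacker drops */
    size_t l = strlen(n);
    return (l > 4 && !strcmp(n + l - 4, ".dex")) || (l > 3 && !strcmp(n + l - 3, ".so"));
}
/* Walks the variable-length inotify_event records read(2) returns, prints each
   watched event naming a .dex/.so file and returns the count. */
int scan_inotify_buffer(const char *buf, size_t len) {
    int hits = 0;
    for (size_t off = 0; off + sizeof(struct inotify_event) <= len;) {
        const struct inotify_event *ev = (const struct inotify_event *)(buf + off);
        if (off + sizeof *ev + ev->len > len) break;            /* truncated record */
        if (ev->len && (ev->mask & WATCH_MASK) && is_code_artifact(ev->name)) {
            printf("wd=%d mask=0x%x name=%s\n", ev->wd, ev->mask, ev->name);
            hits++;
        }
        off += sizeof *ev + ev->len;
    }
    return hits;
}
/* Live monitor: one inotify instance, one directory watch, loop until read() fails. */
int monitor_dir(const char *dir) {
    int fd = inotify_init();
    if (fd < 0) { perror("inotify_init"); return -1; }
    if (inotify_add_watch(fd, dir, WATCH_MASK) < 0) { perror("inotify_add_watch"); close(fd); return -1; }
    char buf[4096] __attribute__((aligned(8)));             /* records are 4-byte aligned */
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0;)
        scan_inotify_buffer(buf, (size_t)n);
    close(fd);
    return 0;
}
/* Constructed sample (not from a device): three records as the kernel lays them out,
   names zero-padded to 16 bytes; two of them name code artifacts. */
int demo_scan(void) {
    const char *names[] = { "classes.dex", "notes.txt", "libpayload.so" };
    char buf[256] __attribute__((aligned(8)));
    size_t off = 0;
    for (int i = 0; i < 3; i++, off += sizeof(struct inotify_event) + 16) {
        struct inotify_event ev = { .wd = 1, .mask = i == 2 ? IN_CLOSE_WRITE : IN_CREATE, .len = 16 };
        memcpy(buf + off, &ev, sizeof ev);
        strncpy(buf + off + sizeof ev, names[i], 16);       /* NUL-padded like the kernel */
    }
    return scan_inotify_buffer(buf, off);
}
```

On a device, call monitor_dir() with the app's private data directory (the process needs read access to it); demo_scan() exercises the same parser on the constructed records without any kernel involvement.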