def analyzeAPK(self):
""" Uses androguard to retrieve metadata about the app e.g. activities, permissions, intent filters, etc. """
try:
prettyPrint("Analyzing app")
logEvent("Analyzing app: \"%s\"" % self.APKPath)
# 1. Load the APK using androguard
analysisSession = Session()
analysisSession.add(self.APKPath, open(self.APKPath).read())
# 2. Retrieve handles to APK and its dex code
self.APK = analysisSession.analyzed_apk.values()[0]
self.DEX = analysisSession.analyzed_dex.values()[0][0]
self.VMAnalysis = analysisSession.analyzed_dex.values()[0][1]
# 3. Retrieve information for each activity
prettyPrint("Analyzing activities")
self.activitiesInfo = analyzeActivities(self.APK, self.DEX)
# 4. Do the same for services and broadcast receivers
prettyPrint("Analyzing services")
self.servicesInfo = analyzeServices(self.APK, self.DEX)
prettyPrint("Analyzing broadcast receivers")
self.receiversInfo = analyzeReceivers(self.APK, self.DEX)
except Exception as e:
prettyPrintError(e)
return False
prettyPrint("Success")
return True
def setupSession(self):
self.session = Session()
self.fileLoadingThread = FileLoadingThread(self.session)
self.connect(self.fileLoadingThread,
QtCore.SIGNAL("loadedFile(bool)"),
self.loadedFile)
def testTypes(self):
s = Session()
with open(TEST_CASE, "rb") as fd:
digest, d, dx = s.addDEX(TEST_CASE, fd.read())
for method in d.get_methods():
key = method.get_class_name() + " " + method.get_name(
) + " " + method.get_descriptor()
if key not in VALUES:
continue
print("METHOD", method.get_class_name(), method.get_name(),
method.get_descriptor())
code = method.get_code()
bc = code.get_bc()
idx = 0
for i in bc.get_instructions():
if "const" in i.get_name():
i.show(0)
formatted_operands = i.get_formatted_operands()
print(formatted_operands)
if not formatted_operands:
VALUES[key].pop(0)
else:
for f in formatted_operands:
self.assertAlmostEqual(f,
VALUES[key].pop(0),
places=4)
idx += i.get_length()
def interact(session=False, apk=None):
"""
Start an interactive shell
:param session:
:param apk:
:return:
"""
from androguard.core.androconf import ANDROGUARD_VERSION, CONF
from IPython.terminal.embed import InteractiveShellEmbed
from traitlets.config import Config
from androguard.misc import init_print_colors, AnalyzeAPK
from androguard.session import Session
if session:
CONF["SESSION"] = Session(export_ipython=True)
if apk:
print("Loading apk {}...".format(os.path.basename(apk)))
print("Please be patient, this might take a while.")
# TODO we can export fancy aliases for those as well...
a, d, dx = AnalyzeAPK(apk)
cfg = Config()
_version_string = "Androguard version {}".format(ANDROGUARD_VERSION)
ipshell = InteractiveShellEmbed(
config=cfg, banner1="{} started".format(_version_string))
init_print_colors()
ipshell()
def interact():
CONF["SESSION"] = Session(True)
cfg = Config()
ipshell = InteractiveShellEmbed(config=cfg,
banner1="Androguard version %s" %
ANDROGUARD_VERSION)
init_print_colors()
ipshell()
def get_default_session():
"""
Return the default Session from the configuration
or create a new one, if the session in the configuration is None.
"""
if androconf.CONF["SESSION"] is None:
androconf.CONF["SESSION"] = Session()
return androconf.CONF["SESSION"]
def process_files(apk1, apk2, should_multiprocess=True):
"""
Similar issues to load_androguard. Serialization issue prevents sending this object (multiple Gbs in RAM) through a
multiprocessing mechanism such as Pipes (or anything build on top of it, i. e. Queues).
"""
file_paths = (apk1, apk2)
if not should_multiprocess:
s = Session()
return tuple(
map(lambda f: load_androguard(f, True, False, s=s), file_paths))
parent_conn, child_conn = multiprocessing.Pipe(False)
def post_result(file_path, conn):
value = load_androguard(file_path, True, False)
conn.send((file_path, value))
ps = [
multiprocessing.Process(target=post_result, args=(f, child_conn))
for f in file_paths
]
def apply_map(f, i):
for x in i:
f(x)
assert len(file_paths) == 2
print("Starting multiprocessing Files")
# Serialization with Pickle requires higher recursion limit
import sys
previous_recursion = sys.getrecursionlimit()
sys.setrecursionlimit(50000)
apply_map(multiprocessing.Process.start, ps)
values = (parent_conn.recv(), parent_conn.recv())
r = tuple(
map(lambda x: x[1], sorted(values,
key=lambda x: file_paths.index(x[0]))))
apply_map(multiprocessing.Process.join, ps)
print("Finished all processes")
sys.setrecursionlimit(previous_recursion)
return r
def testTypes(self):
s = Session()
with open(TEST_CASE, "rb") as fd:
digest, d, dx = s.addDEX(TEST_CASE, fd.read())
for method in filter(lambda x: x.full_name in VALUES, d.get_methods()):
print("METHOD", method.full_name)
for i in filter(lambda x: 'const' in x.get_name(),
method.get_instructions()):
i.show(0)
# ins should only have one literal
self.assertEquals(len(i.get_literals()), 1)
fmt, value = VALUES[method.full_name].pop(0)
converted = format_value(i.get_literals()[0], i, fmt)
print(i.get_literals(), fmt, value, converted)
self.assertEqual(converted, value)
print()
def interact(session=False, apk=None):
"""
Start an interactive shell
:param session:
:param apk:
:return:
"""
if session:
CONF["SESSION"] = Session(export_ipython=True)
if apk:
print("Loading apk {}...".format(os.path.basename(apk)))
print("Please be patient, this might take a while.")
# TODO we can export fancy aliases for those as well...
a, d, dx = AnalyzeAPK(apk)
cfg = Config()
ipshell = InteractiveShellEmbed(config=cfg, banner1="{} started".format(_version_string))
init_print_colors()
ipshell()
def load_androguard(file_path,
force_reload=False,
write_session=True,
session_file=None,
s=None):
"""
Should handle saving and loading sessions automatically.
Writing and Loading sessions currently cause a Kernel Disconnect or an EOF Error (Pickle serialization issues)
"""
if (not force_reload) and path.exists(session_file):
print("Loading Existing Session")
s = Load(session_file)
a = d = dx = None
else:
print("Loading Session from Apk at", file_path)
if s is None:
s = Session()
a, d, dx = AnalyzeAPK(file_path, s)
if write_session:
print("Saving Loaded Session to", session_file)
s.add(file_path, dx=dx)
Save(s, session_file)
return a, d, dx
def run(self):
app.logger.info('new analysis')
s = Session()
self.status = 'Analyzing APK'
a, d, dx = AnalyzeAPK(self.target_file,
session=s) #APK,list[DalvikVMFormat],Analysis
print(type(a), type(d[0]), type(dx))
#cache activities, receivers, services, and providers, because for some reason, saving the Session causes a bug, breaking getters
"""i.e. bytecodes/apk.py", line 582, in get_elements
for item in self.xml[i].findall('.//' + tag_name):
TypeError: string indices must be integers """
activities = a.get_activities()
receivers = a.get_receivers()
services = a.get_services()
providers = a.get_providers()
self.main_activity = a.get_main_activity()
if self.session_save_file:
sys.setrecursionlimit(100000000)
self.status = 'Saving session file'
Save(s, self.session_save_file)
cached_analyses.append({'md5': self.md5, 'analysis': (a, d, dx)})
#gather all classes from dexs 'd'
#classes = get_all_classes_from_dexs(d)
classes = dx.classes
total_num = len(classes)
done = 0 #num of done classes
#result_classes contains the completed analysis info for each class run through the ClassAnalysis object
result_classes = []
analysis_start_time = time.time()
self.status = 'Getting all classes'
for c_name, c_analysis in classes.items():
ca = ClassAnalysis(c_name, c_analysis, activities, receivers,
services, providers)
ca_result = ca.run()
result_classes.append(ca_result)
done += 1
if done % ceil(total_num / 100) == 0:
self.progress += 1
#app.logger.info(self.progress)
# with app.test_request_context('/'):
# socketio.emit('newstatus', {'data':self.progress}, namespace='/status')
analysis_end_time = time.time()
analysis_total_time = analysis_end_time - analysis_start_time
#debugging:
self.status = 'Writing beforenetworkx debugging JSON'
with open(self.graph_out_path + '.beforenetworkx', 'w') as f:
json.dump(result_classes,
f,
indent=4,
separators=(',', ': '),
sort_keys=True)
#create a networkx graph given the completed analyses in result_classess
create_graph_start_time = time.time()
self.status = 'Creating graph out of {} classes analyzed'.format(
len(result_classes))
graph = create_graph(classes=result_classes)
create_graph_end_time = time.time()
create_graph_total_time = create_graph_end_time - create_graph_start_time
#write graph to file: graph_out_path
write_graph_start_time = time.time()
self.status = 'Writing graph to disk'
write_graph(graph, self.graph_out_path)
write_graph_end_time = time.time()
write_graph_total_time = write_graph_end_time - write_graph_start_time
#build and write another graph that contains only providers,receivers,activities, and services
if self.component_subgraph_out_path:
component_names = []
self.status = 'Getting component nodes from graph'
for node in graph:
node_tmp = graph.node[node]
if node_tmp[
'component_type'] != NonComponentType.EXTERNAL and node_tmp[
'component_type'] != NonComponentType.INTERNAL:
component_names.append(node_tmp['name'])
self.status = 'Creating subgraph containing only components'
subgraph = get_class_subgraph(graph, class_names=component_names)
self.status = 'Writing subgraph to disk'
write_graph(subgraph, self.component_subgraph_out_path)
#app metadata for misc/debugging
apk_size = os.path.getsize(self.target_file)
self.status = 'Writing metadata'
self.write_app_metadata(result_classes, a, analysis_total_time,
apk_size, create_graph_total_time,
write_graph_total_time)
#debugging
# with open(self.graph_out_path+'.runmetrics', 'w') as f:
# json.dump()
self.progress = 100
self.status = 'Done'
self.paused.wait(
) #wait for caller to collect last status and reset event before finishing
app.logger.info('done')
def androlyze_main(session, filename):
"""
Start an interactive shell
:param session: Session file to load
:param filename: File to analyze, can be APK or DEX (or ODEX)
"""
from androguard.core.androconf import ANDROGUARD_VERSION, CONF
from IPython.terminal.embed import InteractiveShellEmbed
from traitlets.config import Config
from androguard.session import Session, Load
from colorama import Fore
import colorama
import atexit
# Import commonly used classes, for further usage...
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes.dvm import DalvikVMFormat
from androguard.core.analysis.analysis import Analysis
from androguard.misc import AnalyzeAPK
colorama.init()
if session:
print("Restoring session '{}'...".format(session))
s = CONF['SESSION'] = Load(session)
print("Successfully restored {}".format(s))
# TODO Restore a, d, dx etc...
else:
s = CONF["SESSION"] = Session(export_ipython=True)
if filename:
("Loading apk {}...".format(os.path.basename(filename)))
print("Please be patient, this might take a while.")
filetype = androconf.is_android(filename)
print("Found the provided file is of type '{}'".format(filetype))
if filetype not in ['DEX', 'DEY', 'APK']:
print(Fore.RED + "This file type is not supported by androlyze for auto loading right now!" + Fore.RESET, file=sys.stderr)
print("But your file is still available:")
print(">>> filename")
print(repr(filename))
print()
else:
with open(filename, "rb") as fp:
raw = fp.read()
h = s.add(apk, raw)
print("Added file to session: SHA256::{}".format(h))
if filetype == 'APK':
print("Loaded APK file...")
a, d, dx = s.get_objects_apk(digest=h)
print(">>> a")
print(a)
print(">>> d")
print(d)
print(">>> dx")
print(dx)
print()
elif filetype in ['DEX', 'DEY']:
print("Loaded DEX file...")
for h_, d, dx in s.get_objects_dex():
if h == h_:
break
print(">>> d")
print(d)
print(">>> dx")
print(dx)
print()
def shutdown_hook():
"""Save the session on exit, if wanted"""
if not s.isOpen():
return
try:
res = input("Do you want to save the session? (y/[n])?").lower()
except (EOFError, KeyboardInterrupt):
pass
else:
if res == "y":
# TODO: if we already started from a session, probably we want to save it under the same name...
# TODO: be able to take any filename you want
fname = s.save()
print("Saved Session to file: '{}'".format(fname))
cfg = Config()
_version_string = "Androguard version {}".format(ANDROGUARD_VERSION)
ipshell = InteractiveShellEmbed(config=cfg, banner1="{} started"
.format(_version_string))
atexit.register(shutdown_hook)
ipshell()
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
fh.setFormatter(formatter)
ch.setFormatter(formatter)
# add the handlers to the logger
logger.addHandler(fh)
logger.addHandler(ch)
if not os.path.isfile(path):
logger.info('{path} is not a valid file'.format(path=path))
sys.exit()
if not output_file_path:
output_file_path = os.path.splitext(os.path.basename(path))[0] + '.json'
logger.info('output file defaulting to: {path}'.format(path=output_file_path))
start = time.time()
a, d, dx = AnalyzeAPK(path, session=Session())
end = time.time()
logger.info('androguard time: {t}'.format(t=(end-start)))
#a = <class 'androguard.core.bytecodes.apk.APK'>
#d = list <class 'androguard.core.bytecodes.dvm.DalvikVMFormat'> a list of DalvikVMFormat objects, each pertaining to a single classes.dex
#dx = list <class 'androguard.core.analysis.analysis.Analysis'> A list of Analyses objects, each pertaining to a single classes.dex
logger.info(len(d))
logger.info(len(dx))
start = time.time()
result = []
for __d in d:#all dex
print(len(__d.get_classes()))
continue
from pprint import pprint
from androguard.session import Session
from androguard.misc import AnalyzeAPK
a, d, dx = AnalyzeAPK('/home/branden/apks/dendroid.apk', session=Session())
print('here')
acts = a.get_activities()
print('here2')
print(acts)
parser = argparse.ArgumentParser(description="Androguard GUI")
parser.add_argument("-d", "--debug", action="store_true", default=False)
parser.add_argument("-i", "--input_file", default=None)
parser.add_argument("-c", "--console", action="store_true", default=False)
args = parser.parse_args()
if args.debug:
androconf.set_debug()
# We need that to save huge sessions when leaving and avoid
# RuntimeError: maximum recursion depth exceeded while pickling an object
# or
# RuntimeError: maximum recursion depth exceeded in cmp
# http://stackoverflow.com/questions/2134706/hitting-maximum-recursion-depth-using-pythons-pickle-cpickle
sys.setrecursionlimit(50000)
session = Session(export_ipython=args.console)
console = None
if args.console:
console = IpythonConsole()
console.start()
app = QtGui.QApplication(sys.argv)
window = MainWindow(session=session, input_file=args.input_file)
window.resize(1024, 768)
window.show()
sys.exit(app.exec_())
def extractStaticFeatures(apkPath):
"""Extracts static numerical features from APK using Androguard"""
try:
features = [[], [], [], []] # Tuples are immutable
if os.path.exists(apkPath.replace(".apk",".static")):
prettyPrint("Found a pre-computed static features file")
bFeatures, pFeatures, aFeatures, allFeatures = [], [], [], []
try:
possibleExtensions = [".basic", ".perm", ".api", ".static"]
for ext in possibleExtensions:
if os.path.exists(apkPath.replace(".apk", ext)):
content = open(apkPath.replace(".apk", ext)).read()
if len(content) > 0:
features[possibleExtensions.index(ext)] = [float(f) for f in content[1:-1].split(',') if len(f) > 0]
return tuple(features)
except Exception as e:
prettyPrintError(e)
prettyPrint("Could not extract features from \".static\" file. Continuing as usual", "warning")
if verboseON():
prettyPrint("Starting analysis on \"%s\"" % apkPath, "debug")
analysisSession = Session()
if not os.path.exists(apkPath):
prettyPrint("Could not find the APK file \"%s\"" % apkPath, "warning")
return [], [], [], []
# 1. Analyze APK and retrieve its components
#t = threading.Timer(300.0, returnEmptyFeatures) # Guarantees not being stuck on analyzing an APK
#t.start()
analysisSession.add(apkPath, open(apkPath).read())
if type(analysisSession.analyzed_apk.values()) == list:
apk = analysisSession.analyzed_apk.values()[0][0]
else:
apk = analysisSession.analyzed_apk.values()[0]
dex = analysisSession.analyzed_dex.values()[0][0]
vm = analysisSession.analyzed_dex.values()[0][1]
# 2. Add features to the features vector
basicFeatures, permissionFeatures, apiCallFeatures, allFeatures = [], [], [], []
# 2.a. The APK-related features
if verboseON():
prettyPrint("Extracting basic features", "debug")
minSDKVersion = 0.0 if not apk.get_min_sdk_version() else float(apk.get_min_sdk_version())
maxSDKVersion = 0.0 if not apk.get_max_sdk_version() else float(apk.get_max_sdk_version())
basicFeatures.append(minSDKVersion)
basicFeatures.append(maxSDKVersion)
basicFeatures.append(float(len(apk.get_activities()))) # No. of activities
basicFeatures.append(float(len(apk.get_services()))) # No. of services
basicFeatures.append(float(len(apk.get_receivers()))) # No. of broadcast receivers
basicFeatures.append(float(len(apk.get_providers()))) # No. of providers
# 2.b. Harvest permission-related features
if verboseON():
prettyPrint("Extracting permissions-related features", "debug")
aospPermissions = float(len(apk.get_requested_aosp_permissions())) # Android permissions requested by the app
declaredPermissions = float(len(apk.get_declared_permissions())) # Custom permissions declared by the app
dangerousPermissions = float(len([p for p in apk.get_requested_aosp_permissions_details().values() if p["protectionLevel"] == "dangerous"]))
totalPermissions = float(len(apk.get_permissions()))
permissionFeatures.append(totalPermissions) # No. of permissions
if totalPermissions > 0:
permissionFeatures.append(aospPermissions/totalPermissions) # AOSP permissions : Total permissions
permissionFeatures.append(declaredPermissions/totalPermissions) # Third-party permissions : Total permissions
permissionFeatures.append(dangerousPermissions/totalPermissions) # Dangerous permissions : Total permissions
else:
permissionFeatures.append(0.0)
permissionFeatures.append(0.0)
permissionFeatures.append(0.0)
# 2.c. The DEX-related features (API calls)
if verboseON():
prettyPrint("Extracting API calls from dex code", "debug")
apiCallFeatures.append(float(len(dex.get_classes()))) # Total number of classes
apiCallFeatures.append(float(len(dex.get_strings()))) # Total number of strings
apiCategories = sensitiveAPICalls.keys()
apiCategoryCount = [0.0] * len(apiCategories)
for c in dex.classes.get_names():
currentClass = dex.get_class(c)
if not currentClass:
continue
code = currentClass.get_source()
if len(code) < 1:
continue
for category in apiCategories:
if code.find(category) != -1:
for call in sensitiveAPICalls[category]:
apiCategoryCount[apiCategories.index(category)] += float(len(re.findall(call, code)))
apiCallFeatures += apiCategoryCount
except Exception as e:
prettyPrintError(e)
return [], [], [], []
allFeatures = basicFeatures + permissionFeatures + apiCallFeatures
return basicFeatures, permissionFeatures, apiCallFeatures, allFeatures
def run(self):
"""
Runs the Droidutan test against the [processTarget] for [processDuration]
"""
try:
# A timer to guarante the process exits
if verboseON():
prettyPrint(
"Setting timer for %s seconds" %
str(float(self.processDuration) * 5.0), "debug")
t = threading.Timer(float(self.processDuration) * 5.0, self.stop)
t.start()
# Step 1. Analyze APK
#APKType = "malware" if self.processTarget.find("malware") != -1 else "goodware"
if verboseON():
prettyPrint("Analyzing APK: \"%s\"" % self.processTarget,
"debug")
s = Session()
s.add(self.processTarget, open(self.processTarget).read())
if len(s.analyzed_apk.values()) > 0:
apk = s.analyzed_apk.values()[0]
if type(apk) == list:
apk = s.analyzed_apk.values()[0][0]
else:
prettyPrint("Could not retrieve an APK to analyze. Skipping",
"warning")
return False
# Step 2. Get the Ip address assigned to the AVD
getAVDIPCmd = [
"VBoxManage", "guestproperty", "enumerate", self.processVM
]
avdIP = ""
result = subprocess.Popen(
getAVDIPCmd, stderr=subprocess.STDOUT,
stdout=subprocess.PIPE).communicate()[0].replace(' ', '')
if result.lower().find("error") != -1:
prettyPrint("Unable to retrieve the IP address of the AVD",
"error")
print result
return False
index = result.find("androvm_ip_management,value:") + len(
"androvm_ip_management,value:")
while result[index] != ',':
avdIP += result[index]
index += 1
adbID = "%s:5555" % avdIP
# Step 3. Define frequently-used commands
droidbotOut = self.processTarget.replace(".apk", "_droidbot")
droidbotCmd = [
"droidbot", "-d", adbID, "-a", self.processTarget, "-o",
droidbotOut, "-timeout",
str(self.processDuration), "-random", "-keep_env",
"-grant_perm"
]
# Step 4. Test the APK using Droidbot (Assuming machine is already on)
prettyPrint("Testing the APK \"%s\" using Droidbot" % apk.package)
# 4.a. Start Droidbot
status = subprocess.Popen(droidbotCmd,
stderr=subprocess.STDOUT,
stdout=subprocess.PIPE).communicate()[0]
# 4.b. Check for existence of output directory
if not os.path.exists(droidbotOut):
prettyPrint(
"No output folder found for \"%s\"" % self.processTarget,
"warning")
return False
# 4.c. Filter the logcat dumped by droidbot
logFile = open("%s/logcat_filtered.log" % droidbotOut, "w")
catlog = subprocess.Popen(("cat", "%s/logcat.txt" % droidbotOut),
stdout=subprocess.PIPE)
output = subprocess.check_output(
("grep", "-i", "droidmon-apimonitor-%s" % apk.package),
stdin=catlog.stdout)
logFile.write(output)
logFile.close()
except subprocess.CalledProcessError as cpe:
prettyPrint(
"Unable to find the tag \"Droidmon-apimonitor-%s\" in the log file"
% apk.package, "warning")
except Exception as e:
prettyPrintError(e)
return False
return True
32768.5, 32767.5, 32766.5, -5, -65535, -65536,
-123456789123456789.555555555, -123456789123456789.555555555,
-606384730, -123456790519087104, -606384730, 3.5
],
}
def _test(got, expected):
if got == expected:
prefix = ' OK '
else:
prefix = ' X '
print('%s got: %s expected: %s' % (prefix, repr(got), repr(expected)))
s = Session()
with open(TEST_CASE, "rb") as fd:
digest, d, dx = s.addDEX(TEST_CASE, fd.read())
for method in d.get_methods():
key = method.get_class_name() + " " + method.get_name(
) + " " + method.get_descriptor()
if key not in VALUES:
continue
print("METHOD", method.get_class_name(), method.get_name(),
method.get_descriptor())
code = method.get_code()
bc = code.get_bc()
