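def analyzeAPK(self):
    """
    Uses androguard to retrieve metadata about the app (activities, services,
    broadcast receivers).

    Populates self.APK, self.DEX and self.VMAnalysis from a fresh Session, then
    self.activitiesInfo, self.servicesInfo and self.receiversInfo via the
    analyze* helpers.

    Returns:
        True on success; False if any step raised, in which case the error is
        reported through prettyPrintError instead of being propagated.
    """
    try:
        prettyPrint("Analyzing app")
        logEvent("Analyzing app: \"%s\"" % self.APKPath)
        # 1. Load the APK using androguard. Read it as bytes and close the
        # handle deterministically (the original left an open handle to the GC).
        analysisSession = Session()
        with open(self.APKPath, "rb") as apkFile:
            analysisSession.add(self.APKPath, apkFile.read())
        # 2. Retrieve handles to the APK and its dex code. The session keys its
        # results by digest, so take the first entry; list() makes this work
        # whether .values() is a list (Py2) or a view (Py3).
        self.APK = list(analysisSession.analyzed_apk.values())[0]
        dexEntry = list(analysisSession.analyzed_dex.values())[0]
        self.DEX = dexEntry[0]
        self.VMAnalysis = dexEntry[1]
        # 3. Retrieve information for each activity
        prettyPrint("Analyzing activities")
        self.activitiesInfo = analyzeActivities(self.APK, self.DEX)
        # 4. Do the same for services and broadcast receivers
        prettyPrint("Analyzing services")
        self.servicesInfo = analyzeServices(self.APK, self.DEX)
        prettyPrint("Analyzing broadcast receivers")
        self.receiversInfo = analyzeReceivers(self.APK, self.DEX)
    except Exception as e:
        prettyPrintError(e)
        return False
    prettyPrint("Success")
    return True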
def setupSession(self):
    """
    Create a fresh androguard Session and the worker thread that loads files
    into it, wiring the thread's ``loadedFile(bool)`` signal to
    ``self.loadedFile``.
    """
    self.session = Session()
    loader = FileLoadingThread(self.session)
    self.fileLoadingThread = loader
    self.connect(loader, QtCore.SIGNAL("loadedFile(bool)"), self.loadedFile)
def testTypes(self):
    """
    For every method listed in VALUES, walk its bytecode and check that the
    formatted operands of each const-family instruction match the expected
    values in order (compared to 4 decimal places). An instruction with no
    formatted operands still consumes one expected value.
    """
    session = Session()
    with open(TEST_CASE, "rb") as fd:
        _digest, dex, _dx = session.addDEX(TEST_CASE, fd.read())

    for method in dex.get_methods():
        cls_name = method.get_class_name()
        name = method.get_name()
        desc = method.get_descriptor()
        key = " ".join((cls_name, name, desc))
        if key not in VALUES:
            continue
        expected = VALUES[key]
        print("METHOD", cls_name, name, desc)

        offset = 0
        for ins in method.get_code().get_bc().get_instructions():
            if "const" in ins.get_name():
                ins.show(0)
                operands = ins.get_formatted_operands()
                print(operands)
                if operands:
                    for got in operands:
                        self.assertAlmostEqual(got, expected.pop(0), places=4)
                else:
                    # nothing to compare, but the expected list still advances
                    expected.pop(0)
            offset += ins.get_length()
def interact(session=False, apk=None):
    """
    Start an interactive IPython shell.

    :param session: when truthy, install a fresh ``Session(export_ipython=True)``
        as ``CONF["SESSION"]`` before the shell starts
    :param apk: optional path of an APK to run through AnalyzeAPK first
    :return: None
    """
    from androguard.core.androconf import ANDROGUARD_VERSION, CONF
    from IPython.terminal.embed import InteractiveShellEmbed
    from traitlets.config import Config
    from androguard.misc import init_print_colors, AnalyzeAPK
    from androguard.session import Session

    if session:
        CONF["SESSION"] = Session(export_ipython=True)

    if apk:
        print("Loading apk {}...".format(os.path.basename(apk)))
        print("Please be patient, this might take a while.")
        # TODO we can export fancy aliases for those as well...
        # Keep the names a, d, dx: the embedded shell presumably exposes this
        # frame's locals, so these are what the user gets to poke at.
        a, d, dx = AnalyzeAPK(apk)

    banner = "Androguard version {} started".format(ANDROGUARD_VERSION)
    shell = InteractiveShellEmbed(config=Config(), banner1=banner)
    init_print_colors()
    shell()
def interact():
    """Open an embedded IPython shell after installing a fresh exported Session in CONF["SESSION"]."""
    CONF["SESSION"] = Session(True)
    banner = "Androguard version %s" % ANDROGUARD_VERSION
    shell = InteractiveShellEmbed(config=Config(), banner1=banner)
    init_print_colors()
    shell()
def get_default_session():
    """
    Return the Session stored in androconf.CONF["SESSION"], creating and
    storing a new one first if that entry is None.
    """
    current = androconf.CONF["SESSION"]
    if current is None:
        current = androconf.CONF["SESSION"] = Session()
    return current
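def process_files(apk1, apk2, should_multiprocess=True):
    """
    Load two APKs with load_androguard, optionally in parallel.

    Similar issues to load_androguard: the androguard objects are large
    (multiple GBs in RAM) and pickling them is fragile, so the parallel path
    spawns one child per file and sends only what load_androguard returns
    back through a Pipe (or anything built on top of it, i.e. Queues).

    :param apk1: path of the first APK
    :param apk2: path of the second APK
    :param should_multiprocess: when False both files are loaded sequentially
        in this process and share one Session
    :return: a 2-tuple with load_androguard's result for apk1 and apk2, in that order
    """
    import sys

    file_paths = (apk1, apk2)

    if not should_multiprocess:
        shared = Session()
        return tuple(load_androguard(f, True, False, s=shared) for f in file_paths)

    parent_conn, child_conn = multiprocessing.Pipe(False)

    def post_result(file_path, conn):
        # Runs in the child: load, then ship (path, result) back to the parent.
        conn.send((file_path, load_androguard(file_path, True, False)))

    workers = [
        multiprocessing.Process(target=post_result, args=(f, child_conn))
        for f in file_paths
    ]

    print("Starting multiprocessing Files")
    # Serialization with Pickle requires a higher recursion limit; restore it
    # even if a child fails, so the rest of the program keeps the old value.
    previous_recursion = sys.getrecursionlimit()
    sys.setrecursionlimit(50000)
    try:
        for w in workers:
            w.start()
        # Drop the parent's copy of the write end: recv() then raises EOFError
        # if every child exits without sending, instead of blocking forever.
        child_conn.close()
        # Results arrive in completion order; key them by path to restore
        # input order. recv() before join() so a full pipe cannot deadlock.
        results = dict(parent_conn.recv() for _ in file_paths)
        ordered = tuple(results[f] for f in file_paths)
        for w in workers:
            w.join()
    finally:
        sys.setrecursionlimit(previous_recursion)
    print("Finished all processes")
    return ordered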
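def testTypes(self):
    """
    For every method listed in VALUES, check that each const-family
    instruction carries exactly one literal and that format_value() renders
    it to the expected value; expected (fmt, value) pairs are consumed in
    instruction order.
    """
    s = Session()
    with open(TEST_CASE, "rb") as fd:
        digest, d, dx = s.addDEX(TEST_CASE, fd.read())

    for method in filter(lambda x: x.full_name in VALUES, d.get_methods()):
        print("METHOD", method.full_name)
        expected_values = VALUES[method.full_name]
        for i in filter(lambda x: 'const' in x.get_name(), method.get_instructions()):
            i.show(0)
            # ins should only have one literal
            # (assertEqual: assertEquals is a deprecated alias, removed in 3.12)
            self.assertEqual(len(i.get_literals()), 1)
            fmt, value = expected_values.pop(0)
            converted = format_value(i.get_literals()[0], i, fmt)
            print(i.get_literals(), fmt, value, converted)
            self.assertEqual(converted, value)
        print()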
def interact(session=False, apk=None):
    """
    Start an interactive shell.

    :param session: when truthy, a new ``Session(export_ipython=True)`` becomes
        ``CONF["SESSION"]`` before the shell starts
    :param apk: optional APK path analyzed with AnalyzeAPK before the shell starts
    :return: None
    """
    if session:
        CONF["SESSION"] = Session(export_ipython=True)

    if apk:
        basename = os.path.basename(apk)
        print("Loading apk {}...".format(basename))
        print("Please be patient, this might take a while.")
        # TODO we can export fancy aliases for those as well...
        # Keep the names a, d, dx: the embedded shell presumably exposes this
        # frame's locals, so these are what the user gets to poke at.
        a, d, dx = AnalyzeAPK(apk)

    banner = "{} started".format(_version_string)
    ipshell = InteractiveShellEmbed(config=Config(), banner1=banner)
    init_print_colors()
    ipshell()
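def load_androguard(file_path, force_reload=False, write_session=True, session_file=None, s=None):
    """
    Load an APK into an androguard Session, reusing a saved session when one exists.

    Writing and loading sessions currently cause a Kernel Disconnect or an
    EOF Error (pickle serialization issues), which is why saving can be
    switched off with ``write_session=False``.

    :param file_path: path of the APK to analyze
    :param force_reload: ignore an existing session_file and analyze the APK again
    :param write_session: after analyzing, store the Session into session_file
    :param session_file: path of the saved Session; None disables both
        restoring and saving (the original passed None to path.exists and
        Save, which raise)
    :param s: Session to analyze into; a new one is created when None
    :return: ``(a, d, dx)`` from AnalyzeAPK, or ``(None, None, None)`` when the
        session was restored from disk and the objects were not rebuilt
    """
    have_saved_session = session_file is not None and path.exists(session_file)
    if not force_reload and have_saved_session:
        print("Loading Existing Session")
        # NOTE(review): Load() deserializes a pickled session; a crafted file
        # executes arbitrary code on load, so only restore session files this
        # tool wrote itself from a location untrusted users cannot write to.
        s = Load(session_file)
        a = d = dx = None
    else:
        print("Loading Session from Apk at", file_path)
        if s is None:
            s = Session()
        a, d, dx = AnalyzeAPK(file_path, s)
        if write_session and session_file is not None:
            print("Saving Loaded Session to", session_file)
            s.add(file_path, dx=dx)
            Save(s, session_file)
    return a, d, dx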
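def run(self):
    """
    Analyze self.target_file with androguard, run ClassAnalysis over every
    class, and write the resulting graph (plus an optional component-only
    subgraph, a debugging JSON dump and app metadata) to disk, updating
    self.status and self.progress along the way for a polling caller.

    Side effects: appends to the module-level cached_analyses, may pickle the
    Session to self.session_save_file, and blocks on self.paused at the end
    until the caller has collected the final status.
    """
    app.logger.info('new analysis')
    s = Session()
    self.status = 'Analyzing APK'
    a, d, dx = AnalyzeAPK(self.target_file, session=s)  # APK, list[DalvikVMFormat], Analysis
    print(type(a), type(d[0]), type(dx))
    # Cache activities, receivers, services and providers up front: saving the
    # Session has been observed to break these getters afterwards, e.g.
    #   bytecodes/apk.py", line 582, in get_elements
    #     for item in self.xml[i].findall('.//' + tag_name):
    #   TypeError: string indices must be integers
    activities = a.get_activities()
    receivers = a.get_receivers()
    services = a.get_services()
    providers = a.get_providers()
    self.main_activity = a.get_main_activity()

    if self.session_save_file:
        self.status = 'Saving session file'
        # Pickling the Session needs a very deep recursion limit. Restore the
        # previous value afterwards: the original left 100M in place for the
        # rest of the process, where genuinely runaway recursion can exhaust
        # the C stack and crash the interpreter instead of raising.
        # NOTE(review): the saved file is a pickle -- never Load() one that
        # came from an untrusted source.
        previous_limit = sys.getrecursionlimit()
        sys.setrecursionlimit(100000000)
        try:
            Save(s, self.session_save_file)
        finally:
            sys.setrecursionlimit(previous_limit)
    cached_analyses.append({'md5': self.md5, 'analysis': (a, d, dx)})

    # Gather all classes from the dex analysis 'dx'
    classes = dx.classes
    total_num = len(classes)
    # self.progress is bumped once per percent of classes; max(1, ...) keeps
    # the modulo well-defined when total_num / 100 rounds down to 0.
    progress_step = max(1, ceil(total_num / 100))
    done = 0  # num of done classes
    # result_classes holds the completed ClassAnalysis result for each class
    result_classes = []
    analysis_start_time = time.time()
    self.status = 'Getting all classes'
    for c_name, c_analysis in classes.items():
        ca = ClassAnalysis(c_name, c_analysis, activities, receivers, services, providers)
        result_classes.append(ca.run())
        done += 1
        if done % progress_step == 0:
            self.progress += 1
    analysis_total_time = time.time() - analysis_start_time

    # debugging: dump the per-class results before graph construction
    self.status = 'Writing beforenetworkx debugging JSON'
    with open(self.graph_out_path + '.beforenetworkx', 'w') as f:
        json.dump(result_classes, f, indent=4, separators=(',', ': '), sort_keys=True)

    # Create a networkx graph from the completed analyses in result_classes
    create_graph_start_time = time.time()
    self.status = 'Creating graph out of {} classes analyzed'.format(len(result_classes))
    graph = create_graph(classes=result_classes)
    create_graph_total_time = time.time() - create_graph_start_time

    # Write graph to file: graph_out_path
    write_graph_start_time = time.time()
    self.status = 'Writing graph to disk'
    write_graph(graph, self.graph_out_path)
    write_graph_total_time = time.time() - write_graph_start_time

    # Build and write another graph holding only providers, receivers,
    # activities and services, i.e. every node that is not INTERNAL/EXTERNAL
    if self.component_subgraph_out_path:
        self.status = 'Getting component nodes from graph'
        non_components = (NonComponentType.EXTERNAL, NonComponentType.INTERNAL)
        component_names = [
            graph.node[node]['name']
            for node in graph
            if graph.node[node]['component_type'] not in non_components
        ]
        self.status = 'Creating subgraph containing only components'
        subgraph = get_class_subgraph(graph, class_names=component_names)
        self.status = 'Writing subgraph to disk'
        write_graph(subgraph, self.component_subgraph_out_path)

    # App metadata for misc/debugging
    apk_size = os.path.getsize(self.target_file)
    self.status = 'Writing metadata'
    self.write_app_metadata(result_classes, a, analysis_total_time, apk_size,
                            create_graph_total_time, write_graph_total_time)

    self.progress = 100
    self.status = 'Done'
    # Wait for the caller to collect the last status and reset the event before finishing
    self.paused.wait()
    app.logger.info('done')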
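def androlyze_main(session, filename):
    """
    Start an interactive shell

    :param session: Session file to load
    :param filename: File to analyze, can be APK or DEX (or ODEX)

    Loads (or creates) the session stored in CONF["SESSION"], optionally adds
    ``filename`` to it and prints the resulting objects, then drops into an
    embedded IPython shell. An atexit hook offers to save the session.
    """
    from androguard.core.androconf import ANDROGUARD_VERSION, CONF
    from androguard.core import androconf
    from IPython.terminal.embed import InteractiveShellEmbed
    from traitlets.config import Config
    from androguard.session import Session, Load
    from colorama import Fore
    import colorama
    import atexit

    # Import commonly used classes, for further usage...
    from androguard.core.bytecodes.apk import APK
    from androguard.core.bytecodes.dvm import DalvikVMFormat
    from androguard.core.analysis.analysis import Analysis
    from androguard.misc import AnalyzeAPK

    colorama.init()

    if session:
        print("Restoring session '{}'...".format(session))
        # NOTE(review): Load() deserializes a pickled session file; a crafted
        # file executes arbitrary code on load. Only restore session files you
        # saved yourself from a location untrusted users cannot write to.
        s = CONF['SESSION'] = Load(session)
        print("Successfully restored {}".format(s))
        # TODO Restore a, d, dx etc...
    else:
        s = CONF["SESSION"] = Session(export_ipython=True)

    if filename:
        # The original built this message but never printed it.
        print("Loading apk {}...".format(os.path.basename(filename)))
        print("Please be patient, this might take a while.")

        filetype = androconf.is_android(filename)

        print("Found the provided file is of type '{}'".format(filetype))

        if filetype not in ['DEX', 'DEY', 'APK']:
            print(Fore.RED + "This file type is not supported by androlyze for auto loading right now!" + Fore.RESET, file=sys.stderr)
            print("But your file is still available:")
            print(">>> filename")
            print(repr(filename))
            print()
        else:
            with open(filename, "rb") as fp:
                raw = fp.read()
            # Add the file that was actually read (the original passed the
            # undefined name `apk` here).
            h = s.add(filename, raw)
            print("Added file to session: SHA256::{}".format(h))

            if filetype == 'APK':
                print("Loaded APK file...")
                a, d, dx = s.get_objects_apk(digest=h)

                print(">>> a")
                print(a)
                print(">>> d")
                print(d)
                print(">>> dx")
                print(dx)
                print()
            elif filetype in ['DEX', 'DEY']:
                print("Loaded DEX file...")
                # d, dx end up as the entry whose digest matches h; they are
                # left in this frame so the embedded shell can reach them.
                for h_, d, dx in s.get_objects_dex():
                    if h == h_:
                        break
                print(">>> d")
                print(d)
                print(">>> dx")
                print(dx)
                print()

    def shutdown_hook():
        """Save the session on exit, if wanted"""
        if not s.isOpen():
            return
        try:
            res = input("Do you want to save the session? (y/[n])?").lower()
        except (EOFError, KeyboardInterrupt):
            pass
        else:
            if res == "y":
                # TODO: if we already started from a session, probably we want to save it under the same name...
                # TODO: be able to take any filename you want
                fname = s.save()
                print("Saved Session to file: '{}'".format(fname))

    cfg = Config()
    _version_string = "Androguard version {}".format(ANDROGUARD_VERSION)
    ipshell = InteractiveShellEmbed(config=cfg, banner1="{} started".format(_version_string))
    atexit.register(shutdown_hook)
    ipshell()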
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') fh.setFormatter(formatter) ch.setFormatter(formatter) # add the handlers to the logger logger.addHandler(fh) logger.addHandler(ch) if not os.path.isfile(path): logger.info('{path} is not a valid file'.format(path=path)) sys.exit() if not output_file_path: output_file_path = os.path.splitext(os.path.basename(path))[0] + '.json' logger.info('output file defaulting to: {path}'.format(path=output_file_path)) start = time.time() a, d, dx = AnalyzeAPK(path, session=Session()) end = time.time() logger.info('androguard time: {t}'.format(t=(end-start))) #a = <class 'androguard.core.bytecodes.apk.APK'> #d = list <class 'androguard.core.bytecodes.dvm.DalvikVMFormat'> a list of DalvikVMFormat objects, each pertaining to a single classes.dex #dx = list <class 'androguard.core.analysis.analysis.Analysis'> A list of Analyses objects, each pertaining to a single classes.dex logger.info(len(d)) logger.info(len(dx)) start = time.time() result = [] for __d in d:#all dex print(len(__d.get_classes())) continue
from pprint import pprint
from androguard.session import Session
from androguard.misc import AnalyzeAPK

# Smoke test: analyze one hard-coded APK into a fresh Session and print its
# activities. The 'here' / 'here2' prints only mark progress between steps.
session = Session()
a, d, dx = AnalyzeAPK('/home/branden/apks/dendroid.apk', session=session)
print('here')
acts = a.get_activities()
print('here2')
print(acts)
# Command line of the Androguard GUI: optional debug logging, an input file to
# open at start-up, and an embedded IPython console.
parser = argparse.ArgumentParser(description="Androguard GUI")
parser.add_argument("-d", "--debug", action="store_true", default=False)
parser.add_argument("-i", "--input_file", default=None)
parser.add_argument("-c", "--console", action="store_true", default=False)
args = parser.parse_args()

if args.debug:
    androconf.set_debug()

# We need that to save huge sessions when leaving and avoid
# RuntimeError: maximum recursion depth exceeded while pickling an object
# or
# RuntimeError: maximum recursion depth exceeded in cmp
# http://stackoverflow.com/questions/2134706/hitting-maximum-recursion-depth-using-pythons-pickle-cpickle
# NOTE(review): this stays raised for the whole process; sessions are pickled,
# so only load session files produced by this tool from a trusted location.
sys.setrecursionlimit(50000)

# The session is only exported to IPython when the console is requested.
session = Session(export_ipython=args.console)
console = None
if args.console:
    console = IpythonConsole()
    console.start()

# Qt event loop; sys.exit() propagates the application's exit code.
app = QtGui.QApplication(sys.argv)
window = MainWindow(session=session, input_file=args.input_file)
window.resize(1024, 768)
window.show()
sys.exit(app.exec_())
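def extractStaticFeatures(apkPath):
    """
    Extracts static numerical features from an APK using Androguard.

    If a pre-computed ".static" file sits next to the APK (same path with the
    ".apk" suffix replaced), the ".basic", ".perm", ".api" and ".static" files
    are parsed instead of re-analysing the APK; each is expected to hold a
    comma-separated list of numbers wrapped in one pair of brackets. Otherwise
    the APK is loaded into a fresh androguard Session and the features are
    computed from its manifest, permissions and decompiled dex source.

    Returns a 4-tuple (basicFeatures, permissionFeatures, apiCallFeatures,
    allFeatures) of float lists, allFeatures being the other three concatenated.
    On any error (reported through prettyPrintError) or when the APK does not
    exist, four empty lists are returned instead.
    """
    try:
        features = [[], [], [], []]  # Tuples are immutable
        if os.path.exists(apkPath.replace(".apk", ".static")):
            prettyPrint("Found a pre-computed static features file")
            try:
                possibleExtensions = [".basic", ".perm", ".api", ".static"]
                for slot, ext in enumerate(possibleExtensions):
                    featurePath = apkPath.replace(".apk", ext)
                    if not os.path.exists(featurePath):
                        continue
                    # Close the handle deterministically (the original left it to the GC)
                    with open(featurePath) as featureFile:
                        content = featureFile.read()
                    if len(content) > 0:
                        # content[1:-1] strips the surrounding brackets
                        features[slot] = [float(f) for f in content[1:-1].split(',') if len(f) > 0]
                return tuple(features)
            except Exception as e:
                prettyPrintError(e)
                prettyPrint("Could not extract features from \".static\" file. Continuing as usual", "warning")

        if verboseON():
            prettyPrint("Starting analysis on \"%s\"" % apkPath, "debug")
        if not os.path.exists(apkPath):
            prettyPrint("Could not find the APK file \"%s\"" % apkPath, "warning")
            return [], [], [], []
        analysisSession = Session()
        # 1. Analyze APK and retrieve its components
        #t = threading.Timer(300.0, returnEmptyFeatures) # Guarantees not being stuck on analyzing an APK
        #t.start()
        with open(apkPath, "rb") as apkFile:
            analysisSession.add(apkPath, apkFile.read())
        # list() so the lookup works whether .values() is a list (Py2) or a view (Py3)
        apkEntry = list(analysisSession.analyzed_apk.values())[0]
        # Depending on the androguard version the entry is the APK itself or a
        # list whose first element is the APK
        apk = apkEntry[0] if isinstance(apkEntry, list) else apkEntry
        dex = list(analysisSession.analyzed_dex.values())[0][0]

        # 2. Add features to the features vector
        basicFeatures, permissionFeatures, apiCallFeatures = [], [], []

        # 2.a. The APK-related features
        if verboseON():
            prettyPrint("Extracting basic features", "debug")
        minSDKVersion = 0.0 if not apk.get_min_sdk_version() else float(apk.get_min_sdk_version())
        maxSDKVersion = 0.0 if not apk.get_max_sdk_version() else float(apk.get_max_sdk_version())
        basicFeatures.append(minSDKVersion)
        basicFeatures.append(maxSDKVersion)
        basicFeatures.append(float(len(apk.get_activities())))  # No. of activities
        basicFeatures.append(float(len(apk.get_services())))  # No. of services
        basicFeatures.append(float(len(apk.get_receivers())))  # No. of broadcast receivers
        basicFeatures.append(float(len(apk.get_providers())))  # No. of providers

        # 2.b. Harvest permission-related features
        if verboseON():
            prettyPrint("Extracting permissions-related features", "debug")
        aospPermissions = float(len(apk.get_requested_aosp_permissions()))  # Android permissions requested by the app
        declaredPermissions = float(len(apk.get_declared_permissions()))  # Custom permissions declared by the app
        dangerousPermissions = float(len([
            p for p in apk.get_requested_aosp_permissions_details().values()
            if p["protectionLevel"] == "dangerous"
        ]))
        totalPermissions = float(len(apk.get_permissions()))
        permissionFeatures.append(totalPermissions)  # No. of permissions
        if totalPermissions > 0:
            permissionFeatures.append(aospPermissions / totalPermissions)  # AOSP permissions : Total permissions
            permissionFeatures.append(declaredPermissions / totalPermissions)  # Third-party permissions : Total permissions
            permissionFeatures.append(dangerousPermissions / totalPermissions)  # Dangerous permissions : Total permissions
        else:
            permissionFeatures.extend([0.0, 0.0, 0.0])

        # 2.c. The DEX-related features (API calls)
        if verboseON():
            prettyPrint("Extracting API calls from dex code", "debug")
        apiCallFeatures.append(float(len(dex.get_classes())))  # Total number of classes
        apiCallFeatures.append(float(len(dex.get_strings())))  # Total number of strings
        # list() keeps a fixed category order for the count vector on Py3 views
        apiCategories = list(sensitiveAPICalls.keys())
        apiCategoryCount = [0.0] * len(apiCategories)
        for c in dex.classes.get_names():
            currentClass = dex.get_class(c)
            if not currentClass:
                continue
            code = currentClass.get_source()
            if len(code) < 1:
                continue
            for slot, category in enumerate(apiCategories):
                # Cheap substring check before running the per-call regexes
                if code.find(category) == -1:
                    continue
                for call in sensitiveAPICalls[category]:
                    apiCategoryCount[slot] += float(len(re.findall(call, code)))
        apiCallFeatures += apiCategoryCount
    except Exception as e:
        prettyPrintError(e)
        return [], [], [], []

    allFeatures = basicFeatures + permissionFeatures + apiCallFeatures
    return basicFeatures, permissionFeatures, apiCallFeatures, allFeatures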
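def run(self):
    """
    Runs the Droidutan test against the [processTarget] for [processDuration].

    Steps: start a watchdog timer that calls self.stop, load the APK into an
    androguard Session, read the AVD's IP from VBoxManage's guest properties,
    drive the app with droidbot against <ip>:5555, then copy the logcat lines
    tagged "droidmon-apimonitor-<package>" (matched case-insensitively, like
    the original `grep -i`) to <output dir>/logcat_filtered.log.

    Returns True when droidbot produced an output directory (even if no tagged
    log lines were found), False on any failure; failures are reported via
    prettyPrint / prettyPrintError rather than raised.
    """
    try:
        # A timer to guarantee the process exits.
        # NOTE(review): the timer is not cancelled on the success path, so
        # self.stop still fires processDuration * 5 seconds after start --
        # confirm that is intended before changing it.
        deadline = float(self.processDuration) * 5.0
        if verboseON():
            prettyPrint("Setting timer for %s seconds" % str(deadline), "debug")
        t = threading.Timer(deadline, self.stop)
        t.start()

        # Step 1. Analyze APK
        if verboseON():
            prettyPrint("Analyzing APK: \"%s\"" % self.processTarget, "debug")
        s = Session()
        # Binary read, closed deterministically (the original left the handle to the GC)
        with open(self.processTarget, "rb") as apkFile:
            s.add(self.processTarget, apkFile.read())
        analyzed = list(s.analyzed_apk.values())  # list() works for Py2 lists and Py3 views
        if not analyzed:
            prettyPrint("Could not retrieve an APK to analyze. Skipping", "warning")
            return False
        apk = analyzed[0]
        if isinstance(apk, list):  # some androguard versions store [apk, ...] per digest
            apk = apk[0]

        # Step 2. Get the IP address assigned to the AVD from VBoxManage's
        # guest properties (universal_newlines gives str on both Py2 and Py3)
        getAVDIPCmd = ["VBoxManage", "guestproperty", "enumerate", self.processVM]
        result = subprocess.Popen(getAVDIPCmd, stderr=subprocess.STDOUT, stdout=subprocess.PIPE,
                                  universal_newlines=True).communicate()[0].replace(' ', '')
        if result.lower().find("error") != -1:
            prettyPrint("Unable to retrieve the IP address of the AVD", "error")
            print(result)
            return False
        ipKey = "androvm_ip_management,value:"
        start = result.find(ipKey)
        if start == -1:
            # The original scanned from a bogus offset when the key was missing
            # and used whatever it found up to the next comma as the IP
            prettyPrint("Unable to find \"%s\" in the VBoxManage output" % ipKey, "error")
            print(result)
            return False
        start += len(ipKey)
        end = result.find(',', start)
        if end == -1:
            end = len(result)
        avdIP = result[start:end].strip()
        adbID = "%s:5555" % avdIP

        # Step 3. Define frequently-used commands
        droidbotOut = self.processTarget.replace(".apk", "_droidbot")
        droidbotCmd = [
            "droidbot", "-d", adbID, "-a", self.processTarget, "-o", droidbotOut,
            "-timeout", str(self.processDuration), "-random", "-keep_env", "-grant_perm"
        ]

        # Step 4. Test the APK using Droidbot (assuming the machine is already on)
        prettyPrint("Testing the APK \"%s\" using Droidbot" % apk.package)
        # 4.a. Start Droidbot and wait for it; its output is not used
        subprocess.Popen(droidbotCmd, stderr=subprocess.STDOUT, stdout=subprocess.PIPE).communicate()
        # 4.b. Check for existence of output directory
        if not os.path.exists(droidbotOut):
            prettyPrint("No output folder found for \"%s\"" % self.processTarget, "warning")
            return False
        # 4.c. Filter the logcat dumped by droidbot. Done in-process instead of
        # `cat | grep -i` so no pipe or file handles are left open; bytes are
        # compared so non-UTF-8 log lines cannot raise.
        tag = ("droidmon-apimonitor-%s" % apk.package).lower().encode("utf-8")
        logcatPath = "%s/logcat.txt" % droidbotOut
        filteredPath = "%s/logcat_filtered.log" % droidbotOut
        matched = 0
        with open(filteredPath, "wb") as logFile:
            if os.path.exists(logcatPath):
                with open(logcatPath, "rb") as logcat:
                    for line in logcat:
                        if tag in line.lower():
                            logFile.write(line)
                            matched += 1
        if matched == 0:
            # Same outcome as the original's grep exit status 1: warn, still return True
            prettyPrint("Unable to find the tag \"Droidmon-apimonitor-%s\" in the log file" % apk.package, "warning")
    except Exception as e:
        prettyPrintError(e)
        return False
    return True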
32768.5, 32767.5, 32766.5, -5, -65535, -65536, -123456789123456789.555555555, -123456789123456789.555555555, -606384730, -123456790519087104, -606384730, 3.5 ], } def _test(got, expected): if got == expected: prefix = ' OK ' else: prefix = ' X ' print('%s got: %s expected: %s' % (prefix, repr(got), repr(expected))) s = Session() with open(TEST_CASE, "rb") as fd: digest, d, dx = s.addDEX(TEST_CASE, fd.read()) for method in d.get_methods(): key = method.get_class_name() + " " + method.get_name( ) + " " + method.get_descriptor() if key not in VALUES: continue print("METHOD", method.get_class_name(), method.get_name(), method.get_descriptor()) code = method.get_code() bc = code.get_bc()