def module_run(self, verbose=False): z = self.apk.vm_analysis.tainted_packages.search_methods( ".", "getSystemService", ".") external_services = set() for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) if self.apk.get_package() in method.get_class_name().replace( "/", "."): ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) source = ms.get_source() matches = re.findall(r'getSystemService\("([^"]*)"\)', source) if len(matches): external_services.add(android_system_services[matches[0]]) return {"results": sorted(external_services), "vulnerabilities": []}
def module_run(self, verbose=False): results = [] z = self.apk.vm_analysis.tainted_packages.search_methods( "Landroid/content/Intent", "<init>", ".") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue if self.apk.get_package() in method.get_class_name().replace( "/", "."): mx = self.apk.vm_analysis.get_method(method) ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) source = ms.get_source() matches = re.findall(r'Intent\(([^\)]*)\);', source) if len(matches): results.append({ "file": method.get_class_name()[1:-1], "line": method.get_debug().get_line_start(), }) return {"results": results, "vulnerabilities": []}
def get_source_method(self, m): mx = self.vmx.get_method(m) z = decompile.DvMethod(mx) z.process() result = z.get_source() return result
def process_methods(self, found_methods): """ Process and return a unique and analyzed list of methods based on usage findings. Args: param1: Discovered methods Returns: return: Processed methods """ # Locals seen = set() unique = list() processed = list() for m in found_methods: if m.get_class_name() not in seen: unique.append(m) seen.add(m.get_class_name()) for u in unique: if u.get_code(): analyzed = self.vmx.get_method(u) src = decompile.DvMethod(analyzed) src.process() processed.append((u, analyzed, src.get_source())) else: analyzed = self.vmx.get_method(u) processed.append((u, analyzed, None)) return processed
def module_run(self, verbose=False): logs = "" vulnerable = False providers = self.get_providers() z = self.apk.vm_analysis.tainted_packages.search_methods( ".", "addURI", ".") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) source = ms.get_source() matches = re.findall(r'addURI\("([^"]*)", "([^"]*)"', source) for match in matches: for provider in providers: if provider["authorities"] == match[0]: provider["uris"].add("uri://%s/%s" % (match[0], match[1])) for provider in providers: provider["uris"] = list(provider["uris"]) if provider["exported"] and provider["permission"] is None and provider["read_permission"] is None\ and provider["write_permission"] is None: #content was introduced in honeycomb if self.avd is not None and self.avd.target >= 16: for uri in provider["uris"]: logs += "$ adb shell content query --uri %s\n" % uri logs += self.avd.shell("content query --uri %s" % uri) provider["vulnerable"] = True vulnerable = True else: provider["vulnerable"] = False if verbose: print logs return { "results": providers, "vulnerabilities": [ framework.Vulnerability( "Exported content provider.", "The following application provider is exported, which means that any application can access it" " without the need for any custom permission.", framework.Vulnerability.MEDIUM, resources=[p for p in providers if p["vulnerable"]], logs=logs).__dict__ ] if vulnerable else [] }
def _analyze(self, apk, dalvik_vm_format, vm_analysis, gvm_analysis, *args, **kwargs): # CFG for method in dalvik_vm_format.get_methods(): try: mx = vm_analysis.get_method(method) if method.get_code() == None: continue classname, methodname, method_descriptor = method.get_class_name( ), method.get_name(), method.get_descriptor() # skip android classes due to mongo db document limit if classname.find("Landroid") != -1: continue ms = decompile.DvMethod(mx) # process to the decompilation ms.process() self.cres += '''%s.%s%s { %s } ''' % (classname, methodname, method_descriptor, ms.get_source()) except: pass
def _analyze(self, apk, dalvik_vm_format, vm_analysis, gvm_analysis, *args, **kwargs): ''' This sample code is taken from `androguard` and has been modified! See Also -------- http://code.google.com/p/androguard/wiki/RE#Source_Code ''' res = self.res res.register_keys([CAT_DECOMPILE]) # CFG for method in dalvik_vm_format.get_methods(): mx = vm_analysis.get_method(method) if method.get_code() == None: continue try: classname, methodname, method_descriptor = method.get_class_name(), method.get_name(), method.get_descriptor() # skip android classes if classname.find("Landroid") != -1: continue CAT = (CAT_DECOMPILE, classname, methodname) res.register_keys([method_descriptor], *CAT) ms = decompile.DvMethod(mx) # process to the decompilation ms.process() # get the source ! res.log(method_descriptor, ms.get_source().split("\n"), *CAT) except: pass
def module_run(self, verbose=False): results = {} z = self.apk.vm_analysis.tainted_packages.search_packages("Log") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if self.apk.package.replace(".", "/") in method.get_class_name()[1:-1]: if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) if method.get_class_name()[1:-1] not in results: results[method.get_class_name()[1:-1]] = [] if method.get_debug().get_line_start() not in \ [x["line"] for x in results[method.get_class_name()[1:-1]]]: results[method.get_class_name()[1:-1]].append({ "type": ms.type, "line": method.get_debug().get_line_start() }) return {"results": results, "vulnerabilities": []}
def _analyze(self, apk, dalvik_vm_format, vm_analysis, gvm_analysis, *args, **kwargs): res = self.res res.register_keys([CAT_PERMISSIONS]) class_manager = dalvik_vm_format.get_class_manager() perm_dict = vm_analysis.get_permissions([]) # register list for each used permissions keys permissions = set(perm_dict.keys()) res.register_enum_keys(permissions, CAT_PERMISSIONS, PERMISSIONS_LISTING) # register each permission only once! res.register_enum_keys(permissions, CAT_PERMISSIONS, PERMISSIONS_CODE) # use set to remove duplicates! method_names = set() method_analysis_objs = set() for permission_name, pathp_obj_list in perm_dict.items(): # list<PathP> for pathp in pathp_obj_list: if isinstance(pathp, PathP): # type: androguard.core.bytecodes.dvm.MethodIdItem # the method that uses the permission src_method = class_manager.get_method_ref(pathp.src_idx) method_name = full_method_name(src_method) method_names.add((permission_name, method_name)) # the api function for the permission #dst_method = class_manager.get_method_ref(pathp.dst_idx) # get androguard.core.bytecodes.dvm.EncodedMethod encoded_method = dalvik_vm_format.get_method( src_method.get_name())[0] # get androguard.core.analysis.analysis.MethodAnalysis method_analysis = vm_analysis.get_method(encoded_method) method_analysis_objs.add( (permission_name, method_name, method_analysis)) for permission_name, method_name in method_names: # log which classes use which permissions res.log_append_to_enum(permission_name, method_name, CAT_PERMISSIONS, PERMISSIONS_LISTING) for permission_name, method_name, method_analysis in method_analysis_objs: ms = decompile.DvMethod(method_analysis) ms.process() source_code = ms.get_source() # decompile these methods too! log_val = {method_name: source_code.split("\n")[1:-1]} res.log_append_to_enum(permission_name, log_val, CAT_PERMISSIONS, PERMISSIONS_CODE)
def module_run(self, verbose=False): results = {} apis = { "Crypto": ["javax.crypto", "java.security", "android.security"], "Networking": ["java.net", "org.apache.http", "javax.net", "javax.net.ssl"], "IO": ["java.io"], "Databases": ["android.database", "javax.sql", "java.sql"], "Communications": [ "android.telephony", "android.bluetooth", "android.net.sip", "android.net.wifi", "android.net.wifi.p2p", "android.nfc" ], "Geolocation": ["android.location"] } for api in apis: results[api] = {} if verbose: self.output("Searching for %s calls" % api) for package in apis[api]: results[api][package] = {} z = self.apk.vm_analysis.tainted_packages.search_packages( package) for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if self.apk.package.replace( ".", "/") in method.get_class_name()[1:-1]: if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) if method.get_class_name( )[1:-1] not in results[api][package]: results[api][package][method.get_class_name() [1:-1]] = [] if method.get_debug().get_line_start() not in \ [x["line"] for x in results[api][package][method.get_class_name()[1:-1]]]: results[api][package][ method.get_class_name()[1:-1]].append({ "line": method.get_debug().get_line_start() }) for api in apis: total = 0 for package in apis[api]: total += len(results[api][package]) if not total: del (results[api]) return {"results": results, "logs": "", "vulnerabilities": []}
def decompileMethod(dx, method): mx = dx.get_method(method) ms = decompile.DvMethod(mx) # process to the decompilation ms.process() # get the source ! return ms.get_source()
def grab_source_code(d, dx): source = collections.OrderedDict() for classe in d.get_classes(): data = collections.OrderedDict() for metodo in classe.get_methods(): method = dx.get_method(metodo) ms = decompile.DvMethod(method) ms.process() data[metodo.name] = ms.get_source() source[classe.get_name()] = data return source
def diffMethod(dexO, dexR, classNameO, methodNameO, classNameR, methodNameR): vm = dvm.DalvikVMFormat(open(dexO, "r").read()) vmx = analysis.VMAnalysis(vm) vmR = dvm.DalvikVMFormat(open(dexR, "r").read()) vmxR = analysis.VMAnalysis(vmR) for method in vm.get_methods(): for methodR in vmR.get_methods(): if (method.get_class_name() == classNameO and method.get_name() == methodNameO) and (methodR.get_class_name() == classNameR and methodR.get_name() == methodNameR): mx = vmx.get_method(method) ms = decompile.DvMethod(mx) ms.process() mxR = vmxR.get_method(methodR) msR = decompile.DvMethod(mxR) msR.process() text = (_unidiff_output(ms.get_source(), msR.get_source())) print("getOneMethod") return text
def display_source(self, m) : mx = self.vmx.get_method( m ) from androguard.decompiler.dad import decompile z = decompile.DvMethod( mx ) z.process() lexer = get_lexer_by_name("java", stripall=True) formatter = TerminalFormatter() result = highlight(z.get_source(), lexer, formatter) print result
def module_run(self, verbose=False): results = [] z = self.apk.vm_analysis.tainted_packages.search_methods( ".", "rawQuery", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "query", ".") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) if self.apk.get_package() in method.get_class_name().replace( "/", "."): ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) if method.get_class_name()[1:-1] not in [ x["file"] for x in results ]: results.append({ "file": method.get_class_name()[1:-1], "lines": [method.get_debug().get_line_start()] }) else: for r in results: if r["file"] == method.get_class_name()[1:-1]: if method.get_debug().get_line_start( ) not in r["lines"]: r["lines"].append( method.get_debug().get_line_start()) return { "results": results, "vulnerabilities": [ framework.Vulnerability( "Multiple SQL injection vectors.", "The application do not make use of prepared statement which could lead to SQL injection vulnerabilities.\n" "Review the results to see if these raw queries can be exploited.", framework.Vulnerability.MEDIUM, resources=results).__dict__ ] if len(results) else [] }
def getNewMethods(dexR, classNameR, methodNameR): vmR = dvm.DalvikVMFormat(open(dexR, "r").read()) vmxR = analysis.VMAnalysis(vmR) for methodR in vmR.get_methods(): if (methodR.get_class_name() == classNameR and methodR.get_name() == methodNameR): mxR = vmxR.get_method(methodR) msR = decompile.DvMethod(mxR) msR.process() text = msR.get_source() print("getNewMethod") return text
def module_run(self, verbose=False): results = {} #external storage z = self.apk.vm_analysis.tainted_packages.search_methods( ".", "getExternalStorageState()", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "getExternalStoragePublicDirectory", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "getExternalFilesDirs()", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "getExternalCacheDirs()", ".") #internal storage z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "getFilesDir()", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "getDir()", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "deleteFile()", ".") z += self.apk.vm_analysis.tainted_packages.search_methods( ".", "fileList()", ".") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) if self.apk.get_package() in method.get_class_name().replace( "/", "."): ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) if method.get_class_name()[1:-1] not in results: results[method.get_class_name()[1:-1]] = [] if method.get_debug().get_line_start() not in \ [x["line"] for x in results[method.get_class_name()[1:-1]]]: results[method.get_class_name()[1:-1]].append({ "source": ms.get_source(), "line": method.get_debug().get_line_start() }) return {"results": results, "vulnerabilities": []}
def ast_for_method_analysis(method_analysis): ''' Create the abstract syntax tree. Parameters ---------- method_analysis: androguard.androguard.core.analysis.analysis.MethodAnalysis Returns ------- dict The abstract syntax tree of the `method_analysis`. ''' dv_method = decompile.DvMethod(method_analysis) dv_method.process(doAST=True) return dv_method.ast
def decompileMethod(methodObj, analysis): # <methodObj> e un obiect de tipul EncodedMethod # <analysis> e un obiect de tipul VMAnalysis if method.get_code() == None: return None methodAnalysis = analysis.get_method( method) # returns MethodAnalysis object decompMethod = decompile.DvMethod(methodAnalysis) try: decompMethod.process() methodSource = decompMethod.get_source() except: print 'Failed to decompile [%s]' % methodObj.get_name() return ''' method %s() { // failed to decompile }''' return methodSource
def module_run(self, verbose=False): results = {} z = self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteClosable") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteCursor") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteDatabase") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteOpenHelper") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteProgram") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteQuery") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteQueryBuilder") z += self.apk.vm_analysis.tainted_packages.search_objects( "SQLiteStatement") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue mx = self.apk.vm_analysis.get_method(method) if self.apk.get_package() in method.get_class_name().replace( "/", "."): ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) if method.get_class_name()[1:-1] not in results: results[method.get_class_name()[1:-1]] = [] if method.get_debug().get_line_start() not in \ [x["line"] for x in results[method.get_class_name()[1:-1]]]: results[method.get_class_name()[1:-1]].append( {"line": method.get_debug().get_line_start()}) return {"results": results, "vulnerabilities": []}
def decompile_method(self, method_to_decompile): """This function will decompile the given method. Maybe there is a better way. """ if not self.quiet: print "Method to decompile :", method_to_decompile print "------------" for method in self.dalvik_executable.get_methods(): mx = self.analyzed_dex.get_method(method) if method.get_code() == None: continue method_decompiling = method.get_class_name() + method.get_name() + method.get_descriptor() if method_to_decompile != method_decompiling: #debug #if not self.quiet: # print method_decompiling continue if not self.quiet: print "About to decompile the following method : " print method.get_class_name(), method.get_name(), method.get_descriptor() print "[*] Decompilation initated" self.smali += [''.join((method.get_class_name(), method.get_name(), method.get_descriptor()))] ms = decompile.DvMethod(mx) if not self.quiet: print "[*] Processing..." try: ms.process() except: return None java_source = ms.get_source() if not self.quiet: print java_source self.java += [java_source]
def extractSourceFiles(PREFIX, d, vmx): check_dirs(settings.SOURCELOCATION, PREFIX) for _class in d.get_classes(): class_path = convert_descriptor(_class.get_name()) path = check_path(class_path, PREFIX) if not os.path.exists(path): if len(path) > 255: ext = os.path.basename(path).split(".")[-1] newName = os.path.dirname( path) + "/filename_to_long_suspiciousFile-" + id_generator( ) + "." + ext source = open(newName, "w") else: source = open(path, "w") for field in _class.get_fields(): access_flags = field.get_access_flags_string() if access_flags == "0x0": access_flags = "" source.write( "\t%s %s %s\n" % (access_flags, convert_descriptor( field.get_descriptor()), field.get_name())) for method in _class.get_methods(): try: g = vmx.get_method(method) if method.get_code() is None: continue ms = decompile.DvMethod(g) ms.process() for line in ms.get_source().split("\n"): source.write("\t%s\n" % line) except: continue source.flush() source.close()
def run_search_method(apks, x, clz, method, permission): """ Search for API calls and implementation location """ vm = apks.get_vm() paths = x.get_tainted_packages().search_methods(clz, method, ".") if paths: for p in paths: for m in apks.get_methods(): if m.get_name() == p.get_src(vm.get_class_manager())[1]: if m.get_class_name() == p.get_src( vm.get_class_manager())[0]: mx = x.get_method(m) d = decompile.DvMethod(mx) d.process() print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Permission: ") + "{0}".format(permission))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Found Method: ") + "{0}".format(method))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(m.get_class_name()))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(m.get_name()))) print(m.pretty_show()) print(d.get_source())
def decompile_method_analysis(method_analysis): ''' Decompile the `method_analysis` object Parameters ---------- method_analysis: androguard.androguard.core.analysis.analysis.MethodAnalysis Returns ------- str The decompiled method Example ------- >>> decompile_method_analysis(...) protected varargs String doInBackground(Void[] p14) { org.apache.http.client.methods.HttpGet v6_1 = new org.apache.http.client.methods.HttpGet("http://10.10.0.134:8080/index.html"); v6_1.addHeader("Authorization", new StringBuilder().append("Basic ").append(android.util.Base64.encodeToString(this.CREDENTIALS.getBytes(), 2)).toString()); try { java.io.InputStream v9 = new org.apache.http.impl.client.DefaultHttpClient().execute(v6_1).getEntity().getContent(); int v7 = de.uni_marburg.ipcinetcallee.InetActivity.inputStream2String(v9); v9.close(); } catch (org.apache.http.client.ClientProtocolException v2) { android.util.Log.e("HTTPGetTask", "msg", v2); v7 = 0; } catch (java.io.IOException v5) { android.util.Log.e("HTTPGetTask", "msg", v5); } return v7; } ''' dv_method = decompile.DvMethod(method_analysis) dv_method.process() return dv_method.get_source()
def run(self): """ Search for CertificateManager and Keystore API usage within target class and methods """ if self.vm_type == "apks": _x = analysis.uVMAnalysis(self.vm.get_vm()) _vm = self.vm.get_vm() _structure = list() if _x: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) for a, b in self.enum.values.items(): for c in b: paths = _x.get_tainted_packages().search_methods( "{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src( _vm.get_class_manager())[1]: if method.get_class_name( ) == p.get_src( _vm.get_class_manager())[0]: mx = _x.get_method(method) d = decompile.DvMethod(mx) d.process() _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available certkey method: ") + "{0}".format(m))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available methods"))) while True: method = raw_input( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print(s[1].show()) console.colorize_decompiled_method( str(s[2].get_source())) if method == "back": break elif method == "list": for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available certkey method: ") + "{0}".format(m))) elif self.vm_type == "dex": _x = analysis.uVMAnalysis(self.vm) _vm = self.vm _structure = list() if _x: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) for a, b in self.enum.values.items(): for c in b: paths = _x.get_tainted_packages().search_methods( "{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src( _vm.get_class_manager())[1]: if method.get_class_name( ) == p.get_src( _vm.get_class_manager())[0]: mx = _x.get_method(method) d = decompile.DvMethod(mx) d.process() _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available certkey method: ") + "{0}".format(m))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available methods"))) while True: method = raw_input( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print(s[1].show()) console.colorize_decompiled_method( str(s[2].get_source())) if method == "back": break elif method == "list": for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available certkey method: ") + "{0}".format(m)))
def run(self): """ Search for socket service API implemenations """ if self.vm_type == "apks": x = analysis.uVMAnalysis(self.vm.get_vm()) _vm = self.vm.get_vm() _structure = list() if x: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) # Get enum values # for a, b in self.enum.values.items(): for c in b: paths = x.get_tainted_packages().search_methods("{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src(_vm.get_class_manager())[1]: if method.get_class_name() == p.get_src(_vm.get_class_manager())[0]: mx = x.get_method(method) d = decompile.DvMethod(mx) d.process() _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Available logging methods: ") + "{0}".format(m))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available functions"))) while True: method = raw_input(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print(s[1].show()) print(s[2].get_source()) if method == "back": break elif method == "list": for m in methods_set: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Available logging methods: ") + "{0}".format(m))) elif self.vm_type == "dex": x = analysis.uVMAnalysis(self.vm) _vm = self.vm _structure = list() if x: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) # Get enum values # for a, b in self.enum.values.items(): for c in b: paths = x.get_tainted_packages().search_methods("{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src(_vm.get_class_manager())[1]: if method.get_class_name() == p.get_src(_vm.get_class_manager())[0]: mx = x.get_method(method) d = decompile.DvMethod(mx) d.process() _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Available logging methods: ") + "{0}".format(m))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available functions"))) while True: method = raw_input(t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print(s[1].show()) print(s[2].get_source()) if method == "back": break elif method == "list": for m in methods_set: print(t.green("[{0}] ".format(datetime.now()) + t.yellow("Available logging methods: ") + "{0}".format(m)))
def module_run(self, verbose=False): webviews = [] vulnerable = False funcs = [{ "name": "setJavaScriptEnabled", "default": False, "description": "Allows the WebView to execute Javascript." }, { "name": "setPluginsEnabled" if self.apk.get_min_sdk_version() < 8 else "setPluginState", "default": True, "description": "Allow the loading of plugins (ie. Flash)." }, { "name": "setAllowContentAccess", "default": True, "description": "WebView has access to content providers on the system." }, { "name": "setAllowFileAccess", "default": True, "description": "Allows a WebView to load content from the filesystem using file:// scheme." }, { "name": "setAllowFileAccessFromFileURLS", "default": True if self.apk.get_min_sdk_version() <= 15 else False, "description": "Allows the HTML file that was loaded using file:// scheme to access " "other files on the system" }, { "name": "setAllowUniversalAccessFromFilesURLS", "default": True if self.apk.get_min_sdk_version() <= 15 else False, "description": "Allows the HTML file that was loaded using file:// to " "access content from any origin (including other files)." }, { "name": "setSavePassword", "default": True, "description": "The WebView will save entered passwords." }] z = self.apk.vm_analysis.tainted_packages.search_packages("WebView") for p in z: method = self.apk.dalvik_vm_format.get_method_by_idx( p.get_src_idx()) if method.get_code() is None: continue if method.get_class_name()[1:-1] not in [ x["file"] for x in webviews ]: webview = { "file": method.get_class_name()[1:-1], "line": method.get_debug().get_line_start() } mx = self.apk.vm_analysis.get_method(method) ms = decompile.DvMethod(mx) try: ms.process() except AttributeError as e: self.warning( "Error while processing disassembled Dalvik method: %s" % e.message) source = ms.get_source() for func in funcs: matches = re.findall(r'%s\((.*?)\);' % func["name"], source) if len(matches) == 1: webview[func["name"]] = True if matches[ 0] == "1" or matches[0] == "true" else False else: webview[func["name"]] = func["default"] webviews.append(webview) for webview in webviews: if webview["setJavaScriptEnabled"]: vulnerable = True return { "results": webviews, "logs": "", "vulnerabilities": [ framework.Vulnerability( "Explicitly enabled Javascript in WebViews", "The application explicitly enable Javascript for multiple webviews.", framework.Vulnerability.MEDIUM, resources=webviews).__dict__ ] if vulnerable else [] }
def get_ast_method(self, m): mx = self.vmx.get_method(m) z = decompile.DvMethod(mx) z.process(doAST=True) return z.get_ast()
#!/usr/bin/env python import sys PATH_INSTALL = "./" sys.path.append(PATH_INSTALL) from androguard.core.bytecodes import dvm from androguard.core.analysis import analysis from androguard.decompiler.dad import decompile from androguard.util import read TEST = 'examples/android/TestsAndroguard/bin/classes.dex' vm = dvm.DalvikVMFormat(read(TEST, binary=False)) vmx = analysis.VMAnalysis(vm) # CFG for method in vm.get_methods(): mx = vmx.get_method(method) if method.get_code() == None: continue print method.get_class_name(), method.get_name(), method.get_descriptor() ms = decompile.DvMethod(mx) ms.process() print ms.get_source()
def run(self): """ Search for Web Browser API usage within target class and methods """ if self.vm_type == "apks": _x = analysis.uVMAnalysis(self.vm.get_vm()) _vm = self.vm.get_vm() _structure = list() if _x: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) for a, b in self.enum.values.items(): for c in b: paths = _x.get_tainted_packages().search_methods( "{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src( _vm.get_class_manager())[1]: if method.get_class_name( ) == p.get_src( _vm.get_class_manager())[0]: mx = _x.get_method(method) d = decompile.DvMethod(mx) try: d.process() except Exception as decompile_process_error: if decompile_process_error.message == \ "'Instruction31c' object has no attribute 'get_raw_string'": pass _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available bowser method: ") + "{0}".format(m))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available methods"))) while True: method = raw_input( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print("".join([ s[1].get_class_name(), "->", s[1].get_name(), s[1].get_descriptor(), s[1].get_access_flags_string() ])) print(s[1].show()) console.colorize_decompiled_method( str(s[2].get_source())) if method == "back": break elif method == "list": for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available bowser method: ") + "{0}".format(m))) elif self.vm_type == "dex": _x = analysis.uVMAnalysis(self.vm) _vm = self.vm _structure = list() if _x: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Performing surgery ..."))) for a, b in self.enum.values.items(): for c in b: paths = _x.get_tainted_packages().search_methods( "{0}".format(a), "{0}".format(c), ".") if paths: for p in paths: for method in self.vm.get_methods(): if method.get_name() == p.get_src( _vm.get_class_manager())[1]: if method.get_class_name( ) == p.get_src( _vm.get_class_manager())[0]: mx = _x.get_method(method) d = decompile.DvMethod(mx) try: d.process() except Exception as decompile_process_error: if decompile_process_error.message == \ "'Instruction31c' object has no attribute 'get_raw_string'": pass _structure.append((c, method, d)) methods = [s[0] for s in _structure] methods_set = set(methods) for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available bowser method: ") + "{0}".format(m))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'back\' to exit"))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter \'list\' to show available methods"))) while True: method = raw_input( t.green("[{0}] ".format(datetime.now()) + t.yellow("Enter method selection: "))) for s in _structure: if method == s[0]: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Found: ") + "{0}".format(s[0]))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Class: ") + "{0}".format(s[1].get_class_name()))) print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Method: ") + "{0}".format(s[1].get_name()))) print(s[1].show()) console.colorize_decompiled_method( str(s[2].get_source())) if method == "back": break elif method == "list": for m in methods_set: print( t.green("[{0}] ".format(datetime.now()) + t.yellow("Available bowser method: ") + "{0}".format(m)))