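def each(self, target):
    """Analyse one APK with androguard and run every registered APKPlugin on it.

    Args:
        target: path of the APK handed to ``AnalyzeAPK``. The file is
            untrusted input; every androguard failure is caught and logged
            rather than propagated.

    Returns:
        True, unconditionally (errors are reported through ``self.log``
        instead of being raised).

    Side effects:
        Rebuilds ``self.results`` with the extracted metadata and, when the
        analysis object is available, stores the app's internal classes via
        ``self._store_internal_classes``.
    """
    self.results = dict(
        name=None, files=[], package=None, permissions=[],
        declared_permissions=[], main_activity=None, activities=[],
        receivers=[], services=[], manifest=None, libraries=[],
        main_activity_content=None, internal_classes=[],
    )
    try:
        apk, vm, vm_analysis = AnalyzeAPK(target)

        # Basic information straight from the APK / manifest.
        self.results['name'] = apk.get_app_name()
        self.results['files'] = apk.get_files_types()
        self.results['package'] = apk.get_package()
        self.results['permissions'] = apk.get_details_permissions()
        self.results['declared_permissions'] = apk.get_declared_permissions_details()
        self.results['main_activity'] = apk.get_main_activity()
        self.results['activities'] = apk.get_activities()
        self.results['receivers'] = apk.get_receivers()
        self.results['services'] = apk.get_services()
        self.results['manifest'] = apk.get_android_manifest_axml().get_xml()
        self.results['libraries'] = list(apk.get_libraries())

        # Decompiled source of the main activity. The manifest's dotted class
        # name is turned into a JVM descriptor ("Lcom/x/Main;") for get_class().
        try:
            descriptor = "L{};".format(self.results['main_activity']).replace('.', '/')
            self.results['main_activity_content'] = vm[0].get_class(descriptor).get_source()
        except Exception:
            # No main activity, no dex, or a decompiler failure: keep None.
            # format_exc() (not print_exc(), which returns None) so the
            # traceback actually reaches the log.
            self.log('error', traceback.format_exc())

        try:
            self.results['internal_classes'] = self._get_internal_classes(vm_analysis)
            self._store_internal_classes()
        except Exception:
            self.log('error', traceback.format_exc())

        # Then run all APK plugins to see whether this is a known malware.
        for plugin_cls in APKPlugin.__subclasses__():
            plugin_cls(target, apk, vm, vm_analysis).apply(self)
    except Exception:
        # Narrow to Exception so KeyboardInterrupt/SystemExit still propagate.
        self.log('error', traceback.format_exc())
    return True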
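def _append_corpus_row(filename, fieldnames, row):
    """Append *row* to the corpus-wide CSV ``result/<filename>``.

    The shared files accumulate one line per scanned APK. No header is
    written here (the original left ``writeheader()`` commented out).
    """
    with open("result/" + filename, 'a', encoding='utf8') as csvfile:
        writer = csv.DictWriter(csvfile, fieldnames=fieldnames,
                                delimiter=";", lineterminator="\n")
        writer.writerow(row)


def _write_app_row(app_dir, filename, fieldnames, row):
    """(Over)write ``<app_dir>/<filename>`` with a header line plus *row*."""
    with open(app_dir + '/' + filename, 'w', encoding='utf8') as csvfile:
        writer = csv.DictWriter(csvfile, fieldnames=fieldnames,
                                delimiter=";", lineterminator="\n")
        writer.writeheader()
        writer.writerow(row)


def api_check(folder, APKname):
    """Extract static features from one APK and record them as CSV rows.

    Args:
        folder: directory holding the sample. It is concatenated directly
            with ``APKname`` (no separator is inserted), so callers pass it
            with a trailing slash.
        APKname: file name of the APK inside ``folder``.

    Returns:
        None. One row per sample is appended to the corpus-wide
        ``result/*.csv`` files, and a per-app snapshot is written under
        ``result/<folder><APKname>data/``. A sample that already has that
        directory, or that androguard fails to parse, is skipped with a
        message on stdout.
    """
    # NOTE(review): output paths are built from the sample's file name;
    # callers should pass plain basenames, not paths.
    app_dir = "result/" + folder + APKname + 'data'
    if os.path.exists(app_dir + '/'):
        print(APKname + " Already scanned")
        return
    print("Starting apk:" + APKname)
    apk_start_time = time.time()

    # One counter dict per feature family; every key starts at 0 so each
    # CSV row carries the full column set even when nothing was found.
    RESULTdict = dict.fromkeys(RESULT_PARAMS, 0)
    OtherDict = dict.fromkeys(('obfuscation', 'database'), 0)
    APIdict = dict.fromkeys((API_CALLS + API_ClASS), 0)
    permission_dict = dict.fromkeys(PERMISSIONS, 0)
    strings_dict = dict.fromkeys(API_SYSTEM_COMMANDS, 0)
    groupAPI_dict = dict.fromkeys(APIGROUPS, 0)

    # a: APK, d[0]: DalvikVMFormat, dx: Analysis. The sample is untrusted
    # input; a parser failure is reported and the file skipped.
    try:
        a, d, dx = AnalyzeAPK(folder + APKname)
    except Exception:
        print(" ERROR: Androguard parse error, skipping file")
        return

    RESULTdict["APP_Name"] = APKname
    RESULTdict['folder'] = folder

    # Suspicious strings: system commands referenced in the dex string pool.
    strings = dx.get_strings_analysis()
    list_system_commands = read_system_commands(strings, API_SYSTEM_COMMANDS)
    RESULTdict["warn_strings"] = list(list_system_commands)
    for command in list_system_commands:
        strings_dict[command] += 1

    # General information.
    RESULTdict['permissions'] = a.get_permissions()
    RESULTdict['activities'] = a.get_activities()
    RESULTdict['providers'] = a.get_providers()
    RESULTdict['services'] = a.get_services()
    RESULTdict['libraries'] = a.get_libraries()
    RESULTdict['is_obfuscation'] = 1 if is_ascii_obfuscation(d[0]) else 0
    RESULTdict['is_database'] = 1 if d[0].get_regex_strings(DB_REGEX) else 0
    # TODO intents_analysis from new.py
    OtherDict['obfuscation'] = RESULTdict['is_obfuscation']
    OtherDict['database'] = RESULTdict['is_database']

    # Permissions of interest that the manifest actually requests.
    RESULTdict['warn_permissions'] = []
    for permission in PERMISSIONS:
        if permission in RESULTdict['permissions']:
            RESULTdict['warn_permissions'].append(permission)
            permission_dict[permission] = 1

    # API calls / classes and API groups, counted over every external method.
    # TODO count API groups and system commands for the feature vector.
    # TODO permission_api_name https://androguard.readthedocs.io/en/latest/api/androguard.core.analysis.html?highlight=permission#androguard.core.analysis.analysis.ExternalMethod.permission_api_name
    RESULTdict['API_groups'] = []
    for external_class in dx.get_external_classes():
        for method in external_class.get_vm_class().get_methods():
            # Distinct names here: the original reused ``a`` and silently
            # clobbered the APK object.
            class_name = str(method.get_class_name().replace(';', ''))
            method_name = str(method.get_name())
            if method_name in API_CALLS:
                APIdict[method_name] += 1  # TODO data normalisation is needed
            if class_name in API_ClASS:
                APIdict[class_name] += 1
            group = GroupAPI_Checker.checkAPIGroup(
                class_name.replace('/', '.')[1:], method_name)
            if group is not None:
                groupAPI_dict[group] += 1
                RESULTdict['API_groups'].append(group)

    # Corpus-wide files: one appended row per sample, tagged with app and folder.
    tag = {'APP_Name': APKname, 'folder': folder}
    _append_corpus_row('API_CALLS.csv',
                       ('APP_Name', 'folder') + API_CALLS + API_ClASS,
                       dict(APIdict, **tag))
    _append_corpus_row('OtherDict.csv',
                       ('APP_Name', 'folder', 'obfuscation', 'database'),
                       dict(OtherDict, **tag))
    _append_corpus_row('permission_dict.csv',
                       ('APP_Name', 'folder') + PERMISSIONS,
                       dict(permission_dict, **tag))
    _append_corpus_row('strings_dict.csv',
                       ('APP_Name', 'folder') + API_SYSTEM_COMMANDS,
                       dict(strings_dict, **tag))
    _append_corpus_row('groupAPI_dict.csv',
                       ('APP_Name', 'folder') + APIGROUPS,
                       dict(groupAPI_dict, **tag))
    _append_corpus_row('RESULTdict.csv', RESULT_PARAMS, RESULTdict)

    # Per-app snapshot. makedirs also handles a nested ``folder``; an
    # existing directory still raises OSError, as the mkdir chain did.
    try:
        os.makedirs(app_dir)
    except OSError:
        print("Создать директорию %s не удалось" % app_dir)
    else:
        _write_app_row(app_dir, 'RESULT.csv', RESULT_PARAMS, RESULTdict)
        _write_app_row(app_dir, 'OtherDict.csv', ('obfuscation', 'database'), OtherDict)
        _write_app_row(app_dir, 'APIdict.csv', API_CALLS + API_ClASS, APIdict)
        _write_app_row(app_dir, 'permission_dict.csv', PERMISSIONS, permission_dict)
        _write_app_row(app_dir, 'strings_dict.csv', API_SYSTEM_COMMANDS, strings_dict)
        _write_app_row(app_dir, 'groupAPI_dict.csv', APIGROUPS, groupAPI_dict)
    print("APK done:{} ".format(time.time() - apk_start_time))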
apk.get_providers(), 'new_permissions': extract_new_permissions(apk.get_permissions()), 'filters': get_intent_filers(apk), 'certificate': {}, 'wearable': apk.is_wearable(), 'max_sdk_version': (apk.get_max_sdk_version()), 'min_sdk_version': int(apk.get_min_sdk_version()), 'version_code': apk.xml['AndroidManifest.xml'].get( '{http://schemas.android.com/apk/res/android}versionCode'), 'libraries': list(apk.get_libraries()), 'androidtv': apk.is_androidtv(), 'target_sdk_version': apk.get_target_sdk_version(), 'api_keys': {}, # TODO 'activities': apk.get_activities(), 'main_activity': apk.get_main_activity(), 'receivers': apk.get_receivers(), 'signature_name': apk.get_signature_name(), 'dexes': {}, 'displayed_version':