def each(self, target): self.results = dict() try: # lief oat = lief.parse(target) oat_dict = json.loads(lief.to_json(oat), parse_int=str) self.results.update(oat_dict) # add extracted dex files for idx, dex_file in enumerate(oat.dex_files): temp = tempdir() fname = 'classes_{}.dex'.format(str(idx)) dex_filepath = os.path.join(temp, fname) dex_file.save(dex_filepath) if os.path.isfile(dex_filepath): self.add_extracted_file(dex_filepath) # androguard sha256, vm, vm_analysis = AnalyzeDex(target) aguard_dict = { 'androguard': { 'internal_classes': self._get_internal_classes(vm_analysis) } } self.results.update(aguard_dict) except: self.log('error', traceback.print_exc()) return True
def each(self, target): self.results = dict() self.results['urls'] = [] try: apk, vm, vm_analysis = AnalyzeAPK(target) except: self.log('error', '[+] AnalyzeAPK failed, running AnalyzeDex') apk = None vm, vm_analysis = AnalyzeDex(target) self.results['dex'] = True strings = [] for v in vm: strings.extend(v.get_strings()) for s in strings: for regex_str in r: match = re.search(regex_str, s, re.IGNORECASE) if match: self.results['urls'].append(match.group(0)) self.results['urls'] = list(set(self.results['urls'])) # Add observables for url in self.results['urls']: self.add_ioc(url) return True
def each(self, target): self.results = dict() try: apk, vm, vm_analysis = AnalyzeAPK(target) # First, get basic information about the APK self.results['name'] = apk.get_app_name() self.results['package'] = apk.get_package() self.results['permissions'] = apk.get_permissions() self.results['main_activity'] = apk.get_main_activity() self.results['receivers'] = apk.get_receivers() self.results['services'] = apk.get_services() self.results['main_activity_content'] = vm.get_class("L{};".format( self.results['main_activity']).replace('.', '/')).get_source() except: apk = None vm, vm_analysis = AnalyzeDex(target) self.results['dex'] = True # Then, run all the APK Plugins in order to see if this is a known malware for plugin in APKPlugin.__subclasses__(): plugin = plugin(target, apk, vm, vm_analysis) plugin.apply(self) return True
def testXrefOffsetsFields(self): """Tests if Field offsets in bytecode are correctly stored""" _, _, dx = AnalyzeDex('examples/tests/FieldsTest.dex') self.assertEqual(len(dx.get_strings()), 4) self.assertIn('hello world', dx.strings.keys()) self.assertIn('sdf', dx.strings.keys()) self.assertIn('hello mars', dx.strings.keys()) self.assertIn('i am static', dx.strings.keys()) afield = next(dx.find_fields(fieldname='afield')) self.assertEqual(len(afield.get_xref_read()), 1) # always same method self.assertEqual(len(afield.get_xref_read(withoffset=True)), 2) self.assertListEqual( list( sorted( map(itemgetter(2), afield.get_xref_read(withoffset=True)))), [4, 40]) self.assertListEqual( list( map(lambda x: x.name, map(itemgetter(1), afield.get_xref_read(withoffset=True)))), ["foonbar", "foonbar"]) self.assertEqual(len(afield.get_xref_write()), 2) self.assertEqual(len(afield.get_xref_write(withoffset=True)), 2) self.assertListEqual( list( sorted( map(itemgetter(2), afield.get_xref_write(withoffset=True)))), [10, 32]) self.assertListEqual( list( sorted( map( lambda x: x.name, map(itemgetter(1), afield.get_xref_write(withoffset=True))))), sorted(["<init>", "foonbar"])) cfield = next(dx.find_fields(fieldname='cfield')) # this one is static, hence it must have a write in <clinit> self.assertListEqual( list( sorted( map( lambda x: x.name, map(itemgetter(1), cfield.get_xref_write(withoffset=True))))), sorted(["<clinit>"])) self.assertListEqual( list( sorted( map( lambda x: x.name, map(itemgetter(1), cfield.get_xref_read(withoffset=True))))), sorted(["foonbar"]))
def getStringsClassSource(a, d, dx, DEXFileLocation): target="" init="" main=a.get_main_activity() if(main[-12:]=="MainActivity"): print("Looks like this sample isn't Cerberus, maybe Anubis.") spl=main.split(".") outer="" print(main) for m in spl[:-1]: outer+=m+"." h, d, dx = AnalyzeDex(DEXFileLocation) lst=[] target_obj=dx.classes[Utils.javaish(main)] for meth in target_obj.get_methods(): if(meth.get_method().get_name() == "<init>"): for line in meth.get_method().get_source().splitlines(): btw=Utils.between(line, "= new ", "();") if( outer[:-1] in btw): lst.append(btw) lst = list(dict.fromkeys(lst)) for sinif in lst: sin=dx.classes[Utils.javaish(sinif)] for meth in sin.get_methods(): if(meth.get_method().get_name() == "<init>"): cfg_src=meth.get_method().get_source() break return cfg_src
def load_analysis(filename): """Return an AnalysisObject depding on the filetype""" ret_type = androconf.is_android(filename) if ret_type == "APK": _, _, dx = AnalyzeAPK(filename) return dx if ret_type == "DEX": _, _, dx = AnalyzeDex(filename) return dx return None
def __init__(self, apk_filepath: Union[str, PathLike]): super().__init__(apk_filepath, "androguard") if self.ret_type == "APK": # return the APK, list of DalvikVMFormat, and Analysis objects self.apk, self.dalvikvmformat, self.analysis = AnalyzeAPK( apk_filepath) elif self.ret_type == "DEX": # return the sha256hash, DalvikVMFormat, and Analysis objects _, _, self.analysis = AnalyzeDex(apk_filepath) else: raise ValueError("Unsupported File type.")
def testXrefOffsets(self): """Tests if String offsets in bytecode are correctly stored""" _, _, dx = AnalyzeDex('examples/tests/AnalysisTest.dex') self.assertEqual(len(dx.get_strings()), 1) self.assertIsInstance(dx.strings['Hello world'], analysis.StringAnalysis) sa = dx.strings['Hello world'] self.assertEqual(len(sa.get_xref_from()), 1) self.assertEqual(len(sa.get_xref_from(withoffset=True)), 1) self.assertEqual(next(iter(sa.get_xref_from(withoffset=True)))[2], 4) # offset is 4
def testArrays(self): h, d, dx = AnalyzeDex("examples/tests/FillArrays.dex") z, = d.get_classes() self.assertIn("{20, 30, 40, 50};", z.get_source()) self.assertIn("{1, 2, 3, 4, 5, 999, 10324234};", z.get_source()) self.assertIn("{97, 98, 120, 122, 99};", z.get_source()) self.assertIn("{5, 10, 15, 20};", z.get_source()) # Failed version of char array self.assertNotIn("{97, 0, 98, 0, 120};", z.get_source()) # Failed version of short array self.assertNotIn("{5, 0, 10, 0};", z.get_source())
def list_XREF(file): """ List all XREF in the methods of a binary """ try: a, d, dx = AnalyzeAPK(file) except zipfile.BadZipfile: # if file is not an APK, may be a dex object d, dx = AnalyzeDex(file) for method in dx.get_methods(): print(method.name) print("XREFfrom:", [m[1].name for m in method.get_xref_from()]) print("XREFto:", [m[1].name for m in method.get_xref_to()])
def testAnalysis(self): h, d, dx = AnalyzeDex("examples/tests/AnalysisTest.dex") self.assertEqual(h, "4595fc25104f3fcd709163eb70ca476edf116753607ec18f09548968c71910dc") self.assertIsInstance(d, dvm.DalvikVMFormat) self.assertIsInstance(dx, analysis.Analysis) cls = ["Ljava/io/PrintStream;", "Ljava/lang/Object;", "Ljava/math/BigDecimal;", "Ljava/math/BigInteger;"] for c in cls: self.assertIn(c, map(lambda x: x.orig_class.get_name(), dx.get_external_classes()))
def testExtends(self): h, d, dx = AnalyzeDex('examples/tests/ExceptionHandling.dex') cls = dx.classes['LSomeException;'] self.assertEquals(cls.extends, 'Ljava/lang/Exception;') self.assertEquals(cls.name, 'LSomeException;') self.assertFalse(cls.is_external()) cls = dx.classes['Ljava/lang/Exception;'] self.assertEquals(cls.extends, 'Ljava/lang/Object;') self.assertEquals(cls.name, 'Ljava/lang/Exception;') self.assertEquals(cls.implements, []) self.assertTrue(cls.is_external())
def __init__(self, filename): self.filename = filename try: self.a = APK(filename) self.d = DalvikVMFormat(self.a.get_dex()) self.d.create_python_export() self.dx = Analysis(self.d) except zipfile.BadZipfile: # if file is not an APK, may be a dex object _, self.d, self.dx = AnalyzeDex(self.filename) self.d.set_vmanalysis(self.dx) self.dx.create_xref() self.fcg = self.build_fcg()
def __init__(self, apk_filepath): """Information about apk based on androguard analysis""" self.ret_type = androconf.is_android(apk_filepath) if self.ret_type == "APK": # return the APK, list of DalvikVMFormat, and Analysis objects self.apk, self.dalvikvmformat, self.analysis = AnalyzeAPK(apk_filepath) if self.ret_type == "DEX": # return the sha256hash, DalvikVMFormat, and Analysis objects _, _, self.analysis = AnalyzeDex(apk_filepath) self.apk_filename = os.path.basename(apk_filepath) self.apk_filepath = apk_filepath
def each(self, target): self.results = dict() try: # lief binary = lief.DEX.parse(target) lief_dict = {'lief': json.loads(lief.to_json(binary), parse_int=str)} self.results.update(lief_dict) # androguard sha256, vm, vm_analysis = AnalyzeDex(target) aguard_dict = {'androguard': {'internal_classes':self._get_internal_classes(vm_analysis)}} self.results.update(aguard_dict) except: self.log('error', traceback.print_exc()) return True
def __init__(self, apkpath): self.ret_type = androconf.is_android(apkpath) self.buff_method_set = set() if self.ret_type == "APK": # return the APK, list of DalvikVMFormat, and Analysis objects _, _, self.analysis = AnalyzeAPK(apkpath) if self.ret_type == "DEX": # return the sha256hash, DalvikVMFormat, and Analysis objects _, _, self.analysis = AnalyzeDex(apkpath) for method_analysis in self.analysis.get_methods(): self.buff_method_set.add(method_analysis) del _
def __init__(self, filename): self.filename = filename # print(os.path.exists(filename)) # a,d,dx = AnalyzeAPK(filename) # print(dx.get_call_graph()) try: self.a = APK(filename) self.d = DalvikVMFormat(self.a.get_dex()) self.d.create_python_export() self.dx = Analysis(self.d) except zipfile.BadZipfile: # if file is not an APK, may be a dex object _, self.d, self.dx = AnalyzeDex(self.filename) self.d.set_vmanalysis(self.dx) self.dx.create_xref() self.fcg = self.build_fcg()
def testDexWrapper(self): from androguard.misc import AnalyzeDex from androguard.core.bytecodes.dvm import DalvikVMFormat from androguard.core.analysis.analysis import Analysis h, d, dx = AnalyzeDex( "examples/android/TestsAndroguard/bin/classes.dex") self.assertEqual( h, '2f24538b3064f1f88d3eb29ee7fbd2146779a4c9144aefa766d18965be8775c7') self.assertIsInstance(d, DalvikVMFormat) self.assertIsInstance(dx, Analysis) classes = d.get_classes() self.assertTrue(classes) self.assertEqual(len(classes), 340) methods = d.get_methods() self.assertTrue(methods) self.assertEqual(len(methods), 2600) fields = d.get_fields() self.assertTrue(fields) self.assertEqual(len(fields), 803)
def testInterfaces(self): h, d, dx = AnalyzeDex('examples/tests/InterfaceCls.dex') cls = dx.classes['LInterfaceCls;'] self.assertIn('Ljavax/net/ssl/X509TrustManager;', cls.implements) self.assertEquals(cls.name, 'LInterfaceCls;')
def get_detailed_analysis(self): from androguard.misc import AnalyzeDex self.d, self.dx = AnalyzeDex(self.a.get_dex(), raw=True)
def testSimplification(self): h, d, dx = AnalyzeDex("examples/tests/Test.dex") z, = d.get_classes() self.assertIn("return ((23 - p3) | ((p3 + 66) & 26));", z.get_source())