def extract_permissions(file):
a = APK(file)
d = DalvikVMFormat(a.get_dex())
dx = VMAnalysis(d)
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.uVMAnalysis(vm)
d.set_vmanalysis(dx)
d.set_decompiler(DecompilerDAD(d, dx))
return a.get_permissions()
def extract_features(file_path):
#result = []
try:
a = APK(file_path)
d = DalvikVMFormat(a.get_dex())
dx = Analysis(d)
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.uAnalysis(vm)
d.set_Analysis(dx)
d.set_decompiler(DecompilerDAD(d, dx))
except:
return None
return a.get_permissions() #it will return permission
def on_complete(self):
receivers = self.get_results("apkinfo", {}).get("manifest", {}).get("receivers", {})
activities = self.get_results("apkinfo", {}).get("manifest", {}).get("activities", {})
services = self.get_results("apkinfo", {}).get("manifest", {}).get("services", {})
app_path = self.get_results("target",{}).get("file",{}).get("path", None)
if not app_path:
return False
if not os.path.exists(app_path):
return False
app_apk = APK(app_path)
dvm = DalvikVMFormat(app_apk.get_dex())
classes = set()
for cls in dvm.get_classes():
classes.add(cls.name)
for receiver in receivers:
if self.convert_class(receiver) not in classes:
return True
for activity in activities:
if self.convert_class(activity) not in classes:
return True
for service in services:
if self.convert_class(service) not in classes:
return True
class ApkAnalysis:
def __init__(self, apk_name):
self.apk_name = apk_name
self.apk = INPUT_APK_DIR + self.apk_name + ".apk"
# analyze the dex file
self.a = APK(self.apk)
# get the vm analysis
self.d = DalvikVMFormat(self.a.get_dex())
self.dx = VMAnalysis(self.d)
self.gx = GVMAnalysis(self.dx, None)
self.d.set_vmanalysis(self.dx)
self.d.set_gvmanalysis(self.gx)
# create the cross reference
self.d.create_xref()
self.d.create_dref()
def get_all_activities_results(self):
activity_names = self.a.get_activities()
return [
StaticAnalysisResult(self.apk_name, None, a,
VulnType.selected_activities.value, True)
for a in activity_names
]
def get_smart_input(self):
return GetFieldType(self).analyze()
class AndroguardAnalysis(object):
def __init__(self, app_path):
self.app_path = app_path
from androguard.core.bytecodes.apk import APK
self.a = APK(app_path)
self.d = None
self.dx = None
def get_detailed_analysis(self):
from androguard.misc import AnalyzeDex
self.d, self.dx = AnalyzeDex(self.a.get_dex(), raw=True)
def get_developer_name(self):
developer = "Unknown"
if (self.a.is_signed()):
try:
signatures = self.a.get_signature_names()
for signature in signatures:
cert = self.a.get_certificate(signature)
issuer = get_certificate_name_string(cert.issuer)
attr_list = issuer.split(',')
for attr in attr_list:
if attr.startswith(
" organizationName") or attr.startswith(
"organizationName"):
developer = attr.split('=')[1]
except ValueError:
print("certificat endommagée ... ")
return developer
def test(app_path):
if not app_path:
return False
if not os.path.exists(app_path):
return False
app_apk = APK(app_path)
dvm = DalvikVMFormat(app_apk.get_dex())
receivers = app_apk.get_receivers()
activities = app_apk.get_activities()
services = app_apk.get_services()
for activity in activities:
if not check_class_in_dex(dvm, activity):
return True
for receiver in receivers:
if not check_class_in_dex(dvm, receiver):
return True
for service in services:
if not check_class_in_dex(dvm, service):
return True
return False
def get_apis(path):
application = APK(path)
application_dex = DalvikVMFormat(application.get_dex())
application_x = Analysis(application_dex)
methods = set()
cs = [cc.get_name() for cc in application_dex.get_classes()]
for method in application_dex.get_methods():
g = application_x.get_method(method)
if method.get_code() == None:
continue
for i in g.get_basic_blocks().get():
for ins in i.get_instructions():
output = ins.get_output()
match = re.search(r'(L[^;]*;)->[^\(]*\([^\)]*\).*', output)
if match and match.group(1) not in cs:
methods.add(match.group())
methods = list(methods)
return methods
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"]:
return
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes.dvm import DalvikVMFormat
from androguard.core.analysis.analysis import uVMAnalysis
from androguard.core.analysis import analysis
f = File(self.task["target"])
if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
# manifest["permissions"]=a.get_details_permissions_new()
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
# manifest["receivers_actions"]=a.get__extended_receivers()
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
# apkinfo["certificate"] = a.get_certificate()
static_calls = {}
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
static_calls["all_methods"] = self.get_methods(vmx)
static_calls["is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(vmx)
static_calls["is_reflection_code"] = analysis.is_reflection_code(vmx)
# static_calls["dynamic_method_calls"]= analysis.get_show_DynCode(vmx)
# static_calls["reflection_method_calls"]= analysis.get_show_ReflectionCode(vmx)
# static_calls["permissions_method_calls"]= analysis.get_show_Permissions(vmx)
# static_calls["crypto_method_calls"]= analysis.get_show_CryptoCode(vmx)
# static_calls["native_method_calls"]= analysis.get_show_NativeMethods(vmx)
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, zipfile.BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
f = File(self.task["target"])
if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError(
"Sample file doesn't exist: \"%s\"" % self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
# manifest["permissions"]=a.get_details_permissions_new()
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
# manifest["receivers_actions"]=a.get__extended_receivers()
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
# apkinfo["certificate"] = a.get_certificate()
static_calls = {}
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
static_calls["all_methods"] = self.get_methods(vmx)
static_calls[
"is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(
vmx)
static_calls[
"is_reflection_code"] = analysis.is_reflection_code(
vmx)
# static_calls["dynamic_method_calls"]= analysis.get_show_DynCode(vmx)
# static_calls["reflection_method_calls"]= analysis.get_show_ReflectionCode(vmx)
# static_calls["permissions_method_calls"]= analysis.get_show_Permissions(vmx)
# static_calls["crypto_method_calls"]= analysis.get_show_CryptoCode(vmx)
# static_calls["native_method_calls"]= analysis.get_show_NativeMethods(vmx)
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
class GetFieldType:
predictions = {}
def __init__(self, args):
self.apk = args.apk
self.verbosity = args.verbosity
self.output_location = args.output_location
self.file_identifier = args.apk.split('.')[0]
self.file_identifier = self.file_identifier[-24:]
# print "Analyzing " + self.apk
# print " Output Location " + self.output_location
# print "File Identifier " + self.file_identifier
# analyze the dex file
print "From LOCATION = ",self.apk
self.a = APK(self.apk)
# get the vm analysis
self.d = DalvikVMFormat(self.a.get_dex())
self.dx = VMAnalysis(self.d)
self.gx = GVMAnalysis(self.dx, None)
self.d.set_vmanalysis(self.dx)
self.d.set_gvmanalysis(self.gx)
# create the cross reference
self.d.create_xref()
self.d.create_dref()
print 'CWD: ', os.getcwd()
predictor = Predict_Input(self.output_location,self.file_identifier)
self.predictions = predictor.predict(self.apk, self.apk[:-4],self.output_location,self.file_identifier)
try:
# get the classes for this apk
# store them in a dict
self.classes = self.get_class_dict()
# Find the R$layout class
self.Rlayout = self.get_RLayout(self.d.get_classes())
# Find the R$id class
self.Rid = self.get_Rid(self.d.get_classes())
# Store all fields referenced in R$id
self.fields, self.field_refs = self.get_fields(self.Rid)
except Exception, e:
print e
class CFG():
def __init__(self, filename):
self.filename = filename
try:
self.a = APK(filename)
self.d = DalvikVMFormat(self.a.get_dex())
self.d.create_python_export()
self.dx = Analysis(self.d)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
_, self.d, self.dx = AnalyzeDex(self.filename)
self.d.set_vmanalysis(self.dx)
self.dx.create_xref()
self.cfg = self.build_cfg()
def get_cg(self):
return self.cfg
def get_cfg(self):
return self.dx.get_call_graph()
def build_cfg(self):
""" Using NX and Androguard, build a directed graph NX object so that:
- node names are analysis.MethodClassAnalysis objects
- each node has a label that encodes the method behavior
"""
cfg = self.get_cfg() ##/////////My changes///////////////
for n in cfg.nodes:
instructions = []
# print(n)
try:
ops = n.get_instructions()
for i in ops:
instructions.append(i.get_name())
# print(ops)
encoded_label = self.color_instructions(instructions)
# print("No Exception")
except AttributeError:
encoded_label = np.array([0] * 15)
cfg.node[n]["label"] = encoded_label
return cfg
def color_instructions(self, instructions):
""" Node label based on coloring technique by Kruegel """
h = [0] * len(INSTRUCTION_CLASS_COLOR)
for i in instructions:
h[INSTRUCTION_SET_COLOR[i]] = 1
return np.array(h)
def get_classes_from_label(self, label):
classes = [
INSTRUCTION_CLASSES[i] for i in range(len(label)) if label[i] == 1
]
return classes
def parse_apk(path):
"""
Parse an apk file to my custom bytecode output
:param path: the path to the
:rtype: string
"""
# Load our example APK
a = APK(path)
# Create DalvikVMFormat Object
#d = DalvikVMFormat(a)
return a.get_dex()
def GetAnalyzedDex(sample_name):
a = APK(sample_name)
d = dvm.DalvikVMFormat(a.get_dex())
dx = analysis.Analysis(d)
if type(dx) is list:
dx = dx[0]
dx.create_xref()
return dx
class GetFieldType:
predictions = {}
def __init__(self, args):
self.apk = args.apk
self.verbosity = args.verbosity
self.output_location = args.output_location
self.file_identifier = args.apk.split('.')[0]
self.file_identifier = self.file_identifier[-24:]
# print "Analyzing " + self.apk
# print " Output Location " + self.output_location
# print "File Identifier " + self.file_identifier
# analyze the dex file
print "From LOCATION = ", self.apk
self.a = APK(self.apk)
# get the vm analysis
self.d = DalvikVMFormat(self.a.get_dex())
self.dx = VMAnalysis(self.d)
self.gx = GVMAnalysis(self.dx, None)
self.d.set_vmanalysis(self.dx)
self.d.set_gvmanalysis(self.gx)
# create the cross reference
self.d.create_xref()
self.d.create_dref()
print 'CWD: ', os.getcwd()
predictor = Predict_Input(self.output_location, self.file_identifier)
self.predictions = predictor.predict(self.apk, self.apk[:-4],
self.output_location,
self.file_identifier)
try:
# get the classes for this apk
# store them in a dict
self.classes = self.get_class_dict()
# Find the R$layout class
self.Rlayout = self.get_RLayout(self.d.get_classes())
# Find the R$id class
self.Rid = self.get_Rid(self.d.get_classes())
# Store all fields referenced in R$id
self.fields, self.field_refs = self.get_fields(self.Rid)
except Exception, e:
print e
class AndroguardAnalysis(object):
"""
analysis result of androguard
"""
def __init__(self, app_path):
"""
:param app_path: local file path of app, should not be None
analyse app specified by app_path
"""
self.app_path = app_path
from androguard.core.bytecodes.apk import APK
self.a = APK(app_path)
def get_detailed_analysis(self):
from androguard.misc import AnalyzeDex
self.d, self.dx = AnalyzeDex(self.a.get_dex(), raw=True)
class AndroguardAnalysis(object):
"""
analysis result of androguard
"""
def __init__(self, app_path):
"""
:param app_path: local file path of app, should not be None
analyse app specified by app_path
"""
self.app_path = app_path
from androguard.core.bytecodes.apk import APK
self.a = APK(app_path)
def get_detailed_analysis(self):
from androguard.misc import AnalyzeDex
self.d, self.dx = AnalyzeDex(self.a.get_dex(), raw=True)
def analyze_apk(filename, raw=False, decompiler=None):
"""
Analyze an android application and setup all stuff for a more quickly analysis !
:param filename: the filename of the android application or a buffer which represents the application
:type filename: string
:param raw: True is you would like to use a buffer (optional)
:type raw: boolean
:param decompiler: ded, dex2jad, dad (optional)
:type decompiler: string
:rtype: return the :class:`APK`, :class:`DalvikVMFormat`, and :class:`VMAnalysis` objects
"""
a = APK(filename, raw)
d, dx = analyze_dex(a.get_dex(), raw=True, decompiler=decompiler)
return a, d, dx
def analyze_apk(filename, raw=False, decompiler=None):
"""
Analyze an android application and setup all stuff for a more quickly analysis !
:param filename: the filename of the android application or a buffer which represents the application
:type filename: string
:param raw: True is you would like to use a buffer (optional)
:type raw: boolean
:param decompiler: ded, dex2jad, dad (optional)
:type decompiler: string
:rtype: return the :class:`APK`, :class:`DalvikVMFormat`, and :class:`VMAnalysis` objects
"""
a = APK(filename, raw)
d, dx = analyze_dex(a.get_dex(), raw=True, decompiler=decompiler)
return a, d, dx
def perform_analysis(self):
if self.apk_file and os.path.exists(self.apk_file):
try:
apk = APK(self.apk_file)
except Exception, ex:
print ex
return
# Intents
self.intents = apk.get_elements('action', 'android:name')
# Create DalvikFormat
dalvik_vm_format = None
try:
dalvik_vm_format = DalvikVMFormat( apk.get_dex() )
except Exception, ex:
print ex
return
class GetFieldType:
def __init__(self, args):
self.apk = args.apk
self.verbosity = args.verbosity
print "Analyzing " + self.apk
# analyze the dex file
self.a = APK(self.apk)
# get the vm analysis
self.d = DalvikVMFormat(self.a.get_dex())
self.dx = VMAnalysis(self.d)
self.gx = GVMAnalysis(self.dx, None)
self.d.set_vmanalysis(self.dx)
self.d.set_gvmanalysis(self.gx)
# create the cross reference
self.d.create_xref()
self.d.create_dref()
try:
# get the classes for this apk
# store them in a dict
self.classes = self.get_class_dict()
# Find the R$layout class
self.Rlayout = self.get_RLayout(self.d.get_classes())
# Find the R$id class
self.Rid = self.get_Rid(self.d.get_classes())
# Store all fields referenced in R$id
self.fields, self.field_refs = self.get_fields(self.Rid)
except Exception, e:
print e
class GetFieldType:
def __init__(self, args):
self.apk = args.apk
self.verbosity = args.verbosity
print "Analyzing " + self.apk
# analyze the dex file
self.a = APK(self.apk)
# get the vm analysis
self.d = DalvikVMFormat(self.a.get_dex())
self.dx = VMAnalysis(self.d)
self.gx = GVMAnalysis(self.dx, None)
self.d.set_vmanalysis(self.dx)
self.d.set_gvmanalysis(self.gx)
# create the cross reference
self.d.create_xref()
self.d.create_dref()
try:
# get the classes for this apk
# store them in a dict
self.classes = self.get_class_dict()
# Find the R$layout class
self.Rlayout = self.get_RLayout(self.d.get_classes())
# Find the R$id class
self.Rid = self.get_Rid(self.d.get_classes())
# Store all fields referenced in R$id
self.fields, self.field_refs = self.get_fields(self.Rid)
except Exception, e:
print e
class PDG():
def __init__(self, filename):
"""
:type self: object
"""
self.filename = filename
try:
self.a = APK(filename)
self.d = DalvikVMFormat(self.a.get_dex())
self.d.create_python_export()
self.dx = Analysis(self.d)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
_, self.d, self.dx = AnalyzeDex(self.filename)
self.d.set_vmanalysis(self.dx)
self.dx.create_xref()
self.fcg = self.dx.get_call_graph()
self.icfg = self.build_icfg()
def get_graph(self):
return self.icfg
def build_icfg(self):
icfg = nx.DiGraph()
methods = self.d.get_methods()
for method in methods:
for bb in self.dx.get_method(method).basic_blocks.get():
children = []
label = self.get_bb_label(bb)
children = self.get_children(bb, self.dx)
icfg.add_node(label)
icfg.add_edges_from([(label, child) for child in children])
return icfg
def get_bb_label(self, bb):
""" Return the descriptive name of a basic block
"""
return self.get_method_label(bb.method) + (bb.name, )
def get_method_label(self, method):
""" Return the descriptive name of a method
"""
return (method.get_class_name(), method.get_name(),
method.get_descriptor())
def get_children(self, bb, dx):
""" Return the labels of the basic blocks that are children of the
input basic block in and out of its method
"""
return self.get_bb_intra_method_children(
bb) + self.get_bb_extra_method_children(bb, dx)
def get_bb_intra_method_children(self, bb):
""" Return the labels of the basic blocks that are children of the
input basic block within a method
"""
child_labels = []
for c_in_bb in bb.get_next():
next_bb = c_in_bb[2]
child_labels.append(self.get_bb_label(next_bb))
return child_labels
def get_bb_extra_method_children(self, bb, dx):
""" Given a basic block, find the calls to external methods and
return the label of the first basic block in these methods
"""
call_labels = []
# iterate over calls from bb method to external methods
try:
xrefs = dx.get_method_analysis(bb.method).get_xref_to()
except AttributeError:
return call_labels
for xref in xrefs:
remote_method_offset = xref[2]
if self.call_in_bb(bb, remote_method_offset):
try:
remote_method = dx.get_method(
self.d.get_method_by_idx(remote_method_offset))
if remote_method:
remote_bb = next(remote_method.basic_blocks.get())
call_labels.append(self.get_bb_label(remote_bb))
except StopIteration:
pass
return call_labels
def call_in_bb(self, bb, idx):
return bb.get_start() <= idx <= bb.get_end()
def extract_features(file_path):
result = {}
try:
a = APK(file_path)
d = DalvikVMFormat(a.get_dex())
dx = Analysis(d)
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.Analysis(vm)
d.set_vmanalysis(dx)
d.set_decompiler(DecompilerDAD(d, dx))
except Exception as e:
print e
return None
result['android_version_code'] = a.get_androidversion_code()
result['android_version_name'] = a.get_androidversion_name()
result['max_sdk'] = a.get_max_sdk_version()
result['min_sdk'] = a.get_min_sdk_version()
result['libraries'] = a.get_libraries()
result['filename'] = a.get_filename()
result['target_sdk'] = a.get_target_sdk_version()
result['md5'] = hashlib.md5(a.get_raw()).hexdigest()
result['sha256'] = hashlib.sha256(a.get_raw()).hexdigest()
result['permissions'] = a.get_permissions()
result['activities'] = a.get_activities()
result['providers'] = a.get_providers()
result['services'] = a.get_services()
result['strings'] = d.get_strings()
result['class_names'] = [c.get_name() for c in d.get_classes()]
result['method_names'] = [m.get_name() for m in d.get_methods()]
result['field_names'] = [f.get_name() for f in d.get_fields()]
# result['is_native_code'] = 1 if analysis.is_native_code(dx) else 0
result['is_obfuscation'] = 1 if analysis.is_ascii_obfuscation(d) else 0
# result['is_crypto_code'] = 1 if analysis.is_crypto_code(dx) else 0
# result['is_dyn_code'] = 1 if analysis.is_dyn_code(dx) else 0
# result['is_reflection_code'] = 1 if analysis.is_reflection_code(vmx) else 0
result['is_database'] = 1 if d.get_regex_strings(DB_REGEX) else 0
s_list = []
s_list.extend(result['class_names'])
s_list.extend(result['method_names'])
s_list.extend(result['field_names'])
result['entropy_rate'] = entropy_rate(s_list)
result['feature_vectors'] = {}
result['feature_vectors']['api_calls'] = []
for call in API_CALLS:
status = 1 if dx.get_method_by_name(".", call, ".") else 0
result['feature_vectors']['api_calls'].append(status)
result['feature_vectors']['permissions'] = []
for permission in PERMISSIONS:
status = 1 if permission in result['permissions'] else 0
result['feature_vectors']['permissions'].append(status)
result['feature_vectors']['special_strings'] = []
for word in SPECIAL_STRINGS:
status = 1 if d.get_regex_strings(word) else 0
result['feature_vectors']['special_strings'].append(status)
result['feature_vectors']['others'] = [
# result['is_reflection_code'],
# result['is_crypto_code'],
# result['is_native_code'],
result['is_obfuscation'],
result['is_database'],
# result['is_dyn_code']
]
return result
class FCG(): ##/////////////Changed for testing/////////////////////
def __init__(self, filename):
self.filename = filename
# print(os.path.exists(filename))
# a,d,dx = AnalyzeAPK(filename)
# print(dx.get_call_graph())
try:
self.a = APK(filename)
self.d = DalvikVMFormat(self.a.get_dex())
self.d.create_python_export()
self.dx = Analysis(self.d)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
_, self.d, self.dx = AnalyzeDex(self.filename)
self.d.set_vmanalysis(self.dx)
self.dx.create_xref()
self.fcg = self.build_fcg()
def get_fcg(self):
return self.fcg
def get_lock_graph(self):
graph_list = []
# print("LockGraphs", self.dx)
call_graph = self.dx.get_call_graph()
# print("Call Graphs")
for m in (self.dx.find_methods(
classname='Landroid.os.PowerManager.WakeLock'
)): ##//////////Work fine but found 3 method so will use when done
# print("Method=", m.get_method())
ancestors = nx.ancestors(call_graph, m.get_method())
ancestors.add(m.get_method())
graph = call_graph.subgraph(ancestors)
graph_list.append(graph)
wake_graph = nx.compose_all(graph_list)
return wake_graph
def build_fcg(self):
""" Using NX and Androguard, build a directed graph NX object so that:
- node names are analysis.MethodClassAnalysis objects
- each node has a label that encodes the method behavior
"""
fcg = self.get_lock_graph() ##/////////My changes///////////////
for n in fcg.nodes:
instructions = []
try:
ops = n.get_instructions()
for i in ops:
instructions.append(i.get_name())
encoded_label = self.color_instructions(instructions)
except AttributeError:
encoded_label = np.array([0] * 15)
fcg.node[n]["label"] = encoded_label
return fcg
def color_instructions(self, instructions):
""" Node label based on coloring technique by Kruegel """
h = [0] * len(INSTRUCTION_CLASS_COLOR)
for i in instructions:
h[INSTRUCTION_SET_COLOR[i]] = 1
return np.array(h)
def get_classes_from_label(self, label):
classes = [
INSTRUCTION_CLASSES[i] for i in range(len(label)) if label[i] == 1
]
return classes
'''
Created on Jun 8, 2014
@author: lyx
'''
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis
from androguard.decompiler.decompiler import DecompilerDAD
if __name__ == '__main__':
apk = APK('../sampleapk/MyTrojan.apk')
d = dvm.DalvikVMFormat(apk.get_dex())
dx = analysis.uVMAnalysis(d)
d.set_decompiler( DecompilerDAD( d, dx ) )
for current_class in d.get_classes():
s = current_class#.source()
print s
print s.source()
'''for current_method in d.get_methods(): # @IndentOk
x = current_method.get_code()
ins = x.get_bc().get_instructions()
i = 0
for s in ins:
print s.show(i)
i += 1
#apk = analyzeAPK('./sampleapk/k9-4.409-release.apk')'''
def get_apis(path):
methods = set()
error_file = open("error_files.txt", "w")
"""
Get the APIs from an application.
Parameters:
path - The path of the application to be decompiled
Returns:
A sorted list of APIs with parameters
"""
try:
# You can see the documents of androguard to get the further details
# of the decompilation procedures.
# 获取APK文件对象
# application:表示APK对象,在其中可以找到有关 APK 的信息,例如包名、权限、AndroidManifest.xml、resources
# application_dex:DalvikVMFormat 对象数组,DalvikVMFormat 对应 apk 文件中的 dex 文件,从 dex 文件中我们可以获取类、方法和字符串。
# application_x:表示 Analysis 对象,其包含链接了关于 classes.dex 信息的特殊的类,甚至可以一次处理许多 dex 文件。
application = APK(path)
application_dex = DalvikVMFormat(application.get_dex())
application_x = Analysis(application_dex)
# 获得class 对象
classesList = [classes.get_name() for classes in application_dex.get_classes()]
# print("classesList:", classesList)
# 获得methods方法
for method in application_dex.get_methods():
methodAnalysis = application_x.get_method(method)
if method.get_code() is None:
continue
for basicBlocks in methodAnalysis.get_basic_blocks().get():
# 获得jvm指令
for instructions in basicBlocks.get_instructions():
# 这是一个包含方法,变量或其他任何内容的字符串
output = instructions.get_output()
# print("output", output)
# Here we use regular expression to check if it is a function
# call. A function call comprises four parts: a class name, a
# function name, zero or more parameters, and a return type.
# The pattern is actually simple:
#
# CLASS NAME: starts with a character L and ends in a right
# arrow.
# FUNCTION NAME: starts with the right arrow and ends in a
# left parenthesis.
# PARAMETERS: are between the parentheses.
# RETURN TYPE: is the rest of the string.
#
# 这里拿到的classList是应用本身的类,第二个匹配的组(一个括号一个组)是调用的类不是应用本身的类,是系统的类
# 这里就是通过系统接口调用来做判断。
match = re.search(r'(L[^;]*;)->[^\(]*\([^\)]*\).*', output)
# print("----")
# if match:
# log(match.group() + "----" + match.group(1), "->" + (match.group(1) not in classesList))
# print(match.group() + "----" + match.group(1), "->", (match.group(1) not in classesList))
# print("isInClassList:", match.group(1), "->", (match.group(1) not in classesList))
# match.group():Landroid/app/IntentService;-><init>(Ljava/lang/String;)V
# match.group(1):Landroid/app/IntentService;
if match and match.group(1) not in classesList:
# print(match.group() + "----" + match.group(1))
methods.add(match.group())
methods = list(methods)
except Exception as e:
print(e)
print("path", path)
error_file.write(path)
return methods
def extract_features(file_path):
result = {}
try:
a = APK(file_path)
d = DalvikVMFormat(a.get_dex())
dx = VMAnalysis(d)
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.uVMAnalysis(vm)
d.set_vmanalysis(dx)
d.set_decompiler(DecompilerDAD(d, dx))
except:
return None
result['android_version_code'] = a.get_androidversion_code()
result['android_version_name'] = a.get_androidversion_name()
result['max_sdk'] = a.get_max_sdk_version()
result['min_sdk'] = a.get_min_sdk_version()
result['libraries'] = a.get_libraries()
result['filename'] = a.get_filename()
result['target_sdk'] = a.get_target_sdk_version()
result['md5'] = hashlib.md5(a.get_raw()).hexdigest()
result['sha256'] = hashlib.sha256(a.get_raw()).hexdigest()
result['permissions'] = a.get_permissions()
result['activities'] = a.get_activities()
result['providers'] = a.get_providers()
result['services'] = a.get_services()
#result['strings'] = d.get_strings()
#result['class_names'] = [c.get_name() for c in d.get_classes()]
#result['method_names'] = [m.get_name() for m in d.get_methods()]
#result['field_names'] = [f.get_name() for f in d.get_fields()]
class_names = [c.get_name() for c in d.get_classes()]
method_names = [m.get_name() for m in d.get_methods()]
field_names = [ f.get_name() for f in d.get_fields()]
result['is_native_code'] = 1 if analysis.is_native_code(dx) else 0
result['is_obfuscation'] = 1 if analysis.is_ascii_obfuscation(d) else 0
result['is_crypto_code'] = 1 if analysis.is_crypto_code(dx) else 0
result['is_dyn_code'] = 1 if analysis.is_dyn_code(dx) else 0
result['is_reflection_code'] = 1 if analysis.is_reflection_code(vmx) else 0
result['is_database'] = 1 if d.get_regex_strings(DB_REGEX) else 0
s_list = []
#s_list.extend(result['class_names'])
#s_list.extend(result['method_names'])
#s_list.extend(result['field_names'])
s_list.extend(class_names)
s_list.extend(method_names)
s_list.extend(method_names)
result['entropy_rate'] = entropy_rate(s_list)
result['feature_vectors'] = {}
# Search for the presence of api calls in a given apk
result['feature_vectors']['api_calls'] = []
for call in API_CALLS:
status = 1 if dx.tainted_packages.search_methods(".", call, ".") else 0
result['feature_vectors']['api_calls'].append(status)
# Search for the presence of permissions in a given apk
result['feature_vectors']['permissions'] = []
for permission in PERMISSIONS:
status = 1 if permission in result['permissions'] else 0
result['feature_vectors']['permissions'].append(status)
result['feature_vectors']['special_strings'] = []
for word in SPECIAL_STRINGS:
status = 1 if d.get_regex_strings(word) else 0
result['feature_vectors']['special_strings'].append(status)
opt_seq = []
for m in d.get_methods():
for i in m.get_instructions():
opt_seq.append(i.get_name())
optngramlist = [tuple(opt_seq[i:i+NGRAM]) for i in xrange(len(opt_seq) - NGRAM)]
optngram = Counter(optngramlist)
optcodes = dict()
tmpCodes = dict(optngram)
#for k,v in optngram.iteritems():
# if v>=NGRAM_THRE:
#optcodes[str(k)] = v
# optcodes[str(k)] = 1
tmpCodes = sorted(tmpCodes.items(),key =lambda d:d[1],reverse=True)
for value in tmpCodes[:NGRAM_THRE]:
optcodes[str(value[0])] = 1
result['feature_vectors']['opt_codes'] = optcodes
return result
def extract_features(file_path):
result = {}
try:
a = APK(file_path)
d = DalvikVMFormat(a.get_dex())
dx = Analysis(d)
vm = dvm.DalvikVMFormat(a.get_dex())
#vmx = analysis.uVMAnalysis(vm)
d.set_vmanalysis(dx)
d.set_decompiler(DecompilerDAD(d, dx))
except:
return None
result['android_version_code'] = a.get_androidversion_code()
result['android_version_name'] = a.get_androidversion_name()
result['max_sdk'] = a.get_max_sdk_version()
result['min_sdk'] = a.get_min_sdk_version()
#result['libraries'] = a.get_libraries()
result['filename'] = a.get_filename()
result['target_sdk'] = a.get_target_sdk_version()
result['md5'] = hashlib.md5(a.get_raw()).hexdigest()
result['sha256'] = hashlib.sha256(a.get_raw()).hexdigest()
result['permissions'] = a.get_permissions()
result['activities'] = a.get_activities()
result['providers'] = a.get_providers()
result['services'] = a.get_services()
result['strings'] = d.get_strings()
result['class_names'] = [c.get_name() for c in d.get_classes()]
result['method_names'] = [m.get_name() for m in d.get_methods()]
result['field_names'] = [f.get_name() for f in d.get_fields()]
#result['is_native_code'] = 1 if analysis.is_native_code(dx) else 0
result['is_obfuscation'] = 1 if analysis.is_ascii_obfuscation(d) else 0
#result['is_crypto_code'] = 1 if analysis.is_crypto_code(dx) else 0
'''result['is_dyn_code'] = 1 if analysis.is_dyn_code(dx) else 0
result['is_reflection_code'] = 1 if analysis.is_reflection_code(vmx) else 0'''
result['is_database'] = 1 if d.get_regex_strings(DB_REGEX) else 0
arr = []
s = a.get_elements("action", "name")
for i in s:
arr.append(i)
result['intents'] = arr
s_list = []
s_list.extend(result['class_names'])
s_list.extend(result['method_names'])
s_list.extend(result['field_names'])
result['entropy_rate'] = entropy_rate(s_list)
result['feature_vectors'] = {}
# Search for the presence of api calls in a given apk
result['feature_vectors']['api_calls'] = []
for call in API_CALLS:
status = 1 if dx.get_method(call) else 0
result['feature_vectors']['api_calls'].append(status)
# Search for the presence of permissions in a given apk
result['feature_vectors']['permissions'] = []
for permission in PERMISSIONS:
status = 1 if permission in result['permissions'] else 0
result['feature_vectors']['permissions'].append(status)
#Search for the presence of intents in a given apk
result['feature_vectors']['intents'] = []
n = len(INTENTS)
m = len(result['intents'])
for i in range(n):
stri = INTENTS[i]
flg = False
for j in range(m):
if stri in result['intents'][j]:
flg = True
break
if flg:
status = 1
else:
status = 0
result['feature_vectors']['intents'].append(status)
#Check for special strings in code
result['feature_vectors']['special_strings'] = []
for word in SPECIAL_STRINGS:
status = 1 if d.get_regex_strings(word) else 0
result['feature_vectors']['special_strings'].append(status)
return result
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
#f = File(self.task["target"])
#if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
apkinfo["APKiD"] = self._scan_APKiD(self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
apkinfo["encrypted_assets"] = self.find_encrypted_assets(a)
manifest["package"] = a.get_package()
apkinfo["hidden_payload"] = []
for file in apkinfo["files"]:
if self.file_type_check(file):
apkinfo["hidden_payload"].append(file)
apkinfo["files_flaged"] = self.files_name_map
manifest["permissions"]= get_permissions(a)
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
manifest["receivers_actions"] = get_extended_receivers(a)
manifest["receivers_info"] = get_receivers_info(a)
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
apkinfo["icon"] = get_apk_icon(self.file_path)
certificate = get_certificate(self.file_path)
if certificate:
apkinfo["certificate"] = certificate
#vm = DalvikVMFormat(a.get_dex())
#strings = vm.get_strings()
strings = self._get_strings(self.file_path)
for subdir, dirs, files in os.walk(self.dropped_path):
for file in files:
path = os.path.join(subdir, file)
try:
extra_strings = self._get_strings(path)
strings = list(set(extra_strings + strings))
except:
pass
apkinfo["dex_strings"] = strings
static_calls = {}
if self.options.decompilation:
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
# Be less verbose about androguard logging messages.
logging.getLogger("andro.runtime").setLevel(logging.CRITICAL)
static_calls["all_methods"] = get_methods(vmx)
static_calls["is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(vmx)
static_calls["is_reflection_code"] = analysis.is_reflection_code(vmx)
static_calls["is_crypto_code"] = is_crypto_code(vmx)
static_calls["dynamic_method_calls"] = get_show_DynCode(vmx)
static_calls["reflection_method_calls"] = get_show_ReflectionCode(vmx)
static_calls["permissions_method_calls"] = get_show_Permissions(vmx)
static_calls["crypto_method_calls"] = get_show_CryptoCode(vmx)
static_calls["native_method_calls"] = get_show_NativeMethods(vmx)
classes = list()
for cls in vm.get_classes():
classes.append(cls.name)
static_calls["classes"] = classes
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
#toReturn += "]\n}"
toReturn += "]"
return toReturn
# cattura del percorso del file apk
apkToBeAnalyzed = sys.argv[1]
#variabile che rappresenta il file apk
a = APK(apkToBeAnalyzed)
#variabile che rappresenta il file dex
dexFile = DalvikVMFormat(a.get_dex())
#variabile che rappresenta il file dex dopo essere stato analizzato
dexAnalyzed = analysis.uVMAnalysis(dexFile)
#print a.show()
#print "package name " + a.get_package()
#print a.get_permissions()
#analysis.show_Permissions(dexAnalyzed)
#print "\n"
# mostra dove vengono usati i permessi
permissions = dexAnalyzed.get_permissions([])
permissionDictionary = toDictionary(dexFile, permissions)
def get_dex(apk_path):
"""
Extract the package name of an APK
"""
a = APK(apk_path)
return a.get_dex()
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
f = File(self.task["target"])
#if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
apkinfo["hidden_payload"] = []
for file in apkinfo["files"]:
if self.file_type_check(file):
apkinfo["hidden_payload"].append(file)
apkinfo["files_flaged"] = self.files_name_map
manifest["permissions"]= get_permissions(a)
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
manifest["receivers_actions"] = get_extended_receivers(a)
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
apkinfo["icon"] = get_apk_icon(self.file_path)
certificate = get_certificate(self.file_path)
if certificate:
apkinfo["certificate"] = certificate
#vm = DalvikVMFormat(a.get_dex())
#strings = vm.get_strings()
strings = self._get_strings(self.file_path)
apkinfo["interesting_strings"] = find_strings(strings)
apkinfo["dex_strings"] = strings
static_calls = {}
if self.options.decompilation:
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
static_calls["all_methods"] = get_methods(vmx)
static_calls["is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(vmx)
static_calls["is_reflection_code"] = analysis.is_reflection_code(vmx)
static_calls["is_crypto_code"] = is_crypto_code(vmx)
static_calls["dynamic_method_calls"] = get_show_DynCode(vmx)
static_calls["reflection_method_calls"] = get_show_ReflectionCode(vmx)
static_calls["permissions_method_calls"] = get_show_Permissions(vmx)
static_calls["crypto_method_calls"] = get_show_CryptoCode(vmx)
static_calls["native_method_calls"] = get_show_NativeMethods(vmx)
classes = list()
for cls in vm.get_classes():
classes.append(cls.name)
static_calls["classes"] = classes
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
f = File(self.task["target"])
#if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" %
self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
apkinfo["hidden_payload"] = []
for file in apkinfo["files"]:
if self.file_type_check(file):
apkinfo["hidden_payload"].append(file)
apkinfo["files_flaged"] = self.files_name_map
manifest["permissions"] = get_permissions(a)
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
manifest["receivers_actions"] = get_extended_receivers(a)
manifest["providers"] = a.get_providers()
manifest["libraries"] = list(a.get_libraries())
apkinfo["manifest"] = manifest
apkinfo["icon"] = get_apk_icon(self.file_path)
certificate = get_certificate(self.file_path)
if certificate:
apkinfo["certificate"] = certificate
#vm = DalvikVMFormat(a.get_dex())
#strings = vm.get_strings()
strings = self._get_strings(self.file_path)
apkinfo["interesting_strings"] = find_strings(strings)
apkinfo["dex_strings"] = strings
static_calls = {}
if self.options.decompilation:
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = Analysis(vm)
vmx.create_xref()
static_calls["all_methods"] = get_methods(vmx)
static_calls[
"permissions_method_calls"] = get_show_Permissions(
vmx)
static_calls[
"native_method_calls"] = get_show_NativeMethods(
vmx)
static_calls["is_native_code"] = bool(
static_calls["native_method_calls"]
) # True if not empty, False if empty
static_calls[
"dynamic_method_calls"] = get_show_DynCode(vmx)
static_calls["is_dynamic_code"] = bool(
static_calls["dynamic_method_calls"])
static_calls[
"reflection_method_calls"] = get_show_ReflectionCode(
vmx)
static_calls["is_reflection_code"] = bool(
static_calls["reflection_method_calls"])
static_calls[
"crypto_method_calls"] = get_show_CryptoCode(vmx)
static_calls["is_crypto_code"] = bool(
static_calls["crypto_method_calls"])
classes = list()
for cls in vm.get_classes():
classes.append(cls.name)
static_calls["classes"] = classes
else:
log.warning(
"Aborted decompilation, static extraction of calls not perforemd",
)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo
from androguard.core.analysis.analysis import VMAnalysis
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes.dvm import DalvikVMFormat
from core.analysis import *
if __name__ == '__main__':
a = APK("1_1.apk")
print len(a.get_activities())
print a.get_main_activity()
d = DalvikVMFormat(a.get_dex())
dx = VMAnalysis(d)
print dx.get_method_signature()
): # inserisce la virgola fin tanto che non � l'ultimo oggetto
toReturn += ","
#toReturn += "]\n}"
toReturn += "]"
return toReturn
# cattura del percorso del file apk
apkToBeAnalyzed = sys.argv[1]
#variabile che rappresenta il file apk
a = APK(apkToBeAnalyzed)
#variabile che rappresenta il file dex
dexFile = DalvikVMFormat(a.get_dex())
#variabile che rappresenta il file dex dopo essere stato analizzato
dexAnalyzed = analysis.uVMAnalysis(dexFile)
#print a.show()
#print "package name " + a.get_package()
#print a.get_permissions()
#analysis.show_Permissions(dexAnalyzed)
#print "\n"
# mostra dove vengono usati i permessi
permissions = dexAnalyzed.get_permissions([])
permissionDictionary = toDictionary(dexFile, permissions)
import argparse
from androguard.core.bytecodes.apk import APK
from androguard.core import androconf
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("YARARULE", help="Path of the yara rule file")
parser.add_argument("PATH", help="Path of the executable to check")
args = parser.parse_args()
if not os.path.isfile(args.PATH):
print("Invalid snoopdroid dump path")
sys.exit(-1)
if not os.path.isfile(args.YARARULE):
print("Invalid path for yara rule")
sys.exit(-1)
if androconf.is_android(args.PATH) != "APK":
print("This is not an APK file")
sys.exit(-1)
rules = yara.compile(filepath=args.YARARULE)
apk = APK(args.PATH)
dex = apk.get_dex()
res = rules.match(data=dex)
if len(res) > 0:
print("Matches: {}".format(", ".join([r.rule for r in res])))
