def testXrefs(self):
"""Test if XREFs produce the correct results"""
with open("examples/android/TestsAndroguard/bin/classes.dex", "rb") as fd:
d = dvm.DalvikVMFormat(fd.read())
dx = analysis.Analysis(d)
dx.create_xref()
testcls = dx.classes['Ltests/androguard/TestActivity;']
self.assertIsInstance(testcls, analysis.ClassAnalysis)
testmeth = list(filter(lambda x: x.name == 'onCreate', testcls.get_methods()))[0]
self.assertEqual(len(list(dx.find_methods(testcls.name, '^onCreate$'))), 1)
self.assertEqual(list(dx.find_methods(testcls.name, '^onCreate$'))[0], testmeth)
self.assertIsInstance(testmeth, analysis.MethodClassAnalysis)
self.assertFalse(testmeth.is_external())
self.assertIsInstance(testmeth.method, dvm.EncodedMethod)
self.assertEquals(testmeth.name, 'onCreate')
xrefs = list(map(lambda x: x.full_name, map(itemgetter(1), sorted(testmeth.get_xref_to(), key=itemgetter(2)))))
self.assertEqual(len(xrefs), 5)
# First, super is called:
self.assertEquals(xrefs.pop(0), 'Landroid/app/Activity; onCreate (Landroid/os/Bundle;)V')
# then setContentView (which is in the current class but the method is external)
self.assertEquals(xrefs.pop(0), 'Ltests/androguard/TestActivity; setContentView (I)V')
# then getApplicationContext (inside the Toast)
self.assertEquals(xrefs.pop(0), 'Ltests/androguard/TestActivity; getApplicationContext ()Landroid/content/Context;')
# then Toast.makeText
self.assertEquals(xrefs.pop(0), 'Landroid/widget/Toast; makeText (Landroid/content/Context; Ljava/lang/CharSequence; I)Landroid/widget/Toast;')
# then show()
self.assertEquals(xrefs.pop(0), 'Landroid/widget/Toast; show ()V')
# Now, test if the reverse is true
other = list(dx.find_methods('^Landroid/app/Activity;$', '^onCreate$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertTrue(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Ltests/androguard/TestActivity;$', '^setContentView$'))
# External because not overwritten in class:
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertFalse(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Ltests/androguard/TestActivity;$', '^getApplicationContext$'))
# External because not overwritten in class:
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertFalse(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Landroid/widget/Toast;$', '^makeText$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertTrue(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Landroid/widget/Toast;$', '^show$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertTrue(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
# Next test internal calls
testmeth = list(filter(lambda x: x.name == 'testCalls', testcls.get_methods()))[0]
self.assertEqual(len(list(dx.find_methods(testcls.name, '^testCalls$'))), 1)
self.assertEqual(list(dx.find_methods(testcls.name, '^testCalls$'))[0], testmeth)
self.assertIsInstance(testmeth, analysis.MethodClassAnalysis)
self.assertFalse(testmeth.is_external())
self.assertIsInstance(testmeth.method, dvm.EncodedMethod)
self.assertEquals(testmeth.name, 'testCalls')
xrefs = list(map(lambda x: x.full_name, map(itemgetter(1), sorted(testmeth.get_xref_to(), key=itemgetter(2)))))
self.assertEqual(len(xrefs), 4)
self.assertEquals(xrefs.pop(0), 'Ltests/androguard/TestActivity; testCall2 (J)V')
self.assertEquals(xrefs.pop(0), 'Ltests/androguard/TestIfs; testIF (I)I')
self.assertEquals(xrefs.pop(0), 'Ljava/lang/Object; getClass ()Ljava/lang/Class;')
self.assertEquals(xrefs.pop(0), 'Ljava/io/PrintStream; println (Ljava/lang/Object;)V')
other = list(dx.find_methods('^Ltests/androguard/TestActivity;$', '^testCall2$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertFalse(other[0].is_external())
self.assertFalse(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Ltests/androguard/TestIfs;$', '^testIF$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertFalse(other[0].is_external())
self.assertFalse(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
other = list(dx.find_methods('^Ljava/lang/Object;$', '^getClass$'))
self.assertEquals(len(other), 1)
self.assertIsInstance(other[0], analysis.MethodClassAnalysis)
self.assertTrue(other[0].is_external())
self.assertTrue(other[0].is_android_api())
self.assertIn(testmeth.method, map(itemgetter(1), other[0].get_xref_from()))
'''
Created on Jun 8, 2014
@author: lyx
'''
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis
from androguard.decompiler.decompiler import DecompilerDAD
if __name__ == '__main__':
apk = APK('../sampleapk/MyTrojan.apk')
d = dvm.DalvikVMFormat(apk.get_dex())
dx = analysis.uVMAnalysis(d)
d.set_decompiler( DecompilerDAD( d, dx ) )
for current_class in d.get_classes():
s = current_class#.source()
print s
print s.source()
'''for current_method in d.get_methods(): # @IndentOk
x = current_method.get_code()
ins = x.get_bc().get_instructions()
i = 0
for s in ins:
print s.show(i)
i += 1
#apk = analyzeAPK('./sampleapk/k9-4.409-release.apk')'''
def testDex(self):
with open("examples/android/TestsAndroguard/bin/classes.dex",
"rb") as fd:
d = dvm.DalvikVMFormat(fd.read())
dx = analysis.Analysis(d)
self.assertIsInstance(dx, analysis.Analysis)
def __init__(self, apk):
self.__dvm = dvm.DalvikVMFormat(apk.get_dex())
self.__string_rules = RULES
self.__vmx = analysis.VMAnalysis(self.__dvm)
#!/usr/bin/env python import sys, random, string PATH_INSTALL = "./" sys.path.append(PATH_INSTALL) from androguard.core.bytecodes import dvm TEST = "./examples/dalvik/test/bin/classes.dex" TEST_OUTPUT = "./examples/dalvik/test/bin/classes_output.dex" j = dvm.DalvikVMFormat(open(TEST).read()) # Modify the name of each field #for field in j.get_fields() : # field.set_name( random.choice( string.letters ) + ''.join([ random.choice(string.letters + string.digits) for i in range(10 - 1) ] ) ) # Modify the name of each method (minus the constructor (<init>) and a extern called method (go)) #for method in j.get_methods() : # if method.get_name() != "go" and method.get_name() != "<init>" : # method.set_name( random.choice( string.letters ) + ''.join([ random.choice(string.letters + string.digits) for i in range(10 - 1) ] ) ) # SAVE CLASS fd = open(TEST_OUTPUT, "w") fd.write(j.save()) fd.close()
def check_one_file(a,
d1,
dx1,
FS,
threshold,
file_input,
view_strings=False,
new=True,
library=True):
d2 = None
ret_type = androconf.is_android(file_input)
if ret_type == "APK":
a = apk.APK(file_input)
d2 = dvm.DalvikVMFormat(a.get_dex())
elif ret_type == "DEX":
d2 = dvm.DalvikVMFormat(read(file_input))
if d2 == None:
return
dx2 = analysis.VMAnalysis(d2)
el = elsim.Elsim(ProxyDalvik(d1, dx1),
ProxyDalvik(d2, dx2),
FS,
threshold,
options.compressor,
libnative=library)
el.show()
print "\t--> methods: %f%% of similarities" % el.get_similarity_value(new)
if options.display:
print "SIMILAR methods:"
diff_methods = el.get_similar_elements()
for i in diff_methods:
el.show_element(i)
print "IDENTICAL methods:"
new_methods = el.get_identical_elements()
for i in new_methods:
el.show_element(i)
print "NEW methods:"
new_methods = el.get_new_elements()
for i in new_methods:
el.show_element(i, False)
print "DELETED methods:"
del_methods = el.get_deleted_elements()
for i in del_methods:
el.show_element(i)
print "SKIPPED methods:"
skipped_methods = el.get_skipped_elements()
for i in skipped_methods:
el.show_element(i)
if view_strings:
els = elsim.Elsim(ProxyDalvikStringMultiple(d1, dx1),
ProxyDalvikStringMultiple(d2, dx2),
FILTERS_DALVIK_SIM_STRING,
threshold,
options.compressor,
libnative=library)
#els = elsim.Elsim( ProxyDalvikStringOne(d1, dx1),
# ProxyDalvikStringOne(d2, dx2), FILTERS_DALVIK_SIM_STRING, threshold, options.compressor, libnative=library )
els.show()
print "\t--> strings: %f%% of similarities" % els.get_similarity_value(
new)
if options.display:
print "SIMILAR strings:"
diff_strings = els.get_similar_elements()
for i in diff_strings:
els.show_element(i)
print "IDENTICAL strings:"
new_strings = els.get_identical_elements()
for i in new_strings:
els.show_element(i)
print "NEW strings:"
new_strings = els.get_new_elements()
for i in new_strings:
els.show_element(i, False)
print "DELETED strings:"
del_strings = els.get_deleted_elements()
for i in del_strings:
els.show_element(i)
print "SKIPPED strings:"
skipped_strings = els.get_skipped_elements()
for i in skipped_strings:
els.show_element(i)
def check_one_file(a, d1, dx1, FS, threshold, file_input, view_strings=False, new=True, library=True):
d2 = None
ret_type = androconf.is_android( file_input )
if ret_type == "APK":
a = apk.APK( file_input )
d2 = dvm.DalvikVMFormat( a.get_dex() )
elif ret_type == "DEX":
d2 = dvm.DalvikVMFormat( read(file_input) )
if d2 == None:
return
dx2 = analysis.VMAnalysis( d2 )
el = elsim.Elsim( ProxyDalvik(d1, dx1), ProxyDalvik(d2, dx2), FS, threshold, options.compressor, libnative=library )
el.show()
print "\t--> methods: %f%% of similarities" % el.get_similarity_value(new)
if options.dump:
print '\nDumping smali code...'
tmp1 = options.input[1].split('/')
jarname = tmp1[len(tmp1)-1]
if not os.path.exists('smali'):
os.makedirs('smali')
os.system('apktool d ' + options.input[1])
if jarname[len(jarname)-4:len(jarname)] == '.apk':
os.system('mv -f ' + jarname[0:len(jarname)-4] + ' smali')
else:
os.system('mv -f ' + jarname + '.out ' + 'smali')
classes = Set([])
diff_methods = el.get_similar_elements()
for i in diff_methods:
x = el.show_similar_class_name( i )
for j in range(0, len(x)):
classes.add(x.pop())
new_methods = el.get_new_elements()
for i in new_methods:
y = el.show_new_class_name( i )
classes.add(y)
if not os.path.exists('codedump'):
os.makedirs('codedump')
os.chdir('codedump')
if os.path.exists(jarname):
os.system('rm -rf ' + jarname)
os.makedirs(jarname)
os.chdir('..')
for i in range(0,len(classes)):
#os.makedirs('codedump/' + jarname)
filepath = classes.pop()
filename = filepath.replace('/','.')
shutil.copy2('smali/' + jarname + '.out/smali/' + filepath, 'codedump/' + jarname + '/' + filename)
os.system('rmdir codedump/' + jarname)
classes1 = Set([])
for i in diff_methods:
x = el.show_similar_method_name( i )
for j in range(0, len(x)):
classes1.add(x.pop())
for i in new_methods:
y = el.show_new_method_name( i )
classes1.add(y)
start = ''
end = '.end method'
if not os.path.exists('methoddump'):
os.makedirs('methoddump')
for i in range(0,len(classes1)):
x1 = classes1.pop()
xx = x1.split(' ', 1)
if not os.path.exists('methoddump/' + jarname):
os.makedirs('methoddump/' + jarname)
with open('codedump/' + jarname + '/' + xx[0]) as infile:
for line in infile:
if xx[1] in line:
start = line.replace('\n','')
break
med = xx[1].split('(', 1)[0]
with open('codedump/' + jarname + '/' + xx[0]) as infile, open('methoddump/' + jarname + '/' + xx[0] + '.' + med + '.method', 'w+') as outfile:
copy = False
outfile.write(start + '\n')
for line1 in infile:
if line1.strip() == start:
copy = True
elif line1.strip() == end:
copy = False
elif copy:
outfile.write(line1)
outfile.write(end)
print 'DUMP SMALI CODE SUCCESSFULLY.'
if options.display:
print "SIMILAR methods:"
diff_methods = el.get_similar_elements()
for i in diff_methods:
el.show_element( i )
print "IDENTICAL methods:"
new_methods = el.get_identical_elements()
for i in new_methods:
el.show_element( i )
print "NEW methods:"
new_methods = el.get_new_elements()
for i in new_methods:
el.show_element( i, False )
print "DELETED methods:"
del_methods = el.get_deleted_elements()
for i in del_methods:
el.show_element( i )
print "SKIPPED methods:"
skipped_methods = el.get_skipped_elements()
for i in skipped_methods:
el.show_element( i )
if view_strings:
els = elsim.Elsim( ProxyDalvikStringMultiple(d1, dx1),
ProxyDalvikStringMultiple(d2, dx2),
FILTERS_DALVIK_SIM_STRING,
threshold,
options.compressor,
libnative=library )
#els = elsim.Elsim( ProxyDalvikStringOne(d1, dx1),
# ProxyDalvikStringOne(d2, dx2), FILTERS_DALVIK_SIM_STRING, threshold, options.compressor, libnative=library )
els.show()
print "\t--> strings: %f%% of similarities" % els.get_similarity_value(new)
if options.display:
print "SIMILAR strings:"
diff_strings = els.get_similar_elements()
for i in diff_strings:
els.show_element( i )
print "IDENTICAL strings:"
new_strings = els.get_identical_elements()
for i in new_strings:
els.show_element( i )
print "NEW strings:"
new_strings = els.get_new_elements()
for i in new_strings:
els.show_element( i, False )
print "DELETED strings:"
del_strings = els.get_deleted_elements()
for i in del_strings:
els.show_element( i )
print "SKIPPED strings:"
skipped_strings = els.get_skipped_elements()
for i in skipped_strings:
els.show_element( i )
def __init__(self, file_path):
self.a = apk.APK(file_path)
self.d = dvm.DalvikVMFormat(self.a.get_dex())
self.x = analysis.VMAnalysis(self.d)
self.pkg_class_dict = {}
def do_build_apk_report(self, a):
output = StringIO()
a.get_files_types()
output.write("[FILES] \n")
for i in a.get_files():
try:
output.write("\t%s %s %x\n" % (
i,
a.files[i],
a.files_crc32[i],
))
except KeyError:
output.write("\t%s %x\n" % (
i,
a.files_crc32[i],
))
output.write("\n[PERMISSIONS] \n")
details_permissions = a.get_details_permissions()
for i in details_permissions:
output.write("\t%s %s\n" % (
i,
details_permissions[i],
))
output.write("\n[MAIN ACTIVITY]\n\t%s\n" % (a.get_main_activity(), ))
output.write("\n[ACTIVITIES] \n")
activities = a.get_activities()
for i in activities:
filters = a.get_intent_filters("activity", i)
output.write("\t%s %s\n" % (
i,
filters or "",
))
output.write("\n[SERVICES] \n")
services = a.get_services()
for i in services:
filters = a.get_intent_filters("service", i)
output.write("\t%s %s\n" % (
i,
filters or "",
))
output.write("\n[RECEIVERS] \n")
receivers = a.get_receivers()
for i in receivers:
filters = a.get_intent_filters("receiver", i)
output.write("\t%s %s\n" % (
i,
filters or "",
))
output.write("\n[PROVIDERS]\n\t%s\n\n" % (a.get_providers(), ))
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.uVMAnalysis(vm)
output.write("Native code : %s\n" %
(analysis.is_native_code(vmx), ))
output.write("Dynamic code : %s\n" % (analysis.is_dyn_code(vmx), ))
output.write("Reflection code : %s\n" %
(analysis.is_reflection_code(vmx), ))
output.write("ASCII Obfuscation: %s\n\n" %
(analysis.is_ascii_obfuscation(vm), ))
for i in vmx.get_methods():
i.create_tags()
if not i.tags.empty():
output.write("%s %s %s\n" % (
i.method.get_class_name(),
i.method.get_name(),
i.tags,
))
return output
def gen_dict(list_path):
file = open("error_files.txt", "w")
external_api_dict = {}
for path1 in list_path:
count = 0
for f in os.listdir(path1):
# print count
count += 1
if (count == 300):
break
path = os.path.join(path1, f)
print(path)
try:
if path.endswith('.apk'):
app = apk.APK(path)
app_dex = dvm.DalvikVMFormat(app.get_dex())
else:
app_dex = dvm.DalvikVMFormat(open(path, "rb").read())
app_x = analysis.newVMAnalysis(app_dex)
methods = []
cs = [cc.get_name() for cc in app_dex.get_classes()]
ctr = 0
# print len(app_dex.get_methods())
for method in app_dex.get_methods():
g = app_x.get_method(method)
if method.get_code() == None:
continue
for i in g.get_basic_blocks().get():
for ins in i.get_instructions():
# This is a string that contains methods, variables, or
# anything else.
output = ins.get_output()
match = re.search(r'(L[^;]*;)->[^\(]*\([^\)]*\).*',
output)
if match and match.group(1) not in cs:
methods.append(match.group())
# print "instruction : ", ins.get_basic_blocks()
# print "external api detected: ", match.group()
if (not external_api_dict.has_key(
match.group())):
external_api_dict[match.group()] = len(
external_api_dict)
except:
file.write(path)
file.close()
return external_api_dict
#!/usr/bin/env python
import sys
PATH_INSTALL = "./"
sys.path.append(PATH_INSTALL)
from androguard.core.bytecodes import dvm
from androguard.core.bytecodes import apk
TEST = "examples/android/TestsAndroguard/bin/TestsAndroguard.apk"
a = apk.APK(TEST)
j = dvm.DalvikVMFormat(a.get_dex())
for m in j.get_methods():
print m.get_class_name(), m.get_name(), m.get_descriptor()
code_debug = m.get_debug()
if code_debug != None:
print code_debug.get_line_start(), code_debug.get_parameters_size(
), code_debug.get_parameter_names(
), code_debug.get_translated_parameter_names()
for i in code_debug.get_bytecodes():
print i.get_op_value(), i.get_format(), i.get_value()
#!/usr/bin/env python
from __future__ import print_function
import sys
PATH_INSTALL = "./"
sys.path.append(PATH_INSTALL)
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis
from androguard.decompiler import decompiler
from androguard.util import read
TEST = "examples/android/TestsAndroguard/bin/classes.dex"
j = dvm.DalvikVMFormat(read(TEST, binary=False))
jx = analysis.VMAnalysis(j)
#d = decompiler.DecompilerDex2Jad( j )
#d = decompiler.DecompilerDed( j )
d = decompiler.DecompilerDAD(j, jx)
j.set_decompiler(d)
# SHOW METHODS
for i in j.get_methods():
if i.get_name() == "onCreate":
print(i.get_class_name(), i.get_name())
i.source()
# if i.get_name() == "testWhileTrue":
def visit_cond_expression(self, op, arg1, arg2):
arg1 = arg1.visit(self)
if not isinstance(arg1, int):
arg1 = ord(arg1)
arg2 = arg2.visit(self)
if not isinstance(arg2, int):
arg2 = ord(arg2)
return eval('%s %s %s' % (arg1, op, arg2))
def visit_get_static(self, cls, name):
return self.mem[name]
TEST = './apks/pacsec/magicspiral.apk'
vm = dvm.DalvikVMFormat(apk.APK(TEST).get_dex())
vma = uVMAnalysis(vm)
method = vm.get_method('crypt')[0]
amethod = vma.get_method(method)
dvmethod = DvMethod(amethod)
dvmethod.process() # build IR Form / control flow...
graph = dvmethod.graph
visitor = DemoEmulator(graph)
l = [
94, 42, 93, 88, 3, 2, 95, 2, 13, 85, 11, 2, 19, 1, 125, 19, 0, 102, 30, 24,
19, 99, 76, 21, 102, 22, 26, 111, 39, 125, 2, 44, 80, 10, 90, 5, 119, 100,
119, 60, 4, 87, 79, 42, 52
def main(options, arguments):
details = False
if options.display != None:
details = True
if options.input != None:
ret_type = androconf.is_android(options.input[0])
if ret_type == "APK":
a = apk.APK(options.input[0])
d1 = dvm.DalvikVMFormat(a.get_dex())
elif ret_type == "DEX":
d1 = dvm.DalvikVMFormat(open(options.input[0], "rb").read())
dx1 = analysis.VMAnalysis(d1)
ret_type = androconf.is_android(options.input[1])
if ret_type == "APK":
a = apk.APK(options.input[1])
d2 = dvm.DalvikVMFormat(a.get_dex())
elif ret_type == "DEX":
d2 = dvm.DalvikVMFormat(open(options.input[1], "rb").read())
dx2 = analysis.VMAnalysis(d2)
print d1, dx1, d2, dx2
sys.stdout.flush()
threshold = None
if options.threshold != None:
threshold = float(options.threshold)
FS = FILTERS_DALVIK_SIM
FS[elsim.FILTER_SKIPPED_METH].set_regexp(options.exclude)
FS[elsim.FILTER_SKIPPED_METH].set_size(options.size)
el = elsim.Elsim(ProxyDalvik(d1, dx1), ProxyDalvik(d2, dx2), FS,
threshold, options.compressor)
el.show()
e1 = elsim.split_elements(el, el.get_similar_elements())
for i in e1:
j = e1[i]
elb = elsim.Elsim(ProxyDalvikMethod(i), ProxyDalvikMethod(j),
FILTERS_DALVIK_BB, threshold, options.compressor)
#elb.show()
eld = elsim.Eldiff(ProxyDalvikBasicBlock(elb),
FILTERS_DALVIK_DIFF_BB)
#eld.show()
ddm = DiffDalvikMethod(i, j, elb, eld)
ddm.show()
print "NEW METHODS"
enew = el.get_new_elements()
for i in enew:
el.show_element(i, False)
print "DELETED METHODS"
edel = el.get_deleted_elements()
for i in edel:
el.show_element(i)
elif options.version != None:
print "Androdiff version %s" % androconf.ANDROGUARD_VERSION
def __init__(self, classes_dex):
self.dvm = dvm.DalvikVMFormat(classes_dex)
self.vma = uVMAnalysis(self.dvm)
self.tree = {}
self.files = {}
def main(options, args) :
print options.input
if options.input == None or options.output == None :
print "static_analysis.py -i <inputfile> -o <outputfolder>"
sys.exit(2)
elif db.static_features.find({"_id": hashfile(options.input)}, limit=1).count() == 1 :
print "static analysis found.. skipping.."
sys.exit(0)
elif db.virustotal_features.find({"sha1": hashfile(options.input)}).count() == 0 :
print "virus total metadata not found.. skipping.."
sys.exit(0)
elif db.virustotal_features.find({ "$or": [ { "positives": 0 }, { "positives": { "$gte": 35 } } ], "sha1": hashfile(options.input) }).count() == 0 :
print "not clear enough benign or malicious.. skipping.."
sys.exit(0)
t_beginning = time.time()
ret_type = androconf.is_android( options.input )
if ret_type == "APK" :
try :
a = apk.APK(options.input, zipmodule=2)
if a.is_valid_APK() :
vm = dvm.DalvikVMFormat(a.get_dex())
vmx = analysis.uVMAnalysis(vm)
data = {
'_id' : hashfile(options.input),
'validApk' : True,
'mainActivity' : a.get_main_activity(),
'activities' : a.get_activities(),
'providers' : a.get_providers(),
'receivers' : a.get_receivers(),
'services' : a.get_services(),
'androidVersion' : a.get_androidversion_code(),
'maxSdkVersion' : a.get_max_sdk_version(),
'minSdkVersion' : a.get_min_sdk_version(),
'targetSdkVersion' : a.get_target_sdk_version(),
'package' : a.get_package(),
'libraries' : a.get_libraries(),
'isCryptoCode' : analysis.is_crypto_code(vmx),
'isDynamicCode' : analysis.is_dyn_code(vmx),
'isNativeCode' : analysis.is_native_code(vmx),
'nativeMethodCount' : native_method_count(vm),
'isReflectionCode' : analysis.is_reflection_code(vmx),
'reflectionCount' : len(vmx.get_tainted_packages().search_methods("Ljava/lang/reflect/Method;", ".", ".")),
'isAsciiObfuscation' : analysis.is_ascii_obfuscation(vm),
'permissions' : a.get_permissions(),
'actualPermissions' : actual_permissions(vm, vmx),
'internalMethodCalls' : get_methods(vm.get_class_manager(), vmx.get_tainted_packages().get_internal_packages(), {}),
'externalMethodCalls' : get_methods(vm.get_class_manager(), vmx.get_tainted_packages().get_external_packages(), {})
}
data['duration'] = time.time() - t_beginning
db.static_features.insert(data)
else :
print "INVALID APK"
data = {
'_id' : hashfile(options.input),
'validApk' : False
}
db.static_features.insert(data)
except Exception, e :
print "ERROR", e
import traceback
traceback.print_exc()
