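def get_similar_detailed(andr_a, andr_d, app_list):
    """Match an app's API chains against each malware model in ``app_list``.

    Args:
        andr_a, andr_d: androguard APK / DalvikVMFormat objects; passed
            straight through to ``api_chains.get_api_chains``.
        app_list: iterable of malware sample identifiers.  Samples with no
            entry in ``api_chain_model.malw_api_chain_models``, or whose
            chain list in ``malw_api_chain_models_in_lists`` is empty, are
            skipped.

    Returns:
        ``[]`` when no chains could be extracted from the app
        (``get_api_chains`` returned ``None``), otherwise a dict
        ``{sample: [rule numbers that fired]}``.  Every sample that was
        actually compared gets an entry, so an empty list means "compared,
        no rule fired".
        NOTE(review): the early return is a list while the normal return is
        a dict; it is kept that way for backward compatibility, so callers
        must tolerate both.

    Rules, with ``a, b, c, d = api_chains.compare_api_chains(app, sample)``:
        1 - ``a``/``b`` reach ``thresholds.api_chains_total_common_chains`` /
            ``..._total_common_length``
        2 - ``c >= 2``
        3 - ``c >= 1`` and ``d >= 1``
        4 - ``d >= 1`` and ``b`` reaches the total-common-length threshold
        5 - ``a / mal_a`` and ``b / mal_b`` reach the
            ``thresholds.api_chains_identical_*`` ratios, where ``mal_a`` /
            ``mal_b`` are the count / summed length of the sample's chains
            that are at least ``api_chains.minimum_length`` long
        6 - ``api_chains.chains_unique(app, sample)`` is true

    When the module-level name ``work_until_first_match`` is truthy the scan
    stops at the first sample for which at least one rule fired.
    """
    api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
    if api_chains_app is None:
        return []  # list (not dict) kept for backward compatibility
    similar_apps = {}
    min_len = api_chains.minimum_length
    for sample in app_list:
        if sample not in api_chain_model.malw_api_chain_models:
            continue
        sample_chains = api_chain_model.malw_api_chain_models_in_lists[sample]
        if not sample_chains:
            continue  # ignore empty malware models, if any
        # Size of the malware model counting only "significant" chains; this
        # is the denominator of the ratio rule (5) below.
        long_chain_lengths = [len(x.chain) for x in sample_chains
                              if len(x.chain) >= min_len]
        mal_a = len(long_chain_lengths)
        mal_b = sum(long_chain_lengths)
        a, b, c, d = api_chains.compare_api_chains(api_chains_app, sample_chains)
        matched = []
        similar_apps[sample] = matched  # registered even if nothing fires
        if (a >= thresholds.api_chains_total_common_chains
                and b >= thresholds.api_chains_total_common_length):
            matched.append(1)
        if c >= 2:
            matched.append(2)
        if c >= 1 and d >= 1:
            matched.append(3)
        if d >= 1 and b >= thresholds.api_chains_total_common_length:
            matched.append(4)
        # Guard the divisions: a model with no long-enough chains cannot
        # match by ratio.
        if (mal_a != 0 and mal_b != 0
                and a * 1.0 / mal_a >= thresholds.api_chains_identical_num_chains
                and b * 1.0 / mal_b >= thresholds.api_chains_identical_len_chains):
            matched.append(5)
        if api_chains.chains_unique(api_chains_app, sample_chains):
            matched.append(6)
        if work_until_first_match and matched:
            break
    return similar_apps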
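def get_similar_detailed(andr_a, andr_d, app_list):
    """Match an app's API chains against each malware model in ``app_list``.

    Args:
        andr_a, andr_d: androguard APK / DalvikVMFormat objects; passed
            straight through to ``api_chains.get_api_chains``.
        app_list: iterable of malware sample identifiers.  Samples with no
            entry in ``api_chain_model.malw_api_chain_models``, or whose
            chain list in ``malw_api_chain_models_in_lists`` is empty, are
            skipped.

    Returns:
        ``[]`` when no chains could be extracted from the app
        (``get_api_chains`` returned ``None``), otherwise a dict
        ``{sample: [rule numbers that fired]}``.  Every sample that was
        actually compared gets an entry, so an empty list means "compared,
        no rule fired".
        NOTE(review): the early return is a list while the normal return is
        a dict; it is kept that way for backward compatibility, so callers
        must tolerate both.

    Rules, with ``a, b, c, d = api_chains.compare_api_chains(app, sample)``:
        1 - ``a``/``b`` reach ``thresholds.api_chains_total_common_chains`` /
            ``..._total_common_length``
        2 - ``c >= 2``
        3 - ``c >= 1`` and ``d >= 1``
        4 - ``d >= 1`` and ``b`` reaches the total-common-length threshold
        5 - ``a / mal_a`` and ``b / mal_b`` reach the
            ``thresholds.api_chains_identical_*`` ratios, where ``mal_a`` /
            ``mal_b`` are the count / summed length of the sample's chains
            that are at least ``api_chains.minimum_length`` long
        6 - ``api_chains.chains_unique(app, sample)`` is true

    When the module-level name ``work_until_first_match`` is truthy the scan
    stops at the first sample for which at least one rule fired.
    """
    api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
    if api_chains_app is None:
        return []  # list (not dict) kept for backward compatibility
    similar_apps = {}
    min_len = api_chains.minimum_length
    for sample in app_list:
        if sample not in api_chain_model.malw_api_chain_models:
            continue
        sample_chains = api_chain_model.malw_api_chain_models_in_lists[sample]
        if not sample_chains:
            continue  # ignore empty malware models, if any
        # Size of the malware model counting only "significant" chains; this
        # is the denominator of the ratio rule (5) below.
        long_chain_lengths = [len(x.chain) for x in sample_chains
                              if len(x.chain) >= min_len]
        mal_a = len(long_chain_lengths)
        mal_b = sum(long_chain_lengths)
        a, b, c, d = api_chains.compare_api_chains(api_chains_app, sample_chains)
        matched = []
        similar_apps[sample] = matched  # registered even if nothing fires
        if (a >= thresholds.api_chains_total_common_chains
                and b >= thresholds.api_chains_total_common_length):
            matched.append(1)
        if c >= 2:
            matched.append(2)
        if c >= 1 and d >= 1:
            matched.append(3)
        if d >= 1 and b >= thresholds.api_chains_total_common_length:
            matched.append(4)
        # Guard the divisions: a model with no long-enough chains cannot
        # match by ratio.
        if (mal_a != 0 and mal_b != 0
                and a * 1.0 / mal_a >= thresholds.api_chains_identical_num_chains
                and b * 1.0 / mal_b >= thresholds.api_chains_identical_len_chains):
            matched.append(5)
        if api_chains.chains_unique(api_chains_app, sample_chains):
            matched.append(6)
        if work_until_first_match and matched:
            break
    return similar_apps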
def get_similar_short(andr_a, andr_d, app_list):
    """Extract the app's API chains and hand them to ``get_similar``.

    ``andr_a`` / ``andr_d`` are forwarded unchanged to
    ``api_chains.get_api_chains``; its result is not inspected here (it can
    be ``None`` when extraction fails, as other callers in this file check),
    so ``get_similar`` is the one that has to cope with that.  Returns
    whatever ``get_similar(chains, app_list)`` returns.
    """
    return get_similar(api_chains.get_api_chains(andr_a, andr_d), app_list)
def get_api_chains(andr_a, andr_d):
    """Module-level alias for ``api_chains.get_api_chains``.

    Forwards ``andr_a`` / ``andr_d`` (androguard APK and DalvikVMFormat
    objects) and returns the callee's result untouched -- including
    ``None``, which the callers in this file treat as "no chains obtained".
    """
    chains = api_chains.get_api_chains(andr_a, andr_d)
    return chains
time_s = time.time() api = api_matching.get_used_api(andr_d) similar_api_list = api_matching.get_similar_api(api, similar_list) if len(similar_api_list) != 0: print 'Similar malware by API:' for x in similar_api_list: print x print '___________________________________________________________________' else: print 'No API-similarities with malware models' time_api = time.time() - time_s time_s = time.time() api_chains_app = api_chains.get_api_chains(andr_a, andr_d) if (api_chains_app == None): print 'Failed to obtain chains of app', package_name sys.exit(0) time_getting_chains = time.time() - time_s # Generating cfg using pydot import pydot invokes, entry_points, mark = api_chains.get_graph_and_entry_points( andr_a, andr_d) graph = pydot.Dot(graph_type='digraph', rankdir='LR') added_nodes = {} for key in entry_points: if not key in mark: continue node_key = pydot.Node(str(key), style="filled", fillcolor="green")
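for line in f_list:
    # One APK path per line; rstrip instead of [:-1] so a final line without
    # a trailing newline does not lose its last character.
    apk_name = line.rstrip('\r\n')
    if not apk_name:
        continue
    count_apps += 1
    print('Processing %s (%d / %d)' % (apk_name, count_apps, total_apps))
    # The content hash is both the cache key and the output file name.  Read
    # in binary mode (an APK is a zip, not text), hash in chunks instead of
    # slurping the whole file, and close the handle.  A hex digest contains
    # no path separators or '..', so it is safe to use as a file name.
    sha = hashlib.sha256()
    try:
        with open(apk_name, 'rb') as apk_file:
            for block in iter(lambda: apk_file.read(1 << 20), b''):
                sha.update(block)
    except (IOError, OSError) as exc:
        print('Failed to read %s: %r' % (apk_name, exc))
        continue
    apk_hash = sha.hexdigest()
    out_path = os.path.join(save_directory, apk_hash)
    if os.path.isfile(out_path):
        continue  # already processed on an earlier run
    try:
        a = APK(apk_name)
        d = dvm.DalvikVMFormat(a.get_dex())
    except Exception as exc:
        # Narrowed from a bare except: a bare except would also swallow
        # KeyboardInterrupt/SystemExit and hide the actual parse error.
        print('Failed to decompile %s: %r' % (apk_name, exc))
        continue
    try:
        app_api_chains = api_chains.get_api_chains(a, d)
    except UnicodeEncodeError:
        continue  # do not process such errors yet
    if app_api_chains is None:
        continue
    # Feature vector: chain root -> chain; serialised as JSON under the hash.
    features = {chain.root: chain.chain for chain in app_api_chains}
    with open(out_path, 'w') as out_file:
        out_file.write(json.dumps(features))
# The list file is closed only after the loop has consumed it.
f_list.close()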
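for line in f_list:
    # One APK path per line; rstrip instead of [:-1] so a final line without
    # a trailing newline does not lose its last character.
    apk_name = line.rstrip('\r\n')
    if not apk_name:
        continue
    count_apps += 1
    print('Processing %s (%d / %d)' % (apk_name, count_apps, total_apps))
    # The content hash is both the cache key and the output file name.  Read
    # in binary mode (an APK is a zip, not text), hash in chunks instead of
    # slurping the whole file, and close the handle.  A hex digest contains
    # no path separators or '..', so it is safe to use as a file name.
    sha = hashlib.sha256()
    try:
        with open(apk_name, 'rb') as apk_file:
            for block in iter(lambda: apk_file.read(1 << 20), b''):
                sha.update(block)
    except (IOError, OSError) as exc:
        print('Failed to read %s: %r' % (apk_name, exc))
        continue
    apk_hash = sha.hexdigest()
    out_path = os.path.join(save_directory, apk_hash)
    if os.path.isfile(out_path):
        continue  # already processed on an earlier run
    try:
        a = APK(apk_name)
        d = dvm.DalvikVMFormat(a.get_dex())
    except Exception as exc:
        # Narrowed from a bare except: a bare except would also swallow
        # KeyboardInterrupt/SystemExit and hide the actual parse error.
        print('Failed to decompile %s: %r' % (apk_name, exc))
        continue
    try:
        app_api_chains = api_chains.get_api_chains(a, d)
    except UnicodeEncodeError:
        continue  # do not process such errors yet
    if app_api_chains is None:
        continue
    # Feature vector: chain root -> chain; serialised as JSON under the hash.
    features = {chain.root: chain.chain for chain in app_api_chains}
    with open(out_path, 'w') as out_file:
        out_file.write(json.dumps(features))
# The list file is closed only after the loop has consumed it.
f_list.close()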
time_s = time.time() api = api_matching.get_used_api(andr_d) similar_api_list = api_matching.get_similar_api(api, similar_list) if len(similar_api_list) != 0: print 'Similar malware by API:' for x in similar_api_list: print x print '___________________________________________________________________' else: print 'No API-similarities with malware models' time_api = time.time() - time_s time_s = time.time() api_chains_app = api_chains.get_api_chains(andr_a, andr_d) if (api_chains_app == None): print 'Failed to obtain chains of app', package_name sys.exit(0) time_getting_chains = time.time() - time_s api_chains_app_dict = {} for api_chain in api_chains_app: api_chains_app_dict[api_chain.root] = api_chain.chain is_malicious = False time_s = time.time() for sample in similar_api_list: if (not sample in api_chain_matching.api_chain_model.malw_api_chain_models):