def each(self, target):
self.results = dict()
try:
# lief
oat = lief.parse(target)
oat_dict = json.loads(lief.to_json(oat), parse_int=str)
self.results.update(oat_dict)
# add extracted dex files
for idx, dex_file in enumerate(oat.dex_files):
temp = tempdir()
fname = 'classes_{}.dex'.format(str(idx))
dex_filepath = os.path.join(temp, fname)
dex_file.save(dex_filepath)
if os.path.isfile(dex_filepath):
self.add_extracted_file(dex_filepath)
# androguard
sha256, vm, vm_analysis = AnalyzeDex(target)
aguard_dict = {
'androguard': {
'internal_classes': self._get_internal_classes(vm_analysis)
}
}
self.results.update(aguard_dict)
except:
self.log('error', traceback.print_exc())
return True
def each(self, target):
self.results = dict()
self.results['urls'] = []
try:
apk, vm, vm_analysis = AnalyzeAPK(target)
except:
self.log('error', '[+] AnalyzeAPK failed, running AnalyzeDex')
apk = None
vm, vm_analysis = AnalyzeDex(target)
self.results['dex'] = True
strings = []
for v in vm:
strings.extend(v.get_strings())
for s in strings:
for regex_str in r:
match = re.search(regex_str, s, re.IGNORECASE)
if match:
self.results['urls'].append(match.group(0))
self.results['urls'] = list(set(self.results['urls']))
# Add observables
for url in self.results['urls']:
self.add_ioc(url)
return True
def each(self, target):
self.results = dict()
try:
apk, vm, vm_analysis = AnalyzeAPK(target)
# First, get basic information about the APK
self.results['name'] = apk.get_app_name()
self.results['package'] = apk.get_package()
self.results['permissions'] = apk.get_permissions()
self.results['main_activity'] = apk.get_main_activity()
self.results['receivers'] = apk.get_receivers()
self.results['services'] = apk.get_services()
self.results['main_activity_content'] = vm.get_class("L{};".format(
self.results['main_activity']).replace('.', '/')).get_source()
except:
apk = None
vm, vm_analysis = AnalyzeDex(target)
self.results['dex'] = True
# Then, run all the APK Plugins in order to see if this is a known malware
for plugin in APKPlugin.__subclasses__():
plugin = plugin(target, apk, vm, vm_analysis)
plugin.apply(self)
return True
def testXrefOffsetsFields(self):
"""Tests if Field offsets in bytecode are correctly stored"""
_, _, dx = AnalyzeDex('examples/tests/FieldsTest.dex')
self.assertEqual(len(dx.get_strings()), 4)
self.assertIn('hello world', dx.strings.keys())
self.assertIn('sdf', dx.strings.keys())
self.assertIn('hello mars', dx.strings.keys())
self.assertIn('i am static', dx.strings.keys())
afield = next(dx.find_fields(fieldname='afield'))
self.assertEqual(len(afield.get_xref_read()), 1) # always same method
self.assertEqual(len(afield.get_xref_read(withoffset=True)), 2)
self.assertListEqual(
list(
sorted(
map(itemgetter(2),
afield.get_xref_read(withoffset=True)))), [4, 40])
self.assertListEqual(
list(
map(lambda x: x.name,
map(itemgetter(1),
afield.get_xref_read(withoffset=True)))),
["foonbar", "foonbar"])
self.assertEqual(len(afield.get_xref_write()), 2)
self.assertEqual(len(afield.get_xref_write(withoffset=True)), 2)
self.assertListEqual(
list(
sorted(
map(itemgetter(2),
afield.get_xref_write(withoffset=True)))), [10, 32])
self.assertListEqual(
list(
sorted(
map(
lambda x: x.name,
map(itemgetter(1),
afield.get_xref_write(withoffset=True))))),
sorted(["<init>", "foonbar"]))
cfield = next(dx.find_fields(fieldname='cfield'))
# this one is static, hence it must have a write in <clinit>
self.assertListEqual(
list(
sorted(
map(
lambda x: x.name,
map(itemgetter(1),
cfield.get_xref_write(withoffset=True))))),
sorted(["<clinit>"]))
self.assertListEqual(
list(
sorted(
map(
lambda x: x.name,
map(itemgetter(1),
cfield.get_xref_read(withoffset=True))))),
sorted(["foonbar"]))
def getStringsClassSource(a, d, dx, DEXFileLocation):
target=""
init=""
main=a.get_main_activity()
if(main[-12:]=="MainActivity"):
print("Looks like this sample isn't Cerberus, maybe Anubis.")
spl=main.split(".")
outer=""
print(main)
for m in spl[:-1]:
outer+=m+"."
h, d, dx = AnalyzeDex(DEXFileLocation)
lst=[]
target_obj=dx.classes[Utils.javaish(main)]
for meth in target_obj.get_methods():
if(meth.get_method().get_name() == "<init>"):
for line in meth.get_method().get_source().splitlines():
btw=Utils.between(line, "= new ", "();")
if( outer[:-1] in btw):
lst.append(btw)
lst = list(dict.fromkeys(lst))
for sinif in lst:
sin=dx.classes[Utils.javaish(sinif)]
for meth in sin.get_methods():
if(meth.get_method().get_name() == "<init>"):
cfg_src=meth.get_method().get_source()
break
return cfg_src
def load_analysis(filename):
"""Return an AnalysisObject depding on the filetype"""
ret_type = androconf.is_android(filename)
if ret_type == "APK":
_, _, dx = AnalyzeAPK(filename)
return dx
if ret_type == "DEX":
_, _, dx = AnalyzeDex(filename)
return dx
return None
def __init__(self, apk_filepath: Union[str, PathLike]):
super().__init__(apk_filepath, "androguard")
if self.ret_type == "APK":
# return the APK, list of DalvikVMFormat, and Analysis objects
self.apk, self.dalvikvmformat, self.analysis = AnalyzeAPK(
apk_filepath)
elif self.ret_type == "DEX":
# return the sha256hash, DalvikVMFormat, and Analysis objects
_, _, self.analysis = AnalyzeDex(apk_filepath)
else:
raise ValueError("Unsupported File type.")
def testXrefOffsets(self):
"""Tests if String offsets in bytecode are correctly stored"""
_, _, dx = AnalyzeDex('examples/tests/AnalysisTest.dex')
self.assertEqual(len(dx.get_strings()), 1)
self.assertIsInstance(dx.strings['Hello world'], analysis.StringAnalysis)
sa = dx.strings['Hello world']
self.assertEqual(len(sa.get_xref_from()), 1)
self.assertEqual(len(sa.get_xref_from(withoffset=True)), 1)
self.assertEqual(next(iter(sa.get_xref_from(withoffset=True)))[2], 4) # offset is 4
def testArrays(self):
h, d, dx = AnalyzeDex("examples/tests/FillArrays.dex")
z, = d.get_classes()
self.assertIn("{20, 30, 40, 50};", z.get_source())
self.assertIn("{1, 2, 3, 4, 5, 999, 10324234};", z.get_source())
self.assertIn("{97, 98, 120, 122, 99};", z.get_source())
self.assertIn("{5, 10, 15, 20};", z.get_source())
# Failed version of char array
self.assertNotIn("{97, 0, 98, 0, 120};", z.get_source())
# Failed version of short array
self.assertNotIn("{5, 0, 10, 0};", z.get_source())
def list_XREF(file):
""" List all XREF in the methods of a binary """
try:
a, d, dx = AnalyzeAPK(file)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
d, dx = AnalyzeDex(file)
for method in dx.get_methods():
print(method.name)
print("XREFfrom:", [m[1].name for m in method.get_xref_from()])
print("XREFto:", [m[1].name for m in method.get_xref_to()])
def testAnalysis(self):
h, d, dx = AnalyzeDex("examples/tests/AnalysisTest.dex")
self.assertEqual(h, "4595fc25104f3fcd709163eb70ca476edf116753607ec18f09548968c71910dc")
self.assertIsInstance(d, dvm.DalvikVMFormat)
self.assertIsInstance(dx, analysis.Analysis)
cls = ["Ljava/io/PrintStream;", "Ljava/lang/Object;",
"Ljava/math/BigDecimal;", "Ljava/math/BigInteger;"]
for c in cls:
self.assertIn(c, map(lambda x: x.orig_class.get_name(),
dx.get_external_classes()))
def testExtends(self):
h, d, dx = AnalyzeDex('examples/tests/ExceptionHandling.dex')
cls = dx.classes['LSomeException;']
self.assertEquals(cls.extends, 'Ljava/lang/Exception;')
self.assertEquals(cls.name, 'LSomeException;')
self.assertFalse(cls.is_external())
cls = dx.classes['Ljava/lang/Exception;']
self.assertEquals(cls.extends, 'Ljava/lang/Object;')
self.assertEquals(cls.name, 'Ljava/lang/Exception;')
self.assertEquals(cls.implements, [])
self.assertTrue(cls.is_external())
def __init__(self, filename):
self.filename = filename
try:
self.a = APK(filename)
self.d = DalvikVMFormat(self.a.get_dex())
self.d.create_python_export()
self.dx = Analysis(self.d)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
_, self.d, self.dx = AnalyzeDex(self.filename)
self.d.set_vmanalysis(self.dx)
self.dx.create_xref()
self.fcg = self.build_fcg()
def __init__(self, apk_filepath):
"""Information about apk based on androguard analysis"""
self.ret_type = androconf.is_android(apk_filepath)
if self.ret_type == "APK":
# return the APK, list of DalvikVMFormat, and Analysis objects
self.apk, self.dalvikvmformat, self.analysis = AnalyzeAPK(apk_filepath)
if self.ret_type == "DEX":
# return the sha256hash, DalvikVMFormat, and Analysis objects
_, _, self.analysis = AnalyzeDex(apk_filepath)
self.apk_filename = os.path.basename(apk_filepath)
self.apk_filepath = apk_filepath
def each(self, target):
self.results = dict()
try:
# lief
binary = lief.DEX.parse(target)
lief_dict = {'lief': json.loads(lief.to_json(binary), parse_int=str)}
self.results.update(lief_dict)
# androguard
sha256, vm, vm_analysis = AnalyzeDex(target)
aguard_dict = {'androguard': {'internal_classes':self._get_internal_classes(vm_analysis)}}
self.results.update(aguard_dict)
except:
self.log('error', traceback.print_exc())
return True
def __init__(self, apkpath):
self.ret_type = androconf.is_android(apkpath)
self.buff_method_set = set()
if self.ret_type == "APK":
# return the APK, list of DalvikVMFormat, and Analysis objects
_, _, self.analysis = AnalyzeAPK(apkpath)
if self.ret_type == "DEX":
# return the sha256hash, DalvikVMFormat, and Analysis objects
_, _, self.analysis = AnalyzeDex(apkpath)
for method_analysis in self.analysis.get_methods():
self.buff_method_set.add(method_analysis)
del _
def __init__(self, filename):
self.filename = filename
# print(os.path.exists(filename))
# a,d,dx = AnalyzeAPK(filename)
# print(dx.get_call_graph())
try:
self.a = APK(filename)
self.d = DalvikVMFormat(self.a.get_dex())
self.d.create_python_export()
self.dx = Analysis(self.d)
except zipfile.BadZipfile:
# if file is not an APK, may be a dex object
_, self.d, self.dx = AnalyzeDex(self.filename)
self.d.set_vmanalysis(self.dx)
self.dx.create_xref()
self.fcg = self.build_fcg()
def testDexWrapper(self):
from androguard.misc import AnalyzeDex
from androguard.core.bytecodes.dvm import DalvikVMFormat
from androguard.core.analysis.analysis import Analysis
h, d, dx = AnalyzeDex(
"examples/android/TestsAndroguard/bin/classes.dex")
self.assertEqual(
h,
'2f24538b3064f1f88d3eb29ee7fbd2146779a4c9144aefa766d18965be8775c7')
self.assertIsInstance(d, DalvikVMFormat)
self.assertIsInstance(dx, Analysis)
classes = d.get_classes()
self.assertTrue(classes)
self.assertEqual(len(classes), 340)
methods = d.get_methods()
self.assertTrue(methods)
self.assertEqual(len(methods), 2600)
fields = d.get_fields()
self.assertTrue(fields)
self.assertEqual(len(fields), 803)
def testInterfaces(self):
h, d, dx = AnalyzeDex('examples/tests/InterfaceCls.dex')
cls = dx.classes['LInterfaceCls;']
self.assertIn('Ljavax/net/ssl/X509TrustManager;', cls.implements)
self.assertEquals(cls.name, 'LInterfaceCls;')
def get_detailed_analysis(self):
from androguard.misc import AnalyzeDex
self.d, self.dx = AnalyzeDex(self.a.get_dex(), raw=True)
def testSimplification(self):
h, d, dx = AnalyzeDex("examples/tests/Test.dex")
z, = d.get_classes()
self.assertIn("return ((23 - p3) | ((p3 + 66) & 26));", z.get_source())