Exemplo n.º 1
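def get_similar_detailed(andr_a, andr_d, app_list):
	"""Score the app's API chains against each malware model in ``app_list``.

	Args:
		andr_a: APK object passed through to ``api_chains.get_api_chains``.
		andr_d: DEX object passed through alongside ``andr_a``.
		app_list: iterable of malware sample ids; ids without an entry in
			``api_chain_model.malw_api_chain_models`` are skipped.

	Returns:
		``{sample: [rule_ids]}`` where ``rule_ids`` lists the ids (1-6) of
		the similarity rules below that fired for that sample. A sample that
		matched nothing keeps an empty list; samples with an empty model are
		left out entirely. Returns ``[]`` (a list, kept because existing
		callers compare against it) when no chains could be extracted.

	Stops after the first sample with a non-empty rule list when the
	module-level flag ``work_until_first_match`` is set.
	"""
	api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
	if api_chains_app is None:
		return []

	min_len = api_chains.minimum_length
	similar_apps = {}
	for sample in app_list:
		if sample not in api_chain_model.malw_api_chain_models:
			continue
		# Assumes both model dicts are keyed alike: a sample present in
		# malw_api_chain_models but missing here raises KeyError.
		model_chains = api_chain_model.malw_api_chain_models_in_lists[sample]
		if not model_chains:  # ignoring empty malware models if any
			continue

		# mal_a = number, mal_b = summed length, of the model's chains that
		# reach the minimum length; both are the denominators of rule 5.
		long_lengths = [len(x.chain) for x in model_chains if len(x.chain) >= min_len]
		mal_a = len(long_lengths)
		mal_b = sum(long_lengths)
		# a, b, c, d are whatever compare_api_chains reports; their meaning is
		# defined there -- NOTE(review): presumably common-chain count, common
		# length and two identical-chain counts; confirm in api_chains.
		a, b, c, d = api_chains.compare_api_chains(api_chains_app, model_chains)

		rules = []
		if (a >= thresholds.api_chains_total_common_chains
				and b >= thresholds.api_chains_total_common_length):
			rules.append(1)
		if c >= 2:
			rules.append(2)
		if c >= 1 and d >= 1:
			rules.append(3)
		if d >= 1 and b >= thresholds.api_chains_total_common_length:
			rules.append(4)
		# Rule 5 compares ratios, so a zero denominator can never fire it.
		if (mal_a and mal_b
				and float(a) / mal_a >= thresholds.api_chains_identical_num_chains
				and float(b) / mal_b >= thresholds.api_chains_identical_len_chains):
			rules.append(5)
		if api_chains.chains_unique(api_chains_app, model_chains):
			rules.append(6)
		similar_apps[sample] = rules

		# Early exit once any rule fired, if the caller asked for it.
		if work_until_first_match and rules:
			break
	return similar_apps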
Exemplo n.º 2
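def get_similar_detailed(andr_a, andr_d, app_list):
    """Score the app's API chains against each malware model in ``app_list``.

    Args:
        andr_a: APK object passed through to ``api_chains.get_api_chains``.
        andr_d: DEX object passed through alongside ``andr_a``.
        app_list: iterable of malware sample ids; ids without an entry in
            ``api_chain_model.malw_api_chain_models`` are skipped.

    Returns:
        ``{sample: [rule_ids]}`` where ``rule_ids`` lists the ids (1-6) of
        the similarity rules below that fired for that sample. A sample that
        matched nothing keeps an empty list; samples with an empty model are
        left out entirely. Returns ``[]`` (a list, kept because existing
        callers compare against it) when no chains could be extracted.

    Stops after the first sample with a non-empty rule list when the
    module-level flag ``work_until_first_match`` is set.
    """
    api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
    if api_chains_app is None:
        return []

    min_len = api_chains.minimum_length
    similar_apps = {}
    for sample in app_list:
        if sample not in api_chain_model.malw_api_chain_models:
            continue
        # Assumes both model dicts are keyed alike: a sample present in
        # malw_api_chain_models but missing here raises KeyError.
        model_chains = api_chain_model.malw_api_chain_models_in_lists[sample]
        if not model_chains:  # ignoring empty malware models if any
            continue

        # mal_a = number, mal_b = summed length, of the model's chains that
        # reach the minimum length; both are the denominators of rule 5.
        long_lengths = [len(x.chain) for x in model_chains
                        if len(x.chain) >= min_len]
        mal_a = len(long_lengths)
        mal_b = sum(long_lengths)
        # a, b, c, d are whatever compare_api_chains reports; their meaning is
        # defined there -- NOTE(review): presumably common-chain count, common
        # length and two identical-chain counts; confirm in api_chains.
        a, b, c, d = api_chains.compare_api_chains(api_chains_app, model_chains)

        rules = []
        if (a >= thresholds.api_chains_total_common_chains
                and b >= thresholds.api_chains_total_common_length):
            rules.append(1)
        if c >= 2:
            rules.append(2)
        if c >= 1 and d >= 1:
            rules.append(3)
        if d >= 1 and b >= thresholds.api_chains_total_common_length:
            rules.append(4)
        # Rule 5 compares ratios, so a zero denominator can never fire it.
        if (mal_a and mal_b
                and float(a) / mal_a >= thresholds.api_chains_identical_num_chains
                and float(b) / mal_b >= thresholds.api_chains_identical_len_chains):
            rules.append(5)
        if api_chains.chains_unique(api_chains_app, model_chains):
            rules.append(6)
        similar_apps[sample] = rules

        # Early exit once any rule fired, if the caller asked for it.
        if work_until_first_match and rules:
            break
    return similar_apps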
Exemplo n.º 3
def get_similar_short(andr_a, andr_d, app_list):
    """Extract the app's API chains and hand them to ``get_similar``.

    Convenience wrapper for callers that hold the APK/DEX pair rather than
    already-extracted chains. Whatever ``get_similar`` returns (including
    its handling of a ``None`` extraction result) is passed back unchanged.
    """
    return get_similar(api_chains.get_api_chains(andr_a, andr_d), app_list)
Exemplo n.º 4
def get_api_chains(andr_a, andr_d):
    """Module-level alias for ``api_chains.get_api_chains``.

    Forwards the APK object ``andr_a`` and DEX object ``andr_d`` unchanged
    and returns the extraction result as-is.
    """
    chains = api_chains.get_api_chains(andr_a, andr_d)
    return chains
Exemplo n.º 5
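# Stage 1: plain API overlap between the app and the similar-sample list.
# NOTE: single-argument print() calls are used so these lines run unchanged
# under both Python 2 (the file's own `print` statements) and Python 3.
time_s = time.time()
api = api_matching.get_used_api(andr_d)
similar_api_list = api_matching.get_similar_api(api, similar_list)

if similar_api_list:
    print('Similar malware by API:')
    for x in similar_api_list:
        print(x)
    print('___________________________________________________________________')
else:
    print('No API-similarities with malware models')
time_api = time.time() - time_s

# Stage 2: API-chain extraction; the rest of the analysis needs the chains.
time_s = time.time()
api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
if api_chains_app is None:
    # Exit non-zero: extraction failed and anything scripting this tool
    # must not read the run as a success (the original exited with 0).
    print('Failed to obtain chains of app %s' % package_name)
    sys.exit(1)
time_getting_chains = time.time() - time_s

# Generating cfg using pydot
import pydot  # only needed from here on; kept where the original placed it
invokes, entry_points, mark = api_chains.get_graph_and_entry_points(
    andr_a, andr_d)
graph = pydot.Dot(graph_type='digraph', rankdir='LR')
added_nodes = {}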
for key in entry_points:
    if not key in mark:
        continue
    node_key = pydot.Node(str(key), style="filled", fillcolor="green")
Exemplo n.º 6
def get_similar_short(andr_a, andr_d, app_list):
	"""Extract the app's API chains and hand them to ``get_similar``.

	Convenience wrapper for callers that hold the APK/DEX pair rather than
	already-extracted chains. Whatever ``get_similar`` returns (including
	its handling of a ``None`` extraction result) is passed back unchanged.
	"""
	return get_similar(api_chains.get_api_chains(andr_a, andr_d), app_list)
Exemplo n.º 7
def get_api_chains(andr_a, andr_d):
	"""Module-level alias for ``api_chains.get_api_chains``.

	Forwards the APK object ``andr_a`` and DEX object ``andr_d`` unchanged
	and returns the extraction result as-is.
	"""
	chains = api_chains.get_api_chains(andr_a, andr_d)
	return chains
Exemplo n.º 8
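# For every APK path listed in f_list: hash the file, skip it if a feature
# file for that hash already exists, otherwise decompile, extract the API
# chains and save them as JSON under save_directory/<sha256>.
# NOTE: single-argument print() calls keep these lines runnable under both
# Python 2 (the file's own `print` statements) and Python 3.
for line in f_list:
	# Strip only the line terminator: line[:-1] would also drop the last
	# character of a final line that has no trailing newline.
	apk_name = line.rstrip('\r\n')
	count_apps += 1
	print('Processing %s ( %s  /  %s )' % (apk_name, count_apps, total_apps))

	# Hash in binary mode and in chunks: text mode may alter bytes on some
	# platforms, and reading the whole APK loads every sample into memory.
	digest = hashlib.sha256()
	with open(apk_name, 'rb') as apk_file:
		for block in iter(lambda: apk_file.read(1 << 20), b''):
			digest.update(block)
	apk_hash = digest.hexdigest()
	feature_path = os.path.join(save_directory, apk_hash)
	if os.path.isfile(feature_path):
		continue

	try:
		a = APK(apk_name)
		d = dvm.DalvikVMFormat(a.get_dex())
	except Exception:  # not bare: keep KeyboardInterrupt/SystemExit working
		print('Failed to decompile')
		continue

	try:
		app_api_chains = api_chains.get_api_chains(a, d)
	except UnicodeEncodeError:
		continue  # do not process such errors yet
	if app_api_chains is None:
		continue
	# Later chains with the same root overwrite earlier ones, as before.
	features = dict((chain.root, chain.chain) for chain in app_api_chains)

	with open(feature_path, 'w') as out_file:
		out_file.write(json.dumps(features))

f_list.close()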
Exemplo n.º 9
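# For every APK path listed in f_list: hash the file, skip it if a feature
# file for that hash already exists, otherwise decompile, extract the API
# chains and save them as JSON under save_directory/<sha256>.
# NOTE: single-argument print() calls keep these lines runnable under both
# Python 2 (the file's own `print` statements) and Python 3.
for line in f_list:
    # Strip only the line terminator: line[:-1] would also drop the last
    # character of a final line that has no trailing newline.
    apk_name = line.rstrip('\r\n')
    count_apps += 1
    print('Processing %s ( %s  /  %s )' % (apk_name, count_apps, total_apps))

    # Hash in binary mode and in chunks: text mode may alter bytes on some
    # platforms, and reading the whole APK loads every sample into memory.
    digest = hashlib.sha256()
    with open(apk_name, 'rb') as apk_file:
        for block in iter(lambda: apk_file.read(1 << 20), b''):
            digest.update(block)
    apk_hash = digest.hexdigest()
    feature_path = os.path.join(save_directory, apk_hash)
    if os.path.isfile(feature_path):
        continue

    try:
        a = APK(apk_name)
        d = dvm.DalvikVMFormat(a.get_dex())
    except Exception:  # not bare: keep KeyboardInterrupt/SystemExit working
        print('Failed to decompile')
        continue

    try:
        app_api_chains = api_chains.get_api_chains(a, d)
    except UnicodeEncodeError:
        continue  # do not process such errors yet
    if app_api_chains is None:
        continue
    # Later chains with the same root overwrite earlier ones, as before.
    features = dict((chain.root, chain.chain) for chain in app_api_chains)

    with open(feature_path, 'w') as out_file:
        out_file.write(json.dumps(features))

f_list.close()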
Exemplo n.º 10
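# Stage 1: plain API overlap between the app and the similar-sample list.
# NOTE: single-argument print() calls are used so these lines run unchanged
# under both Python 2 (the file's own `print` statements) and Python 3.
time_s = time.time()
api = api_matching.get_used_api(andr_d)
similar_api_list = api_matching.get_similar_api(api, similar_list)

if similar_api_list:
	print('Similar malware by API:')
	for x in similar_api_list:
		print(x)
	print('___________________________________________________________________')
else:
	print('No API-similarities with malware models')
time_api = time.time() - time_s

# Stage 2: API-chain extraction; the rest of the analysis needs the chains.
time_s = time.time()
api_chains_app = api_chains.get_api_chains(andr_a, andr_d)
if api_chains_app is None:
	# Exit non-zero: extraction failed and anything scripting this tool
	# must not read the run as a success (the original exited with 0).
	print('Failed to obtain chains of app %s' % package_name)
	sys.exit(1)
time_getting_chains = time.time() - time_s


# Index the app's chains by root; a later chain with the same root
# overwrites an earlier one, exactly as the original loop did.
api_chains_app_dict = dict((api_chain.root, api_chain.chain)
                           for api_chain in api_chains_app)

is_malicious = False

time_s = time.time()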
for sample in similar_api_list:
	if (not sample in api_chain_matching.api_chain_model.malw_api_chain_models):