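def analyze_dex(self, data):
    '''
    start analyzing dex logic (r2p anal.timeout = 5) for individual dex
    add description to strings, get words and wordsstripped from the dex

    Args:
        data: shared result dict; reads data["Location"]["File"] and
            writes the "APK_DEX_1" table into it

    Returns:
        None (results are stored in data)
    '''
    r2p = r2open(data["Location"]["File"], flags=['-2'])
    try:
        r2p.cmd("e anal.timeout = 5")
        r2p.cmd("aaaa;")
        k = 'APK_DEX_1'
        # the "_<Name>" entries are the column headers for each table
        data[k] = {
            "Classes": self.get_all_classes(r2p),
            "Externals": self.get_all_externals(r2p),
            "Symbols": self.get_all_symbols(r2p),
            "Bigfunctions": self.big_functions(r2p),
            "Suspicious": self.check_sus(r2p),
            "_Classes": ["Type", "Name"],
            "_Externals": ["Type", "Name"],
            "_Symbols": ["Type", "Address", "X", "Name"],
            "_Bigfunctions": ["Size", "Name"],
            "_Suspicious": ["Location", "Function", "Xrefs"]
        }
        get_words(data, data["Location"]["File"])
    finally:
        # always release the radare2 session, even when a helper raises;
        # otherwise each failed sample leaves an r2 process behind
        r2p.quit()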
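def analyze_apk(self, data):
    '''
    start analyzing apk logic (r2p anal.timeout = 5) for all dex files
    add description to strings, get words and wordsstripped from the packed files

    Args:
        data: shared result dict; reads data["Packed"]["Files"] and writes
            data["APK"] plus one "APK_DEX_<index>" table per classes*.dex

    Returns:
        None (results are stored in data)
    '''
    data["APK"] = {
        "General": {},
        "Permissions": [],
        "_General": {},
        "_Permissions": ["Permission", "Description"]
    }
    for index, item in enumerate(data["Packed"]["Files"]):
        name = item["Name"].lower()
        if name == "androidmanifest.xml":
            data["APK"]["Permissions"] = self.read_permissions(
                data, item["Path"])
        if "classes" in name and name.endswith(".dex"):
            r2p = r2open(item["Path"], flags=['-2'])
            try:
                r2p.cmd("e anal.timeout = 5")
                r2p.cmd("aaaa;")
                self.dex_wrapper(data, r2p, 'APK_DEX_{}'.format(index))
            finally:
                # quit per dex: a single quit after the loop only closed the
                # last session and raised NameError when no dex was present
                r2p.quit()
    add_description("AndroidPermissions", data["APK"]["Permissions"],
                    "Permission")
    get_words_multi_files(data, data["Packed"]["Files"])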
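def analyze_dex(self, data):
    '''
    start analyzing dex logic (r2p anal.timeout = 5) for individual dex
    add description to strings, get words and wordsstripped from the dex

    Args:
        data: shared result dict; reads data["Location"]["File"] and
            receives the "APK_DEX_1" table via dex_wrapper

    Returns:
        None (results are stored in data)
    '''
    r2p = r2open(data["Location"]["File"], flags=['-2'])
    try:
        r2p.cmd("e anal.timeout = 5")
        r2p.cmd("aaaa;")
        self.dex_wrapper(data, r2p, 'APK_DEX_1')
        get_words(data, data["Location"]["File"])
    finally:
        # release the radare2 session even if dex_wrapper/get_words raise
        r2p.quit()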
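def analyze_apk(self, data):
    '''
    start analyzing apk logic (r2p anal.timeout = 5) for all dex files
    add description to strings, get words and wordsstripped from the packed files

    Args:
        data: shared result dict; reads data["Packed"]["Files"] and writes
            data["APK"] plus one "APK_DEX_<i>" table per classes*.dex

    Returns:
        None (results are stored in data)
    '''
    data["APK"] = {
        "General": {},
        "Permissions": [],
        "_General": {},
        "_Permissions": ["Permission", "Description"]
    }
    for i, v in enumerate(data["Packed"]["Files"]):
        name = v["Name"].lower()
        if name == "androidmanifest.xml":
            data["APK"]["Permissions"] = self.read_permissions(
                data, v["Path"])
        if "classes" in name and name.endswith(".dex"):
            r2p = r2open(v["Path"], flags=['-2'])
            try:
                r2p.cmd("e anal.timeout = 5")
                r2p.cmd("aaaa;")
                k = 'APK_DEX_{}'.format(i)
                # the "_<Name>" entries are the column headers for each table
                data[k] = {
                    "Classes": self.get_all_classes(r2p),
                    "Externals": self.get_all_externals(r2p),
                    "Symbols": self.get_all_symbols(r2p),
                    "Bigfunctions": self.big_functions(r2p),
                    "Suspicious": self.check_sus(r2p),
                    "_Classes": ["Type", "Name"],
                    "_Externals": ["Type", "Name"],
                    "_Symbols": ["Type", "Address", "X", "Name"],
                    "_Bigfunctions": ["Size", "Name"],
                    "_Suspicious": ["Location", "Function", "Xrefs"]
                }
            finally:
                # quit per dex: a single quit after the loop only closed the
                # last session and raised NameError when no dex was present
                r2p.quit()
    add_description("AndroidPermissions", data["APK"]["Permissions"],
                    "Permission")
    get_words_multi_files(data, data["Packed"]["Files"])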
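def create_d3_ref(self, data):
    '''
    get cross references from file using radare2

    Fills data["XREFS"] with a node/link graph (for d3) and a flat
    From/To table built from "axtj" output of every sym.* symbol.

    Args:
        data: shared result dict; reads data["Location"]["File"]

    Returns:
        None (results are stored in data)
    '''
    data["XREFS"] = {
        "GRAPH": {
            "nodes": [],
            "links": []
        },
        "TEXT": [],
        "_TEXT": ["From", "To"]
    }
    r2p = r2open(data["Location"]["File"], flags=['-2'])
    try:
        r2p.cmd("e anal.timeout = 10")
        r2p.cmd("aaaa")
        # axtj emits one JSON list per symbol; glue them into a single
        # list-of-lists so literal_eval can parse it in one go
        raw = r2p.cmd("axtj@@ sym.*")
        raw = "[" + raw.replace('\n', '').replace("][", "],[") + "]"
        sym = ' '.join(r2p.cmd("is~[6]").split())
        xrefs = literal_eval(raw)
        _list = []
        for funcs in xrefs:
            for func in funcs:
                if "opcode" not in func or "fcn_name" not in func:
                    continue
                match = search(r'\[(.*?)\]', func["opcode"])
                if match is not None:
                    # NOTE(review): the bracketed operand is text taken from
                    # the disassembly of an untrusted sample and is spliced
                    # into an r2 command; consider validating it (e.g. an
                    # address/symbol-name pattern) before use
                    if len(r2p.cmd("pd 1 @ " + match.group(1))) > 0:
                        _list.append({
                            "From": func["fcn_name"],
                            "To": match.group(1)
                        })
                else:
                    # NOTE(review): indentation of the original was lost;
                    # this fallback is read as applying when no bracketed
                    # operand exists (e.g. "call sym.foo") — confirm
                    funcfromopcode = ''.join(func["opcode"].split(' ')[-1:])
                    _list.append({
                        "From": func["fcn_name"],
                        "To": funcfromopcode
                    })
    finally:
        # release the radare2 session; the original never called quit() here
        r2p.quit()

    _node = []
    _temp = []
    for xfunc in _list:
        if self.check_func(xfunc["From"], sym):
            if xfunc["From"] not in _temp:
                _temp.append(xfunc["From"])
                _node.append({"func": xfunc["From"]})
            if xfunc["To"] not in _temp:
                _temp.append(xfunc["To"])
                _node.append({"func": xfunc["To"]})

    # _temp holds unique names, so a name->position map equals list.index()
    node_index = {name: pos for pos, name in enumerate(_temp)}
    _links = []
    seen = set()
    for xfunc in _list:
        try:
            S = node_index[xfunc["From"]]
            T = node_index[xfunc["To"]]
        except KeyError:
            # edges whose endpoint was filtered out by check_func are skipped,
            # matching the original's (previously bare) except on index()
            continue
        if (S, T) not in seen:
            seen.add((S, T))
            _links.append({"source": S, "target": T})

    if len(_node) > 0 and len(_links) > 0:
        data["XREFS"]["GRAPH"]["nodes"] = _node
        data["XREFS"]["GRAPH"]["links"] = _links
    data["XREFS"]["TEXT"] = _list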
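def analyze(self, data):
    '''
    start analyzing exe logic, add descriptions and get words and wordsstripped from the file

    Args:
        data: shared result dict; reads data["Location"]["File"] and writes
            data["PE"] (a deep copy of self.datastruct, filled in) and
            data["ICONS"]

    Returns:
        None (results are stored in data)
    '''
    data["PE"] = deepcopy(self.datastruct)
    data["ICONS"] = {"ICONS": []}
    pe_info = PE(data["Location"]["File"])
    ep_info = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
    section = self.find_entry_point_function(pe_info, ep_info)
    singinhex = "UnKnown"
    en_section_name = "UnKnown"
    sig_instructions = "UnKnown"
    # best effort: the entry-point signature and its disassembly stay
    # "UnKnown" when the section/data cannot be read
    with ignore_excpetion(Exception):
        sig = section.get_data(ep_info, 52)
        singinhex = bytes(sig).hex()
        r2p = r2open("-", flags=['-2'])
        try:
            r2p.cmd("e anal.timeout = 5")
            # only the first 8 disassembled lines of the signature are kept
            temp_sig_instructions = r2p.cmd(
                "pad {}".format(singinhex)).split("\n")[:8]
            sig_instructions = "\n".join(temp_sig_instructions)
        finally:
            # release the radare2 session; the original never called quit()
            r2p.quit()
    with ignore_excpetion(Exception):
        en_section_name = section.Name.decode("utf-8",
                                              errors="ignore").strip("\00")
    warnings = pe_info.get_warnings()
    data["PE"]["General"] = {
        "PE Type": self.what_type(pe_info),
        "Entrypoint": pe_info.OPTIONAL_HEADER.AddressOfEntryPoint,
        "Entrypoint Section": en_section_name,
        "Header checksum": hex(pe_info.OPTIONAL_HEADER.CheckSum),
        "Verify checksum": hex(pe_info.generate_checksum()),
        "Match checksum": pe_info.verify_checksum(),
        "Sig": singinhex,
        "imphash": pe_info.get_imphash(),
        "warning": warnings if len(warnings) > 0 else "None",
        # NOTE(review): fromtimestamp() renders in the host's local timezone,
        # so this value differs between analysis hosts — confirm this is intended
        "Timestamp": datetime.fromtimestamp(
            pe_info.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S')
    }
    data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
    data["PE"]["Singed"], data["PE"][
        "SignatureExtracted"] = self.check_if_singed(pe_info)
    data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
    data["PE"]["Sections"] = self.get_sections(pe_info)
    data["PE"]["Dlls"] = self.get_dlls(pe_info)
    data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"][
        "ICONS"] = self.get_recourse(pe_info)
    data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
    data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
    data["PE"]["Entrypoint"] = sig_instructions
    add_description("WinApis", data["PE"]["Imported functions"], "Function")
    add_description("ManHelp", data["PE"]["Imported functions"], "Function")
    add_description("WinDlls", data["PE"]["Dlls"], "Dll")
    add_description("WinSections", data["PE"]["Sections"], "Section")
    add_description("WinResources", data["PE"]["Resources"], "Resource")
    get_words(data, data["Location"]["File"])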