def amdh():
arguments = args_parse()
if arguments.adb_path:
adb_path = arguments.adb_path
dump_apks = False
apks_dump_folder = ""
if arguments.apks_dump_folder:
dump_apks = True
apks_dump_folder = arguments.apks_dump_folder
adb_instance = ADB(adb_path)
device_id = device_choice(adb_instance)
adb_instance = ADB(adb_path, device_id)
settings_check = None
packages = []
if arguments.app_type:
packages = adb_instance.list_installed_packages(arguments.app_type)
report_apps = {}
for package in packages:
dumpsys_out = adb_instance.dumpsys(["package", package])
perm_list = adb_instance.get_req_perms_dumpsys_package(dumpsys_out)
app = App(adb_instance, package, dump_apks, apks_dump_folder,
perm_list)
perms, dangerous_perms = app.check_apps()
print("")
if dangerous_perms.items():
print_warning_header("Package " + package +
" have some dangerous permissions: ")
for perm, desc in dangerous_perms.items():
print_warning("\t " + perm + " : ")
print_warning("\t\t" + desc)
report_apps[package] = {
"permissions": perms,
"dangerous_perms": dangerous_perms
}
print("")
print(
"************************************************************************"
)
else:
print_info("Package " + package + " have no dangerous permissions")
print("")
print(
"************************************************************************"
)
if arguments.H:
settings_check = Settings(settings_file, adb_instance, True)
else:
settings_check = Settings(settings_file, adb_instance)
settings_check.check()
def __init__(self, device=None):
self.logger = logging.getLogger(self.__class__.__name__)
if device is None:
from .DeviceHelper import get_available_devices
all_devices = get_available_devices()
if len(all_devices) == 0:
self.logger.warning("ERROR: No device connected.")
sys.exit(-1)
device = all_devices[0]
if "emulator" in device:
self.is_emulator = True
else:
self.is_emulator = False
self.device = device
self.grant_perm = False ## Grant all permissions while installing. Useful for Android 6.0+
# basic device information
self.display_info = None
self.sdk_version = None
self.release_version = None
self.ro_debuggable = None
self.ro_secure = None
self.connected = True
# adapters
self.adb = ADB(device=self)
self.adapters = {
self.adb: True,
# self.telnet: False,
}
def test_get_devices(self):
adb = ADB()
adb.set_adb_path()
adb.start_server()
err, devices = adb.get_devices()
print(str(err))
if len(devices) > 0:
print(str(devices))
def __init__(self, adb_path):
self.adb_path = adb_path
self.adb = None
self.devices = []
self.adb = ADB(adb_path)
if NEED_RESTART_ADB:
self.restart_adb()
def test_get_pid_on_device(self):
adb = ADB()
adb.enable_debug()
adb.set_adb_path()
adb.set_target_device()
pid = utils.get_pid_on_device(adb, 'com.android.commands.monkey')
utils.kill_proc_on_device(adb, pid)
print(pid)
def test_install(self):
adb = ADB()
adb.set_adb_path()
_, ds = adb.get_devices()
device_id = ds[0]
adb.set_target_device(device_id)
adb.enable_debug()
output = adb.install(reinstall=True, pkgapp='ctssetup.apk')
print("output: " + str(output))
def __init__(self, p2adb, logtype="logcat", pollrate=0.5):
self.adb = ADB(p2adb)
self.logtype = logtype
self.pollrate = pollrate
self._event_list = []
self._isRunning = False
self.logcat_monitor_tread = None
self.cacheMutex = Lock()
self.cacheLineNum = 0
def install_app_and_install_frida(app_path):
app = APK(app_path)
package_name = app.get_package()
logger.info("Start ADB")
adb = ADB()
logger.info("Install APP")
adb.install_app(app_path)
logger.info("Frida Initialize")
push_and_start_frida_server(adb)
return package_name
def adb_init():
adb = ADB()
adb.set_adb_path(parameter.variables.executable_path)
adb.DEFAULT_TCP_PORT = parameter.variables.default_tcp_port
adb.DEFAULT_TCP_HOST = parameter.variables.wireless_address
if not adb.get_version():
raise ConnectionError("Unable to communicate with adb daemon!")
return adb
def ping():
trytime = 30
success = 0
adb = ADB()
cmd = "ping -c 4 {0} | grep -q 'ttl=' && echo '{0} ok' || echo '{0} failed'".format(
'61.135.169.125')
print(cmd)
for i in range(trytime):
result = adb.shell(cmd)
if 'ok' in result[1]: success += 1
print(result)
return success
def catchSysLog():
powerUsbController.OPEN_MAIN_POWER()
powerUsbController.OPEN_KL15()
powerUsbController.USB_ON()
time.sleep(20)
logging.info("swith to Diagnostics Mode")
openADB(TBOX_IP, TBOX_DIAG_KEY)
time.sleep(20)
adb = ADB()
logPath = os.path.join(
LOG_DIR,
time.strftime('sysLog-%m-%d-%H_%M_%S', time.localtime(time.time())))
adb.pull('/logfs', logPath, TBOX_ADB_SN)
def run(self):
adb1 = ADB()
sender = Sender()
while True:
if "{}" not in str(adb1.get_devices()):
pass
else:
try:
sender.send("android-remove", json.loads("{}"))
print "Android remove event was sent"
except Exception as e:
print e
return
time.sleep(self.interval)
def create_adb_and_start_frida(package_name):
"""
Parameters
----------
package_name
Returns
-------
"""
logger.info(f"App Already Installed, start to monitoring ${package_name}")
adb = ADB()
logger.info("Frida Initialize")
push_and_start_frida_server(adb)
return package_name
def create_adb_and_start_frida(package_name, is_google_emulator: bool = False):
"""
Parameters
----------
package_name
Returns
-------
"""
logger.warning(
f"[*] App Already Installed, start to monitoring ${package_name}")
adb = ADB()
logger.info("[*] Frida Initialization")
if not is_google_emulator:
push_and_start_frida_server(adb)
else:
push_and_start_frida_server_google_emulator(adb)
return package_name
def install_app_and_install_frida(app_path):
"""
Install app and Frida script
Parameters
----------
app_path
Returns
-------
"""
app = APK(app_path)
package_name = app.get_package()
logger.info("Start ADB")
adb = ADB()
logger.info("Install APP")
adb.install_app(app_path)
logger.info("Frida Initialize")
push_and_start_frida_server(adb)
return package_name
def loopInit():
powerUsbController.OPEN_MAIN_POWER()
powerUsbController.OPEN_KL15()
powerUsbController.USB_ON()
time.sleep(20)
logging.info("swith to Diagnostics Mode")
openADB(TBOX_IP, TBOX_DIAG_KEY)
time.sleep(20)
powerUsbController.SHUTDOWN_KL15()
time.sleep(2)
adb = ADB()
#adb.stopAdb()
#adb.startAdb()
logging.info(
"adb shell zte_topsw_mcutest 29 02000600060002000200020004000000")
ret = adb.shell("zte_topsw_mcutest 29 02000600060002000200020004000000",
TBOX_ADB_SN)
if (0 != ret[0]):
raise Exception("send adb shell zte_topsw_mcutest failed! " + ret[2])
logging.info(ret[1])
time.sleep(1)
def install_app_and_install_frida(app_path, is_google_emulator: bool = False):
"""
Install app and Frida script
Parameters
----------
app_path
Returns
-------
"""
app = APK(app_path)
package_name = app.get_package()
logger.info("[*] Start ADB")
adb = ADB()
logger.info(f"[*] Install App {package_name}")
adb.install_app(app_path)
logger.info("[*] Frida Initialization")
if not is_google_emulator:
push_and_start_frida_server(adb)
else:
push_and_start_frida_server_google_emulator(adb)
return package_name
def __init__(self):
self.ADB = ADB(device_Name=os.environ.get('DEVICE_NAME'),
screen_Size=(560, 960))
self.package = os.environ.get('PACKAGE_NAME')
self.activity = os.environ.get('ACTIVITY_NAME')
EMULATOR_PATH = "/home/udev/android-sdk-linux/tools/"
NUM_EMULATORS = 1
API_LEVEL = "android-15"
SDCARD = True
ADB_PATH = "/home/udev/android-sdk-linux/platform-tools/"
FUZZ_SAMPLE_DIR = "/home/udev/android-sdk-linux/platform-tools/fuzz/corpus/FIXME/"
CRASH_DIR = "/home/udev/android-sdk-linux/platform-tools/fuzz/crashes/"
MIMETYPE = "audio/mid"
MAX_ITERATION = 4096
#bit_flip window_replace
PRIMITIVES = ["window_replace"]
emu = Emulator(EMULATOR_PATH)
adb = ADB(ADB_PATH)
class FuzzThread(threading.Thread):
def __init__(self, device, queue):
threading.Thread.__init__(self)
self.device = device
self.queue = queue
self.fuzz_file = None
self.mutation_method = None
self.fuzz_data = None
self.mutation_stop = 0
self.mutation_start = 0
#restart emulator stuff
#use self.device to get the process and args... kill it delete the emulator and use the args to restart
self.max_iterations = 1000
from adb import ADB
debug = ADB()
print debug.devices()
debug.shell("input keyevent 26")
debug.shell("input keyevent 82")
debug.shell("input swipe 50 50 800 50")
#debug.screenShot("./ss.png")
if len(sys.argv) > 2:
device = sys.argv[1]
imsi = sys.argv[2]
else:
print("ERROR: Device name not found.")
print("Call the script with: ./smarter_fuzzer #DEVICE #IMSI")
print(
"Where #DEVICE is the name and #IMSI is the IMSI of the mobile device."
)
sys.exit(0)
############################################### SETTINGS #############################################
# Default OpenBTS port
TESTCALL_PORT = 28670
adb = ADB()
date = str(time.strftime("%Y%m%d-%H%M%S"))
location_prefix = "logs/logs_packets/smarter_fuzzer/incomplete/"
log_packets_title = location_prefix + device + "_log_" + date + ".txt"
# Turn on/off prints
verbose = True
# Turn on/off adb logs
adb_logging = False
# Creat socket
tcsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tcsock.settimeout(2)
from adb import ADB
from model.task_anotations import *
from model.task_model import TaskInfo, Author
GITHUB_REPO_URL = "https://github.com/ilihydrogen/Python-ADB-Utils"
created_by = "iiihydrogen"
version = "1.0"
adbx = ADB()
@entry
def run_app(adb, cfg):
adbx = adb
pass
@module_summary
def summary():
return TaskInfo("test", Author(nickname=created_by), version,
GITHUB_REPO_URL)
def start_analysis(list_apps: list, timeout_privacy: int, max_actions: int, type: str, emulator_name: str):
logger.info("Start Analysis of {} apps".format(len(list_apps)))
start = time.time()
stats = Statistic(type)
if type == "random":
type = start_appium_node(type)
logger.info("Upload model p3 detector")
# upload model
pdetector = PredictionModel()
logger.info("P3detector model uploaded")
# start analysis
count = 0
tentative = 0
num_log = len(glob.glob(os.path.join(os.getcwd(), "logs", "log_analysis_*")))
log_analysis_file = os.path.join(os.getcwd(), "logs", "log_analysis_{}.json".format(num_log + 1))
log_permission_file = os.path.join(os.getcwd(), "logs", "permissions_stats_{}.json".format(num_log + 1))
log_trackers_file = os.path.join(os.getcwd(), "logs", "tracker_stats_{}.json".format(num_log + 1))
while count < len(list_apps):
app = list_apps[count]
dict_analysis_app = {}
md5_app = md5(app)
dir_result = os.path.join(os.getcwd(), "logs", md5_app)
if not os.path.exists(dir_result):
os.makedirs(dir_result)
try:
dict_analysis_app["md5"] = md5_app
apk_object = APK(app)
dict_analysis_app["package_name"] = apk_object.get_package()
if not check_app_already_analyzed_md5(md5_app) or tentative > 0:
logger.info("3PDroid start Analysis {}".format(app))
write_package_name_and_md5(apk_object.get_package(), md5_app,
os.path.join(os.getcwd(), "logs", "package_md5.txt"))
# start emulator
r_start_emulator = requests.get("{}/start/{}".format(LOCAL_URL_EMULATOR, emulator_name))
# if the emulator star ok
if r_start_emulator.status_code == 200:
# get trackers libraries and list permissions
logger.info("Start emulator ok")
logger.info("Get application information")
app_trackers, app_permissions_list, api_to_monitoring_trackers, application, dict_analysis_app = app_analyzer. \
analyze_apk_androguard(app, md5_app, dict_analysis_app)
# get permissions privacy relevant
logger.info("Package name {}".format(application.get_package()))
dict_analysis_app["package_name"] = application.get_package()
logger.info("MD5 {}".format(md5_app))
logger.info("Get permission-api mapping")
permissions_api_mapping = app_analyzer.get_api_related_to_permission_privacy_relevant()
logger.info("Creation list api to be monitored during dynamic analysis")
list_api_to_monitoring = app_analyzer.create_list_api_to_monitoring_from_file(
permissions_api_mapping,
app_permissions_list,
app_trackers)
# if API == 0 --> app is cleaned
if len(list_api_to_monitoring) == 0:
logger.info("Application does not need privacy policy page, "
"close the emulator and "
"pass to the next application")
# write on file
file_name = md5_app
dir_result = os.path.join(os.getcwd(), "logs", file_name)
dict_analysis_app["dynamic_analysis_needed"] = False
with open(os.path.join(dir_result, "{}.json".format(file_name)), "w") as json_file:
json.dump(dict_analysis_app, json_file, indent=4)
count += 1
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
# UPDATE STATS
logger.info("Update stats")
stats.update_stats_permission(app_permissions_list)
stats.update_stats_trackers(app_trackers)
stats.add_app_cleaned()
# STORE INFORMATION
logger.info(stats.stats_trackers)
logger.info(stats.stats_permission)
# write on file
stats.write_on_file(log_analysis_file, count)
stats.write_stats_permissions(log_permission_file)
stats.write_stats_trackers(log_trackers_file)
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
continue
# APP should be analyzed in a dynamic way
logger.info("Number of APIs to monitoring: {}".format(len(list_api_to_monitoring)))
file_name = md5_app
dir_result = os.path.join(os.getcwd(), "logs", file_name)
dict_analysis_app["api_to_monitoring_all"] = len(list_api_to_monitoring)
with open(os.path.join(dir_result, "{}.json".format(file_name)), "w") as json_file:
json.dump(dict_analysis_app, json_file, indent=4)
# disable verify installer and set correct time
time.sleep(5)
logger.info("Set correct time on emulator")
adb = ADB()
adb.kill_server()
adb.connect()
time.sleep(2)
try:
command_settings_verify = ["settings put global verifier_verify_adb_installs 0"]
adb.shell(command_settings_verify)
date_command = ['su 0 date {0}; am broadcast -a android.intent.action.TIME_SET'.
format(time.strftime('%m%d%H%M%Y.%S'))]
adb.shell(date_command)
except Exception as e:
logger.error("Exception as e {}, restart and re-connect to emulator".format(e))
adb.kill_server()
adb.connect()
command_settings_verify = ["settings put global verifier_verify_adb_installs 0"]
adb.shell(command_settings_verify)
date_command = ['su 0 date {0}; am broadcast -a android.intent.action.TIME_SET'.
format(time.strftime('%m%d%H%M%Y.%S'))]
adb.shell(date_command)
dir_hook_file = os.path.join(os.getcwd(), "hook", md5_app)
logger.info("Creation hook dir frida")
if not os.path.exists(dir_hook_file):
os.makedirs(dir_hook_file)
hook_is_created = app_analyzer.create_api_list_frida(list_api_to_monitoring,
os.path.join(dir_hook_file, "frida_api.txt"))
frida_monitoring.push_and_start_frida_server(adb)
frida_monitoring.set_file_log_frida(os.path.join(os.getcwd(), "logs",
md5_app, "monitoring_api_{}.json".format(md5_app)))
frida_monitoring.clean_list_json_api_invoked()
signal.signal(signal.SIGALRM, handler_timeout)
signal.alarm(MAX_TIME_ANALYSIS)
result_app, dict_analysis_app = dynamic_testing_environment.start_analysis(type_analysis=type,
app=app,
max_actions=max_actions,
timeout_privacy=timeout_privacy,
pdetector=pdetector,
md5_app=md5_app,
frida_monitoring=frida_monitoring,
dict_analysis_app=dict_analysis_app)
# END DYNAMIC ANALYSIS NOW STORE DATA
result_directory = os.path.join(os.getcwd(), "logs", md5_app)
if not os.path.exists(result_directory):
os.makedirs(result_directory)
logger.info("Analysis api invoked during dynamic analysis")
# Get API Invoked
list_json_api_invoked = frida_monitoring.get_list_api_invoked()
# set_list_json_api_invoked = list(set(list_json_api_invoked))
logger.info("Api invoked during dynamic analysis {}".format(len(list_json_api_invoked)))
# store on json file the api invoked
if len(list_json_api_invoked) > 0:
file_log_frida = frida_monitoring.get_file_log_frida()
with open(file_log_frida, "w") as outfile_api:
json.dump(list_json_api_invoked, outfile_api, indent=4)
# Action not needed
# DETECT IF THE APP IS COMPLIANT OR NOT WITH GOOGLE PLAY STORE
app_is_compliant = result_app.detected and not (result_app.back_button_change_page or
result_app.home_button_change_page or
len(list_json_api_invoked) > 0
)
dict_analysis_app["api_invoked_during_dynamic_analysis"] = len(list_json_api_invoked)
if app_is_compliant:
stats.add_app_compliant()
else:
stats.add_app_not_compliant()
dict_analysis_app["app_is_compliant_with_google_play_store"] = app_is_compliant
dict_analysis_app["app_analyzed"] = True
dict_analysis_app["num_tentative"] = tentative + 1
write_json_file_log(md5_app, dict_analysis_app)
stats.add_api_privacy_relevant_invoked(len(list_json_api_invoked))
# r_reset_emulator = requests.get("{}/reset/{}".format(LOCAL_URL_EMULATOR, emulator_name))
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
# UPDATE stats analysis
logger.info("Update stats")
stats.list_max_actions.append(result_app.max_actions)
stats.update_value_dynamic_analysis(result_app)
stats.update_stats_permission(app_permissions_list)
stats.update_stats_trackers(app_trackers)
# debug
logger.info(stats.stats_trackers)
logger.info(stats.stats_permission)
# write on file
count += 1
tentative = 0
stats.write_on_file(log_analysis_file, count)
stats.write_stats_permissions(log_permission_file)
stats.write_stats_trackers(log_trackers_file)
logger.info("End update stats")
logger.info("3PDroid end analysis")
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
else:
tentative += 1
if tentative < MAX_TENTATIVE:
logger.error("Unable to start emulator, try again this app")
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
else:
tentative = 0
count += 1
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
stats.add_app_not_analyzed()
dict_analysis_app["app_analyzed"] = False
write_json_file_log(md5_app, dict_analysis_app)
logger.error("Unable to start emulator, pass to next app")
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
else:
logger.info("App already analyzed, pass to next app")
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
count += 1
except MyTimeoutExcpetion as e:
tentative += 1
if tentative < MAX_TENTATIVE:
logger.error("Exception stop emulator, Exception: {}".format(e))
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
else:
tentative = 0
count += 1
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
stats.add_app_not_analyzed()
logger.error("Exception stop emulator pass to next apps, Exception: {}".format(e))
dict_analysis_app["app_analyzed"] = False
write_json_file_log(md5_app, dict_analysis_app)
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
except Exception as e:
tentative += 1
if tentative < MAX_TENTATIVE:
logger.error("Exception stop emulator, Exception: {}".format(e))
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
else:
tentative = 0
count += 1
r_stop_emulator = requests.get("{}/stop/{}".format(LOCAL_URL_EMULATOR, emulator_name))
stats.add_app_not_analyzed()
logger.error("Exception stop emulator pass to next apps, Exception: {}".format(e))
dict_analysis_app["app_analyzed"] = False
write_json_file_log(md5_app, dict_analysis_app)
str_end_file = "*" * 20
logger.info("{}\n\n".format(str_end_file))
shutil.move(app, os.path.join(os.getcwd(), "apps_analyzed"))
end = time.time()
logger.info("\n\n")
logger.info("Execution time: {}, mean: {}".format(end - start, (end - start) / count))
def shell_adb(cmd, adb=ADB()):
v("execute shell command: %s" % cmd)
remote = adb.shell_command(cmd)
return remote[0] if remote and len(remote) > 0 else -1
def connect_adb(wireless_address, adb=ADB()):
v("Trying to connect to %s " % wireless_address)
remote = adb.connect_remote(wireless_address)
return remote[0] if remote and len(remote) > 0 else -1
def __init__(self):
#self.ADB = ADB(device_Name='127.0.0.1:62001',screen_Size=(720,1280)) #夜神
self.ADB = ADB(device_Name='emulator-5554', screen_Size=(560, 960))
