├── .github
    └── workflows
    │   └── test_droidlysis.yml
├── Dockerfile
├── LICENSE
├── MANIFEST.in
├── README.md
├── conf
    ├── __init__.py
    ├── arm.conf
    ├── exodustrack.py
    ├── general.conf
    ├── kit.conf
    ├── manifest.conf
    ├── smali.conf
    ├── sortconf.py
    └── wide.conf
├── dev.md
├── docker-compose.yml
├── droidconfig.py
├── droidcountry.py
├── droidlysis
├── droidlysis3.py
├── droidproperties.py
├── droidreport.py
├── droidsample.py
├── droidsql.py
├── droidurl.py
├── droidutil.py
├── droidziprar.py
├── external
    ├── License.txt
    ├── README.md
    └── procyon-decompiler-0.5.30.jar
├── images
    └── example.png
├── requirements.txt
├── script
    └── DroidlysisSearch.py
├── setup.py
└── test
    ├── __init__.py
    ├── apk
        └── ph0wn-musicalear.apk
    ├── test.md
    ├── test_droidconfig.py
    └── test_droidlysis3.py


/.github/workflows/test_droidlysis.yml:
--------------------------------------------------------------------------------
 1 | name: Test Droidlysis Help works
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - master
 7 |   pull_request:
 8 |     branches:
 9 |       - master
10 | 
11 | jobs:
12 |   test:
13 |     runs-on: ubuntu-latest
14 | 
15 |     steps:
16 |     - name: Checkout repository
17 |       uses: actions/checkout@v3
18 | 
19 |     - name: Set up Python 3.x
20 |       uses: actions/setup-python@v3
21 |       with:
22 |         python-version: '3.x'
23 | 
24 |     - name: Install dependencies
25 |       run: |
26 |         python -m pip install --upgrade pip
27 |         pip install -r requirements.txt
28 | 
29 |     - name: Run Droidlysis command
30 |       run: |
31 |         ./droidlysis --help
32 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | ARG PYTHON_VERSION=3.9.4-buster
 2 | FROM python:${PYTHON_VERSION} as build
 3 | 
 4 | MAINTAINER Axelle Apvrille
 5 | ENV REFRESHED_AT 2025-03-24
 6 | ENV APKTOOL_VERSION "2.11.1"
 7 | ENV SMALI_VERSION "2.5.2"
 8 | 
 9 | WORKDIR /opt
10 | 
11 | RUN apt-get update && apt-get install -yqq default-jre libxml2-dev libxslt-dev libmagic-dev git wget cmake
12 | RUN pip3 install -U pip wheel
13 | RUN mkdir -p /share
14 | 
15 | # Install Apktool ----------------------------------------------
16 | RUN cd /opt && wget -q "https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_${APKTOOL_VERSION}.jar"
17 | 
18 | # Install Smali / Baksmali -------------------------
19 | RUN wget -q "https://bitbucket.org/JesusFreke/smali/downloads/baksmali-${SMALI_VERSION}.jar"
20 | 
21 | # Install Dex2jar -------------------------------------
22 | RUN wget -O dex2jar.zip -q https://github.com/pxb1988/dex2jar/releases/download/v2.4/dex-tools-v2.4.zip && unzip dex2jar.zip -d /opt && rm -f dex2jar.zip
23 | 
24 | # Install DroidLysis ----------------------------------
25 | RUN git clone https://github.com/cryptax/droidlysis
26 | ENV PATH $PATH:/root/.local/bin
27 | ENV PYTHONPATH $PYTHONPATH:/opt/droidlysis
28 | RUN cd /opt/droidlysis && pip3 install --user -r requirements.txt
29 | RUN chmod u+x /opt/droidlysis/droidlysis
30 | 
31 | # Configure ---------------------------------------------
32 | RUN sed -i 's#~/softs#/opt#g' /opt/droidlysis/conf/general.conf
33 | 
34 | CMD [ "/bin/bash" ]
35 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
1 | include conf/*.conf
2 | include conf/__init__.py
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # DroidLysis
  2 | 
  3 | DroidLysis is a **pre-analysis tool for Android apps**: it performs repetitive and boring tasks we'd typically do at the beginning of any reverse engineering. It disassembles the Android sample, organizes output in directories, and searches for suspicious spots in the code to look at.
  4 | The output helps the reverse engineer speed up the first few steps of analysis.
  5 | 
  6 | DroidLysis can be used over Android packages (apk), Dalvik executables (dex), Zip files (zip), Rar files (rar) or directories of files.
  7 | 
  8 | <img src="https://img.shields.io/badge/PyPi%20-3.4.7-blue">
  9 | 
 10 | ## Installing DroidLysis
 11 | 
 12 | 1. Install required system packages
 13 | 
 14 | ```
 15 | sudo apt-get install default-jre git python3 python3-pip unzip wget libmagic-dev libxml2-dev libxslt-dev
 16 | ```
 17 | 
 18 | 
 19 | 2. Install Android disassembly tools
 20 | 
 21 | - [Apktool](https://ibotpeaches.github.io/Apktool/) , 
 22 | - [Baksmali](https://bitbucket.org/JesusFreke/smali/downloads), and optionally 
 23 | - [Dex2jar](https://github.com/pxb1988/dex2jar) and 
 24 | 
 25 | ```
 26 | $ mkdir -p ~/softs
 27 | $ cd ~/softs
 28 | $ wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar
 29 | $ wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.5.2.jar
 30 | $ wget https://github.com/pxb1988/dex2jar/releases/download/v2.4/dex-tools-v2.4.zip
 31 | $ unzip dex-tools-v2.4.zip 
 32 | $ rm -f dex-tools-v2.4.zip 
 33 | ```
 34 | 
 35 | 3. Get DroidLysis from the Git repository (preferred) or from pip
 36 | 
 37 | Install from Git in a Python virtual environment (`python3 -m venv`, or pyenv virtual environments etc).
 38 | 
 39 | ```
 40 | $ python3 -m venv venv
 41 | $ source ./venv/bin/activate
 42 | (venv) $ pip3 install git+https://github.com/cryptax/droidlysis
 43 | ```
 44 | 
 45 | Alternatively, you can install DroidLysis directly from PyPi (`pip3 install droidlysis`).
 46 | 
 47 | 4. Configure `conf/general.conf`. In particular make sure to change `/home/axelle` with your appropriate directories.
 48 | 
 49 | ```
 50 | [tools]
 51 | apktool = /home/axelle/softs/apktool_2.9.3.jar
 52 | baksmali = /home/axelle/softs/baksmali-2.5.2.jar
 53 | dex2jar = /home/axelle/softs/dex-tools-v2.4/d2j-dex2jar.sh
 54 | keytool = /usr/bin/keytool
 55 | ...
 56 | ```
 57 | 
 58 | 5. Run it:
 59 | 
 60 | ```
 61 | python3 ./droidlysis3.py --help
 62 | ```
 63 | 
 64 | 
 65 | ## Configuration
 66 | 
 67 | The configuration file is `./conf/general.conf` (you can switch to another file with the `--config` option).
 68 | This is where you configure the location of various external tools (e.g. Apktool), the name of pattern files 
 69 | (by default `./conf/smali.conf`, `./conf/wide.conf`, `./conf/arm.conf`, `./conf/kit.conf`) and the name of
 70 | the database file (only used if you specify `--enable-sql`)
 71 | 
 72 | Be sure to specify the correct paths for disassembly tools, or DroidLysis won't find them.
 73 | 
 74 | 
 75 | ## Usage
 76 | 
 77 | DroidLysis uses **Python 3**. To launch it and get options:
 78 | 
 79 | ```
 80 | droidlysis --help
 81 | ```
 82 | 
 83 | For example, test it on [Signal's APK](https://signal.org/android/apk/):
 84 | 
 85 | ```
 86 | droidlysis --input Signal-website-universal-release-6.26.3.apk --output /tmp --config /PATH/TO/DROIDLYSIS/conf/general.conf
 87 | ```
 88 | 
 89 | ![](./images/example.png)
 90 | 
 91 | DroidLysis outputs:
 92 | 
 93 | - A summary on the console (see image above)
 94 | - The unzipped, pre-processed sample in a subdirectory of your output dir. The subdirectory is named using the sample's filename and sha256 sum. For example, if we analyze the Signal application and set `--output /tmp`, the analysis will be written to `/tmp/Signalwebsiteuniversalrelease4.52.4.apk-f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290`.
 95 | - A database (by default, SQLite `droidlysis.db`) containing properties it noticed.
 96 | 
 97 | ## Options
 98 | 
 99 | Get usage with `droidlysis --help`
100 | 
101 | - The input can be a file or a directory of files to recursively look into. DroidLysis knows how to process Android packages, DEX, ODEX and ARM executables, ZIP, RAR. DroidLysis won't fail on other type of files (unless there is a bug...) but won't be able to understand the content.
102 | 
103 | - When processing directories of files, it is typically quite helpful to move processed samples to another location to know what has been processed. This is handled by option `--movein`.  Also, if you are only interested in statistics, you should probably clear the output directory which contains detailed information for each sample: this is option `--clearoutput`. If you want to store all statistics in a SQL database, use `--enable-sql` (see [here](#sqlite_database))
104 | 
105 | - DroidLysis's analysis does not inspect known 3rd party SDK by default, i.e. for instance it won't report any suspicious activity from these. If you want them to be inspected, use option `--no-kit-exception`. This usually creates many more detected properties for the sample, as SDKs (e.g. advertisment) use lots of flagged APIs (get GPS location, get IMEI, get IMSI, HTTP POST...).
106 | 
107 | ## Sample output directory (`--output DIR`)
108 | 
109 | This directory contains (when applicable):
110 | 
111 | - A readable `AndroidManifest.xml`
112 | - Readable resources in `res`
113 | - Libraries `lib`, assets `assets`
114 | - Disassembled Smali code: `smali` (and others)
115 | - Package meta information: `META-INF`
116 | - Package contents when simply unzipped in `./unzipped`
117 | - DEX executable `classes.dex` (and others), and converted to jar: `classes-dex2jar.jar`, and unjarred in `./unjarred`
118 | 
119 | The following files are generated by DroidLysis:
120 | 
121 | - `autoanalysis.md`: lists each pattern DroidLysis detected and where.
122 | - `report.md`: same as what was printed on the console
123 | 
124 | If you do not need the sample output directory to be generated, use the option `--clearoutput`.
125 | 
126 | ## Import trackers from Exodus etc (`--import-exodus`)
127 | 
128 | ```
129 | $ python3 ./droidlysis3.py --import-exodus --verbose
130 | Processing file: ./droidurl.pyc ...
131 | DEBUG:droidconfig.py:Reading configuration file: './conf/./smali.conf'
132 | DEBUG:droidconfig.py:Reading configuration file: './conf/./wide.conf'
133 | DEBUG:droidconfig.py:Reading configuration file: './conf/./arm.conf'
134 | DEBUG:droidconfig.py:Reading configuration file: '/home/axelle/.cache/droidlysis/./kit.conf'
135 | DEBUG:droidproperties.py:Importing ETIP Exodus trackers from https://etip.exodus-privacy.eu.org/api/trackers/?format=json
136 | DEBUG:connectionpool.py:Starting new HTTPS connection (1): etip.exodus-privacy.eu.org:443
137 | DEBUG:connectionpool.py:https://etip.exodus-privacy.eu.org:443 "GET /api/trackers/?format=json HTTP/1.1" 200 None
138 | DEBUG:droidproperties.py:Appending imported trackers to /home/axelle/.cache/droidlysis/./kit.conf
139 | ```
140 | 
141 | Trackers from Exodus which are not present in your initial `kit.conf` are appended to `~/.cache/droidlysis/kit.conf`. Diff the 2 files and check what trackers you wish to add.
142 | 
143 | 
144 | ## SQLite database{#sqlite_database}
145 | 
146 | If you want to process a directory of samples, you'll probably like to store the properties DroidLysis found in a database, to easily parse and query the findings. In that case, use the option `--enable-sql`. This will automatically dump all results in a database named `droidlysis.db`, in a table named `samples`. Each entry in the table is relative to a given sample. Each column is properties DroidLysis tracks.
147 | 
148 | For example, to retrieve all filename, SHA256 sum and smali properties of the database:
149 | 
150 | ```
151 | sqlite> select sha256, sanitized_basename, smali_properties from samples;
152 | f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290|Signalwebsiteuniversalrelease4.52.4.apk|{"send_sms": true, "receive_sms": true, "abort_broadcast": true, "call": false, "email": false, "answer_call": false, "end_call": true, "phone_number": false, "intent_chooser": true, "get_accounts": true, "contacts": false, "get_imei": true, "get_external_storage_stage": false, "get_imsi": false, "get_network_operator": false, "get_active_network_info": false, "get_line_number": true, "get_sim_country_iso": true,
153 | ...
154 | ```
155 | 
156 | ## Property patterns
157 | 
158 | What DroidLysis detects can be configured and extended in the files of the `./conf` directory.
159 | 
160 | A pattern consist of:
161 | 
162 | - a **tag** name: example `send_sms`. This is to name the property. Must be unique across the `.conf` file.
163 | - a **pattern**: this is a regexp to be matched. Ex: `;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage`. In the `smali.conf` file, this regexp is match on Smali code. In this particular case, there are 3 different ways to send SMS messages from the code: sendTextMessage, sendMultipartTextMessage and sendDataMessage.
164 | - a **description** (optional): explains the importance of the property and what it means.
165 | 
166 | ```
167 | [send_sms]
168 | pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
169 | description=Sending SMS messages
170 | ```
171 | 
172 | 
173 | ## Importing Exodus Privacy Trackers
174 | 
175 | Exodus Privacy maintains a list of various SDKs which are interesting to rule out in our analysis via `conf/kit.conf`.
176 | Add option `--import_exodus` to the droidlysis command line: this will parse existing trackers Exodus Privacy knows and which aren't yet in your `kit.conf`. Finally, it will **append** all new trackers to `~/.cache/droidlysis/kit.conf`.
177 | 
178 | Afterwards, you may want to sort your `kit.conf` file:
179 | 
180 | ```python
181 | import configparser
182 | import collections
183 | import os
184 | 
185 | config = configparser.ConfigParser({}, collections.OrderedDict)
186 | config.read(os.path.expanduser('~/.cache/droidlysis/kit.conf'))
187 | # Order all sections alphabetically
188 | config._sections = collections.OrderedDict(sorted(config._sections.items(), key=lambda t: t[0] ))
189 | with open('sorted.conf','w') as f:
190 |     config.write(f)
191 | ```    
192 | 
193 | ## JEB script for smali properties
194 | 
195 | This script helps you search for methods on JEB UI that contain code that matches the smali pattern and easily navigates to those functions. When you load the script and select `details.md` file among the droidlysis analysis files, a search box will appear. Once moved, you can easily bring up the search windows again by using recent script execution shortcut.
196 | 
197 | - JEB > File > Scripts > Script selector > `script/DroidlysisSearch.py`
198 | - JEB > File > Scripts > Run last Script
199 | 
200 | ## Updates
201 | 
202 | - v3.4.7 - Removed Procyon, integrated several PR #24 and #25, added more detailed accessibility abuse detection
203 | - v3.4.6 - Detecting manifest feature that automatically loads APK at install
204 | - v3.4.5 - Creating a writable user kit.conf file
205 | - v3.4.4 - Bug fix #14
206 | - v3.4.3 - Using configuration files
207 | - v3.4.2 - Adding import of Exodus Privacy Trackers
208 | - v3.4.1 - Removed dependency to Androguard
209 | - v3.4.0 - Multidex support
210 | - v3.3.1 - Improving detection of Base64 strings
211 | - v3.3.0 - Dumping data to JSON
212 | - v3.2.1 - IP address detection
213 | - v3.2.0 - Dex2jar is optional
214 | - v3.1.0 - Detection of Base64 strings
215 | 
216 | 
217 | 


--------------------------------------------------------------------------------
/conf/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptax/droidlysis/ce37151642c53791fb267190bbe29668ede06346/conf/__init__.py


--------------------------------------------------------------------------------
/conf/arm.conf:
--------------------------------------------------------------------------------
 1 | [ch***]
 2 | pattern=chmod|chown|chgrp|chcon|chattr
 3 | 
 4 | [exec]
 5 | pattern=\w*(?<!dalvik.)system|exec[a-z][a-z]|fork
 6 | description=Tries to execute a process
 7 | 
 8 | [shell]
 9 | pattern=/system/bin/sh
10 | 
11 | [mounts]
12 | pattern=/proc/mounts|mount
13 | description=Mounting or list mounts - used in several exploits
14 | 
15 | [geteuid]
16 | pattern=geteuid
17 | 
18 | [adb]
19 | pattern=sbin/adb
20 | 
21 | [anti-frida]
22 | pattern=gum-js-loop|frida-helper|frida-server|frida-agent|re.frida.server|linjector|gdbus|frida-gadget|pool-frida|frida-main-loop|frida_agent_main|pool-spawner|DetectFrida
23 | description=Anti runtime analysis - Detect frida framework
24 | 
25 | [pm_install]
26 | pattern=pm install
27 | 
28 | [pm_list]
29 | pattern=pm list
30 | 
31 | [am_broadcast]
32 | pattern=am broadcast
33 | 
34 | [am_start]
35 | pattern=am start
36 | 
37 | [kill]
38 | pattern=kill
39 | 
40 | [ptrace]
41 | pattern=ptrace
42 | 
43 | [proc_version]
44 | pattern=/proc/version
45 | description=Gets description of device
46 | 
47 | [possible_exploit]
48 | pattern=root exploit|rootshell|spray|privileges escalated|/proc/kallsyms|0wned
49 | 
50 | [ragecage]
51 | pattern=CVE-2010-EASY
52 | description=Exploit CVE-2010-EASY rage against the cage spotted
53 | 
54 | [exploid]
55 | pattern=exploid|shakalaca
56 | description=Exploit CVE-2009-1185 spotted
57 | 
58 | [zerg]
59 | pattern=Zerg rush|zerglings|speedlings
60 | description=Exploit CVE-2011-3874 (zergRush) spotted
61 | 
62 | [levitator]
63 | pattern=clobbering kmem with poisoned pointers
64 | description=Exploit CVE-2011-1350 (levitator) spotted
65 | 
66 | [mempodroid]
67 | pattern=Mempodipper|Calculating su padding|Opening parent mem
68 | description=Exploit CVE-2012-0025 (mempodroid) spotted
69 | 
70 | [towelroot]
71 | pattern=towelroot|rootTheShit
72 | 
73 | [supersu]
74 | pattern=/system/xbin/daemonsu|/system/xbin/sugote
75 | 
76 | [dalvikvm]
77 | pattern=dalvikvm
78 | description=Possible way to loads Zips containing DEXs
79 | 
80 | [dexclassloader]
81 | pattern=DexClassLoader
82 | description=Using DexClassLoader through a native library
83 | 
84 | [loadclass]
85 | pattern=loadClass
86 | description=Using loadClass through native library
87 | 
88 | [url_in_exec]
89 | pattern=http://[^ "]*
90 | description=URL in executable
91 | 
92 | [mtk_su]
93 | description=MTK-SU CVE-2020-0069 root on MediaTek
94 | pattern=Temporary root by diplomatic@XDA|amazing-temp-root-mediatek-armv8
95 | 
96 | 


--------------------------------------------------------------------------------
/conf/exodustrack.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | """
 4 | __author__ = "Axelle Apvrille"
 5 | __license__ = "MIT License"
 6 | """
 7 | 
 8 | import argparse
 9 | import requests
10 | import configparser
11 | import json
12 | import re
13 | 
14 | __version__ = '0.1.0'
15 | 
16 | def get_arguments():
17 |     parser =  argparse.ArgumentParser(description="Import missing Exodus Trackers in DroidLysis Kits", prog='exodustrack', epilog='Version '+__version__+' - Greetz from Axelle Apvrille')
18 |     parser.add_argument('-i', '--input', help='DroidLysis kit.conf file', action='store', default='./kit.conf')
19 |     parser.add_argument('-v', '--verbose', help='get more detailed messages', action='store_true')
20 |     args = parser.parse_args()
21 |     return args
22 | 
23 | def get_exodus_trackers(verbose=False):
24 |     r = requests.get('https://etip.exodus-privacy.eu.org/trackers/export',timeout=2)
25 |     assert r.status_code == 200, "Cannot retrieve Exodus Trackers JSON"
26 |     if verbose:
27 |         print("get_exodus_trackers(): status={}".format(r.status_code))
28 |     return r.json()['trackers']
29 | 
30 | def conf2json(kitfile='./conf/kit.conf', verbose=False):
31 |     parser = configparser.RawConfigParser()
32 |     parser.read(kitfile)
33 |     thelist = []
34 |     for section in parser.sections():
35 |         pattern = parser.get(section, 'pattern')
36 |         try:
37 |             description = parser.get(section, 'description')
38 |         except configparser.NoOptionError as e:
39 |             if verbose:
40 |                 print("config2json(): section {} has no description".format(section))
41 |             description = ''
42 |             
43 |         thelist.append( { "section" : section, "pattern" : pattern, "description" : description } )
44 |     return json.loads(json.dumps(thelist))
45 | 
46 | def compare(exodus, droidlysis, verbose=False):
47 |     # we are going to suggestion addition of any tracker in exodus that is not in droidlysis
48 |     for tracker in exodus:
49 |         if tracker['code_signature'] == '':
50 |             if verbose:
51 |                 print("compare(): {} has no code_signature".format(tracker['name']))
52 |         else:
53 |             # convert . to /
54 |             # remove leading and trailing spaces
55 |             # remove trailing /
56 |             # only consider the first pattern when separated by |
57 |             sig = tracker['code_signature'].split('|')[0].replace('.','/').strip().strip('/')
58 |             assert (' ' in sig) == False, "There is a space in sig"
59 |                       
60 |             # search droidlysis patterns
61 |             found = False
62 |             for item in droidlysis:
63 |                 for p in item['pattern'].split('|'):
64 |                     if item['pattern'].startswith(sig) or sig.startswith(p):
65 |                         if verbose:
66 |                             print("compare(): {} (sig={}) found in {} (pattern={})".format(tracker['name'],sig, item['section'], p))
67 |                         found = True
68 |                         break
69 | 
70 |             if not found:
71 |                 # this is what you should consider adding
72 |                 section_name = ''.join(re.findall('[a-z0-9]',tracker['name'].lower()))
73 |                 print("[{}]".format(section_name))
74 |                 print("pattern={}".format(sig))
75 |                 print("")
76 |             
77 | 
78 | def main():
79 |     args = get_arguments()
80 |     exodus = get_exodus_trackers(args.verbose)
81 |     droidlysis = conf2json(args.input, args.verbose)
82 |     compare(exodus, droidlysis, args.verbose)
83 |             
84 | if __name__ == "__main__":
85 |     main()
86 |         
87 | 
88 | 
89 | 


--------------------------------------------------------------------------------
/conf/general.conf:
--------------------------------------------------------------------------------
 1 | [tools]
 2 | apktool = ~/softs/apktool_2.9.3.jar
 3 | baksmali = ~/softs/baksmali-2.5.2.jar
 4 | dex2jar = ~/softs/dex-tools-v2.4/d2j-dex2jar.sh
 5 | keytool = /usr/bin/keytool
 6 | 
 7 | [general]
 8 | db_file = droidlysis.db
 9 | smali_config = ./smali.conf
10 | wide_config = ./wide.conf
11 | arm_config = ./arm.conf
12 | kit_config = ./kit.conf
13 | 


--------------------------------------------------------------------------------
/conf/manifest.conf:
--------------------------------------------------------------------------------
 1 | [permission_gps]
 2 | pattern=ACCESS_COARSE_LOCATION|ACCESS_FINE_LOCATION
 3 | description=Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi
 4 | 
 5 | [permission_send_sms]
 6 | pattern=SEND_SMS|WRITE_SMS
 7 | description=Allows to send SMS messages
 8 | 
 9 | [permission_receive_sms]
10 | pattern=RECEIVE_SMS|RECEIVE_WAP_PUSH|SMS_RECEIVE
11 | description=Allows an application to monitor incoming SMS messages, to record or perform processing on them, or or to process WAP Push messages
12 | 
13 | [permission_call]
14 | pattern=CALL_PHONE|CALL_PRIVILEGED|PROCESS_OUTGOING_CALLS
15 | description=Allows to call or process outgoing calls
16 | 
17 | [permission_contacts]
18 | pattern=READ_CONTACTS
19 | 
20 | [permission_install]
21 | pattern=INSTALL_PACKAGES
22 | 
23 | [permission_wifi]
24 | pattern=CHANGE_WIFI_STATE
25 | 
26 | [permission_access_wifi_state]
27 | pattern=ACCESS_WIFI_STATE
28 | 
29 | [permssion_capture_audio]
30 | pattern=CAPTURE_AUDIO_OUTPUT
31 | 
32 | [permission_accounts]
33 | pattern=GET_ACCOUNTS
34 | 
35 | [permission_logs]
36 | pattern=READ_LOGS
37 | 
38 | [permission_internet]
39 | pattern=INTERNET
40 | 
41 | [permission_bluetooth]
42 | pattern=BLUETOOTH
43 | description=Allows to use Bluetooth
44 | 
45 | [permission_nfc]
46 | pattern=NFC
47 | description=Allows to use NFC
48 | 
49 | [permission_set_time]
50 | pattern=SET_TIME
51 | description=Allows to set time or timezone
52 | 
53 | [vibrate]
54 | pattern=VIBRATE
55 | 
56 | [permission_orientation]
57 | pattern=SET_ORIENTATION
58 | 
59 | [permission_device_admin]
60 | pattern=BIND_DEVICE_ADMIN
61 | 
62 | [permission_wallpaper]
63 | pattern=BIND_WALLPAPER
64 | 
65 | [permission_accessibility]
66 | pattern=BIND_ACCESSIBILITY_SERVICE
67 | 
68 | [permission_history_bookmarks]
69 | pattern=READ_HISTORY_BOOKMARKS
70 | 
71 | [permission_forward_lock]
72 | pattern=INSTALL_FORWARD_LOCK
73 | 
74 | [permission_authenticate_accounts]
75 | pattern=AUTHENTICATE_ACCOUNTS
76 | 
77 | [permission_disable_keyguard]
78 | pattern=DISABLE_KEYGUARD
79 | 
80 | [permission_inject_events]
81 | pattern=INJECT_EVENTS
82 | 
83 | [permission_master_clear]
84 | pattern=MASTER_CLEAR
85 | 
86 | [permission_kill_background_processes]
87 | pattern=KILL_BACKGROUND_PROCESSES
88 | 
89 | [permission_substrate]
90 | pattern=SUBSTRATE
91 | 
92 | [permission_camera]
93 | pattern=CAMERA
94 | 


--------------------------------------------------------------------------------
/conf/smali.conf:
--------------------------------------------------------------------------------
  1 | [abort_broadcast]
  2 | pattern=abortBroadcast
  3 | description=abortBroadcast() is used to remove an incoming SMS from the queue before other receivers (with lower priority) can process them
  4 | 
  5 | [adb]
  6 | pattern=development_settings_enabled|adb_enabled
  7 | description=developer mode,adb detection
  8 | 
  9 | [accessibility_service]
 10 | pattern=onAccessibilityEvent|AccessibilityEvent|android.settings.ACCESSIBILITY_SETTINGS|AccessibilityNodeInfo
 11 | description=Work with accessibility settings (use, or implement a service). Meant to help users with disabilities, but often abused by malicious apps.
 12 | 
 13 | [account_pwd]
 14 | pattern=android/accounts/AccountManager;->getPassword
 15 | description=Tries to get the password of the phone account
 16 | 
 17 | [airplane]
 18 | pattern=android.intent.action.AIRPLANE_MODE
 19 | description=Detects phone airplane mode
 20 | 
 21 | [android_id]
 22 | pattern=const-string v[0-9]*, "android_id"
 23 | description=Retrieves the Android ID
 24 | 
 25 | [andy]
 26 | pattern=fstab.andy|ueventd.andy.rc|/system/bin/andy-prop|/system/etc/init.andy.sh|/system/lib/egl/libEGL_andy.so
 27 | description=Andy emulator detection
 28 | 
 29 | [answer_call]
 30 | pattern=;->answerRingingCall
 31 | description=Answer a ringing call
 32 | 
 33 | [apkprotect]
 34 | pattern=APKProtect
 35 | description=Obfuscation with APKProtect
 36 | 
 37 | [base64]
 38 | pattern=Landroid/util/Base64;->
 39 | description=Uses Base64 encoder/decoder
 40 | 
 41 | [battery]
 42 | pattern=android.intent.action.BATTERY_CHANGED
 43 | description=Gets battery info (e.g. how charged, temperature)
 44 | 
 45 | [bluetooth]
 46 | description=Uses Bluetooth
 47 | pattern=BluetoothGatt|[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*
 48 | 
 49 | [bluestacks]
 50 | pattern=com.bluestacks|/sys/devices/virtual/misc/bst_gps|/sys/devices/virtual/misc/bst_ime|/sys/devices/virtual/misc/bstpgaipc|/sys/devices/platform/hd_power|/mnt/windows/BstSharedFolder|/system/bin/bstfolderd|/system/bin/bstsyncfs|/data/.bluestacks.prop|/system/lib/egl/libGLES_bst.so
 51 | description=Bluestacks emulator detection
 52 | 
 53 | [board]
 54 | pattern=Build;->BOARD
 55 | description=Retrieves hardware board information
 56 | 
 57 | [bookmarks]
 58 | pattern=BOOKMARKS_URI|Landroid/provider/Browser;->getAllBookmarks
 59 | description=Adds or reads bookmarks to the phone browser
 60 | 
 61 | [bootloader]
 62 | pattern=Build;->BOOTLOADER
 63 | description=Retrieves version of bootloader
 64 | 
 65 | [brand]
 66 | pattern=Build;->BRAND
 67 | description=Retrieves phone brand name
 68 | 
 69 | [busybox]
 70 | pattern=busybox
 71 | description=Uses busybox, probably to issue native shell commands or run other processes
 72 | 
 73 | [calendar]
 74 | description=Read calendar events or reminders
 75 | pattern=content://calendar|content://com.android/calendar/
 76 | 
 77 | [call]
 78 | pattern=ACTION_CALL|ACTION_DIAL|android.intent.action.CALL
 79 | description=Can place calls
 80 | 
 81 | [call_log]
 82 | pattern=android/provider/CallLog
 83 | description=Reads the call log
 84 | 
 85 | [camera]
 86 | pattern=Landroid/hardware/Camera;->open
 87 | description=Uses the phone camera
 88 | 
 89 | [check_permission]
 90 | pattern=Landroid/content/pm/PackageManager;->checkPermission|Landroid/content/Context;->checkPermission
 91 | description=Checks for given permissions
 92 | 
 93 | [class_loader]
 94 | pattern=Class;->getClassLoader
 95 | description=Get class loader. Can be used for reflexion or dynamic class loading
 96 | 
 97 | [contacts]
 98 | pattern=android/provider/ContactsContract
 99 | description=Reads or lists phone contacts
100 | 
101 | [cookie_manager]
102 | pattern=android/webkit/CookieManager;->
103 | description=Looks into cookies
104 | 
105 | [cpu_abi]
106 | pattern=Build;->CPU_ABI
107 | description=Retreives CPU ABI
108 | 
109 | [crc32]
110 | pattern=java/util/zip/CRC32;->init
111 | description=Computes CRC32
112 | 
113 | [c2dm]
114 | pattern=intent.REGISTER|intent.UNREGISTER|Lcom/google/android/gcm/GCMRegistrar;->getRegistrationId
115 | description=Registers or unregisters C2DM (Cloud to Device Messaging)
116 | 
117 | [debugger]
118 | pattern=Debug;->isDebuggerConnected
119 | description=Detects connected debugger
120 | 
121 | [device_admin]
122 | pattern=DeviceAdminReceiver|isAdminActive
123 | description=Creates or uses a device administrator app
124 | 
125 | [dex_class_loader]
126 | pattern=DexClassLoader|PathClassLoader|InMemoryDexClassLoader
127 | description=Potentially trying to silently run another DEX executable
128 | 
129 | [dex_file]
130 | pattern=Ldalvik/system/DexFile;->
131 | description=Manipulates DEX files
132 | 
133 | [dhcp_server]
134 | pattern=Landroid/net/DhcpInfo;->serverAddress
135 | description=Queries the address of a DHCP server
136 | 
137 | [dns]
138 | pattern=Landroid/net/DhcpInfo;->dns
139 | description=Queries the address of a DNS server
140 | 
141 | [doze_mode]
142 | pattern=;->isIgnoringBatteryOptimizations|REQUEST_IGNORE_BATTERY_OPTIMIZATIONSREQUEST_IGNORE_BATTERY_OPTIMIZATIONS
143 | description=Ignore battery optimizations (used to avoid running as foreground service)
144 | 
145 | [email]
146 | pattern=EXTRA_EMAIL|EXTRA_SUBJECT|EXTRA_BCC|EXTRA_CC|extra\.SUBJECT|android/net/MailTo
147 | description=Reading/writing or sending an email
148 | 
149 | [emulator]
150 | pattern=15555215554|310260000000000|e21833235b6eef10|com.framgia.android.emulator
151 | description=Emulator detection techniques
152 | 
153 | [encryption]
154 | pattern=KeySpec|SecretKey|Cipher
155 | description=Uses encryption
156 | 
157 | [end_call]
158 | pattern=;->endCall
159 | description=End a phone call
160 | 
161 | [execute_native]
162 | pattern=Runtime;->exec|createSubprocess|Ljava/lang/ProcessBuilder;->start|android.os.Exec
163 | description=Executes shell or native executables
164 | 
165 | [fingerprint]
166 | pattern=Build;->FINGERPRINT
167 | description=Retrieves hardware Build fingerprint
168 | 
169 | [genymotion]
170 | pattern=/dev/socket/baseband_genyd|/dev/socket/genyd|genymotion
171 | description=Detect GenyMotion emulator
172 | 
173 | [gesture]
174 | pattern=android/accessibilityservice/GestureDescription|android/accessibilityservice/AccessibilityService;->dispatchGesture
175 | description=Creating gestures on behalf of end-user
176 | 
177 | [get_accounts]
178 | pattern=AccountManager;->getAccounts|ContactsContract\$CommonDataKinds\$Email|Patterns\$EMAIL_ADDRESS
179 | description=Possibly trying to retrieve the phone operational email address
180 | 
181 | [get_active_network_info]
182 | pattern=getActivateNetworkInfo
183 | description=Returns details about the currently active default data network
184 | 
185 | [get_external_storage_stage]
186 | pattern=Landroid/os/Environment;->getExternalStorageState
187 | description=Reads storage state, possibly to tell if SD card mounted read-only or read-write
188 | 
189 | [get_imei]
190 | pattern=getDeviceId
191 | description=Retrieves phone IMEI
192 | 
193 | [get_imsi]
194 | pattern=getSubscriberId
195 | description=Retrieves user IMSI
196 | 
197 | [get_installed_packages]
198 | pattern=PackageManager;->getInstalledPackages|PackageManager;->getInstalledApplications
199 | description=Lists installed packages
200 | 
201 | [get_installer_package_name]
202 | pattern=PackageManager;->getInstallerPackageName
203 | description=Gives the name of the app which installed a given package
204 | 
205 | [get_line_number]
206 | pattern=getLine1Number
207 | description=Retrieves end user Phone number (line number)
208 | 
209 | [get_mac]
210 | pattern=getMacAddress
211 | description=Retrieves MAC address
212 | 
213 | [get_network_operator]
214 | # this will also match NetworkOperatorName
215 | pattern=getNetworkOperator
216 | description=Retrieves Network operator
217 | 
218 | [get_package_info]
219 | pattern=PackageManager;->getPackageInfo
220 | description=Gets information on package
221 | 
222 | [get_sim_country_iso]
223 | pattern=getSimCountryIso
224 | description=Retrieves SIM country
225 | 
226 | [get_sim_operator]
227 | pattern=getSimOperator
228 | description=Retrieves SIM operator
229 | 
230 | [get_sim_serial_number]
231 | pattern=getSimSerialNumber
232 | description=Retrieves SIM serial number
233 | 
234 | [get_sim_slot_index]
235 | pattern=SubscriptionInfo;->getSimSlotIndex
236 | description=Get SIM slot index 
237 | 
238 | [get_top_activity_component]
239 | pattern=Landroid/app/ActivityManager\$RunningTaskInfo;->topActivity
240 | description=Get the component of the top activity
241 | 
242 | [gps]
243 | pattern=Location;->getLatitude|Location;->getLongitude|;->getCid|;->getLac|LocationManager;->getLastKnownLocation|TelephonyManager;->getCellLocation|LocationManager;->requestLocationUpdates|TelephonyManager;->getNeighboringCellInfo
244 | description=Uses GPS location
245 | 
246 | [gzip]
247 | pattern=java/util/zip/GZipOutputStream|java/util/zip/GZipInputStream
248 | description=Reads or writes GZipped data
249 | 
250 | [hardware]
251 | pattern=Build;->HARDWARE
252 | description=Retrieves phone hardware information
253 | 
254 | [hide_softkeyboard]
255 | pattern=hideSoftInputFromWindow
256 | description=Hides software keyboard
257 | 
258 | [http]
259 | pattern=HttpGet|HttpMessage|HttpRequest|URLConnection;->openConnection
260 | description=Performs HTTP GET
261 | 
262 | 
263 | [intent_chooser]
264 | pattern=Intent;->createChooser
265 | description=Uses intent chooses to ask end-user what application to use when a given event occurs (e.g which email app to use to send an email)
266 | 
267 | [ip_address]
268 | pattern=Landroid/net/DhcpInfo;->ipAddress|getIpAddress|net/InetAddress;->getHostAddress
269 | description=Retrieves the device IP address
270 | 
271 | [ip_properties]
272 | pattern=Landroid/net/DhcpInfo;->netmask|Landroid/net/DhcpInfo;->gateway
273 | description=Gets the netmask or gateway used by the device
274 | 
275 | [javascript]
276 | pattern=Landroid/webkit/WebSettings;->setJavaScriptEnabled|Landroid/webkit/WebView;->addJavascriptInterface
277 | description=Loads JavaScript in WebView
278 | 
279 | [jni]
280 | pattern=JNIEnv| native |jclass|jmethodID|jfieldID|FindClass
281 | description=Uses Java JNI
282 | 
283 | [json]
284 | pattern=org/json/JSONObject
285 | description=Uses JSON objects
286 | 
287 | [keyguard]
288 | pattern=KeyguardManager\$KeyguardLock;->|FLAG_DISMISS_KEYGUARD|android/app/admin/DevicePolicyManager;->lockNow
289 | description=Probably tries to unlock the phone
290 | 
291 | [kill_proc]
292 | pattern=android/app/ActivityManager;->killBackgroundProcesses
293 | description=Kills background process
294 | 
295 | [link_speed]
296 | pattern=android/net/wifi/WifiInfo;->getLinkSpeed
297 | description=Gets link speed for Wifi
298 | 
299 | [load_dex]
300 | pattern=openDexFile|loadDex
301 | description=Loads a DEX executable
302 | 
303 | [load_library]
304 | pattern=System;->loadLibrary
305 | description=Loads a native library
306 | 
307 | [logcat]
308 | pattern=logcat
309 | description=Inspects or manipulates system logs
310 | 
311 | [manufacturer]
312 | pattern=Build;->MANUFACTURER
313 | description=Retrieves hardware manufacturer name
314 | 
315 | [methodchannel]
316 | pattern=io/flutter/plugin/common/MethodChannel;->
317 | description=Communicates with Flutter layer
318 | 
319 | [microphone]
320 | pattern=android/media/AudioManager;->setMicrophoneMute
321 | description=Mutes the microphone
322 | 
323 | [misecurity]
324 | pattern=com.miui.securitycenter
325 | description=Checks presence, navigates to Mi Security Center or tries to disable security settings
326 | 
327 | [model]
328 | pattern=Build;->MODEL
329 | description=Retrieves hardware build model
330 | 
331 | [nop]
332 | pattern= nop
333 | description=DEX bytecode contains NOP instructions.
334 | 
335 | [nox]
336 | pattern=fstab.nox|init.nox.rc|ueventd.nox.rc|com.bignox.app|nox-prop|nox-vbox-sf|noxspeedup|libnoxspeedup.so|libnoxd.so
337 | description=NOX emulator detection
338 | 
339 | [obfuscation]
340 | pattern=/a/a;->a|AESObfuscator-1
341 | description=Obvious traces of code obfuscation
342 | 
343 | [open_non_asset]
344 | pattern=openNonAsset
345 | description=Opens a non asset file
346 | 
347 | [package_delete]
348 | pattern=android.intent.action.DELETE
349 | description=Uninstalls a package
350 | 
351 | [package_session]
352 | pattern=PackageInstaller;->createSession|PackageInstaller;->openSession
353 | description=Session-based package installer, potentially to bypass Restricted Settings
354 | 
355 | [package_sig]
356 | pattern=PackageInfo;->signatures|GET_SIGNATURES
357 | description=Reads signatures of packages
358 | 
359 | [pangxie]
360 | pattern=PangXie
361 | description=Uses PangXie obfuscation
362 | 
363 | [password]
364 | pattern=android/app/admin/DevicePolicyManager;->resetPassword|android/app/admin/DevicePolicyManager;->clearResetPasswordToken|android/app/admin/DevicePolicyManager;->clearUserRestriction
365 | description=Reset smartphone password
366 | 
367 | [perform_action]
368 | pattern=android/view/accessibility/AccessibilityNodeInfo;->performAction|android/accessibilityservice/AccessibilityService;->performGlobalAction
369 | description=Perform action (click, scroll etc) on behalf of end user
370 | 
371 | [phone_number]
372 | pattern=android.intent.extra.PHONE_NUMBER
373 | description=Retrieves an Incoming or outgoing phone number
374 | 
375 | [play_protect]
376 | pattern=.security.settings.VerifyAppsSettingsActivity
377 | description=Tries to launch or disable Google Play Protect
378 | 
379 | [post]
380 | pattern=POST |HttpPost|"POST"|POST
381 | description=Tries to perform an HTTP POST. There might be False Positives...
382 | 
383 | [product]
384 | pattern=Build;->PRODUCT
385 | description=Retrieves hardware build product
386 | 
387 | [receive_sms]
388 | pattern=SmsReceiver|;->createFromPdu|SmsObserver|;->getOriginatingAddress|content://sms|SmsMessage|SMS_RECEIVED
389 | description=Receiving SMS
390 | 
391 | [record]
392 | pattern=android/media/AudioRecord;->startRecording
393 | description=Records audio on the phone
394 | 
395 | [record_screen]
396 | pattern=Landroid/media/projection/MediaProjection;->createVirtualDisplay
397 | description=Records screen
398 | 
399 | [reflection]
400 | pattern=Class;->forName|Method;->invoke|Class;->getDeclaredMethods|Method;->setAccessible|java/lang/ClassLoader;->loadClass|Class;->getMethod|java/lang/reflect/Constructor;->newInstance
401 | description=Uses Java Reflection
402 | 
403 | [ringer]
404 | pattern=android/media/AudioManager;->setRingerMode|android/media/AudioManager;->getRingerMode
405 | description=Gets or sets ringer mode
406 | 
407 | [rooting]
408 | pattern=com.amphoras.hidemyroot|com.amphoras.hidemyrootadfree|com.chelpus.lackypatch|com.cyanogenmod|com.devadvance.rootcloak|com.dimonvideo.luckypatcher|com.formyhm.hideroot|com.koushikdutta.rommanager|com.koushikdutta.superuser|com.noshufou.android.su|com.ramdroid.appquarantine|com.saurik.substrate|com.thirdparty.superuser|com.topjohnwu.magisk|com.yellowes.su|com.zachspong.temprootremovejb|de.robv.android.xposed.installer|eu.chainfire.supersu|io.github.huskydg.magisk|me.phh.superuser|me.weishu.kernelsu|org.lsposed.daemon|org.lsposed.manager|Superuser.apk
409 | description=Searches for or uses applications typically installed on rooted phones.
410 | 
411 | [rssi]
412 | pattern=android/net/wifi/WifiInfo;->getRssi
413 | description=Gets Wifi RSSI
414 | 
415 | [scp]
416 | pattern=const-string v[0-9]*, ".*scp.*"
417 | description=Sends or retrieves files via SCP
418 | 
419 | [search_url]
420 | pattern=Landroid/provider/Browser;->addSearchUrl
421 | description=Adds a new search URL to the browser
422 | 
423 | 
424 | [send_sms]
425 | pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
426 | description=Sending SMS messages
427 | 
428 | [sensor]
429 | pattern=android/hardware/SensorManager;->getSensorList|onSensorChanged
430 | description=Lists hardware sensors or receives sensor events. Sometimes abused to check the phone is running in a sandbox.
431 | 
432 | [set_component]
433 | pattern=PackageManager;->setComponentEnabledSetting
434 | description=Might be trying to hide the application icon
435 | 
436 | [shortcut]
437 | pattern=INSTALL_SHORTCUT
438 | description=Adds a new app shortcut to the phone
439 | 
440 | [socket]
441 | pattern=Ljava/net/Socket;-><init>|java/net/ServerSocket;->accept
442 | description=Creates a socket. Used to communicate...
443 | 
444 | [ssh]
445 | pattern= const-string v[0-9]*, ".*ssh.*"
446 | description=Application uses SSH
447 | 
448 | [ssl_pinning]
449 | pattern= javax/net/ssl/X509TrustManager;->checkClientTrusted | javax/net/ssl/X509TrustManager;->checkServerTrusted | javax/net/ssl/X509TrustManager;->getAcceptedIssuers | javax/net/ssl/HostnameVerifier;->verify | okhttp/CertificatePinner;->check | okhttp3/CertificatePinner;->check | javax/net/ssl/HttpsURLConnection;->setDefaultHostnameVerifier | javax/net/ssl/HttpsURLConnection;->setSSLSocketFactory | javax/net/ssl/HttpsURLConnection;->setHostnameVerifier | android/webkit/WebViewClient;->onReceivedSslError | org/apache/cordova/CordovaWebViewClient;->onReceivedSslError
450 | description=Application uses SSL Pinning to secure connection
451 | 
452 | [ssid]
453 | pattern=android/net/wifi/WifiInfo;->getSSID
454 | description=Retrieves SSID used by Wifi
455 | 
456 | [stacktrace]
457 | pattern=Throwable;->getStackTrace
458 | description=Get stack traces. Can be used as Anti Frida technique.
459 | 
460 | [su]
461 | pattern="su"|/system/xbin/daemonsu|/system/xbin/sugote|/vendor/bin/su|/odm/bin/su|/product/bin/su|/system/bin/.su|/system/xbin/.su|/system/app/Superuser.apk|/sbin/su|/system/bin/su|/system/xbin/su|/data/local/su|/su/bin/su|/data/local/bin/su|/data/local/xbin/su|/system/bin/.ext/su|/system/bin/failsafe/su|/system/sd/xbin/su|/system/usr/we-need-root/su|/cache/su|/data/su|/dev/su
462 | description=Uses Su. Perhaps to test if device is rooted.
463 | 
464 | [substrate]
465 | pattern=com/saurik/substrate/MS
466 | description=Uses or refers to Saurik substrate
467 | 
468 | [system_app]
469 | pattern=android/app/admin/DevicePolicyManager;->enableSystemApp
470 | description=System apps cannot be deleted, a feature which interests some malware...
471 | 
472 | [tasks]
473 | pattern=android/app/ActivityManager;->getRunningTasks
474 | description=Lists running tasks
475 | 
476 | [teamviewer]
477 | pattern=com.teamviewer.quicksupport.market
478 | description=Checks presence, navigates to or uses Team Viewer remote control app
479 | 
480 | [uri]
481 | pattern=Landroid/net/Uri;->parse
482 | description=Parses a URL. Will usually just display the URL, but not post info.
483 | 
484 | [url_history]
485 | pattern=Landroid/provider/Browser;->getAllVisitedUrls
486 | description=Gets all URLs the phone browser visited
487 | 
488 | [user_agent]
489 | pattern=User-Agent
490 | description=Specifies a HTTP User Agent
491 | 
492 | [uuid]
493 | pattern=UUID;->randomUUID
494 | description=Creates a random identifier. Used to identify the user.
495 | 
496 | [version]
497 | pattern=Build\$VERSION;->RELEASE|Build\$VERSION;->CODENAME
498 | description=Build version
499 | 
500 | [vibrate]
501 | pattern=android/os/Vibrator;->vibrate
502 | description=Uses phone vibrations
503 | 
504 | [vnd_package]
505 | pattern=application/vnd.android.package_archive
506 | description=Probably tries to load an app
507 | 
508 | [wakelock]
509 | pattern=android/os/PowerManager\$WakeLock;->acquire()
510 | description=Get PowerManager WakeLock (typically used to conceal a running malware while keeping screen blank)
511 | 
512 | [wallpaper]
513 | pattern=android/app/WallpaperManager;->getDrawable|android/app/WallpaperManager;->setBitmap
514 | description=Gets or sets the current wallpaper
515 | 
516 | [webview]
517 | pattern=Landroid/webkit/WebView;->loadUrl|;->setWebChromeClient
518 | description=Displays a URL in the WebView. Very much used to display custom pages with JavaScript, sometimes malicious...
519 | 
520 | [wifi]
521 | pattern=android/net/wifi/WifiManager;->setWifiEnabled|android/net/wifi/WifiManager;->isWifiEnabled|android/net/wifi/WifiManager;->startScan
522 | description=Tests or scans for WiFi
523 | 
524 | [zip]
525 | pattern=java/util/zip/ZipOutputStream|java/util/zip/ZipInputStream|java/util/zip/ZipEntry
526 | description=Zips or unzips files
527 | 
528 | [2fa]
529 | pattern=com.google.android.apps.authenticator2
530 | description=Checks presence of 2FA app, or navigates to it, or steals PIN
531 | 


--------------------------------------------------------------------------------
/conf/sortconf.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import configparser
 3 | 
 4 | DEFAULTSECT = 'default'
 5 | 
 6 | def get_arguments():
 7 |     parser =  argparse.ArgumentParser(description="Sort conf files by alphabetic order of sections", prog='sortconf')
 8 |     parser.add_argument('-i', '--input', help='Input conf file', action='store', default='./kit.conf')
 9 |     parser.add_argument('-o', '--output', help='Output file', action='store', default='./sorted.conf')
10 |     parser.add_argument('-v', '--verbose', help='get more detailed messages', action='store_true')
11 |     args = parser.parse_args()
12 |     return args
13 |     
14 | 
15 | class OrderedRawConfigParser( configparser.RawConfigParser ):
16 |     """
17 |     Overload standart Class ConfigParser.RawConfigParser
18 |     """
19 |     def __init__( self, defaults = None, dict_type = dict ):
20 |         configparser.RawConfigParser.__init__( self, defaults = None, dict_type = dict )
21 | 
22 |         def write(self, fp):
23 |             """Write an .ini-format representation of the configuration state."""
24 |             if self._defaults:
25 |                 fp.write("[%s]\n" % DEFAULTSECT)
26 |                 for key in sorted( self._defaults ):                
27 |                     fp.write( "%s = %s\n" % (key, str( self._defaults[ key ] ).replace('\n', '\n\t')) )
28 |                     fp.write("\n")
29 |             for section in self._sections:
30 |                 fp.write("[%s]\n" % section)
31 |                 for key in sorted( self._sections[section] ): 
32 |                     if key != "__name__":
33 |                         fp.write("%s = %s\n" %
34 |                                  (key, str( self._sections[section][ key ] ).replace('\n', '\n\t')))    
35 |                 fp.write("\n")
36 | 
37 | def main():
38 |     args = get_arguments()
39 |     parser = OrderedRawConfigParser()
40 |     parser.read(args.input)
41 |     output = open(args.output,'w')
42 |     parser.write(output)
43 |     output.close()
44 |     
45 |     
46 | if __name__ == "__main__":
47 |     main()
48 | 


--------------------------------------------------------------------------------
/conf/wide.conf:
--------------------------------------------------------------------------------
  1 | [am_start]
  2 | pattern=am start
  3 | description=Start an activity via shell command
  4 | 
  5 | [android_wear]
  6 | pattern=Android\ Wear|android_wear
  7 | description=Uses or references Android Wear
  8 | 
  9 | [china_mobile]
 10 | pattern=cmwap|cmnet
 11 | description=Detects China Mobile network
 12 | 
 13 | [china_unicom]
 14 | pattern=uniwap|uninet
 15 | description=Detects China Unicom network
 16 | 
 17 | [china_telecom]
 18 | pattern=ctwap|ctnet
 19 | description=Detects China Telecom network
 20 | 
 21 | [coinhive]
 22 | pattern=CoinHive
 23 | description=CoinHive JavaScript SDK for mining Monero
 24 | 
 25 | [cryptocurrency]
 26 | pattern=CoinHive|crypta\.js|crypto-loot|ethereum|dogecoin|litecoin|bitcoin|ledger|blockchain|trezor
 27 | description=Uses cryptocurrencies
 28 | 
 29 | [cryptoloot]
 30 | pattern=crypta\.js|crypto-loot
 31 | 
 32 | [c2_anon]
 33 | pattern=portmap\.io|ngrok\.io
 34 | description=Port forwarding or secure tunneling service - often used to anonymize C2
 35 | 
 36 | [gps]
 37 | pattern=LocationManager
 38 | description=Use of GPS noticed in assets, libraries or other unusual directories
 39 | 
 40 | [javascript]
 41 | pattern=<script type=\"text/javascript\" src=.*\.js\"
 42 | 
 43 | [jni_onload]
 44 | pattern=JNI_OnLoad
 45 | 
 46 | [has_phonenumbers]
 47 | pattern=\+[0-9]{1,3}[0-9]{10,14}
 48 | description=References phone numbers in the app
 49 | 
 50 | [has_url]
 51 | pattern=(http|https|ftp|ftps)://[0-9a-zA-Z.&=_@\-]*
 52 | description=References URLs
 53 | 
 54 | [ip_address]
 55 | pattern=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
 56 | description=Mentions an IP address
 57 | 
 58 | [kill]
 59 | pattern=kill .* 
 60 | description=Can kill other processes
 61 | 
 62 | [miner]
 63 | pattern=minerd|xmrig|cpuminerd|minergate
 64 | description=Uses a crypto miner
 65 | 
 66 | [mms]
 67 | pattern=FEATURE_ENABLE_MMS|EXTRA_STRAM|content://
 68 | description=Probably dealing with MMS
 69 | 
 70 | [play_protect]
 71 | pattern=Google\ Play\ Protect
 72 | description=Uses or searches for Google Play Protect mechanism
 73 | 
 74 | [play_services]
 75 | pattern=google_play_services|Google\ Play\ services
 76 | description=Uses Google Play services
 77 | 
 78 | [pm_install]
 79 | pattern=pm install
 80 | description=Install an application via shell command
 81 | 
 82 | [qemu]
 83 | pattern=goldfish|ro\.hardware|gsm\.version\.ril-impl|android reference-ril|/dev/socket/qemud|/dev/qemu_pipe|qemu\.sf|qemu\.hhw|ro\.kernel\.qemu
 84 | description=Detection of QEMU emulator
 85 | 
 86 | [screen_on_off]
 87 | pattern=android.intent.action.USER_PRESENT|android.intent.action.ACTION_SCREEN_
 88 | description=To perform an action while the user is not watching
 89 | 
 90 | [sfr]
 91 | pattern=mmssfr|sl2sfr
 92 | description=Detects SFR network
 93 | 
 94 | [su_exector]
 95 | pattern=SuExecutor
 96 | 
 97 | [systemprop]
 98 | pattern=ro\.product|ro\.serialno
 99 | description=Inspects system properties
100 | 
101 | 
102 | 


--------------------------------------------------------------------------------
/dev.md:
--------------------------------------------------------------------------------
  1 | # Dev notes
  2 | 
  3 | ## Testing the git in a Docker container
  4 | 
  5 | ```
  6 | $ docker run -it --rm ubuntu:latest /bin/bash
  7 | # apt update
  8 | # apt-get install default-jre git python3 python3-pip unzip wget libmagic-dev libxml2-dev libxslt-dev
  9 | # mkdir -p ~/softs
 10 | # cd ~/softs
 11 | # wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.11.1.jar
 12 | # wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.5.2.jar
 13 | # wget https://github.com/pxb1988/dex2jar/releases/download/v2.4/dex-tools-v2.4.zip
 14 | # unzip dex-tools-2.4.zip 
 15 | # rm -f dex-tools-2.4.zip 
 16 | # pip3 install -U pip
 17 | # git clone https://github.com/cryptax/droidlysis
 18 | # cd droidlysis
 19 | # pip3 install -r requirements.txt
 20 | ```
 21 | 
 22 | ## Packaging
 23 | 
 24 | https://packaging.python.org/en/latest/tutorials/packaging-projects/
 25 | 
 26 | Update packages:
 27 | 
 28 | ```
 29 | python3 -m pip install --upgrade pip
 30 | python3 -m pip install --upgrade build
 31 | python3 -m pip install --upgrade twine
 32 | ```
 33 | 
 34 | Then build:
 35 | 
 36 | ```
 37 | python3 -m build
 38 | ```
 39 | 
 40 | Upload the package to test:
 41 | 
 42 | ```
 43 | python3 -m twine upload --repository testpypi dist/*
 44 | ```
 45 | 
 46 | ### Testing the package in a python virtual environment
 47 | 
 48 | From github repo:
 49 | 
 50 | ```
 51 | cd /tmp
 52 | python3 -m venv ./droid-test
 53 | source ./droid-test/bin/activate
 54 | pip3 install git+https://github.com/cryptax/droidlysis
 55 | ```
 56 | 
 57 | From test pypi:
 58 | ```
 59 | cd /tmp
 60 | python3 -m venv ./droid-test
 61 | source ./droid-test/bin/activate
 62 | pip3 install -i https://test.pypi.org/simple/ droidlysis
 63 | ```
 64 | 
 65 | You might need to install the requirements...
 66 | 
 67 | ```
 68 | which droidlysis
 69 | droidlysis --version
 70 | ```
 71 | 
 72 | Run droidlysis using default config from Python virtual environment: 
 73 | 
 74 | ```
 75 | droidlysis --config ./lib/python3.10/site-packages/conf/general.conf --input yourapk.apk --output /tmp/outputdir
 76 | ```
 77 | 
 78 | 
 79 | ### Testing the package in a Docker container
 80 | 
 81 | In Alpine:
 82 | 
 83 | ```
 84 | $ docker run -it --rm alpine:latest /bin/sh
 85 | / # apk add bash python3 py3-setuptools py3-pip git libxml2 libxslt-dev
 86 | # pip3 install --upgrade pip
 87 | # pip3 install --extra-index-url https://testpypi.python.org/pypi --no-deps droidlysis
 88 | 
 89 | ```
 90 | 
 91 | Or with Ubuntu:
 92 | 
 93 | ```
 94 | docker run -it --rm ubuntu:latest /bin/bash
 95 | # apt update
 96 | # apt install python3 python3-pip python3-venv
 97 | # pip3 install --upgrade pip
 98 | # python3 -m venv droidlysis
 99 | # pip3 install --extra-index-url https://testpypi.python.org/pypi --no-deps droidlysis
100 | ```
101 | 
102 | ### Final upload
103 | 
104 | When ready, upload on the real pypi: `twine upload dist/*`
105 | 
106 | Make sure to use ~/.pypirc with API token.
107 | 
108 | 


--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | version: "3"
 3 | services:
 4 |   droidlysis:
 5 |     build:
 6 |       context: .
 7 |       dockerfile: Dockerfile
 8 |     image: cryptax/droidlysis:2024.02
 9 |     volumes:
10 |       - /tmp/droidlysis-share:/share
11 | 


--------------------------------------------------------------------------------
/droidconfig.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import errno
  3 | import configparser
  4 | import logging
  5 | import shutil
  6 | import filecmp 
  7 | from platformdirs import *
  8 | 
  9 | 
 10 | logging.basicConfig(format='%(levelname)s:%(filename)s:%(message)s',
 11 |                     level=logging.INFO)
 12 | 
 13 | 
 14 | # ------------------------- Reading *.conf configuration files -----------
 15 | class generalconfig:
 16 |     def __init__(self, filename, verbose=False):
 17 |         if not filename:
 18 |             filename = './conf/general.conf'
 19 |         if not os.path.exists(filename):
 20 |             try:
 21 |                 from xdg.BaseDirectory import xdg_config_home
 22 | 
 23 |                 config = xdg_config_home
 24 |             except ImportError:
 25 |                 config = os.path.join(os.getenv('HOME'), '.config')
 26 |             config = os.path.join(config, 'droidlysis', 'general.conf')
 27 |             if not os.path.exists(config):
 28 |                 config = '/etc/droidlysis/general.conf'
 29 |             if os.path.exists(config):
 30 |                 filename = config
 31 |         logging.debug(f'Reading config from {filename}')
 32 | 
 33 |         if not os.path.exists(filename):
 34 |             raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), filename)
 35 |         self.config = configparser.ConfigParser()
 36 |         self.config.read(filename)
 37 | 
 38 |         # get config
 39 |         self.APKTOOL_JAR = os.path.expanduser(self.config['tools']['apktool'])
 40 |         self.BAKSMALI_JAR = os.path.expanduser(self.config['tools']['baksmali'])
 41 |         self.DEX2JAR_CMD = os.path.expanduser(self.config['tools']['dex2jar'])
 42 |         self.KEYTOOL = os.path.expanduser(self.config['tools']['keytool'])
 43 |         self.SMALI_CONFIGFILE = os.path.join(os.path.dirname(filename),
 44 |                                              self.config['general']['smali_config'])
 45 |         self.WIDE_CONFIGFILE = os.path.join(os.path.dirname(filename),
 46 |                                             self.config['general']['wide_config'])
 47 |         self.ARM_CONFIGFILE = os.path.join(os.path.dirname(filename),
 48 |                                            self.config['general']['arm_config'])
 49 |         self.DISTRIB_KIT_CONFIGFILE = os.path.join(os.path.dirname(filename),
 50 |                                                    self.config['general']['kit_config'])
 51 | 
 52 |         # duplicate kit configuration for edition
 53 |         cache_dir = user_cache_dir('droidlysis', 'cryptax')
 54 |         if not os.path.exists(cache_dir):
 55 |             os.makedirs(cache_dir)
 56 |         self.KIT_CONFIGFILE = os.path.join(cache_dir,
 57 |                                            self.config['general']['kit_config'])
 58 |         if not os.path.exists(self.KIT_CONFIGFILE):
 59 |             logging.debug(f'Copying {self.DISTRIB_KIT_CONFIGFILE}'
 60 |                           f' to {self.KIT_CONFIGFILE}')
 61 |             shutil.copyfile(self.DISTRIB_KIT_CONFIGFILE, self.KIT_CONFIGFILE)
 62 |         elif not filecmp.cmp(self.KIT_CONFIGFILE, self.DISTRIB_KIT_CONFIGFILE):
 63 |             logging.warning(f'Cached kit configuration {self.KIT_CONFIGFILE} != general distrib config {self.DISTRIB_KIT_CONFIGFILE}. Using cached config. Check this is ok')
 64 | 
 65 |         self.SQLALCHEMY = f'sqlite:///{self.config["general"]["db_file"]}'
 66 | 
 67 |         # check files are accessible
 68 |         for f in [self.APKTOOL_JAR, self.BAKSMALI_JAR,
 69 |                   self.DEX2JAR_CMD, 
 70 |                   self.SMALI_CONFIGFILE, self.WIDE_CONFIGFILE,
 71 |                   self.ARM_CONFIGFILE, self.KIT_CONFIGFILE]:
 72 |             if not os.access(f, os.R_OK):
 73 |                 logging.warning(f'Cannot access {f} - check your configuration file {filename}')
 74 | 
 75 |         if not os.access(self.KEYTOOL, os.X_OK):
 76 |             logging.warning(f'Cannot access keytool at {self.KEYTOOL} - check your configuration file {filename}')
 77 | 
 78 | 
 79 | class droidconfig:
 80 |     def __init__(self, filename, verbose=False):
 81 |         assert filename is not None, "Filename is invalid"
 82 |         assert os.access(filename, os.R_OK) is not False, "File {0} is not readable".format(filename)
 83 | 
 84 |         self.filename = filename
 85 |         self.configparser = configparser.RawConfigParser()
 86 |         if verbose:
 87 |             logging.getLogger().setLevel(logging.DEBUG)
 88 |         logging.debug("Reading configuration file: '%s'" % (filename))
 89 |         self.configparser.read(filename)
 90 | 
 91 |     def get_sections(self):
 92 |         return self.configparser.sections()
 93 | 
 94 |     def get_pattern(self, section):
 95 |         return self.configparser.get(section, 'pattern')
 96 | 
 97 |     def get_description(self, section):
 98 |         try:
 99 |             return self.configparser.get(section, 'description')
100 |         except (configparser.NoSectionError, configparser.NoOptionError):
101 |             pass
102 |         return None
103 | 
104 |     def is_pattern_present(self, pattern):
105 |         for section in self.get_sections():
106 |             section_patterns = self.get_pattern(section).split('|')
107 |             if pattern in section_patterns:
108 |                 return True
109 |             for p in section_patterns:
110 |                 if p in pattern:
111 |                     # our pattern is more generic
112 |                     return True
113 |         return False
114 | 
115 |     def get_all_regexp(self):
116 |         # reads the config file and returns a list
117 |         # of all patterns for all sections
118 |         # the patterns are concatenated with a |
119 |         # throws NoSectionError, NoOptionError
120 |         allpatterns = ''
121 |         for section in self.configparser.sections():
122 |             if allpatterns == '':
123 |                 allpatterns = self.configparser.get(section, 'pattern')
124 |             else:
125 |                 allpatterns = self.configparser.get(section, 'pattern') + '|' + allpatterns
126 |         return bytes(allpatterns, 'utf-8')
127 | 
128 |     def match_properties(self, match, properties):
129 |         """
130 |         Call this when the recursive search has been done to analyze the results
131 |         and understand which properties have been spotted.
132 | 
133 |         @param match: returned by droidutil.recursive_search. This is a dictionary
134 |         of matching lines ordered by matching keyword (pattern)
135 | 
136 |         @param properties: dictionary of properties where the key is the property name
137 |         and the value will be False/True if set or not
138 | 
139 |         throws NoSessionError, NoOptionError
140 |         """
141 |         for section in self.configparser.sections():
142 |             pattern_list = self.configparser.get(section, 'pattern').split('|')
143 |             properties[section] = False
144 |             for pattern in pattern_list:
145 |                 # beware when pattern has blah\$binz, the matching key is blah$binz
146 |                 if match[pattern.replace('\\', '')]:
147 |                     logging.debug("Setting properties[%s] = True (matches %s)" % (section, pattern))
148 |                     properties[section] = True
149 |                     break
150 | 
151 |                 
152 | 


--------------------------------------------------------------------------------
/droidcountry.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __status__ = "Alpha"
  6 | __license__ = "MIT License"
  7 | """
  8 | country = {'af': 0,
  9 |            'ax': 1,
 10 |            'al': 2,
 11 |            'dz': 3,
 12 |            'as': 4,
 13 |            'ad': 5,
 14 |            'ao': 6,
 15 |            'ai': 7,
 16 |            'aq': 8,
 17 |            'ag': 9,
 18 |            'ar': 10,
 19 |            'am': 11,
 20 |            'aw': 12,
 21 |            'au': 13,
 22 |            'at': 14,
 23 |            'az': 15,
 24 |            'bs': 16,
 25 |            'bh': 17,
 26 |            'bd': 18,
 27 |            'bb': 19,
 28 |            'by': 20,
 29 |            'be': 21,
 30 |            'bz': 22,
 31 |            'bj': 23,
 32 |            'bm': 24,
 33 |            'bt': 25,
 34 |            'bo': 26,
 35 |            'bq': 27,
 36 |            'ba': 28,
 37 |            'bw': 29,
 38 |            'bv': 30,
 39 |            'br': 31,
 40 |            'io': 32,
 41 |            'bn': 33,
 42 |            'bg': 34,
 43 |            'bf': 35,
 44 |            'bi': 36,
 45 |            'kh': 37,
 46 |            'cm': 38,
 47 |            'ca': 39,
 48 |            'cv': 40,
 49 |            'ky': 41,
 50 |            'cf': 42,
 51 |            'td': 43,
 52 |            'cl': 44,
 53 |            'cn': 45,
 54 |            'cx': 46,
 55 |            'cc': 47,
 56 |            'co': 48,
 57 |            'km': 49,
 58 |            'cg': 50,
 59 |            'cd': 51,
 60 |            'ck': 52,
 61 |            'cr': 53,
 62 |            'ci': 54,
 63 |            'hr': 55,
 64 |            'cu': 56,
 65 |            'cw': 57,
 66 |            'cy': 58,
 67 |            'cz': 59,
 68 |            'dk': 60,
 69 |            'dj': 61,
 70 |            'dm': 62,
 71 |            'do': 63,
 72 |            'ec': 64,
 73 |            'eg': 65,
 74 |            'sv': 66,
 75 |            'gq': 67,
 76 |            'er': 68,
 77 |            'ee': 69,
 78 |            'et': 70,
 79 |            'fk': 71,
 80 |            'fo': 72,
 81 |            'fj': 73,
 82 |            'fi': 74,
 83 |            'fr': 75,
 84 |            'gf': 76,
 85 |            'pf': 77,
 86 |            'tf': 78,
 87 |            'ga': 79,
 88 |            'gm': 80,
 89 |            'ge': 81,
 90 |            'de': 82,
 91 |            'gh': 83,
 92 |            'gi': 84,
 93 |            'gr': 85,
 94 |            'gl': 86,
 95 |            'gd': 87,
 96 |            'gp': 88,
 97 |            'gu': 89,
 98 |            'gt': 90,
 99 |            'gg': 91,
100 |            'gn': 92,
101 |            'gw': 93,
102 |            'gy': 94,
103 |            'ht': 95,
104 |            'hm': 96,
105 |            'va': 97,
106 |            'hn': 98,
107 |            'hk': 99,
108 |            'hu': 100,
109 |            'is': 101,
110 |            'in': 102,
111 |            'id': 103,
112 |            'ir': 104,
113 |            'iq': 105,
114 |            'ie': 106,
115 |            'im': 107,
116 |            'il': 108,
117 |            'it': 109,
118 |            'jm': 110,
119 |            'jp': 111,
120 |            'je': 112,
121 |            'jo': 113,
122 |            'kz': 114,
123 |            'ke': 115,
124 |            'ki': 116,
125 |            'kp': 117,
126 |            'kr': 118,
127 |            'kw': 119,
128 |            'kg': 120,
129 |            'la': 121,
130 |            'lv': 122,
131 |            'lb': 123,
132 |            'ls': 124,
133 |            'lr': 125,
134 |            'ly': 126,
135 |            'li': 127,
136 |            'lt': 128,
137 |            'lu': 129,
138 |            'mo': 130,
139 |            'mk': 131,
140 |            'mg': 132,
141 |            'mw': 133,
142 |            'my': 134,
143 |            'mv': 135,
144 |            'ml': 136,
145 |            'mt': 137,
146 |            'mh': 138,
147 |            'mq': 139,
148 |            'mr': 140,
149 |            'mu': 141,
150 |            'yt': 142,
151 |            'mx': 143,
152 |            'fm': 144,
153 |            'md': 145,
154 |            'mc': 146,
155 |            'mn': 147,
156 |            'me': 148,
157 |            'ms': 149,
158 |            'ma': 150,
159 |            'mz': 151,
160 |            'mm': 152,
161 |            'na': 153,
162 |            'nr': 154,
163 |            'np': 155,
164 |            'nl': 156,
165 |            'nc': 157,
166 |            'nz': 158,
167 |            'ni': 159,
168 |            'ne': 160,
169 |            'ng': 161,
170 |            'nu': 162,
171 |            'nf': 163,
172 |            'mp': 164,
173 |            'no': 165,
174 |            'om': 166,
175 |            'pk': 167,
176 |            'pw': 168,
177 |            'ps': 169,
178 |            'pa': 170,
179 |            'pg': 171,
180 |            'py': 172,
181 |            'pe': 173,
182 |            'ph': 174,
183 |            'pn': 175,
184 |            'pl': 176,
185 |            'pt': 177,
186 |            'pr': 178,
187 |            'qa': 179,
188 |            're': 180,
189 |            'ro': 181,
190 |            'ru': 182,
191 |            'rw': 183,
192 |            'bl': 184,
193 |            'sh': 185,
194 |            'kn': 186,
195 |            'lc': 187,
196 |            'mf': 188,
197 |            'pm': 189,
198 |            'vc': 190,
199 |            'ws': 191,
200 |            'sm': 192,
201 |            'st': 193,
202 |            'sa': 194,
203 |            'sn': 195,
204 |            'rs': 196,
205 |            'sc': 197,
206 |            'sl': 198,
207 |            'sg': 199,
208 |            'sx': 200,
209 |            'sk': 201,
210 |            'si': 202,
211 |            'sb': 203,
212 |            'so': 204,
213 |            'za': 205,
214 |            'gs': 206,
215 |            'ss': 207,
216 |            'es': 208,
217 |            'lk': 209,
218 |            'sd': 210,
219 |            'sr': 211,
220 |            'sj': 212,
221 |            'sz': 213,
222 |            'se': 214,
223 |            'ch': 215,
224 |            'sy': 216,
225 |            'tw': 217,
226 |            'tj': 218,
227 |            'tz': 219,
228 |            'th': 220,
229 |            'tl': 221,
230 |            'tg': 222,
231 |            'tk': 223,
232 |            'to': 224,
233 |            'tt': 225,
234 |            'tn': 226,
235 |            'tr': 227,
236 |            'tm': 228,
237 |            'tc': 229,
238 |            'tv': 230,
239 |            'ug': 231,
240 |            'ua': 232,
241 |            'ae': 233,
242 |            'gb': 234,
243 |            'us': 235,
244 |            'um': 236,
245 |            'uy': 237,
246 |            'uz': 238,
247 |            'vu': 239,
248 |            've': 240,
249 |            'vn': 241,
250 |            'vg': 242,
251 |            'vi': 243,
252 |            'wf': 244,
253 |            'eh': 245,
254 |            'ye': 246,
255 |            'zm': 247,
256 |            'zw': 248,
257 |            'unknown': 500
258 |            }
259 | 
260 | 
261 | def to_int(country_string):
262 |     """
263 |     Converts a 2-letter country string like fr to the appropriate enum value
264 |     If not found, returns the value for unknown
265 |     """
266 |     lowercase = country_string.lower()
267 |     if lowercase in country.keys():
268 |         return country[lowercase]
269 |     else:
270 |         return country['unknown']
271 | 
272 | 
273 | def to_key(code):
274 |     """Converts the enum value to a 2 letter country code. If not found,
275 |     returns unknown"""
276 |     for name, number in country.iteritems():
277 |         if code == number:
278 |             return name
279 |     return "unknown"
280 | 


--------------------------------------------------------------------------------
/droidlysis:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import droidlysis3
 5 | 
 6 | if __name__ == "__main__":
 7 |     droidlysis3.check_python_version()
 8 |     args = droidlysis3.get_arguments()
 9 |     droidlysis3.process_input(args)
10 |     print("END")
11 | 


--------------------------------------------------------------------------------
/droidlysis3.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __license__ = "MIT License"
  6 | """
  7 | import argparse
  8 | import os
  9 | import subprocess
 10 | import droidutil  # that's my own utilities
 11 | import droidsample
 12 | import droidreport
 13 | import sys
 14 | import logging
 15 | from droidsql import DroidSql
 16 | from droidconfig import generalconfig
 17 | 
 18 | property_dump_file = 'details.md'
 19 | report_file = 'report.md'
 20 | json_file = 'report.json'
 21 | __version__ = "3.4.7"
 22 | 
 23 | logging.basicConfig(format='%(levelname)s:%(filename)s:%(message)s',
 24 |                     level=logging.INFO)
 25 | 
 26 | 
 27 | def get_arguments():
 28 |     """Read arguments for the program and returns the ArgumentParser"""
 29 |     description = 'DroidLysis3 is a Python which processes Android samples. \n'
 30 |     'It prepares the sample for analysis, unzipping,'
 31 |     'disassembling, decompiling it.'
 32 |     'It parses for potentially suspicious features '
 33 |     '(e.g "sample roots the phone")'
 34 |     parser = argparse.ArgumentParser(description=description,
 35 |                                      prog='DroidLysis',
 36 |                                      epilog='Version ' + __version__
 37 |                                      + ' - Greetz from @cryptax')
 38 |     parser.add_argument('-i', '--input',
 39 |                         help='input directories or files to process',
 40 |                         nargs='+', action='store', default='.')
 41 |     parser.add_argument('-o', '--output',
 42 |                         help='analysis of input files is written into '
 43 |                         'subdirectories of this directory',
 44 |                         action='store', default='.')
 45 |     parser.add_argument('-c', '--clearoutput',
 46 |                         help='erase the output directory at the end. '
 47 |                         'Indicates you want something quick.',
 48 |                         action='store_true')
 49 |     parser.add_argument('-s', '--silent',
 50 |                         help='do not display output on console',
 51 |                         action='store_true')
 52 |     parser.add_argument('-m', '--movein',
 53 |                         help='after it has been processed, '
 54 |                         'each input file is moved to this directory',
 55 |                         action='store')
 56 |     parser.add_argument('-v', '--verbose',
 57 |                         help='get more detailed messages',
 58 |                         action='store_true')
 59 |     parser.add_argument('-V', '--version',
 60 |                         help='displays version number',
 61 |                         action='version',
 62 |                         version="%(prog)s "+__version__)
 63 |     parser.add_argument('--no-kit-exception',
 64 |                         help='by default, ad/dev/stats kits are ruled '
 65 |                         'out for searches. '
 66 |                         'Use this option to treat them as regular namespaces',
 67 |                         action='store_true')
 68 |     parser.add_argument('--disable-report',
 69 |                         help='do not generate automatic report',
 70 |                         action='store_true')
 71 |     parser.add_argument('--enable-sql',
 72 |                         help='write analysis to SQL database',
 73 |                         action='store_true')
 74 |     parser.add_argument('--disable-json',
 75 |                         help='do not dump analysis to JSON',
 76 |                         action='store_true')
 77 |     parser.add_argument('--import-exodus',
 78 |                         help='import ETIP Exodus Privacy trackers '
 79 |                         'and add them to kit config file',
 80 |                         action='store_true')
 81 |     parser.add_argument('--config',
 82 |                         help='general configuration file for DroidLysis. Default: ./conf/general.conf',
 83 |                         default='./conf/general.conf',
 84 |                         action='store')
 85 | 
 86 |     args = parser.parse_args()
 87 |     if args.verbose:
 88 |         logging.getLogger().setLevel(logging.DEBUG)
 89 |     # create output dir if necessary
 90 |     droidutil.mkdir_if_necessary(args.output)
 91 |     # create movein dir if necessary
 92 |     droidutil.mkdir_if_necessary(args.movein)
 93 |     return args
 94 | 
 95 | 
 96 | def process_input(args):
 97 |     """
 98 |     Process input.
 99 |     Provide ArgumentParser as argument.
100 |     @args args.input contains a list of files and directories to process.
101 |     each file in an input directory are processed, but not recursively.
102 |     each input file is process.
103 |     """
104 |     config = generalconfig(filename=args.config, verbose=args.verbose)
105 |     sql = None
106 |     if args.enable_sql:
107 |         sql = DroidSql()
108 | 
109 |     for element in args.input:
110 |         if os.path.isdir(element):
111 |             listing = os.listdir(element)
112 |             for file in listing:
113 |                 process_file(config,
114 |                              os.path.join(element, file),
115 |                              outdir=args.output,
116 |                              verbose=args.verbose,
117 |                              clear=args.clearoutput,
118 |                              disable_report=args.disable_report,
119 |                              no_kit_exception=args.no_kit_exception,
120 |                              sql=sql,
121 |                              disable_json=args.disable_json,
122 |                              import_exodus=args.import_exodus)
123 |                 if args.movein:
124 |                     logging.debug("Moving %s to %s" %
125 |                                   (os.path.join('.', element),
126 |                                    os.path.join(args.movein, element)))
127 |                     # TODO: issue if inner dirs. Are we handling this?
128 |                     try:
129 |                         os.rename(os.path.join(element, file),
130 |                                   os.path.join(args.movein, file))
131 |                     except OSError as e:
132 |                         logging.debug("%s no longer present?: %s\n" % (file, str(e)))
133 | 
134 |         if os.path.isfile(element):
135 |             process_file(config,
136 |                          os.path.join('.', element),
137 |                          outdir=args.output,
138 |                          verbose=args.verbose,
139 |                          clear=args.clearoutput,
140 |                          disable_report=args.disable_report,
141 |                          silent=args.silent,
142 |                          no_kit_exception=args.no_kit_exception,
143 |                          sql=sql,
144 |                          disable_json=args.disable_json,
145 |                          import_exodus=args.import_exodus
146 |                          )
147 |             if args.movein:
148 |                 logging.debug("Moving %s to %s" %
149 |                               (os.path.join('.', element),
150 |                                os.path.join(args.movein, os.path.basename(element))))
151 |                 os.rename(os.path.join('.', element), os.path.join(args.movein, os.path.basename(element)))
152 | 
153 | 
154 | def process_file(config,
155 |                  infile,
156 |                  outdir='/tmp/analysis',
157 |                  verbose=False,
158 |                  clear=False,
159 |                  disable_report=False,
160 |                  silent=False,
161 |                  no_kit_exception=False,
162 |                  sql=None,
163 |                  disable_json=False,
164 |                  import_exodus=False):
165 |     """Static analysis of a given file"""
166 | 
167 |     if os.access(infile, os.R_OK):
168 |         if not silent:
169 |             print("Processing file: " + infile + " ...")
170 |         sample = droidsample.droidsample(config=config,
171 |                                          filename=infile,
172 |                                          output=outdir,
173 |                                          verbose=verbose,
174 |                                          clear=clear,
175 |                                          disable_description=disable_report,
176 |                                          silent=silent,
177 |                                          no_kit_exception=no_kit_exception,
178 |                                          import_exodus=import_exodus)
179 |         sample.unzip()
180 |         sample.disassemble()
181 |         sample.extract_file_properties()
182 |         sample.extract_meta_properties()
183 |         sample.extract_manifest_properties()
184 |         sample.extract_dex_properties()
185 |         listofkits = sample.extract_kit_properties()
186 |         if no_kit_exception:
187 |             listofkits = []
188 |         sample.extract_smali_properties(listofkits)
189 |         sample.extract_wide_properties(listofkits)
190 | 
191 |         if sql is not None:
192 |             sample.properties.write(sql)
193 | 
194 |         if not disable_json:
195 |             sample.properties.dump_json(os.path.join(sample.outdir, json_file))
196 | 
197 |         if not silent and not clear:
198 |             report = droidreport.droidreport(sample, console=True, report_to_file=disable_report)
199 |             report.write(os.path.join(sample.outdir, report_file), verbose)
200 | 
201 |         if not clear:
202 |             analysis_file = open(os.path.join(sample.outdir, property_dump_file), 'a')
203 |             analysis_file.write(str(sample.properties))
204 |             analysis_file.close()
205 |         else:
206 |             if not silent:
207 |                 print("Removing directory %s ..." % (sample.outdir))
208 |             proc = subprocess.Popen(['rm', '-rf', sample.outdir])
209 |             proc.communicate()
210 | 
211 |         sample.close()
212 | 
213 | 
214 | def check_python_version():
215 |     if sys.version_info.major < 3:
216 |         print("ERROR: Please run DroidLysis with Python 3")
217 |         quit()
218 | 
219 | 
220 | if __name__ == "__main__":
221 |     check_python_version()
222 |     args = get_arguments()
223 |     process_input(args)
224 |     print("END")
225 | 


--------------------------------------------------------------------------------
/droidproperties.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __status__ = "Beta"
  6 | __license__ = "MIT License"
  7 | """
  8 | 
  9 | import droidutil
 10 | import droidconfig
 11 | import droidcountry
 12 | import droidsql
 13 | import json
 14 | import requests
 15 | import logging
 16 | import re
 17 | import configparser  # to import Exodus Privacy trackers
 18 | from sqlalchemy.orm import sessionmaker
 19 | import sqlalchemy.exc
 20 | 
 21 | logging.basicConfig(format='%(levelname)s:%(filename)s:%(message)s',
 22 |                     level=logging.INFO)
 23 | 
 24 | 
 25 | # This is where to set whether given fields have
 26 | # a meaning or not for a given file type
 27 | applicability = {'file_size': [droidutil.APK, droidutil.DEX, droidutil.ARM,
 28 |                                droidutil.CLASS, droidutil.ZIP, droidutil.RAR],
 29 |                  'file_small': [droidutil.APK, droidutil.DEX, droidutil.ARM,
 30 |                                 droidutil.CLASS, droidutil.ZIP, droidutil.RAR],
 31 |                  'file_nb_classes': [droidutil.APK, droidutil.DEX],
 32 |                  'file_nb_dir': [droidutil.APK, droidutil.DEX],
 33 |                  'file_innerzips': [droidutil.APK, droidutil.ZIP, droidutil.RAR],
 34 |                  'cert': [droidutil.APK],
 35 |                  'manifest': [droidutil.APK],
 36 |                  'smali': [droidutil.APK, droidutil.DEX],
 37 |                  'wide': [droidutil.APK, droidutil.DEX],
 38 |                  'arm': [droidutil.APK, droidutil.ARM],
 39 |                  'dex': [droidutil.APK, droidutil.DEX],
 40 |                  'kit': [droidutil.APK, droidutil.DEX]
 41 |                  }
 42 | 
 43 | class droidproperties:
 44 |     verbose = False
 45 |     """Extracted properties"""
 46 | 
 47 |     """Field allocation"""
 48 |     certificate = {}
 49 |     manifest = {}
 50 |     smali = {}
 51 |     wide = {}
 52 |     arm = {}
 53 |     dex = {}
 54 |     kits = {}
 55 | 
 56 |     def __init__(self, config, samplename='', sha256='', verbose=False, import_exodus=False):
 57 |         """Properties concern a given sample identified by a basename (to be helpful) and a sha256 (real reference)"""
 58 |         self.config = config
 59 |         self.verbose = verbose
 60 |         if verbose:
 61 |             logging.getLogger().setLevel(logging.DEBUG)
 62 |         self.sha256 = sha256
 63 |         self.sanitized_basename = samplename
 64 |         self.import_exodus = import_exodus
 65 |         self.clear_fields()
 66 | 
 67 |     def clear_fields(self):
 68 |         """Re-initialize all fields of the object - to default values"""
 69 |         self.file_nb_classes = 0
 70 |         self.file_nb_dir = 0
 71 |         self.file_size = 0
 72 |         self.file_small = False
 73 |         self.filetype = droidutil.UNKNOWN
 74 |         self.file_innerzips = False
 75 | 
 76 |         self.certificate.clear()
 77 |         self.certificate = {'av': False,
 78 |                             'algo': None,
 79 |                             'debug': False,
 80 |                             'dev': False,
 81 |                             'famous': False,
 82 |                             'serialno': None,
 83 |                             'country': droidcountry.country['unknown'],
 84 |                             'owner': None,
 85 |                             'timestamp': None,
 86 |                             'year': 0,
 87 |                             'unknown_country': False
 88 |                             }
 89 | 
 90 |         self.manifest.clear()
 91 |         self.manifest = {
 92 |             'activities': [],
 93 |             'libraries': [],
 94 |             'listens_incoming_sms': False,
 95 |             'listens_outgoing_call': False,
 96 |             'maxSDK': 0,
 97 |             'main_activity': None,
 98 |             'minSDK': 0,
 99 |             'package_name': None,
100 |             'permissions': [],
101 |             'providers': [],
102 |             'receivers': [],
103 |             'services': [],
104 |             'swf': False,
105 |             'targetSDK': 0
106 |         }
107 | 
108 |         # automatically adding smali properties. 
109 |         self.smali.clear()
110 |         self.smaliconfig = droidconfig.droidconfig(self.config.SMALI_CONFIGFILE, self.verbose)
111 |         for section in self.smaliconfig.get_sections():
112 |             self.smali[section] = False
113 | 
114 |         self.smali['packed'] = False  # This property is not in conf section as it is deduced from no main activity + loading DEX dynamically
115 |         self.smali['multidex'] = []
116 | 
117 |         # automatically adding wide properties
118 |         self.wide.clear()
119 |         self.wide['app_name'] = None
120 |         self.wide['phonenumbers'] = []
121 |         self.wide['urls'] = []
122 |         self.wide['base64_strings'] = []
123 |         self.wide['apk_zip_url'] = False
124 |         self.wideconfig = droidconfig.droidconfig(self.config.WIDE_CONFIGFILE, self.verbose)
125 |         for section in self.wideconfig.get_sections():
126 |             self.wide[section] = False
127 | 
128 |         # automatically add ARM properties
129 |         self.arm.clear()
130 |         self.armconfig = droidconfig.droidconfig(self.config.ARM_CONFIGFILE, self.verbose)
131 |         for section in self.armconfig.get_sections():
132 |             self.arm[section] = False
133 | 
134 |         self.dex.clear()
135 |         self.dex = {'magic': 0,
136 |                     'odex': False,
137 |                     'magic_unknown': False,
138 |                     'bad_sha1': False,
139 |                     'bad_adler32': False,
140 |                     'big_header': False,
141 |                     'thuxnder': False
142 |                     }
143 | 
144 |         # automatically set to False kit properties
145 |         self.kits.clear()
146 |         logging.debug(f'Reading Kit Config file = {self.config.KIT_CONFIGFILE}')
147 |         self.kitsconfig = droidconfig.droidconfig(self.config.KIT_CONFIGFILE,
148 |                                                   self.verbose)
149 |         for section in self.kitsconfig.get_sections():
150 |             self.kits[section] = False
151 | 
152 |         if self.import_exodus:
153 |             self.import_exodus_trackers()
154 |             quit()
155 |         # END OF reinit to default values
156 | 
157 |     def import_exodus_trackers(self):
158 |         # import ETIP Exodus Privacy trackers
159 |         url = 'https://etip.exodus-privacy.eu.org/api/trackers/?format=json'
160 |         logging.debug(f'Importing ETIP Exodus trackers from {url}')
161 |         r = requests.get(url)
162 |         if r.status_code != 200:
163 |             logging.warning('Cannot download Exodus Privacy trackers: '
164 |                             f'{url} responds code={r.status_code}')
165 |             return
166 |         j = json.loads(r.text)
167 |         config = configparser.ConfigParser()
168 |         for tracker in j:
169 |             # remove trailing dots
170 |             code_signature = re.sub('\.\|', '|', tracker['code_signature']).rstrip('.').lstrip('.').replace('.', '/').replace('\/', '/').split('|')
171 |             for sig in code_signature:
172 |                 if len(re.sub('[^a-zA-Z0-9/_]', '', sig)) == 0:
173 |                     continue
174 |                 if self.kitsconfig.is_pattern_present(sig):
175 |                     # logging.debug(f'Not adding tracker={tracker["name"]}'
176 |                     #              f' as pattern={sig} is already present')
177 |                     break
178 |                 # sanitize name
179 |                 name = re.sub('[^a-zA-Z0-9]', '', tracker['name']).lower()
180 |                 # if our signature is more generic, nothing to do
181 |                 if name in self.kits:
182 |                     # our signature is less generic / missing a pattern
183 |                     logging.debug(f'name={name} sig={sig} pattern={self.kitsconfig.get_pattern(name)}')
184 |                     logging.warning(f'You should add pattern={sig}'
185 |                                     f' in tracker={tracker["name"]}')
186 |                     break
187 |                 logging.debug(f'Adding Exodus Tracker: {name}')
188 |                 config[name] = {}
189 |                 config[name]['description'] = f'{tracker["name"]} (from ETIP Exodus Privacy list)'
190 |                 config[name]['pattern'] = '|'.join(code_signature)
191 |                 break
192 |         logging.debug('Appending imported trackers '
193 |                       f'to {self.config.KIT_CONFIGFILE}')
194 |         with open(self.config.KIT_CONFIGFILE, 'a') as configfile:
195 |             config.write(configfile)
196 | 
197 |     def write(self, sql):
198 |         Session = sessionmaker(bind=sql.engine)
199 |         session = Session()
200 |         sample = droidsql.Sample(sha256=self.sha256,
201 |                                  sanitized_basename=self.sanitized_basename,
202 |                                  file_nb_classes=self.file_nb_classes,
203 |                                  file_nb_dir=self.file_nb_dir,
204 |                                  file_size=self.file_size,
205 |                                  file_small=self.file_small,
206 |                                  filetype=self.filetype,
207 |                                  file_innerzips=self.file_innerzips,
208 |                                  manifest_properties=json.dumps(self.manifest),
209 |                                  smali_properties=json.dumps(self.smali),
210 |                                  wide_properties=json.dumps(self.wide),
211 |                                  arm_properties=json.dumps(self.arm),
212 |                                  dex_properties=json.dumps(self.dex),
213 |                                  kits=json.dumps(self.kits))
214 |         session.add(sample)
215 |         try:
216 |             session.commit()
217 |         except sqlalchemy.exc.IntegrityError:
218 |             # occurs when the sample with the same sha256 is already in
219 |             logging.debug("Sample is already in the database")
220 | 
221 |     def dump_json(self, filename='report.json'):
222 |         data = {'sanitized_basename': self.sanitized_basename,
223 |                 'file_nb_classes': self.file_nb_classes,
224 |                 'file_nb_dir': self.file_nb_dir,
225 |                 'file_size': self.file_size,
226 |                 'file_small': self.file_small,
227 |                 'filetype': self.filetype,
228 |                 'file_innerzips': self.file_innerzips,
229 |                 'manifest_properties': self.manifest,
230 |                 'smali_properties': self.smali,
231 |                 'wide_properties': self.wide,
232 |                 'arm_properties': self.arm,
233 |                 'dex_properties': self.dex,
234 |                 'kits': self.kits
235 |                 }
236 |         if self.verbose:
237 |             print("-------------")
238 |             print("Dumping to JSON file {}".format(filename))
239 |         f = open(filename, 'w')
240 |         f.write(json.dumps(data))
241 |         f.close()
242 | 


--------------------------------------------------------------------------------
/droidreport.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # $Source$
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __license__ = "MIT License"
  6 | """
  7 | 
  8 | 
  9 | class droidversion:
 10 |     """A small class to hold different versions of Android"""
 11 |     def __init__(self, versionstring, apilevel, codename=''):
 12 |         self.codename = codename
 13 |         self.version = versionstring
 14 |         self.apilevel = apilevel
 15 | 
 16 |     def __str__(self):
 17 |         return "Android %s - %s (API level %d)" % (self.versionstring, self.codename, self.apilevel)
 18 | 
 19 | 
 20 | versions = [droidversion('1.0', 1),
 21 |             droidversion('1.1', 2),
 22 |             droidversion('1.5', 3, 'Cupcake'),
 23 |             droidversion('1.6', 4, 'Donut'),
 24 |             droidversion('2.0', 5, 'Eclair'),
 25 |             droidversion('2.0.1', 6, 'Eclair'),
 26 |             droidversion('2.1', 7, 'Eclair'),
 27 |             droidversion('2.2', 8, 'Froyo'),
 28 |             droidversion('2.3', 9, 'Gingerbread'),
 29 |             droidversion('2.3.3', 10, 'Gingerbread'),
 30 |             droidversion('3.0', 11, 'Honeycomb'),
 31 |             droidversion('3.1', 12, 'Honeycomb'),
 32 |             droidversion('3.2', 13, 'Honeycomb'),
 33 |             droidversion('4.0', 14, 'Ice Cream Sandwich'),
 34 |             droidversion('4.0.3', 15, 'Ice Cream Sandwich'),
 35 |             droidversion('4.1', 16, 'Jelly Bean'),
 36 |             droidversion('4.2', 17, 'Jelly Bean'),
 37 |             droidversion('4.3', 18, 'Jelly Bean'),
 38 |             droidversion('4.4', 19, 'KitKat'),
 39 |             droidversion('5.0', 21, 'Lollipop'),
 40 |             droidversion('5.1', 22, 'Lollipop'),
 41 |             droidversion('6.0', 23, 'Marshmallow'),
 42 |             droidversion('7.0', 24, 'Nougat'),
 43 |             droidversion('7.1', 25, 'Nougat'),
 44 |             droidversion('8.0', 26, 'Oreo'),
 45 |             droidversion('8.1', 27, 'Oreo'),
 46 |             droidversion('9.0', 28, 'Pie'),
 47 |             droidversion('10', 29, 'Q'),
 48 |             droidversion('11', 30, 'R'),
 49 |             droidversion('12.0', 31, 'Snow Cone'),
 50 |             droidversion('12.1', 32, 'Snow Cone v2'),
 51 |             droidversion('13', 33, 'Tiramisu'),
 52 |             droidversion('14', 34, 'Upside Down Cake')
 53 |             ]
 54 | 
 55 | # ------------------------------------------------------
 56 | 
 57 | class droidreport:
 58 |     def __init__(self, sample, console=True, report_to_file=True):
 59 |         # console means we want to display the result on the console
 60 |         # report file means we want to dump in the report file
 61 |         self.sample = sample
 62 |         self.console = console
 63 |         self.report_to_file = report_to_file
 64 | 
 65 |     def write(self, report_file, verbose=True):
 66 |         if verbose:
 67 |             print( "Writing report to " + report_file)
 68 |         if self.report_to_file:
 69 |             self.reportfile = open(report_file, 'w')
 70 |             self.reportfile.write("# %s\n\n" % (self.sample.properties.sha256))
 71 | 
 72 |         self.write_properties()
 73 | 
 74 |         if self.report_to_file:
 75 |             self.reportfile.close()
 76 | 
 77 |     def write_file(self, message):
 78 |         if self.report_to_file:
 79 |             self.reportfile.write(message)
 80 | 
 81 |     def write_console(self, message):
 82 |         if self.console:
 83 |             print(message)
 84 | 
 85 |     def write_properties(self):
 86 |         # Header / File info
 87 |         print("\033[1;36;1m============= Report ============\033[0m")
 88 |         self.write_file("{0:20.20}: {1}\n".format('Sanitized basename', self.sample.properties.sanitized_basename))
 89 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m".format('Sanitized basename',
 90 |                                                                       self.sample.properties.sanitized_basename))
 91 |         
 92 |         self.write_file("{0:20.20}: {1}\n".format('SHA256', self.sample.properties.sha256))
 93 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m".format('SHA256', self.sample.properties.sha256))
 94 | 
 95 |         self.write_file("{0:20.20}: {1} bytes\n".format('File size', self.sample.properties.file_size))
 96 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m bytes".format('File size',
 97 |                                                                             self.sample.properties.file_size))
 98 | 
 99 |         self.write_file("{0:20.20}: {1}\n".format('Is small', self.sample.properties.file_small))
100 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m".format('Is small', self.sample.properties.file_small))
101 | 
102 |         self.write_file("{0:20.20}: {1}\n".format('Nb of classes', self.sample.properties.file_nb_classes))
103 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m".format('Nb of classes',
104 |                                                                       self.sample.properties.file_nb_classes))
105 | 
106 |         self.write_file("{0:20.20}: {1}\n".format('Nb of directories', self.sample.properties.file_nb_dir))
107 |         self.write_console("{0:20.20}: \033[1;37;1m{1}\033[0m".format('Nb of dirs', self.sample.properties.file_nb_dir))
108 | 
109 | 
110 |         # Certificate properties
111 |         self.write_file("\nCertificate properties:\n")
112 |         self.write_console("\n\033[0;30;47mCertificate properties\033[0m")
113 |         
114 |         for key in self.sample.properties.certificate.keys():
115 |             if self.sample.properties.certificate[key] is not False:
116 |                 self.write_console("{0:20.20}: \033[1;36;1m{1}\033[0m".format(key,
117 |                                                                               self.sample.properties.certificate[key]))
118 |             self.write_file("{0:20.20}: {1}\n".format(key, self.sample.properties.certificate[key]))
119 | 
120 |         # Manifest properties
121 |         self.write_file("\nManifest properties:\n")
122 |         self.write_console("\n\033[0;30;47mManifest properties\033[0m")
123 |         for key in self.sample.properties.manifest.keys():
124 |             if self.sample.properties.manifest[key] is not False \
125 |                     and self.sample.properties.manifest[key] is not None and self.sample.properties.manifest[key]:
126 |                 self.write_file("{0:20.20}: {1}\n".format(key, self.sample.properties.manifest[key]))
127 |                 self.write_console("{0:20.20}: \033[1;36;1m{1}\033[0m".format(key,
128 |                                                                               self.sample.properties.manifest[key]))
129 |             else:
130 |                 self.write_file("{0:20.20}: {1}\n".format(key,     self.sample.properties.manifest[key]))
131 | 
132 | 
133 |         # Smali properties
134 |         self.write_file("\nSmali properties\n")
135 |         self.write_console("\n\033[0;30;47mSmali properties /  What the Dalvik code does\033[0m")
136 |         for section in self.sample.properties.smali.keys():
137 |             if self.sample.properties.smali[section] is not False:
138 |                 if (type(self.sample.properties.smali[section]) is list and
139 |                     len(self.sample.properties.smali[section]) > 0) or \
140 |                         (type(self.sample.properties.smali[section]) is bool):
141 |                     self.write_console("{0:20.20}: \033[1;31;1m{1} \033[1;33;40m({2})\033[0m".format(section,
142 |                                                                                                      self.sample.properties.smali[section],
143 |                                                                                                      self.sample.properties.smaliconfig.get_description(section)))
144 |                     self.write_file("{0:20.20}: {1} ({2})\n".format(section,
145 |                                                                     self.sample.properties.smali[section],
146 |                                                                     self.sample.properties.smaliconfig.get_description(section)))
147 |             else:
148 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.smali[section]))
149 | 
150 |         # Wide properties
151 |         self.write_file("\nWide properties\n")
152 |         self.write_console("\n\033[0;30;47mWide properties /  What Resources/Assets do\033[0m")
153 |         for section in self.sample.properties.wide.keys():
154 |             if self.sample.properties.wide[section] is not False and self.sample.properties.wide[section] is not None \
155 |                     and self.sample.properties.wide[section]:
156 |                 if self.sample.properties.wideconfig.get_description(section) is not None:
157 |                     self.write_console("{0:20.20}: \033[1;31;1m{1} \033[1;33;40m({2})\033[0m".format(section,
158 |                                                                                                      self.sample.properties.wide[section],
159 |                                                                                                      self.sample.properties.wideconfig.get_description(section)))
160 |                     self.write_file("{0:20.20}: {1} ({2})\n".format(section, self.sample.properties.wide[section],
161 |                                                                     self.sample.properties.wideconfig.get_description(section)))
162 |                 else:
163 |                     self.write_console("{0:20.20}: \033[1;31;1m{1}\033[0m".format(section,
164 |                                                                                   self.sample.properties.wide[section]))
165 |                     self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.wide[section]))
166 |             else:
167 |                 # case where the property is False, or None.
168 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.wide[section]))
169 | 
170 |         # ARM properties
171 |         self.write_file("\nARM properties\n")
172 |         self.write_console("\n\033[0;30;47mARM properties /  What native ARM libraries do\033[0m")
173 |         for section in self.sample.properties.arm.keys():
174 |             if self.sample.properties.arm[section] is not False and self.sample.properties.arm[section] is not None:
175 |                 if self.sample.properties.armconfig.get_description(section) is not None:
176 |                     self.write_console("{0:20.20}: \033[1;31;1m{1} \033[1;33;40m({2})\033[0m".format(section,
177 |                                                                                                      self.sample.properties.arm[section],
178 |                                                                                                      self.sample.properties.armconfig.get_description(section)))
179 |                     self.write_file("{0:20.20}: {1} ({2})\n".format(section, self.sample.properties.arm[section],
180 |                                                                     self.sample.properties.armconfig.get_description(section)))
181 |                 else:
182 |                     self.write_console("{0:20.20}: \033[1;31;1m{1}\033[0m".format(section, self.sample.properties.arm[section]))
183 |                     self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.arm[section]))
184 |             else:
185 |                 # case where the property is False, or None.
186 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.arm[section]))
187 | 
188 |         # DEX properties
189 |         self.write_file("\nDEX properties\n")
190 |         self.write_console("\n\033[0;30;47mDEX properties /  About classes.dex format\033[0m")
191 |         for section in self.sample.properties.dex.keys():
192 |             if self.sample.properties.dex[section] is not False and self.sample.properties.dex[section] is not None:
193 |                 self.write_console("{0:20.20}: \033[1;31;1m{1} \033[0m".format(section,
194 |                                                                                self.sample.properties.dex[section]))
195 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.dex[section]))
196 |             else:
197 |                 # case where the property is False, or None.
198 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.dex[section]))
199 |                 
200 |         # Kits properties
201 |         self.write_file("\nKit properties\n")
202 |         self.write_console("\n\033[0;30;47mKit properties /  Detected 3rd party SDKs\033[0m")
203 |         for section in self.sample.properties.kits.keys():
204 |             if self.sample.properties.kits[section] is not False and self.sample.properties.kits[section] is not None:
205 |                 if self.sample.properties.kitsconfig.get_description(section) is not None:
206 |                     self.write_console("{0:20.20}: \033[1;31;1m{1} \033[1;33;40m({2})\033[0m".format(section,
207 |                                                                                                      self.sample.properties.kits[section],
208 |                                                                                                      self.sample.properties.kitsconfig.get_description(section)))
209 |                     self.write_file("{0:20.20}: {1} ({2})\n".format(section, self.sample.properties.kits[section],
210 |                                                                     self.sample.properties.kitsconfig.get_description(section)))
211 |                 else:
212 |                     self.write_console("{0:20.20}: \033[1;31;1m{1}\033[0m".format(section,
213 |                                                                                   self.sample.properties.kits[section]))
214 |                     self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.kits[section]))
215 |             else:
216 |                 # case where the property is False, or None.
217 |                 self.write_file("{0:20.20}: {1}\n".format(section, self.sample.properties.kits[section]))
218 |         
219 | 


--------------------------------------------------------------------------------
/droidsample.py:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/env python
   2 | 
   3 | """
   4 | __author__ = "Axelle Apvrille"
   5 | __license__ = "MIT License"
   6 | """
   7 | import hashlib
   8 | import base64
   9 | import os
  10 | import re
  11 | import sys
  12 | import string
  13 | import struct
  14 | import zlib
  15 | import shutil
  16 | import subprocess
  17 | import xml.dom.minidom
  18 | import droidutil
  19 | import droidlysis3
  20 | import droidconfig
  21 | import droidcountry
  22 | import droidproperties
  23 | import droidziprar
  24 | import droidurl
  25 | import xml.parsers.expat as expat
  26 | import logging
  27 | 
  28 | logging.basicConfig(format='%(levelname)s:%(filename)s:%(message)s',
  29 |                     level=logging.INFO)
  30 | 
  31 | 
  32 | class droidsample:
  33 |     # Base class for an Android sample to analyze
  34 | 
  35 |     def __init__(self,
  36 |                  config,
  37 |                  filename,
  38 |                  output='/tmp/analysis',
  39 |                  verbose=False,
  40 |                  clear=False,
  41 |                  disable_description=False,
  42 |                  silent=False,
  43 |                  no_kit_exception=False,
  44 |                  import_exodus=False):
  45 |         # Setup analysis of a given sample.
  46 |         # This does not perform the analysis in itself
  47 | 
  48 |         assert filename is not None, "Filename is invalid"
  49 | 
  50 |         self.config = config
  51 |         self.absolute_filename = filename
  52 |         self.clear = clear
  53 |         # we need those for recursive calls to process_file
  54 |         self.disable_description = disable_description
  55 |         self.silent = silent
  56 |         self.no_kit_exception = no_kit_exception
  57 |         self.ziprar = None  # zip file or rar file file handle
  58 |         self.verbose = verbose
  59 |         if verbose:
  60 |             logging.getLogger().setLevel(logging.DEBUG)
  61 | 
  62 |         sanitized_basename = droidutil.sanitize_filename(
  63 |             os.path.basename(filename))
  64 | 
  65 |         self.properties = droidproperties.droidproperties(
  66 |             config=self.config,
  67 |             samplename=sanitized_basename,
  68 |             sha256=droidutil.sha256sum(filename),
  69 |             verbose=verbose,
  70 |             import_exodus=import_exodus)
  71 |         logging.debug("SHA256: %s" % (self.properties.sha256))
  72 | 
  73 |         """Computing the SHA1 of a file is only useful to help out the analyst.
  74 |         The digest is written to the automatic analysis/description
  75 |         of the sample. That description is located in the output analysis
  76 |         directory, so obviously, if the end-user specifies he wants
  77 |         the output analysis directory erased, he obviously
  78 |         does not want to know about the SHA1 digest, and
  79 |         thus it's useless to compute it."""
  80 |         if not clear:
  81 |             sha1 = droidutil.sha1sum(filename)
  82 |             logging.debug("SHA1: %s" % (sha1))
  83 | 
  84 |         # Creating the output analysis directory
  85 |         self.outdir = os.path.join(output, '{filename}-{hash}'.format(
  86 |                 filename=sanitized_basename,
  87 |                 hash=self.properties.sha256))
  88 | 
  89 |         logging.debug("Output dir: " + self.outdir)
  90 | 
  91 |         if os.path.exists(self.outdir):
  92 |             try:
  93 |                 shutil.rmtree(self.outdir,
  94 |                               ignore_errors=droidutil.on_rm_tree_error)
  95 |                 os.makedirs(self.outdir)
  96 |             except RuntimeError:
  97 |                 logging.debug("Failed to remove directory RuntimeError")
  98 |         else:
  99 |             os.makedirs(self.outdir)
 100 | 
 101 |         # standard output for shell commands
 102 |         if self.verbose:
 103 |             self.process_output = None
 104 |         else:
 105 |             self.process_output = open("/dev/null", 'w')
 106 | 
 107 |     def close(self):
 108 |         if self.process_output is not None:
 109 |             self.process_output.close()
 110 | 
 111 |     def unzip(self):
 112 |         """
 113 |         This method will unzip/unrar the sample,
 114 |         and recursively unzip/unrar inner zips/rars.
 115 |         If we are not removing the analysis directory
 116 |         (clearoutput option), then we also
 117 |         unzip the sample in outdir/unzipped subdirectory.
 118 |         If the sample is password protected,
 119 |         we try 'infected' as password.
 120 |         Returns the file type of the sample: droidutil
 121 |         <FILE CONSTANT> (UNKNOWN, APK, DEX, ...)
 122 |         """
 123 |         logging.debug("------------- Unzipping %s" % (self.absolute_filename))
 124 | 
 125 |         self.properties.filetype = droidutil.get_filetype(
 126 |             self.absolute_filename)
 127 | 
 128 |         if self.properties.filetype == droidutil.ARM or \
 129 |            self.properties.filetype == droidutil.UNKNOWN or \
 130 |            self.properties.filetype == droidutil.DEX:
 131 |             logging.debug("This is a %s. Nothing to unzip for %s"
 132 |                           % (droidutil.str_filetype(self.properties.filetype),
 133 |                              self.absolute_filename))
 134 |             return self.properties.filetype
 135 | 
 136 |         if self.properties.filetype == droidutil.ZIP or \
 137 |                 self.properties.filetype == droidutil.RAR:
 138 |             if self.properties.filetype == droidutil.ZIP:
 139 |                 self.ziprar = droidziprar.droidziprar(
 140 |                     self.absolute_filename,
 141 |                     zipmode=True, verbose=self.verbose)
 142 |             else:
 143 |                 self.ziprar = droidziprar.droidziprar(
 144 |                     self.absolute_filename,
 145 |                     zipmode=False, verbose=self.verbose)
 146 |             if self.ziprar.handle is None:
 147 |                 self.properties.filetype = droidutil.UNKNOWN  # damaged zip/rar
 148 |                 logging.debug("Unable to unzip/unrar %s because of errors"
 149 |                               % self.absolute_filename)
 150 |                 return droidutil.UNKNOWN
 151 |             # Now, we know self.ziprar is valid and open.
 152 |             self.properties.filetype, innerzips = self.ziprar.get_type()
 153 |             if innerzips:
 154 |                 self.properties.file_innerzips = True
 155 |                 logging.debug("There are inner zips/rars in "
 156 |                               + self.absolute_filename)
 157 | 
 158 |                 for element in innerzips:
 159 |                     # extract the inner zip/rar
 160 |                     logging.debug("Extracting " + element
 161 |                                   + " inside " + self.absolute_filename)
 162 |                     try:
 163 |                         self.ziprar.extract_one_file(element, self.outdir)
 164 |                         logging.debug("Recursively processing "
 165 |                                       + os.path.join(self.outdir, element))
 166 |                         # TODO: this is probably buggy: we
 167 |                         # should be providing enable_sql too etc.
 168 |                         droidlysis3.process_file(
 169 |                             os.path.join(self.outdir, element),
 170 |                             self.outdir, self.verbose, self.clear,
 171 |                             self.disable_description,
 172 |                             self.no_kit_exception)
 173 |                     except:
 174 |                         logging.warning("Cannot extract %s : %s"
 175 |                                         % (element, sys.exc_info()[0]))
 176 | 
 177 |         if self.properties.filetype == droidutil.APK:
 178 |             # our zip actually is an APK
 179 |             if not self.clear:
 180 |                 # let's unzip
 181 |                 logging.debug("Unzipping " +
 182 |                               self.absolute_filename
 183 |                               + " to " + os.path.join(self.outdir, 'unzipped'))
 184 |                 try:
 185 |                     self.ziprar.extract_all(
 186 |                         outdir=os.path.join(self.outdir, 'unzipped'))
 187 |                 except:
 188 |                     logging.warning("Unzipping failed (catching exception): %s"
 189 |                                     % (sys.exc_info()[0]))
 190 | 
 191 |         return self.properties.filetype
 192 | 
 193 |     def disassemble(self):
 194 |         """
 195 |         Disassembles the sample (as much as possible),
 196 |         and if the end-user is interested in output (clear unset)
 197 |         also decompiles it (as much as possible).
 198 | 
 199 |         APK: 
 200 |                 java -jar apktool.jar [-q] d file.apk outdir/apktool
 201 |                 if apktool failed
 202 |                       java -jar baksmali.jar -o outdir/smali classes.dex in file.apk
 203 |                 if clear unset,
 204 |                       unzip file.apk -d outdir/unzipped
 205 |                 else
 206 |                       just unzip META-INF/
 207 | 
 208 |         DEX:
 209 |                 java -jar baksmali.jar -o outdir/smali classes.dex
 210 |                 if clear unset,
 211 |                       make sure classes.dex is readable
 212 |                       dex2jar classes.dex -o classes-dex2jar.jar
 213 |                       unzip -qq classes-dex2jar.jar -d outdir/unjarred
 214 | 
 215 |         What we'll find:
 216 |         APK, clear unset: ./smali AndroidManifest.xml ./unzipped classes.dex classes-dex2jar.jar ./unjarred 
 217 |         APK, clear set  : ./smali AndroidManifest.xml classes.dex
 218 | 
 219 |         DEX, clear unset: classes.dex ./smali
 220 |         DEX, clear set  : classes.dex ./smali classes-dex2jar.jar ./unjarred
 221 | 
 222 |         """
 223 |         logging.debug("------------- Disassembling")
 224 | 
 225 |         if self.properties.filetype == droidutil.ARM or \
 226 |                 self.properties.filetype == droidutil.RAR or \
 227 |                 self.properties.filetype == droidutil.CLASS or \
 228 |                 self.properties.filetype == droidutil.UNKNOWN:
 229 |             logging.debug("Nothing to disassemble for "
 230 |                           + self.absolute_filename)
 231 |             return
 232 | 
 233 |         if self.properties.filetype == droidutil.APK:
 234 |             # APKTOOL won't output to an existing
 235 |             # dir unless you use the -f switch. But then, -f erases the contents
 236 |             # of the output dir... So we can't do this directly on self.outdir
 237 |             apktool_outdir = os.path.join(self.outdir, "apktool")
 238 |             logging.debug("Running apktool on inputfile="
 239 |                           + self.absolute_filename)
 240 | 
 241 |             if self.verbose:
 242 |                 logging.debug("Apktool command: java -jar %s d -f %s %s"
 243 |                               % (self.config.APKTOOL_JAR,
 244 |                                  self.absolute_filename, apktool_outdir))
 245 |                 subprocess.call(["java", "-jar", self.config.APKTOOL_JAR,
 246 |                                  "d", "-f", self.absolute_filename,
 247 |                                  "-o", apktool_outdir])
 248 |             else:
 249 |                 # with quiet option
 250 |                 subprocess.call(["java", "-jar", self.config.APKTOOL_JAR,
 251 |                                  "-q", "d", "-f", self.absolute_filename,
 252 |                                  "-o", apktool_outdir],
 253 |                                  stdout=self.process_output,
 254 |                                  stderr=self.process_output)
 255 | 
 256 |             if os.path.isdir(apktool_outdir):
 257 |                 droidutil.move_dir(apktool_outdir, self.outdir)
 258 | 
 259 |             # we want all smali_classes? dir in smali
 260 |             if os.path.exists(os.path.join(self.outdir, "smali_classes2")):
 261 |                 # we have multidex - we are going to move
 262 |                 # all smali classes in the same directory
 263 |                 logging.debug("Moving multidex smali classes to ./smali")
 264 | 
 265 |                 os.system("cp -R "
 266 |                           + os.path.join(self.outdir, "./smali_classes*/*")
 267 |                           + " " + os.path.join(self.outdir, "./smali"))
 268 |                 os.system("rm -r "
 269 |                           + os.path.join(self.outdir, "./smali_classes*"))
 270 |                 
 271 |             if self.verbose:
 272 |                 logging.debug("Apktool finished")
 273 | 
 274 |             # extract classes.dex whatever happens, we'll use it
 275 |             logging.debug("Extracting classes*.dex")
 276 |             try:
 277 |                 self.ziprar.extract_one_file('classes.dex', self.outdir)
 278 |                 for i in range(2, 1000):
 279 |                     self.ziprar.extract_one_file('classes{}.dex'.format(i), self.outdir)
 280 |                     if not os.path.exists(os.path.join(self.outdir, 'classes{}.dex'.format(i))):
 281 |                         break
 282 |                     self.properties.smali['multidex'].append('classes{}.dex'.format(i))
 283 |                     
 284 |             except:
 285 |                 logging.debug("Extracting classes.dex failed: %s" % (sys.exc_info()[0]))
 286 |                 logging.warning("Extracting classes.dex failed")
 287 | 
 288 |         # Disassemble the DEX(es)
 289 |         dex_files = []
 290 |         if self.properties.filetype == droidutil.DEX:
 291 |             dex_files.append(self.absolute_filename)
 292 |         else:
 293 |             if len(self.properties.smali['multidex']) > 0:
 294 |                 for d in self.properties.smali['multidex']:
 295 |                     dex_files.append(os.path.join(self.outdir, d))
 296 |             else:
 297 |                 dex_files.append(os.path.join(self.outdir, 'classes.dex'))
 298 | 
 299 |         smali_dir = os.path.join(self.outdir, 'smali')
 300 | 
 301 |         if (not os.access(smali_dir, os.R_OK) or
 302 |                 (os.access(smali_dir, os.R_OK) and not os.listdir(smali_dir))):
 303 |             # we only do this if apktool didn't baksmali correctly
 304 |             for d in dex_files:
 305 |                 if os.access(d, os.R_OK):
 306 |                     logging.debug("Baksmali on {} -> {}".format(d, smali_dir))
 307 |                     try:
 308 |                         subprocess.call(["java", "-jar", self.config.BAKSMALI_JAR,
 309 |                                          "d", "-o", smali_dir, d],
 310 |                                         stdout=self.process_output, stderr=self.process_output)
 311 |                     except:
 312 |                         logging.warning("[-] Baksmali failed for {}".format(d))
 313 | 
 314 |         # Decompile the DEX(es)
 315 |         logging.debug("------------- Decompiling")
 316 | 
 317 |         if not self.clear:
 318 |             for d in dex_files:
 319 |                 if os.access(d, os.R_OK):
 320 |                     jar_file = os.path.join(self.outdir, '{}-dex2jar.jar'.format(
 321 |                         os.path.splitext(os.path.basename(d))[0]))
 322 |                     if os.access(self.config.DEX2JAR_CMD, os.X_OK):
 323 |                         if self.verbose:
 324 |                             logging.debug("Dex2jar on " + d)
 325 |                             try:
 326 |                                 subprocess.call([self.config.DEX2JAR_CMD, "--force", d, "-o", jar_file],
 327 |                                                 stdout=self.process_output, stderr=self.process_output)
 328 |                             except:
 329 |                                 logging.warning("[-] Dex2jar failed on {}".format(d))
 330 |                     else:
 331 |                         logging.warning("Dex2jar software is not executable, skipping (file: {0})".format(self.config.DEX2JAR_CMD))
 332 |                     
 333 |                     if os.access(jar_file, os.R_OK):
 334 |                         logging.debug("Unjarring " + jar_file)
 335 |                         jarziprar = droidziprar.droidziprar(jar_file, zipmode=True, verbose=self.verbose)
 336 |                         if jarziprar.handle is None:
 337 |                             logging.debug("Bad Jar / Failed to unjar " + jar_file)
 338 |                         else:
 339 |                             try:
 340 |                                 jarziprar.extract_all(os.path.join(self.outdir, 'unjarred'))
 341 |                             except:
 342 |                                 logging.warning("Failed to unjar: %s" % (sys.exc_info()[0]))
 343 |                         jarziprar.close()
 344 | 
 345 |         # Convert binary Manifest
 346 |         if self.properties.filetype == droidutil.APK:
 347 |             manifest = os.path.join(self.outdir, 'AndroidManifest.xml')
 348 |             if not os.access(manifest, os.R_OK) or os.path.getsize(manifest) == 0:
 349 |                 try:
 350 |                     logging.debug( "Extracting binary AndroidManifest.xml")
 351 |                     self.ziprar.extract_one_file('AndroidManifest.xml', self.outdir)
 352 |                     if os.access( manifest, os.R_OK) and os.path.getsize(manifest) > 0:
 353 |                         textmanifest = os.path.join( self.outdir, 'AndroidManifest.text.xml')
 354 |                         subprocess.call( [ "androaxml.py", "--input", manifest, \
 355 |                                            "--output", textmanifest ], \
 356 |                                          stdout=self.process_output, stderr=self.process_output)
 357 |                         if os.access( textmanifest, os.R_OK ):
 358 |                             # overwrite the binary manifest with the converted text one
 359 |                             os.rename(textmanifest, manifest)
 360 |                 except AssertionError:
 361 |                     logging.warning("Failed to extract binary manifest: %s" % (sys.exc_info()[0]))
 362 |                 
 363 |                 except FileNotFoundError:
 364 |                     logging.warning("Error while unzipping or Androguard not installed (no androaxml.py)")
 365 |                      
 366 |     def extract_file_properties(self):
 367 |         """Extracts file size, 
 368 |         nb of dirs and classes in smali dir"""
 369 |         logging.debug("------------- Extracting file properties")
 370 |             
 371 |         self.properties.file_size = os.stat(self.absolute_filename).st_size
 372 | 
 373 |         if self.properties.file_size < 70000:
 374 |             self.properties.file_small = True
 375 |         
 376 |         smali_dir = os.path.join(self.outdir, "smali")
 377 | 
 378 |         if os.access(smali_dir, os.R_OK):
 379 |             self.properties.file_nb_dir, self.properties.file_nb_classes = droidutil.count_filedirs(smali_dir)
 380 | 
 381 |         logging.debug("Filesize: %d" % (self.properties.file_size))
 382 |         logging.debug("Is Small: %d" % (self.properties.file_small))
 383 |         logging.debug("Nb Class: %d" % (self.properties.file_nb_classes))
 384 |         logging.debug("Nb Dir  : %d" % (self.properties.file_nb_dir))
 385 | 
 386 |     def extract_meta_properties(self):
 387 |         """Extracting meta-data related to APK's signature timestamp and signing certificate"""
 388 |         if self.properties.filetype == droidutil.APK:
 389 |             self.properties.certificate['timestamp'] = self.ziprar.get_date('META-INF/MANIFEST.MF')
 390 |             if self.properties.certificate['timestamp'] != None:
 391 |                 self.properties.certificate['year'] = self.properties.certificate['timestamp'][0]
 392 |                 logging.debug("APK timestamp: %d" % (self.properties.certificate['timestamp'][0]))
 393 | 
 394 |             # extract properties from the certificate
 395 |             logging.debug("------------- Extracting properties from certificate")
 396 | 
 397 |             list = []
 398 |             try:
 399 |                 list = self.ziprar.extract_pattern(self.outdir, 'META-INF/.*\.RSA')
 400 |                 if not list:
 401 |                     list = self.ziprar.extract_pattern(self.outdir, 'META-INF/.*\.DSA')
 402 |             except:
 403 |                 logging.debug("Error at extraction: %s" % (sys.exc_info()[0]))
 404 | 
 405 |             if list:
 406 |                 try: 
 407 |                     keyout = subprocess.check_output([self.config.KEYTOOL, "-printcert",  "-file",
 408 |                                                       os.path.join(self.outdir, list[0])],
 409 |                                                       stderr=self.process_output).decode('utf-8')
 410 |                     keyout = re.sub(': ', '#', keyout)
 411 |                     keyout = re.sub('\t| ', '', keyout)
 412 |                     keyout = re.sub('until#', '\nUntil#', keyout)
 413 |                     keysplit = re.split('#|\n', keyout)
 414 |                     try:
 415 |                         index = keysplit.index("Owner")
 416 |                         self.properties.certificate['owner'] = keysplit[index+1]
 417 |                         logging.debug("Certificate Owner: "+self.properties.certificate['owner'])
 418 |                         self.extract_certificate_owner_properties(self.properties.certificate['owner'])
 419 |                             
 420 |                     except ValueError:
 421 |                         logging.debug("Certificate Owner not present")
 422 |                     try:
 423 |                         index = keysplit.index("Serialnumber")
 424 |                         self.properties.certificate['serialno'] = keysplit[index+1]
 425 |                         logging.debug("Certificate Serial no: "+self.properties.certificate['serialno'])
 426 | 
 427 |                         # detect typical dev certificate
 428 |                         if re.search('936eacbe07f201df', self.properties.certificate['serialno'], re.IGNORECASE):
 429 |                             self.properties.certificate['dev'] = True
 430 |                             logging.debug("Dev certificate detected")
 431 |                     except ValueError:
 432 |                         logging.debug("Serial number not present")
 433 |                     try:
 434 |                         index = keysplit.index("Signaturealgorithmname")
 435 |                         self.properties.certificate['algo'] = keysplit[index+1]
 436 |                         logging.debug("Algo: "+self.properties.certificate['algo'])
 437 |                     except ValueError:
 438 |                         logging.debug("Signature algorithm name not present")
 439 |                 except subprocess.CalledProcessError as e:
 440 |                     logging.debug("Caught CalledProcessError: ", e.output)
 441 |                     logging.debug("Probably an invalid certificate")
 442 |             else:
 443 |                 logging.debug("No certificate found")
 444 | 
 445 |     def extract_certificate_owner_properties(self, owner):
 446 |         # owner should not be null
 447 |         m = re.search('C=(\w*)', owner, re.IGNORECASE)
 448 |         if m is not None:
 449 |             cert_country = m.group(0)[2:]
 450 |             if re.search('Unknown', cert_country, re.IGNORECASE):
 451 |                 self.properties.certificate['unknown_country'] = True
 452 |             else:
 453 |                 self.properties.certificate['country'] = droidcountry.to_int(cert_country)
 454 |                 logging.debug("Certificate Country = %s (%d)" % (cert_country, self.properties.certificate['country']))
 455 | 
 456 |         # Debug certificate
 457 |         m = re.search('OU=Android  O=Android L=Mountain View', owner, re.IGNORECASE)
 458 |         if m is not None:
 459 |             self.properties.certificate['debug'] = True
 460 |             
 461 |         # AV owner
 462 |         av_list = ('O=www.netqin.com',
 463 |                    'OU=Symantec',
 464 |                    'CN=Fortinet Android  OU=Android  O=Fortinet  L=Burnaby  ST=British Columbia  C=BC',
 465 |                    'OU=Engineering  O=Webroot Software Inc  L=Boulder  ST=Colorado  C=US|CN=James Burgess',
 466 |                    'OU=Mobile Security, O=Flexilis, L=Los Angeles, ST=CA, C=US|O=Sophos Ltd.  L=Abingdon  C=UK',
 467 |                    'OU=Application Development  O=G Data Software AG  L=Bochum  ST=NRW  C=DE',
 468 |                    'CN=VIRUSTOTAL  OU=VIRUSTOTAL  O=VIRUSTOTAL  L=Malaga  ST=Malaga  C=ES',
 469 |                    'CN=Qihoo  OU=Qihoo 360 Technology Co Ltd  O=Qihoo 360 Technology Co Ltd  L=Chaoyang  ST=Beijing  C=CN',
 470 |                    'CN=KAIDI,OU=KAIDI,O=KAIDI,L=Beijing,ST=Beijing,C=86',
 471 |                    'EMAILADDRESS=android\@avast.com  CN=avast! Android  O=AVAST Software a.s.  L=Prague  ST=Prague  C=CZ')
 472 | 
 473 |         for av in av_list:
 474 |             m = re.search(av, owner, re.IGNORECASE)
 475 |             if m is not None:
 476 |                 if self.verbose:
 477 |                     print("Certificate owner matches AV : "+m.group(0))
 478 |                 self.properties.certificate['av'] = True
 479 | 
 480 |         # Companies
 481 |         famous_list = ('CN=Android  OU=Android  O=Google Inc\.  L=Moutain View  ST=California  C=US',
 482 |                        'O=Rovio Mobile Ltd  L=Helsinki  C=FI',
 483 |                        'CN=Facebook Corporation  OU=Facebook  O=Facebook Mobile  L=Palo Alto  ST=CA  C=US')
 484 |         for f in famous_list:
 485 |             m = re.search(f, owner, re.IGNORECASE)
 486 |             if m is not None:
 487 |                 logging.debug("Certificate owner matches Famous : "+m.group(0))
 488 |                 self.properties.certificate['famous'] = True
 489 | 
 490 |     def is_packed(self):
 491 |         """
 492 |         We assume a sample is packed if the main activity its manifest references cannot be found in the DEX
 493 |         + DexClassLoader or Dex File
 494 |         This test is far from perfect
 495 |         """
 496 |         smali_dir = os.path.join(self.outdir, 'smali')
 497 |         missing = False
 498 |         if self.properties.manifest['main_activity'] is not None:
 499 |             filename = os.path.join(smali_dir, self.properties.manifest['main_activity'].replace('.', os.path.sep)
 500 |                                     .replace('\'', '') + '.smali')
 501 |             if not os.access(filename, os.R_OK):
 502 |                 logging.debug("Unable to find Main Activitity: {} filename={}".format(self.properties.manifest['main_activity'],
 503 |                                                                                       filename))
 504 |                 missing = True
 505 | 
 506 |         if missing and (self.properties.smali['dex_class_loader'] or self.properties.smali['dex_file'] or self.properties.smali['load_library'] or self.properties.smali['class_loader']):
 507 |             self.properties.smali['packed'] = True
 508 | 
 509 |     def extract_manifest_properties(self):
 510 |         """Extracting services, receivers, activities etc from manifest"""
 511 |         manifest = os.path.join(self.outdir, 'AndroidManifest.xml')
 512 |         if self.properties.filetype == droidutil.APK and os.access(manifest, os.R_OK) and os.path.getsize(manifest)>0:
 513 |             try:
 514 |                 xmldoc = xml.dom.minidom.parse(manifest)
 515 |             except expat.ExpatError:
 516 |                 logging.debug("XML parsing error")
 517 |                 return
 518 | 
 519 |             # getting package's name
 520 |             self.properties.manifest['package_name'] = xmldoc.documentElement.getAttribute('package')
 521 | 
 522 |             tab = droidutil.get_elements(xmldoc, 'service', 'android:name')
 523 |             tab.extend(droidutil.get_elements(xmldoc, 'service', 'obfuscation:name'))
 524 |             for t in tab:
 525 |                 name = re.sub(r"u'(?P<name>.*)'", r"\g<name>", t)
 526 |                 if name != "''":
 527 |                     self.properties.manifest['services'].append(name)
 528 |                                                             
 529 |             tab = droidutil.get_elements(xmldoc, 'receiver', 'android:name')
 530 |             tab.extend(droidutil.get_elements(xmldoc, 'receiver', 'obfuscation:name'))
 531 |             for t in tab:
 532 |                 name = re.sub(r"u'(?P<name>.*)'", r"\g<name>", t)
 533 |                 if name != "''":
 534 |                     self.properties.manifest['receivers'].append(name)
 535 | 
 536 |             tab = droidutil.get_elements(xmldoc, 'activity', 'android:name')
 537 |             tab.extend(droidutil.get_elements(xmldoc, 'activity', 'obfuscation:name'))
 538 |             for t in tab:
 539 |                 name = re.sub(r"u'(?P<name>.*)'", r"\g<name>", t)
 540 |                 if name != "''":
 541 |                     self.properties.manifest['activities'].append(name)
 542 | 
 543 |             tab = droidutil.get_elements(xmldoc, 'provider', 'android:name')
 544 |             tab.extend(droidutil.get_elements(xmldoc, 'provider', 'obfuscation:name'))
 545 |             for t in tab:
 546 |                 name = re.sub(r"u'(?P<name>.*)'", r"\g<name>", t)
 547 |                 if name != "''":
 548 |                     self.properties.manifest['providers'].append(name)
 549 | 
 550 |             tab = droidutil.get_elements(xmldoc, 'uses-library', 'android:name')
 551 |             for t in tab:
 552 |                 self.properties.manifest['libraries'].append(re.sub(r"u'(?P<nom>.*)'", r"\g<nom>", t))
 553 | 
 554 |             tab = droidutil.get_elements(xmldoc, 'uses-permission', 'android:name')
 555 |             tab.extend(droidutil.get_elements(xmldoc, 'uses-permission', 'obfuscation:name'))
 556 |             for t in tab:
 557 |                 name = t.replace('android.permission.','').replace("u'", '').replace("'", '')
 558 |                 if name != '':
 559 |                     self.properties.manifest['permissions'].append(name)
 560 | 
 561 |             tab = droidutil.get_elements(xmldoc, 'application', 'obfuscation:name')
 562 |             tab.extend(droidutil.get_elements(xmldoc, 'application', 'android:name'))
 563 |             for t in tab:
 564 |                 if 'multidex' in t:
 565 |                     self.properties.manifest['multidex'] = True
 566 |                     break
 567 | 
 568 |             self.properties.manifest['maxSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:maxSdkVersion')
 569 |             self.properties.manifest['minSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:minSdkVersion')
 570 |             self.properties.manifest['targetSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:targetSdkVersion')
 571 |             tab = droidutil.get_elements(xmldoc, 'meta-data', 'android:name')
 572 |             if self.verbose:
 573 |                 logging.debug('meta-data: ' + ''.join(tab))
 574 |             for t in tab:
 575 |                 if 'android.content.ContactDirectory' in t:
 576 |                     self.properties.manifest['auto_load'] = True
 577 |                     if self.verbose:
 578 |                         logging.debug('Suspicious ContactDirectory meta-data trick')
 579 |                     break
 580 | 
 581 |             if self.verbose:
 582 |                 logging.debug("MinSDK=%s MaxSDK=%s TargetSDK=%s" % (self.properties.manifest['minSDK'],
 583 |                                                                     self.properties.manifest['maxSDK'],
 584 |                                                                     self.properties.manifest['targetSDK']))
 585 |                 for perm in self.properties.manifest['permissions']:
 586 |                     logging.debug("Requires permission " + perm)
 587 | 
 588 |             # get main activity
 589 |             for actitem in xmldoc.getElementsByTagName('activity'):
 590 |                 for a in actitem.getElementsByTagName('action'):
 591 |                     if a.getAttribute( 'android:name') == 'android.intent.action.MAIN' \
 592 |                             or a.getAttribute('obfuscation:name') ==  'android.intent.action.MAIN':
 593 |                         for b in actitem.getElementsByTagName('category'):
 594 |                             if b.getAttribute('android:name') == 'android.intent.category.LAUNCHER'\
 595 |                                     or b.getAttribute('obfuscation:name') ==  'android.intent.category.LAUNCHER':
 596 |                                 if actitem.getAttribute('android:name') != '':
 597 |                                     self.properties.manifest['main_activity'] = actitem.getAttribute('android:name')
 598 |                                 else:
 599 |                                     self.properties.manifest['main_activity'] = actitem.getAttribute('obfuscation:name')
 600 |             if self.verbose and self.properties.manifest['main_activity'] is not None:
 601 |                 logging.debug("Main activity: " + self.properties.manifest['main_activity'])
 602 | 
 603 |             # search for swf
 604 |             metalist = droidutil.get_elements(xmldoc, 'meta-data', 'android:value')
 605 |             for item in metalist:
 606 |                 if re.search('\.swf', item):
 607 |                     self.properties.manifest['swf'] = True
 608 | 
 609 |             # get sms listener
 610 |             for r in xmldoc.getElementsByTagName('receiver'):
 611 |                 for i in r.getElementsByTagName('intent-filter'):
 612 |                     for a in i.getElementsByTagName('action'):
 613 |                         if a.getAttribute('android:name') == 'android.provider.Telephony.SMS_RECEIVED':
 614 |                             self.properties.manifest['listens_incoming_sms'] = True
 615 |                         if a.getAttribute('android:name') == 'android.intent.action.NEW_OUTGOING_CALL':
 616 |                             self.properties.manifest['listens_outgoing_call'] = True
 617 | 
 618 |             logging.debug("Listens to incoming SMS  : %d" % (self.properties.manifest['listens_incoming_sms']))
 619 |             logging.debug("Listens to outgoing calls: %d" % (self.properties.manifest['listens_outgoing_call']))
 620 | 
 621 |     def extract_kit_properties(self):
 622 |         """
 623 |         Detects which kits are present in the sample currently analyzed
 624 |         Returns something like: ['apperhand', 'jackson', 'applovin', 'leadbolt', 'airpush']
 625 |         """
 626 |         list = []
 627 |         if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX:
 628 |             smali_dir = os.path.join(self.outdir, "smali")
 629 |             if os.access(smali_dir, os.R_OK):
 630 |                 for section in self.properties.kitsconfig.get_sections():
 631 |                     pattern_list = self.properties.kitsconfig.get_pattern(section).split('|')
 632 |                     for pattern in pattern_list:
 633 |                         for root, dirs, fname in os.walk(smali_dir):
 634 |                             if pattern in root:
 635 |                                 logging.debug("kits[%s] = True (detected pattern: %s)" % (section, pattern))
 636 |                                 list.append(section)
 637 |                                 self.properties.kits[section] = True
 638 |                                 break # break one level
 639 |                         if self.properties.kits[section] is True:
 640 |                             break  # break another level
 641 | 
 642 |         return list
 643 | 
 644 |     def extract_dex_properties(self):
 645 |         """Extracts information at DEX level. Requires read access to the DEX file. """
 646 |         if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX:
 647 |             if self.properties.filetype == droidutil.DEX:
 648 |                 dex_file = self.absolute_filename
 649 |             else:
 650 |                 dex_file = os.path.join(self.outdir, 'classes.dex')
 651 | 
 652 |             if os.access(dex_file, os.R_OK) and os.stat(dex_file).st_size > 0:
 653 |                 file = open(dex_file, 'rb')
 654 |                 magic = file.read(8)
 655 |                 self.properties.dex['magic_unknown'] = True
 656 |                 if magic[0:3] == 'dey':
 657 |                     self.properties.dex['odex'] = True
 658 |                 for i in range(35, 39):
 659 |                     if magic[4:7] == (b'0%d' % i):
 660 |                         self.properties.dex['magic'] = i
 661 |                         self.properties.dex['magic_unknown'] = False
 662 | 
 663 |                 logging.debug("DEX Magic: %s" % (repr(magic)))
 664 | 
 665 |                 checksum = file.read(4)
 666 |                 sha1 = file.read(20)
 667 | 
 668 |                 # check sha1 of file
 669 |                 if sha1 != '':
 670 |                     computed_sha1 = hashlib.sha1(file.read()).hexdigest()
 671 |                     if sha1.hex() != computed_sha1:
 672 |                         self.properties.dex['bad_sha1'] = True
 673 | 
 674 |                         logging.debug("DEX SHA1 read    : %s" % sha1.hex())
 675 |                         logging.debug("DEX SHA1 computed: %s" % computed_sha1)
 676 |                 else:
 677 |                     logging.debug("Impossible to read file's SHA1 => impossible to check")
 678 | 
 679 |                 # check checksum
 680 |                 if checksum != '':
 681 |                     file.seek(8+4, 0)  # 0 = from beginning, skip magic and checksum
 682 |                     computed_adler32 = zlib.adler32(file.read()) & 0xffffffff  # beware, adler32 returns an INTEGER
 683 |                     if computed_adler32 != struct.unpack("<I", checksum)[0]:  # converting both numbers to integers
 684 |                         self.properties.dex['bad_adler32'] = True
 685 | 
 686 |                     logging.debug("DEX checksum read    : %s (reverse order)" % (checksum.hex()))
 687 |                     logging.debug("DEX checksum computed: %s" % (hex(computed_adler32)))
 688 |                 else:
 689 |                     logging.debug("Impossible to read file's checksum => impossible to check")
 690 | 
 691 |                 # check header size
 692 |                 file.seek(8+4+20+4, 0)
 693 |                 header_size = struct.unpack("<I", file.read(4))[0]
 694 |                 if header_size > 0x70:
 695 |                     logging.debug("DEX header is bigger than expected: %d (HoseDex2Jar?)" % header_size)
 696 |                     self.properties.dex['big_header'] = True
 697 | 
 698 |                 # look for 0 0x0 if-eq v0, v0, +9
 699 |                 # 1 0x4 fill-array-data v0, +3 (0x7)
 700 |                 # 2 0xa fill-array-data-payload
 701 |                 # See http://www.dexlabs.org/blog/bytecode-obfuscation
 702 |                 file.seek(0x68, 0)
 703 |                 data_size = struct.unpack("<I", file.read(4))[0]
 704 |                 data_offset = struct.unpack("<I", file.read(4))[0]
 705 |                 file.seek(data_offset, 0)
 706 |                 buffer = file.read(data_size)
 707 |                 fill_array_pattern = re.compile(b"\x32\x00\x09\x00\x26\x00\x03\x00\x00\x00")
 708 |                 match = fill_array_pattern.search(buffer)
 709 |                 if match is not None:
 710 |                     logging.debug("fill-array-data trick located at offset=%d" % (data_offset + match.start()))
 711 |                     # to print the matching string: ''.join( [ "%02X " % ord( x ) for x in buffer[match.start():match.end() ] ).strip()
 712 |                     self.properties.dex['thuxnder'] = True
 713 |                 
 714 |                 file.close()            
 715 |             else:
 716 |                 logging.debug("Dex file %s is missing or empty" % dex_file)
 717 | 
 718 |     def extract_smali_properties(self, list_of_kits):
 719 |         if self.properties.filetype != droidutil.APK and\
 720 |                 self.properties.filetype != droidutil.DEX:
 721 |             # no smali properties to extract in that type of file
 722 |             return
 723 | 
 724 |         logging.debug("------------- Extracting Smali properties")
 725 | 
 726 |         smali_dir = os.path.join(self.outdir, 'smali')
 727 |         if os.access(smali_dir, os.R_OK) and os.listdir(smali_dir) != []: 
 728 |             exceptions = []
 729 |             for kit in list_of_kits:
 730 |                 pattern_list = self.properties.kitsconfig.get_pattern(kit).split('|')
 731 |                 for pattern in pattern_list:
 732 |                     if pattern is not None and pattern != '':
 733 |                         exceptions.append(pattern)  # pattern may be part of a path so do not prefix with smali_dir
 734 |                     else:
 735 |                         logging.debug("WARNING: configuration file error: empty pattern for %s" % kit)
 736 |                               
 737 |             smali_regexp = self.properties.smaliconfig.get_all_regexp()
 738 |             match = droidutil.recursive_search(smali_regexp, smali_dir, exceptions, False)
 739 |             
 740 |             analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 741 |             analysis_file.write('# Smali keywords\n')
 742 |             analysis_file.close()
 743 | 
 744 |             self.properties.smaliconfig.match_properties(match, self.properties.smali)
 745 |             for mykey in match.keys():
 746 |                 '''if self.verbose:
 747 |                     for element in match[mykey]:
 748 |                         print("- keyword=%s detected: %s" % (mykey, str(element)))'''
 749 |                 if mykey.find('android_id') >= 0 and match[mykey]:
 750 |                     # this matches const-string v[0-9]*, "android_id"/'
 751 |                     self.properties.smali['android_id'] = True
 752 | 
 753 |                 if mykey.find('scp') >= 0 and mykey.find('const-string') >= 0 and match[mykey]:
 754 |                     # const-string v[0-9]*, ".*scp.*"
 755 |                     self.properties.smali['scp'] = True
 756 | 
 757 |                 if mykey.find('ssh') >= 0 and mykey.find('const-string') >= 0 and match[mykey]:
 758 |                     # const-string v[0-9]*, ".*ssh.*'
 759 |                     self.properties.smali['ssh'] = True
 760 | 
 761 |                 analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 762 |                 # let's not dump for nops
 763 |                 if not (mykey == ' nop'):
 764 |                     if match[mykey]:
 765 |                         analysis_file.write("## %s\n" % mykey)
 766 |                     for element in match[mykey]:
 767 |                         append = self.extract_method_name(str(element))
 768 |                         analysis_file.write("- "+append+str(element)+"\n")
 769 |                     analysis_file.write('\n')
 770 |                     analysis_file.close()
 771 | 
 772 |             # test if sample is likely to be packed
 773 |             self.is_packed()
 774 |         else:
 775 |             logging.debug("Cannot extract smali properties, because directory %s not found" % smali_dir)
 776 |             # all smali properties should then be set to unknown
 777 |             for key in sorted(self.properties.smali.keys()):
 778 |                 self.properties.smali[key] = 'unknown'
 779 | 
 780 |     def extract_method_name(self, element):
 781 |         m = re.findall(r'file=(.*?)\s+no=\s*(\d+)', element)
 782 |         if m:
 783 |             file_path, line_no = m[0]
 784 |             with open(file_path, 'r') as f:
 785 |                 lines = f.readlines()
 786 |                 for i in range(int(line_no), 0, -1):
 787 |                     line = lines[i]
 788 |                     if line.startswith('.method'):
 789 |                         clazz = (lines[0].split(' ')[-1]).strip()
 790 |                         method = (line.split(' ')[-1]).strip()
 791 |                         return f'path={clazz}->{method} '
 792 |         return ''
 793 | 
 794 |     def extract_wide_properties(self, list_of_kits):
 795 |         """Will look for given properties (e.g GPS usage, presence of executables
 796 |         in all subdirectories (smali, assets, resources, library...)"""
 797 | 
 798 |         logging.debug("------------- Extracting Wide properties")
 799 | 
 800 |         # detecting presence of ijiami packer
 801 |         ijiami = os.path.join(self.outdir, 'unzipped/assets/ijiami.dat')
 802 |         if os.access(ijiami, os.R_OK):
 803 |             self.properties.wide['ijiami'] = True
 804 | 
 805 |         # detecting Flutter debug mode
 806 |         flutter_debug = os.path.join(self.outdir, 'unzipped/assets/flutter_assets/kernel_blob.bin')
 807 |         if os.access(flutter_debug, os.R_OK):
 808 |             self.properties.kits['flutter'] = True
 809 |         
 810 |         # detecting react native framework using index.android.bundle
 811 |         react_assets = os.path.join(self.outdir, 'unzipped/assets/index.android.bundle')
 812 |         if os.access(react_assets, os.R_OK):
 813 |             self.properties.wide['react_asset'] = True
 814 |         
 815 |         # Run "file" to detect hermes bytecode version
 816 |         proc = subprocess.Popen(['file', react_assets], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 817 |         output = proc.communicate()[0]
 818 | 
 819 |         analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 820 |         analysis_file.write('# Hermes Bytecode version\n')
 821 |         analysis_file.write(output.decode() + '\n')
 822 |         analysis_file.close()
 823 | 
 824 |         # detect executables in resources
 825 |         self.find_exec_in_resources()
 826 | 
 827 |         # other properties
 828 |         if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX:
 829 |             exceptions = []
 830 |             for kit in list_of_kits:
 831 |                 pattern_list = self.properties.kitsconfig.get_pattern(kit).split('|')
 832 |                 for pattern in pattern_list:
 833 |                     exceptions.append(pattern)
 834 |             exceptions.append("/unjarred")
 835 |             exceptions.append("/unzipped")
 836 |             exceptions.append("/unknown")
 837 |             exceptions.append("classes.dex")
 838 |             exceptions.append('details.md')
 839 | 
 840 |             wide_regexp = self.properties.wideconfig.get_all_regexp()
 841 |             match = droidutil.recursive_search(wide_regexp, self.outdir, exceptions, False)
 842 |             analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 843 |             analysis_file.write('# Keywords in resources, assets, lib\n\n')
 844 |             analysis_file.close()
 845 | 
 846 |             self.properties.wideconfig.match_properties(match, self.properties.wide)
 847 | 
 848 |             for mykey in match.keys():  # remember mykey is the matched value not the pattern
 849 |                 if match[mykey]:
 850 |                     analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 851 |                     analysis_file.write("- "+str(mykey)+"\n")
 852 |                     analysis_file.close()
 853 | 
 854 |                 # put here keywords for which you need to do some processing on each match
 855 | 
 856 |                 # keep a list of phonenumbers we detect
 857 |                 # mykey will be the phonenumber
 858 |                 # International phone number detector
 859 |                 # actually, it should be \+[0-9]{1,3}[0-9]{1,14} but that
 860 |                 # generates too many false positives (numbers for other reasons)
 861 |                 # so I'm being conservative
 862 |                 if mykey.startswith('+') and self.properties.wide['has_phonenumbers']:  # mykey.startswith('+') and
 863 |                     if re.search(b"\+[0-9]{1,3}[0-9]{10,14}", mykey):
 864 |                         self.properties.wide['phonenumbers'].append(mykey)
 865 |                         logging.debug("Phone number spotted: " + mykey)
 866 |                         analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 867 |                         analysis_file.write("- "+str(mykey)+"\n")
 868 |                         analysis_file.close()
 869 | 
 870 |                 # we want to process each potential URL and IP address
 871 |                 ip_pattern = re.compile("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
 872 |                 if ip_pattern.match(mykey):
 873 |                     logging.debug("IP address to check: {}".format(mykey))
 874 |                     self.interesting_url(mykey)
 875 |                     
 876 |                 if mykey.find('http') >= 0 and match[mykey]:
 877 |                     self.interesting_url(mykey)
 878 | 
 879 |             analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
 880 |             analysis_file.write('\n\n')
 881 |             analysis_file.close()
 882 | 
 883 |             # detect base64 encoded string in resources
 884 |             self.find_base64_strings(self.outdir, exceptions, self.properties.wide['base64_strings'])
 885 | 
 886 |             # trying to grab the application's name
 887 |             if not self.clear:
 888 |                 strings_file = os.path.join(self.outdir, "res/values/strings.xml")
 889 |                 if os.access(strings_file, os.R_OK):
 890 |                     xmldoc = xml.dom.minidom.parse(strings_file)
 891 |                     sitems = xmldoc.getElementsByTagName('string')
 892 |                     if sitems is None:
 893 |                         for item in sitems:
 894 |                             if item.hasAttributes():
 895 |                                 if item.getAttribute('name') == 'app_name':
 896 |                                     if item.hasChildNodes():
 897 |                                         self.properties.app_name = item.childNodes[0].data
 898 |                                         # rule out chinese characters: TODO: convert chinese characters to printable
 899 |                                         self.properties.app_name = re.sub('[^:print:]', '', self.properties.app_name)
 900 |                                         break
 901 | 
 902 |     def extract_arm_properties(self, arm_filename=''):
 903 |         """Extracts properties from an ARM executable
 904 |         Either call this on a sample which is an ARM file. 
 905 |         Or from within an embedded ARM file inside an APK.
 906 |         """
 907 |         if self.properties.filetype == droidutil.ARM or arm_filename != '':
 908 |             if arm_filename == '':
 909 |                 arm_filename = self.absolute_filename
 910 |             logging.debug("Extracting properties from " + arm_filename)
 911 | 
 912 |             # Run "strings" on the executable
 913 |             proc = subprocess.Popen(['strings', arm_filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 914 |             output = proc.communicate()
 915 | 
 916 |             for section in self.properties.armconfig.get_sections():
 917 |                 matches = re.findall(self.properties.armconfig.get_pattern(section), output[0].decode('utf-8'))
 918 |                 if matches is not None and len(matches) > 0:
 919 |                     self.properties.arm[section] = True
 920 |                     logging.debug("Setting arm[%s]  = True" % section)
 921 |                     if section == 'url_in_exec':
 922 |                         for m in matches:
 923 |                             self.interesting_url(m)
 924 | 
 925 |     def find_executables(self, dir):
 926 |         """Finds executables in a given directory. Does not parse recursively.
 927 |         Returns two lists:
 928 |         - ARM executables list (absolute filename)
 929 |         - APK executables list (absolute filename)
 930 |         """
 931 |         assert os.path.isdir(dir), "argument should be a directory"
 932 |         found_apk = []
 933 |         found_arm = []
 934 |         listing = os.listdir(dir)
 935 |         
 936 |         for file in listing:
 937 |             absolute_file = os.path.join(dir, file)
 938 |             if os.path.isfile(absolute_file):
 939 |                 filetype = droidutil.get_filetype(absolute_file)
 940 | 
 941 |                 # Special case to detect Flutter apps compiled in release mode
 942 |                 if file == 'libapp.so':
 943 |                     self.properties.kits['flutter'] = True
 944 | 
 945 |                 if filetype == droidutil.ARM:
 946 |                     logging.debug("%s is an ARM executable" % absolute_file)
 947 |                     found_arm.append(absolute_file)
 948 |                 else:
 949 |                     if filetype == droidutil.ZIP:
 950 |                         innerzip = droidziprar.droidziprar(absolute_file, True, self.verbose)
 951 |                         if innerzip.handle is None:
 952 |                             logging.debug("%s is not a valid zip" % absolute_file)
 953 |                             return found_apk, found_arm
 954 |                         filetype = innerzip.get_type()
 955 |                         innerzip.close()
 956 |                         if filetype == droidutil.APK:
 957 |                             logging.debug("%s contains an APK" % absolute_file)
 958 |                             found_apk.append(absolute_file)
 959 |                     else:
 960 |                         if filetype == droidutil.RAR:
 961 |                             innerzip = droidziprar.droidziprar(absolute_file, False, self.verbose)
 962 |                             if innerzip.handle is None:
 963 |                                 logging.debug("%s is not a valid rar" % absolute_file)
 964 |                                 return found_apk, found_arm
 965 |                             filetype = innerzip.get_type()
 966 |                             innerzip.close()
 967 |                             if filetype == droidutil.APK:
 968 |                                 logging.debug("%s contains an APK" % absolute_file)
 969 |                                 found_apk.append(absolute_file)
 970 |         return found_arm, found_apk
 971 | 
 972 |     def find_exec_in_resources(self):
 973 |         """Will detect embedded executables or zips in assets, raw resources and lib dir"""
 974 |         asset_dir = os.path.join(self.outdir, "assets")
 975 |         raw_dir = os.path.join(self.outdir, "res/raw")
 976 |         lib_dir = os.path.join(self.outdir, "lib/armeabi")
 977 |         lib2_dir = os.path.join(self.outdir, "lib/arm64-v8a")
 978 |         
 979 |         list_dir = [asset_dir, raw_dir, lib_dir, lib2_dir]
 980 | 
 981 |         for dir in list_dir:
 982 |             if os.access(dir, os.R_OK) and os.path.isdir(dir):
 983 |                 logging.debug("Parsing %s for embedded executables or zips... " % dir)
 984 | 
 985 |                 found_arm, found_apk = self.find_executables(dir)
 986 |                 if found_arm or found_apk:
 987 |                     self.properties.wide['embed_exec'] = True
 988 |                     logging.debug("Embedded executables/zip found in " + dir)
 989 |                     if found_arm:
 990 |                         for arm in found_arm:
 991 |                             logging.debug("Recursively processing " + arm)
 992 |                             self.extract_arm_properties(arm)
 993 |                     if found_apk:
 994 |                         for apk in found_apk:
 995 |                             logging.debug("Recursively processing " + apk)
 996 |                             droidlysis3.process_file(apk, self.outdir, self.verbose, self.clear, 
 997 |                                                      disable_report=self.disable_description,
 998 |                                                      no_kit_exception=self.no_kit_exception)
 999 | 
1000 |     def interesting_url(self, url):
1001 |         """Rules out meaningless URLs to keep only those which might be useful for attackers.
1002 |         
1003 |         input: url - typically starting with http://
1004 |         output: self.properties.url list
1005 |         Will set self.properties. urls and some wide properties.
1006 |         """
1007 |         assert url is not None, "Empty URL is not valid"
1008 |         url = re.sub('[,;" ].*', '', url)  # remove after ",; or whitespace
1009 |         url = re.sub('\n.*', '', url)
1010 |         url = re.sub('\r.*', '', url)
1011 |         url = re.sub('[^\x20-\x7e]', '', url)
1012 |         
1013 |         url_regexp = '|'.join(droidurl.build_special_url_list())
1014 |         match = re.search(url_regexp, url)  # only one match per line
1015 | 
1016 |         if match is None:
1017 |             # the url is not in the list of special URLs
1018 |             # let's check it hasn't been reported yet (unique URLs)
1019 |             if url not in self.properties.wide['urls']:
1020 |                 self.properties.wide['urls'].append(url) 
1021 |                 logging.debug("URL: %s" % url)
1022 | 
1023 |             # raise a warning if it downloads APKs or for dropbox
1024 |             search = re.findall("\.apk|\.zip", url)
1025 |             if search is not None and len(search) > 0:
1026 |                 if '\.apk' in search or '\.zip' in search:
1027 |                     self.properties.wide['apk_zip_url'] = True
1028 | 
1029 |         return self.properties.wide['urls']
1030 | 
1031 |     def find_base64_strings(self, thedir, exceptions, theproperty):
1032 |         """
1033 |         To detect base64 strings, we spot all constants with potentially base64 encoded
1034 |         characters. Then, on these, we attempt to perform base 64 decoding.
1035 |         If that does not lead to an error (padding exception etc) and if the result is
1036 |         printable (~ makes potential sense), we assume this is a Base64 string
1037 | 
1038 |         const-string v1, "xyz=="
1039 |         this won't detect all base64 strings because they won't all finish with ==
1040 |         but we'll get some...
1041 |         """
1042 |         base64_regexp = bytes("const-string v[0-9]*, \"[a-zA-Z0-9/?=]*\"", 'utf-8')
1043 |         base64_strings = droidutil.recursive_search(base64_regexp, thedir, exceptions, False)
1044 | 
1045 |         if base64_strings is not None:
1046 |             printable_chars = bytes(string.printable, 'ascii')
1047 |             for s in base64_strings.keys():
1048 |                 # remove the const-string vX part and trailing "
1049 |                 thestr = re.sub('const-string v[0-9]*, "', '', s)
1050 |                 thestr = re.sub('"', '', thestr)
1051 |                     
1052 |                 # try to decode the Base64 string
1053 |                 try:
1054 |                     decoded = base64.b64decode(thestr)
1055 |                     
1056 |                     if all(c in printable_chars for c in decoded) and decoded != b'' and (not decoded.decode('utf-8') in theproperty):
1057 |                         # the decoded string is printable, so likely a valid decoded base64 info
1058 |                         # + the array contains unique strings only
1059 |                         theproperty.append(decoded.decode('utf-8'))
1060 |                         if self.verbose:
1061 |                             print("Base64 string: ", decoded)
1062 |                 except Exception as e:
1063 |                     # this is not a base64 string
1064 |                     pass
1065 | 
1066 |             if len(theproperty) > 0:
1067 |                 analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a')
1068 |                 analysis_file.write("Base64 strings:\n")
1069 | 
1070 |                 for b in theproperty:
1071 |                     analysis_file.write("- "+b+"\n")
1072 |                     
1073 |                 analysis_file.close()
1074 | 
1075 |             
1076 | 


--------------------------------------------------------------------------------
/droidsql.py:
--------------------------------------------------------------------------------
 1 | """
 2 | __author__ = "Axelle Apvrille"
 3 | __status__ = "Alpha"
 4 | __license__ = "MIT License"
 5 | """
 6 | 
 7 | import sqlalchemy
 8 | from sqlalchemy.ext.declarative import declarative_base
 9 | from sqlalchemy import Column, Integer, String, Boolean
10 | import droidconfig
11 | 
12 | 
13 | Base = declarative_base()
14 | 
15 | 
16 | class Sample(Base):
17 |     __tablename__ = 'samples'
18 | 
19 |     sha256 = Column(String(64), primary_key=True)
20 |     sanitized_basename = Column(String())
21 |     file_nb_classes = Column(Integer())
22 |     file_nb_dir = Column(Integer())
23 |     file_size = Column(Integer())
24 |     file_small = Column(Boolean())
25 |     filetype = Column(Integer())
26 |     file_innerzips = Column(Boolean())
27 |     manifest_properties = Column(String())
28 |     smali_properties = Column(String())
29 |     wide_properties = Column(String())
30 |     arm_properties = Column(String())
31 |     dex_properties = Column(String())
32 |     kits = Column(String())
33 | 
34 |     def __repr__(self):
35 |         return "<Sample(sha256=%s)>" % self.sha256
36 | 
37 | 
38 | class DroidSql:
39 |     def __init__(self, verbose=False):
40 |         self.verbose = verbose  # to get SQL ALCHEMY requests
41 |         self.engine = sqlalchemy.create_engine(droidconfig.SQLALCHEMY, echo=self.verbose)
42 |         Base.metadata.create_all(self.engine)
43 | 
44 |     
45 | 


--------------------------------------------------------------------------------
/droidurl.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __status__ = "Mature"
  6 | __license__ = "MIT License"
  7 | """
  8 | 
  9 | def build_special_url_list():
 10 |     """Returns a list of special URLs"""
 11 |     list = []
 12 |     
 13 |     # dummy URLs
 14 |     list.append('^(http://)127\.0\.0\.1$')
 15 |     list.append('^8\.8\.8\.8$')
 16 |     list.append('^8\.8\.4\.4$')
 17 |     list.append('^https*://%s:%d%s')
 18 |     list.append('^(http://)*192\.168\.[0-9.:]*')
 19 |     list.append('host:port')
 20 |     list.append('^(http://)*localhost$') 
 21 |     list.append('^https*://$')
 22 |     list.append('^https*$')
 23 |     list.append('temporary$') 
 24 |     list.append('^https*://unknown$') 
 25 |     list.append('^https*://images$')
 26 |     list.append('^http://ads$')
 27 |     list.append('^http://app$')
 28 |     list.append('^http://server$')
 29 |     list.append('^http://server/.*')
 30 |     list.append('username:password@YOUR')
 31 |     list.append('www\.dummyurl\.com')
 32 |     list.append('www\.example\.com')
 33 |     # clean URLs - which do not correspond to a kit i.e with a smali path
 34 |     list.append('creativecommons\.org')
 35 |     list.append('docs\.google\.')
 36 |     list.append('support\.google\.')
 37 |     list.append('developer\.android\.com')
 38 |     list.append('developers\.google\.com')
 39 |     list.append('googlesyndication\.com')
 40 |     list.append('jsoup\.org')
 41 |     list.append('www\.jcip\.net')
 42 |     list.append('finance\.google\.')
 43 |     list.append('maps\.google') 
 44 |     list.append('^https*://play\.google\.com')
 45 |     list.append('https*://[a-zA-Z]*\.google\.com/') 
 46 |     list.append('www\.google\.') 
 47 |     list.append('checkout\.google\.com')
 48 |     list.append('doubleclick\.net')
 49 |     list.append('\.google-analytics\.com') 
 50 |     list.append('^https*://[a-z]*\.googleapis\.com/')
 51 |     list.append('plus\.url\.google\.com') 
 52 |     list.append('market\.android\.com')
 53 |     list.append('source\.android\.com')
 54 |     list.append('material\.io')
 55 |     list.append('java\.sun\.com') 
 56 |     list.append('\.facebook\.com/help') 
 57 |     list.append('\.facebook\.com$')
 58 |     list.append('fonts\.gstatic\.com')
 59 |     list.append('forum\.xda-developers\.com/showthread\.php')
 60 |     list.append('www\.freetype\.org')
 61 |     list.append('www\.microsoft\.com')
 62 |     list.append('mozilla\.org') 
 63 |     list.append('www\.android\.com') 
 64 |     list.append('developer\.android\.com/reference/')
 65 |     list.append('fontforge\.sf\.net')
 66 |     list.append('www\.apache\.org')  
 67 |     list.append('www\.apple\.com')
 68 |     list.append('travis-ci\.org')
 69 |     list.append('twitter\.com') 
 70 |     list.append('www\.gnu\.org')
 71 |     list.append('www\.fsf\.org')
 72 |     list.append('www\.iec\.ch')
 73 |     list.append('www\.paypal\.com')
 74 |     list.append('www\.macromedia\.com/go/getflashplayer')
 75 |     list.append('www\.mozilla\.org') 
 76 |     list.append('opensource\.org') 
 77 |     list.append('www\.openssl\.org') 
 78 |     list.append('www\.gstatic\.com') 
 79 |     list.append('www\.JSON\.org') 
 80 |     list.append('www\.junit\.com') 
 81 |     list.append('http://www\.amazon\.com/gp/mas/dl/android') 
 82 |     list.append('.\.youtube.com') 
 83 |     list.append('\.hockeyapp\.net') 
 84 |     list.append('http://ns\.adobe\.com/') 
 85 |     list.append('https*://[a-zA-Z]*\.jquery\.com')
 86 |     list.append('https*://jqueryui\.com')
 87 |     list.append('^https*://jquery\.[com|org]/*$')
 88 |     list.append('scripts\.sil\.org')
 89 |     list.append('www\.ajaxplorer\.info')
 90 |     list.append('wikipedia\.org')
 91 |     list.append('play\.google\.com')
 92 |     list.append('github\.com')
 93 |     list.append('jquery\.org')
 94 |     list.append('www\.iana\.org')
 95 |     list.append('stackoverflow\.com')
 96 |     list.append('www\.unicode\.org')
 97 |     list.append('freetype\.org')
 98 | 
 99 |     # AV
100 |     list.append('www\.fortinet\.com') 
101 |     list.append('docs\.fortinet\.com/fclient/android/')
102 |     list.append('home\.mcafee\.com')
103 |     list.append('\.norton\.com') 
104 |     list.append('www\.avast\.com')
105 |     list.append('\.symantec\.com') 
106 |     list.append('www\.mcafeemobilesecurity\.com/eula\.aspx') 
107 |     list.append('www\.trendmicro\.com') 
108 |     list.append('https*://[a-zA-Z0-9]*\.360safe\.com')
109 | 
110 |     # search engines
111 |     list.append('search\.twitter\.com') 
112 |     list.append('search\.yahoo\.com') 
113 |     list.append('www\.baidu\.com') 
114 |     list.append('wap\.baidu\.com') 
115 |     list.append('map\.baidu\.com') 
116 |     list.append('www\.searchmobileonline\.com') 
117 | 
118 | 
119 |     # XML
120 |     list.append('^https*://push$') 
121 |     list.append('^https*://schemas') 
122 |     list.append('^https*://www\.$') 
123 |     list.append('www\.w3\.org') 
124 |     list.append('xml\.apache\.org') 
125 |     list.append('xml\.org') 
126 |     list.append('xmlpull\.org') 
127 |     list.append('^https*://.*/configure[-_0-9]*\.dtd$')
128 |     
129 |     # Operator
130 |     list.append('10\.0\.0\.172') 
131 |     list.append('10\.0\.0\.200') 
132 |     list.append('wap\.uni-info\.com\.cn') 
133 |     list.append('mmsc\.myuni\.com\.cn') 
134 |     list.append('mmsc\.vnet\.mobi') 
135 |     list.append('wap\.vnet\.mobi') 
136 |     list.append('10\.151\.0\.1') 
137 |     list.append('62\.201\.134\.17') 
138 |     list.append('mmsbouygtel\.com') 
139 |     list.append('\.monternet\.com') 
140 | 
141 |     # Protocol
142 |     list.append('oauth_token') 
143 | 
144 |     # adkit urls which sometimes appear outside the smali path
145 |     list.append('pflexads\.com')
146 |     list.append('admob\.com')
147 |     list.append('^https*://api\.weibo\.com')
148 |     list.append('^https*://.*\.alipay.com')
149 | 
150 |     return list
151 | 


--------------------------------------------------------------------------------
/droidutil.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import errno
  3 | import re
  4 | import shutil
  5 | import magic
  6 | import hashlib
  7 | from collections import defaultdict
  8 | 
  9 | """Those are my own utilities for sample analysis"""
 10 | 
 11 | 
 12 | def mkdir_if_necessary(path):
 13 |     """
 14 |     Creates the directory if it does not exist yet.
 15 |     If it exists, does not do anything.
 16 |     If path is None (not filled), does not do anything.
 17 |     """
 18 | 
 19 |     if path is not None:
 20 |         try:
 21 |             os.makedirs(path)
 22 |         except OSError as exc:  # Python >2.5
 23 |             if exc.errno == errno.EEXIST and os.path.isdir(path):
 24 |                 pass
 25 |             else:
 26 |                 raise
 27 | 
 28 | 
 29 | def on_rm_tree_error(fn, path, exc_info):
 30 |     """
 31 |     Error handler for ``shutil.rmtree``.
 32 | 
 33 |     rmtree fails in particular if the file to delete is read-only.
 34 |     to remove, we attempt to set all permissions and then retry.
 35 | 
 36 |     Usage : ``shutil.rmtree(path, onerror=onerror)``
 37 |     """
 38 |     if fn is os.rmdir:
 39 |         os.chmod(path, 777)
 40 |         os.rmdir(path)
 41 |     elif fn is os.remove:
 42 |         os.chmod(path, 777)
 43 |         os.remove(path)
 44 | 
 45 | 
 46 | def move_dir(src, dst):
 47 |     # Move src directory to dst - works even if dst already exists.
 48 |     assert os.path.isdir(src), "src must be an existing directory"
 49 |     os.system("mv" + " " + src + "/* " + dst)
 50 |     shutil.rmtree(src, onerror=on_rm_tree_error)
 51 | 
 52 | 
 53 | def sanitize_filename(filename):
 54 |     """Sanitizes a filename so that we can create the output analysis directory without any problem.
 55 |     We need to consider we might have filenames with Russian or Chinese characters. 
 56 |     
 57 |     filename is only the 'basename' not an absolute path
 58 | 
 59 |     Returns the sanitized name."""
 60 |     # we remove any character which is not letters, numbers, _ or .
 61 |     return re.sub('[^a-zA-Z0-9_\.]', '', filename)
 62 | 
 63 | 
 64 | def listAll(dirName):
 65 |     filelist1 = []
 66 |     files = os.listdir(dirName)
 67 |     for f in files:
 68 |         if os.path.isfile(os.path.join(dirName, f)):
 69 |             filelist1.append(os.path.join(dirName, f))
 70 |         else:
 71 |             newlist = listAll(os.path.join(dirName, f))
 72 |             filelist1.extend(newlist)           
 73 |     return filelist1 
 74 | 
 75 | 
 76 | def count_filedirs(dirname):
 77 |     """Counts the number of directories and files in a given directory. Counts recursively.
 78 |     dirname must be readable.
 79 |     Returns:
 80 |     nb of directories
 81 |     nb of files
 82 |     
 83 |     This is somewhat the equivalent of: find ./smali -type d -print 
 84 |     or -type f
 85 |     """
 86 |     assert os.access(dirname, os.R_OK), "Can't access directory: "+dirname
 87 |     
 88 |     dirs = [name for name in os.listdir(dirname) if os.path.isdir(os.path.join(dirname, name))]
 89 |     nb_dirs = len(dirs)
 90 |     nb_files = len([name for name in os.listdir(dirname) if os.path.isfile(os.path.join(dirname, name))])
 91 |     for element in dirs:
 92 |         try:
 93 |             element_dirs, element_files = count_filedirs(os.path.join(dirname, element))
 94 |         except RuntimeError:
 95 |             # occurs when too many recursive dir
 96 |             element_dirs = 0
 97 |             element_files = 0
 98 |         nb_dirs += element_dirs
 99 |         nb_files += element_files
100 | 
101 |     return nb_dirs, nb_files
102 | 
103 | 
104 | def sha256sum(input_file_name):
105 |     """Computes the SHA256 hash of a binary file
106 |     Returns the digest string or '' if an error occurred reading the file"""
107 |     chunk_size = 1048576  # 1 MB
108 |     file_sha256 = hashlib.sha256()
109 |     try:
110 |         with open(input_file_name, "rb") as f:
111 |             byte = f.read(chunk_size)
112 |             while byte:
113 |                 file_sha256.update(byte)
114 |                 byte = f.read(chunk_size)
115 |     except IOError:
116 |         print('sha256sum: cannot open file: %s' % input_file_name)
117 |         return ''
118 |     return file_sha256.hexdigest()
119 | 
120 | 
121 | def sha1sum(input_file_name):
122 |     """
123 |     Computes the SHA1 hash of a binary file
124 |     Returns the digest string or '' if an error occurred reading the file
125 |     """
126 |     chunk_size = 1048576  # 1 MB
127 |     file_sha1 = hashlib.sha1()
128 |     try:
129 |         with open(input_file_name, "rb") as f:
130 |             byte = f.read(chunk_size)
131 |             while byte:
132 |                 file_sha1.update(byte)
133 |                 byte = f.read(chunk_size)
134 |     except IOError:
135 |         print('sha1sum: cannot open file: %s' % input_file_name)
136 |         return ''
137 |     return file_sha1.hexdigest()
138 | 
139 | 
140 | # -------------------------- File Constants -------------------------
141 | """Something else than the other file types. We do not support this file type."""
142 | UNKNOWN = 0
143 | 
144 | """An APK. It is not possible to differentiate a ZIP from an APK until we have looked inside the ZIP."""
145 | APK = 1
146 | 
147 | """A Dalvik Executable file. We do not check the file is valid/accepted by the verifier."""
148 | DEX = 2
149 | 
150 | """An ARM ELF executable."""
151 | ARM = 3
152 | 
153 | """A Java .class file"""
154 | CLASS = 4
155 | 
156 | """A Zip file. Actually, this can also be a JAR or an APK until we have thoroughly checked."""
157 | ZIP = 5
158 | 
159 | """A RARed file."""
160 | RAR = 6
161 | 
162 | """We can probably add some more later: TAR, TGZ, BZ2..."""
163 | 
164 | 
165 | def str_filetype(filetype):
166 |     """Provide as input a droidutil filetype (APK, DEX, ARM...) and returns the corresponding string"""
167 |     if filetype == APK:
168 |         return "APK"
169 |     if filetype == DEX:
170 |         return "DEX"
171 |     if filetype == ARM:
172 |         return "ARM"
173 |     if filetype == CLASS:
174 |         return "CLASS"
175 |     if filetype == ZIP:
176 |         return "ZIP"
177 |     if filetype == RAR:
178 |         return "RAR"
179 |     return "UNKNOWN"
180 |     
181 | 
182 | def get_filetype(filename):
183 |     """Returns an enumerate for the filetype corresponding to the given absolute filename.
184 |     This function does not open the file or unzip it.
185 |     It will return one of these:
186 |     droidutil.ZIP
187 |     droidutil.RAR
188 |     droidutil.ARM
189 |     droidutil.CLASS
190 |     droidutil.DEX
191 |     droidutil.UNKNOWN
192 |     """
193 |     filetype = magic.from_file(filename)
194 |     if filetype is None:
195 |         # this happens if magic is unable to find file type
196 |         return UNKNOWN
197 |     match = re.search('Zip archive data|zip|RAR archive data|executable, ARM|'
198 |                       'shared object, ARM|Java class|Dalvik dex|Java archive|Android package', filetype)
199 |     if match is None:
200 |         mytype = UNKNOWN
201 |     else:
202 |         typecase = {'Zip archive data': ZIP,
203 |                     'zip': ZIP,
204 |                     'Java archive': ZIP,
205 |                     'RAR archive data': RAR,
206 |                     'executable, ARM': ARM,
207 |                     'shared object, ARM': ARM,
208 |                     'Java class': CLASS,
209 |                     'Dalvik dex': DEX,
210 |                     'Android package': ZIP,  # droidsample needs ZIP type to do all the processing
211 |                     'None': UNKNOWN
212 |                     }
213 |         mytype = typecase[match.group(0)]
214 |     return mytype
215 | 
216 | 
217 | def get_elements(xmldoc, tag_name, attribute):
218 |     """Returns a list of elements"""
219 |     l = []
220 |     for item in xmldoc.getElementsByTagName(tag_name):
221 |         value = item.getAttribute(attribute)
222 |         l.append(repr(value))
223 |     return l
224 | 
225 | 
226 | def get_element(xmldoc, tag_name, attribute):
227 |     for item in xmldoc.getElementsByTagName(tag_name):
228 |         value = item.getAttribute(attribute)
229 |         if len(value) > 0:
230 |             return value
231 |     return None
232 | 
233 | 
234 | """Very simple exception to raise when we found something. For instance to break a loop."""
235 | class Found(Exception):
236 |     pass
237 | 
238 | 
239 | class matchresult:
240 |     """Match information"""
241 | 
242 |     def __init__(self, thefile, theline, thelineno):
243 |         """Represents a match for a keyword.
244 |         Made of a filename and a line"""
245 |         self.file = thefile
246 |         self.line = theline
247 |         self.lineno = thelineno
248 |     
249 |     def __repr__(self):
250 |         return 'file=%s lineno=%d line=%s' % (self.file, self.lineno, self.line)
251 | 
252 |     def __str__(self):
253 |         return 'file=%s no=%4d line=%30s' % (self.file, self.lineno, self.line)
254 | 
255 | 
256 | def recursive_search(search_regexp, directory, exception_list=[], verbose=False):
257 |     """Recursively search in a directory except in some subdirectories
258 |     The exception list actually is a list of regexp for directories.
259 |     
260 |     Returns a dictionary of list of matches:
261 |     match[ keyword ] = [ <'filename', 'matching line content', 'lineno'>,
262 |                          <'filename', 'matching line content', 'lineno'>,
263 |                          <'filename', 'matching line content', 'lineno'>, ]
264 | 
265 |     We can only have one match per line. Otherwise, this won't work we should be using re.findall
266 |     """
267 |     matches = defaultdict(list)
268 | 
269 |     if verbose:
270 |         print("Searching in " + directory + " for " + search_regexp.decode('utf-8'))
271 |         print("Exceptions: %s" % (str(exception_list)))
272 | 
273 |     for entry in os.listdir(directory):
274 |         current_entry = os.path.join(directory, entry)
275 |         try: 
276 |             if os.path.isfile(current_entry):
277 |                 for exception in exception_list:
278 |                     # TO DO: not entirely sure we need 'match'? perhaps if it is a regexp?
279 |                     # Remember that "exception" can be part of a path e.g. we want everything that matches blah/bloh
280 |                     # then com/blah/bloh must match
281 |                     match = re.search(exception, current_entry)  # TO DO: not entirely sure that we need the match
282 |                     if match is not None or exception in current_entry:
283 |                         # skip this file
284 |                         raise Found
285 | 
286 |                 # ok, this file must be searched
287 |                 lineno = 0
288 |                 for line in open(current_entry, 'rb'):
289 |                     lineno += 1
290 |                     match = re.search(search_regexp, line)
291 |                     if match is not None:
292 |                         if verbose:
293 |                             print("Match: File: " + entry + " Keyword: " +
294 |                                   match.group(0).decode('utf-8', errors='replace') +
295 |                                   " Line: " + line.decode('utf-8', errors='replace'))
296 |                         """match.group(0) only provides one match per line if we need more, 
297 |                         re.search is not appropriate
298 |                         and should be replaced by re.findall"""
299 |                         matches[match.group(0).decode('utf-8', errors='replace')].append(matchresult(current_entry, line, lineno))
300 | 
301 |             if os.path.isdir(current_entry):
302 |                 for exception in exception_list:
303 |                     match = re.search(exception, current_entry)
304 |                     if match is not None:
305 |                         # skip this directory
306 |                         raise Found
307 | 
308 |                 # this directory is not in the exception list, we must search it recursively
309 |                 try:
310 |                     hismatches = recursive_search(search_regexp, current_entry, exception_list, verbose)
311 |                     # merge in those results
312 |                     for key in hismatches.keys():
313 |                         matches[key].extend(hismatches[key])
314 |                 except RuntimeError:
315 |                     # we get this when there are too many recursive dirs
316 |                     pass  # next
317 | 
318 |         except Found:
319 |             pass  # go to next entry
320 | 
321 |     return matches
322 | 


--------------------------------------------------------------------------------
/droidziprar.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | """
  4 | __author__ = "Axelle Apvrille"
  5 | __status__ = "In progress"
  6 | __license__ = "MIT License"
  7 | """
  8 | import zipfile
  9 | import rarfile
 10 | import re
 11 | import droidutil
 12 | import struct
 13 | import subprocess
 14 | import logging
 15 | 
 16 | logging.basicConfig(format='%(levelname)s:%(filename)s:%(message)s', level=logging.INFO)
 17 | 
 18 | 
 19 | class droidziprar:
 20 | 
 21 |     def __init__(self, archive, zipmode=True, verbose=False):
 22 |         """Returns the archive file handle - don't forget to close it once you've finished with the file"""
 23 |         if verbose:
 24 |             logging.getLogger().setLevel(logging.DEBUG)
 25 |         self.zipmode = zipmode  # True for a zip, False for a Rar
 26 |         self.password = 'infected'
 27 |         self.handle = None
 28 |         self.archive_name = archive
 29 | 
 30 |         # File type is not fully certain until get_type() has been called
 31 |         if self.zipmode:
 32 |             self.filetype = droidutil.ZIP
 33 |         else:
 34 |             self.filetype = droidutil.RAR
 35 | 
 36 |         self.open(archive)
 37 | 
 38 |     def open(self, filename):
 39 |         try:
 40 |             if self.zipmode:
 41 |                 logging.debug("Opening Zip archive "+filename)
 42 |                 self.handle = zipfile.ZipFile(filename, 'r')
 43 |             else:
 44 |                 logging.debug("Opening Rar archive "+filename)
 45 |                 self.handle = rarfile.RarFile(filename, 'r')
 46 | 
 47 |         except (struct.error, zipfile.BadZipfile, zipfile.LargeZipFile, IOError) as e:
 48 |             logging.debug("Exception caught in ZipFile: %s" % (repr(e)))
 49 |             self.handle = None
 50 | 
 51 |         return self.handle
 52 | 
 53 |     def get_type(self):
 54 |         """A ZIP file can be really an APK, a JAR, or a real ZIP
 55 |         Calling this function reallys sets the appropriate type for the archive.
 56 |         Returns:
 57 |         - the file type: APK, CLASS or ZIP
 58 |         - a list of inner zips/rars if any
 59 |         """
 60 |         assert self.handle is not None, "zip/rar file handle has been closed"
 61 | 
 62 |         innerzips = []  # default value
 63 |         files_in_zip = self.handle.namelist()
 64 | 
 65 |         # guess file type based on contents
 66 |         if [x for x in files_in_zip if re.search("classes\.dex|AndroidManifest\.xml|resources\.arsc|assets/|res/", x)]:
 67 |             self.filetype = droidutil.APK
 68 |         else:
 69 |             innerzips = [x for x in files_in_zip if re.search("\.apk|\.zip|\.rar", x)]
 70 |             if innerzips:
 71 |                 if self.zipmode:
 72 |                     self.filetype = droidutil.ZIP
 73 |                 else:
 74 |                     self.filetype = droidutil.RAR
 75 |             else:
 76 |                 if [x for x in files_in_zip if re.search("\.class", x)]:
 77 |                     self.filetype = droidutil.CLASS
 78 |         return self.filetype, innerzips
 79 | 
 80 |     def extract_one_file(self, filename, outdir):
 81 |         """Extracts from a ZIP or a RAR
 82 |         - file: file to extract
 83 |         - outdir: directory to extract to
 84 |         Will use a password if necessary
 85 |         """
 86 |         if self.zipmode:
 87 |             # the unzip command works better... (manages to unzip more)
 88 |             subprocess.call(["/usr/bin/unzip", "-o", "-qq", "-P",
 89 |                              self.password, "-d", outdir, self.archive_name, filename])
 90 |         else:
 91 |             assert self.handle is not None, "zip/rar file handle has been closed"
 92 |             # beware this may raise errors KeyError, RuntimeError...
 93 |             self.handle.extract(filename, outdir, pwd=self.password)
 94 | 
 95 |     def extract_all(self, outdir):
 96 |         if self.zipmode:
 97 |             print('Launching unzip process on %s with output dir=%s' % (self.archive_name, outdir))
 98 |             subprocess.call(["/usr/bin/unzip", "-o", "-qq", "-P", self.password, self.archive_name, "-d", outdir])
 99 |         else:
100 |             assert self.handle is not None, "zip/rar file handle has been closed"
101 |             self.handle.extractall(path=outdir, pwd=self.password)
102 | 
103 |     def extract_pattern(self, outdir, pattern):
104 |         """Unzips (or unrars) files matching a given regexp to a given output directory.
105 |         Returns a list of what has been unzipped.
106 |         """
107 |         assert self.handle is not None, "zip/rar file handle has been closed"
108 |         all_files = self.handle.namelist()
109 |         list = [x for x in all_files if re.search(pattern, x)]
110 |         
111 |         for file in list:
112 |             self.extract_one_file(file, outdir)
113 | 
114 |         return list
115 | 
116 |     def get_date(self, filename):
117 |         """Gets the time at which filename was created"""
118 |         assert self.handle is not None, "zip/rar file handle has been closed"
119 |         try:
120 |             metainfo = self.handle.getinfo(filename)
121 |             return metainfo.date_time
122 |         except (KeyError, rarfile.NoRarEntry) as e:
123 |             logging.debug("%s does not exist in %s" % (filename, self.archive_name))
124 |         return None
125 | 
126 |     def close(self):
127 |         if self.handle is not None:
128 |             pass
129 |         else:
130 |             self.handle.close()
131 |             logging.debug("Closing archive: " + self.archive_name)
132 |     
133 | 


--------------------------------------------------------------------------------
/external/License.txt:
--------------------------------------------------------------------------------
 1 | Apache License
 2 | Version 2.0, January 2004
 3 | http://www.apache.org/licenses/ 
 4 | 
 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 
 6 | 
 7 | 1. Definitions.
 8 | 
 9 | "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. 
10 | 
11 | "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. 
12 | 
13 | "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. 
14 | 
15 | "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. 
16 | 
17 | "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. 
18 | 
19 | "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. 
20 | 
21 | "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). 
22 | 
23 | "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. 
24 | 
25 | "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." 
26 | 
27 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 
28 | 
29 | 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 
30 | 
31 | 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 
32 | 
33 | 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: 
34 | 
35 | You must give any other recipients of the Work or Derivative Works a copy of this License; and 
36 | 
37 | 
38 | You must cause any modified files to carry prominent notices stating that You changed the files; and 
39 | 
40 | 
41 | You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and 
42 | 
43 | 
44 | If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. 
45 | You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 
46 | 
47 | 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 
48 | 
49 | 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 
50 | 
51 | 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 
52 | 
53 | 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 
54 | 
55 | 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. 
56 | 


--------------------------------------------------------------------------------
/external/README.md:
--------------------------------------------------------------------------------
1 | Procyon is project from https://github.com/mstrobel/procyon
2 | It has recently migrated from bitbucket to github and releases are no longer available. I am hosting here the latest releaseust to help people who really need it, but please be aware I am not the author nor the maintainer.
3 | Procyon is released under the Apache License which I include in this directory.
4 | 


--------------------------------------------------------------------------------
/external/procyon-decompiler-0.5.30.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptax/droidlysis/ce37151642c53791fb267190bbe29668ede06346/external/procyon-decompiler-0.5.30.jar


--------------------------------------------------------------------------------
/images/example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptax/droidlysis/ce37151642c53791fb267190bbe29668ede06346/images/example.png


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | configparser>=4.0.2
2 | python-magic==0.4.12
3 | rarfile>=3.0
4 | requests
5 | SQLAlchemy>=1.1.1
6 | platformdirs
7 | 
8 | 


--------------------------------------------------------------------------------
/script/DroidlysisSearch.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: utf-8 -*-
 2 | 
 3 | # A script to search suspicious malicious funtions by Droidlysis
 4 | # Author: d3xter
 5 | #?shortcut=
 6 | import os
 7 | import re
 8 | import json
 9 | from com.pnfsoftware.jeb.client.api import IScript
10 | from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
11 | 
12 | class DroidlysisSearch(IScript):
13 |     BMKEY = 'DLYSISMARKS'
14 |     
15 |     def run(self, ctx):
16 |         prj = ctx.getMainProject()
17 |         assert prj, 'Need a project'
18 |         
19 |         bmstr = prj.getData(DroidlysisSearch.BMKEY)
20 |         if not bmstr:
21 |             print(u'😵‍💫 Droidlysis mapping ...')
22 | 
23 |             path = ctx.displayFileOpenSelector('Select a file')
24 |             assert path, 'Need a valid file path'
25 | 
26 |             with open(path, 'r') as f:
27 |                 file_contents = f.readlines()
28 | 
29 |             bm = {}
30 |             bm['outputfile'] = path
31 |             current_key = None
32 | 
33 |             pattern_key = r'^##\s+(.*?)$'
34 |             pattern_data = r'^- path=(.*?)\s+file=(.*?)\s+no=\s*(\d+)\s+line=(.*?)$'
35 | 
36 |             for line in file_contents:
37 |                 key_match = re.match(pattern_key, line)
38 |                 data_match = re.match(pattern_data, line)
39 |                 
40 |                 if key_match:
41 |                     current_key = key_match.group(1)
42 |                     bm[current_key] = []
43 |                 elif current_key and data_match:
44 |                     path = data_match.group(1)
45 |                     file = data_match.group(2)
46 |                     no = data_match.group(3)
47 |                     line = data_match.group(4).strip()[2:-3].strip()
48 |                     bm[current_key].append([path, line])
49 | 
50 |             prj.setData(DroidlysisSearch.BMKEY, json.dumps(bm), True)
51 | 
52 |         bmstr = prj.getData(DroidlysisSearch.BMKEY)
53 |         bm = json.loads(bmstr)
54 |         if not os.path.exists(bm['outputfile']):
55 |             print(u'🤗 Droidlysis goodbye ...')
56 |             prj.clearAllData(DroidlysisSearch.BMKEY)
57 |             return
58 |         
59 |         print(u'😄 Droidlysis searching ...')
60 |         headers = ['Match', 'Path', 'Code']
61 |         rows = []
62 |         for mm, info in bm.items():
63 |             if not mm == 'outputfile':
64 |                 for ii in info:
65 |                     rows.append([mm, ii[0], ii[1]])
66 | 
67 |         index = ctx.displayList('Droidlysis Search', 'List of suspicious functions identified by Droidlysis', headers, rows)
68 |         if index < 0:
69 |             return
70 |         
71 |         sel = rows[index]
72 |         dex = prj.findUnit(IDexUnit)
73 |         assert dex, 'Need a dex file'
74 | 
75 |         f = ctx.findFragment(dex, 'Disassembly', True)
76 |         if f:
77 |             f.setActiveAddress(sel[1])
78 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | from setuptools import setup
 4 | 
 5 | with open("README.md", "r", encoding="utf-8") as fh:
 6 |     long_description = fh.read()
 7 | 
 8 | setup(
 9 |     name='droidlysis',
10 |     description='DroidLysis: pre-analysis of suspicious Android samples',
11 |     long_description=long_description,
12 |     long_description_content_type="text/markdown",
13 |     author='@cryptax',
14 |     author_email='aafortinet@gmail.com',
15 |     url='https://github.com/cryptax/droidlysis',
16 |     license='MIT',
17 |     keywords="android malware reverse",
18 |     python_requires='>=3.0',
19 |     version='3.4.7',
20 |     packages=['conf'],
21 |     py_modules=[
22 |         'droidconfig',
23 |         'droidcountry',
24 |         'droidlysis3',
25 |         'droidproperties',
26 |         'droidreport',
27 |         'droidsample',
28 |         'droidsql',
29 |         'droidurl',
30 |         'droidutil',
31 |         'droidziprar',
32 |     ],
33 |     classifiers=[
34 |         "Programming Language :: Python :: 3",
35 |         "License :: OSI Approved :: MIT License",
36 |         "Development Status :: 3 - Alpha",
37 |         "Operating System :: Unix",
38 |         "Topic :: Software Development :: Disassemblers",
39 |     ],
40 |     include_package_data=True,
41 |     install_requires=[
42 |         'configparser>=4.0.2',
43 |         'python-magic==0.4.12',
44 |         'requests',
45 |         'SQLAlchemy>=1.1.1',
46 |         'rarfile>=3.0',
47 |         'platformdirs'
48 |     ],
49 |     scripts=[ 'droidlysis', 'droidlysis3.py' ]
50 | )
51 | 


--------------------------------------------------------------------------------
/test/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptax/droidlysis/ce37151642c53791fb267190bbe29668ede06346/test/__init__.py


--------------------------------------------------------------------------------
/test/apk/ph0wn-musicalear.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptax/droidlysis/ce37151642c53791fb267190bbe29668ede06346/test/apk/ph0wn-musicalear.apk


--------------------------------------------------------------------------------
/test/test.md:
--------------------------------------------------------------------------------
 1 | # To launch all tests
 2 | 
 3 | ```
 4 | cd test
 5 | python3 -m unittest
 6 | ```
 7 | # To test a single file
 8 | 
 9 | ```
10 | source ./venv/bin/activate
11 | python3 setup.py develop
12 | cd test
13 | python3 ./test_droidlysis3.py
14 | ```
15 | 


--------------------------------------------------------------------------------
/test/test_droidconfig.py:
--------------------------------------------------------------------------------
 1 | import unittest
 2 | from droidconfig import generalconfig
 3 | 
 4 | '''
 5 | To run tests:
 6 | source ./venv/bin/activate
 7 | python3 setup.py develop
 8 | cd tests
 9 | python3 ./droidconfig_test.py
10 | '''
11 | 
12 | 
13 | class DroidConfigTest(unittest.TestCase):
14 |     def test_general_config(self):
15 |         config = generalconfig(filename='../conf/general.conf', verbose=True)
16 | 
17 |     def test_bad_config(self):
18 |         self.assertRaises(FileNotFoundError,
19 |                           generalconfig,
20 |                           '../conf/doesnotexist.conf')
21 | 
22 | if __name__ == '__main__':
23 |     unittest.main()
24 | 


--------------------------------------------------------------------------------
/test/test_droidlysis3.py:
--------------------------------------------------------------------------------
 1 | import unittest
 2 | import tempfile
 3 | import shutil
 4 | from droidlysis3 import process_file
 5 | from droidconfig import generalconfig
 6 | 
 7 | class DroidLysisTest(unittest.TestCase):
 8 |     def setUp(self):
 9 |         # Create a temporary directory
10 |         self.test_dir = tempfile.mkdtemp()
11 | 
12 |     def tearDown(self):
13 |         # Remove the directory after the test
14 |         shutil.rmtree(self.test_dir)
15 | 
16 |     def test_process_file(self):
17 |         config = generalconfig(filename='../conf/general.conf', verbose=False)
18 |         process_file(config=config,
19 |                      infile='./apk/ph0wn-musicalear.apk',
20 |                      outdir=self.test_dir)
21 | 
22 | 
23 | if __name__ == '__main__':
24 |     unittest.main()
25 | 


--------------------------------------------------------------------------------