#!/usr/bin/env python """ __author__ = "Axelle Apvrille" __license__ = "MIT License" __version__ = '3.2.0' """ import hashlib import os import re import itertools import sys import struct import zlib import shutil import subprocess import xml.dom.minidom import droidutil import droidlysis3 import droidconfig import droidcountry import droidproperties import droidziprar import droidurl import xml.parsers.expat as expat class droidsample: """Base class for an Android sample to analyze""" def __init__(self, filename, output='/tmp/analysis', verbose=False, clear=False, enable_procyon=False, disable_description=False, silent=False, no_kit_exception=False): """Setup analysis of a given sample. This does not perform the analysis in itself.""" assert filename != None, "Filename is invalid" self.absolute_filename = filename self.verbose = verbose self.clear = clear self.enable_procyon = enable_procyon self.disable_description = disable_description # we need those for recursive calls to process_file self.silent = silent self.no_kit_exception = no_kit_exception self.ziprar = None # zip file or rar file file handle sanitized_basename = droidutil.sanitize_filename(os.path.basename(filename)) if not silent: print("Filename: "+filename) self.properties = droidproperties.droidproperties(samplename=sanitized_basename,\ sha256=droidutil.sha256sum(filename), \ verbose=self.verbose) if verbose: print( "SHA256: %s" % (self.properties.sha256)) """Computing the SHA1 of a file is only useful to help out the analyst. The digest is written to the automatic analysis/description of the sample. That description is located in the output analysis directory, so obviously, if the end-user specifies he wants the output analysis directory erased, he obviously does not want to know about the SHA1 digest, and thus it's useless to compute it.""" if not clear: sha1 = droidutil.sha1sum(filename) if verbose: print( "SHA1: %s" % (sha1)) # Creating the output analysis directory self.outdir = os.path.join(output, '{filename}-{hash}'.format(\ filename=sanitized_basename,\ hash=self.properties.sha256)) if verbose: print( "Output analysis directory: " + self.outdir ) if os.path.exists(self.outdir): try: shutil.rmtree(self.outdir, ignore_errors=droidutil.on_rm_tree_error) os.makedirs(self.outdir) except RuntimeError: if verbose: print( "Failed to remove directory - rmtree / RuntimeError" ) else: os.makedirs(self.outdir) # standard output for shell commands if self.verbose: self.process_output = None else: self.process_output = open("/dev/null", 'w') def close(self): if self.process_output != None: self.process_output.close() def unzip(self): """ This method will unzip/unrar the sample, and recursively unzip/unrar inner zips/rars. If we are not removing the analysis directory (clearoutput option), then we also unzip the sample in outdir/unzipped subdirectory. If the sample is password protected, we try 'infected' as password. Returns the file type of the sample: droidutil.<FILE CONSTANT> (UNKNOWN, APK, DEX, ...) """ if self.verbose: print("------------- Unzipping %s" % (self.absolute_filename)) self.properties.filetype = droidutil.get_filetype(self.absolute_filename) if self.properties.filetype == droidutil.ARM or \ self.properties.filetype == droidutil.UNKNOWN or \ self.properties.filetype == droidutil.DEX: if self.verbose: print( "This is a %s. Nothing to unzip for %s" % (droidutil.str_filetype(self.properties.filetype), self.absolute_filename) ) return self.properties.filetype if self.properties.filetype == droidutil.ZIP or \ self.properties.filetype == droidutil.RAR: if self.properties.filetype == droidutil.ZIP: self.ziprar = droidziprar.droidziprar(self.absolute_filename, \ zipmode=True, verbose=self.verbose) else: self.ziprar = droidziprar.droidziprar(self.absolute_filename, \ zipmode=False, verbose=self.verbose) if self.ziprar.handle == None: self.properties.filetype = droidutil.UNKNOWN # damaged zip/rar if self.verbose: print( "We are unable to unzip/unrar %s because of errors" % (self.absolute_filename) ) return droidutil.UNKNOWN # Now, we know self.ziprar is valid and open. self.properties.filetype, innerzips = self.ziprar.get_type() if innerzips: self.properties.file_innerzips = True if self.verbose: print( "There are inner zips/rars in " + self.absolute_filename ) for element in innerzips: # extract the inner zip/rar if self.verbose: print( "Extracting " + element + " inside " + self.absolute_filename ) try: self.ziprar.extract_one_file(element, self.outdir) if self.verbose: print( "Recursively processing " + os.path.join(self.outdir, element) ) droidlysis3.process_file(os.path.join(self.outdir, element), self.outdir, self.verbose, self.clear, self.enable_procyon, self.disable_description, self.no_kit_exception) except: print( "Cannot extract %s : %s" % (element, sys.exc_info()[0]) ) if self.properties.filetype == droidutil.APK: # our zip actually is an APK if not self.clear: # let's unzip if self.verbose: print( "Unzipping " + self.absolute_filename + " to " + os.path.join(self.outdir, 'unzipped')) try: self.ziprar.extract_all(outdir=os.path.join(self.outdir, 'unzipped')) except: print( "Unzipping failed (catching exception): %s" % (sys.exc_info()[0])) return self.properties.filetype def disassemble(self): """ Disassembles the sample (as much as possible), and if the end-user is interested in output (clear unset) also decompiles it (as much as possible). APK: java -jar apktool.jar [-q] d file.apk outdir/apktool if apktool failed java -jar baksmali.jar -o outdir/smali classes.dex in file.apk androaxml.py --input binary-manifest in file.apk --output outdir/AndroidManifest.text.xml if clear unset, unzip file.apk -d outdir/unzipped else just unzip META-INF/ DEX: java -jar baksmali.jar -o outdir/smali classes.dex if clear unset, make sure classes.dex is readable dex2jar classes.dex -o classes-dex2jar.jar unzip -qq classes-dex2jar.jar -d outdir/unjarred procyon classes-dex2jar.jar -o outdir/procyon What we'll find: APK, clear unset: ./smali AndroidManifest.xml ./unzipped classes.dex classes-dex2jar.jar ./unjarred ./procyon APK, clear set : ./smali AndroidManifest.xml classes.dex DEX, clear unset: classes.dex ./smali DEX, clear set : classes.dex ./smali classes-dex2jar.jar ./unjarred ./procyon """ if self.verbose: print("------------- Disassembling") if self.properties.filetype == droidutil.ARM or \ self.properties.filetype == droidutil.RAR or \ self.properties.filetype == droidutil.CLASS or \ self.properties.filetype == droidutil.UNKNOWN: # TODO: we could be running procyon on a class file. if self.verbose: print("Nothing to disassemble for " + self.absolute_filename) return if self.properties.filetype == droidutil.APK: # APKTOOL won't output to an existing dir unless you use the -f switch. But then, -f erases the contents # of the output dir... So we can't do this directly on self.outdir apktool_outdir = os.path.join(self.outdir, "apktool") if self.verbose: print("Running apktool on inputfile=" + self.absolute_filename) if self.verbose: print("Apktool command: java -jar %s d -f %s %s" % (droidconfig.APKTOOL_JAR, self.absolute_filename, apktool_outdir)) subprocess.call(["java", "-jar", droidconfig.APKTOOL_JAR, \ "d", "-f", self.absolute_filename, \ "-o", apktool_outdir ]) else: # with quiet option subprocess.call(["java", "-jar", droidconfig.APKTOOL_JAR, \ "-q", "d", "-f", self.absolute_filename, \ "-o", apktool_outdir ], stdout=self.process_output, stderr=self.process_output) if self.verbose: print( "Apktool finished" ) if os.path.isdir(apktool_outdir): droidutil.move_dir(apktool_outdir, self.outdir) # extract classes.dex whatever happens, we'll use it if self.verbose: print( "Extracting classes.dex" ) try: self.ziprar.extract_one_file('classes.dex', self.outdir) except: if self.verbose: print( "Extracting classes.dex failed: %s" % (sys.exc_info()[0])) else: print( "Extracting classes.dex failed") # Disassemble the DEX if self.properties.filetype == droidutil.DEX: dex_file = self.absolute_filename else: dex_file = os.path.join(self.outdir, 'classes.dex') smali_dir = os.path.join( self.outdir, 'smali' ) if (not os.access( smali_dir, os.R_OK) or \ (os.access(smali_dir, os.R_OK) and not os.listdir(smali_dir)) \ and os.access( dex_file, os.R_OK)): if self.verbose: print( "Using baksmali on " + dex_file ) try: subprocess.call( [ "java", "-jar", droidconfig.BAKSMALI_JAR, \ "d", "-o", smali_dir, dex_file ], \ stdout=self.process_output, stderr=self.process_output) except: print( "Baksmali failed" ) # Decompile the DEX if self.verbose: print("------------- Decompiling") if not self.clear and os.access( dex_file, os.R_OK ): jar_file = os.path.join(self.outdir, 'classes-dex2jar.jar') if os.access( droidconfig.DEX2JAR_CMD, os.X_OK): if self.verbose: print( "Dex2jar on " + dex_file ) subprocess.call( [ droidconfig.DEX2JAR_CMD, "--force", dex_file, "-o", jar_file ], \ stdout=self.process_output, stderr=self.process_output) else: if self.verbose: print("Dex2jar: file is not executable, skipping (file: {0})".format(droidconfig.DEX2JAR_CMD)) if os.access( jar_file, os.R_OK ): if self.enable_procyon: if self.verbose: print( "Procyon decompiler on " + jar_file ) subprocess.call( [ "java", "-jar", droidconfig.PROCYON_JAR, \ jar_file, "-o", os.path.join(self.outdir, 'procyon') ], \ stdout=self.process_output, stderr=self.process_output) if self.verbose: print( "Unjarring " + jar_file ) jarziprar = droidziprar.droidziprar(jar_file, zipmode=True, verbose=self.verbose) if jarziprar.handle == None: if self.verbose: print( "Bad Jar / Failed to unjar " + jar_file ) else: try: jarziprar.extract_all(os.path.join(self.outdir, 'unjarred')) except: print( "Failed to unjar: %s" % (sys.exc_info()[0]) ) jarziprar.close() # Convert binary Manifest if self.properties.filetype == droidutil.APK: manifest = os.path.join( self.outdir, 'AndroidManifest.xml') if not os.access( manifest, os.R_OK) or os.path.getsize(manifest)==0: if self.verbose: print( "Extracting binary AndroidManifest.xml") try: self.ziprar.extract_one_file('AndroidManifest.xml', self.outdir) except: print("Failed to extract binary manifest: %s" % (sys.exc_info()[0])) if os.access( manifest, os.R_OK) and os.path.getsize(manifest)>0: textmanifest = os.path.join( self.outdir, 'AndroidManifest.text.xml') subprocess.call( [ "androaxml.py", "--input", manifest, \ "--output", textmanifest ], \ stdout=self.process_output, stderr=self.process_output) if os.access( textmanifest, os.R_OK ): # overwrite the binary manifest with the converted text one os.rename(textmanifest, manifest) def extract_file_properties(self): """Extracts file size, nb of dirs and classes in smali dir""" if self.verbose: print("------------- Extracting file properties") self.properties.file_size = os.stat(self.absolute_filename).st_size if self.properties.file_size < 70000: self.properties.file_small = True smali_dir = os.path.join(self.outdir, "smali") if os.access(smali_dir, os.R_OK): self.properties.file_nb_dir, self.properties.file_nb_classes = droidutil.count_filedirs(smali_dir) if self.verbose: print( "Filesize: %d" % (self.properties.file_size)) print( "Is Small: %d" % (self.properties.file_small)) print( "Nb Class: %d" % (self.properties.file_nb_classes)) print( "Nb Dir : %d" % (self.properties.file_nb_dir)) def extract_meta_properties(self): """Extracting meta-data related to APK's signature timestamp and signing certificate""" if self.properties.filetype == droidutil.APK: self.properties.certificate['timestamp'] = self.ziprar.get_date('META-INF/MANIFEST.MF') if self.properties.certificate['timestamp'] != None: self.properties.certificate['year'] = self.properties.certificate['timestamp'][0] if self.verbose: print( "APK timestamp: %d" % (self.properties.certificate['timestamp'][0])) # extract properties from the certificate if self.verbose: print( "------------- Extracting properties from certificate") list = [] try: list = self.ziprar.extract_pattern(self.outdir, 'META-INF/.*\.RSA') if not list: list = self.ziprar.extract_pattern(self.outdir, 'META-INF/.*\.DSA') except: if self.verbose: print( "Error at extraction: %s" % (sys.exc_info()[0])) if list: try: keyout = subprocess.check_output( [ droidconfig.KEYTOOL, "-printcert", "-file", \ os.path.join(self.outdir, list[0]) ], \ stderr=self.process_output).decode('utf-8') keyout = re.sub(': ', '#', keyout) keyout = re.sub('\t| ', '', keyout) keyout = re.sub('until#', '\nUntil#', keyout) keysplit = re.split('#|\n', keyout) try: index = keysplit.index("Owner") self.properties.certificate['owner'] = keysplit[index+1] if self.verbose: print( "Certificate Owner: "+self.properties.certificate['owner']) self.extract_certificate_owner_properties(self.properties.certificate['owner']) except ValueError: if self.verbose: print( "Certificate Owner not present") try: index = keysplit.index("Serialnumber") self.properties.certificate['serialno'] = keysplit[index+1] if self.verbose: print( "Certificate Serial no: "+self.properties.certificate['serialno']) # detect typical dev certificate if re.search('936eacbe07f201df', self.properties.certificate['serialno'], re.IGNORECASE): self.properties.certificate['dev'] = True if self.verbose: print( "Dev certificate detected") except ValueError: if self.verbose: print( "Serial number not present") try: index = keysplit.index("Signaturealgorithmname") self.properties.certificate['algo'] = keysplit[index+1] if self.verbose: print( "Algo: "+self.properties.certificate['algo'] ) except ValueError: if self.verbose: print( "Signature algorithm name not present") except subprocess.CalledProcessError as e: if self.verbose: print( "Caught CalledProcessError: ", e.output) print( "Probably an invalid certificate" ) else: if self.verbose: print( "No certificate found" ) def extract_certificate_owner_properties(self, owner): # owner should not be null m = re.search('C=(\w*)', owner, re.IGNORECASE) if m != None: cert_country = m.group(0)[2:] if re.search('Unknown', cert_country, re.IGNORECASE): self.properties.certificate['unknown_country'] = True else: self.properties.certificate['country'] = droidcountry.to_int(cert_country) if self.verbose: print( "Certificate Country = %s (%d)" % (cert_country, self.properties.certificate['country']) ) # Debug certificate m = re.search('OU=Android O=Android L=Mountain View', owner, re.IGNORECASE) if m != None: self.properties.certificate['debug'] = True # AV owner av_list = ('O=www.netqin.com',\ 'OU=Symantec',\ 'CN=Fortinet Android OU=Android O=Fortinet L=Burnaby ST=British Columbia C=BC',\ 'OU=Engineering O=Webroot Software Inc L=Boulder ST=Colorado C=US|CN=James Burgess',\ 'OU=Mobile Security, O=Flexilis, L=Los Angeles, ST=CA, C=US|O=Sophos Ltd. L=Abingdon C=UK',\ 'OU=Application Development O=G Data Software AG L=Bochum ST=NRW C=DE',\ 'CN=VIRUSTOTAL OU=VIRUSTOTAL O=VIRUSTOTAL L=Malaga ST=Malaga C=ES',\ 'CN=Qihoo OU=Qihoo 360 Technology Co Ltd O=Qihoo 360 Technology Co Ltd L=Chaoyang ST=Beijing C=CN',\ 'CN=KAIDI,OU=KAIDI,O=KAIDI,L=Beijing,ST=Beijing,C=86',\ 'EMAILADDRESS=android\@avast.com CN=avast! Android O=AVAST Software a.s. L=Prague ST=Prague C=CZ') for av in av_list: m = re.search(av, owner, re.IGNORECASE) if m != None: if self.verbose: print( "Certificate owner matches AV : "+m.group(0) ) self.certificate['av'] = True # Companies famous_list = ('CN=Android OU=Android O=Google Inc\. L=Moutain View ST=California C=US',\ 'O=Rovio Mobile Ltd L=Helsinki C=FI',\ 'CN=Facebook Corporation OU=Facebook O=Facebook Mobile L=Palo Alto ST=CA C=US') for f in famous_list: m = re.search(f, owner, re.IGNORECASE) if m != None: if self.verbose: print( "Certificate owner matches Famous : "+m.group(0) ) self.certificate['famous'] = True def extract_manifest_properties(self): """Extracting services, receviers, activities etc from manifest""" manifest = os.path.join(self.outdir, 'AndroidManifest.xml') if self.properties.filetype == droidutil.APK and os.access(manifest, os.R_OK) and os.path.getsize(manifest)>0: try: xmldoc = xml.dom.minidom.parse(manifest) except expat.ExpatError: if self.verbose: print( "XML parsing error" ) return; tab = droidutil.get_elements(xmldoc, 'service', 'android:name') for t in tab: self.properties.manifest['services'].append(re.sub(r"u'(?P<name>.*)'", r"\g<name>", t)) tab = droidutil.get_elements(xmldoc, 'receiver', 'android:name') for t in tab: self.properties.manifest['receivers'].append(re.sub(r"u'(?P<nom>.*)'", r"\g<nom>", t)) tab = droidutil.get_elements(xmldoc, 'activity', 'android:name') for t in tab: self.properties.manifest['activities'].append(re.sub(r"u'(?P<nom>.*)'", r"\g<nom>", t)) tab = droidutil.get_elements(xmldoc, 'provider', 'android:name') for t in tab: self.properties.manifest['providers'].append(re.sub(r"u'(?P<nom>.*)'", r"\g<nom>", t)) tab = droidutil.get_elements(xmldoc, 'uses-library', 'android:name') for t in tab: self.properties.manifest['libraries'].append(re.sub(r"u'(?P<nom>.*)'", r"\g<nom>", t)) tab = droidutil.get_elements(xmldoc, 'uses-permission', 'android:name') for t in tab: self.properties.manifest['permissions'].append(t.replace('android.permission.','').replace("u'", '').replace("'", '')) self.properties.manifest['maxSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:maxSdkVersion') self.properties.manifest['minSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:minSdkVersion') self.properties.manifest['targetSDK'] = droidutil.get_element(xmldoc, 'uses-sdk', 'android:targetSdkVersion') droidutil.get_elements(xmldoc, 'meta-data', 'android:value') if self.verbose: print( "MinSDK=%s MaxSDK=%s TargetSDK=%s" % (self.properties.manifest['minSDK'], self.properties.manifest['maxSDK'], self.properties.manifest['targetSDK'])) for perm in self.properties.manifest['permissions']: print( "Requires permission " + perm) # get main activity for actitem in xmldoc.getElementsByTagName('activity'): for a in actitem.getElementsByTagName('action'): if a.getAttribute( 'android:name' ) == 'android.intent.action.MAIN': for b in actitem.getElementsByTagName('category'): if b.getAttribute( 'android:name' ) == 'android.intent.category.LAUNCHER': self.properties.manifest['main_activity'] = actitem.getAttribute( 'android:name' ) if self.verbose and self.properties.manifest['main_activity'] != None: print( "Main activity: " + self.properties.manifest['main_activity']) # search for swf metalist = droidutil.get_elements(xmldoc, 'meta-data', 'android:value') for item in metalist: if re.search('\.swf', item): self.properties.manifest['swf'] = True # get sms listener for r in xmldoc.getElementsByTagName('receiver'): for i in r.getElementsByTagName('intent-filter'): for a in i.getElementsByTagName('action'): if a.getAttribute( 'android:name' ) == 'android.provider.Telephony.SMS_RECEIVED': self.properties.manifest['listens_incoming_sms'] = True if a.getAttribute( 'android:name' ) == 'android.intent.action.NEW_OUTGOING_CALL': self.properties.manifest['listens_outgoing_call'] = True if self.verbose: print( "Listens to incoming SMS : %d" % (self.properties.manifest['listens_incoming_sms'])) print( "Listens to outgoing calls: %d" % (self.properties.manifest['listens_outgoing_call'])) # get package name if not self.clear: self.properties.manifest_package = droidutil.get_element(xmldoc, 'manifest', 'package') if self.verbose: print( "Package's name : %s" % (self.properties.manifest_package)) def extract_kit_properties(self): """ Detects which kits are present in the sample currently analyzed Returns something like: ['apperhand', 'jackson', 'applovin', 'leadbolt', 'airpush'] """ list = [] if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX: smali_dir = os.path.join(self.outdir, "smali") if os.access(smali_dir, os.R_OK): for section in self.properties.kitsconfig.get_sections(): pattern_list = self.properties.kitsconfig.get_pattern(section).split('|') for pattern in pattern_list: if os.access(os.path.join(smali_dir, pattern), os.R_OK): if self.verbose: print("kits[%s] = True (detected pattern: %s)" % (section, pattern)) list.append(section) self.properties.kits[ section ] = True break # break one level return list def extract_dex_properties(self): """Extracts information at DEX level. Requires read access to the DEX file. """ if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX: if self.properties.filetype == droidutil.DEX: dex_file = self.absolute_filename else: dex_file = os.path.join(self.outdir, 'classes.dex') if os.access(dex_file, os.R_OK) and os.stat(dex_file).st_size > 0: file = open(dex_file, 'rb') magic = file.read(8) self.properties.dex['magic_unknown'] = True if magic[0:3] == 'dey': self.properties.dex['odex'] = True for i in range(35,39): if magic[4:7] == (b'0%d' % (i)): self.properties.dex['magic'] = i self.properties.dex['magic_unknown'] = False if self.verbose: print( "DEX Magic: %s" % (repr(magic))) checksum = file.read(4) sha1 = file.read(20) # check sha1 of file if sha1 != '': computed_sha1 = hashlib.sha1(file.read()).hexdigest() if sha1.hex() != computed_sha1: self.properties.dex['bad_sha1'] = True if self.verbose: print( "DEX SHA1 read : %s" % sha1.hex()) print( "DEX SHA1 computed: %s" % (computed_sha1)) else: if self.verbose: print( "Impossible to read file's SHA1 => impossible to check") # check checksum if checksum != '': file.seek(8+4, 0) # 0 = from beginning, skip magic and checksum computed_adler32 = zlib.adler32(file.read()) & 0xffffffff # beware, adler32 returns an INTEGER if computed_adler32 != struct.unpack("<I", checksum)[0]: # converting both numbers to integers self.properties.dex['bad_adler32'] = True if self.verbose: print( "DEX checksum read : %s (reverse order)" % ( checksum.hex() )) print( "DEX checksum computed: %s" % (hex(computed_adler32))) else: if self.verbose: print( "Impossible to read file's checksum => impossible to check" ) # check header size file.seek(8+4+20+4, 0) header_size = struct.unpack("<I", file.read(4))[0] if header_size > 0x70: if self.verbose: print( "DEX header is bigger than expected: %d (HoseDex2Jar?)" % (header_size) ) self.properties.dex['big_header'] = True # look for 0 0x0 if-eq v0, v0, +9 #1 0x4 fill-array-data v0, +3 (0x7) #2 0xa fill-array-data-payload # See http://www.dexlabs.org/blog/bytecode-obfuscation file.seek(0x68, 0) data_size = struct.unpack("<I", file.read(4))[0] data_offset = struct.unpack("<I", file.read(4))[0] file.seek(data_offset, 0) buffer = file.read(data_size) fill_array_pattern = re.compile(b"\x32\x00\x09\x00\x26\x00\x03\x00\x00\x00") match = fill_array_pattern.search(buffer) if match != None: if self.verbose: print( "fill-array-data trick located at offset=%d" % (data_offset + match.start()) ) # to print the matching string: ''.join( [ "%02X " % ord( x ) for x in buffer[match.start():match.end() ] ).strip() self.properties.dex['thuxnder'] = True file.close() else: if self.verbose: print( "Dex file %s is missing or empty" % (dex_file)) def extract_smali_properties(self, list_of_kits): if self.properties.filetype != droidutil.APK and\ self.properties.filetype != droidutil.DEX: # no smali properties to extract in that type of file return if self.verbose: print("------------- Extracting Smali properties") smali_dir = os.path.join(self.outdir, 'smali') if os.access(smali_dir, os.R_OK) and os.listdir(smali_dir) != []: exceptions = [] for kit in list_of_kits: pattern = self.properties.kitsconfig.get_pattern(kit) if pattern != None and pattern != '': exceptions.append(os.path.join(smali_dir, pattern )) else: if self.verbose: print( "WARNING: configuration file error: empty pattern for %s" % (kit) ) smali_regexp = self.properties.smaliconfig.get_all_regexp() match = droidutil.recursive_search(smali_regexp, smali_dir, exceptions, False) analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write('# Smali keywords\n') analysis_file.close() self.properties.smaliconfig.match_properties(match, self.properties.smali) for mykey in match.keys(): '''if self.verbose: for element in match[mykey]: print("- keyword=%s detected: %s" % (mykey, str(element)))''' if mykey.find('android_id') >= 0 and match[mykey]: # this matches const-string v[0-9]*, "android_id"/' self.properties.smali['android_id'] = True if mykey.find('scp') >= 0 and mykey.find('const-string') >=0 and match[mykey]: # const-string v[0-9]*, ".*scp.*" self.properties.smali['scp'] = True if mykey.find('ssh') >= 0 and mykey.find('const-string') >= 0 and match[mykey]: # const-string v[0-9]*, ".*ssh.*' self.properties.smali['ssh'] = True analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') # let's not dump for nops if not (mykey == ' nop'): if match[mykey]: analysis_file.write("## %s\n" % (mykey)) for element in match[mykey]: analysis_file.write("- "+str(element)+"\n") analysis_file.write('\n') analysis_file.close() else: if self.verbose: print( "Cannot extract smali properties, because directory %s not found" % (smali_dir)) # all smali properties should then be set to unknown for key in sorted(self.properties.smali.keys()): self.properties.smali[key] = 'unknown' def extract_wide_properties(self, list_of_kits): """Will look for given properties (e.g GPS usage, presence of executables in all subdirectories (smali, assets, resources, library...)""" if self.verbose: print("------------- Extracting Wide properties") # detecting presence of ijiami packer ijiami = os.path.join(self.outdir, 'unzipped/assets/ijiami.dat') if os.access(ijiami, os.R_OK): self.properties.wide['ijiami'] = True # detect executables in resources self.find_exec_in_resources() # other properties if self.properties.filetype == droidutil.APK or self.properties.filetype == droidutil.DEX: exceptions = [] for kit in list_of_kits: exceptions.append(os.path.join(os.path.join(self.outdir, 'smali'), self.properties.kitsconfig.get_pattern(kit))) exceptions.append("/unjarred") exceptions.append("/unzipped") exceptions.append("/unknown") exceptions.append("classes.dex") exceptions.append('autoanalysis.md') wide_regexp = self.properties.wideconfig.get_all_regexp() match = droidutil.recursive_search(wide_regexp, self.outdir, exceptions, False) analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write('# Keywords in resources, assets, lib\n\n') analysis_file.close() self.properties.wideconfig.match_properties(match, self.properties.wide) for mykey in match.keys(): if match[mykey]: analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write("- "+str(mykey)+"\n") analysis_file.close() # put here keywords for which you need to do some processing on each match # keep a list of phonenumbers we detect # mykey will be the phonenumber # International phone number detector # actually, it should be \+[0-9]{1,3}[0-9]{1,14} but that # generates too many false positives (numbers for other reasons) # so I'm being conservative if mykey.startswith('+') and self.properties.wide['has_phonenumbers']: # mykey.startswith('+') and if re.search(b"\+[0-9]{1,3}[0-9]{10,14}", mykey): self.properties.wide['phonenumbers'].append(mykey) if self.verbose: print( "Phone number spotted: " + mykey) analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write("- "+str(mykey)+"\n") analysis_file.close() # we want to process each potential URL if mykey.find('http') >= 0 and match[mykey]: self.interesting_url(mykey) analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write('\n\n') analysis_file.close() # detect base64 encoded string in resources self.find_base64_strings(self.outdir, exceptions, self.properties.wide['base64_strings']) # trying to grab the application's name if not self.clear: strings_file = os.path.join(self.outdir, "res/values/strings.xml") if os.access(strings_file, os.R_OK): xmldoc = xml.dom.minidom.parse(strings_file) sitems = xmldoc.getElementsByTagName('string') if sitems != None: for item in sitems: if item.hasAttributes(): if item.getAttribute('name') == 'app_name': if item.hasChildNodes(): self.properties.app_name = item.childNodes[0].data # rule out chinese characters: TODO: convert chinese characters to printable self.properties.app_name = re.sub('[^:print:]','', self.properties.app_name) break def extract_arm_properties(self, arm_filename=''): """Extracts properties from an ARM executable Either call this on a sample which is an ARM file. Or from within an embedded ARM file inside an APK. """ if self.properties.filetype == droidutil.ARM or arm_filename != '': if arm_filename == '': arm_filename = self.absolute_filename if self.verbose: print( "Extracting properties from " + arm_filename) # Run "strings" on the executable proc = subprocess.Popen(['strings', arm_filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE) output = proc.communicate() for section in self.properties.armconfig.get_sections(): matches = re.findall(self.properties.armconfig.get_pattern(section), output[0]) if matches != None: self.properties.arm[section] = True if self.verbose: print( "Setting arm[%s] = True" % (section)) if section == 'url_in_exec': for m in matches: self.interesting_url(m) def find_executables(self, dir): """Finds executables in a given directory. Does not parse recursively. Returns two lists: - ARM executables list (absolute filename) - APK executables list (absolute filename) """ assert os.path.isdir(dir), "argument should be a directory" found_apk = [] found_arm = [] listing = os.listdir(dir) for file in listing: absolute_file = os.path.join(dir, file) if os.path.isfile(absolute_file): filetype = droidutil.get_filetype(absolute_file) if filetype == droidutil.ARM: if self.verbose: print( "%s is an ARM executable" % (absolute_file)) found_arm.append(absolute_file) else: if filetype == droidutil.ZIP: innerzip = droidziprar.droidziprar(absolute_file, True, self.verbose) if innerzip.handle == None: if self.verbose: print( "%s is not a valid zip" % (absolute_file)) return found_apk, found_arm filetype = innerzip.get_type() innerzip.close() if filetype == droidutil.APK: if self.verbose: print( "%s contains an APK" % (absolute_file)) found_apk.append(absolute_file) else: if filetype == droidutil.RAR: innerzip = droidziprar.droidziprar(absolute_file, False, self.verbose) if innerzip.handle == None: if self.verbose: print( "%s is not a valid rar" % (absolute_file)) return found_apk, found_arm filetype = innerzip.get_type() innerzip.close() if filetype == droidutil.APK: if self.verbose: print( "%s contains an APK" % (absolute_file)) found_apk.append(absolute_file) return found_arm, found_apk def find_exec_in_resources(self): """Will detect embedded executables or zips in assets, raw resources and lib dir""" asset_dir = os.path.join(self.outdir, "assets") raw_dir = os.path.join(self.outdir, "res/raw") lib_dir = os.path.join(self.outdir, "lib/armeabi") list_dir = [ asset_dir, raw_dir, lib_dir ] for dir in list_dir: if os.access(dir, os.R_OK) and os.path.isdir(dir): if self.verbose: print( "Parsing %s for embedded executables or zips... " % (dir)) found_arm, found_apk = self.find_executables(dir) if found_arm or found_apk: self.properties.wide['embed_exec'] = True if self.verbose: print( "Embedded executables/zip found in " + dir) if found_arm: for arm in found_arm: if self.verbose: print( "Recursively processing " + arm) self.extract_arm_properties(arm) if found_apk: for apk in found_apk: if self.verbose: print( "Recursively processing " + apk) droidlysis3.process_file(apk, self.outdir, self.verbose, self.clear, self.enable_procyon, self.disable_description, self.disable_dump, self.no_kit_exception) def interesting_url(self, url): """Rules out meaningless URLs to keep only those which might be useful for attackers. input: url - typically starting with http:// output: self.properties.url list Will set self.properties. urls and some wide properties. """ assert url != None, "Empty URL is not valid" url = re.sub('[,;" ].*', '', url) # remove after ",; or whitespace url = re.sub('\n.*','', url) url = re.sub('\r.*', '', url) url = re.sub('[^\x20-\x7e]','', url) url_regexp = '|'.join(droidurl.build_special_url_list()) match = re.search(url_regexp, url) # only one match per line if match == None: # the url is not in the list of special URLs # let's check it hasn't been reported yet (unique URLs) if url not in self.properties.wide['urls']: self.properties.wide['urls'].append(url) if self.verbose: print( "URL: %s" % (url)) # raise a warning if it downloads APKs or for dropbox search = re.findall("\.apk|\.zip",url) if search != None and len(search) > 0: if '\.apk' in search or '\.zip' in search: self.properties.wide['apk_zip_url'] = True return self.properties.wide['urls'] def find_base64_strings(self, thedir, exceptions, theproperty): # const-string v1, "xyz==" # this won't detect all base64 strings because they won't all finish with == # but we'll get some... base64_regexp = bytes("const-string v[0-9]*, \"[a-zA-Z0-9/=]*==\"", 'utf-8') base64_strings = droidutil.recursive_search(base64_regexp, thedir, exceptions, False) if base64_strings is not None: analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write("Base64 strings:\n") analysis_file.close() for s in base64_strings.keys(): # remove the const-string vX part thestr = re.sub('const-string v[0-9]*, "', '', s) thestr = re.sub('==\"', '==', thestr) if thestr not in theproperty: theproperty.append(thestr) analysis_file = open(os.path.join(self.outdir, droidlysis3.property_dump_file), 'a') analysis_file.write("- "+thestr+"\n") analysis_file.close() if self.verbose: print("Base64 string: ", thestr)