droidlysis-3.4.7/LICENSE

MIT License

Copyright (c) 2019

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
droidlysis-3.4.7/MANIFEST.in

include conf/*.conf
include conf/__init__.py

droidlysis-3.4.7/PKG-INFO

Metadata-Version: 2.1
Name: droidlysis
Version: 3.4.7
Summary: DroidLysis: pre-analysis of suspicious Android samples
Home-page: https://github.com/cryptax/droidlysis
Author: @cryptax
Author-email: aafortinet@gmail.com
License: MIT
Keywords: android malware reverse
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Development Status :: 3 - Alpha
Classifier: Operating System :: Unix
Classifier: Topic :: Software Development :: Disassemblers
Requires-Python: >=3.0
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: configparser>=4.0.2
Requires-Dist: python-magic==0.4.12
Requires-Dist: requests
Requires-Dist: SQLAlchemy>=1.1.1
Requires-Dist: rarfile>=3.0
Requires-Dist: platformdirs

# DroidLysis

DroidLysis is a **pre-analysis tool for Android apps**: it performs the repetitive and boring tasks we'd typically do at the beginning of any reverse engineering. It disassembles the Android sample, organizes the output in directories, and searches for suspicious spots in the code to look at. The output helps the reverse engineer speed up the first few steps of analysis.

DroidLysis can be used over Android packages (apk), Dalvik executables (dex), Zip files (zip), Rar files (rar) or directories of files.

## Installing DroidLysis

1. Install required system packages

```
sudo apt-get install default-jre git python3 python3-pip unzip wget libmagic-dev libxml2-dev libxslt-dev
```

2. Install Android disassembly tools:

- [Apktool](https://ibotpeaches.github.io/Apktool/),
- [Baksmali](https://bitbucket.org/JesusFreke/smali/downloads), and optionally
- [Dex2jar](https://github.com/pxb1988/dex2jar)

```
$ mkdir -p ~/softs
$ cd ~/softs
$ wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar
$ wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.5.2.jar
$ wget https://github.com/pxb1988/dex2jar/releases/download/v2.4/dex-tools-v2.4.zip
$ unzip dex-tools-v2.4.zip
$ rm -f dex-tools-v2.4.zip
```

3. Get DroidLysis from the Git repository (preferred) or from pip

Install from Git in a Python virtual environment (`python3 -m venv`, pyenv virtual environments, etc.):

```
$ python3 -m venv venv
$ source ./venv/bin/activate
(venv) $ pip3 install git+https://github.com/cryptax/droidlysis
```

Alternatively, you can install DroidLysis directly from PyPI (`pip3 install droidlysis`).

4. Configure `conf/general.conf`. In particular, make sure to replace `/home/axelle` with your own directories.

```
[tools]
apktool = /home/axelle/softs/apktool_2.9.3.jar
baksmali = /home/axelle/softs/baksmali-2.5.2.jar
dex2jar = /home/axelle/softs/dex-tools-v2.4/d2j-dex2jar.sh
keytool = /usr/bin/keytool
...
```

5. Run it:

```
python3 ./droidlysis3.py --help
```

## Configuration

The configuration file is `./conf/general.conf` (you can switch to another file with the `--config` option). This is where you configure the location of the various external tools (e.g. Apktool), the names of the pattern files (by default `./conf/smali.conf`, `./conf/wide.conf`, `./conf/arm.conf`, `./conf/kit.conf`) and the name of the database file (only used if you specify `--enable-sql`).

Be sure to specify the correct paths for the disassembly tools, or DroidLysis won't find them.

## Usage

DroidLysis uses **Python 3**.
To launch it and get options:

```
droidlysis --help
```

For example, test it on [Signal's APK](https://signal.org/android/apk/):

```
droidlysis --input Signal-website-universal-release-6.26.3.apk --output /tmp --config /PATH/TO/DROIDLYSIS/conf/general.conf
```

![](./images/example.png)

DroidLysis outputs:

- A summary on the console (see image above)
- The unzipped, pre-processed sample in a subdirectory of your output dir. The subdirectory is named using the sample's filename and sha256 sum. For example, if we analyze the Signal application and set `--output /tmp`, the analysis will be written to `/tmp/Signalwebsiteuniversalrelease4.52.4.apk-f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290`.
- A database (by default, SQLite `droidlysis.db`) containing the properties it noticed.

## Options

Get usage with `droidlysis --help`.

- The input can be a file or a directory of files to look into recursively. DroidLysis knows how to process Android packages, DEX, ODEX and ARM executables, ZIP and RAR. DroidLysis won't fail on other types of files (unless there is a bug...) but won't be able to understand their content.
- When processing directories of files, it is typically quite helpful to move processed samples to another location to know what has been processed. This is handled by the option `--movein`. Also, if you are only interested in statistics, you should probably clear the output directory, which contains detailed information for each sample: this is the option `--clearoutput`. If you want to store all statistics in a SQL database, use `--enable-sql` (see [here](#sqlite_database)).
- DroidLysis's analysis does not inspect known third-party SDKs by default, so it won't report any suspicious activity coming from them. If you want them to be inspected, use the option `--no-kit-exception`. This usually creates many more detected properties for the sample, as SDKs (e.g. advertising) use lots of flagged APIs (get GPS location, get IMEI, get IMSI, HTTP POST...).
## Sample output directory (`--output DIR`)

This directory contains (when applicable):

- A readable `AndroidManifest.xml`
- Readable resources in `res`
- Libraries `lib`, assets `assets`
- Disassembled Smali code: `smali` (and others)
- Package meta information: `META-INF`
- Package contents when simply unzipped in `./unzipped`
- DEX executable `classes.dex` (and others), converted to jar: `classes-dex2jar.jar`, and unjarred in `./unjarred`

The following files are generated by DroidLysis:

- `autoanalysis.md`: lists each pattern DroidLysis detected and where.
- `report.md`: same as what was printed on the console

If you do not need the sample output directory to be generated, use the option `--clearoutput`.

## Import trackers from Exodus etc (`--import-exodus`)

```
$ python3 ./droidlysis3.py --import-exodus --verbose
Processing file: ./droidurl.pyc ...
DEBUG:droidconfig.py:Reading configuration file: './conf/./smali.conf'
DEBUG:droidconfig.py:Reading configuration file: './conf/./wide.conf'
DEBUG:droidconfig.py:Reading configuration file: './conf/./arm.conf'
DEBUG:droidconfig.py:Reading configuration file: '/home/axelle/.cache/droidlysis/./kit.conf'
DEBUG:droidproperties.py:Importing ETIP Exodus trackers from https://etip.exodus-privacy.eu.org/api/trackers/?format=json
DEBUG:connectionpool.py:Starting new HTTPS connection (1): etip.exodus-privacy.eu.org:443
DEBUG:connectionpool.py:https://etip.exodus-privacy.eu.org:443 "GET /api/trackers/?format=json HTTP/1.1" 200 None
DEBUG:droidproperties.py:Appending imported trackers to /home/axelle/.cache/droidlysis/./kit.conf
```

Trackers from Exodus which are not present in your initial `kit.conf` are appended to `~/.cache/droidlysis/kit.conf`. Diff the two files and check which trackers you wish to add.

## SQLite database{#sqlite_database}

If you want to process a directory of samples, you'll probably like to store the properties DroidLysis found in a database, to easily parse and query the findings.
In that case, use the option `--enable-sql`. This will automatically dump all results in a database named `droidlysis.db`, in a table named `samples`. Each row of the table corresponds to one sample, and each column is a property DroidLysis tracks.

For example, to retrieve the filename, SHA256 sum and Smali properties of every sample in the database:

```
sqlite> select sha256, sanitized_basename, smali_properties from samples;
f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290|Signalwebsiteuniversalrelease4.52.4.apk|{"send_sms": true, "receive_sms": true, "abort_broadcast": true, "call": false, "email": false, "answer_call": false, "end_call": true, "phone_number": false, "intent_chooser": true, "get_accounts": true, "contacts": false, "get_imei": true, "get_external_storage_stage": false, "get_imsi": false, "get_network_operator": false, "get_active_network_info": false, "get_line_number": true, "get_sim_country_iso": true, ...
```

## Property patterns

What DroidLysis detects can be configured and extended in the files of the `./conf` directory. A pattern consists of:

- a **tag** name: for example `send_sms`. This names the property and must be unique across the `.conf` file.
- a **pattern**: the regexp to be matched, e.g. `;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage`. In the `smali.conf` file, this regexp is matched against Smali code. In this particular case, there are 3 different ways to send SMS messages from the code: sendTextMessage, sendMultipartTextMessage and sendDataMessage.
- a **description** (optional): explains the importance of the property and what it means.

```
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages
```

## Importing Exodus Privacy Trackers

Exodus Privacy maintains a list of various SDKs which are interesting to rule out in our analysis via `conf/kit.conf`.
Add the option `--import-exodus` to the droidlysis command line: this will parse the trackers Exodus Privacy knows about which aren't yet in your `kit.conf`. Finally, it will **append** all new trackers to `~/.cache/droidlysis/kit.conf`.

Afterwards, you may want to sort your `kit.conf` file:

```python
import configparser
import collections
import os

# Patterns are regexps: disable % interpolation so they are read and written back untouched
config = configparser.ConfigParser({}, collections.OrderedDict, interpolation=None)
config.read(os.path.expanduser('~/.cache/droidlysis/kit.conf'))

# Order all sections alphabetically (ConfigParser keeps them in a private dict)
config._sections = collections.OrderedDict(sorted(config._sections.items(), key=lambda t: t[0]))

with open('sorted.conf', 'w') as f:
    config.write(f)
```

## JEB script for smali properties

This script lets you search, from the JEB UI, for methods whose code matches a Smali pattern, and navigate straight to those functions. When you load the script and select the `details.md` file among the DroidLysis analysis files, a search box appears. Once you have navigated away, you can bring the search window up again with the recent-script shortcut:
- JEB > File > Scripts > Script selector > `script/DroidlysisSearch.py`
- JEB > File > Scripts > Run last Script

## Updates

- v3.4.6 - Detecting manifest feature that automatically loads APK at install
- v3.4.5 - Creating a writable user kit.conf file
- v3.4.4 - Bug fix #14
- v3.4.3 - Using configuration files
- v3.4.2 - Adding import of Exodus Privacy Trackers
- v3.4.1 - Removed dependency on Androguard
- v3.4.0 - Multidex support
- v3.3.1 - Improving detection of Base64 strings
- v3.3.0 - Dumping data to JSON
- v3.2.1 - IP address detection
- v3.2.0 - Dex2jar is optional
- v3.1.0 - Detection of Base64 strings
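As an added example tied to the Property patterns section above (not DroidLysis's own code), the following reads pattern definitions in the `smali.conf` format, matches them line by line against a constructed Smali disassembly, and returns both a properties dict in the shape of the `smali_properties` column and the list of hit locations that `autoanalysis.md` records. The three pattern entries are copied from this package's pattern definitions; the Smali snippet, file paths and function names are constructed assumptions.

```python
import configparser
import re

# Pattern definitions in the smali.conf format: [tag] section, regexp, description.
# The three entries are copied from this package's patterns; the file itself is constructed here.
SMALI_CONF = r"""
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[reflection]
pattern=Class;->forName|Method;->invoke|Class;->getDeclaredMethods|Method;->setAccessible|java/lang/ClassLoader;->loadClass|Class;->getMethod|java/lang/reflect/Constructor;->newInstance
description=Uses Java Reflection

[dex_class_loader]
pattern=DexClassLoader|PathClassLoader|InMemoryDexClassLoader
description=Potentially trying to silently run another DEX executable
"""

# Constructed Smali disassembly, keyed by file path as baksmali would lay it out.
SMALI_FILES = {
    "smali/com/example/app/MainActivity.smali": """\
.class public Lcom/example/app/MainActivity;
.method private notify(Ljava/lang/String;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
""",
    "smali/com/example/app/Loader.smali": """\
.class public Lcom/example/app/Loader;
.method public load(Ljava/lang/String;)V
    const-string v1, "com.example.Payload"
    invoke-static {v1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    return-void
.end method
""",
}


def load_patterns(conf_text):
    """Parse a smali.conf-style text into {tag: (compiled regexp, description)}."""
    # Patterns are regexps: disable % interpolation so configparser leaves them untouched.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    patterns = {}
    for tag in parser.sections():
        regexp = re.compile(parser.get(tag, "pattern"))
        patterns[tag] = (regexp, parser.get(tag, "description", fallback=""))
    return patterns


def scan(files, patterns):
    """Return (properties, locations).

    properties maps every tag to True/False, like the smali_properties column;
    locations lists (tag, path, line number, line) for each hit, like autoanalysis.md.
    """
    properties = {tag: False for tag in patterns}
    locations = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for tag, (regexp, _) in patterns.items():
                if regexp.search(line):
                    properties[tag] = True
                    locations.append((tag, path, lineno, line.strip()))
    return properties, locations


def autoanalysis(files, patterns):
    """Render the hits as Markdown bullet lines, one per detected location."""
    _, locations = scan(files, patterns)
    return "\n".join(
        f"- **{tag}** ({patterns[tag][1]}): {path}:{lineno} `{line}`"
        for tag, path, lineno, line in locations
    )


if __name__ == "__main__":
    pats = load_patterns(SMALI_CONF)
    props, _ = scan(SMALI_FILES, pats)
    print(props)
    print(autoanalysis(SMALI_FILES, pats))
```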
droidlysis-3.4.7/conf/arm.conf

[ch***]
pattern=chmod|chown|chgrp|chcon|chattr

[exec]
pattern=\w*(?getPassword description=Tries to get the password of the phone account

[airplane]
pattern=android.intent.action.AIRPLANE_MODE
description=Detects phone airplane mode

[android_id]
pattern=const-string v[0-9]*, "android_id"
description=Retrieves the Android ID

[andy]
pattern=fstab.andy|ueventd.andy.rc|/system/bin/andy-prop|/system/etc/init.andy.sh|/system/lib/egl/libEGL_andy.so
description=Andy emulator detection

[answer_call]
pattern=;->answerRingingCall
description=Answer a ringing call

[apkprotect]
pattern=APKProtect
description=Obfuscation with APKProtect

[base64]
pattern=Landroid/util/Base64;->
description=Uses Base64 encoder/decoder

[battery]
pattern=android.intent.action.BATTERY_CHANGED
description=Gets battery info (e.g. how charged, temperature)

[bluetooth]
description=Uses Bluetooth
pattern=BluetoothGatt|[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*

[bluestacks]
pattern=com.bluestacks|/sys/devices/virtual/misc/bst_gps|/sys/devices/virtual/misc/bst_ime|/sys/devices/virtual/misc/bstpgaipc|/sys/devices/platform/hd_power|/mnt/windows/BstSharedFolder|/system/bin/bstfolderd|/system/bin/bstsyncfs|/data/.bluestacks.prop|/system/lib/egl/libGLES_bst.so
description=Bluestacks emulator detection

[board]
pattern=Build;->BOARD
description=Retrieves hardware board information

[bookmarks]
pattern=BOOKMARKS_URI|Landroid/provider/Browser;->getAllBookmarks
description=Adds or reads bookmarks to the phone browser

[bootloader]
pattern=Build;->BOOTLOADER
description=Retrieves version of bootloader

[brand]
pattern=Build;->BRAND
description=Retrieves phone brand name

[busybox]
pattern=busybox
description=Uses busybox, probably to issue native shell commands or run other processes

[calendar]
description=Read calendar events or reminders
pattern=content://calendar|content://com.android/calendar/

[call]
pattern=ACTION_CALL|ACTION_DIAL|android.intent.action.CALL
description=Can place calls

[call_log]
pattern=android/provider/CallLog
description=Reads the call log

[camera]
pattern=Landroid/hardware/Camera;->open
description=Uses the phone camera

[check_permission]
pattern=Landroid/content/pm/PackageManager;->checkPermission|Landroid/content/Context;->checkPermission
description=Checks for given permissions

[class_loader]
pattern=Class;->getClassLoader
description=Get class loader. Can be used for reflection or dynamic class loading

[contacts]
pattern=android/provider/ContactsContract
description=Reads or lists phone contacts

[cookie_manager]
pattern=android/webkit/CookieManager;->
description=Looks into cookies

[cpu_abi]
pattern=Build;->CPU_ABI
description=Retrieves CPU ABI

[crc32]
pattern=java/util/zip/CRC32;->init
description=Computes CRC32

[c2dm]
pattern=intent.REGISTER|intent.UNREGISTER|Lcom/google/android/gcm/GCMRegistrar;->getRegistrationId
description=Registers or unregisters C2DM (Cloud to Device Messaging)

[debugger]
pattern=Debug;->isDebuggerConnected
description=Detects connected debugger

[device_admin]
pattern=DeviceAdminReceiver|isAdminActive
description=Creates or uses a device administrator app

[dex_class_loader]
pattern=DexClassLoader|PathClassLoader|InMemoryDexClassLoader
description=Potentially trying to silently run another DEX executable

[dex_file]
pattern=Ldalvik/system/DexFile;->
description=Manipulates DEX files

[dhcp_server]
pattern=Landroid/net/DhcpInfo;->serverAddress
description=Queries the address of a DHCP server

[dns]
pattern=Landroid/net/DhcpInfo;->dns
description=Queries the address of a DNS server

[doze_mode]
pattern=;->isIgnoringBatteryOptimizations|REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
description=Ignore battery optimizations (used to avoid running as foreground service)

[email]
pattern=EXTRA_EMAIL|EXTRA_SUBJECT|EXTRA_BCC|EXTRA_CC|extra\.SUBJECT|android/net/MailTo
description=Reading/writing or sending an email

[emulator]
pattern=15555215554|310260000000000|e21833235b6eef10|com.framgia.android.emulator
description=Emulator detection techniques

[encryption]
pattern=KeySpec|SecretKey|Cipher
description=Uses encryption

[end_call]
pattern=;->endCall
description=End a phone call

[execute_native]
pattern=Runtime;->exec|createSubprocess|Ljava/lang/ProcessBuilder;->start|android.os.Exec
description=Executes shell or native executables

[fingerprint]
pattern=Build;->FINGERPRINT
description=Retrieves hardware Build fingerprint

[genymotion]
pattern=/dev/socket/baseband_genyd|/dev/socket/genyd|genymotion
description=Detect GenyMotion emulator

[gesture]
pattern=android/accessibilityservice/GestureDescription|android/accessibilityservice/AccessibilityService;->dispatchGesture
description=Creating gestures on behalf of end-user

[get_accounts]
pattern=AccountManager;->getAccounts|ContactsContract\$CommonDataKinds\$Email|Patterns\$EMAIL_ADDRESS
description=Possibly trying to retrieve the phone operational email address

[get_active_network_info]
pattern=getActiveNetworkInfo
description=Returns details about the currently active default data network

[get_external_storage_stage]
pattern=Landroid/os/Environment;->getExternalStorageState
description=Reads storage state, possibly to tell if SD card mounted read-only or read-write

[get_imei]
pattern=getDeviceId
description=Retrieves phone IMEI

[get_imsi]
pattern=getSubscriberId
description=Retrieves user IMSI

[get_installed_packages]
pattern=PackageManager;->getInstalledPackages|PackageManager;->getInstalledApplications
description=Lists installed packages

[get_installer_package_name]
pattern=PackageManager;->getInstallerPackageName
description=Gives the name of the app which installed a given package

[get_line_number]
pattern=getLine1Number
description=Retrieves end user Phone number (line number)

[get_mac]
pattern=getMacAddress
description=Retrieves MAC address

[get_network_operator]
# this will also match NetworkOperatorName
pattern=getNetworkOperator
description=Retrieves Network operator

[get_package_info]
pattern=PackageManager;->getPackageInfo
description=Gets information on package

[get_sim_country_iso]
pattern=getSimCountryIso
description=Retrieves SIM country

[get_sim_operator]
pattern=getSimOperator
description=Retrieves SIM operator

[get_sim_serial_number]
pattern=getSimSerialNumber
description=Retrieves SIM serial number

[get_sim_slot_index]
pattern=SubscriptionInfo;->getSimSlotIndex
description=Get SIM slot index

[get_top_activity_component]
pattern=Landroid/app/ActivityManager\$RunningTaskInfo;->topActivity
description=Get the component of the top activity

[gps]
pattern=Location;->getLatitude|Location;->getLongitude|;->getCid|;->getLac|LocationManager;->getLastKnownLocation|TelephonyManager;->getCellLocation|LocationManager;->requestLocationUpdates|TelephonyManager;->getNeighboringCellInfo
description=Uses GPS location

[gzip]
pattern=java/util/zip/GZipOutputStream|java/util/zip/GZipInputStream
description=Reads or writes GZipped data

[hardware]
pattern=Build;->HARDWARE
description=Retrieves phone hardware information

[hide_softkeyboard]
pattern=hideSoftInputFromWindow
description=Hides software keyboard

[http]
pattern=HttpGet|HttpMessage|HttpRequest|URLConnection;->openConnection
description=Performs HTTP GET

[intent_chooser]
pattern=Intent;->createChooser
description=Uses intent chooser to ask end-user what application to use when a given event occurs (e.g which email app to use to send an email)

[ip_address]
pattern=Landroid/net/DhcpInfo;->ipAddress|getIpAddress|net/InetAddress;->getHostAddress
description=Retrieves the device IP address

[ip_properties]
pattern=Landroid/net/DhcpInfo;->netmask|Landroid/net/DhcpInfo;->gateway
description=Gets the netmask or gateway used by the device

[javascript]
pattern=Landroid/webkit/WebSettings;->setJavaScriptEnabled|Landroid/webkit/WebView;->addJavascriptInterface
description=Loads JavaScript in WebView

[jni]
pattern=JNIEnv| native |jclass|jmethodID|jfieldID|FindClass
description=Uses Java JNI

[json]
pattern=org/json/JSONObject
description=Uses JSON objects

[keyguard]
pattern=KeyguardManager\$KeyguardLock;->|FLAG_DISMISS_KEYGUARD|android/app/admin/DevicePolicyManager;->lockNow
description=Probably tries to unlock the phone

[kill_proc]
pattern=android/app/ActivityManager;->killBackgroundProcesses
description=Kills background process

[link_speed]
pattern=android/net/wifi/WifiInfo;->getLinkSpeed
description=Gets link speed for Wifi

[load_dex]
pattern=openDexFile|loadDex
description=Loads a DEX executable

[load_library]
pattern=System;->loadLibrary
description=Loads a native library

[logcat]
pattern=logcat
description=Inspects or manipulates system logs

[manufacturer]
pattern=Build;->MANUFACTURER
description=Retrieves hardware manufacturer name

[methodchannel]
pattern=io/flutter/plugin/common/MethodChannel;->
description=Communicates with Flutter layer

[microphone]
pattern=android/media/AudioManager;->setMicrophoneMute
description=Mutes the microphone

[misecurity]
pattern=com.miui.securitycenter
description=Checks presence, navigates to Mi Security Center or tries to disable security settings

[model]
pattern=Build;->MODEL
description=Retrieves hardware build model

[nop]
pattern= nop
description=DEX bytecode contains NOP instructions.

[nox]
pattern=fstab.nox|init.nox.rc|ueventd.nox.rc|com.bignox.app|nox-prop|nox-vbox-sf|noxspeedup|libnoxspeedup.so|libnoxd.so
description=NOX emulator detection

[obfuscation]
pattern=/a/a;->a|AESObfuscator-1
description=Obvious traces of code obfuscation

[open_non_asset]
pattern=openNonAsset
description=Opens a non asset file

[package_delete]
pattern=android.intent.action.DELETE
description=Uninstalls a package

[package_session]
pattern=PackageInstaller;->createSession|PackageInstaller;->openSession
description=Session-based package installer, potentially to bypass Restricted Settings

[package_sig]
pattern=PackageInfo;->signatures|GET_SIGNATURES
description=Reads signatures of packages

[pangxie]
pattern=PangXie
description=Uses PangXie obfuscation

[password]
pattern=android/app/admin/DevicePolicyManager;->resetPassword|android/app/admin/DevicePolicyManager;->clearResetPasswordToken|android/app/admin/DevicePolicyManager;->clearUserRestriction
description=Reset smartphone password

[perform_action]
pattern=android/view/accessibility/AccessibilityNodeInfo;->performAction|android/accessibilityservice/AccessibilityService;->performGlobalAction
description=Perform action (click, scroll etc) on behalf of end user

[phone_number]
pattern=android.intent.extra.PHONE_NUMBER
description=Retrieves an Incoming or outgoing phone number

[play_protect]
pattern=.security.settings.VerifyAppsSettingsActivity
description=Tries to launch or disable Google Play Protect

[post]
pattern=POST |HttpPost|"POST"|POST
description=Tries to perform an HTTP POST. There might be False Positives...

[product]
pattern=Build;->PRODUCT
description=Retrieves hardware build product

[receive_sms]
pattern=SmsReceiver|;->createFromPdu|SmsObserver|;->getOriginatingAddress|content://sms|SmsMessage|SMS_RECEIVED
description=Receiving SMS

[record]
pattern=android/media/AudioRecord;->startRecording
description=Records audio on the phone

[record_screen]
pattern=Landroid/media/projection/MediaProjection;->createVirtualDisplay
description=Records screen

[reflection]
pattern=Class;->forName|Method;->invoke|Class;->getDeclaredMethods|Method;->setAccessible|java/lang/ClassLoader;->loadClass|Class;->getMethod|java/lang/reflect/Constructor;->newInstance
description=Uses Java Reflection

[ringer]
pattern=android/media/AudioManager;->setRingerMode|android/media/AudioManager;->getRingerMode
description=Gets or sets ringer mode

[rooting]
pattern=com.amphoras.hidemyroot|com.amphoras.hidemyrootadfree|com.chelpus.lackypatch|com.cyanogenmod|com.devadvance.rootcloak|com.dimonvideo.luckypatcher|com.formyhm.hideroot|com.koushikdutta.rommanager|com.koushikdutta.superuser|com.noshufou.android.su|com.ramdroid.appquarantine|com.saurik.substrate|com.thirdparty.superuser|com.topjohnwu.magisk|com.yellowes.su|com.zachspong.temprootremovejb|de.robv.android.xposed.installer|eu.chainfire.supersu|io.github.huskydg.magisk|me.phh.superuser|me.weishu.kernelsu|org.lsposed.daemon|org.lsposed.manager|Superuser.apk
description=Searches for or uses applications typically installed on rooted phones.

[rssi]
pattern=android/net/wifi/WifiInfo;->getRssi
description=Gets Wifi RSSI

[scp]
pattern=const-string v[0-9]*, ".*scp.*"
description=Sends or retrieves files via SCP

[search_url]
pattern=Landroid/provider/Browser;->addSearchUrl
description=Adds a new search URL to the browser

[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[sensor]
pattern=android/hardware/SensorManager;->getSensorList|onSensorChanged
description=Lists hardware sensors or receives sensor events. Sometimes abused to check the phone is running in a sandbox.

[set_component]
pattern=PackageManager;->setComponentEnabledSetting
description=Might be trying to hide the application icon

[shortcut]
pattern=INSTALL_SHORTCUT
description=Adds a new app shortcut to the phone

[socket]
pattern=Ljava/net/Socket;->|java/net/ServerSocket;->accept
description=Creates a socket. Used to communicate...

[ssh]
pattern= const-string v[0-9]*, ".*ssh.*"
description=Application uses SSH

[ssl_pinning]
pattern= javax/net/ssl/X509TrustManager;->checkClientTrusted | javax/net/ssl/X509TrustManager;->checkServerTrusted | javax/net/ssl/X509TrustManager;->getAcceptedIssuers | javax/net/ssl/HostnameVerifier;->verify | okhttp/CertificatePinner;->check | okhttp3/CertificatePinner;->check | javax/net/ssl/HttpsURLConnection;->setDefaultHostnameVerifier | javax/net/ssl/HttpsURLConnection;->setSSLSocketFactory | javax/net/ssl/HttpsURLConnection;->setHostnameVerifier | android/webkit/WebViewClient;->onReceivedSslError | org/apache/cordova/CordovaWebViewClient;->onReceivedSslError
description=Application uses SSL Pinning to secure connection

[ssid]
pattern=android/net/wifi/WifiInfo;->getSSID
description=Retrieves SSID used by Wifi

[stacktrace]
pattern=Throwable;->getStackTrace
description=Get stack traces. Can be used as Anti Frida technique.
[su] pattern="su"|/system/xbin/daemonsu|/system/xbin/sugote|/vendor/bin/su|/odm/bin/su|/product/bin/su|/system/bin/.su|/system/xbin/.su|/system/app/Superuser.apk|/sbin/su|/system/bin/su|/system/xbin/su|/data/local/su|/su/bin/su|/data/local/bin/su|/data/local/xbin/su|/system/bin/.ext/su|/system/bin/failsafe/su|/system/sd/xbin/su|/system/usr/we-need-root/su|/cache/su|/data/su|/dev/su description=Uses Su. Perhaps to test if device is rooted. [substrate] pattern=com/saurik/substrate/MS description=Uses or refers to Saurik substrate [system_app] pattern=android/app/admin/DevicePolicyManager;->enableSystemApp description=System apps cannot be deleted, a feature which interests some malware... [tasks] pattern=android/app/ActivityManager;->getRunningTasks description=Lists running tasks [teamviewer] pattern=com.teamviewer.quicksupport.market description=Checks presence, navigates to or uses Team Viewer remote control app [uri] pattern=Landroid/net/Uri;->parse description=Parses a URL. Will usually just display the URL, but not post info. [url_history] pattern=Landroid/provider/Browser;->getAllVisitedUrls description=Gets all URLs the phone browser visited [user_agent] pattern=User-Agent description=Specifies a HTTP User Agent [uuid] pattern=UUID;->randomUUID description=Creates a random identifier. Used to identify the user. 
[version]
pattern=Build\$VERSION;->RELEASE|Build\$VERSION;->CODENAME
description=Retrieves the Android build version

[vibrate]
pattern=android/os/Vibrator;->vibrate
description=Uses phone vibrations

[vnd_package]
# The APK MIME type is application/vnd.android.package-archive (hyphen); the
# former package_archive spelling could not match it.
pattern=application/vnd.android.package-archive
description=Probably tries to install or load an app (APK MIME type)

[wakelock]
pattern=android/os/PowerManager\$WakeLock;->acquire()
description=Acquires a PowerManager WakeLock (typically used to keep malware running while the screen stays blank)

[wallpaper]
pattern=android/app/WallpaperManager;->getDrawable|android/app/WallpaperManager;->setBitmap
description=Gets or sets the current wallpaper

[webview]
pattern=Landroid/webkit/WebView;->loadUrl|;->setWebChromeClient
description=Loads a URL in a WebView. Widely used to display custom pages with JavaScript, sometimes malicious.

[wifi]
pattern=android/net/wifi/WifiManager;->setWifiEnabled|android/net/wifi/WifiManager;->isWifiEnabled|android/net/wifi/WifiManager;->startScan
description=Tests, toggles or scans for WiFi

[zip]
pattern=java/util/zip/ZipOutputStream|java/util/zip/ZipInputStream|java/util/zip/ZipEntry
description=Zips or unzips files

[2fa]
pattern=com.google.android.apps.authenticator2
description=Checks presence of the Google Authenticator 2FA app, navigates to it, or steals one-time codes

# file: droidlysis-3.4.7/conf/sortconf.py

import argparse
import configparser

DEFAULTSECT = 'default'


def get_arguments():
    parser = argparse.ArgumentParser(description="Sort conf files by alphabetic order of sections",
                                     prog='sortconf')
    parser.add_argument('-i', '--input', help='Input conf file', action='store', default='./kit.conf')
    parser.add_argument('-o', '--output', help='Output file', action='store', default='./sorted.conf')
    parser.add_argument('-v', '--verbose', help='get more detailed messages', action='store_true')
    args = parser.parse_args()
    return args


class OrderedRawConfigParser(configparser.RawConfigParser):
    """Overloads the standard configparser.RawConfigParser so that write()
    emits the sections, and the keys inside each section, in alphabetical order."""

    def __init__(self, defaults=None, dict_type=dict):
        # Pass the constructor arguments through (they were previously discarded).
        configparser.RawConfigParser.__init__(self, defaults=defaults, dict_type=dict_type)

    def write(self, fp):
        """Write an .ini-format representation of the configuration state."""
        if self._defaults:
            fp.write("[%s]\n" % DEFAULTSECT)
            for key in sorted(self._defaults):
                fp.write("%s = %s\n" % (key, str(self._defaults[key]).replace('\n', '\n\t')))
            fp.write("\n")
        # Sections are sorted, as the tool's description promises; iterating
        # self._sections directly would only preserve the input file's order.
        for section in sorted(self._sections):
            fp.write("[%s]\n" % section)
            for key in sorted(self._sections[section]):
                if key != "__name__":
                    fp.write("%s = %s\n" % (key, str(self._sections[section][key]).replace('\n', '\n\t')))
            fp.write("\n")


def main():
    args = get_arguments()
    parser = OrderedRawConfigParser()
    parser.read(args.input)
    with open(args.output, 'w') as output:
        parser.write(output)


if __name__ == "__main__":
    main()

# file: droidlysis-3.4.7/conf/wide.conf

[am_start]
pattern=am start
description=Starts an activity via a shell command

[android_wear]
pattern=Android\ Wear|android_wear
description=Uses or references Android Wear

[china_mobile]
pattern=cmwap|cmnet
description=Detects China Mobile network

[china_unicom]
pattern=uniwap|uninet
description=Detects China Unicom network

[china_telecom]
pattern=ctwap|ctnet
description=Detects China Telecom network

[coinhive]
pattern=CoinHive
description=CoinHive JavaScript SDK for mining Monero

[cryptocurrency]
pattern=CoinHive|crypta\.js|crypto-loot|ethereum|dogecoin|litecoin|bitcoin|ledger|blockchain|trezor
description=Uses cryptocurrencies

[cryptoloot]
pattern=crypta\.js|crypto-loot

[c2_anon]
pattern=portmap\.io|ngrok\.io
description=Port forwarding or secure tunneling service, often used to anonymize C2

[gps]
pattern=LocationManager
description=Use of GPS noticed in assets, libraries or other unusual directories

[javascript]
pattern=
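The pattern files above ([section], pattern=, description=) are plain INI files whose pattern values are regular expressions run over the disassembler's smali output. The following is an added example and not part of droidlysis: it loads a constructed excerpt in that same layout with configparser.RawConfigParser, compiles each section's regex and reports which sections fire on a handful of constructed smali lines. How it treats a section with no description (such as cryptoloot above) and a pattern that does not compile is the example's own choice, not a description of how droidlysis itself parses these files.

```python
import configparser
import re

# Constructed excerpt in the same [section] / pattern / description layout as
# the conf files above (not the project's own file). It includes an escaped
# "\$" in a smali class name, a section without a description, and a section
# whose pattern is deliberately invalid.
SAMPLE_CONF = r"""
[get_top_activity_component]
pattern=Landroid/app/ActivityManager\$RunningTaskInfo;->topActivity
description=Get the component of the top activity

[load_library]
pattern=System;->loadLibrary
description=Loads a native library

[reflection]
pattern=Class;->forName|Method;->invoke|Method;->setAccessible
description=Uses Java Reflection

[ssl_pinning]
pattern=javax/net/ssl/X509TrustManager;->checkServerTrusted|okhttp3/CertificatePinner;->check
description=Custom trust manager or certificate pinner

[cryptoloot]
pattern=crypta\.js|crypto-loot

[bad_regex]
pattern=const-string v[0-9
description=Constructed unterminated character class, must be reported
"""

# Constructed smali lines standing in for real disassembler output.
SAMPLE_SMALI = [
    'const-string v0, "native-lib"',
    'invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V',
    'invoke-static {v1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;',
    'invoke-virtual {v2, v3}, Ljava/lang/reflect/Method;->setAccessible(Z)V',
    'iget-object v4, v5, Landroid/app/ActivityManager$RunningTaskInfo;->topActivity:Landroid/content/ComponentName;',
    'invoke-interface {p0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V',
]


def load_patterns(conf_text):
    """Parse conf text into {section: (compiled_regex, description)}.

    RawConfigParser is used so a '%' inside a pattern is not treated as
    interpolation. A section without a description gets an empty string; a
    section whose pattern does not compile is returned separately instead of
    being dropped, because a silently broken regex means false negatives.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    compiled = {}
    errors = {}
    for section in parser.sections():
        pattern = parser.get(section, "pattern", fallback=None)
        if pattern is None:
            errors[section] = "missing pattern"
            continue
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            errors[section] = str(exc)
            continue
        compiled[section] = (regex, parser.get(section, "description", fallback=""))
    return compiled, errors


def scan_smali(lines, compiled):
    """Return {section: [1-based line numbers]} for every section that fires."""
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        for section, (regex, _desc) in compiled.items():
            if regex.search(line):
                hits.setdefault(section, []).append(lineno)
    return hits


def report(lines=SAMPLE_SMALI, conf_text=SAMPLE_CONF):
    """Scan the lines, print a summary and return (hits, errors) for callers."""
    compiled, errors = load_patterns(conf_text)
    hits = scan_smali(lines, compiled)
    for section in sorted(hits):
        desc = compiled[section][1] or "(no description)"
        print(f"{section:28s} lines {hits[section]}  {desc}")
    for section, err in sorted(errors.items()):
        print(f"{section:28s} SKIPPED: {err}")
    return hits, errors


if __name__ == "__main__":
    report()
```

Running it reports the sections that matched together with the line numbers, and lists bad_regex as skipped rather than letting it vanish; when editing real pattern files, that skipped list is the check to run before trusting a "no hits" result.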