droidlysis-3.4.1/LICENSE

MIT License

Copyright (c) 2019

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
droidlysis-3.4.1/MANIFEST.in

include conf/*.conf
include conf/__init__.py

droidlysis-3.4.1/PKG-INFO

Metadata-Version: 2.1
Name: droidlysis
Version: 3.4.1
Summary: DroidLysis: pre-analysis of suspicious Android samples
Home-page: https://github.com/cryptax/droidlysis
Author: @cryptax
Author-email: aafortinet@gmail.com
License: MIT
Keywords: android malware reverse
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Development Status :: 3 - Alpha
Classifier: Operating System :: Unix
Classifier: Topic :: Software Development :: Disassemblers
Requires-Python: >=3.0
Description-Content-Type: text/markdown
License-File: LICENSE

# DroidLysis

DroidLysis is a **pre-analysis tool for Android apps**: it performs the repetitive and boring tasks we'd typically do at the beginning of any reverse engineering. It disassembles the Android sample, organizes the output in directories, and searches for suspicious spots in the code to look at. The output helps the reverse engineer speed up the first few steps of analysis.

DroidLysis can be used over Android packages (apk), Dalvik executables (dex), Zip files (zip), Rar files (rar) or directories of files.

## Quick setup

Can't wait to use DroidLysis? Then, use a Docker container:

```
$ docker pull cryptax/droidlysis:2023.02
$ docker run -it --rm -v /tmp/share:/share cryptax/droidlysis:2023.02 /bin/bash
$ cd /opt/droidlysis
$ python3 ./droidlysis3.py --help
```

## Installing DroidLysis

1. Install required system packages
2. Install Android disassembly tools
3. Get DroidLysis from the Git repository (preferred) or from pip
4. Configure `droidconfig.py`

Install required system packages:

```
sudo apt-get install default-jre git python3 python3-pip unzip wget libmagic-dev libxml2-dev libxslt-dev
```

Install Android disassembly tools: [Apktool](https://ibotpeaches.github.io/Apktool/), [Baksmali](https://bitbucket.org/JesusFreke/smali/downloads), and optionally [Dex2jar](https://github.com/pxb1988/dex2jar) and [Procyon](https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler) (note that Procyon only works with Java 8, not Java 11).

```
$ mkdir -p ~/softs
$ cd ~/softs
$ wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.7.0.jar
$ wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.5.2.jar
$ wget https://github.com/pxb1988/dex2jar/releases/download/v2.2-SNAPSHOT-2021-10-31/dex-tools-2.2-SNAPSHOT-2021-10-31.zip
$ unzip dex-tools-2.2-SNAPSHOT-2021-10-31.zip
$ rm -f dex-tools-2.2-SNAPSHOT-2021-10-31.zip
```

Install from Git in a Python virtual environment:

```
$ python3 -m venv venv
$ source ./venv/bin/activate
(venv) $ pip3 install git+https://github.com/cryptax/droidlysis
```

Run it:

```
cd droidlysis
./droidlysis --help
```

Alternatively, you can install DroidLysis directly from PyPi (`pip3 install droidlysis`).

## Configuration

If you used the default install commands & directories as specified above, you won't need any configuration. The configuration is extremely simple: you only need to tune `droidconfig.py`. Note that if you placed the tools in the default `~/softs` directory as I specified, you don't have to do anything: the tools will be automatically found in that location.

- `APKTOOL_JAR`: set the path to your apktool jar
- `BAKSMALI_JAR`: set the path to your baksmali jar
- `DEX2JAR_CMD`: set the path to the folder containing `d2j-dex2jar.sh`. If you did not install dex2jar, simply provide an invalid path here, for example pointing to a non-existent file.
- `PROCYON_JAR`: set the path to the procyon decompiler jar. If you don't want Procyon, leave this path pointing to a non-existent file.
- `INSTALL_DIR`: set the path to your DroidLysis instance. Do not forget to set this or DroidLysis won't work correctly!

By default, `droidconfig.py` searches for the tools at the following locations:

```python
APKTOOL_JAR = os.path.join(os.path.expanduser("~/softs"), "apktool_2.7.0.jar")
BAKSMALI_JAR = os.path.join(os.path.expanduser("~/softs"), "baksmali-2.5.2.jar")
DEX2JAR_CMD = os.path.join(os.path.expanduser("~/softs/dex-tools-2.1-SNAPSHOT"), "d2j-dex2jar.sh")
PROCYON_JAR = os.path.join(os.path.expanduser("~/softs"), "procyon-decompiler-0.5.36.jar")
INSTALL_DIR = os.path.expanduser("~/droidlysis")
```

Note that the default `DEX2JAR_CMD` expects a `dex-tools-2.1-SNAPSHOT` directory, whereas the install commands above unzip `dex-tools-2.2-SNAPSHOT-2021-10-31`: if you followed those commands, point `DEX2JAR_CMD` at the directory you actually unzipped, otherwise dex2jar will be treated as not installed.

Optionally, for a specific setup, you might need to tune the following too. Normally, the default options will work and you won't have to touch these:

- `SQLALCHEMY`: specify your SQL database.
- `KEYTOOL`: absolute path of `keytool`, which generally ships with Java
- `SMALI_CONFIGFILE`: smali patterns
- `WIDE_CONFIGFILE`: resource patterns
- `ARM_CONFIGFILE`: ARM executable patterns
- `KIT_CONFIGFILE`: 3rd party SDK patterns

## Usage

DroidLysis uses **Python 3**. To launch it and get options:

```
droidlysis --help
```

For example, test it on [Signal's APK](https://signal.org/android/apk/):

```
droidlysis --input Signal-website-universal-release-4.52.4.apk --output /tmp
```

![](./images/example.png)

DroidLysis outputs:

- A summary on the console (see image above)
- The unzipped, pre-processed sample in a subdirectory of your output dir. The subdirectory is named using the sample's filename and sha256 sum. For example, if we analyze the Signal application and set `--output /tmp`, the analysis will be written to `/tmp/Signalwebsiteuniversalrelease4.52.4.apk-f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290`.
- A database (by default, SQLite `droidlysis.db`) containing the properties it noticed.
## Options

Get usage with `droidlysis --help`

- The input can be a file or a directory of files to recursively look into. DroidLysis knows how to process Android packages, DEX, ODEX and ARM executables, ZIP, RAR. DroidLysis won't fail on other types of files (unless there is a bug...) but won't be able to understand the content.
- When processing directories of files, it is typically quite helpful to move processed samples to another location to know what has been processed. This is handled by option `--movein`. Also, if you are only interested in statistics, you should probably clear the output directory which contains detailed information for each sample: this is option `--clearoutput`. If you want to store all statistics in a SQL database, use `--enable-sql` (see [here](#sqlite_database))
- DEX decompilation is quite long with Procyon, so this option is *disabled* by default. If you want to decompile to Java, use `--enable-procyon`.
- DroidLysis's analysis does not inspect known 3rd party SDKs by default, i.e. it won't report any suspicious activity from these. If you want them to be inspected, use option `--no-kit-exception`. This usually creates many more detected properties for the sample, as SDKs (e.g. advertisement) use lots of flagged APIs (get GPS location, get IMEI, get IMSI, HTTP POST...).

## Sample output directory (`--output DIR`)

This directory contains (when applicable):

- A readable `AndroidManifest.xml`
- Readable resources in `res`
- Libraries `lib`, assets `assets`
- Disassembled Smali code: `smali` (and others)
- Package meta information: `META-INF`
- Package contents when simply unzipped in `./unzipped`
- DEX executable `classes.dex` (and others), and converted to jar: `classes-dex2jar.jar`, and unjarred in `./unjarred`

The following files are generated by DroidLysis:

- `autoanalysis.md`: lists each pattern DroidLysis detected and where.
- `report.md`: same as what was printed on the console

If you do not need the sample output directory to be generated, use the option `--clearoutput`.

## SQLite database{#sqlite_database}

If you want to process a directory of samples, you'll probably like to store the properties DroidLysis found in a database, to easily parse and query the findings. In that case, use the option `--enable-sql`. This will automatically dump all results in a database named `droidlysis.db`, in a table named `samples`. Each row of the table corresponds to a given sample, and each column to a property DroidLysis tracks.

For example, to retrieve the filename, SHA256 sum and smali properties of every sample in the database:

```
sqlite> select sha256, sanitized_basename, smali_properties from samples;
f3c7d5e38df23925dd0b2fe1f44bfa12bac935a6bc8fe3a485a4436d4487a290|Signalwebsiteuniversalrelease4.52.4.apk|{"send_sms": true, "receive_sms": true, "abort_broadcast": true, "call": false, "email": false, "answer_call": false, "end_call": true, "phone_number": false, "intent_chooser": true, "get_accounts": true, "contacts": false, "get_imei": true, "get_external_storage_stage": false, "get_imsi": false, "get_network_operator": false, "get_active_network_info": false, "get_line_number": true, "get_sim_country_iso": true, ...
```

## Property patterns

What DroidLysis detects can be configured and extended in the files of the `./conf` directory. A pattern consists of:

- a **tag** name: example `send_sms`. This is to name the property. Must be unique across the `.conf` file.
- a **pattern**: this is a regexp to be matched. Ex: `;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage`. In the `smali.conf` file, this regexp is matched against Smali code. In this particular case, there are 3 different ways to send SMS messages from the code: sendTextMessage, sendMultipartTextMessage and sendDataMessage.
- a **description** (optional): explains the importance of the property and what it means.
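The matching loop that these three fields drive, written out as an added example (this is not DroidLysis code; it only mirrors the documented behaviour): a pattern file in the same `tag` / `pattern` / `description` layout as `smali.conf` is read with `configparser`, every regexp is run over disassembled Smali lines, and the result is a tag-to-boolean map shaped like the `smali_properties` column shown in the SQLite section, plus a `(file, line)` list per tag for an `autoanalysis.md`-style "what was detected and where" report. The conf excerpt, the Smali lines and the `com/adsdk/` SDK package are constructed for this example, and the kit-exception handling (skipping files under a known SDK prefix unless asked otherwise, as `--no-kit-exception` does) is an assumed simplification: DroidLysis keeps its SDK patterns in `kit.conf`, whose format is not reproduced here.

```python
import configparser
import re

# Constructed excerpt in the conf/smali.conf layout: one section per property,
# a regexp under "pattern" and an optional "description".
PATTERN_CONF = """
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[get_imei]
pattern=getDeviceId
description=Retrieves phone IMEI

[dex_class_loader]
pattern=DexClassLoader|PathClassLoader|InMemoryDexClassLoader
description=Potentially trying to silently run another DEX executable
"""

# Constructed Smali lines in baksmali's output syntax, keyed by the file they
# came from. "com/adsdk/" stands in for a third-party SDK package (a "kit").
SMALI_FILES = {
    "smali/com/example/app/MainActivity.smali": [
        "    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->"
        "sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
        "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
        "    new-instance v0, Ldalvik/system/DexClassLoader;",
    ],
    "smali/com/adsdk/Tracker.smali": [
        "    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    ],
}

# Assumed stand-in for kit.conf: path prefixes of known SDKs (constructed).
KIT_PREFIXES = ("smali/com/adsdk/",)


def load_patterns(conf_text):
    """Parse conf text into {tag: (compiled regexp, description)}."""
    parser = configparser.RawConfigParser()  # Raw: no '%' interpolation inside regexps
    parser.read_string(conf_text)
    patterns = {}
    for tag in parser.sections():
        regexp = re.compile(parser.get(tag, "pattern"))
        description = parser.get(tag, "description", fallback="")
        patterns[tag] = (regexp, description)
    return patterns


def scan_smali(patterns, smali_files, kit_exception=True):
    """Return (properties, hits).

    properties maps every tag to True/False (the smali_properties shape);
    hits maps tag -> [(file, line number)] so a report can say where it matched.
    With kit_exception=True, files under a known SDK prefix are skipped, which
    mirrors the default of not reporting third-party SDK code.
    """
    properties = {tag: False for tag in patterns}
    hits = {tag: [] for tag in patterns}
    for path, lines in smali_files.items():
        if kit_exception and path.startswith(KIT_PREFIXES):
            continue
        for number, line in enumerate(lines, start=1):
            for tag, (regexp, _) in patterns.items():
                if regexp.search(line):
                    properties[tag] = True
                    hits[tag].append((path, number))
    return properties, hits


def autoanalysis_markdown(patterns, hits):
    """Render the detected tags, with their locations, as a markdown list."""
    out = []
    for tag, places in hits.items():
        if places:
            out.append("- **%s** (%s)" % (tag, patterns[tag][1]))
            for path, number in places:
                out.append("  - %s:%d" % (path, number))
    return "\n".join(out)


if __name__ == "__main__":
    pats = load_patterns(PATTERN_CONF)
    props, where = scan_smali(pats, SMALI_FILES)          # default: SDK code skipped
    print(props)
    print(autoanalysis_markdown(pats, where))
    props_all, _ = scan_smali(pats, SMALI_FILES, kit_exception=False)
    print(props_all)                                      # get_imei now flagged
```

With the default kit exception the `getDeviceId` call inside the SDK file is ignored and `get_imei` stays false; running with `kit_exception=False` flags it, which is the "many more detected properties" effect the Options section warns about.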
```
[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages
```

## To do

- Remove the "caution: filename not matched: classes6.dex" which occurs at file extraction in `droidsample.py`

## Updates

- v3.4.1 - Removed dependency to Androguard
- v3.4.0 - Multidex support
- v3.3.1 - Improving detection of Base64 strings
- v3.3.0 - Dumping data to JSON
- v3.2.1 - IP address detection
- v3.2.0 - Dex2jar is optional
- v3.1.0 - Detection of Base64 strings
droidlysis-3.4.1/conf/__init__.py (empty file)

droidlysis-3.4.1/conf/arm.conf

```ini
[ch***]
pattern=chmod|chown|chgrp|chcon|chattr

[exec]
pattern=\w*(?
```

(The archive dump is cut here: the rest of `arm.conf`, including the end of that pattern, and the beginning of the Smali pattern file are missing; the Smali patterns resume in the middle of a section.)

```ini
getPassword
description=Tries to get the password of the phone account

[airplane]
pattern=android.intent.action.AIRPLANE_MODE
description=Detects phone airplane mode

[android_id]
pattern=const-string v[0-9]*, "android_id"
description=Retrieves the Android ID

[andy]
pattern=fstab.andy|ueventd.andy.rc
description=Andy emulator detection

[answer_call]
pattern=;->answerRingingCall
description=Answer a ringing call

[apkprotect]
pattern=APKProtect
description=Obfuscation with APKProtect

[base64]
pattern=Landroid/util/Base64;->
description=Uses Base64 encoder/decoder

[battery]
pattern=android.intent.action.BATTERY_CHANGED
description=Gets battery info (e.g. how charged, temperature)

[bluetooth]
description=Uses Bluetooth
pattern=BluetoothGatt|[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*

[bluestacks]
pattern=com.bluestacks
description=Bluestacks emulator detection

[board]
pattern=Build;->BOARD
description=Retrieves hardware board information

[bookmarks]
pattern=BOOKMARKS_URI|Landroid/provider/Browser;->getAllBookmarks
description=Adds or reads bookmarks to the phone browser

[bootloader]
pattern=Build;->BOOTLOADER
description=Retrieves version of bootloader

[brand]
pattern=Build;->BRAND
description=Retrieves phone brand name

[busybox]
pattern=busybox
description=Uses busybox, probably to issue native shell commands or run other processes

[calendar]
description=Read calendar events or reminders
pattern=content://calendar|content://com.android/calendar/

[call]
pattern=ACTION_CALL|ACTION_DIAL|android.intent.action.CALL
description=Can place calls

[call_log]
pattern=android/provider/CallLog
description=Reads the call log

[camera]
pattern=Landroid/hardware/Camera;->open
description=Uses the phone camera

[check_permission]
pattern=Landroid/content/pm/PackageManager;->checkPermission|Landroid/content/Context;->checkPermission
description=Checks for given permissions

[class_loader]
pattern=Class;->getClassLoader
description=Get class loader. Can be used for reflection or dynamic class loading

[contacts]
pattern=android/provider/ContactsContract
description=Reads or lists phone contacts

[cookie_manager]
pattern=android/webkit/CookieManager;->
description=Looks into cookies

[cpu_abi]
pattern=Build;->CPU_ABI
description=Retrieves CPU ABI

[crc32]
# a constructor is named <init> in Smali; a bare "init" would never match
pattern=java/util/zip/CRC32;-><init>
description=Computes CRC32

[c2dm]
pattern=intent.REGISTER|intent.UNREGISTER|Lcom/google/android/gcm/GCMRegistrar;->getRegistrationId
description=Registers or unregisters C2DM (Cloud to Device Messaging)

[debugger]
pattern=Debug;->isDebuggerConnected
description=Detects connected debugger

[device_admin]
pattern=DeviceAdminReceiver|isAdminActive
description=Creates or uses a device administrator app

[dex_class_loader]
pattern=DexClassLoader|PathClassLoader|InMemoryDexClassLoader
description=Potentially trying to silently run another DEX executable

[dex_file]
pattern=Ldalvik/system/DexFile;->
description=Manipulates DEX files

[dhcp_server]
pattern=Landroid/net/DhcpInfo;->serverAddress
description=Queries the address of a DHCP server

[dns]
pattern=Landroid/net/DhcpInfo;->dns
description=Queries the address of a DNS server

[doze_mode]
pattern=;->isIgnoringBatteryOptimizations|REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
description=Ignore battery optimizations (used to avoid running as foreground service)

[email]
pattern=EXTRA_EMAIL|EXTRA_SUBJECT|EXTRA_BCC|EXTRA_CC|extra\.SUBJECT|android/net/MailTo
description=Reading/writing or sending an email

[emulator]
pattern=15555215554|310260000000000|e21833235b6eef10|com.framgia.android.emulator
description=Emulator detection techniques

[encryption]
pattern=KeySpec|SecretKey|Cipher
description=Uses encryption

[end_call]
pattern=;->endCall
description=End a phone call

[execute_native]
pattern=Runtime;->exec|createSubprocess|Ljava/lang/ProcessBuilder;->start|android.os.Exec
description=Executes shell or native executables

[fingerprint]
pattern=Build;->FINGERPRINT
description=Retrieves hardware Build fingerprint

[genymotion]
pattern=/dev/socket/baseband_genyd|/dev/socket/genyd|genymotion
description=Detect GenyMotion emulator

[get_accounts]
pattern=AccountManager;->getAccounts|ContactsContract\$CommonDataKinds\$Email|Patterns\$EMAIL_ADDRESS
description=Possibly trying to retrieve the phone operational email address

[get_active_network_info]
# the API is ConnectivityManager.getActiveNetworkInfo(); the earlier "getActivateNetworkInfo" spelling never matched
pattern=getActiveNetworkInfo
description=Returns details about the currently active default data network

[get_external_storage_stage]
pattern=Landroid/os/Environment;->getExternalStorageState
description=Reads storage state, possibly to tell if SD card mounted read-only or read-write

[get_imei]
pattern=getDeviceId
description=Retrieves phone IMEI

[get_imsi]
pattern=getSubscriberId
description=Retrieves user IMSI

[get_installed_packages]
pattern=PackageManager;->getInstalledPackages|PackageManager;->getInstalledApplications
description=Lists installed packages

[get_installer_package_name]
pattern=PackageManager;->getInstallerPackageName
description=Gives the name of the app which installed a given package

[get_line_number]
pattern=getLine1Number
description=Retrieves end user Phone number (line number)

[get_mac]
pattern=getMacAddress
description=Retrieves MAC address

[get_network_operator]
# this will also match NetworkOperatorName
pattern=getNetworkOperator
description=Retrieves Network operator

[get_package_info]
pattern=PackageManager;->getPackageInfo
description=Gets information on package

[get_sim_country_iso]
pattern=getSimCountryIso
description=Retrieves SIM country

[get_sim_operator]
pattern=getSimOperator
description=Retrieves SIM operator

[get_sim_serial_number]
pattern=getSimSerialNumber
description=Retrieves SIM serial number

[get_sim_slot_index]
pattern=SubscriptionInfo;->getSimSlotIndex
description=Get SIM slot index

[get_top_activity_component]
pattern=Landroid/app/ActivityManager\$RunningTaskInfo;->topActivity
description=Get the component of the top activity

[gps]
pattern=Location;->getLatitude|Location;->getLongitude|;->getCid|;->getLac|LocationManager;->getLastKnownLocation|TelephonyManager;->getCellLocation|LocationManager;->requestLocationUpdates|TelephonyManager;->getNeighboringCellInfo
description=Uses GPS location

[gzip]
# the Java classes are spelled GZIPInputStream/GZIPOutputStream (Smali is case-sensitive)
pattern=java/util/zip/GZIPOutputStream|java/util/zip/GZIPInputStream
description=Reads or writes GZipped data

[hardware]
pattern=Build;->HARDWARE
description=Retrieves phone hardware information

[hide_softkeyboard]
pattern=hideSoftInputFromWindow
description=Hides software keyboard

[http]
pattern=HttpGet|HttpMessage|HttpRequest|URLConnection;->openConnection
description=Performs HTTP GET

[intent_chooser]
pattern=Intent;->createChooser
description=Uses intent chooser to ask end-user what application to use when a given event occurs (e.g which email app to use to send an email)

[ip_address]
pattern=Landroid/net/DhcpInfo;->ipAddress|getIpAddress|net/InetAddress;->getHostAddress
description=Retrieves the device IP address

[ip_properties]
pattern=Landroid/net/DhcpInfo;->netmask|Landroid/net/DhcpInfo;->gateway
description=Gets the netmask or gateway used by the device

[javascript]
pattern=Landroid/webkit/WebSettings;->setJavaScriptEnabled|Landroid/webkit/WebView;->addJavascriptInterface
description=Loads JavaScript in WebView

[jni]
pattern=JNIEnv| native |jclass|jmethodID|jfieldID|FindClass
description=Uses Java JNI

[json]
pattern=org/json/JSONObject
description=Uses JSON objects

[keyguard]
pattern=KeyguardManager\$KeyguardLock;->|FLAG_DISMISS_KEYGUARD|android/app/admin/DevicePolicyManager;->lockNow
description=Probably tries to unlock the phone

[kill_proc]
pattern=android/app/ActivityManager;->killBackgroundProcesses
description=Kills background process

[link_speed]
pattern=android/net/wifi/WifiInfo;->getLinkSpeed
description=Gets link speed for Wifi

[load_dex]
pattern=openDexFile|loadDex
description=Loads a DEX executable

[load_library]
pattern=System;->loadLibrary
description=Loads a native library

[logcat]
pattern=logcat
description=Inspects or manipulates system logs

[manufacturer]
pattern=Build;->MANUFACTURER
description=Retrieves hardware manufacturer name

[microphone]
pattern=android/media/AudioManager;->setMicrophoneMute
description=Mutes the microphone

[model]
pattern=Build;->MODEL
description=Retrieves hardware build model

[nop]
pattern= nop
description=DEX bytecode contains NOP instructions.

[nox]
pattern=fstab.nox|init.nox.rc|ueventd.nox.rc|com.bignox.app
description=NOX emulator detection

[obfuscation]
pattern=/a/a;->a|AESObfuscator-1
description=Obvious traces of code obfuscation

[open_non_asset]
pattern=openNonAsset
description=Opens a non asset file

[package_delete]
pattern=android.intent.action.DELETE
description=Uninstalls a package

[package_sig]
pattern=PackageInfo;->signatures|GET_SIGNATURES
description=Reads signatures of packages

[pangxie]
pattern=PangXie
description=Uses PangXie obfuscation

[password]
pattern=android/app/admin/DevicePolicyManager;->resetPassword|android/app/admin/DevicePolicyManager;->clearResetPasswordToken|android/app/admin/DevicePolicyManager;->clearUserRestriction
description=Reset smartphone password

[phone_number]
pattern=android.intent.extra.PHONE_NUMBER
description=Retrieves an Incoming or outgoing phone number

[play_protect]
pattern=.security.settings.VerifyAppsSettingsActivity
description=Tries to launch or disable Google Play Protect

[post]
pattern=POST |HttpPost|"POST"|POST
description=Tries to perform an HTTP POST. There might be False Positives...
[product]
pattern=Build;->PRODUCT
description=Retrieves hardware build product

[receive_sms]
pattern=SmsReceiver|;->createFromPdu|SmsObserver|;->getOriginatingAddress|content://sms|SmsMessage|SMS_RECEIVED
description=Receiving SMS

[record]
pattern=android/media/AudioRecord;->startRecording
description=Records audio on the phone

[record_screen]
pattern=Landroid/media/projection/MediaProjection;->createVirtualDisplay
description=Records screen

[reflection]
pattern=Class;->forName|Method;->invoke|Class;->getDeclaredMethods|Method;->setAccessible|java/lang/ClassLoader;->loadClass|Class;->getMethod|java/lang/reflect/Constructor;->newInstance
description=Uses Java Reflection

[ringer]
pattern=android/media/AudioManager;->setRingerMode|android/media/AudioManager;->getRingerMode
description=Gets or sets ringer mode

[rooting]
pattern=com.cyanogenmod|com.noshufou.android.su|Superuser.apk|eu.chainfire.supersu|com.koushikdutta.superuser|com.zachspong.temprootremovejb|com.thirdparty.superuser
description=Searches for or uses applications typically installed on rooted phones.

[rssi]
pattern=android/net/wifi/WifiInfo;->getRssi
description=Gets Wifi RSSI

[scp]
pattern=const-string v[0-9]*, ".*scp.*"
description=Sends or retrieves files via SCP

[search_url]
pattern=Landroid/provider/Browser;->addSearchUrl
description=Adds a new search URL to the browser

[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[sensor]
pattern=android/hardware/SensorManager;->getSensorList|onSensorChanged
description=Lists hardware sensors or receives sensor events. Sometimes abused to check the phone is running in a sandbox.

[set_component]
pattern=PackageManager;->setComponentEnabledSetting
description=Might be trying to hide the application icon

[shortcut]
pattern=INSTALL_SHORTCUT
description=Adds a new app shortcut to the phone

[socket]
pattern=Ljava/net/Socket;->|java/net/ServerSocket;->accept
description=Creates a socket. Used to communicate...

[ssh]
pattern= const-string v[0-9]*, ".*ssh.*"
description=Application uses SSH

[ssid]
pattern=android/net/wifi/WifiInfo;->getSSID
description=Retrieves SSID used by Wifi

[stacktrace]
pattern=Throwable;->getStackTrace
description=Get stack traces. Can be used as Anti Frida technique.

[su]
pattern="su"|/system/xbin/daemonsu|/system/xbin/sugote
description=Uses Su. Perhaps to test if device is rooted.

[substrate]
pattern=com/saurik/substrate/MS
description=Uses or refers to Saurik substrate

[system_app]
pattern=android/app/admin/DevicePolicyManager;->enableSystemApp
description=System apps cannot be deleted, a feature which interests some malware...

[tasks]
pattern=android/app/ActivityManager;->getRunningTasks
description=Lists running tasks

[uri]
pattern=Landroid/net/Uri;->parse
description=Parses a URL. Will usually just display the URL, but not post info.

[url_history]
pattern=Landroid/provider/Browser;->getAllVisitedUrls
description=Gets all URLs the phone browser visited

[user_agent]
pattern=User-Agent
description=Specifies a HTTP User Agent

[uuid]
pattern=UUID;->randomUUID
description=Creates a random identifier. Used to identify the user.

[version]
pattern=Build\$VERSION;->RELEASE|Build\$VERSION;->CODENAME
description=Build version

[vibrate]
pattern=android/os/Vibrator;->vibrate
description=Uses phone vibrations

[vnd_package]
pattern=application/vnd.android.package_archive
description=Probably tries to load an app

[wakelock]
pattern=android/os/PowerManager\$WakeLock;->acquire()
description=Get PowerManager WakeLock (typically used to conceal a running malware while keeping screen blank)

[wallpaper]
pattern=android/app/WallpaperManager;->getDrawable|android/app/WallpaperManager;->setBitmap
description=Gets or sets the current wallpaper

[webview]
pattern=Landroid/webkit/WebView;->loadUrl|;->setWebChromeClient
description=Displays a URL in the WebView. Very much used to display custom pages with JavaScript, sometimes malicious...
[wifi]
pattern=android/net/wifi/WifiManager;->setWifiEnabled|android/net/wifi/WifiManager;->isWifiEnabled|android/net/wifi/WifiManager;->startScan
description=Tests or scans for WiFi

[zip]
pattern=java/util/zip/ZipOutputStream|java/util/zip/ZipInputStream|java/util/zip/ZipEntry
description=Zips or unzips files

droidlysis-3.4.1/conf/sortconf.py

import argparse
import configparser

DEFAULTSECT = 'default'


def get_arguments():
    parser = argparse.ArgumentParser(description="Sort conf files by alphabetic order of sections",
                                     prog='sortconf')
    parser.add_argument('-i', '--input', help='Input conf file', action='store', default='./kit.conf')
    parser.add_argument('-o', '--output', help='Output file', action='store', default='./sorted.conf')
    parser.add_argument('-v', '--verbose', help='get more detailed messages', action='store_true')
    args = parser.parse_args()
    return args


class OrderedRawConfigParser(configparser.RawConfigParser):
    """Overload the standard class configparser.RawConfigParser so that
    write() emits sections, and the keys inside each section, in
    alphabetical order."""

    def __init__(self, defaults=None, dict_type=dict):
        # pass the caller's arguments through instead of discarding them
        configparser.RawConfigParser.__init__(self, defaults=defaults, dict_type=dict_type)

    def write(self, fp):
        """Write an .ini-format representation of the configuration state."""
        if self._defaults:
            fp.write("[%s]\n" % DEFAULTSECT)
            for key in sorted(self._defaults):
                fp.write("%s = %s\n" % (key, str(self._defaults[key]).replace('\n', '\n\t')))
            fp.write("\n")
        # sections sorted alphabetically, as the tool's description promises
        for section in sorted(self._sections):
            fp.write("[%s]\n" % section)
            for key in sorted(self._sections[section]):
                if key != "__name__":
                    fp.write("%s = %s\n" % (key, str(self._sections[section][key]).replace('\n', '\n\t')))
            fp.write("\n")


def main():
    args = get_arguments()
    parser = OrderedRawConfigParser()
    parser.read(args.input)
    with open(args.output, 'w') as output:
        parser.write(output)


if __name__ == "__main__":
    main()

droidlysis-3.4.1/conf/wide.conf

[am_start]
pattern=am start
description=Starts an activity via shell command

[android_wear]
pattern=Android\ Wear|android_wear
description=Uses or references Android Wear

[china_mobile]
pattern=cmwap|cmnet
description=Detects China Mobile network

[china_unicom]
pattern=uniwap|uninet
description=Detects China Unicom network

[china_telecom]
pattern=ctwap|ctnet
description=Detects China Telecom network

[coinhive]
pattern=CoinHive
description=CoinHive JavaScript SDK for mining Monero

[cryptocurrency]
pattern=CoinHive|crypta\.js|crypto-loot|ethereum|dogecoin|litecoin|bitcoin|ledger|blockchain|trezor
description=Uses cryptocurrencies

[cryptoloot]
pattern=crypta\.js|crypto-loot

[c2_anon]
pattern=portmap\.io|ngrok\.io
description=Port forwarding or secure tunneling service - often used to anonymize C2

[gps]
pattern=LocationManager
description=Use of GPS noticed in assets, libraries or other unusual directories

[javascript]
pattern=
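smali.conf and wide.conf share one rule format: every [section] carries a regular expression in `pattern` and a free-text `description`, and a section "fires" when its regex matches somewhere in the disassembled code. The following is an added example, not droidlysis code, showing how such rules are loaded with configparser (as conf/sortconf.py does) and run over smali. SAMPLE_CONF copies five entries from the page; SAMPLE_SMALI is a constructed listing for a hypothetical class, and the function names are this example's own.

```python
"""Added example (not droidlysis code): load rules written in the format of
conf/smali.conf and conf/wide.conf and run them over disassembled smali.

Each [section] carries a regex in `pattern` and a free-text `description`;
a section fires when the regex matches anywhere in the input. The conf
excerpt below copies five entries from the page; the smali is constructed."""
import configparser
import re

# Constructed excerpt in the page's conf format (entries copied from smali.conf).
SAMPLE_CONF = r"""
[nop]
pattern= nop
description=DEX bytecode contains NOP instructions.

[send_sms]
pattern=;->sendTextMessage|;->sendMultipartTextMessage|SmsManager;->sendDataMessage
description=Sending SMS messages

[su]
pattern="su"|/system/xbin/daemonsu|/system/xbin/sugote
description=Uses su, perhaps to test if the device is rooted.

[version]
pattern=Build\$VERSION;->RELEASE|Build\$VERSION;->CODENAME
description=Build version

[wakelock]
pattern=android/os/PowerManager\$WakeLock;->acquire()
description=Acquires a PowerManager WakeLock
"""

# Constructed smali listing for a hypothetical class (not from any real sample).
SAMPLE_SMALI = "\n".join([
    ".class public Lcom/example/Worker;",
    ".method public run()V",
    '    const-string v0, "su"',
    "    invoke-virtual {v2, v0}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;",
    "    sget-object v1, Landroid/os/Build$VERSION;->RELEASE:Ljava/lang/String;",
    "    nop",
    "    invoke-virtual {p1, v3, v4}, Landroid/os/PowerManager$WakeLock;->acquire(J)V",
    "    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage("
    "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
    "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
    "    return-void",
    ".end method",
])


def load_patterns(conf_text):
    """Return {section: (compiled regex, description)} from conf text.

    RawConfigParser is used, as conf/sortconf.py does: it performs no '%'
    interpolation, so '$' and '%' inside patterns are safe. configparser
    strips values, so 'pattern= nop' is read back as 'nop'.
    """
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    rules = {}
    for section in cp.sections():
        regex = re.compile(cp.get(section, "pattern"))
        rules[section] = (regex, cp.get(section, "description", fallback=""))
    return rules


def scan(smali_text, rules):
    """Return {section: [1-based line numbers]} for every rule that matches."""
    hits = {}
    for lineno, line in enumerate(smali_text.splitlines(), start=1):
        for name, (regex, _description) in rules.items():
            if regex.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def report(hits, rules):
    """Format hits as 'section: description (lines ...)' strings, sorted by section."""
    return ["%s: %s (lines %s)" % (name, rules[name][1], ", ".join(map(str, lines)))
            for name, lines in sorted(hits.items())]


if __name__ == "__main__":
    loaded = load_patterns(SAMPLE_CONF)
    for line in report(scan(SAMPLE_SMALI, loaded), loaded):
        print(line)
```

Two caveats the run makes visible. The leading space in `pattern= nop` does not survive configparser, so that rule is really the bare regex `nop` and will also hit any identifier containing those three letters. And `acquire()` in the wakelock rule is a regex with an empty group, not a literal call with no arguments, so it matches the timed `acquire(J)V` in the listing as well; to match parentheses literally a pattern needs `\(\)`.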