Open-source static analysis tool androguard experience

Link: http://blog.csdn.net/xbalien29/article/details/21885297

Although Ida, VTS, and other tools in the free version of Windows can be used for static analysis, these tools are not suitable for manual analysis. However, for project development, great extensions are ignored. In androguard, It is very suitable for expansion or transplantation into a module of your own project. Although I have heard of it, I have only recently started to experience a few. Of course, androguard has been developed by many people again, including some websites that provide upload portals. This module is used for static analysis, and many static analysis tools are based on it, another apkinspector is also famous.

Androguard is mainly used for static analysis. It uses ded as The Decompilation software by default, and provides many modules for analysts. For the installation method of the Project address https://code.google.com/p/androguard/, see the Wiki section. If you have trouble downloading santoku, the system is customized with Ubuntu, which is mainly used for mobile devices, including many collection of analysis tools androguard and drozer, similar to Kali.

This is mainly for the preliminary use of several modules:

 

1. Androrisk. py this module is used to analyze the APK hazard level
2. Androapkinfo. py this module analyzes information such as the file type, permission, four components, and whether the APK is ndk reflected.
3. Androaxml. py this module is used to display APK androidmanifest. xml
4. Androgexf. py this module generates a function call Diagram
5. Apkviewer. py this module generates a command-level call Diagram
6. Androlyze. py this module is an interactive Analysis Environment

The following section uses a sample as the analysis target to demonstrate androguard's initial usage.  1. First, we first use androrisk. py to quickly determine whether the application is available. Use the following command./androrisk. py-I./sample.apk

 

It can be seen that five of the reflection permissions in this Dex are privacy permissions, two are charged, one is online, and three are short messages. These permissions are classified based on their own configuration files., located in. /tools/permissions/androidmanifest. XML

2. Based on the simple features, we can determine that the sample has a large permission, and then we can use androapkinfo. py and androaxml. py for analysis.

The following command is used:/androaxml. py-I./sample.apk./androapkinfo. py-I./sample.apk>./sample.apk.info

The former is just a display of androidmanifest. XML, while the latter has a lot of content. It is best to redirect it to VIM in the text to view it. The content is listed as follows (except for permissions and files ):

When I saw the information listed, I suddenly thought that the results of some websites were similar, so it was estimated that the results were integrated into the project. The list details can be used for reference.

3. Sometimes we need to analyze the function call process, then androgexf. py will be used./androgexf. py-I./sample.apk-o./sample.apk. gexf

The generation of an image, this picture we can open with gephi, http://gephi.org/users/download/

After opening, select the process Yifan Hu to run and generate the analysis graph:

Search for the calling process of the kc2011 class from the data file. Right-click the data file and choose "kc2011". Then, click "Overview" to see the process:

 

After that, I dragged it myself and the function process was clear. But I had some problems. It seems that I only judged the functions that were called by this function. The call sequence does not seem to be reflected, looks a little sad... I wonder if someone can give me some advice.

 

4. The above is the function-level call relationship, if you want to see the command level, you need apkviewer. py this module, this module needs networkx, install see the blog http://blog.csdn.net/flydirk/article/details/8506463

The command is as follows:./apkviewer. py-I./sample.apk-o./sample

This module generates a lot of images, corresponding to each class. Of course, there is also a summary call relationship diagram, which can be opened with gephi. Although it looks sad, it won't work. However, the call process implemented by this module is a good choice for future improvement.

5. The rest is the androlyze. py interactive module./androlyze. py-S

After entering the interaction window, we can use APK, D, DEX = analyzeapk ("./sample.apk ")

Obtain the APK object, Dex object, and analysis result object respectively.

For the operations on these objects, you can use the tab to list the corresponding methods. For details, see D and Dex.

For example, the APK object can get the corresponding information through get_xxxx, including files, permissions, components, etc. In fact, these functions are the core classes of androguard work. If you are interested, you can study them. code under/androguard/Core

X

In addition to the modules listed above, there are also several interesting modules: androsign. PY androcsign. py is used to check whether the APK information is in the database, and one is used to add some feature information of the APK to the database, similar to the feature library, while androdiff. py is used to compare the differences between two apks.

Open-source static analysis tool androguard experience