androguard feature analysis and customization

0x00 Preface

androguard is an excellent open-source static analysis tool for Android APKs, written in Python. It runs only on Linux, because several of the Python libraries it depends on are Linux-only, and even on Linux the tangled dependency tree makes installation painful. The good news is that santoku already bundles it, so there is nothing to fight with: on santoku it lives under /usr/share/androguard. Below we walk through its main features and then build some additional, practical ones on top of it.

Related links:
https://github.com/androguard/androguard/
https://santoku-linux.com/

0x01 Module overview

1. androapkinfo.py

 Shows information about an APK file: package, resources, permissions, components, methods and so on. Usage:

 ./androapkinfo.py -i ./demo.apk

2. androxml.py

 Decodes the binary-encoded AndroidManifest.xml inside an APK back into readable XML. Usage:

 ./androxml.py -i ./demo.apk

3. androcsign.py

Adds an APK's signature information to a database file, located at signatures/dbandroguard. Before using it you write a sign file for the APK, stored in JSON format:
 [
     {
         "SAMPLE":"apks/demo.apk"
     },
     {
         "BASE":"AndroidOS",
         "NAME":"DroidDeram",
         "SIGNATURE":[
             {
                 "TYPE":"METHSIM",
                 "CN":"Lcom/droider/demo/MainActivity$SNChecker;",
                 "MN":"isRegistered",
                 "D":"()Z"
             }
         ],
         "BF":"0"
     }
 ]

 Usage:

 ./androcsign.py -i signatures/demo.sign -o signatures/dbandroguard

4. androdd.py

 Generates a flow graph for every method of every class in an APK. Usage (-d writes the dot files, -f picks the rendered image format):

 ./androdd.py -i ./demo.apk -o ./out -d -f PNG

5. androdiff.py

 Compares two APK files and reports the differences between them. Usage:

 ./androdiff.py -i ./demo.apk ./demo2.apk

6. androdump.py

 Dumps information about a running Linux process, identified by pid. Usage:

 ./androdump.py -i pid

7. androgexf.py

 Generates a GEXF graph file for an APK, which can be opened in Gephi. Usage:

 ./androgexf.py -i ./demo.apk -o ./demo.gexf

8. androlyze.py

An interactive Android static analysis shell with a very large feature set. For details see the code under core/analysis and core/bytecodes, as well as Xbalien's write-ups on using it.

9. andromercury.py

andromercury.py is a front end for the Mercury tool; functionally it is a wrapper around Mercury. The Intranet Lab community site has eight articles from 2013 on using Mercury; it has been used in practice and is quite feature-rich.

10. androrisk.py

Evaluates an APK's potential risk and produces a final score. ICSL_androguard uses the results of this module.

11. androsign.py

Checks whether an APK's signature information is present in the database; it is the exact counterpart of androcsign.py.

12. androsim.py

Computes the similarity between two APK files. It is an open-source library; documentation online is scarce, but there is a description in the wiki of androguard's old Google Code site.

13. androxgmml.py

Generates control-flow and call graphs for apk/jar/class/dex files in XGMML format. Usage:

./androxgmml.py -i ./demo.apk -o ./demo.xgmml

14. apkviewer.py

 Generates a separate GraphML file for each class in the APK, viewable in Gephi. Usage:

 ./apkviewer.py -i ./demo.apk -o ./output

0x02 androguard DIY

Next we develop or adapt the following features:

  • Components: Activities, Services, Content Providers, Broadcast Receivers

  • Permissions, and the code that uses each one

  • Sensitive API monitoring

  • Monitoring of URLs, IPs, passwords, crypto algorithms and similar strings

  • Detection of dynamically registered Receivers

  • Checks for AllowBackup, Debuggable, SharedUserId and user-defined permissions

  • Risk score

0x03 Code Show

Some of the key pieces of the implementation:

I. Sensitive API calls

# Assumes the androguard 2.x API (Python 2 era): dx is the uVMAnalysis object
# built from the DalvikVMFormat, and show_Paths is androguard's own path printer.
from androguard.core.analysis.analysis import show_Paths

# Each entry is [class_regex, method_regex]. search_methods() applies re.match(),
# so a pattern only has to match the *start* of the class or method name, and
# "." matches anything (any class, or any method of that class).
Sensitive_APIs = {
    #log
    #0 : [ "Landroid/util/Log;","d"],
    #send sms
    1: ["Landroid/telephony/SmsManager;","sendTextMessage"],
    #read sms
    2: [".","getDisplayMessageBody"],
    3: [".","getMessageBody"],
    #IMEI
    4: ["Landroid/telephony/TelephonyManager;","getDeviceId"],
    #phone number
    5: ["Landroid/telephony/TelephonyManager;","getLine1Number"],
    #get Sim serial
    6: ["Landroid/telephony/TelephonyManager;","getSimSerialNumber"],
    #Location
    7: ["Landroid/telephony/TelephonyManager;","getCellLocation"],
    #GPS
    8: [".","getLastKnownLocation"],
    9: [".","requestLocationUpdates"],
    #Recorder
    10: ["Landroid/media/MediaRecorder;","prepare"],
    #native_code
    11: ["Ljava/lang/Runtime;","exec"],
    12: ["Ljava/lang/Runtime;","load"],
    13: ["Ljava/lang/System;","load"],
    #file io (prefix patterns: "create" covers createNewFile, "mk" covers mkdir/mkdirs, ...)
    14: ["Llibcore/io/IoBridge;", "open"],
    15: ["Llibcore/io/IoBridge;", "read"],
    16: ["Llibcore/io/IoBridge;", "write"],
    17: ["Ljava/io/File;", "create"],
    18: ["Ljava/io/File;", "delete"],
    19: ["Ljava/io/File;", "get"],
    20: ["Ljava/io/File;", "mk"],
    21: ["Ljava/io/File;", "set"],
    #get resource
    22: [".","openRawResource"],
    23: [".","getAssets"],
    #http
    24: ["Lorg/apache/http/impl/client/AbstractHttpClient;", "execute"],
    25: ["Ljava/net/HttpURLConnection;","connect"],
    26: ["Ljava/net/URL;","openConnection"],
    27: ["Ljava/net/URLConnection;","connect"],
    28: ["Ljava/net/Socket;","."],
    #ssl: package prefix, i.e. any method of any class under javax.net.ssl
    29: ["Ljavax/net/ssl/","."],
    #WebView
    30: ["Landroid/webkit/WebView;","addJavascriptInterface"],
    31: ["Landroid/webkit/WebView;","searchBoxJavaBridge_"],
    #load jar
    32: ["Ldalvik/system/DexClassLoader;","."],
    33: ["Ljava/net/URLClassLoader;","."],
    34: ["Ldalvik/system/PathClassLoader;","."],
    #ReflectionCode
    35: ["Ljava/lang/reflect/Method;", "."],
    #encrypt or SHA
    36: [".", "doFinal"],
    37: [".","digest"],
    #use camera
    38: ["Landroid/hardware/Camera;","open"],
    #query SQL(read contact\SMS)
    39: ["Landroid/content/ContentResolver;","query"],
    #SharedPreferences
    40: ["Landroid/content/SharedPreferences;","edit" ],
    #sendBroadcast
    41: [".","sendBroadcast"],
    42: [".","sendOrderedBroadcast"],
    43: [".","sendStickyBroadcast"],
    44: [".","sendStickyOrderedBroadcast"],
    #start activity
    45: [".","startActivity"],
    46: [".","startActivityForResult"],
    #Service
    47: [".","startService"],
    48: [".","bindService"],
    #write to SD card ,add by Colbert 20150120
    49: [".","getExternalStorageDirectory"],
    #input check ,add by Colbert 20150120
    50: [".","readLine"]
}

def show_Sensitive_APIs(dx):
    # For every table entry, print its id and pattern, then every call path
    # in the app that reaches a matching method.
    for i in sorted(Sensitive_APIs):
        cls, meth = Sensitive_APIs[i]
        print(" %s %s %s" % (i, cls, meth))
        paths = dx.get_tainted_packages().search_methods(cls, meth, ".")
        show_Paths(dx.get_vm(), paths)

II. Keyword matching

# Assumes the androguard 2.x API; apk is the APK object for the input file.
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis

apk = APK("./demo.apk")
vm = dvm.DalvikVMFormat(apk.get_dex())   # dex -> DalvikVMFormat
vmx = analysis.uVMAnalysis(vm)           # the "dx" object used by the other snippets

# get_regex_strings() filters the dex string table with a regular expression
print(vm.get_regex_strings(r"(?i)password"))   # key words
print(vm.get_regex_strings(r"AES"))

print(vm.get_regex_strings(r"^((https?|ftp)://[^\s/$.?#].[^\s]*)$"))   # urls

print(vm.get_regex_strings(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"))          # ip
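The scan output later in this article shows what the bare regexes above return in practice: templated URLs such as http://%1$s/..., an FTP URL with embedded credentials, and dotted quads that are version numbers rather than hosts. The following example is added here and is not part of the original article or of androguard; it runs the same URL and IP patterns over a constructed list of strings (standing in for the dex string table that get_regex_strings() filters) and then applies the checks a reviewer would want on top: whole-string IPv4 validation and a flag for URLs carrying user:pass@. The SAMPLE_STRINGS list, the keyword groups and the function names are assumptions made for the example.

```python
import re
import ipaddress

# Constructed sample strings, standing in for the list that
# DalvikVMFormat.get_strings() would return for a real dex.
SAMPLE_STRINGS = [
    "password",
    "PWDCHARS_ARRAY",
    "pwdWatcher",
    "AES/CBC/PKCS5Padding",
    "AESUtils.java",
    "MD5_SALT",
    "RSA/ECB/PKCS1Padding",
    "http://%1$s/diagnoses/v1/report",
    "ftp://anonymous:anonymous@",
    "https://example.invalid/api/v1/login",
    "10.237.12.17",
    "1.1.3.61",
    "256.1.1.1",
    "1.2.3.4567",
    "Hello world",
]

# Keyword groups in the spirit of the article's get_regex_strings() calls.
KEYWORD_GROUPS = {
    "password": re.compile(r"(?i)password|pwd"),
    "aes": re.compile(r"AES"),
    "md5": re.compile(r"MD5"),
    "rsa": re.compile(r"RSA"),
}
# URL and IP patterns exactly as written in the article.
URL_RE = re.compile(r"^((https?|ftp)://[^\s/$.?#].[^\s]*)$")
IP_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def valid_ipv4(text):
    """True only if text is a whole, well-formed dotted quad (each octet 0-255)."""
    if IP_RE.fullmatch(text) is None:
        return False
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def extract_indicators(strings):
    """Group string constants into keyword hits, URLs, IPs and rejected IP look-alikes."""
    result = {"keywords": {}, "urls": [], "ips": [], "ip_like_rejected": []}
    for group, pattern in KEYWORD_GROUPS.items():
        hits = sorted(s for s in strings if pattern.search(s))
        if hits:
            result["keywords"][group] = hits
    for s in strings:
        if URL_RE.match(s):
            result["urls"].append(s)
        if IP_RE.search(s):
            # The article's pattern accepts 256.1.1.1 and 1.2.3.4567; keep those
            # separate so the report does not list them as hosts.
            if valid_ipv4(s):
                result["ips"].append(s)
            else:
                result["ip_like_rejected"].append(s)
    return result


def credential_in_url(url):
    """Flag URLs that embed user:pass@ before the host, like the anonymous FTP login above."""
    return re.match(r"^[a-z]+://[^/\s@]+:[^/\s@]*@", url) is not None


if __name__ == "__main__":
    report = extract_indicators(SAMPLE_STRINGS)
    for section in ("keywords", "urls", "ips", "ip_like_rejected"):
        print(section, report[section])
    print("urls with credentials:", [u for u in report["urls"] if credential_in_url(u)])
```

Within a customized androguard script, SAMPLE_STRINGS would simply be replaced by vm.get_strings(); the rest of the logic is independent of androguard.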

III. Dynamically registered Receivers

#Dynamically Registered Receiver
def show_Register_receiver(dx):
    # Any class, any registerReceiver(...) overload: receivers registered in
    # code do not appear in the manifest, so they must be found in the bytecode.
    paths = dx.get_tainted_packages().search_methods(".","registerReceiver",".")
    show_Paths(dx.get_vm(), paths )
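Both the sensitive-API table in section I and the registerReceiver search above depend on how search_methods() interprets its patterns: each of the class, method and descriptor strings is a regular expression applied with re.match(), so it is anchored at the start but not at the end, and "." therefore matches anything. The example below is added here and is not part of the original article or of androguard; it reproduces that prefix-match behaviour in a small stand-in search_methods() over a constructed list of call records, runs a subset of the Sensitive_APIs table through it, and shows why a package-prefix pattern such as "Ljavax/net/ssl/" matches while "Ljavax/net/ssl;" never can. SAMPLE_CALLS, the stand-in function and the hypothetical table entry 51 are assumptions made for the example.

```python
import re

# Constructed stand-in for the call-path records that dx.get_tainted_packages()
# exposes: (caller method, callee class, callee method, callee descriptor).
SAMPLE_CALLS = [
    ("Lcom/example/Main;->onCreate(Landroid/os/Bundle;)V",
     "Landroid/telephony/TelephonyManager;", "getDeviceId", "()Ljava/lang/String;"),
    ("Lcom/example/Net;->connect()V",
     "Ljavax/net/ssl/SSLContext;", "getInstance",
     "(Ljava/lang/String;)Ljavax/net/ssl/SSLContext;"),
    ("Lcom/example/Main;->onResume()V",
     "Landroid/content/Context;", "registerReceiver",
     "(Landroid/content/BroadcastReceiver; Landroid/content/IntentFilter;)Landroid/content/Intent;"),
    ("Lcom/example/Web;->init()V",
     "Landroid/webkit/WebView;", "addJavascriptInterface",
     "(Ljava/lang/Object; Ljava/lang/String;)V"),
    ("Lcom/example/Util;->hash([B)[B",
     "Ljava/security/MessageDigest;", "digest", "()[B"),
    ("Lcom/example/Main;->onCreate(Landroid/os/Bundle;)V",
     "Landroid/util/Log;", "d", "(Ljava/lang/String; Ljava/lang/String;)I"),
]

# Subset of the article's table, same [class_regex, method_regex] shape.
# Entry 51 is a hypothetical addition folding section III into the same table.
SENSITIVE_APIS = {
    4: ["Landroid/telephony/TelephonyManager;", "getDeviceId"],
    29: ["Ljavax/net/ssl/", "."],          # package prefix: every class under javax.net.ssl
    30: ["Landroid/webkit/WebView;", "addJavascriptInterface"],
    37: [".", "digest"],                   # any class
    51: [".", "registerReceiver"],         # dynamically registered receivers
}


def search_methods(calls, class_name, method_name, descriptor="."):
    """Stand-in for androguard's search_methods(): prefix-anchored regex filter."""
    return [c for c in calls
            if re.match(class_name, c[1])
            and re.match(method_name, c[2])
            and re.match(descriptor, c[3])]


def scan_sensitive_apis(calls, table):
    """Return {table_id: [caller, ...]} for every entry with at least one hit."""
    hits = {}
    for key, (cls, meth) in table.items():
        found = search_methods(calls, cls, meth)
        if found:
            hits[key] = [c[0] for c in found]
    return hits


if __name__ == "__main__":
    for key, callers in sorted(scan_sensitive_apis(SAMPLE_CALLS, SENSITIVE_APIS).items()):
        print(key, SENSITIVE_APIS[key], callers)
    # Prefix matching cuts both ways: "get" hits every getter, so keep method
    # patterns as specific as the table allows.
    print("methods starting with get:", len(search_methods(SAMPLE_CALLS, ".", "get")))
```

The same prefix semantics explain why the article's "create", "mk" and "set" entries for java.io.File catch createNewFile, mkdir/mkdirs and setReadable/setWritable, and why a too-short method pattern inflates the report.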

IV. SharedUserId, AllowBackup, Debuggable and friends

# Fragment from an extension of apk.APK: self.xml[i] is the parsed minidom
# document of AndroidManifest.xml, and NS_ANDROID_URI is the android: namespace
# URI defined in androguard.core.bytecodes.apk.
self.sharedUserId = self.xml[i].documentElement.getAttribute("android:sharedUserId")
for item in self.xml[i].getElementsByTagName('application'):
    self.allowbackup.append(str(item.getAttributeNS(NS_ANDROID_URI, "allowBackup")))
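The fragment above reads the raw attribute values; a scanner also has to apply the platform defaults (allowBackup is true unless explicitly set to "false", debuggable is false unless explicitly "true", and a <permission> without protectionLevel is "normal", which any app can request). The example below is added here and is not part of the original article or of androguard; it performs the checks from the DIY list (SharedUserId, AllowBackup, Debuggable, user-defined permissions) with the standard library's minidom on a constructed, already-decoded manifest of the kind androxml.py prints. The two sample manifests and the function names are assumptions made for the example; NS_ANDROID_URI is the standard android: namespace URI.

```python
from xml.dom import minidom

# android: namespace URI (androguard exposes the same value as NS_ANDROID_URI)
NS_ANDROID_URI = "http://schemas.android.com/apk/res/android"

# Constructed manifest in decoded text form; not taken from a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo"
          android:sharedUserId="android.uid.system">
  <permission android:name="com.example.demo.permission.PRIVATE"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.demo.permission.OPEN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="demo"
               android:allowBackup="true"
               android:debuggable="true">
    <receiver android:name=".MyReceiver" android:exported="true"/>
  </application>
</manifest>
"""

# Same shape with the attributes left out, to exercise the platform defaults.
MINIMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.min">
  <application android:label="min"/>
</manifest>
"""


def manifest_checks(xml_text):
    """Extract sharedUserId, allowBackup, debuggable and custom <permission> entries."""
    doc = minidom.parseString(xml_text)
    root = doc.documentElement
    findings = {
        # "" when absent, the same value androguard's getAttribute() call yields
        "sharedUserId": root.getAttributeNS(NS_ANDROID_URI, "sharedUserId"),
        "allowBackup": [],
        "debuggable": [],
        "custom_permissions": [],
    }
    for app in doc.getElementsByTagName("application"):
        backup = app.getAttributeNS(NS_ANDROID_URI, "allowBackup")
        # allowBackup defaults to true: only an explicit "false" turns it off
        findings["allowBackup"].append(backup != "false")
        # debuggable defaults to false: only an explicit "true" is a finding
        findings["debuggable"].append(app.getAttributeNS(NS_ANDROID_URI, "debuggable") == "true")
    for perm in doc.getElementsByTagName("permission"):
        name = perm.getAttributeNS(NS_ANDROID_URI, "name")
        # protectionLevel defaults to "normal", which any installed app may request
        level = perm.getAttributeNS(NS_ANDROID_URI, "protectionLevel") or "normal"
        findings["custom_permissions"].append((name, level))
    return findings


def risky_flags(findings):
    """Names of the checks that came back in their weaker state, for the scan report."""
    flags = []
    if findings["sharedUserId"]:
        flags.append("sharedUserId")
    if any(findings["allowBackup"]):
        flags.append("allowBackup")
    if any(findings["debuggable"]):
        flags.append("debuggable")
    if any(level == "normal" for _, level in findings["custom_permissions"]):
        flags.append("normal-level custom permission")
    return flags


if __name__ == "__main__":
    for name, text in (("demo", SAMPLE_MANIFEST), ("min", MINIMAL_MANIFEST)):
        found = manifest_checks(text)
        print(name, found, "->", risky_flags(found))
```

In the androguard-based scanner, doc would come from the APK object's parsed manifest instead of minidom.parseString(); the default handling is the part that matters, because the fragment above records "" for a missing allowBackup even though the app is then backup-enabled.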

V. Computing the risk score

# Assumes the androguard 2.x API: a is the apk.APK object for the input file
# and options.input is the -i argument.
from androguard.core.analysis import risk

def display_result(res):
    for i in res:
        print("\t%s" % i)
        for j in res[i]:
            print("\t\t%s %s" % (j, res[i][j]))

def analyze_app(filename, ri, a):
    # with_apk() runs every registered analysis over the APK and returns
    # {analysis name: {indicator: value}}
    display_result(ri.with_apk(a))

ri = risk.RiskIndicator()
ri.add_risk_analysis(risk.RedFlags())
ri.add_risk_analysis(risk.FuzzyRisk())
analyze_app(options.input, ri, a)

VI. Sample scan output

[Activities]
    com.achievo.vipshop.activity.LodingActivity
    com.tencent.tauth.AuthActivity
[Services]
    com.achievo.vipshop.manage.service.SplashAlarmService
    com.vipshop.sdk.push.MqttService
[Content Providers]

[Broadcast Receivers]
    com.vipshop.sdk.viplog.batch.VipLogReceiver
    com.vipshop.sdk.push.VipsPushReceiver
[Permissions]   
USE_CREDENTIALS :
    1 Lcom/androidquery/auth/GoogleHandle;->reauth(Lcom/androidquery/callback/AbstractAjaxCallback;)Z (0x12) ---> Landroid/accounts/AccountManager;->invalidateAuthToken(Ljava/lang/String; Ljava/lang/String;)V
READ_PHONE_STATE :
[Sensitive APIs]    
    30 Landroid/webkit/WebView; addJavascriptInterface
        1 Lbolts/WebViewAppLinkResolver$2;->then(Lbolts/Task;)Lbolts/Task; (0x56) ---> Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)V
[Dynamically registered receivers]
    1 Lcom/achievo/vipshop/newactivity/CartFloatView;->registerFavoriteRecever()V (0x3e) ---> Landroid/content/Context;->registerReceiver(Landroid/content/BroadcastReceiver; Landroid/content/IntentFilter;)Landroid/content/Intent;
[SharedUserId|AllowBackup|Debuggable]
    SharedUserId:[]
    AllowBackup:[false]
    Debuggable[false]
[key words]   

    ['PWDCHARS_ARRAY', 'PWDCHARS_STRING', 'pwd', 'pwdWatcher']
    ['UserName', 'userName', 'username', 'username=', 'username_del']
    ['secretKey']
    ['ENCRYPTION', 'ENCRYPTION_AES', 'ENCRYPT_ACTION', 'encrypt', 'encryption error. ']
    ['imei', 'imei=']
    ['imsi']
    ['AES', 'AES/CBC/PKCS5Padding', 'AES/ECB/PKCS7Padding', 'AESUtils', 'AESUtils.java']
    ['SHA-1']
    []
    []
    ['MD5', 'MD5.java', 'MD5PatchVerifier.java', 'MD5Util.java', 'MD5_INSTANCE', 'MD5_SALT']
    ['RSA', 'RSA/ECB/PKCS1Padding', 'RSA_PKCS_V15', 'RSA_PKCS_V21', 'RSA_PRIVATE', 'RSA_PUBLIC']

[urls]
    ftp://anonymous:anonymous@
    http://%1$s/diagnoses/v1/report
    http://%1$s/gslb/gslb/getbucket.asp?ver=3.0
    http://10.237.12.17:9085/pass/register
    http://400.vip.com/WebChat/chat/wapchat.jsp?
    http://800.vip.com/live800/chatClient/chatbox.jsp?companyID=8900&configID=17&enterurl=APP&pagereferrer=APP&syslanguage=0
    http://a.appsimg.com
    http://a.appsimg.com/upload/brand/
    http://a.appsimg.com/upload/merchandise/
    http://ap.vip.com/coupons_rules
    http://ap.vip.com/fwxy1015
    http://ap.vip.com/index.php?m=activity&code=coupon_help2&wapid=ap_2342
    http://ap.vip.com/index.php?m=activity&code=global_rule&wapid=ap_1881
[ip]
    1.1.3.61
    1.2.2.56
    1.3.4.60
    10.0.0.172
    10.0.0.200
    10.237.12.17
    10.237.12.2
    2.3.3.61
    2.4.0.61
    223.202.68.46
    42.62.48.181
    58.68.235.106
    58.68.235.232

[risk score]
    RedFlags
        DEX {'NATIVE': 1, 'DYNAMIC': 1, 'CRYPTO': 1, 'REFLECTION': 1}
        APK {'DEX': 0, 'EXECUTABLE': 0, 'ZIP': 0, 'SHELL_SCRIPT': 0, 'APK': 0, 'SHARED LIBRARIES': 87}
        PERM {'PRIVACY': 6, 'NORMAL': 9, 'MONEY': 0, 'INTERNET': 1, 'SMS': 2, 'DANGEROUS': 13, 'SIGNATUREORSYSTEM': 1, 'CALL': 0, 'SIGNATURE': 0, 'GPS': 2}
    FuzzyRisk
        VALUE 80.0

0x04 Summary

A customized androguard is well suited to bulk APK analysis: it quickly surfaces attack-surface information that supports manual review. It is inherently weak against hardened (packed) APKs, however, where dynamic analysis tools and techniques such as DroidBox, Xposed, adbi and Dozer are needed to fill the gap.

Source: http://my.oschina.net/cve2015/blog/508305