androguard.core.analysis package¶
The analysis module implements an abstraction layer for androguard.core.bytecodes.dvm.DalvikVMFormat
objects.
The the help of the androguard.core.analysis.analysis.Analsyis
object, you can bundle several DEX files together.
This is not only useful for multidex files, but also for a single dex, as Analysis offers many features to investigate
DEX files.
One of these features is crossreferencing (XREF). It allows you to build a graph of the methods inside the DEX files.
You can then create callgraphs or find methods which use a specific API method.
Submodules¶
androguard.core.analysis.analysis module¶
-
class
androguard.core.analysis.analysis.
Analysis
(vm=None)¶ Bases:
object
-
add
(vm)¶ Add a DalvikVMFormat to this Analysis.
- Parameters
vm (androguard.core.bytecodes.dvm.DalvikVMFormat) –
dvm.DalvikVMFormat
to add to this Analysis
-
create_ipython_exports
()¶ Warning
this feature is experimental and is currently not enabled by default! Use with caution!
Creates attributes for all classes, methods and fields on the Analysis object itself. This makes it easier to work with Analysis module in an iPython shell.
Classes can be search by typing
dx.CLASS_<tab>
, as each class is added via this attribute name. Each class will have all methods attached to it viadx.CLASS_Foobar.METHOD_<tab>
. Fields have a similar syntax:dx.CLASS_Foobar.FIELD_<tab>
.As Strings can contain nearly anything, use
find_strings()
instead.Each CLASS_ item will return a
ClassAnalysis
Each METHOD_ item will return a
MethodAnalysis
Each FIELD_ item will return a
FieldAnalysis
-
create_xref
()¶ Create Class, Method, String and Field crossreferences for all classes in the Analysis.
If you are using multiple DEX files, this function must be called when all DEX files are added. If you call the function after every DEX file, it will only work for the first time.
-
find_classes
(name='.*', no_external=False)¶ Find classes by name, using regular expression This method will return all ClassAnalysis Object that match the name of the class.
- Parameters
name – regular expression for class name (default “.*”)
no_external – Remove external classes from the output (default False)
- Return type
Iterator[ClassAnalysis]
-
find_fields
(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')¶ find fields by regex
- Parameters
classname – regular expression of the classname
fieldname – regular expression of the fieldname
fieldtype – regular expression of the fieldtype
accessflags – regular expression of the access flags
- Return type
Iterator[FieldAnalysis]
-
find_methods
(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)¶ Find a method by name using regular expression. This method will return all MethodAnalysis objects, which match the classname, methodname, descriptor and accessflags of the method.
- Parameters
classname – regular expression for the classname
methodname – regular expression for the method name
descriptor – regular expression for the descriptor
accessflags – regular expression for the accessflags
no_external – Remove external method from the output (default False)
- Return type
Iterator[MethodAnalysis]
-
find_strings
(string='.*')¶ Find strings by regex
- Parameters
string – regular expression for the string to search for
- Return type
Iterator[StringAnalysis]
-
get_call_graph
(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_isolated=False, entry_points=[])¶ Generate a directed graph based on the methods found by the filters applied. The filters are the same as in
find_methods()
A networkx.MultiDiGraph is returned, containing all xrefs. That means a method which calls another method multiple times, will have multiple edges between them. Attached to the edge is the attribute offset, which gives the code offset inside the method of the call.
Specifying filters will not remove the methods if they are called by some other method.
The callgraph will check for both directions of edges. Thus, if you specify a single class as input, it will contain all classes which are called by this class (xref_to), as well as all methods who calls the specified one (xref_from).
Each node will contain the following meta information as attribute:
external: is the method external or not (boolean)
entrypoint: is the method a known entry point (boolean)
native: is the method a native method by signature (boolean)
public: is the method declared public (boolean)
static: is the method declared static (boolean)
vm: An ID of the DEX file where this method is declared or 0 if external (signed int)
codesize: size of code of the method or zero if external (int)
- Parameters
classname – regular expression of the classname (default: “.*”)
methodname – regular expression of the methodname (default: “.*”)
descriptor – regular expression of the descriptor (default: “.*”)
accessflags – regular expression of the access flags (default: “.*”)
no_isolated – remove isolated nodes from the graph, e.g. methods which do not call anything (default: False)
entry_points – A list of classes that are marked as entry point
- Return type
networkx.MultiDiGraph
-
get_class_analysis
(class_name)¶ Returns the
ClassAnalysis
object for a given classname.- Parameters
class_name – classname like ‘Ljava/lang/Object;’ (including L and ;)
- Returns
- Return type
-
get_classes
()¶ Returns a list of
ClassAnalysis
objectsReturns both internal and external classes (if any)
- Return type
Iterator[ClassAnalysis]
-
get_external_classes
()¶ Returns all external classes, that means all classes that are not defined in the given set of DalvikVMObjects.
- Return type
Iterator[ClassAnalysis]
-
get_field_analysis
(field)¶ Get the FieldAnalysis for a given fieldname
- Parameters
field (androguard.core.bytecodes.dvm.EncodedField) – the field
- Returns
- Return type
-
get_fields
()¶ Returns a list of FieldAnalysis objects
- Return type
Iterator[FieldAnalysis]
-
get_internal_classes
()¶ Returns all external classes, that means all classes that are defined in the given set of
DalvikVMFormat
.- Return type
Iterator[ClassAnalysis]
-
get_method
(method)¶ Get the
MethodAnalysis
object for a givenEncodedMethod
. This Analysis object is used to enhance EncodedMethods.- Parameters
method –
EncodedMethod
to search for- Returns
MethodAnalysis
object for the given method, or None if method was not found- Return type
-
get_method_analysis
(method)¶ Get the
MethodAnalysis
object for a givenEncodedMethod
. This Analysis object is used to enhance EncodedMethods.- Parameters
method –
EncodedMethod
to search for- Returns
MethodAnalysis
object for the given method, or None if method was not found- Return type
-
get_method_analysis_by_name
(class_name, method_name, method_descriptor)¶ Returns the crossreferencing object for a given method.
This function is similar to
get_method_analysis()
, with the difference that you can look up the Method by name- Parameters
class_name – name of the class, for example ‘Ljava/lang/Object;’
method_name – name of the method, for example ‘onCreate’
method_descriptor – method descriptor, for example ‘(I I)V’
- Returns
- Return type
-
get_method_by_name
(class_name, method_name, method_descriptor)¶ Search for a
EncodedMethod
in all classes in this analysis- Parameters
class_name – name of the class, for example ‘Ljava/lang/Object;’
method_name – name of the method, for example ‘onCreate’
method_descriptor – descriptor, for example ‘(I I Ljava/lang/String)V
- Returns
EncodedMethod
or None if method was not found- Return type
-
get_methods
()¶ Returns a list of MethodAnalysis objects
- Return type
Iterator[MethodAnalysis]
-
get_permission_usage
(permission, apilevel=None)¶ Find the usage of a permission inside the Analysis.
- example::
from androguard.misc import AnalyzeAPK a, d, dx = AnalyzeAPK(“somefile.apk”)
- for meth in dx.get_permission_usage(‘android.permission.SEND_SMS’, a.get_effective_target_sdk_version()):
print(“Using API method {}”.format(meth)) print(“used in:”) for _, m, _ in meth.get_xref_from():
print(m.full_name)
Note
The permission mappings might be incomplete! See also
get_permissions()
.- Parameters
permission – the name of the android permission (usually ‘android.permission.XXX’)
apilevel – the requested API level or None for default
- Returns
yields
MethodAnalysis
objects for all using API methods
-
get_permissions
(apilevel=None)¶ Returns the permissions and the API method based on the API level specified. This can be used to find usage of API methods which require a permission. Should be used in combination with an
APK
.The returned permissions are a list, as some API methods require multiple permissions at once.
The following example shows the usage and how to get the calling methods using XREF:
- example::
from androguard.misc import AnalyzeAPK a, d, dx = AnalyzeAPK(“somefile.apk”)
- for meth, perm in dx.get_permissions(a.get_effective_target_sdk_version()):
print(“Using API method {} for permission {}”.format(meth, perm)) print(“used in:”) for _, m, _ in meth.get_xref_from():
print(m.full_name)
- ..note::
This method might be unreliable and might not extract all used permissions. The permission mapping is based on [Axplorer](https://github.com/reddr/axplorer) and might be incomplete due to the nature of the extraction process. Unfortunately, there is no official API<->Permission mapping.
The output of this method relies also on the set API level. If the wrong API level is used, the results might be wrong.
- Parameters
apilevel – API level to load, or None for default
- Returns
yields tuples of
MethodAnalysis
(of the API method) and list of permission string
-
get_strings
()¶ Returns a list of
StringAnalysis
objects- Return type
Iterator[StringAnalysis]
-
get_strings_analysis
()¶ Returns a dictionary of strings and their corresponding
StringAnalysis
- Return type
Dict[str, StringAnalysis]
-
is_class_present
(class_name)¶ Checks if a given class name is part of this Analysis.
- Parameters
class_name – classname like ‘Ljava/lang/Object;’ (including L and ;)
- Returns
True if class was found, False otherwise
- Return type
bool
-
-
class
androguard.core.analysis.analysis.
BasicBlocks
¶ Bases:
object
This class represents all basic blocks of a method.
It is a collection of many
DVMBasicBlock
.-
get
()¶ - Returns
yields each basic block (
DVMBasicBlock
object)- Return type
Iterator[DVMBasicBlock]
-
get_basic_block
(idx)¶
-
get_basic_block_pos
(item)¶ Get the basic block at the index
- Parameters
item – index
- Returns
The basic block
- Return type
-
gets
()¶ - Returns
a list of basic blocks (
DVMBasicBlock
objects)
-
pop
(idx)¶
-
push
(bb)¶ Adds another basic block to the collection
- Parameters
bb (DVBMBasicBlock) – the DVMBasicBlock to add
-
-
class
androguard.core.analysis.analysis.
ClassAnalysis
(classobj)¶ Bases:
object
-
add_field_xref_read
(method, classobj, field, off)¶ Add a Field Read to this class
- Parameters
method (MethodAnalysis) –
classobj (ClassAnalysis) –
field (androguard.code.bytecodes.dvm.EncodedField) –
off (int) –
- Returns
-
add_field_xref_write
(method, classobj, field, off)¶ Add a Field Write to this class in a given method
- Parameters
method (MethodAnalysis) –
classobj (ClassAnalysis) –
off (int) –
- Returns
-
add_method
(method_analysis)¶ Add the given method to this analyis. usually only called during Analysis.add and Analysis._resolve_method
- Parameters
method_analysis (MethodAnalysis) –
-
add_method_xref_from
(method1, classobj, method2, offset)¶ - Parameters
method1 (MethodAnalysis) –
classobj (ClassAnalysis) –
method2 (MethodAnalysis) –
offset (int) –
-
add_method_xref_to
(method1, classobj, method2, offset)¶ - Parameters
method1 (MethodAnalysis) – the calling method
classobj (ClassAnalysis) – the calling class
method2 (MethodAnalysis) – the called method
offset (int) – offset in the bytecode of calling method
-
add_xref_from
(ref_kind, classobj, methodobj, offset)¶ Creates a crossreference from this class. XrefFrom means, that the current class is called by another class.
- Parameters
ref_kind (REF_TYPE) – type of call
classobj (ClassAnalysis) –
ClassAnalysis
object to linkmethodobj (MethodAnalysis) –
offset (int) – Offset in the methods bytecode, where the call happens
- Returns
-
add_xref_to
(ref_kind, classobj, methodobj, offset)¶ Creates a crossreference to another class. XrefTo means, that the current class calls another class. The current class should also be contained in the another class’ XrefFrom list.
Warning
The implementation of this specific method might not be what you expect! the parameter
methodobj
is the source method and not the destination in the case thatref_kind
is const-class or new-instance!- Parameters
ref_kind (REF_TYPE) – type of call
classobj (ClassAnalysis) –
ClassAnalysis
object to linkmethodobj (MethodAnalysis) –
offset (int) – Offset in the Methods Bytecode, where the call happens
- Returns
-
property
extends
¶ Return the parent class
For external classes, this is not sure, thus we return always Object (which is the parent of all classes)
- Returns
a string of the parent class name
-
get_class
()¶ Returns the original Dalvik VM class or the external class object.
- Returns
- Return type
Union[androguard.core.bytecodes.dvm.ClassDefItem, ExternalClass]
-
get_field_analysis
(field)¶
-
get_fields
()¶ Return all FieldAnalysis objects of this class
-
get_method_analysis
(method)¶ Return the MethodAnalysis object for a given EncodedMethod
- Parameters
method –
EncodedMethod
- Returns
- Return type
-
get_methods
()¶ Return all
MethodAnalysis
objects of this class- Return type
Iterator[MethodAnalysis]
-
get_nb_methods
()¶ Get the number of methods in this class
-
get_vm_class
()¶ Returns the original Dalvik VM class or the external class object.
- Returns
- Return type
Union[androguard.core.bytecodes.dvm.ClassDefItem, ExternalClass]
-
get_xref_from
()¶ Returns a dictionary of all classes calling the current class. This dictionary contains also information from which method the class is accessed.
Note
this method might contains wrong information about class usage!
The dictionary contains the classes as keys (stored as
ClassAnalysis
) and has a tuple as values, where the first item is the ref_kind (which is an Enum of typeREF_TYPE
), the second one is the method in which the class is called (MethodAnalysis
) and the third the offset in the method where the call is originating.- example::
# dx is an Analysis object for cls in dx.find_classes(‘.*some/name.*’):
print(“Found class {} in Analysis”.format(cls.name) for caller, refs in cls.get_xref_from().items():
print(” called from {}”.format(caller.name)) for ref_kind, ref_method, ref_offset in refs:
print(” in method {} {}”.format(ref_kind, ref_method))
- Return type
Iterator[Tuple[REF_TYPE, MethodAnalysis, int]]
-
get_xref_to
()¶ Returns a dictionary of all classes which are called by the current class. This dictionary contains also information about the method which is called.
Note
this method might contains wrong information about class usage!
The dictionary contains the classes as keys (stored as
ClassAnalysis
) and has a tuple as values, where the first item is the ref_kind (which is an Enum of typeREF_TYPE
), the second one is the method called (MethodAnalysis
) and the third the offset in the method where the call is originating.- example::
# dx is an Analysis object for cls in dx.find_classes(‘.*some/name.*’):
print(“Found class {} in Analysis”.format(cls.name) for calling, refs in cls.get_xref_from().items():
print(” calling class {}”.format(calling.name)) for ref_kind, ref_method, ref_offset in refs:
print(” calling method {} {}”.format(ref_kind, ref_method))
- Return type
Iterator[Tuple[REF_TYPE, MethodAnalysis, int]]
-
property
implements
¶ Get a list of interfaces which are implemented by this class
- Returns
a list of Interface names
-
is_android_api
()¶ Tries to guess if the current class is an Android API class.
This might be not very precise unless an apilist is given, with classes that are in fact known APIs. Such a list might be generated by using the android.jar files.
- Returns
boolean
-
is_external
()¶ Tests if this class is an external class
- Returns
True if the Class is external, False otherwise
-
property
name
¶ Return the class name
- Returns
-
-
class
androguard.core.analysis.analysis.
DVMBasicBlock
(start, vm, method, context)¶ Bases:
object
A simple basic block of a dalvik method.
A basic block consists of a series of
Instruction
which are not interrupted by branch or jump instructions such as goto, if, throw, return, switch etc.-
add_note
(note)¶
-
clear_notes
()¶
-
get_end
()¶ Get the end offset of this basic block
- Returns
end offset
- Return type
int
-
get_exception_analysis
()¶
-
get_instructions
()¶ Get all instructions from a basic block.
- Returns
Return all instructions in the current basic block
-
get_last
()¶ Get the last instruction in the basic block
- Returns
androguard.core.bytecodes.dvm.Instruction
-
get_last_length
()¶
-
get_method
()¶ Returns the originiating method
- Returns
the method
- Return type
-
get_name
()¶
-
get_nb_instructions
()¶
-
get_next
()¶ Get next basic blocks
- Returns
a list of the next basic blocks
- Return type
-
get_notes
()¶
-
get_prev
()¶ Get previous basic blocks
- Returns
a list of the previous basic blocks
- Return type
-
get_special_ins
(idx)¶ Return the associated instruction to a specific instruction (for example a packed/sparse switch)
- Parameters
idx – the index of the instruction
- Return type
None or an Instruction
-
get_start
()¶ Get the starting offset of this basic block
- Returns
starting offset
- Return type
int
-
push
(i)¶
-
set_childs
(values)¶
-
set_exception_analysis
(exception_analysis)¶
-
set_fathers
(f)¶
-
set_notes
(value)¶
-
show
()¶
-
-
class
androguard.core.analysis.analysis.
ExceptionAnalysis
(exception, bb)¶ Bases:
object
-
get
()¶
-
show_buff
()¶
-
-
class
androguard.core.analysis.analysis.
Exceptions
¶ Bases:
object
-
add
(exceptions, basic_blocks)¶
-
get
()¶
-
get_exception
(addr_start, addr_end)¶
-
gets
()¶
-
-
class
androguard.core.analysis.analysis.
ExternalClass
(name)¶ Bases:
object
The ExternalClass is used for all classes that are not defined in the DEX file, thus are external classes.
- Parameters
name – Name of the external class
-
add_method
(method)¶
-
get_methods
()¶ Return the stored methods for this external class :return:
-
get_name
()¶ Returns the name of the ExternalClass object
-
class
androguard.core.analysis.analysis.
ExternalMethod
(class_name, name, descriptor)¶ Bases:
object
ExternalMethod is a stub class for methods that are not part of the current Analysis. There are two possibilities for this:
The method is defined inside another DEX file which was not loaded into the Analysis
The method is an API method, hence it is defined in the Android system
External methods should have a similar API to
EncodedMethod
but obviously they have no code attached. The only known information about such methods are the class name, the method name and its descriptor.- Parameters
class_name (str) – name of the class
name (str) – name of the method
descriptor (List[str]) – descriptor string
-
property
full_name
¶ Returns classname + name + descriptor, separated by spaces (no access flags)
-
get_access_flags_string
()¶ Returns the access flags string.
Right now, this is always an empty strings, as we can not say what kind of access flags an external method might have.
-
get_class_name
()¶
-
get_descriptor
()¶
-
get_name
()¶
-
property
permission_api_name
¶ Returns a name which can be used to look up in the permission maps
-
class
androguard.core.analysis.analysis.
FieldAnalysis
(field)¶ Bases:
object
-
add_xref_read
(classobj, methodobj, offset)¶ - Parameters
classobj (ClassAnalysis) –
methodobj (MethodAnalysis) –
offset (int) – offset in the bytecode
-
add_xref_write
(classobj, methodobj, offset)¶ - Parameters
classobj (ClassAnalysis) –
methodobj (MethodAnalysis) –
offset (int) – offset in the bytecode
-
get_field
()¶ Returns the actual field object
- Return type
-
get_xref_read
(withoffset=False)¶ Returns a list of xrefs where the field is read.
The list contains tuples of the originating class and methods, where the class is represented as a
ClassAnalysis
, while the method is aMethodAnalysis
.- Parameters
withoffset (bool) – return the xrefs including the offset
-
get_xref_write
(withoffset=False)¶ Returns a list of xrefs where the field is written to.
The list contains tuples of the originating class and methods, where the class is represented as a
ClassAnalysis
, while the method is aMethodAnalysis
.- Parameters
withoffset (bool) – return the xrefs including the offset
-
property
name
¶
-
-
class
androguard.core.analysis.analysis.
MethodAnalysis
(vm, method)¶ Bases:
object
This class analyses in details a method of a class/dex file It is a wrapper around a
EncodedMethod
and enhances it by using multipleDVMBasicBlock
encapsulated in aBasicBlocks
object.-
property
access
¶ Returns the access flags to the method as a string
-
add_xref_from
(classobj, methodobj, offset)¶ Add a crossrefernece from another method (this method is called by another method)
- Parameters
classobj –
ClassAnalysis
methodobj –
EncodedMethod
offset – integer where in the method the call happens
-
add_xref_to
(classobj, methodobj, offset)¶ Add a crossreference to another method (this method calls another method)
- Parameters
classobj –
ClassAnalysis
methodobj –
EncodedMethod
offset – integer where in the method the call happens
-
property
class_name
¶ Returns the name of the class of this method
-
property
descriptor
¶ Returns the type descriptor for this method
-
property
full_name
¶ Returns classname + name + descriptor, separated by spaces (no access flags)
-
get_access_flags_string
()¶ Returns the concatenated access flags string
-
get_basic_blocks
()¶ Returns the
BasicBlocks
generated for this method. TheBasicBlocks
can be used to get a control flow graph (CFG) of the method.- Return type
a
BasicBlocks
object
-
get_class_name
()¶ Return the class name of the method
-
get_length
()¶ - Returns
an integer which is the length of the code
- Return type
int
-
get_method
()¶ - Return type
- Returns
-
get_vm
()¶ - Return type
- Returns
-
get_xref_from
()¶ Returns a list of tuples containing the class, method and offset of the call, from where this object was called.
The list of tuples has the form: (
ClassAnalysis
,EncodedMethod
orExternalMethod
,int
)
-
get_xref_to
()¶ Returns a list of tuples containing the class, method and offset of the call, which are called by this method.
The list of tuples has the form: (
ClassAnalysis
,EncodedMethod
orExternalMethod
,int
)
-
is_android_api
()¶ Returns True if the method seems to be an Android API method.
This method might be not very precise unless an list of known API methods is given.
- Returns
boolean
-
is_external
()¶ Returns True if the underlying method is external
- Return type
boolean
-
property
name
¶ Returns the name of this method
-
show
()¶ Prints the content of this method to stdout.
This will print the method signature and the decompiled code.
-
show_xrefs
()¶
-
property
-
class
androguard.core.analysis.analysis.
MethodClassAnalysis
(meth)¶ Bases:
androguard.core.analysis.analysis.MethodAnalysis
Deprecated since version 3.4.0: Always use MethodAnalysis! This method is just here for compatability
-
class
androguard.core.analysis.analysis.
REF_TYPE
¶ Bases:
enum.IntEnum
Stores the opcodes for the type of usage in an XREF.
Used in
ClassAnalysis
to store the type of reference to the class.-
INVOKE_DIRECT
= 112¶
-
INVOKE_DIRECT_RANGE
= 118¶
-
INVOKE_INTERFACE
= 114¶
-
INVOKE_INTERFACE_RANGE
= 120¶
-
INVOKE_STATIC
= 113¶
-
INVOKE_STATIC_RANGE
= 119¶
-
INVOKE_SUPER
= 111¶
-
INVOKE_SUPER_RANGE
= 117¶
-
INVOKE_VIRTUAL
= 110¶
-
INVOKE_VIRTUAL_RANGE
= 116¶
-
REF_CLASS_USAGE
= 28¶
-
REF_NEW_INSTANCE
= 34¶
-
-
class
androguard.core.analysis.analysis.
StringAnalysis
(value)¶ Bases:
object
StringAnalysis contains the XREFs of a string.
As Strings are only used as a source, they only contain the XREF_FROM set, i.e. where the string is used.
This Array stores the information in which method the String is used.
-
add_xref_from
(classobj, methodobj, off)¶ Adds a xref from the given method to this string
- Parameters
classobj (ClassAnalysis) –
methodobj (MethodAnalysis) –
off (int) – offset in the bytecode of the call
-
get_orig_value
()¶ Return the original, read only, value of the String
- Returns
the original value
-
get_value
()¶ Return the (possible overwritten) value of the String
- Returns
the value of the string
-
get_xref_from
(withoffset=False)¶ Returns a list of xrefs accessing the String.
The list contains tuples of the originating class and methods, where the class is represented as a
ClassAnalysis
, while the method is aMethodAnalysis
.
-
is_overwritten
()¶ Returns True if the string was overwritten :return:
-
set_value
(value)¶ Overwrite the current value of the String with a new value. The original value is not lost and can still be retrieved using
get_orig_value()
.- Parameters
value (str) – new string value
-
-
androguard.core.analysis.analysis.
is_ascii_obfuscation
(vm)¶ Tests if any class inside a DalvikVMObject uses ASCII Obfuscation (e.g. UTF-8 Chars in Classnames)
- Parameters
vm – DalvikVMObject
- Returns
True if ascii obfuscation otherwise False
androguard.core.analysis.auto module¶
-
class
androguard.core.analysis.auto.
AndroAuto
(settings)¶ Bases:
object
The main class which analyse automatically android apps by calling methods from a specific object
Automatic analysis requires two objects to be created:
a Logger, found at key log in the settings
an Analysis runner, found at key my in the settings
Both are passed to
AndroAuto
via a dictionary. The setting dict understands the following keys:my: The Analysis runner (required)
log: The Logger
max_fetcher: Maximum number of concurrent threads
DefaultAndroLog
can be used as a baseclass for the Logger, whileDefaultAndroAnalysis
can be used a baseclass for the Analysis. There is alsoDirectoryAndroAnalysis
which implements a fetcher which recursively reads a directory for files and can be used a baseclass as well.example:
from androguard.core.analysis import auto class AndroTest(auto.DirectoryAndroAnalysis): # This is the Test Runner def analysis_app(self, log, apkobj, dexobj, analysisobj): # Just print all objects to stdout print(log.id_file, log.filename, apkobj, dexobj, analysisobj) settings = { # The directory `some/directory` should contain some APK files "my": AndroTest('some/directory'), # Use the default Logger "log": auto.DefaultAndroLog, # Use maximum of 2 threads "max_fetcher": 2, } aa = auto.AndroAuto(settings) aa.go()
- Parameters
settings (dict) – the settings of the analysis
-
dump
()¶ Dump the analysis
Calls dump() on the Analysis object
-
dump_file
(filename)¶ Dump the analysis into a file
Calls dump_file(filename) on the Analysis object
-
go
()¶ Launch the analysis.
this will start a total of max_fetcher threads.
-
class
androguard.core.analysis.auto.
DefaultAndroAnalysis
¶ Bases:
object
This class can be used as a template in order to analyse apps
The order of methods called in this class is the following:
fetcher()
is called to get filesfilter_file()
is called to get the filetypecreate_apk()
orcreate_axml()
orcreate_arsc()
andcreate_dex()
orcreate_dey()
depending on the filetypeanalysis_apk()
oranalysis_axml()
oranalysis_arsc()
andanalysis_dex()
oranalysis_dey()
depending on the filetypecreate_adex()
if at least one dex was foundanalysis_app()
with all the gathered objects so farfinish()
is called in any case after the analysis
crash()
can be called during analysis if any Exception happens.-
analysis_adex
(log, adexobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
adexobj (androguard.core.analysis.analysis.Analysis) – a
Analysis
object
- Return type
a boolean
-
analysis_apk
(log, apkobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
apkobj (androguard.core.bytecodes.apk.APK) – a
APK
object
- Returns
True if a DEX file should be analyzed as well
- Return type
bool
-
analysis_app
(log, apkobj, dexobj, adexobj)¶ This method is called if you wish to analyse the final app
- Parameters
log – an object which corresponds to a unique app
apkobj (androguard.core.bytecodes.apk.APK) – a
APK
objectdexobj (androguard.core.bytecodes.dvm.DalvikVMFormat) – a
DalvikVMFormat
objectadexobj (androguard.core.analysis.analysis.Analysis) – a
Analysis
object
-
analysis_arsc
(log, arscobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
arscobj (androguard.core.bytecodes.axml.ARSCParser) – a
ARSCParser
object
- Returns
True if the analysis should continue afterwards
- Return type
bool
-
analysis_axml
(log, axmlobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
axmlobj (androguard.core.bytecodes.axml.AXMLPrinter) – a
AXMLPrinter
object
- Returns
True if the analysis should continue afterwards
- Return type
bool
-
analysis_dex
(log, dexobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
dexobj (androguard.core.bytecodes.dvm.DalvikVMFormat) – a
DalvikVMFormat
object
- Returns
True if the analysis should continue with an analysis.Analysis
- Return type
bool
-
analysis_dey
(log, deyobj)¶ This method is called in order to know if the analysis must continue
- Parameters
log – an object which corresponds to a unique app
deyobj (androguard.core.bytecodes.dvm.DalvikOdexVMFormat) – a
DalvikOdexVMFormat
object
- Returns
True if the analysis should continue with an analysis.Analysis
- Return type
bool
-
crash
(log, why)¶ This method is called if a crash happens
- Parameters
log – an object which corresponds to an unique app
why – the exception
-
create_adex
(log, dexobj)¶ This method is called in order to create an Analysis object
- Parameters
log – an object which corresponds to a unique app
dexobj (androguard.core.bytecodes.dvm.DalvikVMFormat) – a
DalvikVMFormat
object
- Rytpe
a
Analysis
object
-
create_apk
(log, fileraw)¶ This method is called in order to create a new APK object
- Parameters
log – an object which corresponds to a unique app
fileraw – the raw apk (a string)
- Return type
an
APK
object
-
create_arsc
(log, fileraw)¶ This method is called in order to create a new ARSC object
- Parameters
log – an object which corresponds to a unique app
fileraw – the raw arsc (a string)
- Return type
an
ARSCParser
object
-
create_axml
(log, fileraw)¶ This method is called in order to create a new AXML object
- Parameters
log – an object which corresponds to a unique app
fileraw – the raw axml (a string)
- Return type
an
AXMLPrinter
object
-
create_dex
(log, dexraw)¶ This method is called in order to create a DalvikVMFormat object
- Parameters
log – an object which corresponds to a unique app
dexraw – the raw classes.dex (a string)
- Return type
a
DalvikVMFormat
object
-
create_dey
(log, dexraw)¶ This method is called in order to create a DalvikOdexVMFormat object
- Parameters
log – an object which corresponds to a unique app
dexraw – the raw odex file (a string)
- Return type
a
DalvikOdexVMFormat
object
-
dump
()¶ This method is called to dump the result
-
dump_file
(filename)¶ This method is called to dump the result in a file
- Parameters
filename – the filename to dump the result
-
fetcher
(q)¶ This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)
must return False if the queue is filled, thus all files are read.
- Parameters
q – the Queue to put new app
-
filter_file
(log, fileraw)¶ This method is called in order to filer a specific app
- Parameters
log – an object which corresponds to a unique app
fileraw (bytes) – the raw file as bytes
- Return type
a tuple with 2 elements, the return value (boolean) if it is necessary to continue the analysis and the file type
-
finish
(log)¶ This method is called before the end of the analysis
- Parameters
log – an object which corresponds to an unique app
-
class
androguard.core.analysis.auto.
DefaultAndroLog
(id_file, filename)¶ Bases:
object
A base class for the Androguard Auto Logger.
The Logger contains two attributes of the analyzed File:
filename
andid_file
, which is the Adler32 Checksum of the file.The Logger can be extended to contain more attributes.
-
class
androguard.core.analysis.auto.
DirectoryAndroAnalysis
(directory)¶ Bases:
androguard.core.analysis.auto.DefaultAndroAnalysis
A simple class example to analyse a whole directory with many APKs in it
-
fetcher
(q)¶ This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)
must return False if the queue is filled, thus all files are read.
- Parameters
q – the Queue to put new app
-