androguard.core.analysis package

The analysis module implements an abstraction layer for androguard.core.bytecodes.dvm.DalvikVMFormat objects. The the help of the androguard.core.analysis.analysis.Analsyis object, you can bundle several DEX files together. This is not only useful for multidex files, but also for a single dex, as Analysis offers many features to investigate DEX files. One of these features is crossreferencing (XREF). It allows you to build a graph of the methods inside the DEX files. You can then create callgraphs or find methods which use a specific API method.

Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm=None)

Bases: object

add(vm)

Add a DalvikVMFormat to this Analysis.

Parameters

vm (androguard.core.bytecodes.dvm.DalvikVMFormat) – dvm.DalvikVMFormat to add to this Analysis

create_ipython_exports()

Warning

this feature is experimental and is currently not enabled by default! Use with caution!

Creates attributes for all classes, methods and fields on the Analysis object itself. This makes it easier to work with Analysis module in an iPython shell.

Classes can be search by typing dx.CLASS_<tab>, as each class is added via this attribute name. Each class will have all methods attached to it via dx.CLASS_Foobar.METHOD_<tab>. Fields have a similar syntax: dx.CLASS_Foobar.FIELD_<tab>.

As Strings can contain nearly anything, use find_strings() instead.

create_xref()

Create Class, Method, String and Field crossreferences for all classes in the Analysis.

If you are using multiple DEX files, this function must be called when all DEX files are added. If you call the function after every DEX file, it will only work for the first time.

find_classes(name='.*', no_external=False)

Find classes by name, using regular expression This method will return all ClassAnalysis Object that match the name of the class.

Parameters

  • name – regular expression for class name (default “.*”)

  • no_external – Remove external classes from the output (default False)

Return type

Iterator[ClassAnalysis]

find_fields(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')

find fields by regex

Parameters

  • classname – regular expression of the classname

  • fieldname – regular expression of the fieldname

  • fieldtype – regular expression of the fieldtype

  • accessflags – regular expression of the access flags

Return type

Iterator[FieldAnalysis]

find_methods(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)

Find a method by name using regular expression. This method will return all MethodAnalysis objects, which match the classname, methodname, descriptor and accessflags of the method.

Parameters

  • classname – regular expression for the classname

  • methodname – regular expression for the method name

  • descriptor – regular expression for the descriptor

  • accessflags – regular expression for the accessflags

  • no_external – Remove external method from the output (default False)

Return type

Iterator[MethodAnalysis]

find_strings(string='.*')

Find strings by regex

Parameters

string – regular expression for the string to search for

Return type

Iterator[StringAnalysis]

get_call_graph(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_isolated=False, entry_points=[])

Generate a directed graph based on the methods found by the filters applied. The filters are the same as in find_methods()

A networkx.MultiDiGraph is returned, containing all xrefs. That means a method which calls another method multiple times, will have multiple edges between them. Attached to the edge is the attribute offset, which gives the code offset inside the method of the call.

Specifying filters will not remove the methods if they are called by some other method.

The callgraph will check for both directions of edges. Thus, if you specify a single class as input, it will contain all classes which are called by this class (xref_to), as well as all methods who calls the specified one (xref_from).

Each node will contain the following meta information as attribute:

  • external: is the method external or not (boolean)

  • entrypoint: is the method a known entry point (boolean)

  • native: is the method a native method by signature (boolean)

  • public: is the method declared public (boolean)

  • static: is the method declared static (boolean)

  • vm: An ID of the DEX file where this method is declared or 0 if external (signed int)

  • codesize: size of code of the method or zero if external (int)

Parameters

  • classname – regular expression of the classname (default: “.*”)

  • methodname – regular expression of the methodname (default: “.*”)

  • descriptor – regular expression of the descriptor (default: “.*”)

  • accessflags – regular expression of the access flags (default: “.*”)

  • no_isolated – remove isolated nodes from the graph, e.g. methods which do not call anything (default: False)

  • entry_points – A list of classes that are marked as entry point

Return type

networkx.MultiDiGraph

get_class_analysis(class_name)

Returns the ClassAnalysis object for a given classname.

Parameters

class_name – classname like ‘Ljava/lang/Object;’ (including L and ;)

Returns

ClassAnalysis

Return type

ClassAnalysis

get_classes()

Returns a list of ClassAnalysis objects

Returns both internal and external classes (if any)

Return type

Iterator[ClassAnalysis]

get_external_classes()

Returns all external classes, that means all classes that are not defined in the given set of DalvikVMObjects.

Return type

Iterator[ClassAnalysis]

get_field_analysis(field)

Get the FieldAnalysis for a given fieldname

Parameters

field (androguard.core.bytecodes.dvm.EncodedField) – the field

Returns

FieldAnalysis

Return type

FieldAnalysis

get_fields()

Returns a list of FieldAnalysis objects

Return type

Iterator[FieldAnalysis]

get_internal_classes()

Returns all external classes, that means all classes that are defined in the given set of DalvikVMFormat.

Return type

Iterator[ClassAnalysis]

get_method(method)

Get the MethodAnalysis object for a given EncodedMethod. This Analysis object is used to enhance EncodedMethods.

Parameters

methodEncodedMethod to search for

Returns

MethodAnalysis object for the given method, or None if method was not found

Return type

MethodAnalysis

get_method_analysis(method)

Get the MethodAnalysis object for a given EncodedMethod. This Analysis object is used to enhance EncodedMethods.

Parameters

methodEncodedMethod to search for

Returns

MethodAnalysis object for the given method, or None if method was not found

Return type

MethodAnalysis

get_method_analysis_by_name(class_name, method_name, method_descriptor)

Returns the crossreferencing object for a given method.

This function is similar to get_method_analysis(), with the difference that you can look up the Method by name

Parameters

  • class_name – name of the class, for example ‘Ljava/lang/Object;’

  • method_name – name of the method, for example ‘onCreate’

  • method_descriptor – method descriptor, for example ‘(I I)V’

Returns

MethodAnalysis

Return type

MethodAnalysis

get_method_by_name(class_name, method_name, method_descriptor)

Search for a EncodedMethod in all classes in this analysis

Parameters

  • class_name – name of the class, for example ‘Ljava/lang/Object;’

  • method_name – name of the method, for example ‘onCreate’

  • method_descriptor – descriptor, for example ‘(I I Ljava/lang/String)V

Returns

EncodedMethod or None if method was not found

Return type

androguard.core.bytecodes.dvm.EncodedMethod

get_methods()

Returns a list of MethodAnalysis objects

Return type

Iterator[MethodAnalysis]

get_permission_usage(permission, apilevel=None)

Find the usage of a permission inside the Analysis.

example::

from androguard.misc import AnalyzeAPK a, d, dx = AnalyzeAPK(“somefile.apk”)

for meth in dx.get_permission_usage(‘android.permission.SEND_SMS’, a.get_effective_target_sdk_version()):

print(“Using API method {}”.format(meth)) print(“used in:”) for _, m, _ in meth.get_xref_from():

print(m.full_name)

Note

The permission mappings might be incomplete! See also get_permissions().

Parameters

  • permission – the name of the android permission (usually ‘android.permission.XXX’)

  • apilevel – the requested API level or None for default

Returns

yields MethodAnalysis objects for all using API methods

get_permissions(apilevel=None)

Returns the permissions and the API method based on the API level specified. This can be used to find usage of API methods which require a permission. Should be used in combination with an APK.

The returned permissions are a list, as some API methods require multiple permissions at once.

The following example shows the usage and how to get the calling methods using XREF:

example::

from androguard.misc import AnalyzeAPK a, d, dx = AnalyzeAPK(“somefile.apk”)

for meth, perm in dx.get_permissions(a.get_effective_target_sdk_version()):

print(“Using API method {} for permission {}”.format(meth, perm)) print(“used in:”) for _, m, _ in meth.get_xref_from():

print(m.full_name)

..note::

This method might be unreliable and might not extract all used permissions. The permission mapping is based on [Axplorer](https://github.com/reddr/axplorer) and might be incomplete due to the nature of the extraction process. Unfortunately, there is no official API<->Permission mapping.

The output of this method relies also on the set API level. If the wrong API level is used, the results might be wrong.

Parameters

apilevel – API level to load, or None for default

Returns

yields tuples of MethodAnalysis (of the API method) and list of permission string

get_strings()

Returns a list of StringAnalysis objects

Return type

Iterator[StringAnalysis]

get_strings_analysis()

Returns a dictionary of strings and their corresponding StringAnalysis

Return type

Dict[str, StringAnalysis]

is_class_present(class_name)

Checks if a given class name is part of this Analysis.

Parameters

class_name – classname like ‘Ljava/lang/Object;’ (including L and ;)

Returns

True if class was found, False otherwise

Return type

bool

class androguard.core.analysis.analysis.BasicBlocks

Bases: object

This class represents all basic blocks of a method.

It is a collection of many DVMBasicBlock.

get()
Returns

yields each basic block (DVMBasicBlock object)

Return type

Iterator[DVMBasicBlock]

get_basic_block(idx)
get_basic_block_pos(item)

Get the basic block at the index

Parameters

item – index

Returns

The basic block

Return type

DVMBasicBlock

gets()
Returns

a list of basic blocks (DVMBasicBlock objects)

pop(idx)
push(bb)

Adds another basic block to the collection

Parameters

bb (DVBMBasicBlock) – the DVMBasicBlock to add

class androguard.core.analysis.analysis.ClassAnalysis(classobj)

Bases: object

add_field_xref_read(method, classobj, field, off)

Add a Field Read to this class

Parameters
Returns

add_field_xref_write(method, classobj, field, off)

Add a Field Write to this class in a given method

Parameters
Returns

add_method(method_analysis)

Add the given method to this analyis. usually only called during Analysis.add and Analysis._resolve_method

Parameters

method_analysis (MethodAnalysis) –

add_method_xref_from(method1, classobj, method2, offset)
Parameters
add_method_xref_to(method1, classobj, method2, offset)
Parameters
add_xref_from(ref_kind, classobj, methodobj, offset)

Creates a crossreference from this class. XrefFrom means, that the current class is called by another class.

Parameters
Returns

add_xref_to(ref_kind, classobj, methodobj, offset)

Creates a crossreference to another class. XrefTo means, that the current class calls another class. The current class should also be contained in the another class’ XrefFrom list.

Warning

The implementation of this specific method might not be what you expect! the parameter methodobj is the source method and not the destination in the case that ref_kind is const-class or new-instance!

Parameters
Returns

property extends

Return the parent class

For external classes, this is not sure, thus we return always Object (which is the parent of all classes)

Returns

a string of the parent class name

get_class()

Returns the original Dalvik VM class or the external class object.

Returns

Return type

Union[androguard.core.bytecodes.dvm.ClassDefItem, ExternalClass]

get_field_analysis(field)
get_fields()

Return all FieldAnalysis objects of this class

get_method_analysis(method)

Return the MethodAnalysis object for a given EncodedMethod

Parameters

methodEncodedMethod

Returns

MethodAnalysis

Return type

MethodAnalysis

get_methods()

Return all MethodAnalysis objects of this class

Return type

Iterator[MethodAnalysis]

get_nb_methods()

Get the number of methods in this class

get_vm_class()

Returns the original Dalvik VM class or the external class object.

Returns

Return type

Union[androguard.core.bytecodes.dvm.ClassDefItem, ExternalClass]

get_xref_from()

Returns a dictionary of all classes calling the current class. This dictionary contains also information from which method the class is accessed.

Note

this method might contains wrong information about class usage!

The dictionary contains the classes as keys (stored as ClassAnalysis) and has a tuple as values, where the first item is the ref_kind (which is an Enum of type REF_TYPE), the second one is the method in which the class is called (MethodAnalysis) and the third the offset in the method where the call is originating.

example::

# dx is an Analysis object for cls in dx.find_classes(‘.*some/name.*’):

print(“Found class {} in Analysis”.format(cls.name) for caller, refs in cls.get_xref_from().items():

print(” called from {}”.format(caller.name)) for ref_kind, ref_method, ref_offset in refs:

print(” in method {} {}”.format(ref_kind, ref_method))

Return type

Iterator[Tuple[REF_TYPE, MethodAnalysis, int]]

get_xref_to()

Returns a dictionary of all classes which are called by the current class. This dictionary contains also information about the method which is called.

Note

this method might contains wrong information about class usage!

The dictionary contains the classes as keys (stored as ClassAnalysis) and has a tuple as values, where the first item is the ref_kind (which is an Enum of type REF_TYPE), the second one is the method called (MethodAnalysis) and the third the offset in the method where the call is originating.

example::

# dx is an Analysis object for cls in dx.find_classes(‘.*some/name.*’):

print(“Found class {} in Analysis”.format(cls.name) for calling, refs in cls.get_xref_from().items():

print(” calling class {}”.format(calling.name)) for ref_kind, ref_method, ref_offset in refs:

print(” calling method {} {}”.format(ref_kind, ref_method))

Return type

Iterator[Tuple[REF_TYPE, MethodAnalysis, int]]

property implements

Get a list of interfaces which are implemented by this class

Returns

a list of Interface names

is_android_api()

Tries to guess if the current class is an Android API class.

This might be not very precise unless an apilist is given, with classes that are in fact known APIs. Such a list might be generated by using the android.jar files.

Returns

boolean

is_external()

Tests if this class is an external class

Returns

True if the Class is external, False otherwise

property name

Return the class name

Returns

class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)

Bases: object

A simple basic block of a dalvik method.

A basic block consists of a series of Instruction which are not interrupted by branch or jump instructions such as goto, if, throw, return, switch etc.

add_note(note)
clear_notes()
get_end()

Get the end offset of this basic block

Returns

end offset

Return type

int

get_exception_analysis()
get_instructions()

Get all instructions from a basic block.

Returns

Return all instructions in the current basic block

get_last()

Get the last instruction in the basic block

Returns

androguard.core.bytecodes.dvm.Instruction

get_last_length()
get_method()

Returns the originiating method

Returns

the method

Return type

androguard.core.bytecodes.dvm.EncodedMethod

get_name()
get_nb_instructions()
get_next()

Get next basic blocks

Returns

a list of the next basic blocks

Return type

DVMBasicBlock

get_notes()
get_prev()

Get previous basic blocks

Returns

a list of the previous basic blocks

Return type

DVMBasicBlock

get_special_ins(idx)

Return the associated instruction to a specific instruction (for example a packed/sparse switch)

Parameters

idx – the index of the instruction

Return type

None or an Instruction

get_start()

Get the starting offset of this basic block

Returns

starting offset

Return type

int

push(i)
set_childs(values)
set_exception_analysis(exception_analysis)
set_fathers(f)
set_notes(value)
show()
class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)

Bases: object

get()
show_buff()
class androguard.core.analysis.analysis.Exceptions

Bases: object

add(exceptions, basic_blocks)
get()
get_exception(addr_start, addr_end)
gets()
class androguard.core.analysis.analysis.ExternalClass(name)

Bases: object

The ExternalClass is used for all classes that are not defined in the DEX file, thus are external classes.

Parameters

name – Name of the external class

add_method(method)
get_methods()

Return the stored methods for this external class :return:

get_name()

Returns the name of the ExternalClass object

class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)

Bases: object

ExternalMethod is a stub class for methods that are not part of the current Analysis. There are two possibilities for this:

  1. The method is defined inside another DEX file which was not loaded into the Analysis

  2. The method is an API method, hence it is defined in the Android system

External methods should have a similar API to EncodedMethod but obviously they have no code attached. The only known information about such methods are the class name, the method name and its descriptor.

Parameters

  • class_name (str) – name of the class

  • name (str) – name of the method

  • descriptor (List[str]) – descriptor string

property full_name

Returns classname + name + descriptor, separated by spaces (no access flags)

get_access_flags_string()

Returns the access flags string.

Right now, this is always an empty strings, as we can not say what kind of access flags an external method might have.

get_class_name()
get_descriptor()
get_name()
property permission_api_name

Returns a name which can be used to look up in the permission maps

class androguard.core.analysis.analysis.FieldAnalysis(field)

Bases: object

add_xref_read(classobj, methodobj, offset)
Parameters
add_xref_write(classobj, methodobj, offset)
Parameters
get_field()

Returns the actual field object

Return type

androguard.core.bytecodes.dvm.EncodedField

get_xref_read(withoffset=False)

Returns a list of xrefs where the field is read.

The list contains tuples of the originating class and methods, where the class is represented as a ClassAnalysis, while the method is a MethodAnalysis.

Parameters

withoffset (bool) – return the xrefs including the offset

get_xref_write(withoffset=False)

Returns a list of xrefs where the field is written to.

The list contains tuples of the originating class and methods, where the class is represented as a ClassAnalysis, while the method is a MethodAnalysis.

Parameters

withoffset (bool) – return the xrefs including the offset

property name
class androguard.core.analysis.analysis.MethodAnalysis(vm, method)

Bases: object

This class analyses in details a method of a class/dex file It is a wrapper around a EncodedMethod and enhances it by using multiple DVMBasicBlock encapsulated in a BasicBlocks object.

property access

Returns the access flags to the method as a string

add_xref_from(classobj, methodobj, offset)

Add a crossrefernece from another method (this method is called by another method)

Parameters
add_xref_to(classobj, methodobj, offset)

Add a crossreference to another method (this method calls another method)

Parameters
property class_name

Returns the name of the class of this method

property descriptor

Returns the type descriptor for this method

property full_name

Returns classname + name + descriptor, separated by spaces (no access flags)

get_access_flags_string()

Returns the concatenated access flags string

get_basic_blocks()

Returns the BasicBlocks generated for this method. The BasicBlocks can be used to get a control flow graph (CFG) of the method.

Return type

a BasicBlocks object

get_class_name()

Return the class name of the method

get_length()
Returns

an integer which is the length of the code

Return type

int

get_method()
Return type

androguard.core.bytecodes.dvm.EncodedMethod

Returns

get_vm()
Return type

androguard.core.bytecodes.dvm.DalvikVMFormat

Returns

get_xref_from()

Returns a list of tuples containing the class, method and offset of the call, from where this object was called.

The list of tuples has the form: (ClassAnalysis, EncodedMethod or ExternalMethod, int)

get_xref_to()

Returns a list of tuples containing the class, method and offset of the call, which are called by this method.

The list of tuples has the form: (ClassAnalysis, EncodedMethod or ExternalMethod, int)

is_android_api()

Returns True if the method seems to be an Android API method.

This method might be not very precise unless an list of known API methods is given.

Returns

boolean

is_external()

Returns True if the underlying method is external

Return type

boolean

property name

Returns the name of this method

show()

Prints the content of this method to stdout.

This will print the method signature and the decompiled code.

show_xrefs()
class androguard.core.analysis.analysis.MethodClassAnalysis(meth)

Bases: androguard.core.analysis.analysis.MethodAnalysis

Deprecated since version 3.4.0: Always use MethodAnalysis! This method is just here for compatability

class androguard.core.analysis.analysis.REF_TYPE

Bases: enum.IntEnum

Stores the opcodes for the type of usage in an XREF.

Used in ClassAnalysis to store the type of reference to the class.

INVOKE_DIRECT = 112
INVOKE_DIRECT_RANGE = 118
INVOKE_INTERFACE = 114
INVOKE_INTERFACE_RANGE = 120
INVOKE_STATIC = 113
INVOKE_STATIC_RANGE = 119
INVOKE_SUPER = 111
INVOKE_SUPER_RANGE = 117
INVOKE_VIRTUAL = 110
INVOKE_VIRTUAL_RANGE = 116
REF_CLASS_USAGE = 28
REF_NEW_INSTANCE = 34
class androguard.core.analysis.analysis.StringAnalysis(value)

Bases: object

StringAnalysis contains the XREFs of a string.

As Strings are only used as a source, they only contain the XREF_FROM set, i.e. where the string is used.

This Array stores the information in which method the String is used.

add_xref_from(classobj, methodobj, off)

Adds a xref from the given method to this string

Parameters
get_orig_value()

Return the original, read only, value of the String

Returns

the original value

get_value()

Return the (possible overwritten) value of the String

Returns

the value of the string

get_xref_from(withoffset=False)

Returns a list of xrefs accessing the String.

The list contains tuples of the originating class and methods, where the class is represented as a ClassAnalysis, while the method is a MethodAnalysis.

is_overwritten()

Returns True if the string was overwritten :return:

set_value(value)

Overwrite the current value of the String with a new value. The original value is not lost and can still be retrieved using get_orig_value().

Parameters

value (str) – new string value

androguard.core.analysis.analysis.is_ascii_obfuscation(vm)

Tests if any class inside a DalvikVMObject uses ASCII Obfuscation (e.g. UTF-8 Chars in Classnames)

Parameters

vmDalvikVMObject

Returns

True if ascii obfuscation otherwise False

androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)

Bases: object

The main class which analyse automatically android apps by calling methods from a specific object

Automatic analysis requires two objects to be created:

  1. a Logger, found at key log in the settings

  2. an Analysis runner, found at key my in the settings

Both are passed to AndroAuto via a dictionary. The setting dict understands the following keys:

  • my: The Analysis runner (required)

  • log: The Logger

  • max_fetcher: Maximum number of concurrent threads

DefaultAndroLog can be used as a baseclass for the Logger, while DefaultAndroAnalysis can be used a baseclass for the Analysis. There is also DirectoryAndroAnalysis which implements a fetcher which recursively reads a directory for files and can be used a baseclass as well.

example:

from androguard.core.analysis import auto

class AndroTest(auto.DirectoryAndroAnalysis):
    # This is the Test Runner
    def analysis_app(self, log, apkobj, dexobj, analysisobj):
        # Just print all objects to stdout
        print(log.id_file, log.filename, apkobj, dexobj, analysisobj)

settings = {
    # The directory `some/directory` should contain some APK files
    "my": AndroTest('some/directory'),
    # Use the default Logger
    "log": auto.DefaultAndroLog,
    # Use maximum of 2 threads
    "max_fetcher": 2,
}

aa = auto.AndroAuto(settings)
aa.go()
Parameters

settings (dict) – the settings of the analysis

dump()

Dump the analysis

Calls dump() on the Analysis object

dump_file(filename)

Dump the analysis into a file

Calls dump_file(filename) on the Analysis object

go()

Launch the analysis.

this will start a total of max_fetcher threads.

class androguard.core.analysis.auto.DefaultAndroAnalysis

Bases: object

This class can be used as a template in order to analyse apps

The order of methods called in this class is the following:

crash() can be called during analysis if any Exception happens.

analysis_adex(log, adexobj)

This method is called in order to know if the analysis must continue

Parameters
Return type

a boolean

analysis_apk(log, apkobj)

This method is called in order to know if the analysis must continue

Parameters
Returns

True if a DEX file should be analyzed as well

Return type

bool

analysis_app(log, apkobj, dexobj, adexobj)

This method is called if you wish to analyse the final app

Parameters
analysis_arsc(log, arscobj)

This method is called in order to know if the analysis must continue

Parameters
Returns

True if the analysis should continue afterwards

Return type

bool

analysis_axml(log, axmlobj)

This method is called in order to know if the analysis must continue

Parameters
Returns

True if the analysis should continue afterwards

Return type

bool

analysis_dex(log, dexobj)

This method is called in order to know if the analysis must continue

Parameters
Returns

True if the analysis should continue with an analysis.Analysis

Return type

bool

analysis_dey(log, deyobj)

This method is called in order to know if the analysis must continue

Parameters
Returns

True if the analysis should continue with an analysis.Analysis

Return type

bool

crash(log, why)

This method is called if a crash happens

Parameters

  • log – an object which corresponds to an unique app

  • why – the exception

create_adex(log, dexobj)

This method is called in order to create an Analysis object

Parameters
Rytpe

a Analysis object

create_apk(log, fileraw)

This method is called in order to create a new APK object

Parameters

  • log – an object which corresponds to a unique app

  • fileraw – the raw apk (a string)

Return type

an APK object

create_arsc(log, fileraw)

This method is called in order to create a new ARSC object

Parameters

  • log – an object which corresponds to a unique app

  • fileraw – the raw arsc (a string)

Return type

an ARSCParser object

create_axml(log, fileraw)

This method is called in order to create a new AXML object

Parameters

  • log – an object which corresponds to a unique app

  • fileraw – the raw axml (a string)

Return type

an AXMLPrinter object

create_dex(log, dexraw)

This method is called in order to create a DalvikVMFormat object

Parameters

  • log – an object which corresponds to a unique app

  • dexraw – the raw classes.dex (a string)

Return type

a DalvikVMFormat object

create_dey(log, dexraw)

This method is called in order to create a DalvikOdexVMFormat object

Parameters

  • log – an object which corresponds to a unique app

  • dexraw – the raw odex file (a string)

Return type

a DalvikOdexVMFormat object

dump()

This method is called to dump the result

dump_file(filename)

This method is called to dump the result in a file

Parameters

filename – the filename to dump the result

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

must return False if the queue is filled, thus all files are read.

Parameters

q – the Queue to put new app

filter_file(log, fileraw)

This method is called in order to filer a specific app

Parameters

  • log – an object which corresponds to a unique app

  • fileraw (bytes) – the raw file as bytes

Return type

a tuple with 2 elements, the return value (boolean) if it is necessary to continue the analysis and the file type

finish(log)

This method is called before the end of the analysis

Parameters

log – an object which corresponds to an unique app

class androguard.core.analysis.auto.DefaultAndroLog(id_file, filename)

Bases: object

A base class for the Androguard Auto Logger.

The Logger contains two attributes of the analyzed File: filename and id_file, which is the Adler32 Checksum of the file.

The Logger can be extended to contain more attributes.

class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)

Bases: androguard.core.analysis.auto.DefaultAndroAnalysis

A simple class example to analyse a whole directory with many APKs in it

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

must return False if the queue is filled, thus all files are read.

Parameters

q – the Queue to put new app

Module contents