androguard package

Submodules

androguard.misc module

androguard.misc.AnalyzeAPK(_file, session=None, raw=False)

Analyze an Android application and set up everything needed for a quick analysis. If session is None, no session is used at all; this is the default behaviour. If you would like to continue your work later, it is a good idea to use a session. A default session can be created with get_default_session().

Parameters
  • _file (string (for filename) or bytes (for raw)) – the filename of the android application or a buffer which represents the application

  • session – A session (default: None)

  • raw – boolean, True if raw bytes are supplied instead of a filename

Return type

return the APK, list of DalvikVMFormat, and Analysis objects

androguard.misc.AnalyzeDex(filename, session=None)

Analyze an Android dex file and set up everything needed for a quick analysis.

Parameters
  • filename (string) – the filename of the android dex file or a buffer which represents the dex file

  • session – A session (Default None)

Return type

return a tuple of (sha256hash, DalvikVMFormat, Analysis)

androguard.misc.AnalyzeODex(filename, session=None)

Analyze an Android odex file and set up everything needed for a quick analysis.

Parameters
  • filename (string) – the filename of the android dex file or a buffer which represents the dex file

  • session – The Androguard Session to add the ODex to (default: None)

Return type

return a tuple of (sha256hash, DalvikOdexVMFormat, Analysis)

androguard.misc.RunDecompiler(d, dx, decompiler_name)

Run the decompiler on a specific analysis

Parameters
  • d (DalvikVMFormat object) – the DalvikVMFormat object

  • dx (VMAnalysis object) – the analysis of the format

  • decompiler_name (string) – the type of decompiler to use (“dad”, “dex2jad”, “ded”)

androguard.misc.clean_file_name(filename, unique=True, replace='_', force_nt=False)

Return a version of the filename that contains no forbidden characters. On Windows these are, for example, <, /, ?, …

The intention of this function is to allow distribution of files to different OSes.

Parameters
  • filename – string to clean

  • unique – check if the filename is already taken and append an integer to be unique (default: True)

  • replace – replacement character. (default: ‘_’)

  • force_nt – Force shortening of paths like on NT systems (default: False)

Returns

clean string

androguard.misc.get_default_session()

Return the default Session from the configuration or create a new one, if the session in the configuration is None.

Return type

androguard.session.Session

androguard.misc.init_print_colors()

androguard.misc.sign_apk(filename, keystore, storepass)

Use jarsigner to sign an APK file.

Parameters
  • filename – APK file on disk to sign (path)

  • keystore – path to keystore

  • storepass – the keystore passphrase

androguard.session module

androguard.session.Load(filename)

load your session!

example:

s = session.Load("mysession.ag")

Parameters

filename (string) – the filename where the session has been saved

Return type

the elements of your session :)

androguard.session.Save(session, filename=None)

Save your session to use it later.

Returns the filename of the written file. If no filename is given, a file named androguard_session_<DATE>.ag will be created in the current working directory. <DATE> is a timestamp with the following format: %Y-%m-%d_%H%M%S.

This function will overwrite existing files without asking.

If the file could not be written, None is returned.

example:

s = session.Session()
session.Save(s, "msession.ag")

Parameters
  • session – A Session object to save

  • filename (string) – output filename to save the session
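Added example, not part of the androguard documentation or code base: a saved session is a pickle, and unpickling runs whatever the file's author put into it, so a .ag file that has left your control should be checked before Load() reads it. The sketch below keeps an HMAC-SHA256 tag beside the session file; the .hmac sidecar name, the key handling and the helper names are assumptions, and loader stands for androguard.session.Load.

```python
import hashlib
import hmac

TAG_SUFFIX = ".hmac"  # hypothetical sidecar name, not an androguard convention


def file_tag(path, key):
    """HMAC-SHA256 of the file at `path`, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def seal_session(path, key):
    """Call on the filename returned by Save(); writes <path>.hmac."""
    if path is None:  # Save() returns None when the file could not be written
        raise ValueError("no session file was written, nothing to seal")
    tag = file_tag(path, key)
    with open(path + TAG_SUFFIX, "w") as fh:
        fh.write(tag)
    return tag


def load_sealed(path, key, loader):
    """Verify the sidecar tag, then pass `path` to `loader`.

    `loader` is a parameter so nothing is unpickled before the check passes.
    """
    try:
        with open(path + TAG_SUFFIX, "rb") as fh:
            expected = fh.read().strip()
    except FileNotFoundError:
        raise ValueError("no tag for {}: refusing to load".format(path))
    if not hmac.compare_digest(expected, file_tag(path, key).encode("ascii")):
        raise ValueError("tag mismatch for {}: refusing to load".format(path))
    return loader(path)


if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "demo.ag")
        with open(p, "wb") as fh:
            fh.write(b"constructed stand-in bytes, not a real session")
        seal_session(p, b"demo-key")
        print(load_sealed(p, b"demo-key", loader=os.path.getsize))  # stand-in loader
```

Because Save() overwrites existing files without asking, the tag has to be rewritten after every save; a stale tag makes load_sealed() refuse the file.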

class androguard.session.Session(export_ipython=False)

Bases: object

A Session is able to store multiple APK, DEX or ODEX files and can be pickled to disk in order to resume work later.

The main function used in Sessions is probably add(), which adds files to the session and performs analysis on them.

Afterwards, the files can be gathered using methods such as get_objects_apk(), get_objects_dex() or get_classes().

example:

s = Session()
digest = s.add("some.apk")

print("SHA256 of the file: {}".format(digest))

a, d, dx = s.get_objects_apk("some.apk", digest)
print(a.get_package())

# Reset the Session for a fresh set of files
s.reset()

digest2 = s.add("classes.dex")
print("SHA256 of the file: {}".format(digest2))
for h, d, dx in s.get_objects_dex():
    print("SHA256 of the DEX file: {}".format(h))

add(filename, raw_data=None, dx=None)

Generic method to add a file to the session.

This is the main method to use when adding files to a Session!

If an APK file is supplied, all DEX files it contains are analyzed too. For DEX and ODEX files, only the file itself is analyzed.

Returns the SHA256 of the analyzed file.

Parameters
  • filename – filename to load

  • raw_data – bytes of the file, or None to load the file from filename

  • dx – An already existing Analysis object

Returns

the sha256 of the file or None on failure

addAPK(filename, data)

Add an APK file to the Session and run analysis on it.

Parameters
  • filename – (file)name of APK file

  • data – binary data of the APK file

Returns

a tuple of SHA256 Checksum and APK Object

addDEX(filename, data, dx=None, postpone_xref=False)

Add a DEX file to the Session and run analysis.

Parameters
  • filename – the (file)name of the DEX file

  • data – binary data of the dex file

  • dx – an existing Analysis Object (optional)

  • postpone_xref – True if no xref shall be created, and will be called manually

Returns

A tuple of SHA256 Hash, DalvikVMFormat Object and Analysis object

addDEY(filename, data, dx=None)

Add an ODEX file to the session and run the analysis

get_all_apks()

Yields a list of tuples of SHA256 hash of the APK and APK objects of all analyzed APKs in the Session.

get_analysis(current_class)

Returns the Analysis object which contains the current_class.

Parameters

current_class (androguard.core.bytecodes.dvm.ClassDefItem) – The class to search for

Return type

androguard.core.analysis.analysis.Analysis

get_classes()

Returns all Java Classes from the DEX objects as an array of DEX files.

get_digest_by_class(current_class)

Return the SHA256 hash of the object containing the ClassDefItem

Returns the first digest in which this class was present. For example, if you analyzed an APK, this should return the digest of the APK and not of the DEX file.

get_filename_by_class(current_class)

Returns the filename of the DEX file that contains the class.

Returns the first filename in which this class was present. For example, if you analyzed an APK, this should return the filename of the APK and not of the DEX file.

Parameters

current_class – ClassDefItem

Returns

None if class was not found or the filename

get_format(current_class)

Returns the DalvikVMFormat of a given ClassDefItem.

Parameters

current_class – A ClassDefItem

get_nb_strings()

Return the total number of strings in all Analysis objects

get_objects_apk(filename=None, digest=None)

Returns APK, DalvikVMFormat and Analysis of a specified APK.

You must specify either filename or digest. It is possible to use both, but in this case only digest is used.

example:

s = Session()
digest = s.add("some.apk")
a, d, dx = s.get_objects_apk(digest=digest)

example:

s = Session()
filename = "some.apk"
digest = s.add(filename)
a, d, dx = s.get_objects_apk(filename=filename)

Parameters
  • filename – the filename of the APK file, only used if digest is None

  • digest – the sha256 hash, as returned by add() for the APK

Returns

a tuple of (APK, [DalvikVMFormat], Analysis)

get_objects_dex()

Yields all dex objects including their Analysis objects

Returns

tuple of (sha256, DalvikVMFormat, Analysis)

get_strings()

Yields all StringAnalysis for all unique Analysis objects

isOpen()

Test if any file was analyzed in this session

Returns

True if any file was analyzed, False otherwise

reset()

Reset the current session, delete all added files.

save(filename=None)

Save the current session, see also Save().

show()

Print information to stdout about the current session. Gets all APKs, all DEX files and all Analysis objects.

androguard.util module

androguard.util.get_certificate_name_string(name, short=False, delimiter=', ')

Format the Name type of an X509 Certificate in a human-readable form.

Parameters
  • name (dict or asn1crypto.x509.Name) – Name object to return the DN from

  • short (boolean) – Use short form (default: False)

  • delimiter (str) – Delimiter string or character between two parts (default: ', ')

Return type

str

androguard.util.read(filename, binary=True)

Open and read a file

Parameters
  • filename – filename to open and read

  • binary – True if the file should be read as binary

Returns

bytes if binary is True, str otherwise

Module contents