androguard.core.analysis package

Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm)

Bases: object

add(vm)
create_xref()
get_class_analysis(class_name)
get_external_classes()
get_field_analysis(field)
get_method(method)
get_method_analysis(method)
get_method_analysis_by_name(class_name, method_name, method_descriptor)
get_method_by_name(class_name, method_name, method_descriptor)
get_strings_analysis()
is_class_present(class_name)
class androguard.core.analysis.analysis.BasicBlocks(_vm)

Bases: object

This class represents all basic blocks of a method

get()
Return type:return each basic block (DVMBasicBlock object)
get_basic_block(idx)
get_basic_block_pos(idx)
gets()
Return type:a list of basic blocks (DVMBasicBlock objects)
pop(idx)
push(bb)
class androguard.core.analysis.analysis.ClassAnalysis(classobj, internal=False)

Bases: object

AddFXrefRead(method, classobj, field)
AddFXrefWrite(method, classobj, field)
AddMXrefFrom(method1, classobj, method2, offset)
AddMXrefTo(method1, classobj, method2, offset)
AddXrefFrom(ref_kind, classobj, methodobj, offset)
AddXrefTo(ref_kind, classobj, methodobj, offset)
GetFakeMethod(name, descriptor)
get_field_analysis(field)
get_method_analysis(method)
get_methods()
get_nb_methods()
get_vm_class()
get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)

Bases: object

A simple basic block of a dalvik method

add_note(note)
clear_notes()
get_end()
get_exception_analysis()
get_instructions()

Get all instructions from a basic block.

Return type:Return all instructions in the current basic block
get_last()
get_last_length()
get_method()
get_name()
get_nb_instructions()
get_next()

Get next basic blocks

Return type:a list of the next basic blocks
get_notes()
get_prev()

Get previous basic blocks

Return type:a list of the previous basic blocks
get_special_ins(idx)

Return the associated instruction to a specific instruction (for example a packed/sparse switch)

Parameters:idx – the index of the instruction
Return type:None or an Instruction
get_start()
push(i)
set_childs(values)
set_exception_analysis(exception_analysis)
set_fathers(f)
set_notes(value)
show()
class androguard.core.analysis.analysis.Enum(names)

Bases: object

tuples()
class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)

Bases: object

get()
show_buff()
class androguard.core.analysis.analysis.Exceptions(_vm)

Bases: object

add(exceptions, basic_blocks)
get()
get_exception(addr_start, addr_end)
gets()
class androguard.core.analysis.analysis.ExternalClass(name)

Bases: object

GetMethod(name, descriptor)
get_methods()
class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)

Bases: object

get_class_name()
get_descriptor()
get_name()
class androguard.core.analysis.analysis.FieldClassAnalysis(field)

Bases: object

AddXrefRead(classobj, methodobj)
AddXrefWrite(classobj, methodobj)
get_xref_read()
get_xref_write()
class androguard.core.analysis.analysis.MethodAnalysis(vm, method)

Bases: object

This class analyses in details a method of a class/dex file

get_basic_blocks()
Return type:a BasicBlocks object
get_length()
Return type:an integer which is the length of the code
get_method()
get_tags()

Return the tags of the method

Return type:a Tags object
get_vm()
show()
show_methods()
class androguard.core.analysis.analysis.MethodClassAnalysis(method)

Bases: object

AddXrefFrom(classobj, methodobj, offset)
AddXrefTo(classobj, methodobj, offset)
get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.StringAnalysis(value)

Bases: object

AddXrefFrom(classobj, methodobj)
get_orig_value()
get_value()
get_xref_from()
set_value(value)
class androguard.core.analysis.analysis.Tags(patterns={0: [0, 'Landroid'], 1: [0, 'Landroid/telephony'], 2: [0, 'Landroid/telephony/SmsManager'], 3: [0, 'Landroid/telephony/SmsMessage'], 4: [0, 'Landroid/accessibilityservice'], 5: [0, 'Landroid/accounts'], 6: [0, 'Landroid/animation'], 7: [0, 'Landroid/app'], 8: [0, 'Landroid/bluetooth'], 9: [0, 'Landroid/content'], 10: [0, 'Landroid/database'], 11: [0, 'Landroid/os/Debug'], 12: [0, 'Landroid/drm'], 13: [0, 'Landroid/gesture'], 14: [0, 'Landroid/graphics'], 15: [0, 'Landroid/hardware'], 16: [0, 'Landroid/inputmethodservice'], 17: [0, 'Landroid/location'], 18: [0, 'Landroid/media'], 19: [0, 'Landroid/mtp'], 20: [0, 'Landroid/net'], 21: [0, 'Landroid/nfc'], 22: [0, 'Landroid/opengl'], 23: [0, 'Landroid/os'], 24: [0, 'Landroid/preference'], 25: [0, 'Landroid/provider'], 26: [0, 'Landroid/renderscript'], 27: [0, 'Landroid/sax'], 28: [0, 'Landroid/security'], 29: [0, 'Landroid/service'], 30: [0, 'Landroid/speech'], 31: [0, 'Landroid/support'], 32: [0, 'Landroid/test'], 33: [0, 'Landroid/text'], 34: [0, 'Landroid/util'], 35: [0, 'Landroid/view'], 36: [0, 'Landroid/webkit'], 37: [0, 'Landroid/widget'], 38: [0, 'Ldalvik/bytecode'], 39: [0, 'Ldalvik/system'], 40: [0, 'Ljava/lang/reflect']}, reverse={0: 'ANDROID', 1: 'TELEPHONY', 2: 'SMS', 3: 'SMSMESSAGE', 4: 'ACCESSIBILITYSERVICE', 5: 'ACCOUNTS', 6: 'ANIMATION', 7: 'APP', 8: 'BLUETOOTH', 9: 'CONTENT', 10: 'DATABASE', 11: 'DEBUG', 12: 'DRM', 13: 'GESTURE', 14: 'GRAPHICS', 15: 'HARDWARE', 16: 'INPUTMETHODSERVICE', 17: 'LOCATION', 18: 'MEDIA', 19: 'MTP', 20: 'NET', 21: 'NFC', 22: 'OPENGL', 23: 'OS', 24: 'PREFERENCE', 25: 'PROVIDER', 26: 'RENDERSCRIPT', 27: 'SAX', 28: 'SECURITY', 29: 'SERVICE', 30: 'SPEECH', 31: 'SUPPORT', 32: 'TEST', 33: 'TEXT', 34: 'UTIL', 35: 'VIEW', 36: 'WEBKIT', 37: 'WIDGET', 38: 'DALVIK_BYTECODE', 39: 'DALVIK_SYSTEM', 40: 'JAVA_REFLECTION'})

Bases: object

Handle specific tags

Parameters:patterns
Params reverse:
emit(method)
emit_by_classname(classname)
empty()
get_list()
androguard.core.analysis.analysis.is_ascii_obfuscation(vm)

androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)

Bases: object

The main class which analyse automatically android apps by calling methods from a specific object :param settings: the settings of the analysis :type settings: dict

dump()

Dump the analysis

dump_file(filename)

Dump the analysis in a filename

go()

Launch the analysis

class androguard.core.analysis.auto.DefaultAndroAnalysis

Bases: object

This class can be used as a template in order to analyse apps

analysis_adex(log, adexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • adexobj – a VMAnalysis object
Return type:

a boolean
analysis_apk(log, apkobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – a APK object
Return type:

a boolean
analysis_app(log, apkobj, dexobj, adexobj)

This method is called if you wish to analyse the final app

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – a APK object
  • dexobj – a DalvikVMFormat object
  • adexobj – a VMAnalysis object
analysis_arsc(log, arscobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • arscobj – a ARSCParser object
Return type:

a boolean
analysis_axml(log, axmlobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • axmlobj – a AXMLPrinter object
Return type:

a boolean
analysis_dex(log, dexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Return type:

a boolean
analysis_dey(log, deyobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • deyobj – a DalvikOdexVMFormat object
Return type:

a boolean
crash(log, why)

This method is called if a crash appends

Parameters:
  • log – an object which corresponds to a unique app
  • why – the string exception
create_adex(log, dexobj)

This method is called in order to create a VMAnalysis object

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Rytpe:

a Analysis object
create_apk(log, fileraw)

This method is called in order to create a new APK object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw apk (a string)
Return type:

an APK object
create_arsc(log, fileraw)

This method is called in order to create a new ARSC object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw arsc (a string)
Return type:

an APK object
create_axml(log, fileraw)

This method is called in order to create a new AXML object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw axml (a string)
Return type:

an APK object
create_dex(log, dexraw)

This method is called in order to create a DalvikVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw classes.dex (a string)
Return type:

a DalvikVMFormat object
create_dey(log, dexraw)

This method is called in order to create a DalvikOdexVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw odex file (a string)
Return type:

a DalvikOdexVMFormat object
dump()

This method is called to dump the result

Parameters:log – an object which corresponds to a unique app
dump_file(filename)

This method is called to dump the result in a file

Parameters:
  • log – an object which corresponds to a unique app
  • filename – the filename to dump the result
fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

Parameters:q – the Queue to put new app
filter_file(log, fileraw)

This method is called in order to filer a specific app

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw app (a string)
Return type:

a set with 2 elements, the return value (boolean) if it is necessary to

continue the analysis and the file type

finish(log)

This method is called before the end of the analysis

Parameters:log – an object which corresponds to a unique app
class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)

Bases: androguard.core.analysis.auto.DefaultAndroAnalysis

A simple class example to analyse a directory

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be fill with the following format: (filename, raw)

Parameters:q – the Queue to put new app

Module contents