androguard.core.analysis package

Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm=None)

Bases: object

add(vm)

Add a DalvikVMFormat to this Analysis

Parameters: vm – the DalvikVMFormat object to add
create_xref()
find_classes(name='.*', no_external=False)

Find classes by name, using a regular expression. This method returns all ClassAnalysis objects whose class name matches.

Parameters:
  • name – regular expression for class name (default “.*”)
  • no_external – Remove external classes from the output (default False)
Return type:

generator of ClassAnalysis

find_fields(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')

Find fields by regular expression.

Parameters:
  • classname – regular expression of the classname
  • fieldname – regular expression of the fieldname
  • fieldtype – regular expression of the fieldtype
  • accessflags – regular expression of the access flags
Return type:

generator of FieldClassAnalysis

find_methods(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)

Find a method by name using regular expression. This method will return all MethodClassAnalysis objects, which match the classname, methodname, descriptor and accessflags of the method.

Parameters:
  • classname – regular expression for the classname
  • methodname – regular expression for the method name
  • descriptor – regular expression for the descriptor
  • accessflags – regular expression for the accessflags
  • no_external – Remove external method from the output (default False)
Return type:

generator of MethodClassAnalysis

find_strings(string='.*')

Find strings by regex

Parameters: string – regular expression for the string to search for
Return type: generator of StringAnalysis
get_class_analysis(class_name)
get_classes()

Returns a list of ClassAnalysis objects

Return type: list of ClassAnalysis
get_external_classes()

Returns all external classes, i.e. all classes that are not defined in the given set of DalvikVMObjects.

Return type: generator of ClassAnalysis
get_field_analysis(field)
get_fields()

Returns a list of FieldClassAnalysis objects

get_method(method)

Parameters: method
Returns: MethodAnalysis object for the given method

get_method_analysis(method)

Parameters: method
Returns: MethodClassAnalysis for the given method
get_method_analysis_by_name(class_name, method_name, method_descriptor)
get_method_by_name(class_name, method_name, method_descriptor)
get_methods()

Returns a list of MethodClassAnalysis objects

get_strings()

Returns a list of StringAnalysis objects

Return type: list of StringAnalysis
get_strings_analysis()
is_class_present(class_name)
class androguard.core.analysis.analysis.BasicBlocks(_vm)

Bases: object

This class represents all basic blocks of a method

get()

Return type: each basic block in turn (DVMBasicBlock objects)

get_basic_block(idx)
get_basic_block_pos(idx)
gets()

Return type: a list of basic blocks (DVMBasicBlock objects)
pop(idx)
push(bb)
class androguard.core.analysis.analysis.ClassAnalysis(classobj, internal=False)

Bases: object

AddFXrefRead(method, classobj, field)
AddFXrefWrite(method, classobj, field)
AddMXrefFrom(method1, classobj, method2, offset)
AddMXrefTo(method1, classobj, method2, offset)
AddXrefFrom(ref_kind, classobj, methodobj, offset)
AddXrefTo(ref_kind, classobj, methodobj, offset)
GetFakeMethod(name, descriptor)
get_field_analysis(field)
get_fields()

Return all FieldClassAnalysis objects of this class

get_method_analysis(method)
get_methods()

Return all MethodClassAnalysis objects of this class

get_nb_methods()

Get the number of methods in this class

get_vm_class()
get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)

Bases: object

A simple basic block of a Dalvik method

add_note(note)
clear_notes()
get_end()
get_exception_analysis()
get_instructions()

Get all instructions from a basic block.

Return type: all instructions in the current basic block
get_last()
get_last_length()
get_method()
get_name()
get_nb_instructions()
get_next()

Get next basic blocks

Return type: a list of the next basic blocks
get_notes()
get_prev()

Get previous basic blocks

Return type: a list of the previous basic blocks
get_special_ins(idx)

Return the instruction associated with a specific instruction (for example a packed/sparse switch)

Parameters: idx – the index of the instruction
Return type: None or an Instruction
get_start()
push(i)
set_childs(values)
set_exception_analysis(exception_analysis)
set_fathers(f)
set_notes(value)
show()
class androguard.core.analysis.analysis.Enum(names)

Bases: object

tuples()
class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)

Bases: object

get()
show_buff()
class androguard.core.analysis.analysis.Exceptions(_vm)

Bases: object

add(exceptions, basic_blocks)
get()
get_exception(addr_start, addr_end)
gets()
class androguard.core.analysis.analysis.ExternalClass(name)

Bases: object

GetMethod(name, descriptor)
get_methods()
get_name()

Returns the name of the ExternalClass object

class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)

Bases: object

get_access_flags_string()
get_class_name()
get_descriptor()
get_name()
class androguard.core.analysis.analysis.FieldClassAnalysis(field)

Bases: object

AddXrefRead(classobj, methodobj)
AddXrefWrite(classobj, methodobj)
get_field()
get_xref_read()
get_xref_write()
class androguard.core.analysis.analysis.MethodAnalysis(vm, method)

Bases: object

get_basic_blocks()
Return type: a BasicBlocks object
get_length()
Return type: an integer which is the length of the code
get_method()
get_vm()
show()

Prints the content of this method to stdout.

This will print the method signature and the decompiled code.

class androguard.core.analysis.analysis.MethodClassAnalysis(method)

Bases: object

AddXrefFrom(classobj, methodobj, offset)
AddXrefTo(classobj, methodobj, offset)
get_method()
get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.StringAnalysis(value)

Bases: object

AddXrefFrom(classobj, methodobj)
get_orig_value()
get_value()
get_xref_from()
set_value(value)
class androguard.core.analysis.analysis.Tags(patterns={0: [0, 'Landroid'], 1: [0, 'Landroid/telephony'], 2: [0, 'Landroid/telephony/SmsManager'], 3: [0, 'Landroid/telephony/SmsMessage'], 4: [0, 'Landroid/accessibilityservice'], 5: [0, 'Landroid/accounts'], 6: [0, 'Landroid/animation'], 7: [0, 'Landroid/app'], 8: [0, 'Landroid/bluetooth'], 9: [0, 'Landroid/content'], 10: [0, 'Landroid/database'], 11: [0, 'Landroid/os/Debug'], 12: [0, 'Landroid/drm'], 13: [0, 'Landroid/gesture'], 14: [0, 'Landroid/graphics'], 15: [0, 'Landroid/hardware'], 16: [0, 'Landroid/inputmethodservice'], 17: [0, 'Landroid/location'], 18: [0, 'Landroid/media'], 19: [0, 'Landroid/mtp'], 20: [0, 'Landroid/net'], 21: [0, 'Landroid/nfc'], 22: [0, 'Landroid/opengl'], 23: [0, 'Landroid/os'], 24: [0, 'Landroid/preference'], 25: [0, 'Landroid/provider'], 26: [0, 'Landroid/renderscript'], 27: [0, 'Landroid/sax'], 28: [0, 'Landroid/security'], 29: [0, 'Landroid/service'], 30: [0, 'Landroid/speech'], 31: [0, 'Landroid/support'], 32: [0, 'Landroid/test'], 33: [0, 'Landroid/text'], 34: [0, 'Landroid/util'], 35: [0, 'Landroid/view'], 36: [0, 'Landroid/webkit'], 37: [0, 'Landroid/widget'], 38: [0, 'Ldalvik/bytecode'], 39: [0, 'Ldalvik/system'], 40: [0, 'Ljava/lang/reflect']}, reverse={0: 'ANDROID', 1: 'TELEPHONY', 2: 'SMS', 3: 'SMSMESSAGE', 4: 'ACCESSIBILITYSERVICE', 5: 'ACCOUNTS', 6: 'ANIMATION', 7: 'APP', 8: 'BLUETOOTH', 9: 'CONTENT', 10: 'DATABASE', 11: 'DEBUG', 12: 'DRM', 13: 'GESTURE', 14: 'GRAPHICS', 15: 'HARDWARE', 16: 'INPUTMETHODSERVICE', 17: 'LOCATION', 18: 'MEDIA', 19: 'MTP', 20: 'NET', 21: 'NFC', 22: 'OPENGL', 23: 'OS', 24: 'PREFERENCE', 25: 'PROVIDER', 26: 'RENDERSCRIPT', 27: 'SAX', 28: 'SECURITY', 29: 'SERVICE', 30: 'SPEECH', 31: 'SUPPORT', 32: 'TEST', 33: 'TEXT', 34: 'UTIL', 35: 'VIEW', 36: 'WEBKIT', 37: 'WIDGET', 38: 'DALVIK_BYTECODE', 39: 'DALVIK_SYSTEM', 40: 'JAVA_REFLECTION'})

Bases: object

Handle specific tags

Parameters:
  • patterns
  • reverse
emit(method)
emit_by_classname(classname)
empty()
get_list()
androguard.core.analysis.analysis.is_ascii_obfuscation(vm)

Tests whether any class inside a DalvikVMObject uses ASCII obfuscation (e.g. UTF-8 characters in class names)

Parameters: vm – a DalvikVMObject
Returns: True if ASCII obfuscation is used, otherwise False
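The Analysis, MethodClassAnalysis and StringAnalysis accessors listed above are the building blocks of the most common review task: starting from a sensitive Android API and walking the cross references back to the app code that calls it. The script below is an added example for this page, not part of androguard or its documentation. It assumes the 3.x-era import paths this page documents (androguard.core.bytecodes.dvm.DalvikVMFormat), that get_xref_from() on a MethodClassAnalysis yields (classobj, methodobj, offset) tuples and on a StringAnalysis yields (classobj, methodobj) pairs, as the AddXrefFrom signatures above indicate, and that find_methods()/find_strings() apply re.match to their regex arguments. The watch-list and the stand-in objects used by sample_report() are constructed for the demonstration.

```python
"""Trace callers of sensitive Android API methods with androguard's Analysis.

Added example for this reference page; it is not part of androguard.  The
import paths assume the 3.x-era layout this page documents."""
import sys


def method_sig(m):
    """Smali-style signature.  Works for EncodedMethod and ExternalMethod alike:
    both expose get_class_name(), get_name() and get_descriptor()."""
    return "%s->%s%s" % (m.get_class_name(), m.get_name(), m.get_descriptor())


def caller_edges(method_analyses):
    """Flatten MethodClassAnalysis.get_xref_from() into sorted
    'caller @offset -> callee' lines.  Each xref is a (classobj, methodobj,
    offset) tuple, the shape AddXrefFrom(classobj, methodobj, offset) stores."""
    edges = set()
    for mca in method_analyses:
        callee = method_sig(mca.get_method())
        for _classobj, caller, offset in mca.get_xref_from():
            edges.add("%s @0x%x -> %s" % (method_sig(caller), offset, callee))
    return sorted(edges)


def string_users(string_analyses):
    """Same for StringAnalysis, whose xrefs are (classobj, methodobj) pairs."""
    users = set()
    for sa in string_analyses:
        for _classobj, user in sa.get_xref_from():
            users.add("%s uses %r" % (method_sig(user), sa.get_value()))
    return sorted(users)


# Constructed watch-list of (class regex, method regex).  find_methods() hands
# these to re.match(), so they are anchored at the start of the name.
WATCHED_APIS = [
    (r"Landroid/telephony/SmsManager;", r"send(Multipart)?TextMessage"),
    (r"Ljava/lang/reflect/Method;", r"invoke"),
    (r"Ldalvik/system/DexClassLoader;", r"<init>"),
]


def load_analysis(dex_path):
    """Build an Analysis over one classes.dex and compute its cross references."""
    from androguard.core.bytecodes.dvm import DalvikVMFormat
    from androguard.core.analysis.analysis import Analysis
    with open(dex_path, "rb") as fh:
        vm = DalvikVMFormat(fh.read())
    dx = Analysis(vm)   # equivalent to Analysis() followed by dx.add(vm)
    dx.create_xref()    # without this call every get_xref_from() is empty
    return dx


def report(dx, watched=WATCHED_APIS):
    """Callers of each watched API plus every method that references a URL literal."""
    lines = []
    for class_re, method_re in watched:
        lines += caller_edges(dx.find_methods(classname=class_re, methodname=method_re))
    lines += string_users(dx.find_strings(r"https?://"))
    return lines


# --- constructed stand-ins mirroring the accessors used above, so the helpers
# can be exercised without a DEX file ---
class _FakeMethod:
    def __init__(self, cls, name, desc):
        self._cls, self._name, self._desc = cls, name, desc
    def get_class_name(self): return self._cls
    def get_name(self): return self._name
    def get_descriptor(self): return self._desc


class _FakeMethodAnalysis:
    def __init__(self, method, xrefs):
        self._method, self._xrefs = method, xrefs
    def get_method(self): return self._method
    def get_xref_from(self): return self._xrefs


class _FakeStringAnalysis:
    def __init__(self, value, xrefs):
        self._value, self._xrefs = value, xrefs
    def get_value(self): return self._value
    def get_xref_from(self): return self._xrefs


def sample_report():
    """report() logic over constructed objects: one SMS sender and one URL user."""
    worker = _FakeMethod("Lcom/example/app/Worker;", "run", "()V")
    sms = _FakeMethod("Landroid/telephony/SmsManager;", "sendTextMessage", "(Ljava/lang/String;)V")
    lines = caller_edges([_FakeMethodAnalysis(sms, {(None, worker, 0x1a)})])
    lines += string_users([_FakeStringAnalysis("https://example.invalid/update", {(None, worker)})])
    return lines


if __name__ == "__main__":
    for line in report(load_analysis(sys.argv[1])):
        print(line)
```

Run as `python trace_callers.py classes.dex`. Two points matter in practice: create_xref() must be called before any get_xref_from() is meaningful, and no_external is deliberately left False in find_methods(), because the watched callees are external API methods that the app references but never defines.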

androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)

Bases: object

The main class, which analyses Android apps automatically by calling methods from a specific object.

Parameters: settings – the settings of the analysis (a dict)

dump()

Dump the analysis

dump_file(filename)

Dump the analysis in a filename

go()

Launch the analysis

class androguard.core.analysis.auto.DefaultAndroAnalysis

Bases: object

This class can be used as a template in order to analyse apps

analysis_adex(log, adexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • adexobj – a VMAnalysis object
Return type:

a boolean

analysis_apk(log, apkobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – an APK object
Return type:

a boolean

analysis_app(log, apkobj, dexobj, adexobj)

This method is called if you wish to analyse the final app

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – an APK object
  • dexobj – a DalvikVMFormat object
  • adexobj – a VMAnalysis object
analysis_arsc(log, arscobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • arscobj – an ARSCParser object
Return type:

a boolean

analysis_axml(log, axmlobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • axmlobj – an AXMLPrinter object
Return type:

a boolean

analysis_dex(log, dexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Return type:

a boolean

analysis_dey(log, deyobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • deyobj – a DalvikOdexVMFormat object
Return type:

a boolean

crash(log, why)

This method is called if a crash happens

Parameters:
  • log – an object which corresponds to a unique app
  • why – the string exception
create_adex(log, dexobj)

This method is called in order to create a VMAnalysis object

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Return type:

an Analysis object

create_apk(log, fileraw)

This method is called in order to create a new APK object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw apk (a string)
Return type:

an APK object

create_arsc(log, fileraw)

This method is called in order to create a new ARSC object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw arsc (a string)
Return type:

an ARSCParser object

create_axml(log, fileraw)

This method is called in order to create a new AXML object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw axml (a string)
Return type:

an AXMLPrinter object

create_dex(log, dexraw)

This method is called in order to create a DalvikVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw classes.dex (a string)
Return type:

a DalvikVMFormat object

create_dey(log, dexraw)

This method is called in order to create a DalvikOdexVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw odex file (a string)
Return type:

a DalvikOdexVMFormat object

dump()

This method is called to dump the result

dump_file(filename)

This method is called to dump the result in a file

Parameters: filename – the filename to dump the result to
fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be filled with items of the following format: (filename, raw)

Parameters: q – the Queue to put new apps into
filter_file(log, fileraw)

This method is called in order to filter a specific app

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw app (a string)
Return type:

a set with 2 elements: the return value (boolean) if it is necessary to continue the analysis, and the file type

finish(log)

This method is called before the end of the analysis

Parameters: log – an object which corresponds to a unique app
class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)

Bases: androguard.core.analysis.auto.DefaultAndroAnalysis

A simple class example to analyse a directory

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be filled with items of the following format: (filename, raw)

Parameters: q – the Queue to put new apps into
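DefaultAndroAnalysis is a template: AndroAuto calls fetcher() to obtain (filename, raw) items, then filter_file(), the create_* hooks and the analysis_* hooks in turn, and analysis_app() receives the finished APK, DalvikVMFormat and Analysis objects. The subclass below is an added example, not androguard's own code (DirectoryAndroAnalysis is the project's own sample). It assumes that AndroAuto reads the settings keys "my", "log" and "max_fetcher", that the log object handed to the hooks is a DefaultAndroLog carrying a .filename attribute, and that the default create_adex() already ran create_xref() on the Analysis it returns; the watched class list and the _FakeAnalysis stand-in are constructed for the demonstration. Unlike the per-method cross-reference walk, this one only asks, per app in a batch, whether watched API classes are referenced at all and whether is_ascii_obfuscation() fires.

```python
"""Batch triage with AndroAuto: a DefaultAndroAnalysis subclass that records,
for every app, which watched API classes the Analysis knows about and whether
is_ascii_obfuscation() fires.  Added example; not androguard's own code.  The
settings keys "my", "log" and "max_fetcher" are assumed to be the ones AndroAuto
reads in the 3.x-era version this page documents."""
import re
import sys

try:
    from androguard.core.analysis.auto import AndroAuto, DefaultAndroAnalysis, DefaultAndroLog
    from androguard.core.analysis.analysis import is_ascii_obfuscation
except ImportError:
    # Fallback so the bookkeeping below can be exercised without androguard
    # installed; running the pipeline itself needs the real package.
    AndroAuto = DefaultAndroLog = is_ascii_obfuscation = None
    DefaultAndroAnalysis = object

# Constructed list of class-name regexes, passed to Analysis.find_classes().
WATCHED_CLASSES = [
    r"Landroid/telephony/SmsManager;",
    r"Ldalvik/system/DexClassLoader;",
    r"Ljava/lang/reflect/Method;",
]


def summarize(filename, adexobj, obfuscated, watched=WATCHED_CLASSES):
    """Which watched patterns match at least one class in the Analysis.
    External classes are left in on purpose: a reference to an API class
    counts even though the app does not define it."""
    present = [pat for pat in watched
               if next(adexobj.find_classes(pat), None) is not None]
    return {"file": filename, "watched_present": present,
            "ascii_obfuscation": bool(obfuscated)}


class TriageAnalysis(DefaultAndroAnalysis):
    """Only the hooks that matter are overridden; the default create_* and
    analysis_* hooks build the APK, DalvikVMFormat and Analysis objects."""

    def __init__(self, paths):
        self.paths = list(paths)
        self.results = []
        self.errors = []

    def fetcher(self, q):
        # Queue items must be (filename, raw) tuples.
        for path in self.paths:
            with open(path, "rb") as fh:
                q.put((path, fh.read()))

    def analysis_app(self, log, apkobj, dexobj, adexobj):
        # log is a DefaultAndroLog (see settings below), so it carries .filename;
        # adexobj is the Analysis that create_adex() built, dexobj the DalvikVMFormat.
        self.results.append(summarize(log.filename, adexobj, is_ascii_obfuscation(dexobj)))

    def crash(self, log, why):
        # Record a broken sample and keep going instead of losing the batch.
        self.errors.append((log.filename, why))

    def dump_lines(self):
        lines = ["%s: ascii_obfuscation=%s watched=%s"
                 % (r["file"], r["ascii_obfuscation"], ",".join(r["watched_present"]) or "-")
                 for r in self.results]
        lines += ["%s: CRASH %s" % (name, why) for name, why in self.errors]
        return lines

    def dump(self):
        for line in self.dump_lines():
            print(line)


class _FakeAnalysis:
    """Constructed stand-in exposing only find_classes(), for offline use."""
    def __init__(self, class_names):
        self.class_names = class_names

    def find_classes(self, name=".*", no_external=False):
        for cn in self.class_names:
            if re.match(name, cn):
                yield cn


def sample_summary():
    """summarize() over a constructed class list: SMS and reflection present."""
    fake = _FakeAnalysis(["Lcom/example/app/MainActivity;",
                          "Landroid/telephony/SmsManager;",
                          "Ljava/lang/reflect/Method;"])
    return summarize("constructed.apk", fake, obfuscated=False)


if __name__ == "__main__":
    triage = TriageAnalysis(sys.argv[1:])
    AndroAuto({"my": triage, "log": DefaultAndroLog, "max_fetcher": 2}).go()
    triage.dump()
```

Run as `python triage.py one.apk two.apk`. The analysis_* hooks run on AndroAuto's worker threads, so the subclass keeps only append-only lists and does all formatting in dump_lines() afterwards; overriding crash() matters because the default otherwise lets one malformed sample abort the batch silently.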

Module contents