androguard.core.analysis package

The analysis module implements an abstraction layer for androguard.core.bytecodes.dvm.DalvikVMFormat objects. With the help of the androguard.core.analysis.analysis.Analysis object, you can bundle several DEX files together. This is not only useful for multidex APKs, but also for a single DEX, as Analysis offers many features to investigate DEX files. One of these features is cross-referencing (XREF). It builds a graph of the methods inside the DEX files, so that you can create callgraphs or find every method that uses a specific API method. Note that the cross-references are only populated after create_xref() has been called on the Analysis object.
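The workflow described above, as an added example that is not part of the androguard project: every DEX in an APK is bundled into one Analysis, cross-references are built, and the callers of one Android API method are listed. The APK path is an assumption; the helper escapes and anchors the class and method names because find_methods() treats its arguments as regular expressions, and keeps no_external=False because framework methods are external to the DEX and would otherwise be dropped.

```python
"""List every method in an APK (all of its DEX files) that calls a given
Android API method, using Analysis cross-references.

Added example, not androguard project code. "sample.apk" is an assumed
path; the pure helper callers_of() works on any object exposing the
documented find_methods()/get_xref_from() shape.
"""
import re


def load_analysis(apk_path):
    """Build one Analysis over every classes*.dex in the APK and compute
    cross-references. androguard must be installed for this function."""
    from androguard.core.bytecodes.apk import APK
    from androguard.core.bytecodes.dvm import DalvikVMFormat
    from androguard.core.analysis.analysis import Analysis

    apk = APK(apk_path)
    dx = Analysis()
    for raw in apk.get_all_dex():   # multidex: bundle every DEX into one Analysis
        dx.add(DalvikVMFormat(raw))
    dx.create_xref()                # XREFs stay empty until this is called
    return dx


def callers_of(dx, classname, methodname, descriptor=".*"):
    """Return sorted 'Lcls;->name(desc)' strings for every method that
    calls classname->methodname.

    classname and methodname are exact DEX-style names. They are escaped and
    anchored because find_methods() interprets them as regular expressions:
    an unescaped '.' or '$' in "Lcom/a/b$c;" silently widens the match.
    no_external stays False on purpose: framework APIs are *external*
    classes, and excluding them would remove the very target we look for.
    """
    targets = dx.find_methods(
        classname="^" + re.escape(classname) + "$",
        methodname="^" + re.escape(methodname) + "$",
        descriptor=descriptor,
        no_external=False,
    )
    found = set()
    for target in targets:
        # Each xref_from entry is (ClassAnalysis, method, offset), the tuple
        # recorded by MethodClassAnalysis.AddXrefFrom(classobj, methodobj, offset)
        for _cls, caller, _offset in target.get_xref_from():
            found.add("%s->%s%s" % (caller.get_class_name(),
                                    caller.get_name(),
                                    caller.get_descriptor()))
    return sorted(found)


if __name__ == "__main__":
    dx = load_analysis("sample.apk")   # assumed path
    for sig in callers_of(dx, "Landroid/telephony/SmsManager;", "sendTextMessage"):
        print(sig)
```

The same helper answers "who calls Runtime.exec / DexClassLoader / Cipher.getInstance" by changing the two names; for a callgraph walk, feed each returned caller back into find_methods() with no_external=True.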

Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm=None)

Bases: object

add(vm)

Add a DalvikVMFormat to this Analysis

Parameters:vm – the DalvikVMFormat object to add
create_xref()
find_classes(name='.*', no_external=False)

Find classes by name, using a regular expression. This method returns all ClassAnalysis objects whose class name matches the expression.

Parameters:
  • name – regular expression for class name (default “.*”)
  • no_external – Remove external classes from the output (default False)
Return type:

generator of ClassAnalysis

find_fields(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')

Find fields by regular expression.

Parameters:
  • classname – regular expression of the classname
  • fieldname – regular expression of the fieldname
  • fieldtype – regular expression of the fieldtype
  • accessflags – regular expression of the access flags
Return type:

generator of FieldClassAnalysis

find_methods(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)

Find methods by regular expression. This method returns all MethodClassAnalysis objects whose classname, methodname, descriptor and accessflags match the given expressions.

Parameters:
  • classname – regular expression for the classname
  • methodname – regular expression for the method name
  • descriptor – regular expression for the descriptor
  • accessflags – regular expression for the accessflags
  • no_external – Remove external method from the output (default False)
Return type:

generator of MethodClassAnalysis

find_strings(string='.*')

Find strings by regular expression.

Parameters:string – regular expression for the string to search for
Return type:generator of StringAnalysis
get_class_analysis(class_name)
get_classes()

Returns a list of ClassAnalysis objects

Return type:list of ClassAnalysis
get_external_classes()

Returns all external classes, that is, all classes that are referenced but not defined in the given set of DalvikVMFormat objects (for example Android framework classes).

Return type:generator of ClassAnalysis
get_field_analysis(field)
get_fields()

Returns a list of FieldClassAnalysis objects

get_method(method)
Parameters:method
Returns:MethodAnalysis object for the given method
get_method_analysis(method)
Parameters:method
Returns:MethodClassAnalysis for the given method
get_method_analysis_by_name(class_name, method_name, method_descriptor)
get_method_by_name(class_name, method_name, method_descriptor)
get_methods()

Returns a list of MethodClassAnalysis objects

get_strings()

Returns a list of StringAnalysis objects

Return type:list of StringAnalysis
get_strings_analysis()
is_class_present(class_name)
class androguard.core.analysis.analysis.BasicBlocks(_vm)

Bases: object

This class represents all basic blocks of a method

get()
Return type:generator yielding each basic block (DVMBasicBlock object)
get_basic_block(idx)
get_basic_block_pos(idx)
gets()
Return type:a list of basic blocks (DVMBasicBlock objects)
pop(idx)
push(bb)
class androguard.core.analysis.analysis.ClassAnalysis(classobj, internal=False)

Bases: object

AddFXrefRead(method, classobj, field)
AddFXrefWrite(method, classobj, field)
AddMXrefFrom(method1, classobj, method2, offset)
AddMXrefTo(method1, classobj, method2, offset)
AddXrefFrom(ref_kind, classobj, methodobj, offset)
AddXrefTo(ref_kind, classobj, methodobj, offset)
GetFakeMethod(name, descriptor)
get_field_analysis(field)
get_fields()

Return all FieldClassAnalysis objects of this class

get_method_analysis(method)
get_methods()

Return all MethodClassAnalysis objects of this class

get_nb_methods()

Get the number of methods in this class

get_vm_class()
get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)

Bases: object

A simple basic block of a dalvik method

add_note(note)
clear_notes()
get_end()
get_exception_analysis()
get_instructions()

Get all instructions from a basic block.

Return type:the Instruction objects of the current basic block
get_last()
get_last_length()
get_method()
get_name()
get_nb_instructions()
get_next()

Get next basic blocks

Return type:a list of the next basic blocks
get_notes()
get_prev()

Get previous basic blocks

Return type:a list of the previous basic blocks
get_special_ins(idx)

Return the associated instruction to a specific instruction (for example a packed/sparse switch)

Parameters:idx – the index of the instruction
Return type:None or an Instruction
get_start()
push(i)
set_childs(values)
set_exception_analysis(exception_analysis)
set_fathers(f)
set_notes(value)
show()
class androguard.core.analysis.analysis.Enum(names)

Bases: object

tuples()
class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)

Bases: object

get()
show_buff()
class androguard.core.analysis.analysis.Exceptions(_vm)

Bases: object

add(exceptions, basic_blocks)
get()
get_exception(addr_start, addr_end)
gets()
class androguard.core.analysis.analysis.ExternalClass(name)

Bases: object

GetMethod(name, descriptor)
get_methods()
get_name()

Returns the name of the ExternalClass object

class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)

Bases: object

get_access_flags_string()
get_class_name()
get_descriptor()
get_name()
class androguard.core.analysis.analysis.FieldClassAnalysis(field)

Bases: object

AddXrefRead(classobj, methodobj)
AddXrefWrite(classobj, methodobj)
get_field()
get_xref_read()
get_xref_write()
class androguard.core.analysis.analysis.MethodAnalysis(vm, method)

Bases: object

get_basic_blocks()
Return type:a BasicBlocks object
get_length()
Return type:an integer which is the length of the code
get_method()
get_vm()
show()

Prints the content of this method to stdout.

This will print the method signature and the decompiled code.

class androguard.core.analysis.analysis.MethodClassAnalysis(method)

Bases: object

AddXrefFrom(classobj, methodobj, offset)
AddXrefTo(classobj, methodobj, offset)
get_method()

Return the EncodedMethod object that relates to this object.

Returns:dvm.EncodedMethod

get_xref_from()
get_xref_to()
class androguard.core.analysis.analysis.StringAnalysis(value)

Bases: object

AddXrefFrom(classobj, methodobj)
get_orig_value()
get_value()
get_xref_from()
set_value(value)
class androguard.core.analysis.analysis.Tags(patterns={0: [0, 'Landroid'], 1: [0, 'Landroid/telephony'], 2: [0, 'Landroid/telephony/SmsManager'], 3: [0, 'Landroid/telephony/SmsMessage'], 4: [0, 'Landroid/accessibilityservice'], 5: [0, 'Landroid/accounts'], 6: [0, 'Landroid/animation'], 7: [0, 'Landroid/app'], 8: [0, 'Landroid/bluetooth'], 9: [0, 'Landroid/content'], 10: [0, 'Landroid/database'], 11: [0, 'Landroid/os/Debug'], 12: [0, 'Landroid/drm'], 13: [0, 'Landroid/gesture'], 14: [0, 'Landroid/graphics'], 15: [0, 'Landroid/hardware'], 16: [0, 'Landroid/inputmethodservice'], 17: [0, 'Landroid/location'], 18: [0, 'Landroid/media'], 19: [0, 'Landroid/mtp'], 20: [0, 'Landroid/net'], 21: [0, 'Landroid/nfc'], 22: [0, 'Landroid/opengl'], 23: [0, 'Landroid/os'], 24: [0, 'Landroid/preference'], 25: [0, 'Landroid/provider'], 26: [0, 'Landroid/renderscript'], 27: [0, 'Landroid/sax'], 28: [0, 'Landroid/security'], 29: [0, 'Landroid/service'], 30: [0, 'Landroid/speech'], 31: [0, 'Landroid/support'], 32: [0, 'Landroid/test'], 33: [0, 'Landroid/text'], 34: [0, 'Landroid/util'], 35: [0, 'Landroid/view'], 36: [0, 'Landroid/webkit'], 37: [0, 'Landroid/widget'], 38: [0, 'Ldalvik/bytecode'], 39: [0, 'Ldalvik/system'], 40: [0, 'Ljava/lang/reflect']}, reverse={0: 'ANDROID', 1: 'TELEPHONY', 2: 'SMS', 3: 'SMSMESSAGE', 4: 'ACCESSIBILITYSERVICE', 5: 'ACCOUNTS', 6: 'ANIMATION', 7: 'APP', 8: 'BLUETOOTH', 9: 'CONTENT', 10: 'DATABASE', 11: 'DEBUG', 12: 'DRM', 13: 'GESTURE', 14: 'GRAPHICS', 15: 'HARDWARE', 16: 'INPUTMETHODSERVICE', 17: 'LOCATION', 18: 'MEDIA', 19: 'MTP', 20: 'NET', 21: 'NFC', 22: 'OPENGL', 23: 'OS', 24: 'PREFERENCE', 25: 'PROVIDER', 26: 'RENDERSCRIPT', 27: 'SAX', 28: 'SECURITY', 29: 'SERVICE', 30: 'SPEECH', 31: 'SUPPORT', 32: 'TEST', 33: 'TEXT', 34: 'UTIL', 35: 'VIEW', 36: 'WEBKIT', 37: 'WIDGET', 38: 'DALVIK_BYTECODE', 39: 'DALVIK_SYSTEM', 40: 'JAVA_REFLECTION'})

Bases: object

Handle specific tags

Parameters:
  • patterns – mapping of tag id to [flag, class-name prefix] (see the defaults above)
  • reverse – mapping of tag id to tag name
emit(method)
emit_by_classname(classname)
empty()
get_list()
androguard.core.analysis.analysis.is_ascii_obfuscation(vm)

Tests if any class inside a DalvikVMObject uses ASCII obfuscation (e.g. non-ASCII/UTF-8 characters in class names).

Parameters:vm – a DalvikVMObject
Returns:True if ASCII obfuscation is used, otherwise False

androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)

Bases: object

The main class which automatically analyses Android apps by calling the methods of a specific object.

Parameters:settings – the settings of the analysis (a dict)

dump()

Dump the analysis

dump_file(filename)

Dump the analysis in a filename

go()

Launch the analysis

class androguard.core.analysis.auto.DefaultAndroAnalysis

Bases: object

This class can be used as a template in order to analyse apps

analysis_adex(log, adexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • adexobj – a VMAnalysis object
Return type:

a boolean

analysis_apk(log, apkobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – a APK object
Return type:

a boolean

analysis_app(log, apkobj, dexobj, adexobj)

This method is called if you wish to analyse the final app

Parameters:
  • log – an object which corresponds to a unique app
  • apkobj – a APK object
  • dexobj – a DalvikVMFormat object
  • adexobj – a VMAnalysis object
analysis_arsc(log, arscobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • arscobj – a ARSCParser object
Return type:

a boolean

analysis_axml(log, axmlobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • axmlobj – a AXMLPrinter object
Return type:

a boolean

analysis_dex(log, dexobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Return type:

a boolean

analysis_dey(log, deyobj)

This method is called in order to know if the analysis must continue

Parameters:
  • log – an object which corresponds to a unique app
  • deyobj – a DalvikOdexVMFormat object
Return type:

a boolean

crash(log, why)

This method is called if a crash happens

Parameters:
  • log – an object which corresponds to a unique app
  • why – the string exception
create_adex(log, dexobj)

This method is called in order to create a VMAnalysis object

Parameters:
  • log – an object which corresponds to a unique app
  • dexobj – a DalvikVMFormat object
Return type:

an Analysis object

create_apk(log, fileraw)

This method is called in order to create a new APK object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw apk (a string)
Return type:

an APK object

create_arsc(log, fileraw)

This method is called in order to create a new ARSCParser object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw arsc (a string)
Return type:

an ARSCParser object

create_axml(log, fileraw)

This method is called in order to create a new AXMLPrinter object

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw axml (a string)
Return type:

an AXMLPrinter object

create_dex(log, dexraw)

This method is called in order to create a DalvikVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw classes.dex (a string)
Return type:

a DalvikVMFormat object

create_dey(log, dexraw)

This method is called in order to create a DalvikOdexVMFormat object

Parameters:
  • log – an object which corresponds to a unique app
  • dexraw – the raw odex file (a string)
Return type:

a DalvikOdexVMFormat object

dump()

This method is called to dump the result

dump_file(filename)

This method is called to dump the result in a file

Parameters:filename – the filename to dump the result
fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be filled with items of the following format: (filename, raw)

Parameters:q – the Queue into which new apps are put
filter_file(log, fileraw)

This method is called in order to filter a specific app

Parameters:
  • log – an object which corresponds to a unique app
  • fileraw – the raw app (a string)
Return type:

a tuple of 2 elements: a boolean stating whether the analysis should continue, and the file type

finish(log)

This method is called before the end of the analysis

Parameters:log – an object which corresponds to a unique app
class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)

Bases: androguard.core.analysis.auto.DefaultAndroAnalysis

A simple class example to analyse a directory

fetcher(q)

This method is called to fetch a new app in order to analyse it. The queue must be filled with items of the following format: (filename, raw)

Parameters:q – the Queue into which new apps are put
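How the DefaultAndroAnalysis template and DirectoryAndroAnalysis are put to work, as an added example that is not code from the androguard project: a batch triage over a directory of APKs that stops early (analysis_apk returning False) for apps that do not request SEND_SMS, and for the rest records whether the DEX uses ASCII obfuscation (is_ascii_obfuscation) and which java.lang.reflect classes it references (via get_external_classes()). Assumptions: the settings keys "my" and "max_fetcher" passed to AndroAuto, the "./apks" directory, and the permission used as the filter; the androguard import is guarded so that the pure helpers run without it.

```python
"""Batch triage with AndroAuto: analyse every APK in a directory, keep only
those requesting SEND_SMS, record obfuscation and reflection use per app.

Added example, not androguard project code. Assumed: settings keys "my" and
"max_fetcher", the "./apks" directory, the SEND_SMS filter.
"""
try:
    from androguard.core.analysis.auto import AndroAuto, DirectoryAndroAnalysis
    from androguard.core.analysis.analysis import is_ascii_obfuscation
except ImportError:                 # androguard absent: helpers stay importable
    AndroAuto = None
    DirectoryAndroAnalysis = object
    is_ascii_obfuscation = None


def reflection_classes(adexobj):
    """Sorted names of external classes under Ljava/lang/reflect/ referenced
    by the app. get_external_classes() yields ClassAnalysis objects whose
    get_vm_class() is an ExternalClass, which exposes get_name()."""
    names = set()
    for cls in adexobj.get_external_classes():
        name = cls.get_vm_class().get_name()
        if name.startswith("Ljava/lang/reflect/"):
            names.add(name)
    return sorted(names)


def wants_permission(apkobj, permission):
    """True if the manifest declares the given permission."""
    return permission in apkobj.get_permissions()


class SmsTriage(DirectoryAndroAnalysis):
    """Hook implementation of the DefaultAndroAnalysis template."""

    def __init__(self, directory):
        super().__init__(directory)
        self.results = {}

    def analysis_apk(self, log, apkobj):
        # Returning False stops the pipeline for this app before DEX parsing,
        # which is where most of the time goes in a large corpus.
        return wants_permission(apkobj, "android.permission.SEND_SMS")

    def analysis_app(self, log, apkobj, dexobj, adexobj):
        self.results[apkobj.get_package()] = {
            "ascii_obfuscation": is_ascii_obfuscation(dexobj),
            "reflection": reflection_classes(adexobj),
        }

    def crash(self, log, why):
        # Malformed inputs are normal in a malware corpus: record, don't abort.
        self.results.setdefault("_crashes", []).append(str(why))

    def dump(self):
        for pkg, info in sorted(self.results.items()):
            print(pkg, info)


if __name__ == "__main__":
    triage = SmsTriage("./apks")                            # assumed directory
    auto = AndroAuto({"my": triage, "max_fetcher": 3})      # assumed setting keys
    auto.go()
    auto.dump()   # delegates to SmsTriage.dump()
```

Each analysis_* hook that returns a boolean is a gate: returning False from analysis_apk, analysis_dex or analysis_adex skips the remaining stages for that app, so put the cheapest test (manifest permissions here) in the earliest hook.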

Module contents