androguard.core.analysis package
The analysis module implements an abstraction layer over androguard.core.bytecodes.dvm.DalvikVMFormat objects.
With the help of the androguard.core.analysis.analysis.Analysis object, you can bundle several DEX files together.
This is not only useful for multidex files but also for a single DEX, as Analysis offers many features to investigate DEX files.
One of these features is cross-referencing (XREF). It allows you to build a graph of the methods inside the DEX files.
You can then create call graphs or find the methods which use a specific API method.
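As an added example (not part of androguard's own documentation), the lookup the introduction describes: build an Analysis, run create_xref(), then use find_methods() and MethodClassAnalysis.get_xref_from() to list every app method that calls a given Android API method. build_analysis assumes androguard is installed and that androguard.core.bytecodes.apk.APK.get_dex() returns the raw classes.dex; the _Method, _MethodClassAnalysis and _FakeAnalysis classes and SAMPLE are constructed stand-ins for offline testing, not androguard objects.

```python
import re
def find_api_callers(dx, class_re, method_re):
    """Sorted (caller_class, caller_name, caller_descriptor, offset) tuples for
    every call site of the API methods matching the two regular expressions.
    dx is an Analysis after create_xref(); each get_xref_from() entry is the
    (classobj, methodobj, offset) tuple stored by AddXrefFrom."""
    callers = set()
    for mca in dx.find_methods(classname=class_re, methodname=method_re):
        for _classobj, caller, offset in mca.get_xref_from():
            # caller is an EncodedMethod or ExternalMethod; both expose these
            callers.add((caller.get_class_name(), caller.get_name(),
                         caller.get_descriptor(), offset))
    return sorted(callers)

def build_analysis(apk_path):
    """Real usage (assumes androguard is installed and APK.get_dex() returns
    the raw classes.dex): bundle the DEX into one Analysis and build XREFs."""
    from androguard.core.bytecodes.apk import APK
    from androguard.core.bytecodes.dvm import DalvikVMFormat
    from androguard.core.analysis.analysis import Analysis
    dx = Analysis(DalvikVMFormat(APK(apk_path).get_dex()))
    dx.create_xref()  # for a multidex APK, add() each further DEX before this
    return dx

# Constructed stand-ins mirroring only the slice of the Analysis API used above
# (find_methods filters with re.match, as androguard does); they let the lookup
# run offline without an APK on disk.
class _Method:
    def __init__(self, cls, name, desc):
        self.cls, self.name, self.desc = cls, name, desc
    def get_class_name(self): return self.cls
    def get_name(self): return self.name
    def get_descriptor(self): return self.desc
class _MethodClassAnalysis:
    def __init__(self, api, xref_from):
        self.api, self.xref_from = api, xref_from
    def get_xref_from(self): return self.xref_from
class _FakeAnalysis:
    def __init__(self, mcas): self.mcas = mcas
    def find_methods(self, classname='.*', methodname='.*', **_):
        return (m for m in self.mcas if re.match(classname, m.api.cls)
                and re.match(methodname, m.api.name))
SMS = "Landroid/telephony/SmsManager;"
SAMPLE = _FakeAnalysis([  # constructed: two API methods and their call sites
    _MethodClassAnalysis(_Method(SMS, "sendTextMessage", "(...)V"), [
        (None, _Method("Lcom/example/Sender;", "run", "()V"), 0x1c),
        (None, _Method("Lcom/example/Alt;", "go", "()V"), 0x04)]),
    _MethodClassAnalysis(_Method(SMS, "getDefault", "()" + SMS), [
        (None, _Method("Lcom/example/Sender;", "run", "()V"), 0x0a)])])
```

The same call site is reported once per (method, offset) pair, so a method that invokes the API twice shows up twice with different offsets.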
Submodules

androguard.core.analysis.analysis module

class androguard.core.analysis.analysis.Analysis(vm=None)
    Bases: object

    add(vm)
        Add a DalvikVMFormat to this Analysis.
        Parameters: vm – the DalvikVMFormat to add

    create_xref()

    find_classes(name='.*', no_external=False)
        Find classes by name, using a regular expression. This method returns all ClassAnalysis objects whose class name matches.
        Parameters:
            name – regular expression for the class name (default ".*")
            no_external – remove external classes from the output (default False)
        Return type: generator of ClassAnalysis

    find_fields(classname='.*', fieldname='.*', fieldtype='.*', accessflags='.*')
        Find fields by regular expression.
        Parameters:
            classname – regular expression for the class name
            fieldname – regular expression for the field name
            fieldtype – regular expression for the field type
            accessflags – regular expression for the access flags
        Return type: generator of FieldClassAnalysis

    find_methods(classname='.*', methodname='.*', descriptor='.*', accessflags='.*', no_external=False)
        Find methods by name, using regular expressions. This method returns all MethodClassAnalysis objects whose classname, methodname, descriptor and accessflags match.
        Parameters:
            classname – regular expression for the class name
            methodname – regular expression for the method name
            descriptor – regular expression for the descriptor
            accessflags – regular expression for the access flags
            no_external – remove external methods from the output (default False)
        Return type: generator of MethodClassAnalysis

    find_strings(string='.*')
        Find strings by regular expression.
        Parameters: string – regular expression for the string to search for
        Return type: generator of StringAnalysis

    get_class_analysis(class_name)

    get_classes()
        Returns a list of ClassAnalysis objects.
        Return type: list of ClassAnalysis

    get_external_classes()
        Returns all external classes, that is, all classes that are not defined in the given set of DalvikVMObjects.
        Return type: generator of ClassAnalysis

    get_field_analysis(field)

    get_fields()
        Returns a list of FieldClassAnalysis objects.

    get_method(method)
        Parameters: method –
        Returns: MethodAnalysis object for the given method

    get_method_analysis(method)
        Parameters: method –
        Returns: MethodClassAnalysis for the given method

    get_method_analysis_by_name(class_name, method_name, method_descriptor)

    get_method_by_name(class_name, method_name, method_descriptor)

    get_methods()
        Returns a list of MethodClassAnalysis objects.

    get_strings()
        Returns a list of StringAnalysis objects.
        Return type: list of StringAnalysis

    get_strings_analysis()

    is_class_present(class_name)
class androguard.core.analysis.analysis.BasicBlocks(_vm)
    Bases: object
    This class represents all basic blocks of a method.

    get()
        Return type: yields each basic block (DVMBasicBlock object) in turn

    get_basic_block(idx)

    get_basic_block_pos(idx)

    gets()
        Return type: a list of basic blocks (DVMBasicBlock objects)

    pop(idx)

    push(bb)
class androguard.core.analysis.analysis.ClassAnalysis(classobj, internal=False)
    Bases: object

    AddFXrefRead(method, classobj, field)

    AddFXrefWrite(method, classobj, field)

    AddMXrefFrom(method1, classobj, method2, offset)

    AddMXrefTo(method1, classobj, method2, offset)

    AddXrefFrom(ref_kind, classobj, methodobj, offset)

    AddXrefTo(ref_kind, classobj, methodobj, offset)

    GetFakeMethod(name, descriptor)

    get_field_analysis(field)

    get_fields()
        Return all FieldClassAnalysis objects of this class.

    get_method_analysis(method)

    get_methods()
        Return all MethodClassAnalysis objects of this class.

    get_nb_methods()
        Get the number of methods in this class.

    get_vm_class()

    get_xref_from()

    get_xref_to()
class androguard.core.analysis.analysis.DVMBasicBlock(start, vm, method, context)
    Bases: object
    A simple basic block of a Dalvik method.

    add_note(note)

    clear_notes()

    get_end()

    get_exception_analysis()

    get_instructions()
        Get all instructions from a basic block.
        Return type: all instructions in the current basic block

    get_last()

    get_last_length()

    get_method()

    get_name()

    get_nb_instructions()

    get_next()
        Get the next basic blocks.
        Return type: a list of the next basic blocks

    get_notes()

    get_prev()
        Get the previous basic blocks.
        Return type: a list of the previous basic blocks

    get_special_ins(idx)
        Return the instruction associated with a specific instruction (for example a packed/sparse switch).
        Parameters: idx – the index of the instruction
        Return type: None or an Instruction

    get_start()

    push(i)

    set_childs(values)

    set_exception_analysis(exception_analysis)

    set_fathers(f)

    set_notes(value)

    show()
class androguard.core.analysis.analysis.ExceptionAnalysis(exception, bb)
    Bases: object

    get()

    show_buff()
class androguard.core.analysis.analysis.Exceptions(_vm)
    Bases: object

    add(exceptions, basic_blocks)

    get()

    get_exception(addr_start, addr_end)

    gets()
class androguard.core.analysis.analysis.ExternalClass(name)
    Bases: object

    GetMethod(name, descriptor)

    get_methods()

    get_name()
        Returns the name of the ExternalClass object.
class androguard.core.analysis.analysis.ExternalMethod(class_name, name, descriptor)
    Bases: object

    get_access_flags_string()

    get_class_name()

    get_descriptor()

    get_name()
class androguard.core.analysis.analysis.FieldClassAnalysis(field)
    Bases: object

    AddXrefRead(classobj, methodobj)

    AddXrefWrite(classobj, methodobj)

    get_field()

    get_xref_read()

    get_xref_write()
class androguard.core.analysis.analysis.MethodAnalysis(vm, method)
    Bases: object

    get_basic_blocks()
        Return type: a BasicBlocks object

    get_length()
        Return type: an integer which is the length of the code

    get_method()

    get_vm()

    show()
        Prints the content of this method to stdout.
        This will print the method signature and the decompiled code.
class androguard.core.analysis.analysis.MethodClassAnalysis(method)
    Bases: object

    AddXrefFrom(classobj, methodobj, offset)

    AddXrefTo(classobj, methodobj, offset)

    get_method()
        Return the EncodedMethod object that relates to this object.
        Returns: dvm.EncodedMethod

    get_xref_from()

    get_xref_to()
class androguard.core.analysis.analysis.StringAnalysis(value)
    Bases: object

    AddXrefFrom(classobj, methodobj)

    get_orig_value()

    get_value()

    get_xref_from()

    set_value(value)
class androguard.core.analysis.analysis.Tags(patterns={0: [0, 'Landroid'], 1: [0, 'Landroid/telephony'], 2: [0, 'Landroid/telephony/SmsManager'], 3: [0, 'Landroid/telephony/SmsMessage'], 4: [0, 'Landroid/accessibilityservice'], 5: [0, 'Landroid/accounts'], 6: [0, 'Landroid/animation'], 7: [0, 'Landroid/app'], 8: [0, 'Landroid/bluetooth'], 9: [0, 'Landroid/content'], 10: [0, 'Landroid/database'], 11: [0, 'Landroid/os/Debug'], 12: [0, 'Landroid/drm'], 13: [0, 'Landroid/gesture'], 14: [0, 'Landroid/graphics'], 15: [0, 'Landroid/hardware'], 16: [0, 'Landroid/inputmethodservice'], 17: [0, 'Landroid/location'], 18: [0, 'Landroid/media'], 19: [0, 'Landroid/mtp'], 20: [0, 'Landroid/net'], 21: [0, 'Landroid/nfc'], 22: [0, 'Landroid/opengl'], 23: [0, 'Landroid/os'], 24: [0, 'Landroid/preference'], 25: [0, 'Landroid/provider'], 26: [0, 'Landroid/renderscript'], 27: [0, 'Landroid/sax'], 28: [0, 'Landroid/security'], 29: [0, 'Landroid/service'], 30: [0, 'Landroid/speech'], 31: [0, 'Landroid/support'], 32: [0, 'Landroid/test'], 33: [0, 'Landroid/text'], 34: [0, 'Landroid/util'], 35: [0, 'Landroid/view'], 36: [0, 'Landroid/webkit'], 37: [0, 'Landroid/widget'], 38: [0, 'Ldalvik/bytecode'], 39: [0, 'Ldalvik/system'], 40: [0, 'Ljava/lang/reflect']}, reverse={0: 'ANDROID', 1: 'TELEPHONY', 2: 'SMS', 3: 'SMSMESSAGE', 4: 'ACCESSIBILITYSERVICE', 5: 'ACCOUNTS', 6: 'ANIMATION', 7: 'APP', 8: 'BLUETOOTH', 9: 'CONTENT', 10: 'DATABASE', 11: 'DEBUG', 12: 'DRM', 13: 'GESTURE', 14: 'GRAPHICS', 15: 'HARDWARE', 16: 'INPUTMETHODSERVICE', 17: 'LOCATION', 18: 'MEDIA', 19: 'MTP', 20: 'NET', 21: 'NFC', 22: 'OPENGL', 23: 'OS', 24: 'PREFERENCE', 25: 'PROVIDER', 26: 'RENDERSCRIPT', 27: 'SAX', 28: 'SECURITY', 29: 'SERVICE', 30: 'SPEECH', 31: 'SUPPORT', 32: 'TEST', 33: 'TEXT', 34: 'UTIL', 35: 'VIEW', 36: 'WEBKIT', 37: 'WIDGET', 38: 'DALVIK_BYTECODE', 39: 'DALVIK_SYSTEM', 40: 'JAVA_REFLECTION'})
    Bases: object
    Handle specific tags.
    Parameters:
        patterns –
        reverse –

    emit(method)

    emit_by_classname(classname)

    empty()

    get_list()
androguard.core.analysis.analysis.is_ascii_obfuscation(vm)
    Tests if any class inside a DalvikVMObject uses ASCII obfuscation (e.g. UTF-8 characters in class names).
    Parameters: vm – DalvikVMObject
    Returns: True if ASCII obfuscation is used, otherwise False
androguard.core.analysis.auto module

class androguard.core.analysis.auto.AndroAuto(settings)
    Bases: object
    The main class, which analyses Android apps automatically by calling the methods of a specific object.
    Parameters: settings – the settings of the analysis (dict)

    dump()
        Dump the analysis.

    dump_file(filename)
        Dump the analysis to a file.
        Parameters: filename – the file to write to

    go()
        Launch the analysis.
class androguard.core.analysis.auto.DefaultAndroAnalysis
    Bases: object
    This class can be used as a template in order to analyse apps.

    analysis_adex(log, adexobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            adexobj – a VMAnalysis object
        Return type: a boolean

    analysis_apk(log, apkobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            apkobj – an APK object
        Return type: a boolean

    analysis_app(log, apkobj, dexobj, adexobj)
        This method is called if you wish to analyse the final app.
        Parameters:
            log – an object which corresponds to a unique app
            apkobj – an APK object
            dexobj – a DalvikVMFormat object
            adexobj – a VMAnalysis object

    analysis_arsc(log, arscobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            arscobj – an ARSCParser object
        Return type: a boolean

    analysis_axml(log, axmlobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            axmlobj – an AXMLPrinter object
        Return type: a boolean

    analysis_dex(log, dexobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            dexobj – a DalvikVMFormat object
        Return type: a boolean

    analysis_dey(log, deyobj)
        This method is called in order to know if the analysis must continue.
        Parameters:
            log – an object which corresponds to a unique app
            deyobj – a DalvikOdexVMFormat object
        Return type: a boolean

    crash(log, why)
        This method is called if a crash happens.
        Parameters:
            log – an object which corresponds to a unique app
            why – the exception, as a string

    create_adex(log, dexobj)
        This method is called in order to create a VMAnalysis object.
        Parameters:
            log – an object which corresponds to a unique app
            dexobj – a DalvikVMFormat object
        Return type: an Analysis object

    create_apk(log, fileraw)
        This method is called in order to create a new APK object.
        Parameters:
            log – an object which corresponds to a unique app
            fileraw – the raw apk (a string)
        Return type: an APK object

    create_arsc(log, fileraw)
        This method is called in order to create a new ARSC object.
        Parameters:
            log – an object which corresponds to a unique app
            fileraw – the raw arsc (a string)
        Return type: an APK object

    create_axml(log, fileraw)
        This method is called in order to create a new AXML object.
        Parameters:
            log – an object which corresponds to a unique app
            fileraw – the raw axml (a string)
        Return type: an APK object

    create_dex(log, dexraw)
        This method is called in order to create a DalvikVMFormat object.
        Parameters:
            log – an object which corresponds to a unique app
            dexraw – the raw classes.dex (a string)
        Return type: a DalvikVMFormat object

    create_dey(log, dexraw)
        This method is called in order to create a DalvikOdexVMFormat object.
        Parameters:
            log – an object which corresponds to a unique app
            dexraw – the raw odex file (a string)
        Return type: a DalvikOdexVMFormat object

    dump()
        This method is called to dump the result.

    dump_file(filename)
        This method is called to dump the result to a file.
        Parameters: filename – the filename to dump the result to

    fetcher(q)
        This method is called to fetch a new app in order to analyse it. The queue must be filled with the following format: (filename, raw).
        Parameters: q – the Queue to put new apps in

    filter_file(log, fileraw)
        This method is called in order to filter a specific app.
        Parameters:
            log – an object which corresponds to a unique app
            fileraw – the raw app (a string)
        Return type: a set with 2 elements: the return value (a boolean saying whether the analysis must continue) and the file type

    finish(log)
        This method is called before the end of the analysis.
        Parameters: log – an object which corresponds to a unique app
class androguard.core.analysis.auto.DirectoryAndroAnalysis(directory)
    Bases: androguard.core.analysis.auto.DefaultAndroAnalysis
    A simple example class to analyse a directory.

    fetcher(q)
        This method is called to fetch a new app in order to analyse it. The queue must be filled with the following format: (filename, raw).
        Parameters: q – the Queue to put new apps in