androguard package

Submodules

androguard.misc module

androguard.misc.AnalyzeAPK(_file, session=None, raw=False)

Analyze an Android application and set up everything needed for quicker analysis. If session is None, no session is used at all; this is the default behaviour. If you want to continue your work later, it is a good idea to use a session. A default session can be created with get_default_session().

Parameters:
  • _file (string (for filename) or bytes (for raw)) – the filename of the android application or a buffer which represents the application
  • session – A session (default: None)
  • raw – boolean if raw bytes are supplied instead of a filename
Return type:

return the APK, list of DalvikVMFormat, and Analysis objects

androguard.misc.AnalyzeDex(filename, session=None)

Analyze an Android dex file and set up everything needed for quicker analysis.

Parameters:
  • filename (string) – the filename of the android dex file or a buffer which represents the dex file
  • session – A session (Default None)
Return type:

return a tuple of (sha256hash, DalvikVMFormat, Analysis)

androguard.misc.AnalyzeODex(filename, session=None)

Analyze an Android odex file and set up everything needed for quicker analysis.

Parameters:
  • filename (string) – the filename of the android dex file or a buffer which represents the dex file
  • session – The Androguard Session to add the ODex to (default: None)
Return type:

return a tuple of (sha256hash, DalvikOdexVMFormat, Analysis)

androguard.misc.RunDecompiler(d, dx, decompiler_name)

Run the decompiler on a specific analysis

Parameters:
  • d (DalvikVMFormat object) – the DalvikVMFormat object
  • dx (VMAnalysis object) – the analysis of the format
  • decompiler_name (string) – the type of decompiler to use (“dad”, “dex2jad”, “ded”)
androguard.misc.clean_file_name(filename, unique=True, replace='_', force_nt=False)

Return a version of the filename that contains no forbidden characters. On Windows these are, for example, <, /, ?, …

The intention of this function is to allow distribution of files to different OSes.

Parameters:
  • filename – string to clean
  • unique – check if the filename is already taken and append an integer to be unique (default: True)
  • replace – replacement character. (default: ‘_’)
  • force_nt – Force shortening of paths like on NT systems (default: False)
Returns:

clean string

androguard.misc.get_default_session()

Return the default Session from the configuration or create a new one, if the session in the configuration is None.

androguard.misc.init_print_colors()
androguard.misc.sign_apk(filename, keystore, storepass)

Use jarsigner to sign an APK file.

Parameters:
  • filename – APK file on disk to sign (path)
  • keystore – path to keystore
  • storepass – your keystore passphrase

androguard.session module

androguard.session.Load(filename)

Load your session!

example:

s = session.Load("mysession.ag")
Parameters: filename (string) – the filename where the session has been saved
Return type: the elements of your session :)
androguard.session.Save(session, filename=None)

Save your session to use it later.

Returns the filename of the written file. If no filename is given, a file named androguard_session_<DATE>.ag will be created in the current working directory. <DATE> is a timestamp with the following format: %Y-%m-%d_%H%M%S.

This function will overwrite existing files without asking.

If the file could not be written, None is returned.

example:

s = session.Session()
session.Save(s, "msession.ag")
Parameters:
  • session – A Session object to save
  • filename (string) – output filename to save the session
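
Session files are pickles, so Load() will run whatever a modified .ag file contains; one way to make sure a file is the one you saved is to record an HMAC after Save() and check it before Load(). This is an added example, not androguard code: seal_session_file(), session_file_is_intact(), the .hmac sidecar file and the demo key are assumptions, and a pickled dict stands in for a real Session so the block runs without androguard.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

TAG_SUFFIX = ".hmac"  # hypothetical sidecar file holding the hex tag


def _tag(path, key):
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fd:
        for chunk in iter(lambda: fd.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest().encode("ascii")


def seal_session_file(path, key):
    """Call right after session.Save(s, path): record the file's tag."""
    with open(path + TAG_SUFFIX, "wb") as fd:
        fd.write(_tag(path, key))


def session_file_is_intact(path, key):
    """Call before session.Load(path): True only if the tag still matches."""
    try:
        with open(path + TAG_SUFFIX, "rb") as fd:
            expected = fd.read().strip()
    except OSError:
        return False  # no tag on disk: treat the session file as untrusted
    return hmac.compare_digest(expected, _tag(path, key))


def demo():
    """Constructed round trip; a pickled dict stands in for a saved Session."""
    key = b"constructed-demo-key"  # assumption: real key is stored elsewhere
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mysession.ag")
        with open(path, "wb") as fd:
            pickle.dump({"apks": ["some.apk"]}, fd)
        seal_session_file(path, key)
        untouched = session_file_is_intact(path, key)
        wrong_key = session_file_is_intact(path, b"some-other-key")
        with open(path, "ab") as fd:
            fd.write(b"\x00")  # simulate a change made after sealing
        modified = session_file_is_intact(path, key)
    return untouched, wrong_key, modified
```

Only call Load() when session_file_is_intact() returns True, and keep the key outside the directory where the .ag files live.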
class androguard.session.Session(export_ipython=False)

Bases: object

A Session is able to store multiple APK, DEX or ODEX files and can be pickled to disk in order to resume work later.

The main function used in Sessions is probably add(), which adds files to the session and performs analysis on them.

Afterwards, the files can be gathered using methods such as get_objects_apk(), get_objects_dex() or get_classes().

example:

s = Session()
digest = s.add("some.apk")

print("SHA256 of the file: {}".format(digest))

a, d, dx = s.get_objects_apk("some.apk", digest)
print(a.get_package())

# Reset the Session for a fresh set of files
s.reset()

digest2 = s.add("classes.dex")
print("SHA256 of the file: {}".format(digest2))
for h, d, dx in s.get_objects_dex():
    print("SHA256 of the DEX file: {}".format(h))
add(filename, raw_data=None, dx=None)

Generic method to add a file to the session.

This is the main method to use when adding files to a Session!

If an APK file is supplied, all DEX files are analyzed too. For DEX and ODEX files, only this file is analyzed (what else should be analyzed).

Returns the SHA256 of the analyzed file.

Parameters:
  • filename – filename to load
  • raw_data – bytes of the file, or None to load the file from filename
  • dx – An already existing Analysis object
Returns:

the sha256 of the file or None on failure

addAPK(filename, data)

Add an APK file to the Session and run analysis on it.

Parameters:
  • filename – (file)name of APK file
  • data – binary data of the APK file
Returns:

a tuple of SHA256 Checksum and APK Object

addDEX(filename, data, dx=None)

Add a DEX file to the Session and run analysis.

Parameters:
  • filename – the (file)name of the DEX file
  • data – binary data of the dex file
  • dx – an existing Analysis Object (optional)
Returns:

A tuple of SHA256 Hash, DalvikVMFormat Object and Analysis object

addDEY(filename, data, dx=None)

Add an ODEX file to the session and run the analysis

get_all_apks()

Yields a list of tuples of SHA256 hash of the APK and APK objects of all analyzed APKs in the Session.

get_analysis(current_class)

Returns the Analysis object which contains the current_class.

Parameters: current_class (androguard.core.bytecodes.dvm.ClassDefItem) – The class to search for
Return type: androguard.core.analysis.analysis.Analysis
get_classes()

Returns all Java Classes from the DEX objects as an array of DEX files.

get_digest_by_class(current_class)

Return the SHA256 hash of the object containing the ClassDefItem

Returns the first digest in which this class was present. For example, if you analyzed an APK, this should return the digest of the APK and not of the DEX file.

get_filename_by_class(current_class)

Returns the filename of the DEX file that contains the class.

Returns the first filename in which this class was present. For example, if you analyzed an APK, this should return the filename of the APK and not of the DEX file.

Parameters: current_class – ClassDefItem
Returns: None if class was not found or the filename
get_format(current_class)

Returns the DalvikVMFormat of a given ClassDefItem.

Parameters: current_class – A ClassDefItem
get_nb_strings()

Return the total number of strings in all Analysis objects

get_objects_apk(filename=None, digest=None)

Returns APK, DalvikVMFormat and Analysis of a specified APK.

You must specify either filename or digest. It is possible to use both, but in this case only digest is used.

example:

s = Session()
digest = s.add("some.apk")
a, d, dx = s.get_objects_apk(digest=digest)

example:

s = Session()
filename = "some.apk"
digest = s.add(filename)
a, d, dx = s.get_objects_apk(filename=filename)
Parameters:
  • filename – the filename of the APK file, only used if digest is None
  • digest – the sha256 hash, as returned by add() for the APK
Returns:

a tuple of (APK, [DalvikVMFormat], Analysis)

get_objects_dex()

Yields all dex objects including their Analysis objects

Returns: tuple of (sha256, DalvikVMFormat, Analysis)
get_strings()

Yields all StringAnalysis for all unique Analysis objects

isOpen()

Test if any file was analyzed in this session

Returns: True if any file was analyzed, False otherwise
reset()

Reset the current session, delete all added files.

save(filename=None)

Save the current session, see also Save().

show()

Print information to stdout about the current session. Gets all APKs, all DEX files and all Analysis objects.

androguard.util module

androguard.util.get_certificate_name_string(name, short=False, delimiter=', ')

Format the Name type of an X509 Certificate in human-readable form.

Parameters:
  • name (dict or asn1crypto.x509.Name) – Name object to return the DN from
  • short (boolean) – Use short form (default: False)
  • delimiter (str) – Delimiter string or character between two parts (default: ‘, ‘)
Return type:

str

androguard.util.read(filename, binary=True)

Open and read a file

Parameters:
  • filename – filename to open and read
  • binary – True if the file should be read as binary
Returns:

bytes if binary is True, str otherwise

Module contents