Aller au contenu
1337skills 1337skills - Aide-mémoires

Guide de Référence AndroGuard

Vue d’Ensemble

AndroGuard est un outil Python conçu pour l’ingénierie inverse et l’analyse de logiciels malveillants d’applications Android. Il offre des capacités puissantes pour analyser les fichiers APK, le bytecode DEX et les ressources Android.

Installation

Prérequis

Would you like me to continue with the remaining sections, or do you want to provide the specific text for each section first?```bash

Install Python 3.6+

sudo apt update sudo apt install python3 python3-pip

Install required dependencies

sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev


### Install AndroGuard
```bash
# Install from PyPI
pip3 install androguard

# Install with optional dependencies
pip3 install androguard[GUI,magic]

# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .

Basic Usage

Analyze APK Files

# Basic APK analysis
androguard analyze app.apk

# Interactive analysis
androguard shell app.apk

# Generate analysis report
androguard analyze app.apk --output report.txt

Command Line Tools

# APK information
apkinfo app.apk

# DEX analysis
dexdump classes.dex

# Resource analysis
axml AndroidManifest.xml

Python API Usage

Basic Analysis

from androguard.misc import AnalyzeAPK

# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")

# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())

Advanced Analysis

from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis

# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)

# Analyze classes and methods
for cls in dx.get_classes():
    print(f"Class: \\\\{cls.name\\\\}")
    for method in cls.get_methods():
        print(f"  Method: \\\\{method.name\\\\}")

APK Analysis

Basic Information

# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())

Permissions Analysis

# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
    print(f"Permission: \\\\{perm\\\\}")

# Check for dangerous permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA"
]

for perm in permissions:
    if perm in dangerous_perms:
        print(f"Dangerous permission found: \\\\{perm\\\\}")

Certificate Analysis

# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
    print(f"Certificate: \\\\{cert\\\\}")
    print(f"Subject: \\\\{cert.subject\\\\}")
    print(f"Issuer: \\\\{cert.issuer\\\\}")
    print(f"Serial: \\\\{cert.serial_number\\\\}")

Code Analysis

Method Analysis

# Find specific methods
for cls in dx.get_classes():
    for method in cls.get_methods():
        if "crypto" in method.name.lower():
            print(f"Crypto method: \\\\{cls.name\\\\}->\\\\{method.name\\\\}")

String Analysis

# Extract strings
strings = dx.get_strings()
for string in strings:
    if "http" in string.get_value():
        print(f"URL found: \\\\{string.get_value()\\\\}")

Cross-Reference Analysis

# Find method calls
for method in dx.get_methods():
    if method.is_external():
        continue

    for ref in method.get_xref_from():
        print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")

Security Analysis

Cryptographic Analysis

# Find crypto usage
crypto_methods = [
    "javax.crypto.Cipher",
    "java.security.MessageDigest",
    "javax.crypto.spec.SecretKeySpec"
]

for method in dx.get_methods():
    for crypto in crypto_methods:
        if crypto in str(method.get_method()):
            print(f"Crypto usage: \\\\{method.name\\\\}")

Network Analysis

# Find network operations
network_classes = [
    "java.net.URL",
    "java.net.HttpURLConnection",
    "okhttp3.OkHttpClient"
]

for cls in dx.get_classes():
    for net_class in network_classes:
        if net_class in str(cls):
            print(f"Network class: \\\\{cls.name\\\\}")

Reflection Analysis

# Find reflection usage
reflection_methods = [
    "java.lang.Class.forName",
    "java.lang.reflect.Method.invoke"
]

for method in dx.get_methods():
    for ref_method in reflection_methods:
        if ref_method in str(method.get_method()):
            print(f"Reflection usage: \\\\{method.name\\\\}")

Malware Detection

Suspicious Patterns

# Check for suspicious patterns
suspicious_strings = [
    "getDeviceId",
    "getSubscriberId",
    "sendTextMessage",
    "android.intent.action.BOOT_COMPLETED"
]

strings = dx.get_strings()
for string in strings:
    for suspicious in suspicious_strings:
        if suspicious in string.get_value():
            print(f"Suspicious string: \\\\{string.get_value()\\\\}")

Dynamic Loading Detection

# Find dynamic loading
dynamic_methods = [
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader"
]

for method in dx.get_methods():
    for dyn_method in dynamic_methods:
        if dyn_method in str(method.get_method()):
            print(f"Dynamic loading: \\\\{method.name\\\\}")

Resource Analysis

Manifest Analysis

# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())

# Get activities
activities = a.get_activities()
for activity in activities:
    print(f"Activity: \\\\{activity\\\\}")

# Get services
services = a.get_services()
for service in services:
    print(f"Service: \\\\{service\\\\}")

Resource Extraction

# Extract resources
for file_name in a.get_files():
    if file_name.endswith('.xml'):
        content = a.get_file(file_name)
        print(f"XML file: \\\\{file_name\\\\}")

Advanced Features

Control Flow Analysis

# Analyze control flow
for method in dx.get_methods():
    if method.is_external():
        continue

    # Get basic blocks
    for bb in method.get_basic_blocks():
        print(f"Basic block: \\\\{bb\\\\}")
```### Analyse du Flux de Données
```python
# Trace data flow
for method in dx.get_methods():
    # Get method instructions
    instructions = method.get_instructions()
    for instruction in instructions:
        if instruction.get_name() == "const-string":
            print(f"String constant: \\\\{instruction\\\\}")
```### Génération de Graphe d'Appels
```python
# Generate call graph
import networkx as nx

G = nx.DiGraph()
for method in dx.get_methods():
    for ref in method.get_xref_from():
        G.add_edge(f"\\\\{ref.class_name\\\\}.\\\\{ref.method_name\\\\}",
                  f"\\\\{method.class_name\\\\}.\\\\{method.name\\\\}")

# Export call graph
nx.write_gml(G, "call_graph.gml")
```## Scripts d'Automatisation
```python
#!/usr/bin/env python3
import os
import sys
from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory):
    for filename in os.listdir(directory):
        if filename.endswith('.apk'):
            print(f"Analyzing \\\\{filename\\\\}")
            try:
                a, d, dx = AnalyzeAPK(os.path.join(directory, filename))
                print(f"Package: \\\\{a.get_package()\\\\}")
                print(f"Permissions: \\\\{len(a.get_permissions())\\\\}")
                print("-" * 50)
            except Exception as e:
                print(f"Error analyzing \\\\{filename\\\\}: \\\\{e\\\\}")

if __name__ == "__main__":
    analyze_apk_batch(sys.argv[1])
```### Analyse par Lots
```python
#!/usr/bin/env python3
from androguard.misc import AnalyzeAPK

def security_scan(apk_path):
    a, d, dx = AnalyzeAPK(apk_path)

    # Check permissions
    dangerous_perms = [
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.ACCESS_FINE_LOCATION"
    ]

    found_perms = []
    for perm in a.get_permissions():
        if perm in dangerous_perms:
            found_perms.append(perm)

    # Check for crypto usage
    crypto_usage = False
    for method in dx.get_methods():
        if "crypto" in str(method.get_method()).lower():
            crypto_usage = True
            break

    print(f"Dangerous permissions: \\\\{found_perms\\\\}")
    print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")

if __name__ == "__main__":
    security_scan("app.apk")
```### Scanner de Sécurité
```bash
# Launch GUI
androguard gui

# Open APK in GUI
androguard gui app.apk
```### AndroGuard GUI
```bash
1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation
```### Fonctionnalités
- Analyse visuelle du code
- Exploration interactive
- Visualisation de graphes
- Capacités d'exportation
```python
# Use lazy loading for large APKs
from androguard.core.bytecodes.apk import APK
a = APK("large_app.apk", raw=False)

# Process in chunks for batch analysis
import multiprocessing
pool = multiprocessing.Pool()
results = pool.map(analyze_apk, apk_list)
```## Meilleures Pratiques
https://github.com/androguard/androguard##

# Workflow d'Analyse
https://androguard.readthedocs.io/##

# Conseils de Performance
https://owasp.org/www-project-mobile-security-testing-guide/#

# Ressources

- **Documentation Officielle**: [AndroGuard GitHub](