Aller au contenu

Feuille de chaleur AndroGuard

Aperçu général

AndroGuard est un outil Python conçu pour l'ingénierie inverse et l'analyse de malware des applications Android. Il fournit des capacités puissantes pour analyser les fichiers APK, le bytecode DEX et les ressources Android.

Installation

Préalables

# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip

# Install required dependencies
sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev

Installer AndroGuard

# Install from PyPI
pip3 install androguard

# Install with optional dependencies
pip3 install androguard[GUI,magic]

# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .
```_

## Utilisation de base

### Analyser l'APK Fichiers
```bash
# Basic APK analysis
androguard analyze app.apk

# Interactive analysis
androguard shell app.apk

# Generate analysis report
androguard analyze app.apk --output report.txt
```_

### Outils de ligne de commande
```bash
# APK information
apkinfo app.apk

# DEX analysis
dexdump classes.dex

# Resource analysis
axml AndroidManifest.xml

API Python Utilisation

Analyse de base

from androguard.misc import AnalyzeAPK

# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")

# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())

Analyse avancée

from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis

# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)

# Analyze classes and methods
for cls in dx.get_classes():
    print(f"Class: \\\\{cls.name\\\\}")
    for method in cls.get_methods():
        print(f"  Method: \\\\{method.name\\\\}")

Analyse APK

Informations de base

# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())

Analyse des autorisations

# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
    print(f"Permission: \\\\{perm\\\\}")

# Check for dangerous permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA"
]

for perm in permissions:
    if perm in dangerous_perms:
        print(f"Dangerous permission found: \\\\{perm\\\\}")

Analyse du certificat

# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
    print(f"Certificate: \\\\{cert\\\\}")
    print(f"Subject: \\\\{cert.subject\\\\}")
    print(f"Issuer: \\\\{cert.issuer\\\\}")
    print(f"Serial: \\\\{cert.serial_number\\\\}")

Analyse de code

Analyse de la méthode

# Find specific methods
for cls in dx.get_classes():
    for method in cls.get_methods():
        if "crypto" in method.name.lower():
            print(f"Crypto method: \\\\{cls.name\\\\}->\\\\{method.name\\\\}")

Analyse des chaînes

# Extract strings
strings = dx.get_strings()
for string in strings:
    if "http" in string.get_value():
        print(f"URL found: \\\\{string.get_value()\\\\}")

Analyse croisée

# Find method calls
for method in dx.get_methods():
    if method.is_external():
        continue

    for ref in method.get_xref_from():
        print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")

Analyse de la sécurité

Analyse cryptographique

# Find crypto usage
crypto_methods = [
    "javax.crypto.Cipher",
    "java.security.MessageDigest",
    "javax.crypto.spec.SecretKeySpec"
]

for method in dx.get_methods():
    for crypto in crypto_methods:
        if crypto in str(method.get_method()):
            print(f"Crypto usage: \\\\{method.name\\\\}")

Analyse des réseaux

# Find network operations
network_classes = [
    "java.net.URL",
    "java.net.HttpURLConnection",
    "okhttp3.OkHttpClient"
]

for cls in dx.get_classes():
    for net_class in network_classes:
        if net_class in str(cls):
            print(f"Network class: \\\\{cls.name\\\\}")

Analyse de réflexion

# Find reflection usage
reflection_methods = [
    "java.lang.Class.forName",
    "java.lang.reflect.Method.invoke"
]

for method in dx.get_methods():
    for ref_method in reflection_methods:
        if ref_method in str(method.get_method()):
            print(f"Reflection usage: \\\\{method.name\\\\}")

Détection des logiciels malveillants

Modèles suspects

# Check for suspicious patterns
suspicious_strings = [
    "getDeviceId",
    "getSubscriberId",
    "sendTextMessage",
    "android.intent.action.BOOT_COMPLETED"
]

strings = dx.get_strings()
for string in strings:
    for suspicious in suspicious_strings:
        if suspicious in string.get_value():
            print(f"Suspicious string: \\\\{string.get_value()\\\\}")

Détection dynamique de chargement

# Find dynamic loading
dynamic_methods = [
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader"
]

for method in dx.get_methods():
    for dyn_method in dynamic_methods:
        if dyn_method in str(method.get_method()):
            print(f"Dynamic loading: \\\\{method.name\\\\}")

Analyse des ressources

Analyse du manifeste

# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())

# Get activities
activities = a.get_activities()
for activity in activities:
    print(f"Activity: \\\\{activity\\\\}")

# Get services
services = a.get_services()
for service in services:
    print(f"Service: \\\\{service\\\\}")

Extraction des ressources

# Extract resources
for file_name in a.get_files():
    if file_name.endswith('.xml'):
        content = a.get_file(file_name)
        print(f"XML file: \\\\{file_name\\\\}")

Caractéristiques avancées

Analyse du débit de contrôle

# Analyze control flow
for method in dx.get_methods():
    if method.is_external():
        continue

    # Get basic blocks
    for bb in method.get_basic_blocks():
        print(f"Basic block: \\\\{bb\\\\}")

Analyse du flux de données

# Trace data flow
for method in dx.get_methods():
    # Get method instructions
    instructions = method.get_instructions()
    for instruction in instructions:
        if instruction.get_name() == "const-string":
            print(f"String constant: \\\\{instruction\\\\}")

Génération de graphiques d'appel

# Generate call graph
import networkx as nx

G = nx.DiGraph()
for method in dx.get_methods():
    for ref in method.get_xref_from():
        G.add_edge(f"\\\\{ref.class_name\\\\}.\\\\{ref.method_name\\\\}",
                  f"\\\\{method.class_name\\\\}.\\\\{method.name\\\\}")

# Export call graph
nx.write_gml(G, "call_graph.gml")

Scripts d'automatisation

Analyse par lots

#!/usr/bin/env python3
import os
import sys
from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory):
    for filename in os.listdir(directory):
        if filename.endswith('.apk'):
            print(f"Analyzing \\\\{filename\\\\}")
            try:
                a, d, dx = AnalyzeAPK(os.path.join(directory, filename))
                print(f"Package: \\\\{a.get_package()\\\\}")
                print(f"Permissions: \\\\{len(a.get_permissions())\\\\}")
                print("-" * 50)
            except Exception as e:
                print(f"Error analyzing \\\\{filename\\\\}: \\\\{e\\\\}")

if __name__ == "__main__":
    analyze_apk_batch(sys.argv[1])

Scanner de sécurité

#!/usr/bin/env python3
from androguard.misc import AnalyzeAPK

def security_scan(apk_path):
    a, d, dx = AnalyzeAPK(apk_path)

    # Check permissions
    dangerous_perms = [
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.ACCESS_FINE_LOCATION"
    ]

    found_perms = []
    for perm in a.get_permissions():
        if perm in dangerous_perms:
            found_perms.append(perm)

    # Check for crypto usage
    crypto_usage = False
    for method in dx.get_methods():
        if "crypto" in str(method.get_method()).lower():
            crypto_usage = True
            break

    print(f"Dangerous permissions: \\\\{found_perms\\\\}")
    print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")

if __name__ == "__main__":
    security_scan("app.apk")

GUI Utilisation

GUI AndroGuard

# Launch GUI
androguard gui

# Open APK in GUI
androguard gui app.apk

Caractéristiques

  • Analyse du code visuel
  • Exploration interactive
  • Visualisation graphique
  • Capacités d'exportation

Meilleures pratiques

Analyse des flux de travail

1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation

Conseils de performance

# Use lazy loading for large APKs
from androguard.core.bytecodes.apk import APK
a = APK("large_app.apk", raw=False)

# Process in chunks for batch analysis
import multiprocessing
pool = multiprocessing.Pool()
results = pool.map(analyze_apk, apk_list)

Ressources

  • Documentation officielle: [AndroGuard GitHub] (LINK_3)
  • Référence de l'API: [Documentation de l'AndroGuard] (LINK_3)
  • Android Security : [WOWASP Mobile Security] (LINK_3)