Skip to content

Home

Jump to bottom
erev0s edited this page Feb 13, 2024 · 19 revisions

Welcome to the Androguard wiki!

Installation

You can install Androguard in three different ways:

Getting one of the released versions from PyPI

pip install Androguard

or if you want an older version

pip install androguard==3.3.5

Getting a version with all the latest commits

git clone https://github.com/androguard/androguard.git
cd androguard
pip install .

or the same thing using pip and the GitHub URL of the project:

pip install git+https://github.com/androguard/androguard

Androguard is now available to be used as a CLI and as a library.

Sessions

All events are saved in the file 'androguard.db' which is basically a sqlite db (easily readable with https://sqlitebrowser.org/). There are 3 tables:

  • information (related to all APK/DEX/... analyzed during a session)
  • session (unique key to identify a particular session done)
  • pentest (events from frida saved)

Please note that the sessions are work in progress!

CLI

The CLI serves as the primary and easiest way for interacting with Androguard. Upon installing androguard with any of the methods shown above, the tool should be available in your path as androguard

Usage: androguard [OPTIONS] COMMAND [ARGS]...

  Androguard is a full Python tool to reverse Android Applications.

Options:
  --version           Show the version and exit.
  --verbose, --debug  Print more
  --help              Show this message and exit.

Commands:
  analyze      Open a IPython Shell and start reverse engineering.
  apkid        Return the packageName/versionCode/versionName per APK as...
  arsc         Decode resources.arsc either directly from a given file or...
  axml         Parse the AndroidManifest.xml.
  cg           Create a call graph based on the data of Analysis and...
  decompile    Decompile an APK and create Control Flow Graphs.
  disassemble  Disassemble Dalvik Code with size SIZE starting from an...
  dtrace       Start dynamically an installed APK on the phone and start...
  dump         Start and dump dynamically an installed APK on the phone
  sign         Return the fingerprint(s) of all certificates inside an APK.
  trace        Push an APK on the phone and start to trace all...

The following sections have some basic examples of the available options:

analyze

The 'analyze' command opens an IPython session and provides an interactive way to explore the capabilities of androguard:

# androguard analyze minimal.apk
>>> filename
minimal.apk
>>> a
<androguard.core.apk.APK object at 0x7f9ac182f730>
>>> d
[<androguard.core.dex.DEX object at 0x7f9ac18a4cd0>]
>>> dx
<analysis.Analysis VMs: 1, Classes: 3, Methods: 7, Strings: 1>

Androguard version 4.0.2 started

apkid

Return the packageName/versionCode/versionName per APK:

# androguard apkid minimal.apk 
{
  "erev0s_minimal.apk": [
    "com.erev0s.minimal",
    "1",
    "1.0"
  ]
}

arsc

Decode resources either directly from a given file or from an APK:

# androguard arsc minimal.apk
<resources>
<public type="drawable" name="$ic_launcher_foreground__0" id="0x7f010000"/>
<public type="drawable" name="ic_launcher_background" id="0x7f010001"/>
[...]

axml

Parse the AndroidManifest.xml:

androguard axml minimal.apk
<manifest xmlns:android=......

Call Graph

The resurrected callgraph option that allows to create a call graph based on the data available from Analysis:

# androguard cg minimal.apk
> creates a callgraph.gml

NOTE: For visualizing callgraphs generated with 'androguard cg', install additional dependencies

apt-get install libxcb-randr0-dev libxcb-xtest0-dev libxcb-xinerama0-dev libxcb-shape0-dev libxcb-xkb-dev

decompile

Decompile an APK and create Control Flow Graphs. Note that you might need to install graphviz in your system for the output.

# androguard decompile minimal.apk -o test_decompile -f png
Dump information minimal.apk in test_decompile
Create directory test_decompile
Decompilation ... End
Dump Lcom/erev0s/minimal/MainActivity; <init> ()V ... png ... source codes ... bytecodes ... 
Dump Lcom/erev0s/minimal/MainActivity; onCreate (Landroid/os/Bundle;)V ... png ... bytecodes ...

disassemble

Disassemble Dalvik Code with size SIZE starting from an offset

trace

Push an APK on the phone and start to trace all interesting methods from the modules list

androguard trace test.APK -m "ipc/*"  -m "webviews/*" -m "modules/**"

dtrace

Start dynamically an installed APK on the phone and start to trace all interesting methods from the modules list

androguard dtrace package_name -m "ipc/*"  -m "webviews/*" -m "modules/**"

Library (TBD)

APK

DEX

ODEX

AXML

ARSC

Pentest

This module is able to talk to a frida-server and get packets (JSON) from it:

  • timestamp of the event
  • stacktrace of the event :
  1. function called (the Android API basically)
  2. callee function (from where the API is called in the APK)
  • payload field which can handle a variable number of arguments, but where some are used like:
  1. ret value if there is something interesting from the function

All JS scripts loaded by frida is in the modules directory, but any other could be added easily. To send a packet from Frida -> Androguard, you need to use the function agPacket with a dict as argument (timestamp, stacktrace will be added automatically):

    agPacket({url: url}).send();
Clone this wiki locally