Home
Welcome to the Androguard wiki!
Androguard is intended to be launched directly, without any particular installation step; you only need the packages it depends on:
git clone https://github.com/androguard/androguard.git
pip install -r requirements.txt
You can now start playing with an APK directly:
python3 cli.py apkid download-eded3bc3451011237ec5cfba1f723c41e6d46cfed5124ffd4659c8895b88e62f.apk
2022-07-20 15:51:31.132 | INFO | androguard.core.axml:__init__:371 - AXMLParser
{
"download-eded3bc3451011237ec5cfba1f723c41e6d46cfed5124ffd4659c8895b88e62f.apk": [
"it.toscana.regione.smartsst",
"36010",
"3.0.6"
]
}
All events are saved in the file 'androguard.db', which is a plain SQLite database (easily readable with https://sqlitebrowser.org/). There are 3 tables:
- information (related to all APK/DEX/... analyzed during a session)
- session (unique key to identify a particular session done)
- pentest (events received from Frida and saved)
cli.py is the main and quickest entry point to play with Androguard. The tool is divided into different components (commands):
python cli.py OPTIONS COMMAND OPTIONS
The 'analyze' command drops you directly into an IPython session and provides the analyzed objects.
python cli.py analyze test.apk
The 'strace' command analyzes the provided APK, installs it on the default connected phone, runs it and starts tracing all syscalls.
python3 cli.py strace test.apk
The 'trace' command analyzes the provided APK, installs it on the default connected phone, runs it and starts tracing all events specified in the modules list.
python3 cli.py trace test.apk -m "androguard/pentest/modules/**"
The pentest module behind the 'trace' command talks to a frida-server and receives packets (JSON) from it. Each packet carries:
- timestamp of the event
- stacktrace of the event:
  - function called (the Android API, basically)
  - callee function (the place in the APK from which the API is called)
- payload field, which can hold a variable number of arguments; some have a fixed meaning, like:
  - ret: the return value, if the function returns something interesting
All JS scripts loaded by Frida are in the modules directory, but any other could be added easily. To send a packet from Frida to Androguard, use the function agPacket with a dict as argument (timestamp and stacktrace are added automatically):
agPacket({url: url}).send();
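An added example of such a module, written for this page (it is not one of Androguard's own scripts): it hooks java.net.URL.openConnection() and javax.crypto.Cipher.getInstance(String) and reports each call through agPacket, illustrating both the variable payload and the ret field described above. agPacket is assumed to be injected by Androguard as the text says; the hooked APIs, the payload field names (host, cleartext, transformation, weak) and the 'weak' heuristic are this example's own choices. The Java.perform call is guarded so the pure helpers can also be loaded outside Frida.

```javascript
// Added example, not one of Androguard's own modules. Assumes the agPacket()
// helper that Androguard injects alongside the modules; the hooked APIs and
// the payload field names are choices made for this example.

// Pure helper: describe a URL string by hand, since Frida's default (QuickJS)
// runtime does not provide a URL class.
function describeUrl(url) {
  var m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?/.exec(url);
  if (m === null) {
    return { url: url, scheme: null, host: null, port: null, cleartext: false };
  }
  var scheme = m[1].toLowerCase();
  return {
    url: url,
    scheme: scheme,
    host: m[2],
    port: m[3] ? parseInt(m[3], 10) : null,
    // plain http/ftp means the traffic goes out unencrypted
    cleartext: scheme === 'http' || scheme === 'ftp'
  };
}

// Pure helper: flag a JCE transformation a pentester would want to look at
// (ECB mode, or a legacy cipher). A bare algorithm name such as "AES" gets the
// provider default mode, which is ECB on the common providers.
function isWeakTransformation(transformation) {
  var parts = transformation.toUpperCase().split('/');
  var algorithm = parts[0];
  var mode = parts.length > 1 ? parts[1] : 'ECB';
  var legacy = { DES: true, DESEDE: true, RC2: true, RC4: true };
  return mode === 'ECB' || legacy[algorithm] === true;
}

// The hooks only make sense inside Frida; the guard lets the helpers above be
// loaded and exercised outside of it.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var URL = Java.use('java.net.URL');
    // No-argument overload of openConnection(); the (Proxy) overload is left alone.
    URL.openConnection.overload().implementation = function () {
      var info = describeUrl(this.toString());
      // agPacket is provided by Androguard; timestamp and stacktrace are filled in for us.
      agPacket({ url: info.url, host: info.host, cleartext: info.cleartext }).send();
      return this.openConnection();
    };

    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function (transformation) {
      var ret = this.getInstance(transformation);
      // Variable payload: the argument, a derived flag, and the 'ret' field
      // holding what the call returned (here, the resolved algorithm name).
      agPacket({
        transformation: transformation,
        weak: isWeakTransformation(transformation),
        ret: ret.getAlgorithm()
      }).send();
      return ret;
    };
  });
}
```

Drop the file into the modules directory and select it with -m, as in the trace command above; each openConnection() or getInstance() call then shows up as a row in the pentest table with the fields above plus the automatically added timestamp and stacktrace.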