Home
Welcome to the Androguard wiki!
You can install Androguard in three different ways. From PyPI:

```
pip install Androguard
```

or, if you want an older version:

```
pip install androguard==3.3.5
```

From a clone of the repository:

```
git clone https://github.com/androguard/androguard.git
cd androguard
pip install .
```

or the same thing using pip and the GitHub URL of the project:

```
pip install git+https://github.com/androguard/androguard
```
All events are saved in the file 'androguard.db', which is a SQLite database (easily readable with https://sqlitebrowser.org/). There are 3 tables:
- information (related to all APK/DEX/... analyzed during a session)
- session (unique key to identify a particular session)
- pentest (events received from frida)
Please note that the sessions are work in progress!
The CLI is the primary and easiest way to interact with Androguard.
After installing androguard with any of the methods shown above, the tool should be available in your path as `androguard`:
```
Usage: androguard [OPTIONS] COMMAND [ARGS]...

  Androguard is a full Python tool to reverse Android Applications.

Options:
  --version           Show the version and exit.
  --verbose, --debug  Print more
  --help              Show this message and exit.

Commands:
  analyze      Open a IPython Shell and start reverse engineering.
  apkid        Return the packageName/versionCode/versionName per APK as...
  arsc         Decode resources.arsc either directly from a given file or...
  axml         Parse the AndroidManifest.xml.
  cg           Create a call graph based on the data of Analysis and...
  decompile    Decompile an APK and create Control Flow Graphs.
  disassemble  Disassemble Dalvik Code with size SIZE starting from an...
  dtrace       Start dynamically an installed APK on the phone and start...
  dump         Start and dump dynamically an installed APK on the phone
  sign         Return the fingerprint(s) of all certificates inside an APK.
  trace        Push an APK on the phone and start to trace all...
```
The following sections have some basic examples of the available options:
The 'analyze' command opens an IPython session and provides an interactive way to explore the capabilities of androguard. The variables `a` (the APK), `d` (the list of DEX files) and `dx` (the Analysis object) are pre-loaded:

```
# androguard analyze minimal.apk
>>> filename
minimal.apk
>>> a
<androguard.core.apk.APK object at 0x7f9ac182f730>
>>> d
[<androguard.core.dex.DEX object at 0x7f9ac18a4cd0>]
>>> dx
<analysis.Analysis VMs: 1, Classes: 3, Methods: 7, Strings: 1>
Androguard version 4.0.2 started
```
Return the packageName/versionCode/versionName per APK:

```
# androguard apkid minimal.apk
{
    "erev0s_minimal.apk": [
        "com.erev0s.minimal",
        "1",
        "1.0"
    ]
}
```
Decode resources either directly from a given file or from an APK:

```
# androguard arsc minimal.apk
<resources>
<public type="drawable" name="$ic_launcher_foreground__0" id="0x7f010000"/>
<public type="drawable" name="ic_launcher_background" id="0x7f010001"/>
[...]
```
Parse the AndroidManifest.xml:

```
# androguard axml minimal.apk
<manifest xmlns:android=......
```
The resurrected callgraph option creates a call graph based on the data available from Analysis and writes it to a file named callgraph.gml:

```
# androguard cg minimal.apk
```

NOTE: For visualizing callgraphs generated with 'androguard cg', install additional dependencies:

```
apt-get install libxcb-randr0-dev libxcb-xtest0-dev libxcb-xinerama0-dev libxcb-shape0-dev libxcb-xkb-dev
```
Decompile an APK and create Control Flow Graphs. Note that you might need to install graphviz on your system for the output:

```
# androguard decompile minimal.apk -o test_decompile -f png
Dump information minimal.apk in test_decompile
Create directory test_decompile
Decompilation ... End
Dump Lcom/erev0s/minimal/MainActivity; <init> ()V ... png ... source codes ... bytecodes ...
Dump Lcom/erev0s/minimal/MainActivity; onCreate (Landroid/os/Bundle;)V ... png ... bytecodes ...
```
Disassemble Dalvik Code with size SIZE starting from an offset.

Push an APK on the phone and start to trace all interesting methods from the modules list:

```
androguard trace test.APK -m "ipc/*" -m "webviews/*" -m "modules/**"
```

Start dynamically an installed APK on the phone and start to trace all interesting methods from the modules list:

```
androguard dtrace package_name -m "ipc/*" -m "webviews/*" -m "modules/**"
```
This module is able to talk to a frida-server and get packets (JSON) from it. Each packet carries:
- timestamp of the event
- stacktrace of the event: function called (the Android API basically), and callee function (from where the API is called in the APK)
- payload field, which can handle a variable number of arguments, but where some are used like: ret value if there is something interesting from the function
All JS scripts loaded by frida are in the modules directory, but any other could be added easily. To send a packet from Frida -> Androguard, you need to use the function agPacket with a dict as argument (timestamp and stacktrace will be added automatically):

```
agPacket({url: url}).send();
```
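As an added example (not part of the wiki or the Androguard code base), here is a small Python consumer for packets in the shape described above: it validates the three top-level fields, counts hooked Android API calls, records which APK methods called each API, and collects payloads that carry a `ret` value. The sample packets are constructed, and the key names inside `stacktrace` (`function`, `callee`) are an assumption about the JSON layout.

```python
import json
from collections import Counter, defaultdict

# Constructed sample packets (not real frida output); the "stacktrace" key names
# are assumed for this example. The last line is deliberately malformed.
SAMPLE_PACKETS = [
    '{"timestamp": 1700000000.1, "stacktrace": {"function": "android.webkit.WebView.loadUrl",'
    ' "callee": "Lcom/erev0s/minimal/MainActivity;->onCreate(Landroid/os/Bundle;)V"},'
    ' "payload": {"url": "https://example.com/"}}',
    '{"timestamp": 1700000000.2, "stacktrace": {"function": "android.content.Context.getSystemService",'
    ' "callee": "Lcom/erev0s/minimal/MainActivity;->onCreate(Landroid/os/Bundle;)V"},'
    ' "payload": {"name": "clipboard", "ret": "android.content.ClipboardManager@1a2b"}}',
    '{"timestamp": 1700000000.3, "stacktrace": {"function": "android.webkit.WebView.loadUrl",'
    ' "callee": "Lcom/erev0s/minimal/Helper;->open(Ljava/lang/String;)V"},'
    ' "payload": {"url": "file:///android_asset/page.html"}}',
    '{"timestamp": 1700000000.4, "stacktrace": {}}',
]


def parse_packet(line):
    """Parse one JSON packet; raise ValueError if a required top-level field is missing."""
    pkt = json.loads(line)  # json.JSONDecodeError is a subclass of ValueError
    for key in ("timestamp", "stacktrace", "payload"):
        if key not in pkt:
            raise ValueError("packet missing field %r" % key)
    stack = pkt["stacktrace"]
    return {
        "timestamp": float(pkt["timestamp"]),
        "function": stack.get("function"),  # hooked Android API
        "callee": stack.get("callee"),      # APK method that called it
        "payload": pkt["payload"],
        "ret": pkt["payload"].get("ret"),   # only present when the hook captured a return value
    }


def summarize(lines):
    """Return (calls per API, sorted callers per API, (api, ret) pairs, count of bad lines)."""
    calls, callers, with_ret, bad = Counter(), defaultdict(set), [], 0
    for line in lines:
        try:
            pkt = parse_packet(line)
        except ValueError:
            bad += 1  # skip malformed packets instead of aborting the whole session
            continue
        calls[pkt["function"]] += 1
        callers[pkt["function"]].add(pkt["callee"])
        if pkt["ret"] is not None:
            with_ret.append((pkt["function"], pkt["ret"]))
    return calls, {api: sorted(c) for api, c in callers.items()}, with_ret, bad


if __name__ == "__main__":
    for api, n in summarize(SAMPLE_PACKETS)[0].most_common():
        print(n, api)
```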