碳基体

A security girl working on the front line of product security

DroidBox, an Android app dynamic analysis tool, and APIMonitor

I. Introduction to DroidBox

DroidBox is a dynamic analysis tool for Android apps. It can obtain the following information:

1. Hash of the APK package

2. Network traffic data

3. File read and write operations

4. Information leaks via network traffic, file I/O and SMS

5. Permission vulnerabilities

6. Cryptographic operations performed through the Android API

7. Broadcast receiver component information

8. SMS and phone call information

9. Classes loaded through DexClassLoader

and presents the results visually.


II. Installation and running

Prerequisites

To get visualised analysis results, pylab and matplotlib must be installed.

Installation

1. Set up the Android SDK environment variables

export ANDROID_SDK_HOME=/home/dani/android/android-sdk-linux

export PATH=$ANDROID_SDK_HOME/tools:$ANDROID_SDK_HOME/platform-tools:$PATH

2. Download DroidBox

wget https://droidbox.googlecode.com/files/DroidBox.tar.gz

3. Install the dependency packages

apt-get install git python-dev python-numpy python-scipy python-matplotlib ipython ipython-notebook python-pandas python-sympy python-nose

4. Create an AVD (Android 2.1/2.3)

The one I created uses API Level

android create avd -n <avd name> -t <android id>

5. Start the AVD you created

./startemu.sh <avd name>

or

emulator -avd <avd name> -system images/system.img -ramdisk images/ramdisk.img -kernel images/zImage -prop dalvik.vm.execution-mode=int:portable &


6. Once the emulator has booted, start the analysis

./droidbox.sh <file.apk> <duration in secs, optional>


III. APIMonitor

1. Overview

Because Android is updated very quickly, the DroidBox approach of hooking the system to analyse APK behaviour dynamically ages badly. APIMonitor instead injects monitoring code into the APK itself (logging each monitored API call) and then repackages the APK, so it is more broadly applicable.


2. Installation

easy_install pip

pip install python-magic

wget https://droidbox.googlecode.com/files/APIMonitor-beta3.tar.gz

3. Running

cd APIMonitor-beta/

./apimonitor.py xx.apk <path to the APK file>

The steps above produce a new APK. Run that app on an Android device and its API calls are written to the log for inspection. The default list of monitored APIs is kept in the file config/default_api_collection, shown below:

# DEFAULT API LIST
# Intent
Landroid/content/Intent;-><init> #signature of methods with the same name
Landroid/content/ContextWrapper;->sendBroadcast #signature of one methods
Landroid/content/ContextWrapper;->sendOrderedBroadcast
Landroid/content/ContextWrapper;->sendStickyBroadcast
Landroid/content/ContextWrapper;->sendStickyOrderedBroadcast
Landroid/content/ContextWrapper;->startActivity
Landroid/content/ContextWrapper;->startActivities
# Uri
Landroid/net/Uri;->parse(Ljava/lang/String;)
# File IO
Landroid/content/ContextWrapper;->openFileInput
Landroid/content/ContextWrapper;->openFileOutput
Ljava/io/FileReader;-><init>
Ljava/io/FileWriter;-><init>
# Network IO
Ljava/net/URL;-><init>
Ljava/net/URL;->openConnection
Ljava/net/URL;->openStream
# IO
Ljava/io/Reader;->read
Ljava/io/Writer;->write
Ljava/io/BufferedReader;->read
Ljava/io/BufferedReader;->readLine
Ljava/io/BufferedWriter;->write
Ljava/io/BufferedWriter;->newLine
Ljava/io/InputStreamReader;->read
Ljava/io/OutputStreamWriter;->write
Ljava/io/CharArrayReader;->read
Ljava/io/CharArrayWriter;->write
Ljava/io/CharArrayWriter;->writeTo
Ljava/io/FilterReader;->read
Ljava/io/FilterWriter;->write
Ljava/io/StringReader;->read
Ljava/io/StringWriter;->write
Ljava/io/PrintWriter;->append
Ljava/io/PrintWriter;->format
Ljava/io/PrintWriter;->print
Ljava/io/PrintWriter;->printf
Ljava/io/PrintWriter;->println
Ljava/io/PrintWriter;->write
# Database
Landroid/content/ContextWrapper;->openOrCreateDatabase
Landroid/database/sqlite/SQLiteDatabase;->openDatabase
Landroid/database/sqlite/SQLiteDatabase;->openOrCreateDatabase
Landroid/database/sqlite/SQLiteDatabase;->query
Landroid/database/sqlite/SQLiteDatabase;->rawQuery
Landroid/database/sqlite/SQLiteDatabase;->queryWithFactory
Landroid/database/sqlite/SQLiteDatabase;->rawQueryWithFactory
# All methods of ContentResolver
Landroid/content/ContentResolver;//signature of all methods of the same class
#Landroid.content.ContentResolver;->query
#Landroid.content.ContentResolver;->insert
#Landroid.content.ContentResolver;->openInputStream
#Landroid.content.ContentResolver;->openOutputStream
#Landroid.content.ContentProviderClient;->query
#Landroid.content.ContentProviderClient;->insert
#Landroid.content.ContentProviderClient;->bulkInsert
#Landroid.content.ContentProviderClient;->delete
#Landroid.content.ContentProviderClient;->openAssetFile
# SMS
Landroid/telephony/SmsManager;->sendTextMessage
Landroid/telephony/SmsManager;->sendDataMessage
Landroid/telephony/SmsManager;->sendMultipartTextMessage
# App List
Landroid/content/pm/PackageManager;->getInstalledApplications
# TelephonyManager
Landroid/telephony/TelephonyManager;->getDeviceId
Landroid/telephony/TelephonyManager;->getSubscriberId
Landroid/telephony/TelephonyManager;->getCallState
Landroid/telephony/TelephonyManager;->getCellLocation
# Digest
Ljava/security/MessageDigest;->getInstance
Ljava/security/MessageDigest;->update
Ljava/security/MessageDigest;->digest
# Cipher
Ljavax/crypto/Cipher;->getInstance
Ljavax/crypto/spec/SecretKeySpec;-><init>
Ljavax/crypto/Cipher;->init
Ljavax/crypto/Cipher;->doFinal

Edit this file to specify the APIs you want to monitor.
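To make the rule format concrete, here is an added Python example (not APIMonitor's own code) that parses a constructed excerpt of the list above and decides whether a given smali invoke target is covered by it. The rule semantics it assumes follow the file's inline comments: a bare class entry covers every method of that class, a method without a parameter list covers every overload, and a leading '#' disables a rule.

```python
import re

# Constructed excerpt of config/default_api_collection in the format shown above
SAMPLE_API_LIST = """\
# DEFAULT API LIST
# Intent
Landroid/content/Intent;-><init> #signature of methods with the same name
# Uri
Landroid/net/Uri;->parse(Ljava/lang/String;)
# All methods of ContentResolver
Landroid/content/ContentResolver;//signature of all methods of the same class
#Landroid.content.ContentResolver;->query
# Cipher
Ljavax/crypto/Cipher;->doFinal
"""

def parse_api_list(text):
    """Rules as (class, method, params); method None = whole class, params None = all overloads."""
    rules = []
    for raw in text.splitlines():
        # '#' and '//' introduce comments; a leading '#' therefore disables a rule
        line = raw.split("#", 1)[0].split("//", 1)[0].strip()
        if not line:
            continue
        cls, arrow, rest = line.partition("->")
        if not arrow:
            rules.append((cls, None, None))  # class-wide rule such as 'Lcls;'
            continue
        m = re.fullmatch(r"([^(]+)(?:\((.*)\))?", rest)
        if m is None:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((cls, m.group(1), m.group(2)))
    return rules

def parse_invocation(sig):
    """Split a smali invoke target 'Lcls;->name(params)ret' into (class, name, params)."""
    cls, _, rest = sig.partition("->")
    name, _, tail = rest.partition("(")
    return cls, name, tail.split(")", 1)[0]

def matching_rule(rules, sig):
    """Return the first rule covering the invocation, or None if it is unmonitored."""
    cls, name, params = parse_invocation(sig)
    for rcls, rname, rparams in rules:
        if rcls == cls and (rname is None or (rname == name and rparams in (None, params))):
            return (rcls, rname, rparams)
    return None
```

Running the matcher over the invoke targets extracted from a disassembled APK tells you in advance which calls the repackaged app will log, which is a quick way to sanity-check a customised API list.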




References:

https://code.google.com/p/droidbox/

https://mohsin-junaid.blogspot.com/2013/02/Dynamic-analysis-with-droidbox.html

