static fields showing up in wrong class #989
Comments
ehrenb
changed the title
|
I think my understanding of what ClassAnalysis is intended to do caused some confusion. After reading through the code a bit, ClassAnalysis seems to only intend to represent xrefs of a class while still offering some API into the underlying DEX. For example, accordin to the docstring, get_fields and get_methods should only return methods and fields that the current class (that the ClassAnalysis object is wrapping) calls: class ClassAnalysis:
"""
ClassAnalysis contains the XREFs from a given Class.
It is also used to wrap :class:`~androguard.core.dex.ClassDefItem`, which
contain the actual class content like bytecode.
Also external classes will generate xrefs, obviously only XREF_FROM are
shown for external classes.
:param classobj: class:`~androguard.core.dex.ClassDefItem` or :class:`ExternalClass`
"""But this is really confusing to a user that decides to use the Analysis object from AnalyzeAPK, since the method names are 'get_fields' and 'get_methods', which don't indicate (nor do the docstrings of them) they are only supposed to return xrefs from. If this is the true intention of ClassAnalysis, then it is even more confusing that methods seem to be added to ClassAnalysis regardless of them being xrefs. Fields in ClassAnalysis only seem to get added when an xref is created via ClassAnalysis.add_field_xref_read() and ClassAnalysis.add_field_xref_write(). All methods within a particular class seem to get added to a ClassAnalysis _methods field, not just xref froms, when building up an Analysis object: analysis.py Analysis object def add(self, vm):
"""
Add a DEX to this Analysis.
:param androguard.core.bytecodes.dvm.DEX vm: :class:`dvm.DEX` to add to this Analysis
"""
self.vms.append(vm)
logger.info("Adding DEX file version {}".format(vm.version))
# TODO: This step can easily be multithreaded, as there is no dependecy between the objects at this stage
tic = time.time()
for i, current_class in enumerate(vm.get_classes()):
self.classes[current_class.get_name()] = ClassAnalysis(current_class)
new_class = self.classes[current_class.get_name()]
# Fix up the hidden api annotations (Android 10)
hidden_api = vm.get_hidden_api()
if hidden_api:
rf, df = hidden_api.get_flags(i)
new_class.set_restriction_flag(rf)
new_class.set_domain_flag(df)
for method in current_class.get_methods():
self.methods[method] = MethodAnalysis(vm, method)
new_class.add_method(self.methods[method]). # All methods being added to ClassAnalysis here
# Store for faster lookup during create_xrefs
m_hash = (current_class.get_name(), method.get_name(), str(method.get_descriptor()))
self.__method_hashes[m_hash] = self.methods[method]The below is an updated version of the first script I posted above, it shows that if we access the underlying Dex classes (via orig_class or get_vm_class()) static and instance fields, we can see that the fields exist as expected, but not in the wrapped ClassAnalysis get_fields: from androguard.misc import AnalyzeAPK
from pprint import pprint
fpath = 'tests/data/APK/TestActivity.apk'
a, d, dx = AnalyzeAPK(fpath)
####################################################################
print('#'*64)
class_name = 'Ltests/androguard/TestLoops;'
print(class_name)
test_class_analysis = dx.get_class_analysis(class_name)
class_data_item = test_class_analysis.orig_class.class_data_item
print('static_fields: ')
[encoded_field.show() for encoded_field in class_data_item.static_fields]
print('instance_fields: ')
[encoded_field.show() for encoded_field in class_data_item.instance_fields]
print('fields: ')
for f in test_class_analysis.get_fields():
print(f'field: {f.name} {f.get_field().get_access_flags()}')
f.field.show()
####################################################################
####################################################################
print('#'*64)
class_name2 = 'Ltests/androguard/TestLoops$Loop;'
print(class_name2)
test_class_analysis2 = dx.get_class_analysis(class_name2)
class_data_item2 = test_class_analysis2.orig_class.class_data_item
print('static_fields: ')
[encoded_field.show() for encoded_field in class_data_item2.static_fields]
print('instance_fields: ')
[encoded_field.show() for encoded_field in class_data_item2.instance_fields]
print('fields: ')
for f in test_class_analysis2.get_fields():
print(type(f))
print(f'field: {f.name} {f.get_field().get_access_flags()}')
####################################################################
####################################################################
print('#'*64)
class_name3 = 'Ltests/androguard/TestSynthetic$1;'
print(class_name3)
test_class_analysis3 = dx.get_class_analysis(class_name3)
class_data_item3 = test_class_analysis3.orig_class.class_data_item
print('static_fields: ')
[encoded_field.show() for encoded_field in class_data_item3.static_fields]
print('instance_fields: ')
[encoded_field.show() for encoded_field in class_data_item3.instance_fields]
print('fields: ')
for f in test_class_analysis3.get_fields():
print(f'field: {f.name} {f.get_field().get_access_flags()}')
f.field.show()
####################################################################output ...
################################################################
Ltests/androguard/TestLoops;
static_fields:
instance_fields:
fields:
field: i 9
########## Field Information
Ltests/androguard/TestLoops$Loop;->i I [access_flags=public static]
field: j 9
########## Field Information
Ltests/androguard/TestLoops$Loop;->j I [access_flags=public static]
################################################################
Ltests/androguard/TestLoops$Loop;
static_fields:
########## Field Information
Ltests/androguard/TestLoops$Loop;->i I [access_flags=public static]
########## Field Information
Ltests/androguard/TestLoops$Loop;->j I [access_flags=public static]
instance_fields:
fields:
################################################################
Ltests/androguard/TestSynthetic$1;
static_fields:
instance_fields:
########## Field Information
Ltests/androguard/TestSynthetic$1;->val$o Ljava/lang/Object; [access_flags=private final synthetic]
fields:
field: val$o 4114
########## Field Information
Ltests/androguard/TestSynthetic$1;->val$o Ljava/lang/Object; [access_flags=private final synthetic]TestLoop contains the fields because it sets $Loop.i and $Loop.j at some point, which causes those fields to be added to TestLoop's fields because they're xrefs. The $Loop class doesn't have an xref to itself, so it never gets those fields added to its _fields attribute. 
Should ClassAnalysis.get_fields/methods() be returning ALL fields and methods, or just xrefs? If all fields and methods, we can simply return a list of the underlying DEX class' methods and fields, right? |
|
i will try to take a close look at this in the following days but from a first glance the get_fields/get_methods implies returning all fields and methods and not just the xrefs. |
Thanks, I'm happy to make PRs where helpful, just let me know. I have unit tests for access flags for fields and methods in a fork, but will hold until these changes make it in. |
|
having my reservations regarding my understanding over the reasons why this was initially developed this way i can say the following:
having said that, tested a bit the besides this issue with the |
maybe we can discuss further regarding adding these unit tests and along the way improve the "user friendliness" of the source |
The unit tests were added here: https://github.com/ehrenb/androguard/blob/master/tests/test_dex.py. I noticed that one of the field tests was failing, and that's what led me to the issue in this thread. For these test, I can access using the ClassAnalysis' 'orig_class' attribute for now and that will be fine (as is in my above example) and create a PR. Once new "user friendliness" designs are implemented, it probably makes sense to port those changes to the test case as well. I will try to write up my thoughts on what "user friendliness" changes may look like. I'm thinking this could be cleared up with some method name changes and definitive examples for use. |
That would be perfect and it can help in creating a plan on what needs to be done further. Unfortunately I have very very limited time these days to help sort things faster. |
My understanding has changed slightly, I don't think the This is apparent by their addition in the ...
self.classes[current_class.get_name()] = ClassAnalysis(current_class)
...
new_class.add_method(self.methods[method])But fields were seemingly never wrapped and added like the above, maybe this was left undone? They were only wrapped and added into a ClassAnalysis when an XREF occurred. That may have led to my confusion about why only certain fields were in the Analysis with my test. We can ensure all of the app-internal fields are wrapped by adding a Then, Anyways, I've spent a decent amount of time trying to understand the intent of this code. If we move forward with the above understanding about the design (which I now believe wasn't completely finished), here are some things we can add to complete it:
|
|
@ehrenb there are a few things scattered around the source that are either forgotten or stopped midway while developing them due to lack of time etc, so I would not be surprised if fields are just not completed in that sense. Additionally, its a project that is several years old, without actively being maintained since 2019 and therefore proper testing of the code is a bit behind on schedule. This is the reason why one of the first moves I did was to reinstate the tests. To conclude, I am up to proceed with your ideas, when I will get a bit more time I will review things and consider what more can be done |
Understood, getting testing up and running will help reveal some of these issues/designs that aren't so obvious (such as the fields!). I'll work on PRs for the above tasks I mentioned, then can help tackle whatever else comes up (issue backlog or new features, docs, etc). |
…. fix failing test mentioned in androguard#989 so that it assumes testing for wrapped fields. make new tests for DEX-class level testing that tests counts of parsed values in the DEX header
I was in the process of writing more test cases for fields, when I noticed that a static field was being attached to the wrong class. The 'i' and 'j' static fields are within the TestLoops$Loop class, not TestLoops. Instance fields seem to be connected properly (see TestSynthetic$1) though.
Using TestActivity.apk:
output:
In smali, TestLoops$Loop.smali:
In smali, TestLoops.smali, there are no fields:
TestSynthetic$1.smali
I also used Kaitai Struct to take a look at the dex, and the 'i' and 'j' fields are indeed within TestLoops$Loop:
The text was updated successfully, but these errors were encountered: