forked from aylhex/ApkSecurityAnalysis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
MatchRule.py
187 lines (144 loc) · 6.57 KB
/
MatchRule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
import re
from androguard.core.bytecodes.apk import APK
from androguard.core.bytecodes import dvm
from androguard.core.analysis import analysis
class MatchRule(object):
'''
This class is analysis source to audit
:param d: specify the DalvikVMFormat object
:param dx: specify the VMAnalysis object
:type d: androguard.core.bytecodes.dvm.DalvikVMFormat
:type dx: androguard.core.analysis.VMAnalysis
:Example SourceAudit(d, dx)
'''
def __init__(self, d, dx):
self.d = d
self.dx = dx
self.webview = {}
self.register_receiver = {}
self.allowallhostnameverifier = {}
self.onreceivedsslerror = {}
self.dexclassloader = {}
self.https = {}
self.log = {}
def webview_audit(self):
self.webview = self.__mathods_search(".", "addJavascriptInterface", ".")
#self.webview = self.__mathods_search("", "webview", ".")
#self.webview = self.__mathods_search(".", "removeJavascriptInterface", ".")
def register_receiver_audit(self):
self.register_receiver = self.__mathods_search(".", "registerReceiver", ".")
def allowallhostnameverifier_audit(self):
self.allowallhostnameverifier = self.__mathods_search(".", "AllowAllHostnameVerifier", ".")
def onreceivedsslerror_audit(self):
self.onreceivedsslerror = self.__mathods_search(".", "OnReceivedSslError", ".")
def dexclassloader_audit(self):
self.dexclassloader = self.__mathods_search("Ldalvik/system/DexClassLoader", "loadClass", ".")
def https_audit(self):
self.https = self.__mathods_search("Lorg/apache/http/conn/ssl/SSLSocketFactory;", "setHostnameVerifier", ".")
def intent_scheme_audit(self):
self.intent_scheme = self.__mathods_search("Landroid/content/Intent;", "parseUri", ".")
def log_audit(self):
self.log = self.__mathods_search_log("Landroid/util/Log;", "i", ".")
#pass
def __mathods_search(self, package_name, method_name, descriptor):
'''
This method is search method's ref and get the method's java source
:param package_name: specify the taint class name
:param method_name: specify the taint mathod name
:param package_name: string
:param method_name: string
'''
nodes = []
names = {}
analysis_res = {}
tainted_packages = self.dx.get_tainted_packages()
paths = tainted_packages.search_methods(package_name, method_name, descriptor)
if not paths:
return
#analysis.show_Paths(self.d, paths)
#path's struct {'src': 'Lclass; method(parm_type;parm_type;)ret_type;', 'dst': 'Lclass; method(parm_type;parm_type;)ret_type;', 'idx': 170}
#nodes containt many path's struct
for path in paths:
nodes.append(analysis.get_Path(self.d, path))
for node in nodes:
tmp = node["src"].split(" ")
#names struct : {'class':['method_name']['method_name']}
if names.has_key(tmp[0]):
names[tmp[0]].append(tmp[1])
else:
names[tmp[0]] = []
names[tmp[0]].append(tmp[1])
#print names :src class and method
for current_class in self.d.get_classes():
class_name = current_class.get_name()
#this class is the src class for tainted method
if names.has_key(class_name):
for method in current_class.get_methods():
name = method.get_name()
#src method to call tainted method
if name in names[class_name]:
java = method.get_source()
java_code = java.split("\n")
for code in java_code:
if code.find(method_name) != -1:
analysis_res["%s->%s.java:%s" % (class_name, name, code.lstrip())]=java
return analysis_res
def __mathods_search_log(self, package_name, method_name, descriptor):
'''
This method is search method's ref and get the method's java source
:param package_name: specify the taint class name
:param method_name: specify the taint mathod name
:param package_name: string
:param method_name: string
'''
nodes = []
names = {}
analysis_res = {}
tainted_packages = self.dx.get_tainted_packages()
paths = tainted_packages.search_methods(package_name, method_name, descriptor)
if not paths:
return
#analysis.show_Paths(self.d, paths)
#path's struct {'src': 'Lclass; method(parm_type;parm_type;)ret_type;', 'dst': 'Lclass; method(parm_type;parm_type;)ret_type;', 'idx': 170}
#nodes containt many path's struct
for path in paths:
nodes.append(analysis.get_Path(self.d, path))
for node in nodes:
tmp = node["src"].split(" ")
#names struct : {'class':['method_name']['method_name']}
if names.has_key(tmp[0]):
names[tmp[0]].append(tmp[1])
else:
names[tmp[0]] = []
names[tmp[0]].append(tmp[1])
#print names :src class and method
for current_class in self.d.get_classes():
class_name = current_class.get_name()
#this class is the src class for tainted method
if names.has_key(class_name):
for method in current_class.get_methods():
name = method.get_name()
#src method to call tainted method
if name in names[class_name]:
java = method.get_source()
java_code = java.split("\n")
for code in java_code:
if code.lower().find("log.i") != -1:
analysis_res["%s->%s.java:%s" % (class_name, name, code.lstrip())]=java
return analysis_res
def get_webview_res(self):
return self.webview
def get_register_receiver(self):
return self.register_receiver
def get_allowallhostnameverifier(self):
return self.allowallhostnameverifier
def get_onreceivedsslerror(self):
return self.onreceivedsslerror
def get_dexclassloader(self):
return self.dexclassloader
def get_https(self):
return self.https
def get_intent_scheme(self):
return self.intent_scheme
def get_logs(self):
return self.log