Giter Site home page Giter Site logo

androguard-yara's Introduction

Build Status

Androguard module for Yara

This module for Yara is part of the Koodous project https://koodous.com and it integrates static APK analysis with Yara. You can use it to find APKs by package name, permissions or API level, etc. You can find the documentation for this module in the Koodous documentation's site: http://docs.koodous.com/yara/androguard/

Preparing compilation

If you want to use this module, first you need to re-compile Yara with the androguard module. To do so, you need to modify some files. Follow the basic steps in the official docs: http://yara.readthedocs.org/en/latest/writingmodules.html#building-our-hello-world

  • Include the file androguard.c in folder libyara/modules.
  • Modify "libyara/modules/module_list" and add "MODULE(androguard)" in the cuckoo block. The file should looks like following:
MODULE(pe)
MODULE(elf)
MODULE(math)

#ifdef CUCKOO
MODULE(cuckoo)
MODULE(androguard)
#endif
  • Modify "libyara/Makefile.am" to add androguard module ("MODULES += modules/androguard.c") in the cuckoo block:
MODULES =  modules/tests.c
MODULES += modules/pe.c

if CUCKOO
MODULES += modules/cuckoo.c
MODULES += modules/androguard.c
endif
  • Recompile Yara, but enabling cuckoo module. The reason to include it is because cuckoo module uses libjansson like androguard module, and this is the easy way to prepare all dependencies. If you don't want to include cuckoo module, you have to browse for all Makefile files and include libjansson without condition (this is the hard way).
./bootstrap.sh
./configure --enable-cuckoo
make
make install

Using Androguard module

Androguard module is ready to use with Koodous reports, hence we provide an script called download_androguard_report.py (inside this repository) to get this reports automatically.

  • Use the script with the sha256 of the sample that you refer, in this example is d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f:
$ python download_androguard_report.py -s d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f

Androguard report saved in d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f-report.json
  • And finally, use it with Yara!
$ yara -x androguard=d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f-report.json rule.yar sample.apk

clicker sample.apk

androguard-yara's People

Contributors

plutec avatar xumeiquer avatar diviei avatar jovimon avatar xgusix avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.