
smalisca's Introduction

Static Code Analysis for Smali


If you have ever looked at Android applications, you know how valuable it is to analyze your target at the most advanced level. Dynamic program analysis will give you a pretty good overview of your application's activities and general behaviour. However, sometimes you'll want to analyze your application without running it. You'll want to have a look at its components, analyze how they interact and how data is tainted from one point to another.

This was the major factor driving the development of smalisca. There are indeed some good reasons for a static code analysis before the dynamic one. Before interacting with the application I like to know how the application has been built, whether there is any API, and to generate all sorts of call flow graphs. In fact, graphs have been very important to me since they visualize things. Instead of jumping from file to file, from class to class, I just look at the graphs.

While graph building has been an important reason for me to code such a tool, smalisca has some other neat features you should read about.

Features

At the moment there are a few major features:

  • parsing

    You can parse a whole directory of Smali files and extract:

    • class information
    • class properties
    • class methods
    • calls between methods of different classes

    You can then export the results as JSON or SQLite.

    Have a look at the parsing page for more information.

  • analyzing

    After exporting the results you'll get an interactive prompt to take a closer look at your parsed data. You can search for classes, properties, methods and even method calls. You can then apply several filters to your search criteria, for example:

    smalisca> sc -c class_name -p test -r 10 -x path -s class_type
    

    This command will search for 10 (-r 10) classes which contain the pattern test (-p) in their class name (-c). Afterwards the command will exclude the column path (-x path) from the results and sort them by the class type (-s).

    Let's have a look at another example:

    smalisca> scl -fc com/android -fm init -r 10
    

    This will search for all method calls whose calling class name contains the pattern com/android (-fc). Additionally we can look for calls originating from methods whose name contains the pattern init (-fm).

    You can of course read your commands from a file and analyze your results in a batch-like manner:

    $ cat cmd.txt
    sc -c class_name -p com/gmail/xlibs -r 10 -x path
    quit
    $ ./smalisca.py analyzer -i results.sqlite -f sqlite -c cmd.txt
    ...
    

    Have a look at the analysis page for more information.

  • web API

    smalisca provides a REST web service in order to easily interact with the results by just using a web client. This way you can access data in your own (fancy) web application and have a clean separation between backend and frontend.

    Read more about the available REST API at the web API page.

  • visualizing

    I think this is the most valuable feature of smalisca. The ability to visualize your results in a structured way makes your life more comfortable. Depending on what you're interested in, this tool has several graph drawing features I'd like to promote.

    At first you can draw your packages including their classes, properties and methods:

    smalisca> dc -c class_name -p test -f dot -o /tmp/classes.dot
    :: INFO       Wrote results to /tmp/classes.dot
    smalisca>
    

    This will first search classes whose class name contains test and then export the results in the Graphviz DOT language. You can then manually generate a graph using dot, neato, circo etc. Or you do that using the interactive prompt:

    smalisca> dc -c class_name -p test -f pdf -o /tmp/classes.pdf --prog neato
    :: INFO       Wrote results to /tmp/classes.pdf
    smalisca>
    

    Have a look at the drawing page for more information.
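To make the parsing and drawing features above concrete, here is an added example (my own code, not smalisca's) that does on a small scale what the parser and the `dc` command do: it walks Smali text, extracts class name, type, package, fields, methods and the `invoke-*` calls each method makes, and emits the cross-class call graph in the Graphviz DOT language. The two Smali files are constructed for this example; the `depth` value is computed as the number of path segments, which is consistent with the `depth` column shown in the analyzer table further down.

```python
"""Minimal Smali parser and DOT exporter (added example, not smalisca's own code).

Extracts the same kinds of facts smalisca's parser pulls from a Smali directory:
class name/type/package, fields (properties), methods and the invoke-* calls
made by each method.  The Smali input below is constructed for this example.
"""
import re

# Constructed Smali snippets standing in for two files of a dumped APK.
SAMPLE_SMALI = {
    "com/example/bank/LoginActivity.smali": """\
.class public Lcom/example/bank/LoginActivity;
.super Landroid/app/Activity;

.field private token:Ljava/lang/String;

.method public onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    new-instance v0, Lcom/example/bank/Uploader;
    invoke-direct {v0}, Lcom/example/bank/Uploader;-><init>()V
    invoke-virtual {v0, p0}, Lcom/example/bank/Uploader;->send(Ljava/lang/String;)V
    return-void
.end method
""",
    "com/example/bank/Uploader.smali": """\
.class public final Lcom/example/bank/Uploader;
.super Ljava/lang/Object;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method public send(Ljava/lang/String;)V
    .locals 0
    invoke-static {p1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}

# Smali directives: modifiers are optional words before the class/field/method.
CLASS_RE = re.compile(r"^\.class\s+(?P<mods>(?:\w+\s+)*)(?P<name>L[^;]+;)")
FIELD_RE = re.compile(r"^\.field\s+(?:\w+\s+)*(?P<name>[^:\s]+):(?P<type>\S+)")
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*(?P<sig>\S+\(.*)$")
# invoke-{virtual,direct,static,super,interface}[/range] {regs}, Lcls;->name(args)ret
INVOKE_RE = re.compile(
    r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(?P<cls>L[^;]+;)->(?P<meth>[^(]+)\(")


def parse_smali(files):
    """Return {class_name: info}; info holds type, package, depth, super, fields,
    methods and (from_method, to_class, to_method) call tuples."""
    classes = {}
    for path, text in files.items():
        current, method = None, None
        for raw in text.splitlines():
            line = raw.strip()
            m = CLASS_RE.match(line)
            if m:
                name = m.group("name")
                current = {
                    "path": path,
                    "class_type": m.group("mods").strip(),   # "" when no modifier
                    "class_package": name.rsplit("/", 1)[0].replace("/", "."),
                    "depth": name.count("/") + 1,            # path segments
                    "super": None, "fields": [], "methods": [], "calls": [],
                }
                classes[name] = current
                continue
            if current is None:
                continue                                     # text before .class
            if line.startswith(".super "):
                current["super"] = line.split()[1]
                continue
            m = FIELD_RE.match(line)
            if m:
                current["fields"].append((m.group("name"), m.group("type")))
                continue
            m = METHOD_RE.match(line)
            if m:
                method = m.group("sig").split("(")[0]      # name without descriptor
                current["methods"].append(method)
                continue
            if line == ".end method":
                method = None
                continue
            m = INVOKE_RE.match(line)
            if m and method is not None:
                current["calls"].append((method, m.group("cls"), m.group("meth")))
    return classes


def to_dot(classes, only_cross_class=True):
    """Emit a DOT digraph: one node per parsed class, one edge per distinct call.
    Callee classes not parsed (e.g. framework classes) become implicit nodes."""
    lines = ["digraph calls {", "  rankdir=LR;", "  node [shape=box];"]
    lines += [f'  "{name}";' for name in classes]
    edges = set()
    for name, info in classes.items():
        for from_m, to_cls, to_m in info["calls"]:
            if only_cross_class and to_cls == name:
                continue
            edges.add((name, to_cls, f"{from_m} -> {to_m}"))
    lines += [f'  "{s}" -> "{d}" [label="{lbl}"];' for s, d, lbl in sorted(edges)]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_smali(SAMPLE_SMALI)
    for name, info in parsed.items():
        print(name, repr(info["class_type"]), info["class_package"], info["depth"], info["methods"])
    print(to_dot(parsed))   # pipe into: dot -Tpdf -o calls.pdf
```

The DOT text can be rendered with `dot`, `neato` or `circo` exactly as described for the `-f dot` output above; the `only_cross_class` switch drops self-calls so the graph shows relationships between classes rather than within them.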

Screenshots

Basic usage

Output results as table.

Cross calls

Basic relationships between classes and modules.

Have a look at the screenshots page.

Installation

Refer to the installation page. Requirements:

  • Python (2.x / 3.x)
  • cement
  • Graphviz
  • SQLAlchemy

How to use it

After installing the tool, you may want to first pick up an Android application (APK) to play with. Use apktool or my own tool ADUS to dump the APK's content. For the sake of simplicity I'll be using FakeBanker, which I've analyzed in a previous blog post.

First touch

But first let's have a look at the tool's main options:

$ smalisca --help

                           /\_ \    __
  ____    ___ ___      __  \//\ \  /\_\    ____    ___     __
 /',__\ /' __` __`\  /'__`\  \ \ \ \/\ \  /',__\  /'___\ /'__`\
/\__, `\/\ \/\ \/\ \/\ \L\.\_ \_\ \_\ \ \/\__, `\/\ \__//\ \L\.\_
\/\____/\ \_\ \_\ \_\ \__/.\_\/\____\\ \_\/\____/\ \____\ \__/.\_\
 \/___/  \/_/\/_/\/_/\/__/\/_/\/____/ \/_/\/___/  \/____/\/__/\/_/


--------------------------------------------------------------------------------
:: Author:       Victor <Cyneox> Dorneanu
:: Desc:         Static Code Analysis tool for Smali files
:: URL:          http://nullsecurity.net, http://{blog,www}.dornea.nu
:: Version:      0.2
--------------------------------------------------------------------------------

usage: smalisca (sub-commands ...) [options ...] {arguments ...}

[--] Static Code Analysis (SCA) tool for Baskmali (Smali) files.

commands:

  analyzer
    [--] Analyze results using an interactive prompt or on the command line.

  parser
    [--] Parse files and extract data based on Smali syntax.

  web
    [--] Analyze results using web API.

optional arguments:
  -h, --help            show this help message and exit
  --debug               toggle debug output
  --quiet               suppress all output
  --log-level {debug,info,warn,error,critical}
                        Change logging level (Default: info)
  -v, --version         show program's version number and exit

Parsing

I'll first parse some directory for Smali files before doing the analysis stuff:

$ smalisca parser -l ~/tmp/FakeBanker2/dumped/smali -s java -f sqlite  -o fakebanker.sqlite

...

:: INFO       Parsing .java files in /home/victor/tmp/FakeBanker2/dumped/smali ...
:: INFO       Finished parsing!
:: INFO       Exporting results to SQLite
:: INFO         Extract classes ...
:: INFO         Extract class properties ...
:: INFO         Extract class methods ...
:: INFO         Extract calls ...
:: INFO         Commit changes to SQLite DB
:: INFO         Wrote results to fakebanker.sqlite
:: INFO       Finished scanning

Also have a look at the parsing page for further information.

Analyzing

Now you're free to do whatever you want with your generated exports. You can inspect the SQLite DB directly or use smalisca's analysis features:

$ smalisca analyzer -f sqlite -i fakebanker.sqlite

...


smalisca>sc -x path -r 10
+----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
| id | class_name                                                                              | class_type         | class_package            | depth |
+----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
| 1  | Landroid/support/v4/net/ConnectivityManagerCompat                                       | public             | Landroid.support.v4.net  | 5     |
| 2  | Landroid/support/v4/view/AccessibilityDelegateCompat$AccessibilityDelegateJellyBeanImpl |                    | Landroid.support.v4.view | 5     |
| 3  | Landroid/support/v4/view/ViewCompat$ViewCompatImpl                                      | interface abstract | Landroid.support.v4.view | 5     |
| 4  | Landroid/support/v4/app/ActivityCompatHoneycomb                                         |                    | Landroid.support.v4.app  | 5     |
| 5  | Landroid/support/v4/app/NoSaveStateFrameLayout                                          |                    | Landroid.support.v4.app  | 5     |
| 6  | Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2                           |                    | Landroid.support.v4.net  | 5     |
| 7  | Lcom/gmail/xpack/BuildConfig                                                            | public final       | Lcom.gmail.xpack         | 4     |
| 8  | Landroid/support/v4/app/BackStackRecord$Op                                              | final              | Landroid.support.v4.app  | 5     |
| 9  | Landroid/support/v4/app/FragmentManagerImpl                                             | final              | Landroid.support.v4.app  | 5     |
| 10 | Landroid/support/v4/app/ShareCompat$ShareCompatImpl                                     | interface abstract | Landroid.support.v4.app  | 5     |
+----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+

Also refer to the analysis page for more available commands and options.
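Since the README says you can inspect the SQLite DB directly, here is an added example (my own code, not smalisca's) that reproduces the `sc -c class_name -p <pattern> -r 10 -x path -s class_type` search described in the analyzing section as a plain SQLite query. The table name `classes` and the `path` column are assumptions; the remaining columns mirror the table above, and the rows are constructed for this example. The point worth copying is how the filter is built: column names coming from a prompt are checked against an allow-list before they reach the SQL text, while the pattern and row limit are bound parameters, so a pattern such as `'; DROP TABLE` is only ever matched as data.

```python
"""sc-style class search over a smalisca-like SQLite export (added example,
not smalisca's own code).  Table name `classes` and column `path` are assumed."""
import sqlite3

COLUMNS = ("id", "class_name", "class_type", "class_package", "depth", "path")

# Constructed rows in the shape of the `sc -x path -r 10` table above.
SAMPLE_ROWS = [
    (1, "Landroid/support/v4/net/ConnectivityManagerCompat", "public",
     "Landroid.support.v4.net", 5, "smali/android/support/v4/net/ConnectivityManagerCompat.smali"),
    (2, "Landroid/support/v4/view/ViewCompat$ViewCompatImpl", "interface abstract",
     "Landroid.support.v4.view", 5, "smali/android/support/v4/view/ViewCompat$ViewCompatImpl.smali"),
    (3, "Landroid/support/v4/app/ActivityCompatHoneycomb", "",
     "Landroid.support.v4.app", 5, "smali/android/support/v4/app/ActivityCompatHoneycomb.smali"),
    (4, "Lcom/gmail/xpack/BuildConfig", "public final",
     "Lcom.gmail.xpack", 4, "smali/com/gmail/xpack/BuildConfig.smali"),
    (5, "Landroid/support/v4/app/ShareCompat$ShareCompatImpl", "interface abstract",
     "Landroid.support.v4.app", 5, "smali/android/support/v4/app/ShareCompat$ShareCompatImpl.smali"),
    (6, "Landroid/support/v4/app/FragmentManagerImpl", "final",
     "Landroid.support.v4.app", 5, "smali/android/support/v4/app/FragmentManagerImpl.smali"),
]


def build_db(rows):
    """Create an in-memory DB with the assumed `classes` table and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, class_name TEXT, "
                 "class_type TEXT, class_package TEXT, depth INTEGER, path TEXT)")
    conn.executemany("INSERT INTO classes VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def like_pattern(text):
    """Wrap a literal substring for LIKE, escaping its own %, _ and \\ so that a
    class name such as Foo_Bar is matched literally (SQLite LIKE is ASCII
    case-insensitive by default)."""
    esc = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{esc}%"


def search_classes(conn, column="class_name", pattern="", limit=10,
                   exclude=(), sort_by="id"):
    """Equivalent of: sc -c <column> -p <pattern> -r <limit> -x <exclude> -s <sort_by>.
    Returns (selected_columns, rows)."""
    # Identifiers cannot be bound as parameters, so they are allow-listed instead.
    if column not in COLUMNS or sort_by not in COLUMNS:
        raise ValueError(f"unknown column: {column!r} / {sort_by!r}")
    unknown = set(exclude) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown column(s) to exclude: {sorted(unknown)}")
    selected = [c for c in COLUMNS if c not in exclude]
    cols = ", ".join(selected)
    sql = (f"SELECT {cols} FROM classes WHERE {column} LIKE ? ESCAPE '\\' "
           f"ORDER BY {sort_by}, id LIMIT ?")
    rows = conn.execute(sql, (like_pattern(pattern), int(limit))).fetchall()
    return selected, rows


def render_table(headers, rows):
    """Render rows as an ASCII grid like the analyzer prompt does."""
    widths = [max(len(str(v)) for v in [h, *(r[i] for r in rows)])
              for i, h in enumerate(headers)]
    sep = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def fmt(values):
        return "| " + " | ".join(str(v).ljust(w) for v, w in zip(values, widths)) + " |"

    return "\n".join([sep, fmt(headers), sep, *(fmt(r) for r in rows), sep])


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    headers, hits = search_classes(db, "class_name", "Compat", limit=10,
                                   exclude=("path",), sort_by="class_type")
    print(render_table(headers, hits))
```

Run against a real export, replace `build_db` with `sqlite3.connect("fakebanker.sqlite")` and adjust the table name to whatever the export actually uses; the allow-list and bound parameters stay the same.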

Drawing

Please refer to the drawing page for full examples.

License

smalisca has been released under the MIT license. Have a look at the LICENSE.rst file.

Credits

This tool is dedicated to Lică. Many thanks also go to:

  • Stephen McAllister

    • Many thanks for all those hours full of APK debugging and great ideas
  • My gf

    • Thank you very much for your patience and understanding!
  • nullsecurity.net

    • Hack the planet!

smalisca's People

Contributors

anantshri, braintiddly, dorneanu, faineance, lpmitchell, rbdixon, zubux


smalisca's Issues

Encounters: ImportError: No module named configparser

When I type smalisca --help, smalisca always gives the error output:

Traceback (most recent call last):
  File "/home/demonkit/work/envs/smali/bin/smalisca", line 33, in <module>
    import smalisca.core.smalisca_config as config
  File "/home/demonkit/work/envs/smali/local/lib/python2.7/site-packages/smalisca/core/smalisca_config.py", line 37, in <module>
    import configparser
ImportError: No module named configparser

My Python env is Python 2.7.6, OS is Ubuntu 14.04.3.
I want to know how to fix it.
Thanks

No results

There is a problem:

smalisca>sc -c class_name -p gmail -x path -r 10

No results! :(

Empty db after parsing

Hey!
I just tried smalisca, and while I found it very convenient to use (good job on that!),
my parsing results in an empty sqlite db.
I used apktool to convert an .apk to smali files and
then used smalisca like that:

smalisca parser -l /path/to/app/smali/ -s java -f sqlite -o /apk.sqlite -d 1

It parses without errors and commits the results, but the db is empty:

...
Exporting results to SQLite
:: INFO       	Extract classes ...
:: INFO       	Extract class properties ...
:: INFO       	Extract class const-strings ...
:: INFO       	Extract class methods ...
:: INFO       	Extract calls ...
:: INFO       	Commit changes to SQLite DB
:: INFO       	Wrote results to /apk.sqlite
:: INFO       Finished scanning

Output graph file

Hi,

When the full path of the output file is not provided smalisca assumes that / is being used, which leads to crash when user has no write permissions.

Example

smalisca>dc -c class_name -p ApiCrypt -f png -o test.png
Traceback (most recent call last):
  File "/home/santoku/Tools/.smalienv/bin/smalisca", line 5, in
    pkg_resources.run_script('smalisca==0.1', 'smalisca')
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/pkg_resources.py", line 488, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/pkg_resources.py", line 1361, in run_script
    exec(script_code, namespace, namespace)
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/smalisca-0.1-py2.7.egg/EGG-INFO/scripts/smalisca", line 68, in
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/cement-2.4.0-py2.7.egg/cement/core/foundation.py", line 694, in run
    self.controller._dispatch()
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/cement-2.4.0-py2.7.egg/cement/core/controller.py", line 455, in _dispatch
    return func()
  File "/home/santoku/Tools/.smalienv/local/lib/python2.7/site-packages/cement-2.4.0-py2.7.egg/cement/core/controller.py", line 461, in _dispatch
    return func()
  File "build/bdist.linux-x86_64/egg/smalisca/controller/controller_analyzer.py", line 118, in default
  File "/usr/lib/python2.7/cmd.py", line 142, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "build/bdist.linux-x86_64/egg/smalisca/analysis/analysis_shell.py", line 794, in do_dc
  File "build/bdist.linux-x86_64/egg/smalisca/modules/module_graph.py", line 184, in write
  File "build/bdist.linux-x86_64/egg/graphviz/files.py", line 163, in render
  File "build/bdist.linux-x86_64/egg/graphviz/files.py", line 152, in save
IOError: [Errno 13] Permission denied: '/test'

Install info is incorrect

Hi,
This is a very minor error, but it seems that the INSTALL info is not up to date. It says:

cd smalisca
$ make install

but there is no Makefile in smalisca. It seems that make install must rather be done from the root of the project (above smalisca).

Error

Thanks for your help.
I downloaded smalisca, but when I write
$ smalisca --help
this error appears:
Traceback (most recent call last):
  File "", line 1, in
  File "C:\python27\lib\multiprocessing\forking.py", line 380, in main
    prepare(preparation_data)
  File "C:\python27\lib\multiprocessing\forking.py", line 503, in prepare
    file, path_name, etc = imp.find_module(main_name, dirs)
ImportError: No module named smalisca
Traceback (most recent call last):
  File "C:/Python27/Scripts/smalisca", line 35, in
    from smalisca.controller.controller_parser import ParserController
  File "C:\python27\lib\site-packages\smalisca\controller\controller_parser.py", line 77, in
    class ConcurrentParser():
  File "C:\python27\lib\site-packages\smalisca\controller\controller_parser.py", line 90, in ConcurrentParser
    multimanager = multiprocessing.Manager()
  File "C:\python27\lib\multiprocessing__init__.py", line 99, in Manager
    m.start()
  File "C:\python27\lib\multiprocessing\managers.py", line 528, in start
    self._address = reader.recv()
EOFError
What should I do to solve this error?

Usage

Hi,

Could you tell me the usage syntax for the tool?

AttributeError: module 'cement.core.controller' has no attribute 'CementBaseController'

Python version: 3.6 (anaconda)

After I did pip install smalisca and run smalisca, it shows:

py36  tmp  smalisca --help Traceback (most recent call last): File "/Users/hoangdang/anaconda2/envs/py36/bin/smalisca", line 34, in <module> from smalisca.core.smalisca_main import SmaliscaApp, smalisca_signal_handler File "/Users/hoangdang/anaconda2/envs/py36/lib/python3.6/site-packages/smalisca/core/smalisca_main.py", line 39, in <module> from smalisca.controller.controller_base import BaseController File "/Users/hoangdang/anaconda2/envs/py36/lib/python3.6/site-packages/smalisca/controller/controller_base.py", line 40, in <module> class BaseController(controller.CementBaseController): AttributeError: module 'cement.core.controller' has no attribute 'CementBaseController'

Parsing is incomplete on some apps

I'm trying to use smalisca to analyze some popular apps (whatsapp and facebook).
After parsing, the resulting sqlite database is kinda small for both, only a few kbs in size.
Analyzing the database confirms that it contains only a small number of classes (around 50 for facebook and 120 for whatsapp) and calls (for instance, I tried scl -tm checkSelfPermission and I get 0 results, very very odd).

I'm not sure why this happens, but I noticed that a lot of the smali files have very short names (like a.smali, b.smali, c.smali, etc) and some names appear multiple times (there's several a.smali).
I guess that either:

  • they're using some sort of code obfuscation that prevents smalisca from working correctly OR
  • having multiple files with the same name "tilts" smalisca

Just to be sure, I tried baksmaling with both apktool and dex2jar, same result.

No such file or directory: 'smalisca/data/config/config.conf'

Hello, I'm running smalisca on Linux Mint. I can't analyze my sqlite:

$ smalisca analyzer -f sqlite -i base.sqlite 
                            ___                                   
                           /\_ \    __                            
  ____    ___ ___      __  \//\ \  /\_\    ____    ___     __     
 /',__\ /' __` __`\  /'__`\  \ \ \ \/\ \  /',__\  /'___\ /'__`\   
/\__, `\/\ \/\ \/\ \/\ \L\.\_ \_\ \_\ \ \/\__, `\/\ \__//\ \L\.\_ 
\/\____/\ \_\ \_\ \_\ \__/.\_\/\____\\ \_\/\____/\ \____\ \__/.\_\
 \/___/  \/_/\/_/\/_/\/__/\/_/\/____/ \/_/\/___/  \/____/\/__/\/_/



--------------------------------------------------------------------------------
:: Author:   Victor <Cyneox> Dorneanu
:: Desc:     Static Code Analysis tool for Smali files
:: URL:      http://nullsecurity.net, http://{blog,www}.dornea.nu
:: Version:  0.2
--------------------------------------------------------------------------------

:: INFO       Using default conf (smalisca/data/config/config.conf)
Traceback (most recent call last):
  File "/usr/local/bin/smalisca", line 70, in <module>
    app.run()
  File "/usr/local/lib/python2.7/dist-packages/cement/core/foundation.py", line 882, in run
    return_val = self.controller._dispatch()
  File "/usr/local/lib/python2.7/dist-packages/cement/core/controller.py", line 471, in _dispatch
    return func()
  File "/usr/local/lib/python2.7/dist-packages/cement/core/controller.py", line 477, in _dispatch
    return func()
  File "/usr/local/lib/python2.7/dist-packages/smalisca/controller/controller_analyzer.py", line 99, in default
    config.smalisca_conf.read(config.PROJECT_CONF)
  File "/usr/local/lib/python2.7/dist-packages/smalisca/core/smalisca_config.py", line 251, in read
    with codecs.open(filename, 'r', encoding='utf-8') as f:
  File "/usr/lib/python2.7/codecs.py", line 878, in open
    file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 2] No such file or directory: 'smalisca/data/config/config.conf'

Can smalisca be used in Windows?

After I executed "pip install smalisca", smalisca was installed successfully. But when I executed "smalisca --help" in CMD, I got "smalisca is not recognized as an internal or external command...".

Improving sql insertions

Currently smalisca uses sqlite via sqlalchemy to store all the required information that have been extracted and computed.

sqlite is soooooo sloooowwwwww, especially on very huge applications.

I resolved this by switching from sqlite to mysql (mariadb). Performances are multiplied by 100.......

However I think I can't create a new pull request if I can't push a new branch. ("remote: Permission to dorneanu/smalisca.git denied")
