Android Dynamic Class Dumper — dump all DEX files and classes from running Android apps

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for anatoliyfeed from gravatar.com anatoliyfeed

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: clsdumper contributors
  • Tags android , class-dumper , dex , frida , reverse-engineering
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

clsdumper

       _         _
   ___| |___  __| |_   _ _ __ ___  _ __   ___ _ __
  / __| / __|/ _` | | | | '_ ` _ \| '_ \ / _ \ '__|
 | (__| \__ \ (_| | |_| | | | | | | |_) |  __/ |
  \___|_|___/\__,_|\__,_|_| |_| |_| .__/ \___|_|
                                   |_|

Python 3.10+ License: MIT

Android Dynamic Class Dumper — dump all DEX files from running Android apps using Frida.

clsdumper hooks into a running (or freshly spawned) Android application and extracts every DEX file it can find using 9 different strategies. It works against apps with anti-Frida protections, packed/encrypted DEX files, and dynamically loaded code.

Features

  • 9 extraction strategies — ART runtime walk, function hooking, memory scanning, OAT/VDEX parsing, and more
  • Anti-Frida bypass — blocks signal-handler registration, filters /proc/self/maps, neutralizes watchdog threads
  • Spawn & attach — start the app fresh or hook into an already running process
  • Automatic deduplication — agent-side fast hash + host-side SHA-256
  • Class extraction — optionally decompile DEX files into individual .smali classes via androguard
  • Works without Java bridge — native strategies run outside Java.perform(), so they work even when the Java bridge crashes

Quick Start

# Install from source
pip install .

# Dump DEX from a running app (USB-connected device)
clsdumper com.example.app

# Spawn the app and dump
clsdumper com.example.app --spawn

# Attach by PID
clsdumper 12345

Requirements

  • Python 3.10+
  • Rooted Android device with frida-server running
  • USB debugging enabled (or use --host for TCP)

Usage

clsdumper [target] [options]
Option Description
target Package name or PID of the target app
-o, --output DIR Output directory (default: ./dump_<target>)
--spawn Spawn the app instead of attaching
--host HOST Frida server host for TCP connection (default: USB)
--strategies LIST Comma-separated list of strategies to use
--no-scan Disable memory scan strategy
--deep-scan Enable deep scan (CDEX files, slower)
--extract-classes Extract individual classes from dumped DEX files
--no-anti-frida Disable anti-Frida bypass
-d, --debug Enable debug output
--list List running processes on the device
--list-apps List installed applications
-v, --version Show version

Examples

# Use specific strategies only
clsdumper com.example.app --strategies fart_dump,oat_extract

# Spawn with class extraction
clsdumper com.example.app --spawn --extract-classes

# Connect to remote frida-server
clsdumper com.example.app --host 192.168.1.100

# List all installed apps
clsdumper --list-apps

Strategies

# Strategy Phase Description
1 art_walk Native Walks Runtime -> ClassLinker -> DexFile structs in ART
2 open_common_hook Native Hooks DexFile::OpenCommon in libdexfile.so
3 memory_scan Native Scans readable memory regions for DEX magic bytes
4 cookie Java Reads mCookie field from ClassLoaders via reflection
5 classloader_hook Java Monitors loadClass / DexClassLoader / InMemoryDexClassLoader
6 mmap_hook Native Intercepts mmap/mmap64 calls (not in default set)
7 oat_extract Native Parses mapped .vdex / .oat files for embedded DEX
8 fart_dump Native Hooks DefineClass + walks class_table_ (best coverage)
9 dexfile_constructor Native Hooks OatDexFile C++ constructors

Default set: all except mmap_hook (causes performance issues when combined with other hooks).

Building from Source

The Frida agent is pre-built and included as clsdumper/frida/scripts/agent.js. To modify the agent:

# Install agent dependencies
cd agent && npm install

# Build the TypeScript agent
npm run build

# Install the Python package
cd .. && pip install -e .

How It Works

clsdumper runs in three phases:

  1. Phase 0 — Anti-Frida bypass: Hooks sigaction/signal to block anti-debugging signal handlers, replaces /proc/self/maps reads via memfd_create, and monitors pthread_create to neutralize watchdog threads.

  2. Phase 1 — Native strategies: Runs outside Java.perform() using direct memory access and native function hooks. This works even when the Java bridge fails (common with heavily protected apps).

  3. Phase 2 — Java strategies: Uses the Java bridge to inspect ClassLoaders and hook class loading. Falls back gracefully if the bridge is unavailable.

All found DEX files are deduplicated (fast djb2 hash on the agent, SHA-256 on the host) and saved with metadata including the strategy that found them.

Output

dump_com.example.app/
  dex/
    classes_001.dex    # Dumped DEX files
    classes_002.dex
    ...
  classes/             # Only with --extract-classes
    com/example/...
  metadata.json        # Dump metadata and per-file info

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for anatoliyfeed from gravatar.com anatoliyfeed

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: clsdumper contributors
  • Tags android , class-dumper , dex , frida , reverse-engineering
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

0.2.0

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

clsdumper-0.1.0.tar.gz (241.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

clsdumper-0.1.0-py3-none-any.whl (213.9 kB view details)

Uploaded Python 3

File details

Details for the file clsdumper-0.1.0.tar.gz.

File metadata

  • Download URL: clsdumper-0.1.0.tar.gz
  • Upload date:
  • Size: 241.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for clsdumper-0.1.0.tar.gz
Algorithm Hash digest
SHA256 4e2421594d29717cfc45ae54dcd39350bce1c9dfd0ab09d765ce8f14090f0e69
MD5 990274ac3aa9973a2a736eccee3b1c0d
BLAKE2b-256 843fb2ca51ee4146c04d3ee6b47cf6b9fc1e69442e7e01659d77c4f6a13f57dd

See more details on using hashes here.

Provenance

The following attestation bundles were made for clsdumper-0.1.0.tar.gz:

Publisher: release.yml on TheQmaks/clsdumper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file clsdumper-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: clsdumper-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 213.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for clsdumper-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 29f5b1eb032a594967d6937ac3cf52ef9839b74391003835f25f98e9fc2a2f4c
MD5 c6d5eec8af2d4aadb25a0c47c7b3528d
BLAKE2b-256 f4e133aff706fe224a49c5319f9eb9aa5c9d32ff728afbaea77325c51dc52f17

See more details on using hashes here.

Provenance

The following attestation bundles were made for clsdumper-0.1.0-py3-none-any.whl:

Publisher: release.yml on TheQmaks/clsdumper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page