Unpacking framework for common android malware
Project description
🫙 kavanoz 🫙
Statically unpacking common android banker malware.
Ever wanted to get payload from packed malware without running android emulator ? Me neither.
Requirements
- python >= 3.9
- arc4
- androguard
- lief
- unicorn
- androidemu
- pycryptodome
:eyes: Installation
pip install -e . --user
:zap: Usage
from cmdline
kavanoz /tmp/filepath
from python library
from kavanoz.core import Kavanoz
k = Kavanoz(apk_path)
for plugin_result in k.get_plugin_results():
if plugin_result['status'] = 'success':
print('Unpacked')
print(plugin_result)
:snake: Scripts:
- rc4.py Generic rc4 encrypted asset file. Script covers multiple versions.
- old_rc4.py Another Generic rc4 encrypted asset file.
- subapp.py Decryption of file with key derived from Manifest file ProtectKey variable
- multidex.py Multidex like loader with inflated packed file. (zlib compression)
- coper.py Extract rc4 key from native lib with emulation (AndroidNativeEmu)
- moqhao.py Emulation for moqhau unpacking.
- sesdex.py
- simple_aes.py
- simple_xor.py
- simple_xor2.py
- simple_xor_zlib.py
- subapp.py Decrypt asset with package name
Note
Do not use cryptodome for rc4 decryption. It does not work with 2-4 key size.
:gear: Development
To add new plugins just create new file in loader folder. Extend Unpacker class from unpack_plugin.py file. Define start_decrypt function with your implementation.
def start_decrypt(self, apk_object: APK, dvms: "list[DalvikVMFormat]"):
Add following function to make early exit from plugin.
def lazy_check(self,apk_object:APK, dvms: "list[DalvikVMFormat]"):
If extraction is succesful assign self.decrypted_payload_path with extracted file path. You can use helper functions from unpacker class:
- get_array_data
- get_smali
- find_method(class_name,method_name,descriptor="")
- check_and_write_file(file_data) : checks file has dex, zip and zlib headers and writes unpacked dex with name : "external-{m[:8]}.dex"
:book: Tips
- self.dvms hold dex dvm objects. You can get class with
dvm.get_class(smali_annotation_of_class). - You can use get_smali function and give target method obj to get smali represantation of target method. Then apply some regex to get data from smali. There are lots of defined regexs in smali_regexes.py file to lookup.
- Most of the time packers use file from asset folder. You can get files with
self.apk_object.get_files() - Most of the time packers use Application class to start unpacking sequence. Use
application = self.apk_object.get_attribute_value("application", "name")to get application class defined in manifest file.
Thanks:
apkdetect.com for unique samples to work with.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file kavanoz-0.0.2.tar.gz.
File metadata
- Download URL: kavanoz-0.0.2.tar.gz
- Upload date:
- Size: 429.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 08a7ffb0ba54692dc58cd6866d90b8f80cd3e830c1c8d3e80b6a422adc5025b1 |
|
| MD5 | d8fb58fb6048c01f1078c3c5818bcaa5 |
|
| BLAKE2b-256 | f95feb001df91dfd66f7ccc80f172d3b277cec1f391f5812b59d5dee2ad0c0f2 |
File details
Details for the file kavanoz-0.0.2-py3-none-any.whl.
File metadata
- Download URL: kavanoz-0.0.2-py3-none-any.whl
- Upload date:
- Size: 438.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f04719ee3d145535bcaf695316fe6e2e8a0feec79ca01844746e34dee37dd1ee |
|
| MD5 | 3a84c7df734ad22358e2b5c8ec6dea27 |
|
| BLAKE2b-256 | ca989a30a2301350ad805f20f31773ce1774033f9a6771a1c3f29f621f007ffa |
