Skip to main content

Identifies TLS/SSL libraries in running processes using Frida-based dynamic instrumentation.

Project description

TlsLibHunter Logo

Identifying TLS Libraries Within Processes

TLSLibHunter

version PyPI version Publish status Lint

Identify and extract TLS/SSL libraries from running processes using dynamic instrumentation.

Installation

pip install tlsLibHunter

Quick Start

CLI Usage

# List TLS libraries in a local process
tlsLibHunter firefox -l

# Scan and extract TLS libraries
tlsLibHunter firefox

# Android device
tlsLibHunter com.example.app -m -l

# JSON output
tlsLibHunter firefox -l -f json

# Full, unfiltered diagnostic scan (show known false positives + low-confidence hits)
tlsLibHunter com.example.app -m -l --scan-everything

# Debug run — also writes everything shown in the terminal to a log file
tlsLibHunter com.example.app -m -l -d

Example output:

tlslibhunter -m -l Chrome
INFO: Platform: android
INFO: Found 324 loaded modules
INFO: Pattern match in libssl.so: 1 hits
INFO: Detected: libssl.so (boringssl, system)
INFO: Pattern match in libmonochrome_64.so: 1 hits
INFO: Fingerprint: libmonochrome_64.so identified as boringssl
INFO: Detected: libmonochrome_64.so (boringssl, app)
INFO: Scan complete: 2 TLS libraries found in 298 modules (8.06s)
        				TLS Libraries in 'Chrome' (android)                    
┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ #    ┃ Library             ┃ Type      ┃ Class  ┃      Size ┃ Path                       ┃
┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1     libssl.so            boringssl  system  376.0 KiB  /apex/com.…                │
│ 2     libmonochrome_64.so  boringssl  app     119.1 MiB  /data/app/~~NlI…           │
└──────┴─────────────────────┴───────────┴────────┴───────────┴────────────────────────────┘

Scanned 298 modules in 8.06s

Python API

from tlslibhunter import TLSLibHunter

# Scan a local process
hunter = TLSLibHunter("firefox")
result = hunter.scan()
for lib in result.libraries:
    print(f"{lib.name} ({lib.library_type}) - {lib.path}")

# Scan and extract
result = hunter.scan()
extractions = hunter.extract(result, output_dir="./extracted_libs")

Features

  • Memory scanning for TLS string patterns
  • Supports OpenSSL, BoringSSL, GnuTLS, wolfSSL, mbedTLS, NSS, SChannel, SecureTransport
  • Multi-platform: Android, iOS, Windows, Linux, macOS
  • Multiple extraction methods: disk copy, ADB pull, APK extraction, memory dump
  • Clean Python API for programmatic use
  • Backend abstraction (currently only frida but might be extended to other frameworks in the future)

Result filtering & scan depth

By default the results table is curated to show only genuine, hookable TLS stacks so the output stays actionable:

  • Confidence threshold — only medium- and high-confidence detections are shown. The long tail of low-confidence hits (coincidental 4-byte ASCII fragments) is hidden.
  • Known false positives — crypto-primitive and JNI-wrapper libraries that carry TLS strings (and may even re-export SSL_* symbols) but are not independently hookable TLS stacks are skipped during scanning. This currently covers libcrypto.so / stable_cronet_libcrypto.so (BoringSSL/OpenSSL primitives) and libjavacrypto.so (the Conscrypt JNI bridge). The real key-extraction targets — libssl.so, libcronet*, stable_cronet_libssl.so — are kept.

Hidden detections are never lost silently: the scan summary logs how many were hidden, and the names are recorded in pipeline_stats (hidden_low_confidence_names, hidden_false_positive_names, false_positive_skipped_names).

To see everything (known false positives, low-confidence rows, and the verbose weak-evidence breakdown), run a full scan with --scan-everything. This is the only flag that disables the default filters.

Debug log file

Passing -d / --debug additionally tees all terminal output (the results table plus every log line) into a timestamped, ANSI-stripped file in the current directory, named tlslibhunter_<target>_<YYYYmmdd-HHMMSS>.log.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tlslibhunter-0.2.7.tar.gz (81.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tlslibhunter-0.2.7-py3-none-any.whl (77.7 kB view details)

Uploaded Python 3

File details

Details for the file tlslibhunter-0.2.7.tar.gz.

File metadata

  • Download URL: tlslibhunter-0.2.7.tar.gz
  • Upload date:
  • Size: 81.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tlslibhunter-0.2.7.tar.gz
Algorithm Hash digest
SHA256 5fe244be57e9d5143a23512fe8c46d9431a3faf20c74bbfc5f60f0af71e33789
MD5 2bf64ec795f91cd2ce70e138d7306ebe
BLAKE2b-256 a9928373e8292d50295119666e6d61e53f8208ce9a5e7796c5960f6f0123ac84

See more details on using hashes here.

Provenance

The following attestation bundles were made for tlslibhunter-0.2.7.tar.gz:

Publisher: publish.yml on monkeywave/tlsLibHunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tlslibhunter-0.2.7-py3-none-any.whl.

File metadata

  • Download URL: tlslibhunter-0.2.7-py3-none-any.whl
  • Upload date:
  • Size: 77.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tlslibhunter-0.2.7-py3-none-any.whl
Algorithm Hash digest
SHA256 7e02785013fec2c225a2a16e15190c5f6cbae1759bf77580851102c0c8c48291
MD5 0bd48e7f23079565400d38878499736a
BLAKE2b-256 45f3fe85dcd0675a7e23b47aa256963ffdb315f9482e902f83049a0876281d1d

See more details on using hashes here.

Provenance

The following attestation bundles were made for tlslibhunter-0.2.7-py3-none-any.whl:

Publisher: publish.yml on monkeywave/tlsLibHunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page