Skip to main content

Identifies TLS/SSL libraries in running processes using Frida-based dynamic instrumentation.

Project description

TlsLibHunter Logo

Identifying TLS Libraries Within Processes

TLSLibHunter

version PyPI version Publish status Lint

Identify and extract TLS/SSL libraries from running processes using dynamic instrumentation.

Installation

pip install tlsLibHunter

Quick Start

CLI Usage

# List TLS libraries in a local process
tlsLibHunter firefox -l

# Scan and extract TLS libraries
tlsLibHunter firefox

# Android device
tlsLibHunter com.example.app -m -l

# JSON output
tlsLibHunter firefox -l -f json

# Full, unfiltered diagnostic scan (show known false positives + low-confidence hits)
tlsLibHunter com.example.app -m -l --scan-everything

# Debug run — also writes everything shown in the terminal to a log file
tlsLibHunter com.example.app -m -l -d

Example output:

tlslibhunter -m -l Chrome
INFO: Platform: android
INFO: Found 324 loaded modules
INFO: Pattern match in libssl.so: 1 hits
INFO: Detected: libssl.so (boringssl, system)
INFO: Pattern match in libmonochrome_64.so: 1 hits
INFO: Fingerprint: libmonochrome_64.so identified as boringssl
INFO: Detected: libmonochrome_64.so (boringssl, app)
INFO: Scan complete: 2 TLS libraries found in 298 modules (8.06s)
        				TLS Libraries in 'Chrome' (android)                    
┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ #    ┃ Library             ┃ Type      ┃ Class  ┃      Size ┃ Path                       ┃
┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1     libssl.so            boringssl  system  376.0 KiB  /apex/com.…                │
│ 2     libmonochrome_64.so  boringssl  app     119.1 MiB  /data/app/~~NlI…           │
└──────┴─────────────────────┴───────────┴────────┴───────────┴────────────────────────────┘

Scanned 298 modules in 8.06s

Python API

from tlslibhunter import TLSLibHunter

# Scan a local process
hunter = TLSLibHunter("firefox")
result = hunter.scan()
for lib in result.libraries:
    print(f"{lib.name} ({lib.library_type}) - {lib.path}")

# Scan and extract
result = hunter.scan()
extractions = hunter.extract(result, output_dir="./extracted_libs")

Features

  • Memory scanning for TLS string patterns
  • Supports OpenSSL, BoringSSL, GnuTLS, wolfSSL, mbedTLS, NSS, SChannel, SecureTransport
  • Multi-platform: Android, iOS, Windows, Linux, macOS
  • Multiple extraction methods: disk copy, ADB pull, APK extraction, memory dump
  • Clean Python API for programmatic use
  • Backend abstraction (currently only frida but might be extended to other frameworks in the future)

Result filtering & scan depth

By default the results table is curated to show only genuine, hookable TLS stacks so the output stays actionable:

  • Confidence threshold — only medium- and high-confidence detections are shown. The long tail of low-confidence hits (coincidental 4-byte ASCII fragments) is hidden.
  • Known false positives — crypto-primitive and JNI-wrapper libraries that carry TLS strings (and may even re-export SSL_* symbols) but are not independently hookable TLS stacks are skipped during scanning. This currently covers libcrypto.so / stable_cronet_libcrypto.so (BoringSSL/OpenSSL primitives) and libjavacrypto.so (the Conscrypt JNI bridge). The real key-extraction targets — libssl.so, libcronet*, stable_cronet_libssl.so — are kept.

Hidden detections are never lost silently: the scan summary logs how many were hidden, and the names are recorded in pipeline_stats (hidden_low_confidence_names, hidden_false_positive_names, false_positive_skipped_names).

To see everything (known false positives, low-confidence rows, and the verbose weak-evidence breakdown), run a full scan with --scan-everything. This is the only flag that disables the default filters.

Debug log file

Passing -d / --debug additionally tees all terminal output (the results table plus every log line) into a timestamped, ANSI-stripped file in the current directory, named tlslibhunter_<target>_<YYYYmmdd-HHMMSS>.log.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tlslibhunter-0.2.6.tar.gz (81.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tlslibhunter-0.2.6-py3-none-any.whl (77.7 kB view details)

Uploaded Python 3

File details

Details for the file tlslibhunter-0.2.6.tar.gz.

File metadata

  • Download URL: tlslibhunter-0.2.6.tar.gz
  • Upload date:
  • Size: 81.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tlslibhunter-0.2.6.tar.gz
Algorithm Hash digest
SHA256 e15aa74d01c8e4798870828af36c5d1274d2756de5dcee944de755055aabcd84
MD5 c59fdfdae468837e84b5b3a903b7bbb6
BLAKE2b-256 830889dcc6c3375a1f20667ed8b82fd9ad374c31af9a8324bf420ff9276eecf0

See more details on using hashes here.

Provenance

The following attestation bundles were made for tlslibhunter-0.2.6.tar.gz:

Publisher: publish.yml on monkeywave/tlsLibHunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tlslibhunter-0.2.6-py3-none-any.whl.

File metadata

  • Download URL: tlslibhunter-0.2.6-py3-none-any.whl
  • Upload date:
  • Size: 77.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tlslibhunter-0.2.6-py3-none-any.whl
Algorithm Hash digest
SHA256 564d03643b2d2d7c8c1ae4fbb5249d37a64ef6e5862e775141ff447ffe195fdb
MD5 00a3ac569904ecb745646f3a4692234b
BLAKE2b-256 70306a567d1bc74d2b3853f13164149796a2ae9fb9c720f7e7c1eafd26818554

See more details on using hashes here.

Provenance

The following attestation bundles were made for tlslibhunter-0.2.6-py3-none-any.whl:

Publisher: publish.yml on monkeywave/tlsLibHunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page