Identifies TLS/SSL libraries in running processes using Frida-based dynamic instrumentation.
Project description
TLSLibHunter
Identify and extract TLS/SSL libraries from running processes using dynamic instrumentation.
Installation
pip install tlsLibHunter
Quick Start
CLI Usage
# List TLS libraries in a local process
tlsLibHunter firefox -l
# Scan and extract TLS libraries
tlsLibHunter firefox
# Android device
tlsLibHunter com.example.app -m -l
# JSON output
tlsLibHunter firefox -l -f json
# Full, unfiltered diagnostic scan (show known false positives + low-confidence hits)
tlsLibHunter com.example.app -m -l --scan-everything
# Debug run — also writes everything shown in the terminal to a log file
tlsLibHunter com.example.app -m -l -d
Example output:
tlslibhunter -m -l Chrome
INFO: Platform: android
INFO: Found 324 loaded modules
INFO: Pattern match in libssl.so: 1 hits
INFO: Detected: libssl.so (boringssl, system)
INFO: Pattern match in libmonochrome_64.so: 1 hits
INFO: Fingerprint: libmonochrome_64.so identified as boringssl
INFO: Detected: libmonochrome_64.so (boringssl, app)
INFO: Scan complete: 2 TLS libraries found in 298 modules (8.06s)
TLS Libraries in 'Chrome' (android)
┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ # ┃ Library ┃ Type ┃ Class ┃ Size ┃ Path ┃
┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ libssl.so │ boringssl │ system │ 376.0 KiB │ /apex/com.… │
│ 2 │ libmonochrome_64.so │ boringssl │ app │ 119.1 MiB │ /data/app/~~NlI… │
└──────┴─────────────────────┴───────────┴────────┴───────────┴────────────────────────────┘
Scanned 298 modules in 8.06s
Python API
from tlslibhunter import TLSLibHunter
# Scan a local process
hunter = TLSLibHunter("firefox")
result = hunter.scan()
for lib in result.libraries:
print(f"{lib.name} ({lib.library_type}) - {lib.path}")
# Scan and extract
result = hunter.scan()
extractions = hunter.extract(result, output_dir="./extracted_libs")
Features
- Memory scanning for TLS string patterns
- Supports OpenSSL, BoringSSL, GnuTLS, wolfSSL, mbedTLS, NSS, SChannel, SecureTransport
- Multi-platform: Android, iOS, Windows, Linux, macOS
- Multiple extraction methods: disk copy, ADB pull, APK extraction, memory dump
- Clean Python API for programmatic use
- Backend abstraction (currently only frida but might be extended to other frameworks in the future)
Result filtering & scan depth
By default the results table is curated to show only genuine, hookable TLS stacks so the output stays actionable:
- Confidence threshold — only
medium- andhigh-confidence detections are shown. The long tail oflow-confidence hits (coincidental 4-byte ASCII fragments) is hidden. - Known false positives — crypto-primitive and JNI-wrapper libraries that carry TLS strings
(and may even re-export
SSL_*symbols) but are not independently hookable TLS stacks are skipped during scanning. This currently coverslibcrypto.so/stable_cronet_libcrypto.so(BoringSSL/OpenSSL primitives) andlibjavacrypto.so(the Conscrypt JNI bridge). The real key-extraction targets —libssl.so,libcronet*,stable_cronet_libssl.so— are kept.
Hidden detections are never lost silently: the scan summary logs how many were hidden, and the
names are recorded in pipeline_stats (hidden_low_confidence_names,
hidden_false_positive_names, false_positive_skipped_names).
To see everything (known false positives, low-confidence rows, and the verbose weak-evidence
breakdown), run a full scan with --scan-everything. This is the only flag that disables the
default filters.
Debug log file
Passing -d / --debug additionally tees all terminal output (the results table plus every
log line) into a timestamped, ANSI-stripped file in the current directory, named
tlslibhunter_<target>_<YYYYmmdd-HHMMSS>.log.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tlslibhunter-0.2.7.tar.gz.
File metadata
- Download URL: tlslibhunter-0.2.7.tar.gz
- Upload date:
- Size: 81.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5fe244be57e9d5143a23512fe8c46d9431a3faf20c74bbfc5f60f0af71e33789
|
|
| MD5 |
2bf64ec795f91cd2ce70e138d7306ebe
|
|
| BLAKE2b-256 |
a9928373e8292d50295119666e6d61e53f8208ce9a5e7796c5960f6f0123ac84
|
Provenance
The following attestation bundles were made for tlslibhunter-0.2.7.tar.gz:
Publisher:
publish.yml on monkeywave/tlsLibHunter
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlslibhunter-0.2.7.tar.gz -
Subject digest:
5fe244be57e9d5143a23512fe8c46d9431a3faf20c74bbfc5f60f0af71e33789 - Sigstore transparency entry: 1939478912
- Sigstore integration time:
-
Permalink:
monkeywave/tlsLibHunter@2575107564bdef50a59e3f89935b42cab779ed99 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/monkeywave
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2575107564bdef50a59e3f89935b42cab779ed99 -
Trigger Event:
push
-
Statement type:
File details
Details for the file tlslibhunter-0.2.7-py3-none-any.whl.
File metadata
- Download URL: tlslibhunter-0.2.7-py3-none-any.whl
- Upload date:
- Size: 77.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7e02785013fec2c225a2a16e15190c5f6cbae1759bf77580851102c0c8c48291
|
|
| MD5 |
0bd48e7f23079565400d38878499736a
|
|
| BLAKE2b-256 |
45f3fe85dcd0675a7e23b47aa256963ffdb315f9482e902f83049a0876281d1d
|
Provenance
The following attestation bundles were made for tlslibhunter-0.2.7-py3-none-any.whl:
Publisher:
publish.yml on monkeywave/tlsLibHunter
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlslibhunter-0.2.7-py3-none-any.whl -
Subject digest:
7e02785013fec2c225a2a16e15190c5f6cbae1759bf77580851102c0c8c48291 - Sigstore transparency entry: 1939478995
- Sigstore integration time:
-
Permalink:
monkeywave/tlsLibHunter@2575107564bdef50a59e3f89935b42cab779ed99 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/monkeywave
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2575107564bdef50a59e3f89935b42cab779ed99 -
Trigger Event:
push
-
Statement type: