ruby_apk 0.4.0

data/.rspec

@@ -0,0 +1 @@
+--color --format d

data/Gemfile

@@ -0,0 +1,16 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+gem "rubyzip"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec", "~> 2.11.0"
+  gem "bundler", "~> 1.1.5"
+  gem "jeweler", "~> 1.6.4"
+  gem "yard", require: false
+  gem "redcarpet"
+  gem "simplecov", require: false
+end

data/Gemfile.lock

@@ -0,0 +1,38 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    git (1.2.5)
+    jeweler (1.6.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+    multi_json (1.3.6)
+    rake (0.9.2.2)
+    redcarpet (2.2.2)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.1)
+    rspec-expectations (2.11.2)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.1)
+    rubyzip (0.9.9)
+    simplecov (0.6.4)
+      multi_json (~> 1.0)
+      simplecov-html (~> 0.5.3)
+    simplecov-html (0.5.3)
+    yard (0.8.2.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.1.5)
+  jeweler (~> 1.6.4)
+  redcarpet
+  rspec (~> 2.11.0)
+  rubyzip
+  simplecov
+  yard

data/LICENSE.txt

@@ -0,0 +1,22 @@
+(The MIT License)
+
+Copyright (c) 2012 Securebrain
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,106 @@
+# ruby_apk
+Android Apk static analysis library for Ruby.
+
+## Requirements
+- ruby(>=1.9.x)
+- rubyzip gem(>=0.9.9)
+
+## Install
+	$ gem install ruby_apk
+
+## Usage
+### Initialize
+	require 'ruby_apk'
+	apk = Android::Apk.new('sample.apk') # set apk file path
+
+### Apk
+#### Listing files in Apk
+	# listing files in apk
+	apk = Android::Apk.new('sample.apk')
+	apk.each_file do |name, data|
+		puts "#{name}: #{data.size}bytes" # puts file name and data size
+	end
+
+#### Find files in Apk
+	apk = Android::Apk.new('sample.apk')
+	elf_files = apk.find{|name, data| data[0..3] == [0x7f, 0x45, 0x4c, 0x46] } # ELF magic number
+
+### Manifest
+#### Get readable xml
+	apk = Android::Apk.new('sample.apk')
+	manifest = apk.manifest
+	puts manifest.to_xml
+
+#### Listing components and permissions
+	apk = Android::Apk.new('sample.apk')
+	manifest = apk.manifest
+	# listing components
+	manifest.components.each do |c| # 'c' is Android::Manifest::Component object
+		puts "#{c.type}: #{c.name}" 
+		c.intent_filters.each do |filter|
+			puts "\t#{filter.type}"
+		end
+	end
+
+	# listing use-permission tag
+	manifest.use_permissions.each do |permission|
+		puts permission
+	end
+
+### Resource
+#### Extract resource strings from apk
+	apk = Android::Apk.new('sample.apk')
+	rsc = apk.resource
+	rsc.strings.each do |str|
+		puts str
+	end
+
+#### Parse resource file directly
+	rsc_data = File.open('resources.arsc', 'rb').read{|f| f.read }
+	rsc = Android::Resource.new(rsc_data)
+
+### Dex
+#### Extract dex information
+	apk = Android::Apk.new('sample.apk')
+	dex = apk.dex
+	# listing string table in dex
+	dex.strings do |str|
+		puts str
+	end
+
+	# listing all class names
+	dex.classes do |cls| # cls is Android::Dex::ClassInfo
+		puts cls.name
+	end
+
+#### Parse dex file directly
+	dex_data = File.open('classes.dex','rb').read{|f| f.read }
+	dex = Android::Dex.new(dex_data)
+
+
+## ChangeLog
+### 0.4.0
+* add resource parser
+* enhance dex parser
+
+### 0.3.0
+* add and change name space
+* add Android::Utils module and some util methods
+* add Apk#entry, Apk#each_entry, and Apk#time methods,
+
+### 0.2.0
+* update documents
+* add Apk::Dex#each_strings, Apk::Dex#each_class_names
+
+### 0.1.2
+* fix bug(improve android binary xml parser)
+
+### 0.1.1
+* fix bug(failed to initialize Apk::Manifest::Meta class)
+* replace iconv to String#encode(for ruby1.9)
+
+
+## Copyright
+
+Copyright (c) 2012 SecureBrain. See LICENSE.txt for further details.
+

data/Rakefile

@@ -0,0 +1,43 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "ruby_apk"
+  gem.homepage = "http://www.securebrain.co.jp/"
+  gem.license = "MIT"
+  gem.summary = %Q{static analysis tool for android apk}
+  gem.description = %Q{static analysis tool for android apk}
+  gem.email = "info@securebrain.co.jp"
+  gem.authors = ["SecureBrain"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+
+task :default => :spec
+
+require 'yard'
+require 'yard/rake/yardoc_task'
+YARD::Rake::YardocTask.new do |t|
+  t.files = ['lib/**/*.rb']
+  t.options = []
+  t.options << '--debug' << '--verbose' if $trace
+end

data/VERSION

@@ -0,0 +1 @@
+0.4.0

data/lib/android/apk.rb

@@ -0,0 +1,155 @@
+require 'zip/zip' # need rubyzip gem -> doc: http://rubyzip.sourceforge.net/
+require 'digest/md5'
+require 'digest/sha1'
+require 'digest/sha2'
+
+module Android
+  class NotApkFileError < StandardError; end
+  class NotFoundError < StandardError; end
+
+  # apk object class
+  class Apk
+
+    # @return [String] apk file path
+    attr_reader :path
+    # @return [Android::Manifest] manifest instance
+    # @return [nil] when parsing manifest is failed.
+    attr_reader  :manifest
+    # @return [Android::Dex] dex instance
+    # @return [nil] when parsing dex is failed.
+    attr_reader :dex
+    # @return [String] binary data of apk
+    attr_reader :bindata
+    # @return [Resource] resouce data
+    # @return [nil] when parsing resource is failed.
+    attr_reader :resource
+
+    # AndroidManifest file name
+    MANIFEST = 'AndroidManifest.xml'
+    # dex file name
+    DEX = 'classes.dex'
+    # resource file name
+    RESOURCE = 'resources.arsc'
+
+    # create new apk object
+    # @param [String] filepath apk file path
+    # @raise [Android::NotFoundError] path file does'nt exist
+    # @raise [Android::NotApkFileError] path file is not Apk file.
+    def initialize(filepath)
+      @path = filepath
+      raise NotFoundError, "'#{filepath}'" unless File.exist? @path
+      begin
+        @zip = Zip::ZipFile.open(@path)
+      rescue Zip::ZipError => e
+        raise NotApkFileError, e.message 
+      end
+
+      @bindata = File.open(@path, 'rb') {|f| f.read }
+      @bindata.force_encoding(Encoding::ASCII_8BIT)
+      raise NotApkFileError, "manifest file is not found." if @zip.find_entry(MANIFEST).nil?
+      begin
+        @manifest = Android::Manifest.new(self.file(MANIFEST))
+      rescue => e
+        $stderr.puts "failed to parse manifest:#{e}"
+        #$stderr.puts e.backtrace
+      end
+      begin
+        @dex = Android::Dex.new(self.file(DEX))
+      rescue => e
+        $stderr.puts "failed to parse dex:#{e}"
+        #$stderr.puts e.backtrace
+      end
+      begin
+        @resource = Android::Resource.new(self.file(RESOURCE))
+      rescue => e
+        $stderr.puts "failed to parse resource:#{e}"
+        #$stderr.puts e.backtrace
+      end
+    end
+
+    # return apk file size
+    # @return [Integer] bytes
+    def size
+      @bindata.size
+    end
+
+    # return hex digest string of apk file
+    # @param [Symbol] type hash digest type(:sha1, sha256, :md5)
+    # @return [String] hex digest string
+    # @raise [ArgumentError] type is knknown type
+    def digest(type = :sha1)
+      case type
+      when :sha1
+        Digest::SHA1.hexdigest(@bindata)
+      when :sha256
+        Digest::SHA256.hexdigest(@bindata)
+      when :md5
+        Digest::MD5.hexdigest(@bindata)
+      else
+        raise ArgumentError
+      end
+    end
+
+    # returns date of AndroidManifest.xml as Apk date
+    # @return [Time]
+    def time
+      entry(MANIFEST).time
+    end
+
+    # @yield [name, data]
+    # @yieldparam [String] name file name in apk
+    # @yieldparam [String] data file data in apk
+    def each_file
+      @zip.each do |entry|
+        next unless entry.file?
+        yield entry.name, @zip.read(entry)
+      end
+    end
+
+    # find and return binary data with name
+    # @param [String] name file name in apk(fullpath)
+    # @return [String] binary data
+    # @raise [NotFoundError] when 'name' doesn't exist in the apk
+    def file(name) # get data by entry name(path)
+      @zip.read(entry(name))
+    end
+
+    # @yield [entry]
+    # @yieldparam [Zip::Entry] entry zip entry
+    def each_entry
+      @zip.each do |entry|
+        next unless entry.file?
+        yield entry
+      end
+    end
+
+    # find and return zip entry with name
+    # @param [String] name file name in apk(fullpath)
+    # @return [Zip::ZipEntry] zip entry object
+    # @raise [NotFoundError] when 'name' doesn't exist in the apk
+    def entry(name)
+      entry = @zip.find_entry(name)
+      raise NotFoundError, "'#{name}'" if entry.nil?
+      return entry
+    end
+
+    # find files which is matched with block condition
+    # @yield [name, data] find condition
+    # @yieldparam [String] name file name in apk
+    # @yieldparam [String] data file data in apk
+    # @yieldreturn [Array] Array of matched entry name
+    # @return [Array] Array of matched entry name
+    # @example
+    #   apk = Apk.new(path)
+    #   elf_files = apk.find  { |name, data|  data[0..3] == [0x7f, 0x45, 0x4c, 0x46] } # ELF magic number
+    def find(&block)
+      found = []
+      self.each_file do |name, data|
+        ret = block.call(name, data)
+        found << name if ret
+      end
+      found
+    end
+  end
+end
+

data/lib/android/axml_parser.rb

@@ -0,0 +1,178 @@
+require 'rexml/document'
+require 'stringio'
+
+
+module Android
+  # binary AXML parser
+  # @see https://android.googlesource.com/platform/frameworks/base.git Android OS frameworks source
+  # @note
+  #   refer to Android OS framework code:
+  #   
+  #   /frameworks/base/include/androidfw/ResourceTypes.h,
+  #   
+  #   /frameworks/base/libs/androidfw/ResourceTypes.cpp
+  class AXMLParser
+    # axml parse error
+    class ReadError < StandardError; end
+
+    TAG_START_DOC = 0x00100100
+    TAG_END_DOC =   0x00100101
+    TAG_START =     0x00100102
+    TAG_END =       0x00100103
+    TAG_TEXT =      0x00100104
+    TAG_CDSECT =    0x00100105
+    TAG_ENTITY_REF= 0x00100106
+
+    VAL_TYPE_NULL              =0
+    VAL_TYPE_REFERENCE         =1
+    VAL_TYPE_ATTRIBUTE         =2
+    VAL_TYPE_STRING            =3
+    VAL_TYPE_FLOAT             =4
+    VAL_TYPE_DIMENSION         =5
+    VAL_TYPE_FRACTION          =6
+    VAL_TYPE_INT_DEC           =16
+    VAL_TYPE_INT_HEX           =17
+    VAL_TYPE_INT_BOOLEAN       =18
+    VAL_TYPE_INT_COLOR_ARGB8   =28
+    VAL_TYPE_INT_COLOR_RGB8    =29
+    VAL_TYPE_INT_COLOR_ARGB4   =30
+    VAL_TYPE_INT_COLOR_RGB4    =31
+
+    # @return [Array<String>] strings defined in axml
+    attr_reader :strings
+
+    # @param [String] axml binary xml data
+    def initialize(axml)
+      @io = StringIO.new(axml, "rb")
+      @strings = []
+    end
+
+    # parse binary xml
+    # @return [REXML::Document]
+    def parse
+      @doc = REXML::Document.new
+      @doc << REXML::XMLDecl.new
+
+      @num_str = word(4*4)
+      @xml_offset = word(3*4)
+
+      @parents = [@doc]
+      @ns = []
+      parse_strings
+      parse_tags
+      @doc
+    end
+
+
+    private
+    # read one word(4byte) as integer
+    # @param [Integer] offset offset from top position. current position is used if ofset is nil
+    # @return [Integer] little endian word value
+    def word(offset=nil)
+      @io.pos = offset unless offset.nil?
+      @io.read(4).unpack("V")[0]
+    end
+
+    # read 2byte as short integer
+    # @param [Integer] offset offset from top position. current position is used if ofset is nil
+    # @return [Integer] little endian unsign short value
+    def short(offset)
+      @io.pos = offset unless offset.nil?
+      @io.read(2).unpack("v")[0]
+    end
+
+    # parse string table
+    def parse_strings
+      sit_off = 0x24                  # string index table offset
+      st_off = sit_off + @num_str * 4 # string table offset
+      @strings = []
+      @num_str.times do |i|
+        pos = st_off + word(sit_off + (4 * i)) # get position from string index table
+        len = short(pos) # read string length(not bytes)
+        str = @io.read(len*2) # read string(UTF-16LE)
+        str.force_encoding(Encoding::UTF_16LE)
+        @strings[i] = str.encode(Encoding::UTF_8)
+      end
+    end
+
+    # parse tag
+    def parse_tags
+      # skip until START_TAG
+      pos = @xml_offset
+      pos += 4 until (word(pos) == TAG_START) #ugh!
+      @io.pos -= 4
+
+      # read tags
+      #puts "start tag parse: %d(%#x)" % [@io.pos, @io.pos]
+      until @io.eof?
+        last_pos = @io.pos
+        tag, tag1, line, tag3, ns_id, name_id = @io.read(4*6).unpack("V*")
+        case tag
+        when TAG_START
+          tag6, num_attrs, tag8  = @io.read(4*3).unpack("V*")
+          elem = REXML::Element.new(@strings[name_id])
+          #puts "start tag %d(%#x): #{@strings[name_id]} attrs:#{num_attrs}" % [last_pos, last_pos]
+          @parents.last.add_element elem
+          num_attrs.times do
+            key, val = parse_attribute
+            elem.add_attribute(key, val)
+          end
+          @parents.push elem
+        when TAG_END
+          @parents.pop
+        when TAG_END_DOC
+          break
+        when TAG_TEXT
+          text = REXML::Text.new(@strings[ns_id])
+          @parents.last.text = text
+          dummy = @io.read(4*1).unpack("V*") # skip 4bytes
+        when TAG_START_DOC, TAG_CDSECT, TAG_ENTITY_REF
+          # not implemented yet.
+        else
+          raise ReadError, "pos=%d(%#x)[tag:%#x]" % [last_pos, last_pos, tag]
+        end
+      end
+    end
+
+    # parse attribute of a element
+    def parse_attribute
+      ns_id, name_id, val_str_id, flags, val = @io.read(4*5).unpack("V*")
+      key = @strings[name_id]
+      unless ns_id == 0xFFFFFFFF
+        ns = @strings[ns_id] 
+        prefix = ns.sub(/.*\//,'')
+        unless @ns.include? ns
+          @ns << ns
+          @doc.root.add_namespace(prefix, ns)
+        end
+        key = "#{prefix}:#{key}"
+      end
+      value = convert_value(val_str_id, flags, val)
+      return key, value
+    end
+
+
+    def convert_value(val_str_id, flags, val)
+      unless val_str_id == 0xFFFFFFFF
+        value = @strings[val_str_id]
+      else
+        type = flags >> 24
+        case type
+        when VAL_TYPE_NULL
+          value = nil
+        when VAL_TYPE_REFERENCE
+          value = "@%#x" % val # refered resource id.
+        when VAL_TYPE_INT_DEC
+          value = val
+        when VAL_TYPE_INT_HEX
+          value = "%#x" % val
+        when VAL_TYPE_INT_BOOLEAN
+          value = val != 0xFFFFFFFE ? true : false # ugh! is it ok??
+        else
+          value = "[%#x, flag=%#x]" % [val, flags]
+        end
+      end
+    end
+  end
+
+end

data/lib/android/dex/access_flag.rb

@@ -0,0 +1,74 @@
+
+module Android
+  class Dex
+    # access flag object
+    class AccessFlag
+      # @return [Integer] flag value
+      attr_reader :flag
+      def initialize(flag)
+        @flag = flag
+      end
+    end
+
+    # access flag object for class in dex
+    class ClassAccessFlag < AccessFlag
+      ACCESSORS = [
+        {value:0x1,     name:'public'},
+        {value:0x2,     name:'private'},
+        {value:0x4,     name:'protected'},
+        {value:0x8,     name:'static'},
+        {value:0x10,    name:'final'},
+        {value:0x20,    name:'synchronized'},
+        {value:0x40,    name:'volatile'},
+        {value:0x80,    name:'transient'},
+        {value:0x100,   name:'native'},
+        {value:0x200,   name:'interface'},
+        {value:0x400,   name:'abstract'},
+        {value:0x800,   name:'strict'},
+        {value:0x1000,  name:'synthetic'},
+        {value:0x2000,  name:'annotation'},
+        {value:0x4000,  name:'enum'},
+        #{value:0x8000,  name:'unused'},
+        {value:0x10000, name:'constructor'},
+        {value:0x20000, name:'declared-synchronized'},
+      ]
+
+      # convert access flag to string
+      # @return [String]
+      def to_s
+        ACCESSORS.select{|e| ((e[:value] & @flag) != 0) }.map{|e| e[:name] }.join(' ')
+      end
+    end
+   
+    # access flag object for method in dex
+    class MethodAccessFlag < AccessFlag
+      ACCESSORS = [
+        {value: 0x1,     name:'public'},
+        {value: 0x2,     name:'private'},
+        {value: 0x4,     name:'protected'},
+        {value: 0x8,     name:'static'},
+        {value: 0x10,    name:'final'},
+        {value: 0x20,    name:'synchronized'},
+        {value: 0x40,    name:'bridge'},
+        {value: 0x80,    name:'varargs'},
+        {value: 0x100,   name:'native'},
+        {value: 0x200,   name:'interface'},
+        {value: 0x400,   name:'abstract'},
+        {value: 0x800,   name:'strict'},
+        {value: 0x1000,  name:'synthetic'},
+        {value: 0x2000,  name:'annotation'},
+        {value: 0x4000,  name:'enum'},
+        #{value: 0x8000,  name:'unused'},
+        {value: 0x10000, name:'constructor'},
+        {value: 0x20000, name:'declared-synchronized'},
+      ]
+      # convert access flag to string
+      # @return [String]
+      def to_s
+        ACCESSORS.select{|e| ((e[:value] & @flag) != 0) }.map{|e| e[:name] }.join(' ')
+      end
+    end
+  end
+end
+
+