anais-apk-forensic 1.0.0

package/apkid/rules/res/common.yara

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2024  RedNaga. https://rednaga.io
+ * All rights reserved. Contact: rednaga@protonmail.com
+ *
+ *
+ * This file is part of APKiD
+ *
+ *
+ * Commercial License Usage
+ * ------------------------
+ * Licensees holding valid commercial APKiD licenses may use this file
+ * in accordance with the commercial license agreement provided with the
+ * Software or, alternatively, in accordance with the terms contained in
+ * a written agreement between you and RedNaga.
+ *
+ *
+ * GNU General Public License Usage
+ * --------------------------------
+ * Alternatively, this file may be used under the terms of the GNU General
+ * Public License version 3.0 as published by the Free Software Foundation
+ * and appearing in the file LICENSE.GPL included in the packaging of this
+ * file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ * information to ensure the GNU General Public License version 3.0
+ * requirements will be met.
+ *
+ **/
+
+rule is_res : file_type
+{
+  meta:
+    description = "RES"
+
+  strings:
+    // Common patterns in resources.arsc (package ID, resource type,..)
+    $magic = { 02 00 0C 00 }
+    $type1 = { 01 00 1C 00 }
+    $type2 = { 03 00 00 00 }
+    $type3 = { 00 02 00 00 }
+
+  condition:
+    $magic at 0 and 1 of ($type*)
+}
+

package/apkid/rules/res/obfuscators.yara

@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2024  RedNaga. https://rednaga.io
+ * All rights reserved. Contact: rednaga@protonmail.com
+ *
+ *
+ * This file is part of APKiD
+ *
+ *
+ * Commercial License Usage
+ * ------------------------
+ * Licensees holding valid commercial APKiD licenses may use this file
+ * in accordance with the commercial license agreement provided with the
+ * Software or, alternatively, in accordance with the terms contained in
+ * a written agreement between you and RedNaga.
+ *
+ *
+ * GNU General Public License Usage
+ * --------------------------------
+ * Alternatively, this file may be used under the terms of the GNU General
+ * Public License version 3.0 as published by the Free Software Foundation
+ * and appearing in the file LICENSE.GPL included in the packaging of this
+ * file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ * information to ensure the GNU General Public License version 3.0
+ * requirements will be met.
+ *
+ **/
+
+include "common.yara"
+
+rule mtprotector_res : obfuscator
+{
+  meta:
+    description = "MT Protector"
+    url         = "https://mt2.cn/download/"
+    sample      = "462475fb14ef7b979d1102a61d334cffcdcfc24183be37af868d1dc681bc7126"
+    author      = "Eduardo Novella"
+
+  strings:
+    $sign = {
+      0000 0c0c                         // extra bytes
+      4d54 5f50 726f 7465 6374 6f72 00  // ..MT_Protector.
+    }
+
+  condition:
+    is_res and all of them
+}

package/apkid/rules/res/protectors.yara

@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2024  RedNaga. https://rednaga.io
+ * All rights reserved. Contact: rednaga@protonmail.com
+ *
+ *
+ * This file is part of APKiD
+ *
+ *
+ * Commercial License Usage
+ * ------------------------
+ * Licensees holding valid commercial APKiD licenses may use this file
+ * in accordance with the commercial license agreement provided with the
+ * Software or, alternatively, in accordance with the terms contained in
+ * a written agreement between you and RedNaga.
+ *
+ *
+ * GNU General Public License Usage
+ * --------------------------------
+ * Alternatively, this file may be used under the terms of the GNU General
+ * Public License version 3.0 as published by the Free Software Foundation
+ * and appearing in the file LICENSE.GPL included in the packaging of this
+ * file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ * information to ensure the GNU General Public License version 3.0
+ * requirements will be met.
+ *
+ **/
+
+include "common.yara"
+
+rule bugsmirror : protector
+{
+    meta:
+      description = "BugsMirror"
+      url         = "https://www.bugsmirror.com/"
+      sample      = "c9bbf66ac86bf02663b7bc28a735881d4aeaa8d90e9b8b752e9cf337a26f0bdd"
+      author      = "Abhi"
+
+    strings:
+      $comment  = { 00 ?? ?? 53 65 63 75 72 65 64 20 62 79 20
+                    42 75 67 73 6D 69 72 72 6F 72 00 } // Secured by Bugsmirror
+      $comment2 = { ?? 73 65 63 75 72 65 64 5F 62 79 5F 62 75
+                    67 73 6D 69 72 72 6F 72 00 } // secured_by_bugsmirror
+
+    condition:
+      is_res and any of them
+}

package/apkid/rules.py

@@ -0,0 +1,77 @@
+"""
+ Copyright (C) 2023  RedNaga. https://rednaga.io
+ All rights reserved. Contact: rednaga@protonmail.com
+
+
+ This file is part of APKiD
+
+
+ Commercial License Usage
+ ------------------------
+ Licensees holding valid commercial APKiD licenses may use this file
+ in accordance with the commercial license agreement provided with the
+ Software or, alternatively, in accordance with the terms contained in
+ a written agreement between you and RedNaga.
+
+
+ GNU General Public License Usage
+ --------------------------------
+ Alternatively, this file may be used under the terms of the GNU General
+ Public License version 3.0 as published by the Free Software Foundation
+ and appearing in the file LICENSE.GPL included in the packaging of this
+ file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ information to ensure the GNU General Public License version 3.0
+ requirements will be met.
+"""
+
+import hashlib
+import os
+from typing import Dict
+from typing import Optional
+
+import yara
+
+
+class RulesManager(object):
+    def __init__(self, rules_dir=None, rules_ext='.yara'):
+        if not rules_dir:
+            rules_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'rules')
+        self.rules_dir: str = rules_dir
+        self.rules_path: str = os.path.join(self.rules_dir, 'rules.yarc')
+        self.rules_ext: str = rules_ext
+        self.rules: Optional[yara.Rules] = None
+        self.rules_hash: Optional[str] = None
+
+    def load(self) -> yara.Rules:
+        self.rules = yara.load(self.rules_path)
+        return self.rules
+
+    def _collect_yara_files(self) -> Dict[str, str]:
+        files = {}
+        for root, dirnames, filenames in os.walk(self.rules_dir):
+            for filename in filenames:
+                if not filename.lower().endswith(self.rules_ext):
+                    continue
+                path = os.path.join(root, filename)
+                files[path] = path
+        return files
+
+    def compile(self) -> yara.Rules:
+        yara_files = self._collect_yara_files()
+        self.rules = yara.compile(filepaths=yara_files)
+        return self.rules
+
+    def save(self) -> int:
+        self.rules.save(self.rules_path)
+        rules_count = len(set([r.identifier for r in self.rules]))
+        return rules_count
+
+    @property
+    def hash(self) -> str:
+        if not self.rules_hash:
+            h = hashlib.sha256()
+            for file_path in self._collect_yara_files():
+                with open(file_path, 'rb') as f:
+                    h.update(f.read())
+            self.rules_hash = h.hexdigest()
+        return self.rules_hash

package/bin/anais

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+
+require('../dist/cli.js');

package/dist/cli.js

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const utils_1 = require("./utils");
+const main = () => __awaiter(void 0, void 0, void 0, function* () {
+    const args = process.argv.slice(2);
+    if (args.length === 0) {
+        (0, utils_1.printBanner)();
+        console.log("Usage:");
+        console.log("  anais <apk-file-path>     Analyze an APK file");
+        console.log("  anais --version           Show version");
+        console.log("  anais --help              Show this help message");
+        process.exit(0);
+    }
+    if (args[0] === "--version" || args[0] === "-v") {
+        console.log("Anais APK Forensic CLI v1.0.0");
+        process.exit(0);
+    }
+    if (args[0] === "--help" || args[0] === "-h") {
+        (0, utils_1.printBanner)();
+        console.log("Usage:");
+        console.log("  anais <apk-file-path>     Analyze an APK file");
+        console.log("  anais --version           Show version");
+        console.log("  anais --help              Show this help message");
+        console.log("\nDescription:");
+        console.log("  Comprehensive APK security analysis and SAST scanner");
+        console.log("  - Decompilation with APKTool and JADX");
+        console.log("  - YARA malware detection");
+        console.log("  - Obfuscation detection");
+        console.log("  - Network traffic analysis");
+        console.log("  - AndroidManifest analysis");
+        console.log("  - Entropy analysis for encrypted payloads");
+        process.exit(0);
+    }
+    const apkPath = args[0];
+    try {
+        console.log(`🔍 Anais APK Forensic Analysis\n`);
+        (0, utils_1.printSeparator)();
+        console.log();
+        const result = yield (0, index_1.executeForensicAnalysis)(apkPath);
+        console.log();
+        (0, utils_1.printSeparator)();
+        if (result.success) {
+            console.log(`\n${(0, utils_1.formatSuccess)("Analysis completed successfully!")}\n`);
+            if (result.workspaceDir) {
+                console.log(`📁 Workspace: ${result.workspaceDir}`);
+            }
+            if (result.reportPath) {
+                console.log(`📄 Report: ${result.reportPath}`);
+            }
+            if (result.jsonReportPath) {
+                console.log(`📊 JSON Report: ${result.jsonReportPath}`);
+            }
+            console.log("\n💡 Tip: Open the report with your preferred markdown viewer");
+            console.log(`   e.g., cat "${result.reportPath}"\n`);
+        }
+        else {
+            console.log(`\n${(0, utils_1.formatError)("Analysis failed!")}\n`);
+            console.log(`Error: ${result.message}`);
+            if (result.error) {
+                console.log(`Details: ${result.error}`);
+            }
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`\n${(0, utils_1.formatError)("Unexpected error during analysis:")}`);
+        console.error(error);
+        process.exit(1);
+    }
+});
+main();

package/dist/index.js

@@ -0,0 +1,123 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeForensicAnalysis = void 0;
+const child_process_1 = require("child_process");
+const utils_1 = require("./utils");
+__exportStar(require("./types"), exports);
+const executeForensicAnalysis = (apkPath) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        // Resolve absolute path
+        const absoluteApkPath = (0, utils_1.resolveAbsolutePath)(apkPath);
+        // Check if APK file exists
+        if (!(0, utils_1.fileExists)(absoluteApkPath)) {
+            return resolve({
+                success: false,
+                apkPath,
+                message: `APK file not found: ${apkPath}`,
+                error: "File not found",
+            });
+        }
+        console.log(`\n📱 APK: ${(0, utils_1.getBasename)(absoluteApkPath)}`);
+        console.log(`📂 Path: ${absoluteApkPath}\n`);
+        // Get paths
+        const scriptDir = (0, utils_1.getProjectRoot)();
+        const anaisScript = (0, utils_1.getAnaisScriptPath)();
+        if (!(0, utils_1.fileExists)(anaisScript)) {
+            return resolve({
+                success: false,
+                apkPath,
+                message: `Analysis script not found: ${anaisScript}`,
+                error: "Script not found",
+            });
+        }
+        console.log(`🚀 Executing analysis...\n`);
+        // Spawn the bash script
+        const analysis = (0, child_process_1.spawn)("bash", [anaisScript, absoluteApkPath], {
+            cwd: scriptDir,
+            env: Object.assign(Object.assign({}, process.env), { PYTHONWARNINGS: "ignore" }),
+        });
+        let stdout = "";
+        let stderr = "";
+        let workspaceDir = "";
+        let reportPath = "";
+        // Capture stdout
+        analysis.stdout.on("data", (data) => {
+            const output = data.toString();
+            process.stdout.write(output);
+            stdout += output;
+            // Extract workspace directory from output
+            const workspaceMatch = output.match(/Workspace initialized: (.+)/);
+            if (workspaceMatch) {
+                workspaceDir = workspaceMatch[1].trim();
+            }
+            // Extract report path
+            const reportMatch = output.match(/Main report: (.+\.md)/);
+            if (reportMatch) {
+                reportPath = reportMatch[1].trim();
+            }
+        });
+        // Capture stderr (though we're logging warnings there)
+        analysis.stderr.on("data", (data) => {
+            stderr += data.toString();
+            // Don't print stderr to console as it's handled by the script
+        });
+        // Handle process completion
+        analysis.on("close", (code) => {
+            if (code === 0) {
+                const jsonReportPath = reportPath.replace(/\.md$/, ".json");
+                resolve({
+                    success: true,
+                    apkPath: absoluteApkPath,
+                    workspaceDir,
+                    reportPath,
+                    jsonReportPath: (0, utils_1.fileExists)(jsonReportPath)
+                        ? jsonReportPath
+                        : undefined,
+                    message: "Analysis completed successfully",
+                });
+            }
+            else {
+                resolve({
+                    success: false,
+                    apkPath: absoluteApkPath,
+                    workspaceDir,
+                    message: `Analysis failed with exit code ${code}`,
+                    error: stderr || "Unknown error",
+                });
+            }
+        });
+        // Handle errors
+        analysis.on("error", (error) => {
+            reject({
+                success: false,
+                apkPath: absoluteApkPath,
+                message: "Failed to execute analysis script",
+                error: error.message,
+            });
+        });
+    });
+});
+exports.executeForensicAnalysis = executeForensicAnalysis;

package/dist/types/index.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/utils/index.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Utility functions export
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./output"), exports);
+__exportStar(require("./paths"), exports);

package/dist/utils/output.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * Output formatting utilities
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.colors = void 0;
+exports.formatSuccess = formatSuccess;
+exports.formatError = formatError;
+exports.formatInfo = formatInfo;
+exports.formatWarning = formatWarning;
+exports.printSeparator = printSeparator;
+exports.printBanner = printBanner;
+exports.colors = {
+    reset: "\x1b[0m",
+    bright: "\x1b[1m",
+    dim: "\x1b[2m",
+    red: "\x1b[31m",
+    green: "\x1b[32m",
+    yellow: "\x1b[33m",
+    blue: "\x1b[34m",
+    magenta: "\x1b[35m",
+    cyan: "\x1b[36m",
+};
+function formatSuccess(message) {
+    return `${exports.colors.green}✅ ${message}${exports.colors.reset}`;
+}
+function formatError(message) {
+    return `${exports.colors.red}❌ ${message}${exports.colors.reset}`;
+}
+function formatInfo(message) {
+    return `${exports.colors.blue}ℹ ${message}${exports.colors.reset}`;
+}
+function formatWarning(message) {
+    return `${exports.colors.yellow}⚠ ${message}${exports.colors.reset}`;
+}
+function printSeparator(length = 50) {
+    console.log("═".repeat(length));
+}
+function printBanner() {
+    console.log(`\n${exports.colors.cyan}╔═══════════════════════════════════════════════════════════╗${exports.colors.reset}`);
+    console.log(`${exports.colors.cyan}║   Anais APK Forensic Automation - CLI v1.0.0            ║${exports.colors.reset}`);
+    console.log(`${exports.colors.cyan}║   Comprehensive APK Security Analysis & SAST             ║${exports.colors.reset}`);
+    console.log(`${exports.colors.cyan}╚═══════════════════════════════════════════════════════════╝${exports.colors.reset}\n`);
+}

package/dist/utils/paths.js

@@ -0,0 +1,107 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUserDocumentsPath = getUserDocumentsPath;
+exports.getDefaultWorkspacePath = getDefaultWorkspacePath;
+exports.ensureWorkspaceExists = ensureWorkspaceExists;
+exports.getProjectRoot = getProjectRoot;
+exports.getAnaisScriptPath = getAnaisScriptPath;
+exports.fileExists = fileExists;
+exports.resolveAbsolutePath = resolveAbsolutePath;
+exports.getBasename = getBasename;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+/**
+ * Get the user's Documents folder path
+ */
+function getUserDocumentsPath() {
+    const homeDir = os.homedir();
+    return path.join(homeDir, "Documents");
+}
+/**
+ * Get the default analysis workspace path (Documents/Anais-Reports)
+ */
+function getDefaultWorkspacePath() {
+    return path.join(getUserDocumentsPath(), "Anais-Reports");
+}
+/**
+ * Ensure the analysis workspace directory exists
+ */
+function ensureWorkspaceExists() {
+    const workspacePath = getDefaultWorkspacePath();
+    if (!fs.existsSync(workspacePath)) {
+        fs.mkdirSync(workspacePath, { recursive: true });
+    }
+}
+/**
+ * Get the project root directory (where package is installed)
+ * When installed via npm, __dirname will be in node_modules/anais-apk-forensic/dist/utils
+ * We need to go up to the package root
+ */
+function getProjectRoot() {
+    // Check if we're in node_modules (installed via npm)
+    const currentDir = path.resolve(__dirname, "../..");
+    if (currentDir.includes("node_modules")) {
+        // Go up to node_modules/anais-apk-forensic/
+        return path.resolve(__dirname, "../..");
+    }
+    // Otherwise we're in development mode (dist/utils -> root)
+    return path.resolve(__dirname, "../..");
+}
+/**
+ * Get the path to anais.sh script
+ */
+function getAnaisScriptPath() {
+    return path.join(getProjectRoot(), "anais.sh");
+}
+/**
+ * Check if a file exists
+ */
+function fileExists(filePath) {
+    return fs.existsSync(filePath);
+}
+/**
+ * Resolve absolute path
+ */
+function resolveAbsolutePath(filePath) {
+    return path.resolve(filePath);
+}
+/**
+ * Get basename of a file
+ */
+function getBasename(filePath) {
+    return path.basename(filePath);
+}