anais-apk-forensic 1.0.0

package/analysis_tools/manifest_analyzer.py

@@ -0,0 +1,214 @@
+#!/usr/bin/env python3
+"""
+AndroidManifest.xml Analyzer
+Detects security issues and misconfigurations in manifest
+"""
+
+import sys
+import json
+import xml.etree.ElementTree as ET
+from pathlib import Path
+
+class ManifestAnalyzer:
+    def __init__(self, manifest_path):
+        self.manifest_path = Path(manifest_path)
+        self.findings = []
+        self.info = {}
+        
+        try:
+            self.tree = ET.parse(manifest_path)
+            self.root = self.tree.getroot()
+        except Exception as e:
+            self.findings.append({
+                'severity': 'critical',
+                'title': 'Failed to parse manifest',
+                'description': str(e)
+            })
+            self.tree = None
+            self.root = None
+    
+    def check_dangerous_permissions(self):
+        """Check for dangerous permissions"""
+        if not self.root:
+            return
+        
+        dangerous_perms = {
+            'READ_SMS': 'Can read SMS messages',
+            'RECEIVE_SMS': 'Can intercept incoming SMS',
+            'SEND_SMS': 'Can send SMS messages',
+            'READ_CONTACTS': 'Can access contacts',
+            'WRITE_CONTACTS': 'Can modify contacts',
+            'READ_CALL_LOG': 'Can read call history',
+            'WRITE_CALL_LOG': 'Can modify call history',
+            'RECORD_AUDIO': 'Can record audio',
+            'CAMERA': 'Can access camera',
+            'ACCESS_FINE_LOCATION': 'Can access precise location',
+            'READ_PHONE_STATE': 'Can read phone state and device ID',
+            'SYSTEM_ALERT_WINDOW': 'Can draw over other apps',
+            'REQUEST_INSTALL_PACKAGES': 'Can install packages',
+            'REQUEST_DELETE_PACKAGES': 'Can delete packages',
+            'BIND_ACCESSIBILITY_SERVICE': 'Accessibility service (high risk)',
+            'BIND_DEVICE_ADMIN': 'Device administrator',
+            'WRITE_EXTERNAL_STORAGE': 'Can write to external storage',
+        }
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        
+        for perm in self.root.findall('.//uses-permission', namespace):
+            name = perm.get('{http://schemas.android.com/apk/res/android}name', '')
+            perm_name = name.split('.')[-1]
+            
+            if perm_name in dangerous_perms:
+                severity = 'critical' if perm_name in ['BIND_ACCESSIBILITY_SERVICE', 'SYSTEM_ALERT_WINDOW', 'REQUEST_INSTALL_PACKAGES'] else 'high'
+                
+                self.findings.append({
+                    'severity': severity,
+                    'category': 'dangerous_permission',
+                    'title': f'Dangerous Permission: {perm_name}',
+                    'description': dangerous_perms[perm_name],
+                    'permission': name
+                })
+    
+    def check_exported_components(self):
+        """Check for exported components without permissions"""
+        if not self.root:
+            return
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        
+        components = [
+            ('activity', 'Activity'),
+            ('service', 'Service'),
+            ('receiver', 'Receiver'),
+            ('provider', 'Provider')
+        ]
+        
+        for comp_type, comp_name in components:
+            for comp in self.root.findall(f'.//{comp_type}', namespace):
+                exported = comp.get('{http://schemas.android.com/apk/res/android}exported', 'false')
+                permission = comp.get('{http://schemas.android.com/apk/res/android}permission', None)
+                name = comp.get('{http://schemas.android.com/apk/res/android}name', 'Unknown')
+                
+                # Check for intent filters (makes component exported by default in older APIs)
+                has_intent_filter = len(comp.findall('.//intent-filter')) > 0
+                
+                if (exported == 'true' or has_intent_filter) and not permission:
+                    self.findings.append({
+                        'severity': 'high',
+                        'category': 'exported_component',
+                        'title': f'Exported {comp_name} Without Permission',
+                        'description': f'{comp_name} is exported but lacks permission protection',
+                        'component': name,
+                        'type': comp_type
+                    })
+    
+    def check_debuggable(self):
+        """Check if app is debuggable"""
+        if not self.root:
+            return
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        app = self.root.find('.//application', namespace)
+        
+        if app is not None:
+            debuggable = app.get('{http://schemas.android.com/apk/res/android}debuggable', 'false')
+            
+            if debuggable == 'true':
+                self.findings.append({
+                    'severity': 'critical',
+                    'category': 'debuggable',
+                    'title': 'Application is Debuggable',
+                    'description': 'App can be debugged, allowing code injection and data extraction'
+                })
+    
+    def check_backup_allowed(self):
+        """Check if backup is allowed"""
+        if not self.root:
+            return
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        app = self.root.find('.//application', namespace)
+        
+        if app is not None:
+            backup = app.get('{http://schemas.android.com/apk/res/android}allowBackup', 'true')
+            
+            if backup == 'true':
+                self.findings.append({
+                    'severity': 'medium',
+                    'category': 'backup_allowed',
+                    'title': 'Backup Allowed',
+                    'description': 'App data can be backed up via adb, potentially exposing sensitive data'
+                })
+    
+    def check_cleartext_traffic(self):
+        """Check if cleartext traffic is allowed"""
+        if not self.root:
+            return
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        app = self.root.find('.//application', namespace)
+        
+        if app is not None:
+            cleartext = app.get('{http://schemas.android.com/apk/res/android}usesCleartextTraffic', 'true')
+            
+            if cleartext == 'true':
+                self.findings.append({
+                    'severity': 'medium',
+                    'category': 'cleartext_traffic',
+                    'title': 'Cleartext Traffic Allowed',
+                    'description': 'App can use HTTP connections, data can be intercepted'
+                })
+    
+    def extract_info(self):
+        """Extract basic manifest info"""
+        if not self.root:
+            return
+        
+        namespace = {'android': 'http://schemas.android.com/apk/res/android'}
+        
+        self.info = {
+            'package': self.root.get('package', 'Unknown'),
+            'version_code': self.root.get('{http://schemas.android.com/apk/res/android}versionCode', 'Unknown'),
+            'version_name': self.root.get('{http://schemas.android.com/apk/res/android}versionName', 'Unknown'),
+        }
+        
+        # Count components
+        self.info['component_counts'] = {
+            'activities': len(self.root.findall('.//activity', namespace)),
+            'services': len(self.root.findall('.//service', namespace)),
+            'receivers': len(self.root.findall('.//receiver', namespace)),
+            'providers': len(self.root.findall('.//provider', namespace)),
+        }
+    
+    def analyze(self):
+        """Run all checks"""
+        self.extract_info()
+        self.check_dangerous_permissions()
+        self.check_exported_components()
+        self.check_debuggable()
+        self.check_backup_allowed()
+        self.check_cleartext_traffic()
+        
+        return {
+            'info': self.info,
+            'findings': self.findings
+        }
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: manifest_analyzer.py <manifest_path> <output_json>")
+        sys.exit(1)
+    
+    manifest_path = sys.argv[1]
+    output_json = sys.argv[2]
+    
+    analyzer = ManifestAnalyzer(manifest_path)
+    results = analyzer.analyze()
+    
+    with open(output_json, 'w') as f:
+        json.dump(results, f, indent=2)
+    
+    print(f"Manifest analysis complete: {len(results['findings'])} findings")
+
+if __name__ == '__main__':
+    main()

package/analysis_tools/network_analyzer.py

@@ -0,0 +1,287 @@
+#!/usr/bin/env python3
+"""
+Network Artifacts Analyzer
+Extracts and analyzes network-related artifacts from APK
+"""
+
+import sys
+import json
+import re
+import argparse
+from pathlib import Path
+from collections import defaultdict
+from urllib.parse import urlparse
+
+class NetworkAnalyzer:
+    def __init__(self, decompiled_dir, jadx_dir):
+        self.decompiled_dir = Path(decompiled_dir) if decompiled_dir else None
+        self.jadx_dir = Path(jadx_dir) if jadx_dir else None
+        
+        self.findings = {
+            'urls': [],
+            'domains': [],
+            'ip_addresses': [],
+            'websockets': [],
+            'api_endpoints': [],
+            'suspicious_urls': [],
+            'c2_indicators': []
+        }
+    
+    def extract_urls(self, content):
+        """Extract URLs from content"""
+        # URL patterns
+        url_pattern = r'https?://[^\s\'"<>)}\]]+|wss?://[^\s\'"<>)}\]]+'
+        urls = re.findall(url_pattern, content, re.IGNORECASE)
+        
+        # Filter and clean URLs
+        cleaned_urls = []
+        for url in urls:
+            # Remove trailing punctuation
+            url = url.rstrip('.,;:!?')
+            
+            # Must have valid domain structure
+            try:
+                parsed = urlparse(url)
+                if parsed.netloc and '.' in parsed.netloc:
+                    # Skip if netloc looks like a variable/class name
+                    if not any([
+                        parsed.netloc.startswith('$'),
+                        parsed.netloc.startswith('{'),
+                        'localhost' in parsed.netloc.lower(),
+                        '127.0.0.1' in parsed.netloc,
+                        parsed.netloc.endswith('.local'),
+                    ]):
+                        cleaned_urls.append(url)
+            except:
+                continue
+        
+        return cleaned_urls
+    
+    def extract_domains(self, content):
+        """Extract domain names"""
+        # Domain pattern (more flexible)
+        domain_pattern = r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}'
+        domains = re.findall(domain_pattern, content)
+        
+        # Filter out false positives
+        filtered_domains = []
+        for domain in domains:
+            domain_lower = domain.lower()
+            
+            # Skip if it looks like a Java class/method pattern
+            if any([
+                domain.startswith('super.'),
+                domain.startswith('this.'),
+                '.on' in domain_lower and len(domain.split('.')) <= 3,  # onCancel, onCreate, etc
+                domain.endswith('.java'),
+                domain.endswith('.class'),
+                domain.endswith('.xml'),
+                '.get' in domain_lower and len(domain.split('.')) <= 3,
+                '.set' in domain_lower and len(domain.split('.')) <= 3,
+                '.is' in domain_lower and len(domain.split('.')) <= 3,
+                all(part[0].isupper() for part in domain.split('.') if part),  # ClassName.MethodName
+                domain.count('.') > 6,  # Too many dots, likely not a domain
+                len(domain.split('.')[-1]) > 10,  # TLD too long
+            ]):
+                continue
+            
+            # Must have valid TLD
+            tld = domain.split('.')[-1].lower()
+            if tld in ['com', 'net', 'org', 'io', 'co', 'app', 'dev', 'ai', 'me', 'info', 
+                       'xyz', 'online', 'site', 'top', 'cn', 'ru', 'de', 'uk', 'jp', 'kr',
+                       'in', 'br', 'au', 'fr', 'it', 'es', 'nl', 'pl', 'se', 'no', 'fi',
+                       'id', 'my', 'sg', 'th', 'vn', 'ph', 'tw', 'hk']:
+                filtered_domains.append(domain)
+        
+        return filtered_domains
+    
+    def extract_ip_addresses(self, content):
+        """Extract IP addresses"""
+        ip_pattern = r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
+        ips = re.findall(ip_pattern, content)
+        # Filter valid IPs
+        valid_ips = [ip for ip in ips if all(0 <= int(octet) <= 255 for octet in ip.split('.'))]
+        return valid_ips
+    
+    def is_suspicious_url(self, url):
+        """Check if URL is suspicious"""
+        suspicious_tlds = ['.top', '.xyz', '.tk', '.ml', '.ga', '.cf', '.gq', '.pw']
+        suspicious_keywords = ['api', 'upload', 'download', 'c2', 'cmd', 'command', 'bot']
+        
+        parsed = urlparse(url)
+        domain = parsed.netloc.lower()
+        path = parsed.path.lower()
+        
+        # Check TLD
+        for tld in suspicious_tlds:
+            if domain.endswith(tld):
+                return True, f'Suspicious TLD: {tld}'
+        
+        # Check keywords in domain or path
+        for keyword in suspicious_keywords:
+            if keyword in domain or keyword in path:
+                return True, f'Suspicious keyword: {keyword}'
+        
+        # Check for WebSocket
+        if url.startswith('wss://') or url.startswith('ws://'):
+            return True, 'WebSocket connection'
+        
+        return False, None
+    
+    def scan_java_files(self):
+        """Scan Java files for network artifacts"""
+        if not self.jadx_dir or not self.jadx_dir.exists():
+            return
+        
+        print("Scanning Java files for network artifacts...")
+        
+        java_files = list(self.jadx_dir.rglob('*.java'))
+        
+        all_urls = set()
+        all_domains = set()
+        all_ips = set()
+        
+        for java_file in java_files:
+            try:
+                content = java_file.read_text(errors='ignore')
+                
+                # Extract URLs
+                urls = self.extract_urls(content)
+                for url in urls:
+                    all_urls.add(url)
+                    
+                    # Check if suspicious
+                    is_susp, reason = self.is_suspicious_url(url)
+                    if is_susp:
+                        self.findings['suspicious_urls'].append({
+                            'url': url,
+                            'reason': reason,
+                            'file': str(java_file.relative_to(self.jadx_dir))
+                        })
+                    
+                    # Check for WebSocket
+                    if url.startswith('ws'):
+                        self.findings['websockets'].append({
+                            'url': url,
+                            'file': str(java_file.relative_to(self.jadx_dir))
+                        })
+                
+                # Extract domains
+                domains = self.extract_domains(content)
+                all_domains.update(domains)
+                
+                # Extract IPs
+                ips = self.extract_ip_addresses(content)
+                all_ips.update(ips)
+                
+            except Exception as e:
+                continue
+        
+        self.findings['urls'] = list(all_urls)
+        self.findings['domains'] = list(all_domains)
+        self.findings['ip_addresses'] = list(all_ips)
+    
+    def scan_smali_files(self):
+        """Scan SMALI files for network strings"""
+        if not self.decompiled_dir:
+            return
+        
+        print("Scanning SMALI files for network artifacts...")
+        
+        smali_dirs = [d for d in self.decompiled_dir.iterdir() if d.is_dir() and d.name.startswith('smali')]
+        
+        for smali_dir in smali_dirs:
+            smali_files = list(smali_dir.rglob('*.smali'))[:200]  # Limit
+            
+            for smali_file in smali_files:
+                try:
+                    content = smali_file.read_text(errors='ignore')
+                    
+                    # Look for string constants
+                    string_pattern = r'const-string.*?"([^"]+)"'
+                    strings = re.findall(string_pattern, content)
+                    
+                    for string in strings:
+                        # Check if it's a URL
+                        if re.match(r'https?://', string) or re.match(r'wss?://', string):
+                            self.findings['urls'].append(string)
+                            
+                            is_susp, reason = self.is_suspicious_url(string)
+                            if is_susp:
+                                self.findings['suspicious_urls'].append({
+                                    'url': string,
+                                    'reason': reason,
+                                    'file': str(smali_file.relative_to(self.decompiled_dir))
+                                })
+                
+                except Exception:
+                    continue
+    
+    def detect_c2_patterns(self):
+        """Detect C2 communication patterns"""
+        
+        # Check URLs for C2 indicators
+        c2_patterns = [
+            r'/api/.*/(upload|download|command|cmd)',
+            r'/bot/',
+            r'/c2/',
+            r'/panel/',
+            r'/gate/',
+        ]
+        
+        for url in self.findings['urls']:
+            for pattern in c2_patterns:
+                if re.search(pattern, url, re.IGNORECASE):
+                    self.findings['c2_indicators'].append({
+                        'url': url,
+                        'pattern': pattern,
+                        'description': 'Potential C2 endpoint'
+                    })
+        
+        # Check for DGA-like domains (Domain Generation Algorithm)
+        for domain in self.findings['domains']:
+            # Simple heuristic: long subdomain with random-looking characters
+            parts = domain.split('.')
+            for part in parts[:-2]:  # Exclude TLD and main domain
+                if len(part) > 15 and sum(c.isdigit() for c in part) > 3:
+                    self.findings['c2_indicators'].append({
+                        'domain': domain,
+                        'description': 'Potential DGA domain (long random subdomain)'
+                    })
+    
+    def analyze(self):
+        """Run all analysis"""
+        self.scan_java_files()
+        self.scan_smali_files()
+        self.detect_c2_patterns()
+        
+        # Deduplicate
+        self.findings['urls'] = list(set(self.findings['urls']))
+        self.findings['domains'] = list(set(self.findings['domains']))
+        self.findings['ip_addresses'] = list(set(self.findings['ip_addresses']))
+        
+        return self.findings
+
+def main():
+    parser = argparse.ArgumentParser(description='Network Artifacts Analyzer')
+    parser.add_argument('--decompiled', help='Path to decompiled directory')
+    parser.add_argument('--jadx', help='Path to JADX output')
+    parser.add_argument('--output', required=True, help='Output JSON file')
+    
+    args = parser.parse_args()
+    
+    analyzer = NetworkAnalyzer(args.decompiled, args.jadx)
+    findings = analyzer.analyze()
+    
+    with open(args.output, 'w') as f:
+        json.dump(findings, f, indent=2)
+    
+    print(f"\nNetwork Analysis Results:")
+    print(f"  URLs found: {len(findings['urls'])}")
+    print(f"  Domains found: {len(findings['domains'])}")
+    print(f"  IP addresses: {len(findings['ip_addresses'])}")
+    print(f"  Suspicious URLs: {len(findings['suspicious_urls'])}")
+    print(f"  C2 indicators: {len(findings['c2_indicators'])}")
+
+if __name__ == '__main__':
+    main()