=======
asthook
=======

Usage:
######

::

    usage: asthook [-h] [-v] [--config_xxhdpi CONFIG_XXHDPI]
                   [--verbose {debug,info,warning}] [--verbose_position]
                   [--config CONFIG [CONFIG ...]]
                   [--restore_output RESTORE_OUTPUT [RESTORE_OUTPUT ...]]
                   [--output {none,json}] [--output-file OUTPUT_FILE]
                   [--sdktools SDKTOOLS] [--version_android VERSION_ANDROID]
                   [--server SERVER] [--tree]
                   [--tree_path TREE_PATH [TREE_PATH ...]]
                   [--tree_exclude TREE_EXCLUDE [TREE_EXCLUDE ...]]
                   [--decompiler {none,jd-gui,cfr,procyon,fernflower,jadx}]
                   [--no_cache] [--progress] [--graph_ast] [--debug_ast]
                   [--seek_literal SEEK_LITERAL [SEEK_LITERAL ...]]
                   [--cloud_analysis] [--taint {normal,render}]
                   [--list_read_write] [--vuln_intent {normal,poc}]
                   [--vuln_broadcast {normal,poc}] [--test] [--PathTraversal]
                   [--vuln_data VULN_DATA] [--simplify_graph]
                   [--provider PROVIDER] [--api_keys {normal,full}]
                   [--list_funcs LIST_FUNCS LIST_FUNCS] [--user_input]
                   [--gen_hook GEN_HOOK [GEN_HOOK ...]]
                   [--list_funcs_call LIST_FUNCS_CALL LIST_FUNCS_CALL]
                   [--types] [--basic_vulns] [--name_file]
                   [--env_apks ENV_APKS [ENV_APKS ...]] [--phone PHONE]
                   [--no-emulation] [--noinstall] [--proxy PROXY]
                   [--proxy_cert PROXY_CERT] [--no_erase]
                   [--nativehook NATIVEHOOK [NATIVEHOOK ...]] [--files_store]
                   [--quickhook [QUICKHOOK [QUICKHOOK ...]]] [--sslpinning]
                   [--files_del]
                   app

    Analysis for smartphone

    positional arguments:
      app                   app target

    optional arguments:
      -h, --help            show this help message and exit
      -v, --version         show version
      --config_xxhdpi CONFIG_XXHDPI
                            add xxhdpi files from the google api downloader
      --verbose {debug,info,warning}
                            activate verbose output
      --verbose_position    give the verbose position
      --config CONFIG [CONFIG ...]
                            load config file(s)
      --restore_output RESTORE_OUTPUT [RESTORE_OUTPUT ...]
                            load restore file(s)
      --output {none,json}
      --output-file OUTPUT_FILE
      --sdktools SDKTOOLS   path of the sdktools used for the emulation and for
                            some android sdktools such as the compilation of an
                            apk
      --version_android VERSION_ANDROID
                            version targeted to compile the poc. don't forget
                            to install the correct one:
                            sdkmanager "platforms;android-XX" "build-tools;XX.Y.Z"
                            where XX.Y.Z is the version targeted
      --server SERVER       use a server to delegate compute and take advantage
                            of the RAM cache, e.g. --server 127.0.0.1:6000

    core_static:
      --tree                activate syntactic analysis
      --tree_path TREE_PATH [TREE_PATH ...]
                            analyse only a portion of the apk
      --tree_exclude TREE_EXCLUDE [TREE_EXCLUDE ...]
                            exclude directories from the analysis
      --decompiler {none,jd-gui,cfr,procyon,fernflower,jadx}
      --no_cache            disable the cache and reparse all files in scope
      --progress            display the percentage while analysing static code
      --graph_ast           draw an AST graph of the apk source code
      --debug_ast           print errors encountered while walking the AST

    static:
      --seek_literal SEEK_LITERAL [SEEK_LITERAL ...]
                            seek literals specified with a regexp
      --cloud_analysis      verify firebaseio
      --taint {normal,render}
                            taint variable nodes
      --list_read_write     list all reads and writes on the filesystem
      --vuln_intent {normal,poc}
                            find vulnerable intents
      --vuln_broadcast {normal,poc}
                            find potentially vulnerable broadcasts
      --test                test
      --PathTraversal       for the demo
      --vuln_data VULN_DATA
                            find vulnerable intent deeplinks
      --simplify_graph      simplify the graph by removing all useless nodes
      --provider PROVIDER   analyse a provider
      --api_keys {normal,full}
                            find api keys
      --list_funcs LIST_FUNCS LIST_FUNCS
                            list all funcs matching a regex, as follows:
                            --list_funcs
      --user_input          list all user inputs
      --gen_hook GEN_HOOK [GEN_HOOK ...]
                            generate a hook
      --list_funcs_call LIST_FUNCS_CALL LIST_FUNCS_CALL
                            list all funcs called matching a regex, as follows:
                            --list_funcs_call
      --types               grab the type of elements
      --basic_vulns         seek several potential vulns
      --name_file           store the name of the file so that it is accessible
                            from Node

    core_dynamic:
      --env_apks ENV_APKS [ENV_APKS ...]
      --phone PHONE         phone target, see: emulator -list-avds
      --no-emulation        use a physical phone (useful for the bluetooth
                            option)
      --noinstall           the application will not be installed; assumes it
                            is already installed
      --proxy PROXY         set up the proxy address :
      --proxy_cert PROXY_CERT
                            set up the proxy certificate (.cer)
      --no_erase            do not erase the phone's data

    dynamic:
      --nativehook NATIVEHOOK [NATIVEHOOK ...]
                            hook native functions
      --files_store         store all files read or written by the application
      --quickhook [QUICKHOOK [QUICKHOOK ...]]
                            give a list of js files to hook
      --sslpinning          bypass all sslpinning
      --files_del           prevent all file deletions

QuickStart
##########

For now this guide covers only the main program ``asthook``.

The first step is to decompile the apk. You can choose one of these
decompilers: jd-gui, cfr, procyon, fernflower, jadx.

Advice
******

- cfr: quick and efficient (uses apkx)
- procyon: quick and a little less efficient (uses apkx)
- jadx: slower and makes some mistakes, but a good alternative if the first
  two do not work
- jd-gui: much slower but makes fewer mistakes and works in most cases
- fernflower: not really complete

.. warning::

   The ``--decompiler`` option is needed only the first time. On later runs
   the tool reuses the saved decompilation instead of decompiling again.

.. code-block:: bash

   asthook --decompiler

Example:

.. code-block:: bash

   asthook example.apk --decompiler cfr

In this example the tool creates the directory ``example.apk`` under
``temp``:

::

    temp
    └── example.apk
        ├── decompiled_app
        ├── dumpfile.pcap
        └── ...

Verbose
#######

The ``--verbose`` option is useful when the tool does not behave as expected.

.. code-block:: bash

   asthook example.apk --verbose {debug,info,warning}

If you do not pass ``--verbose``, only errors are shown.

- debug: shows all messages; useful when you are writing a new plugin
- info: shows all messages except debug ones; advised when you do not get the
  expected behaviour
- warning: shows unexpected behaviour that has no impact on your analysis

.. asciinema:: verbose.cast
   :preload:

Export output and reinject a previous analysis
##############################################

Results can be written to standard output with ``--output none`` or in JSON
format with ``--output json``; in the latter case add ``--output-file`` to
store them in a file. A JSON export can be reinjected into a later run with
``--restore_output`` to speed up the new analysis.

Output and input configuration files
#####################################

Load a config file and work with your team
*******************************************

To avoid a long command line, you can write the parameters of an analysis
into one or more YAML files and load them.

An example YAML file ``config.yaml``:

.. code-block:: yaml

   static:
     - tree: true
     - tree_path: "/com/"
     - gen_hook:
         - "TraceEvents.nativeDisableProviders"
     - list_funcs:
         - '^.*'
         - '^.*'
   dynamic:
     - sdktools: "/usr/lib/android-sdk"
     - phone: "phone_audit2"
     - proxy: "127.0.0.1:8080"
     - proxy_cert: "misc/burp.der"
     - sslpinning: true

On the command line this is equivalent to:

.. code-block:: bash

   asthook example.apk --config config.yaml
   #
   # before:
   # asthook example.apk --tree --tree_path /com/ --gen_hook "TraceEvents.nativeDisableProviders" --list_funcs '^.*' '^.*' --sdktools "/usr/lib/android-sdk" --phone "phone_audit2" --proxy "127.0.0.1:8080" --proxy_cert "misc/burp.der" --sslpinning

You can prepare several files and load them all together:

.. code-block:: bash

   asthook example.apk --config config.yaml config2.yaml

A config file shared by the team for an analysis can therefore be combined
with each analyst's personal file.

Export analysis
***************

To export your analysis:

::

    --output {none,json}
    --output-file OUTPUT_FILE

Reuse previous analysis or external information
************************************************

To reuse a previous analysis in a new one, or to inject external data, use
the ``--restore_output`` option. It takes a JSON file with the same structure
as the output.

.. code-block:: bash

   asthook --restore_output myoutput.json

SDKTOOLS
########

``--sdktools`` matters if you want to emulate a phone, and it is what allows
the tool to build valid APKs (for example proof-of-concept apks with
``--version_android``). The path to give is the one where you installed the
sdktools during setup.

Analyse an apk and its environment
##################################

Apk with different xxhdpi
*************************

If an apk relies on external resources, you can package them in xxhdpi format
and pass them as an argument:

.. code-block:: bash

   asthook example.apk --config_xxhdpi file.xxhdpi

Environment apks
****************

Other apks that belong to the application's environment can be passed with
``--env_apks``:

.. code-block:: bash

   asthook example.apk --env_apks apk1.apk apk2.apk

Static Mode
===========

.. toctree::
   :maxdepth: 1
   :titlesonly:
   :glob:

   how.using.asthook.static

Dynamic Mode
============

.. toctree::
   :maxdepth: 1
   :titlesonly:
   :glob:

   how.using.asthook.dynamic
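The section "Load a config file and work with your team" above states that a
YAML config is equivalent to a set of command-line flags. The following is an
added example, not asthook's own config loader, that makes the mapping
explicit and merges several files the way ``--config a.yaml b.yaml`` loads
them. It assumes the rule the page's example implies (``true`` becomes a bare
flag, a scalar becomes ``--flag value``, a list becomes ``--flag v1 v2 ...``)
and assumes that when two files set the same option the later file wins. The
parsed form of ``config.yaml`` is taken from the page; ``config2.yaml`` is a
constructed personal file.

```python
"""Map asthook YAML config files onto the equivalent command line.

Added example: this is not asthook's loader. The flag mapping and the
"later file wins" merge rule are assumptions documented in the lead-in.
"""
import shlex

try:
    import yaml  # PyYAML, optional: only needed to read files from disk
except ImportError:  # pragma: no cover
    yaml = None

# config.yaml from the page, as PyYAML parses it: each section is a
# list of one-key mappings.
CONFIG_YAML = {
    "static": [
        {"tree": True},
        {"tree_path": "/com/"},
        {"gen_hook": ["TraceEvents.nativeDisableProviders"]},
        {"list_funcs": ["^.*", "^.*"]},
    ],
    "dynamic": [
        {"sdktools": "/usr/lib/android-sdk"},
        {"phone": "phone_audit2"},
        {"proxy": "127.0.0.1:8080"},
        {"proxy_cert": "misc/burp.der"},
        {"sslpinning": True},
    ],
}

# A constructed personal file (config2.yaml) overriding the phone and
# adding one switch; hypothetical values for the example.
CONFIG2_YAML = {
    "dynamic": [
        {"phone": "pixel_lab"},
        {"no_erase": True},
    ],
}


def load_config(path):
    """Read a YAML file into the structure above (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is not installed; pass parsed data instead")
    with open(path) as fh:
        return yaml.safe_load(fh)


def merge_configs(*configs):
    """Flatten one or more parsed configs into {option: value}.

    Files are applied in order, so a later file overrides an earlier one
    for the same option (assumption, see lead-in). Dict insertion order
    keeps the first file's flag order stable.
    """
    merged = {}
    for cfg in configs:
        for section in ("static", "dynamic"):
            for item in cfg.get(section, []):
                (key, value), = item.items()  # every item is a one-key map
                merged[key] = value
    return merged


def config_to_argv(merged):
    """Turn the flat mapping into argv tokens: --flag [value ...]."""
    argv = []
    for key, value in merged.items():
        if value is False or value is None:
            continue  # option explicitly left unset
        argv.append("--" + key)
        if value is True:
            continue  # boolean switch such as --tree or --sslpinning
        if isinstance(value, (list, tuple)):
            argv.extend(str(v) for v in value)  # e.g. --list_funcs '^.*' '^.*'
        else:
            argv.append(str(value))
    return argv


def command_line(app, *configs):
    """Shell-quoted asthook command equivalent to the given config files."""
    return "asthook " + shlex.join([app] + config_to_argv(merge_configs(*configs)))


if __name__ == "__main__":
    print(command_line("example.apk", CONFIG_YAML))
    print(command_line("example.apk", CONFIG_YAML, CONFIG2_YAML))
```

Quoting matters: ``shlex.join`` wraps the regexes as ``'^.*'`` so they reach
asthook unexpanded, exactly as the page's "before" command line writes them.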