asthook
Usage:
usage: asthook [-h] [-v] [--config_xxhdpi CONFIG_XXHDPI]
[--verbose {debug,info,warning}] [--verbose_position]
[--config CONFIG [CONFIG ...]]
[--restore_output RESTORE_OUTPUT [RESTORE_OUTPUT ...]]
[--output {none,json}] [--output-file OUTPUT_FILE]
[--sdktools SDKTOOLS] [--version_android VERSION_ANDROID]
[--server SERVER] [--tree]
[--tree_path TREE_PATH [TREE_PATH ...]]
[--tree_exclude TREE_EXCLUDE [TREE_EXCLUDE ...]]
[--decompiler {none,jd-gui,cfr,procyon,fernflower,jadx}]
[--no_cache] [--progress] [--graph_ast] [--debug_ast]
[--seek_literal SEEK_LITERAL [SEEK_LITERAL ...]]
[--cloud_analysis] [--taint {normal,render}]
[--list_read_write] [--vuln_intent {normal,poc}]
[--vuln_broadcast {normal,poc}] [--test] [--PathTraversal]
[--vuln_data VULN_DATA] [--simplify_graph]
[--provider PROVIDER] [--api_keys {normal,full}]
[--list_funcs LIST_FUNCS LIST_FUNCS] [--user_input]
[--gen_hook GEN_HOOK [GEN_HOOK ...]]
[--list_funcs_call LIST_FUNCS_CALL LIST_FUNCS_CALL]
[--types] [--basic_vulns] [--name_file]
[--env_apks ENV_APKS [ENV_APKS ...]] [--phone PHONE]
[--no-emulation] [--noinstall] [--proxy PROXY]
[--proxy_cert PROXY_CERT] [--no_erase]
[--nativehook NATIVEHOOK [NATIVEHOOK ...]] [--files_store]
[--quickhook [QUICKHOOK [QUICKHOOK ...]]] [--sslpinning]
[--files_del]
app
Analysis for smartphone
positional arguments:
app app target <filename.apk>
optional arguments:
-h, --help show this help message and exit
-v, --version show version
--config_xxhdpi CONFIG_XXHDPI
adding xxhdpi files from google api downloader
--verbose {debug,info,warning}
active verbose
--verbose_position give verbose position
--config CONFIG [CONFIG ...]
Load config file
--restore_output RESTORE_OUTPUT [RESTORE_OUTPUT ...]
Load restore file
--output {none,json}
--output-file OUTPUT_FILE
--sdktools SDKTOOLS path of the sdktools for the emulation and some
android sdktools like the compilation of apk
--version_android VERSION_ANDROID
version targeted to compile poc. don't forget to
install the correct one: sdkmanager
"platforms;android-XX" "build-tools;XX.Y.Z" where
XX.Y.Z is version targeted
--server SERVER Use a server to delegate compute and take advantage of
RAM cache to use: --server 127.0.0.1:6000
core_static:
--tree Active syntaxical analyse
--tree_path TREE_PATH [TREE_PATH ...]
Analyse only a portion of apk
--tree_exclude TREE_EXCLUDE [TREE_EXCLUDE ...]
Expludes directory to analyszed
--decompiler {none,jd-gui,cfr,procyon,fernflower,jadx}
--no_cache disable cache and reparse all files in scope
--progress Display percent when it analyse static code
--graph_ast Draw a AST graph of the apk source code
--debug_ast print error encounter during the browsing of AST
static:
--seek_literal SEEK_LITERAL [SEEK_LITERAL ...]
seek Literal specify wit regexp
--cloud_analysis verify firebaseio
--taint {normal,render}
taint variable node
--list_read_write list all read and write on filesystem
--vuln_intent {normal,poc}
found vuln intent
--vuln_broadcast {normal,poc}
found potential vuln broadcast
--test test
--PathTraversal For the demo
--vuln_data VULN_DATA
found vuln intent deeplink
--simplify_graph Simplify the graph to remove all uselessnode
--provider PROVIDER analyse provider
--api_keys {normal,full}
find api keys
--list_funcs LIST_FUNCS LIST_FUNCS
list all funcs with regex as follow: --list_funcs
<class_regex> <function_regex>
--user_input list all users input
--gen_hook GEN_HOOK [GEN_HOOK ...]
generate hook
--list_funcs_call LIST_FUNCS_CALL LIST_FUNCS_CALL
list all funcs called with regex as follow:
--list_funcs_call <class_regex> <function_regex>
--types grab type of elements
--basic_vulns seek several potentials vulns
--name_file store the name of the file to be accessible by Node
core_dynamic:
--env_apks ENV_APKS [ENV_APKS ...]
--phone PHONE phones target emulator -list-avds
--no-emulation use a physical phone (useful for buetooth option)
--noinstall Application will not be installed and suggest that it
was already install
--proxy PROXY setup proxy address <ip>:<port>
--proxy_cert PROXY_CERT
setup proxy address <filename>.cer
--no_erase no erase data of phones
dynamic:
--nativehook NATIVEHOOK [NATIVEHOOK ...]
hook native hook
--files_store store all files read or written by application
--quickhook [QUICKHOOK [QUICKHOOK ...]]
give a list a js file to hook
--sslpinning bypass all sslpinning
--files_del prevent all files deleted
QuickStart
For the moment we only focus on the main program “asthook”
To begin the first step is to decompile the apk: You can choose one of these decompiler: jd-gui, cfr, procyon, fernflower, jadx
Advise
cfr: quick and efficient (use apkx)
procyon: quick and a little bit less efficient (use apkx)
jadx: slower and make some mistake but a good alternative if these 2 first doesn’t works
jd-gui: very slower but less mistake and works for the most of the case
fernflower: Not really complete
Warning
option decompiler is needed only the first time when you already used it the tool get back the backup of the decompilation
asthook <apk> --decompiler <decompiler>
example:
asthook example.apk --decompiler cfr
On this example the tool create on temp the directory example.apk:
└── example.apk
├── decompiled_app
├── dumpfile.pcap
└── ...
Verbose
Option verbose is really useful when tools didn’t work as expected
asthook example.apk --verbose {debug, info, warning}
If you don’t specify option verbose only errors will be show to you
debug: show you all messages useful when you wrote a new plugin
info: show you all message except debug message what I advise you if you have not the behavior excepted
warning: show behavior no expected but with no incidents on your analyse
Export Output and reinject previous analyse
To extract data you can get back like standard output with –output none parameters or in json format with –output json you just need after to precise the –output-file <file> to store it in a file.
If you extract it in json is possible to reinject the previous analysis on the tool to speed up the new analysis thanks to –restore_output <file>.
Output and input configuration files
Load a config file and work with your team
To avoid a big command line is possible to create one or some yaml file will load parameters used for the analysis.
An example of yaml file config.yaml
static:
- tree: true
- tree_path: "/com/"
- gen_hook:
- "TraceEvents.nativeDisableProviders"
- list_funcs:
- '^.*'
- '^.*'
dynamic:
- sdktools: "/usr/lib/android-sdk"
- phone: "phone_audit2"
- proxy: "127.0.0.1:8080"
- proxy_cert: "misc/burp.der"
- sslpinning: true
In commandline this should be:
asthook example.apk --config config.yaml
#
# before:
#
asthook example.apk --tree --tree_path /com/ --gen_hook "TraceEvents.nativeDisableProviders" --list_funcs '^.*' '^.*' --sdktools "/usr/lib/android-sdk" --phone "phone_audit2" --proxy "127.0.0.1:8080" --proxy_cert "misc/burp.der" --sslpinning
You can prepare different files and load it all together:
asthook example.apk --config config.yaml config2.yaml
So it’s possible to share a config file for an analysis and load it with these personal files.
Export analysis
To export your analysis –output {none,json} –output-file OUTPUT_FILE
Reuse previous analysis or external information
To reuse a previous analysis on a new analysis or if you want to inject some data in you can use restore_output option. This option will take a json file with the same structure as in output.
asthook --restore_output myoutput.json
SDKTOOLS
Sdktools is really important if you want to emulate a phone and use the functionality allow the tool to make some valid APK.
The path you should specify is the same where you install the sdktools during the setup
Analyse an apk and its environment
Apk with different xxhdpi
If an apk has some external resources, you can put into the xxhdpi format and pass it on arguments like that:
asthook example.apk --config_xxhdpi file.xxhdpi
asthook example.apk --env_apks apk1.apk apk2.apk