Skip to content
/ kavanoz Public

Statically unpacking common android banker malware.

License

Notifications You must be signed in to change notification settings

eybisi/kavanoz

Repository files navigation

🫙 kavanoz 🫙

Statically unpacking common android banker malware. Ever wanted to get payload from packed malware without running android emulator ? Me neither.

👀 Installation

pip install kavanoz

To install from source, clone the repository and do an editable install with -e. Which means if you edit or add new plugins to the project it will be used without reinstalling.

git clone https://github.com/eybisi/kavanoz.git
cd kavanoz
pip install -e .

⚡ Usage

from cmdline

kavanoz /tmp/filepath

You can use -vvv parameter to print verbose logs. (useful for debugging plugins)

as python library

from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break

🐍 Scripts:

⚙️ Development

Make sure to install kavanoz as editable (with -e). To add new plugins just create new file in loader folder. Extend Unpacker class from unpack_plugin.py file. Define start_decrypt function with your implementation.

def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):

Add following function to make early exit from plugin.

def lazy_check(self,apk_object:APK, dexes: "list[DEX]"):

If extraction is successful assign self.decrypted_payload_path with extracted file path. You can use helper functions from unpacker class:

  • get_array_data
  • get_smali
  • find_method(class_name,method_name,descriptor="")
  • check_and_write_file(file_data) : checks file has dex, zip and zlib headers and writes unpacked dex with name : "external-{m[:8]}.dex"

📖 Tips

  • self.dexes hold dex objects. You can get class with dex.get_class(smali_annotation_of_class).
  • You can use get_smali function and give target method obj to get smali represantation of target method. Then apply some regex to get data from smali. There are lots of defined regexs in smali_regexes.py file to lookup.
  • Most of the time packers use file from asset folder. You can get files with self.apk_object.get_files()
  • Most of the time packers use Application class to start unpacking sequence. Use application = self.apk_object.get_attribute_value("application", "name") to get application class defined in manifest file.

Thanks:

apkdetect.com for unique samples to work with.

About

Statically unpacking common android banker malware.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages