Header Ads Widget

Responsive Advertisement

Droidefense: Advance Android Malware Analysis Framework


Droidefense: Advance Android Malware Analysis Framework


Droidefense (originally named atom: analysis through observation machine) is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work.

For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.

Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.


Droidefense Features

  • .apk unpacker
  • .apk resource decoder
  • .apk file enumeration
  • .apk file classification and identification
  • binary xml decoder
  • in-memory processing using a virtual filesystem
  • resource fuzzing and hashing
  • entropy calculator
  • native code dump
  • certificate analysis
  • debug certificate detection
  • opcode analysis
  • unused opcode detection
  • androidManifest.xml analysis
  • internal structure analysis
  • dalvik bytecode flow analysis
  • multipath analysis implementation (not tested)
  • CFG generation
  • simple reflection resolver
  • String classification
  • simulated workflow generation
  • dynamic rules engine


Droidefense modules

  • PSCout data module
  • Full Android manifest parser, based on official SDK documentation v23.
  • Plugins
  • Machine Learning (Weka based) module


Droidefense plugins

  • Hidden ELF file detector plugin
  • Hidden APK file detector plugin
  • Application UID detector plugin
  • Privacy plugin


Usage


TL;DR
java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage
java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 

* Current build:  2018_03_09__09_17_34
* Check out on Github:  https://github.com/droidefense/
* Report your issue:  https://github.com/droidefense/engine/issues
* Lead developer:  @zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information

Useful info

Checkout how to compile new version at:
https://github.com/droidefense/engine/wiki/Compilation

Checkout report example at:
https://github.com/droidefense/engine/wiki/Pornoplayer-report

Checkout execution logs at:
https://github.com/droidefense/engine/wiki/Execution-logs

Contributing

Everybody is welcome to contribute to DROIDEFENSE. Please check out the DROIDEFENSE Contribution Steps for instructions about how to proceed.

And any other comments will be very appreciate.

Citing

Feel free to cite droidefense on your works. We added next boilerplate for your references:

@Manual{,
  title        = {Droidefense: Advance Android Malware Analysis Framework},
  author       = {{zerjioang}},
  organization = {opensource},
  address      = {Bilbao, Spain},
  year         = 2017,
  url          = {https://droidefense.wordpress.com/}
}




Download






Post a Comment

0 Comments