kavanoz


Name: kavanoz
Version: 0.0.3
Summary: Unpacking framework for common android malware
Upload time: 2024-01-02 11:14:24
Author: Ahmet Bilal Can
License: MIT License
Keywords: android malware unpacking packer
Requirements: No requirements were recorded.
# 🫙 kavanoz 🫙
![](https://img.shields.io/github/license/eybisi/kavanoz)
![](https://img.shields.io/github/stars/eybisi/kavanoz)
![](https://img.shields.io/github/issues-closed/eybisi/kavanoz.svg)
![](https://img.shields.io/github/issues-pr-closed/eybisi/kavanoz.svg)

Statically unpacking common Android banker malware.
Ever wanted to get the payload out of packed malware without running an Android emulator? Me neither.

![](assets/unpack.gif)

### :eyes: Installation

```bash
pip install kavanoz
```

### :zap: Usage

From the command line:
```bash
kavanoz /tmp/filepath
```

From the Python library:
```py
from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break
```

### :snake: Scripts:

- [rc4.py](src/kavanoz/loader/rc4.py) Generic RC4-encrypted asset file. The script covers multiple versions.
- [old_rc4.py](src/kavanoz/loader/old_rc4.py) Another generic RC4-encrypted asset file.
- [subapp.py](src/kavanoz/loader/subapp.py) Decryption of a file with a key derived from the ProtectKey variable in the manifest.
- [multidex.py](src/kavanoz/loader/multidex.py) Multidex-like loader with a zlib-inflated packed file.
- [coper.py](src/kavanoz/loader/coper.py) Extracts the RC4 key from the native library with emulation (AndroidNativeEmu).
- [moqhao.py](src/kavanoz/loader/moqhao.py) Emulation for moqhao unpacking.
- [sesdex.py](src/kavanoz/loader/sesdex.py)
- [simple_aes.py](src/kavanoz/loader/simple_aes.py)
- [simple_xor.py](src/kavanoz/loader/simple_xor.py)
- [simple_xor2.py](src/kavanoz/loader/simple_xor2.py)
- [simple_xor_zlib.py](src/kavanoz/loader/simple_xor_zlib.py)
- [subapp.py](src/kavanoz/loader/subapp.py) Decrypts an asset with the package name.


### :gear: Development

To add a new plugin, create a new file in the loader folder, extend the Unpacker class from unpack_plugin.py, and implement start_decrypt:
```py
def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):
```

Add the following function to allow an early exit from the plugin:
```py
def lazy_check(self, apk_object: APK, dexes: "list[DEX]"):
```

If extraction is successful, set self.decrypted_payload_path to the path of the extracted file.
You can use these helper functions from the Unpacker class:
- get_array_data
- get_smali
- find_method(class_name, method_name, descriptor="")
- check_and_write_file(file_data): checks the data for dex, zip and zlib headers and writes the unpacked dex as "external-{m[:8]}.dex"

### :book: Tips

- self.dexes holds the DEX objects. You can get a class with `dex.get_class(smali_annotation_of_class)`.
- Pass a target method object to get_smali to get the smali representation of that method, then apply a regex to pull data out of the smali. Many predefined regexes are available in [smali_regexes.py](smali_regexes.py).
- Most of the time packers use a file from the assets folder. You can list the files with `self.apk_object.get_files()`.
- Most of the time packers use the Application class to start the unpacking sequence. Use `application = self.apk_object.get_attribute_value("application", "name")` to get the Application class defined in the manifest.
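The Development and Tips sections above describe the shape of a loader plugin: decrypt an asset, inflate it if it is zlib-wrapped, check whether the result carries a dex/zip/zlib header, and write it out as "external-{m[:8]}.dex". The block below is an added, self-contained example of that pipeline and is not kavanoz's own code: it has no dependency on kavanoz or androguard, the RC4 routine stands in for what the rc4/old_rc4 loaders do, and the details of the real check_and_write_file helper are assumed (in particular, `m` is taken to be the MD5 hex digest of the payload). The packed sample it unpacks is constructed inline, so it runs offline.

```python
"""Added example (not kavanoz's own code): a payload sniffer in the spirit of
check_and_write_file plus a generic RC4 + zlib asset decryptor like the
rc4/simple_xor_zlib loaders.  The real helper's layout and the meaning of `m`
in "external-{m[:8]}.dex" are assumptions (m is taken to be the MD5 hexdigest)."""
import hashlib
import tempfile
import zlib
from pathlib import Path
from typing import Optional, Tuple

DEX_MAGIC = b"dex\n"       # followed by a 3-digit version and a NUL, e.g. b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty zip/apk/jar


def classify_payload(data: bytes) -> Optional[str]:
    """Return "dex", "zip", "zlib" or None from the leading bytes of data."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8 and data[7] == 0:
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    # RFC 1950 header: CMF=0x78 (deflate, 32K window) and (CMF*256 + FLG) % 31 == 0
    if len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0:
        return "zlib"
    return None


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_asset(blob: bytes, key: bytes) -> Tuple[Optional[str], bytes]:
    """Decrypt an RC4-protected asset, inflate it when it is zlib-wrapped and
    return (kind, payload).  kind is None when nothing recognisable comes out;
    that is the case in which a plugin's start_decrypt should leave
    self.decrypted_payload_path unset."""
    plain = rc4(key, blob)
    kind = classify_payload(plain)
    if kind == "zlib":
        try:
            plain = zlib.decompress(plain)
        except zlib.error:  # valid-looking zlib header but corrupt/truncated stream
            return None, plain
        kind = classify_payload(plain)
    return kind, plain


def write_payload(data: bytes, out_dir: Optional[str] = None) -> Optional[Path]:
    """Mimic check_and_write_file: write only data that carries a dex or zip
    header, naming it external-<first 8 hex chars of md5>.dex (naming assumed)."""
    if classify_payload(data) not in ("dex", "zip"):
        return None
    m = hashlib.md5(data).hexdigest()  # used only to derive a file name
    target = Path(out_dir or tempfile.mkdtemp()) / f"external-{m[:8]}.dex"
    target.write_bytes(data)
    return target


def build_sample_asset() -> Tuple[bytes, bytes, bytes]:
    """Construct a packed asset the way a simple packer would: a fake dex
    (header magic plus zero padding, not a real dex) is zlib-compressed and
    then RC4-encrypted.  Returns (blob, key, original_dex)."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 104  # constructed sample
    key = b"constructed-example-key"
    blob = rc4(key, zlib.compress(fake_dex))
    return blob, key, fake_dex


if __name__ == "__main__":
    blob, key, original = build_sample_asset()
    kind, payload = unpack_asset(blob, key)
    print("container:", kind, "| recovered original:", payload == original)
    print("written to:", write_payload(payload))
```

Note that `classify_payload` is run twice: once on the decrypted bytes to decide whether an inflate step is needed, and again on the inflated bytes, which is what makes the zlib case and the plain dex case share one code path; a plugin that needs AES or XOR instead of RC4 only has to swap the first step.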

### Thanks:
[apkdetect.com](https://apkdetect.com) for unique samples to work with. 


Raw data

{
    "_id": null,
    "home_page": "",
    "name": "kavanoz",
    "maintainer": "",
    "docs_url": null,
    "requires_python": "",
    "maintainer_email": "Ahmet Bilal Can <eybisii@gmail.com>",
    "keywords": "android,malware,unpacking,packer",
    "author": "Ahmet Bilal Can",
    "author_email": "eybisii@gmail.com",
    "download_url": "https://files.pythonhosted.org/packages/3a/06/8d041284d3211f540c869edfa1843ef146930cf8db61a98af881b8740f20/kavanoz-0.0.3.tar.gz",
    "platform": null,
    "description": "# \ud83e\uded9 kavanoz \ud83e\uded9\n![](https://img.shields.io/github/license/eybisi/kavanoz)\n![](https://img.shields.io/github/stars/eybisi/kavanoz)\n![](https://img.shields.io/github/issues-closed/eybisi/kavanoz.svg)\n![](https://img.shields.io/github/issues-pr-closed/eybisi/kavanoz.svg)\n\nStatically unpacking common android banker malware.\nEver wanted to get payload from packed malware without running android emulator ? Me neither.\n\n![](assets/unpack.gif)\n\n### :eyes: Installation\n\n```\npip install kavanoz\n```\n\n### :zap: Usage\n\nfrom cmdline\n```bash\nkavanoz /tmp/filepath\n```\n\nfrom python library\n```py\nfrom kavanoz.core import Kavanoz\nfrom kavanoz import utils\n\nutils.set_log(\"DEBUG\")\nk = Kavanoz(apk_path=\"tests/test_apk/coper.apk\")\nfor plugin_result in k.get_plugin_results():\n    if plugin_result[\"status\"] == \"success\":\n        print(\"Unpacked\")\n        print(plugin_result)\n        break\n```\n\n### :snake: Scripts:\n\n- [rc4.py](src/kavanoz/loader/rc4.py) Generic rc4 encrypted asset file. Script covers multiple versions.\n- [old_rc4.py](src/kavanoz/loader/old_rc4.py) Another Generic rc4 encrypted asset file.\n- [subapp.py](src/kavanozloader/subapp.py) Decryption of file with key derived from Manifest file ProtectKey variable\n- [multidex.py](src/kavanoz/loader/multidex.py) Multidex like loader with inflated packed file. 
(zlib compression)\n- [coper.py](src/kavanoz/loader/coper.py) Extract rc4 key from native lib with emulation (AndroidNativeEmu)\n- [moqhao.py](src/kavanozloader/moqhao.py) Emulation for moqhau unpacking.\n- [sesdex.py](src/kavanoz/loader/sesdex.py)\n- [simple_aes.py](src/kavanoz/loader/simple_aes.py)\n- [simple_xor.py](src/kavanoz/loader/simple_xor.py)\n- [simple_xor2.py](src/kavanoz/loader/simple_xor2.py)\n- [simple_xor_zlib.py](src/kavanoz/loader/simple_xor_zlib.py)\n- [subapp.py](src/kavanoz/loader/subapp.py) Decrypt asset with package name\n\n\n### :gear: Development\n\nTo add new plugins just create new file in loader folder. Extend Unpacker class from unpack_plugin.py file. Define start_decrypt function with your implementation. \n```py\ndef start_decrypt(self, apk_object: APK, dexes: \"list[DEX]\"):\n```\n\nAdd following function to make early exit from plugin. \n```py\ndef lazy_check(self,apk_object:APK, dexes: \"list[DEX]\"):\n```\n\nIf extraction is succesful assign self.decrypted_payload_path with extracted file path.\nYou can use helper functions from unpacker class:\n- get_array_data\n- get_smali\n- find_method(class_name,method_name,descriptor=\"\")\n- check_and_write_file(file_data) : checks file has dex, zip and zlib headers and writes unpacked dex with name : \"external-{m[:8]}.dex\"\n\n### :book: Tips\n\n- self.dexes hold dex objects. You can get class with `dex.get_class(smali_annotation_of_class)`.\n- You can use get_smali function and give target method obj to get smali represantation of target method. Then apply some regex to get data from smali. There are lots of defined regexs in [smali_regexes.py](smali_regexes.py) file to lookup. \n- Most of the time packers use file from asset folder. You can get files with `self.apk_object.get_files()` \n- Most of the time packers use Application class to start unpacking sequence. 
Use `application = self.apk_object.get_attribute_value(\"application\", \"name\")` to get application class defined in manifest file. \n\n### Thanks:\n[apkdetect.com](https://apkdetect.com) for unique samples to work with. \n\n",
    "bugtrack_url": null,
    "license": "MIT License",
    "summary": "Unpacking framework for common android malware",
    "version": "0.0.3",
    "project_urls": null,
    "split_keywords": [
        "android",
        "malware",
        "unpacking",
        "packer"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "07f5496ef863ab63d20dc643da4101b1aaf837a482a0325a4378083e05aeb5de",
                "md5": "847bd709997b3d90fe5b46a006d71e88",
                "sha256": "ef7f736fb0dd7f95547b92ab09093a3ada5d4ac3afc1aff40c637b252d9201ca"
            },
            "downloads": -1,
            "filename": "kavanoz-0.0.3-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "847bd709997b3d90fe5b46a006d71e88",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": null,
            "size": 438774,
            "upload_time": "2024-01-02T11:14:22",
            "upload_time_iso_8601": "2024-01-02T11:14:22.776874Z",
            "url": "https://files.pythonhosted.org/packages/07/f5/496ef863ab63d20dc643da4101b1aaf837a482a0325a4378083e05aeb5de/kavanoz-0.0.3-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "3a068d041284d3211f540c869edfa1843ef146930cf8db61a98af881b8740f20",
                "md5": "03e6c1b41550e851aded202c5b90bdee",
                "sha256": "5ea193cbbbb275faa47790a04306c318e3bc534946061a0f9076a9345f95d603"
            },
            "downloads": -1,
            "filename": "kavanoz-0.0.3.tar.gz",
            "has_sig": false,
            "md5_digest": "03e6c1b41550e851aded202c5b90bdee",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 429338,
            "upload_time": "2024-01-02T11:14:24",
            "upload_time_iso_8601": "2024-01-02T11:14:24.606145Z",
            "url": "https://files.pythonhosted.org/packages/3a/06/8d041284d3211f540c869edfa1843ef146930cf8db61a98af881b8740f20/kavanoz-0.0.3.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-01-02 11:14:24",
    "github": false,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "lcname": "kavanoz"
}