dexray-intercept


Name: dexray-intercept
Version: 0.2.9.0
Home page: https://github.com/fkie-cad/Sandroid_Dexray-Intercept
Summary: This project is part of the dynamic Sandbox Sandroid. Its purpose is to create runtime profiles to track the behavior of an Android application. This is done utilizing frida.
Upload time: 2025-07-31 08:12:51
Maintainer: None
Docs URL: None
Author: Daniel Baier, Jan-Niclas Hilgert
Requires Python: >=3.6
License: GPL v3
Keywords: mobile, instrumentation, frida, hook, android
Requirements: No requirements were recorded.
            <div align="center">
    <img src="assets/logo.png" alt="Dexray Intercept Logo" width="400"/>
    <p></p><strong>Android Binary API Tracer</strong>
</div>

# Sandroid - Dexray Intercept
![version](https://img.shields.io/badge/version-0.2.9.0-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.png?id=py&r=r&ts=1683906897&type=6e&v=0.2.9.0&x2=0)](https://badge.fury.io/py/dexray-intercept) [![CI](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/ci.yml)
[![Ruff](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/lint.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/lint.yml)
[![Publish status](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/publish.yml)

Dexray Intercept is part of the dynamic Sandbox Sandroid. Its purpose is to create runtime profiles to track the behavior of an Android application. This is done utilizing frida.

## Install

Just install it with pip:
```bash
python3 -m pip install dexray-intercept
```

This installs Dexray Intercept as the command line tool `ammm` (also available as `dexray-intercept`) 
and as the Python package `dexray_intercept`. How to use the package is described below. 

## Run

Ensure that your Android device (or AVD) is rooted; `frida-server` is installed and updated to the latest version automatically. Since this runs a root-privileged `frida-server` on the device and the traced apps are often malware samples, use a dedicated analysis device or an emulator snapshot rather than a personal phone. Then you can use Dexray Intercept by invoking the following command:

```bash
ammm <target app>
```

### Hook Selection (New Feature)

All hooks are **disabled by default** for optimal performance. Enable hooks based on your analysis needs:

```bash
# Enable specific hooks
ammm --enable-aes <app_name>                    # Enable AES crypto hooks
ammm --enable-web <app_name>                    # Enable web/HTTP hooks
ammm --enable-aes --enable-web <app_name>       # Enable multiple hooks

# Enable hook groups
ammm --hooks-crypto <app_name>                  # Enable all crypto hooks
ammm --hooks-network <app_name>                 # Enable all network hooks  
ammm --hooks-filesystem <app_name>              # Enable all file system hooks

# Enable all hooks (performance impact)
ammm --hooks-all <app_name>                     # Enable all available hooks

# Use package identifier instead of app name
ammm -s com.example.package --hooks-crypto
```

### Available Hook Categories

- **Crypto**: `--hooks-crypto` (AES, encodings, keystore, certificates)
- **Network**: `--hooks-network` (HTTP, sockets, SSL/TLS)
- **File System**: `--hooks-filesystem` (file operations, databases, shared preferences)
- **IPC**: `--hooks-ipc` (intents, broadcasts, binder, shared preferences)
- **Process**: `--hooks-process` (DEX unpacking, native libraries, runtime)
- **Services**: `--hooks-services` (camera, location, telephony, bluetooth)

Here is an example of monitoring the Chrome app on our AVD:
```bash
ammm Chrome
        Dexray Intercept
⠀⠀⠀⠀⢀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠙⢷⣤⣤⣴⣶⣶⣦⣤⣤⡾⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠾⠛⢉⣉⣉⣉⡉⠛⠷⣦⣄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠋⣠⣴⣿⣿⣿⣿⣿⡿⣿⣶⣌⠹⣷⡀⠀⠀
⠀⠀⠀⠀⣼⣿⣿⣉⣹⣿⣿⣿⣿⣏⣉⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠁⣴⣿⣿⣿⣿⣿⣿⣿⣿⣆⠉⠻⣧⠘⣷⠀⠀
⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⡇⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀⠈⠀⢹⡇⠀
⣠⣄⠀⢠⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⣠⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⡇⢸⣿⠛⣿⣿⣿⣿⣿⣿⡿⠃⠀⠀⠀⠀⢸⡇⠀
⣿⣿⡇⢸⣿⣿⣿Sandroid⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣷⠀⢿⡆⠈⠛⠻⠟⠛⠉⠀⠀⠀⠀⠀⠀⣾⠃⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣧⡀⠻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⠃⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢼⠿⣦⣄⠀⠀⠀⠀⠀⠀⠀⣀⣴⠟⠁⠀⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣦⠀⠀⠈⠉⠛⠓⠲⠶⠖⠚⠋⠉⠀⠀⠀⠀⠀⠀
⠻⠟⠁⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠈⠻⠟⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠉⠉⣿⣿⣿⡏⠉⠉⢹⣿⣿⣿⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⢀⣄⠈⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠈⠉⠉⠀⠀⠀⠀⠉⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
[*] starting app profiling
[*] press Ctrl+C to stop the profiling ...

[*] Filesystem profiling informations:
[*] [Libc::read] Read FD (anon_inode:[eventfd],0x7ac6b67540,8)

[*] Filesystem profiling informations:
[*] [Libc::read] Read FD (anon_inode:[eventfd],0x7fcb41c990,8
```



## Run as package 

### New API (Recommended)

Install Dexray Intercept as a package and use the new modular architecture:

```python
from dexray_intercept import AppProfiler, setup_frida_device
from dexray_intercept.services.hook_manager import HookManager

# Connect to device and get process
device = setup_frida_device()
process = device.attach("com.example.app")

# Configure hooks (all disabled by default for performance)
hook_config = {
    'aes_hooks': True,
    'web_hooks': True, 
    'file_system_hooks': True,
    'keystore_hooks': True
}

# Create profiler with new architecture
profiler = AppProfiler(
    process, 
    verbose_mode=True,
    output_format="JSON",
    hook_config=hook_config,
    enable_stacktrace=True
)

# Start profiling
script = profiler.start_profiling()

# ... let app run and collect data ...

# Get results
profile_data = profiler.get_profile_data()
json_output = profiler.get_profiling_log_as_json()

# Runtime hook management
profiler.enable_hook('socket_hooks', True)  # Enable more hooks at runtime
enabled_hooks = profiler.get_enabled_hooks()  # Check what's enabled

# Stop profiling
profiler.stop_profiling()
```

### Hook Categories

Enable specific hook groups based on your analysis needs:

```python
# Crypto hooks
hook_config = {
    'aes_hooks': True,
    'encodings_hooks': True, 
    'keystore_hooks': True
}

# Network hooks  
hook_config = {
    'web_hooks': True,
    'socket_hooks': True
}

# File system hooks
hook_config = {
    'file_system_hooks': True,
    'database_hooks': True
}

# Enable all hooks (performance impact)
profiler.enable_all_hooks()

# Enable hook groups
profiler.enable_hook_group('crypto')  # Enable all crypto-related hooks
```

### Legacy API (Backward Compatibility)

The old API is still available for backward compatibility:

```python
from dexray_intercept import AppProfilerLegacy
# OR use environment variable: DEXRAY_FORCE_OLD_ARCH=true

profiler = AppProfilerLegacy(process_session, verbose=True, output_format="CMD", 
                           base_path=None, deactivate_unlink=False)
profiler.instrument()  # Old method name
# ... 
profiler.finish_app_profiling()  # Old method name
```

### Sandroid usage

To run it as a package in Sandroid, ensure that you have also installed the `JobManager` from [AndroidFridaManager](https://github.com/fkie-cad/AndroidFridaManager). This allows running multiple frida sessions in different threads.
All you have to do is run the following code:
```python
from AndroidFridaManager import JobManager
from dexray_intercept import AppProfiler 

job_manager = JobManager()
app_package = "net.classwindexampleyear.bookseapiececountry"
profiler = AppProfiler(job_manager.process_session, True, output_format="JSON", base_path=None, deactivate_unlink=False)
frida_script_path = profiler.get_frida_script()

job_manager.setup_frida_session(app_package, profiler.on_appProfiling_message)
job = job_manager.start_job(frida_script_path, custom_hooking_handler_name=profiler.on_appProfiling_message)

# close only the job and the frida session keeps active to run other frida scripts
# job_manager.stop_job_with_id(job.job_id) 
job_manager.stop_app_with_closing_frida(app_package) # stops the frida session and the app and all frida jobs

profiler.write_profiling_log() # write the log data to profile.json
# instead of writing it to a file the JSON output will just be returned
# profiler.get_profiling_log_as_JSON() 
```
Ensure that no other part of your code is trying to connect to the frida server (no other frida session).
To test this you can try the following sample: [catelites_2018_01_19.apk](https://gitlab.fkie.fraunhofer.de/def/androidmalwaremotionmonitor/-/blob/main/samples/unpacking/catelites_2018_01_19.apk?ref_type=heads). The package name is `net.classwindexampleyear.bookseapiececountry`. Ensure that your AVD is running Android 9, so that the sample can execute all of its malicious code. You can install this sample simply with `adb install samples/unpacking/catelites_2018_01_19.apk`.

## Compile and Development
 
To compile this project, ensure that `npm` and `frida-compile` are installed on your system and available in your `PATH`.
Then invoke the following command to get the latest frida agent compiled:
```bash
$ cd <AppProfiling-Project>
$ npm install .
> Dexray Intercept@0.0.1.5 prepare
> npm run build


> Dexray Intercept@0.0.1.5 build
> frida-compile agent/hooking_profile_loader.ts -o src/dexray_intercept/profiling.js


up to date, audited 75 packages in 6s

19 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

This ensures that the latest frida scripts/hooks are used in `ammm`.

To make adjustments to the Python code, it is recommended to install `ammm` with pip in editable mode:
```bash
python3 -m pip install -e . 
```
This way local changes to the Python code are reflected without building a new version of the package.


## Requirements

Invoking the following command in this directory uses `setup.py` to install `ammm` as a local Python package on your system:
```bash
python3 -m pip install .
``` 


### Dev

To compile the TypeScript frida hooks we need the `frida-compile` ([link](https://github.com/frida/frida-compile)) project, which is bundled with `frida-tools`. 
```bash
python3 -m pip install frida-tools
```
Besides this we also need `frida-java-bridge` and the internal frida type definitions:
```bash
npm install frida-java-bridge@latest --save
npm install --save-dev @types/frida-gum@latest
```

### Deep Unpacking

When unpacking, applications may load DexCode, previously located in distinct memory blocks, into a DexFile, which represents the code being executed. For instance, some applications restore instructions immediately before execution. In such cases, Sandroid is unable to revert the instructions back into the DexFile. Further research is necessary to resolve this issue.
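An added example, not part of Sandroid or Dexray Intercept: when a DexFile dumped from memory is suspected to have been patched after loading (instructions restored right before execution, as described above), a quick consistency check is to recompute the two hashes the DEX header carries. The checksum field is the Adler-32 over everything after it (offset 12 to `file_size`), and the signature is the SHA-1 over everything after the signature (offset 32 to `file_size`). A mismatch means the body no longer matches what the header describes, either because code was restored in memory after the header was written or because the packer zeroed these fields in the first place; it tells you not to trust the dump as a faithful DEX, but it cannot recover the original instructions. `build_minimal_dex` is a helper that constructs a header-only blob so the checker can be run offline; it is not a loadable DEX.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70                 # fixed header length for all DEX versions
DEX_ENDIAN_CONSTANT = 0x12345678
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")


def check_dex_dump(blob: bytes) -> dict:
    """Check whether a DEX blob dumped from memory is internally consistent.

    Header layout used here (offsets in bytes):
      0x00 magic[8]        0x08 checksum (Adler-32 over bytes 12..file_size)
      0x0C signature[20]   (SHA-1 over bytes 32..file_size)
      0x20 file_size       0x24 header_size (0x70)   0x28 endian_tag
    Returns a dict with 'ok' and a list of human-readable 'problems'.
    """
    problems = []
    if len(blob) < DEX_HEADER_SIZE:
        return {"ok": False, "problems": ["truncated: shorter than the 0x70-byte DEX header"]}

    magic = blob[:8]
    if magic not in DEX_MAGICS:
        problems.append(f"bad magic {magic!r}")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)

    if header_size != DEX_HEADER_SIZE:
        problems.append(f"header_size 0x{header_size:x} != 0x70")
    if endian_tag != DEX_ENDIAN_CONSTANT:
        problems.append(f"endian_tag 0x{endian_tag:x} != 0x12345678")
    if file_size != len(blob):
        problems.append(f"file_size {file_size} != dump length {len(blob)}")

    # The hashes cover only the declared file_size; an over-sized memory dump
    # carries trailing bytes that must not be fed into them.
    body = blob[:file_size] if file_size <= len(blob) else blob
    if (zlib.adler32(body[12:]) & 0xFFFFFFFF) != checksum:
        problems.append("checksum mismatch: body differs from what the header describes")
    if hashlib.sha1(body[32:]).digest() != signature:
        problems.append("signature mismatch: body differs from what the header describes")

    return {"ok": not problems, "magic": magic, "file_size": file_size, "problems": problems}


def build_minimal_dex(payload: bytes = b"") -> bytes:
    """Construct a header-only DEX blob (all table sizes/offsets zero) with a
    valid checksum and signature, so the checker can be exercised offline.
    This is a constructed test input, not a loadable DEX."""
    total = DEX_HEADER_SIZE + len(payload)
    # file_size, header_size, endian_tag, then the 17 remaining u32 header fields
    # (link/map/string/type/proto/field/method/class_defs/data sizes and offsets) zeroed
    rest = struct.pack("<III", total, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT) + b"\0" * 68 + payload
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return DEX_MAGICS[0] + struct.pack("<I", checksum) + signature + rest


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_minimal_dex(b"\0" * 16)
    print(check_dex_dump(blob))
```

Run it as `python3 check_dex_dump.py dumped.dex`; without an argument it checks the constructed blob. Unpackers frequently leave `file_size` larger than the region you dumped or zero the checksum entirely, so treat each listed problem as a pointer to what to re-dump or repair rather than as proof of tampering.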

## Samples

The password for unzipping the samples is `androidtrainingpassword`

### Example case Sara

First we extract and install the sample:
```bash
$ cd samples
$ unzip -P androidtrainingpassword Sara_androidtrainingpassword.zip 
$ cd ..
$ adb install samples/Sara.apk
```

Next we have to identify the bundle identifier of the installed app:
```bash
$ frida-ps -Uai
  PID  Name           Identifier
-----  -------------  ---------------------------------------
 1836  Google         com.google.android.googlequicksearchbox
 1836  Google         com.google.android.googlequicksearchbox
 1677  Messages       com.google.android.apps.messaging
  927  SIM Toolkit    com.android.stk
12185  Settings       com.android.settings
    -  Calendar       com.google.android.calendar
    -  Camera         com.android.camera2
    -  Chrome         com.android.chrome
    -  Clock          com.google.android.deskclock
    -  Contacts       com.google.android.contacts
    -  Drive          com.google.android.apps.docs
    -  Files          com.google.android.documentsui
    -  Gmail          com.google.android.gm
    -  Maps           com.google.android.apps.maps
    -  Phone          com.google.android.dialer
    -  Photos         com.google.android.apps.photos
    -  Sara           com.termuxhackers.id
    -  YouTube        com.google.android.youtube
```

In our case it is `com.termuxhackers.id`. So we can start this malware sample with the following command and then attach Dexray Intercept to it (take a snapshot of your device first, so you can roll back after the run):
```bash
$ adb shell am start -n "com.termuxhackers.id/com.MainAcitivy" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
$ ammm Sara
        Dexray Intercept
⠀⠀⠀⠀⢀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠙⢷⣤⣤⣴⣶⣶⣦⣤⣤⡾⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠾⠛⢉⣉⣉⣉⡉⠛⠷⣦⣄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠋⣠⣴⣿⣿⣿⣿⣿⡿⣿⣶⣌⠹⣷⡀⠀⠀
⠀⠀⠀⠀⣼⣿⣿⣉⣹⣿⣿⣿⣿⣏⣉⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠁⣴⣿⣿⣿⣿⣿⣿⣿⣿⣆⠉⠻⣧⠘⣷⠀⠀
⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⡇⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀⠈⠀⢹⡇⠀
⣠⣄⠀⢠⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⣠⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⡇⢸⣿⠛⣿⣿⣿⣿⣿⣿⡿⠃⠀⠀⠀⠀⢸⡇⠀
⣿⣿⡇⢸⣿⣿⣿Sandroid⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣷⠀⢿⡆⠈⠛⠻⠟⠛⠉⠀⠀⠀⠀⠀⠀⣾⠃⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣧⡀⠻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⠃⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢼⠿⣦⣄⠀⠀⠀⠀⠀⠀⠀⣀⣴⠟⠁⠀⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣦⠀⠀⠈⠉⠛⠓⠲⠶⠖⠚⠋⠉⠀⠀⠀⠀⠀⠀
⠻⠟⠁⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠈⠻⠟⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠉⠉⣿⣿⣿⡏⠉⠉⢹⣿⣿⣿⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⢀⣄⠈⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠈⠉⠉⠀⠀⠀⠀⠉⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
[*] attaching to app: Sara
[*] starting app profiling
[*] press Ctrl+C to stop the profiling ...

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/misc/profiles/cur/0/com.termuxhackers.id/primary.prof' (fd: 97)
```

### Example case koler.apk

Again, we first have to extract the sample and install it on the device:

```bash
$ unzip -P infected 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705.zip
Archive:  18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705.zip
  inflating: 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705
$ mv 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705 koler.apk
$ adb install koler.apk
Performing Streamed Install
Success
```
Now we have to identify the name of the app so we can later attach to it:

```bash
frida-ps -Uai
  PID  Name           Identifier
-----  -------------  -------------------------------------------
12095  Chrome         com.android.chrome
 1836  Google         com.google.android.googlequicksearchbox
 1836  Google         com.google.android.googlequicksearchbox
 1677  Messages       com.google.android.apps.messaging
  927  SIM Toolkit    com.android.stk
12185  Settings       com.android.settings
    -  Calendar       com.google.android.calendar
    -  Camera         com.android.camera2
    -  Clock          com.google.android.deskclock
    -  Contacts       com.google.android.contacts
    -  Drive          com.google.android.apps.docs
    -  Files          com.google.android.documentsui
    -  Gmail          com.google.android.gm
    -  Maps           com.google.android.apps.maps
    -  Phone          com.google.android.dialer
    -  Photos         com.google.android.apps.photos
    -  Pornhub        upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq
```

This sample unpacks itself, and normally we would see this in `Dexray Intercept` if we were able to spawn the app. Unfortunately, Frida versions from 16.0.4 onward could not spawn the target app without running into a timeout error. We found that this Frida bug is triggered whenever an app requests runtime permissions (more [infos](https://github.com/frida/frida/issues/2005)). It appears to be fixed in the most recent Frida release.

So we now spawn this malware using `Dexray Intercept` and see some interesting output:

```bash
$ ammm -s upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq 
        Dexray Intercept
⠀⠀⠀⠀⢀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠙⢷⣤⣤⣴⣶⣶⣦⣤⣤⡾⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠾⠛⢉⣉⣉⣉⡉⠛⠷⣦⣄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠋⣠⣴⣿⣿⣿⣿⣿⡿⣿⣶⣌⠹⣷⡀⠀⠀
⠀⠀⠀⠀⣼⣿⣿⣉⣹⣿⣿⣿⣿⣏⣉⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠁⣴⣿⣿⣿⣿⣿⣿⣿⣿⣆⠉⠻⣧⠘⣷⠀⠀
⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⡇⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀⠈⠀⢹⡇⠀
⣠⣄⠀⢠⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⣠⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⡇⢸⣿⠛⣿⣿⣿⣿⣿⣿⡿⠃⠀⠀⠀⠀⢸⡇⠀
⣿⣿⡇⢸⣿⣿⣿Sandroid⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣷⠀⢿⡆⠈⠛⠻⠟⠛⠉⠀⠀⠀⠀⠀⠀⣾⠃⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣧⡀⠻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⠃⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢼⠿⣦⣄⠀⠀⠀⠀⠀⠀⠀⣀⣴⠟⠁⠀⠀⠀
⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣦⠀⠀⠈⠉⠛⠓⠲⠶⠖⠚⠋⠉⠀⠀⠀⠀⠀⠀
⠻⠟⠁⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠈⠻⠟⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠉⠉⣿⣿⣿⡏⠉⠉⢹⣿⣿⣿⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣿⣿⣿⡇⠀⠀⢸⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⢀⣄⠈⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠈⠉⠉⠀⠀⠀⠀⠉⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
[*] attaching to app: Pornhub
[*] starting app profiling
[*] press Ctrl+C to stop the profiling ...

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/cache/WebView/Default/HTTP Cache/Cache_Data/510c1bd5457bae66_0' (fd: 187)
[*] Filesystem profiling informations:
[*] [+] Unlink : /data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/cache/WebView/Default/HTTP Cache/Cache_Data/todelete_510c1bd5457bae66_0_1
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG' (fd: 5)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: -1)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: 68)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG,0x77d9937d10,156)

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/MANIFEST-000001' (fd: 70)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/MANIFEST-000001,0x77d9938010,7
...
```
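The traces in the Chrome, Sara and koler examples above are printed in the CMD output format, one event per line. The following script is an added example, not part of Dexray Intercept, that parses those lines into structured events and applies a few triage rules an analyst typically wants after a run: opens that failed, bytes written per file, code files (`.dex`, `.jar`, `.so`, ...) touched inside app-private storage, and files that were written and then unlinked. The sample trace is constructed for the example (the `payload.dex` lines and the package name are made up; the other lines mirror the real output shape), and the regexes tolerate the missing closing parenthesis that appears in some read/write lines above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the CMD output format that `ammm` prints (same shape as
# the Chrome, Sara and koler traces). The payload.dex lines are made up to
# exercise the dropped-code rule; com.example.pkg is a placeholder package.
SAMPLE_TRACE = """\
[*] Filesystem profiling informations:
[*] [Libc::read] Read FD (anon_inode:[eventfd],0x7ac6b67540,8)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/com.example.pkg/app_webview/Default/Session Storage/LOCK' (fd: -1)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/com.example.pkg/app_webview/Default/Session Storage/LOG' (fd: 5)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/com.example.pkg/app_webview/Default/Session Storage/LOG,0x77d9937d10,156)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/com.example.pkg/files/payload.dex' (fd: 71)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/com.example.pkg/files/payload.dex,0x77d9a00000,4096)
[*] Filesystem profiling informations:
[*] [+] Unlink : /data/user/0/com.example.pkg/files/payload.dex
"""

OPEN_RE = re.compile(r"\[Libc::open\] Open file '(?P<path>.+)' \(fd: (?P<fd>-?\d+)\)")
UNLINK_RE = re.compile(r"\[\+\] Unlink : (?P<path>\S.*)")
# The trailing ')' is optional because some read/write lines in the tool output lack it.
RW_RE = re.compile(r"\[Libc::(?P<op>read|write)\] (?:Read|Write) FD "
                   r"\((?P<path>.+),(?P<addr>0x[0-9a-fA-F]+),(?P<length>\d+)\)?")


@dataclass
class FsEvent:
    op: str                       # "open", "read", "write" or "unlink"
    path: str                     # file path, or a pseudo-path such as anon_inode:[eventfd]
    fd: Optional[int] = None      # only set for open
    length: Optional[int] = None  # only set for read/write


def parse_trace(text: str) -> list[FsEvent]:
    """Turn the CMD-format trace into structured events; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if (m := OPEN_RE.search(line)):
            events.append(FsEvent("open", m["path"], fd=int(m["fd"])))
        elif (m := UNLINK_RE.search(line)):
            events.append(FsEvent("unlink", m["path"]))
        elif (m := RW_RE.search(line)):
            events.append(FsEvent(m["op"], m["path"], length=int(m["length"])))
    return events


CODE_SUFFIXES = (".dex", ".jar", ".apk", ".so", ".odex", ".oat")
PRIVATE_PREFIXES = ("/data/user/0/", "/data/data/")


def triage(events: list[FsEvent]) -> dict:
    """Summarise a trace the way an analyst skims it: failed opens, bytes written
    per file, code files inside app-private storage, and files written then unlinked."""
    failed_opens = [e.path for e in events if e.op == "open" and e.fd < 0]
    bytes_written = Counter()
    for e in events:
        if e.op == "write" and e.length:
            bytes_written[e.path] += e.length
    dropped_code = sorted({e.path for e in events
                           if e.op in ("open", "write")
                           and e.path.startswith(PRIVATE_PREFIXES)
                           and e.path.lower().endswith(CODE_SUFFIXES)})
    written = set(bytes_written)
    write_then_unlink = sorted({e.path for e in events if e.op == "unlink" and e.path in written})
    return {
        "failed_opens": failed_opens,
        "bytes_written": dict(bytes_written),
        "dropped_code": dropped_code,
        "write_then_unlink": write_then_unlink,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    print(json.dumps(triage(parse_trace(text)), indent=2))
```

Pipe a saved `ammm` run into it (`ammm <app> | tee trace.log`, then `python3 triage_trace.py trace.log`). A code file that is written and immediately unlinked inside `/data/user/0/<pkg>/` is the pattern to chase with `--hooks-process`, since the DEX was most likely loaded from that path before it was deleted.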

## Roadmap

- [x] Create templates for the different hookings we want to install in order to get a runtime profile
- [ ] Create a test application which uses all the different features we want to hook (we need some sort of ground truth in order to test our hooks)
- [ ] Implement the actual hooks 
- [x] The format to print the monitored information
- [ ] Add https://attack.mitre.org/matrices/mobile/ as a final result so we can say what kind of attacks the application is using
- [ ] We also want to track things like "these are privacy issues", "this might lead to bugs" ...

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/fkie-cad/Sandroid_Dexray-Intercept",
    "name": "dexray-intercept",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.6",
    "maintainer_email": null,
    "keywords": "mobile, instrumentation, frida, hook, android",
    "author": "Daniel Baier, Jan-Niclas Hilgert",
    "author_email": "daniel.baier@fkie.fraunhofer.de",
    "download_url": "https://files.pythonhosted.org/packages/fe/7b/9c42a03ffc4d471ebe2bfad1b69e6ba871954f39a27a9cad416483503e37/dexray_intercept-0.2.9.0.tar.gz",
    "platform": null,
    "description": "<div align=\"center\">\n    <img src=\"assets/logo.png\" alt=\"Dexray Intercept Logo\" width=\"400\"/>\n    <p></p><strong>Android Binary API Tracer</strong>\n</div>\n\n# Sandroid - Dexray Intercept\n![version](https://img.shields.io/badge/version-0.2.9.0-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.png?id=py&r=r&ts=1683906897&type=6e&v=0.2.9.0&x2=0)](https://badge.fury.io/py/dexray-intercept) [![CI](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/ci.yml)\n[![Ruff](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/lint.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/lint.yml)\n[![Publish status](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/fkie-cad/Sandroid_Dexray-Intercept/actions/workflows/publish.yml)\n\nDexray Intercept is part of the dynamic Sandbox Sandroid. Its purpose is to create runtime profiles to track the behavior of an Android application. This is done utilizing frida.\n\n## Install\n\nJust install it with pip:\n```bash\npython3 -m pip install dexray-intercept\n```\n\nThis will install Dexray Intercept as command line tool `ammm` or `dexray-intercept`. \nFurther it will provide a package `dexray_intercept`. More on how to use the package below. \n\n## Run\n\nEnsure that your Android device is rooted. The `frida-server` will be installed to the latest version automatically. Then you can use Dexray Intercept by just invoking the following command:\n\n```bash\nammm <target app>\n```\n\n### Hook Selection (New Feature)\n\nAll hooks are **disabled by default** for optimal performance. 
Enable hooks based on your analysis needs:\n\n```bash\n# Enable specific hooks\nammm --enable-aes <app_name>                    # Enable AES crypto hooks\nammm --enable-web <app_name>                    # Enable web/HTTP hooks\nammm --enable-aes --enable-web <app_name>       # Enable multiple hooks\n\n# Enable hook groups\nammm --hooks-crypto <app_name>                  # Enable all crypto hooks\nammm --hooks-network <app_name>                 # Enable all network hooks  \nammm --hooks-filesystem <app_name>              # Enable all file system hooks\n\n# Enable all hooks (performance impact)\nammm --hooks-all <app_name>                     # Enable all available hooks\n\n# Use package identifier instead of app name\nammm -s com.example.package --hooks-crypto\n```\n\n### Available Hook Categories\n\n- **Crypto**: `--hooks-crypto` (AES, encodings, keystore, certificates)\n- **Network**: `--hooks-network` (HTTP, sockets, SSL/TLS)\n- **File System**: `--hooks-filesystem` (file operations, databases, shared preferences)\n- **IPC**: `--hooks-ipc` (intents, broadcasts, binder, shared preferences)\n- **Process**: `--hooks-process` (DEX unpacking, native libraries, runtime)\n- **Services**: `--hooks-services` (camera, location, telephony, bluetooth)\n\nHere an example on monitoring the chrome app on our AVD:\n```bash\nammm Chrome\n        Dexray 
Intercept\n\u2800\u2800\u2800\u2800\u2880\u28c0\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28c0\u28c0\u28c0\u28c0\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2800\u2819\u28b7\u28e4\u28e4\u28f4\u28f6\u28f6\u28e6\u28e4\u28e4\u287e\u280b\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28f4\u283e\u281b\u2889\u28c9\u28c9\u28c9\u2849\u281b\u2837\u28e6\u28c4\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2800\u28f4\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e6\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28f4\u280b\u28e0\u28f4\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u28ff\u28f6\u28cc\u2839\u28f7\u2840\u2800\u2800\n\u2800\u2800\u2800\u2800\u28fc\u28ff\u28ff\u28c9\u28f9\u28ff\u28ff\u28ff\u28ff\u28cf\u28c9\u28ff\u28ff\u28e7\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28fc\u2801\u28f4\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28c6\u2809\u283b\u28e7\u2818\u28f7\u2800\u2800\n\u2800\u2800\u2800\u28b8\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2847\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28b0\u2847\u28b0\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u2800\u2800\u2808\u2800\u28b9\u2847\u2800\n\u28e0\u28c4\u2800\u28a0\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2800\u28e0\u28c4\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28b8\u2847\u28b8\u28ff\u281b\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u2803\u2800\u2800\u2800\u2800\u28b8\u2847\u2800\n\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u28ffSandroid\u28ff\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u2800\u2800\
u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2808\u28f7\u2800\u28bf\u2846\u2808\u281b\u283b\u281f\u281b\u2809\u2800\u2800\u2800\u2800\u2800\u2800\u28fe\u2803\u2800\n\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2838\u28e7\u2840\u283b\u2844\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28fc\u2803\u2800\u2800\n\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28bc\u283f\u28e6\u28c4\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28c0\u28f4\u281f\u2801\u2800\u2800\u2800\n\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2847\u28b8\u28ff\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28e0\u28fe\u28ff\u28e6\u2800\u2800\u2808\u2809\u281b\u2813\u2832\u2836\u2816\u281a\u280b\u2809\u2800\u2800\u2800\u2800\u2800\u2800\n\u283b\u281f\u2801\u28b8\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2847\u2808\u283b\u281f\u2800\u2800\u2800\u2800\u2800\u2800\u28e0\u28fe\u28ff\u28ff\u281f\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2809\u2809\u28ff\u28ff\u28ff\u284f\u2809\u2809\u28b9\u28ff\u28ff\u28ff\u2809\u2809\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28e0\u28fe\u28ff\u28ff\u281f\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2800\u2800\u28ff\u28ff\u28ff\u2847\u2800\u2800\u28b8\u28ff\u28ff\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28fe\u28ff\u28ff\u281f\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2
800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2800\u2800\u28ff\u28ff\u28ff\u2847\u2800\u2800\u28b8\u28ff\u28ff\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28c4\u2808\u281b\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n\u2800\u2800\u2800\u2800\u2800\u2800\u2808\u2809\u2809\u2800\u2800\u2800\u2800\u2809\u2809\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\n[*] starting app profiling\n[*] press Ctrl+C to stop the profiling ...\n\n[*] Filesystem profiling informations:\n[*] [Libc::read] Read FD (anon_inode:[eventfd],0x7ac6b67540,8)\n\n[*] Filesystem profiling informations:\n[*] [Libc::read] Read FD (anon_inode:[eventfd],0x7fcb41c990,8\n```\n\n\n\n## Run as package \n\n### New API (Recommended)\n\nInstall Dexray Intercept as a package and use the new modular architecture:\n\n```python\nfrom dexray_intercept import AppProfiler, setup_frida_device\nfrom dexray_intercept.services.hook_manager import HookManager\n\n# Connect to device and get process\ndevice = setup_frida_device()\nprocess = device.attach(\"com.example.app\")\n\n# Configure hooks (all disabled by default for performance)\nhook_config = {\n    'aes_hooks': True,\n    'web_hooks': True, \n    'file_system_hooks': True,\n    'keystore_hooks': True\n}\n\n# Create profiler with new architecture\nprofiler = AppProfiler(\n    process, \n    verbose_mode=True,\n    output_format=\"JSON\",\n    hook_config=hook_config,\n    enable_stacktrace=True\n)\n\n# Start profiling\nscript = profiler.start_profiling()\n\n# ... 
let app run and collect data ...\n\n# Get results\nprofile_data = profiler.get_profile_data()\njson_output = profiler.get_profiling_log_as_json()\n\n# Runtime hook management\nprofiler.enable_hook('socket_hooks', True)  # Enable more hooks at runtime\nenabled_hooks = profiler.get_enabled_hooks()  # Check what's enabled\n\n# Stop profiling\nprofiler.stop_profiling()\n```\n\n### Hook Categories\n\nEnable specific hook groups based on your analysis needs:\n\n```python\n# Crypto hooks\nhook_config = {\n    'aes_hooks': True,\n    'encodings_hooks': True, \n    'keystore_hooks': True\n}\n\n# Network hooks  \nhook_config = {\n    'web_hooks': True,\n    'socket_hooks': True\n}\n\n# File system hooks\nhook_config = {\n    'file_system_hooks': True,\n    'database_hooks': True\n}\n\n# Enable all hooks (performance impact)\nprofiler.enable_all_hooks()\n\n# Enable hook groups\nprofiler.enable_hook_group('crypto')  # Enable all crypto-related hooks\n```\n\n### Legacy API (Backward Compatibility)\n\nThe old API is still available for backward compatibility:\n\n```python\nfrom dexray_intercept import AppProfilerLegacy\n# OR use environment variable: DEXRAY_FORCE_OLD_ARCH=true\n\nprofiler = AppProfilerLegacy(process_session, verbose=True, output_format=\"CMD\", \n                           base_path=None, deactivate_unlink=False)\nprofiler.instrument()  # Old method name\n# ... \nprofiler.finish_app_profiling()  # Old method name\n```\n\n### Sandroid usage\n\nIn order to run it as a package in Sandroid ensure that you also installed the `JobManager` from [AndroidFridaManager](https://github.com/fkie-cad/AndroidFridaManager). 
This allows running multpitle frida sessions in different threads.\nAll you have to do is running the following code:\n```python\nfrom AndroidFridaManager import JobManager\nfrom dexray_intercept import AppProfiler \n\njob_manager = JobManager()\napp_package = \"net.classwindexampleyear.bookseapiececountry\"\nprofiler = AppProfiler(job_manager.process_session, True, output_format=\"JSON\", base_path=None, deactivate_unlink=False)\nfrida_script_path = profiler.get_frida_script()\n\njob_manager.setup_frida_session(app_package, profiler.on_appProfiling_message)\njob = job_manager.start_job(frida_script_path, custom_hooking_handler_name=profiler.on_appProfiling_message)\n\n# close only the job and the frida session keeps active to run other frida scripts\n# job_manager.stop_job_with_id(job.job_id) \njob_manager.stop_app_with_closing_frida(app_package) # stops the frida session and the app and all frida jobs\n\nprofiler.write_profiling_log() # write the log data to profile.json\n# instead of writing it to a file the JSON output will just be returned\n# profiler.get_profiling_log_as_JSON() \n```\nEnsure that no other part of your code is trying to connect to the frida server (no other frida session).\nIn order to test this you can try the following sample: [catelites_2018_01_19.apk](https://gitlab.fkie.fraunhofer.de/def/androidmalwaremotionmonitor/-/blob/main/samples/unpacking/catelites_2018_01_19.apk?ref_type=heads). The name for the package is `net.classwindexampleyear.bookseapiececountry`. Ensure that your AVD is running on Android 9, so that the sample can execute everything of its malicious code. 
You can install this sample simple with `adb install samples/unpacking/catelites_2018_01_19.apk`.\n\n## Compile and Development\n \nIn order to compile this project ensure that `npm` and `frida-compile` running on your system and installed into your path.\nThan just invoke the following command in to get the latest frida agent compiled:\n```bash\n$ cd <AppProfiling-Project>\n$ npm install .\n> Dexray Intercept@0.0.1.5 prepare\n> npm run build\n\n\n> Dexray Intercept@0.0.1.5 build\n> frida-compile agent/hooking_profile_loader.ts -o src/dexray_intercept/profiling.js\n\n\nup to date, audited 75 packages in 6s\n\n19 packages are looking for funding\n  run `npm fund` for details\n\nfound 0 vulnerabilities\n```\n\nThis ensures that the latest frida scripts/hooks are used in `ammm`.\n\nIn order to do adjustments in the python code it is recommend to install `ammm` with pip utilizing the editable mode:\n```bash\npython3 -m pip install -e . \n```\nThis way local changed in the python code gets reflected without creating a new version of the package.\n\n\n## Requirements\n\nBy just invoking the following command in this directory the `setup.py` should be used to install `ammm` as a local python package to your system:\n```bash\npython3 -m pip install .\n``` \n\n\n### Dev\n\nIn order to compile the TypeScript frida hooks we need the `frida-compile` ([link](https://github.com/frida/frida-compile)) project. Which will be bundled with `frida-tools`. \n```bash\npython3 -m pip install frida-tools\n```\nBesides this we need also support for `frida-java-bridge` and the internal frida types:\n```bash\nnpm install frida-java-bridge@latest --save\nnpm install --save-dev @types/frida-gum@latest\n```\n\n### Deep Unpacking\n\nWhen unpacking, applications may load DexCode\u2014previously pointed to distinct memory blocks\u2014into a DexFile, which represents the code being executed. For instance, some applications may restore instructions immediately before execution. 
In such cases, Sandroid is unable to revert the instructions back into the DexFile. Further research is necessary to resolve this issue.

## Samples

The password for unzipping the samples is `androidtrainingpassword` (the koler sample below uses `infected`).

### Example case Sara

First we extract and install the sample:
```bash
$ cd samples
$ unzip -P androidtrainingpassword Sara_androidtrainingpassword.zip
$ cd ..
$ adb install samples/Sara.apk
```

Next we have to identify the package identifier of the installed app:
```bash
$ frida-ps -Uai
  PID  Name           Identifier
-----  -------------  ---------------------------------------
 1836  Google         com.google.android.googlequicksearchbox
 1836  Google         com.google.android.googlequicksearchbox
 1677  Messages       com.google.android.apps.messaging
  927  SIM Toolkit    com.android.stk
12185  Settings       com.android.settings
    -  Calendar       com.google.android.calendar
    -  Camera         com.android.camera2
    -  Chrome         com.android.chrome
    -  Clock          com.google.android.deskclock
    -  Contacts       com.google.android.contacts
    -  Drive          com.google.android.apps.docs
    -  Files          com.google.android.documentsui
    -  Gmail          com.google.android.gm
    -  Maps           com.google.android.apps.maps
    -  Phone          com.google.android.dialer
    -  Photos         com.google.android.apps.photos
    -  Sara           com.termuxhackers.id
    -  YouTube        com.google.android.youtube
```

In our case it is `com.termuxhackers.id`.
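The lookup above (find the row for the app, read its identifier, decide whether to attach to a running process or spawn it) is easy to get wrong when names contain spaces or frida-ps repeats a row. The following helper is an added example and not part of dexray-intercept or AndroidFridaManager: the `frida-ps` listing it parses is constructed in the shape of the listings on this page, and the attach/spawn rule (`ammm <Name>` for a running app, `ammm -s <identifier>` for one that is installed but not running) follows the two invocations used in this README.

```python
"""Resolve an app from `frida-ps -Uai` output and build the matching ammm call.

Added example, not part of dexray-intercept. Assumes only the three-column
table frida-ps prints: PID (or "-" when the app is installed but not running),
Name (may contain spaces, e.g. "SIM Toolkit") and Identifier.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the listings shown in this README.
FRIDA_PS_OUTPUT = """\
  PID  Name           Identifier
-----  -------------  -------------------------------------------
 1836  Google         com.google.android.googlequicksearchbox
 1836  Google         com.google.android.googlequicksearchbox
 1677  Messages       com.google.android.apps.messaging
  927  SIM Toolkit    com.android.stk
    -  Sara           com.termuxhackers.id
    -  Pornhub        upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq
"""

# PID or "-", then the name (lazy, may contain spaces), then the identifier (no spaces).
# The header ("PID") and the separator ("-----") do not match this pattern.
_ROW = re.compile(r"^\s*(\d+|-)\s+(.+?)\s+(\S+)\s*$")


@dataclass(frozen=True)
class App:
    pid: Optional[int]  # None when frida-ps prints "-" (installed, not running)
    name: str
    identifier: str

    @property
    def running(self) -> bool:
        return self.pid is not None


def parse_frida_ps(text: str) -> list[App]:
    """Parse the table; duplicate rows (frida-ps sometimes repeats one) are collapsed."""
    apps: dict[str, App] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        pid, name, identifier = m.groups()
        app = App(None if pid == "-" else int(pid), name, identifier)
        apps.setdefault(identifier, app)
    return list(apps.values())


def ammm_command(apps: list[App], target: str) -> list[str]:
    """Return the ammm argv for `target` (an app name or a package identifier).

    Running app  -> attach by name:       ammm <Name>
    Not running  -> spawn by identifier:  ammm -s <identifier>
    Raises LookupError if nothing matches and ValueError if a name is ambiguous.
    """
    hits = [a for a in apps if target in (a.name, a.identifier)]
    if not hits:
        raise LookupError(f"no app named {target!r} in frida-ps output")
    if len({a.identifier for a in hits}) > 1:
        raise ValueError(f"{target!r} matches several packages: " + ", ".join(a.identifier for a in hits))
    app = hits[0]
    return ["ammm", app.name] if app.running else ["ammm", "-s", app.identifier]


if __name__ == "__main__":
    apps = parse_frida_ps(FRIDA_PS_OUTPUT)
    for target in ("Sara", "SIM Toolkit", "upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq"):
        print(target, "->", " ".join(ammm_command(apps, target)))
```

Returning an argv list rather than a shell string keeps names with spaces ("SIM Toolkit") safe to pass to `subprocess.run`.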
So we can start the sample and attach to it with the following commands (keep in mind to create a snapshot of your device first):
```bash
$ adb shell am start -n "com.termuxhackers.id/com.MainAcitivy" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
$ ammm Sara
        Dexray Intercept
        (banner omitted)

[*] attaching to app: Sara
[*] starting app profiling
[*] press Ctrl+C to stop the profiling ...

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/misc/profiles/cur/0/com.termuxhackers.id/primary.prof' (fd: 97)
```

### Example case koler.apk

Again, first we have to extract the sample and install it on the device:

```bash
$ unzip -P infected 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705.zip
Archive:  18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705.zip
  inflating: 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705
$ mv 18a82a21158f23148fbb58f39f597d482c186c8d2905540e750533a0df363705 koler.apk
$ adb install koler.apk
Performing Streamed Install
Success
```
Now we have to identify the identifier of the app so we can later attach to it:

```bash
$ frida-ps -Uai
  PID  Name           Identifier
-----  -------------  -------------------------------------------
12095  Chrome         com.android.chrome
 1836  Google         com.google.android.googlequicksearchbox
 1836  Google         com.google.android.googlequicksearchbox
 1677  Messages       com.google.android.apps.messaging
  927  SIM Toolkit    com.android.stk
12185  Settings       com.android.settings
    -  Calendar       com.google.android.calendar
    -  Camera         com.android.camera2
    -  Clock          com.google.android.deskclock
    -  Contacts       com.google.android.contacts
    -  Drive          com.google.android.apps.docs
    -  Files          com.google.android.documentsui
    -  Gmail          com.google.android.gm
    -  Maps           com.google.android.apps.maps
    -  Phone          com.google.android.dialer
    -  Photos         com.google.android.apps.photos
    -  Pornhub        upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq
```

This sample unpacks itself, and normally we would see this in `Dexray Intercept` if we were able to spawn the app. Unfortunately, Frida releases since version 16.0.4 had a bug where spawning the target app failed with a timeout error; we identified that it is triggered whenever the app requests runtime permissions (more [infos](https://github.com/frida/frida/issues/2005)). This bug appears to be fixed in the latest Frida version.

So we now spawn this malware using `Dexray Intercept` and see some interesting output:

```bash
$ ammm -s upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq
        Dexray Intercept
        (banner omitted)

[*] attaching to app: Pornhub
[*] starting app profiling
[*] press Ctrl+C to stop the profiling ...

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/cache/WebView/Default/HTTP Cache/Cache_Data/510c1bd5457bae66_0' (fd: 187)
[*] Filesystem profiling informations:
[*] [+] Unlink : /data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/cache/WebView/Default/HTTP Cache/Cache_Data/todelete_510c1bd5457bae66_0_1
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG' (fd: 5)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: -1)
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: 68)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG,0x77d9937d10,156)

[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/MANIFEST-000001' (fd: 70)
[*] Filesystem profiling informations:
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/MANIFEST-000001,0x77d9938010,7
...
```

## Roadmap

- [x] Create templates for the different hooks we want to install in order to get a runtime profile
- [ ] Create a test application which uses all the different features we want to hook (we need some sort of ground truth to test our hooks)
- [ ] Implement the actual hooks
- [x] The format to print the monitored information
- [ ] Add https://attack.mitre.org/matrices/mobile/ as a final result so we can say what kind of attacks the application uses
- [ ] Also track things like "these are privacy issues", "this might lead to bugs" ...
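The `[Libc::open]`, `[Libc::write]` and `[+] Unlink` lines in the Sara and koler runs above are the raw material for spotting an unpacker at work: a file that is written and then unlinked, or a write to a `.dex`/`.jar`/`.so` inside the app's private directory, is the usual footprint of a dropper that writes a payload, loads it and deletes it again. The parser and triage pass below is an added example, not part of dexray-intercept; it assumes only the three line shapes visible in the console output above (the truncated `MANIFEST-000001` write line is reproduced on purpose). The `example.pkg` package and its `payload.dex` lines in the sample log are constructed to exercise the detection and are not output observed from the koler sample.

```python
"""Triage dexray-intercept console output for dropper / unpacking footprints.

Added example, not part of dexray-intercept. It parses the three line shapes
that appear in the runs above and flags (1) files written and later unlinked,
(2) writes to code-like files (.dex/.jar/.apk/.so/...), (3) failed opens (fd -1).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first five event lines follow the koler output above; the
# `example.pkg` / `payload.dex` lines are made up to exercise the detection.
SAMPLE_LOG = """\
[*] Filesystem profiling informations:
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG' (fd: 5)
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: -1)
[*] [Libc::open] Open file '/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOCK' (fd: 68)
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/LOG,0x77d9937d10,156)
[*] [Libc::write] Write FD (/data/user/0/upehfmf.xrppcuzqolwhmwxnfyes.xctrbzkvipjazq/app_webview/Default/Session Storage/MANIFEST-000001,0x77d9938010,7
[*] [Libc::open] Open file '/data/user/0/example.pkg/files/payload.dex' (fd: 71)
[*] [Libc::write] Write FD (/data/user/0/example.pkg/files/payload.dex,0x77d9940000,524288)
[*] [+] Unlink : /data/user/0/example.pkg/files/payload.dex
"""

_OPEN = re.compile(r"\[Libc::open\] Open file '(?P<path>.+)' \(fd: (?P<fd>-?\d+)\)")
# the closing ')' is optional because the console output above is truncated mid-line
_WRITE = re.compile(r"\[Libc::write\] Write FD \((?P<path>.+?),0x[0-9a-fA-F]+,(?P<size>\d+)\)?")
_UNLINK = re.compile(r"\[\+\] Unlink : (?P<path>\S.*?)\s*$")

CODE_EXTENSIONS = (".dex", ".odex", ".jar", ".apk", ".zip", ".so")


@dataclass(frozen=True)
class Event:
    kind: str                   # "open" | "write" | "unlink"
    path: str
    fd: Optional[int] = None    # open only; -1 means the open() failed
    size: Optional[int] = None  # write only; bytes written


def parse_events(lines):
    """Turn console lines into Events; lines that are not file-system events are skipped."""
    events = []
    for line in lines:
        if m := _OPEN.search(line):
            events.append(Event("open", m["path"], fd=int(m["fd"])))
        elif m := _WRITE.search(line):
            events.append(Event("write", m["path"], size=int(m["size"])))
        elif m := _UNLINK.search(line):
            events.append(Event("unlink", m["path"]))
    return events


def triage(events):
    """Order-aware pass: a path only counts as 'written then unlinked' when the
    unlink comes after at least one write to that same path."""
    bytes_written = defaultdict(int)
    written_then_unlinked, failed_opens = [], []
    for e in events:
        if e.kind == "write":
            bytes_written[e.path] += e.size
        elif e.kind == "unlink" and e.path in bytes_written:
            written_then_unlinked.append(e.path)
        elif e.kind == "open" and e.fd == -1:
            failed_opens.append(e.path)
    code_like_writes = sorted(p for p in bytes_written if p.lower().endswith(CODE_EXTENSIONS))
    return {
        "bytes_written": dict(bytes_written),
        "written_then_unlinked": written_then_unlinked,
        "code_like_writes": code_like_writes,
        "failed_opens": failed_opens,
    }


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG.splitlines()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the console output of an `ammm` run (for instance `ammm -s <identifier> | tee run.log`, then `parse_events(open("run.log"))`); the WebView cache `todelete_*` unlink seen in the koler run is a benign example of the same write-then-delete pattern, so treat the `written_then_unlinked` list as a starting point for manual review rather than a verdict.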
    "bugtrack_url": null,
    "license": "GPL v3",
    "summary": "This project is part of the dynamic Sandbox Sandroid. Its purpose is to create runtime profiles to track the behavior of an Android application. This is done utilizing frida.",
    "version": "0.2.9.0",
    "project_urls": {
        "Homepage": "https://github.com/fkie-cad/Sandroid_Dexray-Intercept"
    },
    "split_keywords": [
        "mobile",
        " instrumentation",
        " frida",
        " hook",
        " android"
    ],
    "urls": [
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "bc49ad60f3449282f151a9053e7eacd63d9acafd6f1076a4a70cadc8c6e86f40",
                "md5": "3fd2011625e76c479b8a837a160d94e4",
                "sha256": "70294dd4f4d27d176f5c9fa15be1f5b9cc947eff9b4277d19bb1d88a2f2db844"
            },
            "downloads": -1,
            "filename": "dexray_intercept-0.2.9.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "3fd2011625e76c479b8a837a160d94e4",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.6",
            "size": 271288,
            "upload_time": "2025-07-31T08:12:50",
            "upload_time_iso_8601": "2025-07-31T08:12:50.162790Z",
            "url": "https://files.pythonhosted.org/packages/bc/49/ad60f3449282f151a9053e7eacd63d9acafd6f1076a4a70cadc8c6e86f40/dexray_intercept-0.2.9.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "fe7b9c42a03ffc4d471ebe2bfad1b69e6ba871954f39a27a9cad416483503e37",
                "md5": "7244e8ccb98f9c6775c3f802ebeaae66",
                "sha256": "fa23746a69612ec4ca5ae32bb227e10fce72bfd578986291d9e1b3d21323543e"
            },
            "downloads": -1,
            "filename": "dexray_intercept-0.2.9.0.tar.gz",
            "has_sig": false,
            "md5_digest": "7244e8ccb98f9c6775c3f802ebeaae66",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.6",
            "size": 258953,
            "upload_time": "2025-07-31T08:12:51",
            "upload_time_iso_8601": "2025-07-31T08:12:51.147684Z",
            "url": "https://files.pythonhosted.org/packages/fe/7b/9c42a03ffc4d471ebe2bfad1b69e6ba871954f39a27a9cad416483503e37/dexray_intercept-0.2.9.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2025-07-31 08:12:51",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "fkie-cad",
    "github_project": "Sandroid_Dexray-Intercept",
    "github_not_found": true,
    "lcname": "dexray-intercept"
}
        