# 🫙 kavanoz 🫙
![](https://img.shields.io/github/license/eybisi/kavanoz)
![](https://img.shields.io/github/stars/eybisi/kavanoz)
![](https://img.shields.io/github/issues-closed/eybisi/kavanoz.svg)
![](https://img.shields.io/github/issues-pr-closed/eybisi/kavanoz.svg)
Statically unpacking common Android banker malware.
Ever wanted to get the payload out of packed malware without running an Android emulator? Me neither.
![](assets/unpack.gif)
### :eyes: Installation
```
pip install kavanoz
```
To install from source, clone the repository and do an editable install with `-e`. With an editable install, any plugin you edit or add to the project is picked up without reinstalling.
```
git clone https://github.com/eybisi/kavanoz.git
cd kavanoz
pip install -e .
```
### :zap: Usage
From the command line:
```bash
kavanoz /tmp/filepath
```
Use the `-vvv` flag to print verbose logs (useful for debugging plugins).
As a Python library:
```py
from kavanoz.core import Kavanoz
from kavanoz import utils

utils.set_log("DEBUG")
k = Kavanoz(apk_path="tests/test_apk/coper.apk")
for plugin_result in k.get_plugin_results():
    if plugin_result["status"] == "success":
        print("Unpacked")
        print(plugin_result)
        break
```
### :snake: Scripts:
- [rc4.py](src/kavanoz/loader/rc4.py) Generic RC4-encrypted asset file. The script covers multiple versions.
- [old_rc4.py](src/kavanoz/loader/old_rc4.py) Another generic RC4-encrypted asset file.
- [subapp.py](src/kavanoz/loader/subapp.py) Decryption of a file with a key derived from the `ProtectKey` variable in the manifest file.
- [multidex.py](src/kavanoz/loader/multidex.py) Multidex-like loader with an inflated packed file (zlib compression).
- [coper.py](src/kavanoz/loader/coper.py) Extracts the RC4 key from the native library via emulation (AndroidNativeEmu).
- [moqhao.py](src/kavanoz/loader/moqhao.py) Emulation for Moqhao unpacking.
- [sesdex.py](src/kavanoz/loader/sesdex.py)
- [simple_aes.py](src/kavanoz/loader/simple_aes.py)
- [simple_xor.py](src/kavanoz/loader/simple_xor.py)
- [simple_xor2.py](src/kavanoz/loader/simple_xor2.py)
- [simple_xor_zlib.py](src/kavanoz/loader/simple_xor_zlib.py)
- [subapp.py](src/kavanoz/loader/subapp.py) Decrypts an asset with the package name.
### :gear: Development
Make sure to install kavanoz as editable (with `-e`). To add a new plugin, create a new file in the `loader` folder, extend the `Unpacker` class from `unpack_plugin.py`, and define a `start_decrypt` function with your implementation.
```py
def start_decrypt(self, apk_object: APK, dexes: "list[DEX]"):
```
Add the following function to let the plugin exit early:
```py
def lazy_check(self, apk_object: APK, dexes: "list[DEX]"):
```
If extraction is successful, assign the extracted file path to `self.decrypted_payload_path`.
You can use these helper functions from the `Unpacker` class:
- `get_array_data`
- `get_smali`
- `find_method(class_name, method_name, descriptor="")`
- `check_and_write_file(file_data)`: checks the data for dex, zip and zlib headers and writes the unpacked dex under the name `"external-{m[:8]}.dex"`
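The decrypt-then-verify flow a loader plugin's `start_decrypt` goes through, as a stand-alone sketch added here (this is not kavanoz's own code and does not import it: the header check models what `check_and_write_file` is described as doing, the sha256-based file name is an assumption, and the packed asset is constructed inline):

```python
import hashlib
import tempfile
import zlib
from pathlib import Path
from typing import Optional

DEX_MAGIC = b"dex\n"        # every classes.dex starts with "dex\n" + version
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/apk/jar

def payload_kind(data: bytes) -> Optional[str]:
    """Classify a blob by its leading bytes: 'dex', 'zip', 'zlib' or None."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    # zlib header: CMF low nibble 8 (deflate) and (CMF<<8 | FLG) divisible by 31
    if len(data) >= 2 and (data[0] & 0x0F) == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return None

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the simple_xor loaders target."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def check_and_write(data: bytes, out_dir: Path) -> Optional[Path]:
    """Model of check_and_write_file: inflate zlib, then persist dex/zip payloads."""
    kind = payload_kind(data)
    if kind == "zlib":
        data = zlib.decompress(data)
        kind = payload_kind(data)
    if kind not in ("dex", "zip"):
        return None
    m = hashlib.sha256(data).hexdigest()       # assumption: m is a digest of the payload
    out = out_dir / f"external-{m[:8]}.dex"
    out.write_bytes(data)
    return out

# Constructed sample: a fake dex header, deflated, then XORed with a short key.
KEY = b"kavanoz"
FAKE_DEX = DEX_MAGIC + b"035\x00" + b"\x00" * 64
PACKED_ASSET = xor_decrypt(zlib.compress(FAKE_DEX), KEY)

def unpack_asset(asset: bytes, key: bytes, out_dir: Path) -> Optional[Path]:
    """What a plugin's start_decrypt does: decrypt, verify the header, write the dex."""
    if payload_kind(asset) is not None:
        return check_and_write(asset, out_dir)  # already plain: nothing to decrypt
    return check_and_write(xor_decrypt(asset, key), out_dir)

def demo() -> Optional[Path]:
    return unpack_asset(PACKED_ASSET, KEY, Path(tempfile.mkdtemp()))
```

In a real plugin the returned path is what you would assign to `self.decrypted_payload_path`.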
### :book: Tips
- `self.dexes` holds the dex objects. You can get a class with `dex.get_class(smali_annotation_of_class)`.
- You can use the `get_smali` function and give it the target method object to get the smali representation of that method, then apply some regex to pull data out of the smali. There are lots of predefined regexes to look up in [smali_regexes.py](smali_regexes.py).
- Most of the time packers use a file from the assets folder. You can get the files with `self.apk_object.get_files()`.
- Most of the time packers use the Application class to start the unpacking sequence. Use `application = self.apk_object.get_attribute_value("application", "name")` to get the application class defined in the manifest file.
### Thanks:
[apkdetect.com](https://apkdetect.com) for unique samples to work with.