From 3a6e46db509b2e6e75d60969ca5ae9965ec94c11 Mon Sep 17 00:00:00 2001
From: h20190011
Date: Tue, 3 Nov 2020 14:14:56 +0530
Subject: [PATCH 1/4] process.popen() shell parameter fixed

---
 analyzer/android/lib/api/adb.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/analyzer/android/lib/api/adb.py b/analyzer/android/lib/api/adb.py
index b5e99ba..cbf766c 100644
--- a/analyzer/android/lib/api/adb.py
+++ b/analyzer/android/lib/api/adb.py
@@ -108,8 +108,9 @@ def execute_sample(package,activity):
 """Execute the sample on the emulator via adb"""
 log.info("executing sample on emulator:adb shell am start -n " +package+"/"+activity)
 str=""
- #proc = subprocess.Popen(["/system/bin/am","start","-n", package+"/"+activity], stdout=subprocess.PIPE, stderr=subprocess.PIPE)#adb shell am start -n $pkg/$act
- str = os.popen("/system/bin/am start -n "+package+"/"+activity).read()
+ proc = subprocess.Popen("/system/bin/am start -n" + package+"/"+activity, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, executable='/system/bin/sh')#adb shell am start -n $pkg/$act
+ #str = os.popen("/system/bin/am start -n "+package+"/"+activity).read()
+ #this os.open() is no more supported(depricated) on python latest version. Instaed use subprocess.Popen() function.
 lines = str.split("\n")
 for line in lines:
 if("Error" in line):
From ff890a703a40f2965855803bd17d52047d6a853b Mon Sep 17 00:00:00 2001
From: h20190011
Date: Tue, 3 Nov 2020 15:53:25 +0530
Subject: [PATCH 2/4] cuckoo.py python file is running without any error; *.conf file fixed

---
 conf/avd.conf | 8 +--
 conf/cuckoo.conf | 121 +++++++++++++++++++++++++++++++++++++++++++
 conf/processing.conf | 58 +++++++++++++++++++++
 3 files changed, 183 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 conf/avd.conf
 create mode 100755 conf/cuckoo.conf
 create mode 100755 conf/processing.conf

diff --git a/conf/avd.conf b/conf/avd.conf
old mode 100644
new mode 100755
index 1966ce9..3a75ea0
--- a/conf/avd.conf
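Review bot: The new `subprocess.Popen(...)` line never reads the process it starts, so `str` stays `""`, `lines` is `[""]`, and the `"Error"` check below can no longer see anything `am` reports; `proc` is also dropped without `communicate()`/`wait()`, leaking the pipes. The command string is missing the space after `-n` (`"/system/bin/am start -n" + package` produces `-ncom.example/...`), and with `shell=True` any shell metacharacter in `package` or `activity` — values that come from the sample under analysis — is interpreted by `/system/bin/sh` instead of reaching `am`; the `os.popen` form that [PATCH 3/4] restores has the same shell-interpretation problem. The argument-list call in the commented-out line above avoids all of this: `proc = subprocess.Popen(["/system/bin/am", "start", "-n", package + "/" + activity], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)` followed by `str = proc.communicate()[0]` (decode it if it comes back as bytes). `str` shadows the builtin and would read better as `output`; execute_sample continues past the end of the hunk.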
+++ b/conf/avd.conf
@@ -1,12 +1,12 @@
 [avd]
 #Path to the local installation of the android emulator
-emulator_path = /Applications/adt-bundle/sdk/tools/emulator
+emulator_path = /home/test/Android/Sdk/emulator/emulator
 
 #Path to the local installation of the adb - android debug bridge utility.
-adb_path = /Applications/adt-bundle/sdk/platform-tools/adb
+adb_path = /home/test/Android/Sdk/platform-tools/adb
 
 #Path to the emulator machine files is located
-avd_path = /Users/guardianangel/.android/avd
+avd_path = /home/test/.android/avd
 
 #name of the reference machine that is used to duplicate
 reference_machine = aosx
@@ -49,4 +49,4 @@ resultserver_ip = 10.0.2.2
 # the port for the Result Server as your machine sees it. If you don't specify a port
 # here, the machine will use the default value from cuckoo.conf.
 # Example:
-resultserver_port = 2042
\ No newline at end of file
+resultserver_port = 2042
diff --git a/conf/cuckoo.conf b/conf/cuckoo.conf
new file mode 100755
index 0000000..da244d9
--- /dev/null
+++ b/conf/cuckoo.conf
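Review bot: conf/avd.conf changes from mode 100644 to 100755, and the new conf/cuckoo.conf and conf/processing.conf are created 100755 in the same commit, but these are INI files that Cuckoo reads, not scripts; the executable bit is noise and, for processing.conf, which holds an API key and a `google_password` field, a wider mode than a credentials-bearing file should carry. Keep the three at 100644 (0600 for processing.conf if real credentials are ever filled in). The replacement paths are bound to one workstation (`/home/test/Android/Sdk/...`, `/home/test/.android/avd`), so a short comment in the file's own style, `#Adjust the three paths below to the SDK/AVD location on this host`, would save the next user a failed emulator start.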
@@ -0,0 +1,121 @@
+[cuckoo]
+# Enable or disable startup version check. When enabled, Cuckoo will connect
+# to a remote location to verify whether the running version is the latest
+# one available.
+version_check = on
+
+# If turned on, Cuckoo will delete the original file after its analysis
+# has been completed.
+delete_original = off
+
+# If turned on, Cuckoo will delete the copy of the original file in the
+# local binaries repository after the analysis has finished. (On *nix this
+# will also invalidate the file called "binary" in each analysis directory,
+# as this is a symlink.)
+delete_bin_copy = off
+
+# Specify the name of the machinery module to use, this module will
+# define the interaction between Cuckoo and your virtualization software
+# of choice.
+machinery = avd
+
+# Enable creation of memory dump of the analysis machine before shutting
+# down. Even if turned off, this functionality can also be enabled at
+# submission. Currently available for: VirtualBox and libvirt modules (KVM).
+memory_dump = off
+
+# When the timeout of an analysis is hit, the VM is just killed by default.
+# For some long-running setups it might be interesting to terminate the
+# moinitored processes before killing the VM so that connections are closed.
+terminate_processes = off
+
+# Enable automatically re-schedule of "broken" tasks each startup.
+# Each task found in status "processing" is re-queued for analysis.
+reschedule = off
+
+# Enable processing of results within the main cuckoo process.
+# This is the default behavior but can be switched off for setups that
+# require high stability and process the results in a separate task.
+process_results = on
+
+# Limit the amount of analysis jobs a Cuckoo process goes through.
+# This can be used together with a watchdog to mitigate risk of memory leaks.
+max_analysis_count = 0
+
+# Limit the number of concurrently executing analysis machines.
+# This may be useful on systems with limited resources.
+# Set to 0 to disable any limits.
+max_machines_count = 0
+
+# Minimum amount of free space (in MB) available before starting a new task.
+# This tries to avoid failing an analysis because the reports can't be written
+# due out-of-diskspace errors. Setting this value to 0 disables the check.
+# (Note: this feature is currently not supported under Windows.)
+freespace = 64
+
+# Temporary directory containing the files uploaded through Cuckoo interfaces
+# (web.py, api.py, Django web interface).
+tmppath = /tmp
+
+[resultserver]
+# The Result Server is used to receive in real time the behavioral logs
+# produced by the analyzer.
+# Specify the IP address of the host. The analysis machines should be able
+# to contact the host through such address, so make sure it's valid.
+# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
+# `resultserver_ip` for all your virtual machines in machinery configuration.
+#ip = 192.168.56.1
+ip = 0.0.0.0
+
+# Specify a port number to bind the result server on.
+port = 2042
+
+# Should the server write the legacy CSV format?
+# (if you have any custom processing on those, switch this on)
+store_csvs = off
+
+# Maximum size of uploaded files from VM (screenshots, dropped files, log)
+# The value is expressed in bytes, by default 10Mb.
+upload_max_size = 10485760
+
+[processing]
+# Set the maximum size of analyses generated files to process. This is used
+# to avoid the processing of big files which may take a lot of processing
+# time. The value is expressed in bytes, by default 100Mb.
+analysis_size_limit = 104857600
+
+# Enable or disable DNS lookups.
+resolve_dns = on
+
+# Enable PCAP sorting, needed for the connection content view in the web interface.
+sort_pcap = on
+
+[database]
+# Specify the database connection string.
+# Examples, see documentation for more:
+# sqlite:///foo.db
+# postgresql://foo:bar@localhost:5432/mydatabase
+# mysql://foo:bar@localhost/mydatabase
+# If empty, default is a SQLite in db/cuckoo.db.
+connection = sqlite:///foo.db
+
+# Database connection timeout in seconds.
+# If empty, default is set to 60 seconds.
+timeout =
+
+[timeouts]
+# Set the default analysis timeout expressed in seconds. This value will be
+# used to define after how many seconds the analysis will terminate unless
+# otherwise specified at submission.
+default = 240
+
+# Set the critical timeout expressed in seconds. After this timeout is hit
+# Cuckoo will consider the analysis failed and it will shutdown the machine
+# no matter what. When this happens the analysis results will most likely
+# be lost. Make sure to have a critical timeout greater than the
+# default timeout.
+critical = 250
+
+# Maximum time to wait for virtual machine status change. For example when
+# shutting down a vm. Default is 300 seconds.
+vm_state = 300
diff --git a/conf/processing.conf b/conf/processing.conf
new file mode 100755
index 0000000..18d703b
--- /dev/null
+++ b/conf/processing.conf
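Review bot: `connection = sqlite:///foo.db` is the example value copied from the comment two lines above it, and a relative SQLite URL resolves against the working directory Cuckoo is started from, so the task database lands wherever the process happens to run and may be recreated empty on the next start from another directory; leave `connection =` blank to get the documented `db/cuckoo.db` default, or give an absolute path. `ip = 0.0.0.0` binds the result server on every interface of the host; that is consistent with `resultserver_ip = 10.0.2.2` in avd.conf, but the listener on `port = 2042` should then be restricted by a host firewall to the emulator's network rather than left reachable from anywhere. `timeout =` left blank is documented as falling back to 60 seconds, so that one is fine as is.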
@@ -0,0 +1,58 @@
+# Enable or disable the available processing modules [on/off].
+# If you add a custom processing module to your Cuckoo setup, you have to add
+# a dedicated entry in this file, or it won't be executed.
+# You can also add additional options under the section of your module and
+# they will be available in your Python class.
+
+[analysisinfo]
+enabled = yes
+
+[behavior]
+enabled = yes
+
+[debug]
+enabled = yes
+
+[dropped]
+enabled = yes
+
+[memory]
+enabled = no
+
+[network]
+enabled = yes
+
+[procmemory]
+enabled = yes
+
+[static]
+enabled = yes
+
+[strings]
+enabled = yes
+
+[targetinfo]
+enabled = yes
+
+[virustotal]
+enabled = yes
+timeout = 60
+# Add your VirusTotal API key here. The default API key, kindly provided
+# by the VirusTotal team, should enable you with a sufficient throughput
+# and while being shared with all our users, it shouldn't affect your use.
+key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088
+
+[apkinfo]
+enabled = yes
+#Decompiling dex with androguard in a heavy operation and for a big dex's
+#he can really consume performance from the cuckoo host ,so it's recommended to limit the size of dex that you will decompile
+#decompilation_threshold=2000000
+
+[droidmon]
+enabled = yes
+
+[googleplay]
+enabled = no
+android_id =
+google_login =
+google_password =
From 0adf8b829a4727aa8ed17dd4e337c2d47306812f Mon Sep 17 00:00:00 2001
From: Ajay Kharat <73453739+h20190011@users.noreply.github.com>
Date: Tue, 3 Nov 2020 16:42:46 +0530
Subject: [PATCH 3/4] Update adb.py

---
 analyzer/android/lib/api/adb.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/analyzer/android/lib/api/adb.py b/analyzer/android/lib/api/adb.py
index cbf766c..b5e99ba 100644
--- a/analyzer/android/lib/api/adb.py
+++ b/analyzer/android/lib/api/adb.py
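Review bot: `key = a0283a2c...` commits a VirusTotal API key into a tracked config file, and with `[virustotal] enabled = yes` every analysis presumably queries VirusTotal with it; the comment calls it the shared default key, but a tracked file with a working `key` line is exactly where a user will later paste a private key, and the `google_login`/`google_password` fields under `[googleplay]` invite the same mistake. Ship these as `*.conf.default` with the `key` and credential lines empty, and read the real values from an untracked local copy. The three `#Decompiling dex ...` comment lines under `[apkinfo]` also read awkwardly; `# Decompiling a large dex with androguard is expensive on the host; set decompilation_threshold to cap the dex size that gets decompiled` says the same in one line.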
@@ -108,9 +108,8 @@ def execute_sample(package,activity):
 """Execute the sample on the emulator via adb"""
 log.info("executing sample on emulator:adb shell am start -n " +package+"/"+activity)
 str=""
- proc = subprocess.Popen("/system/bin/am start -n" + package+"/"+activity, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, executable='/system/bin/sh')#adb shell am start -n $pkg/$act
- #str = os.popen("/system/bin/am start -n "+package+"/"+activity).read()
- #this os.open() is no more supported(depricated) on python latest version. Instaed use subprocess.Popen() function.
+ #proc = subprocess.Popen(["/system/bin/am","start","-n", package+"/"+activity], stdout=subprocess.PIPE, stderr=subprocess.PIPE)#adb shell am start -n $pkg/$act
+ str = os.popen("/system/bin/am start -n "+package+"/"+activity).read()
 lines = str.split("\n")
 for line in lines:
 if("Error" in line):
From 26faab4dcc4c59d577eeeaeba109bcd1ba9b4678 Mon Sep 17 00:00:00 2001
From: Ajay Kharat <73453739+h20190011@users.noreply.github.com>
Date: Sat, 7 Nov 2020 13:34:08 +0530
Subject: [PATCH 4/4] Extraxt System calls features

we have developed a SHELL SCRIPT that extracts the android kernel SYSTEM CALLS during app execution and generate a log file. This shell script generates the system call log file for every android app in our dataset. Output of SHELL SCRIPT is system calls log file. This extracted system call acts as features in ML/Data science research community.
---
 Extract_SYSCALL.sh | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 Extract_SYSCALL.sh

diff --git a/Extract_SYSCALL.sh b/Extract_SYSCALL.sh
new file mode 100644
index 0000000..1791acb
--- /dev/null
+++ b/Extract_SYSCALL.sh
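Review bot: The restored `str = os.popen(...).read()` captures only stdout, so if `am start` reports a bad component on stderr the `"Error"` scan on the following lines never sees it (worth confirming on the target Android build, where `am` may print to either stream); the list-form `subprocess.Popen` kept in the comment directly above, with `stderr=subprocess.STDOUT` and `str = proc.communicate()[0]`, captures both streams and keeps `package`/`activity` out of a shell string. The removed comment's rationale was inaccurate — `os.popen` still exists in Python 3 — so this revert is functionally fine, but it reinstates the shell-interpolated command and the `str` name that shadows the builtin (`output` would avoid the trap). execute_sample continues beyond the hunk.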
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+
+while :
+do
+
+ADB=$(adb devices)
+
+if [ $? -eq 0 ]
+then
+
+
+
+package=$(adb shell dumpsys window windows | grep -E 'mFocusedApp'| cut -d / -f 1 | cut -d " " -f 6)
+ while [[ $package != "com.android.launcher" ]]
+ do
+ echo $?
+
+ echo $package
+ getprocessid=$(adb shell ps | grep $package | head -n 1 | awk -F ' ' '{print $2}')
+ fname=$(adb shell ls /data/local/tmp/ | awk '{printf("%s",$0);exit}')
+ echo $fname
+ echo $getprocessid
+ adb shell strace -t -f -p $getprocessid >> ~/$fname
+ package=$(adb shell dumpsys window windows | grep -E 'mFocusedApp'| cut -d / -f 1 | cut -d " " -f 6)
+ done
+
+
+ echo $package
+
+fi
+
+done
+
+
+
+
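Review bot: `if [ $? -eq 0 ]` tests the exit status of `ADB=$(adb devices)`, but `adb devices` exits 0 whether or not a device is attached, so the guard never fails and the outer `while :` spins without any `sleep` when nothing is connected; `adb get-state >/dev/null 2>&1 || { sleep 5; continue; }` would make the wait real and the `ADB` variable, which is never read, can go. `grep $package` over `adb shell ps` is an unquoted substring match, so `head -n 1` can pick a process whose name merely contains the package, and `>> ~/$fname` appends to a filename taken from the device's `/data/local/tmp` listing without quoting, so a name with spaces or glob characters breaks the redirection; `grep -w "$package"` and `>> ~/"$fname"` close both. `echo $?` at the top of the inner loop reports the status of the `[[ ]]` test, not of any command, so it is noise. The script has no header comment; `# Attach strace to the foreground app until the launcher regains focus; output appends to ~/<first entry of /data/local/tmp>` would state the intent for the next reader.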