0
# Dynamic Analysis
1
2
Dynamic analysis capabilities for runtime analysis and modification of Android applications using Frida integration. The Pentest module provides comprehensive dynamic analysis functionality including tracing, hooking, and runtime manipulation.
3
4
## Capabilities
5
6
### Pentest Engine
7
8
The main dynamic analysis engine providing Frida integration and runtime analysis capabilities.
9
10
```python { .api }
11
class Pentest:
12
def __init__(self):
13
"""Initialize the dynamic analysis engine."""
14
15
def connect_default_usb(self) -> bool:
16
"""
17
Connect to the default USB device for dynamic analysis.
18
19
Returns:
20
bool: True if connection successful, False otherwise
21
"""
22
23
def attach_package(self, package_name: str, list_file_scripts: list, pid=None) -> bool:
24
"""
25
Attach to a running package for dynamic analysis.
26
27
Parameters:
28
- package_name: Android package name to attach to
29
- list_file_scripts: List of Frida script files to inject
30
- pid: Process ID (optional, will find automatically if None)
31
32
Returns:
33
bool: True if attachment successful
34
"""
35
36
def start_trace(self, filename: str, session: Session, list_modules: list, list_packages: list = None) -> None:
37
"""
38
Start runtime tracing of specified modules and packages.
39
40
Parameters:
41
- filename: Output file for trace results
42
- session: Androguard session object
43
- list_modules: List of modules to trace
44
- list_packages: List of packages to monitor (optional)
45
"""
46
47
def dump(self, package_name: str) -> dict:
48
"""
49
Dump runtime information from a running package.
50
51
Parameters:
52
- package_name: Target package name
53
54
Returns:
55
dict: Dumped runtime information
56
"""
57
```
58
59
### Message System
60
61
Event-driven message system for handling dynamic analysis events and communications.
62
63
```python { .api }
64
class Message:
65
"""Base message class for dynamic analysis communication."""
66
67
class MessageEvent(Message):
68
"""Event-based message for dynamic analysis events."""
69
70
class MessageSystem(Message):
71
"""System-level message for dynamic analysis operations."""
72
```
73
74
### Usage Examples
75
76
#### Basic Dynamic Analysis Setup
77
78
```python
79
from androguard.pentest import Pentest
80
from androguard.session import Session
81
82
# Initialize dynamic analysis engine
83
pentest = Pentest()
84
85
# Connect to USB device
86
if pentest.connect_default_usb():
87
print("Connected to device successfully")
88
89
# Attach to target package with Frida scripts
90
scripts = ["hooks.js", "trace.js"]
91
if pentest.attach_package("com.example.app", scripts):
92
print("Successfully attached to package")
93
```
94
95
#### Runtime Tracing
96
97
```python
98
from androguard.pentest import Pentest
99
from androguard.session import Session
100
101
# Setup session and pentest engine
102
session = Session()
103
pentest = Pentest()
104
105
# Start tracing specific modules
106
modules_to_trace = ["libnative.so", "libssl.so"]
107
packages_to_monitor = ["com.example.app"]
108
109
pentest.start_trace(
110
filename="trace_output.log",
111
session=session,
112
list_modules=modules_to_trace,
113
list_packages=packages_to_monitor
114
)
115
```
116
117
#### Package Information Dumping
118
119
```python
120
from androguard.pentest import Pentest
121
122
pentest = Pentest()
123
124
# Connect and dump package information
125
if pentest.connect_default_usb():
126
package_info = pentest.dump("com.example.target")
127
128
print("Package dump results:")
129
for key, value in package_info.items():
130
print(f" {key}: {value}")
131
```
132
133
### Frida Integration
134
135
The dynamic analysis module integrates with Frida for advanced runtime analysis capabilities including:
136
137
- **Method hooking**: Intercept and modify method calls at runtime
138
- **Memory manipulation**: Read and write application memory
139
- **API tracing**: Monitor system and library API calls
140
- **Code injection**: Execute custom JavaScript code in target process
141
- **SSL pinning bypass**: Disable certificate pinning mechanisms
142
- **Anti-debugging bypass**: Circumvent common anti-analysis techniques
143
144
### Common Use Cases
145
146
#### Security Analysis
147
148
```python
149
# Hook sensitive API calls
150
frida_script = """
151
Java.perform(function() {
152
var CryptoClass = Java.use("javax.crypto.Cipher");
153
CryptoClass.doFinal.implementation = function(input) {
154
console.log("Crypto operation detected: " + input);
155
return this.doFinal(input);
156
};
157
});
158
"""
159
160
# Inject script into target
161
pentest.attach_package("com.banking.app", ["crypto_hooks.js"])
162
```
163
164
#### Behavioral Analysis
165
166
```python
167
# Trace network communications
168
network_trace_modules = ["libssl.so", "libc.so"]
169
pentest.start_trace(
170
"network_trace.log",
171
session,
172
network_trace_modules,
173
["com.suspicious.app"]
174
)
175
```
176
177
#### Reverse Engineering
178
179
```python
180
# Dump runtime class information
181
package_dump = pentest.dump("com.target.app")
182
183
# Extract loaded classes and methods
184
if "classes" in package_dump:
185
for class_name, methods in package_dump["classes"].items():
186
print(f"Class: {class_name}")
187
for method in methods:
188
print(f" Method: {method}")
189
```
190
191
## Integration with Static Analysis
192
193
Dynamic analysis complements static analysis by providing runtime verification of static findings:
194
195
```python
196
from androguard.misc import AnalyzeAPK
197
from androguard.pentest import Pentest
198
199
# Static analysis
200
a, d, dx = AnalyzeAPK("app.apk")
201
202
# Find suspicious methods statically
203
suspicious_methods = dx.find_methods(method_name="encrypt.*")
204
205
# Verify with dynamic analysis
206
pentest = Pentest()
207
pentest.connect_default_usb()
208
209
# Hook the methods found in static analysis
210
for method in suspicious_methods:
211
hook_script = f"hook_{method.name}.js"
212
pentest.attach_package(a.get_package(), [hook_script])
213
```