I plan to read quickly through the official documentation and take notes for easy reference; the sections of this article follow the table of contents of the official documentation.
Use androguard axml and androguard arsc to decode and analyze AndroidManifest.xml or resources.arsc. Call graphs can be created with androguard cg, and control flow graphs with androguard decompile.
To analyze APK files and DEX files, use AnalyzeAPK(filename) and AnalyzeDEX(filename).
a, d, dx = AnalyzeAPK("examples/android/abcore/app-prod-debug.apk")
The three objects you get are a, an APK object; d, an array of DalvikVMFormat objects; and dx, an Analysis object.
From the APK object you can obtain all kinds of information about the APK, including the package name, the permissions, the AndroidManifest.xml and other resource files.
DalvikVMFormat corresponds to the DEX file found inside the APK file. You can get classes, methods or strings from the DEX file. But when using multi-DEX APKs it might be a better idea to get those from another place. The Analysis object should be used instead, as it contains special classes which link information about the classes.dex and can even handle many DEX files at once.
Getting Information about an APK
a.get_permissions()
# get a list of all activities which are defined in the AndroidManifest.xml
a.get_activities()
a.get_package()
a.get_app_name()
a.get_app_icon()  # path of the icon
# get the numeric version and the version string, and the minimal, maximal, target and effective SDK version
a.get_androidversion_code()
a.get_androidversion_name()
a.get_min_sdk_version()
a.get_max_sdk_version()
a.get_target_sdk_version()
a.get_effective_target_sdk_version()
About the AndroidManifest.xml
# you can even get the decoded XML for the AndroidManifest.xml
a.get_android_manifest_axml().get_xml()
# use the AndroidManifest.xml as an ElementTree object
a.get_android_manifest_xml()
Using the Analysis object
Call graphs can be built around specific API calls.
The androguard.core.analysis.analysis.Analysis object holds all information about the classes, methods, fields and strings inside one or multiple DEX files. Additionally it enables you to get call graphs and cross-references (XREFs) for each method, class, field and string. This means you can investigate the application for certain API calls or create graphs to see the dependencies of different classes.
dx.get_classes() # get all classes from the Analysis
get_classes() returns ClassAnalysis objects.
Classes marked as EXTERNAL are not defined in the DEX file itself.
A ClassAnalysis does not contain the actual code but the ClassDefItem can be loaded using the get_vm_class():
dx.get_classes()[2].get_vm_class()
If the class is EXTERNAL, an ExternalClass is returned instead.
A cross-reference can be understood as one class calling the methods of, or using the objects of, another class.
XREFs are generated for four things: classes, methods, fields and strings.
XREFs work in two directions: xref_from and xref_to. To means, that the current object is calling another object. From means, that the current object is called by another object.
The tests below use the test APK shipped with androguard: examples/android/TestsAndroguard/bin/TestActivity.apk
Get XREFs for method calls
In order to get the class, you can simply use classes or find_classes():
dx.classes['Ltests/androguard/TestActivity;']
This will return a ClassAnalysis object. Now you can iterate over all methods inside the class and query for the xrefs (the output is abbreviated):
for meth in dx.classes['Ltests/androguard/TestActivity;'].get_methods():
    print("inside method {}".format(meth.name))
    for _, call, _ in meth.get_xref_to():
        print("  calling -> {} -- {}".format(call.class_name, call.name))
You can see that the testCall method calls many other methods.
The same idea can be applied to API classes, for example:
for meth in dx.classes['Ljava/io/File;'].get_methods():
    print("usage of method {}".format(meth.name))
    for _, call, _ in meth.get_xref_from():
        print("  called by -> {} -- {}".format(call.class_name, call.name))
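The Ljava/io/File; loop above can be generalized into a small triage helper that lists, for a watchlist of APIs, which of the app's own methods call them. This is an added example, not code from the androguard project; audit_api_usage, API_WATCHLIST, SAMPLE_DX and the stand-in classes are my own names, and the sample methods and offsets are constructed so the block runs without an APK.

```python
# Added example (not androguard's own code): list the in-app callers of APIs a
# reviewer cares about, via dx.find_methods(...) and MethodAnalysis.get_xref_from(),
# which yields (ClassAnalysis, MethodAnalysis, offset) tuples as in the page's loops.
import re
from collections import defaultdict
# Constructed watchlist of (class regex, method regex); extend to taste.
API_WATCHLIST = [
    (r"^Ljava/lang/Runtime;$", r"^exec$"),
    (r"^Ljava/io/File;$", r".*"),
]
def audit_api_usage(dx, watchlist=API_WATCHLIST):
    # Returns {"Lapi/Class;->method": sorted in-app callers}; external callers are dropped.
    report = defaultdict(set)
    for class_re, method_re in watchlist:
        for api in dx.find_methods(classname=class_re, methodname=method_re):
            key = "{}->{}".format(api.class_name, api.name)
            for caller_cls, caller, _offset in api.get_xref_from():
                if caller_cls.is_external():  # library/system code, not the app's own
                    continue
                report[key].add("{}->{}".format(caller.class_name, caller.name))
    return {k: sorted(v) for k, v in report.items()}
# Constructed stand-in for the Analysis object so the example runs without an APK;
# with androguard installed, pass the real dx from AnalyzeAPK() instead.
class _Cls:
    def __init__(self, external): self._ext = external
    def is_external(self): return self._ext
class _Meth:
    def __init__(self, class_name, name, xrefs=()):
        self.class_name, self.name, self._xrefs = class_name, name, list(xrefs)
    def get_xref_from(self): return self._xrefs
class _FakeAnalysis:
    def __init__(self, methods): self._methods = methods
    def find_methods(self, classname=".*", methodname=".*"):  # re.match, as androguard does
        for m in self._methods:
            if re.match(classname, m.class_name) and re.match(methodname, m.name):
                yield m
app, lib = _Cls(False), _Cls(True)
on_create = _Meth("Ltests/androguard/TestActivity;", "onCreate")
test_call = _Meth("Ltests/androguard/TestActivity;", "testCall")
helper = _Meth("Lokhttp3/internal/Util;", "closeQuietly")  # caller inside a bundled library
SAMPLE_DX = _FakeAnalysis([
    _Meth("Ljava/lang/Runtime;", "exec", [(app, test_call, 0x1A)]),
    _Meth("Ljava/io/File;", "delete", [(app, on_create, 0x04), (lib, helper, 0x08)]),
    on_create, test_call, helper,
])

if __name__ == "__main__":
    for api, callers in audit_api_usage(SAMPLE_DX).items():
        print(api, "<-", ", ".join(callers))
```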
Get XREFs for Strings
Find which strings are referenced, and from where.
You can use either strings or find_strings() to get the proper object for the XREFs:
For example: dx.strings['boom']
for _, meth in dx.strings['boom'].get_xref_from():
    print("Used in: {} -- {}".format(meth.class_name, meth.name))
Get XREFs for Fields
Fields are a little bit different and do not use xref_from and xref_to but xref_read() and xref_write().
You can use find_fields() to look up fields.
For example, to get the reads and writes of the field value inside tests.androguard.TestActivity:
for field in dx.find_fields(classname='Ltests/androguard/TestActivity;', fieldname='^value$'):
    print("Field: {}".format(field.name))
    for _, meth in field.get_xref_read():
        print("  read in {} -- {}".format(meth.class_name, meth.name))
    for _, meth in field.get_xref_write():
        print("  write in {} -- {}".format(meth.class_name, meth.name))
You can use decompile to obtain the Control Flow Graph (CFG):
androguard decompile -d output_folder -f jpg --limit "LTestDefaultPackage.*" examples/android/TestsAndroguard/bin/TestActivity.apk
In the generated images, each rectangle is one DVMBasicBlock.