Notes on using the GitHub open-source tool AndroidHooker

Source: Internet | Editor: 程序博客网 | Posted: 2024/04/28 00:38

I came across this tool on GitHub by chance. It hooks Android 4.1.2 and automatically monitors the behaviour of Android apps. Nobody in China seems to have written usage notes for it yet, so I am writing one here as a learning record.

https://github.com/AndroidHooker/hooker

This article is split into two parts, installation and usage. I use Ubuntu 12.04 as the example.


1. Installation


Since the README is entirely in English, we first quote it.


1.1 From it we can see that the tool must run in a Linux environment and has the following four requirements:


  • python 2.7,
  • elasticsearch 1.1.1,
  • android SDK API16 (Android 4.1.2),
  • androguard 1.9.



1.2 Installing Python and pinning the version


Installing Python should be no problem. Check the default version with python --version; if it is not the right one, select it with update-alternatives --config python.
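As an added example (not part of Hooker or its README), the script below checks the four requirements from 1.1 before you go any further: the Python version, the elasticsearch version reported on port 9200, the API 16 platform under ANDROID_HOME, and whether androguard imports at all. Note that the elasticsearch install script quoted in 1.3 pulls 0.90.0 while the README asks for 1.1.1; this check catches that mismatch. The JSON replies and environment dictionaries in the comments and test are constructed for the demo; the version-check names (REQUIRED_PYTHON, REQUIRED_ES, REQUIRED_API) are my own.

```python
# Added example (not part of Hooker or its README): a preflight check for the four
# requirements listed in 1.1. Sample inputs used in the test are constructed.
import json
import os
import re
import subprocess
import sys

try:  # python 3 / python 2
    from urllib.request import urlopen
except ImportError:
    from urllib2 import urlopen

REQUIRED_PYTHON = (2, 7)   # README: python 2.7
REQUIRED_ES = "1.1.1"      # README: elasticsearch 1.1.1
REQUIRED_API = 16          # README: android SDK API16 (Android 4.1.2)


def parse_python_version(text):
    """'Python 2.7.3' -> (2, 7, 3); None if the text carries no version number."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def elasticsearch_version(body):
    """Pull version.number out of the JSON that GET http://localhost:9200/ returns."""
    try:
        return json.loads(body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return None


def android_platform_dir(env, api_level=REQUIRED_API):
    """platforms/android-<api> under ANDROID_HOME, or None when the variable is unset."""
    home = env.get("ANDROID_HOME")
    if not home:
        return None
    return os.path.join(home, "platforms", "android-%d" % api_level)


def check_requirements(python_text, es_body, env, path_exists=os.path.isdir):
    """Return a list of problems; an empty list means python, elasticsearch and the SDK
    platform all match the README. androguard is only import-tested in main()."""
    problems = []
    pv = parse_python_version(python_text)
    if pv is None or pv[:2] != REQUIRED_PYTHON:
        problems.append("python %d.%d required, got %r"
                        % (REQUIRED_PYTHON + (python_text.strip(),)))
    ev = elasticsearch_version(es_body)
    if ev is None:
        problems.append("elasticsearch on :9200 not reachable or reply is not JSON")
    elif ev != REQUIRED_ES:
        problems.append("elasticsearch %s required, got %s" % (REQUIRED_ES, ev))
    plat = android_platform_dir(env)
    if plat is None:
        problems.append("ANDROID_HOME is not set")
    elif not path_exists(plat):
        problems.append("Android API %d platform missing: %s" % (REQUIRED_API, plat))
    return problems


def main():
    # python 2 prints its version on stderr, python 3 on stdout: capture both.
    proc = subprocess.Popen([sys.executable, "--version"],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    python_text = (out + err).decode("ascii", "replace")
    try:
        es_body = urlopen("http://localhost:9200/", timeout=3).read().decode("utf-8")
    except Exception:  # connection refused, timeout, ...
        es_body = ""
    problems = check_requirements(python_text, es_body, os.environ)
    try:
        import androguard  # noqa: F401  presence only; the 1.9 version is checked by hand
    except ImportError:
        problems.append("androguard is not importable")
    for msg in problems:
        print("MISSING: " + msg)
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the interpreter you intend to use for Hooker (it checks sys.executable, not whatever `python` resolves to on PATH), after elasticsearch has been started and ANDROID_HOME exported; a non-zero exit means at least one requirement is not met.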



1.3 Installing elasticsearch


http://www.elasticsearch.org/ is the official site.

The following articles can be used as references:

Installing and using Elasticsearch, 16 May 2014 | tags: elasticsearch, linux, python | author: vpsee

http://www.vpsee.com/2014/05/install-and-play-with-elasticsearch/


ElasticSearch: a simple introduction

http://www.oschina.net/translate/elasticsearch-getting-started?cmp


How to install ElasticSearch on Ubuntu | Drupal User Alliance

cd ~
sudo apt-get update
sudo apt-get install openjdk-7-jre-headless -y

### Open http://www.elasticsearch.org/download/, find the latest ElasticSearch address and substitute it for the addresses below

# New method / easy
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticse...
sudo dpkg -i elasticsearch-0.90.0.deb
sudo service elasticsearch start

# Old method / complex
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticse...
tar -xf elasticsearch-0.90.0.tar.gz
rm elasticsearch-0.90.0.tar.gz
sudo mv elasticsearch-* elasticsearch
sudo mv elasticsearch /usr/local/share

curl -L http://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master | tar -xz
sudo mv *servicewrapper*/service /usr/local/share/elasticsearch/bin/
rm -Rf *servicewrapper*
sudo /usr/local/share/elasticsearch/bin/service/elasticsearch install
sudo ln -s `readlink -f /usr/local/share/elasticsearch/bin/service/elasticsearch` /usr/local/bin/rcelasticsearch

sudo service elasticsearch start
#curl http://localhost:9200




1.4 Installing the Android SDK


There are too many installation articles to list them all. Here are two ways to download the SDK; if neither works, fall back to a VPN.

Remember to set the ANDROID_HOME environment variable.

Domestic download addresses for the Android SDK

http://www.cnblogs.com/bjzhanghao/archive/2012/11/14/2769409.html


google hosts

http://www.360kb.com/kb/2_122.html



1.5 Installing androguard 1.9


Installing androguard is also very tedious; be patient and go step by step.

Again we go by the official installation instructions; I have added my own annotations in parentheses.

Androguard is a collection of tools that run on Linux, Windows, MacOSX.

  • Getting Androguard
  • Building from source code (default install)
    • Requirements
    • Building
    • Guided install on Ubuntu/Debian
    • Run

Getting Androguard

There are three ways to get Androguard working:

  1. Default solution: use the mercurial version
     hg clone https://androguard.googlecode.com/hg/ androguard
  2. Use AndroGuard from a pre-installed Virtual Machine. Download ARE, then don't forget to update AndroGuard to get the latest functionalities:
     hg pull && hg update
  3. Use pre-built executables (Windows only). Get the Microsoft Visual C++ 2008 Redistributable Package, and download pre-built executables: currently, only androsim.exe is pre-built.

Building from source code (compiling Androguard, i.e. installing it)

Requirements

Mandatory:

  • >= python 2.6. Note that if you wish to use andromercury, python >= 2.7 is required.

Only with default python installation, you can disassemble/decompile Android Application (APK/DEX/ODEX), but if you need more features (images, interactive shell, similarities, elf analysis), you must install the next modules:

Optional: (optional tools and libraries; the file each one serves is named after it)

  • python-dev
  • ipython >= 0.12 is required by androlyze.py.
  • pygments is required by androlyze.py, to have colors with decompilation
  • pydot for androdd.py
  • python-ptrace for androdump.py
  • chilkat: used to unzip the APK application for python2.6, otherwise the zip python module is used (module apk.py). Also used to retrieve the APK's certificate.
  • magic is used in method get_files_types in APK module to found files types (module apk.py)
  • pyfuzzy is used to calculate risk indicator (module androrisk.py)
  • mercury is required by andromercury.py
  • the elsim subdirectory, used by androcsign.py, androsign.py, androdiff.py, androsim.py and andromercury.py, also require:
    • sparsehash
    • muparser
    • snappy
    • bzip2
    • zlib
  • psyco is used to accelerate androguard, but it's not mandatory to install it.

To check: requirement of numpy, scipy, smiasm, xz

Building AndroGuard

For now, androsim.py + androdiff.py + androsign.py + androcsign.py are available for linux 32/64 bits and MacOSX with native libraries. Thus, if you would like to use them, you need to compile libraries.

To compile the elsim directory (and thus Androguard), you might have to patch the formula and libelsign Makefiles: (change the following paths in the Makefiles)

  • in elsim/elsign/formula/Makefile: add the appropriate include directory where to find muParser.h. For example:
    CFLAGS += -I/usr/include/muParser
  • in elsim/elsign/libelsign/Makefile, add the appropriate include directory for muParser.h and python. Example:
    CFLAGS += -I/usr/include/muParser -I/usr/include/python2.6

Once those Makefiles are patched, compile from the root directory of AndroGuard:

$ make

Guided install on Ubuntu/Debian

To build AndroGuard on a Ubuntu or Debian host, follow these instructions.

Install development packages on your host:

$ sudo apt-get install mercurial python python-setuptools g++

Download Androguard's sources:

$ hg clone https://androguard.googlecode.com/hg/ androguard 

Install requirements: (this part is very important: they give you a ready-made apt-get command for all the libraries, just copy it)

$ sudo apt-get install python-dev python-bzutils libbz2-dev libmuparser-dev libsparsehash-dev python-ptrace python-pygments python-pydot graphviz liblzma-dev libsnappy-dev

Some requirements should be installed from sources or as python packages (i.e the current Ubuntu/Debian package does not exist or is insufficient).

chilkat: download the latest Chilkat for Python, then install or, more simply, unpack in androguard's dir. (download the latest chilkat and install it, or simply unpack it in the androguard directory)

iPython:

$ sudo easy_install ipython

pyFuzzy: get the latest and install from sources. For example,

$ wget http://sourceforge.net/projects/pyfuzzy/files/latest/download?source=files
$ tar xvfz pyfuzzy-0.1.0.tar.gz
$ cd pyfuzzy-0.1.0
$ sudo python setup.py install

python-magic: the default package, released with some systems, won't work in all cases. If you get magic errors at using Androlyze, get the latest python-magic sources, and install.

$ git clone git://github.com/ahupp/python-magic.git
$ cd python-magic
$ sudo python setup.py install

mercury: install mercury in a different directory and link that directory to a directory inside androguard:

$ mkdir mercury
$ wget http://labs.mwrinfosecurity.com/assets/254/mercury-v1.0.zip
$ unzip mercury-v1.0.zip
$ cd <ANDROGUARDDIR>
$ ln -s <PATH>/mercury ./mercury

Finally, build Androguard as explained here

Run AndroGuard

After the installation of requirements, you can directly run the tools in the main directory of AndroGuard.

$ ls
androapkinfo.py  androgexf.py     androsim.py     dad        mercury     tools
androaxml.py     androguard       androxgmml.py   demos      README.txt
androcsign.py    androlyze.py     apkviewer.py    elsim      setup.py
androdd.py       andromercury.py  CHANGELOG       examples   signatures
androdiff.py     androrisk.py     COPYING         externals  specs
androdump.py     androsign.py     COPYING.LESSER  Makefile   tests

Examples :

$ ./demos/dalvikvm_format_1.py
$ ./androlyze.py -i ~/Téléchargements/com.rovio.angrybirdsseasons-1.apk -m . -p

There are a few demos in the demos directory, and all tests are in tests directory.



See also:

Trying out the open-source static analysis tool androguard (part 1)

http://blog.csdn.net/xbalien29/article/details/21885297

Deployment, usage and principle analysis of the APK static analysis tool androguard

www.cr173.com/html/24374_1.html




1.6 Creating the AVD virtual machine


  • Create a new AVD from scratch. If you want to fit our experience, please choose the following parameters: (the required VM configuration)
    • Nexus One,
    • Target: Android 4.1.2,
    • Memory option: 512 Mb,
    • Internal Storage: 500 Mb,
    • SDCard: 500 Mb (you must have an SDcard storage if you want Hooker to work properly),
    • Enable snapshot
  • Launch your new AVD with: Save to snapshot, (how to launch it)
  • Run script tools/emulatorCreator/prepareEmulator.sh to install and prepare your emulator, (run this script to prepare the device)
  • In your android system:
    • disable the lockscreen security: Menu > System Settings > Security > Screen lock > None, (turn off screen locking)
    • open superuser app, validate Okay and quit, (open the installed app and let superuser take effect)
    • open substrate app, click Link Substrate Files, allow substrate, and reclick on Link Substrate Files. Then click Restart System (Soft), (allow Link Substrate Files, then press the button to restart)
  • Wait for system to start properly and close the emulator,
  • Your reference AVD is now ready!


If you get "ERROR: 32-bit Linux Android emulator binaries are DEPRECATED, to use them"


add ANDROID_EMULATOR_FORCE_32BIT=true to your environment variables

Start it from the command line: emulator -force-32bit -avd <avd name>

If that starts, Eclipse should work too; if it still does not, reboot the machine.

Alternatively, add -force-32bit in Run Configuration.


1.7 Confirm the host forwarding rule


If elasticsearch is not on the same host, the following command can be used:

$ socat -s -v TCP4-LISTEN:9200,fork,ignoreeof,reuseaddr TCP4:192.168.98.11:9200,ignoreeof
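One caveat on that socat line: TCP4-LISTEN:9200 without a bind= option listens on every interface, so any machine that can reach this host gets a path to the remote elasticsearch, and elasticsearch 1.x ships with no authentication of its own. socat accepts bind=127.0.0.1 on the listen address to restrict it to the local machine. The Python forwarder below is an added example (not Hooker's code or the README's) that does the same job as the socat line but binds to loopback by default; the echo server and demo_roundtrip function are a constructed stand-in for the remote elasticsearch so the block can be exercised offline, and the names start_forwarder, serve_forwarder and start_echo_server are my own.

```python
# Added example (not part of Hooker): a loopback-only TCP forwarder equivalent to the
# socat line in 1.7, plus a constructed echo server standing in for the remote host.
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except socket.error:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except socket.error:
            pass


def _spawn(target, *args):
    t = threading.Thread(target=target, args=args)
    t.daemon = True  # never keep the process alive on exit
    t.start()
    return t


def serve_forwarder(listener, remote):
    """Accept on listener and pipe every connection to remote=(host, port)."""
    while True:
        try:
            client, _ = listener.accept()
        except socket.error:
            return  # listener closed: stop serving
        try:
            upstream = socket.create_connection(remote, timeout=5)
        except socket.error:
            client.close()  # remote down: drop the client instead of hanging it
            continue
        upstream.settimeout(None)
        _spawn(_pump, client, upstream)
        _spawn(_pump, upstream, client)


def start_forwarder(remote, listen_addr="127.0.0.1", listen_port=9200):
    """Bind on listen_addr only (loopback by default) and forward to remote in the
    background. Returns (listener socket, bound port); port 0 picks a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_addr, listen_port))
    listener.listen(16)
    _spawn(serve_forwarder, listener, remote)
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the remote elasticsearch: echoes one connection back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.sendall(buf)
        conn.close()
        srv.close()

    _spawn(handle)
    return srv.getsockname()[1]


def demo_roundtrip(payload):
    """Send payload through the loopback forwarder to the echo server; return the reply."""
    echo_port = start_echo_server()
    listener, port = start_forwarder(("127.0.0.1", echo_port), listen_port=0)
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    got = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        got += chunk
    client.close()
    listener.close()
    return got


if __name__ == "__main__":
    print(demo_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

For real use, call start_forwarder(("192.168.98.11", 9200)) from a long-running script and keep the main thread alive; Hooker on the same machine then talks to localhost:9200 exactly as with the socat line, while other hosts on the network see no listener.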


Then go into the tool directory and run ./install to finish the installation; if you get a permissions error, remember to prefix the command with sudo.


To be continued.
