最近在研究APP脱壳,然后网上撸了个APK壳检测代码,发现Python写的不能直接用,调试了下可以用了,还是花了些时间。
原作者代码:
https://github.com/zsdlove/ApkVulCheck/blob/master/plugin/shellDetector.py
import zipfile
'''
first,get namelist from apk
second,matching the features
thrid,julging for the shellType
so easy~~
by zsdlove
2018/8/24 Morning
'''
shellfeatures={
"libchaosvmp.so":"娜迦",
"libddog.so":"娜迦",
"libfdog.so":"娜迦",
"libedog.so":"娜迦企业版",
"libexec.so":"爱加密",
"libexecmain.so":"爱加密",
"ijiami.dat":"爱加密",
"ijiami.ajm":"爱加密企业版",
"libsecexe.so":"梆梆免费版",
"libsecmain.so":"梆梆免费版",
"libSecShell.so":"梆梆免费版",
"libDexHelper.so":"梆梆企业版",
"libDexHelper-x86.so":"梆梆企业版",
"libprotectClass.so":"360",
"libjiagu.so":"360",
"libjiagu_art.so":"360",
"libjiagu_x86.so":"360",
"libegis.so":"通付盾",
"libNSaferOnly.so":"通付盾",
"libnqshield.so":"网秦",
"libbaiduprotect.so":"百度",
"aliprotect.dat":"阿里聚安全",
"libsgmain.so":"阿里聚安全",
"libsgsecuritybody.so":"阿里聚安全",
"libmobisec.so":"阿里聚安全",
"libtup.so":"腾讯",
"libexec.so":"腾讯",
"libshell.so":"腾讯",
"mix.dex":"腾讯",
"lib/armeabi/mix.dex":"腾讯",
"lib/armeabi/mixz.dex":"腾讯",
"libtosprotection.armeabi.so":"腾讯御安全",
"libtosprotection.armeabi-v7a.so":"腾讯御安全",
"libtosprotection.x86.so":"腾讯御安全",
"libnesec.so":"网易易盾",
"libAPKProtect.so":"APKProtect",
"libkwscmm.so":"几维安全",
"libkwscr.so":"几维安全",
"libkwslinker.so":"几维安全",
"libx3g.so":"顶像科技",
"libapssec.so":"盛大",
"librsprotect.so":"瑞星"
}
def shellDetector(apkpath):
shellType=""
shellsign=""
flag=True
zipfiles=zipfile.ZipFile(apkpath)
nameList=zipfiles.namelist()
for fileName in nameList:
for shell in shellfeatures.keys():
if shell in fileName:
flag=True
shellType=shellfeatures[shell]
shellsign=shell
break
else:
flag=False
if flag==True:
print("经检测,该apk使用了"+shellType+"进行加固")
if __name__ == '__main__':
shellDetector("test.apk")
``复制或者去GitHub 下载过来 你直接运行是会报错的。
用IDE打开调试看看发现Python 很严谨,可能作者在复制或者上传过程中,还是浏览器问题,少了个table键,然后少了回车键造成代码运行不了,调试好的代码如下
```python
import zipfile
'''
first,get namelist from apk
second,matching the features
thrid,julging for the shellType
so easy~~
by zsdlove
2018/8/24 Morning
'''
shellfeatures={
"libchaosvmp.so":"娜迦",
"libddog.so":"娜迦",
"libfdog.so":"娜迦",
"libedog.so":"娜迦企业版",
"libexec.so":"爱加密",
"libexecmain.so":"爱加密",
"ijiami.dat":"爱加密",
"ijiami.ajm":"爱加密企业版",
"libsecexe.so":"梆梆免费版",
"libsecmain.so":"梆梆免费版",
"libSecShell.so":"梆梆免费版",
"libDexHelper.so":"梆梆企业版",
"libDexHelper-x86.so":"梆梆企业版",
"libprotectClass.so":"360",
"libjiagu.so":"360",
"libjiagu_art.so":"360",
"libjiagu_x86.so":"360",
"libegis.so":"通付盾",
"libNSaferOnly.so":"通付盾",
"libnqshield.so":"网秦",
"libbaiduprotect.so":"百度",
"aliprotect.dat":"阿里聚安全",
"libsgmain.so":"阿里聚安全",
"libsgsecuritybody.so":"阿里聚安全",
"libmobisec.so":"阿里聚安全",
"libtup.so":"腾讯",
"libexec.so":"腾讯",
"libshell.so":"腾讯",
"mix.dex":"腾讯",
"lib/armeabi/mix.dex":"腾讯",
"lib/armeabi/mixz.dex":"腾讯",
"libtosprotection.armeabi.so":"腾讯御安全",
"libtosprotection.armeabi-v7a.so":"腾讯御安全",
"libtosprotection.x86.so":"腾讯御安全",
"libnesec.so":"网易易盾",
"libAPKProtect.so":"APKProtect",
"libkwscmm.so":"几维安全",
"libkwscr.so":"几维安全",
"libkwslinker.so":"几维安全",
"libx3g.so":"顶像科技",
"libapssec.so":"盛大",
"librsprotect.so":"瑞星"
}
def shellDetector(apkpath):
shellType=""
shellsign=""
flag=True
zipfiles=zipfile.ZipFile(apkpath)
nameList=zipfiles.namelist()
for fileName in nameList:
for shell in shellfeatures.keys():
if shell in fileName:
flag=True
shellType=shellfeatures[shell]
shellsign=shell
break
else:
flag=False
if flag==True:
print("经检测,该apk使用了"+shellType+"进行加固")
if __name__ == '__main__':
shellDetector("test.apk")
``
特别要注意地方:
这段代码意思 是解压apk 然后检索解压文件里面有没有各厂商特征的加壳文件。有的话就能检测出是哪家厂商的壳。
后面同事帮我修改下代码。
import zipfile
'''
first,get namelist from apk
second,matching the features
thrid,julging for the shellType
so easy~~
by zsdlove
2018/8/24 Morning
'''
shellfeatures={
"libchaosvmp.so":"娜迦",
"libddog.so":"娜迦",
"libfdog.so":"娜迦",
"libedog.so":"娜迦企业版",
"libexec.so":"爱加密",
"libexecmain.so":"爱加密",
"ijiami.dat":"爱加密",
"ijiami.ajm":"爱加密企业版",
"libsecexe.so":"梆梆免费版",
"libsecmain.so":"梆梆免费版",
"libSecShell.so":"梆梆免费版",
"libDexHelper.so":"梆梆企业版",
"libDexHelper-x86.so":"梆梆企业版",
"libprotectClass.so":"360",
"libjiagu.so":"360",
"libjiagu_art.so":"360",
"libjiagu_x86.so":"360",
"libegis.so":"通付盾",
"libNSaferOnly.so":"通付盾",
"libnqshield.so":"网秦",
"libbaiduprotect.so":"百度",
"aliprotect.dat":"阿里聚安全",
"libsgmain.so":"阿里聚安全",
"libsgsecuritybody.so":"阿里聚安全",
"libmobisec.so":"阿里聚安全",
"libtup.so":"腾讯",
"libexec.so":"腾讯",
"libshell.so":"腾讯",
"mix.dex":"腾讯",
"lib/armeabi/mix.dex":"腾讯",
"lib/armeabi/mixz.dex":"腾讯",
"libtosprotection.armeabi.so":"腾讯御安全",
"libtosprotection.armeabi-v7a.so":"腾讯御安全",
"libtosprotection.x86.so":"腾讯御安全",
"libnesec.so":"网易易盾",
"libAPKProtect.so":"APKProtect",
"libkwscmm.so":"几维安全",
"libkwscr.so":"几维安全",
"libkwslinker.so":"几维安全",
"libx3g.so":"顶像科技",
"libapssec.so":"盛大",
"librsprotect.so":"瑞星"
}
def shellDetector(apkpath):
shellType=""
shellsign=""
flag=False
zipfiles=zipfile.ZipFile(apkpath)
nameList=zipfiles.namelist()
for fileName in nameList:
for shell in shellfeatures.keys():
if shell in fileName:
shellType=shellfeatures[shell]
shellsign=shell
break
else:
flag=False
if shellType == '':
print("经检测,该apk使用了未识别加固方式")
else:
print("经检测,该apk使用了"+shellType+"进行加固")
if __name__ == '__main__':
shellDetector("test.apk")
小伙伴们可以关注我微信公众号,一起交流进步,有问题直接留言,我能解答,都会免费解答,没有任何套路。