Coder Social home page Coder Social logo

medusa's Introduction

Description:

MEDUSA is an Extensible and Modularised framework that automates processes and techniques practiced during the dynamic analysis of Android Applications.

Some of the MEDUSA's features include:

  • Tracing and instrumentation of API calls clustered according to their action (e.g. File System, IPC, Encryption)
  • Tracing and instrumentation of Java and Native functions
  • Unpacking (effective for most of the weel known packers, including Qihoo, Secshell e.t.c.)
  • Patching on the fly or statically (autoset the debugable flag)
  • Triggering of various system events in order to initiate a reaction (e.g. send intents / notifications / events to the target app)
  • Triggering of application's components (Activities, Services e.t.c.)

Overview of the MEDUSA workflows (Presentation): MEDUSA-Usage-workflows.pdf

Changelong:

11/02/2022:

Medusa was made directory independent, meaning medusa.py can now be run from anywhere in the system. Modules, namely the scratchpad, were also made directory independent. In particular, users may now add arbitrary modules by using the add command, and specifying a full path to a custom module. These features implied a cascade of changes, described below.

  • Calls to the agent.js, snippets, utilities, libraries, and default modules are now referred to by their full path. This path is obtained at startup, by setting the base_directory property of the Parser class to hold the result of calling os.path.dirname(__file__).
  • Modules are now represented by a Module class, and may be managed by a ModuleManager, both included in the newly created Modules.py. This relieves some of the strain from medusa.py, improves readability, and significantly reduces code size and code repetition.
  • The format of modules was revamped, and now consists of JSON code. The name of the module is now [category]/[name], where the category is optional, and defaults to uncategorized if missing. Without significant changes for the end user, this makes parsing modules very easy, less prone to error, and makes the format extensible. All files in the modules directory were updated accordingly.

Additional changes include:

  • Command completion now properly handles the forward slash ('/') character.
  • Code formatting has been harmonised.
  • Many local code improvements.

Note that although the changes were tested, since they are significant, some bugs may have been inadvertently introduced.

apkutils.py has been replace with mango.py

With mango.py you can load multiple applications at once and extract attributes of their main components, including activities, services, providers and receivers. The gathered data will be saved in a local SQLite database which can be easily queried via the mango cli. All the helping functions of apkutils have been maintained and similarly to medusa.py, mango.py is directory independent.

**Added requirements: **

androguard==3.3.5 click==8.0.3 cmd2==2.3.3 colorama==0.4.4 frida==15.1.13 google_trans_new==1.1.9 requests==2.25.1

Usage:

MEDUSA's functionality is divided in two basic python scripts: the medusa.py and the mango.py with the last to be more of a helping utility which automates processes like setting a proxy server for the device, parcing the Anroid Manifest, starting/stoping activities and many more. More specifically:

  • The medusa.py

    This script is used to dynamically add or remove tracing of API calls during application's runtime. The tracing 'comes' in a form of modules, where each one of them 'specializes' in an abstract aspect. As an example, to trace the cryptographic procedures of the application (e.g. fetch AES keys or the plaintext that will be encrypted), simply inject the AES module and observer the output.

    Indicatively some of the functionalities which are implemented so far, include the following:

    • SSL pinning bypass
    • UI restriction bypass (e.g. Flag secure, button enable)
    • Class enumeration
    • Hook native functions
    • Monitoring of:
      • Encryption process (keys, IVs, data to be encrypted)
      • Intents
      • Http communications
      • Websockets
      • Webview events
      • File operations
      • Database interactions
      • Bluetooth operations
      • Clipboard
    • Monitoring of API calls used by malware applications, such as:
      • Spyware
      • Click Fraud
      • Toll Fraud
      • Sms Fraud

    MEDUSA's current module set

  • The mango.py

    Given an apk file, the specific script is able to perform the following functionalities:

    • Display the application's components and technical characteristics, including:
      • Activities
      • Services
      • Receivers
      • Permissions
      • Intent Filters
      • Content providers
    • Trace application functions
    • Trigger an activity, service or an intent
    • Automate actions performed during dynamic analysis:
      • Change device proxy settings
      • Capture screenshots of the device
      • Install/Uninstall/kill an application
    • Patch (set the debug flag to true) / Sign / Install

    apkutils.py:

Requirements:

See requirements.txt for python requirements as well as frida and adb. A rooted device or an emulator is highly recomended in order to use the framework's full capabilities.

Modules:

A module (.med file) consists of three sections.

"Name": "foo_bar_dir/module_for_com_foo_bar",
"Description": "What your module does ?",
"Help": " How your module works ?",
"Code": 
  • The 'Name' used in order to reference a module. Default name convention is lower case letters and underscores (e.g. https_communications/ssl_unpining)

  • The 'Description' where the usage of the module is described, e.g. Description: Use this module to perform the following action .

  • The 'Help' where a more detailed information message or even a link to a website providing explanations about the module's usage is inserted

  • The Code is where the javascript code should be inserted in order to hook a specific API call.

    What follows is an example of the translation module:

For example the module bellow is used to cancel the killProcess, exit and finish of an application. The script itself is a json file using a .med suffix located under the /medusa/modules/<category/ directory:

{
    "Name": "helpers/cancel_system_exit",
    "Description": "Cancels application exit",
    "Help": "Hooks system.exit, activity.finish to cancel application's exit",
    "Code": "  
console.log(\"-----------Hooking SYSTEM EXIT----------------------\");

  var sysexit = Java.use(\"java.lang.System\");
  var activity = Java.use('android.app.Activity');
  var process = Java.use('android.os.Process');

  process.killProcess.implementation = function(pid){
    colorLog(\"[i] Canceling process kill with pid:\"+pid, {c: Color.Green});

  }
  sysexit.exit.overload(\"int\").implementation = function(var_0) {
    colorLog(\"[i] Canceling system exit\", {c: Color.Green});
  };

  activity.finish.overloads[0].implementation = function(){
    colorLog(\"[+] Canceling activity's finish\" ,{c: Color.Green});
    
  }
"
}

Saving a Session (module recipies):

You can save a set of modules to a file in order to use them in another session. Export a set of used modules using the export command followed by the filename:

medusa> export MyModuleRecipe.txt

Continue your session using the -r flag when starting MEDUSA: ./medusa.py -r MyModuleRecipe.txt

How To Create a Medusa Module:

A Medusa module is essentially a Frida script on steroids combined with multiple ready-made javascript functions that may enhance the final output. Assume that you found a super cool frida script online or you have many of them that you want to save in a classified manner:

  1. Remove Frida script's prologue / epilogue by changing it

    FROM:

    	Java.perform(function() {
    
    		var hook = Java.use("com.foo.bar");
        
    		hook.function.implementation = function() {
    			console.log("Info: entered target method");		
        }
    
    	});  
    

    TO:

    		var hook = Java.use("com.foo.bar");
        
    		hook.function.implementation = function() {
    			console.log("Info: entered target method");		
        }
    
  2. Insert the modified code in the "code" segment of the following json object:

    {
        "Name": "foo_bar_dir/module_for_com_foo_bar",
        "Description": "What your module does ?",
        "Help": " How your module works ?",
        "Code": 
      "
        
        
    		var hook = Java.use(\"com.foo.bar\");
        
    		hook.function.implementation = function() {
    			console.log(\"Info\\n: entered target method\");		
        }
        
         
        
        "
    }
  3. Save the result to the /medusa/modules directory

if you think that your module can be classified in one's of Medusa's categories (e.g. http_communications), save your module as .med under the corresponding folder:

/medusa/modules/foo_bar_dir/module_for_com_foo_bar.med

Or if you think your modulde can be classified to an already existing category, add it to the corresponding folder (e.g. /medusa/modules/http_communications)

That's all ... this module is now accessible via the medusa cli:

medusa> show all

medusa> use foo_bar_dir/module_for_com_foo_bar

  1. Contribute with a PR

​ if you think that your module can be helpfull to other users, do a pull request

Show Cases

- SSL Unpinning

Screenshot 2020-09-22 at 16 41 10

- Intent Monitoring

Screenshot 2020-09-22 at 16 41 10

- Passive Monitoring of HTTP Requests

Screenshot 2020-09-22 at 16 41 10

Screenshot 2020-09-22 at 16 43 37

- Native Libraries Enumeration

Screenshot 2020-09-22 at 16 41 10

- Memory READ/WRITE/SEARCH (interactive mode):

Screenshot 2020-09-22 at 16 41 10

- Personal information exfiltration monitoring

Hooks api calls which found to be common for this kind of malware, including:

  • Contact exfiltration
  • Call log exfiltration
  • Camera usage
  • Microphone usage
  • Location tracking
  • File uploading
  • Media recording
  • Clipboard tracking
  • Device recon
  • Screenshot capture

- Translation

Translates the application's UI by hooking 'setText' calls

CREDITS:

ChangeLog:

08/05/2021:

  • Added busybox support
  • Ability to force native library loading

07/02/2021:

  • Medusa agent was modified to include certificate set up functionality as well as a floating mod
  • Burp Certificate installation
  • Transparent proxy set up

27/11/2020:

Feature added according to which the user can search for code snippets that may later imported to the current session.

The code snippets are saved in the 'examples' directory and may be imported using the 'import' command, e.g.:

medusa> import RegisterClass

The code will be appended to the scratchpad and later get compiled to the final agent script.

05/11/2020:

Added option to dump a specific module from memory

05/10/2020:

  • Introducing Medusa Agent, to load and explore dex or jar files dropped by APKs:

medusa_agent

  • Spoof the Notification Listeners
  • Hook notification events
  • Fixes to dynamic code loading module
  • Patch an apk by turning the debug flag to true

04/11/2020: More native hook options added:

  • Hook by offset
  • Hook by pattern

16/09/2020: READ/WRITE/SEARCH process memory

By issuing medusa> memops package_name module_name, the framework can be used to perform read/write operations in the process memory.

medusa>memops com.foo.app libfoo.so
[i] Using device with id Device(id="192.168.1.5:1111", name="Dev", type='usb')
[i] Attaching to process com.foo.app [pid:19538]
|(E)xit |r@offset |⏎ |w@offset |? (help)|:

Issuing a read command (r@2000)

READ MEMORY:

|(E)xit |r@offset |⏎ |w@offset |? (help)|:r@2000

0x2000
Base Address:0x7b62471000 Dumping at:0x7b62473000 Offset:2000
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  88 0d 00 00 11 00 0c 00 2f ff 02 00 00 00 00 00  ......../.......
00000010  1d 00 00 00 00 00 00 00 a0 22 00 00 10 00 f1 ff  ........."......
00000020  30 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00  0 ..............
00000030  72 0f 00 00 11 00 0c 00 24 fd 02 00 00 00 00 00  r.......$.......
00000040  01 00 00 00 00 00 00 00 42 0d 00 00 12 00 0b 00  ........B.......
00000050  3c 08 01 00 00 00 00 00 a8 0c 00 00 00 00 00 00  <...............
00000060  08 0e 00 00 11 00 0c 00 68 05 03 00 00 00 00 00  ........h.......
00000070  19 00 00 00 00 00 00 00 c2 02 00 00 11 00 0c 00  ................

Issuing a write command (w@2000)

|(E)xit |r@offset |⏎ |w@offset |? (help)|:w@2000
Bytes to write (in the form of 00 11 22 33):90 90 90 90
Bytes in:[0x90,0x90,0x90,0x90]
Base Address:0x7b62471000 Dumping at:0x7b62473000 Offset:2000
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  90 90 90 90 11 00 0c 00 2f ff 02 00 00 00 00 00  ......../.......
00000010  1d 00 00 00 00 00 00 00 a0 22 00 00 10 00 f1 ff  ........."......
00000020  30 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00  0 ..............
00000030  72 0f 00 00 11 00 0c 00 24 fd 02 00 00 00 00 00  r.......$.......
00000040  01 00 00 00 00 00 00 00 42 0d 00 00 12 00 0b 00  ........B.......
00000050  3c 08 01 00 00 00 00 00 a8 0c 00 00 00 00 00 00  <...............
00000060  08 0e 00 00 11 00 0c 00 68 05 03 00 00 00 00 00  ........h.......
00000070  19 00 00 00 00 00 00 00 c2 02 00 00 11 00 0c 00  ................
00000080  fa ff 02 00 00 00 00 00 19 00 00 00 00 00 00 00  ................

01/09/2020: Native hook support added:

medusa>hook -n
[?] Libary name:libjpeg.so
[?] Function name:jpeg_CreateDecompress
[?] Enable backtrace (yes/no):yes
[?] Enable memory read (yes/no):yes
[?] Buffer read size (0-1024):1024

Entering Native function:  jpeg_CreateDecompress
Backtrace:
	0x7891e6d40c libhwui.so!_ZN7SkCodec13skipScanlinesEi+0xa18
	0x7891e6cd18 libhwui.so!_ZN7SkCodec13skipScanlinesEi+0x324
	0x7891e6d970 libhwui.so!_ZN6SkData17MakeUninitializedEm+0x3e8
	0x7891e6d898 libhwui.so!_ZN6SkData17MakeUninitializedEm+0x310
	0x7891e618c8 libhwui.so!_ZN7SkCodec14MakeFromStreamENSt3__110unique_ptrI8SkStreamNS0_14default_deleteIS2_EEEEPNS_6ResultEP16SkPngChunkReader+0x104
	0x7892326b84 libandroid_runtime.so!_Z38register_android_graphics_ImageDecoderP7_JNIEnv+0x1738
	0x7892325834 libandroid_runtime.so!_Z38register_android_graphics_ImageDecoderP7_JNIEnv+0x3e8
	0x714050e4 boot-framework.oat!0x28b0e4
Leaving Native function:  jpeg_CreateDecompress
Return Value: 0x77a01c6180
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

25/08/2020: Hook all functions of a given class (example):

medusa>hook -a com.foo.class

Hook(s) have been added to the modules/schratchpad.me ,you may include it in the final script.

21/08/2020: Hook a function by giving the name and its class name (example):

medusa>hook -f

Enter the full name of the function(s) class: foo.com
Enter a function name (CTRL+C to Exit): onCreate

Hook has been added to the modules/schratchpad.me ,you may include it in the final script.
About me:

Ch0pins's github stats

medusa's People

Contributors

ch0pin avatar rscloura avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.