Rubyfu
TwitterGithubNEW! Black Hat RubyBuy Me a Coffee
Search…
Primary version
Module 0x0 | Introduction
Contribution
Beginners
Required Gems
Module 0x1 | Basic Ruby Kung Fu
Module 0x2 | System Kung Fu
Module 0x3 | Network Kung Fu
Module 0x4 | Web Kung Fu
Module 0x5 | Exploitation Kung Fu
Module 0x6 | Forensic Kung Fu
Windows Forensic
Android Forensic
Memory Forensic
Network Traffic Analysis
Parsing Log Files
Module 0x7 | OSINT Kung Fu
References
FAQs
Contributors
Powered By GitBook
Android Forensic

Parsing APK file

Our example will be on DIVA (Damn insecure and vulnerable App) APK file. You can download the file from here.
Note: Some methods may not return the expected output because the missing information in the apk, e.g. the suggested apk doesn't have icon and signs but you can download some known apk like twitter apk or so and test it, it works.
We'll use ruby_apk gem to do that
  • Install ruby_apk gem
    1
    gem install ruby_apk
    Copied!
Now, lets start parsing
1
require 'ruby_apk'
2
​
3
apk = Android::Apk.new('diva-beta.apk')
4
​
5
# listing files in apk
6
apk.each_file do |name, data|
7
puts "#{name}: #{data.size}bytes" # puts file name and data size
8
end
9
​
10
# Extract icon data in Apk
11
icons = apk.icon
12
icons.each do |name, data|
13
File.open(File.basename(name), 'wb') {|f| f.write data } # save to file.
14
end
15
​
16
# Extract signature and certificate information from Apk
17
signs = apk.signs # retrun Hash(key: signature file path, value: OpenSSL::PKCS7)
18
signs.each do |path, sign|
19
puts path
20
puts sign
21
end
22
​
23
# Manifest
24
## Get readable xml
25
manifest = apk.manifest
26
puts manifest.to_xml
27
​
28
## Listing components and permissions
29
manifest.components.each do |c| # 'c' is Android::Manifest::Component object
30
puts "#{c.type}: #{c.name}"
31
c.intent_filters.each do |filter|
32
puts "\t#{filter.type}"
33
end
34
end
35
​
36
## Extract application label string
37
puts apk.manifest.label
38
​
39
# Resource
40
## Extract resource strings from apk
41
rsc = apk.resource
42
rsc.strings.each do |str|
43
puts str
44
end
45
​
46
## Parse resource file directly
47
rsc_data = File.open('resources.arsc', 'rb').read{|f| f.read }
48
rsc = Android::Resource.new(rsc_data)
49
​
50
# Resolve resource id
51
rsc = apk.resource
52
​
53
## assigns readable resource id
54
puts rsc.find('@string/app_name') # => 'application name'
55
​
56
## assigns hex resource id
57
puts rsc.find('@0x7f040000') # => 'application name'
58
​
59
## you can set lang attribute.
60
puts rsc.find('@0x7f040000', :lang => 'ja')
61
​
62
# Dex
63
## Extract dex information
64
dex = apk.dex
65
### listing string table in dex
66
dex.strings.each do |str|
67
puts str
68
end
69
​
70
### listing all class names
71
dex.classes.each do |cls| # cls is Android::Dex::ClassInfo
72
puts "class: #{cls.name}"
73
cls.virtual_methods.each do |m| # Android::Dex::MethodInfo
74
puts "\t#{m.definition}" # puts method definition
75
end
76
end
77
​
78
## Parse dex file directly
79
dex_data = File.open('classes.dex','rb').read{|f| f.read }
80
dex = Android::Dex.new(dex_data)
Copied!
Previous
Windows Forensic
Next
Memory Forensic
Last modified 4yr ago
Copy link