brompwnie / Uitkyk

Runtime memory analysis framework to identify Android malware

Introduction

By Chris Le Roy (@brompwnie)

Uitkyk is a framework that allows you to identify Android malware according to the instantiated objects on the heap for a specific Android process.

Uitkyk was launched at Troopers18; the talk and slides can be found here: https://troopers.de/troopers18/agenda/uc9azv/

Videos showing Uitkyk in action can be found on YouTube here https://www.youtube.com/channel/UCqCZRfUpl2azw8ZfvCiOIKA

What does it do

Uitkyk scans the heap of a specific Android process using custom Frida scripts and flags malicious behaviour according to the objects that process has instantiated. The check is therefore runtime-only: it sees the objects that are live on the heap at the moment of the scan, not code paths that have not executed yet.

How to use Uitkyk

Uitkyk can be used in three ways. Firstly, as an Android library inside an existing Android application, by adding either the code in the "Android Library" folder or the AAR release to your application as a module. Secondly, as a standalone application, by building and running the Android application located in the "UitkykDemoApp" folder. Thirdly, from the Frida CLI, by running the Frida scripts located in the "FridaScripts" folder directly.

Requirements

A Frida server instance is required to be running on the device. By default Uitkyk connects to Frida at tcp:host=127.0.0.1,port=27042 (27042 is Frida's default listening port), but a custom host and port can be supplied.

To run the Frida server binary on your device, make the binary executable and start it in the background (a single trailing & backgrounds the process; the original "&&" is a shell syntax error). The frida-server binary normally has to run as root on the device. For example:

chmod 755 ./fridaBinary
./fridaBinary &

You can confirm the server is reachable from your workstation with "frida-ps -U" before starting Uitkyk.

Uitkyk Library Usage

Make sure you have a Frida server instance running as described in the Requirements section. To use the Uitkyk library, add the module to your Android application as a regular Android module by either adding the AAR located in the Release section or the source code located in the "Android Library" folder. The library exposes two calls: fridaPS(), the equivalent of "frida-ps -U", which lists the processes on the device, and analyzeProcess(pid), the equivalent of "frida -U -l AnalyzingHeapForObjects.js com.an.android.app", which scans the heap of the process with the given PID:

// fridaHost and fridaPort are the host and port the Frida server listens on
// (by default 127.0.0.1 and 27042, see Requirements)
UitkykUtils uitkykUtils = new UitkykUtils(fridaHost, fridaPort);

// Equivalent of "frida-ps -U": enumerate processes on the device
String processes = uitkykUtils.fridaPS();

// Equivalent of "frida -U -l AnalyzingHeapForObjects.js com.an.android.app":
// scan the heap of the process identified by this.pid
String results = uitkykUtils.analyzeProcess(this.pid);

Both API calls return a String containing the output of the scan, which can be parsed or stored for further analysis.

Uitkyk Application Usage

First, make sure you have met the Requirements section. To use the Uitkyk application, either download the prebuilt APK located in the Release section or build the APK from the source code located in the "UitkykDemoApp" folder. Once the APK is installed, simply run the application and provide the process ID of the process you want to analyze.

Uitkyk Scripts

The Frida scripts located in the "FridaScripts" folder can be run directly with the Frida CLI against the package name of the target application, for example:

frida -U -l AnalyzingHeapForObjects.js com.an.android.app
frida -U -l CatchingRuntimeExec.js com.an.android.app
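The following Frida script is an added example written for this page; it is not one of the scripts in Uitkyk's "FridaScripts" folder and not the project's own detection logic. It combines the two techniques the page describes: walking the heap of the target process for live instances of selected classes (the "What does it do" section) and catching Runtime.exec calls (the CatchingRuntimeExec.js usage above). The list of indicator classes, their weights, the threshold of 4 and the file name heap_indicators.js are assumptions chosen for illustration. The verdict logic is kept separate from the Frida calls so it can be tested in plain Node.

```javascript
'use strict';

// Heap indicators: fully qualified class names whose live instances are worth
// flagging, each with an assumed weight. These are illustrative choices for
// this example, not Uitkyk's rules: a benign app rarely keeps a DexClassLoader
// alive, while Cipher is common in both malware and legitimate apps.
const HEAP_INDICATORS = {
  'dalvik.system.DexClassLoader': 3,          // loads code that is not in the APK
  'dalvik.system.InMemoryDexClassLoader': 3,  // same, straight from a byte buffer
  'java.lang.ProcessBuilder': 2,              // spawns native commands (su, sh, ...)
  'android.telephony.SmsManager': 2,          // premium-rate SMS abuse
  'javax.crypto.Cipher': 1                    // payload decryption, but also benign use
};

// Pure verdict logic, kept free of Frida APIs so it runs off-device.
// counts maps class name -> number of live instances found on the heap.
function scoreHeap(counts, indicators = HEAP_INDICATORS, threshold = 4) {
  let score = 0;
  const hits = [];
  for (const [cls, weight] of Object.entries(indicators)) {
    const n = counts[cls] || 0;
    if (n > 0) {
      score += weight;
      hits.push(cls + ' x' + n);
    }
  }
  return { score: score, hits: hits, suspicious: score >= threshold };
}

// Frida-side collector: Java.choose walks the ART heap and calls onMatch once
// per live instance of the class. A class the target never loaded makes
// Java.choose throw; that is counted as 0 instances.
function collectHeapCounts(indicators = HEAP_INDICATORS) {
  const counts = {};
  for (const cls of Object.keys(indicators)) {
    counts[cls] = 0;
    try {
      Java.choose(cls, {
        onMatch: function (instance) { counts[cls] += 1; },
        onComplete: function () {}
      });
    } catch (e) {
      // class not loaded in this process
    }
  }
  return counts;
}

// Every Runtime.exec overload on Android ends in exec(String[], String[], File),
// so hooking that single overload logs all commands, including exec("su").
function hookRuntimeExec() {
  const Runtime = Java.use('java.lang.Runtime');
  const sink = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File');
  sink.implementation = function (cmdArray, envp, dir) {
    const parts = [];
    for (let i = 0; i < cmdArray.length; i++) parts.push(String(cmdArray[i]));
    console.log('[Runtime.exec] ' + parts.join(' '));
    return sink.call(this, cmdArray, envp, dir);
  };
}

// Entry point when loaded with: frida -U -l heap_indicators.js com.an.android.app
// The typeof guard lets the pure functions above load in plain Node as well.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    hookRuntimeExec();
    const verdict = scoreHeap(collectHeapCounts());
    console.log('[heap] score=' + verdict.score + ' suspicious=' + verdict.suspicious);
    verdict.hits.forEach(function (h) { console.log('[heap]   ' + h); });
  });
}
```

Because Java.choose only reports objects that are alive at the time of the scan, run the script once the app has reached the state you suspect (after its first network call, after a permission prompt, and so on); a loader that was already garbage-collected leaves no trace on the heap, which is why the Runtime.exec hook stays installed to catch later activity. Direct use of ProcessBuilder.start() bypasses the Runtime.exec hook, but a live ProcessBuilder instance is still picked up by the heap walk.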

License

Uitkyk is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0).
