A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.

Overview
                  ___ ___
                 /   |   \  ____  __ __  ______ ____
                /    ~    \/  _ \|  |  \/  ___// __ \
                \    Y    (  <_> )  |  /\___ \  ___/
                 \___|_  / \____/|____//____  >\___  >
                       \/      House        \/     \/
                
                    Dynamic Mobile Analysis Tool
                    Contact: [email protected]

House is a runtime mobile application analysis toolkit with a Web GUI, powered by Frida and written in Python. It is designed to help assess mobile applications through dynamic function hooking and interception, and is intended to make Frida script writing as simple as possible.

TL;DR

git clone https://github.com/nccgroup/house
cd house
pip3 install -r requirements.txt
pip3 install pipenv
pipenv --python=/usr/bin/python3 install
pipenv --python=/usr/bin/python3 shell
python3 app.py <PORT>

# or:
mkvirtualenv --python=/usr/local/bin/python3 house
workon house
pip install -r requirements.txt
python app.py <PORT>

# or: (only for Mac OS)
git clone https://github.com/nccgroup/house
cd house
pip3 install -r requirements.txt
pip3 install pipenv
pipenv --python=/usr/local/bin/python3 install
pipenv --python=/usr/local/bin/python3 shell
python3 app.py <PORT>

By default, House binds to http://127.0.0.1:8000.

For an overview of House's capabilities, see the user's manual.

News

  • Added dynamic dex/jar hooking: House can now hook functions in dynamically loaded dex/jar files
  • Added a Mini Script option for Hooks
  • ClassLoader Enum

Note: Make sure to update your Frida version to >= 12.8.3 for dex/jar function hooking.

Example Usage

This section gives a small example illustrating the basic usage of House. The demo is performed against a small Android test application: com.ha0k3.overloads.

Start

  • Make sure an Android device is plugged in over USB and the Frida server is running on the device. Check that the Frida server has started successfully with the following command: frida-ps -U.

  • Start the House application by running app.py: python app.py <PORT>.

  • Open a browser and navigate to http://127.0.0.1:PORT.

  • Check that the device information is displayed on the page. If it is not, click the Refresh button or restart the application and the Frida server.

Monitor

  • House dynamically generates hook scripts from templates based on the config file, to monitor key operations including FILEIO, IPC, etc.

  • This feature is experimental at this point. If you find more functions that need to be hooked, feel free to let me know or file a PR.

Preload & Sideload

  • House now supports sideloading. At this point it supports stetho sideloading, which makes it easier to examine the UI, storage, etc.
  • It is experimental at this point, but more functionality such as SSLStrip will be added under this tab.

Enumeration

  • Enumerate all loaded classes
  • Enumerate all classes in the Dex file
  • Enumerate all methods within a given class
  • History Scripts management

Multiple Function Tracing

  • Scripts rendering and Function Tracing

  • Hooks for functions in dynamically loaded dex/jar files

  • Mini Script option

  • History Scripts management

Function intercepting

  • Via House, researchers can dynamically change the arguments being passed to the target functions and forward them.

  • Sometimes House cannot perfectly parse argument information, for example when an argument has a special type. The example app implements an isLit function that takes a custom object as its argument. To handle those situations, House provides a simple "REPL": security researchers can type Frida script into the REPL at runtime and modify the function's behavior.

  • House provides several REPL functions to make testing easier:

    • inspectObject(obj) uses java.lang.reflect to inspect field information within an object.
    • setRetval(ret) takes a parameter and tries to cast it to the correct return type using the original return value's constructor.
    • getStackTrace() prints the stack trace.
    • More REPL functions will be added in the future.

Note: For constructor method hooking/intercept, input $init as method name.

FAQ

Prerequisite:

To make House work, you need:

  1. A rooted Android device with frida-server running, plugged into your computer. Using only one USB device is recommended.
  2. A local frida-python version that matches frida-server's.

Cannot get device? Does not work?

Also, please try restarting both the Frida server and House. If it still does not work, please file an issue.

Time out error?

This often occurs when there are multiple USB devices connected. Try restarting the target application.

Frida error?

House has been tested with Frida version 12.8.6; there might be issues with other versions. Also make sure frida-python matches frida-server's version. If it still does not work, try running the generated Frida scripts manually to see if they work.

Acknowledgements

Special thanks to the following open-source projects for inspiring House:

  1. Frida, the great instrumentation toolkit that makes all of this possible.
  2. Objection, an inspiration and guide in building part of the Frida templating scripts of House.
  3. Inspeckage, an inspiration on the Monitor functionality of House.
  4. 0xdea/frida-scripts - a great Frida scripts arsenal.

Contact

If you have more questions about House, or want to help extend it, feel free to contact:

@haoOnBeat

Or send an email to: Hao Ke

Comments
  • App shelling?

    I may be an idiot (has happened before), but is there a way to launch app instead of attach using house? I need to perform hooks as soon as the app is loaded. Thanks in advance.

    enhancement 
    opened by idb- 4
  • Classes won't load

    Keep getting message "[+] Updating intercept_conf with {"classname": "", "packagename": "com.ha0k3.overloads", "methodname": "", "overloadIndex": 0}" and nothing happens. Recorded screencap: https://streamable.com/w85wa

    opened by dec0dOS 3
  • fixed missing cgi.escape() when running under python3.8

    When running under python 3.8 house throws the following error:

    [+] Trying to get device..
    Exception in thread Thread-33:
    Traceback (most recent call last):
      File "/home/merzjo/VMShared/playground/android/house/houseUtil.py", line 235, in getDevice
        {'data': cgi.escape(str(house_global.device))},
    AttributeError: module 'cgi' has no attribute 'escape'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib64/python3.8/threading.py", line 932, in _bootstrap_inner
        self.run()
      File "/usr/lib64/python3.8/threading.py", line 870, in run
        self._target(*self._args, **self._kwargs)
      File "/home/merzjo/VMShared/playground/android/house/venv/lib/python3.8/site-packages/socketio/server.py", line 651, in _handle_event_internal
        r = server._trigger_event(data[0], namespace, sid, *data[1:])
      File "/home/merzjo/VMShared/playground/android/house/venv/lib/python3.8/site-packages/socketio/server.py", line 680, in _trigger_event
        return self.handlers[namespace][event](*args)
      File "/home/merzjo/VMShared/playground/android/house/venv/lib/python3.8/site-packages/flask_socketio/__init__.py", line 283, in _handler
        return self._handle_event(handler, message, namespace, sid,
      File "/home/merzjo/VMShared/playground/android/house/venv/lib/python3.8/site-packages/flask_socketio/__init__.py", line 698, in _handle_event
        ret = handler(*args)
      File "/home/merzjo/VMShared/playground/android/house/houseSock.py", line 56, in wrapped
        return f(*args, **kwargs)
      File "/home/merzjo/VMShared/playground/android/house/houseSock.py", line 90, in refresh_device
        getDevice()
      File "/home/merzjo/VMShared/playground/android/house/houseUtil.py", line 256, in getDevice
        {'data': cgi.escape(str(house_global.device))},
    AttributeError: module 'cgi' has no attribute 'escape'
    

    The following change seems to resolve that issue.

    Taken from: tensorflow

    opened by clydegale 2
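The traceback in the report above comes from `cgi.escape`, which Python 3.8 removed; `html.escape` is the standard-library replacement. The sketch below is an added example, not the change from that pull request and not House's own code: `device_payload`, `legacy_cgi_escape` and `newly_escaped` are hypothetical names and the device string is constructed. It shows what changes in the output when migrating, since `html.escape` also encodes quote characters by default.

```python
"""Added example: escaping device info for a web GUI on Python 3.8+."""
import html

# Constructed sample: a device description containing HTML metacharacters.
SAMPLE_DEVICE = "Device(id=\"ABC123\", name=\"<b>Pixel</b> & 'lab' phone\", type='usb')"


def legacy_cgi_escape(s, quote=False):
    """Mimic the removed cgi.escape() so old and new output can be compared.

    With the default quote=False it left both quote characters untouched.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def device_payload(device):
    """Hypothetical stand-in for the dict built on the failing line.

    html.escape() defaults to quote=True, so the value is also safe inside
    a quoted HTML attribute, not only in element text.
    """
    return {"data": html.escape(str(device))}


def newly_escaped(s):
    """Characters that html.escape() encodes but the old default did not."""
    old, new = legacy_cgi_escape(s), html.escape(s)
    return sorted(c for c in "\"'" if c in old and c not in new)


if __name__ == "__main__":
    print("old:", legacy_cgi_escape(SAMPLE_DEVICE))
    print("new:", device_payload(SAMPLE_DEVICE)["data"])
    print("now also escaped:", newly_escaped(SAMPLE_DEVICE))
```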
  • Frida requires python3.x, and House requires python2.x

    Hi, I have one question: Frida requires python3.x, and House requires python2.x. If I use python3.x and run python3.x app.py 8888, an error appears:

    File "app.py", line 127
      """
      ^
    SyntaxError: invalid syntax

    opened by ldzSpace 2
  • Keep getting [!]load_script Exception Error.

    Device : LGE Nexus 5X. Frida Server version: 11.0.13 android arm64. Device OS: Android 8.1.0 Rooted.

    Frida Server is running and Fridump & Frida-ps work like a charm.

    House recognizes the device but the package does not get loaded in the House Browser UI.

    opened by h4ck3r893 2
  • Server not Starting

    When I run command: python3 app.py 8000 I get the following error:

    Traceback (most recent call last):
      File "/Users/uh/Downloads/house/app.py", line 23, in <module>
        from houseGlobal import house_global, app, socketio, random_token
      File "/Users/uh/Downloads/house/houseGlobal.py", line 23, in <module>
        from flask import Flask
    ModuleNotFoundError: No module named 'flask'

    OS: Same on MAC and Kali. Thank you for help.

    opened by umarhyatt00 1
  • Batch update

    Added following new features:

    • Hooks for functions in dynamically loaded dex/jar files;
    • Options for generating mini scripts;
    • ClassLoader Enum option.

    Also updated:

    • Testing APK files
    • README.md
    • Bug fix
    opened by H4oK3 1
  • [!]load_script Exception: unable to communicate with remote frida-server;

    After loading an application, I am getting this error: scren

    Frida-server is running on the device (frida-ps -U works and shows running app). Any idea where does it come from?

    opened by Gr0minet 1
  • miss monitor_conf.json

    Traceback (most recent call last):
      File "app.py", line 191, in <module>
        main()
      File "app.py", line 168, in main
        with open('./config/monitor_conf.json','r') as f:
    FileNotFoundError: [Errno 2] No such file or directory: './config/monitor_conf.json'

    opened by flynnch 1
  • how to use the native hooking?

    Sorry for not a bug, but I can't quite figure out the native hooking:

    {"classname":"libc.so","methodname":"recvfrom"}
    {"classname":"libc.so","methodname":"open"}
    

    seems to load fine but neither get hit. I can see them hit in frida-trace however. Happy to write up some docs on it so figured file as a bug for record rather than emailing.

    opened by mitchcapper 1
  • Use Travis CI to run flake8 tests on all pull requests

    @nccgroup would need to turn on the switch for this repo at https://www.travis-ci.org/nccgroup

    http://flake8.pycqa.org will flag the Travis CI build if there are Python syntax errors or undefined names.

    E901,E999,F821,F822,F823 are the "showstopper" flake8 issues that can halt the runtime with a SyntaxError, NameError, etc. Most other flake8 issues are merely "style violations" -- useful for readability but they do not affect runtime safety. This PR therefore recommends a flake8 run of these tests on the entire codebase.

    • F821: undefined name name
    • F822: undefined name name in __all__
    • F823: local variable name referenced before assignment
    • E901: SyntaxError or IndentationError
    • E999: SyntaxError -- failed to compile a file into an Abstract Syntax Tree
    opened by cclauss 1
  • how install windows 10

    "pipenv --python=/usr/bin/python3 install" cmd not run my windows 10

    C:\Users\gsudi\house>pipenv --python=/usr/bin/python3 install
    'pipenv' is not recognized as an internal or external command, operable program or batch file.

    C:\Users\gsudi\AppData\Roaming\Python\Python39\Scripts>pipenv --python=/usr/bin/python3 install
    Usage: pipenv [OPTIONS] COMMAND [ARGS]...
    Try 'pipenv -h' for help.

    Error: Invalid value for '--python': Expected Python at path /usr/bin/python3 does not exist

    solve my problem

    opened by suraj9098 0
  • load_script Exception: need Gadget to attach on jailed Android

    I tried to connect my rooted phone but get this error:

    [!]load_script Exception: need Gadget to attach on jailed Android; its default location is: C:\Users\XXX\AppData\Local\Microsoft\Windows\INetCache\frida\gadget-android-arm64.so

    What should I do?

    opened by Kaaveh 5
  • Connection issues with VM

    Environment

    OS and Version: Ubuntu 20.0.4.2 LTS
    Python Version: Python 3.8.5
    Genymotionvm: Android API 25, Android 7.1

    Explanation of the Issue

    House connection timeout when used with Genymotion VM.

    Steps to Reproduce the issue

    1. Downloading and installing House, making sure the requirements are correct
    2. Start House

    Stack trace

    Error on request:
    Traceback (most recent call last):
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/werkzeug/serving.py", line 319, in run_wsgi
        execute(self.server.app)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/werkzeug/serving.py", line 308, in execute
        application_iter = app(environ, start_response)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/flask/app.py", line 2463, in __call__
        return self.wsgi_app(environ, start_response)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/flask_socketio/__init__.py", line 45, in __call__
        return super(_SocketIOMiddleware, self).__call__(environ,
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/engineio/middleware.py", line 60, in __call__
        return self.engineio_app.handle_request(environ, start_response)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/socketio/server.py", line 563, in handle_request
        return self.eio.handle_request(environ, start_response)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/engineio/server.py", line 416, in handle_request
        socket = self._get_socket(sid)
      File "/home/appanalyse/.local/share/virtualenvs/house-C-9l96Nc/lib/python3.8/site-packages/engineio/server.py", line 609, in _get_socket
        raise KeyError('Session is disconnected')
    KeyError: 'Session is disconnected'
    

    Possible Solution

    Install frida 12.8.3, as well as frida-server 12.8.3, in the VM.

    Further testing is being done right now, but it looks like this fixes the issues.

    This issue looks similar to: https://github.com/miguelgrinberg/Flask-SocketIO/issues/248 but the solution consists of downgrading Frida instead of Flask-SocketIO, so I am unsure if everything is fixed. Also the Flask-SocketIO issue used python2, but apart from that it looks pretty similar.

    Here is a screenshot with the bug present (it's stuck waiting for device & package):

    house_bug

    Here is a screenshot with the bug fixed: house_fixed

    opened by JosuaWelss 0
  • Unsupported version of the Socket.IO or Engine.IO protocols error

    I'm not able to see the device connected to the USB port. frida-ps -U works and lists the processes.

    When the app starts I see the following:

    
      ___ ___
     /   |   \  ____  __ __  ______ ____
    /    ~    \/  _ \|  |  \/  ___// __ \
    \    Y    (  <_> )  |  /\___ \  ___/
     \___|_  / \____/|____//____  >\___  >
           \/      House        \/     \/
    
        Dynamic Mobile Analysis Tool
        Contact: [email protected]
    
    Communications will happen over USB, make sure have your android device plugged in.
    
    [+] House running at http://127.0.0.1:5000
     * Serving Flask app "houseGlobal" (lazy loading)
     * Environment: production
       WARNING: This is a development server. Do not use it in a production deployment.
       Use a production WSGI server instead.
     * Debug mode: off
    The client is using an unsupported version of the Socket.IO or Engine.IO protocols (further occurrences of this error will be logged with level INFO)
    
    opened by detunized 3
  • Hooks on a dynamic loaded class works, sometimes not

    I am using malicious sample Android/Alien dc215663af92d41f40f36088ec1b850b81092ea94a4a061a9ce88178daee965a. I want to hook in class mgcmudrfccmnwasmkd.qalnmoqsc.oygfoqispqmmjqqkuij.gjavovxatuj, which is dynamically loaded, a method private String a(String arg5). I use:

    • Start panel: an Android emulator, via USB, and package name msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
    • Hook panel: I specify the class and method name. I managed to get it to work without specifying anything more! (did not need to specify overload type nor dynamic path).

    Sometimes it works. See below. house-decrypted This is good. But sometimes (often) it does not work. The most common error I get is [!] Process not found, trying to spawn it... Some other times I get [!]Error: Error: java.lang.ClassNotFoundException: Didn&#x27;t find class &quot;msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr.gjavovxatuj&quot; on path: DexPathList[[zip file &quot;/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json&quot;],nativeLibraryDirectories=[, /system/lib64, /vendor/lib64]] Note that the path /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json corresponds to the dynamically loaded dex (unpacked). Sometimes I get "nothing". Nothing happens.

    I am unsure if this is a bug, or if I am doing something wrong, but I'd be grateful to have a solution that works 100% all the time :)

    opened by cryptax 0