数据分析
- 作者仓库星标 4,750
- 许可证 Apache-2.0
- 作者更新于 实时读取
- 作者仓库 GDA-android-reversing-Tool
- 领域
- 通用
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 94 / 100 · 已通过审计
- 作者 / 版本 / 许可
- @charles2gan · Apache-2.0
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 即装即用
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: gda-analyze
description: Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (i…
category: 通用
runtime: Python
---
# gda-analyze 输出预览
## PART A: 任务判断
- 适用问题:通用任务拆解、检查和交付。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Overview / Analysis Workflow / Phase 1: Recon”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于通用任务拆解、检查和交付,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Overview / Analysis Workflow / Phase 1: Recon”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件。
先用一个小任务确认它会围绕“Overview / Analysis Workflow / Phase 1: Recon”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: gda-analyze
description: Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (i…
category: 通用
source: charles2gan/GDA-android-reversing-Tool
---
# gda-analyze
## 什么时候使用
- 把通用方向的常用动作沉淀成 Agent 可调用的技能 适合处理通用任务拆解、检查、交付和复盘,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不需要额外…
- 面向通用任务拆解、检查和交付,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Overview / Analysis Workflow / Phase 1: Recon」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "gda-analyze" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Overview / Analysis Workflow / Phase 1: Recon
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、写入/修改文件 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Overview
This skill performs malware analysis on Android APKs using GDA.exe. The workflow is: Recon -> Trace -> Extract -> Decrypt -> Report.
GDA.exe Path: GDA_EXE="${CLAUDE_SKILL_DIR}/bin/gda.exe"
Analysis Workflow
Phase 1: Recon
python gda_analyze.py sample.apk binfo
python gda_analyze.py sample.apk permission
python gda_analyze.py sample.apk axml
Phase 2: Trace
# 1. Attack surface - exported components
python gda_analyze.py sample.apk attsf
# 2. Malware scan - automated detection
python gda_analyze.py sample.apk malscan
# 3. Trace suspicious components
python gda_analyze.py sample.apk "listm com.suspicious.Class"
python gda_analyze.py sample.apk "dec -c com.suspicious.Class"
python gda_analyze.py sample.apk "xref -c com.suspicious.Class"
python gda_analyze.py sample.apk "dasm method@xxxxx"
Phase 3: Extract
# Network IOCs
python gda_analyze.py sample.apk sensinf
python gda_analyze.py sample.apk "find -s http"
python gda_analyze.py sample.apk "find -s 192"
python gda_analyze.py sample.apk "find -s socket"
python gda_analyze.py sample.apk uri
# Encryption strings
python gda_analyze.py sample.apk "find -s Base64"
python gda_analyze.py sample.apk "find -s DES"
python gda_analyze.py sample.apk "find -s AES"
python gda_analyze.py sample.apk "find -s RC4"
Phase 4: Decrypt
# Find encryption-related method calls
python gda_analyze.py sample.apk "find -m getInstance"
python gda_analyze.py sample.apk "find -m doFinal"
python gda_analyze.py sample.apk "find -m SecretKeySpec"
python gda_analyze.py sample.apk "find -m IvParameterSpec"
# Trace encryption class
python gda_analyze.py sample.apk "dec -c com.malware.CryptoClass"
# Find key storage
python gda_analyze.py sample.apk "find -s SharedPreferences"
python gda_analyze.py sample.apk "find -s getString"
# If key found, generate Python decrypt script
Malware Analysis Report Template
# [APK Name] - Malware Analysis Report
## 1. Sample Overview
| Attribute | Value |
|-----------|-------|
| Package Name | from binfo |
| File Size | from binfo |
| MD5 | from binfo |
| SHA256 | from binfo |
| DEX Info | class count, method count from binfo |
## 2. Plaintext IOCs
- C2 Addresses: [from sensinf/find -s]
- URLs: [from find -s http]
- IPs: [from find -s 192]
- Paths: [from uri]
## 3. Encrypted IOCs & Decryption
| IOC Type | Cipher | Mode | Key Source | Encrypted Value |
|----------|--------|------|------------|----------------|
| C2 URL | AES | CBC | hardcoded | [base64] |
### Decryption Script
```python
#!/usr/bin/env python3
"""Decrypt [IOC type] from [APK Name]"""
from Crypto.Cipher import AES
import base64
# Key: [extracted as hex or base64]
key = b'[16-byte key]'
# IV: [extracted or None for ECB]
iv = b'[16-byte iv]' # or None
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = base64.b64decode('[encrypted]')
decrypted = cipher.decrypt(encrypted)
print(decrypted.decode(errors='replace').rstrip('\x00'))
4. Suspicious Components
| Component | Class Index | Key Methods | Risk |
|---|---|---|---|
| [name] | class@xxxxx | method@xxxxx | High |
5. Code Analysis
[Component Name]
- File: com/package/ClassName.class
- Evidence: [relevant code snippet from dec]
- Call Chain: [xref results]
6. Persistence Mechanism
- Boot: [receiver/service for BOOT_COMPLETED]
- Service: [from axml]
- Anti: [from code analysis]
7. Conclusion
Threat Type: [Trojan/Spyware/Adware/etc] Risk Level: [Critical/High/Medium/Low]
---
## Command Reference
### Recon Commands (Phase 1)
| Command | Purpose |
|---------|---------|
| `binfo` | File hashes, size, package, DEX info |
| `permission` | All permissions |
| `axml` | AndroidManifest.xml |
### Trace Commands (Phase 2)
| Command | Usage | Purpose |
|---------|-------|---------|
| `attsf` | `attsf` | Exported components - attack entry points |
| `malscan` | `malscan` | Malicious pattern detection |
| `listm` | `listm com.example.Class` | List methods in class |
| `dec` | `dec -c com.example.Class` | Decompile class |
| `xref` | `xref -c ClassName` | Find class references |
| `dasm` | `dasm method@xxxxx` | Disassemble method |
| `native` | `native` | Native methods |
### IOC Extract Commands (Phase 3)
| Command | Usage | Purpose |
|---------|-------|---------|
| `sensinf` | `sensinf` | API keys, passwords, tokens |
| `find -s` | `find -s pattern` | Search strings |
| `uri` | `uri` | File paths, content URIs |
| `api` | `api` | Sensitive API calls |
### Decrypt Commands (Phase 4)
| Command | Usage | Purpose |
|---------|-------|---------|
| `find -m` | `find -m methodName` | Find method calls |
| `find -s` | `find -s CryptoClass` | Find crypto classes |
| `dec` | `dec -c CryptoClass` | Analyze crypto implementation |
| `xref` | `xref -m methodName` | Trace method usage |
---
## Encryption Analysis Guide
### Step 1: Identify Encryption
Search strings:
```bash
python gda_analyze.py sample.apk "find -s Base64"
python gda_analyze.py sample.apk "find -s AES"
python gda_analyze.py sample.apk "find -s DES"
python gda_analyze.py sample.apk "find -s RC4"
Search methods:
python gda_analyze.py sample.apk "find -m getInstance"
python gda_analyze.py sample.apk "find -m doFinal"
python gda_analyze.py sample.apk "find -m SecretKeySpec"
python gda_analyze.py sample.apk "find -m IvParameterSpec"
Step 2: Trace Encryption Flow
# Find encryption utility class
python gda_analyze.py sample.apk "dec -c com.malware.CryptoUtil"
# Trace key/IV extraction
python gda_analyze.py sample.apk "find -s getBytes"
python gda_analyze.py sample.apk "find -s SharedPreferences"
Step 3: Extract Parameters
From decompiled code, identify:
- Algorithm: AES/DES/RC4 (from
Cipher.getInstance) - Mode: ECB/CBC/GCM (from
Cipher.getInstancestring) - Key: hardcoded string, byte array, or SharedPreferences
- IV: hardcoded or derived
- Padding: PKCS5/PKCS7/NoPadding
Example Cipher.getInstance string pattern:
"Cipher.getInstance(\"AES/CBC/PKCS5Padding\")"
Step 4: Generate Decrypt Script
from Crypto.Cipher import AES
import base64
import binascii
# Parameters from code analysis
key = binascii.unhexlify('[hex key]') # or base64.b64decode
iv = binascii.unhexlify('[hex iv]') # or None for ECB
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = base64.b64decode('[base64 encrypted]')
decrypted = cipher.decrypt(encrypted)
print(decrypted.decode(errors='replace').rstrip('\x00'))
Malware Pattern Commands
SMS Malware
python gda_analyze.py sample.apk "find -m sendTextMessage"
python gda_analyze.py sample.apk "find -m abortBroadcast"
python gda_analyze.py sample.apk "dec -c com.package.SmsReceiver"
Banking Trojan
python gda_analyze.py sample.apk "find -m WindowManager"
python gda_analyze.py sample.apk "find -s TYPE_TEXT_VARIATION_PASSWORD"
Spyware/RAT
python gda_analyze.py sample.apk "find -s http"
python gda_analyze.py sample.apk "find -s socket"
python gda_analyze.py sample.apk "dec -c com.spy.DataSender"
Adware
python gda_analyze.py sample.apk "find -s admob"
python gda_analyze.py sample.apk "find -s mopub"
Analysis Principles
- Recon first - Gather context before deep analysis
- Trace suspicious components - attsf/malscan reveal malicious code
- Search encryption patterns - Many malware encrypt C2/config
- Generate decrypt scripts - When key+ciphertext found
- Cite evidence - Always include class@xxxxx and method@xxxxx
- Be adaptive - Different malware types need different focus
Constraints
- GDA closes connection after each command
- Class index: 6-digit hex from attsf/listm (e.g.,
0002d3) - Method ID:
method@xxxxxfrom listm - Quote commands:
"find -s 192.168" find -msearches method names,find -ssearches strings
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核