XIT07/JiaguSentinelPro
GitHub: XIT07/JiaguSentinelPro
A static and dynamic forensics framework for APKs packed with 360 Jiagu, addressing the analysis problems its encryption and anti-debugging create.
Stars: 1 | Forks: 0
# 🛡️ JiaguSentinel Pro v2.0
### Advanced APK Unpacker and Malware Forensics Framework
*A modular, dual-engine framework for unpacking **360 Jiagu**-protected Android applications and performing deep malware forensics.*
## 🧬 Why 360 Jiagu?
**360 Jiagu (加固)** is one of China's most widely-deployed commercial Android packers, used by over 100,000 applications. While its legitimate purpose is to protect intellectual property, it is **heavily abused by malware authors** to evade static detection by antivirus engines.
**The problem:**
- Packed apps render traditional static analysis useless — the real DEX bytecode is encrypted inside native `.so` libraries
- The unpacking stub uses anti-debugging, anti-Frida, and integrity checks to prevent runtime extraction
- Security researchers need reliable tools to recover the original DEX for malware analysis
**JiaguSentinel's approach:**
- **Static Engine**: Entropy-based payload detection + byte-pattern matching + multi-layer decompression to extract DEX without execution
- **Dynamic Engine**: Frida-based memory dumping with advanced anti-detection bypass to capture decrypted DEX at runtime
- **Analytics Engine**: Automated threat scoring of extracted payloads for C2, exfiltration, and persistence indicators
## 🏗️ Architecture
```
JiaguSentinel/
├── main.py                  # Intelligent CLI/GUI router
├── core/
│   ├── static_engine.py     # Entropy analysis, LIEF, YARA, XOR brute-force
│   ├── dynamic_engine.py    # Frida injection, anti-anti-Frida, memory scanning
│   └── adb_manager.py       # Self-healing ADB, arch detection, Frida deployment
├── analytics/
│   ├── malware_scorer.py    # 40+ suspicious API patterns, threat scoring (0-100)
│   └── report_gen.py        # JSON + Markdown forensic reports
├── ui/
│   ├── gui_main.py          # CustomTkinter dark-mode tabbed UI
│   └── cli_main.py          # Rich + Click professional CLI
├── payloads/
│   └── dex_dump.js          # Enhanced Frida agent with ART hooks
├── rules/                   # Custom YARA rules (optional)
├── requirements.txt
└── README.md
```
## ⚡ Quick Start
### Prerequisites
- Python 3.10+
- Android device with **root access** (for dynamic engine)
- ADB installed and on PATH
- `frida-server` matching your device architecture
### Installation
```
git clone https://github.com/yourrepo/JiaguSentinel.git
cd JiaguSentinel
pip install -r requirements.txt
```
### Usage
#### GUI mode (default)
```
python main.py
```
#### CLI mode
```
# Static analysis
python main.py --cli scan path/to/suspicious.apk
# Dynamic dump (requires a rooted device + frida-server)
python main.py --cli dump com.suspicious.app
# Malware scoring on an extracted DEX
python main.py --cli analyze unpacked_output/extracted.dex
# Generate a forensic report
python main.py --cli report path/to/suspicious.apk -f both
# Device information
python main.py --cli device
# List available Frida payloads
python main.py --cli payloads
# JSON output for CI/CD
python main.py --cli --json-output scan suspicious.apk
```
## 🔬 Engine Deep Dive
### Static Engine
| Feature | Description |
|---------|-------------|
| **DEX Signature Scan** | Multi-version magic bytes (v035–v041) with header validation |
| **Entropy Heatmap** | Block-level Shannon entropy to pinpoint encrypted regions |
| **LIEF ELF Analysis** | Section entropy, symbol table, relocation scanning of `libjiagu*.so` |
| **Multi-Layer Decompress** | zlib → gzip → LZMA cascade on high-entropy blobs |
| **XOR Brute-Force** | Single-byte key recovery for XOR-encrypted payloads |
| **YARA Matching** | Custom rule scanning for packer and malware signatures |
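The following is an added example, not JiaguSentinel's own `static_engine.py`: it implements the static-engine building blocks from the table above (block-level Shannon entropy, DEX magic scan with header validation, zlib → gzip → LZMA cascade, single-byte XOR key recovery) and runs them on a constructed sample. The DEX header offsets are the public DEX format; the block size, the magic list and the order of the recovery steps are choices made here.

```python
# Added example, not JiaguSentinel's own static_engine.py: the static-engine
# building blocks from the table above, run on a constructed sample. The DEX
# header offsets are the public DEX format; block size, the magic list and the
# order of the recovery steps are choices made here.
import gzip
import lzma
import math
import random
import struct
import zlib
from collections import Counter
from typing import List, Optional, Tuple

DEX_MAGICS = [b"dex\n" + v + b"\0" for v in (b"035", b"036", b"037", b"038", b"039", b"040", b"041")]
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a perfectly uniform one."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def entropy_heatmap(data: bytes, block_size: int = 4096) -> List[Tuple[int, float]]:
    """(offset, entropy) per block; encrypted or compressed regions sit close to 8.0."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]

def validate_dex_header(data: bytes, off: int) -> bool:
    """Header validation behind a magic match: header_size (0x70) and endian_tag."""
    if off + DEX_HEADER_SIZE > len(data):
        return False
    header_size, endian_tag = struct.unpack_from("<II", data, off + 0x24)
    return header_size == DEX_HEADER_SIZE and endian_tag == ENDIAN_CONSTANT

def find_dex_headers(data: bytes) -> List[int]:
    """Offsets of every validated DEX header, for any supported version magic."""
    hits = []
    for magic in DEX_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if validate_dex_header(data, pos):
                hits.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def decompress_cascade(blob: bytes, max_layers: int = 4) -> Tuple[bytes, List[str]]:
    """Peel zlib/gzip/LZMA layers until none applies; returns the data and the layers peeled."""
    layers: List[str] = []
    codecs = (("zlib", zlib.decompress), ("gzip", gzip.decompress), ("lzma", lzma.decompress))
    for _ in range(max_layers):
        for name, fn in codecs:
            try:
                blob = fn(blob)
            except Exception:  # zlib.error, gzip.BadGzipFile, lzma.LZMAError: not this codec
                continue
            layers.append(name)
            break
        else:
            break  # no codec accepted the data: fully unwrapped
    return blob, layers

def xor_bruteforce(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Single-byte XOR key recovery: the key under which the blob becomes a valid DEX."""
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        if candidate[:4] == b"dex\n" and validate_dex_header(candidate, 0):
            return key, candidate
    return None

def recover_dex(blob: bytes) -> Optional[bytes]:
    """Static recovery chain: as-is, then decompressed; each also tried XOR-decoded."""
    for candidate in (blob, decompress_cascade(blob)[0]):
        hits = find_dex_headers(candidate)
        if hits:
            return candidate[hits[0]:]
        recovered = xor_bruteforce(candidate)
        if recovered:
            return recovered[1]
    return None

def make_fake_dex(payload_len: int = 256) -> bytes:
    """Constructed sample: valid header fields over a zero body, no real bytecode."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_SIZE + payload_len, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr) + bytes(payload_len)

def demo() -> dict:
    """Constructed scenario: an XOR-ed, zlib-compressed fake DEX buried in pseudo-random noise."""
    dex = make_fake_dex()
    hidden = zlib.compress(bytes(b ^ 0x5A for b in dex))
    noise = random.Random(7).randbytes(8192)
    heat = entropy_heatmap(noise[:4096] + hidden + noise[4096:])
    return {"high_entropy_blocks": sum(e > 7.0 for _, e in heat),
            "layers": decompress_cascade(hidden)[1],
            "recovered": recover_dex(hidden) == dex}
```

The header check matters more than the magic: `dex\n035\0` appears in string tables and in stub code, so a scan on magic alone floods the output with false hits, while `header_size == 0x70` and the endian tag cut those out cheaply. The entropy heatmap only localises candidate regions; it cannot tell a compressed payload from an encrypted one, which is why the recovery chain tries decompression before XOR recovery.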
### Dynamic Engine
| Feature | Description |
|---------|-------------|
| **Anti-Anti-Frida** | Hooks `open`, `read`, `strstr`, `access`, `fopen`, `connect` to hide Frida |
| **Memory DEX Scanner** | Scans all readable memory regions for DEX magic bytes |
| **ART Constructor Hook** | Intercepts `DexFile::OpenMemory` for early-stage capture |
| **InMemoryDexClassLoader** | Java-level hook for fileless DEX loading |
| **Periodic Rescan** | Catches late-decrypted DEX with configurable rescan intervals |
| **Session Recovery** | Auto-retry on transport errors with crash reports |
### Malware Scorer
| Category | Examples | Weight Range |
|----------|----------|-------------|
| **Exfiltration** | SmsManager, sendTextMessage, ContentResolver | 4.0–9.0 |
| **Surveillance** | Camera, AudioRecord, AccessibilityService, LocationManager | 4.0–9.0 |
| **Code Execution** | Runtime.exec, ProcessBuilder, DexClassLoader | 6.0–10.0 |
| **Persistence** | RECEIVE_BOOT_COMPLETED, DeviceAdminReceiver | 3.0–10.0 |
| **Network/C2** | Socket, WebSocket, DatagramSocket | 3.0–6.0 |
| **Evasion** | isDebuggerConnected, Build properties | 2.0–7.0 |
## 🧩 Extending JiaguSentinel
### Adding a new Frida payload
1. Create a `.js` file in `payloads/`
2. Use `send({type: "dex_scan", results: [...]})` to report findings
3. The payload will automatically appear in the GUI dropdown and CLI
```
// payloads/my_custom_hook.js
'use strict';
Java.perform(function() {
    // Your custom hooks here
    send({type: "dex_scan", results: [], total: 0});
});
```
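As an added example of the host side of that `dex_scan` contract (this is not the project's `dynamic_engine.py`): a collector whose `on_message` has the signature Frida calls for script messages, validates the payload shape, and keeps only dumps that carry a plausible DEX header, deduplicating the same DEX when a periodic rescan resends it. The per-result keys `address` and `size`, and passing the dumped bytes as the binary `data` argument of `send()`, are choices made here rather than the project's schema.

```python
# Added example, not the project's dynamic_engine.py: a host-side collector for
# the send({type: "dex_scan", results: [...]}) contract. The per-result keys
# `address`/`size` and carrying the dump as send()'s binary `data` argument are
# assumptions made here.
import hashlib
import struct
from pathlib import Path
from typing import Any, Dict, List, Optional

DEX_HEADER_SIZE = 0x70

def validate_dex_blob(blob: bytes) -> bool:
    """Keep only dumps with a plausible DEX header: magic, header_size, endian_tag."""
    if len(blob) < DEX_HEADER_SIZE or blob[:4] != b"dex\n" or blob[7] != 0:
        return False
    header_size, endian_tag = struct.unpack_from("<II", blob, 0x24)
    return header_size == DEX_HEADER_SIZE and endian_tag == 0x12345678

class DexScanCollector:
    """Wire with script.on("message", collector.on_message) after create_script()."""

    def __init__(self, out_dir: Optional[Path] = None) -> None:
        self.out_dir = out_dir              # None keeps dumps in memory only
        self.findings: List[Dict[str, Any]] = []
        self.dumps: Dict[str, bytes] = {}   # file name -> DEX bytes, deduplicated by sha256
        self.errors: List[str] = []

    def on_message(self, message: Dict[str, Any], data: Optional[bytes]) -> None:
        # Frida wraps send() payloads as {"type": "send", "payload": ...};
        # uncaught script exceptions arrive as {"type": "error", "description": ...}.
        if message.get("type") == "error":
            self.errors.append(str(message.get("description", "script error")))
            return
        payload = message.get("payload")
        if not isinstance(payload, dict) or payload.get("type") != "dex_scan":
            return  # logs, progress and other message kinds are not handled here
        results = payload.get("results")
        if not isinstance(results, list) or payload.get("total", len(results)) != len(results):
            self.errors.append("malformed dex_scan payload")
            return
        for entry in results:
            self.findings.append({"address": entry.get("address"), "size": entry.get("size")})
        if data is not None:
            self.keep(data)

    def keep(self, blob: bytes) -> Optional[str]:
        """Validate, deduplicate (rescans resend the same DEX) and optionally write to disk."""
        if not validate_dex_blob(blob):
            self.errors.append(f"dropped {len(blob)}-byte blob without a valid DEX header")
            return None
        name = hashlib.sha256(blob).hexdigest()[:16] + ".dex"
        if name in self.dumps:
            return None
        self.dumps[name] = blob
        if self.out_dir is not None:
            self.out_dir.mkdir(parents=True, exist_ok=True)
            (self.out_dir / name).write_bytes(blob)
        return name

# Constructed sample: a minimal header with valid fields over a 32-byte zero body.
FAKE_DEX = (b"dex\n035\0" + bytes(0x18) + struct.pack("<III", 0x90, DEX_HEADER_SIZE, 0x12345678)
            + bytes(DEX_HEADER_SIZE - 0x2C) + bytes(0x20))

def demo() -> DexScanCollector:
    """Replay the message sequence a payload would produce, including a rescan and a bad dump."""
    c = DexScanCollector()
    scan = {"type": "send", "payload": {"type": "dex_scan", "total": 1,
                                        "results": [{"address": "0x7f00000000", "size": len(FAKE_DEX)}]}}
    c.on_message(scan, FAKE_DEX)
    c.on_message(scan, FAKE_DEX)                          # periodic rescan: same DEX again
    c.on_message({"type": "send", "payload": {"type": "log", "msg": "ignored"}}, None)
    c.on_message(scan, b"not a dex at all")               # a dump without a DEX header is dropped
    c.on_message({"type": "error", "description": "TypeError in hook"}, None)
    return c
```

Validating on the host rather than in the agent keeps the payload small and means a broken or hostile hook cannot fill the output directory with garbage; naming dumps by content hash is what makes the periodic rescan idempotent.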
### Adding an analysis module
Create a new module in `analytics/` following the `MalwareScorer` pattern:
```
# analytics/my_analyzer.py
class MyAnalyzer:
    def analyze(self, dex_path: str) -> dict:
        # Your analysis logic
        return {"findings": [...]}
```
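An added example, not the project's `malware_scorer.py`, serving both the scorer table in the Engine Deep Dive and the module pattern above: an analytics module with the same `analyze(dex_path) -> dict` interface that extracts printable strings from a DEX and scores them against the six indicator categories. The concrete descriptors, the weights (picked inside the README's published ranges) and the saturation constant that maps the raw weight sum onto 0–100 are choices made here.

```python
# Added example, not the project's malware_scorer.py: an analytics module in the
# MalwareScorer shape, scoring string-table indicators from the README's categories.
# The descriptors, the weights (chosen inside the README's ranges) and SATURATION
# are assumptions made here.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

INDICATORS: Dict[str, List[Tuple[str, float]]] = {
    "exfiltration": [("Landroid/telephony/SmsManager;", 8.0), ("sendTextMessage", 9.0),
                     ("Landroid/content/ContentResolver;", 4.0)],
    "surveillance": [("Landroid/hardware/Camera;", 6.0), ("Landroid/media/AudioRecord;", 7.0),
                     ("AccessibilityService", 9.0), ("Landroid/location/LocationManager;", 4.0)],
    "code_execution": [("Ljava/lang/Runtime;", 6.0), ("Ljava/lang/ProcessBuilder;", 8.0),
                       ("Ldalvik/system/DexClassLoader;", 10.0)],
    "persistence": [("RECEIVE_BOOT_COMPLETED", 5.0), ("DeviceAdminReceiver", 10.0)],
    "network_c2": [("Ljava/net/Socket;", 4.0), ("WebSocket", 5.0), ("Ljava/net/DatagramSocket;", 6.0)],
    "evasion": [("isDebuggerConnected", 7.0), ("Landroid/os/Build;", 2.0)],
}
SATURATION = 40.0  # raw weight sum that maps to a score of 100 (assumption)

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs, the heuristic `strings` uses; enough to reach DEX string tables."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

class StringIndicatorScorer:
    """Same interface as MalwareScorer: analyze(dex_path) -> dict with a 0-100 score."""

    def analyze_bytes(self, data: bytes) -> dict:
        strings = extract_strings(data)
        findings: Dict[str, List[dict]] = defaultdict(list)
        raw = 0.0
        for category, patterns in INDICATORS.items():
            for needle, weight in patterns:
                if any(needle in s for s in strings):  # each indicator counts once
                    findings[category].append({"indicator": needle, "weight": weight})
                    raw += weight
        score = min(100.0, round(raw * 100 / SATURATION, 1))
        return {"score": score, "raw_weight": raw, "findings": dict(findings)}

    def analyze(self, dex_path: str) -> dict:
        with open(dex_path, "rb") as fh:
            return self.analyze_bytes(fh.read())

# Constructed sample standing in for a DEX string table (no real app bytecode).
SAMPLE = (b"dex\n035\0" + bytes(16)
          + b"Landroid/telephony/SmsManager;\0sendTextMessage\0"
          + b"Ljava/lang/Runtime;\0exec\0\xff\xfe"
          + b"Ljava/net/Socket;\0isDebuggerConnected\0")
```

Counting each indicator once keeps a single heavily used API from dominating the score, and the saturation constant is what turns an open-ended weight sum into the 0–100 scale the reports use. For a real DEX the string extraction should be replaced by walking the `string_ids` table, since obfuscators split and encode strings that a plain printable-run scan will miss.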
### Adding YARA rules
Drop `.yar` files into a `rules/` directory — the static engine loads them automatically.
## 📄 Report Output
Reports are generated in both **JSON** (machine-readable) and **Markdown** (human-readable) formats:
- **JSON**: Full structured data for integration with SIEM/SOAR platforms
- **Markdown**: Formatted report with entropy heatmaps, threat score tables, and network indicators
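An added example of the two output forms, not the project's `report_gen.py`: one scorer result rendered as strict, key-sorted JSON for machine ingestion and as Markdown with a threat-score header, an indicator table and a text entropy heatmap. The report dictionary layout (`sample`, `score`, `findings`, `heatmap`) is an assumption made here, not the project's schema.

```python
# Added example, not the project's report_gen.py: JSON and Markdown rendering of
# one analysis result. The report dict layout is an assumption made here.
import json
from typing import Any, Dict, List

def render_json(report: Dict[str, Any]) -> str:
    """Sorted keys for stable diffs; allow_nan=False so strict JSON parsers never choke."""
    return json.dumps(report, indent=2, sort_keys=True, allow_nan=False)

def parse_json_report(text: str) -> Dict[str, Any]:
    return json.loads(text)

def entropy_bar(value: float, width: int = 16) -> str:
    """Text heatmap cell: a full bar means 8.0 bits per byte."""
    filled = max(0, min(width, round(value / 8.0 * width)))
    return "#" * filled + "." * (width - filled)

def render_markdown(report: Dict[str, Any]) -> str:
    lines: List[str] = [f"# Forensic report: {report['sample']}", "",
                        f"**Threat score:** {report['score']}/100", ""]
    lines += ["## Indicators", "", "| Category | Indicator | Weight |", "|---|---|---|"]
    for category, items in sorted(report.get("findings", {}).items()):
        for item in items:
            lines.append(f"| {category} | `{item['indicator']}` | {item['weight']} |")
    lines += ["", "## Entropy heatmap", "", "| Offset | Entropy | |", "|---|---|---|"]
    for off, ent in report.get("heatmap", []):
        lines.append(f"| {off:#x} | {ent:.2f} | `{entropy_bar(ent)}` |")
    return "\n".join(lines) + "\n"

# Constructed sample report; the values are made up for the demo.
SAMPLE_REPORT = {
    "sample": "suspicious.apk",
    "score": 85.0,
    "findings": {"exfiltration": [{"indicator": "sendTextMessage", "weight": 9.0}],
                 "network_c2": [{"indicator": "Ljava/net/Socket;", "weight": 4.0}]},
    "heatmap": [[0, 7.96], [4096, 7.91], [8192, 0.0]],
}
```

Keeping the JSON as the source of truth and deriving the Markdown from it means a SIEM sees exactly the data a human reviewed; the heatmap is stored as offset/entropy pairs so a consumer can re-plot it rather than parse a rendered bar.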
## ⚠️ Legal Disclaimer
## 📜 License
This project is licensed under the **MIT License**. See [LICENSE](LICENSE) for details.
## 🤝 Contributing
Contributions are welcome! Areas where help is needed:
- [ ] New YARA rules for emerging packer variants
- [ ] Custom Frida payloads for specific protection schemes
- [ ] Additional analytics modules (network traffic analysis, APK diff)
- [ ] Multi-language support for the GUI
- [ ] Unit tests and CI/CD pipeline
Please open an issue or PR on GitHub.
**Built for the security research community.**
*If JiaguSentinel helped your research, consider starring the repo ⭐*