mandiant
diff --git a/‎CHANGELOG.md‎
Lines changed: 67 additions & 10 deletions b/‎CHANGELOG.md‎
Lines changed: 67 additions & 10 deletions
diff --git a/‎scripts/frida/.gitignore‎
Lines changed: 2 additions & 6 deletions b/‎scripts/frida/.gitignore‎
Lines changed: 2 additions & 6 deletions
diff --git a/‎scripts/frida/README.md‎
Lines changed: 36 additions & 157 deletions b/‎scripts/frida/README.md‎
Lines changed: 36 additions & 157 deletions
@@ -3,10 +3,72 @@
 ## master (unreleased)
 
 ### New Features
+- add Frida dynamic analysis support for Android applications #2712 @xukunzh
+- add FridaExtractor for processing Android runtime behavioral data
+- add automated Android analysis workflow with emulator creation and script generation
+- ci: add support for arm64 binary releases
 
 ### Breaking Changes
 
-### New Rules (21)
+### New Rules (13)
+
+- anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows [email protected]
+- nursery/create-executable-heap [email protected]
+- anti-analysis/packer/dxpack/packed-with-dxpack [email protected]
+- anti-analysis/anti-av/patch-bitdefender-hooking-dll-function [email protected]
+- nursery/acquire-load-driver-privileges [email protected]
+- nursery/communicate-using-ftp [email protected]
+- linking/static/eclipse-paho-mqtt-c/linked-against-eclipse-paho-mqtt-c [email protected]
+- linking/static/qmqtt/linked-against-qmqtt [email protected]
+- anti-analysis/anti-forensic/disable-powershell-transcription [email protected]
+- host-interaction/powershell/bypass-powershell-constrained-language-mode-via-getsystemlockdownpolicy-patch [email protected]
+- linking/static/grpc/linked-against-grpc [email protected]
+- linking/static/hp-socket/linked-against-hp-socket [email protected]
+-
+
+### Bug Fixes
+
+### capa Explorer Web
+
+### capa Explorer IDA Pro plugin
+
+### Development
+
+- ci: remove redundant "test_run" action from build workflow @mike-hunhoff #2692
+
+### Raw diffs
+- [capa v9.2.1...master](https://github.com/mandiant/capa/compare/v9.2.1...master)
+- [capa-rules v9.2.1...master](https://github.com/mandiant/capa-rules/compare/v9.2.1...master)
+
+## v9.2.1
+
+This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
+
+### Bug Fixes
+
+- ci: exclude pkg_resources from PyInstaller build @mike-hunhoff #2684
+- ci: downgrade Ubuntu version to accommodate older glibc versions @mike-hunhoff #2684
+
+### Development
+
+- ci: upgrade Windows version to avoid deprecation @mike-hunhoff #2684
+- ci: check if build runs without warnings or errors @mike-hunhoff #2684
+
+### Raw diffs
+- [capa v9.2.0...v9.2.1](https://github.com/mandiant/capa/compare/v9.2.0...v9.2.1)
+- [capa-rules v9.2.0...v9.2.1](https://github.com/mandiant/capa-rules/compare/v9.2.0...v9.2.1)
+
+## v9.2.0
+
+This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
+It also includes an updated rule pack containing new rules and rule fixes.
+
+### New Features
+- vmray: do not restrict analysis to PE and ELF files, e.g. docx @mike-hunhoff #2672
+
+### Breaking Changes
+
+### New Rules (22)
 
 - communication/socket/connect-socket [email protected] [email protected] [email protected]
 - communication/socket/udp/connect-udp-socket [email protected]
@@ -28,22 +90,17 @@
 - exploitation/gadgets/load-ntoskrnl [email protected]
 - exploitation/gadgets/resolve-ntoskrnl-gadgets [email protected]
 - exploitation/spraying/make-suspicious-ntfscontrolfile-call [email protected]
--
+- anti-analysis/anti-forensic/unload-sysmon JakePeralta7
 
 ### Bug Fixes
 - cape: make some fields optional @williballenthin #2631 #2632
 - lint: add WARN for regex features that contain unescaped dot #2635
 - lint: add ERROR for incomplete registry control set regex #2643
-
-### capa Explorer Web
-
-### capa Explorer IDA Pro plugin
-
-### Development
+- binja: update unit test core version #2670
 
 ### Raw diffs
-- [capa v9.1.0...master](https://github.com/mandiant/capa/compare/v9.1.0...master)
-- [capa-rules v9.1.0...master](https://github.com/mandiant/capa-rules/compare/v9.1.0...master)
+- [capa v9.1.0...v9.2.0](https://github.com/mandiant/capa/compare/v9.1.0...v9.2.0)
+- [capa-rules v9.1.0...v9.2.0](https://github.com/mandiant/capa-rules/compare/v9.1.0...v9.2.0)
 
 ## v9.1.0
 
 
@@ -1,13 +1,9 @@
 agent/
-node_modules/
-package-lock.json
 
+frida_outputs/
+frida_scripts/
 test_rules/*.yml
 frida_apis/*.json
-frida_outputs/*.jsonl
-frida_scripts/*.js
-frida_scripts/*.ts
-.temp/
 
 # Sample
 !frida_apis/frida_apis.json
 
@@ -1,185 +1,64 @@
-# Frida Dynamic Analysis
+# Frida Analysis for capa
+This tool uses Frida to monitor Android applications and generates behavioral JSONL data that capa can analyze to identify program capabilities.
 
-This guide shows how to generate Frida hooks and analyze Android app API calls with capa.
+Frida enables dynamic analysis by watching what API calls an Android app makes when it runs. This tool instruments Android apps with Frida, recording hooked API call information. The recorded data is formatted as JSONL for capa to analyze using its capability detection rules.
 
 ## Prerequisites
 
-### 1. Download Android Studio
-Download from: https://developer.android.com/studio
+**Android Development Environment**
 
-**Required SDK components for auto-emulator creation** 
-(install via Settings → Languages & Frameworks → Android SDK → SDK Tools):
-- Android SDK Command-line Tools
-- Android Emulator  
-- Android SDK Platform-Tools
+Download Android Studio from [Android Studio Website](https://developer.android.com/studio).
 
-**Default SDK locations:**
+Install these SDK components in Android Studio → Settings → Languages & Frameworks → Android SDK → SDK Tools: 
+`Android SDK Command-line Tools`, `Android Emulator`, `Android SDK Platform-Tools`, and `Android SDK Build-Tools`.
+
+Default SDK locations:
 - macOS: `~/Library/Android/sdk`
 - Linux: `~/Android/Sdk`
 - Windows: `~\AppData\Local\Android\Sdk`
 
-### 2. Install Dependencies
-```bash
-# jinja2 pydantic could be added to requirements.txt later
-
-# Python packages
-pip install frida==17.2.15 frida-tools jinja2 pydantic
-pip install capa[frida]
-
-# Node.js (for frida-compile)
-brew install node  # macOS
-# sudo apt install nodejs npm  # Linux
-# Download from nodejs.org for Windows
-```
+**Analysis Tool**
 
-### (Optional) Create emulator and start frida-server
-We can auto-create an rooted emulator with frida-server for you.
-But you can manully setup your own emualtor/device.
-For more details, see our [manual setup guide](setup.md) and
-[Frida Server + Rooted Emulator](https://docs.google.com/document/d/1WpPRcdtnPYdOn4n7Wl3aghbZUv2wmefiuaf2WDIR5Pw/edit?tab=t.0#heading=h.sqgvzr4xgg42)
+Download capa from [capa repo](https://github.com/mandiant/capa) to analyze the behavioral data output.
 
-## Usage
-### Automated Analysis (Recommended)
+**Dependencies**
 
 ```bash
-# Complete pipeline - creates emulator if needed
-# To start the AVDs auto-created, open your Android Studio
-# Tools → Device Manager → find 'frida-emulator' and start it"
+# Python dependencies needed
+pip install frida==17.2.15 frida-tools jinja2
 
-python main.py --package com.scottyab.rootbeer.sample 
-
-# python apk_meta_extractor.py --package com.app --apk /path/to/app.apk --apis frida_apis.json --script frida_monitor.ts --output api_calls.jsonl
-# Options:
-# --package: Android package name (required)
-# --apk: Local APK file path (optional, will use ADB to get from device if not provided) 
-# --apis: JSON filename containing APIs (default: frida_apis.json)
-# --script: Output script filename (default: frida_monitor.ts)  
-# --output: JSONL output filename in emulator that you wanna create after monitoring (default: api_calls.jsonl)
+# Install Node.js npm for frida-compile
+# macOS: `brew install node`
+# Linux: `sudo apt install nodejs npm`
+# Windows: Download from [nodejs.org](https://nodejs.org)
 ```
 
-### Manual Steps (if you want)
-
-### Step 0: Device Preparation
-```bash
-# Create output directory with full permissions
-adb shell su -c "mkdir -p /data/local/tmp/frida_outputs"
-adb shell su -c "chmod -R 777 /data/local/tmp/frida_outputs"
+## Quick start
 
-# Disable SELinux enforcement (resets on reboot)
-adb shell su -c "setenforce 0"
+The tool creates an Android emulator automatically if you don't have one connected.
 
-# Start Frida server on device
-adb shell su -c "/data/local/tmp/frida-server &"
-```
+```bash
+# Scenario 1: Analyze app already on device
+python main.py --package com.example.app
 
-### Step 1: Generate Frida Monitoring Script
+# Scenario 2: Install APK and analyze
+python main.py --apk /path/to/app.apk
 
-```bash
-# Navigate to the frida dir
-cd scripts/frida/
-
-# Extract APK metadata and hashes from apk getting via adb in device
-python apk_meta_extractor.py --package com.app
-# Options:
-# python apk_meta_extractor.py --package com.app --apk /path/to/app.apk
-# --package: Android package name (required)
-# --apk: Local APK file path (optional, will use ADB to get from device if not provided) 
-
-# Generate monitoring script
-python hook_builder.py
-# Options:
-# python hook_builder.py --apis frida_apis.json --script frida_monitor.ts --output api_calls.jsonl
+# Additional customized options:
 # --apis: JSON filename containing APIs (default: frida_apis.json)
 # --script: Output script filename (default: frida_monitor.ts)  
-# --output: JSONL output filename in emulator that you wanna create after monitoring (default: api_calls.jsonl)
-```
-### Step 2(Optional): JavaScript bundle via frida-compile
-The generated TypeScript script could be compiled with frida-compile:
-automation part contain this, because Frida 17.x bridge...
-```bash
-mkdir -p agent
-cd agent
-frida-create -t agent
-npm install
-npm install frida-java-bridge
-cd ..
-
-# Prepare script for compilation (for example Java bridge import), add this to script: 
-import Java from "frida-java-bridge"; 
-
-# Compile TypeScript to JavaScript bundle
-frida-compile path_to_your_script -o agent/compiled_bundle.js
+# --output: JSONL output filename on device (default: api_calls.jsonl)
 ```
 
-### Step 3: Run Dynamic Analysis
-
-```bash
-# Launch Rootbeer app with Frida monitoring
-# With frida-compile step, use compiled bundle:
-frida -U -f com.scottyab.rootbeer.sample -l agent/compiled_bundle.js
-
-# Otherwise, use:
-frida -U -f com.scottyab.rootbeer.sample -l frida_scripts/frida_monitor.ts
-
-# For other apps, use their package name:
-# frida -U -f com.example.app -l frida_scripts/frida_monitor.ts
-
-# Let the app run and perform the behaviors you want to analyze
-# Type `exit` and Press `Ctrl+C` to stop monitoring
-```
-
-**Notes:**
-- File Permission Conflicts
-Root Cause: Android apps create files with their UID ownership. App A cannot overwrite files created by App B.
-- Solution 1: Delete this file before next analysis
-- Solution 2: Change to a new filename for {jsonl_filename} in frida_monitor.ts, you can directly use --output command line:
-var filePath = "/data/local/tmp/frida_outputs/{{jsonl_filename}}";
-
-### Step 4: Retrieve Analysis Data
-
-```bash
-# (Check if file exits)
-adb shell su -c "ls -la /data/local/tmp/frida_outputs/"
-
-adb root
-# Using adb pull
-adb pull /data/local/tmp/frida_outputs/api_calls.jsonl ./frida_outputs/api_calls.jsonl
-```
-
-## Analyze with capa
-```bash
-# Navigate back to capa root directory
-cd ../../
-
-# Activate your capa environment
-source ~/capa-env/bin/activate 
-
-# Using your custom Frida rules (for development/testing)
-python capa/main.py -r scripts/frida/test_rules/ -d scripts/frida/frida_outputs/api_calls.jsonl
-
-# Using this after integrated
-capa api_calls.jsonl
-```
-
-### Folder Components
-- **main.py**: Complete automation pipeline
-
-**Directories:**
-- **/frida_apis/*.json**: Contains API JSON files
-- **/frida_templates/**: Jinja2 templates for script generation
-- **/frida_scripts/*.ts**: Generated executable scripts (output)
-- **/agent/**: frida-compile environment and compiled bundles
-- **/frida_outputs/*.jsonl**: outputs that need capa to anlaysis
-
-
-!!!
-Put these here for now
+Press Ctrl+D to stop Frida monitoring, results are saved to `frida_outputs/` folder. Then you can run capa on the output files to analyze capabilities.
 
-- **Rooted Android emulator with Frida server running**  
-[Frida Server + Rooted Emulator](https://docs.google.com/document/d/1WpPRcdtnPYdOn4n7Wl3aghbZUv2wmefiuaf2WDIR5Pw/edit?tab=t.0#heading=h.sqgvzr4xgg42)
+**What the automation does:**
+Creates an configed emulator
+Extracts APK metadata and hashes
+Generates monitoring script from API specifications
+Executes Frida analysis with compiled script
+Retrieves results for capa
 
-- **Python virtual environment with capa installed**  
-[capa install page](https://github.com/mandiant/capa/blob/master/doc/installation.md)
+## Manual Workflow (if you want)
 
-- **Target app installed on emulator**  
-Example: RootBeer sample app from Google Play Store, or build from [Rootbeer Github](https://github.com/scottyab/rootbeer?tab=readme-ov-file) (Rootbeer GitHub version is newer)
+For users who prefer step-by-step control, see [Manual Steps Guide](manual_steps.md).