{"id":13844954,"url":"https://github.com/aress31/sci","last_synced_at":"2025-03-22T16:30:54.999Z","repository":{"id":74506030,"uuid":"59829323","full_name":"aress31/sci","owner":"aress31","description":"Framework designed to automate the process of assembly code injection (trojanising) within Android applications.","archived":false,"fork":false,"pushed_at":"2022-10-15T23:28:36.000Z","size":39051,"stargazers_count":40,"open_issues_count":1,"forks_count":13,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-18T13:32:17.768Z","etag":null,"topics":["android","assembly","code-injection","framework","malware","mobile-security","pentesting","python","reverse-engineering","smali","spyware","trojan"],"latest_commit_sha":null,"homepage":"","language":"Smali","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aress31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"aress31","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2016-05-27T11:20:16.000Z","updated_at":"2024-12-29T08:21:40.000Z","dependencies_parsed_at":"2023-06-15T21:00:42.801Z","dependency_job_id":null,"html_url":"https://github.com/aress31/sci","commit_stats":{"total_commits":39,"total_committers":2,"mean_commits":19.5,"dds":"0.10256410256410253","last_synced_commit":"f747f31c5487e425990e96564ced8a72baca63c5"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fsci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fsci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fsci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fsci/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aress31","download_url":"https://codeload.github.com/aress31/sci/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244986362,"owners_count":20543002,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","assembly","code-injection","framework","malware","mobile-security","pentesting","python","reverse-engineering","smali","spyware","trojan"],"created_at":"2024-08-04T17:03:04.108Z","updated_at":"2025-03-22T16:30:54.972Z","avatar_url":"https://github.com/aress31.png","language":"Smali","funding_links":["https://github.com/sponsors/aress31"],"categories":["Smali (7)","Smali"],"sub_categories":[],"readme":"# Smali Code Injector (SCI)\n\n[![Language](https://img.shields.io/badge/Lang-Java-blue.svg)](https://java.com)\n[![Language](https://img.shields.io/badge/Lang-PHP-blue.svg)](https://www.php.net)\n[![Language](https://img.shields.io/badge/Lang-Python-blue.svg)](https://www.python.org)\n![Language](https://img.shields.io/badge/Lang-Smali-blue.svg)\n[![License](https://img.shields.io/badge/License-Apache%202.0-red.svg)](https://opensource.org/licenses/Apache-2.0)\n\n## Automate assembly code (`smali`) injection within `Android` applications.\n\nThe initial ambition of this project was to automate stack trace injections within `Android` applications in order to facilitate my master thesis work. Being able to log and display applications' runtime method calls along with their returned value greatly helps in reverse engineering complex applications by providing an insight into their logic and workflow.\n\nThen, new features and payloads were progressively added in an attempt to create a framework fully capable of injecting any type of assembly code. Users familiar with `Android` development can easily implement compatible payloads. SCI is in charge of automating low level operation such as registers allocation, dependancie, type, etc.\n\n_Tampering `Android` applications has never been that easy!_\n\nFurther information about `Android` reverse engineering can be found at:\n\n- http://www.n00blinuxhacker.com/android-pentesting-reverse-engineering-android-app.html\n\n### Automation for a simpler world...\n\nCode injections are performed at the assembly level (`smali` files) making the differenciation process between legit and modified applications complicated and time consuming - it would require considerable forensic work such as network, permissions, signature and code analysis -.\n\nA high level overview of the steps involved during code injection is:\n\n1. Disassembling the application.\n2. Collecting relevant information about the application.\n   - Classes name.\n   - Methods name.\n   - Registers number and type.\n   - etc.\n3. Editing the AndroidManifest.xml to add permissions, services and broadcastReceivers (depending on the payload requirements).\n4. Injecting and tweaking up the selected payload within the targeted method(s). Some `Android` libraries are also injected in order to defeat obfuscation.\n5. Reassembling and signing the app with a valid self-signed certificate.\n\n## Usage\n\n- To list the available options:\n\n  ```bash\n  python3 sci.py -h\n\n  -a APP, --app APP  \tAndroid application to trojanize\n\n  positional arguments:\n      search          search command - identifies the main activity\n      payload         payload command\n  ```\n\n- To list `search` options:\n\n  ```bash\n  python3 sci.py -a APP search -h\n\n  -a APP, --app APP   Android application to trojanize\n  ```\n\n- To list `payload` options:\n\n  ```bash\n  python3 sci.py -a APP payload -h\n\n  -a APP, --app APP   Android application to trojanize\n  -d DESTINATION, --dest DESTINATION\n                      the destination file or directoy for injection\n  -k KEYWORDS, --keywords KEYWORDS\n                      keywords (separated by ',') for injection filtering\n\n  positional arguments:\n      logger          logger command\n      spyware         spyware command\n  ```\n\n  - To list `logger` options:\n\n    ```bash\n    python3 sci.py -a APP [-d DESTINATION] [-k KEYWORDS] logger -h\n\n    -a APP, --app APP   Android application to trojanize\n    -d DESTINATION, --dest DESTINATION\n                        the destination file or directoy for injection\n    -k KEYWORDS, --keywords KEYWORDS\n                        keywords (separated by ',') for injection filtering\n    ```\n\n    Launch the `Android` debugger `adb` using the following command to view application's runtime method calls:\n\n    ```bash\n    adb logcat | grep \"::trace\"\n    ```\n\n  - To list `spyware` options:\n\n    ```bash\n    python3 sci.py -a APP payload [-d DESTINATION] [-k KEYWORDS] spyware -h\n\n    -a APP, --app APP   Android application to trojanize\n    -d DESTINATION, --dest DESTINATION\n                        the destination file or directoy for injection\n    -k KEYWORDS, --keywords KEYWORDS\n                        keywords (separated by ',') for injection filtering\n    -ppg PROPAGATE, --propagate PROPAGATE\n                        spoofed SMS to send for the malware propagation\n    -rh RHOST, --rhost RHOST\n                        attacker's host/ip for stolen data transmission, e.g.\n                        http://192.168.0.24/handler.php\n    ```\n\n    \u003e [!IMPORTANT] \n    \u003e For optimal results, inject `Spyware` on the `onCreate()` method of the application main activity.\n\n    Server-side scripts used to insert and store the stolen data sent into an attacker-controlled `MySQL` database are available under [scripts](https://github.com/aress31/sci/tree/master/scripts).\n\n    To enable `spyware` debugging mode set `DEV_MODE` to `true` in [payloads\\smali\\spyware](https://github.com/aress31/sci/blob/master/payloads/smali/spyware/Spyware.smali) at line 7. Then launch the `Android` debugger `adb` using the following command:\n\n    ```bash\n    adb logcat | grep \"::trace\"\n    ```\n\n## Roadmap\n\n- [ ] Implement new payloads (e.g. `reverse shell`).\n- [ ] Source code optimisation.\n\n## Project Information\n\nThis framework was developed in the context of my [master thesis work](https://www.slideshare.net/AlexandreTeyar/security-in-mobile-banking-apps-154409860) in July 2015 and rewritten in 2017.\n\n## Sponsor 💖\n\nIf you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕\n\nIt is easy, all you got to do is press the `Sponsor` button at the top of this page or alternatively [click this link](https://github.com/sponsors/aress31). 💸\n\n## Reporting Issues\n\nFound a bug? I would love to squash it! 🐛\n\nPlease report all issues on the GitHub [issues tracker](https://github.com/aress31/sci/issues).\n\n## Contributing\n\nYou would like to contribute to better this project? 🤩\n\nPlease submit all `PRs` on the GitHub [pull requests tracker](https://github.com/aress31/sci/pulls).\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fsci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faress31%2Fsci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fsci/lists"}