Repository record: https://github.com/Ch0pin/medusa ("Binary instrumentation framework based on FRIDA"). Language: Python. License: GPL-3.0. 1842 stars, 263 forks, 489 commits from 26 committers, last pushed 2025-04-02. Homepage: https://github.com/Ch0pin/medusa/wiki. Topics: android, android-malware, dynamic-analysis, frida, frida-scripts, frida-snippets, malware, medusa, penetration-testing, pentest.

<img src="https://raw.githubusercontent.com/Ch0pin/medusa/master/libraries/logo.svg" width ="1835" height="508">

# Description

**MEDUSA** is an extensible and modularized framework that automates processes and techniques practiced during the **dynamic analysis of Android and iOS applications**.

# Installation

1. Clone this repo
2. Navigate to Medusa's directory
3. Run the following command:

```
$ pip install -r requirements.txt
```

# Using Stheno (Σθενώ) with Medusa

[Stheno](https://github.com/Ch0pin/stheno) is a subproject of Medusa, specifically designed for intent monitoring within this framework. Below is a quick guide on how to set up and use Stheno effectively.

<p align="center">
  <img src="https://github.com/Ch0pin/stheno/assets/4659186/fd49c39e-865b-4dc3-b2d1-59a0f4594028" alt="monitor" width="400"/>
</p>

1. **Include the Intent Module**:
   Add the `intents/start_activity` module to your Medusa project:
   ```bash
   medusa> add intents/start_activity
   ```

2. **Run the Socket Server**:
   Start the Medusa socket server, which Stheno connects to:
   ```bash
   medusa> startserver
   ```

3. **Launch Stheno**:
   Open Stheno and navigate to the Intent Monitor menu, then click on **Start** to begin monitoring intents.

## Known issues

### macOS Installation

During installation on macOS, you might encounter the following issue:

> Readline features including tab completion have been disabled because
> no supported version of readline was found. To resolve this, install
> pyreadline3 on Windows or gnureadline on Linux/Mac.

To resolve this issue on macOS, install the gnureadline package for Python:

```
pip install gnureadline
```

For Python 3.12, use the following command to install gnureadline from a specific commit:

```
pip install git+https://github.com/ludwigschwardt/python-gnureadline.git@8474e5583d4473f96b42745393c3492e2cb49224
```

## Using docker

You can find the Dockerfile in the medusa/ directory.

1. Build with

```
$ docker build -t medusa:tag1 ./
```
2. Run with

```
$ docker run --name medusa --net=host --rm -it medusa:tag1
```
3. Run adbd in TCP/IP mode on your physical device or emulator

```
$ adb tcpip 5555
```
4. Connect from the container to your device using:

```
root@docker# adb connect device_ip:5555
```

Note that `adb tcpip` makes adbd listen on port 5555 on every network interface of the device, so do this only on a network you trust, and run `adb usb` when you are done to switch adbd back to USB.

**System requirements:**

- Linux or macOS (currently Medusa doesn't support Windows)
- Python 3 (use the latest Python release and not the one shipped with macOS, to avoid issues caused by libedit being used instead of GNU readline)
- Rooted device or emulator
- adb
- FRIDA server (running on the mobile device)

# Usage

### Check our [wiki page](https://github.com/Ch0pin/medusa/wiki) for usage details.

**Demos:**

- [MEDUSA | Android Penetration tool](https://www.youtube.com/watch?v=4hpjRuNJNDw) (credits [@ByteTheories](https://www.youtube.com/@ByteTheories))
- [MEDUSA | Android Malware Analysis 101](https://www.youtube.com/watch?v=kUqucdkVtSU) (credits [@ByteTheories](https://www.youtube.com/@ByteTheories))
- [Unpacking Android malware with Medusa](https://www.youtube.com/watch?v=D2-jREzCE9k) (credits [@cryptax](https://twitter.com/cryptax))
- [Unpacking Android APKs with Medusa](https://www.youtube.com/watch?v=ffM5R2Wfl0A) (credits [@LaurieWired](https://twitter.com/LaurieWired))
- [#Medusa - Extensible binary instrumentation framework based on #FRIDA for Android applications](https://www.youtube.com/watch?v=Hon7zETJawA) (credits [@AndroidAppSec](https://www.youtube.com/@AndroidAppSec))
- [Memory inspection with Medusa](https://www.youtube.com/watch?v=odt21wiUugQ)
- [Bypassing root detection](https://twitter.com/ch0pin/status/1381216805683924994)

Medusa consists of two main scripts: **medusa.py** and **mango.py**:

## Using medusa.py

The main idea behind MEDUSA is to be able to add or remove hooks for Java or native methods at scale while keeping the process simple and effective. MEDUSA has **more than 90** modules which can be combined, each one of them dedicated to a set of tasks. Indicatively, some of these tasks include:

-  SSL pinning bypass
-  UI restriction bypass (e.g. FLAG_SECURE, re-enabling disabled buttons)
-  Class enumeration
-  Monitoring of:
   -  Encryption process (keys, IVs, data to be encrypted)
   -  Intents
   -  HTTP communications
   -  WebSockets
   -  WebView events
   -  File operations
   -  Database interactions
   -  Bluetooth operations
   -  Clipboard
-  Monitoring of API calls used by malware applications, such as:
   -  Spyware
   -  Click Fraud
   -  Toll Fraud
   -  SMS Fraud

Furthermore, you can intercept Java or native methods that belong to 3rd party apps or create complex Frida modules with just a few simple commands.

## Using mango.py

Mango is Medusa's twin brother which can be used to:

- Parse and analyse the Android manifest
- Enumerate an application's attack entry points (exported activities, deep links, services etc.)
- Keep track of all your analysed applications
- Automate boring processes like:
  - Setting up a MITM
  - Patching
  - Wrapping adb commands
  - Setting/viewing/resetting the device's proxy configuration

...and many many more

# Updates:

### (12/2022) Using the translator script:
1. Replace the default google_trans_new.py of your google_trans_new Python package with the one from utils/google_trans_new.py
2. Import it with `medusa>use helpers/translator`

# Contribute by:

- Making a pull request
- Creating a Medusa module (see [how to](https://github.com/Ch0pin/medusa/wiki/Medusa#creating-a-medusa-module))
- Reporting an error/issue
- Suggesting an improvement
- Making this project more popular by sharing it or giving a star
- Buying a treat:

**Bitcoin (BTC) Address**: bc1qhun6a7chkav6mn8fqz3924mr8m3v0wq4r7jchz

**Ethereum (ETH) Address**: 0x0951D1DD2C9F57a9401BfE7D972D0D5A65e71dA4

# Screenshots

#### - SSL Unpinning

![ssl unpinning](https://user-images.githubusercontent.com/4659186/151658672-dc80f37c-f4fb-48b8-a355-1dc0bf2b172c.png)

#### - Intent Monitoring

![Intent monitoring](https://user-images.githubusercontent.com/4659186/225246566-ad1e7de0-0c74-4da9-ae01-ba3fec9661a0.png)

#### - Webview Monitoring

![Webview monitoring](https://user-images.githubusercontent.com/4659186/225247047-f25fde47-671f-4e94-99d6-54996678e770.png)

#### - File/Content provider monitoring

![File and content providers](https://user-images.githubusercontent.com/4659186/225247734-69a58b7a-1318-4f7c-a877-6c95cdf8b07d.png)

#### - Native Libraries Enumeration

![Native libraries enumeration](https://user-images.githubusercontent.com/4659186/151658663-6c77f2e3-6f42-4424-b593-d8cfe3d3bed3.png)

#### - Memory READ/WRITE/SEARCH (interactive mode):

![Memory read/write/search](https://user-images.githubusercontent.com/4659186/151658659-b4f83296-60ec-4818-a303-5645284b0a67.png)

#### - Personal information exfiltration monitoring

> Hooks API calls found to be common for this kind of malware, including:
> - Contact exfiltration
> - Call log exfiltration
> - Camera usage
> - Microphone usage
> - Location tracking
> - File uploading
> - Media recording
> - Clipboard tracking
> - Device recon
> - Screenshot capture

<img src="https://user-images.githubusercontent.com/4659186/87245281-1c4b4c00-c43c-11ea-9cad-195ceb42794a.png" width="450" height="460">

#### - Translation

> Translates the application's UI by hooking 'setText' calls

<img src="https://user-images.githubusercontent.com/4659186/86785673-e59bbd00-c05a-11ea-8fb0-9c3f86043104.png" width="250" height="450">                             <img src="https://user-images.githubusercontent.com/4659186/86785688-e9c7da80-c05a-11ea-838f-e4c7568c7c2a.png" width="250" height="450">

<img src="https://user-images.githubusercontent.com/4659186/86785693-eb919e00-c05a-11ea-901e-8cc180d6274a.png" width="550" height="250">

**CREDITS**:

- Special Credits to [@rscloura](https://github.com/rscloura) for his contributions
- Logo Credits: https://www.linkedin.com/in/rafael-c-ferreira
- https://github.com/frida/frida
- https://github.com/dpnishant/appmon
- https://github.com/brompwnie/uitkyk
- https://github.com/hluwa/FRIDA-DEXDump.git
- https://github.com/shivsahni/APKEnum
- https://github.com/0xdea/frida-scripts
- https://github.com/Areizen/JNI-Frida-Hook
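The "Using mango.py" section above lists manifest parsing and enumeration of attack entry points (exported activities, deep links, services) as Mango's job. The following is an added, stand-alone example of that enumeration written for this page; it is not Mango's or Medusa's own code and makes no use of their APIs. It applies the platform's export rule (an explicit `android:exported` wins; otherwise an activity, service or receiver is exported only if it declares an `<intent-filter>`; a provider is exported by default only when both minSdkVersion and targetSdkVersion are below 17; from targetSdkVersion 31 an unset `android:exported` on a component with an intent filter is an install-time error, so it is flagged), and it expands BROWSABLE deep links the way Android matches them, as the cross product of all schemes, hosts and paths declared across the `<data>` elements of one filter. The manifest, package name and component names in `SAMPLE_MANIFEST` are constructed for the example.

```python
"""Enumerate exported components and deep links from a decoded AndroidManifest.xml.

Added example for this page, not part of Medusa/Mango. Expects the manifest as
text (e.g. the output of apktool or aapt2 dump), not the binary AXML form.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, min_sdk, target_sdk):
    """Return (exported, needs_explicit_exported) per the platform's default rules."""
    explicit = _attr(component, "exported")
    has_filter = component.find("intent-filter") is not None
    if explicit is not None:
        return explicit.lower() == "true", False
    if component.tag == "provider":
        # Providers default to exported only on pre-17 min AND target SDK.
        return max(min_sdk, target_sdk) < 17, False
    # Activities/services/receivers: implicitly exported by an intent filter.
    # Targeting 31+ with a filter but no android:exported fails to install.
    return has_filter, has_filter and target_sdk >= 31


def deep_links(component):
    """Expand BROWSABLE intent filters into scheme://host[:port]path patterns."""
    links = []
    for f in component.findall("intent-filter"):
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.category.BROWSABLE" not in cats:
            continue
        schemes, hosts, paths = [], [], []
        for d in f.findall("data"):
            s, h, port = _attr(d, "scheme"), _attr(d, "host"), _attr(d, "port")
            p = _attr(d, "path") or _attr(d, "pathPrefix") or _attr(d, "pathPattern")
            if s and s not in schemes:
                schemes.append(s)
            if h:
                h = f"{h}:{port}" if port else h
                if h not in hosts:
                    hosts.append(h)
            if p and p not in paths:
                paths.append(p)
        # Android matches any scheme x any host x any path declared in the filter.
        for s in schemes or ["*"]:
            for h in hosts or [""]:
                for p in paths or [""]:
                    links.append(f"{s}://{h}{p}")
    return links


def enumerate_entry_points(manifest_xml):
    """Return a list of dicts describing every externally reachable component."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package") or ""
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(_attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    app = root.find("application")
    results = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name") or ""
        if name.startswith("."):          # shorthand relative to the package
            name = pkg + name
        exported, needs_explicit = is_exported(comp, min_sdk, target_sdk)
        if not exported:
            continue
        results.append({
            "type": comp.tag,
            "name": name,
            "permission": _attr(comp, "permission"),   # None means unguarded
            "deep_links": deep_links(comp),
            "exported_implicitly": _attr(comp, "exported") is None,
            "needs_explicit_exported": needs_explicit,
        })
    return results


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com" android:pathPrefix="/open"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.target.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.target.data"/>
    <provider android:name=".SharedProvider" android:authorities="com.example.target.shared"
              android:exported="false" android:grantUriPermissions="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for entry in enumerate_entry_points(SAMPLE_MANIFEST):
        guard = entry["permission"] or "no permission"
        print(f"{entry['type']:<9} {entry['name']}  [{guard}]"
              f"{'  (implicitly exported)' if entry['exported_implicitly'] else ''}")
        for link in entry["deep_links"]:
            print(f"          deep link: {link}")
```

Two things the output makes visible that a plain grep for `exported="true"` misses: `MainActivity` and `BootReceiver` are reachable although they never say so, and the second `<data>` element of `DeepLinkActivity` combines with the first one's host and path, so `target://example.com/open` is a valid entry as well as `https://example.com/open`.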