Sandroid - Dexray Intercept Documentation


Welcome to the documentation for Sandroid - Dexray Intercept, a comprehensive Frida-based Android malware analysis tool designed to create runtime profiles that track application behavior in real time.

Warning

This tool is designed for defensive security analysis only. The samples directory contains actual malware. Use with extreme caution in isolated environments.

What is Dexray Intercept?

Dexray Intercept is part of the dynamic analysis sandbox Sandroid. It uses Frida dynamic instrumentation to:

  • Monitor Android app behavior in real time during execution

  • Intercept and log cryptographic operations, network traffic, file system access, and IPC communications

  • Bypass common anti-analysis techniques including root, Frida, debugger, and emulator detection

  • Generate comprehensive JSON profiles for further analysis and threat intelligence

  • Support custom hooks for specialized analysis requirements

Key Features

🔍 Comprehensive Monitoring
  • Cryptographic operations (AES, encodings, keystore)

  • Network communications (HTTP/HTTPS, WebSockets, sockets)

  • File system and database operations

  • Inter-process communication (intents, broadcasts, binder)

  • System services (location, camera, telephony, clipboard)

  • DEX unpacking and native library loading

🛡️ Anti-Analysis Bypass
  • Root detection bypass

  • Frida detection bypass

  • Debugger detection bypass

  • Emulator detection bypass

  • Hook framework detection bypass

🔧 Advanced Capabilities
  • TLS key extraction via integrated friTap

  • Custom Frida script loading

  • Selective hook configuration for performance

  • Real-time terminal output with structured JSON logging

  • Stack trace analysis for call origin tracking

📊 Output Formats
  • Structured JSON profiles with metadata

  • Real-time terminal logging

  • Integration with threat intelligence platforms

Quick Start

# Install the package
pip install -e .

# Basic usage - attach to running app
dexray-intercept com.example.app

# Spawn app with crypto and network hooks
dexray-intercept -s --hooks-crypto --hooks-network com.example.app

# Comprehensive analysis with bypass hooks
dexray-intercept -s --hooks-all --hooks-bypass com.example.app

# Custom analysis with TLS extraction
dexray-intercept -s --enable-fritap --custom-script ./my_hooks.js com.example.app

Architecture Overview

Dexray Intercept uses a dual-language architecture:

Python Frontend
  • CLI interface and argument parsing

  • Frida session management and device connection

  • Event processing and JSON profile generation

  • Result analysis and output formatting

TypeScript/JavaScript Backend
  • Frida hooks written in TypeScript

  • Compiled to JavaScript using frida-compile

  • Real-time instrumentation of Android applications

  • Structured message passing to Python frontend
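The exchange the two halves perform, shown as an added illustration rather than Dexray Intercept's own code: a JavaScript hook reports what it sees with Frida's send(), and the Python side folds those messages into a profile and keeps script errors alongside the events. The {category, event, data} payload shape, the function names and the sample messages are assumptions made for this example.

```python
# Added example (not Dexray Intercept's own code): a JS hook sends structured events and the
# Python frontend folds them into a JSON profile. The {category, event, data} wire format is assumed.
HOOK_JS = r"""
// Assumed backend hook: report javax.crypto.Cipher.getInstance() calls as structured events.
Java.perform(function () {
  Java.use('javax.crypto.Cipher').getInstance.overload('java.lang.String').implementation = function (t) {
    send({category: 'crypto', event: 'Cipher.getInstance', data: {transformation: t}});
    return this.getInstance(t);
  };
});
"""

def new_profile(package):
    # Metadata block plus events grouped by hook category (crypto, network, ...).
    return {"metadata": {"package": package, "errors": []}, "events": {}}

def on_message(profile, message, data=None):
    """Frida message callback: keep 'send' payloads as events, record script errors, drop the rest."""
    kind, payload = message.get("type"), message.get("payload")
    if kind == "error":
        profile["metadata"]["errors"].append(message.get("description", "unknown error"))
    elif kind == "send" and isinstance(payload, dict) and "category" in payload:
        profile["events"].setdefault(payload["category"], []).append(
            {"event": payload.get("event"), "data": payload.get("data", {})})
    elif kind == "send":  # a hook sent something that is not a structured event
        profile["metadata"]["errors"].append("malformed payload: %r" % (payload,))

def build_profile(package, messages):
    # Fold a sequence of raw Frida messages into a finished profile dict.
    profile = new_profile(package)
    for m in messages:
        on_message(profile, m)
    return profile

def run_live(package, hook_js=HOOK_JS):
    """Spawn the app over USB and stream hook events into a profile (needs frida and a rooted device)."""
    import frida  # imported here so the offline functions above work without it
    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    profile = new_profile(package)
    script = session.create_script(hook_js)
    script.on("message", lambda msg, data: on_message(profile, msg, data))
    script.load()
    device.resume(pid)
    return session, profile

# Constructed sample messages, shaped like the dicts frida hands to the callback.
SAMPLE_MESSAGES = [
    {"type": "send", "payload": {"category": "crypto", "event": "Cipher.getInstance", "data": {"transformation": "AES/CBC/PKCS5Padding"}}},
    {"type": "send", "payload": {"category": "network", "event": "URL.openConnection", "data": {"url": "http://example.invalid/"}}},
    {"type": "error", "description": "TypeError: x is undefined", "stack": "..."},
    {"type": "send", "payload": "not a dict"},
]
```

Calling build_profile("com.example.app", SAMPLE_MESSAGES) yields two event categories and two recorded errors; run_live() performs the same processing against a live device.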

Requirements

Runtime Requirements:
  • Python 3.6 or higher

  • Node.js (for TypeScript compilation)

  • Rooted Android device or emulator

  • frida-tools installed

Development Requirements:
  • TypeScript compiler

  • frida-compile for hook compilation

  • @types/frida-gum for TypeScript definitions

Contributing

Contributions are welcome! Please read our development guide for information on:

  • Creating new hooks

  • Adding parsers for new event types

  • Extending the CLI interface

  • Writing tests and documentation

License

This project is licensed under the MIT License. See the LICENSE file for details.

Support

For issues, questions, or contributions:

  • GitHub Issues: Report bugs and request features

  • Documentation: This comprehensive guide

  • Code Examples: See the user guide and API reference
