A modular, dual-engine framework for unpacking 360 Jiagu-protected Android applications and performing deep malware forensics.
360 Jiagu (加固) is one of China's most widely deployed commercial Android packers, used by over 100,000 applications. While its legitimate purpose is to protect intellectual property, it is heavily abused by malware authors to evade static detection by antivirus engines.
The problem:
- Packed apps render traditional static analysis useless: the real DEX bytecode is encrypted inside native `.so` libraries
- The unpacking stub uses anti-debugging, anti-Frida, and integrity checks to prevent runtime extraction
- Security researchers need reliable tools to recover the original DEX for malware analysis
JiaguSentinel's approach:
- Static Engine: Entropy-based payload detection + byte-pattern matching + multi-layer decompression to extract DEX without execution
- Dynamic Engine: Frida-based memory dumping with advanced anti-detection bypass to capture decrypted DEX at runtime
- Analytics Engine: Automated threat scoring of extracted payloads for C2, exfiltration, and persistence indicators
```
JiaguSentinel/
├── main.py                 # Intelligent CLI/GUI router
├── core/
│   ├── static_engine.py    # Entropy analysis, LIEF, YARA, XOR brute-force
│   ├── dynamic_engine.py   # Frida injection, anti-anti-Frida, memory scanning
│   └── adb_manager.py      # Self-healing ADB, arch detection, Frida deployment
├── analytics/
│   ├── malware_scorer.py   # 40+ suspicious API patterns, threat scoring (0-100)
│   └── report_gen.py       # JSON + Markdown forensic reports
├── ui/
│   ├── gui_main.py         # CustomTkinter dark-mode tabbed UI
│   └── cli_main.py         # Rich + Click professional CLI
├── payloads/
│   └── dex_dump.js         # Enhanced Frida agent with ART hooks
├── rules/                  # Custom YARA rules (optional)
├── requirements.txt
└── README.md
```
Requirements:
- Python 3.10+
- Android device with root access (for dynamic engine)
- ADB installed and on PATH
- `frida-server` matching your device architecture
Installation:

```bash
git clone https://github.com/yourrepo/JiaguSentinel.git
cd JiaguSentinel
pip install -r requirements.txt
```

Launch (`main.py` routes to the GUI or the CLI):

```bash
python main.py
```

CLI usage:

```bash
# Static analysis
python main.py --cli scan path/to/suspicious.apk

# Dynamic dump (requires rooted device + frida-server)
python main.py --cli dump com.suspicious.app

# Malware scoring on extracted DEX
python main.py --cli analyze unpacked_output/extracted.dex

# Generate forensic report
python main.py --cli report path/to/suspicious.apk -f both

# Device info
python main.py --cli device

# List available Frida payloads
python main.py --cli payloads

# JSON output for CI/CD
python main.py --cli --json-output scan suspicious.apk
```

Static engine features:

| Feature | Description |
|---|---|
| DEX Signature Scan | Multi-version magic bytes (v035–v041) with header validation |
| Entropy Heatmap | Block-level Shannon entropy to pinpoint encrypted regions |
| LIEF ELF Analysis | Section entropy, symbol table, relocation scanning of libjiagu*.so |
| Multi-Layer Decompress | zlib → gzip → LZMA cascade on high-entropy blobs |
| XOR Brute-Force | Single-byte key recovery for XOR-encrypted payloads |
| YARA Matching | Custom rule scanning for packer and malware signatures |
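The static-engine techniques in the table, worked through end to end on a constructed sample. This is an added example written for this README, not JiaguSentinel's own `static_engine.py`: the entropy threshold (7.0 bits per 1 KiB block), carving a high-entropy region to the end of the buffer, the accepted zlib header pairs and the sample blob itself (a gzip-compressed DEX wrapped in zlib, XOR-encrypted with 0x5A and padded with zeros) are choices made here, and the fake DEX is not a loadable image.

```python
"""Static-engine style recovery of a DEX hidden in a packed native blob: block
entropy map, v035..v041 magic scan with header validation, zlib/gzip/xz cascade
and single-byte XOR key recovery. Added example for this README (not the
project's static_engine.py); all inputs are constructed in memory."""
import gzip, lzma, math, random, struct, zlib
from collections import Counter

DEX_MAGICS = {b"dex\n%03d\0" % v for v in range(35, 42)}   # dex\n035\0 .. dex\n041\0
DEX_HEADER_SIZE, DEX_ENDIAN_TAG = 0x70, 0x12345678
# Container magic -> one-shot stream decoder. Decompressor objects stop at the end
# of their stream, so bytes carved past the real payload are ignored, not fatal.
CONTAINERS = {
    b"\x1f\x8b": lambda b: zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(b),
    b"\xfd7zXZ\x00": lambda b: lzma.LZMADecompressor().decompress(b),
    **{bytes([0x78, flg]): (lambda b: zlib.decompressobj().decompress(b))
       for flg in (0x01, 0x5E, 0x9C, 0xDA)},                 # common zlib CMF/FLG pairs
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    n = len(block) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_regions(data: bytes, block_size: int = 1024, threshold: float = 7.0) -> list:
    """Block-level entropy map, merged into (start, end) ranges above the threshold."""
    regions = []
    for start in range(0, len(data), block_size):
        end = min(start + block_size, len(data))
        if shannon_entropy(data[start:end]) < threshold:
            continue
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return regions

def valid_dex_header(buf: bytes) -> bool:
    """Magic alone is not enough: header_size, endian_tag and file_size must be sane."""
    if len(buf) < DEX_HEADER_SIZE or buf[:8] not in DEX_MAGICS:
        return False
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, 0x20)
    return header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_TAG \
        and DEX_HEADER_SIZE < file_size <= len(buf)

def find_dex(buf: bytes) -> list:
    """Offsets of every DEX magic whose header validates."""
    return sorted(pos for magic in DEX_MAGICS for pos in range(len(buf))
                  if buf.startswith(magic, pos) and valid_dex_header(buf[pos:]))

def carve_dex(buf: bytes, off: int) -> bytes:
    """Exactly file_size bytes (header field at +0x20) from a validated offset."""
    return buf[off:off + struct.unpack_from("<I", buf, off + 0x20)[0]]

def container_decoder(head: bytes):
    return next((dec for magic, dec in CONTAINERS.items() if head.startswith(magic)), None)

def decompress_cascade(blob: bytes, max_layers: int = 4) -> bytes:
    """Peel zlib/gzip/xz layers until the head is no longer a known container."""
    for _ in range(max_layers):
        dec = container_decoder(blob[:8])
        if dec is None:
            break
        try:
            blob = dec(blob)
        except (zlib.error, lzma.LZMAError):
            break
    return blob

def xor_bruteforce(blob: bytes):
    """Single-byte key recovery: a key is accepted only if the de-XORed head turns
    into a DEX or a known container; only then is the whole buffer decoded."""
    for key in range(256):
        head = bytes(b ^ key for b in blob[:8])
        if head in DEX_MAGICS or container_decoder(head) is not None:
            return key, bytes(b ^ key for b in blob)
    return None

def scan_blob(data: bytes) -> list:
    """Plain DEX scan first; otherwise carve each high-entropy region to the end of
    the buffer (its end is only block-rounded) and run XOR recovery + cascade."""
    found = [{"offset": off, "method": "plain", "dex": carve_dex(data, off)} for off in find_dex(data)]
    for start, _end in (high_entropy_regions(data) if not found else []):
        hit = xor_bruteforce(data[start:])
        if hit is None:
            continue
        key, unpacked = hit[0], decompress_cascade(hit[1])
        found += [{"offset": start, "method": f"xor:0x{key:02x}+decompress", "dex": carve_dex(unpacked, off)}
                  for off in find_dex(unpacked)]
    return found

def make_fake_dex(body_size: int, seed: int = 7) -> bytes:
    """Constructed stand-in for classes.dex (valid fixed header fields, pseudo-random
    checksum/signature and body); not a loadable image."""
    rng, header = random.Random(seed), bytearray(DEX_HEADER_SIZE)
    header[:8], header[8:32] = b"dex\n035\0", rng.randbytes(24)
    struct.pack_into("<III", header, 0x20, DEX_HEADER_SIZE + body_size, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    return bytes(header) + rng.randbytes(body_size)

def demo() -> list:
    """Constructed blob: zero padding (an ELF's empty sections), then the DEX
    gzip-compressed, zlib-wrapped and XORed with 0x5A, then more padding."""
    packed = bytes(b ^ 0x5A for b in zlib.compress(gzip.compress(make_fake_dex(6000))))
    return scan_blob(b"\x00" * 2048 + packed + b"\x00" * 1024)
```

`demo()` returns one hit at offset 2048 recovered with method `xor:0x5a+decompress`, and the carved image equals the fake DEX byte for byte. The key test looks only at the first eight bytes of a region, which keeps the 256 candidates cheap but assumes the payload starts where the high-entropy run does; a production scanner slides that test across the region, and the header validation is what stops a stray `dex\n` string in a resource blob from being reported as a hit.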

Dynamic engine features:

| Feature | Description |
|---|---|
| Anti-Anti-Frida | Hooks open, read, strstr, access, fopen, connect to hide Frida |
| Memory DEX Scanner | Scans all readable memory regions for DEX magic bytes |
| ART Constructor Hook | Intercepts DexFile::OpenMemory for early-stage capture |
| InMemoryDexClassLoader | Java-level hook for fileless DEX loading |
| Periodic Rescan | Catches late-decrypted DEX with configurable rescan intervals |
| Session Recovery | Auto-retry on transport errors with crash reports |

Malware scoring categories (analytics engine):

| Category | Examples | Weight Range |
|---|---|---|
| Exfiltration | SmsManager, sendTextMessage, ContentResolver | 4.0–9.0 |
| Surveillance | Camera, AudioRecord, AccessibilityService, LocationManager | 4.0–9.0 |
| Code Execution | Runtime.exec, ProcessBuilder, DexClassLoader | 6.0–10.0 |
| Persistence | RECEIVE_BOOT_COMPLETED, DeviceAdminReceiver | 3.0–10.0 |
| Network/C2 | Socket, WebSocket, DatagramSocket | 3.0–6.0 |
| Evasion | isDebuggerConnected, Build properties | 2.0–7.0 |
Adding a custom Frida payload:
- Create a `.js` file in `payloads/`
- Use `send({type: "dex_scan", results: [...]})` to report findings
- The payload will automatically appear in the GUI dropdown and CLI
```javascript
// payloads/my_custom_hook.js
'use strict';
Java.perform(function() {
    // Your custom hooks here
    send({type: "dex_scan", results: [], total: 0});
});
```

Create a new module in `analytics/` following the `MalwareScorer` pattern:

```python
# analytics/my_analyzer.py
class MyAnalyzer:
    def analyze(self, dex_path: str) -> dict:
        # Your analysis logic
        return {"findings": [...]}
```

Drop `.yar` files into a `rules/` directory; the static engine loads them automatically.
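A complete analytics module in the `MalwareScorer` shape, covering both the scoring categories in the table above and the `analyze(dex_path) -> dict` contract just described. It is an added example, not the project's `malware_scorer.py`: it walks the DEX string table (`string_ids` to `string_data_item`) rather than grepping raw bytes, and the descriptor-form patterns, their weights, the 0-100 clipping and the low/medium/high thresholds are choices made for this example.

```python
"""Analytics module in the README's MalwareScorer shape: analyze(dex_path) -> dict.
Reads the DEX string table, matches entries against weighted API patterns grouped
by the README's categories, and clips the total to a 0-100 score. Added example
for this README, not the project's malware_scorer.py; the patterns, weights,
aggregation and verdict thresholds are this example's own choices."""
import struct
from pathlib import Path

DEX_MAGICS = {b"dex\n%03d\0" % v for v in range(35, 42)}
DEX_HEADER_SIZE = 0x70

# (needle, weight) in the descriptor form these names take inside a DEX string table.
SUSPICIOUS_APIS = {
    "Exfiltration": [("Landroid/telephony/SmsManager;", 6.0), ("sendTextMessage", 9.0),
                     ("Landroid/content/ContentResolver;", 4.0)],
    "Surveillance": [("Landroid/hardware/Camera;", 4.0), ("Landroid/media/AudioRecord;", 7.0),
                     ("Landroid/accessibilityservice/AccessibilityService;", 9.0),
                     ("Landroid/location/LocationManager;", 5.0)],
    "Code Execution": [("Ljava/lang/Runtime;", 6.0), ("Ljava/lang/ProcessBuilder;", 8.0),
                       ("Ldalvik/system/DexClassLoader;", 10.0)],
    "Persistence": [("RECEIVE_BOOT_COMPLETED", 3.0), ("android.intent.action.BOOT_COMPLETED", 3.0),
                    ("Landroid/app/admin/DeviceAdminReceiver;", 10.0)],
    "Network/C2": [("Ljava/net/Socket;", 3.0), ("WebSocket", 4.0), ("Ljava/net/DatagramSocket;", 6.0)],
    "Evasion": [("isDebuggerConnected", 7.0), ("Landroid/os/Build;", 2.0)],
}

def read_uleb128(buf: bytes, off: int) -> tuple[int, int]:
    """Decode one ULEB128 value; returns (value, offset just past it)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex: bytes) -> list[str]:
    """Every string_data_item, via string_ids_size/off at header +0x38. ASCII is the
    same in MUTF-8 and UTF-8; the utf16_size prefix is skipped because the data
    is NUL-terminated."""
    if dex[:8] not in DEX_MAGICS:
        raise ValueError("not a DEX image")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        data_off, = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out

def score_dex(dex: bytes) -> dict:
    """Weighted substring match over the string table; each pattern counts once."""
    strings = dex_strings(dex)
    findings, categories = [], {}
    for category, patterns in SUSPICIOUS_APIS.items():
        for needle, weight in patterns:
            witness = next((s for s in strings if needle in s), None)
            if witness is None:
                continue
            findings.append({"category": category, "pattern": needle, "weight": weight, "string": witness})
            categories[category] = categories.get(category, 0.0) + weight
    score = min(100.0, sum(categories.values()))
    verdict = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return {"score": score, "verdict": verdict, "categories": categories,
            "findings": findings, "string_count": len(strings)}

class ApiPatternAnalyzer:
    """Drop-in for analytics/: same analyze(dex_path) -> dict contract as MalwareScorer."""

    def analyze(self, dex_path: str) -> dict:
        return score_dex(Path(dex_path).read_bytes())

def uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def build_dex(strings: list[str], version: int = 35) -> bytes:
    """Constructed minimal DEX: header, string_ids and string_data only (every other
    section empty, so ART would not load it; enough to exercise the parser)."""
    ids_off = DEX_HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = b"dex\n%03d\0" % version
    struct.pack_into("<III", header, 0x20, data_off + len(data), DEX_HEADER_SIZE, 0x12345678)
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)

def demo() -> dict:
    """Constructed image whose string table mixes benign names with APIs from four
    of the categories above (a 200-char entry exercises multi-byte ULEB128)."""
    return score_dex(build_dex([
        "Lcom/example/Main;", "onCreate", "Ljava/lang/Runtime;", "exec",
        "Landroid/telephony/SmsManager;", "sendTextMessage",
        "Ldalvik/system/DexClassLoader;", "Landroid/app/admin/DeviceAdminReceiver;",
        "isDebuggerConnected", "A" * 200,
    ]))
```

`demo()` scores 48.0 (`medium`): Code Execution 16, Exfiltration 15, Persistence 10, Evasion 7. Reading the string table instead of grepping the raw file keeps a DEX from scoring on bytes that merely happen to contain an API name inside compressed or encrypted data, and it is also where a real module would go on to resolve `method_ids` so that `Runtime` only counts when `exec` is actually invoked on it.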
Reports are generated in both JSON (machine-readable) and Markdown (human-readable) formats:
- JSON: Full structured data for integration with SIEM/SOAR platforms
- Markdown: Formatted report with entropy heatmaps, threat score tables, and network indicators
JiaguSentinel Pro is developed for authorized security research, malware analysis, and educational purposes ONLY.
Do NOT use this tool to bypass protections on applications you do not own or have explicit authorization to analyze. The authors assume no liability for misuse.
Always comply with applicable laws, regulations, and terms of service.
This project is licensed under the MIT License. See LICENSE for details.
Contributions are welcome! Areas where help is needed:
- New YARA rules for emerging packer variants
- Custom Frida payloads for specific protection schemes
- Additional analytics modules (network traffic analysis, APK diff)
- Multi-language support for the GUI
- Unit tests and CI/CD pipeline
Please open an issue or PR on GitHub.
Built for the security research community.
If JiaguSentinel helped your research, consider starring the repo.