Cross-Platform Android Remote Administration Tool | Official maintained repository for the AhMyth R.A.T Project | A dedicated revival of the original repository at https://GitHub.com/AhMyth/AhMyth-Android-RAT
This release is a revision of v1.0-beta.5, which contained breaking bugs. These bugs have since been fixed, and a few other new updates were added too. This uses the same update information as the v1.0-beta.5 release, with the only changes to the info being where the bugs have been fixed.
See the Changelog below for more Update Information on this release.
On Boot & On Launch checkbox names in the UI when binding is enabled, to Boot Method & Activity Method.
"$appCtrl.copyPermissions" function to "$appCtrl.modifyManifest" and completely rewrote the function to utilise the "xml2js" library when copying over permissions. It also now handles the injection of the payload service and receiver for the Activity and Boot methods for binding. This contains a lot more useful features than the legacy "$appCtrl.copyPermissions" function. Click the dropdown tab below to see what the rewrite of this function does.
"$appCtrl.copyPermissions".
data and callback.
CONSTANTS.permissions.
selectedPermissions to store selected permissions.
selectedPermissions array.
selectedPermissions to default permissions array.
selectedPermissions to default permissions array.
data to a string if it's not already a string.
xml2js.parseString.
callback with an error message.
manifest object from the parsed XML result.
manifestObj.application.receiver is an array and convert it to an array if necessary.
manifestObj.application.service is an array and convert it to an array if necessary.
Set called existingPermissions to store existing permissions.
existingPermissions set.
existingPermissions set.
selectedPermissions array to exclude duplicates and existing permissions.
selectedPermissions.
manifestObj.application.receiver and manifestObj.application.service arrays.
xml2js.Builder and modified manifest object.
</application> tag.
</manifest> tag with a new closing tag without extra newline.
callback with null (no error) and the final modified XML as the result.
"GetLauncherActivity" function utilised by the "$appCtrl.BindOnLauncher" function to make use of the "xml2js" library to help in finding a suitable main class file for hooking from the manifest file data. This aids in solving binding problems for Issue #315 when using the On Launch method for binding. Click the dropdown tab below for a step by step explanation of what the rewrite for this function does:
1. It attempts to extract the <application> tag from the manifest object by accessing manifest['manifest']['application'][0]. This assumes that the manifest object has a structure where manifest contains a manifest property, which contains an application property that is an array (hence the [0] index).
2. It then checks if the extracted application object exists and if it has an android:name attribute (application['$']['android:name']). The android:name attribute typically specifies the fully qualified class name of the main application class in the AndroidManifest.xml file.
3. If the android:name attribute exists and the class name doesn't start with "android.app", it performs some manipulation on the class name. It splits the class name by the dot (.) separator and takes the last part (i.e., the class name without the package). If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main application class for hooking and returns the manipulated class name appended with the ".smali" extension.
4. If the previous step doesn't find the main application class, the function proceeds to search for the launcher activity. It looks for an activity object within the application object that contains an intent filter with the action "android.intent.action.MAIN" and category "android.intent.category.LAUNCHER" or "android.intent.category.DEFAULT".
5. It iterates over the activity objects in the manifest using the Array.prototype.find() method and checks if any of them have an intent filter that matches the launcher conditions mentioned in the previous step. If it finds a matching activity, it retrieves the android:name attribute of that activity.
6. Similar to step 3, if the retrieved activity class name doesn't start with "android.app", it performs the same manipulation to get the class name without the package. If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main launcher activity class for hooking and returns the manipulated class name with the ".smali" extension.
7. If no launcher activity is found in the activities, the function checks for activity aliases (activity-alias objects) that have the same intent filter conditions as in step 4.
8. It iterates over the activity-alias objects in the manifest and checks if any of them have an intent filter that matches the launcher conditions. If it finds a matching activity alias, it retrieves the android:targetActivity attribute, which specifies the target activity of the alias.
9. The target activity name is then manipulated in the same way as before (without the package and without a leading dot), logged as a message indicating that it has scoped the main launcher activity class in an alias for hooking, and returned with the .smali extension.
10. If none of the above conditions match (no main application class, no launcher activity, and no launcher activity alias), the function returns -1 to indicate that the launcher activity couldn't be found.
"autoinstall" file used for installing AhMyth from source on Linux so it correctly installs the needed dependencies. If they're already installed then the script will do nothing. The "autoinstall" file for Linux has also been renamed from "autoinstall" to "autoinstall_linux". The file has also been upgraded to correctly install AhMyth and its needed dependencies for Debian & APT based Linux distros as well as Arch Linux & pacman based Linux distros.
"install.bat" file for installing electron v11 for AhMyth on Windows to "autoinstall_win.bat"
"start_linux" script for Linux users that starts AhMyth correctly based on the user's privilege level (i.e. root | non-root)
"start.bat" file for starting AhMyth on Windows, to start and then minimize, so that the command prompt can start AhMyth in the background. The file has also been renamed from "start.bat" to "start_win.bat"
"xml2js" library.
"GetLauncherPath" function utilized by the "$appCtrl.BindOnLauncher" function to use readdirp, a cross platform recursive version of nodeJS's fs.readdir(). This allows AhMyth to recursively search an entire APK for a hookable class file when using the On Launch method for binding regardless of the platform it's running on! This function takes its namesake from the original "GetLauncherActivity" function. This rewrite completely eliminates the need for installing external dependencies to run the Binding Features such as PowerShell for Windows, and findutils for macOS & Linux.
$appCtrl.CopyAhmythFilesAndGenerateApk to $appCtrl.copyAhmythFilesAndGenerateApk.
$appCtrl.BindOnLauncher & $appCtrl.BindOnBoot functions and instances to $appCtrl.bindOnActivity & $appCtrl.bindOnBoot.
GetLauncherActivity to getLauncherActivity.
GetLauncherPath to getLauncherPath.
WriteErrorLog to writeErrorLog.
[!] WARNING: Deprecation message for 32bit users stating that AhMyth will cease support for Operating Systems running 32bit architecture as soon as Apktool reaches v3.0.0. The function also greets 64bit users with a green [★] Welcome to AhMyth message.
$appCtrl.generateApk function so that certain functions for building standalone APK payload files don't interfere when the user is binding with an original APK. Functions that did this included the following:
The checkbox code in the generateApk function which is used for selecting and applying certain permissions for Standalone Payloads. This has now been updated to apply permissions for Standalone Payloads only. The updated function also makes use of async/await to make sure everything runs smoothly and in order instead of like buggy shit lol.
The checkbox code in the modifyManifest function which is used when binding to modify an original APK manifest.
Permissions for Bound and Standalone payloads are both taken care of separately now and will no longer interfere with other functions, which fixes further performance bottlenecks.
"$appCtrl.createPayloadDirectory" function which is now called inside the "$appCtrl.CopyAhmythFilesAndGenerateApk(apkFolder)" function, which is called when using either the Activity or Boot methods for binding. This helps in solving "Unsigned Short Value Out of Range" errors with Apktool when binding with original applications and also further aids in solving the binding problems with Issue #315. Click the drop down tab below for a step-by-step explanation of what the new function does.
Reads the contents of the target APK folder, then filters and sorts the directories, excluding specific ones.
Determines what the last smali directory in the sorted list is. If the last directory is titled smali, then it creates a new directory named smali_classes2. However, if the last directory is not titled smali, the function extracts the number from the name of the last smali_classesX directory (where "X" is the number that's being extracted), then increments the extracted number by 1 to get a new number, which is then used to create a new directory named smali_classesX (where "X" is the new number).
Copies the payload files from the AhMyth payload's smali directory over to the newly created payload directory in the original APK.
Removes specific subdirectories from the newly created directory to help bypass the 64k Dalvik method limit when building.
Then finally calls the generateApk function to build and sign the payload APK.
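From the defender's side, the changes this changelog describes (added permissions, an injected service and receiver, a new highest-numbered smali_classesX directory) show up when an Apktool-decoded suspect APK is diffed against the original build. The following is an added example, not AhMyth code: all package, class and directory names are constructed, and treating a new receiver for the standard BOOT_COMPLETED broadcast as the boot signal is an assumption the page does not state.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"  # assumed boot trigger
NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample data: hypothetical package, class and directory names.
ORIGINAL_XML = f"""<manifest {NS_DECL} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name=".NotesApp">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""
SUSPECT_XML = f"""<manifest {NS_DECL} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:name=".NotesApp">
    <service android:name=".SyncService"/>
    <service android:name="com.example.injected.BackgroundService"/>
    <receiver android:name="com.example.injected.BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
ORIGINAL_DIRS = ["assets", "original", "res", "smali", "smali_classes2"]
SUSPECT_DIRS = ORIGINAL_DIRS + ["smali_classes3"]


def manifest_inventory(xml_text):
    """Collect permissions, services and receivers from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")

    def qualify(name):
        # Expand manifest shorthand (".Foo" or "Foo") to a fully qualified class name.
        if name.startswith("."):
            return package + name
        return name if "." in name else f"{package}.{name}"

    inv = {"permissions": set(), "services": set(), "receivers": set(), "boot_receivers": set()}
    for perm in root.findall("uses-permission"):
        inv["permissions"].add(perm.get(ANDROID + "name", ""))
    for svc in root.findall("application/service"):
        inv["services"].add(qualify(svc.get(ANDROID + "name", "")))
    for rcv in root.findall("application/receiver"):
        name = qualify(rcv.get(ANDROID + "name", ""))
        inv["receivers"].add(name)
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in rcv.iter("action")):
            inv["boot_receivers"].add(name)
    return inv


def smali_index(dirname):
    """Return 1 for 'smali', N for 'smali_classesN', None for anything else."""
    match = re.fullmatch(r"smali(?:_classes(\d+))?", dirname)
    return int(match.group(1) or 1) if match else None


def repackaging_diff(original_xml, suspect_xml, original_dirs, suspect_dirs):
    """Report what the suspect build declares or contains that the original does not."""
    before, after = manifest_inventory(original_xml), manifest_inventory(suspect_xml)
    report = {f"added_{k}": sorted(after[k] - before[k])
              for k in ("permissions", "services", "receivers")}
    # A receiver that is both new and boot-triggered is the strongest manifest signal.
    report["added_boot_receivers"] = sorted(after["boot_receivers"] - before["receivers"])
    new = [d for d in set(suspect_dirs) - set(original_dirs) if smali_index(d) is not None]
    report["added_smali_dirs"] = sorted(new, key=smali_index)
    return report


if __name__ == "__main__":
    print(repackaging_diff(ORIGINAL_XML, SUSPECT_XML, ORIGINAL_DIRS, SUSPECT_DIRS))
```

An empty report does not clear an APK; the comparison only covers manifest declarations and top-level smali directories, so a matching signing certificate check against the publisher's release remains the primary control.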
Added the [★] attribute to all of the main Blue messages that get printed to the AhMyth GUI's black message box when a process is running.
Added the [¡] information attribute to all of the Yellow information messages that get printed to the AhMyth GUI's message box to indicate that the corresponding text being shown in the message box is informative.
Added the [x] attribute to all of the Red error messages that get printed to the AhMyth GUI's message box screen when something goes wrong.
Added the [✓] attribute to all of the Green Success messages that get printed to the AhMyth GUI's message box screen when something has successfully finished doing what it's doing such as Building, or when something has initiated successfully such as Listening
"delayedLog" function that delays the main logs printed to the black message box in the AhMyth GUI by 0o500 seconds (500 milliseconds).
"WriteErrorLog" function for better handling of logging errors to text files when errors such as "Building Failed!", "Signing Failed!", etc, arise.
"Stop" button with the function that allows users to disconnect the AhMyth Server from EVERY active/connected client on specific ports. This is located next to the Listen button.
"clearLogs()" function that clears the black Message Box of its logs each time the "Build", "Bind", "Browse APK", "Listen" & "Stop" buttons are clicked.
This release contains updates to the UI as well as major stability upgrades to the Binding Features + more.
This release unfortunately contains broken Binding Features; only standalone payloads work with this release. Sorry for any inconvenience, a revision of this release will be released soon to fix this problem.
See the Changelog below for more Update Information on this release.
"$appCtrl.copyPermissions" function to "$appCtrl.modifyManifest" and completely rewrote the function to utilise the "xml2js" library when copying over permissions. It also now handles the injection of the payload service and receiver for the On Boot and On Launch methods for binding. This contains a lot more useful features than the legacy "$appCtrl.copyPermissions" function. Click the dropdown tab below to see what the rewrite of this function does.
"$appCtrl.copyPermissions".
data and callback.
CONSTANTS.permissions.
selectedPermissions to store selected permissions.
selectedPermissions array.
selectedPermissions to default permissions array.
selectedPermissions to default permissions array.
data to a string if it's not already a string.
xml2js.parseString.
callback with an error message.
manifest object from the parsed XML result.
manifestObj.application.receiver is an array and convert it to an array if necessary.
manifestObj.application.service is an array and convert it to an array if necessary.
Set called existingPermissions to store existing permissions.
existingPermissions set.
existingPermissions set.
selectedPermissions array to exclude duplicates and existing permissions.
selectedPermissions.
manifestObj.application.receiver and manifestObj.application.service arrays.
xml2js.Builder and modified manifest object.
</application> tag.
</manifest> tag with a new closing tag without extra newline.
callback with null (no error) and the final modified XML as the result.
"GetLauncherActivity" function utilised by the "$appCtrl.BindOnLauncher" function to make use of the "xml2js" library to help in finding a suitable main class file for hooking from the manifest file data. This aids in solving binding problems for Issues #277, #139 & #315 when using the On Launch method for binding. Click the dropdown tab below for a step by step explanation of what the rewrite for this function does:
1. It attempts to extract the <application> tag from the manifest object by accessing manifest['manifest']['application'][0]. This assumes that the manifest object has a structure where manifest contains a manifest property, which contains an application property that is an array (hence the [0] index).
2. It then checks if the extracted application object exists and if it has an android:name attribute (application['$']['android:name']). The android:name attribute typically specifies the fully qualified class name of the main application class in the AndroidManifest.xml file.
3. If the android:name attribute exists and the class name doesn't start with "android.app", it performs some manipulation on the class name. It splits the class name by the dot (.) separator and takes the last part (i.e., the class name without the package). If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main application class for hooking and returns the manipulated class name appended with the ".smali" extension.
4. If the previous step doesn't find the main application class, the function proceeds to search for the launcher activity. It looks for an activity object within the application object that contains an intent filter with the action "android.intent.action.MAIN" and category "android.intent.category.LAUNCHER" or "android.intent.category.DEFAULT".
5. It iterates over the activity objects in the manifest using the Array.prototype.find() method and checks if any of them have an intent filter that matches the launcher conditions mentioned in the previous step. If it finds a matching activity, it retrieves the android:name attribute of that activity.
6. Similar to step 3, if the retrieved activity class name doesn't start with "android.app", it performs the same manipulation to get the class name without the package. If the class name starts with a dot (.), it removes the dot. Then it logs a message indicating that it has scoped the main launcher activity class for hooking and returns the manipulated class name with the ".smali" extension.
7. If no launcher activity is found in the activities, the function checks for activity aliases (activity-alias objects) that have the same intent filter conditions as in step 4.
8. It iterates over the activity-alias objects in the manifest and checks if any of them have an intent filter that matches the launcher conditions. If it finds a matching activity alias, it retrieves the android:targetActivity attribute, which specifies the target activity of the alias.
9. The target activity name is then manipulated in the same way as before (without the package and without a leading dot), logged as a message indicating that it has scoped the main launcher activity class in an alias for hooking, and returned with the .smali extension.
10. If none of the above conditions match (no main application class, no launcher activity, and no launcher activity alias), the function returns -1 to indicate that the launcher activity couldn't be found.
"autoinstall" file used for installing AhMyth from source on Linux so it correctly installs the needed dependencies. If they're already installed then the script will do nothing. The "autoinstall" file for Linux has also been renamed from "autoinstall" to "autoinstall_linux". The file has also been upgraded to correctly install AhMyth and its needed dependencies for Debian & APT based Linux distros as well as Arch Linux & pacman based Linux distros.
"install.bat" file for installing electron v11 for AhMyth on Windows to "autoinstall_win.bat"
"start_linux" script for Linux users that starts AhMyth correctly based on the user's privilege level (i.e. root | non-root)
"start.bat" file for starting AhMyth on Windows, to start and then minimize, so that the command prompt can start AhMyth in the background. The file has also been renamed from "start.bat" to "start_win.bat"
"xml2js" library.
"GetLauncherPath" function utilized by the "$appCtrl.BindOnLauncher" function to use readdirp, a cross platform recursive version of nodeJS's fs.readdir(). This allows AhMyth to recursively search an entire APK for a hookable class file when using the On Launch method for binding regardless of the platform it's running on! This function takes its namesake from the original "GetLauncherActivity" function. This rewrite completely eliminates the need for installing external dependencies to run the Binding Features such as PowerShell for Windows, and findutils for macOS & Linux.
"Smali Payload Directory Creator" function which is now used inside the "$appCtrl.CopyAhmythFilesAndGenerateApk(apkFolder)" function, which is called when using either the On Launch or On Boot methods for binding. This helps in solving "Unsigned Short Value Out of Range" errors with Apktool when binding with original applications and also further aids in solving the binding problems with Issues #277, #139 and #315. Click the drop down tab below for a step-by-step explanation of what the new function does.
Reads the contents of the target APK folder, then filters and sorts the directories, excluding specific ones.
Determines what the last smali directory in the sorted list is. If the last directory is titled smali, then it creates a new directory named smali_classes2. However, if the last directory is not titled smali, the function extracts the number from the name of the last smali_classesX directory (where "X" is the number that's being extracted), then increments the extracted number by 1 to get a new number, which is then used to create a new directory named smali_classesX (where "X" is the new number).
Copies the payload files from the AhMyth payload's smali directory over to the newly created payload directory in the original APK.
Removes specific subdirectories from the newly created directory to help bypass the 64k Dalvik method limit when building.
Then finally calls the generateApk function to build and sign the payload APK.
Added the [★] attribute to all of the main Blue messages that get printed to the AhMyth GUI's black message box when a process is running.
Added the [¡] information attribute to all of the Yellow information messages that get printed to the AhMyth GUI's message box to indicate that the corresponding text being shown in the message box is informative.
Added the [x] attribute to all of the Red error messages that get printed to the AhMyth GUI's message box screen when something goes wrong.
Added the [✓] attribute to all of the Green Success messages that get printed to the AhMyth GUI's message box screen when something has successfully finished doing what it's doing such as Building, or when something has initiated successfully such as Listening
"delayedLog" function that delays the main logs printed to the black message box in the AhMyth GUI by 0o500 seconds (500 milliseconds).
"WriteErrorLog" function for better handling of logging errors to text files when errors such as "Building Failed!", "Signing Failed!", etc, arise.
"Stop" button with the function that allows users to disconnect the AhMyth Server from EVERY active/connected client. This is located next to the Listen button.
"clearLogs()" function that clears the black Message Box of its logs each time the "Build", "Bind", "Browse APK", "Listen" & "Stop" buttons are clicked.
This release contains major updates, bug fixes, stability improvements, and more.
This release was promised to be released a long time ago, but a lot of things came up, so I apologize to everyone for how long this took to do.
See the Changelog below for more Update Information on this release.
Fixed a limitation in the Bind On Launch feature, where AhMyth was only capable of searching through smali directories for launcher activities when backdooring original APK files. AhMyth can now search any smali or smali_classes directory recursively for the launcher activity when backdooring APKs using this method.
Updated the APK Browser Dialog to only allow the selection of APK files to avoid misselection of other files.
Updated code for rendering HTML pages in the main.js file to allow AhMyth to upgrade from [email protected] to [email protected] for Windows and [email protected] for Linux and macOS.
Added a new, simpler, static hook method for backdooring APK files when using the On Launch binding method. This supersedes the old onCreate hook method used before. This integration was borrowed from Metasploit-Framework's androidpayload files, which work in conjunction with Client Update No. 1 seen further down this list.
Fixed building problems with Windows by integrating a child process to empty the Apktool framework directory before building a standalone or bound APK payload. This was done because Windows users required doing this manually to allow AhMyth's building process to work properly. It's now done automatically before building each payload APK.
Fixed a bug in the function for modifying Launcher Activity files when using the Bind on Launch method. This bug would cause the package name of a legit APK file to be the absolute path of the Launcher Activity, which was not good. The newer cross-platform Bind On Launch feature has since fixed this thanks to the use of RegExp.
Fixed a bug in the Bind On Launch feature where the function for the extraction of the launcher activity from the android:targetActivity attribute did not return the fully converted launcher activity string. Apparently, the code wasn't finished by the creator because it was not having its instances of XML periods (.) converted to path separating slashes (/ - \\). This used to cause a major freeze in binding with some APKs, but it has now been fixed and will no longer happen.
Added new functions to modify an original APK's SDK version number when binding on launch to aid in allowing permissions of the payload to be granted after installing a bound payload. This works with most APKs tested, but there were a few exceptions, so don't expect this to work on every APK you try it with.
Corrected returned picture size from the camera snap feature. Major thank you to GitHub user HiddenPirates for doing this.
Some Small but Major updates to the AhMyth Server, fixing some very major bugs with client installation and with binding.
See the Changelog below for more Update Information on this release.
Migrated AhMyth's original APK Signer from Sign by Appium Boneyard to Uber APK Signer by Patrick Fav, fixing parsing package errors & other errors with installing AhMyth payload APKs. The new Signer for AhMyth also handles zipaligning as well, which was not present in the old Signer.
Fixed typos in AppCtrl.js that were causing problems with Binding with both On Launch & On Boot. Binding is now more stable than the previous versions, for both binding methods.
See the Changelog below for more Update Information on this Release.
Socket.io version to fix Slow Victim Connections
buffer() is deprecated please use buffer.alloc() buffer.from() or buffer.allocUnsafe() instead
Fixed autoinstallers for Kali and Parrot OS - had to separate the autoinstaller into two separate autoinstallers, there is one for Kali & one for Parrot
Upgraded the black AhMyth UI Terminal font colors
The birth of AhMyth Android RAT
Released by GitHub user and AhMyth-RAT creator, Ahmed Al 'AhMyth' Hajri on July 7, 2017
See the Changelog below for more Update Information on this release.
AppCtrl.js