
drozer Protocol

metall0id edited this page Nov 25, 2014 · 1 revision

The drozer system consists of 2 components, the Console and the Agent, with an optional Server between them. The communication between these components takes place over a TCP connection, currently unencrypted.

These components interact with each other using a binary protocol, built using the Google Protocol Buffers library.

Protocol Buffers

The drozer protobuf definition is maintained in the drozer-common repository.

It defines a single format to be transferred on the wire, Message, which can be specialised into one of four message types:

  • System Messages
    Used to control sessions, and to query the server and agent about their state. There is a request and a response format for this type:
    • SystemRequest
    • SystemResponse
  • Reflection Messages
    Used in an active session to send commands that interact with reflected objects in the agent. There is a request and a response format for this type:
    • ReflectionRequest
    • ReflectionResponse

Every message has an id field, which is used to match responses to requests. All reflection messages, and some system messages, also have a session_id, which identifies the drozer session to which the message belongs.

Framing

When transmitting protocol buffers on-the-wire, we need a custom frame to indicate the length of the packet. This is an 8-byte header, containing two 32-bit, unsigned integers followed by the payload encoded as a protocol buffer:

| 0                   1                   2                   3   |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
|                             version                             |
|                          payload length                         |
|                             payload                             |
|                               ...                               |

The byte order is little-endian.

The current protocol version number is 2. For compatibility purposes, some protocol version numbers are reserved. In particular:

  • Version 1
    To avoid confusion with the original, XML-based protocol in documentation.
  • Version 60
    To avoid problems if the drozer v1 client connected to a newer Agent and started sending XML.

This header theoretically allows a maximum packet size of 4 GiB. In practice, a packet of that size would cause a DoS condition on the Android device. A future version update may introduce a hard limit on the frame size.
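An added example (not code from drozer or this wiki) of reading and writing the frame described above in Python. It rejects an oversized declared length before any payload is buffered; the names `encode_frame`, `decode_frame` and `FrameError` and the 1 MiB `MAX_PAYLOAD` value are assumptions, since the protocol itself defines no limit.

```python
import struct

HEADER = struct.Struct("<II")    # version, payload length: two little-endian uint32
PROTOCOL_VERSION = 2             # current version, per this page
RESERVED_VERSIONS = {1, 60}      # reserved version numbers, per this page
MAX_PAYLOAD = 1 << 20            # assumption: 1 MiB local cap; the protocol defines none


class FrameError(ValueError):
    """The byte stream cannot be a valid version 2 frame."""


def encode_frame(payload: bytes) -> bytes:
    """Prefix a serialized Message with the 8-byte header."""
    if len(payload) > MAX_PAYLOAD:
        raise FrameError("payload exceeds local cap")
    return HEADER.pack(PROTOCOL_VERSION, len(payload)) + payload


def decode_frame(buf: bytes):
    """Return (payload, remaining_bytes), or (None, buf) if more bytes are needed.

    The header is validated before the payload is awaited, so a peer cannot
    make the receiver buffer a multi-gigabyte body by declaring a huge length.
    """
    if len(buf) < HEADER.size:
        return None, buf
    version, length = HEADER.unpack_from(buf)
    if version in RESERVED_VERSIONS:
        raise FrameError(f"reserved protocol version {version}")
    if version != PROTOCOL_VERSION:
        raise FrameError(f"unsupported protocol version {version}")
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
    end = HEADER.size + length
    if len(buf) < end:
        return None, buf
    return buf[HEADER.size:end], buf[end:]


if __name__ == "__main__":
    sample = b"\x08\x01"  # constructed bytes standing in for a serialized Message
    wire = encode_frame(sample) + encode_frame(b"")
    first, rest = decode_frame(wire)
    second, rest = decode_frame(rest)
    print(first, second, rest)
```

A receiver would call `decode_frame` on its accumulated socket buffer after each read and close the connection on `FrameError`.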
