-
Notifications
You must be signed in to change notification settings - Fork 160
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding / updating linux / android rules
- Loading branch information
1 parent
9e0ffdf
commit 3729fa3
Showing
8 changed files
with
96 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,6 +4,7 @@ rule: | |
| namespace: host-interaction/file-system/write | ||
| authors: | ||
| - [email protected] | ||
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
|
|
@@ -27,5 +28,7 @@ rule: | |
| - api: write | ||
| - api: fwrite | ||
| - api: putwchar | ||
| - api: dprintf | ||
| - api: fprintf | ||
| - optional: | ||
| - match: create or open file | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 19 additions & 0 deletions
19
nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| rule: | ||
| meta: | ||
| name: bypass hidden API restrictions via JNI on Android | ||
| namespace: host-interaction/bypass | ||
| authors: | ||
| - [email protected] | ||
| description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| references: | ||
| - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions | ||
| features: | ||
| - and: | ||
| - os: android | ||
| - string: "dalvik/system/VMRuntime" | ||
| - string: "getRuntime" | ||
| - string: "setHiddenApiExemptions" | ||
| - string: "java/lang/String" |
15 changes: 9 additions & 6 deletions
15
nursery/execute-syscall-instruction.yml → nursery/execute-syscall.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,22 @@ | ||
| rule: | ||
| meta: | ||
| name: execute syscall instruction | ||
| name: execute syscall | ||
| namespace: anti-analysis | ||
| authors: | ||
| - "@kulinacs" | ||
| - "@mr-tz" | ||
| - [email protected] | ||
| description: may be used to evade hooks or hinder analysis | ||
| scopes: | ||
| static: basic block | ||
| dynamic: unsupported # requires mnemonic features | ||
| references: | ||
| - https://github.com/j00ru/windows-syscalls | ||
| features: | ||
| - and: | ||
| - mnemonic: syscall | ||
| - or: | ||
| - mnemonic: ret | ||
| - mnemonic: retn | ||
| - or: | ||
| - api: syscall | ||
| - and: | ||
| - mnemonic: syscall | ||
| - or: | ||
| - mnemonic: ret | ||
| - mnemonic: retn |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| rule: | ||
| meta: | ||
| name: get current process memory mapping on Linux | ||
| namespace: host-interation/process | ||
| authors: | ||
| - [email protected] | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| features: | ||
| - and: | ||
| - or: | ||
| - os: linux | ||
| - os: android | ||
| - match: create or open file | ||
| - string: "/proc/self/maps" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| rule: | ||
| meta: | ||
| name: hook routines via LSPlant | ||
| namespace: linking/hooking | ||
| authors: | ||
| - [email protected] | ||
| description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization | ||
| scopes: | ||
| static: basic block | ||
| dynamic: thread | ||
| references: | ||
| - https://github.com/LSPosed/LSPlant | ||
| features: | ||
| - and: | ||
| - string: "LSPHooker_" | ||
| - string: "hooker" | ||
| - string: "{target}" |
16 changes: 16 additions & 0 deletions
16
nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| rule: | ||
| meta: | ||
| name: modify API blacklist or denylist via JNI on Android | ||
| namespace: host-interaction/bypass | ||
| authors: | ||
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| features: | ||
| - and: | ||
| - os: android | ||
| - string: "com/android/internal/os/ZygoteInit" | ||
| - string: "setApiBlacklistExemptions" | ||
| - string: "setApiDenylistExemptions" | ||
| - string: "java/lang/String" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| rule: | ||
| meta: | ||
| name: truncate file on Linux | ||
| namespace: host-interaction/file-system/truncate | ||
| authors: | ||
| - [email protected] | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| features: | ||
| - and: | ||
| - api: ftruncate |