From 3729fa314da35a7300bf79248cb0c02b290a24ae Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Wed, 5 Jun 2024 17:01:59 -0600
Subject: [PATCH] adding / updating linux / android rules

---
 .../file-system/write/write-file-on-linux.yml | 3 +++
 .../create/create-process-on-linux.yml | 4 ++++
 ...en-api-restrictions-via-jni-on-android.yml | 19 +++++++++++++++++++
 ...ll-instruction.yml => execute-syscall.yml} | 15 +++++++++------
 ...urrent-process-memory-mapping-on-linux.yml | 16 ++++++++++++++++
 nursery/hook-routines-via-lsplant.yml | 17 +++++++++++++++++
 ...acklist-or-denylist-via-jni-on-android.yml | 16 ++++++++++++++++
 nursery/truncate-file-on-linux.yml | 12 ++++++++++++
 8 files changed, 96 insertions(+), 6 deletions(-)
 create mode 100644 nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
 rename nursery/{execute-syscall-instruction.yml => execute-syscall.yml} (62%)
 create mode 100644 nursery/get-current-process-memory-mapping-on-linux.yml
 create mode 100644 nursery/hook-routines-via-lsplant.yml
 create mode 100644 nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
 create mode 100644 nursery/truncate-file-on-linux.yml

diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index 0be290eb..346c13d5 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -4,6 +4,7 @@ rule:
 namespace: host-interaction/file-system/write
 authors:
 - joakim@intezer.com
+ - mehunhoff@google.com
 scopes:
 static: function
 dynamic: thread
@@ -27,5 +28,7 @@ rule:
 - api: write
 - api: fwrite
 - api: putwchar
+ - api: dprintf
+ - api: fprintf
 - optional:
 - match: create or open file
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml
index c7b6d5d8..b78a0286 100644
--- a/host-interaction/process/create/create-process-on-linux.yml
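Review bot: `fprintf` and `dprintf`, added to the `- or:` list in the second hunk, match any stream or descriptor write, and `fprintf(stderr, ...)` is the stock logging idiom on Linux, so the rule will now report most programs that merely log rather than only those that write files; the enclosing `- or:` and the rule's `scopes:` begin before this hunk. The existing `- optional: match: create or open file` does not constrain that, so at least warn the next reader inline, e.g. `- api: fprintf  # also matches stderr/stdout logging; file intent relies on the optional create-or-open match`. If the goal is broader libc coverage, the obvious siblings `pwrite`, `writev`, `fputs` and `fputc` are absent from the same list and could go in alongside.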
+++ b/host-interaction/process/create/create-process-on-linux.yml
@@ -19,6 +19,10 @@ rule:
 - os: android
 - or:
 - api: execve
+ - and:
+ - match: execute syscall
+ - arch: aarch64
+ - number: 0xdd
 - api: execl
 - api: execlp
 - api: execle
diff --git a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
new file mode 100644
index 00000000..baaad79a
--- /dev/null
+++ b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: bypass hidden API restrictions via JNI on Android
+ namespace: host-interaction/bypass
+ authors:
+ - mehunhoff@google.com
+ description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use
+ scopes:
+ static: function
+ dynamic: thread
+ references:
+ - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions
+ features:
+ - and:
+ - os: android
+ - string: "dalvik/system/VMRuntime"
+ - string: "getRuntime"
+ - string: "setHiddenApiExemptions"
+ - string: "java/lang/String"
diff --git a/nursery/execute-syscall-instruction.yml b/nursery/execute-syscall.yml
similarity index 62%
rename from nursery/execute-syscall-instruction.yml
rename to nursery/execute-syscall.yml
index fa284e5d..55079b3f 100644
--- a/nursery/execute-syscall-instruction.yml
+++ b/nursery/execute-syscall.yml
@@ -1,10 +1,11 @@
 rule:
 meta:
- name: execute syscall instruction
+ name: execute syscall
 namespace: anti-analysis
 authors:
 - "@kulinacs"
 - "@mr-tz"
+ - mehunhoff@google.com
 description: may be used to evade hooks or hinder analysis
 scopes:
 static: basic block
@@ -12,8 +13,10 @@ rule:
 references:
 - https://github.com/j00ru/windows-syscalls
 features:
- - and:
- - mnemonic: syscall
- - or:
- - mnemonic: ret
- - mnemonic: retn
+ - or:
+ - api: syscall
+ - and:
+ - mnemonic: syscall
+ - or:
+ - mnemonic: ret
+ - mnemonic: retn
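Review bot: The new `- and:` branch pairs `match: execute syscall` with `number: 0xdd` without any data-flow link, so a function that contains a syscall and the constant 221 anywhere in the rule's scope (the `scopes:` block is outside this hunk) is reported as process creation, and the magic number is left unexplained. At minimum document it with capa's inline feature description, `- number: 0xdd = __NR_execve on aarch64`, and note that `execveat`, which has its own number, is not covered. Since the remaining branches are architecture-neutral and `execute syscall` keys on the x86-64 `syscall` mnemonic, an x86-64 sibling `- arch: amd64` with `- number: 0x3b = __NR_execve on amd64` would keep the rule symmetric, if that is the intent.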
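Review bot: The `description:` of the new rule explains Android's restriction but not what the rule detects, and three of the four `string:` features (`getRuntime`, `java/lang/String`, and to a lesser degree `dalvik/system/VMRuntime`) are referenced by a large share of benign JNI code, leaving `setHiddenApiExemptions` as the only discriminating feature. Rewrite the description to name the technique, e.g. `description: calls dalvik.system.VMRuntime.setHiddenApiExemptions via JNI reflection to lift the non-SDK (hidden API) restrictions enforced since Android 9`. `java/lang/String` is just the argument-array type of that call and adds nothing, so drop it or move it under `- optional:`; a primary reference to the Android developer documentation on non-SDK interface restrictions would also be stronger than the Stack Overflow thread alone.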
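Review bot: The new `- api: syscall` branch in the second hunk matches libc's `syscall(2)` wrapper, an ordinary documented entry point that does not evade hooks placed on libc, so the unchanged `description: may be used to evade hooks or hinder analysis` in the first hunk now overstates what that branch means, and the rule still keys only on the x86-64 `syscall` mnemonic. That matters for the `create-process-on-linux.yml` hunk in this same patch, which combines `match: execute syscall` with `arch: aarch64`: an inline `svc #0` on AArch64 can never satisfy the mnemonic branch, so only code going through libc `syscall()` can match there. Consider adding the AArch64 form next to the x86 one, `- mnemonic: svc` (if the analysis backend emits it), and qualifying the description, e.g. `description: a direct syscall instruction may evade user-mode hooks; the libc syscall() wrapper is matched as well`.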
diff --git a/nursery/get-current-process-memory-mapping-on-linux.yml b/nursery/get-current-process-memory-mapping-on-linux.yml
new file mode 100644
index 00000000..051bcba0
--- /dev/null
+++ b/nursery/get-current-process-memory-mapping-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: get current process memory mapping on Linux
+ namespace: host-interation/process
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: basic block
+ dynamic: call
+ features:
+ - and:
+ - or:
+ - os: linux
+ - os: android
+ - match: create or open file
+ - string: "/proc/self/maps"
diff --git a/nursery/hook-routines-via-lsplant.yml b/nursery/hook-routines-via-lsplant.yml
new file mode 100644
index 00000000..8d20b485
--- /dev/null
+++ b/nursery/hook-routines-via-lsplant.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: hook routines via LSPlant
+ namespace: linking/hooking
+ authors:
+ - mehunhoff@google.com
+ description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization
+ scopes:
+ static: basic block
+ dynamic: thread
+ references:
+ - https://github.com/LSPosed/LSPlant
+ features:
+ - and:
+ - string: "LSPHooker_"
+ - string: "hooker"
+ - string: "{target}"
diff --git a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
new file mode 100644
index 00000000..95d27b18
--- /dev/null
+++ b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: modify API blacklist or denylist via JNI on Android
+ namespace: host-interaction/bypass
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: function
+ dynamic: thread
+ features:
+ - and:
+ - os: android
+ - string: "com/android/internal/os/ZygoteInit"
+ - string: "setApiBlacklistExemptions"
+ - string: "setApiDenylistExemptions"
+ - string: "java/lang/String"
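Review bot: `namespace: host-interation/process` in the new file is misspelled (`interation`), which places the rule outside the `host-interaction/` tree and will likely be rejected by the rule linter; fix it to `namespace: host-interaction/process`. The rule also carries no `description:` or `references:`, so a reader cannot tell why reading `/proc/self/maps` is worth reporting; a line such as `description: reads /proc/self/maps, e.g. to locate loaded libraries and their addresses or to look for injected or hooked modules` would cover that. The literal string also misses the equivalent `/proc/<pid>/maps` and `/proc/%d/maps` spellings; a regex feature like `- string: /\/proc\/(self|%d|\d+)\/maps/` would catch them if the broader match is wanted.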
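Review bot: `hook-routines-via-lsplant.yml` is the only new Android rule in this patch without an `- os: android` feature, even though its own description says LSPlant is an Android ART hook library; adding `- os: android` under the `- and:` keeps it consistent with the sibling rules and avoids matching these strings in unrelated binaries. `"hooker"` and `"{target}"` are short, generic strings, and at `static: basic block` scope all three must be referenced from a single basic block, which is tighter than the `static: function` scope the other rules here use; confirm against a real LSPlant sample that this is intentional. A short inline note on the one distinctive string, `- string: "LSPHooker_"  # prefix of the generated hooker class name`, would also help the next reader.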
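Review bot: The `- and:` in the new file requires both `setApiBlacklistExemptions` and `setApiDenylistExemptions` to be present, but these appear to be the older and newer names of the same `ZygoteInit` method (renamed with the blacklist/denylist terminology change), so a sample built for one API generation references only one of them and will not match. Nest the two method-name strings under an `- or:` inside the `- and:` so either name satisfies the rule. The rule also lacks `description:` and `references:`; a one-liner such as `description: calls ZygoteInit.setApiBlacklistExemptions or setApiDenylistExemptions via JNI reflection to exempt methods from the hidden API denylist` would document the technique, and `java/lang/String` is a universal JNI type that adds no discrimination.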
diff --git a/nursery/truncate-file-on-linux.yml b/nursery/truncate-file-on-linux.yml
new file mode 100644
index 00000000..359e7a1d
--- /dev/null
+++ b/nursery/truncate-file-on-linux.yml
@@ -0,0 +1,12 @@
+rule:
+ meta:
+ name: truncate file on Linux
+ namespace: host-interaction/file-system/truncate
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: basic block
+ dynamic: call
+ features:
+ - and:
+ - api: ftruncate
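Review bot: The `- and:` in the new file wraps a single `- api: ftruncate`, and despite the name `truncate file on Linux` there is no `os:` constraint, unlike the other Linux rules in this patch; the path-based sibling `truncate` is also missing, so truncation by path goes unreported. The fix is a small restructuring of the `features:` block with an `os:` alternation and both truncation APIs, shown below, and a `description:` line in `meta:` (e.g. `description: shrinks or extends a file to a given length, commonly used to wipe or reset a file`) would make the rule self-explanatory.

```yaml
# … unchanged: meta and scopes …
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - api: truncate
        - api: ftruncate
```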