add additional android rules

mandiant · Jun 6, 2024 · 96ed529 · 96ed529
1 parent 6fedeac
commit 96ed529
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/nursery/get-current-process-filesystem-mounts-on-linux.yml b/nursery/get-current-process-filesystem-mounts-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get current process filesystem mounts on Linux
+    namespace: host-interation/process
+    authors:
+      - [email protected]
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: linux
+        - os: android
+      - match: create or open file
+      - string: "/proc/self/mounts"
diff --git a/nursery/get-system-property-on-android.yml b/nursery/get-system-property-on-android.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get system property on Android
+    namespace: host-interation/process
+    authors:
+      - [email protected]
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - os: android
+      - api: __system_property_get
diff --git a/nursery/load-packed-dex-via-jiagu-on-android.yml b/nursery/load-packed-dex-via-jiagu-on-android.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: load packed DEX via Jiagu on Android
+    namespace: anti-analysis
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://github.com/Frezrik/Jiagu
+  features:
+    - and:
+      - os: android
+      - string: "NDK_JIAGU"
+      - string: "[-]get %s handle failed:%s"
+      - string: "[-]ANONYMOUS mmap failed:%s"
+      - string: "[-]g_sdk_int Update cookie failed"
+      - string: "dalvik/system/InMemoryDexClassLoader"