Add pangxie, clean up rules

Closes #11
rednaga · Sep 25, 2016 · 2e74146 · 2e74146
1 parent d2d8b32
commit 2e74146
Show file tree

Hide file tree

Showing 8 changed files with 142 additions and 35 deletions.
diff --git a/apkid/rules/apk/common.yara b/apkid/rules/apk/common.yara
@@ -25,10 +25,10 @@
  *
  **/
 
-private rule apk
+private rule is_apk
 {
   meta:
-    description = "Resembles an simple APK that is likely not corrupt"
+    description = "Resembles an APK that is likely not corrupt"
 
   strings:
     $zip_head = "PK"
@@ -38,25 +38,25 @@ private rule apk
     $zip_head at 0 and $manifest and #manifest >= 2
 }
 
-private rule signed_apk
+private rule is_signed_apk
 {
   meta:
-    description = "Resembles an simple APK that is signed and likely not corrupt"
+    description = "Resembles a signed APK that is likely not corrupt"
 
   strings:
     $meta_inf = "META-INF/"
     $rsa = ".RSA"
     $dsa = ".DSA"
 
   condition:
-    apk and for all of ($meta_inf*) : ( $rsa or $dsa in (@ + 9..@ + 9 + 100))
+    is_apk and for all of ($meta_inf*) : ($rsa or $dsa in (@ + 9..@ + 9 + 100))
 }
 
-private rule unsigned_apk
+private rule is_unsigned_apk
 {
   meta:
-    description = "Resembles an simple APK that is unsigned and likely not corrupt"
+    description = "Resembles an unsigned APK that is likely not corrupt"
 
   condition:
-    apk and not signed_apk
+    is_apk and not is_signed_apk
 }
diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
@@ -44,7 +44,7 @@ rule dexprotector : packer
     $encrptcustom = "assets/dp.mp3"
 
   condition:
-    apk and any of ($encrptlib, $encrptlib1, $encrptlib2, $encrptlib3) and $encrptcustom
+    is_apk and any of ($encrptlib, $encrptlib1, $encrptlib2, $encrptlib3) and $encrptcustom
 }
 
 rule apkprotect : packer
@@ -58,7 +58,7 @@ rule apkprotect : packer
     $lib = "libAPKProtect.so"
 
   condition:
-    apk and ($key or $dir or $lib)
+    is_apk and ($key or $dir or $lib)
 }
 
 rule bangcle : packer
@@ -73,9 +73,8 @@ rule bangcle : packer
     $encrypted_jar = "bangcleclasses.jar"
     $encrypted_jar2 = "bangcle_classes.jar"
 
-
   condition:
-    apk and any of ($main_lib, $second_lib, $container, $encrypted_jar, $encrypted_jar2)
+    is_apk and any of ($main_lib, $second_lib, $container, $encrypted_jar, $encrypted_jar2)
 }
 
 rule kiro : packer
@@ -88,7 +87,7 @@ rule kiro : packer
     $sbox = "assets/sbox"
 
   condition:
-    apk and $kiro_lib and $sbox
+    is_apk and $kiro_lib and $sbox
 }
 
 rule qihoo360 : packer
@@ -100,8 +99,9 @@ rule qihoo360 : packer
     $a = "libprotectClass.so"
 
   condition:
-    apk and $a
-    and not kiro
+    is_apk and
+    $a and
+    not kiro
 }
 
 rule jiagu : packer
@@ -116,7 +116,7 @@ rule jiagu : packer
     $art_lib = "libjiagu_art.so"
 
   condition:
-    apk and ($main_lib or $art_lib)
+    is_apk and ($main_lib or $art_lib)
 }
 
 rule qdbh_packer : packer
@@ -128,7 +128,7 @@ rule qdbh_packer : packer
     $qdbh = "assets/qdbh"
 
   condition:
-    apk and $qdbh
+    is_apk and $qdbh
 }
 
 rule unknown_packer_lib : packer
@@ -142,7 +142,7 @@ rule unknown_packer_lib : packer
     $post_jar = { 2E 6A 61 72 00 77 00 6A 61 76 61 2F 75 74 69 6C 2F 4D 61 70 00 67 65 74 49 6E 74 00 }
 
   condition:
-    //apk and
+    //is_apk and
     ($pre_jar and $jar_data and $post_jar)
 }
 
@@ -157,7 +157,7 @@ rule unicom_loader : packer
     $classes_jar = "classes.jar"
 
   condition:
-    apk and ($unicom_lib and ($decrypt_lib or $classes_jar))
+    is_apk and ($unicom_lib and ($decrypt_lib or $classes_jar))
 }
 
 rule liapp : packer
@@ -170,7 +170,7 @@ rule liapp : packer
     $lib = "LIAPPClient.sc"
 
   condition:
-    apk and any of ($dir, $lib)
+    is_apk and any of ($dir, $lib)
 }
 
 rule app_fortify : packer
@@ -182,7 +182,7 @@ rule app_fortify : packer
     $lib = "libNSaferOnly.so"
 
   condition:
-    apk and $lib
+    is_apk and $lib
 }
 
 rule nqshield : packer
@@ -196,10 +196,9 @@ rule nqshield : packer
     $lib_sec2 = "nqshell"
 
   condition:
-    apk and any of ($lib, $lib_sec1, $lib_sec2)
+    is_apk and any of ($lib, $lib_sec1, $lib_sec2)
 }
 
-
 rule tencent : packer
 {
   meta:
@@ -212,7 +211,7 @@ rule tencent : packer
     $mix_dex = "/mix.dex"
 
   condition:
-    apk and ($classpath or $decryptor_lib or $zip_lib or $mix_dex)
+    is_apk and ($classpath or $decryptor_lib or $zip_lib or $mix_dex)
 }
 
 rule ijiami : packer
@@ -226,7 +225,7 @@ rule ijiami : packer
     $ijm_lib = "assets/ijm_lib/"
 
   condition:
-    apk and ($old_dat or $new_ajm or $ijm_lib)
+    is_apk and ($old_dat or $new_ajm or $ijm_lib)
 }
 
 rule naga : packer
@@ -238,7 +237,7 @@ rule naga : packer
     $lib = "libddog.so"
 
   condition:
-    apk and $lib
+    is_apk and $lib
 }
 
 rule alibaba : packer
@@ -250,7 +249,7 @@ rule alibaba : packer
     $lib = "libmobisec.so"
 
   condition:
-    apk and $lib
+    is_apk and $lib
 }
 
 rule medusa : packer
@@ -262,7 +261,7 @@ rule medusa : packer
     $lib = "libmd.so"
 
   condition:
-    apk and $lib
+    is_apk and $lib
 }
 
 rule baidu : packer
@@ -275,5 +274,17 @@ rule baidu : packer
     $encrypted = "baiduprotect1.jar"
 
   condition:
-    apk and ($lib or $encrypted)
+    is_apk and ($lib or $encrypted)
+}
+
+rule pangxie : packer
+{
+  meta:
+    description = "PangXie"
+
+  strings:
+    $lib = "libnsecure.so"
+
+  condition:
+    is_apk and $lib
 }
diff --git a/apkid/rules/dex/abnormal.yara b/apkid/rules/dex/abnormal.yara
@@ -26,6 +26,7 @@
  **/
 
 import "dex"
+include "common.yara"
 
 rule abnormal_header_size : abnormal
 {
@@ -37,7 +38,7 @@ rule abnormal_header_size : abnormal
      * Header size is always 112 bytes but the format allows it to be bigger. This would make it
      * possible to do weird stuff like hide files after the normal header data.
      */
-    dex.header.header_size != 0x70
+    is_dex and dex.header.header_size != 0x70
 }
 
 rule non_zero_link_size : abnormal anti_disassembly

diff --git a/apkid/rules/dex/common.yara b/apkid/rules/dex/common.yara
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2016  RedNaga. http://rednaga.io
+ * All rights reserved. Contact: [email protected]
+ *
+ *
+ * This file is part of APKiD
+ *
+ *
+ * Commercial License Usage
+ * ------------------------
+ * Licensees holding valid commercial APKiD licenses may use this file
+ * in accordance with the commercial license agreement provided with the
+ * Software or, alternatively, in accordance with the terms contained in
+ * a written agreement between you and RedNaga.
+ *
+ *
+ * GNU General Public License Usage
+ * --------------------------------
+ * Alternatively, this file may be used under the terms of the GNU General
+ * Public License version 3.0 as published by the Free Software Foundation
+ * and appearing in the file LICENSE.GPL included in the packaging of this
+ * file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ * information to ensure the GNU General Public License version 3.0
+ * requirements will be met.
+ *
+ **/
+
+private rule is_dex
+{
+  meta:
+    description = "Resembles a DEX file"
+
+  strings:
+    $dex = { 64 65 78 0A 30 33 ?? 00 }
+    $odex = { 64 65 79 0A 30 33 ?? 00 }
+
+  condition:
+    $dex at 0 or
+    $odex at 0
+}
diff --git a/apkid/rules/dex/compilers.yara b/apkid/rules/dex/compilers.yara
@@ -26,6 +26,7 @@
  **/
 
 import "dex"
+include "common.yara"
 
 rule dexlib1 : compiler
 {

diff --git a/apkid/rules/dex/obfuscators.yara b/apkid/rules/dex/obfuscators.yara
@@ -26,6 +26,7 @@
  **/
 
 import "dex"
+include "common.yara"
 
 rule dexguard : obfuscator
 {
@@ -59,6 +60,7 @@ rule dexguard : obfuscator
     $c = "invoke"
 
   condition:
+    is_dex and
     $opcodes and
     all of ($a, $b, $c) and
     uint32(dex.header.data_offset + dex.header.data_size - 4) == 0
@@ -87,6 +89,7 @@ rule dexprotector : obfuscator
     $c = "invoke"
 
   condition:
+    is_dex and
     $method and
     all of ($a, $b, $c)
 }
@@ -103,5 +106,6 @@ rule bitwise_antiskid : obfuscator
     $truth2 = "Only skids can't get plaintext. Credits to Bitwise.\x00"
 
   condition:
+    is_dex and
     any of them
 }
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2016  RedNaga. http://rednaga.io
+ * All rights reserved. Contact: [email protected]
+ *
+ *
+ * This file is part of APKiD
+ *
+ *
+ * Commercial License Usage
+ * ------------------------
+ * Licensees holding valid commercial APKiD licenses may use this file
+ * in accordance with the commercial license agreement provided with the
+ * Software or, alternatively, in accordance with the terms contained in
+ * a written agreement between you and RedNaga.
+ *
+ *
+ * GNU General Public License Usage
+ * --------------------------------
+ * Alternatively, this file may be used under the terms of the GNU General
+ * Public License version 3.0 as published by the Free Software Foundation
+ * and appearing in the file LICENSE.GPL included in the packaging of this
+ * file. Please visit http://www.gnu.org/copyleft/gpl.html and review the
+ * information to ensure the GNU General Public License version 3.0
+ * requirements will be met.
+ *
+ **/
+
+include "common.yara"
+
+rule pangxie_dex : packer
+{
+  meta:
+    description = "PangXie"
+
+  strings:
+    // Lcom/merry/wapper/WapperApplication;
+    $wrapper = {
+      00 24 4C 63 6F 6D 2F 6D 65 72 72 79 2F 77 61 70
+      70 65 72 2F 57 61 70 70 65 72 41 70 70 6C 69 63
+      61 74 69 6F 6E 3B 00
+    }
+
+  condition:
+    is_dex and
+    $wrapper
+}
+
+
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,7 @@ @@
      **/
     import "dex"
+    include "common.yara"
     rule dexlib1 : compiler
     {
@@ Expand Down @@