
fix: Add rule for kiwisec (rednaga#424)
* Add rule for kiwisec

Closes
[DETECTION] Chinese protectors and packers rednaga#389
[DETECTION] KiwiSec ApkProtect rednaga#294
[DETECTION] Detect KiwiSec VM-based protector rednaga#234

* fix indentation

* kiwisec: enhance rule
AbhiTheModder authored Dec 8, 2024
1 parent 5ce7b38 commit 4c529c3
Showing 3 changed files with 64 additions and 0 deletions.
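--- a/apkid/rules/apk/packers.yara
+++ b/apkid/rules/apk/packers.yara
@@ -1099,3 +1099,23 @@ rule gpresto_apk : packer
 condition:
 is_apk and 2 of them
 }
+
+rule kiwisec_apk : packer
+{
+meta:
+description = "KiwiSec"
+url = "https://en.kiwisec.com/"
+sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+author = "Abhi"
+
+strings:
+$lib = /lib\/(arm.*|x86.*)\/libkiwicrash\.so/
+$lib2 = /lib\/(arm.*|x86.*)\/libkiwi_dumper\.so/
+$lib3 = /lib\/(arm.*|x86.*)\/libKwProtectSDK\.so/
+$lib4 = /lib\/(arm.*|x86.*)\/libkwsdataenc\.so/
+$lib5 = /lib\/(arm.*|x86.*)\/libkadp\.so/
+$lib6 = /lib\/(arm.*|x86.*)\/libwhite-box\.so/
+condition:
+is_apk and 2 of them
+}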
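Review bot: The three new rules use different match thresholds — `kiwisec_apk` needs `2 of them`, whereas `kiwisec_dex` and `kiwisec_elf` fire on `any of them` — so a sample whose only KiwiSec artefact is the crash component (`libkiwicrash.so`) would apparently be tagged by the dex and elf rules but not by this one. The stricter threshold looks deliberate here, since `$lib6` (`libwhite-box.so`) is a generic library name that other vendors could plausibly ship, but the rationale is not recorded anywhere in the rule. A one-line comment above `condition:` such as `// 2 of them: libwhite-box.so alone is too generic to attribute to KiwiSec` would keep the next maintainer from "harmonising" it to `any of them`.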
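--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -701,3 +701,23 @@ rule dingxiang_dex : packer
 and 2 of ($class*)
 and any of ($hash_code*)
 }
+
+rule kiwisec_dex : packer
+{
+meta:
+description = "KiwiSec"
+url = "https://en.kiwisec.com/"
+sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+author = "Abhi"
+
+strings:
+$class = { 00 1E 4C 63 6F 6D 2F 6B 69 77 69 73 65 63
+2F 63 72 61 73 68 2F 43 72 61 73 68 55 74
+69 6C 73 3B 00 } // Lcom/kiwisec/crash/CrashUtils;
+$class2 = { 00 25 4C 63 6F 6D 2F 6B 69 77 69 76 6D 2F
+73 65 63 75 72 69 74 79 2F 53 74 75 62 41
+70 70 6C 69 63 61 74 69 6F 6E 3B 00 } // Lcom/kiwivm/security/StubApplication;
+condition:
+is_dex and any of them
+}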
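Review bot: `condition: is_dex and any of them` lets `$class` (`Lcom/kiwisec/crash/CrashUtils;`) alone produce a packer hit, yet that name reads like a crash-reporting helper, while `$class2` (`Lcom/kiwivm/security/StubApplication;`) is the one that looks like the protector's application stub. If KiwiSec's crash component can be embedded without the protector, unprotected apps would be tagged as packed; this is an inference from the class names and needs confirming against a sample that only bundles the crash SDK. Until that is checked, a comment on `$class` such as `// crash-reporting helper — may also appear without the VM protector, TODO confirm` records the uncertainty, and if the concern is confirmed the conservative form is `is_dex and all of them` (or `$class2` alone). The length prefixes `1E` and `25` do match the two string lengths, so the byte patterns themselves look correct.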
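--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -979,3 +979,27 @@ rule gpresto_elf : packer
 and $class
 and 2 of ($name*)
 }
+
+rule kiwisec_elf : packer
+{
+meta:
+description = "KiwiSec"
+url = "https://en.kiwisec.com/"
+sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+author = "Abhi"
+
+strings:
+$string = "\x00kiwi_dumper\x00"
+$string2 = "\x00libKwProtectSDK.so\x00"
+$string3 = "\x00libkwsdataenc.so\x00"
+$string4 = "\x00libkiwicrash.so\x00"
+$class = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+68 2F 4E 61 74 69 76 65 48 61 6E 64 6C 65 72 00 } // com/kiwisec/crash/NativeHandler
+$class2 = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+68 2F 43 72 61 73 68 55 74 69 6C 73 00 } // com/kiwisec/crash/CrashUtils
+condition:
+is_elf
+and any of them
+}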
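Review bot: `$class` and `$class2` are written as hex byte sequences with a trailing comment spelling out the text, but unlike the dex rule there is no length prefix here — the bytes are exactly a NUL-delimited ASCII string — so they can be written in the same form as `$string`…`$string4`: `$class = "\x00com/kiwisec/crash/NativeHandler\x00"` and `$class2 = "\x00com/kiwisec/crash/CrashUtils\x00"`. That keeps each string self-describing instead of relying on a comment that can drift from the bytes, and matches the style used four lines above in the same rule. Separately, `$string` (`\x00kiwi_dumper\x00`) is the only entry not in `lib…so` form; if it is meant to catch a thread name or log tag rather than a SONAME, a short comment saying so would spare the next reader from guessing.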
