From 4c529c33245f348c976cbe8198e69939b358b68d Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Sun, 8 Dec 2024 23:13:17 +0530
Subject: [PATCH] fix: Add rule for kiwisec (#424)
* Add rule for kiwisec
Closes [DETECTION] Chinese protectors and packers #389 [DETECTION] KiwiSec ApkProtect #294 [DETECTION] Detect KiwiSec VM-based protector #234
* fix indentation
* kiwisec: enhance rule
---
 apkid/rules/apk/packers.yara | 20 ++++++++++++++++++++
 apkid/rules/dex/packers.yara | 20 ++++++++++++++++++++
 apkid/rules/elf/packers.yara | 24 ++++++++++++++++++++++++
 3 files changed, 64 insertions(+)
diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
index 1f2889b..bf13e21 100644
--- a/apkid/rules/apk/packers.yara
+++ b/apkid/rules/apk/packers.yara
@@ -1099,3 +1099,23 @@ rule gpresto_apk : packer
   condition:
     is_apk and 2 of them
 }
+
+rule kiwisec_apk : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $lib = /lib\/(arm.*|x86.*)\/libkiwicrash\.so/
+    $lib2 = /lib\/(arm.*|x86.*)\/libkiwi_dumper\.so/
+    $lib3 = /lib\/(arm.*|x86.*)\/libKwProtectSDK\.so/
+    $lib4 = /lib\/(arm.*|x86.*)\/libkwsdataenc\.so/
+    $lib5 = /lib\/(arm.*|x86.*)\/libkadp\.so/
+    $lib6 = /lib\/(arm.*|x86.*)\/libwhite-box\.so/
+
+  condition:
+    is_apk and 2 of them
+}
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 652cf85..49215d0 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
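Review bot: The `(arm.*|x86.*)` group in `$lib` through `$lib6` is unbounded — `.*` also consumes `/`, so a match can start at one `lib/arm…` entry name and run past the ABI directory into following bytes (up to the next newline byte) before landing on a later `libkiwicrash.so`, which is both slower and looser than the intent of "one of the ABI dirs". If the rest of packers.yara uses this same shape, keep it for consistency; otherwise `/lib\/(arm[^\/]*|x86[^\/]*)\/libkiwicrash\.so/` (and likewise for the other five) pins the match to a single path component. `libwhite-box.so` (`$lib6`) and `libkadp.so` (`$lib5`) are fairly generic names that other SDKs could plausibly ship, so the `2 of them` threshold is doing real work here; a short comment such as `// libwhite-box.so and libkadp.so are generic names — secondary indicators only, hence "2 of them"` would record that decision for the next person who is tempted to lower the threshold.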
@@ -701,3 +701,23 @@ rule dingxiang_dex : packer
     and 2 of ($class*)
     and any of ($hash_code*)
 }
+
+rule kiwisec_dex : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $class = { 00 1E 4C 63 6F 6D 2F 6B 69 77 69 73 65 63
+               2F 63 72 61 73 68 2F 43 72 61 73 68 55 74
+               69 6C 73 3B 00 } // Lcom/kiwisec/crash/CrashUtils;
+    $class2 = { 00 25 4C 63 6F 6D 2F 6B 69 77 69 76 6D 2F
+                73 65 63 75 72 69 74 79 2F 53 74 75 62 41
+                70 70 6C 69 63 61 74 69 6F 6E 3B 00 } // Lcom/kiwivm/security/StubApplication;
+
+  condition:
+    is_dex and any of them
+}
diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
index 73ab449..6c6372e 100644
--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -979,3 +979,27 @@ rule gpresto_elf : packer
     and $class
     and 2 of ($name*)
 }
+
+rule kiwisec_elf : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $string = "\x00kiwi_dumper\x00"
+    $string2 = "\x00libKwProtectSDK.so\x00"
+    $string3 = "\x00libkwsdataenc.so\x00"
+    $string4 = "\x00libkiwicrash.so\x00"
+
+    $class = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+               68 2F 4E 61 74 69 76 65 48 61 6E 64 6C 65 72 00 } // com/kiwisec/crash/NativeHandler
+    $class2 = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+                68 2F 43 72 61 73 68 55 74 69 6C 73 00 } // com/kiwisec/crash/CrashUtils
+
+  condition:
+    is_elf
+    and any of them
+}
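Review bot: `is_dex and any of them` lets `$class` alone — `Lcom/kiwisec/crash/CrashUtils;` — classify a DEX as KiwiSec-packed, yet by its name that class is a crash-reporting helper rather than the unpacking stub that `$class2` (`Lcom/kiwivm/security/StubApplication;`) names; if KiwiSec also distributes the crash component as a standalone SDK, apps that only embed it would be tagged `packer`. Requiring the stub, `is_dex and ($class2 or all of them)`, or at least a `// CrashUtils belongs to the crash SDK and may appear without the VM stub` comment on `$class`, would make that trade-off explicit. The byte patterns themselves check out: the `1E` and `25` prefixes equal the descriptor lengths (30 and 37), which appears to be the `00 <uleb128 len> <mutf8> 00` string_data_item layout; a comment such as `// 00 <uleb128 length> <descriptor> 00 — DEX string_data_item` above `$class` would let the next maintainer regenerate these without reverse-engineering the encoding.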
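Review bot: The `sample` meta reuses the APK sha256 from the apk/dex rules for an ELF rule, so whoever verifies `kiwisec_elf` has to unpack that APK and guess which `.so` the hash refers to; either the native library's own hash or a `// sample is the containing APK; the rule matches its lib/*/libkiwicrash.so` comment would remove the guesswork. `$string = "\x00kiwi_dumper\x00"` is the only indicator with neither a `lib…so` nor a `com/kiwisec` anchor and it fires on its own under `and any of them`; it is a plausible KiwiSec token, but a comment saying where it was observed (export name, section, path) would let a future false positive be triaged against the original evidence.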