From 541a02da45dbd4c8e46b191fae4d6f54d4afa1af Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Wed, 20 Nov 2024 15:11:39 +0530
Subject: [PATCH 1/3] Add rule for kiwisec

Closes [DETECTION] Chinese protectors and packers #389 [DETECTION] KiwiSec ApkProtect #294 [DETECTION] Detect KiwiSec VM-based protector #234
---
 apkid/rules/apk/packers.yara | 20 ++++++++++++++++++++
 apkid/rules/dex/packers.yara | 20 ++++++++++++++++++++
 apkid/rules/elf/packers.yara | 22 ++++++++++++++++++++++
 3 files changed, 62 insertions(+)

diff --git a/apkid/rules/apk/packers.yara b/apkid/rules/apk/packers.yara
index 1f2889b..bf13e21 100644
--- a/apkid/rules/apk/packers.yara
+++ b/apkid/rules/apk/packers.yara
@@ -1099,3 +1099,23 @@ rule gpresto_apk : packer
   condition:
     is_apk and 2 of them
 }
+
+rule kiwisec_apk : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $lib = /lib\/(arm.*|x86.*)\/libkiwicrash\.so/
+    $lib2 = /lib\/(arm.*|x86.*)\/libkiwi_dumper\.so/
+    $lib3 = /lib\/(arm.*|x86.*)\/libKwProtectSDK\.so/
+    $lib4 = /lib\/(arm.*|x86.*)\/libkwsdataenc\.so/
+    $lib5 = /lib\/(arm.*|x86.*)\/libkadp\.so/
+    $lib6 = /lib\/(arm.*|x86.*)\/libwhite-box\.so/
+
+  condition:
+    is_apk and 2 of them
+}
diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 652cf85..3132a3f 100644
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
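Review bot: The ABI component in `$lib` through `$lib6` is `arm.*`/`x86.*`, an unbounded wildcard that can run past the directory separator and across other central-directory entries before it reaches `/libkiwicrash\.so`; the rule still fires whenever the library is present, but the match is looser and costlier than it needs to be. Keeping the wildcard inside one path segment, `$lib = /lib\/(arm|x86)[^\/]*\/libkiwicrash\.so/`, avoids that; if the rest of the file already uses the `arm.*|x86.*` form (not visible in this hunk), following the existing convention is the better call. `$lib5` (`libkadp.so`) and `$lib6` (`libwhite-box.so`) carry no kiwi/Kw prefix, so that pair alone satisfies `2 of them` without any KiwiSec-specific artifact; a comment such as `// libkadp.so / libwhite-box.so: generic names, included because they ship with the Kw* libs in the referenced sample` (assuming that is why they were added) would record why they are trusted.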
@@ -701,3 +701,23 @@ rule dingxiang_dex : packer
     and 2 of ($class*)
     and any of ($hash_code*)
 }
+
+rule kiwisec_dex : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $class = { 00 1E 4C 63 6F 6D 2F 6B 69 77 69 73 65 63
+               2F 63 72 61 73 68 2F 43 72 61 73 68 55 74
+               69 6C 73 3B 00 } // Lcom/kiwisec/crash/CrashUtils;
+    $class2 = { 00 25 4C 63 6F 6D 2F 6B 69 77 69 76 6D 2F
+                73 65 63 75 72 69 74 79 2F 53 74 75 62 41
+                70 70 6C 69 63 61 74 69 6F 6E 3B 00 } // Lcom/kiwivm/security/StubApplication;
+
+  condition:
+    is_dex and any of them
+}
diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
index 73ab449..5b97986 100644
--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -979,3 +979,25 @@ rule gpresto_elf : packer
     and $class
     and 2 of ($name*)
 }
+
+rule kiwisec_elf : packer
+{
+  meta:
+    description = "KiwiSec"
+    url = "https://en.kiwisec.com/"
+    sample = "d108652bd1b685765e3ada2b7376e3c3ff67f8162afcf8bad91e0aef79b7b08a"
+    author = "Abhi"
+
+  strings:
+    $string = "kiwisec"
+    $string2 = "kiwicrash"
+    $string3 = "\x00kiwi_dumper\x00"
+    $string4 = "\x00libKwProtectSDK.so\x00"
+    $string5 = "\x00libkwsdataenc.so\x00"
+    $string6 = "\x00libkiwicrash.so\x00"
+
+    $class = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73 68 2F 4E 61 74 69 76 65 48 61 6E 64 6C 65 72 00 } // com/kiwisec/crash/NativeHandler
+
+  condition:
+    is_elf and any of them
+}

From f70feeaf7d179d96f905c8035aa63d53f21db6e6 Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Wed, 20 Nov 2024 15:16:40 +0530
Subject: [PATCH 2/3] fix indentation

---
 apkid/rules/dex/packers.yara | 6 +++---
 apkid/rules/elf/packers.yara | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apkid/rules/dex/packers.yara b/apkid/rules/dex/packers.yara
index 3132a3f..49215d0 100644
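Review bot: `is_dex and any of them` lets `$class` (`Lcom/kiwisec/crash/CrashUtils;`) on its own tag a DEX as `packer`, yet that descriptor names a crash-reporting class rather than the loader stub; if KiwiSec ships its crash SDK independently of the protector (not verifiable from this hunk), apps that only embed the crash SDK would be classified as packed. `$class2` (`Lcom/kiwivm/security/StubApplication;`) is the protector-specific indicator, so consider `is_dex and $class2` with `$class` kept as supporting evidence, or at least a comment such as `// CrashUtils belongs to KiwiSec's crash SDK; confirmed co-occurring with the protector stub in the referenced sample` to document why it is sufficient alone. The ULEB128 length prefixes `1E` and `25` match the 30- and 37-byte descriptors, so the byte patterns themselves check out.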
--- a/apkid/rules/dex/packers.yara
+++ b/apkid/rules/dex/packers.yara
@@ -711,9 +711,9 @@ rule kiwisec_dex : packer
     author = "Abhi"
 
   strings:
-    $class = { 00 1E 4C 63 6F 6D 2F 6B 69 77 69 73 65 63
-    2F 63 72 61 73 68 2F 43 72 61 73 68 55 74
-    69 6C 73 3B 00 } // Lcom/kiwisec/crash/CrashUtils;
+    $class = { 00 1E 4C 63 6F 6D 2F 6B 69 77 69 73 65 63
+               2F 63 72 61 73 68 2F 43 72 61 73 68 55 74
+               69 6C 73 3B 00 } // Lcom/kiwisec/crash/CrashUtils;
     $class2 = { 00 25 4C 63 6F 6D 2F 6B 69 77 69 76 6D 2F
                 73 65 63 75 72 69 74 79 2F 53 74 75 62 41
                 70 70 6C 69 63 61 74 69 6F 6E 3B 00 } // Lcom/kiwivm/security/StubApplication;
diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
index 5b97986..09248b0 100644
--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -989,7 +989,7 @@ rule kiwisec_elf : packer
     author = "Abhi"
 
   strings:
-    $string = "kiwisec"
+    $string = "kiwisec"
     $string2 = "kiwicrash"
     $string3 = "\x00kiwi_dumper\x00"
     $string4 = "\x00libKwProtectSDK.so\x00"

From 0e35cfabc32e51bb7d562186502d4281ec40af53 Mon Sep 17 00:00:00 2001
From: Abhi <85984486+AbhiTheModder@users.noreply.github.com>
Date: Sun, 8 Dec 2024 04:42:19 +0530
Subject: [PATCH 3/3] kiwisec: enhance rule

---
 apkid/rules/elf/packers.yara | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/apkid/rules/elf/packers.yara b/apkid/rules/elf/packers.yara
index 09248b0..6c6372e 100644
--- a/apkid/rules/elf/packers.yara
+++ b/apkid/rules/elf/packers.yara
@@ -989,15 +989,17 @@ rule kiwisec_elf : packer
     author = "Abhi"
 
   strings:
-    $string = "kiwisec"
-    $string2 = "kiwicrash"
-    $string3 = "\x00kiwi_dumper\x00"
-    $string4 = "\x00libKwProtectSDK.so\x00"
-    $string5 = "\x00libkwsdataenc.so\x00"
-    $string6 = "\x00libkiwicrash.so\x00"
-
-    $class = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73 68 2F 4E 61 74 69 76 65 48 61 6E 64 6C 65 72 00 } // com/kiwisec/crash/NativeHandler
+    $string = "\x00kiwi_dumper\x00"
+    $string2 = "\x00libKwProtectSDK.so\x00"
+    $string3 = "\x00libkwsdataenc.so\x00"
+    $string4 = "\x00libkiwicrash.so\x00"
+
+    $class = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+               68 2F 4E 61 74 69 76 65 48 61 6E 64 6C 65 72 00 } // com/kiwisec/crash/NativeHandler
+    $class2 = { 00 63 6F 6D 2F 6B 69 77 69 73 65 63 2F 63 72 61 73
+                68 2F 43 72 61 73 68 55 74 69 6C 73 00 } // com/kiwisec/crash/CrashUtils
 
   condition:
-    is_elf and any of them
+    is_elf
+    and any of them
 }
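Review bot: `$class` and `$class2` are plain ASCII (`com/kiwisec/crash/NativeHandler`, `com/kiwisec/crash/CrashUtils`) spelled out as NUL-delimited hex, while the four `$string*` entries in the same `strings:` section express the same kind of NUL-bounded ASCII as text strings, so a reviewer has to decode the hex to confirm each trailing comment. Writing them like their neighbours, `$class = "\x00com/kiwisec/crash/NativeHandler\x00"` and `$class2 = "\x00com/kiwisec/crash/CrashUtils\x00"`, matches the same bytes, keeps the rule self-describing and makes the comments unnecessary. Both hex sequences do decode to the strings their comments claim. With `any of them`, either crash-SDK class name alone still tags a library as `packer`; if the crash handler can ship without the protector (not verifiable here), a comment noting that it was only seen together with the Kw* libraries in the referenced sample would help the next maintainer judge the risk of false positives.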