adding / updating linux / android rules (#907)

* adding / updating linux / android rules

* update statement

* apply review feedback

* add additional android rules

* fix feedback

host-interaction/file-system/write/write-file-on-linux.yml

@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/file-system/write
     authors:
       - joakim@intezer.com
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: thread
@@ -27,5 +28,9 @@ rule:
         - api: write
         - api: fwrite
         - api: putwchar
+        - api: dprintf
+        - api: vdprintf
+        - api: fprintf
+        - api: vfprintf
       - optional:
         - match: create or open file

host-interaction/process/create/create-process-on-linux.yml

@@ -19,6 +19,10 @@ rule:
         - os: android
       - or:
         - api: execve
+        - and:
+          - match: execute syscall
+          - arch: aarch64
+          - number: 0xdd = execve
         - api: execl
         - api: execlp
         - api: execle

nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: bypass hidden API restrictions via JNI on Android
+    namespace: host-interaction/bypass
+    authors:
+      - mehunhoff@google.com
+    description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions
+  features:
+    - and:
+      - os: android
+      - string: "dalvik/system/VMRuntime"
+      - string: "getRuntime"
+      - string: "setHiddenApiExemptions"
+      - string: "java/lang/String"

nursery/execute-syscall-instruction.yml → nursery/execute-syscall.yml

@@ -1,19 +1,26 @@
 rule:
   meta:
-    name: execute syscall instruction
+    name: execute syscall
     namespace: anti-analysis
     authors:
       - "@kulinacs"
       - "@mr-tz"
+      - mehunhoff@google.com
     description: may be used to evade hooks or hinder analysis
     scopes:
       static: basic block
       dynamic: unsupported  # requires mnemonic features
     references:
       - https://github.com/j00ru/windows-syscalls
   features:
-    - and:
-      - mnemonic: syscall
-      - or:
-        - mnemonic: ret
-        - mnemonic: retn
+    - or:
+      - and:
+        - or:
+          - os: linux
+          - os: android
+        - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
+      - and:
+        - mnemonic: syscall
+        - or:
+          - mnemonic: ret
+          - mnemonic: retn

nursery/get-current-process-filesystem-mounts-on-linux.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get current process filesystem mounts on Linux
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: linux
+        - os: android
+      - match: create or open file
+      - string: "/proc/self/mounts"

nursery/get-current-process-memory-mapping-on-linux.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get current process memory mapping on Linux
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: linux
+        - os: android
+      - match: create or open file
+      - string: "/proc/self/maps"

nursery/get-system-property-on-android.yml

@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get system property on Android
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - os: android
+      - api: __system_property_get

nursery/hook-routines-via-lsplant.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: hook routines via LSPlant
+    namespace: linking/hooking
+    authors:
+      - mehunhoff@google.com
+    description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization
+    scopes:
+      static: basic block
+      dynamic: thread
+    references:
+      - https://github.com/LSPosed/LSPlant
+  features:
+    - and:
+      - string: "LSPHooker_"
+      - string: "hooker"
+      - string: "{target}"

nursery/load-packed-dex-via-jiagu-on-android.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: load packed DEX via Jiagu on Android
+    namespace: anti-analysis
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://github.com/Frezrik/Jiagu
+  features:
+    - and:
+      - os: android
+      - string: "NDK_JIAGU"
+      - string: "[-]get %s handle failed:%s"
+      - string: "[-]ANONYMOUS mmap failed:%s"
+      - string: "[-]g_sdk_int Update cookie failed"
+      - string: "dalvik/system/InMemoryDexClassLoader"

nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: modify API blacklist or denylist via JNI on Android
+    namespace: host-interaction/bypass
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: thread
+  features:
+    - and:
+      - os: android
+      - string: "com/android/internal/os/ZygoteInit"
+      - or:
+        - string: "setApiBlacklistExemptions"
+        - string: "setApiDenylistExemptions"
+      - string: "java/lang/String"

nursery/truncate-file-on-linux.yml

@@ -0,0 +1,15 @@
+rule:
+  meta:
+    name: truncate file on Linux
+    namespace: host-interaction/file-system/truncate
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: android
+        - os: linux
+      - api: ftruncate