APKiD icon indicating copy to clipboard operation
APKiD copied to clipboard

Published 20 hours ago verified publisher icon rednaga

Added protector to yara (FreeRASP)

Open Fare9 opened this issue 2 years ago • 2 comments

Added a protector to yara rules for APK.

Fare9 avatar Sep 13 '22 14:09 Fare9

Added improvements of readability!

Fare9 avatar Sep 21 '22 18:09 Fare9

Added a protector to yara rules for APK.

@Fare9 This rule need slight modification as https://virustotal.com/gui/file/e10b8772fd9b6aaf8ba030c5bcb324fb9b91f34e893a62bdf238629df856e047 not matching with it . There is no asset/talsec file

apkunpacker avatar Sep 22 '22 02:09 apkunpacker

Ready to be merged @Fare9. What do you think about @apkunpacker's comment?

enovella avatar Sep 22 '22 10:09 enovella

I can balance the whitespaces, regarding what @apkunpacker says, I have not been able to download the APK for testing it, I tested it with applications generated with Android Studio, and using the provided configuration from the FreeRASP webpage. In the cases I generated they had the asset of talsec, and also the libraries. The libsecurity.so, for example, is where all the protections of anti-analysis are implemented.

Fare9 avatar Sep 22 '22 12:09 Fare9

I can balance the whitespaces, regarding what @apkunpacker says, I have not been able to download the APK for testing it, I tested it with applications generated with Android Studio, and using the provided configuration from the FreeRASP webpage. In the cases I generated they had the asset of talsec, and also the libraries. The libsecurity.so, for example, is where all the protections of anti-analysis are implemented.

Here is sample attached TalsecRaspSample.apk.zip

apkunpacker avatar Sep 22 '22 13:09 apkunpacker

Will check the yara with that apk, and modify it accordingly to detect that one, and detect all those from my dataset too as test. Thanks!

Fare9 avatar Sep 22 '22 14:09 Fare9

For what I see there are not assets in this APK, but the libraries are included, I can change it tonight. And probably add some of DEX or ELF that they have in common between these apps.

Fare9 avatar Sep 22 '22 15:09 Fare9

@Fare9 LGTM! Happy to merge when you reply my last comments.

enovella avatar Sep 23 '22 08:09 enovella

Okay, I will add a last commit, one with the asset the other without it, the rule will be _old and _new, and yes I will be happy to include the code from the offsets, in that way as you said is easier to understand the rule (I was worried that the code would be too verbose)

Fare9 avatar Sep 23 '22 13:09 Fare9