[DETECTION] Appdome : Enhance Elf rule #431

Open
AbhiTheModder opened this issue Jan 23, 2025 · 7 comments
Labels
detection-issue Bad detection or no detection

Comments

@AbhiTheModder
Contributor

AbhiTheModder commented Jan 23, 2025

Sample: br.gov.caixa.tem

Describe the detection issue
aarch64 ELF binary missed detection

APKiD current results...

[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!assets/LmKAtjeTol/FaSfBKpBGly.dex
 |-> compiler : unknown (please file detection issue!)
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.TAGS check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes0.dex
 |-> compiler : unknown (please file detection issue!)
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes2.dex
 |-> compiler : unknown (please file detection issue!)
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes3.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
 |-> obfuscator : unreadable field names
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, emulator file check, network operator name check
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes5.dex
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes6.dex
 |-> anti_vm : possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes7.dex
 |-> anti_vm : Build.MANUFACTURER check, network operator name check
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!classes8.dex
 |-> compiler : dexlib 2.x
[*] /home/CAIXA Tem_1.90.7_APKPure.apk!lib/armeabi-v7a/libloader.so
 |-> protector : Appdome
@AbhiTheModder AbhiTheModder added the detection-issue Bad detection or no detection label Jan 23, 2025
@apkunpacker
Contributor

I propose adding a new section name .rhash into existing rule
https://github.com/rednaga/APKiD/blob/master/apkid/rules/elf/protectors.yara#L101

rule appdome_elf_a : protector
{
  meta:
    description = "Appdome"
    sample      = "0143ddce30b16890180cfa71c49520bde4cce706762f4da756e8c4d06283a481"
    url         = "https://www.appdome.com/"
    author      = "Eduardo Novella"

  condition:
    is_elf and not appdome_elf and
      // Match at least 2 section names from hook,.hookname,adinit,.adi,ipcent,ipcsel,rhash
      for 2 i in (0..elf.number_of_sections):
        (elf.sections[i].name matches /(hook|\.hookname|adinit|\.adi|ipcent|rhash|ipcsel)/)
}
$ yara appdome.yara libloader.so
is_elf libloader.so
appdome_elf_a libloader.so
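
Added example (not from this thread or from APKiD): a small Python checker that reads section names from an ELF32/ELF64 image the way the proposed rule iterates `elf.sections[i].name`, applies the alternation exactly as written (dotless `rhash`, so `.rhash` is still hit by the unanchored search, while `.hash` and `.gnu.hash` are not), and reports which names matched and whether the 2-section threshold is met. `build_elf64` is a constructed fixture that emits only a `.shstrtab` plus empty named sections so the check runs offline; section names such as `.rhash` and `.adi` come from the thread.

```python
import re
import struct

# Alternation exactly as proposed in the thread; "rhash" has no leading dot, so an
# unanchored search also hits ".rhash" (and any name that merely contains "rhash").
APPDOME_SECTION_RE = re.compile(r"(hook|\.hookname|adinit|\.adi|ipcent|rhash|ipcsel)")

def elf_section_names(data: bytes) -> list[str]:
    """Section names of a little-endian ELF32/ELF64 image, read from .shstrtab."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    if is64:  # e_shoff @0x28, e_shentsize/e_shnum/e_shstrndx @0x3a
        (shoff,) = struct.unpack_from("<Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3a)
    else:     # e_shoff @0x20, e_shentsize/e_shnum/e_shstrndx @0x2e
        (shoff,) = struct.unpack_from("<I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2e)

    def shdr(i):  # (sh_name, sh_offset, sh_size) of section header i
        fmt = "<IIQQQQ" if is64 else "<IIIIII"
        name, _type, _flags, _addr, off, size = struct.unpack_from(fmt, data, shoff + i * shentsize)
        return name, off, size

    _, str_off, str_size = shdr(shstrndx)
    strtab = data[str_off:str_off + str_size]
    return [strtab[n:strtab.index(b"\0", n)].decode() for n, _, _ in map(shdr, range(shnum))]

def appdome_hits(names, pattern=APPDOME_SECTION_RE, minimum=2):
    """Mirror the rule condition: (matching section names, whether >= minimum matched)."""
    hits = [n for n in names if pattern.search(n)]
    return hits, len(hits) >= minimum

def build_elf64(section_names):
    """Constructed fixture: an ELF64 image holding only .shstrtab plus empty named sections."""
    names = [""] + list(section_names) + [".shstrtab"]
    strtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b"\0"
    shoff = (64 + len(strtab) + 7) & ~7  # section headers start 8-byte aligned after strtab
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names), len(names) - 1)
    shdrs = b""
    for i, n in enumerate(names):
        stype = 0 if i == 0 else 3 if n == ".shstrtab" else 1  # NULL / STRTAB / PROGBITS
        off, size = (64, len(strtab)) if n == ".shstrtab" else (0, 0)
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[n], stype, 0, 0, off, size, 0, 0, 1, 0)
    image = ehdr + strtab
    return image + b"\0" * (shoff - len(image)) + shdrs
```

Point `elf_section_names` at the bytes of a real `libloader.so` to compare its output with the `iS` listings from radare2.
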

@enovella
Collaborator

I propose adding a new section name .rhash into existing rule
https://github.com/rednaga/APKiD/blob/master/apkid/rules/elf/protectors.yara#L101

rule appdome_elf_a : protector
{
  meta:
    description = "Appdome"
    sample      = "0143ddce30b16890180cfa71c49520bde4cce706762f4da756e8c4d06283a481"
    url         = "https://www.appdome.com/"
    author      = "Eduardo Novella"

  condition:
    is_elf and not appdome_elf and
      // Match at least 2 section names from hook,.hookname,adinit,.adi,ipcent,ipcsel,rhash
      for 2 i in (0..elf.number_of_sections):
        (elf.sections[i].name matches /(hook|\.hookname|adinit|\.adi|ipcent|rhash|ipcsel)/)
}
$ yara appdome.yara libloader.so
is_elf libloader.so
appdome_elf_a libloader.so

You meant \.rhash including the dot, right?

@enovella
Collaborator

@AbhiTheModder can you share the ARM64 library?

@AbhiTheModder
Contributor Author

@AbhiTheModder can you share the ARM64 library?

libloader.zip

@enovella
Collaborator

Which segments do you believe are unique to the protector?

[0x00057000]> iS
nth paddr           size vaddr          vsize perm flags type        name
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000000       0x0 0x00000000       0x0 ---- 0x0   NULL
1   0x00000190     0x8b0 0x00000190     0x8b0 -r-- 0x2   HASH        .hash
2   0x00000a40    0x1b48 0x00000a40    0x1b48 -r-- 0x2   DYNSYM      .dynsym
3   0x00002588     0xbd4 0x00002588     0xbd4 -r-- 0x2   STRTAB      .dynstr
4   0x0000315c     0x246 0x0000315c     0x246 -r-- 0x2   GNU_VERSYM  .gnu.version
5   0x000033a8      0x60 0x000033a8      0x60 -r-- 0x2   GNU_VERNEED .gnu.version_r
6   0x00003408   0x506a0 0x00003408   0x506a0 -r-- 0x2   RELA        .rela.dyn
7   0x00053aa8    0x1a70 0x00053aa8    0x1a70 -r-- 0x42  RELA        .rela.plt
8   0x00055520    0x11c0 0x00055520    0x11c0 -r-x 0x6   PROGBITS    .plt
9   0x00057000  0x6dc304 0x00057000  0x6dc304 -r-x 0x6   PROGBITS    .text
10  0x00733310   0x55c30 0x00733310   0x55c30 -r-- 0x2   PROGBITS    .rodata
11  0x00788f40    0x9dfa 0x00788f40    0x9dfa -r-- 0x2   PROGBITS    .gcc_ctx
12  0x00792d3a    0x7d21 0x00792d3a    0x7d21 -r-- 0x2   PROGBITS    .dyncall
13  0x0079aa5c      0x70 0x0079aa5c      0x70 -r-- 0x2   PROGBITS    .abi
14  0x0079aacc      0x71 0x0079aacc      0x71 -r-- 0x2   PROGBITS    .eh_stack
15  0x0079ab3d      0x1c 0x0079ab3d      0x1c -r-- 0x2   PROGBITS    .gnu.plt
16  0x0079ab5c    0xa574 0x0079ab5c    0xa574 -r-- 0x2   PROGBITS    .eh_frame_hdr
17  0x007a50d0   0x32c48 0x007a50d0   0x32c48 -r-- 0x2   PROGBITS    .eh_frame
18  0x007d7d18    0x3bcc 0x007d7d18    0x3bcc -r-- 0x2   PROGBITS    .gcc_except_table
19  0x007dbf48      0x58 0x007ebf48      0x58 -rw- 0x3   INIT_ARRAY  .init_array
20  0x007dbfa0      0x10 0x007ebfa0      0x10 -rw- 0x3   FINI_ARRAY  .fini_array
21  0x007dbfb0   0x27c20 0x007ebfb0   0x27c20 -rw- 0x3   PROGBITS    .data.rel.ro
22  0x00803bd0     0x230 0x00813bd0     0x230 -rw- 0x3   DYNAMIC     .dynamic
23  0x00803e00    0x21e8 0x00813e00    0x21e8 -rw- 0x3   PROGBITS    .got
24  0x00808000     0x8e8 0x00818000     0x8e8 -rw- 0x3   PROGBITS    .got.plt
25  0x008088f0   0xb2438 0x008188f0   0xb2438 -rw- 0x3   PROGBITS    .data
26  0x008bad30     0x240 0x008cad30     0x240 -rw- 0x3   PROGBITS    .imtab
27  0x008baf70     0x5ba 0x008caf70     0x5ba -rw- 0x33  PROGBITS    .rhash
28  0x008bb530     0xc78 0x008cb530     0xc78 -rw- 0x3   PROGBITS    .stack
29  0x008bc1a8     0x264 0x008cc1a8     0x264 -rw- 0x3   PROGBITS    .adi
30  0x008bc40c       0x0 0x008cc410  0xbe9af0 -rw- 0x3   NOBITS      .bss
31  0x008bc40c      0x27 0x00000000      0x27 ---- 0x30  PROGBITS    .comment
32  0x008bc433     0x11d 0x00000000     0x11d ---- 0x0   STRTAB      .shstrtab

@enovella
Collaborator

ARM 32 bits segments:

armeabi-v7a$ r2 libloader.so
ERROR: Cannot determine entrypoint, using 0x00001000
[0x00001000]> iS
nth paddr           size vaddr          vsize perm flags type        name
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000000       0x0 0x00000000       0x0 ---- 0x0   NULL
1   0x00000174     0xd94 0x00000174     0xd94 -r-x 0x6   PROGBITS    .plt
2   0x00001000  0x535a9c 0x00001000  0x535a9c -r-x 0x6   PROGBITS    .text
3   0x00537000      0x13 0x00537000      0x13 -r-- 0x2   PROGBITS    .interp
4   0x00537014    0x1320 0x00537014    0x1320 -r-- 0x2   DYNSYM      .dynsym
5   0x00538334     0xd79 0x00538334     0xd79 -r-- 0x2   STRTAB      .dynstr
6   0x005390b0     0x8ec 0x005390b0     0x8ec -r-- 0x2   HASH        .hash
7   0x0053999c     0x264 0x0053999c     0x264 -r-- 0x2   GNU_VERSYM  .gnu.version
8   0x00539c00      0x1c 0x00539c00      0x1c -r-- 0x2   GNU_VERDEF  .gnu.version_d
9   0x00539c1c      0x60 0x00539c1c      0x60 -r-- 0x2   GNU_VERNEED .gnu.version_r
10  0x00539c7c   0x1f2d8 0x00539c7c   0x1f2d8 -r-- 0x2   REL         .rel.dyn
11  0x00558f54     0x900 0x00558f54     0x900 -r-- 0x42  REL         .rel.plt
12  0x00559854    0x7110 0x00559854    0x7110 -r-- 0x82  ----        .ARM.exidx
13  0x00560964    0x9da3 0x00560964    0x9da3 -r-- 0x2   PROGBITS    .gcc_abi
14  0x0056a710   0x4726c 0x0056a710   0x4726c -r-- 0x2   PROGBITS    .rodata
15  0x005b197c    0x8190 0x005b197c    0x8190 -r-- 0x2   PROGBITS    .ARM.extab
16  0x005b9b0c    0x7c6a 0x005b9b0c    0x7c6a -r-- 0x2   PROGBITS    .gnu.plt
17  0x005c1776      0x1c 0x005c1776      0x1c -r-- 0x2   PROGBITS    .gnu.got
18  0x005c1794      0x38 0x005c1794      0x38 -r-- 0x2   PROGBITS    .elf
19  0x005c17cc      0x71 0x005c17cc      0x71 -r-- 0x2   PROGBITS    .eh_trace
20  0x005c1840      0x34 0x005c1840      0x34 -r-- 0x2   PROGBITS    .eh_frame
21  0x005c1874      0x14 0x005c1874      0x14 -r-- 0x2   PROGBITS    .eh_frame_hdr
22  0x005c2410    0xecf0 0x005c3410    0xecf0 -rw- 0x3   PROGBITS    .data.rel.ro.local
23  0x005d1100       0x8 0x005d2100       0x8 -rw- 0x3   FINI_ARRAY  .fini_array
24  0x005d1108    0x783c 0x005d2108    0x783c -rw- 0x3   PROGBITS    .data.rel.ro
25  0x005d8944      0x28 0x005d9944      0x28 -rw- 0x3   INIT_ARRAY  .init_array
26  0x005d896c     0x130 0x005d996c     0x130 -rw- 0x3   DYNAMIC     .dynamic
27  0x005d8a9c    0x1564 0x005d9a9c    0x1564 -rw- 0x3   PROGBITS    .got
28  0x005da000   0xd2588 0x005db000   0xd2588 -rw- 0x3   PROGBITS    .data
29  0x006ac588     0x648 0x006ad588     0x648 -rw- 0x3   PROGBITS    .imtab
30  0x006acbd0     0x120 0x006adbd0     0x120 -rw- 0x3   PROGBITS    .frame
31  0x006accf0     0x5ba 0x006adcf0     0x5ba -rw- 0x33  PROGBITS    .rhash
32  0x006ad2aa     0x264 0x006ae2aa     0x264 -rw- 0x3   PROGBITS    .adi
33  0x006ad50e       0x0 0x006ae510  0xbd845c -rw- 0x3   NOBITS      .bss
34  0x006ad50e      0x37 0x00000000      0x37 ---- 0x30  PROGBITS    .comment
35  0x006ad548      0x1c 0x00000000      0x1c ---- 0x0   NOTE        .note.gnu.gold-version
36  0x006ad564      0x3a 0x00000000      0x3a ---- 0x0   ----        .ARM.attributes
37  0x006ad59e     0x167 0x00000000     0x167 ---- 0x0   STRTAB      .shstrtab

@AbhiTheModder
Contributor Author

Which segments do you believe are unique to the protector?

Haven't worked with or looked into Appdome before, so I'm not sure, but .rhash (has a size, but the segment is empty) & .adi (has a size & a non-empty segment) seem unique in both ARM 64 & 32.
