Improve compiler fingerprints for tiny dexen

meprajjwal · Jan 6, 2020 · 5aee3c7 · 5aee3c7
1 parent 90cc6b6
commit 5aee3c7
Showing 1 changed file with 52 additions and 15 deletions.
diff --git a/apkid/rules/dex/compilers.yara b/apkid/rules/dex/compilers.yara
@@ -50,7 +50,8 @@ private rule dexlib2_map_type_order : internal
     description = "dexlib2 map_list type order"
 
   condition:
-    dex.map_list.map_item[7].type == 0x2002 // TYPE_STRING_DATA_ITEM
+    (dex.map_list.map_item[7].type == 0x2002 and dex.map_list.map_item[8].type == 0x1001)
+    or (dex.map_list.map_item[6].type == 0x2002 and dex.map_list.map_item[7].type == 0x1001)
 }
 
 private rule null_interfaces : internal
@@ -80,13 +81,23 @@ private rule dx_map_type_order : internal
      * The order starting at offset 7 is:
      *   0x1002 = TYPE_ANNOTATION_SET_REF_LIST (optional)
      *   0x1003 = TYPE_ANNOTATION_SET_ITEM (optional)
-     *   0x2001 = TYPE_CODE_ITEM
+     *   0x2001 = TYPE_CODE_ITEM (optional, but very common)
      *   0x2006 = TYPE_ANNOTATIONS_DIRECTORY_ITEM (optional)
-     *   0x1001 = TYPE_TYPE_LIST
+     *   0x1001 = TYPE_TYPE_LIST (optional, but common)
+     *   0x2002 = TYPE_STRING_DATA_ITEM
+     * Also, for reference:
+     *   0x0000 = TYPE_HEADER_ITEM
+     *   0x0001 = TYPE_STRING_ID_ITEM
+     *   0x0002 = TYPE_TYPE_ID_ITEM
+     *   0x0006 = TYPE_CLASS_DEF_ITEM
+     *   0x1000 = TYPE_MAP_LIST
      */
-    // missing all TYPE_ANNOTATION*
+    // missing all TYPE_ANNOTATION*, common case
     (dex.map_list.map_item[7].type == 0x2001 and dex.map_list.map_item[8].type == 0x1001)
 
+    // missing all TYPE_ANNOTATION*, and TYPE_TYPE_LIST so probably very small DEX
+    or (dex.map_list.map_item[7].type == 0x2001 and dex.map_list.map_item[8].type == 0x2002)
+
     // has all TYPE_ANNOTATION*
     or (dex.map_list.map_item[7].type == 0x1002 and dex.map_list.map_item[8].type == 0x1003 and dex.map_list.map_item[9].type == 0x2001 and dex.map_list.map_item[10].type == 0x2006 and dex.map_list.map_item[11].type == 0x1001)
 
@@ -107,6 +118,22 @@ private rule dx_map_type_order : internal
 
     // missing TYPE_ANNOTATIONS_DIRECTORY_ITEM
     or (dex.map_list.map_item[7].type == 0x1002 and dex.map_list.map_item[8].type == 0x1003 and dex.map_list.map_item[9].type == 0x2001 and dex.map_list.map_item[10].type == 0x1001)
+
+    // missing almost everything, VERY tiny dex
+    or (dex.map_list.map_item[1].type == 0x0001 and dex.map_list.map_item[2].type == 0x0002 and dex.map_list.map_item[3].type == 0x0006 and dex.map_list.map_item[4].type == 0x2002 and dex.map_list.map_item[5].type == 0x1000)
+
+    // missing code and (fields | something else), likely small dex
+    or (dex.map_list.map_item[6].type == 0x1003 and dex.map_list.map_item[7].type == 0x2006 and dex.map_list.map_item[8].type == 0x1001 and dex.map_list.map_item[9].type == 0x2002)
+}
+
+private rule ambiguous_tiny_dex_map_type_order : internal
+{
+  meta:
+    description = "ambiguous tiny dex map type order"
+
+  condition:
+    // missing almost everything, dexlib2 and r8 are identical here, impossible to type alone
+    (dex.map_list.map_item[1].type == 0x0001 and dex.map_list.map_item[2].type == 0x0002 and dex.map_list.map_item[3].type == 0x0006 and dex.map_list.map_item[4].type == 0x2002 and dex.map_list.map_item[5].type == 0x1003 and dex.map_list.map_item[6].type == 0x1000)
 }
 
 private rule r8_map_type_order : internal
@@ -126,13 +153,20 @@ private rule r8_map_type_order : internal
      */
     // missing TYPE_CALL_SITE_ID_ITEM and TYPE_METHOD_HANDLE_ITEM, common case
     (dex.map_list.map_item[7].type == 0x2001 and dex.map_list.map_item[8].type == 0x2003 and dex.map_list.map_item[9].type == 0x1001)
+
     // has everything
     or (dex.map_list.map_item[7].type == 0x0007 and dex.map_list.map_item[8].type == 0x0008 and dex.map_list.map_item[9].type == 0x2001 and dex.map_list.map_item[10].type == 0x2003 and dex.map_list.map_item[11].type == 0x1001)
+
     // missing TYPE_CALL_SITE_ID_ITEM
     or (dex.map_list.map_item[7].type == 0x0008 and dex.map_list.map_item[8].type == 0x2001 and dex.map_list.map_item[9].type == 0x2003 and dex.map_list.map_item[10].type == 0x1001)
+
     // missing TYPE_METHOD_HANDLE_ITEM
     or (dex.map_list.map_item[7].type == 0x0007 and dex.map_list.map_item[8].type == 0x2001 and dex.map_list.map_item[9].type == 0x2003 and dex.map_list.map_item[10].type == 0x1001)
-    // missing TYPE_CALL_SITE_ID_ITEM, TYPE_METHOD_HANDLE_ITEM, and TYPE_DEBUG_INFO_ITEM is possibly identical to dx map type order, so ignore that
+
+    // ignore missing TYPE_CALL_SITE_ID_ITEM, TYPE_METHOD_HANDLE_ITEM, and TYPE_DEBUG_INFO_ITEM is possibly identical to dx map type order
+
+    // missing code and (fields | something else), likely small dex
+    or (dex.map_list.map_item[6].type == 0x1001 and dex.map_list.map_item[7].type == 0x2002 and dex.map_list.map_item[8].type == 0x2004 and dex.map_list.map_item[9].type == 0x2000 and dex.map_list.map_item[10].type == 0x1003)
 }
 
 private rule r8_marker : internal
@@ -282,26 +316,27 @@ rule dexlib1 : compiler
     unsorted_string_pool
 }
 
-rule dexlib2 : compiler
+rule dexlib2beta : compiler
 {
   meta:
-    description = "dexlib 2.x"
-    sample      = "c7c566b1b185c99e338a77865eaf2eed6dc9b2b97793e262208c0b7f38bbf947"
+    description = "dexlib 2.x beta"
+    sample      = "8fd8c1e2337a4d2ac8f8f64c13a4fb304589ecf165e41de27ebc656a7475a008"
 
   condition:
-    not dexlib1 and dexlib2_map_type_order
+    not dexlib1
+    and null_interfaces
 }
 
-rule dexlib2beta : compiler
+rule dexlib2 : compiler
 {
   meta:
-    description = "dexlib 2.x beta"
-    sample      = "8fd8c1e2337a4d2ac8f8f64c13a4fb304589ecf165e41de27ebc656a7475a008"
+    description = "dexlib 2.x"
+    sample      = "c7c566b1b185c99e338a77865eaf2eed6dc9b2b97793e262208c0b7f38bbf947"
 
   condition:
     not dexlib1
-    and not dexlib2
-    and null_interfaces
+    and dexlib2_map_type_order
+    and not dexlib2beta
 }
 
 rule dx : compiler
@@ -337,10 +372,11 @@ rule r8 : compiler
   meta:
     description = "r8"
     sample      = "e45ea01eedfc7bede77669412cce07b7d41b284bc6ffc9dfa27a519270bbe99a"
+    sample2     = "bae4c7c1974fa317ecc8fbbcf7bafa3b1a0d5903fdd3040412c628277cf45258"
 
   condition:
     r8_marker
-    and r8_map_type_order
+    and (r8_map_type_order or ambiguous_tiny_dex_map_type_order)
 }
 
 rule r8_merged : compiler
@@ -360,6 +396,7 @@ rule r8_no_marker : compiler
     // Hiding the marker is easier than hiding the map type order.
     description = "r8 without marker (suspicious)"
     sample      = "f399d833ff54a798d609279bb8a51222c75be9b7fb7b3ab9cc8cb628f7d76257"
+    sample2     = "d8a5545eb3c76d8078d778eb5962398d9f2fefab34f971b19beda35e0e76f6ef"
 
   condition:
     not r8_marker