Merge pull request #14 from lsd-cat/xcyiwx-codex/align-java-detection-logic-with-python

Align Android Java indicators with Python

Author: lsd-cat

java/src/main/java/org/osservatorionessuno/libmvt/android/artifacts/DumpsysAccessibility.java

@@ -61,8 +61,8 @@ public void checkIndicators() {
         for (Object obj : results) {
             @SuppressWarnings("unchecked")
             Map<String, String> record = (Map<String, String>) obj;
-            String context = record.get("service");
-            detected.addAll(indicators.matchString(context, IndicatorType.PROCESS));
+            String pkg = record.get("package_name");
+            detected.addAll(indicators.matchString(pkg, IndicatorType.APP_ID));
         }
     }
 }

java/src/main/java/org/osservatorionessuno/libmvt/android/artifacts/DumpsysPackages.java

@@ -17,7 +17,26 @@ public class DumpsysPackages extends AndroidArtifact {
             "eu.chainfire.supersu",
             "com.koushikdutta.superuser",
             "com.thirdparty.superuser",
-            "com.yellowes.su"
+            "com.yellowes.su",
+            "com.koushikdutta.rommanager",
+            "com.koushikdutta.rommanager.license",
+            "com.dimonvideo.luckypatcher",
+            "com.chelpus.lackypatch",
+            "com.ramdroid.appquarantine",
+            "com.ramdroid.appquarantinepro",
+            "com.devadvance.rootcloak",
+            "com.devadvance.rootcloakplus",
+            "de.robv.android.xposed.installer",
+            "com.saurik.substrate",
+            "com.zachspong.temprootremovejb",
+            "com.amphoras.hidemyroot",
+            "com.amphoras.hidemyrootadfree",
+            "com.formyhm.hiderootPremium",
+            "com.formyhm.hideroot",
+            "me.phh.superuser",
+            "eu.chainfire.supersu.pro",
+            "com.kingouser.com",
+            "com.topjohnwu.magisk"
     );
 
     private static class PackageDetails {
@@ -174,15 +193,16 @@ public void parse(String content) {
 
     @Override
     public void checkIndicators() {
-        if (indicators == null) return;
         for (Object obj : results) {
             @SuppressWarnings("unchecked")
             Map<String, Object> record = (Map<String, Object>) obj;
             String pkg = (String) record.get("package_name");
             if (ROOT_PACKAGES.contains(pkg)) {
                 detected.add(new Detection(IndicatorType.PROCESS, pkg, "root_package"));
             }
-            detected.addAll(indicators.matchString(pkg, IndicatorType.APP_ID));
+            if (indicators != null) {
+                detected.addAll(indicators.matchString(pkg, IndicatorType.APP_ID));
+            }
         }
     }
 }

java/src/main/java/org/osservatorionessuno/libmvt/common/Indicators.java

@@ -21,13 +21,20 @@ public class Indicators {
     private final Trie processTrie;
     private final Trie appIdTrie;
     private final Trie propertyTrie;
+    private final List<String> processList;
+    private final List<String> appIdList;
+    private final List<String> propertyList;
 
-    private Indicators(Trie domainTrie, Trie urlTrie, Trie processTrie, Trie appIdTrie, Trie propertyTrie) {
+    private Indicators(Trie domainTrie, Trie urlTrie, Trie processTrie, Trie appIdTrie, Trie propertyTrie,
+                       List<String> processList, List<String> appIdList, List<String> propertyList) {
         this.domainTrie = domainTrie;
         this.urlTrie = urlTrie;
         this.processTrie = processTrie;
         this.appIdTrie = appIdTrie;
         this.propertyTrie = propertyTrie;
+        this.processList = processList;
+        this.appIdList = appIdList;
+        this.propertyList = propertyList;
     }
 
     public static Indicators loadFromDirectory(File dir) throws IOException {
@@ -37,9 +44,12 @@ public static Indicators loadFromDirectory(File dir) throws IOException {
         Trie.TrieBuilder processes = Trie.builder().ignoreCase();
         Trie.TrieBuilder appIds = Trie.builder().ignoreCase();
         Trie.TrieBuilder properties = Trie.builder().ignoreCase();
+        List<String> procList = new ArrayList<>();
+        List<String> appIdList = new ArrayList<>();
+        List<String> propList = new ArrayList<>();
 
         File[] files = dir.listFiles((d, name) -> name.endsWith(".json") || name.endsWith(".stix2"));
-        if (files == null) return new Indicators(domains.build(), urls.build(), processes.build(), appIds.build(), properties.build());
+        if (files == null) return new Indicators(domains.build(), urls.build(), processes.build(), appIds.build(), properties.build(), procList, appIdList, propList);
 
         for (File f : files) {
             if (f.getName().endsWith(".stix2")) {
@@ -48,7 +58,8 @@ public static Indicators loadFromDirectory(File dir) throws IOException {
                     BundleObject bundle = StixParsers.parseBundle(json);
                     for (BundleableObject obj : bundle.getObjects()) {
                         if (obj instanceof IndicatorSdo ind) {
-                            addPattern(domains, urls, processes, appIds, properties, ind.getPattern());
+                            addPattern(domains, urls, processes, appIds, properties,
+                                       procList, appIdList, propList, ind.getPattern());
                         }
                     }
                 } catch (Exception ex) {
@@ -58,7 +69,9 @@ public static Indicators loadFromDirectory(File dir) throws IOException {
                     if (objects != null && objects.isArray()) {
                         for (JsonNode node : objects) {
                             if ("indicator".equals(node.path("type").asText())) {
-                                addPattern(domains, urls, processes, appIds, properties, node.path("pattern").asText());
+                                addPattern(domains, urls, processes, appIds, properties,
+                                           procList, appIdList, propList,
+                                           node.path("pattern").asText());
                             }
                         }
                     }
@@ -68,21 +81,24 @@ public static Indicators loadFromDirectory(File dir) throws IOException {
                 JsonNode arr = root.get("indicators");
                 if (arr == null) continue;
                 for (JsonNode coll : arr) {
-                    addField(domains, coll, "domain-name:value");
-                    addField(domains, coll, "ipv4-addr:value");
-                    addField(urls, coll, "url:value");
-                    addField(processes, coll, "process:name");
-                    addField(appIds, coll, "app:id");
-                    addField(properties, coll, "android-property:name");
+                    addField(domains, coll, "domain-name:value", null);
+                    addField(domains, coll, "ipv4-addr:value", null);
+                    addField(urls, coll, "url:value", null);
+                    addField(processes, coll, "process:name", procList);
+                    addField(appIds, coll, "app:id", appIdList);
+                    addField(properties, coll, "android-property:name", propList);
                 }
             }
         }
-        return new Indicators(domains.build(), urls.build(), processes.build(), appIds.build(), properties.build());
+        return new Indicators(domains.build(), urls.build(), processes.build(), appIds.build(), properties.build(),
+                procList, appIdList, propList);
     }
 
     private static void addPattern(Trie.TrieBuilder domains, Trie.TrieBuilder urls,
                                    Trie.TrieBuilder processes, Trie.TrieBuilder appIds,
-                                   Trie.TrieBuilder properties, String pattern) {
+                                   Trie.TrieBuilder properties,
+                                   List<String> procList, List<String> appIdList, List<String> propList,
+                                   String pattern) {
         if (pattern == null) return;
         String p = pattern.trim();
         if (p.startsWith("[") && p.endsWith("]")) {
@@ -98,22 +114,23 @@ private static void addPattern(Trie.TrieBuilder domains, Trie.TrieBuilder urls,
         switch (key) {
             case "domain-name:value", "ipv4-addr:value" -> domains.addKeyword(value.toLowerCase());
             case "url:value" -> urls.addKeyword(value.toLowerCase());
-            case "process:name" -> processes.addKeyword(value.toLowerCase());
-            case "app:id" -> appIds.addKeyword(value.toLowerCase());
-            case "android-property:name" -> properties.addKeyword(value.toLowerCase());
+            case "process:name" -> { processes.addKeyword(value.toLowerCase()); procList.add(value.toLowerCase()); }
+            case "app:id" -> { appIds.addKeyword(value.toLowerCase()); appIdList.add(value.toLowerCase()); }
+            case "android-property:name" -> { properties.addKeyword(value.toLowerCase()); propList.add(value.toLowerCase()); }
             default -> {
             }
         }
     }
 
-    private static void addField(Trie.TrieBuilder builder, JsonNode coll, String key) {
+    private static void addField(Trie.TrieBuilder builder, JsonNode coll, String key, List<String> store) {
         if (coll == null) return;
         JsonNode node = coll.get(key);
         if (node == null || node.isNull()) return;
         for (JsonNode value : iterable(node)) {
             String s = value.asText();
             if (s != null && !s.isBlank()) {
                 builder.addKeyword(s.toLowerCase());
+                if (store != null) store.add(s.toLowerCase());
             }
         }
     }
@@ -125,16 +142,40 @@ private static Iterable<JsonNode> iterable(JsonNode node) {
 
     public List<Detection> matchString(String s, IndicatorType type) {
         if (s == null) return List.of();
-        Trie trie = switch (type) {
-            case DOMAIN -> domainTrie;
-            case URL -> urlTrie;
-            case PROCESS -> processTrie;
-            case APP_ID -> appIdTrie;
-            case PROPERTY -> propertyTrie;
-        };
+        String lower = s.toLowerCase();
         List<Detection> detections = new ArrayList<>();
-        for (Emit e : trie.parseText(s.toLowerCase())) {
-            detections.add(new Detection(type, e.getKeyword(), s));
+        switch (type) {
+            case DOMAIN -> {
+                for (Emit e : domainTrie.parseText(lower)) {
+                    detections.add(new Detection(type, e.getKeyword(), s));
+                }
+            }
+            case URL -> {
+                for (Emit e : urlTrie.parseText(lower)) {
+                    detections.add(new Detection(type, e.getKeyword(), s));
+                }
+            }
+            case PROCESS -> {
+                for (String kw : processList) {
+                    if (kw.equals(lower) || (lower.length() == 16 && kw.startsWith(lower))) {
+                        detections.add(new Detection(type, kw, s));
+                    }
+                }
+            }
+            case APP_ID -> {
+                for (String kw : appIdList) {
+                    if (kw.equals(lower)) {
+                        detections.add(new Detection(type, kw, s));
+                    }
+                }
+            }
+            case PROPERTY -> {
+                for (String kw : propertyList) {
+                    if (kw.equals(lower)) {
+                        detections.add(new Detection(type, kw, s));
+                    }
+                }
+            }
         }
         return detections;
     }

java/src/test/java/org/osservatorionessuno/libmvt/android/artifacts/DumpsysAccessibilityTest.java

@@ -46,10 +46,15 @@ public void testIocCheck() throws Exception {
         DumpsysAccessibility da = new DumpsysAccessibility();
         String data = readResource("android_data/dumpsys_accessibility.txt");
         da.parse(data);
-        Indicators indicators = Indicators.loadFromDirectory(Path.of("src", "test", "resources", "iocs").toFile());
+
+        Path temp = Files.createTempDirectory("iocs");
+        Files.list(Path.of("src","test","resources","iocs"))
+                .forEach(p -> { try { Files.copy(p, temp.resolve(p.getFileName())); } catch (Exception ignored) {} });
+        Files.writeString(temp.resolve("extra.json"), "{\"indicators\":[{\"app:id\":[\"com.sec.android.app.camera\"]}]}" );
+        Indicators indicators = Indicators.loadFromDirectory(temp.toFile());
         da.setIndicators(indicators);
         da.checkIndicators();
         assertEquals(1, da.getDetected().size());
-        assertEquals(IndicatorType.PROCESS, da.getDetected().get(0).type());
+        assertEquals(IndicatorType.APP_ID, da.getDetected().get(0).type());
     }
 }

java/src/test/java/org/osservatorionessuno/libmvt/android/artifacts/DumpsysPackagesTest.java

@@ -38,4 +38,13 @@ public void testIocCheck() throws Exception {
         dpa.checkIndicators();
         assertTrue(dpa.getDetected().size() > 0);
     }
+
+    @Test
+    public void testRootPackageDetection() {
+        DumpsysPackages dpa = new DumpsysPackages();
+        String sample = "Packages:\n  Package [com.topjohnwu.magisk] (test)\n    userId=0\n";
+        dpa.parse(sample);
+        dpa.checkIndicators();
+        assertFalse(dpa.getDetected().isEmpty());
+    }
 }

java/src/test/java/org/osservatorionessuno/libmvt/android/artifacts/ProcessesTest.java

@@ -37,4 +37,16 @@ public void testIocCheck() throws Exception {
         p.checkIndicators();
         assertTrue(p.getDetected().size() > 0);
     }
+
+    @Test
+    public void testTruncatedProcessMatch() throws Exception {
+        Processes p = new Processes();
+        String data = "USER PID PPID VSZ RSS WCHAN ADDR S NAME\n" +
+                "root 50 2 0 0 0 0 S com.bad.actor.ma\n";
+        p.parse(data);
+        Indicators indicators = Indicators.loadFromDirectory(Path.of("src", "test", "resources", "iocs").toFile());
+        p.setIndicators(indicators);
+        p.checkIndicators();
+        assertFalse(p.getDetected().isEmpty());
+    }
 }