From ded27447332704dfaa6be5ae9aa7add9750a5eab Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Fri, 31 May 2024 13:24:19 -0400
Subject: [PATCH] adding new and updating linux / android rules (#903)
* adding new and updating linux / android rules
* fix lints
---
 .../change-file-permission-on-linux.yml | 8 +++++++-
 .../create/create-process-on-linux.yml | 2 ++
 nursery/change-memory-permission-on-linux.yml | 17 +++++++++++++++++
 nursery/check-file-permission-on-linux.yml | 17 +++++++++++++++++
 ...ning-under-android-emulator-on-android.yml | 19 +++++++++++++++++++
 nursery/map-or-unmap-memory-on-linux.yml | 17 +++++++++++++++++
 6 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 nursery/change-memory-permission-on-linux.yml
 create mode 100644 nursery/check-file-permission-on-linux.yml
 create mode 100644 nursery/check-if-process-is-running-under-android-emulator-on-android.yml
 create mode 100644 nursery/map-or-unmap-memory-on-linux.yml
diff --git a/host-interaction/file-system/change-file-permission-on-linux.yml b/host-interaction/file-system/change-file-permission-on-linux.yml
index 29bd1a33..8572aa9f 100644
--- a/host-interaction/file-system/change-file-permission-on-linux.yml
+++ b/host-interaction/file-system/change-file-permission-on-linux.yml
@@ -4,6 +4,7 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - joakim@intezer.com
+ - mehunhoff@google.com
 scopes:
 static: basic block
 dynamic: call
@@ -13,9 +14,14 @@ rule:
 - 7351f8a40c5450557b24622417fc478d:0x407C68
 features:
 - and:
- - os: linux
+ - or:
+ - os: android
+ - os: linux
 - or:
 - api: chown
 - api: fchown
 - api: lchown
 - api: fchownat
+ - api: chmod
+ - api: fchmod
+ - api: fchmodat
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml
index ab98b7e0..c7b6d5d8 100644
--- a/host-interaction/process/create/create-process-on-linux.yml
+++ b/host-interaction/process/create/create-process-on-linux.yml
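Review bot: The second hunk of change-file-permission-on-linux.yml adds the chmod family and an Android alternative to a basic-block-scoped rule, but the only example visible in context (the md5:address line above `features:`) can only exercise the chown branch, so the new `chmod`/`fchmod`/`fchmodat` path ships without a sample that proves it matches. chmod is also far more common in benign native code (installers, build and packaging tooling) than lchown/fchownat, so the rule will now fire much more often; if that broadening is intended, add an example at a chmod call site and a meta entry such as `description: matches both ownership (chown family) and mode (chmod family) changes; chmod is routine in benign installers`. The rule name and filename still read "on Linux" while the features now accept `os: android`, which is presumably the repository's convention for Android native code but is worth confirming. The meta block holding the examples starts outside the hunk.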
@@ -4,6 +4,7 @@ rule:
 namespace: host-interaction/process/create
 authors:
 - joakim@intezer.com
+ - mehunhoff@google.com
 scopes:
 static: basic block
 dynamic: call
@@ -27,3 +28,4 @@ rule:
 - api: posix_spawn
 - api: posix_spawnp
 - api: popen
+ - api: fork
diff --git a/nursery/change-memory-permission-on-linux.yml b/nursery/change-memory-permission-on-linux.yml
new file mode 100644
index 00000000..15edf0dd
--- /dev/null
+++ b/nursery/change-memory-permission-on-linux.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: change memory permission on Linux
+ namespace: host-interaction/memory
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: function
+ dynamic: call
+ features:
+ - and:
+ - or:
+ - os: linux
+ - os: android
+ - or:
+ - api: mprotect
+ - api: pkey_mprotect
diff --git a/nursery/check-file-permission-on-linux.yml b/nursery/check-file-permission-on-linux.yml
new file mode 100644
index 00000000..181fb167
--- /dev/null
+++ b/nursery/check-file-permission-on-linux.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: check file permission on Linux
+ namespace: host-interaction/file-system
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: function
+ dynamic: call
+ features:
+ - and:
+ - or:
+ - os: android
+ - os: linux
+ - or:
+ - api: access
+ - api: faccessat
diff --git a/nursery/check-if-process-is-running-under-android-emulator-on-android.yml b/nursery/check-if-process-is-running-under-android-emulator-on-android.yml
new file mode 100644
index 00000000..65e7ce7f
--- /dev/null
+++ b/nursery/check-if-process-is-running-under-android-emulator-on-android.yml
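Review bot: `- api: fork`, the last line of the create-process-on-linux.yml hunk, is a different kind of primitive from the exec/posix_spawn/popen entries above it: fork only duplicates the calling process, and it appears in nearly every daemonizing program and forking server, so at basic-block scope the rule will now match a lot of benign code that never launches another program. If fork is to stay, its siblings `vfork` and the libc `clone` wrapper should probably be listed alongside it for consistency, and a meta entry such as `description: fork is matched on its own, so a fork without a following exec (daemonization, worker pools) also counts as process creation` would tell consumers how to read a hit. The features list this hunk extends starts outside the hunk.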
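Review bot: change-memory-permission-on-linux.yml matches any `mprotect`/`pkey_mprotect` reference at function scope with no constraint on the requested protection, so it will also fire on the routine RELRO and guard-page mprotect calls the dynamic loader and libc make in practically every process, and map-or-unmap-memory-on-linux.yml (the last file in this patch) has the same issue with `mmap`/`munmap`, which malloc uses for large allocations. Neither new rule carries an `examples:` or `description:` entry; at minimum add something like `description: broad by design - routine loader and allocator calls also match; see <rule covering executable memory> for the PROT_EXEC case` (substituting the actual rule name), or tighten the rule with a `number:` feature for the PROT_EXEC flag if the sample corpus supports that. The `os:` alternatives are ordered linux-then-android here, in map-or-unmap and in the android-emulator rule, but android-then-linux in check-file-permission and change-file-permission; pick one order for the patch.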
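Review bot: check-file-permission-on-linux.yml names the behaviour "check file permission", but `access`/`faccessat` are at least as often called with F_OK purely to test whether a path exists, so hits on this rule will include plain existence checks rather than permission probes. Add `description: matches access/faccessat regardless of the mode argument, so existence (F_OK) checks also match` under meta so consumers interpret the result correctly, or rename the rule toward "check file existence or permission". An `examples:` entry would also help, since the nursery rule otherwise has nothing pinning what it is meant to catch.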
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: check if process is running under Android emulator on Android
+ namespace: anti-analysis/anti-emulation/android
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://github.com/happylishang/AntiFakerAndroidChecker/blob/master/antifake/src/main/jni/emulator/emcheck64.c
+ features:
+ - and:
+ - or:
+ - os: linux
+ - os: android
+ - string: "com/snail/antifake/jni/EmulatorDetectUtil"
+ - optional:
+ - string: "getSystemArch"
diff --git a/nursery/map-or-unmap-memory-on-linux.yml b/nursery/map-or-unmap-memory-on-linux.yml
new file mode 100644
index 00000000..e3e6ea04
--- /dev/null
+++ b/nursery/map-or-unmap-memory-on-linux.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: map or unmap memory on Linux
+ namespace: host-interaction/memory
+ authors:
+ - mehunhoff@google.com
+ scopes:
+ static: function
+ dynamic: call
+ features:
+ - and:
+ - or:
+ - os: linux
+ - os: android
+ - or:
+ - api: mmap
+ - api: munmap
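Review bot: check-if-process-is-running-under-android-emulator-on-android.yml keys on the JNI class path `com/snail/antifake/jni/EmulatorDetectUtil`, which is the package name of the referenced AntiFakerAndroidChecker project rather than anything the emulator checks themselves do, so the rule identifies native code built from that one library and not the technique its name describes; the `optional:` `getSystemArch` entry never affects whether the rule matches and only adds evidence. Add a meta entry such as `description: identifies the native emulator-check helper from the AntiFakerAndroidChecker project by its JNI class name; other emulator-detection implementations are not covered`, and consider a second rule built on the artifacts the referenced emcheck64.c inspects (not visible here) so the technique itself is covered. The `- os: linux` alternative also sits oddly in a rule whose namespace and filename are Android-specific; if it is there only because Android native libraries are analysed as linux ELF files, say so in a comment above that line, otherwise drop it.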