BlackArch / blackarch

An ArchLinux based distribution for penetration testers and security researchers.
https://www.blackarch.org

APKID Yara rules not compatible #3296

Open jaykijay opened 2 years ago

jaykijay commented 2 years ago

Bug description

APKID not working after latest update because Yara rules seem to be incompatible

Steps to reproduce

1. Install apkid
2. Run it

Actual result:

[+] APKiD 2.1.1 :: from RedNaga :: rednaga.io
Traceback (most recent call last):
  File "/usr/bin/apkid", line 33, in <module>
    sys.exit(load_entry_point('apkid==2.1.1', 'console_scripts', 'apkid')())
  File "/usr/lib/python3.10/site-packages/apkid/main.py", line 90, in main
    rules = options.rules_manager.load()
  File "/usr/lib/python3.10/site-packages/apkid/rules.py", line 46, in load
    self.rules = yara.load(self.rules_path)
yara.Error: rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA

Expected result: Describe here what should happen after you run the steps above (i.e. what would be the correct behaviour) Should work? :D

Info for developers

GNU/Linux distribution: Manjaro (unstable) + Blackarch Repos
Tool version: APKID 2.1.1, yara-rednaga

Link to debug log

vichhika commented 2 years ago

This bug affects all packages that depend on it, for example MobSF. I tried to build it manually, but that didn't help. Any solution?

AkechiShiro commented 1 year ago

I'm not sure, but I believe MobSF is now using a dependency called yara-python-dex and not yara-rednaga.

Should I try to update the MobSF PKGBUILD to use yara-python-dex and then see if that solves the issue?

ikstream commented 1 year ago

> Should I try to update the MobSF PKGBUILD to use yara-python-dex and then see if that solves the issue?

Would be great if you could try it out. Thank you.

AkechiShiro commented 1 year ago

I gave it a try, but it's unrelated. I'm not sure what's going on: MobSF is using apkid, and apkid is failing, so the issue is not with MobSF directly but with apkid. I don't know why the rules.yarc does not get recomputed or updated. I think something changed upstream for apkid; I'll try to open an issue and link it here.

AkechiShiro commented 1 year ago

A fix may be provided soon by APKiD's maintainers; an update could be needed on the BlackArch repos in order to take the fix into account.

AkechiShiro commented 1 year ago

I've fixed the issue with the help of an APKiD contributor. Using yara-python-dex was the proper fix; I'm not sure what went wrong when I tried it, but it fixed the issue I'm having about rules not being compatible. A PR needs to land in BlackArch to add the new python-yara-dex as well as update the apkid PKGBUILD. I'll probably open those by next week.

noraj commented 1 year ago

logs:

[ERROR] 13/Dec/2022 13:44:01 - Error Performing Static Analysis
Traceback (most recent call last):
  File "/usr/share/mobsf/mobsf/StaticAnalyzer/views/android/static_analyzer.py", line 200, in static_analyzer
    apkid_results = apkid_analysis(app_dic[
  File "/usr/share/mobsf/mobsf/MalwareAnalyzer/views/apkid.py", line 41, in apkid_analysis
    rules = options.rules_manager.load()
  File "/usr/lib/python3.10/site-packages/apkid/rules.py", line 46, in load
    self.rules = yara.load(self.rules_path)
yara.Error: rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA
[ERROR] 13/Dec/2022 13:44:01 - rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA
[ERROR] 13/Dec/2022 13:44:01 - Internal Server Error: /static_analyzer/

> I've fixed the issue with the help of an APKiD contributor. Using yara-python-dex was the proper fix; I'm not sure what went wrong when I tried it, but it fixed the issue I'm having about rules not being compatible. A PR needs to land in BlackArch to add the new python-yara-dex as well as update the apkid PKGBUILD. I'll probably open those by next week.

Yes, as mentioned in https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1998, python-yara-dex

3630 is pending and should fix this issue
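
Added example, not part of the thread and not APKiD or MobSF code: a triage script that scans log text in the format quoted above for the YARA incompatibility error and reports which package's precompiled rules file was rejected and at which times. The function name `find_stale_rules` and the sample log (constructed; the second timestamp is invented) are assumptions.

```python
import re

# Constructed sample, in the format of the MobSF log quoted in the thread.
SAMPLE_LOG = """\
[ERROR] 13/Dec/2022 13:44:01 - Error Performing Static Analysis
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/apkid/rules.py", line 46, in load
    self.rules = yara.load(self.rules_path)
yara.Error: rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA
[ERROR] 13/Dec/2022 13:44:01 - rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA
[ERROR] 13/Dec/2022 13:44:01 - Internal Server Error: /static_analyzer/
[ERROR] 14/Dec/2022 09:02:17 - rules file "/usr/lib/python3.10/site-packages/apkid/rules/rules.yarc" is incompatible with this version of YARA
"""

HEADER = re.compile(r"^\[[A-Z]+\] (\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) - ")
INCOMPAT = re.compile(r'rules file "([^"]+)" is incompatible with this version of YARA')
OWNER = re.compile(r"/python(\d+\.\d+)/site-packages/([^/]+)/")


def find_stale_rules(log_text):
    """Map each rejected compiled-rules file to its package and failure times."""
    findings = {}
    last_ts = None  # traceback lines carry no timestamp of their own
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            last_ts = header.group(1)
        hit = INCOMPAT.search(line)
        if not hit:
            continue
        path = hit.group(1)
        owner = OWNER.search(path)
        entry = findings.setdefault(path, {
            "python": owner.group(1) if owner else None,
            "package": owner.group(2) if owner else None,
            "events": [],
        })
        # One failure is logged twice (traceback and summary line); count it once.
        if last_ts not in entry["events"]:
            entry["events"].append(last_ts)
    return findings


if __name__ == "__main__":
    for path, info in find_stale_rules(SAMPLE_LOG).items():
        times = ", ".join(t or "unknown" for t in info["events"])
        print(f"{info['package']} (python {info['python']}): {path}")
        print(f"  rejected by the installed YARA at: {times}")
```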