dex

The dex module exposes most of the fields present in a DEX file. Let’s see some examples:

import "dex"

rule check_dex_version {
    condition:
        dex.header.version == 41
}

rule search_string {
    condition:
        for any string in dex.string_ids: (
            string == "Landroid/content/ComponentName;"
        )
}

Functions

checksum()

Computes the Adler-32 checksum of the DEX file, so it can be compared with the value stored in the header.

Example

import "dex"

rule invalid_checksum {
    condition:
        dex.header.checksum != dex.checksum()
}

signature()

Returns the SHA-1 signature of the DEX file, so it can be compared with the value stored in the header.

Example

import "dex"

rule invalid_signature {
    condition:
        dex.header.signature != dex.signature()
}
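The two rules above only make sense if you know what checksum() and signature() actually hash. Per the Android dex-format specification, the Adler-32 checksum covers everything after the checksum field (offset 12 to end of file) and the SHA-1 signature covers everything after the signature field (offset 32 to end of file). The following Python script is an added illustration, not part of the YARA-X dex module or its documentation: it builds a constructed, header-only DEX image, recomputes both values the same way the module does, and shows which kinds of tampering each check catches.

```python
import hashlib
import struct
import zlib

# Header layout from dex-format: magic (8 bytes), checksum (uint32 at 8),
# signature (20 bytes at 12), then file_size, header_size, endian_tag and the
# size/offset pairs. A v35..v40 header is 0x70 bytes long.
CHECKSUM_OFF = 8
SIGNATURE_OFF = 12
HEADER_SIZE = 0x70

def dex_checksum(data: bytes) -> int:
    """Adler-32 over everything after the checksum field (offset 12 to EOF)."""
    return zlib.adler32(data[SIGNATURE_OFF:]) & 0xFFFFFFFF

def dex_signature(data: bytes) -> bytes:
    """SHA-1 over everything after the signature field (offset 32 to EOF)."""
    return hashlib.sha1(data[SIGNATURE_OFF + 20:]).digest()

def build_minimal_dex(version: bytes = b"035") -> bytearray:
    """Constructed sample: a header-only DEX with consistent checksum/signature."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    # file_size, header_size, endian_tag; all section sizes/offsets stay 0.
    struct.pack_into("<III", hdr, 0x20, HEADER_SIZE, HEADER_SIZE, 0x12345678)
    # Signature first (it does not cover the checksum field), then checksum
    # (which does cover the signature).
    hdr[SIGNATURE_OFF:SIGNATURE_OFF + 20] = dex_signature(hdr)
    struct.pack_into("<I", hdr, CHECKSUM_OFF, dex_checksum(hdr))
    return hdr

def verify(data: bytes) -> dict:
    """Mirror the invalid_checksum / invalid_signature rules on raw bytes."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    version = int(data[4:7])                      # b"035" -> 35
    (stored_checksum,) = struct.unpack_from("<I", data, CHECKSUM_OFF)
    stored_sig = bytes(data[SIGNATURE_OFF:SIGNATURE_OFF + 20])
    return {
        "version": version,
        "checksum_ok": stored_checksum == dex_checksum(data),
        "signature_ok": stored_sig == dex_signature(data),
    }

if __name__ == "__main__":
    sample = build_minimal_dex()
    print(verify(sample))                         # all True
    sample[0x68] ^= 0x01                          # patch data_size: both checks fail
    print(verify(sample))
```

Note that editing only the stored checksum breaks checksum_ok but leaves signature_ok true, because the signature range starts after the checksum field; the two rules therefore catch different tampering.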

contains_string()

Searches the string table for the given string using binary search. Useful when the file defines a very large number of strings.

Example

import "dex"

rule search_string {
    condition:
        dex.contains_string("Landroid/content/ComponentName;")
}

contains_method()

Search for the method name using binary search. It is useful for a very large number of methods.

Example

import "dex"

rule search_method {
    condition:
        dex.contains_method("<init>")
}

contains_class()

Search for the class name using binary search. It is useful for a very large number of classes.

Example

import "dex"

rule search_class {
    condition:
        dex.contains_class("Landroid/content/Context;")
}

Module structure

Field        Type              Description
is_dex       bool              True if the file is DEX
header       DexHeader         The DEX header (see DexHeader below)
strings      string array      List of defined strings
types        string array      List of defined types
protos       ProtoItem array   List of defined prototypes
fields       FieldItem array   List of defined fields
methods      MethodItem array  List of defined methods
class_defs   ClassItem array   List of defined classes
map_list     MapList           List of the entire contents of the file, in order

DexHeader

Read more about it in the Android dex-format documentation.

Field           Type      Description
magic           integer   DEX magic 0x6465780a
version         integer   DEX version: 35, 36, 37, 38, 39, 40, 41
checksum        integer   Adler-32 checksum of the DEX file
signature       string    SHA-1 signature of the DEX file
file_size       integer   Size of the entire file (including the header)
header_size     integer   Size of the header
endian_tag      integer   Endianness tag
link_size       integer   Size of the link section, or 0 if this file isn't statically linked
link_off        integer   Offset from the start of the file to the link section, or 0 if link_size == 0
data_size       integer   Size of the data section (only in v40 or earlier)
data_off        integer   Offset from the start of the file to the start of the data section (only in v40 or earlier)
container_size  integer   Size of the entire file (only in v41 or later)
header_offset   integer   Offset from the start of the file to the start of this header (only in v41 or later)

ProtoItem

Field             Type          Description
shorty            string        Short-form descriptor string
return_type       string        Return type string
parameters_count  integer       Number of parameters
parameters        string array  List of parameters

FieldItem

Field   Type    Description
class   string  The name of the class to which the field belongs
type    string  Field type
name    string  Field name

MethodItem

Field   Type       Description
class   string     The name of the class to which the method belongs
proto   ProtoItem  Method prototype
name    string     Method name

ClassItem

Field        Type        Description
class        string      Class name
access_flag  AccessFlag  Access flags
superclass   string      Superclass name
source_file  string      Name of the source file

MapList

Field  Type           Description
size   integer        Size of the list
items  MapItem array  Elements of the list

MapItem

Field   Type      Description
type    TypeCode  Type of the items
unused  integer   Unused field
size    integer   Count of the number of items
offset  integer   Offset from the start of the file to the items

AccessFlag

Field                      Number   Description
ACC_PUBLIC                 0x1      public: visible everywhere (class, field, method)
ACC_PRIVATE                0x2      private: only visible to defining class (class, field, method)
ACC_PROTECTED              0x4      protected: visible to package and subclasses (class, field, method)
ACC_STATIC                 0x8      static — class: not constructed with outer this; field: global to defining class; method: does not take this
ACC_FINAL                  0x10     final — class: not subclassable; field: immutable after construction; method: not overridable
ACC_SYNCHRONIZED           0x20     synchronized: method lock acquired automatically on call. Only valid with ACC_NATIVE
ACC_BRIDGE                 0x40     bridge: compiler-generated type-safe bridge method
ACC_VARARGS                0x80     varargs: last argument is treated as a "rest" parameter
ACC_NATIVE                 0x100    native: method implemented in native code
ACC_INTERFACE              0x200    interface: multiply-implementable abstract class
ACC_ABSTRACT               0x400    abstract — class: not directly instantiable; method: unimplemented in this class
ACC_STRICT                 0x800    strictfp: strict floating-point arithmetic rules
ACC_SYNTHETIC              0x1000   synthetic: not directly defined in source code (class, field, method)
ACC_ANNOTATION             0x2000   annotation: declared as an annotation class
ACC_ENUM                   0x4000   enum — class: declared as an enum type; field: declared as enum value
ACC_CONSTRUCTOR            0x10000  constructor: class or instance initializer method
ACC_DECLARED_SYNCHRONIZED  0x20000  declared synchronized: method marked with synchronized keyword

AccessFlagSpecial

Field          Number  Description
ACC_VOLATILE   0x40    volatile (field): special access rules for thread safety
ACC_TRANSIENT  0x80    transient (field): not saved by default serialization

TypeCode

Field                            Number
TYPE_HEADER_ITEM                 0x0000
TYPE_STRING_ID_ITEM              0x0001
TYPE_TYPE_ID_ITEM                0x0002
TYPE_PROTO_ID_ITEM               0x0003
TYPE_FIELD_ID_ITEM               0x0004
TYPE_METHOD_ID_ITEM              0x0005
TYPE_CLASS_DEF_ITEM              0x0006
TYPE_CALL_SITE_ID_ITEM           0x0007
TYPE_METHOD_HANDLE_ITEM          0x0008
TYPE_MAP_LIST                    0x1000
TYPE_TYPE_LIST                   0x1001
TYPE_ANNOTATION_SET_REF_LIST     0x1002
TYPE_ANNOTATION_SET_ITEM         0x1003
TYPE_CLASS_DATA_ITEM             0x2000
TYPE_CODE_ITEM                   0x2001
TYPE_STRING_DATA_ITEM            0x2002
TYPE_DEBUG_INFO_ITEM             0x2003
TYPE_ANNOTATION_ITEM             0x2004
TYPE_ENCODED_ARRAY_ITEM          0x2005
TYPE_ANNOTATIONS_DIRECTORY_ITEM  0x2006
TYPE_HIDDENAPI_CLASS_DATA_ITEM   0xF000