ai_root_shield 0.1.0

data/examples/device_logs/rooted_android.json

@@ -0,0 +1,93 @@
+{
+  "platform": "android",
+  "system_info": {
+    "os_version": "Android 11",
+    "kernel_version": "4.19.95-g0123456789ab",
+    "build_fingerprint": "google/flame/flame:11/RQ3A.210905.001/7511028:user/test-keys",
+    "bootloader_status": "unlocked",
+    "selinux_status": "permissive",
+    "developer_options": true
+  },
+  "installed_packages": [
+    {
+      "name": "com.topjohnwu.magisk",
+      "signature": "test-keys"
+    },
+    {
+      "name": "eu.chainfire.supersu",
+      "signature": "debug.keystore"
+    },
+    {
+      "name": "com.android.chrome",
+      "signature": "platform.pk8"
+    }
+  ],
+  "file_system": {
+    "suspicious_files": [
+      "/system/bin/su",
+      "/system/xbin/su",
+      "/system/app/Superuser.apk",
+      "/data/local/tmp/frida-server"
+    ],
+    "system_binaries": [
+      "/system/bin/magisk",
+      "/system/xbin/daemonsu"
+    ],
+    "writable_system_dirs": [
+      "/system/app"
+    ]
+  },
+  "running_processes": [
+    {
+      "name": "magisk",
+      "pid": 1234
+    },
+    {
+      "name": "frida-server",
+      "pid": 5678,
+      "loaded_libraries": [
+        "libfrida-gadget.so"
+      ]
+    }
+  ],
+  "network": {
+    "proxy_settings": {
+      "enabled": true,
+      "host": "127.0.0.1",
+      "port": 8080
+    },
+    "vpn_active": false,
+    "certificates": [
+      {
+        "subject": "CN=PortSwigger CA, O=PortSwigger, L=Knaresborough",
+        "issuer": "CN=PortSwigger CA, O=PortSwigger, L=Knaresborough",
+        "user_installed": true
+      }
+    ]
+  },
+  "security": {
+    "screen_lock_enabled": true,
+    "encryption_enabled": true,
+    "unknown_sources": true,
+    "usb_debugging": true
+  },
+  "hardware": {
+    "device_model": "Pixel 4",
+    "manufacturer": "Google",
+    "sensors": ["accelerometer", "gyroscope", "magnetometer"],
+    "baseband_version": "g7250-00042-200421-B-6404797",
+    "serial_number": "HT1ABC123456"
+  },
+  "certificates": [
+    {
+      "subject": "CN=Android Debug, O=Android, C=US",
+      "issuer": "CN=Android Debug, O=Android, C=US",
+      "not_after": "2025-01-01T00:00:00Z"
+    }
+  ],
+  "system_logs": [
+    "magisk: Magisk v23.0 daemon started",
+    "frida: Frida gadget loaded successfully",
+    "xposed: Xposed framework initialized"
+  ]
+}

data/exe/ai_root_shield

@@ -0,0 +1,155 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative "../lib/ai_root_shield"
+require "optparse"
+require "json"
+
+# CLI interface for AI Root Shield
+class AiRootShieldCLI
+  def initialize
+    @options = {
+      config: {},
+      output_format: "json",
+      verbose: false
+    }
+  end
+
+  def run(args)
+    parse_options(args)
+    
+    if args.empty?
+      puts "Error: Please provide a device logs file path"
+      puts "Usage: ai_root_shield [options] <device_logs.json>"
+      exit 1
+    end
+
+    device_logs_path = args.first
+    
+    unless File.exist?(device_logs_path)
+      puts "Error: Device logs file not found: #{device_logs_path}"
+      exit 1
+    end
+
+    begin
+      result = AiRootShield.scan_device_with_config(device_logs_path, @options[:config])
+      output_result(result)
+    rescue AiRootShield::Error => e
+      puts "Error: #{e.message}"
+      exit 1
+    rescue StandardError => e
+      puts "Unexpected error: #{e.message}"
+      puts e.backtrace if @options[:verbose]
+      exit 1
+    end
+  end
+
+  private
+
+  def parse_options(args)
+    OptionParser.new do |opts|
+      opts.banner = "Usage: ai_root_shield [options] <device_logs.json>"
+      opts.separator ""
+      opts.separator "Options:"
+
+      opts.on("-f", "--format FORMAT", ["json", "text", "summary"], 
+              "Output format (json, text, summary)") do |format|
+        @options[:output_format] = format
+      end
+
+      opts.on("-v", "--verbose", "Enable verbose output") do
+        @options[:verbose] = true
+      end
+
+      opts.on("-t", "--threshold SCORE", Integer, 
+              "Risk threshold (0-100, default: 50)") do |threshold|
+        @options[:config][:risk_threshold] = threshold
+      end
+
+      opts.on("--no-root", "Disable root detection") do
+        @options[:config][:enable_root_detection] = false
+      end
+
+      opts.on("--no-emulator", "Disable emulator detection") do
+        @options[:config][:enable_emulator_detection] = false
+      end
+
+      opts.on("--no-hooking", "Disable hooking detection") do
+        @options[:config][:enable_hooking_detection] = false
+      end
+
+      opts.on("--no-integrity", "Disable integrity checks") do
+        @options[:config][:enable_integrity_checks] = false
+      end
+
+      opts.on("--no-network", "Disable network analysis") do
+        @options[:config][:enable_network_analysis] = false
+      end
+
+      opts.on("-h", "--help", "Show this help message") do
+        puts opts
+        exit
+      end
+
+      opts.on("--version", "Show version") do
+        puts "AI Root Shield v#{AiRootShield::VERSION}"
+        exit
+      end
+    end.parse!(args)
+  end
+
+  def output_result(result)
+    case @options[:output_format]
+    when "json"
+      puts JSON.pretty_generate(result)
+    when "text"
+      output_text_format(result)
+    when "summary"
+      output_summary_format(result)
+    end
+  end
+
+  def output_text_format(result)
+    puts "AI Root Shield Security Scan Results"
+    puts "=" * 40
+    puts "Risk Score: #{result[:risk_score]}/100 (#{AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])})"
+    puts "Scan Time: #{Time.at(result[:timestamp]).strftime('%Y-%m-%d %H:%M:%S')}"
+    puts "Version: #{result[:version]}"
+    puts ""
+    
+    if result[:factors].any?
+      puts "Detected Security Factors:"
+      result[:factors].each do |factor|
+        puts "  • #{factor.gsub('_', ' ').downcase.capitalize}"
+      end
+      puts ""
+      
+      recommended_actions = AiRootShield::RiskCalculator.recommended_actions(result[:factors])
+      if recommended_actions.any?
+        puts "Recommended Actions:"
+        recommended_actions.each do |action|
+          puts "  → #{action}"
+        end
+      end
+    else
+      puts "No security threats detected."
+    end
+  end
+
+  def output_summary_format(result)
+    risk_level = AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])
+    
+    puts "Risk Level: #{risk_level} (#{result[:risk_score]}/100)"
+    puts "Threats: #{result[:factors].length} detected"
+    
+    if result[:factors].any?
+      puts "Primary Concerns: #{result[:factors].first(3).join(', ')}"
+    end
+  end
+end
+
+# Run CLI if this file is executed directly
+if __FILE__ == $0
+  cli = AiRootShieldCLI.new
+  cli.run(ARGV)
+end

data/lib/ai_root_shield/analyzers/emulator_detector.rb

@@ -0,0 +1,331 @@
+# frozen_string_literal: true
+
+module AiRootShield
+  module Analyzers
+    # Detects emulator and simulator environments
+    class EmulatorDetector
+      # Known emulator indicators
+      EMULATOR_FILES = %w[
+        /dev/socket/qemud
+        /dev/qemu_pipe
+        /system/lib/libc_malloc_debug_qemu.so
+        /sys/qemu_trace
+        /system/bin/qemu-props
+        /dev/socket/baseband_genyd
+        /dev/socket/genyd
+        /proc/tty/drivers
+        /proc/cpuinfo
+        /system/lib/libdvm.so
+        /system/bin/androVM-prop
+        /system/bin/microvirt-prop
+        /system/lib/libhoudini.so
+        /system/lib/arm/libhoudini.so
+      ].freeze
+
+      EMULATOR_PROPERTIES = %w[
+        ro.kernel.qemu
+        ro.bootmode
+        ro.hardware
+        ro.product.device
+        ro.product.model
+        ro.product.name
+        ro.product.brand
+        ro.build.product
+        ro.build.fingerprint
+        init.svc.qemud
+        qemu.hw.mainkeys
+        qemu.sf.fake_camera
+        qemu.sf.lcd_density
+        ro.kernel.android.qemud
+      ].freeze
+
+      EMULATOR_PACKAGES = %w[
+        com.google.android.launcher.layouts.genymotion
+        com.bluestacks
+        com.bignox.app
+        com.vphone.launcher
+        com.microvirt.guide
+        com.microvirt.market
+        com.microvirt.memuplay
+        com.android.development_settings
+        com.android.development
+        com.android.emulator.smoketests
+      ].freeze
+
+      # iOS Simulator indicators
+      IOS_SIMULATOR_INDICATORS = %w[
+        i386
+        x86_64
+        Simulator
+        iPhone Simulator
+        iPad Simulator
+        AppleTV Simulator
+      ].freeze
+
+      def analyze(device_data)
+        factors = []
+        risk_score = 0
+
+        case device_data[:platform]
+        when "android"
+          android_result = check_android_emulator(device_data)
+          factors.concat(android_result[:factors])
+          risk_score += android_result[:risk_score]
+        when "ios"
+          ios_result = check_ios_simulator(device_data)
+          factors.concat(ios_result[:factors])
+          risk_score += ios_result[:risk_score]
+        end
+
+        # Cross-platform checks
+        cross_platform_result = check_cross_platform_indicators(device_data)
+        factors.concat(cross_platform_result[:factors])
+        risk_score += cross_platform_result[:risk_score]
+
+        {
+          factors: factors,
+          risk_score: [risk_score, 100].min
+        }
+      end
+
+      private
+
+      def check_android_emulator(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check for emulator files
+        emulator_files = check_emulator_files(device_data[:file_system])
+        factors.concat(emulator_files)
+        risk_score += emulator_files.length * 15
+
+        # Check system properties
+        property_factors = check_system_properties(device_data[:system_info])
+        factors.concat(property_factors)
+        risk_score += property_factors.length * 12
+
+        # Check for emulator packages
+        package_factors = check_emulator_packages(device_data[:installed_packages])
+        factors.concat(package_factors)
+        risk_score += package_factors.length * 18
+
+        # Check hardware characteristics
+        hardware_factors = check_hardware_indicators(device_data[:hardware_info])
+        factors.concat(hardware_factors)
+        risk_score += hardware_factors.length * 10
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_ios_simulator(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check hardware info for simulator indicators
+        hardware_info = device_data[:hardware_info] || {}
+        
+        IOS_SIMULATOR_INDICATORS.each do |indicator|
+          device_model = hardware_info[:device_model].to_s
+          if device_model.include?(indicator)
+            factors << "SIMULATOR_IOS"
+            risk_score += 20
+            break
+          end
+        end
+
+        # Check for simulator-specific file paths
+        file_system = device_data[:file_system] || {}
+        suspicious_files = file_system[:suspicious_files] || []
+        
+        if suspicious_files.any? { |file| file.to_s.include?("Simulator") }
+          factors << "SIMULATOR_FILES_DETECTED"
+          risk_score += 15
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_cross_platform_indicators(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check for missing baseband (common in emulators)
+        baseband_factor = check_baseband_presence(device_data[:hardware_info])
+        if baseband_factor
+          factors << baseband_factor
+          risk_score += 12
+        end
+
+        # Check sensor anomalies
+        sensor_factors = check_sensor_anomalies(device_data[:hardware_info])
+        factors.concat(sensor_factors)
+        risk_score += sensor_factors.length * 8
+
+        # Check for virtualization indicators in processes
+        process_factors = check_virtualization_processes(device_data[:processes])
+        factors.concat(process_factors)
+        risk_score += process_factors.length * 10
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_emulator_files(file_system)
+        factors = []
+        suspicious_files = file_system[:suspicious_files] || []
+        system_binaries = file_system[:system_binaries] || []
+        
+        all_files = suspicious_files + system_binaries
+
+        EMULATOR_FILES.each do |emulator_file|
+          if all_files.any? { |file| file.to_s.include?(emulator_file) }
+            case emulator_file
+            when /qemu/i
+              factors << "EMULATOR_QEMU"
+            when /genyd/i
+              factors << "EMULATOR_GENYMOTION"
+            when /microvirt/i
+              factors << "EMULATOR_MICROVIRT"
+            else
+              factors << "EMULATOR_FILE_DETECTED"
+            end
+          end
+        end
+
+        factors
+      end
+
+      def check_system_properties(system_info)
+        factors = []
+        
+        # Check build fingerprint
+        fingerprint = system_info[:build_fingerprint].to_s
+        if fingerprint.include?("generic") || fingerprint.include?("emulator")
+          factors << "EMULATOR_BUILD_GENERIC"
+        end
+
+        # Check kernel version for emulator indicators
+        kernel_version = system_info[:kernel_version].to_s
+        if kernel_version.include?("goldfish") || kernel_version.include?("ranchu")
+          factors << "EMULATOR_KERNEL_GOLDFISH"
+        end
+
+        factors
+      end
+
+      def check_emulator_packages(packages)
+        factors = []
+        package_names = packages.map { |pkg| pkg.is_a?(Hash) ? pkg["name"] : pkg.to_s }
+
+        EMULATOR_PACKAGES.each do |emulator_pkg|
+          if package_names.any? { |pkg| pkg&.include?(emulator_pkg) }
+            case emulator_pkg
+            when /genymotion/i
+              factors << "EMULATOR_GENYMOTION"
+            when /bluestacks/i
+              factors << "EMULATOR_BLUESTACKS"
+            when /nox/i
+              factors << "EMULATOR_NOX"
+            when /memu/i
+              factors << "EMULATOR_MEMU"
+            else
+              factors << "EMULATOR_PACKAGE_DETECTED"
+            end
+          end
+        end
+
+        factors
+      end
+
+      def check_hardware_indicators(hardware_info)
+        factors = []
+        
+        device_model = hardware_info[:device_model].to_s.downcase
+        manufacturer = hardware_info[:manufacturer].to_s.downcase
+
+        # Check for generic device names
+        if device_model.include?("generic") || device_model.include?("emulator")
+          factors << "EMULATOR_GENERIC_DEVICE"
+        end
+
+        # Check for known emulator manufacturers
+        if manufacturer.include?("genymotion") || manufacturer.include?("android")
+          factors << "EMULATOR_MANUFACTURER"
+        end
+
+        # Check serial number patterns
+        serial = hardware_info[:serial_number].to_s
+        if serial.include?("android") || serial == "unknown"
+          factors << "EMULATOR_SERIAL_PATTERN"
+        end
+
+        factors
+      end
+
+      def check_baseband_presence(hardware_info)
+        baseband_version = hardware_info[:baseband_version]
+        
+        # Missing or null baseband is common in emulators
+        if baseband_version.nil? || baseband_version.to_s.empty? || baseband_version.to_s.downcase.include?("unknown")
+          return "MISSING_BASEBAND"
+        end
+
+        nil
+      end
+
+      def check_sensor_anomalies(hardware_info)
+        factors = []
+        sensors = hardware_info[:sensors] || []
+
+        # Check for missing common sensors
+        common_sensors = %w[accelerometer gyroscope magnetometer proximity light]
+        missing_sensors = common_sensors - sensors.map(&:downcase)
+
+        if missing_sensors.length >= 3
+          factors << "VIRTUAL_SENSORS"
+        end
+
+        # Check for emulator-specific sensor patterns
+        if sensors.any? { |sensor| sensor.to_s.downcase.include?("goldfish") }
+          factors << "EMULATOR_GOLDFISH_SENSORS"
+        end
+
+        factors
+      end
+
+      def check_virtualization_processes(processes)
+        factors = []
+        process_names = processes.map { |proc| proc.is_a?(Hash) ? proc["name"] : proc.to_s }
+
+        virtualization_indicators = %w[
+          qemu
+          vbox
+          vmware
+          virtualbox
+          genymotion
+          bluestacks
+          nox
+          memu
+          ldplayer
+        ]
+
+        virtualization_indicators.each do |indicator|
+          if process_names.any? { |proc| proc&.downcase&.include?(indicator) }
+            factors << "VIRTUALIZATION_PROCESS_DETECTED"
+            break
+          end
+        end
+
+        factors
+      end
+    end
+  end
+end