From e6cb3d3b3bd5a009347c51fec52f351bd77103ec Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Mon, 14 Aug 2023 10:27:19 +0000 Subject: [PATCH] os: detect Android via dependencies, too --- capa/features/extractors/elf.py | 2 ++ tests/fixtures.py | 2 ++ tests/test_os_detection.py | 12 ++++++++++++ 3 files changed, 16 insertions(+) diff --git a/capa/features/extractors/elf.py b/capa/features/extractors/elf.py index 922ca5b8..01662a12 100644 --- a/capa/features/extractors/elf.py +++ b/capa/features/extractors/elf.py @@ -861,6 +861,8 @@ def guess_os_from_needed_dependencies(elf: ELF) -> Optional[OS]: return OS.HURD if needed.startswith("libhurduser.so"): return OS.HURD + if needed.startswith("libandroid.so"): + return OS.ANDROID return None diff --git a/tests/fixtures.py b/tests/fixtures.py index 291ba1a8..a85656a6 100644 --- a/tests/fixtures.py +++ b/tests/fixtures.py @@ -308,6 +308,8 @@ def get_data_path_by_name(name) -> Path: return CD / "data" / "2bf18d0403677378adad9001b1243211.elf_" elif name.startswith("ea2876"): return CD / "data" / "ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669.dll_" + elif name.startswith("1038a2"): + return CD / "data" / "1038a23daad86042c66bfe6c9d052d27048de9653bde5750dc0f240c792d9ac8.elf_" else: raise ValueError(f"unexpected sample fixture: {name}") diff --git a/tests/test_os_detection.py b/tests/test_os_detection.py index d5806d45..a650165d 100644 --- a/tests/test_os_detection.py +++ b/tests/test_os_detection.py 
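Review bot: The new `libandroid.so` branch in guess_os_from_needed_dependencies carries no comment explaining why that dependency is decisive, unlike the neighbouring HURD checks which are self-evident from the name; I would add `# libandroid.so is the Android NDK's native runtime and is not shipped by other libc ecosystems` above the new `if`. Since DT_NEEDED strings come straight from the sample being analysed, a one-line reminder that this is a hint rather than proof would also help readers who land here from detect_elf_os, e.g. `# heuristic only: a sample can name any dependency it likes`. The enclosing loop over the needed entries starts outside the hunk, so the first-match return order relative to the HURD checks is inferred, not visible.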
@@ -80,6 +80,18 @@ def test_elf_symbol_table(): assert capa.features.extractors.elf.detect_elf_os(f) == "linux" +def test_elf_android_notes(): + # DEBUG:capa.features.extractors.elf:guess: osabi: None + # DEBUG:capa.features.extractors.elf:guess: ph notes: OS.ANDROID + # DEBUG:capa.features.extractors.elf:guess: sh notes: None + # DEBUG:capa.features.extractors.elf:guess: linker: None + # DEBUG:capa.features.extractors.elf:guess: ABI versions needed: None + # DEBUG:capa.features.extractors.elf:guess: needed dependencies: OS.ANDROID + path = get_data_path_by_name("1038a2") + with Path(path).open("rb") as f: + assert capa.features.extractors.elf.detect_elf_os(f) == "android" + + def test_elf_parse_capa_pyinstaller_header(): # error after misidentified large pydata section with address 0; fixed in #1454 # compressed ELF header of capa-v5.1.0-linux
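Review bot: The debug trace quoted in the comments of the new test_elf_android_notes shows `ph notes: OS.ANDROID`, so detect_elf_os already resolves this sample as Android from the program-header notes and the assertion would pass without the libandroid.so branch this commit adds; the test does not actually exercise the new dependency-based path. A stronger check would call capa.features.extractors.elf.guess_os_from_needed_dependencies on the parsed ELF and assert `== OS.ANDROID` directly, or use a sample whose only Android signal is the dependency. The test name also says "notes" while the commit is about dependencies, so renaming it (e.g. `test_elf_android_needed_dependencies`) or splitting the two signals into separate tests would keep intent clear. Minor: get_data_path_by_name already returns a Path, so `with path.open("rb") as f:` suffices in place of the `Path(path)` wrapper.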