- import pymongo
- import json
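def init_database(uri="mongodb://localhost:27017/", db_name="ChromeExtension", collection="API"):
    """Return the MongoDB collection that stores the recorded API calls.

    Args:
        uri: MongoDB connection string. Defaults to the local, unauthenticated
            server the original hard-coded; pass another URI to analyse a
            different trace store.
        db_name: Database holding the extension traces.
        collection: Collection holding one document per recorded API call.

    Returns:
        A ``pymongo`` collection object.
    """
    client = pymongo.MongoClient(uri)
    return client[db_name][collection]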
# Module-level side effect: the collection handle is created at import time
# and shared by every function below that queries MongoDB.
mycol = init_database()
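# Load the behaviour definitions from the api.json pattern file and return
# the entry for one behaviour (as parsed JSON).
def GetBehaviorMalicious(behavior, path="api.json"):
    """Return the definition of *behavior* from the JSON pattern file.

    Args:
        behavior: Top-level key in the pattern file (the behaviour name the
            tracking functions pass in).
        path: Pattern file to read; defaults to ``api.json`` in the current
            working directory, matching the original hard-coded name.

    Returns:
        Whatever JSON value is stored under *behavior*.

    Raises:
        OSError: if the file cannot be opened.
        json.JSONDecodeError: if the file is not valid JSON.
        KeyError: if *behavior* is not a top-level key.
    """
    # Read as UTF-8 explicitly so results do not depend on the platform
    # default encoding.
    with open(path, encoding="utf-8") as fh:
        patterns = json.load(fh)
    return patterns[behavior]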
def GetApiCalledByExtension(idx):
    """Return a cursor over every API-call record stored for extension *idx*.

    Args:
        idx: Chrome extension id, matched against the ``extensionId`` field.

    Returns:
        The ``pymongo`` cursor produced by ``mycol.find``.
    """
    query = {"extensionId": idx}
    return mycol.find(query)
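def UninstallBehaviorTracking(api_of_extension):
    """Return True when the record matches an "uninstall_other_extension" pattern.

    Args:
        api_of_extension: One API-call record (a dict with at least an
            ``apiCall`` field, as the sibling trackers assume).

    Returns:
        True on the first pattern match, False otherwise.
    """
    patterns = GetBehaviorMalicious("uninstall_other_extension")
    call_name = api_of_extension.get("apiCall") if isinstance(api_of_extension, dict) else None
    for entry in patterns:
        if "behavior" not in entry:
            continue
        known_calls = entry["behavior"]
        # Whole-record membership test from the original, kept for compatibility.
        if api_of_extension in known_calls:
            return True
        # A record loaded from MongoDB typically carries extra fields (e.g. _id),
        # so it never compares equal to a pattern entry and the test above is
        # effectively always False. Match on the API name instead, the way
        # PreventsUninstallTracking does. Pattern entries may be plain strings
        # or dicts with an "apiCall" key — TODO confirm against api.json.
        if call_name is None:
            continue
        for pattern_call in known_calls:
            name = pattern_call.get("apiCall") if isinstance(pattern_call, dict) else pattern_call
            if name == call_name:
                return True
    return False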
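def PreventsUninstallTracking(api_of_extension):
    """Return True when the record looks like an attempt to block access to chrome://extensions/.

    Args:
        api_of_extension: One API-call record (dict) with an ``apiCall`` field
            and, optionally, an ``argUrl`` field.

    Returns:
        True when ``apiCall`` is listed under "prevents_extension_uninstall"
        in the pattern file and ``argUrl`` points at chrome://extensions/.
    """
    patterns = GetBehaviorMalicious("prevents_extension_uninstall")
    call_name = api_of_extension.get("apiCall")
    # The original test was ``argUrl in "chrome://extensions/"``: a substring
    # test in the wrong direction, satisfied by an empty argUrl or any short
    # fragment such as "c". Test the URL itself instead.
    arg_url = api_of_extension.get("argUrl")
    if not (isinstance(arg_url, str) and arg_url.startswith("chrome://extensions")):
        return False
    for entry in patterns:
        if "behavior" not in entry:
            continue
        known_calls = {item["apiCall"] for item in entry["behavior"]}
        if call_name in known_calls:
            return True
    return False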
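def KeyloggerTracking(api_of_extension):
    """Return True when the record matches a "keylogging_functionality" pattern.

    Per the original comments, the pattern file lists the API call (the
    blinkAddEventListener call) together with the argument lists that indicate
    key capture, e.g. ``["#document", "keypress"]`` or
    ``["#document", "keydown"]``. A record matches when its ``apiCall`` is one
    of the listed names and its decoded ``args`` equals one of the listed
    argument lists.

    Args:
        api_of_extension: One API-call record (dict) with ``apiCall`` and an
            ``args`` field holding a JSON-encoded list.

    Returns:
        True on the first match, False otherwise (also when ``args`` is not
        valid JSON).
    """
    patterns = GetBehaviorMalicious("keylogging_functionality")
    call_name = api_of_extension["apiCall"]
    for entry in patterns:
        if "behavior" not in entry:
            continue
        known_calls = set()
        known_args = []
        for item in entry["behavior"]:
            if item["apiCall"] == "":
                continue
            known_calls.add(item["apiCall"])
            # Keep the args of *every* pattern entry. The original stored args
            # only for the first entry per apiCall, so a second entry for the
            # same call (keypress vs keydown) could never match.
            if "args" in item:
                known_args.append(item["args"])
        if call_name not in known_calls:
            continue
        try:
            decoded_args = json.loads(api_of_extension["args"])
        except (TypeError, ValueError):
            # Not a JSON string: it cannot equal any pattern argument list.
            continue
        if decoded_args in known_args:
            return True
    return False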
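def StealInformationFormTracking(api_of_extension):
    """Return True when the record suggests form input is being captured.

    Per the original comments the heuristic is: the record is a listed
    "steal_information_form" API call whose ``args`` equal
    ``["FORM", "submit"]`` (a submit listener on a form), and the same
    extension has a ``content_script`` activity recorded for the same
    ``pageUrl`` (i.e. it injected a script into that page). The additional
    XMLHttpRequest "load" check described in the original comments was never
    implemented here.

    Args:
        api_of_extension: One API-call record (dict) with ``apiCall``,
            ``args`` (JSON-encoded), ``extensionId`` and ``pageUrl`` fields.

    Returns:
        True on a match, False otherwise.
    """
    patterns = GetBehaviorMalicious("steal_information_form")
    call_name = api_of_extension["apiCall"]
    for entry in patterns:
        if "behavior" not in entry:
            continue
        # Only the API names are used; the original also built args and
        # activityType lists that it never read.
        known_calls = {item["apiCall"] for item in entry["behavior"] if item["apiCall"] != ""}
        if call_name not in known_calls:
            continue
        # The original test was ``args in '["FORM","submit"]'`` — a substring
        # test that also accepted fragments such as '"FORM"'. Decode and
        # compare the value instead.
        try:
            decoded_args = json.loads(api_of_extension["args"])
        except (TypeError, ValueError):
            continue
        if decoded_args != ["FORM", "submit"]:
            continue
        query = {
            "extensionId": api_of_extension["extensionId"],
            "pageUrl": api_of_extension["pageUrl"],
            "activityType": "content_script",
        }
        # find_one answers "does any such activity exist" without pulling
        # the whole result set into a list just to count it.
        if mycol.find_one(query) is not None:
            return True
    return False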
def BlockAntiVirusSiteTracking(api_of_extension):
    """Return True when the record looks like a blocking webRequest rule aimed at an anti-virus domain.

    Per the original comments: the record's ``apiCall`` must be listed under
    "block_antivirus_site" (webRequestInternal.addEventListener), its decoded
    ``args`` must contain the ``["blocking"]`` element, and one of the ``urls``
    entries of its filter dict must contain one of the anti-virus domains taken
    from the pattern file.

    Args:
        api_of_extension: One API-call record (dict) with ``apiCall`` and a
            JSON-encoded ``args`` field.

    Returns:
        True on the first matching URL, False otherwise.
    """
    patterns = GetBehaviorMalicious("block_antivirus_site")
    for entry in patterns:
        if "behavior" not in entry:
            continue
        known_calls = []
        known_args = []
        for item in entry["behavior"]:
            name = item["apiCall"]
            # Skip empty names and duplicates; args are recorded only for the
            # first occurrence of each name.
            if name == "" or name in known_calls:
                continue
            known_calls.append(name)
            known_args.append(item["args"])
        # The anti-virus domain list is the first pattern argument element
        # that mentions "avira"; an empty list when there is none.
        av_domains = next((arg for args in known_args for arg in args if "avira" in arg), [])
        if api_of_extension["apiCall"] not in known_calls:
            continue
        decoded = json.loads(api_of_extension["args"])
        if ["blocking"] not in decoded:
            continue
        for rule in (ele for ele in decoded if type(ele) is dict):
            # Filter keys are matched by substring ("urls" in key).
            url_keys = [key for key in rule if "urls" in key]
            for _ in url_keys:
                for pattern_url in rule["urls"]:
                    if any(domain in pattern_url for domain in av_domains):
                        return True
    return False
def DeleteReponseHeaderTracking(api_of_extension):
    # NOTE(review): this function is unfinished. It was copied from
    # BlockAntiVirusSiteTracking — it still loads the "block_antivirus_site"
    # patterns and carries that function's comments — and after collecting the
    # API names and args it falls off the end, returning None without looking
    # at api_of_extension at all. It is not called from the __main__ block.
    #
    # Original comments (translated):
    #   Check whether the apiCall is webRequestInternal.addEventListener.
    #   If it is, inspect args.
    #   If args contain the blocking action, check the domain parameter.
    #   If the domain parameter contains anti-virus domains, return True.
    _behavior_info = GetBehaviorMalicious("block_antivirus_site")
    for api_of_behavior in (_behavior_info):
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]
            list_name_api_of_behavior = []
            list_args = []
            for api_behavior in list_api_behavior:
                # Skip empty API names and names already seen; args are kept
                # only for the first occurrence of each name.
                if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
                    list_name_api_of_behavior.append(api_behavior["apiCall"])
                    list_args.append(api_behavior["args"])
def AnalyzerOnlyOneExtension(idx):
    """Count and report the API calls recorded for extension *idx*.

    NOTE(review): the function is in a debugging state. The two bare
    ``exit()`` calls below terminate the process, so everything after the
    first one (the per-call report, the risk lookup and the printed summary)
    is unreachable. The ``testing`` dict is created once per API name and
    then mutated, so every ``beauty_report["apis"]`` slot for that name
    refers to the same object and shows the last record; ``count`` also
    restarts at 1 for each name, overwriting earlier names' slots. The
    ``GetBehaviorMalicious("api.json")`` call looks up a top-level key named
    "api.json" in the pattern file — TODO confirm such a key exists.
    Indentation was reconstructed from a paste that lost it.

    Args:
        idx: Chrome extension id.

    Returns:
        The cursor returned by GetApiCalledByExtension (presumably already
        consumed by the counting loop) — only reached if the ``exit()``
        calls are removed.
    """
    total_call = 0
    count_api = {}
    # Get api called of chrome extension from mongodb with id
    # Count total api called
    # Save element of info to report
    list_api_from_database = GetApiCalledByExtension(idx)
    for api_call in list_api_from_database:
        total_call += 1
        if(api_call["apiCall"] in count_api.keys()):
            count_api[api_call["apiCall"]] += 1
        else:
            count_api[api_call["apiCall"]] = 1
    beauty_report = {"id": idx, "api_called": total_call, "apis": {}}
    print(beauty_report)
    # Debug stop: nothing below this line runs.
    exit()
    for i in count_api:
        testing = {}
        count = 0
        for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
            count +=1
            beauty_report["apis"][str(count)] = {}
            testing["time"] = obj["time"]
            testing["args"] = obj["args"]
            testing["activityType"] = obj["activityType"]
            if("argUrl" in obj.keys()):
                testing["argUrl"] = obj["argUrl"]
            # Same dict object stored under every key for this API name.
            beauty_report["apis"][str(count)] = testing
    print(json.dumps(beauty_report,indent=4))
    # Second debug stop.
    exit()
    print("==========================================")
    # Get malicious, suspicious api form api.json
    patterns = GetBehaviorMalicious("api.json")
    malicious_api = []
    test_api = []
    for i in patterns.items():
        if(i[1]["risk"] == "Malicious"):
            malicious_api.append(i[0])
        if(i[1]["risk"] == "Test"):
            test_api.append(i[0])
    print("[+] Total API called: %d" % (total_call))
    print(json.dumps(count_api, indent=4))
    # Get name api from object count_api
    # Checking api of extension call with malicious and suspicious list api
    # Print api info
    for i in count_api:
        if(i in malicious_api):
            print("[!] Malicious API called: %s (%d times)" %
                  (i, count_api[i]))
            for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
                print("[+] Time call : %s\n==> Args: %s\n" %
                      (obj["time"], obj["args"]))
        if(i in test_api):
            print("Test API called: %s (%d times)" % (i, count_api[i]))
            for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
                print("[+] Time call : %s\n==> Args: %s\n" %
                      (obj["time"], obj["args"]))
    return list_api_from_database
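if __name__ == "__main__":
    # Analyse one extension: pull every recorded API call for the hard-coded
    # extension id and put each record in the bucket of the first behaviour
    # pattern it matches (the order of the checks below is the priority).
    #list_api = AnalyzerOnlyOneExtension("aklmaophoojkakkcijlkcfegdcgifgch")
    list_api = GetApiCalledByExtension("ggaeifnbnleakhecohkbpnbkfafgkkca")
    uninstall_other_extension = []
    prevents_extension_uninstall = []
    keylogging_functionality = []
    steal_information_form = []
    block_antivirus_site = []
    for api in list_api:
        if UninstallBehaviorTracking(api):
            uninstall_other_extension.append(api)
            continue
        if PreventsUninstallTracking(api):
            prevents_extension_uninstall.append(api)
            continue
        if KeyloggerTracking(api):
            keylogging_functionality.append(api)
            continue
        if StealInformationFormTracking(api):
            # Keep the matching record together with every content_script
            # activity the same extension produced on the same page, so the
            # report shows what was injected where.
            all_info_behavior = [api]
            find_activity = mycol.find({
                "extensionId": api["extensionId"],
                "pageUrl": api["pageUrl"],
                "activityType": "content_script",
            })
            all_info_behavior.extend(find_activity)
            steal_information_form.append(all_info_behavior)
            continue
        if BlockAntiVirusSiteTracking(api):
            block_antivirus_site.append(api)
            continue
    print("[+] uninstall_other_extension api:\n", uninstall_other_extension)
    print("[+] prevents_extension_uninstall api:\n", prevents_extension_uninstall)
    print("[+] keylogging_functionality api:\n", keylogging_functionality)
    # Fixed: this line was labelled "keylogging_functionality" although it
    # prints the steal_information_form bucket.
    print("[+] steal_information_form api:\n", steal_information_form)
    print("[+] block_antivirus_site api:\n", block_antivirus_site)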