  1. import pymongo
  2. import json
  3.  
  4.  
def init_database():
    """Open the local MongoDB instance and return the ``ChromeExtension.API`` collection.

    The connection string is hard-coded to an unauthenticated ``localhost``
    server; there is no credential or TLS material here, so this is only
    appropriate for a lab box where the database is not reachable remotely.
    """
    client = pymongo.MongoClient("mongodb://localhost:27017/")
    return client["ChromeExtension"]["API"]
  10.  
# Module-level collection handle: importing this file opens the MongoDB
# client as a side effect, and every detector below reads this global.
mycol = init_database()
  12.  
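def GetBehaviorMalicious(behavior, path="api.json"):
    """Return the pattern definition stored under *behavior* in the JSON file.

    Args:
        behavior: top-level key of the definitions file (a behaviour category
            such as ``"keylogging_functionality"``).
        path: definitions file to read; defaults to ``api.json`` in the
            current working directory, which is what the original always used.

    Returns:
        The JSON value stored under *behavior* (the file is re-read on every call).

    Raises:
        FileNotFoundError / json.JSONDecodeError if the file is missing or
        malformed; KeyError if *behavior* is not a key in the file.
    """
    # Explicit encoding so the definitions decode the same way on every host.
    with open(path, encoding="utf-8") as f:
        definitions = json.load(f)
    return definitions[behavior]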
  19.  
def GetApiCalledByExtension(idx):
    """Return every logged API-call record whose ``extensionId`` equals *idx*.

    The value is whatever ``mycol.find`` returns (a pymongo cursor, not a
    list), so callers that need to iterate it more than once should wrap it
    in ``list()`` first.
    """
    query = {"extensionId": idx}
    return mycol.find(query)
  23.  
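def UninstallBehaviorTracking(api_of_extension):
    """Return True if *api_of_extension* matches the "uninstall_other_extension" pattern.

    The pattern's ``behavior`` list holds entries carrying an ``apiCall``
    name; a record matches when its own ``apiCall`` is one of those names,
    which is how the sibling *Tracking detectors compare as well.

    Fix vs. the original: it tested ``api_of_extension in list_api_behavior``,
    i.e. whole-record equality between a database document (with its own
    ``time``/``args``/``_id`` fields) and a pattern entry, which in practice
    never holds, so this detector could not fire.  It also left
    ``list_api_behavior`` unbound when no pattern entry had a ``behavior`` key.

    Args:
        api_of_extension: one record from the ``API`` collection; must carry
            an ``apiCall`` key.
    """
    _behavior_info = GetBehaviorMalicious("uninstall_other_extension")
    # Same lookup shape as the other detectors: the last entry with a
    # "behavior" key wins; default to an empty list instead of a NameError.
    list_api_behavior = []
    for api_of_behavior in _behavior_info:
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]

    pattern_names = {
        entry["apiCall"] for entry in list_api_behavior if entry.get("apiCall")
    }
    return api_of_extension["apiCall"] in pattern_names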
  34.  
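def PreventsUninstallTracking(api_of_extension):
    """Return True if *api_of_extension* matches "prevents_extension_uninstall".

    A record matches when its ``apiCall`` is one of the pattern's API names
    AND its ``argUrl`` targets the extensions management page
    (``chrome://extensions``).

    Fix vs. the original: the URL test was ``argUrl in "chrome://extensions/"``,
    a substring check in the wrong direction — an empty ``argUrl`` matched
    everything, while a real target such as ``chrome://extensions/?id=...``
    matched nothing.  A prefix check on the URL is used instead.  The
    pattern list also defaults to empty instead of raising NameError when no
    entry carries a ``behavior`` key.

    Args:
        api_of_extension: one record from the ``API`` collection with an
            ``apiCall`` key and, optionally, an ``argUrl`` key.
    """
    _behavior_info = GetBehaviorMalicious("prevents_extension_uninstall")
    list_api_behavior = []
    for api_of_behavior in _behavior_info:
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]

    list_name_api_of_behavior = {entry["apiCall"] for entry in list_api_behavior}

    if api_of_extension["apiCall"] not in list_name_api_of_behavior:
        return False
    arg_url = api_of_extension.get("argUrl")
    # Prefix rather than equality so query strings / fragments still count.
    return isinstance(arg_url, str) and arg_url.startswith("chrome://extensions")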
  49.  
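def KeyloggerTracking(api_of_extension):
    """Return True if *api_of_extension* matches "keylogging_functionality".

    Author's intended logic (translated from the original comments): the
    pattern names an API such as ``blinkAddEventListener``; the record matches
    when its ``apiCall`` is one of the pattern names AND its decoded ``args``
    equal one of the pattern ``args`` entries, e.g.
    ``["#document", "keypress"]`` or ``["#document", "keydown"]``.

    ``args`` on a database record is a JSON-encoded string.  Because that
    string is produced from the extension under analysis, a record whose
    ``args`` is missing or not valid JSON is treated as a non-match instead of
    aborting the whole scan.  The pattern list defaults to empty instead of
    raising NameError when no entry carries a ``behavior`` key.

    Args:
        api_of_extension: one record from the ``API`` collection.
    """
    _behavior_info = GetBehaviorMalicious("keylogging_functionality")
    list_api_behavior = []
    for api_of_behavior in _behavior_info:
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]

    list_name_api_of_behavior = set()
    list_args = []
    for api_behavior in list_api_behavior:
        # Blank API names are skipped; the args of every entry are kept,
        # exactly as before.
        if api_behavior["apiCall"] != "":
            list_name_api_of_behavior.add(api_behavior["apiCall"])
        list_args.append(api_behavior["args"])

    if api_of_extension["apiCall"] not in list_name_api_of_behavior:
        return False
    try:
        decoded_args = json.loads(api_of_extension["args"])
    except (KeyError, TypeError, ValueError):
        return False
    return decoded_args in list_args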
  72.  
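def StealInformationFormTracking(api_of_extension):
    """Return True if *api_of_extension* matches "steal_information_form".

    Author's intended logic (translated from the original comments):
      1. the call is a pattern API (e.g. ``blinkAddEventListener``) whose
         args are ``["FORM", "submit"]``;
      2. the same extension has a ``content_script`` activity on the same
         ``pageUrl`` — i.e. it injected a script into the page to read the form;
      3. the page also shows ``blinkAddEventListener`` with
         ``["XMLHttpRequest", "load"]``, suggesting the captured data is sent
         out.  Step 3 was never implemented and is still not checked here.

    Fix vs. the original: the args test was
    ``record["args"] in '["FORM","submit"]'`` — a substring check that matched
    an empty ``args`` string and depended on the exact serialisation (spacing,
    quoting).  The args are now JSON-decoded and compared structurally, and a
    record whose ``args`` is missing or malformed is a non-match.  The pattern
    list defaults to empty instead of raising NameError.

    Args:
        api_of_extension: one record from the ``API`` collection with
            ``apiCall``, ``args``, ``extensionId`` and ``pageUrl`` keys.
    """
    _behavior_info = GetBehaviorMalicious("steal_information_form")
    list_api_behavior = []
    for api_of_behavior in _behavior_info:
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]

    # Only the API names are used; the original also collected the pattern's
    # args and activityType values but never read them.
    list_name_api_of_behavior = {
        api_behavior["apiCall"]
        for api_behavior in list_api_behavior
        if api_behavior["apiCall"] != ""
    }

    if api_of_extension["apiCall"] not in list_name_api_of_behavior:
        return False
    try:
        decoded_args = json.loads(api_of_extension["args"])
    except (KeyError, TypeError, ValueError):
        return False
    if decoded_args != ["FORM", "submit"]:
        return False

    # Step 2: any content_script activity by this extension on the same page.
    find_activity = mycol.find({
        "extensionId": api_of_extension["extensionId"],
        "pageUrl": api_of_extension["pageUrl"],
        "activityType": "content_script",
    })
    return any(True for _ in find_activity)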
  105.  
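def BlockAntiVirusSiteTracking(api_of_extension):
    """Return True if *api_of_extension* matches "block_antivirus_site".

    Author's intended logic (translated from the original comments): the call
    is a pattern API such as ``webRequestInternal.addEventListener``; its
    args include the ``["blocking"]`` option; and the request filter's
    ``urls`` list contains one of the antivirus domains from the pattern.

    The antivirus domain list is located inside the pattern's ``args`` by
    taking the first element that contains the substring ``"avira"``.  That
    marker is fragile: if that vendor is removed from api.json this detector
    silently stops matching.  TODO(review): give the list its own key.

    Robustness changes vs. the original: a record whose ``args`` is missing
    or not valid JSON is a non-match instead of aborting the scan; a domain
    "list" that is actually a single string is wrapped so it is not iterated
    character by character (which would match almost any URL); the request
    filter is recognised by an exact ``"urls"`` key rather than any key
    containing that substring; and the pattern list defaults to empty.

    Args:
        api_of_extension: one record from the ``API`` collection with
            ``apiCall`` and ``args`` keys.
    """
    _behavior_info = GetBehaviorMalicious("block_antivirus_site")
    list_api_behavior = []
    for api_of_behavior in _behavior_info:
        if "behavior" in api_of_behavior:
            list_api_behavior = api_of_behavior["behavior"]

    list_name_api_of_behavior = set()
    list_args = []
    for api_behavior in list_api_behavior:
        if api_behavior["apiCall"] != "":
            list_name_api_of_behavior.add(api_behavior["apiCall"])
        list_args.append(api_behavior["args"])

    def parse_args(pattern_args):
        """Return the first element of any pattern args entry that mentions "avira"."""
        for entry in pattern_args:
            for element in entry:
                if "avira" in element:
                    return element
        return []

    list_av = parse_args(list_args)
    if isinstance(list_av, str):
        list_av = [list_av]

    if api_of_extension["apiCall"] not in list_name_api_of_behavior:
        return False
    try:
        decoded_args = json.loads(api_of_extension["args"])
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(decoded_args, list) or ["blocking"] not in decoded_args:
        return False

    for element in decoded_args:
        # The request filter is the dict argument carrying a "urls" list.
        if isinstance(element, dict) and "urls" in element:
            for pattern_url in element["urls"]:
                if any(domain_av in pattern_url for domain_av in list_av):
                    return True
    return False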
  152.  
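def DeleteReponseHeaderTracking(api_of_extension):
    """Stub for a response-header-removal detector; always returns False.

    The original body was copied from BlockAntiVirusSiteTracking (same
    comments, same ``"block_antivirus_site"`` pattern key) and stopped after
    building the API-name list without ever returning, so callers received
    ``None``.  It now returns ``False`` explicitly so it can be wired into the
    main loop without a surprise.  TODO(review): implement against the
    header-removal pattern defined in api.json, not the antivirus one.  The
    misspelled name ("Reponse") is kept for callers.

    Args:
        api_of_extension: one record from the ``API`` collection (unused).
    """
    return False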
  172.  
def AnalyzerOnlyOneExtension(idx):
    """Print a per-extension summary of logged API calls for extension *idx*.

    NOTE(review): this function is in a debugging state.  The ``exit()`` on
    the line after ``print(beauty_report)`` terminates the process, so every
    statement below it — the per-call report, the risk classification and
    the final ``return`` — is unreachable as written.  Left byte-identical
    here; only comments added.
    """
    total_call = 0
    count_api = {}

    # Get api called of chrome extension from mongodb with id
    # Count total api called
    # Save element of info to report

    list_api_from_database = GetApiCalledByExtension(idx)
    for api_call in list_api_from_database:
        total_call += 1
        if(api_call["apiCall"] in count_api.keys()):
            count_api[api_call["apiCall"]] += 1
        else:
            count_api[api_call["apiCall"]] = 1

    beauty_report = {"id": idx, "api_called": total_call, "apis": {}}

    # Debug leftover: prints the skeleton report and exits the interpreter.
    print(beauty_report)
    exit()
    for i in count_api:
        # NOTE(review): one ``testing`` dict is reused for every record of
        # this API and stored by reference, so all numbered entries end up
        # aliasing the same dict holding the last record's values.
        testing = {}
        count = 0
        for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
            count +=1
            beauty_report["apis"][str(count)] = {}
            testing["time"] = obj["time"]
            testing["args"] = obj["args"]
            testing["activityType"] = obj["activityType"]
            if("argUrl" in obj.keys()):
                testing["argUrl"] = obj["argUrl"]
            beauty_report["apis"][str(count)] = testing
        # Second debug exit: only the first API's report would ever print.
        print(json.dumps(beauty_report,indent=4))
        exit()
    print("==========================================")
   
    # Get malicious, suspicious api form api.json
    # NOTE(review): this looks up the key "api.json" *inside* api.json, which
    # raises KeyError unless the file really has such a key; the "risk" field
    # read below is also not used by any other detector in this file.
    patterns = GetBehaviorMalicious("api.json")
    malicious_api = []
    test_api = []
    for i in patterns.items():
        if(i[1]["risk"] == "Malicious"):
            malicious_api.append(i[0])
        if(i[1]["risk"] == "Test"):
            test_api.append(i[0])

    print("[+] Total API called: %d" % (total_call))
    print(json.dumps(count_api, indent=4))

    # Get name api from object count_api
    # Checking api of extension call with malicious and suspicious list api
    # Print api info
    for i in count_api:
        if(i in malicious_api):
            print("[!] Malicious API called: %s (%d times)" %
                  (i, count_api[i]))
            for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
                print("[+] Time call : %s\n==> Args: %s\n" %
                      (obj["time"], obj["args"]))
        if(i in test_api):
            print("Test API called: %s (%d times)" % (i, count_api[i]))
            for obj in (mycol.find({"extensionId": idx, "apiCall": i})):
                print("[+] Time call : %s\n==> Args: %s\n" %
                      (obj["time"], obj["args"]))

    # NOTE(review): the cursor was already fully iterated by the counting
    # loop above — callers presumably get an exhausted cursor; confirm.
    return list_api_from_database
  239.  
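if __name__ == "__main__":
    # Hard-coded extension id under analysis.  The commented call runs the
    # per-extension summary report instead of the behaviour detectors.
    #list_api = AnalyzerOnlyOneExtension("aklmaophoojkakkcijlkcfegdcgifgch")
    list_api = GetApiCalledByExtension("ggaeifnbnleakhecohkbpnbkfafgkkca")

    uninstall_other_extension = []
    prevents_extension_uninstall = []
    keylogging_functionality = []
    steal_information_form = []
    block_antivirus_site = []

    # Each record is attributed to the first detector that fires, in this
    # fixed order, so a call matching several behaviours is reported once.
    for api in list_api:
        if UninstallBehaviorTracking(api):
            uninstall_other_extension.append(api)
        elif PreventsUninstallTracking(api):
            prevents_extension_uninstall.append(api)
        elif KeyloggerTracking(api):
            keylogging_functionality.append(api)
        elif StealInformationFormTracking(api):
            # Keep the triggering call together with the content_script
            # activity on the same page that made it suspicious.
            all_info_behavior = [api]
            find_activity = mycol.find({
                "extensionId": api["extensionId"],
                "pageUrl": api["pageUrl"],
                "activityType": "content_script",
            })
            all_info_behavior.extend(find_activity)
            steal_information_form.append(all_info_behavior)
        elif BlockAntiVirusSiteTracking(api):
            block_antivirus_site.append(api)

    print("[+] uninstall_other_extension api:\n", uninstall_other_extension)
    print("[+] prevents_extension_uninstall api:\n", prevents_extension_uninstall)
    print("[+] keylogging_functionality api:\n", keylogging_functionality)
    # Fixed: this line previously reused the keylogging label, so the form
    # stealing results were printed under the wrong heading.
    print("[+] steal_information_form api:\n", steal_information_form)
    print("[+] block_antivirus_site api:\n", block_antivirus_site)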