Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python -W ignore::DeprecationWarning
- import pymongo
- import json
- from collections import Counter
- from operator import itemgetter
- def init_thesis(collection):
- myclient = pymongo.MongoClient("mongodb://localhost:27017/")
- mydb = myclient["Thesis"]
- mycol = mydb[collection]
- return mycol
- def init_database(collection):
- myclient = pymongo.MongoClient("mongodb://localhost:27017/")
- mydb = myclient["ChromeExtension"]
- mycol = mydb[collection]
- return mycol
- mycol = init_database("API")
- # get behavior form file api.json define
- # Return json behavior
- def GetBehaviorMalicious(behavior):
- with open(r"G:\New\Extensions\KhoaLuan\source\sandbox\api.json") as f:
- _behavior = json.load(f)
- return _behavior[behavior]
- def GetApiCalledByExtension(idx):
- list_api_from_database = mycol.find({"extensionId": idx})
- return list_api_from_database
- def UninstallBehaviorTracking(api_of_extension):
- _behavior_info = GetBehaviorMalicious("uninstall_other_extension")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- #Checking
- if(api_of_extension in list_api_behavior):
- return True
- return False
- def PreventsUninstallTracking(api_of_extension):
- _behavior_info = GetBehaviorMalicious("prevents_extension_uninstall")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- for api_behavior in list_api_behavior:
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- if(api_of_extension["apiCall"] in list_name_api_of_behavior):
- if("argUrl" in api_of_extension.keys() and api_of_extension["argUrl"] in "chrome://extensions/"):
- return True
- return False
- def KeyloggerTracking(api_of_extension):
- # Kiem tra apiCall co nam trong danh sach api hanh vi cua keylloging hay khong, cu the la:blinkAddEventListener
- # Neu có api blinkAddEventListener thi kiem tra args duoc truyen vao
- # args [ "#document", "keypress"] hoac "args": [ "#document", "keydown" ] thi return True
- # -> Extension chua hanh vi cua keylogger
- _behavior_info = GetBehaviorMalicious("keylogging_functionality")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- list_args = []
- for api_behavior in list_api_behavior:
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- list_args.append(api_behavior["args"])
- if(api_of_extension["apiCall"] in list_name_api_of_behavior):
- if(json.loads(api_of_extension["args"]) in list_args):
- return True
- return False
- def StealInformationFormTracking(api_of_extension):
- # Kiem tra blinkAddEventListener api co gia tri args ["FORM","submit"]
- # Neu co thi lay pageUrl
- # Kiem tra pageUrl co activityType la content_script
- # Neu co thi extension da inject script vao page de get form thong tin
- # Den day kiem tra xem pageUrl co api blinkAddEventListener voi tham so ["XMLHttpRequest","load"]
- # Neu co kha nang cao se gui thong tin dang nhap ra ngoai
- _behavior_info = GetBehaviorMalicious("steal_information_form")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- list_args = []
- list_activityType = []
- for api_behavior in list_api_behavior:
- # Kiem tra api trong list_name_api_of_behavior hay khong chua, khong add cac api null
- # Neu chua co thi them vao list
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- list_args.append(api_behavior["args"])
- if("activityType" in api_behavior):
- list_activityType.append(api_behavior["activityType"])
- #Kiem tra cac behavior
- if(api_of_extension["apiCall"] in list_name_api_of_behavior):
- if(api_of_extension["args"] in "[\"FORM\",\"submit\"]"):
- find_activity = mycol.find({"extensionId": api_of_extension["extensionId"],"pageUrl":api_of_extension["pageUrl"],"activityType":"content_script"})
- if(len(list(find_activity)) != 0):
- return True
- return False
- def BlockAntiVirusSiteTracking(api_of_extension):
- # Kiem tra api co phai Apicall co phai la webRequestInternal.addEventListener
- # Neu la api do thi kiem tra args
- # Args chua hanh dong blocking thi kieu tra tham so domain
- # Neu tham domain co chua cac domain antivius thi return True
- _behavior_info = GetBehaviorMalicious("block_antivirus_site")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- list_args = []
- for api_behavior in list_api_behavior:
- # Kiem tra api trong list_name_api_of_behavior hay khong chua, khong add cac api null
- # Neu chua co thi them vao list
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- list_args = (api_behavior["args"])
- #Kiem tra behavior
- # matches = [x for x in white_list_testcase if x in i["request"]["url"]]
- if(api_of_extension["apiCall"] in list_name_api_of_behavior):
- if("webRequest" in api_of_extension["other"]):
- cancel_stt = json.loads(api_of_extension["other"]["webRequest"])
- if("cancel" in cancel_stt):
- matches = [x for x in list_args if x in api_of_extension["pageUrl"]]
- if(cancel_stt["cancel"] == True and len(matches) != 0 ):
- return True
- #if(list_args in api_of_extension["apiCall"] ) :
- # print(api_of_extension)
- return False
- def DeleteReponseHeaderTracking(api_of_extension):
- # Kiem tra activityType co phai web_request hay khong
- # Neu phai thi chuyen sang kiem tra apiCall co phai la webRequest.onHeadersReceived
- # Kiem tra thuoc tinh other co chua webRequest["deleted_response_headers"]
- # Kiem tra webRequest["deleted_response_headers"] co chua cac gia tri header bao mat hay khong
- _behavior_info = GetBehaviorMalicious("deleted_response_headers")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- for api_behavior in list_api_behavior:
- # Kiem tra api trong list_name_api_of_behavior hay khong chua, khong add cac api null
- # Neu chua co thi them vao list
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- # Checking
- if((api_of_extension["apiCall"] in list_name_api_of_behavior)):
- if("webRequest" in api_of_extension["other"]):
- if("deleted_response_headers" in api_of_extension["other"]["webRequest"]):
- return True
- return False
- def InjectsDynamicJsTracking(api_of_extension):
- _behavior_info = GetBehaviorMalicious("injects_dynamic_javascript")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- list_args = []
- for api_behavior in list_api_behavior:
- # Kiem tra api trong list_name_api_of_behavior hay khong chua, khong add cac api null
- # Neu chua co thi them vao list
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- list_args = (api_behavior["args"])
- #Tracking APi
- if((api_of_extension["apiCall"] in list_name_api_of_behavior)):
- for args_in_apicall in json.loads(api_of_extension["args"]):
- if([x for x in list_args if x in args_in_apicall]):
- return True
- return False
- def GetAllCookiesTracking(api_of_extension):
- _behavior_info = GetBehaviorMalicious("get_all_cookies")
- for api_of_behavior in (_behavior_info):
- if "behavior" in api_of_behavior:
- list_api_behavior = api_of_behavior["behavior"]
- list_name_api_of_behavior = []
- for api_behavior in list_api_behavior:
- # Kiem tra api trong list_name_api_of_behavior hay khong chua, khong add cac api null
- # Neu chua co thi them vao list
- if(api_behavior["apiCall"] != "" and api_behavior["apiCall"] not in list_name_api_of_behavior):
- list_name_api_of_behavior.append(api_behavior["apiCall"])
- #Tracking APi
- if((api_of_extension["apiCall"] in list_name_api_of_behavior)):
- return True
- return False
- white_list_http = ["https://fbsbx.com/ajax/bz","https://www.paypal.com/signin/client-log","https://www.amazon.com/gp/recent-history-footer/external/rhf-handler.html","https://www.paypal.com/auth/verifychallenge"]
- white_list_testcase =["facebook","fb","google","timo","paypal","amazon","shopee","twitter","bitdefender","norton","kaspersky","eset","myvisualiq"]
- def NetworkRequest4xxTracking(idx):
- http_request_4xx = []
- mycol = init_database("NETWORK")
- my_network = mycol.find({"idx":idx})
- for info in my_network:
- path_file_network = info["Path"]
- with open(path_file_network, 'r') as f:
- entry = json.load(f)
- entries = entry["log"]["entries"]
- for i in entries:
- if(i["response"]["status"] >= 400 and i["response"]["status"] < 500):
- matches = [x for x in white_list_testcase if x in i["request"]["url"]]
- if(len(matches)!=0):
- continue
- if(i["request"]["url"] not in white_list_http):
- http_request_4xx.append({i["request"]["url"]:i["response"]["status"]})
- return http_request_4xx
- def DnsResponseTracking(idx):
- dns_domain_whitelist = []
- with open(r"G:\New\Extensions\KhoaLuan\source\sandbox\white_list_dns.json", 'r') as f:
- entry = json.load(f)
- dns_domain_whitelist = entry["domain"]
- dns_no_response = []
- mycol = init_database("DNS")
- list_dns_of_idx = mycol.find({"idx":idx})
- for dns_record in list_dns_of_idx:
- if(dns_record["request"]["qname"][:-1] in dns_domain_whitelist):
- continue
- if("response" not in dns_record):
- dns_no_response.append(dns_record)
- return dns_no_response
- def AnalyzerOnlyOneExtension(idx):
- total_call = 0
- count_api = {}
- api_called = []
- # Get api called of chrome extension from mongodb with id
- # Count total api called
- # Save element of info to report
- list_api_from_database = GetApiCalledByExtension(idx)
- for api_call in list_api_from_database:
- api_called.append(api_call)
- total_call += 1
- if(api_call["apiCall"] in count_api.keys()):
- count_api[api_call["apiCall"]] += 1
- else:
- count_api[api_call["apiCall"]] = 1
- beauty_report = {"id": idx, "total_api": total_call, "apis": count_api,"api_called":api_called}
- print("==========================================")
- list_api = GetApiCalledByExtension(idx)
- uninstall_other_extension=[]
- prevents_extension_uninstall=[]
- keylogging_functionality=[]
- steal_information_form=[]
- block_antivirus_site=[]
- deleted_response_headers=[]
- injects_dynamic_javascript=[]
- get_all_cookies=[]
- http_request_4xx = []
- dns_no_response = []
- for api in list_api:
- if (UninstallBehaviorTracking(api)):
- uninstall_other_extension.append(api)
- continue
- # detect PreventsUninstallTracking
- if(PreventsUninstallTracking(api)):
- prevents_extension_uninstall.append(api)
- continue
- if(KeyloggerTracking(api)):
- keylogging_functionality.append(api)
- continue
- if(StealInformationFormTracking(api)):
- all_info_behavior = []
- all_info_behavior.append(api)
- find_activity = mycol.find({"extensionId": api["extensionId"],"pageUrl":api["pageUrl"],"activityType":"content_script"})
- for api_content_script in find_activity:
- all_info_behavior.append(api_content_script)
- steal_information_form.append(all_info_behavior)
- continue
- if(BlockAntiVirusSiteTracking(api)):
- block_antivirus_site.append(api)
- continue
- if(DeleteReponseHeaderTracking(api)):
- deleted_response_headers.append(api)
- continue
- if(InjectsDynamicJsTracking(api)):
- injects_dynamic_javascript.append(api)
- continue
- if(GetAllCookiesTracking(api)):
- get_all_cookies.append(api)
- continue
- http_request_4xx = NetworkRequest4xxTracking(idx)
- dns_no_response = DnsResponseTracking(idx)
- beauty_report["uninstall_other_extension"] = uninstall_other_extension
- beauty_report["prevents_extension_uninstall"] = prevents_extension_uninstall
- beauty_report["keylogging_functionality"] = keylogging_functionality
- beauty_report["steal_information_form"] = steal_information_form
- beauty_report["block_antivirus_site"] = block_antivirus_site
- beauty_report["deleted_response_headers"] = deleted_response_headers
- beauty_report["injects_dynamic_javascript"] = injects_dynamic_javascript
- beauty_report["get_all_cookies"] = get_all_cookies
- beauty_report["http_request_4xx"] = http_request_4xx
- beauty_report["dns_no_response"] = dns_no_response
- col = init_database("REPORT")
- col.insert(beauty_report,check_keys=False)
- print("[+] Inserted ",idx)
- def AnalyzerAllExtension():
- # Doc tung report trong Database "REPORT" bang mycol.find
- malicious = 0
- suspicious = 0
- clean = 0
- top_10_extension_malicious = []
- top_10_api_called = {}
- info = {}
- uninstall_other_extension= 0
- prevents_extension_uninstall=0
- keylogging_functionality=0
- steal_information_form=0
- block_antivirus_site=0
- deleted_response_headers=0
- injects_dynamic_javascript=0
- get_all_cookies=0
- http_request_4xx = 0
- dns_no_response = 0
- mycol = init_database("REPORT")
- a = mycol.estimated_document_count()
- print("[+] Total %d reports"%(a))
- for ext in mycol.find():
- is_malicious = False
- is_suspicious = False
- count = 0
- behavior = []
- if(len(ext["uninstall_other_extension"]) != 0):
- count += 1
- uninstall_other_extension +=1
- behavior.append("uninstall_other_extension")
- is_malicious = True
- if(len(ext["prevents_extension_uninstall"]) != 0):
- count += 1
- prevents_extension_uninstall +=1
- behavior.append("prevents_extension_uninstall")
- is_malicious = True
- if(len(ext["keylogging_functionality"]) != 0):
- count += 1
- keylogging_functionality +=1
- behavior.append("keylogging_functionality")
- is_malicious = True
- if(len(ext["steal_information_form"]) != 0):
- count += 1
- steal_information_form +=1
- behavior.append("steal_information_form")
- is_malicious = True
- if(len(ext["block_antivirus_site"]) != 0):
- count += 1
- block_antivirus_site +=1
- behavior.append("block_antivirus_site")
- is_malicious = True
- if(len(ext["deleted_response_headers"]) != 0):
- count += 1
- deleted_response_headers +=1
- behavior.append("deleted_response_headers")
- is_malicious = True
- if(len(ext["injects_dynamic_javascript"]) != 0):
- count += 1
- injects_dynamic_javascript +=1
- behavior.append("injects_dynamic_javascript")
- if(is_malicious == False):
- is_suspicious = True
- if(len(ext["get_all_cookies"]) != 0):
- count += 1
- get_all_cookies +=1
- behavior.append("get_all_cookies")
- if(is_malicious == False):
- is_suspicious = True
- if(len(ext["http_request_4xx"]) != 0):
- count += 1
- http_request_4xx +=1
- behavior.append("http_request_4xx")
- if(is_malicious == False):
- is_suspicious = True
- if(len(ext["dns_no_response"]) != 0):
- #count += 1
- dns_no_response +=1
- #behavior.append("dns_no_response")
- if(is_malicious):
- malicious +=1
- elif(is_suspicious):
- suspicious +=1
- else:
- clean +=1
- info["id"] = ext["id"]
- info["count"] = count
- info["behavior"] = behavior
- datatest = info.copy()
- top_10_extension_malicious.append(datatest)
- for api_name in ext["apis"]:
- if(api_name not in top_10_api_called):
- top_10_api_called[api_name] =ext["apis"][api_name]
- else:
- top_10_api_called[api_name] += ext["apis"][api_name]
- top_10_api_called = Counter(top_10_api_called)
- top10 = dict(top_10_api_called.most_common(10))
- print("[+] Malicious:",malicious)
- print(" |- uninstall_other_extension:",uninstall_other_extension)
- print(" |- prevents_extension_uninstall:",prevents_extension_uninstall)
- print(" |- keylogging_functionality:",keylogging_functionality)
- print(" |- steal_information_form:",steal_information_form)
- print(" |- block_antivirus_site:",block_antivirus_site)
- print(" |- deleted_response_headers:",deleted_response_headers)
- print("[+] Suspicious:",suspicious)
- print(" |- injects_dynamic_javascript:",injects_dynamic_javascript)
- print(" |- get_all_cookies:",get_all_cookies)
- print(" |- http_request_4xx:",http_request_4xx)
- print("[+] Clean:",clean)
- print(" |- dns_no_response:",dns_no_response)
- print("[*] Top 10 API Called:")
- print(top10)
- print("[*] Top 10 Extension:")
- print(sorted(top_10_extension_malicious, key = lambda i: i['count'],reverse=True)[:10])
- if __name__ == "__main__":
- AnalyzerAllExtension()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement