1 #!/usr/bin/env python -W ignore::DeprecationWarning
2
3import pymongo
4import json
5from collections import Counter
6from operator import itemgetter
7
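def init_thesis(collection, uri="mongodb://localhost:27017/"):
    """Return the ``collection`` handle from the ``Thesis`` database.

    Args:
        collection: Name of the collection to open.
        uri: MongoDB connection string. Defaults to the unauthenticated
            local instance the original code hard-coded; pass another URI
            to point at a different server.

    Returns:
        A ``pymongo`` collection object.

    Note:
        A new ``MongoClient`` is created on every call and nothing here
        closes it; callers that open many collections should reuse one
        client instead.
    """
    client = pymongo.MongoClient(uri)
    return client["Thesis"][collection]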
13
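def init_database(collection, uri="mongodb://localhost:27017/"):
    """Return the ``collection`` handle from the ``ChromeExtension`` database.

    Args:
        collection: Name of the collection to open (``"API"``,
            ``"NETWORK"``, ``"DNS"``, ``"REPORT"`` are used in this file).
        uri: MongoDB connection string. Defaults to the unauthenticated
            local instance the original code hard-coded.

    Returns:
        A ``pymongo`` collection object.

    Note:
        A new ``MongoClient`` is created on every call and nothing here
        closes it.
    """
    client = pymongo.MongoClient(uri)
    return client["ChromeExtension"][collection]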
19
# Module-level handle to the "API" collection. It is opened at import
# time (so importing this module connects to MongoDB) and is shared by
# GetApiCalledByExtension, StealInformationFormTracking and
# AnalyzerOnlyOneExtension below.
mycol = init_database(collection="API")
21
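# Look up one behavior definition in the api.json signature file.
def GetBehaviorMalicious(behavior, path=r"G:\New\Extensions\KhoaLuan\source\sandbox\api.json"):
    """Return the entry stored under ``behavior`` in the api.json definitions.

    Args:
        behavior: Key of the behavior definition to return, e.g.
            ``"keylogging_functionality"``.
        path: Location of the JSON definition file. Defaults to the
            sandbox path hard-coded by the original author; override it
            when the file lives elsewhere.

    Returns:
        Whatever the file stores under ``behavior``. The detectors in this
        file iterate it and read a ``"behavior"`` list from each element.

    Raises:
        FileNotFoundError: if ``path`` does not exist.
        json.JSONDecodeError: if the file is not valid JSON.
        KeyError: if ``behavior`` is not defined in the file.

    Note:
        The file is re-read and re-parsed on every call, and the detectors
        call this once per API record, so a large api.json is parsed many
        times per analysed extension.
    """
    # JSON is UTF-8 by specification; do not depend on the platform default.
    with open(path, encoding="utf-8") as f:
        definitions = json.load(f)
    return definitions[behavior]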
28
def GetApiCalledByExtension(idx):
    """Return a cursor over every record in the module-level ``mycol``
    ("API") collection whose ``extensionId`` equals ``idx``.

    The pymongo cursor is returned as-is; callers iterate it themselves.
    """
    query = {"extensionId": idx}
    return mycol.find(query)
32
def UninstallBehaviorTracking(api_of_extension):
    """Return True if ``api_of_extension`` is listed under
    ``uninstall_other_extension`` in api.json.

    NOTE(review): unlike the other detectors in this file, this compares
    the whole record against the ``"behavior"`` list (``record in list``)
    rather than its ``"apiCall"`` name; whether that matches the shape of
    the api.json entries for this behavior cannot be verified here.
    """
    definitions = GetBehaviorMalicious("uninstall_other_extension")
    return any(
        api_of_extension in entry["behavior"]
        for entry in definitions
        if "behavior" in entry
    )
43
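def PreventsUninstallTracking(api_of_extension):
    """Detect an API record that targets the ``chrome://extensions`` page.

    Matches when ``api_of_extension["apiCall"]`` is one of the calls listed
    under ``prevents_extension_uninstall`` in api.json AND the record has a
    non-empty string ``argUrl`` that is a piece of ``"chrome://extensions/"``
    (substring test kept from the original).

    Args:
        api_of_extension: One API-activity document (dict) with at least
            an ``"apiCall"`` key and optionally ``"argUrl"``.

    Returns:
        True if the record matches, False otherwise.
    """
    definitions = GetBehaviorMalicious("prevents_extension_uninstall")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = [item["apiCall"] for item in entry["behavior"]]
        if api_of_extension["apiCall"] not in known_calls:
            continue
        arg_url = api_of_extension.get("argUrl")
        # "" is a substring of every string, so the original test accepted
        # an empty argUrl; require a non-empty str before the substring test.
        if isinstance(arg_url, str) and arg_url and arg_url in "chrome://extensions/":
            return True
    return False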
58
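def KeyloggerTracking(api_of_extension):
    """Detect a keystroke listener registration.

    Author's notes (translated): check whether ``apiCall`` is one of the
    keylogging APIs in api.json (specifically ``blinkAddEventListener``);
    if so, compare the call's ``args`` against the listed signatures, e.g.
    ``["#document", "keypress"]`` or ``["#document", "keydown"]``; a match
    means the extension shows keylogger behavior.

    Args:
        api_of_extension: One API-activity document with ``"apiCall"`` and
            a JSON-encoded string ``"args"``.

    Returns:
        True if the record's ``apiCall`` is listed and its decoded ``args``
        equal the ``args`` of any listed entry, False otherwise.

    Raises:
        json.JSONDecodeError / TypeError: if ``args`` is not a JSON string.
    """
    definitions = GetBehaviorMalicious("keylogging_functionality")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = []
        known_args = []
        for item in entry["behavior"]:
            if item["apiCall"] == "":
                continue
            if item["apiCall"] not in known_calls:
                known_calls.append(item["apiCall"])
            # Collect the args of every entry, not only of the first entry
            # per apiCall: the original appended args only when the name was
            # new, which dropped the second ("keydown") variant described in
            # the author's notes.
            known_args.append(item["args"])
        if api_of_extension["apiCall"] not in known_calls:
            continue
        if json.loads(api_of_extension["args"]) in known_args:
            return True
    return False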
81
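def StealInformationFormTracking(api_of_extension):
    """Detect a form-submit listener backed by an injected content script.

    Author's notes (translated): if ``blinkAddEventListener`` is called with
    ``args == ["FORM","submit"]``, take the record's ``pageUrl`` and check
    whether the same extension has ``content_script`` activity on that page
    (i.e. it injected a script to read the form); if so the extension is
    likely to send the captured form data out.

    Conditions checked here:
      1. ``api_of_extension["apiCall"]`` is listed under
         ``steal_information_form`` in api.json;
      2. ``api_of_extension["args"]`` is a non-empty piece of the string
         ``["FORM","submit"]`` (substring test kept from the original);
      3. the module-level ``mycol`` collection holds at least one document
         with the same ``extensionId`` and ``pageUrl`` and
         ``activityType == "content_script"``.

    Args:
        api_of_extension: One API-activity document with ``"apiCall"``,
            ``"args"``, ``"extensionId"`` and ``"pageUrl"`` keys.

    Returns:
        True if all three conditions hold, False otherwise.
    """
    definitions = GetBehaviorMalicious("steal_information_form")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = []
        for item in entry["behavior"]:
            if item["apiCall"] != "" and item["apiCall"] not in known_calls:
                known_calls.append(item["apiCall"])
        if api_of_extension["apiCall"] not in known_calls:
            continue
        args = api_of_extension["args"]
        # "" is a substring of every string; the original would therefore
        # treat a record with empty args as a form-submit listener.
        if not args or args not in "[\"FORM\",\"submit\"]":
            continue
        query = {
            "extensionId": api_of_extension["extensionId"],
            "pageUrl": api_of_extension["pageUrl"],
            "activityType": "content_script",
        }
        # Only existence matters: stop at the first matching document
        # instead of materialising the whole cursor with list().
        if next(iter(mycol.find(query)), None) is not None:
            return True
    return False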
114
def BlockAntiVirusSiteTracking(api_of_extension):
    """Detect a webRequest listener that cancels requests to listed domains.

    Author's notes (translated): check whether ``apiCall`` is
    ``webRequestInternal.addEventListener``; if so inspect the arguments;
    if they contain a blocking action, check the domain parameter; if it
    contains anti-virus domains, return True.

    What the code checks:
      1. ``api_of_extension["apiCall"]`` is listed under
         ``block_antivirus_site`` in api.json;
      2. ``api_of_extension["other"]`` has a ``"webRequest"`` JSON string
         whose decoded value has a ``"cancel"`` key equal to True;
      3. at least one of the strings taken from the api.json entry's
         ``args`` occurs in ``api_of_extension["pageUrl"]``.

    Returns:
        True if all conditions hold, False otherwise.
    """
    definitions = GetBehaviorMalicious("block_antivirus_site")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = []
        blocked_domains = []
        for item in entry["behavior"]:
            name = item["apiCall"]
            if name == "" or name in known_calls:
                continue
            known_calls.append(name)
            # As in the original, each new apiCall replaces the domain list,
            # so only the last entry's ``args`` are used.
            blocked_domains = item["args"]
        if api_of_extension["apiCall"] not in known_calls:
            continue
        other = api_of_extension["other"]
        if "webRequest" not in other:
            continue
        web_request = json.loads(other["webRequest"])
        if "cancel" not in web_request:
            continue
        page_url = api_of_extension["pageUrl"]
        domain_hit = any(domain in page_url for domain in blocked_domains)
        # ``== True`` (not ``is True``) kept so a truthy 1 still matches.
        if web_request["cancel"] == True and domain_hit:
            return True
    return False
148
def DeleteReponseHeaderTracking(api_of_extension):
    """Detect a webRequest activity that removed response headers.

    Author's notes (translated): check that the activity is a web_request,
    that the apiCall is ``webRequest.onHeadersReceived``, that ``other``
    carries ``webRequest["deleted_response_headers"]``, and whether the
    deleted headers include security headers.

    What the code checks: ``api_of_extension["apiCall"]`` is listed under
    ``deleted_response_headers`` in api.json and
    ``api_of_extension["other"]["webRequest"]`` contains the key
    ``"deleted_response_headers"``. The header names themselves are not
    inspected.

    Returns:
        True if both conditions hold, False otherwise.
    """
    definitions = GetBehaviorMalicious("deleted_response_headers")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = []
        for item in entry["behavior"]:
            name = item["apiCall"]
            if name != "" and name not in known_calls:
                known_calls.append(name)
        if api_of_extension["apiCall"] not in known_calls:
            continue
        other = api_of_extension["other"]
        if "webRequest" in other and "deleted_response_headers" in other["webRequest"]:
            return True
    return False
174
def InjectsDynamicJsTracking(api_of_extension):
    """Detect dynamic script injection.

    ``api_of_extension["apiCall"]`` must be listed under
    ``injects_dynamic_javascript`` in api.json; then each element of the
    record's JSON-decoded ``args`` is searched for any of the marker
    strings taken from the api.json entry's ``args``.

    Returns:
        True at the first argument containing a marker, False otherwise.

    Raises:
        json.JSONDecodeError / TypeError: if ``args`` is not a JSON string
        or an element does not support ``in``.
    """
    definitions = GetBehaviorMalicious("injects_dynamic_javascript")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = []
        markers = []
        for item in entry["behavior"]:
            name = item["apiCall"]
            if name == "" or name in known_calls:
                continue
            known_calls.append(name)
            # Each new apiCall replaces the marker list (last entry wins),
            # exactly as the original did.
            markers = item["args"]
        if api_of_extension["apiCall"] not in known_calls:
            continue
        for argument in json.loads(api_of_extension["args"]):
            if any(marker in argument for marker in markers):
                return True
    return False
196
def GetAllCookiesTracking(api_of_extension):
    """Return True if ``api_of_extension["apiCall"]`` is one of the
    (non-empty) API names listed under ``get_all_cookies`` in api.json.

    Presence of the call is the only criterion; arguments are not examined.
    """
    definitions = GetBehaviorMalicious("get_all_cookies")
    for entry in definitions:
        if "behavior" not in entry:
            continue
        known_calls = [
            item["apiCall"] for item in entry["behavior"] if item["apiCall"] != ""
        ]
        if api_of_extension["apiCall"] in known_calls:
            return True
    return False
214
# Exact request URLs whose 4xx responses NetworkRequest4xxTracking ignores
# (endpoints known to answer 4xx during normal use).
white_list_http = [
    "https://fbsbx.com/ajax/bz",
    "https://www.paypal.com/signin/client-log",
    "https://www.amazon.com/gp/recent-history-footer/external/rhf-handler.html",
    "https://www.paypal.com/auth/verifychallenge",
]
# Substring tokens: any request URL containing one of these is skipped by
# NetworkRequest4xxTracking. Matching is plain substring, so short tokens
# such as "fb" also suppress unrelated URLs that happen to contain them.
white_list_testcase = [
    "facebook", "fb", "google", "timo", "paypal", "amazon", "shopee",
    "twitter", "bitdefender", "norton", "kaspersky", "eset", "myvisualiq",
]
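def NetworkRequest4xxTracking(idx):
    """Collect the 4xx HTTP responses recorded for run ``idx``.

    Every document in the ``NETWORK`` collection with ``idx`` names, in its
    ``"Path"`` field, a HAR-style JSON capture (``log.entries[*]``). Each
    entry whose ``response.status`` is in 400-499 is reported unless its
    ``request.url`` is white-listed (see ``white_list_testcase`` and
    ``white_list_http``).

    Args:
        idx: Identifier of the sandbox run to look up.

    Returns:
        A list of one-key dicts ``{request_url: status_code}`` in capture
        order; empty when nothing matched.

    Raises:
        FileNotFoundError / json.JSONDecodeError: if a capture file named
            by the database is missing or malformed.
        KeyError: if a capture lacks ``log.entries[*].request.url`` or
            ``response.status``.
    """
    findings = []
    network_col = init_database("NETWORK")
    for record in network_col.find({"idx": idx}):
        # The capture path is taken from the database record as-is.
        # JSON captures are UTF-8 by specification.
        with open(record["Path"], "r", encoding="utf-8") as fh:
            capture = json.load(fh)
        for entry in capture["log"]["entries"]:
            status = entry["response"]["status"]
            if not 400 <= status < 500:
                continue
            url = entry["request"]["url"]
            if _is_whitelisted_url(url):
                continue
            findings.append({url: status})
    return findings


def _is_whitelisted_url(url):
    """Return True when ``url`` is excluded from 4xx reporting.

    A URL is excluded if it contains any ``white_list_testcase`` token
    (substring match) or equals one of the ``white_list_http`` entries.
    """
    if any(token in url for token in white_list_testcase):
        return True
    return url in white_list_http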
234
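def DnsResponseTracking(idx, whitelist_path=r"G:\New\Extensions\KhoaLuan\source\sandbox\white_list_dns.json"):
    """Return the DNS queries of run ``idx`` that never received a response.

    Queried names found in the white-list file (a JSON object with a
    ``"domain"`` list) are skipped; the last character of ``qname`` is
    dropped before the comparison (presumably the trailing "." of a
    fully-qualified name).

    Args:
        idx: Identifier of the sandbox run to look up in the ``DNS``
            collection.
        whitelist_path: JSON file holding the ``domain`` list to ignore.
            Defaults to the sandbox path hard-coded by the original author.

    Returns:
        The unmodified DNS documents (dicts) that lack a ``"response"`` key
        and are not white-listed, in cursor order.

    Raises:
        FileNotFoundError / json.JSONDecodeError / KeyError: if the
        white-list file is missing, malformed or has no ``"domain"`` key.
    """
    # JSON is UTF-8 by specification; do not depend on the platform default.
    with open(whitelist_path, "r", encoding="utf-8") as fh:
        ignored_domains = json.load(fh)["domain"]

    dns_col = init_database("DNS")
    unanswered = []
    for dns_record in dns_col.find({"idx": idx}):
        qname = dns_record["request"]["qname"][:-1]
        if qname in ignored_domains:
            continue
        if "response" not in dns_record:
            unanswered.append(dns_record)
    return unanswered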
250
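def AnalyzerOnlyOneExtension(idx):
    """Analyse one extension's recorded activity and store a report.

    Reads every API-activity document for ``idx`` once, counts calls per
    ``apiCall`` name, runs the behavior detectors over every record (the
    first matching detector claims the record; later ones are skipped),
    adds the 4xx-HTTP and unanswered-DNS findings, and inserts the
    resulting report into the ``REPORT`` collection.

    Args:
        idx: ``extensionId`` of the extension to analyse.

    Returns:
        None. Side effects: one document inserted into ``REPORT`` and two
        progress lines printed.
    """
    # One pass over the cursor; the original queried the collection twice.
    api_called = list(GetApiCalledByExtension(idx))
    count_api = Counter(record["apiCall"] for record in api_called)
    beauty_report = {
        "id": idx,
        "total_api": len(api_called),
        "apis": dict(count_api),
        "api_called": api_called,
    }
    print("==========================================")

    # Detector order matters: a record goes into the first bucket whose
    # detector matches and is not examined by the detectors after it.
    detectors = [
        ("uninstall_other_extension", UninstallBehaviorTracking),
        ("prevents_extension_uninstall", PreventsUninstallTracking),
        ("keylogging_functionality", KeyloggerTracking),
        ("steal_information_form", StealInformationFormTracking),
        ("block_antivirus_site", BlockAntiVirusSiteTracking),
        ("deleted_response_headers", DeleteReponseHeaderTracking),
        ("injects_dynamic_javascript", InjectsDynamicJsTracking),
        ("get_all_cookies", GetAllCookiesTracking),
    ]
    buckets = {name: [] for name, _ in detectors}
    for api in api_called:
        for name, detector in detectors:
            if not detector(api):
                continue
            if name == "steal_information_form":
                # Keep the triggering record together with the content
                # script activity on the same page that made it suspicious.
                buckets[name].append(_form_steal_context(api))
            else:
                buckets[name].append(api)
            break

    beauty_report.update(buckets)
    beauty_report["http_request_4xx"] = NetworkRequest4xxTracking(idx)
    beauty_report["dns_no_response"] = DnsResponseTracking(idx)
    report_col = init_database("REPORT")
    # check_keys=False is kept from the original: the report's nested keys
    # (apiCall names under "apis") presumably contain "." — confirm before
    # migrating to insert_one(), which offers no such switch.
    report_col.insert(beauty_report, check_keys=False)
    print("[+] Inserted ", idx)


def _form_steal_context(api):
    """Return ``[api, *content_script_docs]`` for a steal_information_form hit.

    The content-script documents are the ``mycol`` ("API") records with the
    same ``extensionId`` and ``pageUrl`` as ``api`` and
    ``activityType == "content_script"``.
    """
    context = [api]
    query = {
        "extensionId": api["extensionId"],
        "pageUrl": api["pageUrl"],
        "activityType": "content_script",
    }
    context.extend(mycol.find(query))
    return context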
328
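def AnalyzerAllExtension():
    """Summarise every report in the ``REPORT`` collection and print stats.

    Each report is classified as malicious (any of the six malicious
    behaviors present), suspicious (none of those, but at least one of the
    three suspicious behaviors present) or clean. Per-behavior totals, the
    ten most frequently called APIs across all reports and the ten
    extensions with the most behaviors are printed. ``dns_no_response`` is
    counted but — as in the original, where it was commented out — does
    not affect the classification or the per-extension count.

    Returns:
        None; output goes to stdout only.
    """
    malicious_behaviors = (
        "uninstall_other_extension",
        "prevents_extension_uninstall",
        "keylogging_functionality",
        "steal_information_form",
        "block_antivirus_site",
        "deleted_response_headers",
    )
    suspicious_behaviors = (
        "injects_dynamic_javascript",
        "get_all_cookies",
        "http_request_4xx",
    )
    verdicts = Counter()         # "malicious" / "suspicious" / "clean"
    behavior_totals = Counter()  # behavior name -> number of reports showing it
    api_totals = Counter()       # apiCall name -> calls summed over all reports
    ranked_extensions = []       # {"id", "count", "behavior"} per report

    report_col = init_database("REPORT")
    total_reports = report_col.estimated_document_count()
    print("[+] Total %d reports" % (total_reports))
    for ext in report_col.find():
        # Behaviors present in this report, in the fixed order above.
        behavior = [
            name for name in malicious_behaviors + suspicious_behaviors
            if len(ext[name]) != 0
        ]
        behavior_totals.update(behavior)
        if len(ext["dns_no_response"]) != 0:
            behavior_totals["dns_no_response"] += 1

        if any(name in malicious_behaviors for name in behavior):
            verdicts["malicious"] += 1
        elif behavior:
            # Non-empty but nothing malicious => only suspicious behaviors.
            verdicts["suspicious"] += 1
        else:
            verdicts["clean"] += 1

        ranked_extensions.append(
            {"id": ext["id"], "count": len(behavior), "behavior": behavior}
        )
        api_totals.update(ext["apis"])

    top10 = dict(api_totals.most_common(10))
    print("[+] Malicious:", verdicts["malicious"])
    for name in malicious_behaviors:
        print(" |- %s:" % name, behavior_totals[name])
    print("[+] Suspicious:", verdicts["suspicious"])
    for name in suspicious_behaviors:
        print(" |- %s:" % name, behavior_totals[name])
    print("[+] Clean:", verdicts["clean"])
    print(" |- dns_no_response:", behavior_totals["dns_no_response"])
    print("[*] Top 10 API Called:")
    print(top10)
    print("[*] Top 10 Extension:")
    print(sorted(ranked_extensions, key=lambda i: i['count'], reverse=True)[:10])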
455
# Script entry point: only the corpus-wide summary runs here; the
# per-extension analysis (AnalyzerOnlyOneExtension) is not invoked.
if __name__ == "__main__":
    AnalyzerAllExtension()