Android Malware (Analysis | Scoring) System

Overview

Presented at Black Hat Arsenal, HITB, ROOTCON and DEF CON.
An Obfuscation-Neglect Android Malware Scoring System

Quark-Engine is also bundled with Kali Linux and BlackArch. A trustworthy, practical tool that is ready to boost your malware reverse engineering. Follow us on Twitter: https://twitter.com/quarkengine


Why Quark?

An Android malware analysis engine is not a new story; every antivirus company has its own secrets for building one. Out of curiosity, we developed a malware scoring system from the perspective of Taiwan's criminal law, in an easy but solid way.

Criminal law has an order theory of crime that explains the stages of committing one. For example, the crime of murder consists of five stages: determination, conspiracy, preparation, start and practice. The later the stage, the more certain we are that the crime is actually being carried out.

Following the same principle, we developed an order theory of Android malware: five stages for judging whether a malicious activity is actually being carried out.

  1. Permission requested.
  2. Native API call.
  3. Certain combination of native APIs.
  4. Calling sequence of native APIs.
  5. APIs that handle the same register.

We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware sample.

Malware has evolved new techniques to make reverse engineering harder, and obfuscation is one of the most commonly used. Here we present a Dalvik bytecode loader that, combined with the order theory of Android malware, neglects certain cases of obfuscation.

Our Dalvik bytecode loader provides two core functions: 1. finding cross-references and the calling sequence of native APIs, and 2. tracing bytecode registers. The combination of these two functions (yes, the order theory) not only neglects obfuscation but also matches the design of our malware scoring system.
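The following is an added illustration of how the five stages build on each other; it is not Quark's own code. It models an APK as a hand-built set of manifest permissions and methods, with a made-up instruction encoding (`invoke`, `move-result`, `move`) standing in for Dalvik bytecode, and checks one constructed rule (a device ID flowing into an SMS) stage by stage: permission present, both APIs called, both in one method, in the right order, and finally sharing a register (traced through a `move`, which is the kind of indirection obfuscators add). The 20% per stage used for the confidence value is an assumption for this example, not Quark's published weighting.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    crime: str
    permissions: list   # Android permissions the crime needs
    api: tuple          # (first_api, second_api) as "Lpkg/Class;->method" strings


@dataclass
class Method:
    name: str
    instructions: list  # constructed encoding, see SAMPLE below


@dataclass
class Apk:
    permissions: set    # permissions declared in the manifest
    methods: list


def _calls(method):
    return [ins[1] for ins in method.instructions if ins[0] == "invoke"]


def _shares_register(method, first, second):
    """Stage 5: does a register touched by `first` (an argument or its
    move-result destination) reach an argument of a later `second` call?"""
    tainted, pending = set(), False
    for ins in method.instructions:
        if ins[0] == "invoke":
            api, args = ins[1], ins[2]
            if api == second and tainted & set(args):
                return True
            pending = api == first          # the next move-result belongs to `first`
            if pending:
                tainted |= set(args)
        elif ins[0] == "move-result":
            if pending:
                tainted.add(ins[1])
            pending = False
        elif ins[0] == "move":
            dst, src = ins[1], ins[2]
            if src in tainted:
                tainted.add(dst)            # taint follows the copy
            else:
                tainted.discard(dst)        # overwritten with clean data
    return False


def reach_stage(apk, rule):
    """Highest stage (0-5) the sample reaches for one rule."""
    if not set(rule.permissions) <= apk.permissions:
        return 0                                    # stage 1: permission requested
    first, second = rule.api
    if not all(any(api in _calls(m) for m in apk.methods) for api in rule.api):
        return 1                                    # stage 2: native API call
    best = 2
    for m in apk.methods:
        calls = _calls(m)
        if first not in calls or second not in calls:
            continue
        best = max(best, 3)                         # stage 3: combination in one method
        last_second = len(calls) - 1 - calls[::-1].index(second)
        if calls.index(first) < last_second:
            best = max(best, 4)                     # stage 4: first precedes second
            if _shares_register(m, first, second):
                return 5                            # stage 5: same register
    return best


def confidence(apk, rule):
    """Confidence percentage; 20% per stage is an assumption of this example."""
    return 20 * reach_stage(apk, rule)


# Constructed rule and sample (not a real Quark rule or APK).
STEAL_IMEI_BY_SMS = Rule(
    crime="Send the device ID (IMEI) out via SMS",
    permissions=["android.permission.READ_PHONE_STATE",
                 "android.permission.SEND_SMS"],
    api=("Landroid/telephony/TelephonyManager;->getDeviceId",
         "Landroid/telephony/SmsManager;->sendTextMessage"),
)

# Instruction encoding (made up for the example, not Dalvik):
#   ("invoke", api, [arg registers])   ("move-result", dst)   ("move", dst, src)
SAMPLE = Apk(
    permissions={"android.permission.READ_PHONE_STATE",
                 "android.permission.SEND_SMS", "android.permission.INTERNET"},
    methods=[
        Method("Lcom/example/Spy;->leak", [
            ("invoke", "Landroid/telephony/TelephonyManager;->getDeviceId", ["v2"]),
            ("move-result", "v0"),                          # v0 = IMEI
            ("move", "v1", "v0"),                           # copied through v1
            ("invoke", "Landroid/telephony/SmsManager;->getDefault", []),
            ("move-result", "v3"),
            ("invoke", "Landroid/telephony/SmsManager;->sendTextMessage",
             ["v3", "v4", "v5", "v1", "v6", "v6"]),         # text argument = v1
        ]),
        Method("Lcom/example/Util;->log", [
            ("invoke", "Landroid/util/Log;->d", ["v0", "v1"]),
        ]),
    ],
)

if __name__ == "__main__":
    print(f"{STEAL_IMEI_BY_SMS.crime}: stage {reach_stage(SAMPLE, STEAL_IMEI_BY_SMS)}, "
          f"{confidence(SAMPLE, STEAL_IMEI_BY_SMS)}% confidence")
```

Dropping the permission, moving the second call into another method, reversing the call order, or overwriting `v1` from a clean register each stops the sample one stage earlier, which is what makes the stages an ordering rather than independent signals.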

Easy to Use and Reading Friendly Report

Quark is easy to use and offers flexible output formats. There are six types of output report: detail report, call graph, rules classification, summary report, label-based report and behaviors comparison radar chart. See below for details.

Detail Report

This is how we examine a real Android malware sample (candy corn) with a single rule (crime).

$ quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d

and the report will look like:

You can also filter the rules by a single label:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d network

or select a single rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d 00058.json

Call Graph for Every Potential Malicious Activity

Add the -g option to the quark command to get the call graph (only for rules matched with 100% confidence):

quark -a Ahmyth.apk -s -g

Rules Classification

Add the -c option to the quark command to output the rules classification by mutual parent function (only for rules matched with 100% confidence):

quark -a Ahmyth.apk -s -c

Summary Report

Examine the sample against the whole rule set:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s

You can also filter the rules by a single label:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s network

or select a single rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s <path_to_rule_folder>/00058.json

(If you want to select one of the rules from Quark-Rules, the default path to Quark-Rules is $HOME/.quark-engine/quark-rules/.)

Label-based Report

Check in which topic (indicated by labels) the malware is more aggressive.

quark -a Ahmyth.apk -l detailed

Behaviors Comparison Radar Chart

With the following command, you can compare different APK actions based on the max confidence of rule labels and generate a radar chart.

quark -a first.apk -a second.apk -C

Parallelizing Quark

Quark now supports multiprocessing for analyzing APKs in parallel: add the option --multi-process and set the number of processes (the default is the number of CPUs in your computer).

quark -a Ahmyth.apk -s --multi-process 4

Upcoming unstable feature

Quark now also supports Rizin as an alternative Android analysis framework. Use the option --core-library rizin to enable the Rizin-based analysis library.

quark -a Ahmyth.apk -s --core-library rizin

QuickStart

Requirements

  • Python 3.8+
  • git
  • graphviz
  • click >= 8.0.1 (For CLI supports)

Installation

$ pip3 install -U quark-engine

Get the latest quark rules from our quark-rules repo

Now you can download the quark-rules to your home directory with a simple command.

$ freshquark

Check --help to see the detailed usage description.

$ quark --help

Test It Out

You may refer to the Quark Engine Document for more details of testing and development information.

Acknowledgments

The Honeynet Project

Honeynet.org logo

Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.

Core Values of Quark Engine Team

  • We love battlefields. We embrace uncertainties. We challenge impossibles. We rethink everything. We change the way people think. And most important of all, we benefit ourselves by benefiting others first.
Comments
  • macOS Dependencies

    macOS Dependencies

    Dependencies error during the installation of the quark-engine on macOS Catalina - 10.15.7.

    Error : - pkg_resources.DistributionNotFound: The 'androguard==3.4.0a1' distribution was not found and is required by quark-engine

    test-required issue-processing-state-01 
    opened by yashomer1994 16
  • Add quark script case for CWE 319

    Add quark script case for CWE 319

    Detect CWE-319 in Android Application (ovaa.apk)

    This scenario seeks to find the Cleartext Transmission of Sensitive Information. See CWE-319 for more details.

    Let's use this APK and the above APIs to show how the Quark script finds this vulnerability. This sample uses the package Retrofit to request Web APIs, but the APIs use cleartext protocols.

    We first design a detection rule setRetrofitBaseUrl.json to spot the behavior that sets the base URL of the Retrofit instance. Then, we loop through a custom list of cleartext protocol schemes and use the API behaviorInstance.hasString to filter arguments that are URL strings with a cleartext protocol.

    Quark Script CWE-319.py

    from quark.script import runQuarkAnalysis, Rule
    
    SAMPLE_PATH = "./ovaa.apk"
    RULE_PATH = "setRetrofitBaseUrl.json"
    
    PROTOCOL_KEYWORDS = [
        "http",
        "smtp",
        "ftp"
    ]
    
    
    ruleInstance = Rule(RULE_PATH)
    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
    
    for setRetrofitBaseUrl in quarkResult.behaviorOccurList: 
        for protocol in PROTOCOL_KEYWORDS:
            
            regexRule = f"{protocol}://[0-9A-Za-z./-]+"
            cleartextProtocolUrl = setRetrofitBaseUrl.hasString(regexRule, True)
            
            if cleartextProtocolUrl:
                print(f"CWE-319 detected!")
                print(f"Here are the found URLs with cleartext protocol:")
                print("\n".join(cleartextProtocolUrl))
    

    Quark Rule: setRetrofitBaseUrl.json

    {
        "crime": "Set Retrofit Base Url",
        "permission": [],
        "api": 
        [
            {
                "descriptor": "()V",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "<init>"
            },
            {
                "descriptor": "(Ljava/lang/String;)Lretrofit2/Retrofit$Builder;",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "baseUrl"
            }
        ],
        "score": 1,
        "label": []
    }
    

    Quark Script Result

    $ python3 CWE-319.py
    CWE-319 detected!
    Here are the found URLs with cleartext protocol:
    http://example.com./api/v1/
    
    pr-processing-state-06 
    opened by zinwang 12
  • Porting androguard to quark-engine

    Porting androguard to quark-engine

    Porting androguard version 3.4 to quark-engine project to prevent androguard from no longer being maintained.

    In the past, to use androguard we all had to rely on pip installing androguard from GitHub, but there is a problem: if something goes wrong with androguard, quark-engine might crash.

    But in fact, we only need the decompile function of androguard, so I ported this function to our project.

    In addition to improving the stability of quark-engine, it also increases the speed of pipenv installation.

    enhancement not ready 
    opened by krnick 11
  • Add Quark Script APIs to detect CWE-532

    Add Quark Script APIs to detect CWE-532

    Detect CWE-532 in Android Application (dvba.apk)

    This scenario seeks to find insertion of sensitive information into Log file. See CWE-532 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    First, we use the API findMethodInAPK to locate the method Log.d. Then we use the API methodInstance.getArguments to get the arguments passed to Log.d. Finally, we use keywords such as "token", "password", and "decrypt" to check if the arguments include sensitive data. If the answer is YES, that may cause sensitive data leakage into the log file.

    You can use your own keywords in the keywords list to detect sensitive data.

    API Spec

    findMethodInAPK(samplePath, targetMethod)

    • Description: Find the target method in APK
    • params:
      1. samplePath: Target file
      2. targetMethod: A python list contains class name, method name, and descriptor of target method
    • return: python list contains caller method instance of target method

    Detect CWE-532 in Android Application (dvba.apk)

    Quark Script CWE-532.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "dvba.apk"
    TARGET_METHOD = [
        "Landroid/util/Log;",                       # class name
        "d",                                        # method name
        "(Ljava/lang/String; Ljava/lang/String;)I"  # descriptor
    ]
    CREDENTIAL_KEYWORDS = [
        "token",
        "decrypt",
        "password"
    ]
    
    methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
    
    for debugLogger in methodsFound:
        arguments = debugLogger.getArguments()
    
        for keyword in CREDENTIAL_KEYWORDS:
            if keyword in arguments[1]:
                print(f"CWE-532 is detected in method, {debugLogger.fullName}") 
    

    Quark Script Result

    $ python CWE-532.py 
    CWE-532 is detected in method, Lcom/google/firebase/auth/FirebaseAuth; d (Lc/c/b/h/o;)V
    
    pr-processing-state-04 
    opened by pulorsok 10
  • Add new feature to get url and ips from apk string

    Add new feature to get url and ips from apk string

    The following code gets the URLs and IP addresses:

    from androguard.misc import AnalyzeAPK
    import re
    
    a, d, dx = AnalyzeAPK("Ahmyth.apk")
    
    # Dotted-quad IPv4 address; every octet limited to 0-255.
    OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
    ipv4_address = re.compile(r"\b" + OCTET + r"(?:\." + OCTET + r"){3}\b")
    
    # URL: scheme or www prefix, or a bare domain followed by a path; group 1 is the whole URL.
    regex = r"(?i)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'\".,<>?«»“”‘’]))"
    
    for i in dx.get_strings():
        value = i.get_value()
    
        url = re.findall(regex, value)
        if url:
            print("[URL Found]")
            print([x[0] for x in url])   # findall returns a tuple per match; element 0 is the URL
    
        ips = re.findall(ipv4_address, value)
        if ips:
            print("[IP Found]")
            print(ips)
    
    
    enhancement 
    opened by krnick 10
  • Help section for --multi-process

    Help section for --multi-process

    Help section for --multi-process made more descriptive in respect to max number of process that can be used. w.r.t issue https://github.com/quark-engine/quark-engine/issues/315

    documentation 
    opened by PaulNicolasHunter 9
  • Refactor/enrich the rest of Quark's tests

    Refactor/enrich the rest of Quark's tests

    Description

    Please refer here. For the replacement of Androguard, I want to write tests to improve the test coverage of Quark. This is the final PR. (You can find the previous PR here )

    In this PR, I focus on these files.

    • quark/Objects/analysis.py
    • quark/Objects/quarkrule.py
    • quark/report.py
    • quark/freshquark.py
    • all seven files in quark/utils (colors.py, graph.py, pprint.py, output.py, etc.)

    Code Changes

    • For the existing tests: Divide them by their test scenarios.
    • For the new tests: Add them according to two strategies and the coding guideline discussed in the above issue.

    | Files             | # Tests added for normal inputs | # Tests added for error inputs | # Tests modified |
    | ----------------- | :-----------------------------: | :----------------------------: | :--------------: |
    | test_analysis.py  | 1  | 0  | 0 |
    | test_quarkrule.py | 1  | 4  | - |
    | test_report.py    | 4  | 6  | - |
    | test_freshquark.py| 2  | 0  | - |
    | test_colors.py    | 1  | 0  | - |
    | test_graph.py     | 3  | 0  | - |
    | test_output.py    | 3  | 0  | - |
    | test_pprint.py    | 5  | 0  | - |
    | test_regex.py     | 11 | 3  | - |
    | test_tools.py     | 5  | 1  | 1 |
    | test_weight.py    | 0  | 0  | 3 |
    | Total             | 36 | 14 | 4 |

    Related Discussions

    1. issue https://github.com/quark-engine/gsoc2021-ShengFengLu/issues/1
    2. Discussion https://github.com/quark-engine/quark-engine/discussions/173
    enhancement 
    opened by haeter525 9
  • Creation of option to print Report based on Label Rules

    Creation of option to print Report based on Label Rules

    With the following pull request we (me, @cryptax, @Dil3mm3 and @3aglew0) propose adding another option to print a report based on the labels specified inside a rule.

    We have noticed they are not used and it could be interesting to print a short report taking these values into consideration. Here is an example of output where, for each label (found inside the rules), a description (see explanation below), the number of rules containing this label and other details described below are printed.

    example_of_output

    This option allows printing a report based on labels with two different levels of detail:

    1. quark -a malware_to_be_analysed.apk -r rule_dir -l max prints the maximum score for each label (as in the image above); this allows us to understand in which topic (represented by a label) a malware is more aggressive. For example, looking at the previous output we can see the malware successfully performs malicious actions related to location, calllog and sms.
    2. quark -a malware_to_be_analysed.apk -r rule_dir -l detailed prints a detailed report with all the previous information plus:
      • Number of rules (with that label) which have a score >= 80%
      • Average score and standard deviation (computed over all the scores obtained by that specific label). Interesting considerations could be the following: a label with a high average and low standard deviation would allow us to say the malware performs a series of malicious actions (with success); a high standard deviation means there are some rules which get a high score, so the malware successfully performs only some actions with that label; finally, a low standard deviation and a low average on a certain label mean the malware is not performing malicious actions on that topic. Example of output:

    output_detailed_report

    The description column allows adding a short and representative sentence about a label; for example, for calllog the description is Retrieve or manipulate sensitive data from call log. In order to implement a flexible solution we thought of adding a csv file in the same directory as the rules with the structure label,description. We chose the csv extension because it is easy to manipulate, and it was not possible to use a json format since all json files in that folder are interpreted as rules. If this file is not present, or a label,description pair is absent, the corresponding cell in the label report is filled with -. Example of output:

    output_with_desc

    I leave here a sample of the csv file to be put in the folder of the rules (label_desc.csv)

    Do not hesitate to contact me for any type of clarification

    enhancement 
    opened by ciastron 9
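The per-label statistics the pull request above describes, as an added example that is not the contributors' code. It works from a constructed list of per-rule results and a constructed label_desc.csv in the proposed label,description layout, and computes the maximum, the number of rules at or above 80%, the average and the population standard deviation per label, filling "-" where no description exists. The cut-offs in interpret (average 80, deviation 20) are assumptions for this example; the pull request names no numbers.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-rule results: (rule file, labels listed in the rule, confidence %).
# Made up for this example, not output of a real Quark run.
RULE_RESULTS = [
    ("00001.json", ["sms"], 100),
    ("00002.json", ["sms"], 80),
    ("00003.json", ["location"], 100),
    ("00004.json", ["location"], 100),
    ("00005.json", ["calllog"], 20),
    ("00006.json", ["calllog"], 100),
    ("00007.json", ["network"], 20),
    ("00008.json", ["network"], 40),
    ("00009.json", ["network"], 20),
]

# Constructed label_desc.csv in the "label,description" layout proposed above.
LABEL_DESC_CSV = """label,description
calllog,Retrieve or manipulate sensitive data from call log
sms,Read or send SMS messages
"""


def load_descriptions(text):
    """Parse the label,description CSV; an empty file yields an empty map."""
    return {row["label"]: row["description"]
            for row in csv.DictReader(io.StringIO(text))}


def label_report(results, descriptions, threshold=80):
    """Per-label statistics of the detailed label report."""
    scores = defaultdict(list)
    for _, labels, confidence in results:
        for label in labels:
            scores[label].append(confidence)
    return {
        label: {
            "description": descriptions.get(label, "-"),   # "-" when no description
            "rules": len(values),
            "max": max(values),
            "high": sum(v >= threshold for v in values),    # rules scoring >= 80%
            "average": round(mean(values), 1),
            "std": round(pstdev(values), 1),
        }
        for label, values in scores.items()
    }


def interpret(stats, high_avg=80, low_std=20):
    """Reading of average and deviation as described in the pull request.
    The 80/20 cut-offs are assumptions made for this example."""
    if stats["std"] > low_std:
        return "only some actions with this label succeed"
    if stats["average"] >= high_avg:
        return "a series of actions with this label succeed"
    return "no malicious action on this topic"


if __name__ == "__main__":
    report = label_report(RULE_RESULTS, load_descriptions(LABEL_DESC_CSV))
    print(f"{'label':10} {'description':52} {'rules':>5} {'max':>4} {'>=80':>5} {'avg':>6} {'std':>5}")
    for label, s in sorted(report.items()):
        print(f"{label:10} {s['description']:52} {s['rules']:5} {s['max']:4} "
              f"{s['high']:5} {s['average']:6} {s['std']:5}  {interpret(s)}")
```

With these inputs, sms and location read as consistently practiced, calllog as partially practiced (one rule at 20%, one at 100%), and network as not practiced, which is the distinction the average and deviation columns are meant to make visible.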
  • [#444] Adjust CWE Show Case format in README.md.

    [#444] Adjust CWE Show Case format in README.md.

    CWE Showcases

    • CWE-020 Improper Input Validation
    • CWE-089 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-094 Improper Control of Generation of Code ('Code Injection')
    • CWE-312 Cleartext Storage of Sensitive Information
    • CWE-319 Cleartext Transmission of Sensitive Information
    • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
    • CWE-532 Insertion of Sensitive Information into Log File
    • CWE-749 Exposed Dangerous Method or Function
    • CWE-780 Use of RSA Algorithm without OAEP
    • CWE-798 Use of Hard-coded Credentials
    • CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
    • CWE-926 Improper Export of Android Application Components
    work-in-progress pr-processing-state-06 
    opened by PoJenC 7
  • Add new feature for generate Quark web report

    Add new feature for generate Quark web report

    Add new feature for generate Quark report. With the following command, we can easily analyze the Android sample and output the web report.

    See the demo here.

    quark -a sample.apk -s -w quark_report.html
    

    pr-processing-state-05 
    opened by pulorsok 7
  • Have Click as an optional dependency

    Have Click as an optional dependency

    Hey everyone!

    Is your feature request related to a problem? Please describe. Quark does not separate optional dependencies, like Click, from required dependencies (I suppose everything else). Since Quark can be used as a module, in which case Click is not required at all, this would solve some compatibility issues with other libraries, e.g. celery >= 5.0.0.

    Describe the solution you'd like

    Use the optional dependency feature in setup.py to separate the Click package from the remaining requirements, and explain in README.md how the user should call setup.py to be able to use the CLI commands.

    Describe alternatives you've considered None

    Additional context

    If the solution is considered acceptable, or another solution that I did not think of, for this issue is found, I can work on the implementation and the PR myself.

    dependencies 
    opened by 0ssigeno 7
  • Add quark script case for CWE 328

    Add quark script case for CWE 328

    Detect CWE-328 in Android Application (allsafe.apk)

    This scenario seeks to find the use of weak Hash. See CWE-328 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    First, we use API findMethodInAPK(samplePath, targetMethod) to find the method MessageDigest.getInstance(). Next, we use API methodInstance.getArguments() with a list to check if the method uses weak hashing algorithms. If YES, that causes CWE-328 vulnerability.

    Quark Script CWE-328.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "./allsafe.apk"
    
    TARGET_METHOD = [
        "Ljava/security/MessageDigest;",                        # class name
        "getInstance",                                          # method name
        "(Ljava/lang/String;)Ljava/security/MessageDigest;"     # descriptor
    ]
    
    HASH_KEYWORDS = [
        "MD2",
        "MD4",
        "MD5",
        "PANAMA",
        "SHA-0",
        "SHA-1",
        "HAVAL-128",
        "RIPEMD-128"
    ]
    
    methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
    
    for setHashAlgo in methodsFound:
        arguments = setHashAlgo.getArguments()
    
        for keyword in HASH_KEYWORDS:
            if keyword in arguments[0]:
                print(f"CWE-328 is detected in method, {setHashAlgo.fullName}")
    

    Quark Script Result

    $ python CWE-328.py
    CWE-328 is detected in method, Lcom/google/firebase/database/core/utilities/Utilities; sha1HexDigest (Ljava/lang/String;)Ljava/lang/String;
    CWE-328 is detected in method, Linfosecadventures/allsafe/challenges/WeakCryptography; md5Hash (Ljava/lang/String;)Ljava/lang/String;
    CWE-328 is detected in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
    
    opened by zinwang 1
  • [Quark#446] Add quark script case for CWE-295

    [Quark#446] Add quark script case for CWE-295

    Detect CWE-295 in Android Application (InsecureShop.apk)

    This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    We use the API findMethodInAPK to locate all callers of SslErrorHandler.proceed. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by a subclass.

    First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

    Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

    Finally, we check whether Landroid/webkit/WebViewClient; is in the superclass list. If YES, that may cause a CWE-295 vulnerability.

    API Spec

    MethodInstance.findSuperclassHierarchy()

    • Description: Find the whole superclass hierarchy of this method's class.
    • params: None
    • Return: Python list containing the names of all superclasses of this method's class.

    Quark Script CWE-295.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "insecureShop.apk"
    TARGET_METHOD = [
        "Landroid/webkit/SslErrorHandler;",  # class name
        "proceed",                          # method name
        "()V"                               # descriptor
    ]
    OVERRIDE_METHOD = [
        "Landroid/webkit/WebViewClient;",  # class name
        "onReceivedSslError",              # method name
        # descriptor
        "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V"
    ]
    
    for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
        if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
           sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
           OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
            print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
    
    

    Quark Script Result

    $ python3 CWE-295.py
    Requested API level 29 is larger than maximum we have, returning API level 28 instead.
    CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    
    work-in-progress pr-processing-state-05 
    opened by PoJenC 3
  • Add quark script case for CWE-295

    Add quark script case for CWE-295

    Detect CWE-295 in Android Application (InsecureShop.apk)

    This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    We use the API findMethodInAPK to locate all callers of SslErrorHandler.proceed. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by a subclass.

    First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

    Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

    Finally, we check whether Landroid/webkit/WebViewClient; is in the superclass list. If YES, that may cause a CWE-295 vulnerability.

    API Spec

    MethodInstance.findSuperclassHierarchy()

    • Description: Find the whole superclass hierarchy of this method's class.
    • params: None
    • Return: Python list containing the names of all superclasses of this method's class.

    Quark Script CWE-295.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "insecureShop.apk"
    TARGET_METHOD = [
        "Landroid/webkit/SslErrorHandler;",  # class name
        "proceed",                          # method name
        "()V"                               # descriptor
    ]
    OVERRIDE_METHOD = [
        "Landroid/webkit/WebViewClient;",  # class name
        "onReceivedSslError",              # method name
        # descriptor
        "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V"
    ]
    
    for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
        if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
           sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
           OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
            print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
    
    

    Quark Script Result

    $ python3 CWE-295.py
    Requested API level 29 is larger than maximum we have, returning API level 28 instead.
    CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    
    issue-processing-state-03 
    opened by PoJenC 0
  • Add docs for CWE team

    Add docs for CWE team

    Quark CWE team

    The Quark CWE team is responsible for developing Quark Scripts to detect Common Weakness Enumeration (CWE) vulnerabilities in APKs. We also maintain the Quark Script document, API, and repository.

    Goals for 2023

    Our goals for 2023 consist of three stages. First, we will focus on increasing the number of CWE Quark Scripts to 30 and optimizing the Quark Script API by developing CWE Quark Scripts.

    Next, with a sufficient number of Quark Scripts, we will develop a system to automatically detect vulnerabilities in online APKs.

    Finally, based on the sufficient and quality Quark Script API, we will focus on developing a web system that allows users to easily combine Quark Script APIs and create their own scripts without any coding knowledge.

    Responsibilities

    We aim to make the Quark Script development process as straightforward as possible, while ensuring that the scripts are accurate and reliable. We strive to create clear and concise documentation, as well as well-designed APIs that are easy to use. Our responsibilities include:

    • Developing Quark Scripts through a five-step process:
      1. Choosing a CWE number and clearly explaining the vulnerability definition.
      2. Finding an APK sample and explaining the vulnerable code.
      3. Designing the detection process step by step.
      4. Defining a new Quark Script API (including description, input, and output) if necessary.
      5. Developing the Quark Script in a clear and easy-to-use manner.
    • Managing the Quark Script repository by:
      • Updating the repository with new Quark Scripts.
      • Updating the documentation for Quark Scripts.
    • Maintaining the Quark Script API by:
      • Developing test units for each Quark Script API.
      • Reviewing and modifying the description, input, and output for each API.

    We aim to ensure that all of our work is easy to read and follows proper grammar and usage.

    documentation pr-processing-state-05 
    opened by pulorsok 2
  • Inconsistent format of method names in Quark Script doc

    Inconsistent format of method names in Quark Script doc

    Describe the bug

    When referring to a method or file in the Quark Script showcases, we mark the name with backticks to make it easy to distinguish (e.g., configureJsExecution.json). However, some showcases in the Quark Script doc don't follow this practice.

    For example, the CWE-94 showcase doesn't mark the method name with backticks.

    cwe94

    the CWE-780 showcase shows the method name in italics font.

    cwe780

    Describe the solution you'd like

    Unify the format of method names. For example, we could mark them with backticks.

    documentation enhancement 
    opened by haeter525 0
Releases(v22.12.1)
  • v22.12.1(Dec 28, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-20 and CWE-79. (https://github.com/quark-engine/quark-engine/pull/434 and https://github.com/quark-engine/quark-engine/pull/436)
    Source code(tar.gz)
    Source code(zip)
  • v22.11.1(Nov 30, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-319 and CWE-327. (#413 and #428)

    Here's the relevant document.

    UI Enhancements

    • Fix typos in Quark Web Report. (#414 and #419)
    • Make grid lines in Quark Web Report more visible. (#419)

    Document enhancements

    • Spotlight Quark Script in README. (#424)
    • Add Quark Script Quick Start instruction. (#422)
    Source code(tar.gz)
    Source code(zip)
  • v22.10.1(Oct 26, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-532 and CWE-780. (#396 and #399)

    Here's the relevant document.

    Bug Fix

    • Fix CLI giving outdated path to the default ruleset. (#389)

    New Program

    • Introduce Quark MIT Program.
    Source code(tar.gz)
    Source code(zip)
  • v22.9.1(Sep 29, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-89, CWE-926, CWE-312, and CWE-749. (#377, #381, #379, and #374)

    Here's the relevant document.

    New Core Members

    • Introduce new core members, AnWei Kung, Zin Wong, and Zee. (#387)

    Package Dependency Update

    • Add frida and ciphey as the dependencies. (#374)
    Source code(tar.gz)
    Source code(zip)
  • v22.7.1(Jul 27, 2022)

    New Features

    • Present a new powerful project, Quark Script! (#371)
    • Add new Quark Script APIs for CWE-94, CWE-798, and CWE-921 detection. (#372, #373, and 998947d)

    Please check here for the full document.

    Document enhancement

    • Enhance README to make it user-friendly. (#366)

    Dependency updates

    • Specify CI to use Meson 0.62.0. (#368)
    • Bump lxml from 4.8.0 to 4.9.1. (#370)
    Source code(tar.gz)
    Source code(zip)
  • v22.6.1(Jun 29, 2022)

  • v22.5.1(May 25, 2022)

    New Features

    • Introduce a new visualization of analysis results, the Quark web report. (#345)
    • Add support for loading rules recursively. (#346)

    Bug Fixes

    • Update CI tests for the audio recording ruleset. (#341)
    • Update CI tests for the contact info accessing ruleset. (#343)

    Other

    • Rearrange the file structure of the default ruleset. (quark-rules#26)
    • Remove outdated content in README. (#348)
    • Update the author information in the PyPI package. (#351)
    Source code(tar.gz)
    Source code(zip)
  • v22.4.1(Apr 27, 2022)

    New feature

    • Introduce the rule generation feature, Radiocontrast. (#325)

    Bug fix

    • Update smoke test for the release of the SMS message stealing ruleset. (#327)
    Source code(tar.gz)
    Source code(zip)
  • v22.3.1(Mar 28, 2022)

    New features

    • Add a limit to the number of processes available for parallel analysis. Thank @PaulNicolasHunter for this work. (#311 and #315)
    • Update analysis library for Rizin v0.3.0 and above. (#314)

    Dependency update

    • Update pillow from 9.0.0 to 9.0.1. (#311)
  • v22.2.1(Feb 15, 2022)

    Bug fixes

    • AttributeError occurred when using Rizin as the core library. (#301)

    Dependency update

    • Specify the minimal supported version of prettytable to 1.0.0. (#304)
    • Update pillow from 8.4.0 to 9.0.0. (#300)
    • Update ipython from 8.0.0 to 8.0.1. (#303)
  • v22.1.1(Jan 4, 2022)

  • v21.11.2(Nov 25, 2021)

    Bugs fixed

    • Fix missing comma in Debian/control. Thanks to @Hagb for this patch. (#278)
    • Fix import errors with Graphviz 0.18. Thanks to @nplesak for this patch. (#288)

    Dependency update

    • Specify the highest compatible versions of the dependency packages. (#290)
  • v21.11.1(Nov 2, 2021)

    New Feat

    • behaviors_comparison_radar_chart can now be saved as an image. Thanks to @matteodalgrande for contributing the feature. (#273)

    Bugs fixed

    • Remove tqdm when loading rule files. (#270)
    • Add a try-catch block to prevent potential crashes. (#276)
    • Fix JSON report format that caused Jadx and APKLab to fail to load. (#277, #281)

    Dependency update

    • Required Python version changed from 3.7 to 3.8. (#267)
  • v21.10.2(Oct 6, 2021)

    New Feat

    1. Quark-Engine can now detect APIs in extended classes. (#247)
    2. Rules can be written into an array to reduce the number of files and I/O. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reach 60%. (#254)
    5. Add FAQ page and Organization page to the documentation. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file I/O when loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.10.1(Oct 6, 2021)

    New Feat

    1. Quark-Engine can now detect APIs in extended classes. (#247)
    2. Rules can be written into an array to reduce the number of files and I/O. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reach 60%. (#254)
    5. Add FAQ page and Organization page to the documentation. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file I/O when loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.8.1(Aug 24, 2021)

    1. Change Travis CI to GitHub Actions.
    2. Support parallel analysis.
    3. Optimize the performance.
    4. Fix graph recursion issue.
    5. Fully support Rizin analysis.
    6. Disable logging in Quark API usage.
    7. Fix threshold filtering in the detailed report.
  • v21.7.2(Jul 20, 2021)

  • v21.7.1(Jul 15, 2021)

    1. Support a new Android reverse engineering framework, Rizin, to analyze the APK. (#205)
    2. Make the click package optional to install. (#214) @0ssigeno
    3. Improve the taint analysis in the bytecode loader, by @haeter525.
    4. Add an optional parameter filter for JSON rules. (#212)
    5. Adjust some directory names: Objects -> core, Evaluator -> evaluator.
    6. Add a VirusTotal analysis module, by @pulorsok. (#195)
    7. More tests for Quark, by @haeter525. (#189)
    8. Add a new feature to show parent functions' cross-references in rule classification, by @haeter525. (#192)
  • v21.6.3(Jun 24, 2021)

  • v21.6.2(Jun 9, 2021)

    1. Refactor the code in graph.py and the CLI interface.
    2. Replace the prompt package simple-term-menu with prompt-toolkit to support Windows/Mac/Linux and Kali Linux.
    3. Adjust the descriptions in the click options to make the wording more precise.
    4. Add a new option to show the version of Quark.
  • v21.6.1(Jun 7, 2021)

    New features:

    1. Behaviors comparison radar chart for different APKs. (#171)
    2. Support summary report and detail report for single rule/label. (#176)

    Update:

    1. Remove duplicate code.
    2. Lock dependency versions instead of installing the latest packages (e.g. click) for better stability.
    3. Update the documentation with the new command-line usage.
  • v21.5.1(May 28, 2021)

    1. Add a new report to Quark-Engine, a label-based report. (#165)
    2. Support the summary report and detailed report for a single rule/label analysis. (#167)
    3. Update the documentation for more usage of Quark.
    4. Add a new Python package dependency, python3-pandas, in Debian/control.

    Special thanks to @cryptax, @Dil3mm3, @ciastron, and @3aglew0 for their excellent work!
  • v21.4.3(Apr 7, 2021)

  • v21.4.2(Apr 7, 2021)

  • v21.4.1(Apr 7, 2021)

    1. Move the log file to the current directory.
    2. Make freshquark download the latest rules via git clone and update them via git pull.
    3. Modify the settings of the Debian package.
  • v21.3.4(Mar 30, 2021)

    1. Add command-line options to display methods, including native Android APIs, custom methods, and all methods.
    2. Delete the automatic check for rule updates in the CLI.
    3. Do not delete the existing quark-rules git directory.
    4. Promote Honeynet and GSoC.
    5. Quark will be added to Kali Linux in the near future.
    6. Change the log file location to the current directory.
  • v21.3.3(Mar 13, 2021)

  • v21.3.2(Mar 9, 2021)

    1. Redesign Quark's rules to make them easier to write.
    {
        "crime": "Get absolute path of file and put it to JSON object",
        "permission": [],
        "api": [
            {
                "class": "Ljava/io/File;",
                "method": "getAbsolutePath",
                "descriptor": "()Ljava/lang/String;"
            },
            {
                "class": "Lorg/json/JSONObject;",
                "method": "put",
                "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"
            }
        ],
        "score": 1,
        "label": [
            "file"
        ]
    }
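    A small loader for the rule layout shown above, added here as an example and not Quark-Engine's own code: it accepts a single rule or the array form introduced in v21.10, strips the optional spaces between argument types, and validates class and method descriptors against Dalvik syntax. The sample rule is the one from these notes; the regexes and the two-API check are my own reading of that layout.

```python
import json
import re
_CLASS_RE = re.compile(r"^L[\w$/]+;$")  # Dalvik class descriptor, e.g. "Ljava/io/File;"
_TYPE = r"\[*(?:[ZBCSIJFDV]|L[\w$/]+;)"  # one Dalvik type: array prefixes + primitive or class
_DESC_RE = re.compile(r"^\((?:%s)*\)%s$" % (_TYPE, _TYPE))  # "(<params>)<return>"
REQUIRED_KEYS = {"crime", "permission", "api", "score", "label"}

# Constructed sample in the layout shown above (note the space inside the second descriptor)
SAMPLE_RULE = """{
  "crime": "Get absolute path of file and put it to JSON object", "permission": [],
  "api": [
    {"class": "Ljava/io/File;", "method": "getAbsolutePath", "descriptor": "()Ljava/lang/String;"},
    {"class": "Lorg/json/JSONObject;", "method": "put",
     "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"}
  ],
  "score": 1, "label": ["file"]
}"""

class RuleError(ValueError):
    """Raised when a rule does not match the documented layout."""

def validate_rule(rule: dict) -> dict:
    """Check keys, score and the two API entries; return a copy with normalized descriptors."""
    if missing := REQUIRED_KEYS - rule.keys():
        raise RuleError(f"missing keys: {sorted(missing)}")
    if isinstance(rule["score"], bool) or not isinstance(rule["score"], (int, float)):
        raise RuleError("'score' must be numeric")
    if len(rule["api"]) != 2:
        raise RuleError("the layout pairs exactly two API calls")
    apis = []
    for api in rule["api"]:
        # Spaces between argument types are optional since v21.10, so strip them before matching
        cls, desc = api["class"], re.sub(r"\s+", "", api["descriptor"])
        if not _CLASS_RE.match(cls) or not _DESC_RE.match(desc):
            raise RuleError(f"bad Dalvik descriptor: {cls!r} {desc!r}")
        apis.append({"class": cls, "method": api["method"], "descriptor": desc})
    return {**rule, "api": apis}

def load_rules(text: str) -> list:
    """Accept one rule object or an array of rules (the v21.10 array form)."""
    data = json.loads(text)
    return [validate_rule(r) for r in (data if isinstance(data, list) else [data])]

def is_valid_rule_text(text: str) -> bool:
    try:
        load_rules(text)
        return True
    except (RuleError, KeyError, TypeError, AttributeError, ValueError):
        return False
```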
    
  • 21.3.1(Mar 8, 2021)

  • v21.02.2(Feb 26, 2021)

    1. Better wording in the command line.
    2. Add a feature to output Android APIs in the command line with option -i.
    3. Fix some regular expressions in the forensic module.
    4. Fix the score sum issue.
    5. Remove duplicated crime descriptions in rule classification.
    6. More test cases for previous modules.

    We got accepted by Black Hat Asia 2021!!!