def download():
    """
    Clone the quark-rules repository from ``SOURCE`` into ``DIR_PATH``.

    When ``DIR_PATH`` is already occupied the existing tree is deleted (no
    confirmation is asked) and the clone is attempted again; when git cannot
    reach the remote a warning is printed instead. ``logger()`` runs afterwards
    in every case.

    NOTE(review): the rules drive every verdict Quark produces and this fetch
    relies solely on git/HTTPS for integrity — confirm that matches the
    project's trust model for the rule source.

    :return: None
    """
    try:
        git.Repo.clone_from(url=SOURCE, to_path=DIR_PATH)
    except git.GitCommandError as error:
        stderr_text = error.stderr
        # git's "destination path '...' already exists" message
        if "destination path" in stderr_text:
            # Wipe the stale checkout and start the clone over.
            shutil.rmtree(DIR_PATH)
            download()
        # git's "unable to access '...'" message (DNS / connectivity failure)
        if "unable to access" in stderr_text:
            print_warning(
                f"Your network is currently unavailable, "
                f"you can use {green('freshquark')} "
                "to update the quark-rules later!\n"
            )
    logger()
def download():
    """
    Clone the quark-rules repository from ``SOURCE`` into ``DIR_PATH``.

    Every ``GitCommandError`` is reported to the user as "directory already
    exists"; the user is then asked whether ``DIR_PATH`` should be deleted and
    the clone attempted again.

    NOTE(review): network and authentication failures take the same branch as
    an occupied directory — confirm that wording is intended.

    :return: None
    """
    try:
        print_info(f"Download the latest rules from {SOURCE}")
        git.Repo.clone_from(url=SOURCE, to_path=DIR_PATH)
        print_success("Complete downloading the latest quark-rules")
    except git.GitCommandError:
        print_warning("quark-rules directory already exists!")
        should_retry = click.confirm("Do you want to download again?", default=True)
        if not should_retry:
            return
        # Wipe the existing checkout and start over.
        shutil.rmtree(DIR_PATH)
        download()
def entry_point(summary, detail, apk, rule):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    ``summary`` and ``detail`` are independent: each one loads ``apk`` afresh
    and runs every file in the ``rule`` directory against it.
    """
    if summary:
        # Summary report: run every rule, then print weight warning and score.
        data = XRule(apk)
        for single_rule in tqdm(os.listdir(rule)):
            rule_checker = RuleObject(os.path.join(rule, single_rule))
            data.run(rule_checker)
            data.show_summary_report(rule_checker)
        weight = Weight(data.score_sum, data.weight_sum)
        print_warning(weight.calculate())
        print_info("Total Score: " + str(data.score_sum))
        print(data.tb)
    if detail:
        # Detail report: same pass, printing each rule path before it runs.
        data = XRule(apk)
        for single_rule in tqdm(os.listdir(rule)):
            rulepath = os.path.join(rule, single_rule)
            print(rulepath)
            rule_checker = RuleObject(rulepath)
            data.run(rule_checker)
            data.show_detail_report(rule_checker)
            print_success("OK")
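def download():
    """
    Download the latest quark-rules from https://github.com/quark-engine/quark-rules.

    Runs ``git clone`` as a subprocess and prints a success message when it
    exits cleanly. On failure the captured stderr is inspected to tell the user
    whether the target directory already exists or the remote is unreachable.

    NOTE(review): the rules drive every verdict Quark produces and this fetch
    relies solely on git/HTTPS for integrity — confirm that matches the
    project's trust model for the rule source.

    :return: None
    """
    try:
        subprocess.run(
            [
                "git",
                "clone",
                "https://github.com/quark-engine/quark-rules",
                config.DIR_PATH,
            ],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            check=True,
        )
    except FileNotFoundError:
        # git itself is not installed / not on PATH
        print_warning("FileNotFoundError with git clone")
    except subprocess.CalledProcessError as error:
        # Decode once, tolerating non-UTF-8 bytes so a locale-specific git
        # message cannot turn a clone failure into a UnicodeDecodeError.
        stderr_text = error.stderr.decode("utf-8", errors="replace")
        # git's "destination path '...' already exists" message
        if "destination path" in stderr_text:
            print_warning(
                f"quark-rules already exists in {config.DIR_PATH}, "
                f"you can use {green('git pull')} "
                "to update the quark-rules!\n"
            )
        # git's "unable to access '...'" message (DNS / connectivity failure)
        if "unable to access" in stderr_text:
            print_warning(
                f"Your network is currently unavailable, "
                f"you can use {green('freshquark')} "
                "to update the quark-rules later!\n"
            )
    else:
        # check=True guarantees a zero exit status on this path.
        print_success("Complete downloading the latest quark-rules")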
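def download():
    """
    Download the latest quark-rules from https://github.com/quark-engine/quark-rules.

    Clones the repository into ``DIR_PATH`` with a ``git clone`` subprocess. If
    ``DIR_PATH`` is already occupied it is deleted (``set_rw`` handles entries
    ``rmtree`` cannot remove) and the clone is attempted once more; an
    unreachable remote only produces a warning. ``logger()`` runs exactly once
    afterwards.

    NOTE(review): the rules drive every verdict Quark produces and this fetch
    relies solely on git/HTTPS for integrity — confirm that matches the
    project's trust model for the rule source.

    :return: None
    """
    _clone_rules(retry=True)
    logger()


def _clone_rules(retry):
    """Run ``git clone`` once and react to its stderr.

    :param retry: when True, a "destination path" failure wipes ``DIR_PATH``
        and calls this helper again with ``retry=False``. This bounds the
        retry so a directory that ``rmtree`` cannot actually remove (the
        ``set_rw`` handler may swallow the error) cannot recurse forever.
    :return: None
    """
    try:
        result = subprocess.run(
            [
                "git",
                "clone",
                "https://github.com/quark-engine/quark-rules",
                DIR_PATH,
            ],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
    except FileNotFoundError:
        # git itself is not installed / not on PATH
        print_warning("FileNotFoundError with git clone")
        return
    if result.returncode == 0:
        return
    # Decode once, tolerating non-UTF-8 bytes so a locale-specific git
    # message cannot turn a clone failure into a UnicodeDecodeError.
    stderr_text = result.stderr.decode("utf-8", errors="replace")
    # git's "destination path '...' already exists" message
    if "destination path" in stderr_text:
        if retry:
            # Wipe the stale checkout (no confirmation asked) and try again.
            shutil.rmtree(DIR_PATH, onerror=set_rw)
            _clone_rules(retry=False)
        else:
            print_warning(
                f"quark-rules already exists in {DIR_PATH} "
                "and could not be replaced\n"
            )
    # git's "unable to access '...'" message (DNS / connectivity failure)
    if "unable to access" in stderr_text:
        print_warning(
            f"Your network is currently unavailable, "
            f"you can use {green('freshquark')} "
            "to update the quark-rules later!\n"
        )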
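def entry_point(summary, detail, apk, folder, rule, output, graph, classification, threshold):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    Analyses one APK (``apk``), every ``*.apk`` under ``folder``, or — when
    neither is given — every ``*.apk`` under the current directory. The
    ``summary``, ``detail`` and ``output`` reports are independent and each
    one re-runs the whole rule set against every loaded APK.
    """
    datas = _collect_apks(apk, folder)
    rule_paths = _json_rule_paths(rule)

    if summary:
        for rulepath in tqdm(rule_paths):
            rule_checker = QuarkRule(rulepath)
            for data in datas:
                data.run(rule_checker)
                data.show_summary_report(rule_checker, threshold)
        for data in datas:
            w = Weight(data.quark_analysis.score_sum, data.quark_analysis.weight_sum)
            print_warning(w.calculate())
            print_info("Total Score: " + str(data.quark_analysis.score_sum))
            print(data.quark_analysis.summary_report_table)
            if classification:
                data.show_rule_classification()
            if graph:
                data.show_call_graph()

    if detail:
        for rulepath in tqdm(rule_paths):
            print(rulepath)
            rule_checker = QuarkRule(rulepath)
            for data in datas:
                data.run(rule_checker)
                data.show_detail_report(rule_checker)
                print_success("OK")
        for data in datas:
            if classification:
                data.show_rule_classification()
            if graph:
                data.show_call_graph()

    if output:
        for rulepath in tqdm(rule_paths):
            rule_checker = QuarkRule(rulepath)
            for data in datas:
                data.run(rule_checker)
                data.generate_json_report(rule_checker)
        # NOTE(review): ``output`` is rewritten once per APK, so with several
        # APKs only the last report survives — presumably unintended; confirm
        # before changing the file format.
        for data in datas:
            with open(output, "w") as file:
                json.dump(data.get_json_report(), file, indent=4)


def _collect_apks(apk, folder):
    """Return ``Quark`` objects for the APK(s) selected on the command line.

    ``apk`` wins over ``folder``; with neither, ``./`` is walked recursively.
    """
    if apk:
        return [Quark(apk)]
    search_root = str(folder) if folder else "./"
    found = []
    for root, _dirs, files in os.walk(search_root):
        for name in files:
            if name.endswith(".apk"):
                found.append(Quark(os.path.join(root, name)))
    return found


def _json_rule_paths(rule):
    """Return the full path of every ``*json`` entry in the ``rule`` directory."""
    return [
        os.path.join(rule, name)
        for name in os.listdir(rule)
        if name.endswith("json")
    ]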
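def entry_point(jreport, reports, generate, summary, detail, apk, rule):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    Several flags may be set at once; their branches run in the order
    ``generate``, ``reports``, ``summary``, ``detail``. ``jreport`` only has
    an effect inside the ``reports`` and ``summary`` branches.
    """
    if generate:
        _generate_rule_list(apk, rule)
    if reports:
        _batch_reports(apk, rule, jreport)
    if summary:
        _summary_report(apk, rule, jreport)
    if detail:
        _detail_report(apk, rule)


def _generate_rule_list(apk, rule):
    """Run every rule against every APK in directory ``apk`` and record the
    rules that reach 100% confidence.

    Prints a table of the selected rules and writes their file names, one
    per line, to ``../android_rule/quark_android_rule/data/rule_list``.
    """
    rules_list = os.listdir(rule)
    apk_list = os.listdir(apk)
    tb = PrettyTable()
    tb.field_names = ["Count", "Rule No.", "crime", "confidence"]
    tb.align = "l"
    filted_rules = []
    rule_count = 0
    for apk_name in apk_list:
        apk_file = os.path.join(apk, apk_name)
        data = XRule(apk_file)
        print(f"Analyzing {apk_file} ====")
        for single_rule in tqdm(rules_list):
            rule_checker = RuleObject(os.path.join(rule, single_rule))
            data.run(rule_checker)
            confidence = data.get_conf(rule_checker)
            # only keep 100% confidence (displayed as confidence * 20 percent)
            if confidence > 4:
                tb.add_row([
                    rule_count,
                    single_rule,
                    rule_checker.crime,
                    str(confidence * 20) + "%",
                ])
                rule_count += 1
                filted_rules.append(single_rule)
    # NOTE(review): path is relative to the working directory and tied to a
    # specific repository layout — confirm this is the intended location.
    list_file_path = "../android_rule/quark_android_rule/data/"
    with open(list_file_path + "rule_list", "w+") as rule_list_file:
        rule_list_file.writelines("%s\n" % line for line in filted_rules)
    print(tb)


def _apk_files(apk):
    """Return ``(directory, names)`` for ``apk``, which may be a directory or
    a single APK file."""
    try:
        return apk, os.listdir(apk)
    except OSError:
        # not a listable directory: treat ``apk`` as one file
        return os.path.dirname(apk), [os.path.basename(apk)]


def _is_duplicate_crime(json_crime, json_crimes):
    """True when an already-recorded crime has the same permissions (order
    ignored) and the same two methods in swapped order.

    Uses ``sorted()`` copies: the previous in-place ``.sort()`` comparison
    always compared ``None == None`` and so matched every permission list.
    """
    for seen in json_crimes:
        if sorted(seen["permissions"]) != sorted(json_crime["permissions"]):
            continue
        if (
            seen["methods"][0] == json_crime["methods"][1]
            and seen["methods"][1] == json_crime["methods"][0]
        ):
            return True
    return False


def _write_report(
    json_report,
    f_hash,
    echo=False,
    report_dir="/Users/pock/quark/quark-engine-web/data/report/",
):
    """Write ``json_report`` to ``report_dir/report_<f_hash>.json``.

    :param echo: also print the report to stdout.
    NOTE(review): the default ``report_dir`` is a developer-specific absolute
    path — confirm it should not come from configuration.
    """
    name = "report_" + f_hash + ".json"
    with open(report_dir + name, "w+") as report_file:
        json.dump(json_report, report_file, indent=4)
    if echo:
        print(json.dumps(json_report, indent=4))


def _batch_reports(apk, rule, jreport):
    """Summary-report every APK under ``apk`` (or the single file ``apk``);
    with ``jreport`` also write one JSON report per APK.

    A rule that raises during ``run`` is reported and skipped so the
    remaining rules still execute.
    """
    rules_list = os.listdir(rule)
    apk_dir, apk_list = _apk_files(apk)
    for apk_name in apk_list:
        json_crimes = []
        apk_file = os.path.join(apk_dir, apk_name)
        print("now analyze: " + apk_file)
        data = XRule(apk_file)
        for single_rule in tqdm(rules_list):
            rule_checker = RuleObject(os.path.join(rule, single_rule))
            try:
                data.run(rule_checker)
            except Exception as exc:  # best-effort: keep going with the rest
                print_warning(f"rule {single_rule} failed on {apk_file}: {exc}")
            data.show_summary_report(rule_checker)
            crime, confidence, score, weight = data.get_json_report(rule_checker)
            if crime == "":
                continue
            json_crime = {
                "_id": str(uuid.uuid4()),
                "rule": crime,
                "permissions": rule_checker.x1_permission,
                "methods": rule_checker.x2n3n4_comb,
                "confidence": confidence,
                "score": score,
                "weight": weight,
            }
            if json_crime["confidence"] > 0 and not _is_duplicate_crime(
                json_crime, json_crimes
            ):
                json_crimes.append(json_crime)
        w = Weight(data.score_sum, data.weight_sum)
        print_warning(w.calculate())
        print_info("Total Score: " + str(data.score_sum))
        if jreport:
            f_hash = FileHash("sha512").hash_file(apk_file)
            json_report = {
                "_id": str(uuid.uuid4()),
                "sample": f_hash,
                "apk-name": os.path.basename(apk_file),
                "size": os.path.getsize(apk_file),
                "warnning": w.calculate(),
                "total-score": data.score_sum,
                "last-update": datetime.datetime.now().strftime("%c"),
                "crimes": json_crimes,
            }
            _write_report(json_report, f_hash)


def _summary_report(apk, rule, jreport):
    """Summary-report the single APK ``apk``; with ``jreport`` also write and
    echo a JSON report."""
    data = XRule(apk)
    rules_list = os.listdir(rule)
    json_crimes = []
    for single_rule in tqdm(rules_list):
        rule_checker = RuleObject(os.path.join(rule, single_rule))
        data.run(rule_checker)
        data.show_summary_report(rule_checker)
        crime, confidence, score, weight = data.get_json_report(rule_checker)
        json_crime = {
            "rule": crime,
            "permissions": rule_checker.x1_permission,
            "methods": rule_checker.x2n3n4_comb,
            "confidence": confidence,
            "score": score,
            "weight": weight,
        }
        if json_crime["confidence"] > 0:
            json_crimes.append(json_crime)
    w = Weight(data.score_sum, data.weight_sum)
    print_warning(w.calculate())
    print_info("Total Score: " + str(data.score_sum))
    if jreport:
        f_hash = FileHash("sha512").hash_file(apk)
        json_report = {
            "sample": f_hash,
            "apk-name": os.path.basename(apk),
            "size": os.path.getsize(apk),
            "warnning": w.calculate(),
            "total-score": data.score_sum,
            "crimes": json_crimes,
        }
        _write_report(json_report, f_hash, echo=True)
    print(data.tb)


def _detail_report(apk, rule):
    """Detail-report the single APK ``apk``, printing each rule path first."""
    data = XRule(apk)
    for single_rule in tqdm(os.listdir(rule)):
        rulepath = os.path.join(rule, single_rule)
        print(rulepath)
        rule_checker = RuleObject(rulepath)
        data.run(rule_checker)
        data.show_detail_report(rule_checker)
        print_success("OK")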
def entry_point(summary, detail, apk, rule, output, graph, classification):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    ``summary``, ``detail`` and ``output`` are independent: each one loads
    ``apk`` afresh and runs every ``*json`` file in ``rule`` against it.
    ``classification`` and ``graph`` add their views after the summary and
    detail reports.
    """

    def rule_checkers(announce):
        # Yield a QuarkRule for each *json entry of the rule directory,
        # optionally printing the path first (detail report only).
        for name in tqdm(os.listdir(rule)):
            if not name.endswith("json"):
                continue
            rulepath = os.path.join(rule, name)
            if announce:
                print(rulepath)
            yield QuarkRule(rulepath)

    if summary:
        data = Quark(apk)
        for rule_checker in rule_checkers(announce=False):
            data.run(rule_checker)
            data.show_summary_report(rule_checker)
        weight = Weight(data.quark_analysis.score_sum, data.quark_analysis.weight_sum)
        print_warning(weight.calculate())
        print_info("Total Score: " + str(data.quark_analysis.score_sum))
        print(data.quark_analysis.summary_report_table)
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if detail:
        data = Quark(apk)
        for rule_checker in rule_checkers(announce=True):
            data.run(rule_checker)
            data.show_detail_report(rule_checker)
            print_success("OK")
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if output:
        data = Quark(apk)
        for rule_checker in rule_checkers(announce=False):
            data.run(rule_checker)
            data.generate_json_report(rule_checker)
        with open(output, "w") as f:
            json.dump(data.get_json_report(), f, indent=4)
            f.close()
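def entry_point(
    summary, detail, apk, rule, output, graph, classification, threshold, list
):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    Loads ``apk`` once and the ``*json`` rules once; ``summary``, ``detail``
    and ``output`` each run the whole rule set against that one ``Quark``
    object. ``list`` (the CLI option name, shadowing the builtin inside this
    function) prints the Android APIs found in the APK.
    """
    data = Quark(apk)
    rule_paths = [
        os.path.join(rule, name)
        for name in os.listdir(rule)
        if name.endswith("json")
    ]

    if summary:
        for rulepath in tqdm(rule_paths):
            rule_checker = QuarkRule(rulepath)
            data.run(rule_checker)
            data.show_summary_report(rule_checker, threshold)
        w = Weight(data.quark_analysis.score_sum, data.quark_analysis.weight_sum)
        print_warning(w.calculate())
        print_info("Total Score: " + str(data.quark_analysis.score_sum))
        print(data.quark_analysis.summary_report_table)
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if detail:
        for rulepath in tqdm(rule_paths):
            print(rulepath)
            rule_checker = QuarkRule(rulepath)
            data.run(rule_checker)
            data.show_detail_report(rule_checker)
            print_success("OK")
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if output:
        for rulepath in tqdm(rule_paths):
            rule_checker = QuarkRule(rulepath)
            data.run(rule_checker)
            data.generate_json_report(rule_checker)
        # ``with`` closes the file; the explicit close() it used to carry was redundant.
        with open(output, "w") as file:
            json.dump(data.get_json_report(), file, indent=4)

    if list:
        for api in data.apkinfo.android_apis:
            print(api.full_name)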
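def entry_point(
    summary,
    detail,
    apk,
    rule,
    output,
    graph,
    classification,
    threshold,
    list,
    permission,
    label,
):
    """Quark is an Obfuscation-Neglect Android Malware Scoring System

    Loads ``apk`` once and the ``*json`` rules once. ``summary`` and
    ``detail`` accept ``"all_rules"``, a single rule file name (``*json``) or
    a label; the selection is local to each report, so choosing one rule for
    ``--summary`` no longer silently narrows ``--detail`` and ``--output``.
    ``list`` is the CLI option name and shadows the builtin in this function.
    """
    data = Quark(apk)
    rules_list = [x for x in os.listdir(rule) if x.endswith("json")]

    if label:
        # label -> list of confidence values (one per rule carrying the label),
        # e.g. all_labels["accessibility service"] == [60, 40, 60, 40, 60, 40]
        all_labels = {}
        for single_rule in tqdm(rules_list):
            rule_checker = QuarkRule(os.path.join(rule, single_rule))
            data.run(rule_checker)
            # five check items, 20 points each
            confidence = rule_checker.check_item.count(True) * 20
            for single_label in rule_checker._label:
                all_labels.setdefault(single_label, []).append(confidence)
        counter_high_confidence = sum(
            1 for values in all_labels.values() if max(values) >= 80
        )
        print_info("Total Label found: " + yellow(str(len(all_labels))))
        print_info(
            "Rules with label which max confidence >= 80%: "
            + yellow(str(counter_high_confidence))
        )
        data.show_label_report(rule, all_labels, label)
        print(data.quark_analysis.label_report_table)

    if summary:
        for rulepath, rule_checker in _select_rules(rule, rules_list, summary):
            data.run(rule_checker)
            data.show_summary_report(rule_checker, threshold)
        w = Weight(data.quark_analysis.score_sum, data.quark_analysis.weight_sum)
        print_warning(w.calculate())
        print_info("Total Score: " + str(data.quark_analysis.score_sum))
        print(data.quark_analysis.summary_report_table)
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if detail:
        for rulepath, rule_checker in _select_rules(rule, rules_list, detail):
            data.run(rule_checker)
            print("Rulepath: " + rulepath)
            print("Rule crime: " + rule_checker._crime)
            data.show_detail_report(rule_checker)
            print_success("OK")
        if classification:
            data.show_rule_classification()
        if graph:
            data.show_call_graph()

    if output:
        for single_rule in tqdm(rules_list):
            rule_checker = QuarkRule(os.path.join(rule, single_rule))
            data.run(rule_checker)
            data.generate_json_report(rule_checker)
        with open(output, "w") as file:
            json.dump(data.get_json_report(), file, indent=4)

    if list:
        if list == "all":
            for all_method in data.apkinfo.all_methods:
                print(all_method.full_name)
        if list == "native":
            for api in data.apkinfo.android_apis:
                print(api.full_name)
        if list == "custom":
            for custom_method in data.apkinfo.custom_methods:
                print(custom_method.full_name)

    if permission:
        for p in data.apkinfo.permissions:
            print(p)


def _select_rules(rule, rules_list, selector):
    """Yield ``(rulepath, QuarkRule)`` for the rules ``selector`` picks.

    :param rule: rule directory.
    :param rules_list: ``*json`` file names in that directory.
    :param selector: ``"all_rules"`` for every rule, a ``*json`` file name for
        exactly that rule, or a label (every rule whose ``_label`` contains it).
    """
    if selector.endswith("json"):
        candidates = [selector]
    else:
        candidates = rules_list
    by_label = selector != "all_rules" and not selector.endswith("json")
    for single_rule in tqdm(candidates):
        rulepath = os.path.join(rule, single_rule)
        rule_checker = QuarkRule(rulepath)
        if by_label and selector not in rule_checker._label:
            continue
        yield rulepath, rule_checker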