ev-flow
diff --git a/‎.github/workflows/pytest.yml‎
Lines changed: 12 additions & 6 deletions b/‎.github/workflows/pytest.yml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎.github/workflows/smoke_test.yml‎
Lines changed: 22 additions & 14 deletions b/‎.github/workflows/smoke_test.yml‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎Pipfile‎
Lines changed: 2 additions & 0 deletions b/‎Pipfile‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎quark/script/ciphey.py‎
Lines changed: 15 additions & 0 deletions b/‎quark/script/ciphey.py‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎quark/script/frida/__init__.py‎
Lines changed: 220 additions & 0 deletions b/‎quark/script/frida/__init__.py‎
Lines changed: 220 additions & 0 deletions
@@ -23,13 +23,12 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install pytest pipenv rzpipe meson==0.62.0 ninja coverage
+        python -m pip install pytest rzpipe meson==0.62.0 ninja coverage ciphey frida objection
         sudo apt-get install -y ninja-build
         
         # Install graphviz
         sudo apt-get -y install graphviz
         
-        
         # Install Rizin
         sudo git clone --branch v0.3.4 https://github.com/rizinorg/rizin /opt/rizin/
         cd /opt/rizin/
@@ -39,12 +38,19 @@ jobs:
         sudo ldconfig -v
         cd -
         
-        
+        # Install click >= 8.0.0 for CLI supports
+        python -m pip install click==8.0.3
+
+    - name: Install Quark-Engine
+      run: |
+        python setup.py build
+        python setup.py install
+
     - name: Test with pytest
       run: |
-          pipenv install --dev
-          pipenv install coveralls codecov pytest-cov --skip-lock
-          pipenv run pytest --cov=./
+        python -m pip install black pytest sphinx sphinx-rtd-theme
+        python -m pip install coveralls codecov pytest-cov
+        pytest --cov=./
 
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@v1
 
@@ -27,46 +27,54 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: ${{ matrix.python-version }}
 
-    # Runs a single command using the runners shell
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install pipenv
-        pipenv install --skip-lock --dev
+        python -m pip install ciphey frida objection
+        python -m pip install black pytest sphinx sphinx-rtd-theme
+
+        # Install click >= 8.0.0 for CLI supports
+        python -m pip install click==8.0.3
 
     - run: sudo apt-get -y install graphviz
       if: matrix.os == 'ubuntu-latest'
     - run: brew install graphviz
       if: matrix.os == 'macOS-latest'
     - run: choco install graphviz
       if: matrix.os == 'windows-latest'
+
+    - name: Install Quark-Engine
+      run: |
+        python setup.py build
+        python setup.py install
+
     # Download the latest rule set
     - name: Download rule from https://github.com/quark-engine/quark-rules
-      run: |
-        pipenv run freshquark
+      run: freshquark
 
     # Runs a set of commands using the quark-engine
     - name: Run a multi-line script
       run: |
-        pipenv run quark --help
+        quark --help
         git clone https://github.com/quark-engine/apk-malware-samples
-        pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s
-        pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -d
-        pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -g
-        pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -d -g
-        pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -c
+        quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s
+        quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -d
+        quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -g
+        quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -d -g
+        quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -c
 
     - name: Check Accuracy
       shell: bash
       run: |
-        echo "Ahmyth_RESULT=$(pipenv run quark -a apk-malware-samples/Ahmyth.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
-        echo "a4db_RESULT=$(pipenv run quark -a apk-malware-samples/13667fe3b0ad496a0cd157f34b7e0c991d72a4db.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
-        echo "e273e_RESULT=$(pipenv run quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
+        echo "Ahmyth_RESULT=$(quark -a apk-malware-samples/Ahmyth.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
+        echo "a4db_RESULT=$(quark -a apk-malware-samples/13667fe3b0ad496a0cd157f34b7e0c991d72a4db.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
+        echo "e273e_RESULT=$(quark -a apk-malware-samples/14d9f1a92dd984d6040cc41ed06e273e.apk -s -t 100 | grep 100% | wc -l | awk '{print $1}')" >> $GITHUB_ENV
 
     - name: Check Ahmyt Result
       shell: bash
 
@@ -23,6 +23,8 @@ plotly = "<=5.4.0"
 prompt-toolkit = "==3.0.19"
 rzpipe = "<=0.1.2"
 objection = "<=1.11.0"
+frida = "<=15.2.2"
+ciphey = ">=5.0.0,<=5.14.0"
 
 [requires]
 python_version = "3.8"
 
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine
+# See the file 'LICENSE' for copying permission.
+
+from ciphey import decrypt
+from ciphey.iface import Config
+
+
+def checkClearText(inputString: str) -> str:
+    """Check the decrypted value of the input string.
+
+    :param inputString: string to be checked.
+    :return: the decrypted value
+    """
+    return decrypt(Config().library_default().complete_config(), inputString)
@@ -0,0 +1,220 @@
+# -*- coding: utf-8 -*-
+# This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine
+# See the file 'LICENSE' for copying permission.
+
+import functools
+import json
+import re
+import sys
+from dataclasses import dataclass
+from time import sleep
+from typing import Any, Dict, List, Tuple, Union
+
+import pkg_resources
+from quark.utils.regex import URL_REGEX
+
+import frida
+from frida.core import Device
+from frida.core import Session as FridaSession
+
+MethodCallEvent = Dict[str, Union[List[str], str]]
+
+
+class MethodCallEventDispatcher:
+    def __init__(self, frida: FridaSession) -> None:
+        self.frida = frida
+        self.watchedMethods = {}
+
+    @staticmethod
+    def _getMethodIdentifier(targetMethod: str, paramType: str):
+        return (targetMethod, paramType)
+
+    def startWatchingMethodCall(
+        self, targetMethod: str, methodParamTypes: str
+    ) -> List[MethodCallEvent]:
+        """Start tracking calls to the target method.
+
+        :param targetMethod: the target API
+        :param methodParamTypes: the parameter types of the target API
+        :return: python list that holds calls to the target method
+        """
+        eventBuffer = []
+        methodId = self._getMethodIdentifier(targetMethod, methodParamTypes)
+
+        self.watchedMethods[methodId] = eventBuffer
+        self.script.exports.watch_method_call(targetMethod, methodParamTypes)
+
+        return eventBuffer
+
+    def stopWatchingMethodCall(
+        self, targetMethod: str, methodParamTypes: str
+    ) -> None:
+        """Stop tracking calls to the target method.
+
+        :param targetMethod: the target API
+        :param methodParamTypes: the parameter types of the target API
+        """
+        methodId = self._getMethodIdentifier(targetMethod, methodParamTypes)
+
+        if methodId in self.watchedMethods:
+            del self.watchedMethods[methodId]
+
+    def handleCapturedEvent(self, eventWrapperFromFrida: dict, _) -> None:
+        """Send the event captured by Frida to the corresponding
+         buffers.
+
+        :param eventWrapperFromFrida: python dict containing captured events
+        """
+        if eventWrapperFromFrida["type"] == "error":
+            errorDescription = eventWrapperFromFrida["description"]
+            print(errorDescription, file=sys.stderr)
+            return
+
+        methodCallEvent = json.loads(eventWrapperFromFrida["payload"])
+
+        eventType = methodCallEvent.get("type", None)
+
+        if eventType == "CallCaptured":
+            methodId = tuple(methodCallEvent["identifier"][0:2])
+
+            if methodId in self.watchedMethods:
+                messageBuffer = self.watchedMethods[methodId]
+                messageBuffer.append(methodCallEvent)
+
+        elif eventType == "FailedToWatch":
+            methodId = tuple(methodCallEvent["identifier"])
+            self.watchedMethods.pop(methodId)
+
+
+@functools.lru_cache
+def _spawnApp(
+    appPackageName: str, protocol="usb", **kwargs: Any
+) -> Tuple[Device, FridaSession, int]:
+    """Spawn the target APP with Frida
+
+    :param appPackageName: the package name of the target APP
+    :param protocol: string that holds the protocol to communicate with the
+     Frida server, defaults to "usb"
+    :return: tuple containing the device ID, the Frida instance and the process
+     ID of the APP.
+    """
+    device = None
+    if protocol == "usb":
+        device = frida.get_usb_device(**kwargs)
+    elif protocol == "local":
+        device = frida.get_local_device(**kwargs)
+    elif protocol == "remote":
+        device = frida.get_remote_device(**kwargs)
+
+    processId = device.spawn([appPackageName])
+    session = device.attach(processId)
+
+    return device, session, processId
+
+
+@functools.lru_cache
+def _injectAgent(frida: FridaSession) -> MethodCallEventDispatcher:
+    """Inject a Frida agent to help track method calls.
+
+    :param frida: Frida instance to be injected
+    :return: dispatcher that stores the captured calls to the appropriate
+     buffers
+    """
+    dispatcher = MethodCallEventDispatcher(frida)
+
+    pathToFridaAgentSource = pkg_resources.resource_filename(
+        "quark.script.frida", "agent.js"
+    )
+
+    with open(pathToFridaAgentSource, "r") as fridaAgentSource:
+        fridaAgent = dispatcher.frida.create_script(fridaAgentSource.read())
+        fridaAgent.on("message", dispatcher.handleCapturedEvent)
+        fridaAgent.load()
+        dispatcher.script = fridaAgent
+
+    return dispatcher
+
+
+@dataclass
+class Behavior:
+    _callEvent: MethodCallEvent
+
+    def hasString(self, pattern: str, regex: bool = False) -> List[str]:
+        """Check if the behavior contains strings
+
+        :param pattern: string to be checked
+        :param regex: True if the string is a regular expression, defaults to
+         False
+        :return: python list containing all matched strings
+        """
+        arguments = self.getParamValues()
+
+        allMatchedStrings = set()
+        for argument in arguments:
+            if regex:
+                matchedStrings = [
+                    match.group(0) for match in re.finditer(pattern, argument)
+                ]
+                allMatchedStrings.update(matchedStrings)
+            else:
+                if pattern in argument:
+                    return [pattern]
+
+        return list(allMatchedStrings)
+
+    def hasUrl(self) -> List[str]:
+        """Check if the behavior contains urls.
+
+        :return: python list containing all detected urls
+        """
+        return self.hasString(URL_REGEX, True)
+
+    def getParamValues(self) -> List[str]:
+        """Get parameter values from behavior.
+
+        :return: python list containing parameter values
+        """
+        return self._callEvent["paramValues"]
+
+
+@dataclass
+class FridaResult:
+    _eventBuffer: List[MethodCallEvent]
+
+    @property
+    def behaviorOccurList(self) -> List[Behavior]:
+        """List that stores instances of detected behavior in different part of
+         the target file.
+
+        :return: detected behavior instance
+        """
+        return [Behavior(message) for message in self._eventBuffer]
+
+
+def runFridaHook(
+    apkPackageName: str,
+    targetMethod: str,
+    methodParamTypes: str,
+    secondToWait: int = 10,
+) -> FridaResult:
+    """Track calls to the specified method for given seconds.
+
+    :param apkPackageName: the package name of the target APP
+    :param targetMethod: the target API
+    :param methodParamTypes: string that holds the parameters used by the
+     target API
+    :param secondToWait: seconds to wait for method calls, defaults to 10
+    :return: FridaResult instance
+    """
+    device, frida, appProcess = _spawnApp(apkPackageName)
+    dispatcher = _injectAgent(frida)
+
+    eventBuffer = dispatcher.startWatchingMethodCall(
+        targetMethod, methodParamTypes
+    )
+    device.resume(appProcess)
+
+    sleep(secondToWait)
+    dispatcher.stopWatchingMethodCall(targetMethod, methodParamTypes)
+
+    return FridaResult(eventBuffer)