Update README.md

pulorsok · web-flow · commit d7784bead0f4 · 2022-07-26T07:18:51.000+08:00
diff --git a/README.md b/README.md
@@ -52,280 +52,10 @@ Once the user creates a Quark script for specific analysis scenario. The script
 #### More APIs to come
 Quark Script is now in a beta version. We'll keep releasing practical APIs and analysis scenarios.  
 
-### Introduce of Quark Script APIs
-
-<details>
-<summary><b>  Rule(rule.json) </b></summary>
-
-<br>
-
-* Description: Making detection rule a rule instance
-* params: Path of a single Quark rule
-* return: Quark rule instance
-
-</details>
-<details>
-<summary><b>  runQuarkAnalysis(SAMPLE_PATH, ruleInstance) </b></summary>
-
-<br>
-
-* Description: Given detection rule and target sample, this instance runs the basic Quark analysis.
-* params: 1. Target file 2. Quark rule object
-* return: quarkResult instance
-
-</details>
-<details>
-<summary><b>  quarkResultInstance.behaviorOccurList </b></summary>
-
-<br>
-
-* Description: List that stores instances of detected behavior in different part of the target file.
-* params: none
-* return: detected behavior instance
-
-</details>
-<details>
-<summary><b>  quarkResultInstance.getAllStrings(none) </b></summary>
-
-<br>
-
-* Description: Get all strings inside the target APK file.
-* params: none
-* return: python list containing all strings inside the target APK file.
-
-</details>
-<details>
-<summary><b>  behaviorInstance.firstAPI.fullName </b></summary>
-
-<br>
-
-* Description: Show the name of the first key API called in this behavior.
-* params: none
-* return: API name
-
-</details>
-<details>
-<summary><b>  behaviorInstance.secondAPI.fullName </b></summary>
-
-<br>
-
-* Description: Show the name of the second key API called in this behavior.
-* params: none
-* return: API name
-
-</details>
-<details>
-<summary><b>  behaviorInstance.hasUrl(none) </b></summary>
-
-<br>
-
-* Description: Check if the behavior contains urls.
-* params: none
-* return: python list containing all detected urls.
-
-</details>
-<details>
-<summary><b>  behaviorInstance.methodCaller </b></summary>
-
-<br>
-
-* Description: Find method who calls this behavior (API1 & API2).
-* params: none
-* return: method instance 
-
-</details>
-<details>
-<summary><b>  behaviorInstance.getParamValues(none) </b></summary>
-
-<br>
-
-* Description: Get parameter values that API1 sends to API2 in the behavior.
-* params: none
-* return: python list containing parameter values.
-
-</details>
-<details>
-<summary><b>  methodInstance.getXrefFrom(none) </b></summary>
-
-<br>
-
-* Description: Find out who call this method.
-* params: none
-* return: python list containing caller methods.
-
-</details>
-<details>
-<summary><b>  methodInstance.getXrefTo(none) </b></summary>
-
-<br>
-
-* Description: Find out who this method called.
-* params: none
-* return: python list containing tuples (callee methods, index).
-
-</details>
-<details>
-<summary><b>  Objection(host) </b></summary>
-
-<br>
-
-* Description: Create an instance for Objection (dynamic analysis tool). 
-* params: Monitoring IP:port
-* return: objection instance
-
-</details>
-<details>
-<summary><b>  objInstance.hookMethod(method, watchArgs, watchBacktrace, watchRet) </b></summary>
-
-<br>
-
-* Description: Hook the target method with Objection.
-* params: 1. method: the tagrget API. (type: str or method instance) 2. watchArgs: Return Args information if True. (type: boolean) 3. watchBacktrace: Return backtrace information if True. (type: boolean) 4. watchRet: Return the return information of the target API if True (type: boolean).
-* return: none
-
-</details>
-
-### Analyzing real case (InstaStealer) using Quark Script
-#### Quark Script that dynamic hooks the method containing urls 
-The scenario is simple! We'd like to dynamic hooking the methods in the malware that contains urls. We can use APIs above to write Quark Script.
-
-```python
-from quark.script import runQuarkAnalysis, Rule
-from quark.script.objection import Objection
-
-SAMPLE_PATH = "6f032.apk"
-RULE_PATH = "00211.json"
-
-ruleInstance = Rule(RULE_PATH)
-quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
-
-for behaviorInstance in quarkResult.behaviorOccurList:
-    detectedUrl = behaviorInstance.hasUrl()
-    
-    if detectedUrl:
-        print(f"\nDetected Behavior -> {ruleInstance.crime}")
-        print(f"\nDetected Url -> {detectedUrl}")
-        
-        method = behaviorInstance.methodCaller
-        print(f"\nThe detected behavior was called by -> {method.fullName}")
-
-        print("\nAttempt to hook the method:")
-        obj = Objection("127.0.0.1:8888")
-        
-        obj.hookMethod(method, 
-                       watchArgs=True, 
-                       watchBacktrace=True, 
-                       watchRet=True)
-        print(f"\tHook -> {method.fullName}")
-        
-        for methodCaller in method.getXrefFrom():
-            obj.hookMethod(methodCaller, 
-                           watchArgs=True, 
-                           watchBacktrace=True, 
-                           watchRet=True)
-            print(f"\tHook -> {methodCaller.fullName}")
-            
-        for methodCallee, _ in method.getXrefTo():
-            obj.hookMethod(methodCallee, 
-                           watchArgs=True, 
-                           watchBacktrace=True, 
-                           watchRet=True)
-            print(f"\tHook -> {methodCallee.fullName}")
-            
-print("\nSee the hook results in Objection's terminal.")
-```
-> Note: Please make sure you have the dynamic analysis environment ready before executing the script.
-> 1. Objection installed and running. Check the guideline [here](https://github.com/sensepost/objection/wiki/Installation).
-> 2. Android Virtual Machine with frida installed. Check the guideline [here](https://frida.re/docs/android/).
-> 3. Or a rooted Android Device (Google Pixel 6) with frida installed. 
-> Check the root guideline [here](https://forum.xda-developers.com/t/guide-root-pixel-6-with-magisk-android-12-1.4388733/), frida install guideline is the [same]((https://frida.re/docs/android/)) with Android Virtual Machine.
-
-#### Quark Script Result
-![](https://i.imgur.com/elztZdC.png)
-
-#### Logs on the Objection terminal (hooking)
-![](https://i.imgur.com/XrtfgjY.jpg)
-
-#### Method (callComponentMethod) with urls is detected triggered!
-![](https://i.imgur.com/ryV3f57.jpg)
-
-### Quark Script used as a vulnerability finder
-
-####  Detect CWE-798 in Android Application
-
-This scenario seeks to find hard-coded credentials in the APK file. See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details.
-
-Let's use this [APK](https://github.com/oversecured/ovaa) and the above APIs to show how Quark script find this vulnerability.
-
-First, we design a detection rule `findSecretKeySpec.json` to spot on behavior uses method SecretKeySpec. Then, we get all the parameter values that input to this method. From the returned parameter values, we identify it's a AES key and parse the key out of the values. Finally, we dump all strings in the APK file and check if the AES key is in the strings. If the answer is YES, BINGO!!! We find hard-coded credentials in the APK file. 
-
-#### Quark Scipt: cwe-798.py
-```python
-import re
-from quark.script import runQuarkAnalysis, Rule
-
-SAMPLE_PATH = "ovaa.apk"
-RULE_PATH = "findSecretKeySpec.json"
-
-ruleInstance = Rule(RULE_PATH)
-quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
-
-for secretKeySpec in quarkResult.behaviorOccurList:
-    
-    allStrings = quarkResult.getAllStrings()
-    
-    firstParam = secretKeySpec.getParamValues()[0]
-    secondParam = secretKeySpec.getParamValues()[1]
-    
-    if secondParam == "AES":
-        AESKey = re.findall(r'\((.*?)\)', firstParam)[1]
-        
-    if AESKey in allStrings:
-        print(f"Found hard-coded {secondParam} key {AESKey}")
-```
-
-#### Quark Rule: findSecretKeySpec.json
-```json
-{
-    "crime": "Detect APK using SecretKeySpec.",
-    "permission": [],
-    "api": [
-        {
-            "descriptor": "()[B",
-            "class": "Ljava/lang/String;",
-            "method": "getBytes"
-        },
-        {
-            "descriptor": "([BLjava/lang/String;)V",
-            "class": "Ljavax/crypto/spec/SecretKeySpec;",
-            "method": "<init>"
-        }
-    ],
-    "score": 1,
-    "label": []
-}
-```
-
-#### Quark Script Result
-```bash
-$ python3 findSecretKeySpec.py 
-
-Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f
-```
-
-#### Hard-Coded AES key in the APK file
-```
-const-string v2, "49u5gh249gh24985ghf429gh4ch8f23f"
-
-invoke-virtual {v2}, Ljava/lang/String;->getBytes()[B
-
-move-result-object v2
-
-invoke-direct {v1, v2, v0}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V
-```
-
-
-
+__See our APIs [here](https://quark-engine.readthedocs.io/en/latest/quark_script.html#introduce-of-quark-script-apis).__
+#### 2022 CWE Top 25 Showcases
+* [CWE-798](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-798-in-android-application-ovaa-apk)
+* [CWE-94](https://quark-engine.readthedocs.io/en/latest/quark_script.html#quark-scipt-cwe-94-py)
 
 ## Quark Web Report
 
