Switch Quark's default core library to the Shuriken-based one

[zinwang]

Refer to Issue #728 .

• Specify a Shuriken-Analyzer version for CI running the tests.
• Ensure Quark passes the unit tests and the smoke tests on Linux, macOS, and Windows platforms.
• Ensure Quark Agent, Quark Script, and Quark Report showcase work as expected.
  • Quark Agent
  • Quark Report
  • Quark Script
• Ensure Quark is installable via Pip, Pipenv, Kali Package, and Docker Image.
• Ensure the integrations with IntelOwl, Jadx, MobSF, and Apklab work as expected.

[pep8speaks]

Hello @zinwang! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

• In the file quark/script/__init__.py:

Line 78:1: W293 blank line contains whitespace

• In the file setup.py:

Line 19:80: E501 line too long (155 > 79 characters)

Comment last updated at 2025-01-26 18:40:06 UTC

[codecov]

Codecov Report

Attention: Patch coverage is 89.65517% with 3 lines in your changes missing coverage. Please review.

Project coverage is 80.57%. Comparing base (4e6d727) to head (8203fa7).
Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
quark/core/struct/ruleobject.py	80.00%	1 Missing ⚠️
quark/forensic/forensic.py	80.00%	1 Missing ⚠️
quark/script/__init__.py	91.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #729      +/-   ##
==========================================
- Coverage   80.68%   80.57%   -0.11%     
==========================================
  Files          75       75              
  Lines        6253     6265      +12     
==========================================
+ Hits         5045     5048       +3     
- Misses       1208     1217       +9     

Flag	Coverage Δ
unittests	80.57% <89.65%> (-0.11%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sidra-asa]

LGTM

[zinwang]

Modifications in README.md:

New Features Coming Soon to Quark Agent

We are currently focused on:

• The next step of the detection process for auto-suggestion.
• Effortlessly create detection workflows with natural language—no coding required.
• Easily adjust and refine workflows through an intuitive drag-and-drop interface.
• Instantly update and integrate changes as Quark Agent understands and adapts to workflow modifications.

We are committed to providing an intuitive and user-friendly experience, enabling users to design detection workflows seamlessly through both textual and visual methods.

Many features are still under development and fine-tuning, and we will roll them out step by step as they become ready.

If you have any suggestions, please don’t hesitate to share them with us!

To stay updated with the latest news, make sure to watch our GitHub repository and follow us on X (Twitter).

Quark Agent - Your AI-powered Android APK Analyst

With Quark Agent, you can perform analyses using only natural language. It creates Quark Script code following your ideas and adjusts the code promptly as you provide feedback.

Showcase:

Here’s a demonstration of using Quark Agent to detect the CWE-798 vulnerability in the ovaa.apk file.

Step 1: Environment Requirements

• Make sure your Python version is 3.10 or above.
• Make sure you have the following packages installed:
  • C++ Compiler (GCC13/Microsoft Visual Studio)
  • Cmake
  • Git
  • iputils-ping (Only required for Linux users)
• Install Shuriken-Analyzer by running:

  pip install git+https://github.com/Fare9/Shuriken-Analyzer.git@main#subdirectory=shuriken/bindings/Python/
  

Step 2: Install Quark Agent

• Install Quark Agent by running:

git clone https://github.com/quark-engine/quark-engine.git && cd quark-engine
pip install .[QuarkAgent]

Step 3: Prepare the Detection Rule and the Sample File

.
├── ...
├── quark                   
    ├── ...           
    ├── agent               # Put rule file and sample file here
    ├── ...                

You can download the rule file here and the sample file here.

Step 4: Add your OpenAI API key

Add your OpenAI API key in quarkAgentWeb.py

os.environ["OPENAI_API_KEY"] = 'your-api-key-here'

Step 5: Run Quark Agent

$ cd quark/agent
$ python3 quarkAgentWeb.py

# You can now chat with Quark Agent in your browser. 
# The default URL is http://127.0.0.1:5000

Open a browser and navigate to 127.0.0.1:5000 to start using Quark Agent

See more CWE detections using quark scripts and play them with Quark Agent !

Acknowledgments

The Honeynet Project

Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

• 2021:
  • YuShiang Dang: New Rule Generation Technique & Make Quark Everywhere Among Security Open Source Projects
  • Sheng-Feng Lu: Replace the core library of Quark-Engine

Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.

Core Values of Quark Engine Team

• We love battle fields. We embrace uncertainties. We challenge impossibles. We rethink everything. We change the way people think. And the most important of all, we benefit ourselves by benefit others first.

[zinwang]

Modifications in docs/source/install.rst:

Installing Quark-Engine

Step 1. Install Shuriken-Analyzer

• Make sure you have the following packages installed:

  • C++ Compiler (GCC13 or Microsoft Visual Studio)
  • CMake
  • Git
  • iputils-ping (Only required for Linux users)

• Install Shuriken-Analyzer by running:

  $ pip install git+https://github.com/Fare9/Shuriken-Analyzer.git@main#subdirectory=shuriken/bindings/Python/
  

• For example, to install Shuriken-Analyzer on Ubuntu, you can run the following commands:

  $ apt install build-essential g++-13 gcc-13 cmake git iputils-ping
  $ export CC=gcc-13 CXX=g++-13
  $ pip install git+https://github.com/Fare9/Shuriken-Analyzer.git@main#subdirectory=shuriken/bindings/Python/
  

Step 2. Install Quark-Engine

• From PyPi:

  $ pip install -U quark-engine
  

• Or you can install Quark-Engine from the source:

  $ git clone https://github.com/quark-engine/quark-engine.git
  $ cd quark-engine/
  $ pipenv install --skip-lock
  $ pipenv shell
  

Step 3. Check if Quark-Engine is installed

• Run the help cmd of quark:

  $ quark --help
  

• Once you see the following message, then you're all set:

  Usage: quark [OPTIONS]
  
    Quark is an Obfuscation-Neglect Android Malware Scoring System
  
  Options:
    -s, --summary TEXT              Show summary report. Optionally specify the
                                    name of a rule/label
    -d, --detail TEXT               Show detail report. Optionally specify the
                                    name of a rule/label
    -o, --output FILE               Output report in JSON
    -w, --webreport FILE            Generate web report
    -a, --apk FILE                  APK file  [required]
    -r, --rule PATH                 Rules directory  [default:
                                    /home/jensen/.quark-engine/quark-
                                    rules/rules]
    -g, --graph [png|json]          Create call graph to call_graph_image
                                    directory
    -c, --classification            Show rules classification
    -t, --threshold [100|80|60|40|20]
                                    Set the lower limit of the confidence
                                    threshold
    -i, --list [all|native|custom]  List classes, methods and descriptors
    -p, --permission                List Android permissions
    -l, --label [max|detailed]      Show report based on label of rules
    -C, --comparison                Behaviors comparison based on max confidence
                                    of rule labels
    --generate-rule DIRECTORY       Generate rules and output to given directory
    --core-library [androguard|rizin|radare2|shuriken]
                                    Specify the core library used to analyze an
                                    APK
    --multi-process INTEGER RANGE   Allow analyzing APK with N processes, where
                                    N doesn't exceeds the number of usable CPUs
                                    - 1 to avoid memory exhaustion.  [x>=1]
    --version                       Show the version and exit.
    --help                          Show this message and exit.
  

To learn how to scan multiple samples in a directory, please have a look at Directory Scanning.

[zinwang]

Modifications in docs/source/integration.rst:

Integration

Quark Engine Integration In Just 2 Steps

First Step: Installation

You can install Quark-Engine by following the instructions.

Second Step: Code Snippet As You Go

Here we present the simplest way for quark API usage:

from quark.report import Report

APK_PATH = "14d9f1a92dd984d6040cc41ed06e273e.apk"
RULE_PATH = "sendLocation_SMS.json"

report = Report()

'''
RULE_PATH can be a directory with multiple rules inside
EX: "rules/"
'''
report.analysis(APK_PATH, RULE_PATH)
json_report = report.get_report("json")
print(json_report)

Then you get the json report. :D

{
    "md5": "14d9f1a92dd984d6040cc41ed06e273e",
    "apk_filename": "14d9f1a92dd984d6040cc41ed06e273e.apk",
    "size_bytes": 166917,
    "threat_level": "High Risk",
    "total_score": 4,
    "crimes": [
        {
            "crime": "Send Location via SMS",
            "score": 4,
            "weight": 4.0,
            "confidence": "100%",
            "permissions": [
                "android.permission.SEND_SMS",
                "android.permission.ACCESS_COARSE_LOCATION",
                "android.permission.ACCESS_FINE_LOCATION"
            ],
            "native_api": [
                {
                    "class": "Landroid/telephony/TelephonyManager;",
                    "method": "getCellLocation"
                },
                {
                    "class": "Landroid/telephony/SmsManager;",
                    "method": "sendTextMessage"
                }
            ],
            "combination": [
                {
                    "class": "Landroid/telephony/TelephonyManager",
                    "method": "getCellLocation",
                    "descriptor": "()Landroid/telephony/CellLocation;"
                },
                {
                    "class": "Landroid/telephony/SmsManager",
                    "method": "sendTextMessage",
                    "descriptor": "(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
                }
            ],
            "sequence": [
                {
                    "Lcom/google/progress/AndroidClientService; sendMessage ()V": {
                        "first": [
                            "invoke-virtual",
                            "v6",
                            "Lcom/google/progress/Locate;->getLocation()Ljava/lang/String;"
                        ],
                        "first_hex": "6e 10 2f 02 06 00",
                        "second": [
                            "invoke-virtual",
                            "v4",
                            "v6",
                            "v7",
                            "Lcom/google/progress/SMSHelper;->sendSms(Ljava/lang/String; Ljava/lang/String;)I"
                        ],
                        "second_hex": "6e 30 3e 02 64 07"
                    }
                },
                {
                    "Lcom/google/progress/AndroidClientService; doByte ([B)V": {
                        "first": [
                            "invoke-virtual/range",
                            "v35",
                            "Lcom/google/progress/Locate;->getLocation()Ljava/lang/String;"
                        ],
                        "first_hex": "74 01 2f 02 23 00",
                        "second": [
                            "invoke-virtual",
                            "v0",
                            "v1",
                            "v2",
                            "Lcom/google/progress/SMSHelper;->sendSms(Ljava/lang/String; Ljava/lang/String;)I"
                        ],
                        "second_hex": "6e 30 3e 02 10 02"
                    }
                },
                {
                    "Lcom/google/progress/AndroidClientService$2; run ()V": {
                        "first": [
                            "invoke-virtual",
                            "v5",
                            "Lcom/google/progress/Locate;->getLocation()Ljava/lang/String;"
                        ],
                        "first_hex": "6e 10 2f 02 05 00",
                        "second": [
                            "invoke-virtual",
                            "v3",
                            "v0",
                            "v4",
                            "Lcom/google/progress/SMSHelper;->sendSms(Ljava/lang/String; Ljava/lang/String;)I"
                        ],
                        "second_hex": "6e 30 3e 02 03 04"
                    }
                }
            ],
            "register": [
                {
                    "Lcom/google/progress/AndroidClientService; sendMessage ()V": {
                        "first": [
                            "invoke-virtual",
                            "v6",
                            "Lcom/google/progress/Locate;->getLocation()Ljava/lang/String;"
                        ],
                        "first_hex": "6e 10 2f 02 06 00",
                        "second": [
                            "invoke-virtual",
                            "v4",
                            "v6",
                            "v7",
                            "Lcom/google/progress/SMSHelper;->sendSms(Ljava/lang/String; Ljava/lang/String;)I"
                        ],
                        "second_hex": "6e 30 3e 02 64 07"
                    }
                },
                {
                    "Lcom/google/progress/AndroidClientService$2; run ()V": {
                        "first": [
                            "invoke-virtual",
                            "v5",
                            "Lcom/google/progress/Locate;->getLocation()Ljava/lang/String;"
                        ],
                        "first_hex": "6e 10 2f 02 05 00",
                        "second": [
                            "invoke-virtual",
                            "v3",
                            "v0",
                            "v4",
                            "Lcom/google/progress/SMSHelper;->sendSms(Ljava/lang/String; Ljava/lang/String;)I"
                        ],
                        "second_hex": "6e 30 3e 02 03 04"
                    }
                }
            ]
        }
    ]
}

Directory Scanning {#dir_scan}

To scan the entire directory with quark, you can use a simple bash
script.

#!/bin/bash
for apkFile in *.apk; do
    quark -a ${apkFile} -o ${apkFile%%.*}_output.json;
done;

Alternatively, you can use the quark API as well.

#!/usr/bin/env python
from glob import glob

from quark.report import Report

RULE_PATH = "./quark-rules/00001.json"

report = Report()

for file in glob('*.apk'): 
    report.analysis(file, RULE_PATH)
    json_report = report.get_report("json")
    print(json_report)

Radiocontrast

Radiocontrast is a Quark API that quickly generates Quark rules from a
specified method. It builds up 100% matched rules by using native APIs
in that method. The feature lets you easily expose the behavior of a
method, just like radiocontrast.

For example, we want to know the behavior of a method called
[Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V,]{.title-ref} in
Ahmyth.apk. Here is the simplest way for Radiocontrast usage:

from quark.radiocontrast import RadioContrast

# The target APK.
APK_PATH = "Ahmyth.apk"

# The method that you want to generate rules. 
TARGET_METHOD = "Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V"

# The output directory for generated rules.
GENERATED_RULE_DIR = "~/generated_rules"

radiocontrast = RadioContrast(
    APK_PATH,
    TARGET_METHOD,
    GENERATED_RULE_DIR
)
radiocontrast.rule_generate()

[zinwang]

Modifications in docs/source/quark_agent.rst:

Quark Agent

Introducing Quark's new member, Quark Agent, the AI assistant in the
Quark team. This agent lets users perform Quark analysis using natural
language, eliminating the need for scripting expertise or terminal
commands, which makes the analysis simple and user-friendly.

Quark Agent integrates with LangChain, using OpenAI's large language
model to act as a bridge between the natural language and the
Quark/Quark Script APIs. LangChain defines these APIs as tools that
large language models can understand and use. This means users can run
Quark analysis using natural language by simply adding new tools as
needed.

Below are showcases of using Quark Agent for vulnerability and malware
analysis.

Vulnerability Analysis

Showcase: Detecting CWE-798 with Quark Agent

This example uses Quark Agent to detect
CWE-798 vulnerability
in ovaa.apk. See the details
below.

Quick Start

1. Clone the repository:

   git clone https://github.com/quark-engine/quark-script.git
   

2. Install the required packages:

   apt install build-essential g++-13 gcc-13 cmake git iputils-ping
   export CC=gcc-13 CXX=g++-13
   pip install git+https://github.com/Fare9/Shuriken-Analyzer.git@main#subdirectory=shuriken/bindings/Python/
   pip install -r requirements.txt
   

3. Add your OpenAI API key in quarkScriptAgent.py.

   os.environ["OPENAI_API_KEY"] = {your API Key}

4. Run the script:

   python quarkScriptAgent.py
   

5. Result:

Decode the Prompts

Here are two prompts, each for executing different analysis processes.

1st Prompt: Initialize the rule instance with the rule path set to "constructCryptoGraphicKey.json"

Used Quark Script APIs/Tools that LLM used: loadRule

2nd Prompt: Run Quark Analysis using the rule instance on the apk sample "ovaa.apk", 
            and Check if the parameters are hard-coded. If yes, display the hard-coded values.

Used Quark Script APIs/Tools that LLM used: runQuarkAnalysis,
getBehaviorOccurList, getParameterValues and isHardCoded

The loadRule, runQuarkAnalysis, getBehaviorOccurList,
getParameterValues, and isHardCoded functions are treated as
tools within LangChain, enabling them to be invoked through the
gpt-4o model to analyze and identify
CWE-798
vulnerabilities in the ovaa.apk
sample.

Showcase: Generating Quark Script with Quark Agent

Quark Agent allows you to automate the creation of Quark Script code.
This lets users concentrate on designing the detection process, while
the LLM and Quark Script API handle the coding. This approach greatly
enhances efficiency and streamlines the workflow.

Here's an example for generating a Quark Script to detect CWE-798.

Demo Video

<iframe src="https://github.com/user-attachments/assets/dc0e782b-3500-4260-a961-c499c14e495c" width="700" height="300" scrolling="no" border="0" frameborder="no" framespacing="0" allowfullscreen="true"></iframe>

Decode the Prompts

Now, let's instruct Quark Agent to detect CWE-798 and write the Quark
Script for the detection process using the following prompt.

Assign a role to the Agent

To make Quark Agent's responses more precise and relevant to
vulnerability detection, we assign it the role of an Android APK
vulnerability analyst.

User: 
Now you are an Android APK vulnerability analyst. Please follow the steps below to analyze a sample.

Agent: 
Sure, I'd be happy to help with that. Please provide the sample APK file and the detection rule file that you would like to use for the analysis.

Instruct the detection process

Instruct Quark Agent to detect CWE-798 using the following detection
process.

Detection Process:
1. Define the behavior "Construct Cryptographic Key" in the rule instance.
2. Run Quark Analysis using the rule instance on the APK sample.
3. Obtain all instances of detected behaviors from the Quark Analysis results.
4. Retrieve the parameter values for each occurred behavior.
5. Check if any parameters are hard-coded. If found, print the hard-coded parameters.

The prompt will include details like the sample or rule path.

1. Define the behavior "Construct Cryptographic Key" in the rule
   instance.

User: 
1. Define the behavior "Construct Cryptographic Key" in the rule instance, with the rule path set to "constructCryptoGraphicKey.json".

Agent: 
The behavior "Construct Cryptographic Key" has been successfully defined in the rule instance with the rule path set to "constructCryptoGraphicKey.json". How would you like to proceed?

2. Run Quark Analysis using the rule instance on the APK sample.

User:
2. Run Quark Analysis using the rule instance on the APK sample "ovaa.apk".

Agent:
The Quark analysis on the APK sample "ovaa.apk" has been completed successfully. What would you like to do next?

3. Obtain all instances of detected behaviors from the Quark Analysis
   results.

User:
3. Obtain all instances of detected behaviors from the Quark Analysis results in the sample "ovaa.apk".

Agent
I have obtained all instances of detected behaviors from the Quark Analysis results in the sample "ovaa.apk". If you need further details or specific information about these behaviors, please let me know!

4. Retrieve the parameter values for each occurred behavior.

User:
4. Retrieve the parameter values for each occurred behavior.

Agent:
The parameter values for the occurred behavior are:
1. "49u5gh249gh24985ghf429gh4ch8f23f"
2. "AES"

Would you like to check if any of these values are hard-coded?

5. Check if any parameters are hard-coded. If found, print the
   hard-coded parameters.

User:
5. Check if any parameter values are hard-coded. If yes, display the hard-coded values.

Agent:
The following parameter values are hard-coded:

1. `49u5gh249gh24985ghf429gh4ch8f23f`
2. `AES`

Generate Quark Script

Finally, ask Quark Agent to write and execute the Python code based on
the detection process outlined above.

User:
Using the Quark Script API, implement the above logic in Python and save it to 'detectCWE798.py', with the rule path set to 'constructCryptoGraphicKey.json' and the sample path to 'ovaa.apk'.

Agent:
The code has been written to `detectCWE798.py`. You can now execute this script to perform the analysis.

Here is the generated code:

from quark.script import Rule, runQuarkAnalysis

# Load the rule
rule_path = 'constructCryptoGraphicKey.json'
rule_instance = Rule(rule_path)

# Define the sample path
sample_path = 'ovaa.apk'

# Run the Quark analysis
quark_result = runQuarkAnalysis(sample_path, rule_instance)

# Extract the behavior occurrence list
behavior_occur_list = quark_result.behaviorOccurList

# Iterate through each behavior and get parameter values
for behavior in behavior_occur_list:
    param_values = behavior.getParamValues()
    for param in param_values:
        # Check if the parameter value is hardcoded
        is_hardcoded = quark_result.isHardcoded(param)
        if is_hardcoded:
            print(f'Hardcoded value found: {param}')

User:
Execute detectCWE798.py

Here is the result.

Hardcoded value found: 49u5gh249gh24985ghf429gh4ch8f23f
Hardcoded value found: AES

We added 2 tools, writeCodeInFile and executeCode , to enable Quark
Agent to generate and execute Quark Script code.

1. The code is generated by OpenAI's GPT model, and the output may not
always match the documentation exactly. 2. Since LangChain currently
does not support passing Python instances between tools, we are
temporarily using global variables to pass parameters between tools in
quarkScriptAgent.py. 3. Place the rules, samples, and
quarkScriptAgent.py in the same folder; the LLM will automatically
find files with matching names. 4. A web GUI is under construction,
please stay tuned!

Malware Analysis

Showcase: Generate Summary Report with Quark Agent

This example uses Quark Agent to analyze
ovaa.apk and generate a
summary report <summary-report>{.interpreted-text role="ref"}. See the
details below.

Quick Start

1. Install Quark Agent:

   git clone https://github.com/quark-engine/quark-engine.git & cd quark-engine
   pip install .[QuarkAgent]

2. Prepare the rule and the sample:

   git clone https://github.com/quark-engine/quark-script
   cd quark-script

3. Add your OpenAI API key to the environment:

   export OPENAI_API_KEY='your-api-key-here'

4. Run Quark Agent:

   quark-agent

5. Result:

Decode the Prompts

Here, we explain what happens after running Quark Agent.

Preset Prompt

To ensure the gpt-4o-mini model follows the correct format of a
summary report, we designed the following preset prompt and hard-coded
it into Quark Agent.

When Quark Agent starts, it will automatically pass the preset prompt to
the gpt-4o-mini model. Hence, we don't need to pass this prompt
manually.

Preset Prompt:

When prompted to provide a summary report, follow these rules and the summary report example:

  1. Print a newline character first to prevent formatting issues.
  2. Change "<RISK_LEVEL>" in "WARNING: <RISK_LEVEL>" to the risk level with the first letter of each word capitalized.
  3. Change "<TOTAL_SCORE>" in "Total Score: <TOTAL_SCORE>" to the total score, expressed as a decimal numeral.
  4. Without using a code block, place the output of the tool, getSummaryReportTable, in the line directly after "Total Score: <TOTAL_SCORE>".

The Summary Report Example:

[!] WARNING: <RISK_LEVEL>
[*] Total Score: <TOTAL_SCORE>
+--------------------------------+-----------------------------+------------+-------+--------+  
| Filename                       | Rule                        | Confidence | Score | Weight |  
+--------------------------------+-----------------------------+------------+-------+--------+  
| constructCryptoGraphicKey.json | Construct cryptographic key | 100%       | 1     | 1.0    |  
+--------------------------------+-----------------------------+------------+-------+--------+ 

Ensure you adhere to these rules and the example when providing a summary report.

User Prompts

Then, by passing the following prompt manually, we ask Quark Agent to
analyze the ovaa.apk sample and
generate a summary report.

1st Prompt: Analyze the sample “ovaa.apk” using Quark and the rule “constructCryptoGraphicKey.json.”
            After the analysis, print the summary report.

Used Quark APIs/Tools that LLM used: initRuleObject,
initQuarkObject, runQuarkAnalysisForSummaryReport,
getSummaryReportTable, getAnalysisResultRisk, and
getAnalysisResultScore

To highlight the analysis result, we ask Quark Agent to colorize the
summary report.

2nd Prompt: Colorize "[!]" in yellow, "[*]" in cyan, the "Rule" column and its data in green,
            the "Confidence" column and its data in yellow, and the "Weight" column and its data in red.

Used Quark APIs/Tools that LLM used: colorizeInYellow,
colorizeInCyan, colorizeInGreen, and colorizeInRed

All APIs above are treated as tools within LangChain, enabling them to
be invoked through the gpt-4o-min model to analyze the
ovaa.apk sample and generate a
colorized summary report.

Showcase: Enhance Summary Report with Quark Agent

Quark Agent can enhance the summary report by refining Quark's risk
assessment mechanism. With user instructions, it can adjust the scores,
weights, and risk of the sample based on its understanding of Quark
analysis and rules, enabling users to identify high-risk samples and
locate critical behaviors accurately.

Here's an example that enhances the summary report of
Ahmyth.apk
.

Demo Video

<iframe src="https://github.com/user-attachments/assets/79023381-6b35-471f-8e49-10d654e40fa1" width="700" height="370" scrolling="no" border="0" frameborder="no" framespacing="0" allowfullscreen="true"></iframe>

Decode the Prompts

Now, let's explain what happens after running Quark Agent.

Generate a summary report

We ask Quark Agent to generate a summary report for
Ahmyth.apk.

User: 
Analyze the sample “Ahmyth.apk” using Quark and the rules in the directory “rules.” After the analysis, print the summary report.

Agent: 
[!] WARNING: High Risk  
[*] Total Score: 10  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| Filename   | Rule                                                                      | Confidence | Score | Weight |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| 00001.json | Initialize bitmap object and compress data (e.g. JPEG) into bitmap object | 100%       | 1     | 1.0    |  
| 00002.json | Open the camera and take picture                                          | 100%       | 1     | 1.0    |  
| 00003.json | Put the compressed bitmap data into JSON object                           | 80%        | 1     | 0.5    |  
| 00004.json | Get filename and put it to JSON object                                    | 100%       | 1     | 1.0    |  
| 00005.json | Get absolute path of file and put it to JSON object                       | 100%       | 1     | 1.0    |  
| 00006.json | Scheduling recording task                                                 | 80%        | 1     | 0.5    |  
| 00007.json | Use absolute path of directory for the output media file path             | 100%       | 1     | 1.0    |  
| 00008.json | Check if successfully sending out SMS                                     | 100%       | 1     | 1.0    |  
| 00009.json | Put data in cursor to JSON object                                         | 100%       | 1     | 1.0    |  
| 00010.json | Read sensitive data(SMS, CALLLOG) and put it into JSON object             | 100%       | 1     | 1.0    |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+

Assign a role to the agent

To make Quark Agent's responses more precise and relevant to malware
analysis, we assign it the role of an Android malware analysis expert.

User: 
As an expert in Android malware analysis, please adjust the values of each rule in the summary report based on my instructions. After each adjustment, update the report and summarize the reason behind the changes as concisely as possible.

Agent: 
Certainly! Please provide your instructions for adjusting the values of each rule in the summary report.

Enhance the summary report

Then, the agent is ready to enhance the summary report. We then ask it
to adjust the scores, weights, and the risk of the sample.

1. Adjust the scores based on the rule descriptions and their combined
   effects.

User: 
Evaluate each rule's threat to sensitive data based on their descriptions and combined effects. Then, adjust each rule's score accordingly. Scores range from 0 to 1, with higher values indicating higher threat.

Agent: 
Based on the evaluation of each rule's threat to sensitive data and their combined effects, here are the adjusted scores:

1. **Initialize bitmap object and compress data (e.g. JPEG) into bitmap object** - Score: 0.6 (Moderate threat; potential for data leakage through images)
2. **Open the camera and take picture** - Score: 0.9 (High threat; direct access to sensitive data through photos)
3. **Put the compressed bitmap data into JSON object** - Score: 0.7 (Moderate to high threat; data in JSON can be exploited)
4. **Get filename and put it to JSON object** - Score: 0.5 (Moderate threat; filenames could lead to sensitive data exposure)
5. **Get absolute path of file and put it to JSON object** - Score: 0.7 (Moderate to high threat; paths may reveal sensitive data locations)
6. **Scheduling recording task** - Score: 0.9 (High threat; potential for unauthorized audio recording)
7. **Use absolute path of directory for the output media file path** - Score: 0.6 (Moderate threat; directory paths could expose sensitive file locations)
8. **Check if successfully sending out SMS** - Score: 0.8 (High threat; sensitive data can be leaked via SMS)
9. **Put data in cursor to JSON object** - Score: 0.7 (Moderate to high threat; potentially sensitive data could be exposed)
10. **Read sensitive data(SMS, CALLLOG) and put it into JSON object** - Score: 1.0 (Critical threat; direct access to sensitive data)

Now let's update the summary report based on these adjusted scores.  


[!] WARNING: High Risk  
[*] Total Score: 8.6  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| Filename   | Rule                                                                      | Confidence | Score | Weight |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| 00001.json | Initialize bitmap object and compress data (e.g. JPEG) into bitmap object | 100%       | 0.6   | 1.0    |  
| 00002.json | Open the camera and take picture                                          | 100%       | 0.9   | 1.0    |  
| 00003.json | Put the compressed bitmap data into JSON object                           | 80%        | 0.7   | 0.5    |  
| 00004.json | Get filename and put it to JSON object                                    | 100%       | 0.5   | 1.0    |  
| 00005.json | Get absolute path of file and put it to JSON object                       | 100%       | 0.7   | 1.0    |  
| 00006.json | Scheduling recording task                                                 | 80%        | 0.9   | 0.5    |  
| 00007.json | Use absolute path of directory for the output media file path             | 100%       | 0.6   | 1.0    |  
| 00008.json | Check if successfully sending out SMS                                     | 100%       | 0.8   | 1.0    |  
| 00009.json | Put data in cursor to JSON object                                         | 100%       | 0.7   | 1.0    |  
| 00010.json | Read sensitive data(SMS, CALLLOG) and put it into JSON object             | 100%       | 1.0   | 1.0    |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+


**Summary of Changes:**
- Adjusted scores reflect the potential threat to sensitive data based on the rule descriptions and their implications.
- High-risk actions such as accessing the camera and reading sensitive data were assigned higher scores, while actions with a lesser impact, such as initializing bitmap objects, were reduced accordingly.
- The total score is now more representative of the overall risk posed by the application's behavior.

2. Adjust the weights based on the confidence values and their
   definitions.

User: 
Adjust each rule's weight based on the confidence values and the definitions below. Weights range from 0 to 1.

The definitions of the confidence values:
- 100%: The sample used all necessary APIs for this behavior, and a related data flow was detected.
- 80%: The sample used all necessary APIs for this behavior but found no related data flow.
- 60%: The sample used all necessary APIs for this behavior but in the wrong order.
- 40%: The sample used only some necessary APIs for this behavior.
- 20%: The sample did not use the necessary APIs but requested relevant permissions.

Agent: 
Based on the provided confidence definitions, here are the adjusted weights for each rule:

1. **Initialize bitmap object and compress data (e.g. JPEG) into bitmap object** - Weight: 1.0 (100% confidence)
2. **Open the camera and take picture** - Weight: 1.0 (100% confidence)
3. **Put the compressed bitmap data into JSON object** - Weight: 0.5 (80% confidence)
4. **Get filename and put it to JSON object** - Weight: 1.0 (100% confidence)
5. **Get absolute path of file and put it to JSON object** - Weight: 1.0 (100% confidence)
6. **Scheduling recording task** - Weight: 0.5 (80% confidence)
7. **Use absolute path of directory for the output media file path** - Weight: 1.0 (100% confidence)
8. **Check if successfully sending out SMS** - Weight: 1.0 (100% confidence)
9. **Put data in cursor to JSON object** - Weight: 1.0 (100% confidence)
10. **Read sensitive data(SMS, CALLLOG) and put it into JSON object** - Weight: 1.0 (100% confidence)

Now let's update the summary report based on these adjusted weights.  


[!] WARNING: High Risk  
[*] Total Score: 8.6  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| Filename   | Rule                                                                      | Confidence | Score | Weight |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| 00001.json | Initialize bitmap object and compress data (e.g. JPEG) into bitmap object | 100%       | 0.6   | 1.0    |  
| 00002.json | Open the camera and take picture                                          | 100%       | 0.9   | 1.0    |  
| 00003.json | Put the compressed bitmap data into JSON object                           | 80%        | 0.7   | 0.5    |  
| 00004.json | Get filename and put it to JSON object                                    | 100%       | 0.5   | 1.0    |  
| 00005.json | Get absolute path of file and put it to JSON object                       | 100%       | 0.7   | 1.0    |  
| 00006.json | Scheduling recording task                                                 | 80%        | 0.9   | 0.5    |  
| 00007.json | Use absolute path of directory for the output media file path             | 100%       | 0.6   | 1.0    |  
| 00008.json | Check if successfully sending out SMS                                     | 100%       | 0.8   | 1.0    |  
| 00009.json | Put data in cursor to JSON object                                         | 100%       | 0.7   | 1.0    |  
| 00010.json | Read sensitive data(SMS, CALLLOG) and put it into JSON object             | 100%       | 1.0   | 1.0    |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  

**Summary of Changes:**
- Adjusted weights reflect the confidence values as per the definitions provided.
- Rules with 100% confidence retained the highest weight of 1.0, while those with 80% confidence received a weight of 0.5.
- The total score remains the same, but the weights provide a clearer indication of the reliability of each rule's detection capabilities.

3. Reassess the risk of the sample based on the adjusted scores and
   weights.

User: 
Recalculate the total score, reassess the risk of the sample, and explain the reason. Finally, update the report.

Agent: 
Based on the recalculated total score of **6.6**, the risk assessment remains categorized as **High Risk**. 

**Reasoning:**
- The total score reflects the aggregated threat level based on the adjusted scores and weights. A score of 6.6 indicates a significant potential for sensitive data exposure, especially with key behaviors such as accessing the camera, reading sensitive data, and sending SMS.
- Despite the adjustments, the presence of high-threat actions maintains the sample's classification as high risk. The analysis indicates that the application has behaviors that could lead to serious privacy violations.

Let's update the summary report accordingly.


[!] WARNING: High Risk  
[*] Total Score: 6.6  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| Filename   | Rule                                                                      | Confidence | Score | Weight |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| 00001.json | Initialize bitmap object and compress data (e.g. JPEG) into bitmap object | 100%       | 0.6   | 1.0    |  
| 00002.json | Open the camera and take picture                                          | 100%       | 0.9   | 1.0    |  
| 00003.json | Put the compressed bitmap data into JSON object                           | 80%        | 0.7   | 0.5    |  
| 00004.json | Get filename and put it to JSON object                                    | 100%       | 0.5   | 1.0    |  
| 00005.json | Get absolute path of file and put it to JSON object                       | 100%       | 0.7   | 1.0    |  
| 00006.json | Scheduling recording task                                                 | 80%        | 0.9   | 0.5    |  
| 00007.json | Use absolute path of directory for the output media file path             | 100%       | 0.6   | 1.0    |  
| 00008.json | Check if successfully sending out SMS                                     | 100%       | 0.8   | 1.0    |  
| 00009.json | Put data in cursor to JSON object                                         | 100%       | 0.7   | 1.0    |  
| 00010.json | Read sensitive data(SMS, CALLLOG) and put it into JSON object             | 100%       | 1.0   | 1.0    |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+

Here is the summary report enhanced by Quark Agent.

[!] WARNING: High Risk  
[*] Total Score: 6.6  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| Filename   | Rule                                                                      | Confidence | Score | Weight |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+  
| 00001.json | Initialize bitmap object and compress data (e.g. JPEG) into bitmap object | 100%       | 0.6   | 1.0    |  
| 00002.json | Open the camera and take picture                                          | 100%       | 0.9   | 1.0    |  
| 00003.json | Put the compressed bitmap data into JSON object                           | 80%        | 0.7   | 0.5    |  
| 00004.json | Get filename and put it to JSON object                                    | 100%       | 0.5   | 1.0    |  
| 00005.json | Get absolute path of file and put it to JSON object                       | 100%       | 0.7   | 1.0    |  
| 00006.json | Scheduling recording task                                                 | 80%        | 0.9   | 0.5    |  
| 00007.json | Use absolute path of directory for the output media file path             | 100%       | 0.6   | 1.0    |  
| 00008.json | Check if successfully sending out SMS                                     | 100%       | 0.8   | 1.0    |  
| 00009.json | Put data in cursor to JSON object                                         | 100%       | 0.7   | 1.0    |  
| 00010.json | Read sensitive data(SMS, CALLLOG) and put it into JSON object             | 100%       | 1.0   | 1.0    |  
+------------+---------------------------------------------------------------------------+------------+-------+--------+

We added the tool listDirectory to enable Quark Agent access rules in
a directory and the tool calculateTotalScore to recalculate the total
score. The entire enhancement of the summary report relies on Quark
Agent's understanding of Quark analysis and rules.

1. The summary report is generated by OpenAI's GPT model and is not
always correct. 2. Since LangChain currently does not support passing
Python instances between tools, we temporarily use global variables to
pass parameters between tools. 3. Place the rules and samples in the
working directory; the LLM will automatically find the files with
matching names.

[zinwang]

Modifications in docs/source/quark_script.rst:

Quark Script

Ecosystem for Mobile Security Tools

Innovative & Interactive

The goal of Quark Script aims to provide an innovative way for mobile
security researchers to analyze or pentest the targets.

Based on Quark, we integrate decent tools as Quark Script APIs and make
them exchange valuable intelligence to each other. This enables security
researchers to interact with staged results and perform creative
analysis with Quark Script.

Dynamic & Static Analysis

In Quark script, we integrate not only static analysis tools (e.g. Quark
itself) but also dynamic analysis tools (e.g. objection).

Re-Usable & Sharable

Once the user creates a Quark script for specific analysis scenario. The
script can be used in another targets. Also, the script can be shared to
other security researchers. This enables the exchange of knowledges.

More APIs to come

Quark Script is now in a beta version. We'll keep releasing practical
APIs and analysis scenarios.

Quickstart

| In this tutorial, we will learn how to install and run Quark Script
with a very easy example.
| We show how to detect CWE-798 in ovaa.apk.

Step 1: Environments Requirements

• Quark Script requires Python 3.10 or above.

Step 2: Install Quark Engine

• You can install Quark-Engine by following the instructions.

Step 3: Prepare Quark Script, Detection Rule and the Sample File

1. Get the CWE-798 Quark Script and the detection rule here.
2. Get the sampe file (ovaa.apk) here.
3. Put the script, detection rule, and sample file in the same
   directory.
4. Edit accordingly to the file names:

SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "findSecretKeySpec.json"

Now you are ready to run the script!

Step 4: Run the script

$ python3 CWE-798.py

You should now see the detection result in the terminal.

Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f

Introduce of Quark Script APIs

findMethodInAPK(samplePath, targetMethod)