Comments (8)

18z commented on May 16, 2024 4

Hi @Surendrajat

Thanks for replying to us.
I'll answer your questions below with bullet points.

  • Question: It seems to be a CLI frontend with preinstalled (or user-provided) rules to work on.

    • Yes! BTW, users can use the command freshquark to get the newest rules we provide, or they can use rules written by themselves.
  • Question: The main dependency here is quark and python. That can be listed along with other requirements.

    • YES
  • Question: For the main UI component I guess some sort of APKLab: Malware analysis with Quark-Engine followed by an APK selector and optional(?) rules selector.

    • I agree with the idea of a rules selector. But I suggest refining this to a rule type selector since we're now managing rules with labels. This is our rule viewer UI. https://bit.ly/36KlxGL
  • Question: The output is to come in VS Code output channel window(?).

    • Ideally, we're thinking the output (adjusted summary report) is to come to the panel (Area D shown in the picture below). Once the user clicks on the detected behavior in Area D, the editor groups (Area C) show exactly the decompiled source code or the smali code directly.

Screen Shot 2020-12-08 at 2 11 06 PM

  • Question: Some other useful features might need a separate UI component(?).
    • YES! For example, call graphs, detailed reports and classification reports.

from apklab.

krnick commented on May 16, 2024 2

Our GitHub repository is here: https://github.com/quark-engine/quark-engine 😄

Surendrajat commented on May 16, 2024 2

@18z @krnick Quark engine looks promising and I will be happy to integrate it into APKLab.
I've looked into the project page, docs, etc. and it seems to be a CLI frontend with preinstalled (or user-provided) rules to work on. A few initial observations:

  • The main dependency here is quark and python. That can be listed along with other requirements.
  • For the main UI component I guess some sort of APKLab: Malware analysis with Quark-Engine followed by an APK selector and optional(?) rules selector.
  • The output is to come in VS Code output channel window(?).
  • Some other useful features might need a separate UI component(?).

Let me know if I got it right and this flow works for you. We can discuss more in detail the points above or the ones that I missed.

CC @amsharma44

pulorsok commented on May 16, 2024 2

Hi, @Surendrajat, I am also a member of Quark-Engine.
From now on, I will take care of this issue and work on the integration.

18z commented on May 16, 2024 1

@Surendrajat

> Is there a list of labels shipped with quark? Or is it fixed? To show some multi-select quickpick one needs to know all the labels.

Labels are written in the detection rules and many more will be shipped with quark.

> This will require most of the work I guess. Is it possible to print the smali file name in quark analysis? Hitting the exact file in java source will get a bit tricky as well due to anonymous classes (*$1.smali etc.). Let's think this through.

Yes! We can print the smali file name in quark analysis.

We did some experiments and found out that the most comprehensive information about the source code is written in files with names like a.smali, not the ones with numbers (a$2.smali etc.).

If what we found is right, then we can ignore the anonymous classes.

Surendrajat commented on May 16, 2024

@18z

> But I suggest refining this to a rule type selector since we're now managing rules with labels.

Is there a list of labels shipped with quark? Or is it fixed? To show some multi-select quickpick one needs to know all the labels.

> Ideally, we're thinking the output (adjusted summary report) is to come to the panel (Area D shown in the picture below).

Yeah. That's what I mean by output Channel. There's an output tab in panel D where each extension has its own channel.

> Once the user clicks on the detected behavior in Area D, the editor groups (Area C) show exactly the decompiled source code or the smali code directly.

This will require most of the work I guess. Is it possible to print the smali file name in quark analysis? Hitting the exact file in java source will get a bit tricky as well due to anonymous classes (*$1.smali etc.). Let's think this through.

Surendrajat commented on May 16, 2024

Hi @pulorsok. Glad to know that.
Meanwhile, we have been working to make APKLab more contributor-friendly by adding linting and formatting rules, and basic integration tests. I'll add a contributing guide sometime soon as well.
Hope it will make things easy for you. Please feel free to ask anything related here or on Telegram.

Surendrajat commented on May 16, 2024

@18z

> Labels are written in the detection rules and many more will be shipped with quark.

I hope there aren't too many rules to parse. It might be slower if these rules are in separate JSON files.

> Yes! We can print the smali file name in quark analysis.

Cool. I'm wondering if we can show it relative to the currently opened dir (decoded project root) as VSCode will automatically make it clickable.

> If what we found is right, then we can ignore the anonymous classes.

Hope you're right. I am planning to implement a simple smali -> java file switcher and I think it should be fine for a start. The user will click on the smali file link and then something like right-click -> show java source.

from apklab.
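
The file mapping discussed in the last few comments (project-relative smali paths, anonymous classes such as a$2.smali, and the smali -> java switch), shown as an added example that is not part of the thread and is not APKLab or Quark-Engine code. The `java_src` directory name, the `smali` / `smali_classes<N>` layout and all function names are assumptions.

```typescript
// Added example: not APKLab or Quark-Engine code.
// Assumptions: the decoded project keeps smali under smali/ or smali_classes<N>/
// and decompiled Java under JAVA_DIR; both names are assumptions here.
const JAVA_DIR = "java_src";

interface SourceTargets {
  smali: string;      // project-relative path as reported (clickable in VS Code)
  outerSmali: string; // outer-class file, e.g. a.smali for a$2.smali
  java: string;       // candidate Java source for the outer class
}

// Normalise separators so Windows and POSIX paths compare the same way.
function norm(p: string): string {
  return p.replace(/\\/g, "/").replace(/\/+$/, "");
}

// Return `file` relative to `root`, or null when it lies outside the project.
function toProjectRelative(root: string, file: string): string | null {
  const r = norm(root);
  const f = norm(file);
  if (f.split("/").includes("..")) return null; // refuse traversal segments
  return f.startsWith(r + "/") ? f.slice(r.length + 1) : null;
}

// Map a project-relative smali path to its outer class and Java candidate.
function resolveTargets(relSmali: string): SourceTargets | null {
  const m = /^(smali(?:_classes\d+)?)\/(.+)\.smali$/.exec(norm(relSmali));
  if (!m) return null; // not a smali file inside a dex directory
  const dexDir = m[1];
  const classPath = m[2];
  const slash = classPath.lastIndexOf("/");
  const pkg = classPath.slice(0, slash + 1); // "" for the default package
  const name = classPath.slice(slash + 1);
  // Inner and anonymous classes are emitted as Outer$Inner / Outer$1 and are
  // declared inside the outer class's source file, so cut at the first '$'.
  const cut = name.indexOf("$");
  const outer = cut > 0 ? name.slice(0, cut) : name;
  return {
    smali: `${dexDir}/${classPath}.smali`,
    outerSmali: `${dexDir}/${pkg}${outer}.smali`,
    java: `${JAVA_DIR}/${pkg}${outer}.java`,
  };
}
```

Obfuscated apps can contain class names with a literal `$` that is not an inner-class marker, so the Java candidate should be checked for existence before it is opened.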
