Title here
Summary here
crx
The crx module parses Chrome Extension (CRX) files and enables the creation of
YARA rules based on metadata extracted from these files. CRX files are used by
Chromium-based browsers—such as Google Chrome and Microsoft Edge—to package and
distribute browser extensions. Essentially, they are ZIP archives with a
different file extension and additional metadata, including one or more digital
signatures that validate the file’s integrity.
Functions
Important
Hashes returned by the functions below are always in lowercase.
permhash()
Returns permhash of the crx. See Google blog post for more details.
Example: crx.permhash() == "0bd16e5d8c30b71e844aa6f30b381adf20dc14cc555f5594fc3ac49985c9a52e"
Examples
import "crx"
rule AllCrx {
condition:
crx.is_crx
}
rule CrxV2 {
condition:
crx.crx_version == 2
}
rule ProtocolPreregistration {
condition:
crx.name == "Protocol Preregistration"
}Module structure
| Field | Type |
|---|---|
| is_crx | bool |
| crx_version | integer |
| header_size | integer |
| id | string |
| version | string |
| name | string |
| description | string |
| raw_name | string |
| raw_description | string |
| homepage_url | string |
| permissions | string array |
| host_permissions | string array |
| optional_permissions | string array |
| optional_host_permissions | string array |
| signatures | Signature array |
Signature
Structure that describes each of the signatures found in a CRX file.
| Field | Type |
|---|---|
| key | string |
| verified | bool |
Example
import "crx"
rule crx_verified {
condition:
for any signature in crx.signatures {
signature.verified
}
}Prev
Config file