crx

The crx module parses Chrome Extension (CRX) files and enables the creation of YARA rules based on metadata extracted from these files. CRX files are used by Chromium-based browsers, such as Google Chrome and Microsoft Edge, to package and distribute browser extensions. Essentially, they are ZIP archives with a different file extension and additional metadata, including one or more digital signatures that validate the file's integrity.

Examples

import "crx"

rule AllCrx {
    condition:
        crx.is_crx
}

rule CrxV2 {
    condition:
        crx.crx_version == 2
}


rule ProtocolPreregistration {
    condition:
        crx.name == "Protocol Preregistration"
}

Module structure

| Field | Type |
|-------|------|
| is_crx | bool |
| crx_version | integer |
| header_size | integer |
| id | string |
| version | string |
| name | string |
| description | string |
| raw_name | string |
| raw_description | string |
| homepage_url | string |
| permissions | string array |
| host_permissions | string array |
| optional_permissions | string array |
| optional_host_permissions | string array |
| signatures | Signature array |

Signature

Structure that describes each of the signatures found in a CRX file.

| Field | Type |
|-------|------|
| key | string |
| verified | bool |

Example

import "crx"

rule crx_verified {
    condition:
        // True when at least one signature in the CRX header verifies.
        for any signature in crx.signatures : (
           signature.verified
        )
}
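
The container layout behind is_crx, crx_version and header_size can be checked by hand. The following Python sketch is an added example, not code from the crx module or its project: it reads the "Cr24" magic, the version and the header length, then confirms that a ZIP archive starts right after the header. The names parse_crx and build_sample_crx3 are hypothetical, the sample file is constructed, and two choices are this example's own assumptions: is_crx is only set when a readable ZIP follows the header, and for version 2 header_size is reported as key length plus signature length.

```python
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"        # first four bytes of a CRX file
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP


def parse_crx(data: bytes) -> dict:
    """Hypothetical helper: report CRX header facts and the ZIP member names."""
    info = {"is_crx": False, "crx_version": None, "header_size": None,
            "zip_offset": None, "files": []}
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        return info
    version, = struct.unpack_from("<I", data, 4)
    if version == 3:
        # CRX3: one little-endian length, then a protobuf header (signatures).
        header_size, = struct.unpack_from("<I", data, 8)
        zip_offset = 12 + header_size
    elif version == 2:
        # CRX2: public key length, signature length, then both blobs.
        # Assumption of this example: report their sum as header_size.
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        header_size = key_len + sig_len
        zip_offset = 16 + header_size
    else:
        return info
    # Truncated files and headers that do not end at a ZIP are rejected.
    if data[zip_offset:zip_offset + 4] != ZIP_MAGIC:
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_offset:])) as zf:
            info["files"] = zf.namelist()
    except zipfile.BadZipFile:
        return info
    info.update(is_crx=True, crx_version=version,
                header_size=header_size, zip_offset=zip_offset)
    return info


def build_sample_crx3(header: bytes = b"\x00" * 7) -> bytes:
    """Constructed sample: placeholder header bytes, not a signed header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "Sample", "version": "1.0"}')
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    print(parse_crx(build_sample_crx3()))
```

The sketch does not decode the protobuf header or verify signatures; that part corresponds to the signatures array documented above.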