主要看了又一篇chrome扩展恶意代码的文章,记录一些知识,便于分析chrome扩展的恶意代码,其实就是分析js,不过首先要找到js啊
https://blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c
下载
可以通过商店下载,但是还要安装,还要去目标找不方便
可通过下面的链接下载
https://chrome-extension-downloader.com/
下载后用压缩软件解压就好
扩展所在目录
C:Users<Your_User_Name>AppDataLocalGoogleChromeUser DataDefaultExtensions关于manifest.json
这相当于全局配置文件吧,包含描述,权限,版本等信息,权限是很重要的,注意权限是关键
还有各种action使用的html,js,还有就是图标什么的
以下面这个为例,我看到的很多恶意代码就写在background.js里面了,里面当然是经过压缩和混淆的了
{
"background": {
"scripts": [ "background.js" ]
},
"browser_action": {
"default_icon": "opurie.png",
"default_popup": "popup.html",
"default_title": "Opurie"
},
"description": "Whiohoo! Welcome back to Opurie",
"icons": {
"128": "opurie.png"
},
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApp4LoBV2R/4bfoAcj+5m2uG7Clg3zWZLMYjXcG8dNN1172V/QbBJ5o1m2ij/3F3Re9qvwmbDvGcR23XUOU0CfG/WvuE4WRFE4+oqEJsNHoy6W8iVq6jLAT5xk3zJgVa0OxDG5k52aPFfMQb66TbUwji9Ckn+6ahdxbzaxGz/vCraXU1iRlwRuhWgd69APIrsq2e+hIulk4BeEeIS+vZhvS+XE/zjznDk0QGCqSQeAtG75UArfn+JxTrXK/EXUuNKKOH82XtNK6vBGJSUxR2NYYJv+iOinpU0/xh4OheIghTn/dy+jANIfLECjcmqCGc9qVeZX6Hrz355oJKIuOg7qQIDAQAB",
"manifest_version": 2,
"name": "Opurie",
"permissions": [ "storage", "http://*/*", "tabs", "https://*/*", "webRequest", "cookies" ],
"update_url": "https://clients2.google.com/service/update2/crx",
"version": "1.2.5"
}上面代码来源:https://blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c
了解扩展的一些信息: