Skip to content

Add a Rizin-based core library#205

Merged
krnick merged 7 commits intoev-flow:masterfrom
haeter525:master
Jul 10, 2021
Merged

Add a Rizin-based core library#205
krnick merged 7 commits intoev-flow:masterfrom
haeter525:master

Conversation

@haeter525
Copy link
Copy Markdown
Member

@haeter525 haeter525 commented Jul 9, 2021
edited
Loading

Description

Quark needs an alternate core library apart from Androguard. Here are the concerns of the Quark team.

  1. Androguard is no longer maintained. (#833 from Androguard)
  2. Androguard takes up too much memory during analysis.

Hence, this PR aims to add a core library based on Rizin.

Why is Rizin?

Rizin is a fork of the radare2 reverse engineering tools. Here are the advantages.

  1. A strong community supports the project.
  2. It provides analysis assists that cover the functions of Androguard.
  3. It focuses on usability and working features.

How to enable it?

Command Line

Add an option --core-library with the parameter Rizin.

quark --core-library "Rizin" -a APK_FILE -s

Python Module

Add a keyword argument named "core_library" with the string Rizin.

from quark.report import Report

report = Report(APK_FILE, core_library="Rizin")

How accurate is the Rizin-based core library?

For now, most of the analysis results are not correct.

The reason is that Rizin doesn't fully support the following analysis on APKs.

  1. Multi-dex analysis
  2. Comprehensive cross-references between methods

I have reported these issues to the Rizin community. They are currently working on them.

Also, to ensure the core library works with those functions in the future, I made two assumptions to build the core library.

  1. The commands in Rizin have handled the multi-dex issue.
  2. The cross-reference provided by Rizin is correct.

Once Rizin fixes the above issues, the core library will work as expected.

How do you prove your code is reliable?

I collected a set of rules that are not impacted by the above issues to verify the analysis results.

For example, 0007.json is one of these rules.

The confidence has been confirmed 100% by the Androguard-based core library.

Then, I will ensure that the Rizin-based core library reports the same confidence.

Code Changes

  • quark/Objects/axmlreader/*

    • A Rizin-based AndroidManifest Reader for the core library

  • quark/Objects/rzapkinfo.py

    • A file that stores the Rizin-based core library

  • quark/Objects/quark.py

    • Add an if-statement to check if the references exist.
    • Add a keyword argument to specify the core library.

  • quark/Objects/forensic.py and quark/report.py

    • Add a keyword argument to specify the core library.

  • quark/cli.py

    • Add an option --core-library to specify the core library.

  • Pipfile and setup.py

    • Add rzpipe package.

Test Plans

  • Ensure the PR passes all existing tests.

@pep8speaks
Copy link
Copy Markdown

pep8speaks commented Jul 9, 2021
edited
Loading

Hello @haeter525! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2021-07-09 10:56:50 UTC

@sourcery-ai sourcery-ai Bot mentioned this pull request Jul 9, 2021
Closed
@sourcery-ai
Copy link
Copy Markdown

sourcery-ai Bot commented Jul 9, 2021

Sourcery Code Quality Report

Merging this PR leaves code quality unchanged.

Quality metrics Before After Change
Complexity 29.30 😞 29.00 😞 -0.30 👍
Method Length 62.65 🙂 64.74 🙂 2.09 👎
Working memory 15.45 ⛔ 16.09 ⛔ 0.64 👎
Quality 49.71% 😞 49.71% 😞 0.00%
Other metrics Before After Change
Lines 1270 1311 41
Changed files Quality Before Quality After Quality Change
setup.py 66.25% 🙂 66.09% 🙂 -0.16% 👎
quark/cli.py 2.26% ⛔ 2.13% ⛔ -0.13% 👎
quark/report.py 73.94% 🙂 73.64% 🙂 -0.30% 👎
quark/Objects/quark.py 51.12% 🙂 50.91% 🙂 -0.21% 👎
quark/forensic/forensic.py 93.12% ⭐ 91.32% ⭐ -1.80% 👎
tests/Object/test_apkinfo.py 91.07% ⭐ 90.03% ⭐ -1.04% 👎

Here are some functions in these files that still need a tune-up:

File Function Complexity Length Working Memory Quality Recommendation
quark/cli.py entry_point 91 ⛔ 895 ⛔ 39 ⛔ 0.50% ⛔ Refactor to reduce nesting. Try splitting into smaller methods. Extract out complex expressions
quark/Objects/quark.py Quark.check_parameter 40 ⛔ 184 😞 12 😞 28.27% 😞 Refactor to reduce nesting. Try splitting into smaller methods. Extract out complex expressions
quark/Objects/quark.py Quark.run 19 😞 307 ⛔ 14 😞 29.19% 😞 Refactor to reduce nesting. Try splitting into smaller methods. Extract out complex expressions
quark/Objects/quark.py Quark.generate_json_report 15 🙂 198 😞 18 ⛔ 33.64% 😞 Try splitting into smaller methods. Extract out complex expressions
quark/Objects/quark.py Quark.show_detail_report 13 🙂 201 😞 11 😞 44.06% 😞 Try splitting into smaller methods. Extract out complex expressions

Legend and Explanation

The emojis denote the absolute quality of the code:

  • ⭐ excellent
  • 🙂 good
  • 😞 poor
  • ⛔ very poor

The 👍 and 👎 indicate whether the quality has improved or gotten worse with this pull request.

Please see our documentation here for details on how these metrics are calculated.

We are actively working on this report - lots more documentation and extra metrics to come!

Help us improve this quality report!

@lgtm-com
Copy link
Copy Markdown

lgtm-com Bot commented Jul 9, 2021

This pull request introduces 1 alert when merging 6718711 into 18a7115 - view on LGTM.com

new alerts:

  • 1 for Except block handles 'BaseException'

@krnick krnick self-requested a review July 10, 2021 06:41
@krnick krnick self-assigned this Jul 10, 2021
@krnick krnick added the enhancement New feature or request label Jul 10, 2021
krnick
krnick approved these changes Jul 10, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@krnick krnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @haeter525 !
Supporting rizin will make our code base more stable!

@krnick krnick merged commit 8f59f01 into ev-flow:master Jul 10, 2021
krnick added a commit that referenced this pull request Jul 15, 2021
@krnick
Update version to v21.7.1
b86017d 
1. Support a new Android reversing engineer framework, Rizin to analyze the APK. (#205)
2. Making `click` package optional to install. (#214) @0ssigeno
3. Improve the tainted analysis by @haeter525 in bytecode loader
4. Add an Optional Parameter Filter For JSON Rules (#212)
5. Adjust some directory names. Objects->core, Evaluator->evaluator.
6. Add VirusTotal analysis module by @pulorsok. (#195)
7. More tests for Quark by @haeter525. (#189)
8. Add a new feature to show Parent Functions' Cross-References In Rule Classification by @haeter525. (#192)
@pulorsok pulorsok mentioned this pull request Apr 1, 2026
Merged
@pulorsok pulorsok mentioned this pull request Apr 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@krnick krnick krnick approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@krnick krnick

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@haeter525 @pep8speaks @krnick