quark.core.struct package

Submodules

quark.core.struct.bytecodeobject module

class quark.core.struct.bytecodeobject.BytecodeObject(mnemonic, registers, parameter)

Bases: object

BytecodeObject stores a smali instruction: its mnemonic, registers, and parameter.

property mnemonic

Mnemonic from the Dalvik bytecode instruction set, for example ‘invoke-virtual’.

Returns:

a string of mnemonic

property parameter

Commonly used for functions called by invoke-kind instructions, for example ‘Lcom/google/progress/APNOperator;->deleteAPN()Z’.

Returns:

a string of the function name

property registers

Registers used in Dalvik instructions, for example ‘[v3]’.

Returns:

a list containing all the registers used

quark.core.struct.methodobject module

class quark.core.struct.methodobject.MethodObject(class_name: str, name: str, descriptor: str, access_flags: str = '', cache: object | None = None)

Bases: object

Information about a method in a dex file.

access_flags: str = ''
cache: object = None
class_name: str
descriptor: str
property full_name: str
is_android_api() → bool
name: str

quark.core.struct.registerobject module

class quark.core.struct.registerobject.RegisterObject(register_name, value, called_by_func=None, value_type=None)

Bases: object

The RegisterObject records the state of each register.

property called_by_func

Record which functions have been called by using this register as a parameter.

Returns:

a list containing function names

property current_type

Get the type of the value in the register.

Returns:

a plain text that describes a data type

Return type:

str

property hash_index

Get the index number from the given VariableObject.

Returns:

an integer corresponding to the register index

property register_name

Individual register name, for example ‘v3’.

Returns:

a string of register name

property type_histroy
property value

The current value stored in the register.

Returns:

a string of the value

quark.core.struct.ruleobject module

class quark.core.struct.ruleobject.RuleObject(ruleJson: PathLike, jsonData: dict | None = None)

Bases: object

RuleObject stores a rule loaded from a JSON file.

property api

Key native APIs that do the action and target in order.

Returns:

a list recording each API's class_name and method_name in order

check_item
property crime

Description of given crime.

Returns:

a string of the crime

get_score(confidence)

The weighted score is calculated from the state of the five stages and grows exponentially. For example, if the third of the five stages is captured, the weighted score is 2^(3-1) / 2^4.

2^(confidence - 1)

Parameters:

confidence

Returns:

floating point

property label

A list containing the labels described in https://github.com/quark-engine/quark-rules/blob/master/label_desc.csv

Returns:

a label list defined in rules

property permission

Permissions requested by the APK to practice the crime.

Returns:

a list of given permissions

rule_filename
property score

The value used to calculate the weighted score

Returns:

integer

quark.core.struct.tableobject module

class quark.core.struct.tableobject.TableObject(count_reg)

Bases: object

This table tracks the usage of variables in the registers.

get_obj_list(index)

Return the list which contains the VariableObject.

Parameters:

index – the index to get the corresponding VariableObject

Returns:

a list containing VariableObject

get_table()

Get the entire hash table.

Returns:

a two-dimensional list

hash_table
insert(index, var_obj)

Insert VariableObject into the nested list in the hashtable.

Parameters:
  • index – the index to insert to the table

  • var_obj – instance of VariableObject

Returns:

None

pop(index)

Override the built-in pop function to return the top element on the stack, which is a VariableObject, without deleting it.

Parameters:

index – the index to get the corresponding VariableObject

Returns:

VariableObject
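How the three structures documented on this page fit together when an instruction sequence is replayed, as an added example that is not Quark's own code. The classes `Bytecode`, `Register` and `Table` and the function `track` are hypothetical stand-ins that mirror the documented constructor arguments; treating `const*` as a register write and `invoke*` as a call that uses the register is a simplifying assumption.

```python
from dataclasses import dataclass, field

# Hypothetical stand-ins that mirror the documented constructor arguments;
# they are not Quark's implementation.
@dataclass
class Bytecode:                          # cf. BytecodeObject
    mnemonic: str
    registers: list
    parameter: str = None

@dataclass
class Register:                          # cf. RegisterObject
    register_name: str
    value: str
    called_by_func: list = field(default_factory=list)

class Table:                             # cf. TableObject(count_reg)
    def __init__(self, count_reg):
        self.hash_table = [[] for _ in range(count_reg)]

    def insert(self, index, var_obj):
        self.hash_table[index].append(var_obj)

    def pop(self, index):
        # Peek: return the newest state of the register without removing it.
        return self.hash_table[index][-1]

def track(instructions, count_reg):
    """Replay instructions and record each register's states and uses."""
    table = Table(count_reg)
    for ins in instructions:
        if ins.mnemonic.startswith("const"):
            name = ins.registers[0]
            table.insert(int(name[1:]), Register(name, ins.parameter))
        elif ins.mnemonic.startswith("invoke"):
            for name in ins.registers:
                index = int(name[1:])
                if table.hash_table[index]:   # skip registers never written
                    table.pop(index).called_by_func.append(ins.parameter)
    return table

# Constructed sample input, not taken from a real APK.
URI_PARSE = "Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;"
SAMPLE = [
    Bytecode("const-string", ["v3"], "content://telephony/carriers"),
    Bytecode("invoke-static", ["v3"], URI_PARSE),
    Bytecode("const-string", ["v3"], "unrelated"),
]
```

Because `pop` only peeks, the earlier state of `v3` and the call that consumed it remain in the table after the register is overwritten, which is what lets an analysis tie a value to the API that received it.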

Module contents