Repository: [TheComputeGuy/kratos](https://github.com/TheComputeGuy/kratos)  
Description: A malware detection pipeline tailored for CMS plugin files  
Language: Python; topics: cyber-forensics, malware-detection, web-malware  
Status: archived; last pushed 2023-05-16; no license file in the repository  
Source record: [awesome.ecosyste.ms](https://awesome.ecosyste.ms/projects/github.com%2Fthecomputeguy%2Fkratos), synced 2025-04-26  

# Kratos

This tool builds on top of [Jedi](https://github.com/TheComputeGuy/Jedi), a fork of the [Cyber Forensics Innovation Lab's](https://cyfi.ece.gatech.edu/) [Yoda](https://github.com/CyFI-Lab-Public/YODA), a tool to analyse website backups for malicious plugins delivered via well-known Content Management Systems.

Jedi aims to run the same analysis on non-plugin files, and also aims to add more analysis rules to improve the web malware detection capabilities of Yoda.

## Installing

This app works best on Linux; running it on Windows requires certain workarounds, especially regarding the PHP runtime and how the phar files are executed.

Start by cloning this repo.

### [Optional - Recommended] Using a virtual environment

Install and set up a virtual environment

```
pip install virtualenv
virtualenv venv
```

To activate your virtualenv

```
source ./venv/bin/activate
```

To exit the virtual environment

```
deactivate
```

### App setup

Install the required dependencies

```
pip install -r requirements.txt
```

Other requirements include having a PHP runtime and the php-dev packages installed.

### PHP library setup

You will need to have php and php{x}-dev (x = your PHP runtime version) installed on your machine.  
The script `ast-setup.sh` will help you set up the nikic/php-ast library.  
[Composer](https://getcomposer.org/) is used as the package manager for PHP libraries.  
To complete the setup of all PHP libraries, run the script `ast_vendor_setup.sh` in the ast_utils directory.  

## Running locally

```
python framework.py <path to downloaded plugin folder>
```

## Running as a container (using Docker)

### Note

When running as a container, the plugin path is provided using the environment variable BASE_PATH (this is a MANDATORY environment variable, since running Kratos as a container in its current state cannot accept the plugin path as an argument). If the plugins are part of your bridge directory, BASE_PATH should be relative to the mount path inside the container (`/usr/src/bridge/` by default, as defined in the Dockerfile). Because BASE_PATH is resolved inside the container, a plugin directory that is not under the bind-mounted bridge directory is not visible to Kratos: keep the plugins under the mounted source directory and set BASE_PATH to their path relative to it.  
Kratos has been modified to use a bridge directory shared with the host when running as a container (when the environment variable BRIDGE_DIR is available; it is hardcoded in the Dockerfile as of now), hence it needs a volume mount to write the reports from the container. Modify the Dockerfile to remove this environment variable if this functionality is not needed.  

| Environment Variable | Purpose | Mandatory in container mode? |
| - | - | - |
| BASE_PATH | Path to the downloaded plugin | Yes |
| BRIDGE_DIR | Path to the mount destination of the bridge directory volume in the container | No* |

\* Defined by default in the Dockerfile to be `/usr/src/bridge/`

```
docker build -t kratos .
docker run --mount type=bind,src=$volume_src_dir,target='/usr/src/bridge' -e BASE_PATH=$base_path kratos
```

## Included scripts
1. [RAR Extractor](scripts/extractor_rar.py) - Recursively extracts all RAR files in a directory (also extracts ZIP files inside the RAR file when in recursive mode)
2. [ZIP Extractor](scripts/extractor.py) - Recursively extracts all ZIP files in a directory
3. [Run All](scripts/run_all.ps1) - A PowerShell script to run the framework on all plugins in a given folder as containers. A Bash equivalent is trivial to write.

## Note
1. This code has been tested with Python 3.8.10 and may not work with Python 3.10 and later owing to changes in some method signatures in Python 3.10.  
2. Kratos does not support writing results to AWS S3/Azure Blob Storage/GCP Object Storage/Cloudflare R2/Backblaze B2, but can be trivially modified to include this support using the boto SDK. An AWS-specific implementation can be found in the Jedi code and can be generalized to work with any cloud provider.  

---

## Relevant previous work from CyFI Lab
[TARDIS](https://ieeexplore.ieee.org/document/9152609)

R. Pai Kasturi et al., "TARDIS: Rolling Back The Clock On CMS-Targeting Cyber Attacks," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1156-1171, doi: 10.1109/SP40000.2020.00116.

[YODA](https://www.usenix.org/conference/usenixsecurity22/presentation/kasturi)

"Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces," in 31st USENIX Security Symposium (USENIX Security 22), 2022.
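The container workflow described under "Running as a container", one container per plugin with BASE_PATH expressed relative to the bridge mount, as an added Python example. This is not part of the Kratos repository; it stands in for the PowerShell `scripts/run_all.ps1` listed under "Included scripts" and uses only the conventions the README states (bind mount target `/usr/src/bridge`, image tag `kratos`, BASE_PATH relative to the mount). The function names, the `--rm` flag and the refusal to run on plugin directories outside the bridge directory are this example's own choices.

```python
"""Run Kratos on every plugin under a bridge directory, one container per plugin.

Added example, not part of the Kratos repository: a Python stand-in for the
repo's scripts/run_all.ps1. Assumes the README's conventions: the host bridge
directory is bind-mounted at /usr/src/bridge inside the container and
BASE_PATH is given relative to that mount. MOUNT_TARGET, IMAGE and all
function names are this example's own.
"""
import os
import subprocess
from typing import List

MOUNT_TARGET = "/usr/src/bridge"   # mount destination defined by the Dockerfile
IMAGE = "kratos"                   # tag used in the README's "docker build" step


def container_base_path(bridge_src: str, plugin_dir: str) -> str:
    """Return the BASE_PATH value for plugin_dir, relative to the bridge mount.

    Refuses directories outside bridge_src: the container only sees what is
    mounted, so such a path could never resolve inside it. Symlinks are
    resolved first so a link that points out of the bridge is caught too.
    """
    bridge = os.path.realpath(bridge_src)
    plugin = os.path.realpath(plugin_dir)
    if os.path.commonpath([bridge, plugin]) != bridge:
        raise ValueError(f"{plugin_dir} is not inside bridge directory {bridge_src}")
    rel = os.path.relpath(plugin, bridge)
    return "." if rel == os.curdir else rel.replace(os.sep, "/")


def docker_run_argv(bridge_src: str, plugin_dir: str) -> List[str]:
    """Build the README's docker run command for one plugin directory.

    --rm is added so finished analysis containers do not pile up on the host.
    """
    base_path = container_base_path(bridge_src, plugin_dir)
    return [
        "docker", "run", "--rm",
        "--mount", f"type=bind,src={os.path.realpath(bridge_src)},target={MOUNT_TARGET}",
        "-e", f"BASE_PATH={base_path}",
        IMAGE,
    ]


def run_all(plugins_root: str, bridge_src: str, execute: bool = False) -> List[List[str]]:
    """One container per immediate subdirectory of plugins_root.

    Returns the argv lists in sorted order so callers can inspect or log
    them; with execute=True each one is run sequentially, continuing past
    plugins whose container exits non-zero.
    """
    argvs: List[List[str]] = []
    for name in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, name)
        if not os.path.isdir(plugin_dir):
            continue                      # skip stray archives, reports, etc.
        argv = docker_run_argv(bridge_src, plugin_dir)
        argvs.append(argv)
        if execute:
            subprocess.run(argv, check=False)
    return argvs


if __name__ == "__main__":
    import sys
    plugins_root, bridge_src = sys.argv[1], sys.argv[2]
    for argv in run_all(plugins_root, bridge_src, execute="--execute" in sys.argv[3:]):
        print(" ".join(argv))
```

Without `--execute` the script only prints the commands it would run, which is a convenient way to confirm that every BASE_PATH is relative to the mount before the reports start landing in the bridge directory.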
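A recursive ZIP extractor of the kind listed under "Included scripts", written as an added example with the checks a practitioner wants before pointing it at plugin archives recovered from a compromised site. This is not the repository's `scripts/extractor.py`: it refuses entries whose path would land outside the destination directory (the "zip slip" case), recurses into ZIPs found inside the archive, and caps nesting depth so a self-nesting archive cannot recurse forever. The function names, `MAX_DEPTH` and the constructed sample archive are this example's own.

```python
"""Recursively extract nested ZIP archives without letting any entry escape.

Added example, not the Kratos scripts/extractor.py. Plugin archives pulled
from a compromised site are attacker-controlled, so an entry named
"../../etc/cron.d/x" must never be written outside the destination. This
version resolves each target path and refuses entries that leave dest,
recurses into ZIPs found inside the archive, and caps nesting depth.
Function names, MAX_DEPTH and the sample archive are this example's own.
"""
import io
import os
import shutil
import zipfile
from typing import Dict, List

MAX_DEPTH = 5   # assumption: nesting deeper than this is refused, not extracted


def _safe_target(dest: str, name: str) -> str:
    """Absolute path for entry `name` under dest, or "" if it would escape."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return ""
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, name))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return ""            # "../" traversal survived normalisation
    return target


def extract_zip(archive: str, dest: str, depth: int = 0,
                root: str = None) -> Dict[str, List[str]]:
    """Extract `archive` into `dest`, recursing into nested ZIPs.

    Returns {"extracted": [...], "skipped": [...]}; extracted paths are
    relative to the top-level dest so a report can list exactly what was
    written and which entries were refused.
    """
    root = os.path.realpath(root or dest)
    result: Dict[str, List[str]] = {"extracted": [], "skipped": []}
    if depth > MAX_DEPTH:
        result["skipped"].append(archive)
        return result
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = _safe_target(dest, info.filename)
            if not target:
                result["skipped"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            result["extracted"].append(
                os.path.relpath(target, root).replace(os.sep, "/"))
            if zipfile.is_zipfile(target):
                # nested archive: extract beside it, one level deeper
                nested = extract_zip(target, target + "_extracted", depth + 1, root)
                result["extracted"] += nested["extracted"]
                result["skipped"] += nested["skipped"]
    return result


def build_sample_archive(path: str) -> None:
    """Constructed fixture, not a real plugin: an outer ZIP holding a text
    file, an inner ZIP with a PHP file, and a path-traversal entry."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("plugin/plugin.php", "<?php echo 'nested'; ?>")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("readme.txt", "constructed sample")
        z.writestr("bundle.zip", inner.getvalue())
        z.writestr("../escape.txt", "must never be written outside dest")


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "sample.zip")
    build_sample_archive(sample)
    print(extract_zip(sample, os.path.join(work, "out")))
```

The traversal entry is written with `zipfile.writestr`, which does not sanitise names, so the fixture really does carry `../escape.txt`; the extractor reports it under `skipped` and nothing is created beside the destination directory.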