TOR Browser extension support

analyzer/windows/modules/auxiliary/browsermonitor.py

@@ -35,6 +35,11 @@ def _find_browser_extension(self):
         while not self.browser_logfile and self.do_run:
             temp_dir_list = os.listdir(temp_dir)
             for directory in temp_dir_list:
+                # TOR Browser saves directly to %temp%
+                if directory.startswith("bext_") and directory.endswith(".json"):
+                    log.debug(f"Found extension logs: {self.browser_logfile}")
+                    self.browser_logfile = os.path.join(temp_dir, directory)
+                    break
                 tmp_directory_path = os.path.join(temp_dir, directory)
                 if not os.path.isdir(tmp_directory_path):
                     continue

analyzer/windows/modules/packages/tor_browser.py

@@ -0,0 +1,27 @@
+# Copyright (C) 2024 [email protected]
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+import webbrowser
+import time
+
+from lib.common.abstracts import Package
+
+
+class TorBrowserExt(Package):
+    """TOR analysis package (with extension)."""
+
+    PATHS = [
+        ("LOCALAPPDATA", "Tor Browser", "Browser", "firefox.exe"),
+    ]
+    summary = "Opens the URL in firefox."
+    description = """Spawns TOR's firefox.exe and opens the supplied URL."""
+
+    def start(self, url):
+        webbrowser.register(
+            "firefox", None, webbrowser.BackgroundBrowser(
+                self.get_path("firefox.exe")))
+        firefox = webbrowser.get("firefox")
+        time.sleep(15)  # Rough estimate, change based on your setup times.
+        firefox.open(url)
+        time.sleep(15)  # Prevent analysis from finishing too early.
+        return

extra/browser_extension/README.md

@@ -26,3 +26,14 @@ permissions back. Then, the extension is permantently loaded. Tested on version
 
 The default path for the `chromium_ext` package is %LOCALAPPDATA%/Chromium/chrome.exe,
 change the path in .py if needed.
+
+==== TOR Browser ====
+Follow the same steps as FIREFOX. By default TOR browser always starts in a
+Private Tab, allow the extension to run in Private Tabs by default. Because TOR
+joins the TOR network, it won't see localhost and instead calls the browser
+download API to save requests.
+
+Set the default downloads directory to %temp% for the auxiliary module to find
+the .JSON file. After setting the saving path to %temp%, below untick "Always
+ask you where to save files" so that the extension is able to call the
+`browser.download` API. 

extra/browser_extension/background.js

@@ -1,6 +1,29 @@
+let isTORBrowser = false;
 let networkData = [];
+let downloadTORPath = "bext_default.json";
+
+function generateRandomFilename() {
+  const asciiLetters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+  let filename = 'bext_';
+  for (let i = 0; i < 10; i++) {
+    filename += asciiLetters.charAt(Math.floor(Math.random() * asciiLetters.length));
+  }
+  filename += '.json';
+  return filename;
+}
 
 
+function storeNetworkData() {
+  const blob = new Blob([JSON.stringify(networkData, null, 2)], {type: "application/json"});
+  const url = URL.createObjectURL(blob);
+
+  browser.downloads.download({
+    url: url,
+    filename: downloadTORPath,
+    conflictAction: 'overwrite'
+  });
+}
+
 function onRequestEvent(details) {
     if (details.url.includes("/browser_extension")) {
       return;
@@ -28,7 +51,11 @@ function onResponseEvent(details) {
       requestEvent.type = details.type;
       requestEvent.ip = details.ip;
       requestEvent.originUrl = details.originUrl;
-      sendEvents();
+      if (isTORBrowser) {
+        storeNetworkData();
+      } else {
+        sendEvents()
+      }
   }
 }
 
@@ -73,4 +100,11 @@ browser.downloads.onCreated.addListener(function(downloadItem) {
 
 browser.runtime.onStartup.addListener(function () {
   networkData = [];
+});
+
+browser.runtime.getBrowserInfo().then((bInfo) => {
+  if (bInfo.vendor === "Tor Project") {
+    isTORBrowser = true;
+    downloadTORPath = generateRandomFilename();
+  }
 });