Hello TrID users,
Some days ago, just out of interest, I used another web browser: Opera. To
protect myself and my privacy I looked for browser extensions like Privacy
Badger and uBlock Origin, which I used in other browsers. Instead of installing
the extensions directly, I just downloaded them. These are stored with the file
name extension crx.
Many samples are described correctly by crx.trid.xml as "Google Chrome
Extension", but some are only described as "Unknown!" (see appended
output/trid-v.txt).
For comparison I also ran other identifying tools on such examples. The file
command identifies all examples as "Google Chrome extension" (see appended
output/file-5.39.txt). It also displays the correct MIME type (see appended
output/file-i-5.39.txt). So I added this to the TrID definition. That is
expressed by an additional line like:
<Mime>application/x-chrome-extension</Mime>
After the 4 byte magic a version number is stored as a long integer. For most
extensions this is nowadays 3, but I also found one example, test_crx_dummy.crx,
with version 2. That is shown by the file command. So I mention this fact in a
remark line like:
<Rem>version like 2 or 3 stored at offset 4</Rem>
So I ran tridscan on my undetected samples and updated the TrID definition file
crx.trid.xml. All samples still start with the characteristic 4 byte magic.
That is expressed by an XML construct like:
<Bytes>43723234</Bytes>
<ASCII> C r 2 4</ASCII>
<Pos>0</Pos>
In the global strings section the current line looks like:
<String>MANIFEST.JSONPK</String>
After running tridscan this line gets shorter and now looks like:
<String>MANIFEST.JSON</String>
According to the documentation, Google Chrome extensions contain ZIP archives.
So ZIP tools like 7z can list the file content when forced to use the zip file
type by the -tzip option (see appended output/7z-l-tzip.txt). With the -slt
option more information is shown in the listing. For the undetected extensions
the Characteristics of the manifest.json are not empty. I found characteristics
for UTF8, NTFS, UT and 0x7875. This information is also shown by the UNZIP
utility with the -Z option for zipinfo mode and -v for verbose. The unzip output
is even more suited for humans, so it shows that the sub field with ID 0x7875 is
used for Unix UID/GID. According to the ZIP file format documentation, after a
filename like MANIFEST.JSON in the local file header come optional fields like
Unix UID/GID, NTFS and/or modification/access times. If there is no extra field
then the next ZIP structure starting with the PK magic immediately follows. Then
we get the string MANIFEST.JSONPK.
With the updated definition the unrecognized Google Chrome extensions are
now described correctly (see appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive crx.zip. I hope
that my XML file can be used in a future version of triddefs.
With best wishes
Jörg Jenderek
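As an added illustration of the two structures the mail discusses (the Cr24 magic with the version number at offset 4, and the ZIP extra fields that break up the MANIFEST.JSONPK byte run), here is a small Python parser. It is example code written for this page, not part of Jörg's crx.zip archive and not TrID or file(1) code. It builds two constructed CRX3 samples, one with no extra field and one carrying Unix UID/GID (0x7875) and UT (0x5455) extra fields, and reports for each the version, the extra-field IDs found in both the local file header and the central directory entry, and whether the MANIFEST.JSONPK literal still occurs. The CRX v2/v3 header layouts follow Google's published CRX format description; the v3 protobuf header in the sample is a zero-filled placeholder, not a valid signed header, and the UID/GID and timestamp values are made up.

```python
import struct
import zlib

CRX_MAGIC = b"Cr24"
# ZIP extra-field header IDs named in the mail (values from the ZIP appnote / Info-ZIP)
EXTRA_NAMES = {0x7875: "Unix UID/GID (ux)", 0x5455: "extended timestamp (UT)", 0x000A: "NTFS"}


def parse_crx_header(data: bytes):
    """Return (version, offset of the embedded ZIP). The version is the little-endian
    uint32 right after the 4-byte magic. Assumption: the input is well formed."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("missing Cr24 magic")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:  # CRX2: public key length, signature length, then both blobs
        pubkey_len, sig_len = struct.unpack_from("<II", data, 8)
        return version, 16 + pubkey_len + sig_len
    if version == 3:  # CRX3: length-prefixed protobuf header
        header_len = struct.unpack_from("<I", data, 8)[0]
        return version, 12 + header_len
    raise ValueError(f"unsupported CRX version {version}")


def extra_field_ids(extra: bytes):
    """Split a ZIP extra field into its (id, size, body) sub-blocks; return the IDs."""
    ids, pos = [], 0
    while pos + 4 <= len(extra):
        hid, hsize = struct.unpack_from("<HH", extra, pos)
        ids.append(hid)
        pos += 4 + hsize
    return ids


def first_entry(data: bytes, zip_offset: int):
    """Parse the first local file header and its central directory twin.
    Returns (name, local extra IDs, central extra IDs)."""
    sig, *_, name_len, extra_len = struct.unpack_from("<4sHHHHHIIIHH", data, zip_offset)
    if sig != b"PK\x03\x04":
        raise ValueError("no local file header at ZIP offset")
    p = zip_offset + 30
    name = data[p:p + name_len]
    local_ids = extra_field_ids(data[p + name_len:p + name_len + extra_len])
    # Find the central directory via the end-of-central-directory record; its
    # offset field is relative to the start of the ZIP, not of the CRX file.
    eocd = data.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0] + zip_offset
    c_name_len, c_extra_len = struct.unpack_from("<HH", data, cd_off + 28)
    q = cd_off + 46 + c_name_len
    central_ids = extra_field_ids(data[q:q + c_extra_len])
    return name.decode(), local_ids, central_ids


def describe_crx(data: bytes) -> dict:
    version, zip_offset = parse_crx_header(data)
    name, local_ids, central_ids = first_entry(data, zip_offset)
    return {
        "version": version,
        "first_entry": name,
        "local_extra": [EXTRA_NAMES.get(i, hex(i)) for i in local_ids],
        "central_extra": [EXTRA_NAMES.get(i, hex(i)) for i in central_ids],
        # The literal TrID keyed on (TrID upper-cases its strings): it only exists
        # when nothing sits between the file name and the next PK signature.
        "manifest_pk_adjacent": b"manifest.jsonpk" in data.lower(),
    }


# --- constructed samples -----------------------------------------------------
def unix_uid_gid_extra(uid=1000, gid=1000) -> bytes:
    body = struct.pack("<BBIBI", 1, 4, uid, 4, gid)  # version, uid size, uid, gid size, gid
    return struct.pack("<HH", 0x7875, len(body)) + body


def ut_extra(mtime=0) -> bytes:
    body = struct.pack("<BI", 1, mtime)  # flags: only mtime present
    return struct.pack("<HH", 0x5455, len(body)) + body


def build_zip(name: bytes, payload: bytes, extra: bytes = b"") -> bytes:
    """One stored (uncompressed) entry, same extra field in local and central header."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0x21,
                        crc, len(payload), len(payload), len(name), len(extra))
    local += name + extra + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0x21,
                          crc, len(payload), len(payload), len(name), len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_crx3(zip_bytes: bytes) -> bytes:
    """CRX3 wrapper with a zero-filled placeholder header (not a real signed header)."""
    header = b"\x00" * 8
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + zip_bytes


def build_crx2(zip_bytes: bytes, pubkey: bytes = b"", sig: bytes = b"") -> bytes:
    """CRX2 wrapper; empty key/signature keeps the constructed sample short."""
    return CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig)) + pubkey + sig + zip_bytes


MANIFEST = b'{"manifest_version": 3, "name": "constructed sample"}'
PLAIN_CRX = build_crx3(build_zip(b"manifest.json", MANIFEST))
EXTRA_CRX = build_crx3(build_zip(b"manifest.json", MANIFEST, unix_uid_gid_extra() + ut_extra()))
OLD_CRX = build_crx2(build_zip(b"manifest.json", MANIFEST))

if __name__ == "__main__":
    for label, blob in ("no extra field", PLAIN_CRX), ("ux + UT", EXTRA_CRX), ("v2", OLD_CRX):
        print(label, describe_crx(blob))
```

Running the block prints one dictionary per sample: the sample without extra fields reports `manifest_pk_adjacent: True`, the one with ux and UT fields lists both IDs and reports `False`, which is exactly the difference between the old MANIFEST.JSONPK string and the shortened MANIFEST.JSON one.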