Created
August 17, 2016 18:29
-
-
Save arubdesu/17c177edbcdf508c49c899e2f119fa33 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """Data file for extension whitelist lookup""" | |
| def main(): | |
| """Gimme some main""" | |
| safari_list = [ | |
| ('com.agilebits.onepassword4-safari', 'a558f819b861863f435589282f636442d26f4ee5'), | |
| ('AdBlock.safariextz', ''), | |
| ('AdBlock-2.safariextz', ''), | |
| ('BugMeNot.safariextz', ''), | |
| ('Clip to DEVONthink.safariextz', ''), | |
| ('Clip to DEVONthink-2.safariextz', ''), | |
| ('Evernote Web Clipper-2.safariextz', ''), | |
| ('Evernote Web Clipper.safariextz', ''), | |
| ('com.betteradvertising.ghostery', ''), | |
| ('com.instapaper.extension', 'bf648412be0acf0d913c7f92a42ee7b86af095ea'), | |
| ('KasperskyURLAdvisor.safariextz', ''), | |
| ('KasperskyVirtualKeyboard.safariextz', ''), | |
| ('com.lukehagan.openinchrome', ''), | |
| ('com.sobolev.stylish', '18e50b05823f72f9cf3afc3740d45ec6bdd494e2'), | |
| ('TabLinks.safariextz', '') | |
| ] | |
| firefox_list = [ | |
| 'loop@mozilla.org',# web sharing for firefox!? | |
| '{972ce4c6-7e08-4474-a285-3208198ce6fd}',# default theme | |
| 'onepassword4@agilebits.com', | |
| '{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi', | |
| 'Clip-to-DEVONthink@devon-technologies.com.xpi', | |
| 'firefox-hotfix@mozilla.org.xpi', | |
| 'jid1-YcMV6ngYmQRA2w@jetpack'#unofficial pinterest... | |
| ] | |
| chrome_list = [ | |
| "pkehgijcmpdhfbdbbnkijodmdjhbjlgp",#privacy badger | |
| "aomjjhallfgjeglblehebfpbcfeobpgk",# 1Password | |
| "lbfehkoinhhcknnbdgnnmjhiladcgbol",# Evernote 'Web' | |
| "pioclpoplcdbaefihamjohnefbikjilc",# Evernote Web Clipper | |
| "cfhdojbkjhnklbpkdaibdccddilifddb",# AdBlockPlus | |
| "gighmmpiobklfepjocnamgkkbiglidom",#adblockRegular... | |
| "iooicodkiihhpojmmeghjclgihfjdjhj",# Clearly | |
| "jlhmfgmfgeifomenelglieieghnjghma",# WebEx, | |
| "bfogiafebfohielmmehodmfbbebbbpei",# Keeper password mgr | |
| "gcgikpombjkodabhbdalkcdhmllafipp",# GoToMeetingProSomethingOrOther | |
| "lneaknkopdijkpnocmklfnjbeapigfbh",# Google Maps | |
| "mgndgikekgjfcpckkfioiadnlibdjbkf",# "Chrome", | |
| "dliochdbjfkdbacpmhlcpmleaejidimm",# chromecast beta | |
| "noondiphcddnnabmjcihcjfbhfklnnep",# Google phishing/password checker | |
| "lccekmodgklaepjeofjdjpbminllajkg",# Chrome Hotword for 'Ok, Google' | |
| "nmmhkkegccagdldgiimedpiccmgmieda",# "Google Wallet", | |
| "ahfgeienlihckogmohjhadlkjgocpleb",# "Google Store", | |
| "aapocclcgogkmnckokdopfmhonfmgoek",# "Google Slides" | |
| "boadgeojelhgndaghljhdicfkmllpafd",# "Google Cast" | |
| "felcaaldnbdncclmgdcncolpebgiejap",# "Google Sheets" | |
| "gfdkimpbcpahaombhbimeihdjnejgicl",# "Chrome FeedBack", | |
| "pjkljhegncpnkpknbcohdijeoejaedia",# "Gmail", | |
| "nkeimhogjdpnpccoofpliimaahmaaome",# "Google Hangouts", | |
| "nckgahadagoaajjgafhacjanaoiihapd",# " | |
| "coobgpohoikkiipiblmjeljniedjpjpf",# "Google Search", | |
| "neajdppkdcdipfabeoofebfddakdcjhd",# "Google Network Speech", | |
| "kmendfapggjehodndflmmgagdbamhnfd",# "Chrome Crypto Token Extension", | |
| "apdfllckaahabafndbhieahigkjlhalf",# "Google Drive", | |
| "lmjegmlicamnimmfhcmpkclmigmmcbeh",# Google Drive file open in native apps | |
| "dnhpdliibojhegemfjheidglijccjfmc",# "Google Hotword Helper", | |
| "bepbmhgboaologfdajaanbcjmnhjmhfn",# "Google Voice Search Hotword", | |
| "blpcfgokakmgnkcojhhkbfbldkacnbeo",# "Google YouTube", | |
| "aohghmighlieiainnegkcijnfilokake",# "Google Docs", | |
| "eemcgdkfndhakfknompkggombfjjjeno",# "Chrome Bookmark Manager", | |
| "gmlllbghnfkpflemihljekbapjopfjik",# ditto | |
| "mfehgcgbbipciphmccgaenjidiccnmng",# "Chrome Cloud Print", | |
| "ennkphjdgehloodpbhlhldgbnhmacadg",# "Chrome Settings", | |
| "pafkbggdmjlpgkdkcbjmhmfcdpncadgh",# "Google Now", | |
| "kcnhkahnjcbndmmehfkdnkjomaanaooo",# GoogleVoice | |
| "gpdjojdkbbmdfjfahjcgigfpmkopogic",# Pinterest... | |
| "mfffpogegjflfpflabcdkioaeobkgjik",# "GAIA Component Extension" | |
| #"gkojfkhlekighikafcpjkiklfbnlmeio", unless you like customers using free VPN services like 'hola internet' | |
| "aknpkdffaafgjchaibgeefbgmgeghloj",# misc junk, not reported diseased yet | |
| "ejjicmeblgpmajnghnpcppodonldlgfn", | |
| "knipolnnllmklapflnccelgolnpehhpl", | |
| "mcemheplgccbimaplmppfdofjghnpmmn", | |
| "aciahcmjmecflokailenpkdchphgkefd", | |
| "bfjgbcjfpbbfepcccpaffkjofcmglifg", | |
| "bhmicilclplefnflapjmnngmkkkkpfad", | |
| "hnkkehjnlfplmdnallbjjdnokolhblgb", | |
| "mcbkbpnkkkipelfledbfocopglifcfmi", | |
| "ajpgkpeckebdhofmmjfgcjjiiejpodla", | |
| "aofbadhekfmdddiihifojhjjpkaoojkn", | |
| "dhaphijmoldalicdpbnpgjeeheglbppo", | |
| "elicpjhcidhpjomhibiffojpinpmmpil", | |
| "hdgenjhkjihnmigcommchefpajjhdmba", | |
| "idknbmbdnapjicclomlijcgfpikmndhd", | |
| "ifhgjbjejfocglfphkdecifccicemfll", | |
| "ghbmnnjooekpmoecnnnilnnbdlolhkhi" | |
| ] | |
| whitelist = [] | |
| for each in safari_list: | |
| row = {} | |
| row['browser'] = 'safari' | |
| row['filename'] = each[0] | |
| row['hash'] = each[1] | |
| whitelist.append(row) | |
| for each in firefox_list: | |
| row = {} | |
| row['browser'] = 'firefox' | |
| row['filename'] = each | |
| row['hash'] = '' | |
| whitelist.append(row) | |
| for each in chrome_list: | |
| row = {} | |
| row['browser'] = 'chrome' | |
| row['filename'] = each | |
| row['hash'] = '' | |
| whitelist.append(row) | |
| return whitelist | |
| if __name__ == '__main__': | |
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import osquery | |
| import browser_whitelist | |
| @osquery.register_plugin | |
| class BrowserWhitelist(osquery.TablePlugin): | |
| def name(self): | |
| return "BrowserWhitelist" | |
| def columns(self): | |
| return [ | |
| osquery.TableColumn(name="browser", type=osquery.STRING), | |
| osquery.TableColumn(name="filename", type=osquery.STRING), | |
| osquery.TableColumn(name="hash", type=osquery.STRING) | |
| ] | |
| def generate(self, context): | |
| query_data = browser_whitelist.main() | |
| return query_data | |
| if __name__ == "__main__": | |
| osquery.start_extension(name="browser_extension_whitelist", | |
| version="1.0.0",) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment