From a8c0425af2fcf985402742da85f4cb1ff5045994 Mon Sep 17 00:00:00 2001
From: azurda
Date: Mon, 30 Sep 2024 08:52:38 +0000
Subject: [PATCH 1/2] tor browser extension support

---
 .../modules/auxiliary/browsermonitor.py | 5 +++
 .../windows/modules/packages/tor_browser.py | 27 ++++++++++++++
 extra/browser_extension/background.js | 36 ++++++++++++++++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 analyzer/windows/modules/packages/tor_browser.py

diff --git a/analyzer/windows/modules/auxiliary/browsermonitor.py b/analyzer/windows/modules/auxiliary/browsermonitor.py
index e994505f274..e46e8fbe52c 100644
--- a/analyzer/windows/modules/auxiliary/browsermonitor.py
+++ b/analyzer/windows/modules/auxiliary/browsermonitor.py
@@ -35,6 +35,11 @@ def _find_browser_extension(self):
 while not self.browser_logfile and self.do_run:
 temp_dir_list = os.listdir(temp_dir)
 for directory in temp_dir_list:
+ # TOR Browser saves directly to %temp%
+ if directory.startswith("bext_") and directory.endswith(".json"):
+ log.debug(f"Found extension logs: {self.browser_logfile}")
+ self.browser_logfile = os.path.join(temp_dir, directory)
+ break
 tmp_directory_path = os.path.join(temp_dir, directory)
 if not os.path.isdir(tmp_directory_path):
 continue
diff --git a/analyzer/windows/modules/packages/tor_browser.py b/analyzer/windows/modules/packages/tor_browser.py
new file mode 100644
index 00000000000..23beaec50e8
--- /dev/null
+++ b/analyzer/windows/modules/packages/tor_browser.py
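Review bot: The `log.debug` line logs `self.browser_logfile` before the assignment on the next line, so on the only path that reaches it the message prints the still-unset value (the enclosing `while not self.browser_logfile` guarantees it is falsy at that point). Swap the two lines and use lazy formatting: `self.browser_logfile = os.path.join(temp_dir, directory)` followed by `log.debug("Found extension logs: %s", self.browser_logfile)`. The name test also accepts any `bext_*.json` entry in %temp%, including a directory, because `os.path.isdir` is only consulted on the non-matching branch below; adding `and os.path.isfile(os.path.join(temp_dir, directory))` keeps the monitor from adopting a directory as its log file. `_find_browser_extension` starts and ends outside the hunk.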
@@ -0,0 +1,27 @@
+# Copyright (C) 2024 fdiaz@virustotal.com
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+import webbrowser
+import time
+
+from lib.common.abstracts import Package
+
+
+class TorBrowserExt(Package):
+ """TOR analysis package (with extension)."""
+
+ PATHS = [
+ ("LOCALAPPDATA", "Tor Browser", "Browser", "firefox.exe"),
+ ]
+ summary = "Opens the URL in firefox."
+ description = """Spawns TOR's firefox.exe and opens the supplied URL."""
+
+ def start(self, url):
+ webbrowser.register(
+ "firefox", None, webbrowser.BackgroundBrowser(
+ self.get_path("firefox.exe")))
+ firefox = webbrowser.get("firefox")
+ time.sleep(15) # Rough estimate, change based on your setup times.
+ firefox.open(url)
+ time.sleep(15) # Prevent analysis from finishing too early.
+ return
\ No newline at end of file
diff --git a/extra/browser_extension/background.js b/extra/browser_extension/background.js
index e814b9692c3..64ff7f7ea92 100644
--- a/extra/browser_extension/background.js
+++ b/extra/browser_extension/background.js
@@ -1,6 +1,29 @@
+let isTORBrowser = false;
 let networkData = [];
+let downloadTORPath = "bext_default.json";
+
+function generateRandomFilename() {
+ const asciiLetters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ let filename = 'bext_';
+ for (let i = 0; i < 10; i++) {
+ filename += asciiLetters.charAt(Math.floor(Math.random() * asciiLetters.length));
+ }
+ filename += '.json';
+ return filename;
+}
+function storeNetworkData() {
+ const blob = new Blob([JSON.stringify(networkData, null, 2)], {type: "application/json"});
+ const url = URL.createObjectURL(blob);
+
+ browser.downloads.download({
+ url: url,
+ filename: downloadTORPath,
+ conflictAction: 'overwrite'
+ });
+}
+
 function onRequestEvent(details) {
 if (details.url.includes("/browser_extension")) {
 return;
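Review bot: The first `time.sleep(15)` in `start` waits before anything is launched: `webbrowser.get("firefox")` only returns the `BackgroundBrowser` registered two lines above, and the process is spawned by `firefox.open(url)`, so the `# Rough estimate, change based on your setup times.` comment sits on a sleep that merely postpones the browser start by 15 s. Moving that sleep after `firefox.open(url)` (or dropping it and keeping the second one) gives the grace period the comment intends. The boolean result of `open()` is discarded, so a failed launch is invisible to the analyzer; `if not firefox.open(url):` followed by an error log or raise would at least surface it. Presumably sibling packages spawn through the `Package` base's execute helper and return the pid so the analyzer can monitor the process; launching via `webbrowser` and returning `None` bypasses that path, which should be a deliberate, documented choice in the class docstring.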
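Review bot: `storeNetworkData` creates a new object URL on every response event and never revokes it, so each call leaks a blob holding the full serialized `networkData` for the lifetime of the background page. The promise returned by `browser.downloads.download()` is also left unhandled, so a rejected download (for example when the browser is still set to ask where to save, the case the README warns about) fails silently. Chain the promise and release the URL, e.g. `browser.downloads.download({...}).then(() => URL.revokeObjectURL(url), (err) => { URL.revokeObjectURL(url); console.error("storeNetworkData:", err); });` — if the blob must outlive the start of the download, revoke it from a `browser.downloads.onChanged` listener once the item's state is complete instead. Rewriting the whole array with `conflictAction: 'overwrite'` on every response also makes the total bytes written quadratic in the number of requests; a debounced write would be cheaper, though that is a design choice. `Math.random()` is adequate in `generateRandomFilename` since the name only needs to be unique, not unpredictable.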
@@ -28,7 +51,11 @@ function onResponseEvent(details) {
 requestEvent.type = details.type;
 requestEvent.ip = details.ip;
 requestEvent.originUrl = details.originUrl;
- sendEvents();
+ if (isTORBrowser) {
+ storeNetworkData();
+ } else {
+ sendEvents()
+ }
 }
 }
@@ -73,4 +100,11 @@ browser.downloads.onCreated.addListener(function(downloadItem) {
 browser.runtime.onStartup.addListener(function () {
 networkData = [];
+});
+
+browser.runtime.getBrowserInfo().then((bInfo) => {
+ if (bInfo.vendor === "Tor Project") {
+ isTORBrowser = true;
+ downloadTORPath = generateRandomFilename();
+ }
 });
\ No newline at end of file
From c6443e47c7cf96b98607d7d62576a2eb64f26793 Mon Sep 17 00:00:00 2001
From: azurda
Date: Mon, 30 Sep 2024 08:57:21 +0000
Subject: [PATCH 2/2] add readme update

---
 extra/browser_extension/README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/extra/browser_extension/README.md b/extra/browser_extension/README.md
index 697e43b9bb2..869b5013c25 100644
--- a/extra/browser_extension/README.md
+++ b/extra/browser_extension/README.md
@@ -26,3 +26,14 @@ permissions back. Then, the extension is permantently loaded. Tested on version
 The default path for the `chromium_ext` package is %LOCALAPPDATA%/Chromium/chrome.exe, change the path in .py if needed.
+
+==== TOR Browser ====
+Follow the same steps as FIREFOX. By default TOR browser always starts in a
+Private Tab, allow the extension to run in Private Tabs by default. Because TOR
+joins the TOR network, it won't see localhost and instead calls the browser
+download API to save requests.
+
+Set the default downloads directory to %temp% for the auxiliary module to find
+the .JSON file. After setting the saving path to %temp%, below untick "Always
+ask you where to save files" so that the extension is able to call the
+`browser.download` API.
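Review bot: The branch in `onResponseEvent` reads `isTORBrowser` synchronously, but the flag is only set once the `browser.runtime.getBrowserInfo()` promise in the hunk at `@@ -73,4 +100,11 @@` resolves, so responses captured before that point are routed to `sendEvents()` — which, per the README, cannot reach localhost from Tor Browser — and are lost instead of being written to the file. Keep the promise and defer the decision on it: `const browserReady = browser.runtime.getBrowserInfo().then(...)` in the later hunk, and here `browserReady.then(() => { if (isTORBrowser) { storeNetworkData(); } else { sendEvents(); } });`. The replaced line ended with a semicolon while the new `sendEvents()` call does not; keep the file's existing style. `onResponseEvent` starts outside the hunk.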
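Review bot: The `getBrowserInfo()` promise has no rejection handler, so if the call fails the extension silently stays in non-Tor mode and every captured event goes to `sendEvents()`; add `.catch((err) => console.error("getBrowserInfo:", err))` after the `.then`. The detection keys on the literal `bInfo.vendor === "Tor Project"`, which I cannot confirm against a Tor Browser build from here; a comment recording where it was checked, e.g. `// vendor string verified on Tor Browser <version checked>`, would let the next maintainer re-validate it when the browser is updated.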