All skills
Skillintermediate

YARA-X CRX Module Reference

The `crx` module enables analysis of Chrome extension packages (CRX files). Use it to detect malicious extensions based on their declared permissions, manifest structure, and metadata.

Claude Code Knowledge Pack7/10/2026

Overview

YARA-X CRX Module Reference

The crx module enables analysis of Chrome extension packages (CRX files). Use it to detect malicious extensions based on their declared permissions, manifest structure, and metadata.

Version requirements: YARA-X v1.5.0+

Module Import

API Reference

File Type Validation

FieldTypeDescription
crx.is_crxboolReturns true if file is a valid CRX package

Always check crx.is_crx first. The module's other fields will not work correctly on non-CRX files.

Extension Metadata

FieldTypeDescription
crx.idstringExtension identifier
crx.versionstringExtension version string
crx.namestringExtension display name (localized)
crx.descriptionstringExtension description (localized)
crx.raw_namestringExtension name without localization
crx.raw_descriptionstringExtension description without localization
crx.homepage_urlstringExtension homepage URL

CRX Format Information

FieldTypeDescription
crx.crx_versionintegerCRX format version (2 or 3)
crx.header_sizeintegerSize of the CRX header in bytes

Permission Analysis

FieldDescriptionExample
crx.permissionsArray of declared permissionsfor any perm in crx.permissions
crx.optional_permissionsArray of optional permissionsfor any perm in crx.optional_permissions
crx.host_permissionsArray of host patterns (MV3)for any host in crx.host_permissions
crx.optional_host_permissionsArray of optional host patternsfor any host in crx.optional_host_permissions

Signature Verification

FieldTypeDescription
crx.signaturesarrayArray of signature objects
crx.signatures[i].keystringPublic key for this signature
crx.signatures[i].verifiedboolWhether signature verification passed
// Check if extension has a verified signature
rule CRX_VerifiedSignature
{
    condition:
        crx.is_crx and
        for any sig in crx.signatures : (sig.verified)
}

Permission Risk Assessment

High-Risk Permissions

These permissions enable significant access and should trigger careful review:

PermissionRiskLegitimate Uses
debuggerCan intercept all traffic, modify any pageDevTools extensions
nativeMessagingCommunicate with local executablesPassword managers, native integrations
<all_urls>Access all websitesAd blockers, universal tools
proxyRoute all traffic through specified proxyVPN extensions
webRequest + webRequestBlockingIntercept/modify requestsAd blockers, privacy tools
cookies (with broad hosts)Access authentication tokensSession managers
historyRead complete browsing historyProductivity trackers

Red Flag Combinations

These permission combinations are especially suspicious:

// Data exfiltration potential
condition:
    crx.is_crx and
    for any perm in crx.permissions : (perm == "nativeMessaging") and
    for any perm in crx.permissions : (perm == "<all_urls>" or perm == "*://*/*")

// Credential theft potential
condition:
    crx.is_crx and
    for any perm in crx.permissions : (perm == "webRequest") and
    for any perm in crx.permissions : (perm == "webRequestBlocking") and
    for any host in crx.host_permissions : (host contains "://*/*")

// Man-in-the-browser potential
condition:
    crx.is_crx and
    for any perm in crx.permissions : (perm == "debugger") and
    for any perm in crx.permissions : (perm == "tabs")

Example Rules

Detect High-Risk Extension


rule SUSP_CRX_HighRiskProfile
{
    meta:
        description = "Detects extensions with high-risk permission combinations"
        score = 70

    condition:
        crx.is_crx and

        // Count dangerous permissions
        (
            (for any p in crx.permissions : (p == "debugger")) +
            (for any p in crx.permissions : (p == "nativeMessaging")) +
            (for any p in crx.permissions : (p == "proxy")) +
            (for any p in crx.permissions : (p == "webRequestBlocking"))
        ) >= 2 and

        // Has broad host access
        for any h in crx.host_permissions : (
            h == "<all_urls>" or h contains "://*/*"
        )
}

Detect Unverified Signatures


rule SUSP_CRX_UnverifiedSignature
{
    meta:
        description = "Detects CRX files with unverified or missing signatures"
        score = 60

    condition:
        crx.is_crx and
        not for any sig in crx.signatures : (sig.verified)
}

Combine with String Patterns


rule SUSP_CRX_CryptoMiner
{
    meta:
        description = "Detects potential cryptomining extensions"
        score = 80

    strings:
        $miner1 = "CoinHive" ascii wide nocase
        $miner2 = "coinhive.min.js" ascii
        $miner3 = /Miner\\.(start|stop)\\s*\\(/
        $wasm_miner = "cryptonight" ascii
        $pool_stratum = /stratum\\+tcp:\\/\\//

    condition:
        crx.is_crx and

        // Needs background execution
        for any perm in crx.permissions : (
            perm == "background" or perm == "alarms"
        ) and

        // Miner indicators
        (2 of ($miner*) or $wasm_miner or $pool_stratum)
}

Best Practices

  1. Always validate file type first — Start conditions with crx.is_crx

  2. Don't over-match on common permissionsstorage, activeTab, tabs are used by most extensions

  3. Combine permissions with behavioral indicators — Permission + suspicious string pattern is stronger than permission alone

  4. Use signatures for hunting — Extensions with unverified signatures are worth investigating

  5. Test against legitimate extensions — Chrome Web Store top extensions are your goodware corpus

Troubleshooting

Rule doesn't match CRX files:

  • Verify the file is a valid CRX (not just a renamed ZIP)
  • Check YARA-X version (yr --version) meets requirements
  • Use yr dump -m crx extension.crx to inspect what the module sees

Permission iteration not working:

  • Ensure proper syntax: for any perm in crx.permissions : (perm == "...")
  • Permissions are strings, not identifiers

Signature verification questions:

  • crx.signatures may be empty for unsigned extensions
  • CRX v2 uses RSA signatures; CRX v3 uses ECDSA