Merge pull request #16 from adrianherrera/null-security-manager

Added new "set security manager to null" heuristic to the MaliciousCodeS...
This commit is contained in:
Kalen (Konloch) Kinloch 2014-12-31 11:07:50 -08:00
commit 8adee814cc
2 changed files with 40 additions and 5 deletions


@ -17,7 +17,7 @@ import java.awt.event.ActionEvent;
public class MaliciousCodeScannerOptions extends JFrame {
public MaliciousCodeScannerOptions() {
this.setIconImages(BytecodeViewer.iconList);
setSize(new Dimension(250, 277));
setSize(new Dimension(250, 300));
setResizable(false);
setTitle("Malicious Code Scanner Options");
getContentPane().setLayout(null);
@ -67,6 +67,12 @@ public class MaliciousCodeScannerOptions extends JFrame {
chckbxLdcMatchesIp.setBounds(6, 189, 232, 23);
getContentPane().add(chckbxLdcMatchesIp);
final JCheckBox chckbxNullSecMan = new JCheckBox(
"SecurityManager set to null");
chckbxNullSecMan.setSelected(true);
chckbxNullSecMan.setBounds(6, 215, 232, 23);
getContentPane().add(chckbxNullSecMan);
JButton btnNewButton = new JButton("Start Scanning");
btnNewButton.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent arg0) {
@ -77,11 +83,11 @@ public class MaliciousCodeScannerOptions extends JFrame {
chckbxLdcContainswww.isSelected(),
chckbxLdcContainshttp.isSelected(),
chckbxLdcContainshttps.isSelected(), chckbxLdcMatchesIp
.isSelected()));
.isSelected(), chckbxNullSecMan.isSelected()));
dispose();
}
});
btnNewButton.setBounds(6, 219, 232, 23);
btnNewButton.setBounds(6, 245, 232, 23);
getContentPane().add(btnNewButton);
this.setLocationRelativeTo(null);
}
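Review bot: The call site now passes nine positional booleans to the scanner constructor (`chckbxLdcMatchesIp.isSelected(), chckbxNullSecMan.isSelected()`), so the correctness of this change rests entirely on the argument order matching the parameter list in the other file, and a transposition would compile cleanly and silently enable the wrong heuristic. A short comment on the new argument, `// must stay in the same order as MaliciousCodeScanner(reflect, runtime, net, io, www, http, https, ip, nullSecMan)`, would at least make the coupling visible; a builder or an options object would remove it. The surrounding constructor `MaliciousCodeScannerOptions()` begins before the first hunk of this section, so the earlier checkbox set-up is only partly visible here.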


@ -2,10 +2,12 @@ package the.bytecode.club.bytecodeviewer.plugins;
import java.util.ArrayList;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.ClassNode;
import org.objectweb.asm.tree.FieldNode;
import org.objectweb.asm.tree.InsnList;
import org.objectweb.asm.tree.InsnNode;
import org.objectweb.asm.tree.LdcInsnNode;
import org.objectweb.asm.tree.MethodInsnNode;
import org.objectweb.asm.tree.MethodNode;
@ -25,10 +27,11 @@ import the.bytecode.club.bytecodeviewer.api.PluginConsole;
public class MaliciousCodeScanner extends Plugin {
public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP;
public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM;
public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net,
boolean io, boolean www, boolean http, boolean https, boolean ip) {
boolean io, boolean www, boolean http, boolean https, boolean ip,
boolean nullSecMan) {
ORE = reflect;
ONE = net;
ORU = runtime;
@ -37,6 +40,7 @@ public class MaliciousCodeScanner extends Plugin {
LHT = http;
LHS = https;
LIP = ip;
NSM = nullSecMan;
}
@Override
@ -77,6 +81,8 @@ public class MaliciousCodeScanner extends Plugin {
}
}
boolean prevInsn_aconst_null = false;
for (Object o : classNode.methods.toArray()) {
MethodNode m = (MethodNode) o;
@ -111,6 +117,29 @@ public class MaliciousCodeScanner extends Plugin {
}
}
}
// Check if the security manager is getting set to null
if ((a instanceof InsnNode)
&& (a.getOpcode() == Opcodes.ACONST_NULL)) {
prevInsn_aconst_null = true;
} else if ((a instanceof MethodInsnNode)
&& (a.getOpcode() == Opcodes.INVOKESTATIC)) {
final String owner = ((MethodInsnNode) a).owner;
final String name = ((MethodInsnNode) a).name;
if ((NSM && prevInsn_aconst_null
&& owner.equals("java/lang/System") && name
.equals("setSecurityManager"))) {
sb.append("Found Security Manager set to null at method "
+ classNode.name
+ "."
+ m.name
+ "("
+ m.desc + ")" + BytecodeViewer.nl);
prevInsn_aconst_null = false;
}
} else {
prevInsn_aconst_null = false;
}
}
}
}
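Review bot: The `prevInsn_aconst_null` flag is cleared by the `else` branch for every node that is neither an `InsnNode` nor an `INVOKESTATIC` `MethodInsnNode`, and ASM's pseudo-instructions (`LabelNode`, `LineNumberNode`, `FrameNode`, opcode -1) fall into that branch, so an `aconst_null` separated from `setSecurityManager` by a label or line-number entry appears to be missed; guarding the whole new block with `if (a.getOpcode() == -1) continue;` before the first `if` would keep the heuristic focused on real instructions. The flag is also declared at line 80 outside the per-method loop that starts on line 81, so its value is carried from one method into the next; declaring it inside that loop, `boolean prevInsn_aconst_null = false;` as the loop's first statement, scopes the state to the method being scanned. Note also that a non-matching `INVOKESTATIC` leaves the flag set rather than clearing it, which is probably intended for `setSecurityManager` but is worth a comment such as `// an unrelated INVOKESTATIC does not reset the flag; only a later non-static insn does`. The enclosing scanning method begins before this hunk, so the instruction loop header is not visible here.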