Instruction Printing On Malware Scanner
parent
007955b2ba
commit
c209db4f5b
7 changed files with 72 additions and 56 deletions
|
@ -69,6 +69,8 @@ public class InstructionPrinter {
|
|||
|
||||
protected List<AbstractInsnNode> matchedInsns;
|
||||
protected Map<LabelNode, Integer> labels;
|
||||
private boolean firstLabel = false;
|
||||
private ArrayList<String> info = new ArrayList<>();
|
||||
|
||||
public InstructionPrinter(MethodNode m, TypeAndName[] args) {
|
||||
this.args = args;
|
||||
|
@ -99,64 +101,17 @@ public class InstructionPrinter {
|
|||
* @return The print as an ArrayList
|
||||
*/
|
||||
public ArrayList<String> createPrint() {
|
||||
ArrayList<String> info = new ArrayList<>();
|
||||
firstLabel = false;
|
||||
info.clear();
|
||||
ListIterator<?> it = mNode.instructions.iterator();
|
||||
boolean firstLabel = false;
|
||||
while (it.hasNext()) {
|
||||
AbstractInsnNode ain = (AbstractInsnNode) it.next();
|
||||
String line = "";
|
||||
if (ain instanceof VarInsnNode) {
|
||||
line = printVarInsnNode((VarInsnNode) ain);
|
||||
} else if (ain instanceof IntInsnNode) {
|
||||
line = printIntInsnNode((IntInsnNode) ain);
|
||||
} else if (ain instanceof FieldInsnNode) {
|
||||
line = printFieldInsnNode((FieldInsnNode) ain);
|
||||
} else if (ain instanceof MethodInsnNode) {
|
||||
line = printMethodInsnNode((MethodInsnNode) ain);
|
||||
} else if (ain instanceof LdcInsnNode) {
|
||||
line = printLdcInsnNode((LdcInsnNode) ain);
|
||||
} else if (ain instanceof InsnNode) {
|
||||
line = printInsnNode((InsnNode) ain);
|
||||
} else if (ain instanceof JumpInsnNode) {
|
||||
line = printJumpInsnNode((JumpInsnNode) ain);
|
||||
} else if (ain instanceof LineNumberNode) {
|
||||
line = printLineNumberNode();
|
||||
} else if (ain instanceof LabelNode) {
|
||||
if (firstLabel
|
||||
&& BytecodeViewer.viewer.appendBracketsToLabels
|
||||
.isSelected())
|
||||
info.add("}");
|
||||
|
||||
line = printLabelnode((LabelNode) ain);
|
||||
|
||||
if (BytecodeViewer.viewer.appendBracketsToLabels.isSelected()) {
|
||||
if (!firstLabel)
|
||||
firstLabel = true;
|
||||
line += " {";
|
||||
}
|
||||
} else if (ain instanceof TypeInsnNode) {
|
||||
line = printTypeInsnNode((TypeInsnNode) ain);
|
||||
} else if (ain instanceof FrameNode) {
|
||||
line = printFrameNode((FrameNode) ain);
|
||||
} else if (ain instanceof IincInsnNode) {
|
||||
line = printIincInsnNode((IincInsnNode) ain);
|
||||
} else if (ain instanceof TableSwitchInsnNode) {
|
||||
line = printTableSwitchInsnNode((TableSwitchInsnNode) ain);
|
||||
} else if (ain instanceof LookupSwitchInsnNode) {
|
||||
line = printLookupSwitchInsnNode((LookupSwitchInsnNode) ain);
|
||||
} else if (ain instanceof InvokeDynamicInsnNode) {
|
||||
line = printInvokeDynamicInsNode((InvokeDynamicInsnNode) ain);
|
||||
} else if (ain instanceof MultiANewArrayInsnNode) {
|
||||
line = printMultiANewArrayInsNode((MultiANewArrayInsnNode) ain);
|
||||
} else {
|
||||
line += "UNADDED OPCODE: " + nameOpcode(ain.getOpcode()) + " "
|
||||
+ ain;
|
||||
}
|
||||
String line = printInstruction(ain);
|
||||
if (!line.isEmpty()) {
|
||||
if (match)
|
||||
if (matchedInsns.contains(ain))
|
||||
line = " -> " + line;
|
||||
|
||||
|
||||
info.add(line);
|
||||
}
|
||||
}
|
||||
|
@ -165,6 +120,60 @@ public class InstructionPrinter {
|
|||
info.add("}");
|
||||
return info;
|
||||
}
|
||||
|
||||
public String printInstruction(AbstractInsnNode ain)
|
||||
{
|
||||
String line = "";
|
||||
if (ain instanceof VarInsnNode) {
|
||||
line = printVarInsnNode((VarInsnNode) ain);
|
||||
} else if (ain instanceof IntInsnNode) {
|
||||
line = printIntInsnNode((IntInsnNode) ain);
|
||||
} else if (ain instanceof FieldInsnNode) {
|
||||
line = printFieldInsnNode((FieldInsnNode) ain);
|
||||
} else if (ain instanceof MethodInsnNode) {
|
||||
line = printMethodInsnNode((MethodInsnNode) ain);
|
||||
} else if (ain instanceof LdcInsnNode) {
|
||||
line = printLdcInsnNode((LdcInsnNode) ain);
|
||||
} else if (ain instanceof InsnNode) {
|
||||
line = printInsnNode((InsnNode) ain);
|
||||
} else if (ain instanceof JumpInsnNode) {
|
||||
line = printJumpInsnNode((JumpInsnNode) ain);
|
||||
} else if (ain instanceof LineNumberNode) {
|
||||
line = printLineNumberNode();
|
||||
} else if (ain instanceof LabelNode) {
|
||||
if (firstLabel
|
||||
&& BytecodeViewer.viewer.appendBracketsToLabels
|
||||
.isSelected())
|
||||
info.add("}");
|
||||
|
||||
line = printLabelnode((LabelNode) ain);
|
||||
|
||||
if (BytecodeViewer.viewer.appendBracketsToLabels.isSelected()) {
|
||||
if (!firstLabel)
|
||||
firstLabel = true;
|
||||
line += " {";
|
||||
}
|
||||
} else if (ain instanceof TypeInsnNode) {
|
||||
line = printTypeInsnNode((TypeInsnNode) ain);
|
||||
} else if (ain instanceof FrameNode) {
|
||||
line = printFrameNode((FrameNode) ain);
|
||||
} else if (ain instanceof IincInsnNode) {
|
||||
line = printIincInsnNode((IincInsnNode) ain);
|
||||
} else if (ain instanceof TableSwitchInsnNode) {
|
||||
line = printTableSwitchInsnNode((TableSwitchInsnNode) ain);
|
||||
} else if (ain instanceof LookupSwitchInsnNode) {
|
||||
line = printLookupSwitchInsnNode((LookupSwitchInsnNode) ain);
|
||||
} else if (ain instanceof InvokeDynamicInsnNode) {
|
||||
line = printInvokeDynamicInsNode((InvokeDynamicInsnNode) ain);
|
||||
} else if (ain instanceof MultiANewArrayInsnNode) {
|
||||
line = printMultiANewArrayInsNode((MultiANewArrayInsnNode) ain);
|
||||
} else {
|
||||
line += "UNADDED OPCODE: " + nameOpcode(ain.getOpcode()) + " "
|
||||
+ ain;
|
||||
}
|
||||
|
||||
return line;
|
||||
}
|
||||
|
||||
protected String printVarInsnNode(VarInsnNode vin) {
|
||||
StringBuilder sb = new StringBuilder();
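Review bot: `createPrint()` now appears to clear and return the shared `info` field (the `+`/`-` markers are lost on this page, so this is read from the added field and the `info.clear()` line), which means a list handed out by an earlier call is emptied and refilled by the next call on the same printer. Returning a copy, `return new ArrayList<>(info);`, would keep earlier results stable for callers that hold on to them. The extracted public `printInstruction` still does `info.add("}")` and sets `firstLabel` in its `LabelNode` branch, so calling it outside `createPrint()` changes printer state; its Javadoc should say that, or the bracket handling should stay in `createPrint()`. Neither field is synchronized, so a printer shared between threads would interleave output.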
|
||||
|
|
|
@ -2,6 +2,7 @@ package the.bytecode.club.bytecodeviewer.malwarescanner;
|
|||
|
||||
import org.objectweb.asm.tree.*;
|
||||
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
|
||||
import the.bytecode.club.bytecodeviewer.decompilers.bytecode.InstructionPrinter;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
|
||||
|
||||
/**
|
||||
|
@ -12,6 +13,7 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
|
|||
*/
|
||||
public abstract class MalwareCodeScanner implements CodeScanner
|
||||
{
|
||||
private final InstructionPrinter instructionPrinter = new InstructionPrinter(null, null);
|
||||
public MalwareScanModule module;
|
||||
|
||||
public abstract void scanFieldString(MalwareScan scan, ClassNode cn, FieldNode field, SearchableString string);
|
||||
|
@ -79,6 +81,11 @@ public abstract class MalwareCodeScanner implements CodeScanner
|
|||
return cn.name + "." + method.name + "(" + method.desc + ")";
|
||||
}
|
||||
|
||||
public String instructionToString(AbstractInsnNode instruction)
|
||||
{
|
||||
return instructionPrinter.printInstruction(instruction).trim();
|
||||
}
|
||||
|
||||
public String header()
|
||||
{
|
||||
String header = String.format("%30s", (module.getReadableName() + " ->\t"));
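Review bot: `new InstructionPrinter(null, null)` builds the shared printer without a method node or argument table, while `instructionToString` accepts any `AbstractInsnNode`; whether that is safe depends on which print helpers read that state, and their bodies are not visible here. The scanner hunks on this page cast the instruction to `MethodInsnNode` before the call, but a later scanner passing a `LabelNode` would reach the branch of `printInstruction` that writes to the printer's `info` list and `firstLabel` flag. A field comment such as `// method-less printer: only for instruction kinds that need no MethodNode state` and a Javadoc on `instructionToString` naming the supported node types would document the limit. `header()` continues outside the hunk.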
|
||||
|
|
|
@ -38,7 +38,7 @@ public class AWTRobotScanner extends MalwareCodeScanner
|
|||
{
|
||||
final MethodInsnNode min = (MethodInsnNode) instruction;
|
||||
if (min.owner.startsWith("java/awt/Robot"))
|
||||
foundMethod(scan, methodToString(cn, method) + nl);
|
||||
foundMethod(scan, instructionToString(instruction) + " at " + methodToString(cn, method) + nl);
|
||||
}
|
||||
}
|
||||
}
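Review bot: The report line `instructionToString(instruction) + " at " + methodToString(cn, method) + nl` is repeated verbatim here and in the JavaIOScanner, JavaNetScanner, JavaRuntimeScanner and ReflectionScanner hunks; one helper on `MalwareCodeScanner`, for example `protected String foundAt(ClassNode cn, MethodNode method, AbstractInsnNode insn)`, would keep the format in one place. Both halves of the line are built from names read out of the class being scanned, so if the printer emits them verbatim (not visible here), line breaks or control characters in an owner or method name could split a report entry or make one look like another. Escaping non-printable characters inside that helper would cover all five scanners at once. The enclosing method starts outside the hunk.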
|
|
@ -26,7 +26,7 @@ public class JavaIOScanner extends MalwareCodeScanner
|
|||
{
|
||||
final MethodInsnNode min = (MethodInsnNode) instruction;
|
||||
if (min.owner.startsWith("java/io"))
|
||||
foundMethod(scan, methodToString(cn, method) + nl);
|
||||
foundMethod(scan, instructionToString(instruction) + " at " + methodToString(cn, method) + nl);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -27,7 +27,7 @@ public class JavaNetScanner extends MalwareCodeScanner
|
|||
{
|
||||
final MethodInsnNode min = (MethodInsnNode) instruction;
|
||||
if (min.owner.startsWith("java/net"))
|
||||
foundMethod(scan, methodToString(cn, method) + nl);
|
||||
foundMethod(scan, instructionToString(instruction) + " at " + methodToString(cn, method) + nl);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -38,7 +38,7 @@ public class JavaRuntimeScanner extends MalwareCodeScanner
|
|||
{
|
||||
final MethodInsnNode min = (MethodInsnNode) instruction;
|
||||
if (min.owner.startsWith("java/lang/Runtime"))
|
||||
foundMethod(scan, methodToString(cn, method) + nl);
|
||||
foundMethod(scan, instructionToString(instruction) + " at " + methodToString(cn, method) + nl);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -29,7 +29,7 @@ public class ReflectionScanner extends MalwareCodeScanner
|
|||
{
|
||||
final MethodInsnNode min = (MethodInsnNode) instruction;
|
||||
if (min.owner.startsWith("java/lang/reflect"))
|
||||
foundMethod(scan, methodToString(cn, method) + nl);
|
||||
foundMethod(scan, instructionToString(instruction) + " at " + methodToString(cn, method) + nl);
|
||||
}
|
||||
}
|
||||
}
|