01/11/2015 - Improved the Refresh Class function to be used as the
default compile function.
01/11/2015 - Implemented better error handling for decompiling class
files.
01/15/2015 - CTRL + O will open the add file interface.
01/15/2015 - CTRL + N will open the net workspace interface.
01/15/2015 - It will now save the last directory you opened.
01/15/2015 - Somehow the URL for the auto-updater change log got
changed; this has been fixed.
01/15/2015 - Slightly updated the change log display, it'll now show all
the changes since your version.
01/16/2015 - Made EZ-Injection UI look a bit nicer.
01/27/2015 - Decided to scrap the  JVM Sandbox POC and use the Security
Manager.
01/27/2015 - BCV now blocks exec and won't allow any ports to be bound.
This commit is contained in:
Kalen Kinloch 2015-01-27 12:45:12 -08:00
parent bc9cfe13f3
commit d9f35b8288
5 changed files with 37 additions and 28 deletions



@ -80,12 +80,8 @@ import the.bytecode.club.bytecodeviewer.plugins.PluginManager;
* Option to make the bytecode pane automatically scroll to where the source code pane is * Option to make the bytecode pane automatically scroll to where the source code pane is
* Replacing all string field calls with the string instance - would require EZ-Injection to run code? * Replacing all string field calls with the string instance - would require EZ-Injection to run code?
* Spiffy up the plugin console with red text optional, would require JTextPane, not JTextArea. * Spiffy up the plugin console with red text optional, would require JTextPane, not JTextArea.
* Add robot to malware scanner
* Add right click on tab > close other tabs > close this tab * Add right click on tab > close other tabs > close this tab
* Try automatic insert return null for all runtime.exec methods via ASM3; //maybe just do AMS5 then obfuscate the dex2jar shit. * maybe just do AMS5 then obfuscate the dex2jar shit.
*
* Look at Desktop.getDesktop().open();
* refine POC and just use sec man
* *
* ----Beta 1.0.0-----: * ----Beta 1.0.0-----:
* 10/4/2014 - Designed a POC GUI, still needs a lot of work. * 10/4/2014 - Designed a POC GUI, still needs a lot of work.
@ -304,15 +300,12 @@ import the.bytecode.club.bytecodeviewer.plugins.PluginManager;
* 01/16/2015 - Made EZ-Injection UI look a bit nicer. * 01/16/2015 - Made EZ-Injection UI look a bit nicer.
* 01/27/2015 - Decided to scrap the JVM Sandbox POC and use the Security Manager. * 01/27/2015 - Decided to scrap the JVM Sandbox POC and use the Security Manager.
* 01/27/2015 - BCV now blocks exec and won't allow any ports to be bound. * 01/27/2015 - BCV now blocks exec and won't allow any ports to be bound.
* 01/27/2015 - Added java.awt.Robot to the malicious code scanner.
* *
* @author Konloch * @author Konloch
* *
*/ */
/**
* Store the inst object and original class bytes, then allow optional real time toggling?
*/
public class BytecodeViewer { public class BytecodeViewer {
public static MainViewerGUI viewer = null; public static MainViewerGUI viewer = null;


@ -25,7 +25,7 @@ import java.awt.event.ActionEvent;
public class MaliciousCodeScannerOptions extends JFrame { public class MaliciousCodeScannerOptions extends JFrame {
public MaliciousCodeScannerOptions() { public MaliciousCodeScannerOptions() {
this.setIconImages(BytecodeViewer.iconList); this.setIconImages(BytecodeViewer.iconList);
setSize(new Dimension(250, 300)); setSize(new Dimension(250, 323));
setResizable(false); setResizable(false);
setTitle("Malicious Code Scanner Options"); setTitle("Malicious Code Scanner Options");
getContentPane().setLayout(null); getContentPane().setLayout(null);
@ -38,11 +38,11 @@ public class MaliciousCodeScannerOptions extends JFrame {
final JCheckBox chckbxJavanet = new JCheckBox("java/net"); final JCheckBox chckbxJavanet = new JCheckBox("java/net");
chckbxJavanet.setSelected(true); chckbxJavanet.setSelected(true);
chckbxJavanet.setBounds(6, 59, 232, 23); chckbxJavanet.setBounds(6, 81, 232, 23);
getContentPane().add(chckbxJavanet); getContentPane().add(chckbxJavanet);
final JCheckBox chckbxJavaio = new JCheckBox("java/io"); final JCheckBox chckbxJavaio = new JCheckBox("java/io");
chckbxJavaio.setBounds(6, 85, 232, 23); chckbxJavaio.setBounds(6, 104, 232, 23);
getContentPane().add(chckbxJavaio); getContentPane().add(chckbxJavaio);
final JCheckBox chckbxJavalangruntime = new JCheckBox( final JCheckBox chckbxJavalangruntime = new JCheckBox(
@ -54,48 +54,57 @@ public class MaliciousCodeScannerOptions extends JFrame {
final JCheckBox chckbxLdcContainswww = new JCheckBox( final JCheckBox chckbxLdcContainswww = new JCheckBox(
"LDC contains 'www.'"); "LDC contains 'www.'");
chckbxLdcContainswww.setSelected(true); chckbxLdcContainswww.setSelected(true);
chckbxLdcContainswww.setBounds(6, 111, 232, 23); chckbxLdcContainswww.setBounds(6, 130, 232, 23);
getContentPane().add(chckbxLdcContainswww); getContentPane().add(chckbxLdcContainswww);
final JCheckBox chckbxLdcContainshttp = new JCheckBox( final JCheckBox chckbxLdcContainshttp = new JCheckBox(
"LDC contains 'http://'"); "LDC contains 'http://'");
chckbxLdcContainshttp.setSelected(true); chckbxLdcContainshttp.setSelected(true);
chckbxLdcContainshttp.setBounds(6, 137, 232, 23); chckbxLdcContainshttp.setBounds(6, 156, 232, 23);
getContentPane().add(chckbxLdcContainshttp); getContentPane().add(chckbxLdcContainshttp);
final JCheckBox chckbxLdcContainshttps = new JCheckBox( final JCheckBox chckbxLdcContainshttps = new JCheckBox(
"LDC contains 'https://'"); "LDC contains 'https://'");
chckbxLdcContainshttps.setSelected(true); chckbxLdcContainshttps.setSelected(true);
chckbxLdcContainshttps.setBounds(6, 163, 232, 23); chckbxLdcContainshttps.setBounds(6, 182, 232, 23);
getContentPane().add(chckbxLdcContainshttps); getContentPane().add(chckbxLdcContainshttps);
final JCheckBox chckbxLdcMatchesIp = new JCheckBox( final JCheckBox chckbxLdcMatchesIp = new JCheckBox(
"LDC matches IP regex"); "LDC matches IP regex");
chckbxLdcMatchesIp.setSelected(true); chckbxLdcMatchesIp.setSelected(true);
chckbxLdcMatchesIp.setBounds(6, 189, 232, 23); chckbxLdcMatchesIp.setBounds(6, 208, 232, 23);
getContentPane().add(chckbxLdcMatchesIp); getContentPane().add(chckbxLdcMatchesIp);
final JCheckBox chckbxNullSecMan = new JCheckBox( final JCheckBox chckbxNullSecMan = new JCheckBox(
"SecurityManager set to null"); "SecurityManager set to null");
chckbxNullSecMan.setSelected(true); chckbxNullSecMan.setSelected(true);
chckbxNullSecMan.setBounds(6, 215, 232, 23); chckbxNullSecMan.setBounds(6, 234, 232, 23);
getContentPane().add(chckbxNullSecMan); getContentPane().add(chckbxNullSecMan);
final JCheckBox chckbxJavaawtrobot = new JCheckBox("java/awt/Robot");
chckbxJavaawtrobot.setSelected(true);
chckbxJavaawtrobot.setBounds(6, 59, 232, 23);
getContentPane().add(chckbxJavaawtrobot);
JButton btnNewButton = new JButton("Start Scanning"); JButton btnNewButton = new JButton("Start Scanning");
btnNewButton.addActionListener(new ActionListener() { btnNewButton.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent arg0) { public void actionPerformed(ActionEvent arg0) {
PluginManager.runPlugin(new MaliciousCodeScanner( PluginManager.runPlugin(new MaliciousCodeScanner(
chckbxJavalangreflection.isSelected(), chckbxJavalangreflection.isSelected(),
chckbxJavalangruntime.isSelected(), chckbxJavanet chckbxJavalangruntime.isSelected(),
.isSelected(), chckbxJavaio.isSelected(), chckbxJavanet.isSelected(),
chckbxJavaio.isSelected(),
chckbxLdcContainswww.isSelected(), chckbxLdcContainswww.isSelected(),
chckbxLdcContainshttp.isSelected(), chckbxLdcContainshttp.isSelected(),
chckbxLdcContainshttps.isSelected(), chckbxLdcMatchesIp chckbxLdcContainshttps.isSelected(),
.isSelected(), chckbxNullSecMan.isSelected())); chckbxLdcMatchesIp.isSelected(),
chckbxNullSecMan.isSelected(),
chckbxJavaawtrobot.isSelected()));
dispose(); dispose();
} }
}); });
btnNewButton.setBounds(6, 245, 232, 23);
btnNewButton.setBounds(6, 264, 232, 23);
getContentPane().add(btnNewButton); getContentPane().add(btnNewButton);
this.setLocationRelativeTo(null); this.setLocationRelativeTo(null);
} }
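Review bot: The new `chckbxJavaawtrobot` is declared after `chckbxNullSecMan` but placed at y=59, above `chckbxJavanet` (now at 81), so declaration order no longer matches display order and every later checkbox's y-coordinate had to be renumbered by hand in the earlier hunks; declaring it in display order and deriving the coordinate from a running offset (`int y = 59;` … `chckbxJavaawtrobot.setBounds(6, y, 232, 23); y += 23;`) would make the next option a one-line insertion. The call in `actionPerformed` now passes ten positional booleans to `MaliciousCodeScanner`, which a future reorder would break silently because every argument has the same type; an `EnumSet` of named detection options, or a small options object, would let the compiler catch such a mismatch. The frame height bump to 323 in the first hunk follows from the same manual layout. The constructor spans the gaps between these hunks, and the class continues outside this section.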


@ -28,11 +28,11 @@ import the.bytecode.club.bytecodeviewer.api.PluginConsole;
public class MaliciousCodeScanner extends Plugin { public class MaliciousCodeScanner extends Plugin {
public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM; public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM, ROB;
public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net, public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net,
boolean io, boolean www, boolean http, boolean https, boolean ip, boolean io, boolean www, boolean http, boolean https, boolean ip,
boolean nullSecMan) { boolean nullSecMan, boolean robot) {
ORE = reflect; ORE = reflect;
ONE = net; ONE = net;
ORU = runtime; ORU = runtime;
@ -42,6 +42,7 @@ public class MaliciousCodeScanner extends Plugin {
LHS = https; LHS = https;
LIP = ip; LIP = ip;
NSM = nullSecMan; NSM = nullSecMan;
ROB = robot;
} }
@Override @Override
@ -59,6 +60,8 @@ public class MaliciousCodeScanner extends Plugin {
|| (LHS && s.contains("https://")) || (LHS && s.contains("https://"))
|| (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java/lang/Runtime"))
|| (ORE && s.contains("java.lang.Runtime")) || (ORE && s.contains("java.lang.Runtime"))
|| (ROB && s.contains("java.awt.Robot"))
|| (ROB && s.contains("java/awt/Robot"))
|| (LIP && s || (LIP && s
.matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b")))
sb.append("Found LDC \"" + s + "\" at field " sb.append("Found LDC \"" + s + "\" at field "
@ -73,6 +76,8 @@ public class MaliciousCodeScanner extends Plugin {
|| (LHS && s.contains("https://")) || (LHS && s.contains("https://"))
|| (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java/lang/Runtime"))
|| (ORE && s.contains("java.lang.Runtime")) || (ORE && s.contains("java.lang.Runtime"))
|| (ROB && s.contains("java.awt.Robot"))
|| (ROB && s.contains("java/awt/Robot"))
|| (LIP && s || (LIP && s
.matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b")))
sb.append("Found LDC \"" + s + "\" at field " sb.append("Found LDC \"" + s + "\" at field "
@ -93,8 +98,8 @@ public class MaliciousCodeScanner extends Plugin {
final MethodInsnNode min = (MethodInsnNode) a; final MethodInsnNode min = (MethodInsnNode) a;
if ((ORE && min.owner.startsWith("java/lang/reflect")) if ((ORE && min.owner.startsWith("java/lang/reflect"))
|| (ONE && min.owner.startsWith("java/net")) || (ONE && min.owner.startsWith("java/net"))
|| (ORU && min.owner || (ORU && min.owner.equals("java/lang/Runtime"))
.equals("java/lang/Runtime")) || (ROB && min.owner.equals("java/awt/Robot"))
|| (OIO && min.owner.startsWith("java/io"))) { || (OIO && min.owner.startsWith("java/io"))) {
sb.append("Found Method call to " + min.owner + "." sb.append("Found Method call to " + min.owner + "."
+ min.name + "(" + min.desc + ") at " + min.name + "(" + min.desc + ") at "
@ -110,6 +115,8 @@ public class MaliciousCodeScanner extends Plugin {
|| (LHS && s.contains("https://")) || (LHS && s.contains("https://"))
|| (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java/lang/Runtime"))
|| (ORE && s.contains("java.lang.Runtime")) || (ORE && s.contains("java.lang.Runtime"))
|| (ROB && s.contains("java.awt.Robot"))
|| (ROB && s.contains("java/awt/Robot"))
|| (LIP && s || (LIP && s
.matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) { .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) {
sb.append("Found LDC \"" + s + "\" at method " sb.append("Found LDC \"" + s + "\" at method "
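Review bot: The pair `|| (ROB && s.contains("java.awt.Robot"))` / `|| (ROB && s.contains("java/awt/Robot"))` is added verbatim to three copies of the same LDC predicate (the hunks at -59, -73 and -110), which is exactly how a later detection ends up added at one site and forgotten at another. Extracting the predicate into one private helper, `isSuspiciousLdc(String s)`, and calling it from the field-LDC and method-LDC scans keeps the three sites in lockstep. The helper below reproduces the visible clauses; the `LWW`/`LHT` clauses that precede each hunk must be carried over from the original condition. While there, the IP regex handed to `String.matches` is recompiled for every constant scanned, so hoisting it into a `static final Pattern` is a cheap follow-up. The enclosing scan method starts and ends outside these hunks.
```java
// One predicate shared by every LDC scan (field and method), so a new
// signature such as java/awt/Robot is added in exactly one place.
private boolean isSuspiciousLdc(String s) {
    return // … unchanged: LWW / LHT clauses from the original condition …
            (LHS && s.contains("https://"))
            || (ORE && s.contains("java/lang/Runtime"))
            || (ORE && s.contains("java.lang.Runtime"))
            || (ROB && s.contains("java.awt.Robot"))
            || (ROB && s.contains("java/awt/Robot"))
            || (LIP && s.matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"));
}
// … unchanged: each scan site becomes  if (isSuspiciousLdc(s)) { sb.append(...) } …
```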