Cynosphere/bcv-vf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Malware Scanner Tidying

Browse source
This commit is contained in:
Konloch 2021-06-28 00:41:33 -07:00
parent c15103e78e
commit db0dbdb9dc
7 changed files with 108 additions and 202 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/main/java/the/bytecode/club/bytecodeviewer/gui/MainViewerGUI.java
View file

@ -13,7 +13,6 @@ import the.bytecode.club.bytecodeviewer.*;
import the.bytecode.club.bytecodeviewer.api.ExceptionUI;
import the.bytecode.club.bytecodeviewer.gui.components.*;
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions;
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2;
import the.bytecode.club.bytecodeviewer.gui.plugins.ReplaceStringsOptions;
import the.bytecode.club.bytecodeviewer.gui.resourcelist.ResourceListPane;
import the.bytecode.club.bytecodeviewer.gui.resourcesearch.SearchBoxPane;
@ -567,7 +566,7 @@ public class MainViewerGUI extends JFrame
openExternalPlugin.addActionListener(arg0 -> openExternalPlugin());
codeSequenceDiagram.addActionListener(arg0 -> CodeSequenceDiagram.open());
maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptionsV2.open());
maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptions.open());
showMainMethods.addActionListener(e -> PluginManager.runPlugin(new ShowMainMethods()));
showAllStrings.addActionListener(e -> PluginManager.runPlugin(new ShowAllStrings()));
replaceStrings.addActionListener(arg0 -> ReplaceStringsOptions.open());

104
src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptions.java
View file

@ -1,15 +1,16 @@
package the.bytecode.club.bytecodeviewer.gui.plugins;
import java.awt.Dimension;
import javax.swing.JButton;
import javax.swing.JCheckBox;
import javax.swing.JFrame;
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
import the.bytecode.club.bytecodeviewer.Resources;
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions;
import the.bytecode.club.bytecodeviewer.plugin.PluginManager;
import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner;
import javax.swing.*;
import java.awt.*;
import java.util.ArrayList;
/***************************************************************************
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
* Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com *
@ -29,97 +30,54 @@ import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner
***************************************************************************/
/**
* A simple GUI to select the Malicious Code Scanner options.
* This GUI automatically populates the scan options from the MalwareScanModule enum.
*
* @author Konloch
* @author Adrianherrera
*/
public class MaliciousCodeScannerOptions extends JFrame
{
private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26;
public static void open()
{
if (BytecodeViewer.getLoadedClasses().isEmpty()) {
if (BytecodeViewer.getLoadedClasses().isEmpty())
{
BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file.");
return;
}
new MaliciousCodeScannerOptions().setVisible(true);
}
public MaliciousCodeScannerOptions()
{
this.setIconImages(Resources.iconList);
setSize(new Dimension(250, 323));
setSize(new Dimension(250, 7 + (MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS) + 90));
setResizable(false);
setTitle("Malicious Code Scanner Options");
getContentPane().setLayout(null);
final JCheckBox chckbxJavalangreflection = new JCheckBox("java/lang/reflection");
chckbxJavalangreflection.setSelected(true);
chckbxJavalangreflection.setBounds(6, 7, 232, 23);
getContentPane().add(chckbxJavalangreflection);
final JCheckBox chckbxJavanet = new JCheckBox("java/net");
chckbxJavanet.setSelected(true);
chckbxJavanet.setBounds(6, 81, 232, 23);
getContentPane().add(chckbxJavanet);
final JCheckBox chckbxJavaio = new JCheckBox("java/io");
chckbxJavaio.setBounds(6, 104, 232, 23);
getContentPane().add(chckbxJavaio);
final JCheckBox chckbxJavalangruntime = new JCheckBox("java/lang/Runtime");
chckbxJavalangruntime.setSelected(true);
chckbxJavalangruntime.setBounds(6, 33, 232, 23);
getContentPane().add(chckbxJavalangruntime);
final JCheckBox chckbxLdcContainswww = new JCheckBox("LDC contains 'www.'");
chckbxLdcContainswww.setSelected(true);
chckbxLdcContainswww.setBounds(6, 130, 232, 23);
getContentPane().add(chckbxLdcContainswww);
final JCheckBox chckbxLdcContainshttp = new JCheckBox("LDC contains 'http://'");
chckbxLdcContainshttp.setSelected(true);
chckbxLdcContainshttp.setBounds(6, 156, 232, 23);
getContentPane().add(chckbxLdcContainshttp);
final JCheckBox chckbxLdcContainshttps = new JCheckBox("LDC contains 'https://'");
chckbxLdcContainshttps.setSelected(true);
chckbxLdcContainshttps.setBounds(6, 182, 232, 23);
getContentPane().add(chckbxLdcContainshttps);
final JCheckBox chckbxLdcMatchesIp = new JCheckBox("LDC matches IP regex");
chckbxLdcMatchesIp.setSelected(true);
chckbxLdcMatchesIp.setBounds(6, 208, 232, 23);
getContentPane().add(chckbxLdcMatchesIp);
final JCheckBox chckbxNullSecMan = new JCheckBox("SecurityManager set to null");
chckbxNullSecMan.setSelected(true);
chckbxNullSecMan.setBounds(6, 234, 232, 23);
getContentPane().add(chckbxNullSecMan);
final JCheckBox chckbxJavaawtrobot = new JCheckBox("java/awt/Robot");
chckbxJavaawtrobot.setSelected(true);
chckbxJavaawtrobot.setBounds(6, 59, 232, 23);
getContentPane().add(chckbxJavaawtrobot);
ArrayList<MaliciousCodeOptions> checkBoxes = new ArrayList<>();
int y = 7;
for(MalwareScanModule module : MalwareScanModule.values())
{
final JCheckBox checkBox = new JCheckBox(module.getOptionText());
checkBox.setSelected(module.isToggledByDefault());
checkBox.setBounds(6, y, 232, 23);
getContentPane().add(checkBox);
checkBoxes.add(new MaliciousCodeOptions(module, checkBox));
y += SPACER_HEIGHT_BETWEEN_OPTIONS;
}
JButton btnNewButton = new JButton("Start Scanning");
/*btnNewButton.addActionListener(arg0 -> {
PluginManager.runPlugin(new MaliciousCodeScanner(
chckbxJavalangreflection.isSelected(),
chckbxJavalangruntime.isSelected(),
chckbxJavanet.isSelected(),
chckbxJavaio.isSelected(),
chckbxLdcContainswww.isSelected(),
chckbxLdcContainshttp.isSelected(),
chckbxLdcContainshttps.isSelected(),
chckbxLdcMatchesIp.isSelected(),
chckbxNullSecMan.isSelected(),
chckbxJavaawtrobot.isSelected()));
btnNewButton.addActionListener(arg0 -> {
PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes));
dispose();
});*/
});
btnNewButton.setBounds(6, 264, 232, 23);
btnNewButton.setBounds(6, y, 232, 23);
getContentPane().add(btnNewButton);
this.setLocationRelativeTo(null);
}

106
src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptionsV2.java
View file

@ -1,106 +0,0 @@
package the.bytecode.club.bytecodeviewer.gui.plugins;
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
import the.bytecode.club.bytecodeviewer.Resources;
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
import the.bytecode.club.bytecodeviewer.plugin.PluginManager;
import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner;
import javax.swing.*;
import java.awt.*;
import java.util.ArrayList;
/***************************************************************************
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
* Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com *
* *
* This program is free software: you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation, either version 3 of the License, or *
* (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program. If not, see <http://www.gnu.org/licenses/>. *
***************************************************************************/
/**
* This GUI automatically populates the scan options from the MalwareScanModule enum.
*
* @author Konloch
*/
public class MaliciousCodeScannerOptionsV2 extends JFrame
{
private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26;
public static void open()
{
if (BytecodeViewer.getLoadedClasses().isEmpty())
{
BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file.");
return;
}
new MaliciousCodeScannerOptionsV2().setVisible(true);
}
public MaliciousCodeScannerOptionsV2()
{
this.setIconImages(Resources.iconList);
setSize(new Dimension(250, 7+(MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS)+90));
setResizable(false);
setTitle("Malicious Code Scanner Options");
getContentPane().setLayout(null);
ArrayList<MaliciousCodeOptions> checkBoxes = new ArrayList<>();
int y = 7;
for(MalwareScanModule module : MalwareScanModule.values())
{
final JCheckBox checkBox = new JCheckBox(module.getReadableName());
checkBox.setSelected(module.isToggledByDefault()); //TODO
checkBox.setBounds(6, y, 232, 23);
getContentPane().add(checkBox);
checkBoxes.add(new MaliciousCodeOptions(module, checkBox));
y += SPACER_HEIGHT_BETWEEN_OPTIONS;
}
JButton btnNewButton = new JButton("Start Scanning");
btnNewButton.addActionListener(arg0 -> {
PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes));
dispose();
});
btnNewButton.setBounds(6, y, 232, 23);
getContentPane().add(btnNewButton);
this.setLocationRelativeTo(null);
}
private static final long serialVersionUID = -2662514582647810868L;
public static class MaliciousCodeOptions
{
private final MalwareScanModule module;
private final JCheckBox checkBox;
public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox) {
this.module = module;
this.checkBox = checkBox;
}
public JCheckBox getCheckBox()
{
return checkBox;
}
public MalwareScanModule getModule()
{
return module;
}
}
}

20
src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareCodeScanner.java
View file

@ -1,6 +1,7 @@
package the.bytecode.club.bytecodeviewer.malwarescanner;
import org.objectweb.asm.tree.*;
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
/**
@ -11,6 +12,8 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
*/
public abstract class MalwareCodeScanner implements CodeScanner
{
public MalwareScanModule module;
public abstract void scanFieldString(MalwareScan scan, ClassNode cn, FieldNode field, SearchableString string);
public abstract void scanMethodString(MalwareScan scan, ClassNode cn, MethodNode method, SearchableString string);
@ -76,18 +79,29 @@ public abstract class MalwareCodeScanner implements CodeScanner
return cn.name + "." + method.name + "(" + method.desc + ")";
}
public String header()
{
String header = String.format("%30s", (module.getReadableName() + " ->\t"));
//TODO display the file container for this specific ClassNode
if(BytecodeViewer.viewer.showFileInTabTitle.isSelected())
header += "{fileContainerGoesHere}\t";
return header;
}
public void foundLDC(MalwareScan scan, String ldc, String foundAt)
{
scan.sb.append("Found LDC \"").append(ldc).append("\" ").append(foundAt);
scan.sb.append(header() + " Found LDC \"").append(ldc).append("\" ").append(foundAt);
}
public void foundMethod(MalwareScan scan, String foundAt)
{
scan.sb.append("Found Method call to ").append(foundAt);
scan.sb.append(header() + " Found Method call to ").append(foundAt);
}
public void found(MalwareScan scan, String found)
{
scan.sb.append("Found ").append(found);
scan.sb.append(header() + " Found ").append(found);
}
}

33
src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareScanModule.java
View file

@ -1,5 +1,6 @@
package the.bytecode.club.bytecodeviewer.malwarescanner;
import org.apache.commons.text.WordUtils;
import org.objectweb.asm.tree.ClassNode;
import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*;
@ -12,22 +13,36 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*;
public enum MalwareScanModule
{
URL_SCANNER("Scan String URLs", new URLScanner(), true),
REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), true),
REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), false),
JAVA_RUNTIME_SCANNER("Scan Java Runtime", new JavaRuntimeScanner(), true),
JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), true),
JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), false),
JAVA_IO_SCANNER("Scan Java IO", new JavaIOScanner(), false),
AWT_ROBOT_SCANNER("Scan AWT Robot", new AWTRobotScanner(), true),
NULL_SECURITY_MANAGER("Scan Null SecurityManager", new NullSecurityManagerScanner(), true),
;
static
{
for(MalwareScanModule module : values())
module.malwareScanner.module = module;
}
private final String readableName;
private final CodeScanner codeScanner;
private final String optionText;
private final MalwareCodeScanner malwareScanner;
private final boolean toggledByDefault;
MalwareScanModule(String readableName, CodeScanner codeScanner, boolean toggledByDefault) {
this.readableName = readableName;
this.codeScanner = codeScanner;
MalwareScanModule(String optionText, MalwareCodeScanner malwareScanner, boolean toggledByDefault)
{
this.optionText = optionText;
this.malwareScanner = malwareScanner;
this.toggledByDefault = toggledByDefault;
this.readableName = WordUtils.capitalizeFully(name().replace("_", " ").toLowerCase());
}
public String getOptionText()
{
return optionText;
}
public String getReadableName()
@ -35,9 +50,9 @@ public enum MalwareScanModule
return readableName;
}
public CodeScanner getCodeScanner()
public CodeScanner getMalwareScanner()
{
return codeScanner;
return malwareScanner;
}
public boolean isToggledByDefault()
@ -51,7 +66,7 @@ public enum MalwareScanModule
{
for (MalwareScanModule module : values())
if(scan.scanOptions.contains(module.name()))
module.codeScanner.scanningClass(scan, cn);
module.malwareScanner.scanningClass(scan, cn);
}
}
}

31
src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/util/MaliciousCodeOptions.java Normal file
View file

@ -0,0 +1,31 @@
package the.bytecode.club.bytecodeviewer.malwarescanner.util;
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
import javax.swing.*;
/**
* @author Konloch
* @since 6/27/2021
*/
public class MaliciousCodeOptions
{
private final MalwareScanModule module;
private final JCheckBox checkBox;
public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox)
{
this.module = module;
this.checkBox = checkBox;
}
public JCheckBox getCheckBox()
{
return checkBox;
}
public MalwareScanModule getModule()
{
return module;
}
}

13
src/main/java/the/bytecode/club/bytecodeviewer/plugin/preinstalled/MaliciousCodeScanner.java
View file

@ -7,12 +7,9 @@ import java.util.List;
import org.objectweb.asm.tree.ClassNode;
import the.bytecode.club.bytecodeviewer.api.Plugin;
import the.bytecode.club.bytecodeviewer.api.PluginConsole;
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions;
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2;
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScan;
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
import javax.swing.*;
import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions;
/***************************************************************************
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
@ -38,16 +35,15 @@ import javax.swing.*;
* This tool is used to help aid reverse engineers in identifying malicious code.
*
* @author Konloch
* @author Adrianherrera
* @author WaterWolf
* @since 10/02/2011
*/
public class MaliciousCodeScanner extends Plugin
{
public final List<MaliciousCodeScannerOptionsV2.MaliciousCodeOptions> options;
public final List<MaliciousCodeOptions> options;
public MaliciousCodeScanner(List<MaliciousCodeScannerOptionsV2.MaliciousCodeOptions> options)
public MaliciousCodeScanner(List<MaliciousCodeOptions> options)
{
this.options = options;
}
@ -58,10 +54,9 @@ public class MaliciousCodeScanner extends Plugin
PluginConsole frame = new PluginConsole("Malicious Code Scanner");
StringBuilder sb = new StringBuilder();
//TODO automate this when the GUI has been changed
HashSet<String> scanOptions = new HashSet<>();
for(MaliciousCodeScannerOptionsV2.MaliciousCodeOptions option : options)
for(MaliciousCodeOptions option : options)
if(option.getCheckBox().isSelected())
scanOptions.add(option.getModule().name());