Malware Scanner Tidying
This commit is contained in:
Konloch
parent
c15103e78e
commit
db0dbdb9dc
|
|
@ -13,7 +13,6 @@ import the.bytecode.club.bytecodeviewer.*;
|
|||
import the.bytecode.club.bytecodeviewer.api.ExceptionUI;
|
||||
import the.bytecode.club.bytecodeviewer.gui.components.*;
|
||||
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions;
|
||||
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2;
|
||||
import the.bytecode.club.bytecodeviewer.gui.plugins.ReplaceStringsOptions;
|
||||
import the.bytecode.club.bytecodeviewer.gui.resourcelist.ResourceListPane;
|
||||
import the.bytecode.club.bytecodeviewer.gui.resourcesearch.SearchBoxPane;
|
||||
|
|
@ -567,7 +566,7 @@ public class MainViewerGUI extends JFrame
|
|||
|
||||
openExternalPlugin.addActionListener(arg0 -> openExternalPlugin());
|
||||
codeSequenceDiagram.addActionListener(arg0 -> CodeSequenceDiagram.open());
|
||||
maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptionsV2.open());
|
||||
maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptions.open());
|
||||
showMainMethods.addActionListener(e -> PluginManager.runPlugin(new ShowMainMethods()));
|
||||
showAllStrings.addActionListener(e -> PluginManager.runPlugin(new ShowAllStrings()));
|
||||
replaceStrings.addActionListener(arg0 -> ReplaceStringsOptions.open());
|
||||
|
|
|
|||
|
|
@ -1,15 +1,16 @@
|
|||
package the.bytecode.club.bytecodeviewer.gui.plugins;
|
||||
|
||||
import java.awt.Dimension;
|
||||
import javax.swing.JButton;
|
||||
import javax.swing.JCheckBox;
|
||||
import javax.swing.JFrame;
|
||||
|
||||
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
|
||||
import the.bytecode.club.bytecodeviewer.Resources;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions;
|
||||
import the.bytecode.club.bytecodeviewer.plugin.PluginManager;
|
||||
import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner;
|
||||
|
||||
import javax.swing.*;
|
||||
import java.awt.*;
|
||||
import java.util.ArrayList;
|
||||
|
||||
/***************************************************************************
|
||||
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
|
||||
* Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com *
|
||||
|
|
@ -29,97 +30,54 @@ import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner
|
|||
***************************************************************************/
|
||||
|
||||
/**
|
||||
* A simple GUI to select the Malicious Code Scanner options.
|
||||
* This GUI automatically populates the scan options from the MalwareScanModule enum.
|
||||
*
|
||||
* @author Konloch
|
||||
* @author Adrianherrera
|
||||
*/
|
||||
|
||||
public class MaliciousCodeScannerOptions extends JFrame
|
||||
{
|
||||
private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26;
|
||||
|
||||
public static void open()
|
||||
{
|
||||
if (BytecodeViewer.getLoadedClasses().isEmpty()) {
|
||||
if (BytecodeViewer.getLoadedClasses().isEmpty())
|
||||
{
|
||||
BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file.");
|
||||
return;
|
||||
}
|
||||
|
||||
new MaliciousCodeScannerOptions().setVisible(true);
|
||||
}
|
||||
|
||||
public MaliciousCodeScannerOptions()
|
||||
{
|
||||
this.setIconImages(Resources.iconList);
|
||||
setSize(new Dimension(250, 323));
|
||||
setSize(new Dimension(250, 7 + (MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS) + 90));
|
||||
setResizable(false);
|
||||
setTitle("Malicious Code Scanner Options");
|
||||
getContentPane().setLayout(null);
|
||||
|
||||
final JCheckBox chckbxJavalangreflection = new JCheckBox("java/lang/reflection");
|
||||
chckbxJavalangreflection.setSelected(true);
|
||||
chckbxJavalangreflection.setBounds(6, 7, 232, 23);
|
||||
getContentPane().add(chckbxJavalangreflection);
|
||||
|
||||
final JCheckBox chckbxJavanet = new JCheckBox("java/net");
|
||||
chckbxJavanet.setSelected(true);
|
||||
chckbxJavanet.setBounds(6, 81, 232, 23);
|
||||
getContentPane().add(chckbxJavanet);
|
||||
|
||||
final JCheckBox chckbxJavaio = new JCheckBox("java/io");
|
||||
chckbxJavaio.setBounds(6, 104, 232, 23);
|
||||
getContentPane().add(chckbxJavaio);
|
||||
|
||||
final JCheckBox chckbxJavalangruntime = new JCheckBox("java/lang/Runtime");
|
||||
chckbxJavalangruntime.setSelected(true);
|
||||
chckbxJavalangruntime.setBounds(6, 33, 232, 23);
|
||||
getContentPane().add(chckbxJavalangruntime);
|
||||
|
||||
final JCheckBox chckbxLdcContainswww = new JCheckBox("LDC contains 'www.'");
|
||||
chckbxLdcContainswww.setSelected(true);
|
||||
chckbxLdcContainswww.setBounds(6, 130, 232, 23);
|
||||
getContentPane().add(chckbxLdcContainswww);
|
||||
|
||||
final JCheckBox chckbxLdcContainshttp = new JCheckBox("LDC contains 'http://'");
|
||||
chckbxLdcContainshttp.setSelected(true);
|
||||
chckbxLdcContainshttp.setBounds(6, 156, 232, 23);
|
||||
getContentPane().add(chckbxLdcContainshttp);
|
||||
|
||||
final JCheckBox chckbxLdcContainshttps = new JCheckBox("LDC contains 'https://'");
|
||||
chckbxLdcContainshttps.setSelected(true);
|
||||
chckbxLdcContainshttps.setBounds(6, 182, 232, 23);
|
||||
getContentPane().add(chckbxLdcContainshttps);
|
||||
|
||||
final JCheckBox chckbxLdcMatchesIp = new JCheckBox("LDC matches IP regex");
|
||||
chckbxLdcMatchesIp.setSelected(true);
|
||||
chckbxLdcMatchesIp.setBounds(6, 208, 232, 23);
|
||||
getContentPane().add(chckbxLdcMatchesIp);
|
||||
|
||||
final JCheckBox chckbxNullSecMan = new JCheckBox("SecurityManager set to null");
|
||||
chckbxNullSecMan.setSelected(true);
|
||||
chckbxNullSecMan.setBounds(6, 234, 232, 23);
|
||||
getContentPane().add(chckbxNullSecMan);
|
||||
|
||||
final JCheckBox chckbxJavaawtrobot = new JCheckBox("java/awt/Robot");
|
||||
chckbxJavaawtrobot.setSelected(true);
|
||||
chckbxJavaawtrobot.setBounds(6, 59, 232, 23);
|
||||
getContentPane().add(chckbxJavaawtrobot);
|
||||
|
||||
ArrayList<MaliciousCodeOptions> checkBoxes = new ArrayList<>();
|
||||
|
||||
int y = 7;
|
||||
for(MalwareScanModule module : MalwareScanModule.values())
|
||||
{
|
||||
final JCheckBox checkBox = new JCheckBox(module.getOptionText());
|
||||
checkBox.setSelected(module.isToggledByDefault());
|
||||
checkBox.setBounds(6, y, 232, 23);
|
||||
getContentPane().add(checkBox);
|
||||
checkBoxes.add(new MaliciousCodeOptions(module, checkBox));
|
||||
|
||||
y += SPACER_HEIGHT_BETWEEN_OPTIONS;
|
||||
}
|
||||
|
||||
JButton btnNewButton = new JButton("Start Scanning");
|
||||
/*btnNewButton.addActionListener(arg0 -> {
|
||||
PluginManager.runPlugin(new MaliciousCodeScanner(
|
||||
chckbxJavalangreflection.isSelected(),
|
||||
chckbxJavalangruntime.isSelected(),
|
||||
chckbxJavanet.isSelected(),
|
||||
chckbxJavaio.isSelected(),
|
||||
chckbxLdcContainswww.isSelected(),
|
||||
chckbxLdcContainshttp.isSelected(),
|
||||
chckbxLdcContainshttps.isSelected(),
|
||||
chckbxLdcMatchesIp.isSelected(),
|
||||
chckbxNullSecMan.isSelected(),
|
||||
chckbxJavaawtrobot.isSelected()));
|
||||
btnNewButton.addActionListener(arg0 -> {
|
||||
PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes));
|
||||
dispose();
|
||||
});*/
|
||||
});
|
||||
|
||||
btnNewButton.setBounds(6, 264, 232, 23);
|
||||
btnNewButton.setBounds(6, y, 232, 23);
|
||||
getContentPane().add(btnNewButton);
|
||||
this.setLocationRelativeTo(null);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,106 +0,0 @@
|
|||
package the.bytecode.club.bytecodeviewer.gui.plugins;
|
||||
|
||||
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
|
||||
import the.bytecode.club.bytecodeviewer.Resources;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
|
||||
import the.bytecode.club.bytecodeviewer.plugin.PluginManager;
|
||||
import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner;
|
||||
|
||||
import javax.swing.*;
|
||||
import java.awt.*;
|
||||
import java.util.ArrayList;
|
||||
|
||||
/***************************************************************************
|
||||
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
|
||||
* Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com *
|
||||
* *
|
||||
* This program is free software: you can redistribute it and/or modify *
|
||||
* it under the terms of the GNU General Public License as published by *
|
||||
* the Free Software Foundation, either version 3 of the License, or *
|
||||
* (at your option) any later version. *
|
||||
* *
|
||||
* This program is distributed in the hope that it will be useful, *
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
||||
* GNU General Public License for more details. *
|
||||
* *
|
||||
* You should have received a copy of the GNU General Public License *
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>. *
|
||||
***************************************************************************/
|
||||
|
||||
/**
|
||||
* This GUI automatically populates the scan options from the MalwareScanModule enum.
|
||||
*
|
||||
* @author Konloch
|
||||
*/
|
||||
|
||||
public class MaliciousCodeScannerOptionsV2 extends JFrame
|
||||
{
|
||||
private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26;
|
||||
|
||||
public static void open()
|
||||
{
|
||||
if (BytecodeViewer.getLoadedClasses().isEmpty())
|
||||
{
|
||||
BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file.");
|
||||
return;
|
||||
}
|
||||
|
||||
new MaliciousCodeScannerOptionsV2().setVisible(true);
|
||||
}
|
||||
|
||||
public MaliciousCodeScannerOptionsV2()
|
||||
{
|
||||
this.setIconImages(Resources.iconList);
|
||||
setSize(new Dimension(250, 7+(MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS)+90));
|
||||
setResizable(false);
|
||||
setTitle("Malicious Code Scanner Options");
|
||||
getContentPane().setLayout(null);
|
||||
ArrayList<MaliciousCodeOptions> checkBoxes = new ArrayList<>();
|
||||
|
||||
int y = 7;
|
||||
for(MalwareScanModule module : MalwareScanModule.values())
|
||||
{
|
||||
final JCheckBox checkBox = new JCheckBox(module.getReadableName());
|
||||
checkBox.setSelected(module.isToggledByDefault()); //TODO
|
||||
checkBox.setBounds(6, y, 232, 23);
|
||||
getContentPane().add(checkBox);
|
||||
checkBoxes.add(new MaliciousCodeOptions(module, checkBox));
|
||||
|
||||
y += SPACER_HEIGHT_BETWEEN_OPTIONS;
|
||||
}
|
||||
|
||||
JButton btnNewButton = new JButton("Start Scanning");
|
||||
btnNewButton.addActionListener(arg0 -> {
|
||||
PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes));
|
||||
dispose();
|
||||
});
|
||||
|
||||
btnNewButton.setBounds(6, y, 232, 23);
|
||||
getContentPane().add(btnNewButton);
|
||||
this.setLocationRelativeTo(null);
|
||||
}
|
||||
|
||||
private static final long serialVersionUID = -2662514582647810868L;
|
||||
|
||||
public static class MaliciousCodeOptions
|
||||
{
|
||||
private final MalwareScanModule module;
|
||||
private final JCheckBox checkBox;
|
||||
|
||||
public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox) {
|
||||
this.module = module;
|
||||
this.checkBox = checkBox;
|
||||
}
|
||||
|
||||
public JCheckBox getCheckBox()
|
||||
{
|
||||
return checkBox;
|
||||
}
|
||||
|
||||
public MalwareScanModule getModule()
|
||||
{
|
||||
return module;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
package the.bytecode.club.bytecodeviewer.malwarescanner;
|
||||
|
||||
import org.objectweb.asm.tree.*;
|
||||
import the.bytecode.club.bytecodeviewer.BytecodeViewer;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
|
||||
|
||||
/**
|
||||
|
|
@ -11,6 +12,8 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString;
|
|||
*/
|
||||
public abstract class MalwareCodeScanner implements CodeScanner
|
||||
{
|
||||
public MalwareScanModule module;
|
||||
|
||||
public abstract void scanFieldString(MalwareScan scan, ClassNode cn, FieldNode field, SearchableString string);
|
||||
|
||||
public abstract void scanMethodString(MalwareScan scan, ClassNode cn, MethodNode method, SearchableString string);
|
||||
|
|
@ -76,18 +79,29 @@ public abstract class MalwareCodeScanner implements CodeScanner
|
|||
return cn.name + "." + method.name + "(" + method.desc + ")";
|
||||
}
|
||||
|
||||
public String header()
|
||||
{
|
||||
String header = String.format("%30s", (module.getReadableName() + " ->\t"));
|
||||
|
||||
//TODO display the file container for this specific ClassNode
|
||||
if(BytecodeViewer.viewer.showFileInTabTitle.isSelected())
|
||||
header += "{fileContainerGoesHere}\t";
|
||||
|
||||
return header;
|
||||
}
|
||||
|
||||
public void foundLDC(MalwareScan scan, String ldc, String foundAt)
|
||||
{
|
||||
scan.sb.append("Found LDC \"").append(ldc).append("\" ").append(foundAt);
|
||||
scan.sb.append(header() + " Found LDC \"").append(ldc).append("\" ").append(foundAt);
|
||||
}
|
||||
|
||||
public void foundMethod(MalwareScan scan, String foundAt)
|
||||
{
|
||||
scan.sb.append("Found Method call to ").append(foundAt);
|
||||
scan.sb.append(header() + " Found Method call to ").append(foundAt);
|
||||
}
|
||||
|
||||
public void found(MalwareScan scan, String found)
|
||||
{
|
||||
scan.sb.append("Found ").append(found);
|
||||
scan.sb.append(header() + " Found ").append(found);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
package the.bytecode.club.bytecodeviewer.malwarescanner;
|
||||
|
||||
import org.apache.commons.text.WordUtils;
|
||||
import org.objectweb.asm.tree.ClassNode;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*;
|
||||
|
||||
|
|
@ -12,22 +13,36 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*;
|
|||
public enum MalwareScanModule
|
||||
{
|
||||
URL_SCANNER("Scan String URLs", new URLScanner(), true),
|
||||
REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), true),
|
||||
REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), false),
|
||||
JAVA_RUNTIME_SCANNER("Scan Java Runtime", new JavaRuntimeScanner(), true),
|
||||
JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), true),
|
||||
JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), false),
|
||||
JAVA_IO_SCANNER("Scan Java IO", new JavaIOScanner(), false),
|
||||
AWT_ROBOT_SCANNER("Scan AWT Robot", new AWTRobotScanner(), true),
|
||||
NULL_SECURITY_MANAGER("Scan Null SecurityManager", new NullSecurityManagerScanner(), true),
|
||||
;
|
||||
|
||||
static
|
||||
{
|
||||
for(MalwareScanModule module : values())
|
||||
module.malwareScanner.module = module;
|
||||
}
|
||||
|
||||
private final String readableName;
|
||||
private final CodeScanner codeScanner;
|
||||
private final String optionText;
|
||||
private final MalwareCodeScanner malwareScanner;
|
||||
private final boolean toggledByDefault;
|
||||
|
||||
MalwareScanModule(String readableName, CodeScanner codeScanner, boolean toggledByDefault) {
|
||||
this.readableName = readableName;
|
||||
this.codeScanner = codeScanner;
|
||||
MalwareScanModule(String optionText, MalwareCodeScanner malwareScanner, boolean toggledByDefault)
|
||||
{
|
||||
this.optionText = optionText;
|
||||
this.malwareScanner = malwareScanner;
|
||||
this.toggledByDefault = toggledByDefault;
|
||||
this.readableName = WordUtils.capitalizeFully(name().replace("_", " ").toLowerCase());
|
||||
}
|
||||
|
||||
public String getOptionText()
|
||||
{
|
||||
return optionText;
|
||||
}
|
||||
|
||||
public String getReadableName()
|
||||
|
|
@ -35,9 +50,9 @@ public enum MalwareScanModule
|
|||
return readableName;
|
||||
}
|
||||
|
||||
public CodeScanner getCodeScanner()
|
||||
public CodeScanner getMalwareScanner()
|
||||
{
|
||||
return codeScanner;
|
||||
return malwareScanner;
|
||||
}
|
||||
|
||||
public boolean isToggledByDefault()
|
||||
|
|
@ -51,7 +66,7 @@ public enum MalwareScanModule
|
|||
{
|
||||
for (MalwareScanModule module : values())
|
||||
if(scan.scanOptions.contains(module.name()))
|
||||
module.codeScanner.scanningClass(scan, cn);
|
||||
module.malwareScanner.scanningClass(scan, cn);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
package the.bytecode.club.bytecodeviewer.malwarescanner.util;
|
||||
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
|
||||
|
||||
import javax.swing.*;
|
||||
|
||||
/**
|
||||
* @author Konloch
|
||||
* @since 6/27/2021
|
||||
*/
|
||||
public class MaliciousCodeOptions
|
||||
{
|
||||
private final MalwareScanModule module;
|
||||
private final JCheckBox checkBox;
|
||||
|
||||
public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox)
|
||||
{
|
||||
this.module = module;
|
||||
this.checkBox = checkBox;
|
||||
}
|
||||
|
||||
public JCheckBox getCheckBox()
|
||||
{
|
||||
return checkBox;
|
||||
}
|
||||
|
||||
public MalwareScanModule getModule()
|
||||
{
|
||||
return module;
|
||||
}
|
||||
}
|
||||
|
|
@ -7,12 +7,9 @@ import java.util.List;
|
|||
import org.objectweb.asm.tree.ClassNode;
|
||||
import the.bytecode.club.bytecodeviewer.api.Plugin;
|
||||
import the.bytecode.club.bytecodeviewer.api.PluginConsole;
|
||||
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions;
|
||||
import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScan;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule;
|
||||
|
||||
import javax.swing.*;
|
||||
import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions;
|
||||
|
||||
/***************************************************************************
|
||||
* Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite *
|
||||
|
|
@ -38,16 +35,15 @@ import javax.swing.*;
|
|||
* This tool is used to help aid reverse engineers in identifying malicious code.
|
||||
*
|
||||
* @author Konloch
|
||||
* @author Adrianherrera
|
||||
* @author WaterWolf
|
||||
* @since 10/02/2011
|
||||
*/
|
||||
|
||||
public class MaliciousCodeScanner extends Plugin
|
||||
{
|
||||
public final List<MaliciousCodeScannerOptionsV2.MaliciousCodeOptions> options;
|
||||
public final List<MaliciousCodeOptions> options;
|
||||
|
||||
public MaliciousCodeScanner(List<MaliciousCodeScannerOptionsV2.MaliciousCodeOptions> options)
|
||||
public MaliciousCodeScanner(List<MaliciousCodeOptions> options)
|
||||
{
|
||||
this.options = options;
|
||||
}
|
||||
|
|
@ -58,10 +54,9 @@ public class MaliciousCodeScanner extends Plugin
|
|||
PluginConsole frame = new PluginConsole("Malicious Code Scanner");
|
||||
StringBuilder sb = new StringBuilder();
|
||||
|
||||
//TODO automate this when the GUI has been changed
|
||||
HashSet<String> scanOptions = new HashSet<>();
|
||||
|
||||
for(MaliciousCodeScannerOptionsV2.MaliciousCodeOptions option : options)
|
||||
for(MaliciousCodeOptions option : options)
|
||||
if(option.getCheckBox().isSelected())
|
||||
scanOptions.add(option.getModule().name());
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue