From db0dbdb9dc4bddfe1e0db4923e08d2afb0a43707 Mon Sep 17 00:00:00 2001 From: Konloch Date: Mon, 28 Jun 2021 00:41:33 -0700 Subject: [PATCH] Malware Scanner Tidying --- .../bytecodeviewer/gui/MainViewerGUI.java | 3 +- .../plugins/MaliciousCodeScannerOptions.java | 104 +++++------------ .../MaliciousCodeScannerOptionsV2.java | 106 ------------------ .../malwarescanner/MalwareCodeScanner.java | 20 +++- .../malwarescanner/MalwareScanModule.java | 33 ++++-- .../util/MaliciousCodeOptions.java | 31 +++++ .../preinstalled/MaliciousCodeScanner.java | 13 +-- 7 files changed, 108 insertions(+), 202 deletions(-) delete mode 100644 src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptionsV2.java create mode 100644 src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/util/MaliciousCodeOptions.java diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/gui/MainViewerGUI.java b/src/main/java/the/bytecode/club/bytecodeviewer/gui/MainViewerGUI.java index 78fd6ead..d6e59e4e 100644 --- a/src/main/java/the/bytecode/club/bytecodeviewer/gui/MainViewerGUI.java +++ b/src/main/java/the/bytecode/club/bytecodeviewer/gui/MainViewerGUI.java @@ -13,7 +13,6 @@ import the.bytecode.club.bytecodeviewer.*; import the.bytecode.club.bytecodeviewer.api.ExceptionUI; import the.bytecode.club.bytecodeviewer.gui.components.*; import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions; -import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2; import the.bytecode.club.bytecodeviewer.gui.plugins.ReplaceStringsOptions; import the.bytecode.club.bytecodeviewer.gui.resourcelist.ResourceListPane; import the.bytecode.club.bytecodeviewer.gui.resourcesearch.SearchBoxPane; 
@@ -567,7 +566,7 @@ public class MainViewerGUI extends JFrame openExternalPlugin.addActionListener(arg0 -> openExternalPlugin()); codeSequenceDiagram.addActionListener(arg0 -> CodeSequenceDiagram.open()); - maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptionsV2.open()); + maliciousCodeScanner.addActionListener(e -> MaliciousCodeScannerOptions.open()); showMainMethods.addActionListener(e -> PluginManager.runPlugin(new ShowMainMethods())); showAllStrings.addActionListener(e -> PluginManager.runPlugin(new ShowAllStrings())); replaceStrings.addActionListener(arg0 -> ReplaceStringsOptions.open()); diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptions.java b/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptions.java index 071f4bf8..303e5874 100644 --- a/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptions.java +++ b/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptions.java @@ -1,15 +1,16 @@ package the.bytecode.club.bytecodeviewer.gui.plugins; -import java.awt.Dimension; -import javax.swing.JButton; -import javax.swing.JCheckBox; -import javax.swing.JFrame; - import the.bytecode.club.bytecodeviewer.BytecodeViewer; import the.bytecode.club.bytecodeviewer.Resources; +import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule; +import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions; import the.bytecode.club.bytecodeviewer.plugin.PluginManager; import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner; +import javax.swing.*; +import java.awt.*; +import java.util.ArrayList; + /*************************************************************************** * Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite * * Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com * 
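Review bot: The replacement imports `javax.swing.*` and `java.awt.*` as wildcards where the removed lines named `Dimension`, `JButton`, `JCheckBox` and `JFrame` explicitly; `java.awt.*` also brings `java.awt.List` into scope, so any later `List<...>` declaration in this class collides with `java.util.List` unless that one is imported by name. Keeping explicit imports, e.g. `import java.awt.Dimension;` alongside `import java.util.List;`, avoids the ambiguity and matches the non-wildcard style of the project imports just above.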
@@ -29,97 +30,54 @@ import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner ***************************************************************************/ /** - * A simple GUI to select the Malicious Code Scanner options. + * This GUI automatically populates the scan options from the MalwareScanModule enum. * * @author Konloch - * @author Adrianherrera */ public class MaliciousCodeScannerOptions extends JFrame { + private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26; + public static void open() { - if (BytecodeViewer.getLoadedClasses().isEmpty()) { + if (BytecodeViewer.getLoadedClasses().isEmpty()) + { BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file."); return; } + new MaliciousCodeScannerOptions().setVisible(true); } public MaliciousCodeScannerOptions() { this.setIconImages(Resources.iconList); - setSize(new Dimension(250, 323)); + setSize(new Dimension(250, 7 + (MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS) + 90)); setResizable(false); setTitle("Malicious Code Scanner Options"); getContentPane().setLayout(null); - - final JCheckBox chckbxJavalangreflection = new JCheckBox("java/lang/reflection"); - chckbxJavalangreflection.setSelected(true); - chckbxJavalangreflection.setBounds(6, 7, 232, 23); - getContentPane().add(chckbxJavalangreflection); - - final JCheckBox chckbxJavanet = new JCheckBox("java/net"); - chckbxJavanet.setSelected(true); - chckbxJavanet.setBounds(6, 81, 232, 23); - getContentPane().add(chckbxJavanet); - - final JCheckBox chckbxJavaio = new JCheckBox("java/io"); - chckbxJavaio.setBounds(6, 104, 232, 23); - getContentPane().add(chckbxJavaio); - - final JCheckBox chckbxJavalangruntime = new JCheckBox("java/lang/Runtime"); - chckbxJavalangruntime.setSelected(true); - chckbxJavalangruntime.setBounds(6, 33, 232, 23); - getContentPane().add(chckbxJavalangruntime); - - final JCheckBox chckbxLdcContainswww = new JCheckBox("LDC contains 'www.'"); - 
chckbxLdcContainswww.setSelected(true); - chckbxLdcContainswww.setBounds(6, 130, 232, 23); - getContentPane().add(chckbxLdcContainswww); - - final JCheckBox chckbxLdcContainshttp = new JCheckBox("LDC contains 'http://'"); - chckbxLdcContainshttp.setSelected(true); - chckbxLdcContainshttp.setBounds(6, 156, 232, 23); - getContentPane().add(chckbxLdcContainshttp); - - final JCheckBox chckbxLdcContainshttps = new JCheckBox("LDC contains 'https://'"); - chckbxLdcContainshttps.setSelected(true); - chckbxLdcContainshttps.setBounds(6, 182, 232, 23); - getContentPane().add(chckbxLdcContainshttps); - - final JCheckBox chckbxLdcMatchesIp = new JCheckBox("LDC matches IP regex"); - chckbxLdcMatchesIp.setSelected(true); - chckbxLdcMatchesIp.setBounds(6, 208, 232, 23); - getContentPane().add(chckbxLdcMatchesIp); - - final JCheckBox chckbxNullSecMan = new JCheckBox("SecurityManager set to null"); - chckbxNullSecMan.setSelected(true); - chckbxNullSecMan.setBounds(6, 234, 232, 23); - getContentPane().add(chckbxNullSecMan); - - final JCheckBox chckbxJavaawtrobot = new JCheckBox("java/awt/Robot"); - chckbxJavaawtrobot.setSelected(true); - chckbxJavaawtrobot.setBounds(6, 59, 232, 23); - getContentPane().add(chckbxJavaawtrobot); - + ArrayList checkBoxes = new ArrayList<>(); + + int y = 7; + for(MalwareScanModule module : MalwareScanModule.values()) + { + final JCheckBox checkBox = new JCheckBox(module.getOptionText()); + checkBox.setSelected(module.isToggledByDefault()); + checkBox.setBounds(6, y, 232, 23); + getContentPane().add(checkBox); + checkBoxes.add(new MaliciousCodeOptions(module, checkBox)); + + y += SPACER_HEIGHT_BETWEEN_OPTIONS; + } + JButton btnNewButton = new JButton("Start Scanning"); - /*btnNewButton.addActionListener(arg0 -> { - PluginManager.runPlugin(new MaliciousCodeScanner( - chckbxJavalangreflection.isSelected(), - chckbxJavalangruntime.isSelected(), - chckbxJavanet.isSelected(), - chckbxJavaio.isSelected(), - chckbxLdcContainswww.isSelected(), - 
chckbxLdcContainshttp.isSelected(), - chckbxLdcContainshttps.isSelected(), - chckbxLdcMatchesIp.isSelected(), - chckbxNullSecMan.isSelected(), - chckbxJavaawtrobot.isSelected())); + btnNewButton.addActionListener(arg0 -> { + PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes)); dispose(); - });*/ + }); - btnNewButton.setBounds(6, 264, 232, 23); + btnNewButton.setBounds(6, y, 232, 23); getContentPane().add(btnNewButton); this.setLocationRelativeTo(null); } diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptionsV2.java b/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptionsV2.java deleted file mode 100644 index ab3b4a6e..00000000 --- a/src/main/java/the/bytecode/club/bytecodeviewer/gui/plugins/MaliciousCodeScannerOptionsV2.java +++ /dev/null 
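Review bot: `checkBoxes` is declared by its concrete class and this rendering shows no type argument on it; declaring it against the interface, `List<MaliciousCodeOptions> checkBoxes = new ArrayList<>();`, matches the collection type `MaliciousCodeScanner`'s constructor declares and keeps the element type visible at the call site (with `java.awt.*` wildcard-imported, `java.util.List` then needs an explicit import). The frame height `7 + (MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS) + 90` repeats the loop's starting offset and the button/title allowance as bare numbers; naming them next to `SPACER_HEIGHT_BETWEEN_OPTIONS` (e.g. `OPTIONS_TOP_MARGIN`, `FOOTER_HEIGHT`) would keep the size and the layout loop in step when either changes. The hunk also mixes Allman braces in `open()` and the `for` loop with K&R braces in the listener lambda.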
@@ -1,106 +0,0 @@ -package the.bytecode.club.bytecodeviewer.gui.plugins; - -import the.bytecode.club.bytecodeviewer.BytecodeViewer; -import the.bytecode.club.bytecodeviewer.Resources; -import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule; -import the.bytecode.club.bytecodeviewer.plugin.PluginManager; -import the.bytecode.club.bytecodeviewer.plugin.preinstalled.MaliciousCodeScanner; - -import javax.swing.*; -import java.awt.*; -import java.util.ArrayList; - -/*************************************************************************** - * Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite * - * Copyright (C) 2014 Kalen 'Konloch' Kinloch - http://bytecodeviewer.com * - * * - * This program is free software: you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation, either version 3 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program. If not, see . * - ***************************************************************************/ - -/** - * This GUI automatically populates the scan options from the MalwareScanModule enum. 
- * - * @author Konloch - */ - -public class MaliciousCodeScannerOptionsV2 extends JFrame -{ - private static final int SPACER_HEIGHT_BETWEEN_OPTIONS = 26; - - public static void open() - { - if (BytecodeViewer.getLoadedClasses().isEmpty()) - { - BytecodeViewer.showMessage("First open a class, jar, zip, apk or dex file."); - return; - } - - new MaliciousCodeScannerOptionsV2().setVisible(true); - } - - public MaliciousCodeScannerOptionsV2() - { - this.setIconImages(Resources.iconList); - setSize(new Dimension(250, 7+(MalwareScanModule.values().length * SPACER_HEIGHT_BETWEEN_OPTIONS)+90)); - setResizable(false); - setTitle("Malicious Code Scanner Options"); - getContentPane().setLayout(null); - ArrayList checkBoxes = new ArrayList<>(); - - int y = 7; - for(MalwareScanModule module : MalwareScanModule.values()) - { - final JCheckBox checkBox = new JCheckBox(module.getReadableName()); - checkBox.setSelected(module.isToggledByDefault()); //TODO - checkBox.setBounds(6, y, 232, 23); - getContentPane().add(checkBox); - checkBoxes.add(new MaliciousCodeOptions(module, checkBox)); - - y += SPACER_HEIGHT_BETWEEN_OPTIONS; - } - - JButton btnNewButton = new JButton("Start Scanning"); - btnNewButton.addActionListener(arg0 -> { - PluginManager.runPlugin(new MaliciousCodeScanner(checkBoxes)); - dispose(); - }); - - btnNewButton.setBounds(6, y, 232, 23); - getContentPane().add(btnNewButton); - this.setLocationRelativeTo(null); - } - - private static final long serialVersionUID = -2662514582647810868L; - - public static class MaliciousCodeOptions - { - private final MalwareScanModule module; - private final JCheckBox checkBox; - - public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox) { - this.module = module; - this.checkBox = checkBox; - } - - public JCheckBox getCheckBox() - { - return checkBox; - } - - public MalwareScanModule getModule() - { - return module; - } - } -} \ No newline at end of file 
diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareCodeScanner.java b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareCodeScanner.java index 39fb1b50..27024963 100644 --- a/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareCodeScanner.java +++ b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareCodeScanner.java @@ -1,6 +1,7 @@ package the.bytecode.club.bytecodeviewer.malwarescanner; import org.objectweb.asm.tree.*; +import the.bytecode.club.bytecodeviewer.BytecodeViewer; import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString; /** @@ -11,6 +12,8 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.util.SearchableString; */ public abstract class MalwareCodeScanner implements CodeScanner { + public MalwareScanModule module; + public abstract void scanFieldString(MalwareScan scan, ClassNode cn, FieldNode field, SearchableString string); public abstract void scanMethodString(MalwareScan scan, ClassNode cn, MethodNode method, SearchableString string); 
@@ -76,18 +79,29 @@ public abstract class MalwareCodeScanner implements CodeScanner return cn.name + "." + method.name + "(" + method.desc + ")"; } + public String header() + { + String header = String.format("%30s", (module.getReadableName() + " ->\t")); + + //TODO display the file container for this specific ClassNode + if(BytecodeViewer.viewer.showFileInTabTitle.isSelected()) + header += "{fileContainerGoesHere}\t"; + + return header; + } + public void foundLDC(MalwareScan scan, String ldc, String foundAt) { - scan.sb.append("Found LDC \"").append(ldc).append("\" ").append(foundAt); + scan.sb.append(header() + " Found LDC \"").append(ldc).append("\" ").append(foundAt); } public void foundMethod(MalwareScan scan, String foundAt) { - scan.sb.append("Found Method call to ").append(foundAt); + scan.sb.append(header() + " Found Method call to ").append(foundAt); } public void found(MalwareScan scan, String found) { - scan.sb.append("Found ").append(found); + scan.sb.append(header() + " Found ").append(found); } } diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareScanModule.java b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareScanModule.java index 8c417271..fa5bc9d2 100644 --- a/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareScanModule.java +++ b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/MalwareScanModule.java @@ -1,5 +1,6 @@ package the.bytecode.club.bytecodeviewer.malwarescanner; +import org.apache.commons.text.WordUtils; import org.objectweb.asm.tree.ClassNode; import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*; 
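Review bot: `header()` writes the literal placeholder `{fileContainerGoesHere}\t` into the scan report whenever the tab-title toggle is on, so user-visible output now carries TODO text; either drop that branch until the container lookup exists or emit nothing for it. The method also dereferences `module`, a public mutable field added in the previous hunk of this file and only assigned by `MalwareScanModule`'s static initializer, so a scanner constructed outside the enum throws `NullPointerException` here; a package-private setter or a constructor parameter would make that dependency explicit and let the field be private. `scan.sb.append(header() + " Found LDC \"")` concatenates before appending; `scan.sb.append(header()).append(" Found LDC \"")` avoids the temporary string, and the same applies to `foundMethod` and `found`.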
@@ -12,22 +13,36 @@ import the.bytecode.club.bytecodeviewer.malwarescanner.impl.*; public enum MalwareScanModule { URL_SCANNER("Scan String URLs", new URLScanner(), true), - REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), true), + REFLECTION_SCANNER("Scan Java Reflection", new ReflectionScanner(), false), JAVA_RUNTIME_SCANNER("Scan Java Runtime", new JavaRuntimeScanner(), true), - JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), true), + JAVA_NET_SCANNER("Scan Java Net", new JavaNetScanner(), false), JAVA_IO_SCANNER("Scan Java IO", new JavaIOScanner(), false), AWT_ROBOT_SCANNER("Scan AWT Robot", new AWTRobotScanner(), true), NULL_SECURITY_MANAGER("Scan Null SecurityManager", new NullSecurityManagerScanner(), true), ; + static + { + for(MalwareScanModule module : values()) + module.malwareScanner.module = module; + } + private final String readableName; - private final CodeScanner codeScanner; + private final String optionText; + private final MalwareCodeScanner malwareScanner; private final boolean toggledByDefault; - MalwareScanModule(String readableName, CodeScanner codeScanner, boolean toggledByDefault) { - this.readableName = readableName; - this.codeScanner = codeScanner; + MalwareScanModule(String optionText, MalwareCodeScanner malwareScanner, boolean toggledByDefault) + { + this.optionText = optionText; + this.malwareScanner = malwareScanner; this.toggledByDefault = toggledByDefault; + this.readableName = WordUtils.capitalizeFully(name().replace("_", " ").toLowerCase()); + } + + public String getOptionText() + { + return optionText; } public String getReadableName() @@ -35,9 +50,9 @@ public enum MalwareScanModule return readableName; } - public CodeScanner getCodeScanner() + public CodeScanner getMalwareScanner() { - return codeScanner; + return malwareScanner; } public boolean isToggledByDefault() 
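Review bot: `REFLECTION_SCANNER` and `JAVA_NET_SCANNER` are switched from on-by-default to off, which narrows what a default scan reports — reflection and `java/net` use are exactly the indicators this scanner exists to surface — and neither the commit message nor a comment explains it; if deliberate, a one-line comment on those two constants should say why, otherwise restore `true`. In the constructor, `name().replace("_", " ").toLowerCase()` is locale-sensitive; use `toLowerCase(Locale.ROOT)`, or drop the call since `WordUtils.capitalizeFully` already lower-cases the remainder of each word. The static block assigns `module.malwareScanner.module` from outside the scanner class, which only works because that field is public and mutable; handing the module to the scanner through a setter would keep the enum from owning the scanner's internals. If commons-text is not already a declared dependency, `WordUtils` adds one for a single call.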
@@ -51,7 +66,7 @@ public enum MalwareScanModule { for (MalwareScanModule module : values()) if(scan.scanOptions.contains(module.name())) - module.codeScanner.scanningClass(scan, cn); + module.malwareScanner.scanningClass(scan, cn); } } } diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/util/MaliciousCodeOptions.java b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/util/MaliciousCodeOptions.java new file mode 100644 index 00000000..6bcaaecf --- /dev/null +++ b/src/main/java/the/bytecode/club/bytecodeviewer/malwarescanner/util/MaliciousCodeOptions.java @@ -0,0 +1,31 @@ +package the.bytecode.club.bytecodeviewer.malwarescanner.util; + +import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule; + +import javax.swing.*; + +/** + * @author Konloch + * @since 6/27/2021 + */ +public class MaliciousCodeOptions +{ + private final MalwareScanModule module; + private final JCheckBox checkBox; + + public MaliciousCodeOptions(MalwareScanModule module, JCheckBox checkBox) + { + this.module = module; + this.checkBox = checkBox; + } + + public JCheckBox getCheckBox() + { + return checkBox; + } + + public MalwareScanModule getModule() + { + return module; + } +} diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/plugin/preinstalled/MaliciousCodeScanner.java b/src/main/java/the/bytecode/club/bytecodeviewer/plugin/preinstalled/MaliciousCodeScanner.java index e5af7e7c..54e7b69d 100644 --- a/src/main/java/the/bytecode/club/bytecodeviewer/plugin/preinstalled/MaliciousCodeScanner.java +++ b/src/main/java/the/bytecode/club/bytecodeviewer/plugin/preinstalled/MaliciousCodeScanner.java 
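Review bot: `MaliciousCodeOptions` lives in `malwarescanner.util` but stores a live `JCheckBox`, so the scanner package now depends on Swing and `MaliciousCodeScanner` reads widget state via `getCheckBox().isSelected()` after the options frame has been disposed, possibly off the event-dispatch thread. Holding the module plus a `boolean` snapshot of the selection taken when "Start Scanning" is pressed would decouple the two and make the scan inputs immutable; the public getter would then become `isEnabled()` rather than exposing the component. The class Javadoc carries only `@author`/`@since`; a summary such as `/** Pairs a {@link MalwareScanModule} with the checkbox that enables it in the options dialog. */` would state its purpose.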
@@ -7,12 +7,9 @@ import java.util.List; import org.objectweb.asm.tree.ClassNode; import the.bytecode.club.bytecodeviewer.api.Plugin; import the.bytecode.club.bytecodeviewer.api.PluginConsole; -import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptions; -import the.bytecode.club.bytecodeviewer.gui.plugins.MaliciousCodeScannerOptionsV2; import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScan; import the.bytecode.club.bytecodeviewer.malwarescanner.MalwareScanModule; - -import javax.swing.*; +import the.bytecode.club.bytecodeviewer.malwarescanner.util.MaliciousCodeOptions; /*************************************************************************** * Bytecode Viewer (BCV) - Java & Android Reverse Engineering Suite * @@ -38,16 +35,15 @@ import javax.swing.*; * This tool is used to help aid reverse engineers in identifying malicious code. * * @author Konloch - * @author Adrianherrera * @author WaterWolf * @since 10/02/2011 */ public class MaliciousCodeScanner extends Plugin { - public final List options; + public final List options; - public MaliciousCodeScanner(List options) + public MaliciousCodeScanner(List options) { this.options = options; } @@ -58,10 +54,9 @@ public class MaliciousCodeScanner extends Plugin PluginConsole frame = new PluginConsole("Malicious Code Scanner"); StringBuilder sb = new StringBuilder(); - //TODO automate this when the GUI has been changed HashSet scanOptions = new HashSet<>(); - for(MaliciousCodeScannerOptionsV2.MaliciousCodeOptions option : options) + for(MaliciousCodeOptions option : options) if(option.getCheckBox().isSelected()) scanOptions.add(option.getModule().name());