
swing-rce-inspector

A small tool for my own use, nothing of great significance; it was written mainly to practise Golang.

This project was written on 2022/9/27, uploaded to GitHub on 2022/10/7, and open-sourced on 2022/10/28.

Comparison

Several analysis tools already exist. The advantage of this project is that it is simple to use and fairly fast; its extensibility is far below that of the other tools.

Time to analyse rt.jar and cobaltstrike.jar together:

  • tabby: very long initialisation time
  • CodeQL: very long initialisation time
  • Java ASM: 6-8 seconds on Linux, 18-20 seconds on Windows
  • this project: 2-3 seconds on Linux, 7-9 seconds on Windows

Usage

Written in Golang with no other dependencies; compile it into a single executable and the analysis runs quickly.

Command: ./swing-rce-inspector

Prerequisites:

  • Create a jars directory in the directory that contains swing-rce-inspector
  • Put the Jar files you want analysed into the jars directory (for example, rt.jar)
  • Run with root privileges

The results of scanning rt.jar and cobaltstrike.jar are shown below. Each entry has the form:

matching class  target set method
-> method call 1 inside that set method (the calls most likely to receive the set value are marked taint)
-> method call 2 inside that set method (the calls most likely to receive the set value are marked taint)
-> method call 3 inside that set method (the calls most likely to receive the set value are marked taint)
-> method call n inside that set method (the calls most likely to receive the set value are marked taint)

org/apache/batik/apps/svgbrowser/StatusBar setMessage
-> org/apache/batik/apps/svgbrowser/StatusBar.getPreferredSize
-> java/awt/Dimension.<init>
-> org/apache/batik/apps/svgbrowser/StatusBar.setPreferredSize
-> org/apache/batik/apps/svgbrowser/StatusBar$DisplayThread.finish
-> org/apache/batik/apps/svgbrowser/StatusBar$DisplayThread.<init> (taint)
-> org/apache/batik/apps/svgbrowser/StatusBar$DisplayThread.start

org/apache/batik/apps/svgbrowser/StatusBar setMainMessage
-> javax/swing/JLabel.setText (taint)
-> org/apache/batik/apps/svgbrowser/StatusBar$DisplayThread.finish
-> org/apache/batik/apps/svgbrowser/StatusBar.getPreferredSize
-> java/awt/Dimension.<init>
-> org/apache/batik/apps/svgbrowser/StatusBar.setPreferredSize

org/apache/batik/swing/JSVGCanvas setURI
-> org/apache/batik/swing/JSVGCanvas.loadSVGDocument (taint)
-> org/apache/batik/swing/JSVGCanvas.setSVGDocument
-> java/beans/PropertyChangeSupport.firePropertyChange

org/apache/batik/swing/svg/AbstractJSVGComponent setFragmentIdentifier
-> org/apache/batik/swing/svg/AbstractJSVGComponent.computeRenderingTransform (taint)
-> org/apache/batik/swing/svg/AbstractJSVGComponent.scheduleGVTRendering

java/awt/Checkbox setLabel
-> java/lang/String.equals (taint)
-> java/awt/peer/CheckboxPeer.setLabel (taint)
-> java/awt/Checkbox.invalidateIfValid

java/awt/Label setText
-> java/lang/String.equals (taint)
-> java/awt/peer/LabelPeer.setText (taint)
-> java/awt/Label.invalidateIfValid

java/awt/Button setLabel
-> java/lang/String.equals (taint)
-> java/awt/peer/ButtonPeer.setLabel (taint)
-> java/awt/Button.invalidateIfValid

java/awt/Frame setTitle
-> java/awt/peer/FramePeer.setTitle (taint)
-> java/awt/Frame.firePropertyChange (taint)

javax/swing/AbstractButton setText
-> javax/swing/AbstractButton.firePropertyChange (taint)
-> javax/swing/AbstractButton.getMnemonic (taint)
-> javax/swing/AbstractButton.updateDisplayedMnemonicIndex
-> javax/accessibility/AccessibleContext.firePropertyChange (taint)
-> java/lang/String.equals (taint)
-> javax/swing/AbstractButton.revalidate
-> javax/swing/AbstractButton.repaint

javax/swing/JFileChooser setDialogTitle
-> javax/swing/JDialog.setTitle (taint)
-> javax/swing/JFileChooser.firePropertyChange (taint)

javax/swing/JFileChooser setApproveButtonToolTipText
-> javax/swing/JFileChooser.firePropertyChange (taint)

javax/swing/JFileChooser setApproveButtonText
-> javax/swing/JFileChooser.firePropertyChange (taint)

javax/swing/JInternalFrame setTitle
-> javax/swing/JInternalFrame.firePropertyChange (taint)

javax/swing/JLabel setText
-> javax/accessibility/AccessibleContext.getAccessibleName
-> javax/swing/JLabel.firePropertyChange (taint)
-> javax/swing/JLabel.getDisplayedMnemonic (taint)
-> javax/swing/SwingUtilities.findDisplayedMnemonicIndex
-> javax/swing/JLabel.setDisplayedMnemonicIndex
-> javax/accessibility/AccessibleContext.getAccessibleName
-> javax/accessibility/AccessibleContext.getAccessibleName
-> javax/accessibility/AccessibleContext.firePropertyChange
-> java/lang/String.equals (taint)
-> javax/swing/JLabel.revalidate
-> javax/swing/JLabel.repaint

javax/swing/JPopupMenu setLabel
-> javax/swing/JPopupMenu.firePropertyChange (taint)
-> javax/accessibility/AccessibleContext.firePropertyChange (taint)
-> javax/swing/JPopupMenu.invalidate
-> javax/swing/JPopupMenu.repaint

javax/swing/JToolTip setTipText
-> javax/swing/JToolTip.firePropertyChange (taint)
-> java/util/Objects.equals (taint)
-> javax/swing/JToolTip.revalidate
-> javax/swing/JToolTip.repaint

Analysis process:

  • Unpack the Jar to obtain all of its class files
  • Parse every class file to obtain class and method information
  • Build the inheritance relationships between the classes
  • Apply the rules to those relationships to produce the results
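Steps 2 and 3 above depend on reading only a small part of each class file: the constant pool, this_class, super_class and the interfaces table. The following Go code is an added example written for this page, not code from the swing-rce-inspector repository. It parses exactly that header and nothing else (method bodies, which the rule step would need, are left unread), and it checks the CAFEBABE magic first so that a non-class entry pulled out of a jar is rejected rather than misparsed. sampleClass is a hand-assembled, method-less class file constructed for the example ("class C implements D, E"); it is not taken from rt.jar or any other jar. In the real tool the bytes would come from the archive/zip entries produced by step 1.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// ClassInfo is what step 2 extracts from one class file for step 3: the
// class's name, superclass and interfaces as JVM internal names ("java/awt/Frame").
type ClassInfo struct {
	Name, Super string
	Interfaces  []string
}

// Byte width of each fixed-size constant pool entry that is skipped,
// keyed by tag (JVMS §4.4). Utf8 (tag 1) and Class (tag 7) are parsed.
var cpSkip = map[byte]int64{3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 10: 4, 11: 4,
	12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

// ParseClassHeader checks the magic, walks the constant pool, then reads
// this_class, super_class and the interfaces table. Fields, methods and
// attributes are not read; the hierarchy step does not need them.
func ParseClassHeader(data []byte) (*ClassInfo, error) {
	if len(data) < 10 || binary.BigEndian.Uint32(data) != 0xCAFEBABE {
		return nil, fmt.Errorf("not a class file (bad magic or truncated)")
	}
	r := bytes.NewReader(data[8:]) // skip magic, minor_version, major_version
	var cpCount uint16
	binary.Read(r, binary.BigEndian, &cpCount)
	utf8 := map[uint16]string{}     // Utf8 index -> text
	classRef := map[uint16]uint16{} // Class index -> Utf8 index of its name
	for i := uint16(1); i < cpCount; i++ {
		tag, err := r.ReadByte()
		if err != nil {
			return nil, fmt.Errorf("constant pool truncated at entry %d", i)
		}
		switch tag {
		case 1: // CONSTANT_Utf8: u2 length followed by the bytes
			var n uint16
			binary.Read(r, binary.BigEndian, &n)
			buf := make([]byte, n)
			if _, err := io.ReadFull(r, buf); err != nil {
				return nil, err
			}
			utf8[i] = string(buf)
		case 7: // CONSTANT_Class: u2 name_index
			var idx uint16
			binary.Read(r, binary.BigEndian, &idx)
			classRef[i] = idx
		default:
			n, ok := cpSkip[tag]
			if !ok {
				return nil, fmt.Errorf("unknown constant pool tag %d", tag)
			}
			r.Seek(n, io.SeekCurrent)
			if tag == 5 || tag == 6 { // Long and Double occupy two pool slots
				i++
			}
		}
	}
	var hdr struct{ Access, This, Super, IfCount uint16 }
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return nil, err
	}
	name := func(ci uint16) string { return utf8[classRef[ci]] }
	info := &ClassInfo{Name: name(hdr.This)}
	if hdr.Super != 0 { // only java/lang/Object has super_class == 0
		info.Super = name(hdr.Super)
	}
	for k := uint16(0); k < hdr.IfCount; k++ {
		var idx uint16
		if err := binary.Read(r, binary.BigEndian, &idx); err != nil {
			return nil, err
		}
		info.Interfaces = append(info.Interfaces, name(idx))
	}
	return info, nil
}

// sampleClass is a constructed, method-less class file for
// "class C implements D, E" (superclass java/lang/Object). It is example
// input only, not bytes taken from rt.jar or any other jar.
var sampleClass = []byte{
	0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 52, // magic, minor 0, major 52
	0, 9, // constant_pool_count = 8 entries + 1
	7, 0, 2, 1, 0, 1, 'C', // #1 Class -> #2, #2 Utf8 "C"
	7, 0, 4, 1, 0, 16, 'j', 'a', 'v', 'a', '/', 'l', 'a', 'n', 'g', '/', // #3 Class -> #4,
	'O', 'b', 'j', 'e', 'c', 't', //   #4 Utf8 "java/lang/Object"
	7, 0, 6, 1, 0, 1, 'D', // #5 Class -> #6, #6 Utf8 "D"
	7, 0, 8, 1, 0, 1, 'E', // #7 Class -> #8, #8 Utf8 "E"
	0, 0x21, 0, 1, 0, 3, // access_flags, this_class #1, super_class #3
	0, 2, 0, 5, 0, 7, // interfaces_count 2: #5, #7
	0, 0, 0, 0, 0, 0, // fields_count, methods_count, attributes_count
}
```

ParseClassHeader(sampleClass) yields Name "C", Super "java/lang/Object" and Interfaces [D E]; a zip local-file header (PK\x03\x04) or a pool cut short partway through fails with an error instead of producing a half-filled ClassInfo, which matters when a jar contains resources that are not class files.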

Notes

To scan several Jar files, put all of them into the jars directory.

To scan third-party jars such as cobaltstrike.jar, make sure rt.jar is also placed in the jars directory.

Reason:

When the inheritance relationships are analysed, a third-party Jar usually does not contain java.awt.Component or its commonly used subclasses, yet many of its classes extend them. Without rt.jar those inheritance relationships cannot be resolved correctly, the later analysis stages have nothing to work on, and in the end no results are produced.

Inheritance analysis rule:

example:
class A extends B
class B extends C
class C implements D,E

result:
A is subclass of B,C,D,E
B is subclass of C,D,E
C is subclass of D,E
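The rule above, and the reason rt.jar has to be present, as an added Go example written for this page (not the project's own code): the transitive supertype walk stops at any class that was not loaded from the jars directory, so a third-party subclass of javax/swing/JLabel only resolves to java/awt/Component once the JDK classes are in the graph. The class graphs are constructed for the example; com/example/StatusLabel is a hypothetical third-party class, and the JLabel -> JComponent -> Container -> Component chain is the real JDK hierarchy.

```go
package main

import (
	"fmt"
	"sort"
)

// ClassInfo holds what the hierarchy step needs from one parsed class:
// its superclass and the interfaces it declares (JVM internal names).
type ClassInfo struct {
	Super      string
	Interfaces []string
}

// Supertypes returns every class and interface that name transitively
// extends or implements: with A extends B, B extends C and C implements D,E
// the result for A is B, C, D, E. A supertype that is not in classes is
// still reported, but the walk cannot continue past it.
func Supertypes(classes map[string]*ClassInfo, name string) []string {
	seen := map[string]bool{}
	var walk func(n string)
	walk = func(n string) {
		ci, ok := classes[n]
		if !ok {
			return // not loaded from any jar: its own parents are unknown
		}
		for _, p := range append([]string{ci.Super}, ci.Interfaces...) {
			if p != "" && !seen[p] {
				seen[p] = true
				walk(p)
			}
		}
	}
	walk(name)
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// IsSubtypeOf reports whether name transitively extends or implements target.
func IsSubtypeOf(classes map[string]*ClassInfo, name, target string) bool {
	for _, s := range Supertypes(classes, name) {
		if s == target {
			return true
		}
	}
	return false
}

// Constructed sample graphs (not real jar contents): the A..E example from
// the text, a hypothetical third-party class extending javax/swing/JLabel,
// and the rt.jar chain JLabel -> JComponent -> Container -> Component.
var (
	readmeExample = map[string]*ClassInfo{
		"A": {Super: "B"},
		"B": {Super: "C"},
		"C": {Interfaces: []string{"D", "E"}},
	}
	thirdPartyOnly = map[string]*ClassInfo{
		"com/example/StatusLabel": {Super: "javax/swing/JLabel"},
	}
	rtChain = map[string]*ClassInfo{
		"javax/swing/JLabel":     {Super: "javax/swing/JComponent"},
		"javax/swing/JComponent": {Super: "java/awt/Container"},
		"java/awt/Container":     {Super: "java/awt/Component"},
		"java/awt/Component":     {Super: "java/lang/Object"},
	}
)

// WithRT merges the rt.jar chain into a third-party graph, which is what
// putting rt.jar into the jars directory does for the real tool.
func WithRT(thirdParty map[string]*ClassInfo) map[string]*ClassInfo {
	merged := map[string]*ClassInfo{}
	for k, v := range thirdParty {
		merged[k] = v
	}
	for k, v := range rtChain {
		merged[k] = v
	}
	return merged
}

func main() {
	fmt.Println(Supertypes(readmeExample, "A"))
	fmt.Println(IsSubtypeOf(thirdPartyOnly, "com/example/StatusLabel", "java/awt/Component"))
	fmt.Println(IsSubtypeOf(WithRT(thirdPartyOnly), "com/example/StatusLabel", "java/awt/Component"))
}
```

With only the third-party graph loaded, StatusLabel's chain ends at javax/swing/JLabel and the Component check is false; after merging the rt.jar chain it is true, which is exactly the difference between an empty result and a populated one.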

Contributors

  • 4ra1n
