
ConstString rule finds no call chain #30

Closed
mdkk opened this issue Jan 16, 2023 · 1 comment

Comments

@mdkk

mdkk commented Jan 16, 2023

The test code is as follows:

// HookInfo.java
package com.example.test.util;

import java.util.ArrayList;
import java.util.List;

public class HookInfo {
    public String className;
    public String methodName;

    public static List<HookInfo> infoList = new ArrayList<>();

    public HookInfo(String className, String methodName) {
        this.className = className;
        this.methodName = methodName;
    }

    // The constant class-name strings stored here are the taint source the
    // ConstString rule is expected to match.
    public static List<HookInfo> getInfoList() {
        infoList.add(new HookInfo("android.telephony.TelephonyManager",
                "getDeviceId"
        ));

        infoList.add(new HookInfo("android.telephony.TelephonyManager",
                "getSubscriberId"
        ));

        return infoList;
    }

}

// testInfo.java
package com.example.test.util;

public class testInfo {

    public static void t(HookInfo info) throws ClassNotFoundException {
        Class cls = String.class.getClassLoader().loadClass(info.className);

        test.doTest(cls, info.methodName);

    }
}

// test.java
package com.example.test.util;

public class test {
    // Sink: the rule checks whether the parameters arriving here are tainted.
    public static void doTest(Class cls, String m) {

    }
}

// Main.java
package com.example.test;

import com.example.test.util.HookInfo;
import com.example.test.util.testInfo;
import java.util.List;

public class Main {
    public void test() throws ClassNotFoundException {

        List<HookInfo> list = HookInfo.getInfoList();

        // The for-each loop compiles to Iterator.iterator()/hasNext()/next() calls,
        // which is where the pointer propagation discussed below breaks.
        for (HookInfo info : list) {
            testInfo.t(info);
        }

    }
}

The test rule:

{
  "ConstStringTest1": {
    "ConstStringMode": true,
    "traceDepth": 26,
    "desc": {
      "name": "test",
      "category": "ConstStringTest",
      "detail": "ConstStringTest",
      "wiki": "",
      "possibility": "4",
      "model": "middle"
    },
    "targetStringArr": ["android.telephony.TelephonyManager"],
    "minLen": 2,
    "source": {
      "ConstString": ["android.telephony.TelephonyManager"]
    },
    "sink": {
      "<com.example.test.util.test: * doTest()>": {
        "TaintCheck": [
          "p"
        ]
      }
    }
  }
}

@nkbai
Collaborator

nkbai commented Jan 17, 2023

  1. First, I recommend using SliceMode rather than ConstStringMode; the latter has limited analysis depth.
    {
      "ConstStringTest1": {
        "SliceMode": true,
        "traceDepth": 28,
        "desc": {
          "name": "test",
          "category": "ConstStringTest",
          "detail": "ConstStringTest",
          "wiki": "",
          "possibility": "4",
          "model": "middle"
        },
        "minLen": 2,
        "source": {
          "ConstString": [
            "android.telephony.TelephonyManager"
          ]
        },
        "sink": {
          "<com.example.test.util.test: * doTest()>": {
            "TaintCheck": [
              "p"
            ]
          }
        }
      }
    }
  2. I looked into it and found that pointer propagation through the iterator's next is interrupted; the pointer propagation of the next function has to be handled in EngineConfig.json5.
     Concretely, add an entry under PointerFlowRule->MethodName. I have already modified the EngineConfig.json5 file.
      "next": {
        "@this->ret": {
          "I": [
            "@this"
          ],
          "O": [
            "ret"
          ]
        },
        "@this.data->ret": {
          "I": [
            "@this.data"
          ],
          "O": [
            "ret"
          ]
        }
      },

PointerFlowRule and VariableFlowRule in EngineConfig.json5 are very powerful: they override appshark's default analysis behaviour and can be adjusted to your own needs.

@nkbai nkbai closed this as completed Nov 3, 2023
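The point of the reply above, as an added example that is not part of the thread or of appshark's own code: a toy model, in Python, of how a PointerFlowRule table in the shape of the EngineConfig.json5 fragment (method name, then "I" inputs and "O" outputs) steers taint propagation. It is driven by a hand-built, constructed encoding of the issue's test code and shows that without a rule for `next` the taint from the constant string stops at the iterator and never reaches `doTest`, while adding the `next` rule quoted in the reply completes the chain. The `add`, `iterator` and `loadClass` rules, the node naming and the statement encoding are assumptions of this model, not appshark's shipped defaults or its intermediate representation.

```python
"""Toy model of how an appshark-style PointerFlowRule steers taint propagation.

Added illustration, not appshark's engine. Rules are keyed by method name in
the same shape as the EngineConfig.json5 fragment ("I" inputs, "O" outputs).
The "add", "iterator" and "loadClass" rules are assumptions for this model.
"""

BASE_RULES = {
    "add": {"p0->@this.data": {"I": ["p0"], "O": ["@this.data"]}},
    "iterator": {"@this.data->ret.data": {"I": ["@this.data"], "O": ["ret.data"]}},
    "loadClass": {"p0->ret": {"I": ["p0"], "O": ["ret"]}},
}

# The rule the collaborator added for Iterator.next(), copied from the thread.
NEXT_RULE = {
    "next": {
        "@this->ret": {"I": ["@this"], "O": ["ret"]},
        "@this.data->ret": {"I": ["@this.data"], "O": ["ret"]},
    }
}

SOURCES = {"android.telephony.TelephonyManager"}

# Constructed straight-line encoding of Main.test() -> testInfo.t() -> test.doTest().
# Forms: ("const", dst, literal), ("store", obj, field, src), ("load", dst, obj, field),
#        ("call", ret_or_None, receiver, method, [args]), ("sink", method, [args]).
PROGRAM = [
    ("const", "s", "android.telephony.TelephonyManager"),
    ("const", "m", "getDeviceId"),
    ("store", "info1", "className", "s"),          # new HookInfo(s, m)
    ("store", "info1", "methodName", "m"),
    ("call", None, "infoList", "add", ["info1"]),  # infoList.add(info1)
    ("call", "it", "infoList", "iterator", []),    # for (HookInfo info : list)
    ("call", "info", "it", "next", []),            #   info = it.next()
    ("load", "cn", "info", "className"),
    ("call", "cls", "loader", "loadClass", ["cn"]),
    ("load", "mn", "info", "methodName"),
    ("sink", "doTest", ["cls", "mn"]),             # test.doTest(cls, mn)
]


def resolve(spec, ret, recv, args):
    """Map a rule token (@this, @this.data, ret, ret.data, pN) to a concrete node name."""
    if spec.startswith("@this"):
        return recv + spec[len("@this"):]
    if spec.startswith("ret"):
        return None if ret is None else ret + spec[len("ret"):]
    if spec.startswith("p") and spec[1:].isdigit():
        return args[int(spec[1:])]
    raise ValueError(f"unsupported rule token {spec!r}")


def is_tainted(node, tainted):
    """A node is tainted if it, an enclosing object, or one of its fields is tainted."""
    if node is None:
        return False
    parts = node.split(".")
    if any(".".join(parts[:i]) in tainted for i in range(1, len(parts) + 1)):
        return True
    return any(t.startswith(node + ".") for t in tainted)


def trace(program, rules, sources):
    """Propagate taint to a fixpoint; return {sink_method: [tainted argument names]}."""
    tainted = set()

    def mark(node):
        if node is not None and node not in tainted:
            tainted.add(node)
            return True
        return False

    changed = True
    while changed:
        changed = False
        for stmt in program:
            kind = stmt[0]
            if kind == "const" and stmt[2] in sources:
                changed |= mark(stmt[1])
            elif kind == "store" and is_tainted(stmt[3], tainted):
                changed |= mark(f"{stmt[1]}.{stmt[2]}")
            elif kind == "load" and is_tainted(f"{stmt[2]}.{stmt[3]}", tainted):
                changed |= mark(stmt[1])
            elif kind == "call":
                _, ret, recv, method, args = stmt
                for rule in rules.get(method, {}).values():
                    if any(is_tainted(resolve(i, ret, recv, args), tainted) for i in rule["I"]):
                        for o in rule["O"]:
                            changed |= mark(resolve(o, ret, recv, args))

    return {
        stmt[1]: [a for a in stmt[2] if is_tainted(a, tainted)]
        for stmt in program
        if stmt[0] == "sink"
    }


if __name__ == "__main__":
    print("without next rule:", trace(PROGRAM, BASE_RULES, SOURCES))
    print("with next rule:   ", trace(PROGRAM, {**BASE_RULES, **NEXT_RULE}, SOURCES))
```

Running the block prints an empty argument list for `doTest` under `BASE_RULES` and `['cls', 'mn']` once `NEXT_RULE` is merged in: the missing `next` entry is a false negative, not a problem in the rule file, which is why the fix lives in EngineConfig.json5 rather than in the ConstString rule.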