How to Build a Code Scanner with "Independent Intellectual Property"

A large number of the domestic code scanners marketed as having independent intellectual property are simply shells around Fortify, so today I will show you how that trick is implemented.

First, see Chapter 5 of my earlier notes: https://my.oschina.net/9199771/blog/3096603

This article uses that environment as its basis. I strongly recommend scanning this way: as long as the project compiles correctly, there will be no jar conflicts.

After starting a scan, we begin the analysis:

1) Using a Procmon capture, let's look at what Fortify does in the background during a single code scan

Important! The third step adds a -scan parameter

The txt contents in the figure show three processes launched in the order clean, build, scan; from top to bottom the three txt files are:

1.1) Clear the contents of the build id

"-b"
"vulns-servlet"
"-clean"

1.2) Specify the code to scan. This is also the place where you can add your own plugin to perform software composition analysis and alert promptly on jars with known vulnerabilities

"-b"
"vulns-servlet"
"-machine-output"
"-source"
"1.8"
"-build-label"
"vulns-servlet"
"-cp"
"C:/Users/K4N5HA0/.m2/repository/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/taglibs/taglibs-standard-impl/1.2.5/taglibs-standard-impl-1.2.5.jar;C:/Users/K4N5HA0/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-expression/3.1.2.RELEASE/spring-expression-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-context/3.1.2.RELEASE/spring-context-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-aop/3.1.2.RELEASE/spring-aop-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-tx/3.1.2.RELEASE/spring-tx-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-asm/3.1.2.RELEASE/spring-asm-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/charsets.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-core/3.1.2.RELEASE/spring-core-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/deploy.jar;C:/Users/K4N5HA0/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/access-bridge-64.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/cldrdata.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-beans/3.1.2.RELEASE/spring-beans-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/dnsns.jar;C:/Users/K4N5HA0/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-jdbc/3.1.2.RELEASE/spring-jdbc-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/jaccess.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/jfxrt.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/tomcat/servlet-api/6.0.32/servlet-api-6.0.32.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/localedata.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/nashorn.jar;C:/Users/K4N5HA0/.m2/repository/javax/servlet/jsp/jsp-api/2.2/jsp-api-2.2.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunec.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunjce_provider.jar;C:/Users/K4N5HA0/.m2/repository/org/jdom/jdom/1.1/jdom-1.1.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunmscapi.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunpkcs11.jar;C:/Users/K4N5HA0/.m2/repository/mysql/mysql-connector-java/5.1.6/mysql-connector-java-5.1.6.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okhttp/okhttp/2.7.5/okhttp-2.7.5.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/zipfs.jar;C:/Java/jdk1.8.0_281/jre/lib/javaws.jar;C:/Java/jdk1.8.0_281/jre/lib/jce.jar;C:/Java/jdk1.8.0_281/jre/lib/jfr.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okio/okio/1.12.0/okio-1.12.0.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okhttp3/okhttp/3.7.0/okhttp-3.7.0.jar;C:/Java/jdk1.8.0_281/jre/lib/jfxswt.jar;C:/Java/jdk1.8.0_281/jre/lib/jsse.jar;C:/Java/jdk1.8.0_281/jre/lib/management-agent.jar;C:/Users/K4N5HA0/.m2/repository/org/javassist/javassist/3.20.0-GA/javassist-3.20.0-GA.jar;C:/Users/K4N5HA0/.m2/repository/ognl/ognl/3.1.12/ognl-3.1.12.jar;C:/Java/jdk1.8.0_281/jre/lib/plugin.jar;C:/Java/jdk1.8.0_281/jre/lib/resources.jar;C:/Java/jdk1.8.0_281/jre/lib/rt.jar;C:/Users/K4N5HA0/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/httpcomponents/httpcore/4.4/httpcore-4.4.jar;C:/Users/K4N5HA0/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar;C:/Users/K4N5HA0/.m2/repository/commons-codec/commons-codec/1.2/commons-codec-1.2.jar;C:/Users/K4N5HA0/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar;C:/Users/K4N5HA0/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlPolicy.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/OkHttp.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_dom.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_stax.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Deserialization.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Directory1.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpCommonClient.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_sax.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Multipart_mysql.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/WriteFile.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_dom4j.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpClient.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Ognl.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_jdom.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/CommandEcho.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Log.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Mysql.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/ReadFile.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlException.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpURLConnection.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/MysqlPrepared.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/FileUpload.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/OkHttp3.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlAccess.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Directory2.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/pom.xml"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Command.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Body_Xss.java"
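As an added example (my own script, not code from the post or from Fortify), here is the starting point for the software composition check suggested in 1.2: it parses an argument file in the one-quoted-token-per-line format captured above, pulls the jars out of the -cp value, and maps those that live in the Maven local repository to group:artifact:version coordinates that can be looked up in a vulnerability feed. The argument file below is a constructed excerpt of the tokens shown on this page.

```python
import re

# Constructed excerpt of vulns-servletBuild.txt: one double-quoted token per line,
# with the -cp value as a single ';'-separated string (Windows separator).
SAMPLE_ARGFILE = r'''
"-b"
"vulns-servlet"
"-machine-output"
"-source"
"1.8"
"-cp"
"C:/Users/K4N5HA0/.m2/repository/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar;C:/Java/jdk1.8.0_281/jre/lib/rt.jar;C:/Users/K4N5HA0/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Ognl.java"
'''

# Layout of a Maven local repository: <group/as/path>/<artifact>/<version>/<artifact>-<version>.jar
MAVEN_JAR = re.compile(r"/\.m2/repository/(.+)/([^/]+)/([^/]+)/\2-\3\.jar$")


def parse_argfile(text):
    """Return the tokens of a sourceanalyzer @argfile, with the surrounding quotes removed."""
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('"') and line.endswith('"') and len(line) >= 2:
            line = line[1:-1]
        tokens.append(line)
    return tokens


def classpath_entries(tokens):
    """The jar paths passed to -cp, or an empty list if the build step had none."""
    if "-cp" not in tokens:
        return []
    return [p for p in tokens[tokens.index("-cp") + 1].split(";") if p]


def maven_coordinates(jar_path):
    """(groupId, artifactId, version) for a local-repo jar; None for JDK or other jars."""
    m = MAVEN_JAR.search(jar_path.replace("\\", "/"))
    if not m:
        return None
    group_path, artifact, version = m.groups()
    return (group_path.replace("/", "."), artifact, version)


def components(text):
    """Deduplicated coordinates of every Maven-managed jar on the scan classpath."""
    found = []
    for jar in classpath_entries(parse_argfile(text)):
        gav = maven_coordinates(jar)
        if gav and gav not in found:
            found.append(gav)
    return found
```

JDK jars such as rt.jar are skipped on purpose: they are not Maven artifacts, so they have no coordinates to match against an advisory feed.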

1.3) Generate the scan results

"-b"
"vulns-servlet"
"-machine-output"
"-f"
"C:\Java\project\openrasp-testcases\java\vulns-servlet\vulns-servlet.fpr"
"-format"
"fpr"

Clearly, all sourceanalyzer.exe does is execute the parameters contained in these three txt files.

2) As shown in the figure, I first deleted sourceanalyzer.exe

At this point you may ask: Procmon captured the exe doing the scan, so how can a scan run once it is deleted?

3) The secret is this jar

C:\Program Files\Fortify\Fortify_SCA_and_Apps_21.1.2\Core\lib\exe\sca-exe.jar

4) Let's start this jar by hand

The clever reader should already see what is going on

5) Switch to the jar's directory and run the commands

The commands shown in the figure are as follows. Important! The third step adds a -scan parameter

java -jar sca-exe.jar @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletClean.txt

java -jar sca-exe.jar @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletvulns-servletBuild.txt

java -jar sca-exe.jar -scan @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletScan.txt

Success

Next, let's try some reverse engineering

1) Launch IDEA with administrator privileges (this is mandatory) and click IDEA's Open button

After IDEA opens it needs time to index the directory; you must wait patiently, otherwise many buttons remain greyed out

2) Next, configure the JDK as shown in the figures below

2.1) Click the SDKs button, then the + symbol, and add the JDK bundled with Fortify as shown

2.2) Click the Project button and switch to the JDK bundled with Fortify

Then click the OK button at the bottom of this page

3) At this point double-clicking the jar does not show decompiled source, so, as shown below,

right-click the lib directory and choose Add as Library

The dialog below pops up; just click OK

As shown below, double-clicking a class name now shows its source

4) Next, select sca-exe.jar in the exe directory, right-click it and choose Run

We then see the familiar output

Note: as the figure above shows, GBK encoding is used by default, which produces garbled text later during scanning

In the two steps shown below, we should force UTF-8 explicitly:

5) Set a breakpoint anywhere and click Debug

It breaks successfully!

With the steps above we can step through and study Fortify

6) Create the three execution steps for scanning

Click the copy button shown below to duplicate the three steps

6.1) Let's look at how clean, build and scan are configured

In the scan step, don't forget to use the following option to allow JDK reflection, and to pass the -scan parameter

Now we enter a new stage: reverse engineering how Fortify's scanning works

After the build step completes, we find files ending in .nst in the folder

Opening them shows that their contents are formatted code metadata

Although verbose, it is clearly designed specifically for code scanning

By tracing further, we find a class in sca that analyzes the nst files (the class is over 10,000 lines long; I was floored)

Thanks!
