How to build a code scanner with "independent intellectual property"

A large number of the domestic code scanners sold as "independent intellectual property" are just shells around Fortify, so today I'll show you how that trick is done.

First, see chapter 5 of my earlier notes: https://my.oschina.net/9199771/blog/3096603

This article builds on that environment. I strongly recommend scanning this way: as long as the project compiles correctly, you will not run into jar conflicts.

 

Start a scan, then analyze what happened:

1) Using a Procmon capture, let's see what Fortify does in the background during one code scan

Important: the third step adds a -scan parameter on the command line (it is not inside the txt file)

The txt files in the screenshot show the process being launched three times, in the order clean, build, scan; from top to bottom the three txt files are:

1.1) Clear the intermediate files for this build ID

"-b"
"vulns-servlet"
"-clean"

1.2) Specify the code to scan. Since the -cp argument lists every dependency jar with its Maven repository path and version, this is the place to hook in a plugin for software composition analysis and flag jars with known vulnerabilities right away

"-b"
"vulns-servlet"
"-machine-output"
"-source"
"1.8"
"-build-label"
"vulns-servlet"
"-cp"
"C:/Users/K4N5HA0/.m2/repository/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/taglibs/taglibs-standard-impl/1.2.5/taglibs-standard-impl-1.2.5.jar;C:/Users/K4N5HA0/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-expression/3.1.2.RELEASE/spring-expression-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-context/3.1.2.RELEASE/spring-context-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-aop/3.1.2.RELEASE/spring-aop-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-tx/3.1.2.RELEASE/spring-tx-3.1.2.RELEASE.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-asm/3.1.2.RELEASE/spring-asm-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/charsets.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-core/3.1.2.RELEASE/spring-core-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/deploy.jar;C:/Users/K4N5HA0/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/access-bridge-64.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/cldrdata.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-beans/3.1.2.RELEASE/spring-beans-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/dnsns.jar;C:/Users/K4N5HA0/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar;C:/Users/K4N5HA0/.m2/repository/org/springframework/spring-jdbc/3.1.2.RELEASE/spring-jdbc-3.1.2.RELEASE.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/jaccess.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/jfxrt.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/tomcat/servlet-api/6.0.32/servlet-api-6.0.32.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/localedata.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/nashorn.jar;C:/Users/K4N5HA0/.m2/repository/javax/servlet/jsp/jsp-api/2.2/jsp-api-2.2.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunec.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunjce_provider.jar;C:/Users/K4N5HA0/.m2/repository/org/jdom/jdom/1.1/jdom-1.1.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunmscapi.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/sunpkcs11.jar;C:/Users/K4N5HA0/.m2/repository/mysql/mysql-connector-java/5.1.6/mysql-connector-java-5.1.6.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okhttp/okhttp/2.7.5/okhttp-2.7.5.jar;C:/Java/jdk1.8.0_281/jre/lib/ext/zipfs.jar;C:/Java/jdk1.8.0_281/jre/lib/javaws.jar;C:/Java/jdk1.8.0_281/jre/lib/jce.jar;C:/Java/jdk1.8.0_281/jre/lib/jfr.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okio/okio/1.12.0/okio-1.12.0.jar;C:/Users/K4N5HA0/.m2/repository/com/squareup/okhttp3/okhttp/3.7.0/okhttp-3.7.0.jar;C:/Java/jdk1.8.0_281/jre/lib/jfxswt.jar;C:/Java/jdk1.8.0_281/jre/lib/jsse.jar;C:/Java/jdk1.8.0_281/jre/lib/management-agent.jar;C:/Users/K4N5HA0/.m2/repository/org/javassist/javassist/3.20.0-GA/javassist-3.20.0-GA.jar;C:/Users/K4N5HA0/.m2/repository/ognl/ognl/3.1.12/ognl-3.1.12.jar;C:/Java/jdk1.8.0_281/jre/lib/plugin.jar;C:/Java/jdk1.8.0_281/jre/lib/resources.jar;C:/Java/jdk1.8.0_281/jre/lib/rt.jar;C:/Users/K4N5HA0/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar;C:/Users/K4N5HA0/.m2/repository/org/apache/httpcomponents/httpcore/4.4/httpcore-4.4.jar;C:/Users/K4N5HA0/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar;C:/Users/K4N5HA0/.m2/repository/commons-codec/commons-codec/1.2/commons-codec-1.2.jar;C:/Users/K4N5HA0/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar;C:/Users/K4N5HA0/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlPolicy.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/OkHttp.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_dom.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_stax.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Deserialization.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Directory1.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpCommonClient.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_sax.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Multipart_mysql.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/WriteFile.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_dom4j.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpClient.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Ognl.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Xxe_jdom.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/CommandEcho.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Log.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Mysql.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/ReadFile.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlException.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/HttpURLConnection.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/MysqlPrepared.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/FileUpload.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/OkHttp3.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/SqlAccess.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Directory2.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/pom.xml"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Command.java"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Body_Xss.java"

1.3) Generate the scan results

"-b"
"vulns-servlet"
"-machine-output"
"-f"
"C:\Java\project\openrasp-testcases\java\vulns-servlet\vulns-servlet.fpr"
"-format"
"fpr"

Clearly, sourceanalyzer.exe simply runs with the arguments from these three txt files.
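As an added example of the software-composition hook mentioned in step 1.2 (this is illustrative code written for this article, not part of the original post and not Fortify's own code), here is a small Python check that reads a build argument file like the captured Build.txt, takes the -cp value, maps every jar that sits in a Maven local repository back to group:artifact:version, and compares those coordinates against an advisory list. The argument-file excerpt and the advisory entries are constructed sample data; a real deployment would feed in a vulnerability database instead.

```python
"""
Added example for the hook described in step 1.2; illustrative code, not
part of the original post and not Fortify's own code.  It parses a
sourceanalyzer argument file, extracts the -cp classpath, derives Maven
coordinates from local-repository jar paths and matches them against an
advisory list.  The argument file excerpt and the advisory list are
constructed sample data.
"""
import re

# Constructed excerpt of a build argument file (one double-quoted token per
# line, as in the Procmon capture); the classpath keeps four jars from the post.
SAMPLE_BUILD_ARGFILE = '''"-b"
"vulns-servlet"
"-machine-output"
"-source"
"1.8"
"-cp"
"C:/Users/K4N5HA0/.m2/repository/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar;C:/Java/jdk1.8.0_281/jre/lib/rt.jar;C:/Users/K4N5HA0/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar;C:/Users/K4N5HA0/.m2/repository/commons-fileupload/commons-fileupload/1.4/commons-fileupload-1.4.jar"
"C:/Java/project/openrasp-testcases/java/vulns-servlet/src/main/java/com/baidu/rasp/Ognl.java"
'''

# Constructed advisory list: (group, artifact) -> affected versions.
# Assumed entries for illustration only, not claims about these libraries.
SAMPLE_ADVISORIES = {
    ("org.apache.commons", "commons-collections4"): {"4.0"},
    ("log4j", "log4j"): {"1.2.17"},
}

# <group path>/<artifact>/<version>/<artifact>-<version>.jar under .m2/repository
_MAVEN_JAR = re.compile(
    r"\.m2/repository/(?P<group>.+?)/(?P<artifact>[^/]+)/(?P<version>[^/]+)"
    r"/(?P=artifact)-(?P=version)\.jar$"
)


def parse_argfile(text):
    """Return the tokens of an argument file, with surrounding quotes removed."""
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]
        tokens.append(line)
    return tokens


def classpath_from_args(tokens):
    """Return the entries of the -cp option (empty list if there is none)."""
    if "-cp" not in tokens:
        return []
    value = tokens[tokens.index("-cp") + 1]
    # Windows classpaths use ';' and carry drive letters, so ':' cannot be the separator there.
    sep = ";" if (";" in value or re.match(r"^[A-Za-z]:[\\/]", value)) else ":"
    return [entry for entry in value.split(sep) if entry]


def maven_coordinates(jar_path):
    """Map a local-repository jar path to (group, artifact, version), else None."""
    match = _MAVEN_JAR.search(jar_path.replace("\\", "/"))
    if not match:
        return None  # JDK jars and loose jars carry no coordinates in their path
    return (match.group("group").replace("/", "."), match.group("artifact"), match.group("version"))


def find_vulnerable(tokens, advisories):
    """Return one record per classpath jar whose coordinates are in the advisory list."""
    hits = []
    for jar in classpath_from_args(tokens):
        coords = maven_coordinates(jar)
        if coords and coords[2] in advisories.get(coords[:2], set()):
            hits.append({"jar": jar, "coordinates": coords})
    return hits


def check_argfile(text, advisories=SAMPLE_ADVISORIES):
    """Convenience wrapper: parse the file and report affected jars."""
    return find_vulnerable(parse_argfile(text), advisories)


if __name__ == "__main__":
    for hit in check_argfile(SAMPLE_BUILD_ARGFILE):
        print("affected dependency on classpath:", ":".join(hit["coordinates"]))
```

Run it against the real Build.txt before step two is launched and abort, or just warn, when it returns any hits. Exact-version sets keep the example short; a production version would evaluate version ranges and also fingerprint jars that do not come from a Maven repository, since those carry no coordinates in their path.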

2) As the screenshot shows, I first deleted sourceanalyzer.exe

At this point you will ask: Procmon showed the exe doing the scan, so how can we still scan after deleting it?

 

3) The secret is this jar

C:\Program Files\Fortify\Fortify_SCA_and_Apps_21.1.2\Core\lib\exe\sca-exe.jar

 

4) Let's launch this jar by hand

If you are sharp, you already see what is going on: the exe is only a launcher for this jar

 

5) Change into the jar's directory and run the commands

The commands from the screenshot are reproduced below; the @file syntax tells sourceanalyzer to read its arguments from that file. Important: the third step adds a -scan parameter

java -jar sca-exe.jar @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletClean.txt

java -jar sca-exe.jar @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletvulns-servletBuild.txt

java -jar sca-exe.jar -scan @C:\Users\K4N5HA0\AppData\Local\Fortify\IntelliJAnalysis-21.1.2\vulns-servlet\vulns-servletScan.txt

Success
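To make the "shell around Fortify" concrete, here is an added example (written for this article; not code from the original post and not Fortify's own) that reproduces the clean / build / scan sequence without IntelliJ: it writes the three argument files itself and assembles the java -jar sca-exe.jar invocations with the @argfile syntax, adding -scan only to the third step. The jar location, file names, build ID and the sample classpath and sources are assumptions for illustration; the UTF-8 JVM option is the one the post recommends later because the bundled JDK defaults to GBK.

```python
"""
Added example, not code from the post or from Fortify: a small driver that
reproduces the clean / build / scan sequence observed with Procmon by
writing the three argument files and invoking sca-exe.jar on each.
The jar path, the argument-file names and all sample inputs are assumptions.
"""
import os
import subprocess
import tempfile
from pathlib import Path

# Assumed location of the jar, taken from the post's install layout.
DEFAULT_SCA_JAR = r"C:\Program Files\Fortify\Fortify_SCA_and_Apps_21.1.2\Core\lib\exe\sca-exe.jar"

# The bundled JDK defaults to GBK and garbles output, so force UTF-8 on every step.
DEFAULT_JVM_OPTS = ["-Dfile.encoding=UTF-8"]


def build_argfiles(build_id, classpath, sources, out_fpr, source_level="1.8"):
    """Return the token lists for the three sourceanalyzer steps.

    Mirrors the three txt files from the capture: -clean, then the translation
    step with -cp and the source files, then the result step with -f/-format.
    """
    return {
        "clean": ["-b", build_id, "-clean"],
        "build": ["-b", build_id, "-machine-output", "-source", source_level,
                  "-build-label", build_id, "-cp", os.pathsep.join(classpath), *sources],
        # -scan itself goes on the command line (step 5 in the post), not into this file.
        "scan": ["-b", build_id, "-machine-output", "-f", out_fpr, "-format", "fpr"],
    }


def write_argfile(path, tokens):
    """Write one token per line, double-quoted, like the captured files."""
    Path(path).write_text("".join(f'"{t}"\n' for t in tokens), encoding="utf-8")
    return str(path)


def java_command(jar, argfile, scan=False, jvm_opts=None):
    """Assemble the java invocation; -scan precedes the @argfile for the scan step."""
    cmd = ["java", *(jvm_opts if jvm_opts is not None else DEFAULT_JVM_OPTS), "-jar", str(jar)]
    if scan:
        cmd.append("-scan")
    cmd.append("@" + str(argfile))
    return cmd


def run_pipeline(build_id, classpath, sources, out_fpr, workdir=None,
                 jar=DEFAULT_SCA_JAR, dry_run=True):
    """Write the three argfiles into workdir and run (or, by default, only return) the commands."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="sca-"))
    steps = build_argfiles(build_id, classpath, sources, out_fpr)
    commands = []
    for name in ("clean", "build", "scan"):
        # File names modelled on the captured ones, e.g. vulns-servletClean.txt
        argfile = write_argfile(workdir / f"{build_id}{name.capitalize()}.txt", steps[name])
        commands.append(java_command(jar, argfile, scan=(name == "scan")))
    if not dry_run:
        for cmd in commands:
            # Run from the jar's directory, as the post does, so it finds its sibling files.
            subprocess.run(cmd, cwd=Path(jar).parent, check=True)
    return commands


if __name__ == "__main__":
    # Constructed sample input; a real run takes the project's classpath and sources.
    for c in run_pipeline("vulns-servlet", ["lib/a.jar", "lib/b.jar"], ["src/Foo.java"], "out.fpr"):
        print(" ".join(c))
```

Pass dry_run=False on a machine with the jar installed to actually run the three steps; the classpath and source list are exactly what the build file needs, so a wrapper only has to collect them from the build system (for Maven, the same jars the captured -cp shows). The --illegal-access=permit option the post adds to the scan run configuration in IDEA can be supplied through jvm_opts on JDK 9 through 16; JDK 17 and later ignore it.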

   

 

Next, let's try some reverse engineering

1) Launch IDEA as administrator (it must be administrator, presumably because the project is opened directly inside the Fortify install under Program Files) and click IDEA's Open button

After IDEA opens it needs time to index the directory; wait patiently, otherwise many buttons stay greyed out

 

2) Next, configure the JDK as shown below

2.1) Click SDKs, then the + sign, and add the JDK bundled with Fortify as in the screenshot

2.2) Click Project and switch to the Fortify-bundled JDK

Then click the OK button at the bottom of that page

 

3) Right now, double-clicking a jar does not show decompiled source, so, as shown below,

right-click the lib directory and choose Add as Library

The dialog below pops up; just click OK

Now, as shown below, double-clicking a class name shows its source

 

4) Next, right-click sca-exe.jar in the exe directory and choose Run

We see the familiar output

Note: as the screenshot shows, the JVM defaults to GBK encoding, which later garbles output during scanning

In the two steps shown below we should force UTF-8 explicitly:

-Dfile.encoding=UTF-8

 

5) Set a breakpoint anywhere and click Debug

It breaks there successfully!

 

With the steps above we can debug Fortify and study how it works

6) Create the three execution steps of a scan

Using the copy button shown below, we can duplicate the run configuration into the three steps

6.1) Let's look at how clean, build and scan are configured

In the scan step, don't forget the -scan parameter and the following JVM option, which permits the reflective access into JDK internals that the scan needs (the option exists on JDK 9 through 16; JDK 17 and later ignore it):

--illegal-access=permit

 

Now we begin a new phase: reverse engineering how Fortify's scan works

After the build step completes, we find files ending in .nst in the folder

Opening one shows that its contents are formatted code metadata

Verbose as it looks, it is clearly designed specifically for code scanning

Then, by tracing, we find a class in SCA that analyzes the NST files (this class has over 10,000 lines; I nearly fell apart)

 

Thanks!
