├── .gitattributes ├── .gitignore ├── README.md ├── apk └── app-debug.apk ├── build.gradle ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── libs ├── soot-infoflow-android-classes.jar ├── soot-infoflow-classes.jar ├── soot-infoflow-cmd-jar-with-dependencies.jar └── soot-infoflow-summaries-classes.jar ├── settings.gradle └── src └── main └── java └── com └── nii └── soot ├── checker ├── EmailSootChecker.java ├── MenifestChecker.java ├── ResourceSootChecker.java ├── UrlSootChecker.java └── ZipVulnChecker.java ├── core ├── BasicChecker.java └── IChecker.java ├── graph └── AndroidFlowDroidGraph.java ├── test └── GenerateZipVulnTest.java └── zip └── GenerateZipVulnTest.java /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows thumbnail cache files 2 | Thumbs.db 3 | ehthumbs.db 4 | ehthumbs_vista.db 5 | 6 | # Folder config file 7 | Desktop.ini 8 | 9 | # Recycle Bin used on file shares 10 | $RECYCLE.BIN/ 11 | 12 | # Windows Installer files 13 | *.cab 14 | *.msi 15 | *.msm 16 | *.msp 17 | 18 | # Windows shortcuts 19 | *.lnk 20 | 21 | # ========================= 22 | # Operating System Files 23 | # ========================= 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 简介 2 | 3 | 使用Soot对Android应用进行静态分析,目前包括 4 | 5 | 6 | - 检测应用中敏感字符串url和email 7 | - 检测应用中风险代码片段 8 | - 检测应用可能存在的漏洞 9 | 10 | ## Soot官方Wiki地址 11 | [https://github.com/Sable/soot/wiki](https://github.com/Sable/soot/wiki) 12 | 13 | [https://github.com/secure-software-engineering/FlowDroid](https://github.com/secure-software-engineering/FlowDroid) 14 | 15 | ## 代码结构 16 | src\main\java\com\nii\soot\checker\UrlSootChecker.java 检测应用中存在的url地址 17 | src\main\java\com\nii\soot\checker\EmailSootChecker.java 检测应用中存在的email地址 18 | src\main\java\com\nii\soot\checker\MenifestChecker.java 解析AndroidManifest.xml 19 | src\main\java\com\nii\soot\checker\ZipVulnChecker.java 检测zip目录遍历漏洞 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /apk/app-debug.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/apk/app-debug.apk -------------------------------------------------------------------------------- /build.gradle: -------------------------------------------------------------------------------- 1 | group 'nii' 2 | version '1.0-SNAPSHOT' 3 | 4 | apply plugin: 'java' 5 | 6 | sourceCompatibility = 1.5 7 | 8 | repositories { 9 | mavenCentral() 10 | } 11 | 12 | dependencies { 13 | compile fileTree(dir: 'libs', include: ['*.jar']) 14 | compile group: 'com.google.code.gson', name: 'gson', version: '2.8.5' 15 | compile group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5' 16 | 17 | testCompile group: 'junit', name: 'junit', version: '4.11' 18 | } 19 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | #Sun Jul 01 15:44:04 CST 2018 2 | distributionBase=GRADLE_USER_HOME 3 | distributionPath=wrapper/dists 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | distributionUrl=https\://services.gradle.org/distributions/gradle-2.13-bin.zip 7 | -------------------------------------------------------------------------------- /gradlew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ############################################################################## 4 | ## 5 | ## Gradle start up script for UN*X 6 | ## 7 | ############################################################################## 8 | 9 | # Attempt to set APP_HOME 10 | # Resolve links: $0 may be a link 11 | PRG="$0" 12 | # Need this for relative symlinks. 13 | while [ -h "$PRG" ] ; do 14 | ls=`ls -ld "$PRG"` 15 | link=`expr "$ls" : '.*-> \(.*\)$'` 16 | if expr "$link" : '/.*' > /dev/null; then 17 | PRG="$link" 18 | else 19 | PRG=`dirname "$PRG"`"/$link" 20 | fi 21 | done 22 | SAVED="`pwd`" 23 | cd "`dirname \"$PRG\"`/" >/dev/null 24 | APP_HOME="`pwd -P`" 25 | cd "$SAVED" >/dev/null 26 | 27 | APP_NAME="Gradle" 28 | APP_BASE_NAME=`basename "$0"` 29 | 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 31 | DEFAULT_JVM_OPTS="" 32 | 33 | # Use the maximum available, or set MAX_FD != -1 to use that value. 34 | MAX_FD="maximum" 35 | 36 | warn ( ) { 37 | echo "$*" 38 | } 39 | 40 | die ( ) { 41 | echo 42 | echo "$*" 43 | echo 44 | exit 1 45 | } 46 | 47 | # OS specific support (must be 'true' or 'false'). 48 | cygwin=false 49 | msys=false 50 | darwin=false 51 | nonstop=false 52 | case "`uname`" in 53 | CYGWIN* ) 54 | cygwin=true 55 | ;; 56 | Darwin* ) 57 | darwin=true 58 | ;; 59 | MINGW* ) 60 | msys=true 61 | ;; 62 | NONSTOP* ) 63 | nonstop=true 64 | ;; 65 | esac 66 | 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 68 | 69 | # Determine the Java command to use to start the JVM. 70 | if [ -n "$JAVA_HOME" ] ; then 71 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 72 | # IBM's JDK on AIX uses strange locations for the executables 73 | JAVACMD="$JAVA_HOME/jre/sh/java" 74 | else 75 | JAVACMD="$JAVA_HOME/bin/java" 76 | fi 77 | if [ ! -x "$JAVACMD" ] ; then 78 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 79 | 80 | Please set the JAVA_HOME variable in your environment to match the 81 | location of your Java installation." 82 | fi 83 | else 84 | JAVACMD="java" 85 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 86 | 87 | Please set the JAVA_HOME variable in your environment to match the 88 | location of your Java installation." 89 | fi 90 | 91 | # Increase the maximum file descriptors if we can. 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 93 | MAX_FD_LIMIT=`ulimit -H -n` 94 | if [ $? -eq 0 ] ; then 95 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 96 | MAX_FD="$MAX_FD_LIMIT" 97 | fi 98 | ulimit -n $MAX_FD 99 | if [ $? -ne 0 ] ; then 100 | warn "Could not set maximum file descriptor limit: $MAX_FD" 101 | fi 102 | else 103 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 104 | fi 105 | fi 106 | 107 | # For Darwin, add options to specify how the application appears in the dock 108 | if $darwin; then 109 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 110 | fi 111 | 112 | # For Cygwin, switch paths to Windows format before running java 113 | if $cygwin ; then 114 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 115 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 116 | JAVACMD=`cygpath --unix "$JAVACMD"` 117 | 118 | # We build the pattern for arguments to be converted via cygpath 119 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 120 | SEP="" 121 | for dir in $ROOTDIRSRAW ; do 122 | ROOTDIRS="$ROOTDIRS$SEP$dir" 123 | SEP="|" 124 | done 125 | OURCYGPATTERN="(^($ROOTDIRS))" 126 | # Add a user-defined pattern to the cygpath arguments 127 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 128 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 129 | fi 130 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 131 | i=0 132 | for arg in "$@" ; do 133 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 134 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 135 | 136 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 137 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 138 | else 139 | eval `echo args$i`="\"$arg\"" 140 | fi 141 | i=$((i+1)) 142 | done 143 | case $i in 144 | (0) set -- ;; 145 | (1) set -- "$args0" ;; 146 | (2) set -- "$args0" "$args1" ;; 147 | (3) set -- "$args0" "$args1" "$args2" ;; 148 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;; 149 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 150 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 151 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 152 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 153 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 154 | esac 155 | fi 156 | 157 | # Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules 158 | function splitJvmOpts() { 159 | JVM_OPTS=("$@") 160 | } 161 | eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS 162 | JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" 163 | 164 | exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" 165 | -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | @if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | set DIRNAME=%~dp0 12 | if "%DIRNAME%" == "" set DIRNAME=. 13 | set APP_BASE_NAME=%~n0 14 | set APP_HOME=%DIRNAME% 15 | 16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 17 | set DEFAULT_JVM_OPTS= 18 | 19 | @rem Find java.exe 20 | if defined JAVA_HOME goto findJavaFromJavaHome 21 | 22 | set JAVA_EXE=java.exe 23 | %JAVA_EXE% -version >NUL 2>&1 24 | if "%ERRORLEVEL%" == "0" goto init 25 | 26 | echo. 27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 28 | echo. 29 | echo Please set the JAVA_HOME variable in your environment to match the 30 | echo location of your Java installation. 31 | 32 | goto fail 33 | 34 | :findJavaFromJavaHome 35 | set JAVA_HOME=%JAVA_HOME:"=% 36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 37 | 38 | if exist "%JAVA_EXE%" goto init 39 | 40 | echo. 41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 42 | echo. 43 | echo Please set the JAVA_HOME variable in your environment to match the 44 | echo location of your Java installation. 45 | 46 | goto fail 47 | 48 | :init 49 | @rem Get command-line arguments, handling Windows variants 50 | 51 | if not "%OS%" == "Windows_NT" goto win9xME_args 52 | if "%@eval[2+2]" == "4" goto 4NT_args 53 | 54 | :win9xME_args 55 | @rem Slurp the command line arguments. 56 | set CMD_LINE_ARGS= 57 | set _SKIP=2 58 | 59 | :win9xME_args_slurp 60 | if "x%~1" == "x" goto execute 61 | 62 | set CMD_LINE_ARGS=%* 63 | goto execute 64 | 65 | :4NT_args 66 | @rem Get arguments from the 4NT Shell from JP Software 67 | set CMD_LINE_ARGS=%$ 68 | 69 | :execute 70 | @rem Setup the command line 71 | 72 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 73 | 74 | @rem Execute Gradle 75 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 76 | 77 | :end 78 | @rem End local scope for the variables with windows NT shell 79 | if "%ERRORLEVEL%"=="0" goto mainEnd 80 | 81 | :fail 82 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 83 | rem the _cmd.exe /c_ return code! 84 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 85 | exit /b 1 86 | 87 | :mainEnd 88 | if "%OS%"=="Windows_NT" endlocal 89 | 90 | :omega 91 | -------------------------------------------------------------------------------- /libs/soot-infoflow-android-classes.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/libs/soot-infoflow-android-classes.jar -------------------------------------------------------------------------------- /libs/soot-infoflow-classes.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/libs/soot-infoflow-classes.jar -------------------------------------------------------------------------------- /libs/soot-infoflow-cmd-jar-with-dependencies.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/libs/soot-infoflow-cmd-jar-with-dependencies.jar -------------------------------------------------------------------------------- /libs/soot-infoflow-summaries-classes.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HelloKittyNII/soot-android-static-analysis/ba3141a0b72dac558aa367f2029ebd60b07afc9b/libs/soot-infoflow-summaries-classes.jar -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'soot' 2 | 3 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/checker/EmailSootChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.checker; 2 | 3 | 4 | import com.nii.soot.core.BasicChecker; 5 | import soot.Scene; 6 | import soot.SootClass; 7 | import soot.SootMethod; 8 | import soot.ValueBox; 9 | 10 | import java.util.List; 11 | import java.util.regex.Matcher; 12 | import java.util.regex.Pattern; 13 | 14 | 15 | /** 16 | * @author wzj 17 | * @create 2018-07-01 16:02 18 | **/ 19 | public class EmailSootChecker extends BasicChecker 20 | { 21 | /** 22 | * 匹配email正则表达式 23 | */ 24 | private String emailReg = "[\\w-.]+@[\\w-]+(.[\\w_-]+)+"; 25 | 26 | /** 27 | * 正则表达式 28 | */ 29 | private Pattern emailPattern = Pattern.compile(emailReg); 30 | 31 | /** 32 | * 检查APK应用中的url 33 | */ 34 | public void checker() 35 | { 36 | //遍历应用中的每一个类 37 | for (SootClass sootClass : Scene.v().getApplicationClasses()) 38 | { 39 | if (isExcludeClass(sootClass)) 40 | { 41 | continue; 42 | } 43 | 44 | //遍历类中的每一个方法 45 | for (SootMethod sootMethod : sootClass.getMethods()) 46 | { 47 | if (!sootMethod.hasActiveBody()) 48 | { 49 | continue; 50 | } 51 | 52 | //遍历方法中的每一行,检查email 53 | List useBoxes = sootMethod.getActiveBody().getUseBoxes(); 54 | for (ValueBox valueBox : useBoxes) 55 | { 56 | String content = valueBox.toString(); 57 | Matcher matcher = emailPattern.matcher(content); 58 | if (!matcher.find()) 59 | { 60 | continue; 61 | } 62 | 63 | System.out.println("*********************************************"); 64 | System.out.println(matcher.group()); 65 | System.out.println(sootClass.getName()); 66 | System.out.println(sootMethod.getSubSignature()); 67 | } 68 | } 69 | } 70 | } 71 | 72 | public static void main(String[] args) 73 | { 74 | new EmailSootChecker().analyze(); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/checker/MenifestChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.checker; 2 | 3 | import org.xmlpull.v1.XmlPullParserException; 4 | import soot.jimple.infoflow.android.manifest.ProcessManifest; 5 | 6 | import java.io.IOException; 7 | 8 | /** 9 | * @author wzj 10 | * @create 2018-07-06 21:11 11 | **/ 12 | public class MenifestChecker 13 | { 14 | /** 15 | * apk路径 16 | */ 17 | private static String apkPath = "H:\\JAVA\\Soot\\apk\\clock.apk"; 18 | 19 | public static void main(String[] args) throws IOException, XmlPullParserException 20 | { 21 | ProcessManifest processManifest = new ProcessManifest(apkPath); 22 | 23 | //获取包名 24 | System.out.println(processManifest.getManifest().getAttribute("package")); 25 | 26 | System.out.println(processManifest.getPermissions()); 27 | System.out.println(processManifest.getActivities()); 28 | System.out.println(processManifest.getServices()); 29 | System.out.println(processManifest.getProviders()); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/checker/ResourceSootChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.checker; 2 | 3 | import com.nii.soot.core.BasicChecker; 4 | import soot.jimple.infoflow.android.resources.ARSCFileParser; 5 | 6 | import java.io.IOException; 7 | import java.util.Collection; 8 | import java.util.Map; 9 | 10 | /** 11 | * @author wzj 12 | * @create 2018-07-01 21:45 13 | **/ 14 | public class ResourceSootChecker 15 | { 16 | /** 17 | * apk路径 18 | */ 19 | private static String apkPath = "H:\\JAVA\\Soot\\apk\\app-debug.apk"; 20 | 21 | public static void main(String[] args) throws IOException 22 | { 23 | ARSCFileParser arscFileParser = new ARSCFileParser(); 24 | arscFileParser.parse(apkPath); 25 | Map globalStringPoolMap = arscFileParser.getGlobalStringPool(); 26 | 27 | // Map stringTable = arscFileParser.stringTable; 28 | for (Map.Entry entry : globalStringPoolMap.entrySet()) 29 | { 30 | if (entry.getValue().startsWith("res/")) 31 | { 32 | continue; 33 | } 34 | 35 | System.out.println(entry.getValue()); 36 | } 37 | } 38 | 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/checker/UrlSootChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.checker; 2 | 3 | 4 | import com.nii.soot.core.BasicChecker; 5 | import soot.Scene; 6 | import soot.SootClass; 7 | import soot.SootMethod; 8 | import soot.ValueBox; 9 | 10 | import java.util.List; 11 | import java.util.regex.Matcher; 12 | import java.util.regex.Pattern; 13 | 14 | 15 | /** 16 | * @author wzj 17 | * @create 2018-07-01 16:02 18 | **/ 19 | public class UrlSootChecker extends BasicChecker 20 | { 21 | /** 22 | * 匹配url正则表达式 23 | */ 24 | private String urlReg = "(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]+[-A-Za-z0-9+&@#/%=~_|]"; 25 | 26 | /** 27 | * 正则表达式 28 | */ 29 | private Pattern pattern = Pattern.compile(urlReg); 30 | 31 | /** 32 | * 检查APK应用中的url 33 | */ 34 | public void checker() 35 | { 36 | //遍历应用中的每一个类 37 | for (SootClass sootClass : Scene.v().getApplicationClasses()) 38 | { 39 | if (isExcludeClass(sootClass)) 40 | { 41 | continue; 42 | } 43 | 44 | //遍历类中的每一个方法 45 | for (SootMethod sootMethod : sootClass.getMethods()) 46 | { 47 | if (!sootMethod.hasActiveBody()) 48 | { 49 | continue; 50 | } 51 | 52 | //遍历方法中的每一行,检查url 53 | List useBoxes = sootMethod.getActiveBody().getUseBoxes(); 54 | for (ValueBox valueBox : useBoxes) 55 | { 56 | String content = valueBox.toString(); 57 | Matcher matcher = pattern.matcher(content); 58 | if (!matcher.find()) 59 | { 60 | continue; 61 | } 62 | 63 | System.out.println("*********************************************"); 64 | System.out.println(matcher.group()); 65 | System.out.println(sootClass.getName()); 66 | System.out.println(sootMethod.getSubSignature()); 67 | } 68 | } 69 | } 70 | } 71 | 72 | public static void main(String[] args) 73 | { 74 | new UrlSootChecker().analyze(); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/checker/ZipVulnChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.checker; 2 | 3 | import com.nii.soot.core.BasicChecker; 4 | import soot.*; 5 | import soot.jimple.InvokeExpr; 6 | import soot.jimple.Stmt; 7 | import soot.jimple.StringConstant; 8 | 9 | import java.util.ArrayList; 10 | import java.util.List; 11 | 12 | /** 13 | * zip目录遍历攻击检测 14 | * 15 | * @author wzj 16 | * @create 2018-07-04 21:54 17 | **/ 18 | public class ZipVulnChecker extends BasicChecker 19 | { 20 | /** 21 | * ZipEntry 的getName()方法签名 22 | */ 23 | private static final String ENTRY_GET_NAME_SIGNATURE = ""; 24 | 25 | /** 26 | * ZipEntry类 27 | */ 28 | private static final String ENTRY_CLASS = "java.util.zip.ZipEntry"; 29 | 30 | /** 31 | * getCanonicalPath()方法签名 32 | */ 33 | private static final String GET_CANONICAL_FILE_SIGNATURE = ""; 34 | 35 | /** 36 | * contains方法签名 37 | */ 38 | private static final String CONTAINS_SIGNATURE = ""; 39 | 40 | /** 41 | * 具体的检测方法 42 | */ 43 | public void checker() 44 | { 45 | for (SootClass sootClass : Scene.v().getApplicationClasses()) 46 | { 47 | //判断是否是虚方法,是否是否是接口 48 | if (sootClass.isPhantom() || sootClass.isInterface() || isExcludeClass(sootClass)) 49 | { 50 | continue; 51 | } 52 | 53 | for (SootMethod sootMethod : sootClass.getMethods()) 54 | { 55 | if (!sootMethod.hasActiveBody()) 56 | { 57 | continue; 58 | } 59 | 60 | //判断是否含有ZipEntry类 61 | if (!isContainZipEntryClass(sootMethod.getActiveBody())) 62 | { 63 | continue; 64 | } 65 | 66 | checkZipVuln(sootClass,sootMethod); 67 | } 68 | } 69 | } 70 | 71 | private boolean isContainZipEntryClass(Body body) 72 | { 73 | List localList = new ArrayList(); 74 | localList.addAll(body.getLocals()); 75 | localList.addAll(body.getParameterLocals()); 76 | 77 | for (Local local : localList) 78 | { 79 | if (ENTRY_CLASS.equals(local.getType().toString())) 80 | { 81 | return true; 82 | } 83 | } 84 | 85 | return false; 86 | } 87 | 88 | /** 89 | * 检测是否有zip遍历漏洞,判断规则为: 90 | * 如果调用了getName()方法获取解压文件路径,如果接下来有如下一种判断则认为没有漏洞 91 | * 1、调用了File的getCanonicalFile()方法获取绝对路径 92 | * 2、判断该路径是否包含 .. 字符串 93 | * 94 | * @param sootClass sootClass 95 | * @param sootMethod sootMethod 96 | */ 97 | private void checkZipVuln(SootClass sootClass, SootMethod sootMethod) 98 | { 99 | Body body = sootMethod.getActiveBody(); 100 | Stmt targetStmt = null; 101 | 102 | //是否找到了getName() api 103 | boolean isFindGetNameApi = false; 104 | 105 | //是否有漏洞 106 | boolean isZipVul = true; 107 | 108 | for (Unit unit : body.getUnits()) 109 | { 110 | Stmt stmt = (Stmt) unit; 111 | 112 | //判断是否是一条调用语句 113 | if (!stmt.containsInvokeExpr()) 114 | { 115 | continue; 116 | } 117 | 118 | //获取调用语句的方法签名 119 | String methodSignature = stmt.getInvokeExpr().getMethod().getSignature(); 120 | if (ENTRY_GET_NAME_SIGNATURE.equals(methodSignature)) 121 | { 122 | isFindGetNameApi = true; 123 | targetStmt = stmt; 124 | } 125 | 126 | if (isFindGetNameApi) 127 | { 128 | //判断是否调用File的getCanonicalFile()方法 129 | if (GET_CANONICAL_FILE_SIGNATURE.equals(methodSignature)) 130 | { 131 | isZipVul = false; 132 | break; 133 | } 134 | 135 | //判断是否调用了contains方法,并且第一个参数值为 .. 136 | if (CONTAINS_SIGNATURE.equals(methodSignature)) 137 | { 138 | InvokeExpr invokeExpr = stmt.getInvokeExpr(); 139 | Value value = invokeExpr.getArg(0); 140 | if (value instanceof StringConstant && ((StringConstant) value).value.startsWith("..")) 141 | { 142 | isZipVul = false; 143 | break; 144 | } 145 | } 146 | } 147 | } 148 | 149 | if (isFindGetNameApi && isZipVul) 150 | { 151 | System.out.println("***************************************"); 152 | System.out.println("This apk has zip vulnerability"); 153 | System.out.println(sootClass.getName()); 154 | System.out.println(sootMethod.getSubSignature()); 155 | System.out.println(targetStmt.getJavaSourceStartLineNumber()); 156 | } 157 | } 158 | 159 | public static void main(String[] args) 160 | { 161 | new ZipVulnChecker().analyze(); 162 | } 163 | } 164 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/core/BasicChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.core; 2 | 3 | import soot.PackManager; 4 | import soot.Scene; 5 | import soot.SootClass; 6 | import soot.options.Options; 7 | 8 | import java.util.ArrayList; 9 | import java.util.List; 10 | 11 | /** 12 | * 应用检查的基础类 13 | * @author wzj 14 | * @create 2018-07-01 16:35 15 | **/ 16 | public abstract class BasicChecker implements IChecker 17 | { 18 | /** 19 | * 检查的时候,要排除的包名 20 | */ 21 | protected static List excludePackagesList = new ArrayList(); 22 | 23 | /** 24 | * apk路径 25 | */ 26 | protected String apkPath = "H:\\JAVA\\Soot\\apk\\app-debug.apk"; 27 | 28 | /** 29 | * android jar路径 30 | */ 31 | protected String jarsPath = "D:\\AndroidSDK\\platforms"; 32 | 33 | static 34 | { 35 | excludePackagesList.add("java."); 36 | excludePackagesList.add("android."); 37 | excludePackagesList.add("javax."); 38 | excludePackagesList.add("android.support."); 39 | excludePackagesList.add("sun."); 40 | excludePackagesList.add("com.google."); 41 | } 42 | 43 | /** 44 | * 初始化soot配置 45 | */ 46 | private void initSootConfig() 47 | { 48 | Options.v().set_src_prec(Options.src_prec_apk); 49 | Options.v().set_output_format(Options.output_format_jimple); 50 | String androidJarPath = Scene.v().getAndroidJarPath(jarsPath, apkPath); 51 | 52 | List pathList = new ArrayList(); 53 | pathList.add(apkPath); 54 | pathList.add(androidJarPath); 55 | 56 | Options.v().set_process_dir(pathList); 57 | Options.v().set_force_android_jar(androidJarPath); 58 | Options.v().set_keep_line_number(true); 59 | Options.v().set_process_multiple_dex(true); 60 | 61 | Options.v().set_wrong_staticness(Options.wrong_staticness_ignore); 62 | Options.v().set_exclude(excludePackagesList); 63 | 64 | Scene.v().loadNecessaryClasses(); 65 | PackManager.v().runPacks(); 66 | } 67 | 68 | /** 69 | * 是否是例外的包名 70 | * @param sootClass 当前的类 71 | * @return 检查结果 72 | */ 73 | protected boolean isExcludeClass(SootClass sootClass) 74 | { 75 | if (sootClass.isPhantom()) 76 | { 77 | return true; 78 | } 79 | 80 | String packageName = sootClass.getPackageName(); 81 | for (String exclude : excludePackagesList) 82 | { 83 | if (packageName.startsWith(exclude)) 84 | { 85 | return true; 86 | } 87 | } 88 | 89 | return false; 90 | } 91 | 92 | /** 93 | * 分析 94 | */ 95 | public void analyze() 96 | { 97 | initSootConfig(); 98 | checker(); 99 | } 100 | } 101 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/core/IChecker.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.core; 2 | 3 | /** 4 | * 应用检查接口 5 | * @author wzj 6 | * @create 2018-07-01 16:52 7 | **/ 8 | public interface IChecker 9 | { 10 | void checker(); 11 | } 12 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/graph/AndroidFlowDroidGraph.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.graph; 2 | 3 | import soot.Scene; 4 | import soot.jimple.infoflow.InfoflowConfiguration; 5 | import soot.jimple.infoflow.android.InfoflowAndroidConfiguration; 6 | import soot.jimple.infoflow.android.SetupApplication; 7 | import soot.jimple.toolkits.callgraph.CallGraph; 8 | 9 | /** 10 | * 获取android应用控制流图 11 | * @author wzj 12 | * @create 2018-07-01 21:20 13 | **/ 14 | public class AndroidFlowDroidGraph 15 | { 16 | /** 17 | * apk路径 18 | */ 19 | private String apkPath = "H:\\JAVA\\Soot\\apk\\app-debug.apk"; 20 | 21 | /** 22 | * android jar路径 23 | */ 24 | private String jarsPath = "D:\\AndroidSDK\\platforms"; 25 | 26 | /** 27 | * 文件一定要有,可以为空 28 | */ 29 | private String androidCallbackPath = "H:\\JAVA\\Soot\\conf\\AndroidCallbacks.txt"; 30 | 31 | 32 | public static void main(String[] args) 33 | { 34 | //初始化soot配置 35 | new AndroidFlowDroidGraph().initSootConfig(); 36 | 37 | CallGraph callGraph = Scene.v().getCallGraph(); 38 | System.out.println(callGraph); 39 | } 40 | 41 | private SetupApplication initSootConfig() 42 | { 43 | String androidJarPath = Scene.v().getAndroidJarPath(jarsPath, apkPath); 44 | SetupApplication setupApplication = new SetupApplication(androidJarPath, apkPath); 45 | InfoflowAndroidConfiguration config = setupApplication.getConfig(); 46 | config.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK); 47 | setupApplication.setCallbackFile(androidCallbackPath); 48 | 49 | //构建控制流图,比较耗时 50 | setupApplication.constructCallgraph(); 51 | 52 | return setupApplication; 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/test/GenerateZipVulnTest.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.test; 2 | 3 | import java.io.*; 4 | import java.util.ArrayList; 5 | import java.util.List; 6 | import java.util.zip.ZipEntry; 7 | import java.util.zip.ZipOutputStream; 8 | 9 | /** 10 | * 生成zip目录遍历攻击包 11 | * @author wzj 12 | * @create 2018-07-07 22:13 13 | **/ 14 | public class GenerateZipVulnTest 15 | { 16 | public static void main(String[] args) throws IOException 17 | { 18 | List filePathList = new ArrayList(); 19 | filePathList.add("C:\\Users\\wzj\\Desktop\\ww\\1.txt"); 20 | filePathList.add("C:\\Users\\wzj\\Desktop\\ww\\2.txt"); 21 | generateZip("C:\\Users\\wzj\\Desktop\\ww\\test.zip",filePathList); 22 | } 23 | 24 | /** 25 | * 生成zip目录遍历攻击压缩包 26 | * @param zipPath zip目录 27 | * @param filePathList 要压缩的文件列表 28 | */ 29 | public static void generateZip(String zipPath,List filePathList) throws IOException 30 | { 31 | OutputStream outputStream = new FileOutputStream(new File(zipPath)); 32 | ZipOutputStream zipOutputStream = new ZipOutputStream(outputStream); 33 | byte[] buffer = new byte[1024]; 34 | 35 | for (String filePath : filePathList) 36 | { 37 | FileInputStream fileInputStream = new FileInputStream(filePath); 38 | zipOutputStream.putNextEntry(new ZipEntry("../../" + filePath)); 39 | 40 | int len = 0; 41 | while ((len = fileInputStream.read(buffer)) != -1) 42 | { 43 | zipOutputStream.write(buffer,0,len); 44 | } 45 | 46 | zipOutputStream.closeEntry(); 47 | fileInputStream.close(); 48 | } 49 | 50 | zipOutputStream.close(); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/main/java/com/nii/soot/zip/GenerateZipVulnTest.java: -------------------------------------------------------------------------------- 1 | package com.nii.soot.zip; 2 | 3 | import java.io.*; 4 | import java.util.ArrayList; 5 | import java.util.List; 6 | import java.util.zip.ZipEntry; 7 | import java.util.zip.ZipOutputStream; 8 | 9 | /** 10 | * 生成zip漏洞的测试类 11 | * 12 | * @author wzj 13 | * @create 2018-07-04 22:39 14 | **/ 15 | public class GenerateZipVulnTest 16 | { 17 | public static void main(String[] args) throws IOException 18 | { 19 | List fileList = new ArrayList(); 20 | fileList.add("C:\\Users\\wzj\\Desktop\\test\\1.txt"); 21 | 22 | FileOutputStream fileOutputStream = new FileOutputStream(new File("C:\\Users\\wzj\\Desktop\\test\\test.zip")); 23 | 24 | generateZip(fileOutputStream,fileList); 25 | } 26 | 27 | 28 | public static void generateZip(OutputStream outputStream, List fileList) throws IOException 29 | { 30 | ZipOutputStream zipOutputStream = null; 31 | 32 | byte[] buffer = new byte[1024]; 33 | zipOutputStream = new ZipOutputStream(outputStream); 34 | 35 | for (String file : fileList) 36 | { 37 | FileInputStream inputStream = new FileInputStream(new File(file)); 38 | zipOutputStream.putNextEntry(new ZipEntry("../../a.txt")); 39 | 40 | int len = 0; 41 | while ((len = inputStream.read(buffer)) != -1) 42 | { 43 | outputStream.write(buffer, 0, len); 44 | } 45 | 46 | zipOutputStream.flush(); 47 | zipOutputStream.closeEntry(); 48 | inputStream.close(); 49 | } 50 | } 51 | } 52 | --------------------------------------------------------------------------------