Notes on Using MobSF for Android Static Analysis
 
 
2020-11-20 
 
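Editor's recommendation:
This article first covers setting up the environment, then MobSF static analysis, then an analysis of the source code and how it works, and finally summarizes the whole piece.
This article comes from maxwell-nc.github.io and was edited and recommended by Anna of Huolongguo Software (火龙果软件).

Preface

I had previously used some third-party static analysis tools. For work reasons I came across the open-source mobile app security framework MobileSecurityFramework, and after some tinkering I decided to write a blog post to record what I learned.

Setting Up the Environment

This article sets up an Android app static analysis environment on Windows. The first step is to pull a copy of the source code from GitHub. Because the framework is written in Python and needs to decompile APKs, the required environment is:

Python 2.7 (3.x cannot be used; I have not tried versions below 2.7)

Oracle JDK 1.7+

MobSF source code

That is the environment needed for static analysis. The official documentation also recommends setting it up in a virtual machine, otherwise there are security issues; since this is only a trial, I am not using a virtual machine here.

After getting the source code, extract it to a directory, open CMD in that directory, and enter the command: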

py -2 -m pip install -r requirements.txt

Note that I have both Python 2.x and 3.x installed, so I use the py launcher to select the version. If you only have Python 2.x, you can simply use:

pip install -r requirements.txt

Here requirements.txt lists the Python dependencies needed to run MobSF. Once installation finishes, the next step is to start the MobSF server by entering on the command line:

python manage.py runserver

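Again, mind the Python version. The first time the server starts it automatically installs the things the server needs, mainly nuget, binskim, binscope and so on. Users in mainland China should configure a proxy, otherwise it may hang.

Note: if the first installation fails and you accidentally exit, you can go into the install directory and run setup.py to install manually, then run the runserver command. After installation an auto-start bat file is generated; from the source code you can see that it simply runs rpc_client.py.

If everything goes well, you will see Django start successfully:

The port Django listens on can be changed by passing a startup argument, for example: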

python manage.py runserver 8100

Then open a browser and enter the address, for example http://127.0.0.1:8000/ for the default port. I ran into the following problem (you may see the success screen right away, in which case congratulations):

If, like me, you see "Don't Play Around. An Error just popped in!", run the following and then restart the server:

python manage.py migrate
python manage.py makemigrations

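Note that this method applies only when the cause is "no such table: StaticAnalyzer_staticanalyzerandroid". Once it succeeds, you will see the MobSF interface:

That completes the setup. Errors may of course still occur when uploading an app file, and those you will have to work out yourself.

MobSF Static Analysis

Static analysis with MobSF is very simple: upload an APK and wait for the server to unpack it, decompile it and produce the analysis results. However, after using it several times I found that the framework is quite likely to get stuck at MalwareAnalyzer, possibly because of an online check; I did not look into it. If you interrupt the operation, the next run unpacks and analyzes everything again, which is very time-consuming. If all goes well, you will see the analysis report page:

This analysis report is best treated as "for reference only". Take the PERMISSION check: an app that contains android.permission.INTERNET is labelled Dangerous (the source code is analyzed later), which is rather puzzling. After all, every networked app uses this permission, so wouldn't that make every app dangerous?

As for the ISSUEs under Code Analysis, one of them, "App can read/write to External Storage. Any App can read data written to External Storage.", also has a SEVERITY of High. It really only warns you that other apps might tamper with the data, not that you must not use external storage, so as soon as you call an external storage API this issue is bound to be reported (embarrassing).

Source Code and How It Works

Because the analysis results above are somewhat baffling and do not indicate where the problem is located, the only option is to start from the source code and work out how it operates. The source tree is laid out very clearly; since we are using static analysis, we can go straight to the StaticAnalyzer directory.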

├─test_files
├─tools
│  ├─apkid
│  │  └─rules
│  ├─d2j2
│  │  └─lib
│  ├─enjarify
│  │  ├─enjarify
│  │  │  ├─jvm
│  │  │  │  ├─constants
│  │  │  │  └─optimizatio
│  │  │  └─typeinference
│  │  └─tests
│  └─mac
└─views
   ├─android
   └─ios

 

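Printing the tree of the StaticAnalyzer directory gives a rough picture: migrations holds the migration files, test_files holds files for testing the static analysis, tools holds tools for decompiling and so on, and views is the analysis source code we are looking for. Going straight to the StaticAnalyzer\views\android directory, the source for each analysis is quickly found (the module names are very clear). For example, to look into the permission problem described above, dvm_permissions.py stands out at a glance; opening it shows it is just a dictionary mapping each permission to a status value, a description and other information: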

"INTERNET": ["dangerous", "full Internet access", "Allows an application to create network sockets."]

Õ⻹²»ÄÜ˵Ã÷ʲô£¬ÎÒÃÇ¿ÉÒÔ¼ÌÐø·¢ÏÖmanifest_analysis.pyÎļþÖе¼ÈëÁËdvm_permissions£¬ÆäÖдúÂëÖУº

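...
# Collect the android:name attribute of each permission node
for permission in permissions:
    perm.append(permission.getAttribute("android:name"))

for i in perm:
    prm = i
    pos = i.rfind(".")
    if pos != -1:
        # Keep only the part after the last dot, e.g. "INTERNET"
        prm = i[pos + 1:]
    try:
        dvm_perm[i] = DVM_PERMISSIONS["MANIFEST_PERMISSION"][prm]
    except KeyError:
        # A permission missing from the dictionary is also labelled dangerous
        dvm_perm[i] = [
            "dangerous",
            "Unknown permission from android reference",
            "Unknown permission from android reference"
        ]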

 

As you can see, the permission check is decided directly by the dictionary defined in dvm_permissions.py, with no further rules applied.

Next, let's look at how the Code Analysis ISSUE "The App uses an insecure Random Number Generator." is determined. In the same way, we can find the code_analysis.py file and analyze it directly. First, there is a dictionary entry describing the issue:

'rand':('The App uses an insecure Random Number Generator.'),

Then, searching for the key 'rand', we find:

# Pick the Java source root according to the kind of upload
if typ == "apk":
    java_src = os.path.join(app_dir, 'java_source/')
elif typ == "studio":
    java_src = os.path.join(app_dir, 'app/src/main/java/')
elif typ == "eclipse":
    java_src = os.path.join(app_dir, 'src/')
...
dat = file_pointer.read()
...
# Any textual match in the file records that file under 'rand'
if re.findall(r'java\.util\.Random', dat):
    code['rand'].append(jfile_path.replace(java_src,''))

 

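This means the issue is reported whenever the java.util.Random class is used. In fact, even java.security.SecureRandom carries security risks, so this kind of issue is rather hard to deal with. However, if the random numbers are not security-related (for example, giving a user a random nickname that is not used as a unique identifier), using it does no harm; I will not go into that here.

Many of the other checks work on much the same principle. If you often need a particular check, you can also copy that part of the source out into a standalone detection tool, so you do not have to run a full analysis every time just to get the result.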
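
Following the suggestion above to pull one check out into its own tool, this added example (not MobSF's code and not from the original post) wraps the quoted java\.util\.Random pattern in a standalone scanner and adds line numbers and third-party exclusion. The sample Java sources, package paths, function names and the stricter word-boundary pattern are assumptions made for illustration.

```python
import re

# Pattern quoted on this page from MobSF's code_analysis.py.
MOBSF_RAND = re.compile(r'java\.util\.Random')
# Assumption (not MobSF's rule): word boundaries stop java.util.RandomAccess matching.
STRICT_RAND = re.compile(r'\bjava\.util\.Random\b')

# Constructed sample sources keyed by path relative to java_source/.
SAMPLES = {
    "com/example/app/Nickname.java": (
        "package com.example.app;\n"
        "import java.util.Random;\n"
        "class Nickname { int pick() { return new Random().nextInt(100); } }\n"
    ),
    "com/example/app/Cache.java": (
        "package com.example.app;\n"
        "// never use java.util.Random for tokens\n"
        "import java.util.RandomAccess;\n"
        "import java.security.SecureRandom;\n"
    ),
    "com/thirdparty/sdk/Util.java": (
        "package com.thirdparty.sdk;\n"
        "import java.util.Random;\n"
    ),
}

def file_level_hits(sources, pattern=MOBSF_RAND):
    """Same decision as the quoted check: any match anywhere flags the file."""
    return sorted(path for path, text in sources.items() if pattern.search(text))

def line_level_hits(sources, exclude_prefixes=(), pattern=STRICT_RAND):
    """Return (path, line_no, line) per match, skipping excluded paths and comments."""
    findings = []
    for path in sorted(sources):
        if path.startswith(tuple(exclude_prefixes)):
            continue  # e.g. bundled third-party SDK packages
        for no, line in enumerate(sources[path].splitlines(), 1):
            stripped = line.strip()
            if stripped.startswith(("//", "/*", "*")):
                continue  # comment-only line
            if pattern.search(stripped):
                findings.append((path, no, stripped))
    return findings

if __name__ == "__main__":
    print("file-level (quoted rule):", file_level_hits(SAMPLES))
    for hit in line_level_hits(SAMPLES, exclude_prefixes=("com/thirdparty/",)):
        print("line-level: %s:%d: %s" % hit)
```

On the constructed input the quoted pattern flags all three files, including Cache.java, which only mentions the class in a comment and imports java.util.RandomAccess; the line-level scan reports a single first-party location.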

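Epilogue

After using it I was quite disappointed; many features are missing, for example:

No support for excluding third-party code

No support for showing the line number or location of a problem

No support for Mapping

No support for custom rules

No support for marking issues as handled

In many cases this framework is used by having a programmer set up a server for developers or non-developers to run checks on. If a report full of Dangerous and High SEVERITY entries is handed to non-technical staff, and, more importantly, those entries cannot be removed no matter what you change, it will surely take quite a while to explain. So I personally do not much recommend this framework for non-technical users.

Of course, the framework is still in Beta and its version number has not reached 1.0. I only used its static analysis; it also has dynamic analysis and more. Overall it is a very good tool, but it is not yet mature enough, and we look forward to seeing it develop further. Custom rules in particular I hope can be split out on their own, so that more of the open-source community can maintain and enhance it.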

   