
Make rule writing and debugging easier #59

Open: wants to merge 5 commits into base: main

Conversation

firmianay (Contributor)

Allow debugging multiple rules; when "all" is specified, all rules are debugged.


firmianay (Contributor, Author) commented Nov 8, 2023

A few other questions:

1. The libraries defined in EngineConfig.json5 do not seem to be excluded when soot is initialized? What is the difference between IgnoreList and Library?
2. I found flowdroid's approach; how about copying its excludeList over?
3. When I call PackManager.v().writeOutput(), it still outputs the libraries that have already been passed to set_exclude. Is there a way to reduce the output?

```json5
  IgnoreList: {
    "PackageName": [
      "com.meituan.robust",
      "kotlin.jvm.internal.Intrinsics",
      "com.bytedance.frameworks.apm.trace.MethodCollector"
    ],
    "MethodName": [],
    "MethodSignature": []
  },
  Library: {
    "Package": [
      "java.",
      "sun.",
      "javax.",
```

```kotlin
    fun setExclude() {
        // reduce time
        val excludeList = ArrayList<String>()
        excludeList.add("java.*")
        excludeList.add("org.*")
        excludeList.add("sun.*")
        // excludeList.add("android.*")
        // excludeList.add("androidx.*")
        Options.v().set_exclude(excludeList)
        // do not load bodies for classes in the exclude list
        Options.v().set_no_bodies_for_excluded(true)
    }
```

nkbai (Collaborator) commented Nov 8, 2023

> Allow debugging multiple rules; when "all" is specified, all rules are debugged.

I don't recommend debugging multiple rules. When a rule is debugged, the points-to relation table and the data-flow relation table are written out to files:

  1. These two files can be very large.
  2. Their names are fixed.

So debugging multiple rules at once doesn't make much sense.

nkbai (Collaborator) commented Nov 8, 2023

> A few other questions: 1. The libraries defined in EngineConfig.json5 do not seem to be excluded when soot is initialized? What is the difference between IgnoreList and Library? 2. I found flowdroid's approach; how about copying its excludeList over? 3. When I call PackManager.v().writeOutput(), it still outputs the libraries that have already been passed to set_exclude. Is there a way to reduce the output?


These lists are mainly used during SSA generation, to avoid processing that code, and also to keep the pointer analysis from analysing it.
The time soot spends loading classes is negligible compared with the total run time.

firmianay (Contributor, Author) commented Nov 8, 2023

> I don't recommend debugging multiple rules. When a rule is debugged, the points-to relation table and the data-flow relation table are written out to files:
>
>   1. These two files can be very large.
>   2. Their names are fixed.
>
> So debugging multiple rules at once doesn't make much sense.

The fixed names are not a problem; this is only an enhancement of the existing feature: each rule writes its output to its own subdirectory.

The use case is this: appshark runs on a server with several hundred test samples, and I want to run all rules on each apk in one go and keep all the debug information. Large files don't matter; the next morning I just pull the data down and analyse it.

What is still unsolved is the second commit: dumping the jimple so that, when writing method signatures, you can compare against it, for example to see why a given chain is broken. That dump really is very large, so I wanted to exclude the libraries, and set_exclude does not seem to do it. Looking at soot's code, writeOutput() actually prints applicationClasses (the writeOutput overload that takes a parameter is protected and cannot be called directly), so I'd like to ask about this:

```java
  public void writeOutput() {
    switch (Options.v().output_format()) {
      default:
        writeOutput(reachableClasses());
    }
  }

  protected void writeOutput(Iterator<SootClass> classes) {...}

  private Iterator<SootClass> reachableClasses() {
    return Scene.v().getApplicationClasses().snapshotIterator();
  }

  /**
   * Returns a chain of the application classes in this scene. These classes are the ones which can be freely analysed &
   * modified.
   */
  public Chain<SootClass> getApplicationClasses() {
    return applicationClasses;
  }
```

Update: I found that setLibraryClass() seems to remove a class from applicationClasses and put it into libraryClasses. I just don't know whether that affects the subsequent analysis...

```java
  /** Makes this class a library class. */
  public void setLibraryClass() {
    if (isLibraryClass()) {
      return;
    }
    Chain<SootClass> c = Scene.v().getContainingChain(this);
    if (c != null) {
      c.remove(this);
    }
    Scene.v().getLibraryClasses().add(this);

    isPhantom = false;
  }

  Chain<SootClass> getContainingChain(SootClass c) {
    if (c.isApplicationClass()) {
      return getApplicationClasses();
    } else if (c.isLibraryClass()) {
      return getLibraryClasses();
    } else if (c.isPhantomClass()) {
      return getPhantomClasses();
    } else {
      return null;
    }
  }
```
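The setLibraryClass() idea from the update above, written out as an added Kotlin example (not code from this PR or from appshark): it demotes application classes whose names start with a library prefix right before the Jimple dump, so that PackManager.writeOutput(), which only walks applicationClasses, skips them. The prefix list is constructed here from the Library.Package entries quoted earlier in the thread; in a real run it would come from EngineConfig.json5. The concern raised above (does demotion affect later analysis?) is sidestepped by calling this only after all analysis packs have finished, since the Scene is mutated.

```kotlin
import soot.PackManager
import soot.Scene
import soot.SootClass
import soot.options.Options

// Constructed for this example from the Library.Package prefixes quoted in the thread.
val libraryPrefixes: List<String> = listOf("java.", "sun.", "javax.")

/**
 * Moves every application class whose name starts with one of [prefixes]
 * from Scene.applicationClasses into Scene.libraryClasses.
 * Returns the names of the demoted classes so the caller can log them.
 */
fun demoteLibraryClasses(prefixes: List<String>): List<String> {
    val demoted = ArrayList<String>()
    // snapshotIterator(): setLibraryClass() removes from the chain we are walking,
    // so iterate over a snapshot rather than the live chain.
    val iter = Scene.v().applicationClasses.snapshotIterator()
    while (iter.hasNext()) {
        val sc: SootClass = iter.next()
        if (prefixes.any { sc.name.startsWith(it) }) {
            sc.setLibraryClass() // removes from applicationClasses, adds to libraryClasses
            demoted.add(sc.name)
        }
    }
    return demoted
}

/**
 * Dumps Jimple for the remaining application classes only. Call this after
 * the analysis has run, because the demotion changes Scene state.
 * [outputDir] is an assumed per-rule subdirectory (e.g. debug/<ruleName>/jimple).
 */
fun dumpApplicationJimple(outputDir: String): List<String> {
    Options.v().set_output_format(Options.output_format_jimple)
    Options.v().set_output_dir(outputDir)
    val demoted = demoteLibraryClasses(libraryPrefixes)
    PackManager.v().writeOutput() // now visits only the non-library application classes
    return demoted
}
```

Because set_exclude only controls which bodies soot loads and not which chain a class ends up in, filtering the chain itself is what actually shrinks the dump; keeping the demotion to the very end of the run keeps the rule results identical to an unfiltered run.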

firmianay changed the title from "allows multiple debugRule" to "Make rule writing and debugging easier" on Nov 9, 2023
nkbai (Collaborator) commented Nov 10, 2023

> What is the difference between IgnoreList and Library?

IgnoreList is mainly for code like robust that shows up everywhere; during pointer analysis it is ignored outright, as if those calls did not exist.
Library means the callee is treated as a library function: the analysis does not step into it and no SSA is generated for it.

firmianay (Contributor, Author)

Got the hang of the basics of Java reflection, haha.

This part is done; please take a look.
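The comment above mentions Java reflection without showing it. As an added Kotlin example (not code from this PR or from appshark), this is one way to reach the protected writeOutput(Iterator<SootClass>) overload quoted earlier and hand it a filtered iterator, so the Scene is left untouched and the filter is applied only to the dump. The helper name and the prefix list are assumptions for this example; the reflective call relies on soot being loaded from the unnamed module, where setAccessible on a protected method is permitted.

```kotlin
import soot.PackManager
import soot.Scene
import soot.SootClass

/**
 * Writes output for the application classes whose name matches none of
 * [excludedPrefixes], by invoking PackManager's protected
 * writeOutput(Iterator<SootClass>) reflectively. Returns how many classes were written.
 * Scene state is not modified, so this is safe to call at any point after the packs ran.
 */
fun writeFilteredOutput(excludedPrefixes: List<String>): Int {
    // Chain<SootClass> is a Collection, so the Kotlin collection operators apply directly.
    val selected: List<SootClass> = Scene.v().applicationClasses
        .filter { sc -> excludedPrefixes.none { sc.name.startsWith(it) } }

    // kotlin.collections.Iterator maps to java.util.Iterator, which is the declared parameter type.
    val writeOutput = PackManager::class.java.getDeclaredMethod("writeOutput", Iterator::class.java)
    writeOutput.isAccessible = true // protected in soot; not callable directly from outside the package
    writeOutput.invoke(PackManager.v(), selected.iterator())
    return selected.size
}

// Example call, with prefixes constructed from the Library.Package entries quoted in the thread:
// writeFilteredOutput(listOf("java.", "sun.", "javax."))
```

Compared with demoting classes via setLibraryClass(), the reflective call keeps the dump a pure read of the Scene, at the cost of depending on a non-public soot signature that may change between soot versions; pin the soot version and wrap the lookup in a clear error if the method is not found.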
