W.Buchanan

Code Forensics

The objectives of this lab are to:

- Understand the lack of inherent protection that .NET and Java code has against reverse engineering.
- Investigate methods of obfuscating code.
- Create Microsoft .NET code in order to investigate a host.

On-line lecture: http://www.youtube.com/watch?v=jy-yR1DxPMM
Lab demo: http://www.youtube.com/watch?v=x1jhSIo-GoI

A Microsoft .NET Obfuscation

A.1 Microsoft .NET does not have inherent protection against the reverse engineering of the code. To prove this, first create a C# program named simple.cs, with the contents of:

    namespace simple
    {
        class simple
        {
            private static void Main(string[] args)
            {
                string s;
                System.Console.Write("What is your name?");
                s = System.Console.ReadLine();
                System.Console.WriteLine("Hello " + s);
            }
        }
    }

A.2 Compile the program and make sure that it works. From the command prompt you can compile it with:

    csc simple.cs

A.3 Next download the reverse engineering package from http://networksims.com/exemplar.zip and prove that you can reverse the code using:

    exemplar simple.exe > mycode.cs

A.4 Next run the obfuscator (from 9Rays) with:

    ob.exe FTBSNM4ALPERC9# /src=simple.exe

The obfuscator is downloaded from http://networksims.com/ob.zip

A.5 Go into the /obfuscated folder, and copy the obfuscated EXE into the home folder. Show that the EXE is now obfuscated.

What has changed in the obfuscated EXE?
Is it still possible to compile the reverse engineered code? Yes/No
Using Google, which packages can be used to obfuscate .NET assemblies?
Which options in the obfuscator change the names of the variables to non-printing characters?
B Java Reverse Engineering

B.1 Create a Java program (sample.java) with:

    public class sample
    {
        public static void main(String[] args)
        {
            int i;
            i = 10;
            System.out.println("This is an example of the ");
            System.out.println("output from the standalone");
            System.out.println("program");
            System.out.println("The value of i is " + i);
        }
    }

B.2 Next produce the byte code with:

    javac sample.java

B.3 Finally download JAD, and try to decompile the byte code. Prove that you can reverse the code. The download for JAD is at http://networksims.com/jad.zip

Using Google, which packages can be used to obfuscate Java class files?

C Digital Forensics Code: URL cache

The objective of this series of labs is to build an integrated toolkit. Open up http://buchananweb.co.uk/2011toolkit.zip and extract it to a local folder. Next open up the C# solution file toolkit.sln, and double click on client.cs.

C.1 Select the [OS] tab, and, if not already added, add two DateTimePickers (dtStart and dtEnd), two buttons, and two DataGridViews (dgURLCache and dgFileCache). Add the following code on the Show History button:

    Showhistory();

and the method:

    public void Showhistory()
    {
        this.dgURLCache.Rows.Clear();
        this.dgFileCache.Rows.Clear();
        // urlHistory, enumerator and list are fields declared elsewhere in client.cs
        urlHistory = new UrlHistoryWrapperClass();
        enumerator = urlHistory.GetEnumerator();
        list = new ArrayList();
        GetHistoryItems();
        list.Reverse();
        if (textBoxFilter.Text != "")
        {
            enumerator.SetFilter(textBoxFilter.Text, STATURLFLAGS.STATURLFLAG_ISTOPLEVEL);
        }
        foreach (STATURL u in list)
        {
            string[] url = new string[2];
            url[0] = Convert.ToString(u.LastVisited);
            url[1] = u.URL;
            // Only show visits that fall inside the selected date range (inclusive)
            if (u.LastVisited >= dtStart.Value && u.LastVisited <= dtEnd.Value)
            {
                if (url[1].StartsWith("http"))
                    this.dgURLCache.Rows.Add(url);
                else if (url[1].StartsWith("file"))
                    this.dgFileCache.Rows.Add(url);
            }
        }
        GC.Collect();
    }

C.2 Test that the program can view the URL history.
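The date-window filtering and http/file split that Showhistory performs, rewritten here in Python as an added example (not part of the lab's toolkit). It works on plain (timestamp, url) records, so the constructed sample history below stands in for what UrlHistoryWrapperClass would enumerate; the scheme is parsed rather than prefix-matched, which is why an ftp:// entry lands in a third "other" list instead of being dropped silently.

```python
"""Filter browser-history records to a date window and classify them by scheme.
Added example mirroring the lab's Showhistory logic; records are constructed."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample history in (last_visited ISO timestamp, url) form.
SAMPLE_HISTORY = [
    ("2011-03-01T09:15:00", "http://example.com/login"),
    ("2011-03-02T18:40:00", "file:///C:/Users/alice/Documents/report.doc"),
    ("2011-03-05T07:02:00", "https://intranet.example.local/wiki"),
    ("2011-02-20T12:00:00", "http://example.org/old"),
    ("2011-03-03T23:59:59", "ftp://files.example.net/pub"),
]


def filter_history(records, start, end, substring=""):
    """Return (url_rows, file_rows, other_rows) for visits with
    start <= last_visited <= end (inclusive, like the lab's comparison).
    `substring` plays the role of textBoxFilter: when non-empty, only URLs
    containing it are kept. Each list is sorted newest first."""
    url_rows, file_rows, other_rows = [], [], []
    for ts, url in records:
        visited = datetime.fromisoformat(ts)
        if not (start <= visited <= end):
            continue
        if substring and substring not in url:
            continue
        scheme = urlsplit(url).scheme.lower()
        row = (visited, url)
        if scheme in ("http", "https"):
            url_rows.append(row)
        elif scheme == "file":
            file_rows.append(row)
        else:
            other_rows.append(row)   # would be invisible in the lab's two grids
    for rows in (url_rows, file_rows, other_rows):
        rows.sort(reverse=True)
    return url_rows, file_rows, other_rows


def summarise(records, start, end, substring=""):
    """Counts per category, handy for a quick check of a date window."""
    urls, files, other = filter_history(records, start, end, substring)
    return {"url": len(urls), "file": len(files), "other": len(other)}


if __name__ == "__main__":
    window = (datetime(2011, 3, 1), datetime(2011, 3, 5, 23, 59, 59))
    for name, rows in zip(("URL", "File", "Other"),
                          filter_history(SAMPLE_HISTORY, *window)):
        print(name)
        for visited, url in rows:
            print("  ", visited.isoformat(), url)
```

The timestamps are treated as naive local times, matching DateTimePicker values; when history from another machine or time zone is examined, normalise both sides first or the inclusive bounds will silently shift.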
Next add the following code to the Clear URL History button:

    DialogResult rtn = MessageBox.Show("Are you sure you want to delete all your URL history?",
                                       "URL History", MessageBoxButtons.YesNo);
    if (rtn == DialogResult.Yes)
        urlHistory.ClearHistory();

C.3 Test the program for its operation.

C.4 If you have time, investigate the "Special Folders" tab (see Figure 2), such as with the following code on the "Recent" button:

    DirectoryInfo d = new DirectoryInfo(System.Environment.GetFolderPath(Environment.SpecialFolder.Recent));
    ShowFiles(dgFilesRecent, d.FullName);

and add the method:

    public void ShowFiles(DataGridView dg, string folder)
    {
        try
        {
            dg.Rows.Clear();
            string[] files = Directory.GetFiles(folder);
            CreateMessageForStatus(tbFiles, folder);
            foreach (string s in files)
            {
                string filename = s;
                FileInfo f = new FileInfo(filename);
                // One row per file: last access time, then full path
                string[] s1 = new string[2];
                s1[0] = Convert.ToString(f.LastAccessTime);
                s1[1] = s;
                CreateMessageForStatusAppend(dg, s1);
            }
        }
        catch (Exception ex)
        {
            // Report the problem (for example, access denied) rather than swallowing it
            lbError.Items.Add(ex.Message);
        }
    }

Figure 1: Show URL

Figure 2: Special Folders

C.5 Next do the same for "Cookies", "Application Data", "Desktop" and all the other buttons within "Special Folders".

How might these special folders be used to gain forensic information?

D Digital Forensics Code: File Type Identification

D.1 Files can often be identified from their contents. For example a GIF file has the characters "G", "I", "F" at the start of the file (Figure 3).
Select the "Binary Reader" tab, and then add the following code to the "Load GIF file" button:

    try
    {
        openFileDialog1.InitialDirectory = homeFolder + "\\log";
        // Filter entries come in description|pattern pairs
        openFileDialog1.Filter = "GIF files (*.gif)|*.gif|All files (*.*)|*.*";
        openFileDialog1.FilterIndex = 1;
        openFileDialog1.FileName = "*.gif";
        if (openFileDialog1.ShowDialog() != DialogResult.OK)
            return;
        string file = openFileDialog1.FileName;
        tbCurrentFolder.Text = file;
        open_file(file);
    }
    catch (Exception ex)
    {
        CreateMessageForStatusAppend(lbError, "Error068: " + ex.Message);
    }

D.2 Next do the same for the other buttons (JPG, ZIP and Other).

Does your code now load the specific files? Yes/No

D.3 Next, on the "Identify file type" button add the following code to detect a GIF file:

    if (fileName == "") return;
    try
    {
        tbFileType.Text = "Not known";
        byte[] buff = getBytes(fileName);
        // A file shorter than the signature cannot match it
        if (buff.Length >= 3 && buff[0] == 'G' && buff[1] == 'I' && buff[2] == 'F')
            tbFileType.Text = "GIF file";
        if (!tbFileType.Text.StartsWith("Not")) return;
        /*
        foreach (string[] s in filesig)
        {
            if (inFile(fileName, s[0]))
            {
                if (tbFileType.Text.StartsWith("Not"))
                {
                    tbFileType.Text = "Possible: [" + s[2] + ", sig: " + s[0] + "]";
                }
                else
                    tbFileType.Text += "[" + s[2] + ", sig: " + s[0] + "]";
            }
        }
        */
    }
    catch (Exception ex)
    {
        lbError.Items.Add(ex.Message);
    }

D.3 (continued) Next modify the code so that it detects the following:

    JPEG file    Detect: JFIF
    PDF file     Detect: %PDF
    MP3          Detect: ID3

Find the file types given above, and test that your program can identify them. Did it work? Yes/No

D.4 Some file detection types require a hex code. Modify your code so that it detects the following file types:

    ZIP file     Detect: 0x504B03
    CAB file     Detect: 0x4D534346
    MP4 file     Detect: 0x000000186674797033677035

Find the file types given above, and test that your program can identify them. Did it work?
Yes/No

Figure 3: Loading files

D.5 Finally, uncomment the following code and investigate its operation:

    foreach (string[] s in filesig)
    {
        if (inFile(fileName, s[0]))
        {
            if (tbFileType.Text.StartsWith("Not"))
            {
                tbFileType.Text = "Possible: [" + s[2] + ", sig: " + s[0] + "]";
            }
            else
                tbFileType.Text += "[" + s[2] + ", sig: " + s[0] + "]";
        }
    }

Where are the file signatures found within the program, and can you identify some of the signatures in filesig?

Can you determine a file signature method to detect typical video content (such as MP4, AVI, SWF, and so on), and for it to display the message "This is video content"? What is the code used?
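A signature-based identifier covering steps D.1 to D.5, added here as an example in Python rather than the toolkit's own C# code. The ASCII and hex signatures are the ones the lab lists; the per-signature offsets, the "video" category and the extension-mismatch check are this example's additions. The offsets matter: "JFIF" sits at byte 6 of a JPEG and "ftyp" at byte 4 of an MP4 (the lab's MP4 hex string is the 4-byte box size 0x18 followed by "ftyp3gp5"), so a check that only looks at bytes 0 to 2, like the GIF test above, never finds them. Matching "ftyp" at offset 4 generalises the lab's single 3GP signature to the other MP4 brands. All sample files are constructed byte strings.

```python
"""Identify file types from magic bytes. Added example; samples are constructed."""
import os

# (signature, offset, description, category). Most specific entries first.
# "RIFF" alone could be AVI or WAV, so AVI is recognised by "AVI " at byte 8.
FILE_SIGNATURES = [
    (b"GIF",                       0, "GIF image",              "image"),
    (b"\xFF\xD8\xFF",              0, "JPEG image",             "image"),
    (b"JFIF",                      6, "JPEG (JFIF) image",      "image"),
    (b"%PDF",                      0, "PDF document",           "document"),
    (b"ID3",                       0, "MP3 audio (ID3)",        "audio"),
    (bytes.fromhex("504B03"),      0, "ZIP archive",            "archive"),
    (bytes.fromhex("4D534346"),    0, "CAB archive",            "archive"),
    (b"ftyp",                      4, "MP4/3GP video",          "video"),
    (b"AVI ",                      8, "AVI video",              "video"),
    (b"FWS",                       0, "SWF video (uncompressed)", "video"),
    (b"CWS",                       0, "SWF video (compressed)",   "video"),
]

# Which category a file extension claims to be (used for the mismatch check).
EXT_CATEGORY = {
    ".gif": "image", ".jpg": "image", ".jpeg": "image", ".pdf": "document",
    ".mp3": "audio", ".zip": "archive", ".cab": "archive",
    ".mp4": "video", ".3gp": "video", ".avi": "video", ".swf": "video",
}


def identify(data):
    """Return [(description, category), ...] for every signature found at its
    offset. Slicing never raises, so data shorter than a signature just fails
    to match instead of throwing an index error."""
    matches = []
    for sig, offset, desc, category in FILE_SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            matches.append((desc, category))
    return matches


def describe(data):
    """Text for the lab's tbFileType box, with the D.5 video message appended."""
    matches = identify(data)
    if not matches:
        return "Not known"
    text = ", ".join(desc for desc, _ in matches)
    if any(cat == "video" for _, cat in matches):
        text += " - This is video content"
    return text


def extension_mismatch(name, data):
    """True when the content is recognised but the extension claims a
    different category (a renamed file, a common thing to look for)."""
    claimed = EXT_CATEGORY.get(os.path.splitext(name)[1].lower())
    found = {cat for _, cat in identify(data)}
    return bool(found) and claimed is not None and claimed not in found


def identify_file(path, max_bytes=64):
    """Read only the leading bytes; signatures live at the start of the file."""
    with open(path, "rb") as f:
        return describe(f.read(max_bytes))


# Constructed sample contents (headers only), one per type plus a text file.
SAMPLES = {
    "gif":  b"GIF89a" + b"\x00" * 10,
    "jpeg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01",
    "pdf":  b"%PDF-1.4\n",
    "mp3":  b"ID3\x03\x00",
    "zip":  bytes.fromhex("504B0304"),
    "cab":  bytes.fromhex("4D534346"),
    "mp4":  bytes.fromhex("000000186674797033677035"),
    "avi":  b"RIFF\x00\x00\x00\x00AVI LIST",
    "swf":  b"FWS\x0a",
    "txt":  b"hello",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:5} -> {describe(data)}")
    print("holiday.jpg containing a ZIP: mismatch =",
          extension_mismatch("holiday.jpg", SAMPLES["zip"]))
```

Two things the C# version hides: reading only the first few dozen bytes keeps the check cheap on large evidence files, and returning every matching signature (rather than stopping at the first) lets you see when a file carries two plausible headers, as the JFIF sample does.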