feat rasp plugin class_filter send message to probe
yoloyyh committed Nov 23, 2023
1 parent 94f887e commit 52360e9
Showing 5 changed files with 107 additions and 22 deletions.
Expand Up @@ -388,7 +388,12 @@ private void checkClassFilter(ClassLoader loader, String className, byte[] class
classFilter.setInterfacesName(getInterfaces(ctClass));
}
classFilter.setClassPath(getCtClassPath(ctClass));
CtClass superClass = ctClass.getSuperclass();
CtClass superClass = null;
try {
superClass = ctClass.getSuperclass();
} catch(Exception e) {
// SmithLogger.exception(e);
}
// 获取父类名和父类加载器
String superClassName = superClass != null ? superClass.getName() : "";
classFilter.setParentClassName(superClassName);
26 changes: 19 additions & 7 deletions rasp/librasp/src/manager.rs
Expand Up @@ -204,20 +204,32 @@ impl RASPManager {
serde_json::from_str(message)?;
let mut valid_messages: Vec<libraspserver::proto::PidMissingProbeConfig> = Vec::new();
if messages.len() <= 0 {
for message_type in [6, 7, 8, 9] {
for message_type in [6, 7, 8, 9, 12, 13, 14] {
messages.push(PidMissingProbeConfig {
message_type,
data: ProbeConfigData::empty(message_type)?,
})
}
}
for m in messages.iter() {
if m.data.uuid == "" {
valid_messages.push(PidMissingProbeConfig {
message_type: m.message_type,
data: ProbeConfigData::empty(m.message_type)?,
});
} else {
if let Some(uuid) = &m.data.uuid {
if uuid == "" {
valid_messages.push(PidMissingProbeConfig {
message_type: m.message_type,
data: ProbeConfigData::empty(m.message_type)?,
});
} else {
let _ = match serde_json::to_string(&m) {
Ok(s) => s,
Err(e) => {
warn!("failed to convert json to string: {:?} {}", m, e);
continue;
}
};
valid_messages.push(m.clone());
}
}
else {
let _ = match serde_json::to_string(&m) {
Ok(s) => s,
Err(e) => {
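Review bot: The inner `else` after the `if uuid == ""` check and the outer `else` for a missing uuid both repeat the same `serde_json::to_string(&m)` validity check (the outer one is cut off at the hunk's end, so I assume it also finishes by pushing `m.clone()`); matching on `m.data.uuid.as_deref()` folds the two branches into one arm, and `uuid.is_empty()` reads better than `== ""` (clippy `comparison_to_empty`). The enclosing method starts before the hunk and continues after it.
```rust
for m in messages.iter() {
    match m.data.uuid.as_deref() {
        // Explicit empty uuid: replace with the empty config for this message type.
        Some("") => valid_messages.push(PidMissingProbeConfig {
            message_type: m.message_type,
            data: ProbeConfigData::empty(m.message_type)?,
        }),
        // Absent or non-empty uuid: forward unchanged once it proves serialisable.
        _ => {
            if let Err(e) = serde_json::to_string(m) {
                warn!("failed to convert json to string: {:?} {}", m, e);
                continue;
            }
            valid_messages.push(m.clone());
        }
    }
}
// … unchanged: rest of the method …
```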
16 changes: 9 additions & 7 deletions rasp/plugin/src/monitor.rs
Expand Up @@ -412,13 +412,15 @@ fn internal_main(
match operator.op(&mut process, state.clone(), probe_message.clone()) {
Ok(_) => {
info!("operation success: {:?}", operation_message);
let report = make_report(&process.clone(), format!("{}_success", state.clone()).as_str(), String::new());
let mut record = hashmap_to_record(report);
record.data_type = report_action_data_type.clone() as i32;
record.timestamp = time();
let _ = operation_reporter.send(
record
);
if state != "ATTACHED" {
let report = make_report(&process.clone(), format!("{}_success", state.clone()).as_str(), String::new());
let mut record = hashmap_to_record(report);
record.data_type = report_action_data_type.clone() as i32;
record.timestamp = time();
let _ = operation_reporter.send(
record
);
}
}
Err(e) => {
warn!("operation failed: {:?} {}", operation_message, e);
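Review bot: The new `if state != "ATTACHED"` guard at the top of the `Ok(_)` arm carries no comment saying why a successful ATTACHED operation is the one state whose success is not reported; the reason is not visible in this hunk and belongs next to the condition, e.g. `// ATTACHED re-runs the attach path (see operation.rs) rather than changing state, so no success report — TODO confirm`. The lines moved inside the guard also keep two needless clones: `make_report(&process.clone(), …)` can be `make_report(&process, …)` and `format!("{}_success", state.clone())` can be `format!("{}_success", state)`, since both call sites only borrow. `internal_main` starts before the hunk and continues after it.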
2 changes: 1 addition & 1 deletion rasp/plugin/src/operation.rs
Expand Up @@ -141,7 +141,7 @@ impl Operator {
"MISSING" => {
self.handle_missing(process)?;
}
"WAIT_ATTACH" => {
"WAIT_ATTACH" | "ATTACHED" => {
info!("attaching process: {:?}", process);
if let Some(process_state) = process.tracing_state.as_ref() {
match process_state.to_string().as_str() {
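Review bot: `"ATTACHED"` is now a bare string literal both in this `match` arm and in monitor.rs's new `state != "ATTACHED"` guard, so the two sites can drift silently (a typo in either still compiles); a shared `pub const STATE_ATTACHED: &str = "ATTACHED";`, or better an enum for the states this `match` dispatches on, would let the compiler catch that. The existing `info!("attaching process: …")` line now also fires for ATTACHED; if re-running the attach path for a process already marked attached is the intent, a one-line comment on the arm such as `// ATTACHED: re-run the attach path for an already-attached process` would record it. The enclosing `match` and `impl Operator` start and end outside the hunk.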
78 changes: 72 additions & 6 deletions rasp/rasp_server/src/proto.rs
Expand Up @@ -122,7 +122,8 @@ pub struct PidMissingProbeConfig {

#[derive(Debug, Serialize, Deserialize, Clone, Default)]
pub struct ProbeConfigData {
pub uuid: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub uuid: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub blocks: Option<Vec<ProbeConfigBlock>>,
#[serde(skip_serializing_if = "Option::is_none")]
Expand All @@ -131,6 +132,12 @@ pub struct ProbeConfigData {
pub limits: Option<Vec<ProbeConfigLimit>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub patches: Option<Vec<ProbeConfigPatch>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub rule_version: Option<i32>,
#[serde(skip_serializing_if = "Option::is_none")]
pub class_filter_version: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub rule: Option<Vec<ProbeConfigClassRule>>,
}

impl ProbeConfigData {
Expand All @@ -140,35 +147,80 @@ impl ProbeConfigData {
7BLOCK,
8LIMIT,
9PATCH
12CLASSFILTERSTART
13CLASSFILTER
14CLASSFILTEREND
*/
let data = match message_type {
6 => ProbeConfigData {
uuid: "".to_string(),
uuid: Some(String::new()),
blocks: None,
filters: Some(Vec::new()),
limits: None,
patches: None,
rule_version: None,
class_filter_version: None,
rule: None,
},
7 => ProbeConfigData {
uuid: "".to_string(),
uuid: Some(String::new()),
blocks: Some(Vec::new()),
filters: None,
limits: None,
patches: None,
rule_version: None,
class_filter_version: None,
rule: None,
},
8 => ProbeConfigData {
uuid: "".to_string(),
uuid: Some(String::new()),
blocks: None,
filters: None,
limits: Some(Vec::new()),
patches: None,
rule_version: None,
class_filter_version: None,
rule: None,
},
9 => ProbeConfigData {
uuid: "".to_string(),
uuid: Some(String::new()),
blocks: None,
filters: None,
limits: None,
patches: None,
rule_version: None,
class_filter_version: None,
rule: None,
},
12 => ProbeConfigData {
uuid: None,
blocks: None,
filters: None,
limits: None,
patches: None,
rule_version: Some(0),
class_filter_version: Some(String::new()),
rule: None,
},
13 => ProbeConfigData {
uuid: None,
blocks: None,
filters: None,
limits: None,
patches: None,
rule_version: None,
class_filter_version: None,
rule: Some(Vec::new()),
},
14 => ProbeConfigData {
uuid: None,
blocks: None,
filters: None,
limits: None,
patches: Some(Vec::new()),
patches: None,
rule_version: None,
class_filter_version: None,
rule: None,
},
_ => {
return Err(anyhow!("message type not valid"));
Expand Down Expand Up @@ -241,6 +293,20 @@ pub struct ProbeConfigPatch {
pub sum_hash: Option<String>,
}

#[derive(Debug, Serialize, Deserialize, Clone, Default)]
pub struct ProbeConfigClassRule {
pub virusName: String,
pub flags: i32,
pub ruleId: i32,
pub className: Option<String>,
pub classPath: Option<String>,
pub interfacesName: Option<String>,
pub classLoaderName: Option<String>,
pub parentClassName: Option<String>,
pub virusSignature: Option<String>,
}


pub fn message_handle(message: &String) -> Result<String, String> {
// parse message
let message = match Message::from(message) {
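Review bot: Arm `9` of `empty` now ends with `patches: None`, while the line `patches: Some(Vec::new()),` shows as removed just above arm 14's `patches: None` — the rendered diff lost its markers, but six deletions are listed and five of them are the `uuid` lines, so that removed line must be the old PATCH arm's. With `#[serde(skip_serializing_if = "Option::is_none")]` on `patches`, an empty type-9 message will now serialize with no `patches` key at all, unlike arms 6/7/8, which still emit an empty `filters`/`blocks`/`limits` list; if the probe clears its patch set on an empty list this is a silent regression, so arm 9 should keep `patches: Some(Vec::new()),`. Since the struct already derives `Default`, each arm could also be written as `ProbeConfigData { uuid: Some(String::new()), filters: Some(Vec::new()), ..Default::default() }`, which would have made the odd arm stand out. The `match` continues past the hunk with its error arm.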

0 comments on commit 52360e9

Please sign in to comment.