diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java
index b3834fc42..b9000cd27 100644
--- a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java
+++ b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java
@@ -388,7 +388,12 @@ private void checkClassFilter(ClassLoader loader, String className, byte[] class
 classFilter.setInterfacesName(getInterfaces(ctClass));
 }
 classFilter.setClassPath(getCtClassPath(ctClass));
- CtClass superClass = ctClass.getSuperclass();
+ CtClass superClass = null;
+ try {
+ superClass = ctClass.getSuperclass();
+ } catch(Exception e) {
+ // SmithLogger.exception(e);
+ }
 // 获取父类名和父类加载器
 String superClassName = superClass != null ? superClass.getName() : "";
 classFilter.setParentClassName(superClassName);
diff --git a/rasp/librasp/src/manager.rs b/rasp/librasp/src/manager.rs
index c4485f639..71d0108f9 100644
--- a/rasp/librasp/src/manager.rs
+++ b/rasp/librasp/src/manager.rs
@@ -204,7 +204,7 @@ impl RASPManager {
 serde_json::from_str(message)?;
 let mut valid_messages: Vec = Vec::new();
 if messages.len() <= 0 {
- for message_type in [6, 7, 8, 9] {
+ for message_type in [6, 7, 8, 9, 12, 13, 14] {
 messages.push(PidMissingProbeConfig {
 message_type,
 data: ProbeConfigData::empty(message_type)?,
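Review bot: The new `catch(Exception e)` around `ctClass.getSuperclass()` swallows every exception, including runtime errors, and its only diagnostic is commented out, so a failed lookup leaves `superClass` null with no trace; the next lines then record an empty `parentClassName`, which means any class filter keyed on the parent class silently never matches such a class. Javassist's `getSuperclass()` declares `NotFoundException`, which is presumably the case this guard is for; catch that type specifically and either keep a logger call or state in a comment why the failure is expected and ignored, e.g. `} catch (NotFoundException e) { // superclass not resolvable from the ClassPool; parent is recorded as unknown ("")`. Leaving the commented-out `SmithLogger.exception(e)` in place reads as unfinished work. checkClassFilter continues outside the hunk.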
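Review bot: The extended list `[6, 7, 8, 9, 12, 13, 14]` duplicates the set of message types that `ProbeConfigData::empty` knows how to build (its match arms in proto.rs cover exactly these values), so the two must be kept in sync by hand and a mismatch only surfaces as the `?` error at runtime. Consider declaring the list once next to `empty` as a `pub const` array typed like `message_type` and iterating that here, e.g. `for message_type in ProbeConfigData::EMPTY_MESSAGE_TYPES {` (constructed name). The context line `messages.len() <= 0` is a `usize` comparison clippy rejects; `messages.is_empty()` reads better if this block is touched again. The enclosing function starts and ends outside the hunk.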
@@ -212,12 +212,24 @@ impl RASPManager {
 }
 }
 for m in messages.iter() {
- if m.data.uuid == "" {
- valid_messages.push(PidMissingProbeConfig {
- message_type: m.message_type,
- data: ProbeConfigData::empty(m.message_type)?,
- });
- } else {
+ if let Some(uuid) = &m.data.uuid {
+ if uuid == "" {
+ valid_messages.push(PidMissingProbeConfig {
+ message_type: m.message_type,
+ data: ProbeConfigData::empty(m.message_type)?,
+ });
+ } else {
+ let _ = match serde_json::to_string(&m) {
+ Ok(s) => s,
+ Err(e) => {
+ warn!("failed to convert json to string: {:?} {}", m, e);
+ continue;
+ }
+ };
+ valid_messages.push(m.clone());
+ }
+ }
+ else {
 let _ = match serde_json::to_string(&m) {
 Ok(s) => s,
 Err(e) => {
diff --git a/rasp/plugin/src/monitor.rs b/rasp/plugin/src/monitor.rs
index de4ae7a38..939af8c21 100644
--- a/rasp/plugin/src/monitor.rs
+++ b/rasp/plugin/src/monitor.rs
@@ -412,13 +412,15 @@ fn internal_main(
 match operator.op(&mut process, state.clone(), probe_message.clone()) {
 Ok(_) => {
 info!("operation success: {:?}", operation_message);
- let report = make_report(&process.clone(), format!("{}_success", state.clone()).as_str(), String::new());
- let mut record = hashmap_to_record(report);
- record.data_type = report_action_data_type.clone() as i32;
- record.timestamp = time();
- let _ = operation_reporter.send(
- record
- );
+ if state != "ATTACHED" {
+ let report = make_report(&process.clone(), format!("{}_success", state.clone()).as_str(), String::new());
+ let mut record = hashmap_to_record(report);
+ record.data_type = report_action_data_type.clone() as i32;
+ record.timestamp = time();
+ let _ = operation_reporter.send(
+ record
+ );
+ }
 }
 Err(e) => {
 warn!("operation failed: {:?} {}", operation_message, e);
diff --git a/rasp/plugin/src/operation.rs b/rasp/plugin/src/operation.rs
index 083214f48..393a5214d 100644
--- a/rasp/plugin/src/operation.rs
+++ b/rasp/plugin/src/operation.rs
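Review bot: The `Some(uuid)` non-empty branch and the new `else` branch (the `None` case) carry the same body — a throwaway `serde_json::to_string(&m)` whose `Ok` value is bound to `_` and dropped, followed (presumably, since the `else` arm runs past the hunk) by `valid_messages.push(m.clone())` — so the validation now lives in two places, and `uuid == ""` should be `uuid.is_empty()`. A `match` on `m.data.uuid.as_deref()` with a `Some("")` arm keeps the substitution for empty-uuid messages and folds the other two cases into one. The serialization round-trip only checks that `m` is serializable, which `if let Err(e) = …` expresses without binding a value nobody reads. The enclosing loop is cut at the end of the hunk.
```rust
for m in messages.iter() {
    match m.data.uuid.as_deref() {
        // empty uuid: substitute the empty default config for this message type
        Some("") => valid_messages.push(PidMissingProbeConfig {
            message_type: m.message_type,
            data: ProbeConfigData::empty(m.message_type)?,
        }),
        // non-empty uuid or no uuid: forward the message if it serializes
        _ => {
            if let Err(e) = serde_json::to_string(&m) {
                warn!("failed to convert json to string: {:?} {}", m, e);
                continue;
            }
            valid_messages.push(m.clone());
        }
    }
}
```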
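Review bot: The report block moved under `if state != "ATTACHED"` keeps two needless clones: `&process.clone()` borrows a fresh copy only to drop it, and `state.clone()` inside `format!` copies a value that is only read, so `make_report(&process, format!("{}_success", state).as_str(), String::new())` should compile unchanged if `make_report` takes a shared reference (its signature is not in the hunk). The new guard also drops the success report for already-attached processes without saying why; a comment such as `// ATTACHED re-enters the attach path (see operation.rs); skip the duplicate *_success report` would record the intent next to the condition. `state` is compared as a bare string here and matched as a string in operation.rs, so a typo in either place fails silently; shared constants or an enum would catch that at compile time. internal_main extends beyond the hunk.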
@@ -141,7 +141,7 @@ impl Operator {
 "MISSING" => {
 self.handle_missing(process)?;
 }
- "WAIT_ATTACH" => {
+ "WAIT_ATTACH" | "ATTACHED" => {
 info!("attaching process: {:?}", process);
 if let Some(process_state) = process.tracing_state.as_ref() {
 match process_state.to_string().as_str() {
diff --git a/rasp/rasp_server/src/proto.rs b/rasp/rasp_server/src/proto.rs
index 30d620d54..a49f40604 100644
--- a/rasp/rasp_server/src/proto.rs
+++ b/rasp/rasp_server/src/proto.rs
@@ -122,7 +122,8 @@ pub struct PidMissingProbeConfig {
 #[derive(Debug, Serialize, Deserialize, Clone, Default)]
 pub struct ProbeConfigData {
- pub uuid: String,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub uuid: Option,
 #[serde(skip_serializing_if = "Option::is_none")]
 pub blocks: Option>,
 #[serde(skip_serializing_if = "Option::is_none")]
@@ -131,6 +132,12 @@ pub struct ProbeConfigData {
 pub limits: Option>,
 #[serde(skip_serializing_if = "Option::is_none")]
 pub patches: Option>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub rule_version: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub class_filter_version: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub rule: Option>,
 }
 impl ProbeConfigData {
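Review bot: Extending the arm to `"WAIT_ATTACH" | "ATTACHED"` sends an already-attached process through the attach path, but the arm's log line still reads `attaching process` and nothing explains why an attached process is re-attached. Add a comment on the arm, e.g. `// ATTACHED is routed through the same path as WAIT_ATTACH so the probe is (re)attached; monitor.rs suppresses the *_success report for this case`, and consider a distinct log message for the ATTACHED case so operators can tell a first attach from a repeat. The state names are string literals compared ad hoc across files (this match, `state != "ATTACHED"` in monitor.rs); shared constants or an enum would keep them in sync. The match body continues past the hunk.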
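Review bot: The three new fields `rule_version`, `class_filter_version` and `rule` carry no doc comment saying which message types populate them; that is only discoverable from the `empty` arms further down (the `12` arm sets `rule_version` and `class_filter_version`, the `13` arm sets `rule`). Add `///` comments on each, e.g. `/// Set only for CLASSFILTERSTART (type 12) messages.` on `rule_version` and `class_filter_version`, and `/// Class-filter rules carried by CLASSFILTER (type 13) messages.` on `rule`. The generic parameters of the `Option` fields did not survive rendering on this page, so their inner types cannot be checked from here; the same applies to the `uuid` change in the preceding hunk.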
@@ -140,35 +147,80 @@ impl ProbeConfigData {
 7BLOCK,
 8LIMIT,
 9PATCH
+ 12CLASSFILTERSTART
+ 13CLASSFILTER
+ 14CLASSFILTEREND
 */
 let data = match message_type {
 6 => ProbeConfigData {
- uuid: "".to_string(),
+ uuid: Some(String::new()),
 blocks: None,
 filters: Some(Vec::new()),
 limits: None,
 patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: None,
 },
 7 => ProbeConfigData {
- uuid: "".to_string(),
+ uuid: Some(String::new()),
 blocks: Some(Vec::new()),
 filters: None,
 limits: None,
 patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: None,
 },
 8 => ProbeConfigData {
- uuid: "".to_string(),
+ uuid: Some(String::new()),
 blocks: None,
 filters: None,
 limits: Some(Vec::new()),
 patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: None,
 },
 9 => ProbeConfigData {
- uuid: "".to_string(),
+ uuid: Some(String::new()),
+ blocks: None,
+ filters: None,
+ limits: None,
+ patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: None,
+ },
+ 12 => ProbeConfigData {
+ uuid: None,
+ blocks: None,
+ filters: None,
+ limits: None,
+ patches: None,
+ rule_version: Some(0),
+ class_filter_version: Some(String::new()),
+ rule: None,
+ },
+ 13 => ProbeConfigData {
+ uuid: None,
+ blocks: None,
+ filters: None,
+ limits: None,
+ patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: Some(Vec::new()),
+ },
+ 14 => ProbeConfigData {
+ uuid: None,
 blocks: None,
 filters: None,
 limits: None,
- patches: Some(Vec::new()),
+ patches: None,
+ rule_version: None,
+ class_filter_version: None,
+ rule: None,
 },
 _ => {
 return Err(anyhow!("message type not valid"));
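Review bot: The `9 => ProbeConfigData` arm no longer sets `patches: Some(Vec::new())`: the old arm did, the diff attributes that removed line to the new `14` arm, and the rewritten `9` arm has `patches: None`, so the empty PATCH config becomes all-`None` and, with `skip_serializing_if`, serializes without a `patches` key at all — unlike 6/7/8, which still carry an empty vector for their own field. Unless the probe is meant to treat a missing key and an empty list the same way (not visible here), restore `patches: Some(Vec::new()),` in the `9` arm. Since the struct derives `Default`, each arm could also list only the fields it actually sets, e.g. `6 => ProbeConfigData { uuid: Some(String::new()), filters: Some(Vec::new()), ..Default::default() },`, which would have made the dropped field obvious and spares every future field from touching seven arms. The enclosing function ends outside the hunk.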
@@ -241,6 +293,20 @@ pub struct ProbeConfigPatch {
 pub sum_hash: Option,
 }
+#[derive(Debug, Serialize, Deserialize, Clone, Default)]
+pub struct ProbeConfigClassRule {
+ pub virusName: String,
+ pub flags: i32,
+ pub ruleId: i32,
+ pub className: Option,
+ pub classPath: Option,
+ pub interfacesName: Option,
+ pub classLoaderName: Option,
+ pub parentClassName: Option,
+ pub virusSignature: Option,
+}
+
+
 pub fn message_handle(message: &String) -> Result {
 // parse message
 let message = match Message::from(message) {
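Review bot: `ProbeConfigClassRule` declares its fields in camelCase (`virusName`, `ruleId`, `className`, …), which rustc flags with `non_snake_case` and which differs from every other struct in this file (`sum_hash`, `rule_version`, `class_filter_version`). Keep the wire names by putting `#[serde(rename_all = "camelCase")]` on the struct and naming the fields `virus_name`, `rule_id`, `class_name`, `class_path`, `interfaces_name`, `class_loader_name`, `parent_class_name`, `virus_signature`. A one-line `///` doc on the struct stating its role — presumably the element type of `ProbeConfigData::rule` for type-13 messages, given `rule: Some(Vec::new())` in `empty` — would also help, since the `Option` inner types did not survive rendering on this page.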