Definitions

Basic parameter inspections

When calling any method, upon the VM entering that method we should be able to inspect parameter values and check for some conditions based on the variable types. Parameters can be matched by index.

Types:

- Numeric primitives (`byte`, `short`, `int`, `long`, `double`, `float`, maybe `boolean` and `char` if you wanna be technical)
  - Comparisons to some N: `> N`, `>= N`, `== N`, `< N`, `<= N`, `& N == N`, `& N != N`
- Reference types
  - `String`/`CharSequence`/`StringBuilder`
    - Checks with our `TextMatchMode`
  - `Number` boxed types
    - Map to primitives if not `null`, offer those abilities
  - `null` or not

Example cases:

- `Runtime.exec(s)` where `s.contains("malware.exe")`
- `new URL(s)` where `s.matches(HTTP_PATTERN)`

Scoped method calls

Given the following:

Scoped calls would allow for making a match for `one -> two -> three`, effectively saying "match three, if called by two, which must be called by one".

Adjacent method calls

Given the following:

Adjacent method calls would allow for making a match for `decode --> exec`, effectively saying "match exec if decode was used prior to calling in the same method". In this example such a match could be titled "using b64 to hide Runtime.exec calls".

Action items
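Pulling the three match kinds above together, this added Java sketch (not the project's own code) models parameter inspection, scoped call chains and adjacent calls as predicates over a constructed call trace; the `owner.name` method naming, the `Call` record and the `example/Perms.set` method are assumptions made for the illustration.

```java
import java.util.List;
import java.util.function.Predicate;

// Added example, not the project's own code: a minimal model of the three match kinds
// described above, evaluated over a constructed call trace.
public class CallMatchDemo {
    // One observed invocation: the method's owner.name (hypothetical naming) and the
    // parameter values seen when the VM entered it.
    record Call(String method, Object... args) {}

    // Basic parameter inspection: the call is to `method` and the parameter at `index`
    // satisfies `check`. The predicate carries the per-type comparison (numeric, text, null).
    static boolean paramMatch(Call c, String method, int index, Predicate<Object> check) {
        return c.method().equals(method) && index < c.args().length && check.test(c.args()[index]);
    }

    // Scoped calls: the current call stack (outermost first) must end with the chain,
    // i.e. "match three, if called by two, which must be called by one".
    static boolean scopedMatch(List<String> stack, List<String> chain) {
        int offset = stack.size() - chain.size();
        return offset >= 0 && stack.subList(offset, stack.size()).equals(chain);
    }

    // Adjacent calls: within a single method body, `prior` is invoked before `target`
    // (not necessarily immediately before it).
    static boolean adjacentMatch(List<Call> body, String prior, String target) {
        boolean seenPrior = false;
        for (Call c : body) {
            if (c.method().equals(prior)) seenPrior = true;
            else if (c.method().equals(target) && seenPrior) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: Runtime.exec(s) where s.contains("malware.exe")
        Call exec = new Call("java/lang/Runtime.exec", "cmd /c malware.exe");
        boolean badArg = paramMatch(exec, "java/lang/Runtime.exec", 0,
                v -> v instanceof String s && s.contains("malware.exe"));
        // Constructed sample of a numeric mask check (`& N == N`) on a hypothetical int parameter
        boolean maskHit = paramMatch(new Call("example/Perms.set", 0b110), "example/Perms.set", 0,
                v -> v instanceof Integer i && (i & 0b100) == 0b100);
        // Scoped: one -> two -> three, with an outer frame that the rule does not care about
        boolean scoped = scopedMatch(List.of("main", "one", "two", "three"), List.of("one", "two", "three"));
        // Adjacent: decode --> exec in the same method ("using b64 to hide Runtime.exec calls")
        List<Call> body = List.of(new Call("java/util/Base64$Decoder.decode", "Y21k"), exec);
        boolean adjacent = adjacentMatch(body, "java/util/Base64$Decoder.decode", "java/lang/Runtime.exec");
        System.out.printf("param=%b mask=%b scoped=%b adjacent=%b%n", badArg, maskHit, scoped, adjacent);
    }
}
```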