Fixed bug with "invoke, inject" keywords & obfuscation detection

Author: dest4590

src/detection.rs

@@ -2,7 +2,6 @@ use std::collections::HashSet;
 
 pub const NAME_LENGTH_THRESHOLD: usize = 100;
 pub const ENTROPY_THRESHOLD: f64 = 7.2;
-pub const SUSPICIOUS_CHAR_THRESHOLD: usize = 3;
 
 lazy_static::lazy_static! {
     pub static ref SAFE_STRING_CACHE: std::sync::Mutex<std::collections::HashSet<String>> = {
@@ -27,30 +26,6 @@ lazy_static::lazy_static! {
     };
 }
 
-pub fn is_obfuscated_name(name: &str) -> bool {
-    if name.len() <= 2 && name != "of" && name != "to" && name != "at" && name != "id" {
-        return true;
-    }
-
-    let chars: Vec<_> = name.chars().collect();
-    if chars.len() >= 3 {
-        let repeats = chars
-            .windows(3)
-            .filter(|w| w[0] == w[1] && w[1] == w[2])
-            .count();
-        if repeats > 0 {
-            return true;
-        }
-    }
-
-    name.contains("$_")
-        || name.contains("$$")
-        || name.contains("III")
-        || name.contains("lll")
-        || name.contains("OOO")
-        || name.matches('$').count() > 2
-}
-
 pub fn is_cached_safe_string(s: &str) -> bool {
     if let Ok(cache) = SAFE_STRING_CACHE.lock() {
         return cache.contains(s);

src/scanner.rs

@@ -1,8 +1,8 @@
 use crate::config::SYSTEM_CONFIG;
 use crate::database::GOOD_LINKS;
 use crate::detection::{
-    cache_safe_string, calculate_detection_hash, is_cached_safe_string, is_obfuscated_name,
-    ENTROPY_THRESHOLD, NAME_LENGTH_THRESHOLD, SUSPICIOUS_CHAR_THRESHOLD, SUSPICIOUS_DOMAINS,
+    cache_safe_string, calculate_detection_hash, is_cached_safe_string,
+    ENTROPY_THRESHOLD, NAME_LENGTH_THRESHOLD, SUSPICIOUS_DOMAINS,
 };
 use crate::errors::ScanError;
 use crate::parser::parse_class_structure;
@@ -35,7 +35,6 @@ pub struct CollapseScanner {
     suspicious_domains: HashSet<String>,
     crypto_regex: Regex,
     malicious_pattern_regex: Regex,
-    suspicious_consecutive_chars_regex: Regex,
     ignored_suspicious_keywords: HashSet<String>,
     ignored_crypto_keywords: HashSet<String>,
     pub options: ScannerOptions,
@@ -105,8 +104,7 @@ impl CollapseScanner {
             url_regex: Regex::new(r#"(?i)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»""'']))"#).unwrap(),
             suspicious_domains: SUSPICIOUS_DOMAINS.clone(),
             crypto_regex: Regex::new(r"(?i)\b(aes|des|rsa|md5|sha[1-9]*-?\d*|blowfish|twofish|pgp|gpg|cipher|keystore|keygenerator|secretkey|password|encrypt|decrypt|hash|salt|ivParameterSpec|SecureRandom)\b").unwrap(),
-            malicious_pattern_regex: Regex::new(r"(?i)\b(backdoor|exploit|inject|payload|shellcode|bypass|rootkit|keylog|rat\b|trojan|malware|spyware|meterpreter|cobaltstrike|powershell|cmd\.exe|Runtime\.getRuntime\(\)\.exec|ProcessBuilder|loadLibrary|download|upload|socket\(|bind\(|connect\(|URL\(|URLConnection|Class\.forName|defineClass|getMethod|invoke|unsafe|jndi|ldap|rmi|base64|decode)\b").unwrap(),
-            suspicious_consecutive_chars_regex: Regex::new(&format!(r"[^a-zA-Z0-9_$/.]{{{},}}", SUSPICIOUS_CHAR_THRESHOLD)).unwrap(),
+            malicious_pattern_regex: Regex::new(r"(?i)\b(backdoor|exploit|payload|shellcode|bypass|rootkit|keylog|rat\b|trojan|malware|spyware|meterpreter|cobaltstrike|powershell|cmd\.exe|Runtime\.getRuntime\(\)\.exec|ProcessBuilder|loadLibrary|download|upload|socket\(|bind\(|connect\(|URL\(|URLConnection|Class\.forName|defineClass|getMethod|unsafe|jndi|ldap|rmi|base64|decode)\b").unwrap(),
             ignored_suspicious_keywords,
             ignored_crypto_keywords,
             options,
@@ -787,14 +785,6 @@ impl CollapseScanner {
                 return;
             }
 
-            if is_obfuscated_name(name) {
-                findings.push((
-                    FindingType::ObfuscationChars,
-                    format!("{} '{}'", context, name),
-                ));
-                return;
-            }
-
             let name_char_count = name.chars().count();
 
             if name.contains('/')
@@ -816,21 +806,6 @@ impl CollapseScanner {
                 ));
             }
 
-            let simple_name_to_check = get_simple_name(name);
-            if self
-                .suspicious_consecutive_chars_regex
-                .is_match(simple_name_to_check)
-            {
-                findings.push((
-                    FindingType::ObfuscationChars,
-                    format!(
-                        "Consecutive Symbols: {} '{}'",
-                        context,
-                        truncate_string(name, 20)
-                    ),
-                ));
-            }
-
             let non_ascii_count = name.chars().filter(|&c| !c.is_ascii()).count();
             if non_ascii_count > 0 {
                 findings.push((
@@ -1029,9 +1004,6 @@ impl CollapseScanner {
         let obfuscation_count = type_counts
             .get(&FindingType::ObfuscationLongName)
             .unwrap_or(&0)
-            + type_counts
-                .get(&FindingType::ObfuscationChars)
-                .unwrap_or(&0)
             + type_counts
                 .get(&FindingType::ObfuscationUnicode)
                 .unwrap_or(&0);
@@ -1155,15 +1127,6 @@ impl CollapseScanner {
             }
         }
 
-        if let Some(obfuscated) = by_type.get(&FindingType::ObfuscationChars) {
-            if !obfuscated.is_empty() {
-                explanations.push(
-                    "Uses obfuscated code, which may be trying to hide malicious functionality."
-                        .to_string(),
-                );
-            }
-        }
-
         if let Some(high_entropy) = by_type.get(&FindingType::HighEntropy) {
             if !high_entropy.is_empty() && resource_info.is_some() {
                 let ri = resource_info.unwrap();

src/types.rs

@@ -21,7 +21,6 @@ pub enum FindingType {
     Crypto,
     SuspiciousKeyword,
     ObfuscationLongName,
-    ObfuscationChars,
     ObfuscationUnicode,
     HighEntropy,
 }
@@ -36,7 +35,6 @@ impl std::fmt::Display for FindingType {
             FindingType::Crypto => write!(f, "Crypto Keyword"),
             FindingType::SuspiciousKeyword => write!(f, "Suspicious Keyword"),
             FindingType::ObfuscationLongName => write!(f, "Obfuscation (Long Name)"),
-            FindingType::ObfuscationChars => write!(f, "Obfuscation (Unusual Chars)"),
             FindingType::ObfuscationUnicode => write!(f, "Obfuscation (Unicode Name)"),
             FindingType::HighEntropy => write!(f, "High Entropy"),
         }
@@ -52,7 +50,6 @@ impl FindingType {
             FindingType::Crypto => ("🔒", "bright_yellow"),
             FindingType::SuspiciousKeyword => ("❗", "red"),
             FindingType::ObfuscationLongName => ("📏", "bright_magenta"),
-            FindingType::ObfuscationChars => ("❓", "magenta"),
             FindingType::ObfuscationUnicode => ("㊙️ ", "magenta"),
             FindingType::HighEntropy => ("🔥", "yellow"),
         }