bytedance · yoloyyh · Sep 9, 2024 · Aug 29, 2024 · Aug 29, 2024 · Aug 30, 2024
diff --git a/.github/workflows/Elkeid.yml b/.github/workflows/Elkeid.yml
@@ -34,7 +34,7 @@ jobs:
     - name: Build RASP
       run: |
         curl -fsSL https://lf3-static.bytednsdoc.com/obj/eden-cn/kplrsl/ljhwZthlaukjlkulzlp/php-headers.tar.gz | tar -xz -C rasp/php
-        docker run --rm --pull=always -v $(pwd):/Elkeid yoloyyh/rasp-toolchain:v1.0 \
+        docker run --rm --pull=always -v $(pwd):/Elkeid yoloyyh/rasp-toolchain:v3.0 \
         make -C /Elkeid/rasp \
           STATIC=TRUE \
           PY_PREBUILT=TRUE \

diff --git a/.github/workflows/Elkeid_rasp_release.yml b/.github/workflows/Elkeid_rasp_release.yml
@@ -16,7 +16,7 @@ jobs:
     - name: Build
       run: |
         curl -fsSL https://lf3-static.bytednsdoc.com/obj/eden-cn/kplrsl/ljhwZthlaukjlkulzlp/php-headers.tar.gz | tar -xz -C rasp/php
-        docker run --rm --pull=always -v $(pwd):/Elkeid yoloyyh/rasp-toolchain:v1.0 \
+        docker run --rm --pull=always -v $(pwd):/Elkeid yoloyyh/rasp-toolchain:v3.0 \
         make -C /Elkeid/rasp \
           STATIC=TRUE \
           PY_PREBUILT=TRUE \

diff --git a/rasp/jvm/JVMProbe/build.gradle b/rasp/jvm/JVMProbe/build.gradle
@@ -11,6 +11,7 @@ repositories {
 }
 
 dependencies {
+    implementation files('lib/nashorn.jar') 
     testImplementation group: 'junit', name: 'junit', version: '4.13.1'
     implementation group: 'org.ow2.asm', name: 'asm-tree', version: '9.6'
     implementation group: 'org.ow2.asm', name: 'asm-commons', version: '9.6'
@@ -19,6 +20,7 @@ dependencies {
     implementation group: 'com.lmax', name: 'disruptor', version: '3.4.4'
     implementation 'com.google.code.gson:gson:2.8.9'
     implementation 'com.esotericsoftware.yamlbeans:yamlbeans:1.14'
+    implementation 'org.lz4:lz4-java:1.8.0'
     api group: 'org.javassist', name: 'javassist', version: '3.29.0-GA'
 }
 
@@ -48,5 +50,6 @@ shadowJar {
     relocate 'com.google','rasp.com.google'
     relocate 'com.esotericsoftware', 'rasp.com.esotericsoftware'
     relocate 'javassist', 'rasp.javassist'
+    relocate 'net.jpountz', 'rasp.net.jpountz'
     relocate 'META-INF/native/libnetty', 'META-INF/native/librasp_netty'
 }
diff --git a/rasp/jvm/JVMProbe/lib/nashorn.jar b/rasp/jvm/JVMProbe/lib/nashorn.jar
diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java
@@ -17,6 +17,8 @@
 import com.security.smith.log.AttachInfo;
 import com.security.smith.log.SmithLogger;
 import com.security.smith.module.Patcher;
+import com.security.smith.ruleengine.JsRuleEngine;
+import com.security.smith.rulemgr.StackRuleManager;
 import com.security.smith.type.*;
 import com.security.smith.client.*;
 import com.esotericsoftware.yamlbeans.YamlReader;
@@ -161,6 +163,7 @@ public class SmithProbe implements ClassFileTransformer, MessageHandler, EventHa
     private SmithproxyTimerTask smithproxyTimerTask;
     private String proberVersion;
     private String proberPath;
+    private JsRuleEngine jsRuleEngine;
 
     public SmithProbe() {
         disable = false;
@@ -192,6 +195,11 @@ public void setProbePath(String proberPath) {
         this.proberPath = proberPath;
     }
 
+    public String getProbePath() {
+        return proberPath;
+
+    }
+
     public void init() {
         AttachInfo.info();
         SmithLogger.loggerProberInit();
@@ -228,8 +236,9 @@ public Trace newInstance() {
         ruleconfig = new Rule_Config(rulemgr);
 
         smithProxy = new SmithProbeProxy();
-
-      InputStream inputStream = getResourceAsStream("class.yaml");
+
+
+        InputStream inputStream = getResourceAsStream("class.yaml");
 
         if(inputStream != null) {
             SmithLogger.logger.info("find class.yaml");
@@ -251,9 +260,76 @@ public Trace newInstance() {
         else {
             SmithLogger.logger.info("not find class.yaml");
         }
+
+        try {
+            SmithLogger.logger.info("jsRuleEngine init");
+            jsRuleEngine = JsRuleEngine.InitializeEngine();
+            if (jsRuleEngine != null) {
+                SmithLogger.logger.info("jsRuleEngine init success");
+            }
+        } catch (Throwable e) {
+            SmithLogger.exception(e);
+        }
 
         SmithLogger.logger.info("probe init leave");
     }
+
+    public boolean addJsFile(Path scriptFilePath) {
+        boolean ret = false;
+        try {
+            if (scriptFilePath != null && jsRuleEngine != null) {
+                SmithLogger.logger.info("add js rule enter");
+                int result = jsRuleEngine.addJsRule(scriptFilePath);
+                if (result == 0) {
+                    SmithLogger.logger.info("add js rule success");
+                    ret = true;
+                } else {
+                    SmithLogger.logger.info("add js rule failed, ret :" + result);
+                }
+            } else {
+                SmithLogger.logger.info("not find js rule path: " + scriptFilePath);
+            }
+        }
+        catch (Throwable e) {
+            SmithLogger.exception(e);
+        }
+        return ret;
+    }
+    public void addJsRule() {
+        try {
+            // SmithLogger.logger.info("add js rule");
+            File ruleFile = new File(getProbePath());
+            File ruleDir = new File(ruleFile.getParent(), "rules");
+            if (ruleDir == null || !ruleDir.exists() || !ruleDir.isDirectory()) {
+                SmithLogger.logger.info("not find js rule dir: " + ruleDir);
+                return;
+            }
+            SmithLogger.logger.info("find js rule dir: " + ruleDir);
+
+            File[] files = ruleDir.listFiles();
+            if (files != null) {
+                for (File file : files) {
+                    if (file.isFile()) {
+                        Path jsPath = file.toPath();
+                        if (addJsFile(jsPath)) {
+                            SmithLogger.logger.info("add js rule success: " + jsPath);
+                        } else {
+                            SmithLogger.logger.info("add js rule failed: " + jsPath);
+                        }
+                    }
+                }
+            }
+
+
+
+        } catch (Throwable e) {
+            SmithLogger.exception(e);
+        }
+
+    }
+    public JsRuleEngine getJsRuleEngine() {
+        return jsRuleEngine;
+    }
     private boolean isBypassHookClass(String className) {
 
         if(SmithTools.isGlassfish() && SmithTools.getMajorVersion() > 5) {
@@ -269,6 +345,7 @@ private boolean isBypassHookClass(String className) {
 
         return false;
     }
+
     public boolean isFunctionEnabled(int classId, int methodId) {
         String key = classId + "-" + methodId;
         Set<String> types = hookTypes.get(key);
@@ -324,8 +401,13 @@ public void start() {
         smithProxy.setClient(client);
         smithProxy.setDisruptor(disruptor);
         smithProxy.setProbe(this);
-        smithProxy.setReflectField();
-        smithProxy.setReflectMethod();
+
+        try {
+            addJsRule();
+        } catch (Exception e) {
+            SmithLogger.exception(e);
+        }
+
 
         inst.addTransformer(this, true);
         reloadClasses();
@@ -413,6 +495,9 @@ public void uninit() {
         ourInstance = null;
         proberVersion = null;
         proberPath = null;
+        JsRuleEngine.UninitializeEngine();
+        jsRuleEngine = null;
+
         MessageSerializer.delInstance();
 
         MessageEncoder.delInstance();