
Dynamic scan match model capabilities #6

Open
1 of 3 tasks
Col-E opened this issue Jul 12, 2023 · 0 comments
Labels
enhancement New feature or request

Comments


Col-E commented Jul 12, 2023

Definitions

Basic parameter inspections

When calling any method, upon the VM entering that method we should be able to inspect parameter values and check for some conditions based on the variable types. Parameters can be matched by index.

Types:

  • Numeric primitives (byte, short, int, long, double, float, maybe boolean and char if you wanna be technical)
    • Comparisons to some N: > N, >= N, == N, < N, <= N, & N == N, & N != N
  • Reference types
    • String/CharSequence/StringBuilder
      • Checks with our TextMatchMode
    • Number boxed types
      • Map to primitives if not null, offer those abilities
    • Anything
      • Is null or not

Example cases:

  • Runtime.exec(s) where s.contains("malware.exe")
  • new URL(s) where s.matches(HTTP_PATTERN)

Scoped method calls

Given the following:

static void one() {
	two();
}
static void two() {
	three();
}
static void three() {
	// ...
}

Scoped calls would allow for making a match for one -> two -> three, effectively saying "match three, if called by two, which must be called by one".

Adjacent method calls

Given the following:

Runtime.getRuntime()
    .exec(new String(Base64.getDecoder().decode("ZXhhbXBsZQ==")));

Adjacent method calls would allow for making a match for decode --> exec, effectively saying "match exec if decode was used prior to calling in the same method". In this example such a match could be titled "using b64 to hide Runtime.exec calls"

Action items

  • Basic parameter value inspections
  • Scoped method calls with parameter checking
  • Adjacent method calls with parameter checking
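Added example, not code from the issue or the project: a Python sketch of the three proposed match kinds (parameter inspection, scoped call chains, adjacent calls) run over a constructed trace of method-entry events. The `CallEvent` shape, the method names and the helper names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class CallEvent:
    """One method-entry event as a dynamic scanner would observe it (assumed shape)."""
    method: str   # entered method, e.g. "java/lang/Runtime.exec"
    args: list    # parameter values by index
    stack: list   # caller chain, outermost first, excluding 'method'

# Constructed sample trace: one() -> two() -> three(), then a decode followed
# by exec inside the same calling method (Loader.run).
TRACE = [
    CallEvent("Util.one", [], ["Main.main"]),
    CallEvent("Util.two", [], ["Main.main", "Util.one"]),
    CallEvent("Util.three", [], ["Main.main", "Util.one", "Util.two"]),
    CallEvent("java/util/Base64$Decoder.decode", ["ZXhhbXBsZQ=="], ["Main.main", "Loader.run"]),
    CallEvent("java/lang/Runtime.exec", ["malware.exe -q"], ["Main.main", "Loader.run"]),
]

def param_match(event, index, predicate):
    """Basic parameter inspection: apply a predicate to the argument at 'index'."""
    return index < len(event.args) and predicate(event.args[index])

def scoped_match(event, chain):
    """Scoped call: 'chain[-1]' must be entered with chain[:-1] as its direct callers, in order."""
    callers = chain[:-1]
    if event.method != chain[-1] or len(callers) > len(event.stack):
        return False
    return event.stack[len(event.stack) - len(callers):] == callers

def adjacent_match(trace, earlier, later):
    """Adjacent call: 'earlier' was entered before 'later' from the same calling method."""
    seen = set()
    for ev in trace:
        caller = tuple(ev.stack)
        if ev.method == earlier:
            seen.add(caller)
        elif ev.method == later and caller in seen:
            return True
    return False

def scan(trace):
    """Run the three example rules from the issue and return the titles that matched."""
    hits = []
    for ev in trace:
        if ev.method == "java/lang/Runtime.exec" and param_match(ev, 0, lambda s: "malware.exe" in s):
            hits.append("exec with malware.exe argument")
        if scoped_match(ev, ["Util.one", "Util.two", "Util.three"]):
            hits.append("three called via one -> two")
    if adjacent_match(trace, "java/util/Base64$Decoder.decode", "java/lang/Runtime.exec"):
        hits.append("using b64 to hide Runtime.exec calls")
    return hits
```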