Source Code Recovery, Analysis & Debugging

Source Code Recovery

Managed .NET Code

Open dnSpy (https://github.com/dnSpy/dnSpy) and drag the exe file.

To see the source code expand the navigation tree.

Then to search for terms use the search tab in the lower part of the window once selected the exe or dll in the navigation tree.

- Cross-references, Analysis

If we noticed a few Base64-encoded values in the HTTP requests captured by Burp Suite, we could search the term base64 and pick one function to find its cross-references. This could be done right-clicking the function > Analyze, then in the analyze tab, if we now click on the cross-reference, dnSpy reveals the location of the function call in the source code.

- Assemblies Modification

We can use this technique to add debugging statements to a log file or alter an assembly’s attributes in order to better debug our target application.

Right-click Program and choose Edit Class, change what you want, then click Compile, then File > Save All

Java

Open JD-GUI decompiler and drag the java file.

- Set Up

Check running Java processes, click properties and locate the files, then find the most interesting ones and run them through JD-GUI decompiler, for finding thins, use Notepad ++

- Funtion Searching

Search in Notepad ++ the following regular expression: ^.*?query.*?select.*?

We can also search the HTTP Requests:

• doGet

• doPost

• doPut

• doDelete

• doCopy

• doOptions

Source Code Analysis Methodology

- Approach

First walk through the web application in a browser to familiarize with its functionality and analyze HTTP requests and responses with Burp.

We need to be mindful of sources and sinks. For example, when we submit a username and password to the application in a POST request, the code that handles this POST request is a source and the call to the database to run the query is the sink.

In a “top down” approach, we would identify sources first since we do not have authenticated access to the web application and we should begin searching for vulnerabilities in unauthenticated resources.

In a “bottom up” approach, we would first identify sinks since our goal would be to determine if any sinks contain vulnerabilities and what variables or values the vulnerable code uses. For this, we need to determine how the application calls the vulnerable function and trace the application flow back to a source.

- IDEs

We should use an IDE (Integrated Development Environment) like VSCode. In this, for example, we could search for "password", then, we could refine our search by clicking the Toggle Search Details button (represented by three dots) and limit searches to java files typing ".java".

If a search term returns too many results, we could use unique keywords from the application to narrow the search results, for example, if the login page of a target application returns an “Incorrect credentials” message, we could search for that text to find where the error is thrown and work backwards to discover the login function.

If we identify a vulnerable function and need to determine where the application uses it, right-click on the function or method name and "Find All References".

- HTTP Routing Patterns

HTTP routing determines how an application processes HTTP requests and generates responses. It's influenced by the web server, programming language, and framework. Common routing patterns include File System Routing, where URLs map to server files, and Servlet Mappings in Java applications, where the web.xml file defines request handling.

- Checklist

  • Check authenticated application areas.

  • Analyze user input sanitization methods.

  • Examine database query construction, focusing on parameterization and input sanitation.

  • Review account creation and password reset/recovery processes for vulnerabilities.

  • Assess application's interaction with the operating system for command modification or injection risks.

  • Identify potential programming language-specific vulnerabilities.

Debugging

To debug a Java application using VSCode, install "RedHat Language Support for Java" and the "Microsoft Debugger for Java" plugins.

We can debug this application right from our IDE, but first we need to set a breakpoint by clicking to the left of line numbers.

A red dot will appear next to the line number at the location of our breakpoint. Now we can debug the application by clicking on Run, then Run and Debug.

The new debugging context menu includes:

  • Continue: Resumes execution until completion or next breakpoint.

  • Step Over: Executes next method call, pausing at the next line.

  • Step Into: Follows execution into the current function, pausing inside.

  • Step Out: Completes current method and pauses when returning to the calling method.

  • Restart: Restarts the debugging process.

  • Stop: Stops the debugging process.

  • Hot Code Replace: Modifies source file and updates executing process, not available in all languages.

- Remote Debugging

Remote debugging involves debugging a process on a different system, requiring access to the source code and the debugger port on the remote system.

We will extract the ZIP file, add the files to Visual Studio Code by clicking on File > Open Folder, and then select the extracted directory.

Then, to add the dependencies to VS Code, we can extract them from the JAR file:

unzip -j example.jar "BOOT-INF/lib/*" -d example/lib/

We can verify it by clicking Java Projects pane, expanding it, and clicking on Project and External dependencies to expand the list of dependencies and verify that the extracted JARs are listed.

If the JAR files are not listed, we can add them manually by clicking the + button next to Project and External Dependencies and selecting them from the resulting file window.

Then, to start the remote debugging:

  • Create launch.json by clicking Run, then 'create a launch.json file'.

  • Open launch.json (located in the .vscode directory) and add a new remote debugging configuration: Choose 'Java: Attach to Remote Program'.

  • Update launch.json: Set “hostName” to “127.0.0.1” and “port” to 9898, then save.

  • Run JAR file with debugging enabled: Use command java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9898 -jar NumberGame.jar.

  • Access the application on port 8000 via a browser.

  • Start the debugger in VS Code: Open Run view, select 'Attach to Remote Program' from the dropdown next to the green arrow, then click Start Debugging.

  • Once connected, use the debugger to inspect and control the program execution, like setting breakpoints and examining variables.

  • Disconnect the debugger and stop the Java application when done

If you have ssh conection and want to mount a directory to debug it with your IDE:

sudo apt-get install sshfs

sshfs username@remote_server:/path/to/remote/directory /path/to/local/mount/point

sshfs john@example.com:/home/john/files /mnt/remote_custom_mount

Then to unmount:

umount /path/to/local/mount/point

PreviousWhiteboxNextPython PoC Building

Last updated