Modernizing Java analysis pages #19
Hello, I've seen this analysis course posted a number of times in the past few years and noticed that the Java pages are not up-to-date with modern tooling.
I will come out and say I am a biased individual, since I am the author of the tool I would like to reference in these changes, but I strongly believe that, regardless of what the final changes are, Ghidra for Java analysis is not the right answer, and JAD's last update is old enough to fight in the military. There are many tools that should be brought up for the page I've touched with this first commit, and for what I intend to touch on in the obfuscation page.
If you have any thoughts on the direction of the changes proposed here, let me know. So far the follow-on work I intend to do is:
- Remove the section on JAD
  - You state it is provided in the Kali distribution, but most of the newer tools proposed below are not bundled. That is something I'd like to get confirmation from you on.
- Keep Ghidra's reference, but strictly for comparison to other tools
- Reduce the "Loading JAR files into Ghidra" section to a footnote, as it is largely redundant with the inclusion of the newly proposed tools
- Update the Java obfuscation page to cover subjects such as:
  - Name obfuscation beyond what is offered in ProGuard
  - Constant obfuscation of numbers, strings, etc.
  - Control flow obfuscation
  - Reference obfuscation
  - JAR obfuscation and anti-analysis tricks
  - Java to Native transpilation for obfuscation purposes, a use case where Ghidra actually shines.
  - The contents of the linked pages would be reiterated in a form more like what is present in the other lectures in this project.
- Add a section to the Java obfuscation page on how to automatically clean up the patterns outlined above
  - Keep ProGuard as a name mapper
  - Add Recaf as a primary alternative, given its automatic/configurable mapping generator
  - Add Enigma as an example of a manual mapping tool
  - Add Recaf, java-deobfuscator, and Deobfuscator as tools to automatically remove constant/control-flow/reference obfuscation
  - Add Recaf as a JAR obfuscation tool (outlined on the JAR obfuscation page linked above)
  - (Maybe?) Add SkidSuite as a reference for looking at example obfuscated samples based on a known/safe template file.
Thanks! I'll try to take a look at this in the coming weeks. I agree there are a lot of new tools that have come out that are fairly useful. I just haven't been in a malware-analysis-focused role for about 4 years now, and I am no longer teaching (the University was able to hire full-time faculty who can cover this material since the last year of this course), so I am not surprised that there are better options out now. That said, I have a lot of other priorities now and this content is definitely nowhere near the top (because nobody is paying me to maintain it and I have other new things I need to teach myself).
Though I state in the material that some tools are bundled in the Kali distribution, that is specifically me talking about a derivative distribution that I used to maintain for the students as an internal-only OVA image, so that's the Kali image I am referring to throughout the content, and not the one maintained by OffSec.
Keep in mind that the structure of the course is a hybrid course format, where there would have been in-person work done in a classroom and on Canvas/Blackboard as well as what is seen on the website. I started publishing it publicly as one of my colleagues at the time (back around 2016 or so) suggested I should publish the online content, as it would still be helpful to the community even without enrollment and attendance.
> That said, I have a lot of other priorities now and this content is definitely nowhere near the top (because nobody is paying me to maintain it and I have other new things I need to teach myself).

No worries, life happens and that's totally understandable.

> I started publishing it publicly as one of my colleagues at the time (back around 2016 or so) suggested I should publish the online content as it would still be helpful to the community even without enrollment and attendance.

The colleague was right, it still gets around quite well online 😄