When you want to quickly grep for something but the pattern is too elaborate, Semgrep comes in really handy. It’s a static analysis tool that has a lot of great use cases, but one usage I don’t hear about often is quickly writing disposable rules to validate an idea when reviewing code. So that’s what we’re going to do here!
When reverse engineering an application that is shipped as compiled bytecode (`jar` file, `war` file, `class` files, etc.), we normally use a decompiler and then audit the resulting Java code. The catch is that the language the application was written in might not have been Java! Indeed, there are multiple languages that target the Java Virtual Machine (JVM) and produce bytecode just like Java does. Besides generating generally strange decompiled code, this means that the common potentially dangerous functions we normally look for might be different from the ones used in Java. For this blog post, I’m going to be looking at how each language executes shell commands and what it looks like once decompiled.
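As a concrete illustration of the "disposable rule" idea, here is an added Semgrep rule (written for this post, not taken from the original article or from the Semgrep project) that flags the standard Java shell-execution sinks, `Runtime.exec` and `ProcessBuilder`, in decompiled code. The rule id, message and file name are my own choices; the API names are the real `java.lang` ones. JVM languages other than Java often reach these APIs through their own wrappers, which is exactly what shows up differently in decompiled output and what the rest of the post sets out to examine, so treat this as the Java baseline to compare against.

```yaml
# jvm-shell-exec.yaml (constructed example rule)
rules:
  - id: jvm-shell-exec-sink
    message: >-
      Shell command execution sink. Trace the argument back to its source
      and check whether any part of it can be influenced by user input.
    severity: WARNING
    languages: [java]
    pattern-either:
      # Direct call on the runtime singleton: Runtime.getRuntime().exec("...")
      - pattern: Runtime.getRuntime().exec(...)
      # Call on any variable typed as Runtime (common in decompiled code,
      # where the singleton is often stored in a local first)
      - pattern: (Runtime $R).exec(...)
      # ProcessBuilder construction and start, matched separately so that
      # builders created in one method and started in another are still flagged
      - pattern: new ProcessBuilder(...)
      - pattern: (ProcessBuilder $PB).start()
```

Run it over the decompiler output with `semgrep --config jvm-shell-exec.yaml path/to/decompiled/`; each hit is a place to start reading, not a finding in itself, since the rule deliberately matches every call regardless of where the arguments come from.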