Friday, February 26, 2021

Microsoft has released CodeQL with sample queries to sniff out malware

Microsoft open sources CodeQL queries used to hunt for Solorigate activity - Microsoft Security

Based on LGTM - Continuous security analysis open-source solution Microsoft has created CodeQL with sample queries to sniff out malware.

CodeQL is a powerful semantic code analysis engine that is now part of GitHub. Unlike many analysis solutions, it works in two distinct stages. First, as part of the compilation of source code into binaries, CodeQL builds a database that captures the model of the compiling code. For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database.

I posted the following question: 

How would you list methods not in a try-catch clause?

var fi2 = new FileInfo(path2);

How to list methods not wrapped in Using statement?

StreamWriter sw = new StreamWriter("hello.txt")


I'm assuming this is in C#. Something like this should work to find method calls not lexically contained by a try-catch.

import csharp

predicate inTryCatch(MethodCall mc) {
  exists(TryStmt ts | ts = mc.getParent*())
    or exists(CatchClause cc | cc = mc.getParent*())

from MethodCall mc
where not inTryCatch(mc)
select mc

Of course, this only finds method calls lexically enclosed. Are you looking for method calls that are part of a data flow that is not in a try-catch block? For that you will need to use data-flow analysis.

No comments:

Post a Comment