I can't define libraries inside my code, and I can't compile code using your docker image either.
Retr02332 opened this issue · 4 comments
Retr02332 commented
I am making a small file in C and then compiling it with your tool.
The problem is that when I add a library like stdlib.h, I get an incredible amount of errors.
Below I attach some screenshots:
Code

```c
#include <stdlib.h>

VIRUSNAME_PREFIX("Trojan.Foo")
VIRUSNAMES("A")
TARGET(1)

SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(magic)
SIGNATURES_DECL_END

SIGNATURES_DEF_BEGIN
DEFINE_SIGNATURES(magic, "aabb")
SIGNATURES_END

void payload(void) {
    system("COMMAND");
}

bool logical_trigger(void) {
    //return true;
    return count_match(Signatures.magic) != 2;
}

int entrypoint(void) {
    //foundVirus("A");
    payload();
    return 0;
}
```
Errors

```
root@967be04bcac3:/code# clambc-compiler --disable-common-warnings example.c -o example.cbc -O2
In file included from example.c:1:
In file included from /usr/bin/../include/stdlib.h:31:
/usr/lib/llvm-10/lib/clang/10.0.0/include/stddef.h:46:23: error: typedef redefinition with different types ('unsigned long' vs 'unsigned int')
typedef __SIZE_TYPE__ size_t;
                      ^
/usr/bin/../include/bytecode_types.h:42:22: note: previous definition is here
typedef unsigned int size_t;
                     ^
In file included from example.c:1:
/usr/bin/../include/stdlib.h:104:12: error: conflicting types for 'atoi'
extern int atoi (const char *__nptr)
           ^
/usr/bin/../include/bytecode_api.h:840:9: note: previous declaration is here
int32_t atoi(const uint8_t* str, int32_t size);
        ^
In file included from example.c:1:
/usr/bin/../include/stdlib.h:361:8: error: conflicting types for 'atoi'
__NTH (atoi (const char *__nptr))
       ^
/usr/bin/../include/bytecode_api.h:840:9: note: previous declaration is here
int32_t atoi(const uint8_t* str, int32_t size);
        ^
In file included from example.c:1:
In file included from /usr/bin/../include/stdlib.h:394:
/usr/include/x86_64-linux-gnu/sys/types.h:85:17: error: typedef redefinition with different types ('__off_t' (aka 'long') vs 'int')
typedef __off_t off_t;
                ^
/usr/bin/../include/bytecode_types.h:43:13: note: previous definition is here
typedef int off_t;
            ^
In file included from example.c:1:
In file included from /usr/bin/../include/stdlib.h:394:
In file included from /usr/include/x86_64-linux-gnu/sys/types.h:155:
/usr/include/x86_64-linux-gnu/bits/stdint-intn.h:24:18: error: typedef redefinition with different types ('__int8_t' (aka 'signed char') vs 'char')
typedef __int8_t int8_t;
                 ^
/usr/bin/../include/bytecode_types.h:31:14: note: previous definition is here
typedef char int8_t;
             ^
example.c:12:1: warning: implicit declaration of function 'DEFINE_SIGNATURES' is invalid in C99 [-Wimplicit-function-declaration]
DEFINE_SIGNATURES(magic, "aabb")
^
example.c:12:19: error: use of undeclared identifier 'magic'
DEFINE_SIGNATURES(magic, "aabb")
                  ^
1 warning and 6 errors generated.
```
After commenting out all the statements that caused the errors, I tried to see if I could compile it. To my surprise, there is still one more error:

```
example.c:12:1: warning: implicit declaration of function 'DEFINE_SIGNATURES' is invalid in C99 [-Wimplicit-function-declaration]
DEFINE_SIGNATURES(magic, "aabb")
example.c:12:19: error: use of undeclared identifier 'magic'
DEFINE_SIGNATURES(magic, "aabb")
```
I hope you can please help me to solve this error.
ragusaa commented
Hi Carlos,
Thank you for the feedback!
The bytecode compiler does not allow including standard headers, since it provides all types and sizes, so you will not be able to include stdlib.h.
The error with magic can be removed by changing DEFINE_SIGNATURES to DEFINE_SIGNATURE.
The only remaining thing is the call to 'system'. The bytecode compiler does not allow calling external functions that are not provided by ClamAV, because that could cause security issues.
Thanks,
Andy Ragusa
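The three points in the reply above (no standard headers, `DEFINE_SIGNATURE` rather than `DEFINE_SIGNATURES`, no calls outside the ClamAV bytecode API) can be checked on a source file before it reaches `clambc-compiler`. The Python below is an added example, not part of the thread or of the project's code; the `lint` helper is hypothetical, and its allowlist is an assumption that holds only the API and macro names visible on this page.

```python
import re
# Constructed input: the source from the issue as posted (placeholder command kept).
ISSUE_SOURCE = r'''#include <stdlib.h>
VIRUSNAME_PREFIX("Trojan.Foo")
VIRUSNAMES("A")
TARGET(1)
SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(magic)
SIGNATURES_DECL_END
SIGNATURES_DEF_BEGIN
DEFINE_SIGNATURES(magic, "aabb")
SIGNATURES_END
void payload(void) {
system("COMMAND");
}
bool logical_trigger(void) {
//return true;
return count_match(Signatures.magic) != 2;
}
int entrypoint(void) {
//foundVirus("A");
payload();
return 0;
}
'''
# Assumption: only names that appear on this page; extend from bytecode_api.h.
API = {"count_match", "foundVirus", "atoi"}
MACROS = {"VIRUSNAME_PREFIX", "VIRUSNAMES", "TARGET",
          "DECLARE_SIGNATURE", "DEFINE_SIGNATURE"}
KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}

def lint(src):
    # Any #include is a finding: the compiler ships its own types and API.
    out = [("include", h) for h in
           re.findall(r'^\s*#\s*include\s*[<"]([^>"]+)', src, flags=re.M)]
    # Blank out strings and comments so they cannot produce false hits.
    code = re.sub(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*',
                  lambda m: '""' if m[0][0] == '"' else ' ', src, flags=re.S)
    local = set(re.findall(r'\b\w+\s+(\w+)\s*\([^()]*\)\s*\{', code))
    known = API | MACROS | KEYWORDS | local
    for name in dict.fromkeys(re.findall(r'\b([A-Za-z_]\w*)\s*\(', code)):
        if name not in known:
            out.append(("unknown-call", name))
    declared = re.findall(r'\bDECLARE_SIGNATURE\s*\(\s*(\w+)', code)
    defined = set(re.findall(r'\bDEFINE_SIGNATURE\s*\(\s*(\w+)', code))
    out += [("undefined-signature", s) for s in declared if s not in defined]
    return out

if __name__ == "__main__":
    print(lint(ISSUE_SOURCE))
```

The misspelled macro surfaces twice: once as an unknown call and once as a declared signature that is never defined, which mirrors the two compiler diagnostics on line 12.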
Retr02332 commented
Thank you very much, that solved my problem and my doubts.
On the other hand, so I have no way to execute commands even in a controlled way?
ragusaa commented
That is correct. You would have to implement the command in your C code.
Thanks,
Andy
Retr02332 commented
Juju, so I have to do it from 0 in C code?
OK, thank you very much for the quick help!!!