scrt / avcleaner Goto Github PK
View Code? Open in Web Editor NEWC/C++ source obfuscator for antivirus bypass
License: GNU General Public License v3.0
avcleaner's People
Contributors
Stargazers
Watchers
Forkers
askyeye gavz red-infosec dmknght thau0x01 ufwt maxwelldps msf-ntdll 4n6strider krouser dauth r3dfruitrollup runonceex devkw fcccode peterg75 githangar arryboom wbglil fuckup1337 crackercat y11en hanbule an4kein jack51706 samuelriesz chanpu9 andrey-kovinjonok mmg1 asdyxcyxc jg789346bnfgewrew09876345 minkione cobranail 5l1v3r1 loveshell usama7628674 m3g4byt3 ktan-ccsf elephacking b-xiang eniac888 penneke lunarobliq bhassani mitbad-d viencokhi seeblog oakicode fraggler0ck sec-js h4xl0r redteams philippmao isiaon t43wiu6 killvxk matrixkung rdbo trietptm-on-coding-algorithms damingshidashi itsxactly akz747 asdlei99 axax002 fengjixuchui youyong123 sros-yort optionalg tomay3000 hofamilymaker bambooqj nosorry xrv3ovl skybulk fadinglr jim00000 papundutta itsbriany gcoollinux daffodi1 onesorzer0es alterant zha0 hello-xbugs aliakbarrashidi kelamrani pianomanx reap- morpheusc jermainlaforce one10001 cutff th3xace whoami2323 phuong39 witchfindertr majid-derkaoui caomeiniuniu yangfan6888 huangzccnavcleaner's Issues
0/n occurrences replaced with obfuscate meterpreter script
Think it is set up correctly - appears to run without issue - the only problem is the output indicates nothing is to be replaced.
INFO:root:Found 514 files with strings.
INFO:root:Found 36 files with suspicious API calls.
INFO:root:0/52 occurrences of WriteProcessMemory replaced.
INFO:root:0/8 occurrences of NtCreateSection replaced.
INFO:root:0/8 occurrences of NtMapViewOfSection replaced.
INFO:root:0/10 occurrences of CreateRemoteThread replaced.
INFO:root:0/4 occurrences of NtQueueApcThread replaced.
INFO:root:0/18 occurrences of ReadProcessMemory replaced.
INFO:root:0/8 occurrences of NtUnmapViewOfSection replaced.
INFO:root:0/2 occurrences of GetTempFileNameA replaced.
INFO:root:0/16 occurrences of SamEnumerateDomainsInSamServer replaced.
INFO:root:0/4 occurrences of SamRidToSid replaced.
INFO:root:0/10 occurrences of SamConnect replaced.
INFO:root:0/8 occurrences of SamLookupDomainInSamServer replaced.
INFO:root:0/12 occurrences of SamOpenDomain replaced.
INFO:root:0/6 occurrences of SamOpenUser replaced.
INFO:root:0/2 occurrences of SamOpenGroup replaced.
INFO:root:0/2 occurrences of SamOpenAlias replaced.
INFO:root:0/2 occurrences of SamGetGroupsForUser replaced.
INFO:root:0/4 occurrences of SamGetAliasMembership replaced.
INFO:root:0/2 occurrences of SamGetMembersInGroup replaced.
INFO:root:0/2 occurrences of SamGetMembersInAlias replaced.
INFO:root:0/4 occurrences of SamEnumerateUsersInDomain replaced.
INFO:root:0/2 occurrences of SamEnumerateGroupsInDomain replaced.
INFO:root:0/2 occurrences of SamEnumerateAliasesInDomain replaced.
INFO:root:0/4 occurrences of SamLookupIdsInDomain replaced.
INFO:root:0/32 occurrences of SamCloseHandle replaced.
INFO:root:0/56 occurrences of SamFreeMemory replaced.
INFO:root:0/2 occurrences of SamQueryInformationUser replaced.
INFO:root:0/4 occurrences of SamSetInformationUser replaced.
INFO:root:0/2 occurrences of SamiChangePasswordUser replaced.
INFO:root:0/4 occurrences of SamLookupNamesInDomain replaced.
INFO:root:0/8 occurrences of NtResumeProcess replaced.
INFO:root:0/4 occurrences of NtSuspendProcess replaced.
Not really sure what I can offer in the way of logs or extra error messages, or where to look for them. Or if I've just done something daft!
Add blog article to readme
Syntax Error in Part2
#include <Windows.h>
typedef int (*_MessageBoxA)(
HWND hWnd,
LPCTSTR lpText,
LPCTSTR lpCaption,
UINT uType
);
int main(int argc, char** argv) {
HMODULE hUser32 = LoadLibraryA("User32.dll");
_MessageBoxA fMessageBoxA = (_MessageBoxA) GetProcAddress(hUser32, "MessageBoxA");
fMessageBoxA(NULL, TEXT("Test"), TEXT("Something"), MB_OK);
return 0;
}
LoadLibraryA returns HMODULE
fMessageBoxA needs LPCTSTR (wchar_t *, not char)
Docker is on drugs
All in screenshot
Build instructions in README.md
- docker instruction is missing the path
docker build -t avcleaner
"docker build" requires exactly 1 argument(s).
See 'docker build --help'.
Usage: docker build [OPTIONS] PATH | URL | -
Build an image from a Dockerfile
docker build . -t avcleaner
- Problem target_link_directories linking Clang LLVM libs
[toto@b6a91874768b ~]$ make -j2
[ 16%] Linking CXX executable avcleaner.bin
/usr/sbin/ld: cannot find -lclangTooling
/usr/sbin/ld: cannot find -lclangToolingInclusions
/usr/sbin/ld: cannot find -lclangLex
/usr/sbin/ld: cannot find -lclangToolingCore
/usr/sbin/ld: cannot find -lclangAST
/usr/sbin/ld: cannot find -lclangASTMatchers
/usr/sbin/ld: cannot find -lclangBasic
/usr/sbin/ld: cannot find -lclangFrontend
/usr/sbin/ld: cannot find -lclangFrontendTool
/usr/sbin/ld: cannot find -lclangRewrite
/usr/sbin/ld: cannot find -lclangRewriteFrontend
/usr/sbin/ld: cannot find -lclangSerialization
collect2: error: ld returned 1 exit status
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:205: avcleaner.bin] Error 1
make[1]: *** [CMakeFiles/Makefile2:97: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:103: all] Error 2
[toto@b6a91874768b ~]$
Multiple compilation errors
Hello, the make -j 2 command returns the following errors:
[toto@bd4bda4cbef8 CMakeBuild]$ make -j 2
Consolidate compiler generated dependencies of target avcleaner.bin
[ 16%] Building CXX object CMakeFiles/avcleaner.bin.dir/main.cpp.o
[ 33%] Building CXX object CMakeFiles/avcleaner.bin.dir/MatchHandler.cpp.o
In file included from /home/toto/Consumer.h:10,
from /home/toto/main.cpp:17:
/home/toto/MatchHandler.h:52:80: error: ‘clang::ast_type_traits’ has not been declared
52 | bool climbParentsIgnoreCast(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:52:110: error: expected ‘,’ or ‘...’ before ‘node’
52 | bool climbParentsIgnoreCast(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~
/home/toto/MatchHandler.h:64:67: error: ‘clang::ast_type_traits’ has not been declared
64 | getNodeParents(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:64:97: error: expected ‘,’ or ‘...’ before ‘Node’
64 | getNodeParents(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~
/home/toto/MatchHandler.h:74:39: error: ‘clang::ast_type_traits’ has not been declared
74 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:74:69: error: expected ‘,’ or ‘...’ before ‘node’
74 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:83:32: error: ‘clang::ast_type_traits’ has not been declared
83 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:83:62: error: expected ‘,’ or ‘...’ before ‘node’
83 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:95:58: error: ‘clang::ast_type_traits’ has not been declared
95 | findInjectionSpot(clang::ASTContext *Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:95:88: error: expected ‘,’ or ‘...’ before ‘Parent’
95 | findInjectionSpot(clang::ASTContext *Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~
/home/toto/MatchHandler.h:106:36: error: ‘clang::ast_type_traits’ has not been declared
106 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:106:66: error: expected ‘,’ or ‘...’ before ‘node’
106 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:122:28: error: ‘clang::ast_type_traits’ has not been declared
122 | clang::ast_type_traits::DynTypedNode node, std::string StringType="", std::string NewType="");
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:122:58: error: expected ‘,’ or ‘...’ before ‘node’
122 | clang::ast_type_traits::DynTypedNode node, std::string StringType="", std::string NewType="");
| ^~~~
/home/toto/MatchHandler.h:125:35: error: ‘clang::ast_type_traits’ has not been declared
125 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:125:65: error: expected ‘,’ or ‘...’ before ‘node’
125 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
In file included from /home/toto/main.cpp:19:
/home/toto/ApiMatchHandler.h:57:90: error: ‘clang::ast_type_traits’ has not been declared
57 | static clang::SourceRange findInjectionSpot(clang::ASTContext *const Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~~~~~~~~~~
/home/toto/ApiMatchHandler.h:57:120: error: expected ‘,’ or ‘...’ before ‘Parent’
57 | ang::SourceRange findInjectionSpot(clang::ASTContext *const Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~
In file included from /home/toto/MatchHandler.cpp:5:
/home/toto/MatchHandler.h:52:80: error: ‘clang::ast_type_traits’ has not been declared
52 | bool climbParentsIgnoreCast(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:52:110: error: expected ‘,’ or ‘...’ before ‘node’
52 | bool climbParentsIgnoreCast(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~
/home/toto/MatchHandler.h:64:67: error: ‘clang::ast_type_traits’ has not been declared
64 | getNodeParents(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:64:97: error: expected ‘,’ or ‘...’ before ‘Node’
64 | getNodeParents(const clang::StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~
/home/toto/MatchHandler.h:74:39: error: ‘clang::ast_type_traits’ has not been declared
74 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:74:69: error: expected ‘,’ or ‘...’ before ‘node’
74 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:83:32: error: ‘clang::ast_type_traits’ has not been declared
83 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:83:62: error: expected ‘,’ or ‘...’ before ‘node’
83 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:95:58: error: ‘clang::ast_type_traits’ has not been declared
95 | findInjectionSpot(clang::ASTContext *Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:95:88: error: expected ‘,’ or ‘...’ before ‘Parent’
95 | findInjectionSpot(clang::ASTContext *Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~
/home/toto/MatchHandler.h:106:36: error: ‘clang::ast_type_traits’ has not been declared
106 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:106:66: error: expected ‘,’ or ‘...’ before ‘node’
106 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/MatchHandler.h:122:28: error: ‘clang::ast_type_traits’ has not been declared
122 | clang::ast_type_traits::DynTypedNode node, std::string StringType="", std::string NewType="");
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:122:58: error: expected ‘,’ or ‘...’ before ‘node’
122 | clang::ast_type_traits::DynTypedNode node, std::string StringType="", std::string NewType="");
| ^~~~
/home/toto/MatchHandler.h:125:35: error: ‘clang::ast_type_traits’ has not been declared
125 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.h:125:65: error: expected ‘,’ or ‘...’ before ‘node’
125 | clang::ast_type_traits::DynTypedNode node, std::string StringType);
| ^~~~
/home/toto/main.cpp: In member function ‘virtual void AVObfuscator::Action::EndSourceFileAction()’:
/home/toto/main.cpp:136:85: error: conversion from ‘llvm::StringRef’ to non-scalar type ‘std::string’ {aka ‘std::__cxx11::basic_string<char>’} requested
136 | std::string FileName = SM.getFileEntryForID(SM.getMainFileID())->getName();
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~
/home/toto/MatchHandler.cpp:25:70: error: ‘clang::ast_type_traits’ has not been declared
25 | MatchHandler::getNodeParents(const StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:25:100: error: expected ‘,’ or ‘...’ before ‘Node’
25 | MatchHandler::getNodeParents(const StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode Node,
| ^~~~
/home/toto/MatchHandler.cpp: In static member function ‘static std::vector<std::__cxx11::basic_string<char> > MatchHandler::getNodeParents(const clang::StringLiteral&, int)’:
/home/toto/MatchHandler.cpp:29:9: error: ‘Iterations’ was not declared in this scope
29 | if (Iterations > Globs::CLIMB_PARENTS_MAX_ITER) {
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:30:16: error: ‘CurrentParents’ was not declared in this scope
30 | return CurrentParents;
| ^~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:33:17: error: ‘DynTypedNodeList’ is not a member of ‘clang::ASTContext’
33 | ASTContext::DynTypedNodeList parents = Context->getParents(NodeString);
| ^~~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:35:9: error: ‘Iterations’ was not declared in this scope
35 | if (Iterations > 0) {
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:36:9: error: ‘parents’ was not declared in this scope
36 | parents = Context->getParents(Node);
| ^~~~~~~
/home/toto/MatchHandler.cpp:36:19: error: ‘Context’ was not declared in this scope
36 | parents = Context->getParents(Node);
| ^~~~~~~
/home/toto/MatchHandler.cpp:36:19: note: suggested alternatives:
In file included from /usr/include/clang/Frontend/ASTUnit.h:17,
from /usr/include/clang/Frontend/FrontendAction.h:23,
from /usr/include/clang/Tooling/Tooling.h:35,
from /home/toto/MatchHandler.h:16,
from /home/toto/MatchHandler.cpp:5:
/usr/include/clang/AST/ASTContext.h:142:7: note: ‘clang::Builtin::Context’
142 | class Context;
| ^~~~~~~
/usr/include/clang/AST/ASTContext.h:157:7: note: ‘clang::interp::Context’
157 | class Context;
| ^~~~~~~
/home/toto/MatchHandler.cpp:36:39: error: ‘Node’ was not declared in this scope; did you mean ‘llvm::yaml::Node’?
36 | parents = Context->getParents(Node);
| ^~~~
| llvm::yaml::Node
In file included from /usr/include/llvm/Support/YAMLTraits.h:25,
from /usr/include/clang/Tooling/Inclusions/IncludeStyle.h:12,
from /usr/include/clang/Tooling/Inclusions/HeaderIncludes.h:14,
from /home/toto/MatchHandler.cpp:13:
/usr/include/llvm/Support/YAMLParser.h:119:7: note: ‘llvm::yaml::Node’ declared here
119 | class Node {
| ^~~~
/home/toto/MatchHandler.cpp:39:31: error: ‘parents’ was not declared in this scope; did you mean ‘parent’?
39 | for (const auto &parent : parents) {
| ^~~~~~~
| parent
/home/toto/MatchHandler.cpp:45:55: error: ‘Context’ was not declared in this scope
45 | return getNodeParents(NodeString, parent, Context, CurrentParents, ++Iterations);
| ^~~~~~~
/home/toto/MatchHandler.cpp:45:55: note: suggested alternatives:
In file included from /usr/include/clang/Frontend/ASTUnit.h:17,
from /usr/include/clang/Frontend/FrontendAction.h:23,
from /usr/include/clang/Tooling/Tooling.h:35,
from /home/toto/MatchHandler.h:16,
from /home/toto/MatchHandler.cpp:5:
/usr/include/clang/AST/ASTContext.h:142:7: note: ‘clang::Builtin::Context’
142 | class Context;
| ^~~~~~~
/usr/include/clang/AST/ASTContext.h:157:7: note: ‘clang::interp::Context’
157 | class Context;
| ^~~~~~~
/home/toto/MatchHandler.cpp:45:64: error: ‘CurrentParents’ was not declared in this scope
45 | return getNodeParents(NodeString, parent, Context, CurrentParents, ++Iterations);
| ^~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:45:82: error: ‘Iterations’ was not declared in this scope
45 | return getNodeParents(NodeString, parent, Context, CurrentParents, ++Iterations);
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:48:9: error: ‘CurrentParents’ was not declared in this scope
48 | CurrentParents.push_back(ParentNodeKind);
| ^~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:49:51: error: ‘Context’ was not declared in this scope
49 | return getNodeParents(NodeString, parent, Context, CurrentParents, ++Iterations);
| ^~~~~~~
/home/toto/MatchHandler.cpp:49:51: note: suggested alternatives:
In file included from /usr/include/clang/Frontend/ASTUnit.h:17,
from /usr/include/clang/Frontend/FrontendAction.h:23,
from /usr/include/clang/Tooling/Tooling.h:35,
from /home/toto/MatchHandler.h:16,
from /home/toto/MatchHandler.cpp:5:
/usr/include/clang/AST/ASTContext.h:142:7: note: ‘clang::Builtin::Context’
142 | class Context;
| ^~~~~~~
/usr/include/clang/AST/ASTContext.h:157:7: note: ‘clang::interp::Context’
157 | class Context;
| ^~~~~~~
/home/toto/MatchHandler.cpp:49:78: error: ‘Iterations’ was not declared in this scope
49 | return getNodeParents(NodeString, parent, Context, CurrentParents, ++Iterations);
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:52:12: error: ‘CurrentParents’ was not declared in this scope
52 | return CurrentParents;
| ^~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp: In member function ‘std::string MatchHandler::findStringType(const clang::StringLiteral&, clang::ASTContext*)’:
/home/toto/MatchHandler.cpp:58:17: error: ‘DynTypedNodeList’ is not a member of ‘clang::ASTContext’
58 | ASTContext::DynTypedNodeList parents = pContext->getParents(NodeString);;
| ^~~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:60:31: error: ‘parents’ was not declared in this scope; did you mean ‘parent’?
60 | for (const auto &parent : parents) {
| ^~~~~~~
| parent
/home/toto/MatchHandler.cpp:66:60: error: expected primary-expression before ‘>’ token
66 | StringType = parent.get<clang::ImplicitCastExpr>()->getType().getAsString();
| ^
/home/toto/MatchHandler.cpp:66:62: error: expected primary-expression before ‘)’ token
66 | StringType = parent.get<clang::ImplicitCastExpr>()->getType().getAsString();
| ^
/home/toto/MatchHandler.cpp: At global scope:
/home/toto/MatchHandler.cpp:77:78: error: ‘clang::ast_type_traits’ has not been declared
77 | MatchHandler::climbParentsIgnoreCast(const StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:77:108: error: expected ‘,’ or ‘...’ before ‘node’
77 | MatchHandler::climbParentsIgnoreCast(const StringLiteral &NodeString, clang::ast_type_traits::DynTypedNode node,
| ^~~~
/home/toto/MatchHandler.cpp: In member function ‘bool MatchHandler::climbParentsIgnoreCast(const clang::StringLiteral&, int)’:
/home/toto/MatchHandler.cpp:80:17: error: ‘DynTypedNodeList’ is not a member of ‘clang::ASTContext’
80 | ASTContext::DynTypedNodeList parents = pContext->getParents(NodeString);;
| ^~~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:82:9: error: ‘iterations’ was not declared in this scope
82 | if (iterations > 0) {
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:83:9: error: ‘parents’ was not declared in this scope
83 | parents = pContext->getParents(node);
| ^~~~~~~
/home/toto/MatchHandler.cpp:83:19: error: ‘pContext’ was not declared in this scope
83 | parents = pContext->getParents(node);
| ^~~~~~~~
/home/toto/MatchHandler.cpp:83:40: error: ‘node’ was not declared in this scope
83 | parents = pContext->getParents(node);
| ^~~~
/home/toto/MatchHandler.cpp:86:31: error: ‘parents’ was not declared in this scope; did you mean ‘parent’?
86 | for (const auto &parent : parents) {
| ^~~~~~~
| parent
/home/toto/MatchHandler.cpp:92:63: error: ‘pContext’ was not declared in this scope
92 | return climbParentsIgnoreCast(NodeString, parent, pContext, ++iterations, StringType);
| ^~~~~~~~
/home/toto/MatchHandler.cpp:92:75: error: ‘iterations’ was not declared in this scope
92 | return climbParentsIgnoreCast(NodeString, parent, pContext, ++iterations, StringType);
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:92:87: error: ‘StringType’ was not declared in this scope; did you mean ‘findStringType’?
92 | return climbParentsIgnoreCast(NodeString, parent, pContext, ++iterations, StringType);
| ^~~~~~~~~~
| findStringType
/home/toto/MatchHandler.cpp:95:44: error: ‘pContext’ was not declared in this scope
95 | handleStringInContext(&NodeString, pContext, parent, StringType);
| ^~~~~~~~
/home/toto/MatchHandler.cpp:95:62: error: ‘StringType’ was not declared in this scope; did you mean ‘findStringType’?
95 | handleStringInContext(&NodeString, pContext, parent, StringType);
| ^~~~~~~~~~
| findStringType
/home/toto/MatchHandler.cpp: In member function ‘virtual void MatchHandler::run(const MatchResult&)’:
/home/toto/MatchHandler.cpp:109:40: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
109 | if (!Decl->getBytes().str().size() > 4) {
| ^
/home/toto/MatchHandler.cpp:109:9: note: add parentheses around left hand side expression to silence this warning
109 | if (!Decl->getBytes().str().size() > 4) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ( )
/home/toto/MatchHandler.cpp:109:40: warning: comparison of constant ‘4’ with boolean expression is always false [-Wbool-compare]
109 | if (!Decl->getBytes().str().size() > 4) {
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
/home/toto/MatchHandler.cpp:115:42: error: ‘clang::ast_type_traits’ has not been declared
115 | climbParentsIgnoreCast(*Decl, clang::ast_type_traits::DynTypedNode(), Result.Context, 0, StringType);
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp: At global scope:
/home/toto/MatchHandler.cpp:120:55: error: ‘ast_type_traits’ in namespace ‘clang’ does not name a type
120 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:120:85: error: expected unqualified-id before ‘node’
120 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:120:84: error: expected ‘)’ before ‘node’
120 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~
| )
/home/toto/MatchHandler.cpp:119:41: note: to match this ‘(’
119 | void MatchHandler::handleStringInContext(const clang::StringLiteral *pLiteral, clang::ASTContext *const pContext,
| ^
/home/toto/MatchHandler.cpp:120:85: error: expected initializer before ‘node’
120 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:137:48: error: ‘ast_type_traits’ in namespace ‘clang’ does not name a type
137 | const clang::ast_type_traits::DynTypedNode node, std::string StringType, std::string NewType) {
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:137:78: error: expected unqualified-id before ‘node’
137 | const clang::ast_type_traits::DynTypedNode node, std::string StringType, std::string NewType) {
| ^~~~
/home/toto/MatchHandler.cpp:137:77: error: expected ‘)’ before ‘node’
137 | const clang::ast_type_traits::DynTypedNode node, std::string StringType, std::string NewType) {
| ^~~~~
| )
/home/toto/MatchHandler.cpp:136:30: note: to match this ‘(’
136 | bool MatchHandler::handleExpr(const clang::StringLiteral *pLiteral, clang::ASTContext *const pContext,
| ^
/home/toto/MatchHandler.cpp:137:78: error: expected initializer before ‘node’
137 | const clang::ast_type_traits::DynTypedNode node, std::string StringType, std::string NewType) {
| ^~~~
/home/toto/MatchHandler.cpp:161:48: error: ‘ast_type_traits’ in namespace ‘clang’ does not name a type
161 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:161:78: error: expected unqualified-id before ‘node’
161 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:161:77: error: expected ‘)’ before ‘node’
161 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~
| )
/home/toto/MatchHandler.cpp:160:34: note: to match this ‘(’
160 | void MatchHandler::handleCallExpr(const clang::StringLiteral *pLiteral, clang::ASTContext *const pContext,
| ^
/home/toto/MatchHandler.cpp:161:78: error: expected initializer before ‘node’
161 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:219:52: error: ‘ast_type_traits’ in namespace ‘clang’ does not name a type
219 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:219:82: error: expected unqualified-id before ‘node’
219 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:219:81: error: expected ‘)’ before ‘node’
219 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~
| )
/home/toto/MatchHandler.cpp:218:38: note: to match this ‘(’
218 | void MatchHandler::handleInitListExpr(const clang::StringLiteral *pLiteral, clang::ASTContext *const pContext,
| ^
/home/toto/MatchHandler.cpp:219:82: error: expected initializer before ‘node’
219 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:226:52: error: ‘ast_type_traits’ in namespace ‘clang’ does not name a type
226 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:226:82: error: expected unqualified-id before ‘node’
226 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp:226:81: error: expected ‘)’ before ‘node’
226 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~~
| )
/home/toto/MatchHandler.cpp:225:37: note: to match this ‘(’
225 | void MatchHandler::handleVarDeclExpr(const clang::StringLiteral *pLiteral, clang::ASTContext *const pContext,
| ^
/home/toto/MatchHandler.cpp:226:82: error: expected initializer before ‘node’
226 | const clang::ast_type_traits::DynTypedNode node, std::string StringType) {
| ^~~~
/home/toto/MatchHandler.cpp: In member function ‘bool MatchHandler::insertVariableDeclaration(const clang::StringLiteral*, clang::ASTContext*, clang::SourceRange, const string&, std::string)’:
/home/toto/MatchHandler.cpp:265:64: error: ‘clang::ast_type_traits’ has not been declared
265 | SourceRange FreeSpace = findInjectionSpot(pContext, clang::ast_type_traits::DynTypedNode(), *pLiteral,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp: At global scope:
/home/toto/MatchHandler.cpp:311:74: error: ‘clang::ast_type_traits’ has not been declared
311 | MatchHandler::findInjectionSpot(clang::ASTContext *const Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:311:104: error: expected ‘,’ or ‘...’ before ‘Parent’
311 | MatchHandler::findInjectionSpot(clang::ASTContext *const Context, clang::ast_type_traits::DynTypedNode Parent,
| ^~~~~~
/home/toto/MatchHandler.cpp: In static member function ‘static clang::SourceRange MatchHandler::findInjectionSpot(clang::ASTContext*, int)’:
/home/toto/MatchHandler.cpp:314:9: error: ‘Iterations’ was not declared in this scope
314 | if (Iterations > Globs::CLIMB_PARENTS_MAX_ITER)
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:317:17: error: ‘DynTypedNodeList’ is not a member of ‘clang::ASTContext’
317 | ASTContext::DynTypedNodeList parents = Context->getParents(Literal);;
| ^~~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp:319:9: error: ‘Iterations’ was not declared in this scope
319 | if (Iterations > 0) {
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp:320:9: error: ‘parents’ was not declared in this scope
320 | parents = Context->getParents(Parent);
| ^~~~~~~
/home/toto/MatchHandler.cpp:320:39: error: ‘Parent’ was not declared in this scope
320 | parents = Context->getParents(Parent);
| ^~~~~~
/home/toto/MatchHandler.cpp:323:31: error: ‘parents’ was not declared in this scope; did you mean ‘parent’?
323 | for (const auto &parent : parents) {
| ^~~~~~~
| parent
/home/toto/MatchHandler.cpp:328:58: error: expected primary-expression before ‘>’ token
328 | auto FunDecl = parent.get<clang::FunctionDecl>();
| ^
/home/toto/MatchHandler.cpp:328:60: error: expected primary-expression before ‘)’ token
328 | auto FunDecl = parent.get<clang::FunctionDecl>();
| ^
/home/toto/MatchHandler.cpp:331:68: error: could not convert ‘{<expression error>, <expression error>}’ from ‘<brace-enclosed initializer list>’ to ‘clang::SourceRange’
331 | return {FirstChild->getBeginLoc(), FunDecl->getEndLoc()};
| ^
| |
| <brace-enclosed initializer list>
/home/toto/MatchHandler.cpp:335:17: error: ‘IsGlobal’ was not declared in this scope
335 | if (IsGlobal) {
| ^~~~~~~~
/home/toto/MatchHandler.cpp:336:49: error: expected primary-expression before ‘>’ token
336 | return parent.get<clang::VarDecl>()->getSourceRange();
| ^
/home/toto/MatchHandler.cpp:336:51: error: expected primary-expression before ‘)’ token
336 | return parent.get<clang::VarDecl>()->getSourceRange();
| ^
/home/toto/MatchHandler.cpp:340:51: error: ‘Literal’ was not declared in this scope
340 | return findInjectionSpot(Context, parent, Literal, IsGlobal, ++Iterations);
| ^~~~~~~
/home/toto/MatchHandler.cpp:340:60: error: ‘IsGlobal’ was not declared in this scope
340 | return findInjectionSpot(Context, parent, Literal, IsGlobal, ++Iterations);
| ^~~~~~~~
/home/toto/MatchHandler.cpp:340:72: error: ‘Iterations’ was not declared in this scope
340 | return findInjectionSpot(Context, parent, Literal, IsGlobal, ++Iterations);
| ^~~~~~~~~~
/home/toto/MatchHandler.cpp: In static member function ‘static bool MatchHandler::isBlacklistedFunction(const clang::CallExpr*)’:
/home/toto/MatchHandler.cpp:358:38: error: conversion from ‘llvm::StringRef’ to non-scalar type ‘std::string’ {aka ‘std::__cxx11::basic_string<char>’} requested
358 | std::string ApiName = II->getName();
| ~~~~~~~~~~~^~
/home/toto/MatchHandler.cpp: In static member function ‘static bool MatchHandler::isStringLiteralInGlobal(clang::ASTContext*, const clang::StringLiteral&)’:
/home/toto/MatchHandler.cpp:366:36: error: ‘clang::ast_type_traits’ has not been declared
366 | getNodeParents(Literal, clang::ast_type_traits::DynTypedNode(), Context, Parents, 0);
| ^~~~~~~~~~~~~~~
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:76: CMakeFiles/avcleaner.bin.dir/main.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:90: CMakeFiles/avcleaner.bin.dir/MatchHandler.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:87: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
Could you investigate this issue?
Thank you for the project 👍
Unhandled context errors
I have been able to build the docker container and the avcleaner.bin. Had a hard time setting up the includes from winsdk and I am still unable to get the strings_test.c working, no matter how hard I try, it keeps complaining about a header which was used but that doesn't seem to be part of the project. (I tried to use a winsdk version and MSVC build tool version as close as possible as the ones used in the example to avoid any friction when running the example/test files):
#include "common/base.h"
The only header with a name like this on my machine is:
winsdk/include/10.0.17134.0/cppwinrt/winrt/base.h
I cannot find it anywhere in here:
"-I" "/usr/lib/clang/10.0.0/include/" \
"-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/shared"\
"-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/ucrt" \
"-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/um" \
"-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/winrt" \
"-I" "/mnt/winsdk-insensitive/build-tools/vc/tools/msvc/14.16.27023/include" \
So my guess is that it was removed from the project. Anyhow, no big deal, I tried it on this:
#include <iostream>
int main() {
char* foo = "Thuglife !";
std::cout << "Hello World!";
return 0;
}
But I didn't get any bacon :-(
[toto@4fc2d6bdebea share]$ ./run_example.sh test/hello.c
Don't forget to update the path to your local winsdk
clang version 10.0.0
Target: x86_64-pc-windows-msvc14.16.27023
Thread model: posix
InstalledDir:
clang version 10.0.0
Target: x86_64-pc-windows-msvc14.16.27023
Thread model: posix
InstalledDir: /mnt/share/avcleaner
clang Invocation:
"/mnt/share/avcleaner/clang-tool" "-cc1" "-triple" "x86_64-pc-windows-msvc19.0.0" "-fsyntax-only" "-disable-free" "-disable-llvm-verifier" "-discard-value-names" "-main-file-name" "hello.c" "-mrelocation-model" "pic" "-pic-level" "2" "-mthread-model" "posix" "-mframe-pointer=none" "-fmath-errno" "-fno-rounding-math" "-masm-verbose" "-mconstructor-aliases" "-munwind-tables" "-target-cpu" "x86-64" "-dwarf-column-info" "-v" "-resource-dir" "/mnt/share/lib/clang/10.0.0" "-D" "_WIN64" "-D" "_UNICODE" "-D" "UNICODE" "-D" "_WINSOCK_DEPRECATED_NO_WARNINGS" "-I" "/usr/lib/clang/10.0.0/include/" "-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/shared" "-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/ucrt" "-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/um" "-I" "/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/winrt" "-I" "/mnt/winsdk-insensitive/build-tools/vc/tools/msvc/14.16.27023/include" "-internal-isystem" "/mnt/share/lib/clang/10.0.0/include" "-w" "-std=c++14" "-fdeprecated-macro" "-fdebug-compilation-dir" "-fno-use-cxa-atexit" "-ferror-limit" "1900" "-fmessage-length" "0" "-fno-use-cxa-atexit" "-fms-extensions" "-fms-compatibility" "-fms-compatibility-version=19.0" "-fdelayed-template-parsing" "-fobjc-runtime=gcc" "-fcxx-exceptions" "-fexceptions" "-fdiagnostics-show-option" "-fcolor-diagnostics" "-faddrsig" "-x" "c++" "/mnt/share/test/hello.c"
clang -cc1 version 10.0.0 based upon LLVM 10.0.0 default target x86_64-pc-linux-gnu
ignoring nonexistent directory "/mnt/share/lib/clang/10.0.0/include"
#include "..." search starts here:
#include <...> search starts here:
/usr/lib/clang/10.0.0/include
/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/shared
/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/ucrt
/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/um
/mnt/winsdk-insensitive/winsdk/include/10.0.17134.0/winrt
/mnt/winsdk-insensitive/build-tools/vc/tools/msvc/14.16.27023/include
End of search list.
Processing file
Running new consumer...
[StringEncryption] Registering ASTMatcher...
Unhandled context VarDecl for string Thuglife !
Unhandled context CXXConstructExpr for string ILoveTurtles !
** EndSourceFileAction for: /mnt/share/test/hello.c
Here is the edited source file :
Got main file id
Got Rewrite buffer
File was not modified
Can someone point me in the right direction here ? I got no issues compiling avcleaner.bin...I have the awkward feeling that I screwed something up and that this is actually not an issue. I was expecting the ILoveTurtles ! string to get obfuscated.
The idea is awesome though ! Was this a "point and run" on the "metasploit-payloads" repository or did you do things very selectively (identifying files that contain known AV signatures and working only those files) when transforming the codebase ?
New visual studio behaviour?
Hi,
i just tried compiling some code with your technique to hide API imports. The following code was compiled successfully 1-2 weeks ago but now visual studio returns Cannot resolve external symbol I_NetAut2. Did you face the same problem?
typedef NTSTATUS(__stdcall* _I_NetAut2)(
IN LOGONSRV_HANDLE PrimaryName,
IN wchar_t* AccountName,
IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
IN wchar_t* ComputerName,
IN PNETLOGON_CREDENTIAL ClientCredential,
OUT PNETLOGON_CREDENTIAL ServerCredential,
IN OUT ULONG* NegotiateFlags
);
char hid_NetapiLIB_02zmsserLCHt[] = { 'n','e','t','a','p','i','3','2','.','D','L','L',0 };
char hid_I_NetAut2_BZxlW5ZBUAAe[] = { 'I','_','N','e','t','S','e','r','v','e','r','A','u','t','h','e','n','t','i','c','a','t','e','2',0 };
HANDLE hhid_NetapiLIB_wwsasdad = LoadLibrary(hid_NetapiLIB_02zmsserLCHt);
_I_NetAut2 ffI_NetAut2 = (_I_NetAut2)GetProcAddress(hhid_NetapiLIB_wwsasdad, hid_I_NetAut2_BZxlW5ZBUAAe);
status = ffI_NetAut2((LOGONSRV_HANDLE) szDc, (wchar_t *) szUser, ServerSecureChannel, (wchar_t *) szComputer, &ClientCredential, &ServerCredential, &NegotiateFlags);
Greetings
Docker install
Tried dockef install all fine until
make j2 command!
Output from terminal
l&, bool, uint64_t)’:
/home/toto/MatchHandler.cpp:342:1: warning: control reaches
end of non-void function [-Wreturn-type]
342 | }
| ^
make[1]: *** [CMakeFiles/Makefile2:191: CMakeFiles/avcleaner
.bin.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
[toto@17e9dd64fc07 CMakeBuild]$ ls
CMakeCache.txt CMakeFiles cmake_install.cmake Makefile
[toto@17e9dd64fc07 CMakeBuild]$
Error in make -j 2
- Looking for os_signpost_interval_begin
-- Looking for os_signpost_interval_begin - not found
-- Configuring done
-- Generating done
-- Build files have been written to: /home/toto/makes
[toto@e5914e876314 makes]$ make
Scanning dependencies of target avcleaner.bin
[ 16%] Building CXX object CMakeFiles/avcleaner.bin.dir/main.cpp.o
[ 33%] Building CXX object CMakeFiles/avcleaner.bin.dir/MatchHandler.cpp.o
[ 50%] Building CXX object CMakeFiles/avcleaner.bin.dir/Globals.cpp.o
[ 66%] Building CXX object CMakeFiles/avcleaner.bin.dir/ApiMatchHandler.cpp.o
[ 83%] Building CXX object CMakeFiles/avcleaner.bin.dir/Utils.cpp.o
[100%] Linking CXX executable avcleaner.bin
/usr/sbin/ld: cannot find -lclangTooling
/usr/sbin/ld: cannot find -lclangToolingInclusions
/usr/sbin/ld: cannot find -lclangLex
/usr/sbin/ld: cannot find -lclangToolingCore
/usr/sbin/ld: cannot find -lclangAST
/usr/sbin/ld: cannot find -lclangASTMatchers
/usr/sbin/ld: cannot find -lclangBasic
/usr/sbin/ld: cannot find -lclangFrontend
/usr/sbin/ld: cannot find -lclangFrontendTool
/usr/sbin/ld: cannot find -lclangRewrite
/usr/sbin/ld: cannot find -lclangRewriteFrontend
/usr/sbin/ld: cannot find -lclangSerialization
collect2: error: ld returned 1 exit status
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:205: avcleaner.bin] Error 1
make[1]: *** [CMakeFiles/Makefile2:97: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:103: all] Error 2
Feature Request - multiline char/byte array obfuscation
Hey,
it would be nice to also have support for multiline char or byte array obfuscation. E.g. Shellcode bytes in the source are not obfuscated at the moment.
In addition, the strings "hid_" could be used for signatures at the moment. Using random strings here instead would make the resulting code even less detectable.
Greetings
Macro expansion in your patched files
avcleaner/test/strings_simplest.c.patch
Line 63 in 568b789
The issue described in the blog article about macros occurs in the patched files in the repo.
handleVarDeclExpr
Could you explain how you intended to implement handleVarDeclExpr and what the problems were?
Error running avcleaner
LLVM inconsistency error
Hi,
i compiled the avcleaner successfully but get the following error everytime trying to use the binary:
CommandLine Error: Option 'non-global-value-max-name-size' registered more than once! LLVM ERROR: inconsistency in registered CommandLine options
Cmake Version 3.16.3
llvm Version 9.0.1
The winsdk paths are changed. Some idea how to get rid of this error?
Greetings
There is a problem when compiling
[toto@c15d0374c84e CMakeBuild]$ make
Scanning dependencies of target avcleaner.bin
[ 16%] Building CXX object CMakeFiles/avcleaner.bin.dir/main.cpp.o
/home/toto/avcleaner/main.cpp: In member function ‘virtual void AVObfuscator::Action::EndSourceFileAction()’:
/home/toto/avcleaner/main.cpp:136:85: error: conversion from ‘llvm::StringRef’ to non-scalar type ‘std::string’ {aka ‘std::__cxx11::basic_string’} requested
136 | std::string FileName = SM.getFileEntryForID(SM.getMainFileID())->getName();
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:82: CMakeFiles/avcleaner.bin.dir/main.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:99: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:103: all] Error 2
can not build avcleaner.bin
Hello, I got the following error when building avcleaner.bin with ubuntu20.04. Could you please give me some advice?
root@24c0b22321e9:/avcleaner/CMakeBuild# make
[ 16%] Building CXX object CMakeFiles/avcleaner.bin.dir/main.cpp.o
In file included from /avcleaner/Consumer.h:10,
from /avcleaner/main.cpp:17:
/avcleaner/MatchHandler.h:53:73: error: 'clang::DynTypedNode' has not been declared
53 | bool climbParentsIgnoreCast(const clang::StringLiteral &NodeString, clang::DynTypedNode node,
| ^~~~~
/avcleaner/MatchHandler.h:65:60: error: 'clang::DynTypedNode' has not been declared
65 | getNodeParents(const clang::StringLiteral &NodeString, clang::DynTypedNode Node,
| ^~~~~
/avcleaner/MatchHandler.h:75:32: error: 'clang::DynTypedNode' has not been declared
75 | clang::DynTypedNode node, std::string StringType);
| ^~~~~
/avcleaner/MatchHandler.h:84:25: error: 'clang::DynTypedNode' has not been declared
84 | clang::DynTypedNode node, std::string StringType);
| ^~~~~
/avcleaner/MatchHandler.h:96:51: error: 'clang::DynTypedNode' has not been declared
96 | findInjectionSpot(clang::ASTContext *Context, clang::DynTypedNode Parent,
| ^~~~~
/avcleaner/MatchHandler.h:107:29: error: 'clang::DynTypedNode' has not been declared
107 | clang::DynTypedNode node, std::string StringType);
| ^~~~~
/avcleaner/MatchHandler.h:123:21: error: 'clang::DynTypedNode' has not been declared
123 | clang::DynTypedNode node, std::string StringType="", std::string NewType="");
| ^~~~~
/avcleaner/MatchHandler.h:126:28: error: 'clang::DynTypedNode' has not been declared
126 | clang::DynTypedNode node, std::string StringType);
| ^~~~~
In file included from /avcleaner/main.cpp:19:
/avcleaner/ApiMatchHandler.h:67:83: error: 'clang::DynTypedNode' has not been declared
67 | static clang::SourceRange findInjectionSpot(clang::ASTContext *const Context, clang::DynTypedNode Parent,
| ^~~~~
/avcleaner/ApiMatchHandler.h:88:41: error: 'clang::DynTypedNode' has not been declared
88 | getParents(const clang::Expr &pExr, clang::DynTypedNode Node, clang::ASTContext *const Context,
| ^~~~~
/avcleaner/ApiMatchHandler.h:91:75: error: 'clang::DynTypedNode' has not been declared
91 | clang::SourceLocation findFirstFunctionDecl(const clang::Expr &pExpr, clang::DynTypedNode Node,
| ^~~~~
/avcleaner/main.cpp: In function 'int main(int, const char**)':
/avcleaner/main.cpp:214:78: error: no matching function for call to 'clang::tooling::CommonOptionsParser::create(int&, const char**&, llvm::cl::OptionCategory&)'
214 | auto option_parser = CommonOptionsParser::create(argc, argv, ToolCategory);
| ^
In file included from /avcleaner/main.cpp:8:
/usr/lib/llvm-10/include/clang/Tooling/CommonOptionsParser.h:97:3: note: candidate: 'static llvm::Expected<clang::tooling::CommonOptionsParser> clang::tooling::CommonOptionsParser::create(int&, const char**, llvm::cl::OptionCategory&, llvm::cl::NumOccurrencesFlag, const char*)'
97 | create(int &argc, const char **argv, llvm::cl::OptionCategory &Category,
| ^~~~~~
/usr/lib/llvm-10/include/clang/Tooling/CommonOptionsParser.h:97:3: note: candidate expects 5 arguments, 3 provided
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:63: CMakeFiles/avcleaner.bin.dir/main.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:78: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:84: all] Error 2
My clang version:
root@24c0b22321e9:/avcleaner/CMakeBuild# clang -v
clang version 10.0.0-4ubuntu1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/9
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Selected multilib: .;@m64
In fact, I use clang12.0 and have the same error. I don't know what's the reason
Ubuntu clang version 12.0.0-3ubuntu1~20.04.5
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/9
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Selected multilib: .;@m64
Docker image `archlinux/base` no longer exists.
Faced this error while compiling the project:
$ docker build . -t avcleaner
Sending build context to Docker daemon 108.3MB
Step 1/7 : FROM archlinux/base
pull access denied for archlinux/base, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
I think the Docker image archlinux/base no longer exists.
Licensing question
This is really cool! Thanks for the blog post and all the work you’ve put into it.
Do you have plans to license it under any sort of community license like LGPL or MIT or is it to stay proprietary?
Question: building the refactored meterpreter project
Thanks again for the awesome blog post and publishing this ! Great work !
I do have a few questions though. I have gone ahead and ran the transformations on many .c files in the metasploit-payloads project...However I am no longer able to build. For example, I get the following errors:
ClCompile:
C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\CL.exe /c /I..\..\source\ReflectiveDLLInjection\common /I..\..\source\ReflectiveDLLInjection\inject\src /I..\..\source\ReflectiveDLLInjection\dll\sr
c /I..\..\deps\openssl\include /Zi /nologo /W3 /WX /O1 /Ob1 /Os /Oy- /D WIN32 /D NDEBUG /D _LIB /D _USING_V110_SDK71_ /D _UNICODE /D UNICODE /GF /Gm- /EHsc /MT /GS- /Gy- /fp:precise /Zc:wchar_t /Zc:forScope
/Fo"Release\Win32\\" /Fd"Release\Win32\vc120.pdb" /Gd /TC /analyze- /errorReport:queue ..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.c ..\..\source\ReflectiveDLLInjection\inject\src\GetProcAddressR.c ..\..\so
urce\ReflectiveDLLInjection\inject\src\LoadLibraryR.c ..\..\source\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c
DelayLoadMetSrv.c
..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.c(60): error C2220: warning treated as error - no 'object' file generated [C:\Users\puss\Dev\msf-obfuscated\c\meterpreter\workspace\ReflectiveDLLInjection\Reflec
tiveDLLInjection.vcxproj]
..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.c(60): warning C4133: 'function' : incompatible types - from 'TCHAR [11]' to 'const char *' [C:\Users\puss\Dev\msf-obfuscated\c\meterpreter\workspace\ReflectiveD
LLInjection\ReflectiveDLLInjection.vcxproj]
..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.c(67): warning C4133: 'function' : incompatible types - from 'TCHAR [11]' to 'const char *' [C:\Users\puss\Dev\msf-obfuscated\c\meterpreter\workspace\ReflectiveD
LLInjection\ReflectiveDLLInjection.vcxproj]
GetProcAddressR.c
LoadLibraryR.c
ReflectiveLoader.c
Generating Code...
Done Building Project "C:\Users\puss\Dev\msf-obfuscated\c\meterpreter\workspace\ReflectiveDLLInjection\ReflectiveDLLInjection.vcxproj" (default targets) -- FAILED.
This is what the refactored file looks like:
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "DelayLoadMetSrv.h"
#include "GetProcAddressR.h"
// The handle to the injected metsrv.dll, needed for delay loading...
HMODULE hMetSrv = NULL;
// All server extensions must support delay loading of metsrv.dll because this dll can be injected
// via reflective dll injection, as such normal calls to LoadLibrary/GetModuleHandle/GetProcAddress
// to resolve exports in metsrv.dll will not work as metsrv.dll will be 'invisible' to the native
// windows kernel32 api's. Theirfore we delay load metsrv.dll and intercept loading and resolving of
// its exports and resolve them using our own GetProcAddressR() function.
//
// To enable all of this in a new extnesion:
// 1. Add metsrv.dll to the DELAYLOAD option in the projects properties (Configuration->Linker->Input).
// 2. Add in the include file #include "DelayLoadMetSrv.h".
// 3. Add the macro "EnableDelayLoadMetSrv();" after all your includes.
// 4. Add the line "hMetSrv = remote->hMetSrv;" in your InitServerExtension() function.
//===============================================================================================//
FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli )
{
TCHAR hid_metsrv_8An2Apu2Kv1U[] = {'m','e','t','s','r','v','.','d','l','l',0};
switch( dliNotify )
{
case dliNotePreLoadLibrary:
// If we are trying to delay load metsrv.dll we can just return the
// HMODULE of the injected metsrv library (set in InitServerExtension).
if( strcmp( pdli->szDll, hid_metsrv_8An2Apu2Kv1U ) == 0 )
return (FARPROC)hMetSrv;
break;
case dliNotePreGetProcAddress:
// If we are trying to get the address of an exported function in the
// metsrv.dll we must use GetProcAddressR() in case the metsrv was loaded
// via reflective dll injection
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return GetProcAddressR( pdli->hmodCur, pdli->dlp.szProcName );
break;
default:
return NULL;
}
return NULL;
}
//===============================================================================================//
Although it's kind of odd that in one case I got:
if( strcmp( pdli->szDll, hid_metsrv_8An2Apu2Kv1U ) == 0 )
and in another case:
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
Can you give me some insight into the challenges you faced with using this approach ? Was it a smooth process or was there a lot of manual adjustments required to make it build successfully after refactoring the source files using libclang ?
Compiling in linux
First of all thank you for your amazing work and effort. i'm having this issue compiling a c++ code in kali linux
i get this error:
# ./avcleaner.bin '/root/MalDev/cpp/C-Reverse-Shell/re.cpp' --strings=true --api=true -- -v
clang version 9.0.1-13
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir:
Found candidate GCC installation: /../lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /../lib/gcc/x86_64-linux-gnu/9
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /../lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Selected multilib: .;@m64
clang version 9.0.1-13
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /root/MalDev/avcleaner/CMakeBuild
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Selected multilib: .;@m64
clang Invocation:
"/root/MalDev/avcleaner/CMakeBuild/clang-tool" "-cc1" "-triple" "x86_64-pc-linux-gnu" "-fsyntax-only" "-disable-free" "-disable-llvm-verifier" "-discard-value-names" "-main-file-name" "re.cpp" "-mrelocation-model" "static" "-mthread-model" "posix" "-mdisable-fp-elim" "-fmath-errno" "-masm-verbose" "-mconstructor-aliases" "-munwind-tables" "-fuse-init-array" "-target-cpu" "x86-64" "-dwarf-column-info" "-debugger-tuning=gdb" "-v" "-resource-dir" "/root/MalDev/avcleaner/lib/clang/9.0.1" "-internal-isystem" "/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9" "-internal-isystem" "/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/x86_64-linux-gnu/c++/9" "-internal-isystem" "/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/x86_64-linux-gnu/c++/9" "-internal-isystem" "/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/backward" "-internal-isystem" "/usr/local/include" "-internal-isystem" "/usr/include/clang/9.0.1/include/" "-internal-externc-isystem" "/usr/include/x86_64-linux-gnu" "-internal-externc-isystem" "/include" "-internal-externc-isystem" "/usr/include" "-fdeprecated-macro" "-fdebug-compilation-dir" "/root/MalDev/avcleaner/CMakeBuild" "-ferror-limit" "19" "-fmessage-length" "0" "-fobjc-runtime=gcc" "-fcxx-exceptions" "-fexceptions" "-fdiagnostics-show-option" "-fcolor-diagnostics" "-faddrsig" "-x" "c++" "/root/MalDev/cpp/C-Reverse-Shell/re.cpp"
clang -cc1 version 9.0.1 based upon LLVM 9.0.1 default target x86_64-pc-linux-gnu
ignoring nonexistent directory "/include"
ignoring duplicate directory "/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/x86_64-linux-gnu/c++/9"
#include "..." search starts here:
#include <...> search starts here:
/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9
/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/x86_64-linux-gnu/c++/9
/usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/backward
/usr/local/include
/usr/include/clang/9.0.1/include
/usr/include/x86_64-linux-gnu
/usr/include
End of search list.
Processing file /root/MalDev/cpp/C-Reverse-Shell/re.cpp
/root/MalDev/cpp/C-Reverse-Shell/re.cpp:1:10: fatal error: 'windows.h' file not found
#include <windows.h>
^~~~~~~~~~~
Running new consumer...
is there a way to pick a certain compiler while running the bin file?
i usually usei686-w64-mingw32-g++ to compile c/c++ codes
Thanks
Cannot "make" a clean version of avcleaner
Hi,
I am using Kali Linux 5.10.0-kali9-amd64 and followed the steps through the installation step. I am getting a couple of error messages when building avcleaner.bin:
[ 33%] Building CXX object CMakeFiles/avcleaner.bin.dir/MatchHandler.cpp.o
[ 33%] Building CXX object CMakeFiles/avcleaner.bin.dir/main.cpp.o
/home/toto/MatchHandler.cpp: In member function ‘void MatchHandler::handleCallExpr(const clang::StringLiteral*, clang::ASTContext*, clang::DynTypedNode, std::string)’:
/home/toto/MatchHandler.cpp:196:18: warning: variable ‘Type’ set but not used [-Wunused-but-set-variable]
196 | auto Type = FunctionCall->getDirectCallee()->getParamDecl(i)->getType();
| ^~~~
/home/toto/MatchHandler.cpp: In function ‘int nbUniqChars(const std::string&)’:
/home/toto/MatchHandler.cpp:391:24: warning: comparison of integer expressions of different signedness: ‘int’ and ‘std::__cxx11::basic_string<char>::size_type’ {aka ‘long unsigned int’} [-Wsign-compare]
391 | for (auto i = 0; i < text.length(); i++) {
| ~~^~~~~~~~~~~~~~~
/home/toto/MatchHandler.cpp: In static member function ‘static clang::SourceRange MatchHandler::findInjectionSpot(clang::ASTContext*, clang::DynTypedNode, const clang::StringLiteral&, bool, uint64_t)’:
/home/toto/MatchHandler.cpp:343:1: warning: control reaches end of non-void function [-Wreturn-type]
343 | }
| ^
[ 50%] Building CXX object CMakeFiles/avcleaner.bin.dir/Globals.cpp.o
[ 66%] Building CXX object CMakeFiles/avcleaner.bin.dir/ApiMatchHandler.cpp.o
[ 83%] Building CXX object CMakeFiles/avcleaner.bin.dir/Utils.cpp.o
/home/toto/ApiMatchHandler.cpp: In static member function ‘static clang::SourceRange ApiMatchHandler::findInjectionSpot(clang::ASTContext*, clang::DynTypedNode, const clang::CallExpr&, uint64_t)’:
/home/toto/ApiMatchHandler.cpp:130:1: warning: control reaches end of non-void function [-Wreturn-type]
130 | }
| ^
/home/toto/ApiMatchHandler.cpp: In member function ‘bool ApiMatchHandler::isInsideIfCondition(const clang::CallExpr*, clang::ASTContext*)’:
/home/toto/ApiMatchHandler.cpp:381:1: warning: control reaches end of non-void function [-Wreturn-type]
381 | }
| ^
[100%] Linking CXX executable avcleaner.bin
[100%] Built target avcleaner.bin
I cannot run avcleaner.bin successfully:
[toto@7600c3d5dab1 CMakeBuild]$ ./avcleaner.bin ../test/strings_test.c --strings=true --
Processing file /home/toto/CMakeBuild/../test/strings_test.c
/home/toto/CMakeBuild/../test/strings_test.c:1:10: fatal error: 'windows.h' file not found
#include <windows.h>
^~~~~~~~~~~
Running new consumer...
[StringEncryption] Registering ASTMatcher...
** EndSourceFileAction for: /home/toto/CMakeBuild/../test/strings_test.c
File was not modified
1 error generated.
Error while processing /home/toto/CMakeBuild/../test/strings_test.c.
When including the headers, I get the error:
[toto@a6242ac6010f CMakeBuild]$ sudo ./avcleaner.bin ../test/strings_simplest.c -I ../include
avcleaner.bin: /usr/include/llvm/Support/Error.h:671: llvm::Expected<T>::storage_type* llvm::Expected<T>::getStorage() [with T = clang::tooling::CommonOptionsParser; storage_type = clang::tooling::CommonOptionsParser]: Assertion `!HasError && "Cannot get value when an error exists!"' failed.
Aborted
My clang version:
[toto@a6242ac6010f CMakeBuild]$ clang --version
clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/sbin
If you need further informations, let me know.
docker install error
==> Leaving fakeroot environment.
==> Finished making: yay 10.0.2-1 (Sat 18 Jul 2020 11:28:32 AM UTC)
error: '/tmp/yay/yay*.pkg.tar.xz': could not find or read package
loading packages...
The command '/bin/sh -c cd /tmp && git clone https://aur.archlinux.org/yay.git && cd yay && chown -R toto. /tmp/yay/ && sudo -u toto makepkg -s && pacman --noconfirm -U /tmp/yay/yay*.pkg.tar.xz' returned a non-zero code: 1
issues when running "cmake.."
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:76: CMakeFiles/avcleaner.bin.dir/main.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [CMakeFiles/avcleaner.bin.dir/build.make:90: CMakeFiles/avcleaner.bin.dir/MatchHandler.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:87: CMakeFiles/avcleaner.bin.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
issues when running "cmake.."
[toto@fcc278aee3d3 CMakeBuild]$ sudo cmake ..
-- Found LLVM 11.0.0
-- Using LLVMConfig.cmake in: /usr/lib/cmake/llvm
-- Using ClangConfig.cmake in: /usr/lib/cmake/clang
-- Building with -fPIC
-- Configuring done
CMake Error at CMakeLists.txt:20 (add_executable):
Cannot find source file:
main.cpp
Tried extensions .c .C .c++ .cc .cpp .cxx .cu .m .M .mm .h .hh .h++ .hm
.hpp .hxx .in .txx .f .F .for .f77 .f90 .f95 .f03 .ispc
CMake Error at CMakeLists.txt:20 (add_executable):
No SOURCES given to target: avcleaner.bin
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.