
cxx/VirusAnalysis.*xx has unfinished functions (static analysis, process executables.) Do this as cxx/ClassPortableExecutable.*xx #8

Open
SwuduSusuwu opened this issue Jun 16, 2024 · 4 comments
Assignees
Labels
good first issue Good for newcomers improve New feature or request todo unimplemented (but advertised) part of the tool

Comments

@SwuduSusuwu
Copy link
Owner

SwuduSusuwu commented Jun 16, 2024

cxx/VirusAnalysis.hxx#L42

```cpp
/* Static analysis */
/* @throw bad_alloc */
const std::vector<std::string> importedFunctionsList(const PortableExecutable &); /* TODO */
...
/* Analysis sandbox */
const VirusAnalysisResult straceOutputsAnalysis(const FilePath &straceDumpPath); /* TODO: regex */
```

Lots to do. If you want this, respond that you wish more resources to go to this, or contribute.
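The `straceOutputsAnalysis()` TODO above asks for a regex pass over an strace dump. Below is an added example of that shape; it is not code from the SubStack project. The member names of `VirusAnalysisResult`, the four rules, the prefix stripping for `strace -f`/`-t` output, and the sample dump are all this example's own assumptions, written to be C++11-compatible like the project.

```cpp
// Added example (not SubStack's code): regex rules over strace(1) output.
// VirusAnalysisResult's members, the rules and the sample dump are assumptions.
#include <fstream>
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Ordered so that a worse verdict compares greater than a better one.
enum class VirusAnalysisResult { virusAnalysisPass = 0, virusAnalysisRequiresReview = 1, virusAnalysisFail = 2 };

struct StraceRule { std::string name; std::regex pattern; VirusAnalysisResult verdict; };
struct StraceMatch { std::size_t lineNo; std::string rule; std::string line; };

// Assumed rule set; a production scanner would tune and extend this.
static const std::vector<StraceRule> &straceRules() {
    static const std::vector<StraceRule> rules = {
        {"spawns a shell",
         std::regex(R"rx(^execve\("(/bin/|/usr/bin/)?(sh|bash|dash)")rx"),
         VirusAnalysisResult::virusAnalysisFail},
        {"writes a persistence file",
         std::regex(R"rx(^openat?\(.*"(/etc/cron[^"]*|/etc/rc\.local|[^"]*/\.bashrc)".*O_(WRONLY|RDWR|CREAT))rx"),
         VirusAnalysisResult::virusAnalysisFail},
        {"outbound TCP connect",
         std::regex(R"rx(^connect\(\d+, \{sa_family=AF_INET6?, sin6?_port=htons\(\d+\))rx"),
         VirusAnalysisResult::virusAnalysisRequiresReview},
        {"ptrace",
         std::regex(R"rx(^ptrace\()rx"),
         VirusAnalysisResult::virusAnalysisRequiresReview},
    };
    return rules;
}

// `strace -f` prefixes "[pid NNN] " and `-t` prefixes "HH:MM:SS "; drop both so
// the rules can anchor on the syscall name.
static std::string stripStracePrefix(const std::string &line) {
    static const std::regex prefix(R"rx(^(\[pid\s+\d+\]\s*)?(\d+:\d+:\d+(\.\d+)?\s+)?)rx");
    std::smatch m;
    if (std::regex_search(line, m, prefix, std::regex_constants::match_continuous)) return m.suffix().str();
    return line;
}

// Scans a dump held in memory; the worst verdict wins. `matches`, if given,
// receives every (line number, rule, line) hit so the caller can report them.
VirusAnalysisResult straceDumpAnalysis(const std::string &dump, std::vector<StraceMatch> *matches = nullptr) {
    VirusAnalysisResult worst = VirusAnalysisResult::virusAnalysisPass;
    std::istringstream in(dump);
    std::string raw;
    std::size_t lineNo = 0;
    while (std::getline(in, raw)) {
        ++lineNo;
        const std::string line = stripStracePrefix(raw);
        for (const StraceRule &rule : straceRules()) {
            if (!std::regex_search(line, rule.pattern)) continue;
            if (matches) matches->push_back(StraceMatch{lineNo, rule.name, line});
            if (rule.verdict > worst) worst = rule.verdict;
        }
    }
    return worst;
}

// File-path front end in the shape of the header's straceOutputsAnalysis(const FilePath &).
VirusAnalysisResult straceOutputsAnalysis(const std::string &straceDumpPath, std::vector<StraceMatch> *matches = nullptr) {
    std::ifstream in(straceDumpPath.c_str(), std::ios::binary);
    if (!in) return VirusAnalysisResult::virusAnalysisRequiresReview; // unreadable dump: never silently pass
    std::stringstream buf;
    buf << in.rdbuf();
    return straceDumpAnalysis(buf.str(), matches);
}

// Constructed sample of `strace -f` output (not a real capture).
static const char *const sampleStraceDump =
    "execve(\"./suspect\", [\"./suspect\"], 0x7ffd3c2e1a40 /* 20 vars */) = 0\n"
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3\n"
    "[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr(\"203.0.113.5\")}, 16) = 0\n"
    "[pid  4242] openat(AT_FDCWD, \"/etc/cron.d/update\", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5\n"
    "[pid  4243] execve(\"/bin/sh\", [\"sh\", \"-c\", \"id\"], 0x55e0a1b2c3d0 /* 20 vars */) = 0\n"
    "exit_group(0) = ?\n";

int main() {
    std::vector<StraceMatch> hits;
    const VirusAnalysisResult verdict = straceDumpAnalysis(sampleStraceDump, &hits);
    for (const StraceMatch &h : hits) std::cout << "line " << h.lineNo << ": " << h.rule << ": " << h.line << "\n";
    std::cout << "verdict: " << static_cast<int>(verdict) << "\n";
    return verdict == VirusAnalysisResult::virusAnalysisPass ? 0 : 1;
}
```

Two points worth keeping in mind when turning this into the real function: the first `execve` of the sample (the sample binary itself) must not trip the shell rule, which is why the rule anchors on the quoted path rather than on `execve(` alone; and an unreadable dump is returned as "requires review" rather than "pass", so a sandbox that failed to capture anything cannot launder a sample through.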

@SwuduSusuwu SwuduSusuwu added improve New feature or request good first issue Good for newcomers labels Jun 16, 2024
@SwuduSusuwu
Copy link
Owner Author

Can we reuse LLVM's `clang --analyze` to do static analysis? llvm/llvm-project#86600 (comment)

@SwuduSusuwu
Copy link
Owner Author

SwuduSusuwu commented Sep 28, 2024

@SwuduSusuwu SwuduSusuwu changed the title cxx/VirusAnalysis.hxx has unfinished functions (static analysis/parse executables.) Do this as cxx/ClassPortableExecutable cxx/VirusAnalysis.*xx has unfinished functions (static analysis, process executables.) Do this as cxx/ClassPortableExecutable.*xx Nov 15, 2024
@SwuduSusuwu SwuduSusuwu self-assigned this Nov 15, 2024
@SwuduSusuwu
Copy link
Owner Author

Minuscule progress (signatureAnalysis() "processes" executables):
?signatureAnalysis() If match, output sig+offset. @3d064ac
?virusAnalysisTests() False negative tests, cache. @09bd2d3

SwuduSusuwu added a commit that referenced this issue Nov 24, 2024
?`cxx/ClassSys.hxx`:
	+`classSysKernelSetHook()`: usage is `classSysSetHook(func, callback);` effect is `%s/function(...)/classSysKernelCallback(...)/` /* `virusAnalysisHook()` will use this */
	+`classSysKernelCallback<Func, Callback>` /* returns `(callback(...) ? function(...) : decltype(function(...))())` */

?`cxx/VirusAnalysis.cxx`:
	-`lambdaScan`, +`virusAnalysisImpl`: C++11 does not allow the use of a lambda in new lambdas.
	+`lambdaScanExecv`, +`lambdaScanCreateProcessA`: operating system specific lambdas.
	?`virusAnalysisHook`: use `classSysKernelSetHook(*, lambdaScan*)` to scan files which you execute.

Is progress to issues #1, #8 (both about `VirusAnalysis.cxx`).
Is followup to: commit a8c9f9b ("?virusAnalysisHook `s/[] (/auto lambdaScan = [] (/`)").

?`posts/VirusAnalysis.md`: include all this.
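The commit message above describes the hook shape `classSysKernelCallback` takes: call the real function only if the callback approves, else return a value-initialised result. The following is an added example of that shape, not the project's own code, with a byte-signature scan (the `signatureAnalysis()` "sig+offset" behaviour from the earlier comment) as the callback and a mock exec standing in for `execv`/`CreateProcessA`. `gatedCall`, `signatureScan`, the in-memory "filesystem" and the EICAR-based signature are this example's assumptions.

```cpp
// Added example (not SubStack's code): a callback-gated hook in the shape the
// commit message gives, "(callback(...) ? function(...) : decltype(function(...))())",
// with a signature scan as the callback. Everything below is an assumption of
// this example except where it echoes that commit message.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Generic gate: run `function` only when `callback` approves the same arguments;
// otherwise return a value-initialised object of function's return type.
template<class Function, class Callback, class... Args>
auto gatedCall(Function function, Callback callback, const Args &... args)
    -> decltype(function(args...)) {
    typedef decltype(function(args...)) Result;
    return callback(args...) ? function(args...) : Result();
}

struct Signature { std::string name; std::vector<unsigned char> bytes; };
struct SignatureHit { bool matched; std::string name; std::size_t offset; };

static std::vector<unsigned char> toBytes(const std::string &s) {
    return std::vector<unsigned char>(s.begin(), s.end());
}

// Naive sliding-window search: the first signature that matches wins, and the
// offset of the match is reported alongside it.
SignatureHit signatureScan(const std::vector<unsigned char> &file, const std::vector<Signature> &sigs) {
    for (const Signature &sig : sigs) {
        if (sig.bytes.empty() || sig.bytes.size() > file.size()) continue;
        for (std::size_t off = 0; off + sig.bytes.size() <= file.size(); ++off)
            if (std::equal(sig.bytes.begin(), sig.bytes.end(), file.begin() + off))
                return SignatureHit{true, sig.name, off};
    }
    return SignatureHit{false, "", 0};
}

// The EICAR test string is the standard harmless detection target.
static const char *const kEicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

static const std::vector<Signature> &knownSignatures() {
    static const std::vector<Signature> sigs = { {"EICAR-Test-File", toBytes(kEicar)} };
    return sigs;
}

// Constructed in-memory files standing in for what a real hook reads from disk.
static const std::map<std::string, std::vector<unsigned char> > &fakeFilesystem() {
    static const std::map<std::string, std::vector<unsigned char> > fs = {
        {"/tmp/clean.bin", toBytes("#!/bin/sh\necho hello\n")},
        {"/tmp/eicar.com", toBytes(std::string("#!/bin/sh\n") + kEicar)},
    };
    return fs;
}

// Mock of the hooked function: returns 1 when it "ran"; a blocked call yields
// Result(), which for int is 0.
static std::vector<std::string> executedPaths;
int fakeExecv(const std::string &path) { executedPaths.push_back(path); return 1; }

// The callback: deny when the file cannot be read or carries a known signature.
bool scanBeforeExec(const std::string &path) {
    const std::map<std::string, std::vector<unsigned char> > &fs = fakeFilesystem();
    std::map<std::string, std::vector<unsigned char> >::const_iterator it = fs.find(path);
    if (it == fs.end()) { std::cerr << path << ": unreadable, denied\n"; return false; }
    const SignatureHit hit = signatureScan(it->second, knownSignatures());
    if (hit.matched) std::cerr << path << ": " << hit.name << " at offset " << hit.offset << ", denied\n";
    return !hit.matched;
}

// What classSysKernelSetHook(execv, lambdaScanExecv) would install, in miniature.
int hookedExecv(const std::string &path) { return gatedCall(fakeExecv, scanBeforeExec, path); }

int main() {
    std::cout << "clean: " << hookedExecv("/tmp/clean.bin") << "\n";
    std::cout << "eicar: " << hookedExecv("/tmp/eicar.com") << "\n";
    return 0;
}
```

Two caveats for a real hook. `Result()` is `0` for `int`, which callers of POSIX `execv` (which returns `-1` on failure and never returns on success) would not read as a refusal; a production hook should map the blocked case to `-1` with `errno` set. Second, scanning by path and then exec'ing by path is a TOCTOU race: the file can be replaced between the two steps, so the scan should run on an already-open descriptor and the exec should use that same descriptor (`fexecve`).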
@SwuduSusuwu SwuduSusuwu added the todo unimplemented (but advertised) part of the tool label Nov 25, 2024
SwuduSusuwu added a commit that referenced this issue Dec 16, 2024
	. Fixes lots of [`Remark-lint` issues](https://github.com/SwuduSusuwu/SubStack/security/code-scanning?query=path%3Aposts%2FVirusAnalysis.md+branch%3Atrunk+tool%3A%22Remark-lint+%28reported+by+Codacy%29%22+).

English improved, now has some use to issue #8 (finish `cxx/VirusAnalysis.hxx` functions).
Comparison to assistants improved.
	Split "[howto improve performance]" from this, move to top.
_Erlang_ conversion section improved.
Most _English_ + _Markdown_ improved.
Is followup to: commit 0051480 (@`posts/AlbatrossCNS.md` fixup. +Table of Contents), as this commit does for `posts/VirusAnalysis.md` what that commit does for `posts/AlbatrossCNS.md`.
@SwuduSusuwu
Copy link
Owner Author

https://dl.acm.org/doi/full/10.1145/3546946 uses artificial neural tissue to disassemble executables; perhaps this has use for static analysis.
