Fix static link compilation (#8)
* Use C flags instead of CXX

* Fix warnings from MSVC

* Use target to set compilation flags

* Fix warnings

* Update CMakeLists to ignore warnings in libyara

* Fix last warnings
atxr authored Jun 21, 2023
1 parent d3a863b commit 4002b51
Showing 19 changed files with 129 additions and 103 deletions.
11 changes: 3 additions & 8 deletions CMakeLists.txt
Expand Up @@ -16,11 +16,6 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
SET(EXECUTABLE_OUTPUT_PATH ${CMAKE_BINARY_DIR}/bin)
SET(LIBRARY_OUTPUT_PATH ${CMAKE_BINARY_DIR}/bin)

if (MSVC)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT /WX")
set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} /MTd /WX")
endif(MSVC)

# Add cmake folder for
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")

Expand All @@ -32,15 +27,15 @@ if (WindbgPreview_INSTALL_PATH)
INSTALL_TTDREPLAY("${EXECUTABLE_OUTPUT_PATH}")
endif (WindbgPreview_INSTALL_PATH)

# The yara-ttd executable program
add_subdirectory(yara-ttd)

# Yara library
add_subdirectory(yara)

# The yarattd library
add_subdirectory(libyarattd)

# The yara-ttd executable program
add_subdirectory(yara-ttd)

# Tests
if(BUILD_TESTS)
add_subdirectory(tests)
10 changes: 6 additions & 4 deletions libyarattd/CMakeLists.txt
Expand Up @@ -31,10 +31,6 @@ set(libyarattd_INCLUDE
${libyarattd_STATIC_INCLUDE}/libyarattd_virtual_alloc.h
)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
endif()

# Create static library
add_library(libyarattd STATIC ${libyarattd_SRC} ${libyarattd_INCLUDE})

Expand All @@ -45,6 +41,12 @@ target_include_directories(
)
target_link_libraries(libyarattd PUBLIC libyara)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
target_compile_options(libyarattd PUBLIC "$<$<CONFIG:DEBUG>:/MTd>" "$<$<CONFIG:DEBUG>:/WX>")
target_compile_options(libyarattd PUBLIC "$<$<CONFIG:RELEASE>:/MT>" "$<$<CONFIG:RELEASE>:/WX>")
endif()

install(TARGETS libyarattd EXPORT yarattd LIBRARY DESTINATION lib ARCHIVE DESTINATION lib)
install(DIRECTORY ${libyarattd_SRC_PATH}/include DESTINATION include FILES_MATCHING PATTERN "*.h*")

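Review bot: The `"$<$<CONFIG:DEBUG>:/MTd>"` and `"$<$<CONFIG:RELEASE>:/MT>"` options added to libyarattd only cover the Debug and Release configurations, so a RelWithDebInfo or MinSizeRel build keeps CMake's default `/MD` runtime (and when both flags reach one command line MSVC reports D9025 "overriding '/MD' with '/MT'"), which is the same static-link mismatch this commit sets out to fix. If the project's `cmake_minimum_required` is 3.15 or newer (not visible here), select the runtime through the target property instead: `set_property(TARGET libyarattd PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")`, which covers every configuration and replaces both flag lines, leaving `target_compile_options(libyarattd PUBLIC /WX)` on its own. `add_definitions(-DWIN32 -DUNICODE -D_UNICODE)` is directory-scoped and now sits inside a block that is otherwise target-based; `target_compile_definitions(libyarattd PUBLIC WIN32 UNICODE _UNICODE)` gives consumers the same definitions through the link instead. The identical `if(MSVC)` block is repeated in tests/CMakeLists.txt (for test_upx and test_shellcode) and yara-ttd/CMakeLists.txt, and the same change applies there.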
2 changes: 1 addition & 1 deletion libyarattd/include/libyarattd_common.h
Expand Up @@ -37,7 +37,7 @@ char* unicode_to_ansi(const wchar_t* str);
bool compile_files(YR_COMPILER* compiler, int argc, const wchar_t** argv);

int define_external_variables(
char** ext_vars,
wchar_t** ext_vars,
YR_RULES* rules,
YR_COMPILER* compiler);

6 changes: 3 additions & 3 deletions libyarattd/include/libyarattd_scheduler.h
Expand Up @@ -15,9 +15,9 @@ int scheduler_init(
YR_TTD_SCHEDULER** out,
const wchar_t* path,
YR_TTD_SCAN_MODE scan_mode,
char** cursors,
char** functions,
char* cache_file);
wchar_t** cursors,
wchar_t** functions,
wchar_t* cache_file);
int scheduler_add_cursor(
YR_TTD_SCHEDULER* scheduler,
Position* position,
2 changes: 1 addition & 1 deletion libyarattd/include/libyarattd_ttd.h
Expand Up @@ -11,7 +11,7 @@ typedef unsigned int(__cdecl* PROC_Create)(
void* replay_engine_out,
BYTE* guid_version);

int init_ttd_engine(TTD_Replay_ReplayEngine** engine, wchar_t* filename);
int init_ttd_engine(TTD_Replay_ReplayEngine** engine, const wchar_t* filename);

char* base64_encode(
const unsigned char* data,
2 changes: 1 addition & 1 deletion libyarattd/include/libyarattd_types.h
Expand Up @@ -66,7 +66,7 @@ typedef struct YR_TTD_VIRTUAL_ALLOC_MAP
typedef struct YR_TTD_SCHEDULER
{
// Scheduler arguments
wchar_t* path; // path of the trace file
const wchar_t* path; // path of the trace file
YR_TTD_SCAN_MODE scan_mode; // memory scan mode stategy that will be used

Vect* cursors; // cursors to scan
7 changes: 4 additions & 3 deletions libyarattd/src/libyarattd_common.c
Expand Up @@ -128,15 +128,16 @@ bool compile_files(YR_COMPILER* compiler, int argc, const wchar_t** argv)
}

int define_external_variables(
char** ext_vars,
wchar_t** ext_vars,
YR_RULES* rules,
YR_COMPILER* compiler)
{
int result = ERROR_SUCCESS;

for (int i = 0; ext_vars[i] != NULL; i++)
{
char* equal_sign = strchr(ext_vars[i], '=');
char* ext_var = unicode_to_ansi(ext_vars[i]);
char* equal_sign = strchr(ext_var, '=');

if (!equal_sign)
{
Expand All @@ -151,7 +152,7 @@ int define_external_variables(
*equal_sign = '\0';

char* value = equal_sign + 1;
char* identifier = ext_vars[i];
char* identifier = ext_var;

if (is_float(value))
{
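Review bot: `char* ext_var = unicode_to_ansi(ext_vars[i]);` in define_external_variables is handed to `strchr` with no NULL check, and nothing in the hunk releases `ext_var` once the identifier and value have been consumed. The header declares unicode_to_ansi as returning a fresh `char*`, so presumably it allocates the converted string — if so, every loop iteration leaks one buffer (including the `!equal_sign` early path), and if the conversion can fail, `strchr(ext_var, '=')` dereferences NULL. Add `if (ext_var == NULL) return ERROR_INSUFFICIENT_MEMORY;` after the call and `yr_free(ext_var);` at the end of each iteration and before the early return, or confirm that unicode_to_ansi returns storage owned elsewhere. A side benefit of the copy is that `*equal_sign = '\0'` no longer writes into the caller's argument array. The loop body continues past the end of the hunk.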
11 changes: 6 additions & 5 deletions libyarattd/src/libyarattd_pe.c
Expand Up @@ -144,9 +144,9 @@ int resolve_function_address(YR_TTD_SCHEDULER* sch, YR_TTD_FUNCTION* function)
Position saved_position = *sch->cursor->ICursor->GetPosition(sch->cursor, 0);

// Search if the module is used by the process
unsigned int module_count =
sch->engine->IReplayEngine->GetModuleLoadedEventCount(sch->engine);
TTD_Replay_ModuleLoadedEvent* modules =
size_t module_count = sch->engine->IReplayEngine->GetModuleLoadedEventCount(
sch->engine);
const TTD_Replay_ModuleLoadedEvent* modules =
sch->engine->IReplayEngine->GetModuleLoadedEventList(sch->engine);

unsigned int i = 0;
Expand All @@ -161,7 +161,7 @@ int resolve_function_address(YR_TTD_SCHEDULER* sch, YR_TTD_FUNCTION* function)

buf = wcstok(buf, L".", NULL);

if (wcscmp(buf, function->module) == NULL)
if (wcscmp(buf, function->module) == 0)
break;

i++;
Expand All @@ -175,7 +175,8 @@ int resolve_function_address(YR_TTD_SCHEDULER* sch, YR_TTD_FUNCTION* function)
return ERROR_INTERNAL_FATAL_ERROR;
}

sch->cursor->ICursor->SetPosition(sch->cursor, &modules[i].pos);
Position pos = {modules[i].pos.major, modules[i].pos.minor};
sch->cursor->ICursor->SetPosition(sch->cursor, &pos);

UINT_PTR ui_library_address = (UINT_PTR) modules[i].info->base_addr;
UINT_PTR ui_address_array = 0;
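Review bot: `module_count` becomes `size_t` in resolve_function_address, but the index declared just below it, `unsigned int i = 0;`, stays 32-bit, so the two are compared at different widths in the loop that follows (the loop itself continues outside the hunk); `size_t i = 0;` keeps the pair consistent and avoids a signed/unsigned-style mismatch warning under `/WX`. Copying `modules[i].pos` into a local `Position pos` before `SetPosition` is the clean way to pass the now-const event list without casting the const away.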
1 change: 1 addition & 0 deletions libyarattd/src/libyarattd_scanner.c
Expand Up @@ -177,4 +177,5 @@ int yr_ttd_close_iterator(YR_MEMORY_BLOCK_ITERATOR* iterator)
vect_delete(ctx->memory_map);

yr_free(ctx);
return ERROR_SUCCESS;
}
41 changes: 25 additions & 16 deletions libyarattd/src/libyarattd_scheduler.c
Expand Up @@ -86,10 +86,10 @@ int init_scan_functions(YR_TTD_SCHEDULER* scheduler, wchar_t** scan_functions)
// Default scan mode
int init_scan_default(YR_TTD_SCHEDULER* scheduler)
{
unsigned int exception_count =
scheduler->engine->IReplayEngine->GetExceptionEventCount(
scheduler->engine);
TTD_Replay_ExceptionEvent* exceptions =
Position pos;
size_t exception_count = scheduler->engine->IReplayEngine
->GetExceptionEventCount(scheduler->engine);
const TTD_Replay_ExceptionEvent* exceptions =
scheduler->engine->IReplayEngine->GetExceptionEventList(
scheduler->engine);

Expand All @@ -106,20 +106,26 @@ int init_scan_default(YR_TTD_SCHEDULER* scheduler)
length + 1,
L"Exception raised with code 0x%x",
exceptions[i].info->ExceptionCode);
scheduler_add_cursor(scheduler, &exceptions[i].pos, source);

pos.major = exceptions[i].pos.major;
pos.minor = exceptions[i].pos.minor;
scheduler_add_cursor(scheduler, &pos, source);
}

unsigned int thread_created_count =
size_t thread_created_count =
scheduler->engine->IReplayEngine->GetThreadCreatedEventCount(
scheduler->engine);
TTD_Replay_ThreadCreatedEvent* threads_created =
const TTD_Replay_ThreadCreatedEvent* threads_created =
scheduler->engine->IReplayEngine->GetThreadCreatedEventList(
scheduler->engine);

for (unsigned int i = 0; i < thread_created_count; i++)
{
scheduler->cursor->ICursor->SetPosition(
scheduler->cursor, &threads_created[i].pos);
Position pos = {
threads_created[i].pos.major,
threads_created[i].pos.minor,
};
scheduler->cursor->ICursor->SetPosition(scheduler->cursor, &pos);
Position* current = scheduler->cursor->ICursor->GetPosition(
scheduler->cursor, 0);

Expand All @@ -132,20 +138,21 @@ int init_scan_default(YR_TTD_SCHEDULER* scheduler)
L"Thread 0x%x activated",
threads_created[i].info->threadid);

scheduler_add_cursor(scheduler, &threads_created[i].pos, source);
pos.major = exceptions[i].pos.major;
pos.minor = exceptions[i].pos.minor;
scheduler_add_cursor(scheduler, &pos, source);
}

unsigned int module_count =
scheduler->engine->IReplayEngine->GetModuleLoadedEventCount(
scheduler->engine);
TTD_Replay_ModuleLoadedEvent* modules =
size_t module_count = scheduler->engine->IReplayEngine
->GetModuleLoadedEventCount(scheduler->engine);
const TTD_Replay_ModuleLoadedEvent* modules =
scheduler->engine->IReplayEngine->GetModuleLoadedEventList(
scheduler->engine);

Position* first = scheduler->engine->IReplayEngine->GetFirstPosition(
scheduler->engine);

for (int i = 0; i < module_count; i++)
for (unsigned int i = 0; i < module_count; i++)
{
// If the module was loaded before the first cursor, skip it
if (modules[i].pos.major <= first->major)
Expand All @@ -155,7 +162,9 @@ int init_scan_default(YR_TTD_SCHEDULER* scheduler)
wchar_t* source = (wchar_t*) yr_calloc(length + 1, sizeof(wchar_t));
swprintf(source, length + 1, L"Module %s loaded", modules[i].info->path);

scheduler_add_cursor(scheduler, &modules[i].pos, source);
pos.major = exceptions[i].pos.major;
pos.minor = exceptions[i].pos.minor;
scheduler_add_cursor(scheduler, &pos, source);
}

return ERROR_SUCCESS;
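Review bot: The thread-created and module-loaded loops in init_scan_default now copy `exceptions[i].pos` into `pos` before calling `scheduler_add_cursor`, but in those loops `i` indexes `threads_created` and `modules`, so every thread and module cursor is registered at the wrong position and `exceptions[i]` is read past `exception_count` whenever a trace contains more threads or modules than exceptions — an out-of-bounds read on the event list driven by the trace file's contents. The removed lines passed `&threads_created[i].pos` and `&modules[i].pos`; in the thread loop the block-local `Position pos` (which shadows the function-level one) is already initialised from `threads_created[i].pos`, so its two `pos.major = … / pos.minor = …` assignments can simply be deleted, and in the module loop they should become `pos.major = modules[i].pos.major;` and `pos.minor = modules[i].pos.minor;`. Separately, `scheduler_add_cursor` now receives the address of a stack `Position` instead of a pointer into the engine-owned event list; its body is not in this diff, and if it stores the pointer rather than copying the struct, all cursors end up aliasing one local that dies when init_scan_default returns — worth confirming, and allocating a `Position` per cursor if so. The function extends beyond the hunk on both sides.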
6 changes: 4 additions & 2 deletions libyarattd/src/libyarattd_ttd.c
@@ -1,10 +1,10 @@

#include <yara/error.h>

#include "libyarattd_utils.h"
#include "libyarattd_crypto.h"
#include "libyarattd_ttd.h"

int init_ttd_engine(TTD_Replay_ReplayEngine** engine, wchar_t* filename)
int init_ttd_engine(TTD_Replay_ReplayEngine** engine, const wchar_t* filename)
{
HINSTANCE h_ttd_replay_library;
PROC_Initiate InitiateReplayEngineHandshake;
Expand Down Expand Up @@ -71,6 +71,8 @@ int init_ttd_engine(TTD_Replay_ReplayEngine** engine, wchar_t* filename)
fwprintf(stderr, L"Failed to generate index file\n");
return ERROR_INTERNAL_FATAL_ERROR;
}

return ERROR_SUCCESS;
}

char* base64_encode(
2 changes: 1 addition & 1 deletion libyarattd/src/libyarattd_utils.c
Expand Up @@ -113,7 +113,7 @@ int check_idx_file(const wchar_t* filename)
{
// Assumes that the filename is the one of the trace file
// TODO use magic bytes instead of extension
unsigned int len = wcslen(filename);
size_t len = wcslen(filename);
if (len < 3)
return ERROR_COULD_NOT_OPEN_FILE;

30 changes: 15 additions & 15 deletions libyarattd/src/libyarattd_virtual_alloc.c
Expand Up @@ -129,7 +129,7 @@ int build_virtual_alloc_map_from_cache(
return ERROR_FILE_NOT_FOUND;

int nread;
size_t size = GetFileSize(fd, NULL);
DWORD size = GetFileSize(fd, NULL);
wchar_t* buf = yr_calloc(size, sizeof(wchar_t));
if (!buf)
{
Expand Down Expand Up @@ -169,14 +169,15 @@ int build_virtual_alloc_map_from_cache(
Position* start = yr_malloc(sizeof(Position));
YR_TTD_EVENT* event = yr_malloc(sizeof(YR_TTD_EVENT));
YR_TTD_MEMORY_RANGE* range = yr_malloc(sizeof(YR_TTD_MEMORY_RANGE));
arg = wcstok(lines->elements[i], L",", &lines->elements[i]);
arg = wcstok(lines->elements[i], L",", (wchar_t**) &lines->elements[i]);
start->major = wcstoull(arg, NULL, 16);
arg = wcstok(lines->elements[i], L",", &lines->elements[i]);
arg = wcstok(lines->elements[i], L",", (wchar_t**) &lines->elements[i]);
start->minor = wcstoull(arg, NULL, 16);
arg = wcstok(lines->elements[i], L",", &lines->elements[i]);
arg = wcstok(lines->elements[i], L",", (wchar_t**) &lines->elements[i]);
range->start = wcstoull(arg, NULL, 16);
arg = wcstok(lines->elements[i], L",", &lines->elements[i]);
arg = wcstok(lines->elements[i], L",", (wchar_t**) &lines->elements[i]);
range->end = wcstoull(arg, NULL, 16);

event->start = start;
event->range = range;
vect_add_element(virtual_alloc_map->map, event);
Expand All @@ -195,14 +196,12 @@ int build_virtual_alloc_map(YR_TTD_SCHEDULER* scheduler)
Position* last = scheduler->engine->IReplayEngine->GetLastPosition(
scheduler->engine);

unsigned long long thread_created_count =
size_t thread_created_count =
scheduler->engine->IReplayEngine->GetThreadCreatedEventCount(
scheduler->engine);
TTD_Replay_ThreadCreatedEvent* threads_created =
(TTD_Replay_ThreadCreatedEvent*) yr_malloc(
thread_created_count * sizeof(TTD_Replay_ThreadInfo*));
threads_created = scheduler->engine->IReplayEngine->GetThreadCreatedEventList(
scheduler->engine);
const TTD_Replay_ThreadCreatedEvent* threads_created =
scheduler->engine->IReplayEngine->GetThreadCreatedEventList(
scheduler->engine);

// set callback
scheduler->cursor->ICursor->SetCallReturnCallback(
Expand All @@ -211,14 +210,15 @@ int build_virtual_alloc_map(YR_TTD_SCHEDULER* scheduler)
(unsigned long long) scheduler);

// loop through all the threads
Position* start;
Position start;
TTD_Replay_ICursorView_ReplayResult replayrez;
for (int i = 0; i < thread_created_count; i++)
{
start = &threads_created[i].pos;
start.major = threads_created[i].pos.major;
start.minor = threads_created[i].pos.minor;

// set cursor to thread start
scheduler->cursor->ICursor->SetPosition(scheduler->cursor, start);
scheduler->cursor->ICursor->SetPosition(scheduler->cursor, &start);

Position previous;
unsigned long long step_count;
Expand Down Expand Up @@ -249,7 +249,7 @@ int build_virtual_alloc_map(YR_TTD_SCHEDULER* scheduler)
scheduler->cursor->ICursor->SetCallReturnCallback(scheduler->cursor, 0, 0);

// Save virtual alloc map
int len = wcslen(scheduler->path);
size_t len = wcslen(scheduler->path);
wchar_t* cache_path = yr_calloc(len, sizeof(wchar_t));
wcscpy(cache_path, scheduler->path);
cache_path[len - 3] = L't';
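Review bot: In the last hunk `len` becomes `size_t`, but the next line still allocates `yr_calloc(len, sizeof(wchar_t))` while `wcscpy(cache_path, scheduler->path)` writes `len + 1` wide characters including the terminator, a one-element heap overflow on every cache-path save; it needs `yr_calloc(len + 1, sizeof(wchar_t))`, and `cache_path[len - 3]` should be guarded by a `len >= 3` check as check_idx_file already does, since the trace path is supplied by the user. In the first hunk `DWORD size = GetFileSize(fd, NULL);` is passed straight to `yr_calloc`; GetFileSize signals failure with `INVALID_FILE_SIZE`, so test for it and return `ERROR_COULD_NOT_OPEN_FILE` (after closing `fd`) before allocating. The `for (int i = 0; i < thread_created_count; i++)` loop in build_virtual_alloc_map still compares a signed `int` against the now-`size_t` count; `size_t i` matches the declaration changed above it. Both functions continue outside the hunks shown.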
12 changes: 8 additions & 4 deletions tests/CMakeLists.txt
@@ -1,11 +1,15 @@
set(yara_ttd_STATIC_SRC ${CMAKE_CURRENT_SOURCE_DIR}/src)
set(yara_ttd_STATIC_INCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/include)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
endif()

add_executable(test_shellcode
${CMAKE_CURRENT_SOURCE_DIR}/test_shellcode.c)
add_executable(test_upx
${CMAKE_CURRENT_SOURCE_DIR}/test_upx.c)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
target_compile_options(test_upx PUBLIC "$<$<CONFIG:DEBUG>:/MTd>" "$<$<CONFIG:DEBUG>:/WX>")
target_compile_options(test_upx PUBLIC "$<$<CONFIG:RELEASE>:/MT>" "$<$<CONFIG:RELEASE>:/WX>")
target_compile_options(test_shellcode PUBLIC "$<$<CONFIG:DEBUG>:/MTd>" "$<$<CONFIG:DEBUG>:/WX>")
target_compile_options(test_shellcode PUBLIC "$<$<CONFIG:RELEASE>:/MT>" "$<$<CONFIG:RELEASE>:/WX>")
endif()
10 changes: 6 additions & 4 deletions yara-ttd/CMakeLists.txt
Expand Up @@ -17,11 +17,13 @@ set(yara_ttd_INCLUDE
${yara_ttd_STATIC_INCLUDE}/threading.h
)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
endif()

add_executable(yara-ttd ${yara_ttd_SRC} ${yara_ttd_INCLUDE})
target_include_directories(yara-ttd PUBLIC ${yara_ttd_STATIC_INCLUDE})
target_link_libraries(yara-ttd PUBLIC libyara)
target_link_libraries(yara-ttd PUBLIC libyarattd)

if(MSVC)
add_definitions(-DWIN32 -DUNICODE -D_UNICODE)
target_compile_options(yara-ttd PUBLIC "$<$<CONFIG:DEBUG>:/MTd>" "$<$<CONFIG:DEBUG>:/WX>")
target_compile_options(yara-ttd PUBLIC "$<$<CONFIG:RELEASE>:/MT>" "$<$<CONFIG:RELEASE>:/WX>")
endif()