Skip to content

Latest commit

 

History

History
89 lines (73 loc) · 3.32 KB

README.md

File metadata and controls

89 lines (73 loc) · 3.32 KB

bdldr

bdldr is an unofficial engine loader for Bitdefender ® for Linux.

The source code of this project was written by reverse engineering the Bitdefender ® core for research purposes.

Only basic loading and file scanning with the engine is implemented for the Linux version (easily portable to Windows). It can be used to fuzz, trace or debug the antivirus core.

The initial reason for writing this was Bitdefender ® for Linux is not daemonized, so everytime it scans a file the entire engine has to be loaded, which is a waste of resources and makes fuzzing really slow (unfeasible).

pin/

In addition to this, in the pin/ directory you will find a PIN tool to study the code coverage of a given template in the scanning engine. It works at basic block level and will report the total and unique basic blocks reached during the scan, ignoring the process of signatures loading and other irrelevant code.

How to use this? That's up to you :)

Example scanning a NSIS executable:

root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam-nsis.exeaa 
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json 
{"uniq_bb_count": 25591, "total_bb_count": 35650212}

Also with an UPX binary:

root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam-upx.exeaa 
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json 
{"uniq_bb_count": 23326, "total_bb_count": 963045}

Or even a PPT file:

root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam.pptaa 
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json 
{"uniq_bb_count": 4349, "total_bb_count": 62690}

Piracy disclaimer

There is no piracy involved in this project directly or indirectly. This code can only load the engine, set it up for scanning and scan a file. There's no way to clean an infected file or get the scanning results back, as this functionality is not implemented.

Examples

cli scanning

$ ./bdldr_cli example.exe
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...

daemon scanning

$ ./bdldr_daemon 
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Waiting for connections at /tmp/bdldr.sock
[13173] Scanning /tmp/example.exe ...
[13173] Scanning /tmp/example2.exe ...
$ echo 'SCAN /tmp/example.exe' | socat -T 90 -t 90 - UNIX-CONNECT:/tmp/bdldr.sock
OUTPUT OK
$ echo 'SCAN /tmp/example2.exe' | socat -T 90 -t 90 - UNIX-CONNECT:/tmp/bdldr.sock
OUTPUT OK