[Capstone2llvmir] Update to Capstone V5

CHANGELOG.md

@@ -7,7 +7,9 @@
 * New feature: Generate ELF (import) symbol-related hashes, including VirusTotal compatible `telfhash` ([#286](https://github.com/avast/retdec/issues/286), [#936](https://github.com/avast/retdec/pull/936)).
 * New Feature: `retdec-fileinfo` can be configured via JSON file. See `--fileinfo-config` option for more details.
 * New Feature: RetDec is now also a library ([#779](https://github.com/avast/retdec/pull/779). Related changes are the removal of `retdec-decompiler.py` (it is now a binary, e.g. `retdec-decompiler.exe` on Windows), `retdec-bin2llvmir`, `retdec-llvmir2hll`, and some other supportive functionality.
-* Enhancement: Use [Authenticode parser](https://github.com/avast/authenticode-parser) library instead of RetDec's own implementation ([#1027](https://github.com/avast/retdec/pull/1027), [regression-tests #110](https://github.com/avast/retdec-regression-tests/pull/110)). 
+* Enhancement: Add DLL name from export directory to output ([#1060](https://github.com/avast/retdec/pull/1060)).
+* Enhancement: Updated YARA to `v4.2.0-rc1` ([#1061](https://github.com/avast/retdec/pull/1061)).
+* Enhancement: Use [Authenticode parser](https://github.com/avast/authenticode-parser) library instead of RetDec's own implementation ([#1027](https://github.com/avast/retdec/pull/1027), [regression-tests #110](https://github.com/avast/retdec-regression-tests/pull/110)).
 * Enhancement: Remove `--backend-aggressive-opts` option and all the related code ([#1016](https://github.com/avast/retdec/issues/1016), [#1032](https://github.com/avast/retdec/pull/1032)).
 * Enhancement: Add `SECURITY.md` ([#1018](https://github.com/avast/retdec/issues/1018), [#1025](https://github.com/avast/retdec/pull/1025)).
 * Enhancement: Improve PE's .NET parsing - make it more aligned with parsing in YARA ([#997](https://github.com/avast/retdec/pull/997), [regression tests #106](https://github.com/avast/retdec-regression-tests/pull/106)).
@@ -28,8 +30,9 @@
 * Enhancement: Added support for new ELF UPX unpacking stubs (versions 3.93 - 3.96) ([#929](https://github.com/avast/retdec/pull/929)).
 * Enhancement: Improved YARA rules for detection of the SHA-512 algorithm ([#935](https://github.com/avast/retdec/pull/935)).
 * Enhancement: Improved PE Authenticode parsing ([#902](https://github.com/avast/retdec/pull/902), [#380](https://github.com/avast/retdec/issues/380)).
+* Fix: Disable memory-limiting capabilities on macOS because there is currently no working way of doing so ([#1074](https://github.com/avast/retdec/pull/1074), [#1045](https://github.com/avast/retdec/issues/1045), [#379](https://github.com/avast/retdec/issues/379)).
 * Fix: Add OpenSSL 3.0 support ([#1040](https://github.com/avast/retdec/issues/1040), [#1041](https://github.com/avast/retdec/pull/1041)).
-* Fix: `ImageLoader::Save()` properly saves PE's Rich Header and section data ([#1028](https://github.com/avast/retdec/issues/1028), [#1029](https://github.com/avast/retdec/pull/1029)).  
+* Fix: `ImageLoader::Save()` properly saves PE's Rich Header and section data ([#1028](https://github.com/avast/retdec/issues/1028), [#1029](https://github.com/avast/retdec/pull/1029)).
 * Fix: Check if data is not empty in .NET integer decoding functions ([#1030](https://github.com/avast/retdec/pull/1030)).
 * Fix: Stricter validation of PE signatures - they need to be outside of the image to be considered valid ([#972](https://github.com/avast/retdec/issues/972), [#986](https://github.com/avast/retdec/pull/986), [regression tests #108](https://github.com/avast/retdec-regression-tests/pull/108)).
 * Fix: Do not provide entry point offset in case it doesn't exist ([#962](https://github.com/avast/retdec/issues/962), [#975](https://github.com/avast/retdec/pull/975), [regression tests #101](https://github.com/avast/retdec-regression-tests/pull/101)).
@@ -45,7 +48,7 @@
 * Fix: Raise max length limit applied to PE symbol names ([#957](https://github.com/avast/retdec/issues/957), [#978](https://github.com/avast/retdec/pull/978), [regression tests #93](https://github.com/avast/retdec-regression-tests/pull/93)).
 * Fix: Fixed parsing of junk data from PE resource table's `type` entry ([#959](https://github.com/avast/retdec/issues/959), [#974](https://github.com/avast/retdec/pull/974)).
 * Fix: Fixed PE rich header analysis algorithm ([#973](https://github.com/avast/retdec/pull/973), [#960](https://github.com/avast/retdec/issues/960), [#965](https://github.com/avast/retdec/issues/965), [regression tests #91](https://github.com/avast/retdec-regression-tests/pull/91)).
-* Fix: Arithmetic shift is no longer converted to signed division as these operations provide different output with negative numbers. ([#724](https://github.com/avast/retdec/issues/724)).
+* Fix: Arithmetic shift is no longer converted to signed division as these operations provide different output with negative numbers ([#724](https://github.com/avast/retdec/issues/724)).
 * Fix: Fixed infinite looping during the copy-propagation optimization in `llvmir2hll` ([#876](https://github.com/avast/retdec/pull/876)).
 * Fix: Fixed analyzed calling convention on MIPS architecture. Register F0 is used for floating point function return ([#656](https://github.com/avast/retdec/issues/656)).
 * Fix: Fixed filtration to better handle functions with no arguments and therefore to reduce noise in output ([#155](https://github.com/avast/retdec/issues/155)).
@@ -54,6 +57,7 @@
 * Fix: Fixed runtime and memory use of `retdec-fileinfo` on PE samples having corrupted relocations ([#872](https://github.com/avast/retdec/issues/872), [#873](https://github.com/avast/retdec/pull/873)).
 * Fix: Fixed a corruption check for PE samples with invalid import thunks ([#897](https://github.com/avast/retdec/pull/897), [#917](https://github.com/avast/retdec/pull/917)).
 * Fix: Fixed recognition of very corrupted PE samples ([#921](https://github.com/avast/retdec/issues/921)).
+* Fix: Fixed the recognition of the "RVA of the import name is invalid" corruption in PE samples ([#1063](https://github.com/avast/retdec/pull/1063)).
 * Fix: Fixed parsing of corrupted resources in `retdec-fileinfo` ([#907](https://github.com/avast/retdec/pull/907), [#911](https://github.com/avast/retdec/issues/911)).
 * Fix: MPRESS unpacker will now correctly copy resources, exports and other non-packed sections correctly.
 * Fix: `retdec-fileinfo.py` is now usable even when decompiler is not installed.

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:focal
+FROM ubuntu:focal AS builder
 
 RUN useradd -m retdec
 WORKDIR /home/retdec
@@ -31,4 +31,18 @@ RUN git clone https://github.com/avast/retdec && \
 	make -j$(nproc) && \
 	make install
 
-ENV PATH /home/retdec/retdec-install/bin:$PATH
+FROM ubuntu:focal
+
+RUN useradd -m retdec
+WORKDIR /home/retdec
+ENV HOME /home/retdec
+
+RUN apt-get update -y && \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    openssl graphviz upx python3
+
+USER retdec
+
+COPY --from=builder /home/retdec/retdec-install /retdec-install
+
+ENV PATH /retdec-install/bin:$PATH

LICENSE-THIRD-PARTY

@@ -19,6 +19,7 @@ RetDec uses the following third-party libraries or other resources:
 11) Eigen: http://eigen.tuxfamily.org/index.php?title=Main_Page
 12) cmake-modules: https://github.com/rpavlik/cmake-modules
 13) tlsh: https://github.com/trendmicro/tlsh
+13) stb: https://github.com/nothings/stb
 
 These third-party libraries or other resources are licensed under the
 following licenses:
@@ -710,7 +711,7 @@ DEALINGS IN THE SOFTWARE.
    TLSH is provided for use under two licenses: Apache OR BSD.
    Users may opt to use either license depending on the license
    restictions of the systems with which they plan to integrate
-   the TLSH code. 
+   the TLSH code.
 
 
 
@@ -960,16 +961,38 @@ DEALINGS IN THE SOFTWARE.
    Trend Micro (http://www.trendmicro.com/)
 
    Refer to the following publications for more information:
-   
+
      Jonathan Oliver, Chun Cheng and Yanggui Chen,
      "TLSH - A Locality Sensitive Hash"
      4th Cybercrime and Trustworthy Computing Workshop, Sydney, November 2013
      https://github.com/trendmicro/tlsh/blob/master/TLSH_CTC_final.pdf
-    
+
      Jonathan Oliver, Scott Forman and Chun Cheng,
      "Using Randomization to Attack Similarity Digests"
      Applications and Techniques in Information Security. Springer Berlin Heidelberg, 2014. 199-210.
      https://github.com/trendmicro/tlsh/blob/master/Attacking_LSH_and_Sim_Dig.pdf
 
      Jonathan Oliver and Jayson Pryde
      http://blog.trendmicro.com/trendlabs-security-intelligence/smart-whitelisting-using-locality-sensitive-hashing/
+
+===============================================================================
+12) stb
+===============================================================================
+
+MIT License
+Copyright (c) 2017 Sean Barrett
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,3 +1,11 @@
+### Project status
+
+The RetDec project is currently in a **limited maintenance mode** due to a lack of resources:
+* Pull Requests are welcomed. They are reviewed with priority, if possible without delays.
+* Issues are reacted on with delays up to one quarter. Issues are not actively solved unless they relate to a basic project maintenance.
+* The basic project maintenance continues.
+* Only a very limited development is carried on.
+
 # RetDec
 
 [![Travis CI build status](https://travis-ci.org/avast/retdec.svg?branch=master)](https://travis-ci.org/avast/retdec)

cmake/deps.cmake

@@ -1,10 +1,10 @@
 
 set(CAPSTONE_URL
-    "https://github.com/aquynh/capstone/archive/bc8a649b35188786754ea1b0bddd5cb48a039162.zip"
+    "https://github.com/aquynh/capstone/archive/f049e65f596bf8b1cbf5f2371067e34715ef1764.zip"
     CACHE STRING "URL of Capstone archive to use."
 )
 set(CAPSTONE_ARCHIVE_SHA256
-    "7d3075bce1f5622279c16a6f62fe8c548d4544bfc82292f6bf43907d0317fd10"
+    "87fe97225ee98220dcb5725bc470bc83a67819a6e75000075566c0423599437e"
     CACHE STRING ""
 )
 
@@ -36,20 +36,20 @@ set(LLVM_ARCHIVE_SHA256
 )
 
 set(YARA_URL
-    "https://github.com/VirusTotal/yara/archive/v4.0.1.zip"
+    "https://github.com/VirusTotal/yara/archive/v4.2.0-rc1.zip"
     CACHE STRING "URL of Yara archive to use."
 )
 set(YARA_ARCHIVE_SHA256
-    "4dcc6907b8537b67b52a61aa76f01196a4cc8e8e9f5fb6e4dd835692c2370e83"
+    "ae1adad2ae33106f4c296cef32ddba2c93867010ef853028d30cad42548d0474"
     CACHE STRING ""
 )
 
 set(YARAMOD_URL
-    "https://github.com/avast/yaramod/archive/94fc854153f48556087533616e3b0945d6f8023c.zip"
+    "https://github.com/avast/yaramod/archive/a367d910ae79698e64e99d8414695281723cd34b.zip"
     CACHE STRING "URL of YaraMod archive to use."
 )
 set(YARAMOD_ARCHIVE_SHA256
-    "f89546604a9617afb9c6cf8f241cb6dfb398e13b1c77a19f6193d037572b875c"
+    "2d2dc60890ad9b796fb908162bd3968b8ada693ab2b08e55cdd1c359c643b72b"
     CACHE STRING ""
 )
 

cmake/options.cmake

@@ -503,6 +503,9 @@ set_if_at_least_one_set(RETDEC_ENABLE_YARAMOD
 set_if_at_least_one_set(RETDEC_ENABLE_TLSH
 		RETDEC_ENABLE_FILEFORMAT)
 
+set_if_at_least_one_set(RETDEC_ENABLE_STB
+		RETDEC_ENABLE_FILEFORMAT)
+
 # Support
 
 set_if_at_least_one_set(RETDEC_ENABLE_SUPPORT_ORDINALS

deps/CMakeLists.txt

@@ -14,6 +14,7 @@ endif()
 set(MSVC_GE $<BOOL:${MSVC}>)
 set(MSVC_CONFIG $<${MSVC_GE}:$<CONFIG>/>)
 
+cond_add_subdirectory(stb RETDEC_ENABLE_STB)
 cond_add_subdirectory(authenticode-parser RETDEC_ENABLE_AUTHENTICODE_PARSER)
 cond_add_subdirectory(capstone RETDEC_ENABLE_CAPSTONE)
 cond_add_subdirectory(elfio RETDEC_ENABLE_ELFIO)

deps/authenticode-parser/include/authenticode-parser/authenticode.h

@@ -105,6 +105,7 @@ typedef struct {
     ByteArray sha256;         /* SHA256 of the DER representation of the cert */
     char* key_alg;            /* Name of the key algorithm */
     char* sig_alg;            /* Name of the signature algorithm */
+    char* sig_alg_oid;        /* OID of the signature algorithm */
     time_t not_before;        /* NotBefore validity */
     time_t not_after;         /* NotAfter validity */
     char* key;                /* PEM encoded public key */
@@ -154,6 +155,13 @@ typedef struct {
     size_t count;
 } AuthenticodeArray;
 
+/**
+ * @brief Initializes all globals OpenSSl objects we need for parsing, this is not thread-safe and
+ *        needs to be called only once, before any multithreading environment
+ *        https://github.com/openssl/openssl/issues/13524
+ */
+void initialize_authenticode_parser();
+
 /**
  * @brief Constructs AuthenticodeArray from PE file data. Authenticode can
  *        contains nested Authenticode signatures as its unsigned attribute,
@@ -166,7 +174,7 @@ typedef struct {
  * @param pe_len
  * @return AuthenticodeArray*
  */
-AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, long pe_len);
+AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, uint64_t pe_len);
 
 /**
  * @brief Constructs AuthenticodeArray from binary data containing Authenticode

deps/authenticode-parser/src/authenticode.c

@@ -273,8 +273,9 @@ static bool authenticode_verify(PKCS7* p7, PKCS7_SIGNER_INFO* si, X509* signCert
     return isValid;
 }
 
-/* Creates all the Authenticode objects so we can parse them with OpenSSL */
-static void initialize_openssl()
+/* Creates all the Authenticode objects so we can parse them with OpenSSL, is not thread-safe, needs
+ * to be called once before any multi-threading environmentt - https://github.com/openssl/openssl/issues/13524 */
+void initialize_authenticode_parser()
 {
     OBJ_create("1.3.6.1.4.1.311.2.1.12", "spcSpOpusInfo", "SPC_SP_OPUS_INFO_OBJID");
     OBJ_create("1.3.6.1.4.1.311.3.3.1", "spcMsCountersignature", "SPC_MICROSOFT_COUNTERSIGNATURE");
@@ -289,9 +290,6 @@ AuthenticodeArray* authenticode_new(const uint8_t* data, long len)
     if (!data || len == 0)
         return NULL;
 
-    /* We need to initialize all the custom objects for further parsing */
-    initialize_openssl();
-
     AuthenticodeArray* result = (AuthenticodeArray*)calloc(1, sizeof(*result));
     if (!result)
         return NULL;
@@ -304,8 +302,8 @@ AuthenticodeArray* authenticode_new(const uint8_t* data, long len)
 
     Authenticode* auth = (Authenticode*)calloc(1, sizeof(*auth));
     if (!auth) {
-        free(result);
         free(result->signatures);
+        free(result);
         return NULL;
     }
 
@@ -525,12 +523,17 @@ static int authenticode_digest(
     return 1;
 }
 
-AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, long pe_len)
+AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, uint64_t pe_len)
 {
-    const int dos_hdr_size = 0x40;
+    const uint64_t dos_hdr_size = 0x40;
     if (pe_len < dos_hdr_size)
         return NULL;
 
+    /* Check if it has DOS signature, so we don't parse random gibberish */
+    uint8_t dos_prefix[] = {0x4d, 0x5a};
+    if (memcmp(pe_data, dos_prefix, sizeof(dos_prefix)) != 0)
+        return NULL;
+
     /* offset to pointer in DOS header, that points to PE header */
     const int pe_hdr_ptr_offset = 0x3c;
     /* Read the PE offset */
@@ -553,18 +556,19 @@ AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, long pe_len)
     if (pe_len < pe_cert_table_addr + 2 * sizeof(uint32_t))
         return NULL;
 
-    uint32_t cert_addr = letoh32(*(uint32_t*)(pe_data + pe_cert_table_addr));
-    uint32_t cert_len = letoh32(*(uint32_t*)(pe_data + pe_cert_table_addr + 4));
+    /* Use 64bit type due to the potential overflow in crafted binaries */
+    uint64_t cert_addr = letoh32(*(uint32_t*)(pe_data + pe_cert_table_addr));
+    uint64_t cert_len = letoh32(*(uint32_t*)(pe_data + pe_cert_table_addr + 4));
 
     /* we need atleast 8 bytes to read dwLength, revision and certType */
-    if (cert_len < 8 || pe_len < cert_addr + cert_len)
+    if (cert_len < 8 || pe_len < cert_addr + 8)
         return NULL;
 
     uint32_t dwLength = letoh32(*(uint32_t*)(pe_data + cert_addr));
     if (pe_len < cert_addr + dwLength)
         return NULL;
-
-    AuthenticodeArray* auth_array = authenticode_new(pe_data + cert_addr + 0x8, dwLength);
+    /* dwLength = offsetof(WIN_CERTIFICATE, bCertificate) + (size of the variable-length binary array contained within bCertificate) */
+    AuthenticodeArray* auth_array = authenticode_new(pe_data + cert_addr + 0x8, dwLength - 0x8);
     if (!auth_array)
         return NULL;