LoadLibrary, a layer for loading Windows DLLs into Linux applications

Tavis Ormandy, a security researcher at Google, is developing LoadLibrary, a project aimed at making DLLs built for Windows usable from Linux applications. The project provides a layer library with which a DLL in PE/COFF format can be loaded and the functions defined in it called. The PE/COFF loader is based on code from ndiswrapper. The project code is distributed under the GPLv2 license.

LoadLibrary handles loading the library into memory and importing the symbols it needs, giving a Linux application a dlopen-style API. The loaded code can be debugged with gdb, ASAN and Valgrind. Executable code can be modified at runtime by installing hooks and applying patches (runtime patching). C++ exception handling and stack unwinding are supported.
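As an added illustration of the PE/COFF parsing such a loader has to do before it can resolve symbols, the following Python (written for this page, not part of LoadLibrary) walks a PE file's headers and section table, then reads the export directory to map exported names to their RVAs. `build_sample_pe` constructs a minimal PE32+ image with made-up export names as offline test input; the PE32 data-directory offset is also handled, so real 32-bit DLLs parse too.

```python
import struct

def _u16(d, o): return struct.unpack_from("<H", d, o)[0]
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]

def parse_exports(data):
    """Map exported symbol names to function RVAs for a PE32/PE32+ file image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size, opt = _u16(data, pe + 6), _u16(data, pe + 20), pe + 24
    exp_rva = _u32(data, opt + (96 if _u16(data, opt) == 0x10B else 112))  # export dir: +96 PE32, +112 PE32+
    secs = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    def off(rva):                                           # RVA -> file offset via the section table
        for va, raw_size, raw_ptr in secs:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x is not backed by any section" % rva)
    if exp_rva == 0:
        return {}                                           # image exports nothing
    nfuncs, nnames, funcs, names, ords = struct.unpack_from("<5I", data, off(exp_rva) + 20)
    exports = {}
    for i in range(nnames):
        ordinal = _u16(data, off(ords) + 2 * i)             # index into the function table
        if ordinal >= nfuncs:
            raise ValueError("export ordinal out of range")
        start = off(_u32(data, off(names) + 4 * i))
        name = data[start:data.index(b"\0", start)].decode("ascii")
        exports[name] = _u32(data, off(funcs) + 4 * ordinal)
    return exports

def build_sample_pe(exports):
    """Constructed PE32+ image with one .edata section: test input only, not a real DLL."""
    n, sec_va, sec_raw = len(exports), 0x1000, 0x200
    funcs, names, ords = sec_va + 40, sec_va + 40 + 4 * n, sec_va + 40 + 8 * n
    strings, name_rvas = b"", []
    for name in exports:
        name_rvas.append(ords + 2 * n + len(strings))
        strings += name.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, names, ords)
    edata += struct.pack("<%dI" % n, *exports.values()) + struct.pack("<%dI" % n, *name_rvas)
    edata += struct.pack("<%dH" % n, *range(n)) + strings
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", sec_va, len(edata))
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2000)  # 240-byte PE32+ opt hdr
    sec = b".edata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(edata), sec_va, len(edata), sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + file_hdr + opt.ljust(240, b"\0") + sec).ljust(sec_raw, b"\0") + edata
```

Pointing `parse_exports` at the bytes of a real DLL lists what a loader's `get_export`-style lookup would have to choose from; the bounds checks in `off` are what keeps a malformed export table from being followed outside the file.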

The goal of the project is to enable scalable and efficient distributed fuzzing of DLLs in a Linux environment. On Windows, fuzzing and coverage testing are not very efficient and often require running a separate virtualized Windows instance, especially when analyzing complex products such as antivirus software that span both kernel and user space. Using LoadLibrary, Google researchers look for vulnerabilities in video codecs, antivirus scanners, decompression libraries, image decoders and so on.

For example, using LoadLibrary, we managed to port the Windows Defender antivirus engine to run on Linux. Studying mpengine.dll, the core of Windows Defender, made it possible to analyze a large number of sophisticated format handlers, file system emulators and language interpreters that potentially provide attack vectors.

LoadLibrary was also used to discover a remote vulnerability in the Avast antivirus package. Studying the DLL from this antivirus revealed that the key privileged scanning process includes a full-fledged JavaScript interpreter used to emulate the execution of third-party JavaScript code. This process is not isolated in a sandbox, does not drop privileges, and parses untrusted external data from the file system and intercepted network traffic. Since any vulnerability in this complex and unprotected process could potentially lead to remote compromise of the entire system, a special shell, avscript, based on LoadLibrary, was developed for analyzing vulnerabilities in the Avast antivirus scanner in a Linux environment.

Source: opennet.ru