Search system DLLs for hooking via VADs (not via PEB) #1258
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| push: | |
| branches: [ main ] | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| init: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: | |
| - 'ubuntu-20.04' | |
| - 'ubuntu-latest' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y\ | |
| build-essential flex bison libjson-c-dev liblzo2-dev \ | |
| libglib2.0-dev meson ninja-build lld llvm clang | |
| - name: Get submodule hashes version | |
| id: get-hash | |
| run: | | |
| echo XEN_HASH=$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT | |
| echo LIBVMI_HASH=$(git submodule | grep libvmi | awk '{ print $1 }') >> $GITHUB_OUTPUT | |
| - name: Cache Xen debball | |
| id: cache-xen | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-${{ matrix.os }}-${{ steps.get-hash.outputs.XEN_HASH }} | |
| - name: Create Xen debball | |
| if: steps.cache-xen.outputs.cache-hit != 'true' | |
| run: | | |
| sudo apt-get install -y \ | |
| wget git bcc bin86 gawk bridge-utils iproute2 libcurl4-openssl-dev \ | |
| bzip2 libpci-dev libc6-dev linux-libc-dev zlib1g-dev libncurses5-dev \ | |
| patch libvncserver-dev libssl-dev iasl libbz2-dev e2fslibs-dev git-core \ | |
| uuid-dev ocaml libx11-dev bison flex ocaml-findlib xz-utils gettext \ | |
| libyajl-dev libpixman-1-dev libaio-dev libfdt-dev cabextract libfuse-dev \ | |
| liblzma-dev kpartx python3-dev python3-pip golang libsystemd-dev ninja-build | |
| rm -rfv xen | |
| git submodule update --init xen | |
| cd xen | |
| ./configure --enable-githttp --disable-pvshim --disable-stubdom --disable-docs | |
| make -j2 debball | |
| cd .. | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| sudo ldconfig | |
| - name: Cache Libvmi files | |
| id: cache-libvmi | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-${{ matrix.os }}-${{ steps.get-hash.outputs.LIBVMI_HASH }} | |
| - name: Build LibVMI | |
| if: steps.cache-libvmi.outputs.cache-hit != 'true' | |
| run: | | |
| rm -rfv libvmi | |
| sudo apt-get install -y build-essential autoconf-archive automake libtool flex bison libjson-c-dev debhelper | |
| git submodule update --init libvmi | |
| cd libvmi | |
| sed -i 's/--disable-kvm/--disable-kvm --disable-file --disable-bareflank --disable-examples --disable-vmifs/g' debian/rules | |
| dpkg-buildpackage -B | |
| mkdir dist | |
| mv ../*.deb dist/ | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| outputs: | |
| XEN_HASH: ${{ steps.get-hash.outputs.XEN_HASH }} | |
| LIBVMI_HASH: ${{ steps.get-hash.outputs.LIBVMI_HASH }} | |
| compile: | |
| runs-on: ${{ matrix.os }} | |
| if: ${{ github.event_name == 'pull_request' }} | |
| needs: | |
| - init | |
| strategy: | |
| matrix: | |
| os: | |
| - 'ubuntu-20.04' | |
| - 'ubuntu-latest' | |
| flags: | |
| - '' | |
| - '-Dbuildtype=debug -Db_lto=false' | |
| - '-Dbuildtype=debug -Db_lto=false -Dplugin-syscalls=false' | |
| - '-Dbuildtype=debug -Db_lto=false -Db_sanitize=address,undefined' | |
| - '-Dbuildtype=debug -Db_lto=false -Drepl=true' | |
| - '-Dbuildtype=debug -Db_lto=false -Dthreadsafety=true' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| clang llvm lld build-essential flex bison \ | |
| libjson-c-dev liblzo2-dev libglib2.0-dev meson ninja-build | |
| sudo pip3 install ctypesgen ipython | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - name: Compile ${{ matrix.flags }} | |
| run: | | |
| meson setup build --native-file llvm.ini ${{ matrix.flags }} | |
| ninja -C build | |
| tarbuild: | |
| name: Build using autoconf tarball | |
| runs-on: ${{ matrix.os }} | |
| needs: | |
| - init | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - 'ubuntu-20.04' | |
| - 'ubuntu-latest' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| clang autoconf-archive automake \ | |
| libjson-c-dev liblzo2-dev libglib2.0-dev | |
| sudo pip3 install ctypesgen ipython | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - name: autoreconf | |
| run: autoreconf -vif | |
| - name: Compile from make dist tarball | |
| env: | |
| CC: clang | |
| CXX: clang++ | |
| run: | | |
| ./configure | |
| make -j2 dist | |
| mkdir build && cd build | |
| tar xvf ../drakvuf-*.tar.gz | |
| cd *drakvuf* | |
| ./autogen.sh | |
| ./configure | |
| make -j2 | |
| codeql-analyze: | |
| name: Code QL Analyze | |
| runs-on: ${{ matrix.os }} | |
| needs: | |
| - init | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - 'ubuntu-20.04' | |
| - 'ubuntu-latest' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: cpp | |
| queries: security-and-quality | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| clang llvm lld build-essential libjson-c-dev \ | |
| liblzo2-dev libglib2.0-dev meson ninja-build | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - name: Compile and install DRAKVUF | |
| run: | | |
| meson setup build --native-file llvm.ini | |
| ninja -C build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| scan-build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - init | |
| if: ${{ github.event_name == 'pull_request' }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install dependencies | |
| run: | | |
| # Install packages | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| clang clang-tools-15 llvm lld \ | |
| libjson-c-dev meson ninja-build | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - name: Scan build | |
| run: | | |
| meson setup build --buildtype debug --native-file llvm.ini | |
| analyze-build-15 -v --cdb build/compile_commands.json \ | |
| --status-bugs \ | |
| --disable-checker deadcode.DeadStores | |
| cognitive-complexity: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - init | |
| if: ${{ github.event_name == 'pull_request' }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install dependencies | |
| run: | | |
| # Install packages | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| clang clang-tools clang-tidy llvm lld \ | |
| libjson-c-dev meson ninja-build | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - name: Calculate cognitive complexity for pr | |
| run: | | |
| cp scripts/complexity.sh /tmp | |
| /tmp/complexity.sh | |
| mv complexity.log /tmp/complexity.log | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| - name: Calculate cognitive complexity for main | |
| run: /tmp/complexity.sh | |
| - name: compare complexity | |
| run: | | |
| FUNCTIONS=$(tail -2 complexity.log | head -1 | awk '{ print $2 }') | |
| THRESHOLD=$(tail -1 complexity.log | awk '{ print $2 }') | |
| CURRENT_FUNCTIONS=$(tail -2 /tmp/complexity.log | head -1 | awk '{ print $2 }') | |
| COMPLEXITY=$(tail -1 /tmp/complexity.log | awk '{ print $2 }') | |
| if [ $CURRENT_FUNCTIONS -gt $FUNCTIONS ] || [ $COMPLEXITY -gt $THRESHOLD ]; then | |
| echo "Please don't increase complexity of existing complex functions or introduce new ones" | |
| echo "Showing diff of main (<) and this PR (>)" | |
| diff complexity.log /tmp/complexity.log | egrep '>|<' | |
| exit 1 | |
| fi | |
| infer: | |
| env: | |
| CC: clang | |
| CXX: clang++ | |
| VERSION: 1.1.0 | |
| runs-on: ubuntu-latest | |
| needs: | |
| - init | |
| if: ${{ github.event_name == 'pull_request' }} | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| # Install packages | |
| sudo apt-get update -q | |
| sudo apt-get install -y clang libjson-c-dev meson ninja-build cmake llvm lld | |
| sudo apt-get install -y curl libc6-dev openjdk-11-jdk-headless sqlite3 xz-utils zlib1g-dev opam | |
| sudo apt-get clean | |
| sudo apt-get -y autoremove | |
| - name: free disk space | |
| run: | | |
| sudo systemd-run docker system prune --force --all --volumes | |
| sudo systemd-run rm -rf \ | |
| "$AGENT_TOOLSDIRECTORY" \ | |
| /opt/* \ | |
| /usr/local/* \ | |
| /usr/share/az* \ | |
| /usr/share/dotnet \ | |
| /usr/share/gradle* \ | |
| /usr/share/miniconda \ | |
| /usr/share/swift \ | |
| /var/lib/gems \ | |
| /var/lib/mysql \ | |
| /var/lib/snapd | |
| - name: Cache infer files | |
| uses: actions/cache@v3 | |
| id: infer | |
| with: | |
| path: infer.tar.xz | |
| key: infer | |
| - name: get infer | |
| if: steps.infer.outputs.cache-hit != 'true' | |
| run: | | |
| wget "https://github.com/facebook/infer/releases/download/v$VERSION/infer-linux64-v$VERSION.tar.xz" | |
| mv infer-linux64-v$VERSION.tar.xz infer.tar.xz | |
| - name: unpack infer | |
| run: | | |
| sudo tar -C /opt -xvf infer.tar.xz | |
| sudo -E ln -s "/opt/infer-linux64-v$VERSION/bin/infer" /usr/bin/infer | |
| mv infer.tar.xz /tmp | |
| - name: Cache Xen debball | |
| uses: actions/cache@v3 | |
| with: | |
| path: xen/dist | |
| key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }} | |
| - name: Cache Libvmi files | |
| uses: actions/cache@v3 | |
| with: | |
| path: libvmi/dist | |
| key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }} | |
| - name: Install Xen debball | |
| run: | | |
| sudo apt-get install -f ./xen/dist/xen-*.deb | |
| - name: Install LibVMI | |
| run: | | |
| cd libvmi/dist | |
| sudo apt install -f ./*.deb | |
| sudo ldconfig | |
| cd ../.. | |
| - uses: actions/checkout@v3 | |
| - name: run infer on pr | |
| run: | | |
| export PATH=/opt/infer/usr/local/bin:/opt/infer/usr/local/lib/infer/infer/bin:$PATH | |
| printenv | |
| which infer | |
| git fetch origin | |
| meson setup build --buildtype debug --native-file llvm.ini | |
| cd build | |
| git diff --name-only HEAD..origin/main > /tmp/index.txt | |
| infer capture --compilation-database compile_commands.json | |
| infer analyze --cost --bufferoverrun --changed-files-index /tmp/index.txt | |
| mv infer-out /tmp | |
| cp /tmp/infer-out/report.json /tmp | |
| cp /tmp/infer-out/costs-report.json /tmp | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| - name: run infer on main | |
| run: | | |
| export PATH=/opt/infer/usr/local/bin:/opt/infer/usr/local/lib/infer/infer/bin:$PATH | |
| meson setup build --buildtype debug --native-file llvm.ini | |
| cd build | |
| mv /tmp/infer-out . | |
| infer capture --reactive --compilation-database compile_commands.json | |
| infer analyze --reactive --cost --bufferoverrun --changed-files-index /tmp/index.txt | |
| - name: check report diffs | |
| run: | | |
| export PATH=/opt/infer/usr/local/bin:/opt/infer/usr/local/lib/infer/infer/bin:$PATH | |
| cd build | |
| infer reportdiff --report-current /tmp/report.json --report-previous infer-out/report.json | |
| jq '.' infer-out/differential/introduced.json | |
| infer reportdiff --costs-current /tmp/costs-report.json --costs-previous infer-out/costs-report.json | |
| jq '.' infer-out/differential/introduced.json | |
| - name: move infer to cache path | |
| run: mv /tmp/infer.tar.xz $GITHUB_WORKSPACE |