Mirror of forum.nim-lang.org

10194 :: Is there a way to tell the compiler to include/export unused functions

• hunterbr (orginal) [2023-05-12T21:58:33+02:00] view original

  In short words, I am working on a tool which can generate signatures (which can be used in a Disasm) for all Nim stdlib functions. The goal is to have binary signatures for Nim stdlib funcs/procs so a reverse engineer analysing a Nim malware binary can focus on the procedures written by the malware author. This means I need the function name and the compiled machine code (generated by different compiler flags). I can change the code under libpure e.g. in math.nim e.g. the 'binom' func from 'func binom*(n, k: int): int =' to 'func binom*(n, k: int): int {.stdcall,exportc,dynlib.} =' and compile it as staticlib or DLL. (the 2nd stage tool I am using can read object files in static libs or DLLs and can generate the signatures from there). Doing these changes manually, of course doesn't scale. It's more complex than I can describe in three sentences here, but hope that gives you some background about the question I have:

  So the question: Is there any way that I can tell the compiler to built code and symbols for all funcs/procs in a source file (e.g. math.nim) ? Resulting file should be either a static lib or a DLL which includes the symbols for all the function and the compiled machine code of all the function in the stdlibs e.g. math.nim etc.

  I am super new to Nim, but I guess there must be at least a method to produce DLLs for all the stdlibs, doesn't it ?

---

• Araq (orginal) [2023-05-12T22:28:12+02:00] view original

  You can compile "nimrtl.dll" but it's usually not done and the malware author is unlikely to use it. Now, to make matters worse or better if the malware cares about code size it was compiled with -d:release or -d:danger. If so then Nim optimized out unused functions whether in the standard library or elsewhere.

  To make matters even worse, the produced machine code for the standard library is different and depends on the used mm switch. Likely the malware defaults to mm:refc but it could also be any of arc, orc, none, markAndSweep. Then there is the used exception handling strategy and the nim c vs nim cpp switches. And which C++ compiler was used. That's roughly 5*2*3*2 = 60 different combinations, some more likely than others.

  Now, who am I to explain your job, but you should disassemble the malware and your detector should focus on Windows API calls as these will always end up doing the harmful work. os.nim and osproc.nim likely encapsulated these so you need to build a call graph and the functions which end up calling into os.nim might contain the harmful malware logic.

  Can you share a disassembling of the malware with us? Then I might be able to help you more effectively.

---

• shirleyquirk (orginal) [2023-05-13T10:31:56+02:00] view original

  What does it mean to export a generic proc? Do you instantiate it infinite times, once for every possible type?

---

• hunterbr (orginal) [2023-05-16T11:14:46+02:00] view original

  @Araq, let me give you some more background, you are right there is no way to pre-generate all signatures for all possible compiler(etc) combinations (it is even worse, to your 60 you can even add different Nim versions), that is why I need a quick way to automatically build static library(s) for the standard stuff like math.nim etc. on the fly depending on the flags the malware author used. Static libs can be parsed with IDA (interactive disassembler) tools and they can built signature files out of it. This is a common way to do this for external libs e.g. openssl. The same applies to them too, they can be compiled with "20" different compiler flags. It is done for years like that, I am trying to apply the same to Nim. There is also probably no way to cover all possible variants and functions, but if we can cover a majority of functions it makes the RE live already easier. BTW there is no specific malware I am analysing it is for all Nim based malware. Your idea of looking at syscalls or win32 API is nice and we do that if there is nothing else, but the main problem in reversing a malicious binary is to find the actual malware logic, if you follow up all API calls (which are often obfuscated btw) or syscalls you run into a rabbit hole, but if you can exclude all stdlib functions (of prg language x the malware is written in) you can much easier find the malware logic. (btw it is diccifult to describe all the details in a few sentences, just believe me, if we could built static libraries for all the common Nim libs which include all the code of all functions these libs provide, it would help a lot)

---

• hunterbr (orginal) [2023-05-16T11:19:59+02:00] view original

  If you are interested in to details, check out this blog post: https://blogs.blackberry.com/en/2019/07/flirting-with-ida-and-apt28

---

• nasl (orginal) [2023-05-16T11:23:35+02:00] view original

  Thank you for doing this. The easier it is to analyze malware written in Nim the less popular it will be to write malware code in Nim.

---

• hunterbr (orginal) [2023-05-16T11:25:24+02:00] view original

  @shirleyquirk what I need is an object file (.o) or a static lbrary(.lib) (which is nothing else than an archive of object files btw). These object files include the machine code of the functions and their symbols (function names in this case). The process is easy the function names are extracted and a signature is created for the machine code. This signature can identify the machine code of this function in a binary (executable) when you are analysing it and name the function in your dissassembler, so you know it is just a stdlib function e.g. 'echo' and not code the malware author worte.

---

• hunterbr (orginal) [2023-05-16T11:38:33+02:00] view original

  Long story short, my problem is that the Nim compiler doesn't inlcude the functions (of the common Nim libs like math.nim) if the function is not used in the code or it has the {.stdcall,exportc,dynlib.} pragma. Which makes totally sense to keep the binary smaller for normal compiler cases, but not for mine. If I built a lib for math.nim for example:

  nim c -d:release --opt:size --app:staticlib -o:".mathtest-rel-size.lib" math.nim

  it would not include the code and symbol for 'binom', because the binom function is not used anywhere and not defined with the {.stdcall,exportc,dynlib.} pragma.

  func binom*(n, k: int): int =

  I can manually change it to

  func binom*(n, k: int): int {.stdcall,exportc,dynlib.} =

  ... but as I mentioned earlier, doing this manually, doesn't scale for an automated process.

  if there would be a "global" pragma or compiler flag in Nim which I could use to tell the compiler to include all functions in the source code in the compiled binary, it would solve my problem.

---

• sls1005 (orginal) [2023-05-16T12:27:38+02:00] view original

  What @shirleyquirk tried to explain was that some procedures (especially those with generic parameters) cannot be instantiated without being used, because they're instantiated based on actual uses. echo, for example, can take non-fixed number of arguments of non-fixed types (and is probably not implemented with va_list), and thus not have a single signature.

---

• Araq (orginal) [2023-05-16T12:37:26+02:00] view original

  There is

  
    nim c -d:release lib/nimrtl.nim
  Run

  which builds nimrtl.dll but it has the same problem: Procs that are not annotated with rtl will be missing. But rtl does cover most things from os.nim so it is a starting point.

---

• hunterbr (orginal) [2023-05-16T13:18:11+02:00] view original

  thx I ll give it a try, btw kudos for Nim, the more I look into it the more I like it, will not be my last Nim project and btw I see we like the same Comics ;)

---

• shirleyquirk (orginal) [2023-05-18T00:17:16+02:00] view original

  Something I do to convince the compiler to export (non generic) procs is, as you mentioned, add {.dynlib.}

  Maybe you don't know, you can use the {.push.} pragma to apply a pragma to all following procedures. So

  {.push,dynlib.}
  proc foo()
  proc bar()
   ...
  #optional {.pop.}
  Run

  To instantiate generic procs you could use a macro that iterates over all methods in a file and instantiate them for your choice of type

---