hasherezade / hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
https://github.com/hasherezade/hollows_hunter/wiki
BSD 2-Clause "Simplified" License

Fedora 33 : I cannot build on this Linux distro. #8

Closed catafest closed 3 years ago

catafest commented 3 years ago

I tried to use it with the Fedora 33 Linux distro. This is the result of the build ... without "Uses library: PE-sieve (the DLL version)".

[ 96%] Building CXX object CMakeFiles/hollows_hunter.dir/util/suspend.cpp.obj
[ 97%] Building CXX object CMakeFiles/hollows_hunter.dir/util/util.cpp.obj
[ 98%] Building CXX object CMakeFiles/hollows_hunter.dir/util/process_privilege.cpp.obj
[100%] Linking CXX executable hollows_hunter
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ar: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32

/usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lpsapi.lib
/usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lntdll.lib
/usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lpsapi.lib
/usr/lib/gcc/x86_64-w64-mingw32/10.2.1/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lntdll.lib
collect2: error: ld returned 1 exit status
make[2]: *** [CMakeFiles/hollows_hunter.dir/build.make:252: hollows_hunter] Error 1
make[1]: *** [CMakeFiles/Makefile2:135: CMakeFiles/hollows_hunter.dir/all] Error 2
make: *** [Makefile:160: all] Error 2
[mythcat@desk ~]$ cd _hollows_hunter/
[mythcat@desk _hollows_hunter]$ ls
CMakeCache.txt       CTestTestfile.cmake  hh_scanner.cpp  params_info    util
CMakeFiles       hh_params.cpp    hh_scanner.h    pe-sieve
cmake_install.cmake  hh_params.h      LICENSE     README.md
CMakeLists.txt       hh_report.cpp    main.cpp    term_util.cpp
color_scheme.h       hh_report.h      Makefile    term_util.h
hasherezade commented 3 years ago

How exactly do you build it? Try using this script: buid_hh.sh

catafest commented 3 years ago

I used that bash script ... Does it need to build the PE-sieve?

hasherezade commented 3 years ago

Yes, building PE-sieve is an indispensable requirement; you cannot build HollowsHunter without PE-sieve. If you are getting a linking problem, try to just re-run the script. Sometimes it happens that the required libraries are not found on the first attempt.

Example:

1) on first run:

link_err1

2) on second run:

link_ok

catafest commented 3 years ago

Does PE-sieve require libpeconv? The build of libpeconv ... using these commands:

[mythcat@desk libpeconv]$ cmake . \
>     -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \
>     -DCMAKE_CXX_COMPILER=x86_64-w64-mingw32-g++ \
>     -DCMAKE_SYSTEM_NAME=Windows-GNU \
>     -DPESIEVE_AS_STATIC_LIB=1 \
>     -DLINK_STATICALLY=1
-- The C compiler identification is GNU 10.2.1
-- The CXX compiler identification is GNU 10.2.1

-- Build files have been written to: /home/mythical/libpeconv 
[mythcat@desk libpeconv]$ make -j4
...

/bin/x86_64-w64-mingw32-ranlib: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32
/bin/x86_64-w64-mingw32-ranlib: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32

[ 57%] Built target libpeconv
make: *** [Makefile:160: all] Error 2

If I use just the make command without the -j argument:

[mythcat@desk libpeconv]$ make
...
/home/mythcat/libpeconv/run_pe/run_pe.cpp:83:16: error: 'Wow64SetThreadContext' was not declared in this scope; did you mean 'SetThreadContext'?
   83 |         return Wow64SetThreadContext(pi.hThread, &context);
      |                ^~~~~~~~~~~~~~~~~~~~~
      |                SetThreadContext
/home/mythcat/libpeconv/run_pe/run_pe.cpp: In function 'ULONGLONG get_remote_peb_addr(PROCESS_INFORMATION&, bool)':
/home/mythcat/libpeconv/run_pe/run_pe.cpp:111:14: error: 'Wow64GetThreadContext' was not declared in this scope; did you mean 'GetThreadContext'?
  111 |         if (!Wow64GetThreadContext(pi.hThread, &context)) {
      |              ^~~~~~~~~~~~~~~~~~~~~
      |              GetThreadContext
make[2]: *** [run_pe/CMakeFiles/run_pe.dir/build.make:97: run_pe/CMakeFiles/run_pe.dir/run_pe.cpp.obj] Error 1
make[1]: *** [CMakeFiles/Makefile2:333: run_pe/CMakeFiles/run_pe.dir/all] Error 2
make: *** [Makefile:160: all] Error 2
hasherezade commented 3 years ago

Yes, PE-sieve requires libpeconv. But, first of all, you shouldn't build them separately. This script: buid_hh.sh will automatically download and build all needed components.

It seems that the environment is not configured properly on your side - the (valid) function Wow64GetThreadContext is not at all recognized...

Additionally, I see that you are getting an error:

/bin/x86_64-w64-mingw32-ranlib: /usr/bin/../bin/../lib/bfd-plugins/LLVMgold.so: wrong ELF class: ELFCLASS32

Check details about this error, i.e. here... Try troubleshooting your build environment first; I can't help much with it, as I don't have access to your machine. There are some symptoms that something is not set up properly.
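The "wrong ELF class: ELFCLASS32" message above means a 64-bit binutils tool (ar/ranlib) tried to load a 32-bit LLVMgold.so from the bfd-plugins directory. The following POSIX shell check is an added diagnostic, not part of hollows_hunter or its build script; it reads the EI_CLASS byte of both files so the mismatch can be confirmed before touching the toolchain (the two paths in the usage comment are assumed from the log, adjust them to your system):

```shell
#!/bin/sh
# Added diagnostic (not part of hollows_hunter): report the ELF class of a
# binutils tool and of the bfd plugin it tried to load, so a "wrong ELF class"
# error can be traced to a 32-bit plugin installed next to a 64-bit toolchain.

# Print ELFCLASS32, ELFCLASS64 or not-elf for the file given as $1.
elf_class() {
    # Bytes 0-3 are the magic 0x7f 'E' 'L' 'F'; byte 4 (EI_CLASS) is
    # 1 for a 32-bit object and 2 for a 64-bit object.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo ELFCLASS32 ;;
        7f454c4602) echo ELFCLASS64 ;;
        *)          echo not-elf ;;
    esac
}

# Compare the tool ($1) with the plugin ($2). Returns 0 when both have the
# same ELF class (the plugin can be loaded), 1 when they differ.
plugin_matches_tool() {
    tool_class=$(elf_class "$1")
    plugin_class=$(elf_class "$2")
    echo "tool:   $1 -> $tool_class"
    echo "plugin: $2 -> $plugin_class"
    [ "$tool_class" = "$plugin_class" ]
}

# Usage with the paths from the build log (assumed locations, adjust as needed):
# plugin_matches_tool /bin/x86_64-w64-mingw32-ar /usr/lib/bfd-plugins/LLVMgold.so
```

If the classes differ, the plugin comes from a different (32-bit) LLVM install than the MinGW toolchain expects; fixing the packaging of that plugin, rather than re-running the build, is what resolves the message.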

hasherezade commented 3 years ago

BTW if your goal is just to use hollows_hunter, you don't have to build it from the sources, just use ready-made builds available here: https://github.com/hasherezade/hollows_hunter/releases

hasherezade commented 3 years ago

This is the version that I built just now on my Linux (Ubuntu) using MinGW and the script that I mentioned:

hollows_hunter.tar.gz

catafest commented 3 years ago

I downloaded your archive and tried to run it:

[mythcat@desk ~]$ cd Downloads/
[mythcat@desk Downloads]$ ./hollows_hunter.exe 
bash: ./hollows_hunter.exe: cannot execute binary file: Exec format error
[mythcat@desk Downloads]$ ls -l hollows_hunter.exe 
-rwxrwxr-x 1 mythcat mythcat 1485824 Dec 29 16:26 hollows_hunter.exe

You can see that after unarchiving, the file has full execute permissions.

hasherezade commented 3 years ago

Well, of course; it is a Windows app (PE file). Building it on Linux doesn't mean you can execute it on Linux; it is designed exclusively for Windows.

catafest commented 3 years ago

I have only Fedora Linux, sorry!

hasherezade commented 3 years ago

I understand - unfortunately this project is not dedicated to your OS.

hasherezade commented 3 years ago

I guess we can close this issue, yes?

catafest commented 3 years ago

If you want to do that.