bdldr is an unofficial engine loader for Bitdefender ® for Linux.
The source code of this project was written by reverse engineering the Bitdefender ® core for research purposes.
Only basic loading and file scanning with the engine is implemented for the Linux version (easily portable to Windows). It can be used to fuzz, trace or debug the antivirus core.
The initial reason for writing this was Bitdefender ® for Linux is not daemonized, so everytime it scans a file the entire engine has to be loaded, which is a waste of resources and makes fuzzing really slow (unfeasible).
In addition to this, in the pin/ directory you will find a PIN tool to study the code coverage of a given template in the scanning engine. It works at basic block level and will report the total and unique basic blocks reached during the scan, ignoring the process of signatures loading and other irrelevant code.
How to use this? That's up to you :)
Example scanning a NSIS executable:
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam-nsis.exeaa
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json
{"uniq_bb_count": 25591, "total_bb_count": 35650212}
Also with an UPX binary:
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam-upx.exeaa
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json
{"uniq_bb_count": 23326, "total_bb_count": 963045}
Or even a PPT file:
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# ./pin.sh -ifeellucky -t source/tools/MyPinTool/obj-intel64/MyPinTool.so -- /root/bdldr/bdldr_cli /root/clamav_test/split.clam.pptaa
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
root@c170c568a803:~/pin-2.14-71313-gcc.4.4.7-linux# cat bbcount.json
{"uniq_bb_count": 4349, "total_bb_count": 62690}
There is no piracy involved in this project directly or indirectly. This code can only load the engine, set it up for scanning and scan a file. There's no way to clean an infected file or get the scanning results back, as this functionality is not implemented.
$ ./bdldr_cli example.exe
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Scanning file ...
Deleting BD core instance ...
Deleting BD core ...
$ ./bdldr_daemon
Initializing BD core ...
Initializing BD core instance ...
Setting up instance ...
Waiting for connections at /tmp/bdldr.sock
[13173] Scanning /tmp/example.exe ...
[13173] Scanning /tmp/example2.exe ...
$ echo 'SCAN /tmp/example.exe' | socat -T 90 -t 90 - UNIX-CONNECT:/tmp/bdldr.sock
OUTPUT OK
$ echo 'SCAN /tmp/example2.exe' | socat -T 90 -t 90 - UNIX-CONNECT:/tmp/bdldr.sock
OUTPUT OK