Author Topic: Nomalua -- GMod/Lua malware scanner (v1.20)  (Read 6286 times)


Buzzkill
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #15 on: February 24, 2016, 09:14:03 PM »
Thrilled that it found something for you.  That made it worth it, right there.  Unfortunately I've begun realizing that the flexibility of the lua lexicon is so bloody vast that trying to detect bad code smells, anti patterns and malevolent code automatically is a fool's errand, so I've kinda let this project die a natural death. 

LuaTenshi
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #16 on: February 25, 2016, 01:19:27 PM »
Why not change this into a sort of lua firewall? Catch all calls to external domains etc, etc... Also a net message firewall would be useful as many cheaters exploit net messages (Bridgehack).
I cry every time I see that I am not a respected member of this community.

Buzzkill
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #17 on: March 28, 2016, 02:32:48 PM »
That's a good idea, though it would change the design pretty dramatically.  Right now this is an on-demand code scanner.  What you're suggesting would be more of a real-time intercept.  If I resurrect this thing at some point I may move in that direction though.  Code parsing was a bad idea.  :)

WispySkies
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #18 on: March 31, 2016, 11:08:29 AM »
Sorry to bump this as nothing has been posted in a while, but can this be used to detect certain strings? In my start-up (singleplayer) when it says stuff like Pillpack loaded and all the ULX stuff is working & loaded (In the yellow text colour) I have one saying "fuckass". I would like to know if I can search my addons for the string "fuckass", because with some common sense that shouldn't be there. I haven't checked if any other of my addons have backdoors in them but this fuckass is more concerning to me than the rest of my addons.

EDIT: Someone told me I can use grep -R "fuckass" PATH and it found this.

Binary file /Users/NAME/Library/Application Support/Steam/steamapps/common/GarrysMod/garrysmod/addons/hyrule_warriors_-_midna_363147859.gma matches

P.S. Nothing wrong with midna, just a crappy print("fuckass"). Although I got a monstrous list of OBFUSC encrypted xD
« Last Edit: March 31, 2016, 02:57:13 PM by WispySkies »

Buzzkill
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #19 on: April 01, 2016, 05:39:16 AM »
Quote
. Although I got a monstrous list of OBFUSC encrypted xD

If you're searching the GMA directly, then yes,  that's to be expected, as gma files are obfuscated and (somewhat) compressed.  'fuckass' appears because it's a string literal and survives tokenization. You can use something like gma extractor to look at the actual contents of the gma.

Midna had to do a fair amount of custom animation tweaking in Lua to get the PM to work, so I suspect the print may have been a leftover bit from a late night debugging session.  :)

To answer your original question, yes, a custom pattern could have been added to sv_nomalua_checkdef to detect this or any other string of interest.

HTH
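
An added example, not part of the original posts and not Nomalua's code: an on-demand string search over an addons folder, as discussed in the two posts above. It reports line numbers for .lua files and byte offsets of printable runs for packed files such as .gma. The pattern names, the pattern list and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed patterns of interest; these are not Nomalua's check definitions.
PATTERNS = {
    "debug-string": re.compile(rb"fuckass"),
    "dynamic-code": re.compile(rb"\b(RunString|CompileString)\s*\("),
    "http-call": re.compile(rb"\bhttp\.(Fetch|Post)\s*\("),
}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like strings(1)


def scan_file(path):
    """Return (path, location, pattern name, snippet) for every hit."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.endswith(".lua"):
        # Plain source: match line by line so hits carry a line number.
        units = [(f"line {n}", ln.strip())
                 for n, ln in enumerate(data.splitlines(), 1)]
    else:
        # Packed file: only string literals are visible, so match printable runs.
        units = [(f"offset {m.start()}", m.group())
                 for m in PRINTABLE.finditer(data)]
    return [(path, where, name, text.decode("latin-1")[:80])
            for where, text in units
            for name, rx in PATTERNS.items() if rx.search(text)]


def scan_tree(root, exts=(".lua", ".gma")):
    """Walk an addons folder and collect hits from every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(exts):
                hits.extend(scan_file(os.path.join(dirpath, fn)))
    return hits


def demo():
    """Scan a small constructed tree: one Lua file and one fake packed file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "a", "lua"))
        with open(os.path.join(root, "a", "lua", "init.lua"), "wb") as fh:
            fh.write(b'-- setup\nprint("fuckass")\n'
                     b'http.Fetch("http://example.invalid/x")\n')
        with open(os.path.join(root, "model.gma"), "wb") as fh:
            fh.write(b'\x00\x01\xffprint("fuckass")\x00\x9c\x02')
        return [(os.path.relpath(p, root).replace(os.sep, "/"), where, name)
                for p, where, name, _ in scan_tree(root)]
```

A hit inside a packed file only says the literal is present; extract the addon and rescan the Lua source to see the code around it.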

otomcold
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #20 on: December 01, 2016, 08:49:35 AM »
Sorry for the bump

when trying to initiate the scan this lua error appears on my server side console (dedicated server using SerenityServers as host)

[ERROR] addons/nomalua/lua/sv_nomalua_utils.lua:30: table index is nil
  1. AddLuaFiles - addons/nomalua/lua/sv_nomalua_utils.lua:30
   2. CheckFiles - addons/nomalua/lua/sv_nomalua.lua:62
    3. StartScan - addons/nomalua/lua/sv_nomalua.lua:95
     4. unknown - addons/nomalua/lua/sv_nomalua.lua:106
      5. unknown - lua/includes/modules/concommand.lua:54

Has anyone come across this issue before?  This occurred the moment I tried to launch the scan.

This seems like a very useful addon and I would love to use it ;\

JamminR
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #21 on: December 01, 2016, 03:07:39 PM »
@otomcold - just to verify - you restarted your server after installing, yes?
The price one pays for pursuing any profession or calling is an intimate knowledge of its ugly side. - James Baldwin

nex86
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #22 on: December 02, 2016, 11:31:21 AM »
it doesn't output anything in server console but dropping people off the server
is it supposed to show logs in console or separate log file?

JamminR
Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #23 on: December 02, 2016, 01:15:06 PM »
Quote
it doesn't output anything in server console but dropping people off the server
is it supposed to show logs in console or separate log file?

This does not log.
Nor does this show disconnects. (Though players may time out, from the readme.txt included "Nomalua is rather resource-intensive, so it's not recommended that you run it when the server is particularly busy. ")
This does not run realtime. It's a one time per command scan.
When installed, you run a command from console, it scans, and then reports to console what it finds that may or may not be potential danger.
« Last Edit: December 02, 2016, 01:18:27 PM by JamminR »
The price one pays for pursuing any profession or calling is an intimate knowledge of its ugly side. - James Baldwin