How can I prevent loadstring from getting hooked like this - lua

Here I have a loadstring but attacker can just hook it and steal it's content like bellow. I want to make a anti hook so that it can be prevented.
-- Save copies of orignal functions
local o_load = _G["load"]
local o_loadstring = _G["loadstring"]
local o_unpack = _G["unpack"]
local o_pairs = _G["pairs"]
local o_writefile = _G["writefile"]
local o_print = _G["print"]
local o_tostring = _G["tostring"]
-- Dynamic function names
local load_name = tostring(_G["load"])
local loadstring_name = tostring(_G["loadstring"])
local tostring_name = tostring(_G["tostring"])
-- For multiple instances of loadstring or load being used
local files_loadstring = 1
local files_load = 1
-- Hide function names
_G["tostring"] = function(...)
local args = {...}
local arg = o_unpack(args)
if arg == _G["tostring"] then
return tostring_name
end
if arg == _G["loadstring"] then
return loadstring_name
end
if arg == _G["load"] then
return load_name
end
local ret = { o_tostring(o_unpack(args)) }
local value = o_unpack(ret)
return value
end
-- Hook loadstring
_G["loadstring"] = function(...)
local args = {...}
o_print("loadstring called")
local str = ""
for k, v in o_pairs(args) do
str = str .. o_tostring(v) .. " "
end
o_writefile("hook_loadstring"..o_tostring(files_loadstring)..".lua", str)
o_print("file written to hook_loadstring"..o_tostring(files_loadstring)..".lua")
files_loadstring = files_loadstring +1
local ret = { o_loadstring(o_unpack(args)) }
str = ""
for k, v in o_pairs(ret) do
str = str .. o_tostring(v) .. " "
end
return o_unpack(ret)
end
-- Hook load
_G["load"] = function(...)
local args = {...}
o_print("load called")
local str = ""
for k, v in o_pairs(args) do
str = str .. o_tostring(v) .. " "
end
o_writefile("hook_load"..o_tostring(files_load)..".lua", str)
o_print("file written to hook_load"..o_tostring(files_load)..".lua")
files_load = files_load +1
local ret = { o_load(o_unpack(args)) }
str = ""
for k, v in o_pairs(ret) do
str = str .. o_tostring(v) .. " "
end
return o_unpack(ret)
end
-- bellow is the loadstring function with a lua and all it's content is getting hooked and writen in a file
loadstring("local a = 1;")()`
I tried using tostring(loadstring) to compare the function name to check if it's real or fake but attacker can just hook tostring as well and give original function name so my anti hook won't work at all. Also I can't do writefile = nil or print = nil so attacker can't print or write the file since he saved a copy of these functions on top of the file so his code will work always. How can I prevent my loadstring from getting hooked like this. Please help.
I just want my content inside loadstring not to be stolen.

loadstring being hooked implies that the attacker's code runs before your code and in the same environment. This implies that all functions of the global environment may be hooked - from loadstring over tostring and including the debug library. Thus, the only thing you may rely on (and even that is uncertain, depending on which software is interpreting your Lua) are "hard-wired" (e.g. syntactical) Lua language features. You can take a look at the complete syntax of Lua. Notice that all these are basic constructs that won't help you at all; everything advanced in Lua uses function calls and the global environment, which may be hooked.
Whatever loads these scripts would need to be patched to either (1) load everything in a separate, clean environment (2) protect the global environment or at least a few selected functions, but even then the "loader" could be tampered with to remove these "protections".
In conclusion, you can't reliably prevent or detect loadstring being hooked. If you are providing someone with code for them to run, that code inevitably has to run at some point, and at that point they will be able to "steal" it. The "best" you can do is obfuscate your code so that there is little benefit from stealing it.
Bottom line: As long as your software runs "on-premise" (on their machines) rather than "as a service" (on your machines), they will always be able to steal and analyze your code; all you can do is make it harder e.g. through obfuscation or checks (which may be circumvented however).

Related

Lua process vararg in function process only 1st parameter

I'm trying to get a bit tricky logging, but can't get why ... processing only 1st parameter in a function called
I have this function
local logger = function (name, ...)
-- Expected table processing here, but no.
print("[" .. name .. "] log called with " .. ...)
end
return setmetatable({}, {__index = function(self, name)
local log = function(...)
return logger(name, ...)
end
self[name] = log
return log
end})
And how it's called
local testf = require "test_log"["TestA"]
testf("TestB", "TestC")
testf("TestC", "TestB")
But getting back this result
[TestA] log called with TestB
[TestA] log called with TestC
The problem I can't get 2nd (and further) parameters from testf function and can't get why.
Thanks in advance!
Your code uses only first parameter
local s = ''
for i=1,select('#',...) do s = s .. select(i, ...) end
print("[" .. name .. "] log called with " .. s)
Also, you can use s = table.concat({...}), but it will produce different results in cases where vararg contains nil values
You can't concatenate ... because it's not a value. Instead, Lua just takes the first value of the list.
If you want to concatenate more than one value, use table.concat first:
local concatenated = table.concat({...})
You could also do something like this instead if you're feeling particularly smart today:
local logger = function (...)
print(string.format("[%s] log called with"..string.rep(" %s", select("#")), ...))
end

Prevent a file being written to more than once without file:close()

I'm currently working on a logging system. My problems arise when using for loops and file writing. Here is a small example:
file = io.open("text.txt","a") --text.txt can be literally anything
for i=1,8 do
if x == true then
file:write("X is true.")
elseif y == true then
file:write("Y is true.")
end
end
Is there a way to stop the file from being written to multiple times without using file:close()? I have a huge number of different file:write sections, and adding file:close() after all of them would be a massive problem.
If file:close() every time is a massive problem, then this is the custom logic you need.
myFileMetatable = {} --implement all necessary file operations here
function myFileMetatable.write(self, str)
if not self.written then
self.written = true
self.f:write(str)
end
end
function myFileMetatable.close(self)
self.f:close()
end
myFile = {}
function myFile.open(filename, mode)
local t = {f = io.open(filename, mode)}
setmetatable(t, {__index = myFileMetatable})
return t
end
--now you can do
file = myFile.open("test", "w")
file:write("test")
file:write("hello")
file:write("world")
file:close() --and only "test" will be written
Note that this is probably much better than replacing file:write(str) with something file_write(file, str), since you need to store somewhere the fact that the file has already been written to, which you cannot store inside the FILE* object and using a global variable for that will break when using multiple files. That's why I wrap the FILE* object in a table and use myFileMetatable to implement my own methods that I will need.
However, if you need just one file at a time and don't mind the global variable then this is more efficient.
file_written = false
function file_write(file, str)
if not file_written then
file_written = true
file:write(str)
end
end
file = io.open("test", "w")
file_write(file, "test")
file_write(file, "hello")
file_write(file, "world")
file:close()
Mind that it's not as pretty as the first example and you might face a problem in the future, if you decide to expand beyond one file.
How Egor Skriptunoff already said, I'll recommend you to write your own writing function. I'm normally using sth. like this:
local function writeFile(filePath, str)
local outfile = io.open(filePath, 'w')
outfile:write(str)
outfile:close()
end
For appending to the file easily change the mode from w to a.
For my specific case, I've found a solution - since I just want a single option to print, and it's the last option (rather than the first, and I should've specified this), I can just set a variable to what I want my output to be and write that at the end.
log = ""
if x == 2 then
log = "X is 2."
elseif y == 2 then
log = "Y is 2."
end
file:write(log)
For the last option, I'd refer anyone to the accepted answer which should be perfect.

Lua Sandbox "hacking"

So I use a program where I script mods in lua, the lua is in a sandbox state, meaning most functions are blocked like IO and OS, I can't even use REQUIRE to add libs.
I need to have a function that unzips files in one of my mods and I don't seem to find a way.
Is there anyway to do it?
If it's not possible in an easy way, is it possible to hack the program .exe or dlls to re-enable those functions in the lua?
Thank you in advance, Regards
There are decompression librarys in pure Lua, you should be able to embed these in any environment that allows loading Lua scripts: http://lua-users.org/wiki/CompressionAndArchiving
If you can't access any files at all, you could try a simple packer:
#!/usr/bin/env lua
local files = arg
local w = io.write
local function pack(...) return {...} end
w("files = {\n")
for i, filename in ipairs(arg) do
w('\t["' ..filename .. '"] = "')
local file = assert(io.open(filename, "r"), "Can't open file!")
local data = file:read("*a")
data = data:gsub("\a", "\\a")
:gsub("\\", "\\\\")
:gsub("\f", "\\f")
:gsub("\n", "\\n")
:gsub("\r", "\\r")
:gsub("\t", "\\t")
:gsub("\v", "\\v")
:gsub('"', '\\"')
:gsub("'", "\\'")
w(data, '",\n')
end
w("}\n")
w([[
function require(path)
local data = assert(files[path..".lua"], "file not found")
local func = assert(loadstring(data))
local _, ret = assert(pcall(func))
return ret
end
]])
w('require("', arg[1]:match("^(.-)%.lua$"),'")\n')
This should create a script like this:
$ ./packer.lua init.lua
files = {
["init.lua"] = "for k,v in pairs(arg) do\n\tprint(k,v)\nend\n",
}
function require(path)
local data = assert(files[path..".lua"], "file not found")
local func = assert(loadstring(data))
local _, ret = assert(pcall(func))
return ret
end
require("init")

Get name of argument of function in lua

When call a lua function like
PrintMe(MyVariableName)
I would like to be able to actually print "MyVariableName" and not it's value(well, for demo purposes).
Obviously I could just pass the string but that requires extra quotes and I also would like to print it's value.
e.g.,
MyVariable = 4
PrintVariable(MyVariable)
Would print "MyVariable is 4" or whatever
I do not want to have to duplicate the name and variable like
PrintVariable(MyVariable, "MyVariable")
as this is unnecessary duplication.
Can lua handle it?
What I'm doing now is passing the variable name in quotes and using loadstring to get the value but I would like to just pass the variable directly without the extra unnecessary quotes(which I thought debug.getlocal did but it ends up returning the value instead of the name).
Here is mock example
function printme1(var, val)
print(var.." = "..val)
end
function printme2(v)
local r
loadstring("r = "..v)() -- equivalent to r = a but must be used since v is a string representing a and not the object a
print(v.." = "..tostring(r))
end
function printme3(v)
-- unknown
end
a = 3
printme1("a", a)
printme2("a")
printme3(a)
In this case all 3 should print the same thing. printme3 obviously is the most convenient.
You can't say PrintVariable(MyVariable), because Lua gives you no way of determining which variable (if any; a constant could have been used) was used to pass an argument to your function. However, you can say PrintVariable('MyVariable') then used the debug API to look for a local variable in the caller's scope which has that name:
function PrintVariable(name)
-- default to showing the global with that name, if any
local value = _G[name]
-- see if we can find a local in the caller's scope with that name
for i=1,math.huge do
local localname, localvalue = debug.getlocal(2,i,1)
if not localname then
break -- no more locals to check
elseif localname == name then
value = localvalue
end
end
if value then
print(string.format("%s = %s", name, tostring(value)))
else
print(string.format("No variable named '%s' found.", name))
end
end
Now you can say:
PrintVariable('MyVariable')
While in this case will print "MyVariable = 4".
Not, if you really want to do this without the quotes, you could check the caller's locals for variables that have a supplied value, but that's occasionally going to give you the wrong variable name if there is more than one variable in the caller's scope with a given value. With that said, here's how you'd do that:
function PrintVariable(value)
local name
-- see if we can find a local in the caller's scope with the given value
for i=1,math.huge do
local localname, localvalue = debug.getlocal(2,i,1)
if not localname then
break
elseif localvalue == value then
name = localname
end
end
-- if we couldn't find a local, check globals
if not name then
for globalname, globalvalue in pairs(_G) do
if globalvalue == value then
name = globalname
end
end
end
if name then
print(string.format("%s = %s", name, tostring(value)))
else
print(string.format("No variable found for the value '%s'.", tostring(value)))
end
end
Now you can say PrintVariable(MyVariable), but if there happened to be another variable in the caller's scope with the value 4, and it occurred before MyVariable, it's that variable name that will be printed.
you can do stuff like this with the debug library... something like this does what you seem to be looking for:
function a_func(arg1, asdf)
-- if this function doesn't use an argument... it shows up as (*temporary) in
-- calls to debug.getlocal() because they aren't used...
if arg1 == "10" then end
if asdf == 99 then end
-- does stuff with arg1 and asdf?
end
-- just a function to dump variables in a user-readable format
function myUnpack(tbl)
if type(tbl) ~= "table" then
return ""
end
local ret = ""
for k,v in pairs(tbl) do
if tostring(v) ~= "" then
ret = ret.. tostring(k).. "=".. tostring(v).. ", "
end
end
return string.gsub(ret, ", $", "")
end
function hook()
-- passing 2 to to debug.getinfo means 'give me info on the function that spawned
-- this call to this function'. level 1 is the C function that called the hook.
local info = debug.getinfo(2)
if info ~= nil and info.what == "Lua" then
local i, variables = 1, {""}
-- now run through all the local variables at this level of the lua stack
while true do
local name, value = debug.getlocal(2, i)
if name == nil then
break
end
-- this just skips unused variables
if name ~= "(*temporary)" then
variables[tostring(name)] = value
end
i = i + 1
end
-- this is what dumps info about a function thats been called
print((info.name or "unknown").. "(".. myUnpack(variables).. ")")
end
end
-- tell the debug library to call lua function 'hook 'every time a function call
-- is made...
debug.sethook(hook, "c")
-- call a function to try it out...
a_func("some string", 2012)
this results in the output:
a_func(asdf=2012, arg1=some string)
you can do fancier stuff to pretty this up, but this basically covers how to do what you're asking.
I have bad news, my friend. You can access function parameter names as they appear at the top of the function, but the data to access exactly what they were named in the calling function does not exist. See the following:
function PrintVariable(VariableToPrint)
--we can use debug.getinfo() to determine the name 'VariableToPrint'
--we cannot determine the name 'MyVariable' without some really convoluted stuff (see comment by VBRonPaulFan on his own answer)
print(VariableToPrint);
end
MyVariable = 4
PrintVariable(MyVariable)
To illustrate this, imagine if we had done:
x = 4
MyVariable = x
MyOtherVariable = x
x = nil
PrintVariable(MyVariable)
Now if you were Lua, what name would you attach in the metadata to the variable that ends up getting passed to the function? Yes, you could walk up the stack with debug.getint() looking for the variable that was passed in, but you may find several references.
Also consider:
PrintVariable("StringLiteral")
What would you call that variable? It has a value but no name.
You could just use this form:
local parms = { "MyVariable" }
local function PrintVariable(vars)
print(parms[1]..": "..vars[1])
end
local MyVariable = "bar"
PrintVariable{MyVariable}
Which gives:
MyVariable: bar
It isn't generic, but it is simple. You avoid the debug library and loadstring by doing it this way. If your editor is any good, you could write a macro to do it.
Another possible solution is add this facility your self.
The Lua C API and source is pretty simple and extendable.
I/we don't know the context of your project/work but if you ARE making/embedding your own Lua build you could extend the debug library with something to do this.
Lua passes it's values by reference, but unknown offhand if these contain a string name in them and if so if easily accessible.
In your example the value declaration is the same as:
_G["MyVariable"] = 4
Since it's global. If it were declared local then like others stated here you can enumerate those via debug.getlocal(). But again in the C context of the actual reference context it might not matter.
Implement a debug.getargumentinfo(...) that extends the argument table with name key, value pairs.
This is quite an old topic and I apologize for bringing it back to life.
In my experience with lua, the closest I know to what the OP asked for is something like this:
PrintVariable = {}
setmetatable(PrintVariable, {__index = function (self, k, v) return string.format('%s = %s', k, _G[k]) end})
VAR = 0
VAR2 = "Hello World"
print(PrintVariable.VAR, PrintVariable.VAR2)
-- Result: VAR = 0 VAR2 = Hello World
I do not give more explanation, because the code is quite readable, however:
What happens here is simple, you only set a metatable to the PrintVariable variable and add the __index metamethod that is called when the table is forced to search for a value in its index, thanks to this functionality you can achieve what you see in the example.
Reference: https://www.lua.org/manual/5.1/manual.html
I hope that future and new visitors will find this helpful.

Wireshark Dissector in Lua

First of all, I'm new to Lua altogether, and this is my first attempt at writing a wireshark dissector.
My protocol is straightforward - a 2 byte length field, followed by a string of that length.
When I run the code through the Lua console, everything works as expected.
When the code is added to the Wireshark plugins directory, I get the error
Lua Error: [string "C:\Users...\AppData\Roaming\Wireshark..."]:15: calling 'add' on bad self (number expected, got string)
Line 15 corresponds is the t:add(f_text... line.
Can anyone explain the discrepancy between the execution methods?
do
local p_multi = Proto("aggregator","Aggregator");
local f_len = ProtoField.int16("aggregator.length","Length",base.DEC)
local f_text = ProtoField.string("aggregator.text","Text")
p_multi.fields = { f_len, f_text }
local data_dis = Dissector.get("data")
function p_multi.dissector(buf,pkt,root)
pkt.cols.protocol = "Aggregator"
local len = buf(0,2):int()
local t = root:add(p_multi,buf(0,len+2))
t:add(f_len,buf(0,2),"Length: " .. buf(0,2):int())
t:add(f_text,buf(2,len),"Text: " .. buf(2,len):string())
end
local tcp_encap_table = DissectorTable.get("tcp.port")
tcp_encap_table:add(4321,p_multi)
end
Your dissector code is very close to correct, but you're doing extra work that the interface won't accept. If you change your dissector function like so,
function p_multi.dissector(buf,pkt,root)
pkt.cols.protocol = "Aggregator"
local len = buf(0,2):int()
local t = root:add(p_multi,buf(0,len+2))
t:add(f_len,buf(0,2)) --let Wireshark do the hard work
t:add(f_text,buf(2,len)) --you've already defined their labels etc.
end
you'll get the desired behavior. The labels "Text" and "Length" are already defined for your fields, so there is no need to provide them again on lines 15 and 16.

Resources