Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Win64 Calling Convention Semantics Support #129

Open
SaifRushdHadad opened this issue Mar 2, 2021 · 8 comments
Open

Win64 Calling Convention Semantics Support #129

SaifRushdHadad opened this issue Mar 2, 2021 · 8 comments
Labels
enhancement New feature or request

Comments

@SaifRushdHadad
Copy link

SaifRushdHadad commented Mar 2, 2021

It does not appear that Anvill supports x64 PE files according to this issue on the Mcsema repository: lifting-bits/mcsema#720

Is there any internal effort going on to provide support for the Win64 calling convention semantics?

@pgoodman
Copy link
Contributor

pgoodman commented Mar 4, 2021

Not yet, no. @SaifRushdHadad are you willing to work on this?

@SaifRushdHadad
Copy link
Author

Yes, I would be! I'm hesitant to start working on it because I cannot even uplift a skeleton x86 PE binary with MCSema lifting-bits/mcsema#740

@pgoodman
Copy link
Contributor

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

@SaifRushdHadad
Copy link
Author

I have both of them and I'll give using Rellic a shot as an alternative for the meantime.
I was hoping to demonstrate MCSema to uplifting x86 PE files to LLVM-IR, apply a basic pass, and then compile down, at my job so I could work on it in earnest and not a side project.

@pgoodman
Copy link
Contributor

So the medium-term plan with McSema is to swap out most of it for Anvill, so that most of the actual lifting is being done by Anvill itself, and McSema is mostly about the various heuristics we apply to capture additional cross-references in our scripts, along with packaging up all that info into our CFG file format.

Either way, if you want to use McSema with Win64, you're going to need to help us with Anvill :trollface:

Note that anvill can generally lift machine code to bitcode. The rough usage is something like this in IDA Pro:

import json
sys.path.insert(0, "/path/to/anvill/python")
import anvill
p = anvill.get_program()
p.add_function_definition(here())
open("/tmp/spec.json", "w").write(json.dumps(p.proto()))

@alessandrogario
Copy link
Contributor

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

We have the two following IDA plugins:

@xrkk
Copy link

xrkk commented Mar 24, 2021

underway on a big refactor

Do you mean IDAPython part? Or will there be any huge changes to the CFG protobuf format? I'm working on adding mcsema into my tool-chain and this really matters.
Thanks.

@pgoodman
Copy link
Contributor

In the short/medium term not much will change. In the long term we'll probably migrate away from that format, but always strive to have things as a single file. Thus, if your usage of mcsema relies on manually decoding the CFG yourself then this may present challenges. However, if your usage is more related to running the IDAPython scripts and then treating the file as an opaque blob that you copy around / pass to mcsema-lift then I don't anticipate issues.

@alessandrogario alessandrogario added the enhancement New feature or request label Mar 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants