
Qira tracer support for Windows binaries

[Open] Hamled opened this issue 5 years ago • 0 comments

I'm not sure about the current state of Qira for analyzing Windows binaries, but it seems like it might only be (experimentally) supported for Windows hosts using the Pin tracer.

This issue is an ongoing place to discuss my work to extend Qira so that it supports analysis of Windows binaries while on a Linux host, and hopefully with less intrusive mechanisms than Pin/Valgrind (via Angr).

Currently there are two options that I'm considering:

  • Hangover - This is basically running QEMU on top of WINE.
  • Drawbridge - This is a Library OS version of Windows (8.1, I believe) running entirely in user-mode on Linux, with an integrated Windows application.

The Hangover option is clearly the easiest to get started with -- WINE and QEMU are both open source and we've already got patches for QEMU to support generating Qira traces.

However, I think the Drawbridge approach is more promising long-term. It has much less "artificial" stuff in the way (recompiling with QEMU's TCG) and is actually running a minimally-modified Windows kernel rather than a complete emulation layer.

Drawbridge is, however, less accessible than the pieces involved in Hangover. Right now the technology is being used to power:

  • Windows Subsystem for Linux - not relevant as this is the inverse of what we want
  • Windows Sandbox - also not relevant because it's Windows on Windows
  • SQL Server for Linux - this is what we want

You can right now run SQL Server on Linux using the Drawbridge technology -- of course it's entirely closed source. This constitutes a pretty fun reversing challenge, but it's obviously going to take much longer than the QEMU approach.

Also of relevance to implementing the Drawbridge system is the Graphene project. Basically they've taken the Drawbridge PAL (the bit that sits between the user-space kernel and the host OS) and modified it to allow unmodified Linux applications to run inside Intel SGX enclaves (or standard Linux host). Mostly this seems like a good codebase to possibly start from when building our own PAL for the Drawbridge system.

Hamled, Apr 11 '19 08:04