anvill icon indicating copy to clipboard operation
anvill copied to clipboard

Published 20 hours ago verified publisher icon lifting-bits

Win64 Calling Convention Semantics Support

Open SaifRushdHadad opened this issue 3 years ago • 8 comments

It does not appear that Anvill supports x64 PE files according to this issue on the Mcsema repository: https://github.com/lifting-bits/mcsema/issues/720

Is there any internal effort going on to provide support for the Win64 calling convention semantics?

SaifRushdHadad avatar Mar 02 '21 16:03 SaifRushdHadad

Not yet, no. @SaifRushdHadad are you willing to work on this?

pgoodman avatar Mar 04 '21 17:03 pgoodman

Yes, I would be! I'm hesitant to start working on it because I cannot even uplift a skeleton x86 PE binary with MCSema https://github.com/lifting-bits/mcsema/issues/740

SaifRushdHadad avatar Mar 12 '21 21:03 SaifRushdHadad

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

pgoodman avatar Mar 12 '21 21:03 pgoodman

I have both of them and I'll give using Rellic a shot as an alternative for the meantime. I was hoping to demonstrate MCSema to uplifting x86 PE files to LLVM-IR, apply a basic pass, and then compile down, at my job so I could work on it in earnest and not a side project.

SaifRushdHadad avatar Mar 12 '21 22:03 SaifRushdHadad

So the medium-term plan with McSema is to swap out most of it for Anvill, so that most of the actual lifting is being done by Anvill itself, and McSema is mostly about the various heuristics we apply to capture additional cross-references in our scripts, along with packaging up all that info into our CFG file format.

Either way, if you want to use McSema with Win64, you're going to need to help us with Anvill :trollface:

Note that anvill can generally lift machine code to bitcode. The rough usage is something like this in IDA Pro:

import json
sys.path.insert(0, "/path/to/anvill/python")
import anvill
p = anvill.get_program()
p.add_function_definition(here())
open("/tmp/spec.json", "w").write(json.dumps(p.proto()))

pgoodman avatar Mar 12 '21 22:03 pgoodman

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

We have the two following IDA plugins:

  • anvill, to generate the spec file for one or all functions: https://github.com/lifting-bits/anvill/blob/master/anvill/plugins/ida/anvill.py
  • rellic, to generate the spec file and then automatically run the decompilation process: https://github.com/lifting-bits/rellic/blob/master/tools/plugins/ida-rellic.py

alessandrogario avatar Mar 12 '21 22:03 alessandrogario

underway on a big refactor

Do you mean IDAPython part? Or will there be any huge changes to the CFG protobuf format? I'm working on adding mcsema into my tool-chain and this really matters. Thanks.

xrkk avatar Mar 24 '21 08:03 xrkk

In the short/medium term not much will change. In the long term we'll probably migrate away from that format, but always strive to have things as a single file. Thus, if your usage of mcsema relies on manually decoding the CFG yourself then this may present challenges. However, if your usage is more related to running the IDAPython scripts and then treating the file as an opaque blob that you copy around / pass to mcsema-lift then I don't anticipate issues.

pgoodman avatar Mar 24 '21 20:03 pgoodman