Unsupported architecture/OS pair: amd64 and windows

[JulienFarine]

Hello,

I'm trying to lift a Windows 64 bits PE from a Linux host (I use the trailofbits/mcsema:llvm900-ubuntu18.04-amd64 docker image). The recovery of the CFG file seems to work but when I try to use mcsema-lift-9.0 I obtain this :

mcsema-lift-9.0 --arch amd64 --os windows --cfg ./my_binary.cfg --output ./my_binary.bc --explicit_args --merge_segments                       
E20210106 14:03:16.212332    13 CFG.cpp:546] Calling convention of function 'main' is not supported: Unsupported architecture/OS pair: amd64 and windows
E20210106 14:03:16.217545    13 CFG.cpp:546] Calling convention of function 'exit' is not supported: Unsupported architecture/OS pair: amd64 and windows
E20210106 14:03:16.218438    13 CFG.cpp:546] Calling convention of function 'abort' is not supported: Unsupported architecture/OS pair: amd64 and windows
F20210106 14:03:16.280176    13 Callback.cpp:743] Calling convention of function 'delete_novarargs' is not supported: Unsupported architecture/OS pair: amd64 and windows
*** Check failure stack trace: ***
    @           0x85b1ec  google::LogMessageFatal::~LogMessageFatal()
    @           0x462946  mcsema::GetLiftedToNativeExitPoint()
    @           0x4653b5  mcsema::DefineLiftedFunctions()
    @           0x471aa1  mcsema::LiftCodeIntoModule()
    @           0x487016  main
    @     0x7f8aad718bf7  __libc_start_main
    @           0x43884a  _start
Aborted (core dumped)

Is McSema able to lift x64 PE ?

[pgoodman]

Agh! This is actually an issue in Anvill, where we haven't encoded the actual Win64 calling convention details. Are you familiar enough with the Win64 calling convention, as well as C++, to be willing to extend Anvill? I could provide technical support over chat if you are.