Qira tracer support for Windows binaries #213

Hamled opened this Issue Apr 11, 2019 · 0 comments



Hamled commented Apr 11, 2019

I'm not sure about the current state of Qira for analyzing Windows binaries, but it seems like it might only be (experimentally) supported for Windows hosts using the Pin tracer.

This issue is an ongoing place to discuss my work to extend Qira so that it supports analysis of Windows binaries while on a Linux host, and hopefully with less intrusive mechanisms than Pin/Valgrind (via Angr).

Currently there are two options that I'm considering:

  • Hangover - This is basically running QEMU on top of WINE.
  • Drawbridge - This is a Library OS version of Windows (8.1, I believe) running entirely in user-mode on Linux, with an integrated Windows application.

The Hangover option is clearly the easiest to get started with -- WINE and QEMU are both open source and we've already got patches for QEMU to support generating Qira traces.

However, I think the Drawbridge approach is more promising long-term. It has much less "artificial" stuff in the way (recompiling with QEMU's TCG) and is actually running a minimally-modified Windows kernel rather than a complete emulation layer.

Drawbridge is, however, less accessible than the pieces involved in Hangover. Right now the technology is being used to power:

  • Windows Subsystem for Linux - not relevant as this is the inverse of what we want
  • Windows Sandbox - also not relevant because it's Windows on Windows
  • SQL Server for Linux - this is what we want

You can right now run SQL Server on Linux using the Drawbridge technology -- of course it's entirely closed source. This constitutes a pretty fun reversing challenge, but it's obviously going to take much longer than the QEMU approach.

Also of relevance to implementing the Drawbridge system is the Graphene project. Basically they've taken the Drawbridge PAL (the bit that sits between the user-space kernel and the host OS) and modified it to allow unmodified Linux applications to run inside Intel SGX enclaves (or standard Linux host).
Mostly this seems like a good codebase to possibly start from when building our own PAL for the Drawbridge system.
