Qira tracer support for Windows binaries #213
I'm not sure about the current state of Qira for analyzing Windows binaries, but it seems like it might only be (experimentally) supported for Windows hosts using the Pin tracer.
This issue is an ongoing place to discuss my work to extend Qira so that it supports analysis of Windows binaries while on a Linux host, and hopefully with less intrusive mechanisms than Pin/Valgrind (via Angr).
Currently there are two options that I'm considering:
The Hangover option is clearly the easiest to get started with -- WINE and QEMU are both open source and we've already got patches for QEMU to support generating Qira traces.
However, I think the Drawbridge approach is more promising long-term. It has much less "artificial" stuff in the way (recompiling with QEMU's TCG) and is actually running a minimally-modified Windows kernel rather than a complete emulation layer.
Drawbridge is, however, less accessible than the pieces involved in Hangover. Right now the technology is being used to power:
You can right now run SQL Server on Linux using the Drawbridge technology -- of course it's entirely closed source. This constitutes a pretty fun reversing challenge, but it's obviously going to take much longer than the QEMU approach.
Also of relevance to implementing the Drawbridge system is the Graphene project. Basically they've taken the Drawbridge PAL (the bit that sits between the user-space kernel and the host OS) and modified it to allow unmodified Linux applications to run inside Intel SGX enclaves (or on a standard Linux host).