Win64 Calling Convention Semantics Support

[SaifRushdHadad]

It does not appear that Anvill supports x64 PE files according to this issue on the Mcsema repository: lifting-bits/mcsema#720

Is there any internal effort going on to provide support for the Win64 calling convention semantics?

[pgoodman]

Not yet, no. @SaifRushdHadad are you willing to work on this?

[SaifRushdHadad]

Yes, I would be! I'm hesitant to start working on it because I cannot even uplift a skeleton x86 PE binary with MCSema lifting-bits/mcsema#740

[pgoodman]

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

[SaifRushdHadad]

I have both of them and I'll give using Rellic a shot as an alternative for the meantime.
I was hoping to demonstrate MCSema to uplifting x86 PE files to LLVM-IR, apply a basic pass, and then compile down, at my job so I could work on it in earnest and not a side project.

[pgoodman]

So the medium-term plan with McSema is to swap out most of it for Anvill, so that most of the actual lifting is being done by Anvill itself, and McSema is mostly about the various heuristics we apply to capture additional cross-references in our scripts, along with packaging up all that info into our CFG file format.

Either way, if you want to use McSema with Win64, you're going to need to help us with Anvill

Note that anvill can generally lift machine code to bitcode. The rough usage is something like this in IDA Pro:

import json
sys.path.insert(0, "/path/to/anvill/python")
import anvill
p = anvill.get_program()
p.add_function_definition(here())
open("/tmp/spec.json", "w").write(json.dumps(p.proto()))

[alessandrogario]

Do you have Binary Ninja or IDA Pro? If so, I'd recommend focusing on lifting just with Anvill, as we're underway on a big refactor and it'll help. In the case of IDA, @alessandrogario made a nice GUI interface to connecting Anvill and Rellic together.

We have the two following IDA plugins:

• anvill, to generate the spec file for one or all functions: https://github.com/lifting-bits/anvill/blob/master/anvill/plugins/ida/anvill.py
• rellic, to generate the spec file and then automatically run the decompilation process: https://github.com/lifting-bits/rellic/blob/master/tools/plugins/ida-rellic.py

[xrkk]

underway on a big refactor

Do you mean IDAPython part? Or will there be any huge changes to the CFG protobuf format? I'm working on adding mcsema into my tool-chain and this really matters.
Thanks.

[pgoodman]

In the short/medium term not much will change. In the long term we'll probably migrate away from that format, but always strive to have things as a single file. Thus, if your usage of mcsema relies on manually decoding the CFG yourself then this may present challenges. However, if your usage is more related to running the IDAPython scripts and then treating the file as an opaque blob that you copy around / pass to mcsema-lift then I don't anticipate issues.