I'm not sure about the current state of Qira for analyzing Windows binaries, but it seems like it might only be (experimentally) supported for Windows hosts using the Pin tracer.
This issue is an ongoing place to discuss my work to extend Qira so that it supports analysis of Windows binaries while on a Linux host, and hopefully with less intrusive mechanisms than Pin/Valgrind (via Angr).
Currently there are two options that I'm considering:
- Hangover - This is basically running QEMU on top of WINE.
- Drawbridge - This is a Library OS version of Windows (8.1, I believe) running entirely in user-mode on Linux, with an integrated Windows application.
The Hangover option is clearly the easiest to get started with -- WINE and QEMU are both open source and we've already got patches for QEMU to support generating Qira traces.
However, I think the Drawbridge approach is more promising long-term. It has much less "artificial" stuff in the way (recompiling with QEMU's TCG) and is actually running a minimally-modified Windows kernel rather than a complete emulation layer.
Drawbridge is, however, less accessible than the pieces involved in Hangover. Right now the technology is being used to power:
- Windows Subsystem for Linux - not relevant as this is the inverse of what we want
- Windows Sandbox - also not relevant because it's Windows on Windows
- SQL Server for Linux - this is what we want
You can right now run SQL Server on Linux using the Drawbridge technology -- of course it's entirely closed source. This constitutes a pretty fun reversing challenge, but it's obviously going to take much longer than the QEMU approach.
Also of relevance to implementing the Drawbridge system is the Graphene project. Basically they've taken the Drawbridge PAL (the bit that sits between the user-space kernel and the host OS) and modified it to allow unmodified Linux applications to run inside Intel SGX enclaves (or on a standard Linux host).
Mostly this seems like a good codebase to possibly start from when building our own PAL for the Drawbridge system.