>>>>> "TP" == Thomas Peterson <
pythonps...@gmail.com> writes:
TP> Can this tool support other formats than the ELF format? More
TP> specifically, can it handle the Microsoft PE format?
TP> I looked into the README.options but haven't been able to find any
TP> option to interpret a binary as using the PE format. And when
TP> simply feeding fuzzball with an exe file it complains that it is
TP> not an ELF binary.
[Also answered as a GitHub issue]
No, the limitation you might have been suspecting is real: at the
moment ELF is the only binary format that FuzzBALL has any knowledge of.
FuzzBALL's knowledge of ELF is mostly found in
execution/linux_loader.ml, which is about 650 lines of code; it also
knows a bit about Linux process startup. A roughly similar amount of
new code would be needed to support Windows/PE binary loading.
If all you really care about is loading the code and static data from
a binary into FuzzBALL's simulated memory, another approach might be
to dump the state of a loaded process using some other tool, and then
convert it to the TEMU state format taken by FuzzBALL's "-state"
format. However, this probably wouldn't be much easier overall.
The other thing that lets FuzzBALL symbolically execute Linux (x86-32,
x86-64, ARM-32) binaries is that FuzzBALL knows how to simulate many
common system calls: this is execution/linux_syscalls.ml. At more like
5400 lines of code, this would be a larger investment in
reimplementing for Windows.
Hope this helps,
-- Stephen
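As an added example (my own triage script, not FuzzBALL code and not part of this thread), the following Python distinguishes ELF from PE by header and reports the architecture, so the "not an ELF binary" complaint can be anticipated before invoking FuzzBALL. The three supported architectures are taken from the reply above; the sample headers are constructed inline and are not real executables.

```python
import struct

# Architectures the reply says FuzzBALL's Linux loader handles, keyed by the
# ELF e_machine value (left) and the PE/COFF Machine value (right).
ELF_MACHINES = {3: "x86-32", 62: "x86-64", 40: "ARM-32"}
PE_MACHINES = {0x14C: "x86-32", 0x8664: "x86-64", 0x1C0: "ARM-32"}


def identify_binary(data: bytes) -> dict:
    """Classify a raw file image as ELF, PE or unknown and report its architecture.

    'fuzzball_loadable' is True only for an ELF image on one of the three
    architectures above; PE images are reported but never loadable.
    """
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = 32 if data[4] == 1 else 64            # EI_CLASS
        endian = "<" if data[5] == 1 else ">"         # EI_DATA
        # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64 headers.
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        arch = ELF_MACHINES.get(e_machine)
        return {"format": "ELF", "bits": bits, "arch": arch,
                "fuzzball_loadable": arch is not None}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) gives the file offset of the "PE\0\0" signature;
        # the COFF header's Machine field immediately follows it.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack_from("<H", data, pe_off + 4)
            return {"format": "PE", "bits": None, "arch": PE_MACHINES.get(machine),
                    "fuzzball_loadable": False}
    return {"format": "unknown", "bits": None, "arch": None, "fuzzball_loadable": False}


# Constructed header-only samples (not real executables), just enough bytes to classify.
SAMPLE_ELF64_X86_64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 62) + b"\x00" * 44
SAMPLE_ELF32_ARM = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 40) + b"\x00" * 32
_dos = bytearray(64)
_dos[:2] = b"MZ"
_dos[0x3C:0x40] = struct.pack("<I", 64)               # PE signature right after the DOS header
SAMPLE_PE32_X86 = bytes(_dos) + b"PE\x00\x00" + struct.pack("<HH", 0x14C, 3) + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("elf64", SAMPLE_ELF64_X86_64), ("elf32", SAMPLE_ELF32_ARM), ("pe32", SAMPLE_PE32_X86)]:
        print(name, identify_binary(blob))
```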