Closed tpetersonkth closed 5 years ago
No, the limitation you might have been suspecting is real: at the moment ELF is the only binary format that FuzzBALL has any knowledge of.
FuzzBALL's knowledge of ELF is mostly found in execution/linux_loader.ml, which is about 650 lines of code; it also knows a bit about Linux process startup. A roughly similar amount of new code would be needed to support Windows/PE binary loading.
If all you really care about is loading the code and static data from a binary into FuzzBALL's simulated memory, another approach might be to dump the state of a loaded process using some other tool, and then convert it to the TEMU state format taken by FuzzBALL's "-state" option. However, this probably wouldn't be much easier overall.
The other thing that lets FuzzBALL symbolically execute Linux (x86-32, x86-64, ARM-32) binaries is that FuzzBALL knows how to simulate many common system calls: this is execution/linux_syscalls.ml. At more like 5400 lines of code, this would be a larger investment in reimplementing for Windows.
Thanks for the information! :)
Can this tool support other formats than the ELF format? More specifically, can it handle the Microsoft PE format?
I looked into the README.options but haven't been able to find any option to interpret a binary as using the PE format. And when simply feeding FuzzBALL an exe file, it complains that it is not an ELF binary.
Any ideas?
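The "not an ELF binary" complaint comes down to the file's header magic. As an added example (not FuzzBALL's own code, and independent of its linux_loader.ml), the following script reads just the identification fields of an ELF or PE header and reports the format and target machine, then checks the result against the architectures the maintainer's reply names as supported for ELF (x86-32, x86-64, ARM-32). The sample headers are constructed inline; they are not real binaries. Running this before handing a file to FuzzBALL tells you up front whether a load failure is a format mismatch rather than something else.

```python
import struct

# ELF e_machine values (from the ELF specification) and PE/COFF Machine values.
ELF_MACHINES = {0x03: "x86-32", 0x3E: "x86-64", 0x28: "ARM-32", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86-32", 0x8664: "x86-64", 0x1C0: "ARM-32", 0xAA64: "AArch64"}

# Architectures the maintainer lists as loadable ELF targets in this thread.
FUZZBALL_ELF_ARCHES = {"x86-32", "x86-64", "ARM-32"}


def identify(data: bytes) -> dict:
    """Classify a binary from its header bytes: ELF, PE, bare MZ stub, or unknown."""
    # ELF: 0x7f 'E' 'L' 'F', EI_CLASS at byte 4, EI_DATA at byte 5,
    # e_machine as a 2-byte field at offset 18 (endianness given by EI_DATA).
    if len(data) >= 20 and data[:4] == b"\x7fELF":
        ei_class, ei_data = data[4], data[5]
        endian = "<" if ei_data == 1 else ">"
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        return {
            "format": "ELF",
            "bits": 32 if ei_class == 1 else 64,
            "arch": ELF_MACHINES.get(e_machine, hex(e_machine)),
        }
    # PE: 'MZ' DOS header, e_lfanew (offset of the PE signature) at 0x3C,
    # then "PE\0\0" followed by the 2-byte COFF Machine field.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            return {"format": "PE", "arch": PE_MACHINES.get(machine, hex(machine))}
        return {"format": "MZ (DOS stub without PE header)"}
    return {"format": "unknown"}


def fuzzball_can_load(info: dict) -> bool:
    """True only for ELF files on an architecture named in the thread."""
    return info.get("format") == "ELF" and info.get("arch") in FUZZBALL_ELF_ARCHES


# Constructed sample: 64-byte ELF header, 64-bit, little-endian, e_type=EXEC, e_machine=x86-64.
ELF_SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44
)


def _pe_sample() -> bytes:
    """Constructed sample: MZ stub pointing at a PE signature with Machine=x86-64."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> 0x80
    coff = b"PE\0\0" + struct.pack("<HH", 0x8664, 3) + b"\x00" * 16
    return bytes(dos) + coff


PE_SAMPLE = _pe_sample()

if __name__ == "__main__":
    for name, blob in (("elf-sample", ELF_SAMPLE), ("pe-sample", PE_SAMPLE), ("junk", b"hello")):
        info = identify(blob)
        print(f"{name}: {info} -> loadable by FuzzBALL: {fuzzball_can_load(info)}")
```

To check a real file, replace the sample blobs with `open(path, "rb").read(1024)`; only the first kilobyte is needed for both header layouts.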