investigate feasibility of a BinExport2 backend

[williballenthin]

BinExport is an intermediate representation of disassembly produced by various tools, like IDA, Binary Ninja, Ghidra, etc. The data is stored in a ProtoBuf format: https://github.com/google/binexport/blob/main/binexport2.proto

It includes many of the things that capa needs:

• instructions
• operands
• functions, basic blocks
• strings

Some other things are missing:

• section names
• data references

Investigate the feasibility of building a backend that relies upon BinExport. Consider the tradeoffs of requiring the original file (such as for missing metadata, like sections, or data references) versus self-contained protobuf.

[williballenthin]

• instruction features
  • api ✓
  • number ✓
  • string and substring ✓
  • offset ✓
  • mnemonic ✓
  • operand ✓
  • namespace ?
  • class ?
  • property ?
  • bytes ✗ (but ✓ alongside PE/ELF)
• function features
  • function-name ✓
• file features
  • namespace ✓
  • class ✓
  • string and substring ✗ (but ✓ alongside PE/ELF)
  • export ✗ (but ✓ alongside PE/ELF)
  • import ✗ (but ✓ alongside PE/ELF)
  • section ✗ (but ✓ alongside PE/ELF)
• global features
  • arch ✓
  • os ✗ (but ✓ alongside PE/ELF)
  • characteristic
  • loop ✓
  • recursive call ✓
  • calls from ✓
  • calls to ✓
  • tight loop ✓
  • stack string ✓
  • nzxor ✓
  • peb access ✓
  • fs access ✓
  • gs access ✓
  • cross section flow ✓
  • indirect call ✓
  • call $+5 ✓
  • embedded pe ✗ (but ✓ alongside PE/ELF)
  • forwarded export ✗ (but ✓ alongside PE/ELF)
  • unmanaged call ✗
  • mixed mode ✗

[r0ny123]

Since the topic came up, maybe we consider this one https://github.com/quarkslab/quokka too?

[williballenthin]

Do you use Quokka or know of people that do? Seems very reasonable if so, though we don't want to maintain unused code.

[r0ny123]

Unfortunately, no. You're right that it's still in the early stages and not widely used at this moment.