Compatibility issues with .NET AoT-compiled binaries

Still34 commented 6 hours ago

Description

Using the now-latest commit d4d856767d89faf6e9ebae069671a9151c2c7f31, feeding capa a .NET 8.0 Ahead-of-Time compiled binary causes multiple issues to crop up.

For the standalone version, vtrace complains about Unhandled Variant Type: 21, but the standalone version is still able to finish the analysis and display the results

Exception ignored on calling ctypes callback function: <bound method Win32SymbolParser.typeEnumCallback of
<vtrace.platforms.win32.Win32SymbolParser object at 0x000001E8F44232B0>>
Traceback (most recent call last):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2148, in
typeEnumCallback
    self._symTypeEnum(myname, sym.TypeIndex)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2063, in
_symTypeEnum
    kidval = self.symGetTypeValue(child)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2029, in
symGetTypeValue
    raise Exception('Unhandled Variant Type: %d' % v.vt)
Exception: Unhandled Variant Type: 21

For the IDA plugin (IDA 8.3), an issue with ida_bytes.bin_search shows up,

2024-10-23 14:54:36,270 ERROR:capa.ida.plugin.form:Failed to extract capabilities from database (error: cannot unpack non-iterable int object)
Traceback (most recent call last):
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\ida\plugin\form.py", line 772, in load_capa_results
capabilities, counts = capa.capabilities.common.find_capabilities(
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\common.py", line 75, in find_capabilities
return find_static_capabilities(ruleset, extractor, disable_progress=disable_progress, **kwargs)
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\static.py", line 206, in find_static_capabilities
all_file_matches, feature_count = find_file_capabilities(ruleset, extractor, function_and_lower_features)
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\common.py", line 25, in find_file_capabilities
for feature, va in itertools.chain(extractor.extract_file_features(), extractor.extract_global_features()):
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\extractor.py", line 51, in extract_file_features
yield from capa.features.extractors.ida.file.extract_features()
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 197, in extract_features
for feature, addr in file_handler():
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 82, in extract_file_embedded_pe
for ea, _ in check_segment_for_pe(seg):
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 48, in check_segment_for_pe
for off in capa.features.extractors.ida.helpers.find_byte_sequence(seg.start_ea, seg.end_ea, mzx):
File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\helpers.py", line 44, in find_byte_sequence
ea, _ = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
TypeError: cannot unpack non-iterable int object

Steps to Reproduce

Create a .NET 8.0 project (dotnet new console)
Compile the project as AoT (dotnet publish -c release -r win-x64 /p:PublishAot=true /p:PublishSingleFile=false)
Feed the compiled project to capa as either the standalone or IDA version
Both feature the errors above

Expected behavior:

Finish the analysis without errors

Actual behavior:

Errors show up

Versions

capa 7.4.0 (d4d856767d89faf6e9ebae069671a9151c2c7f31)
Python 3.10
Windows 11 (Build 22635.4371)
IDA 8.3

Additional Information

williballenthin commented 6 hours ago

@Still34 Do you happen to have a test binary available? If not, I can certainly reproduce it on my side, but it might take an extra 30 mins or more of effort.

williballenthin commented 6 hours ago

Unhandled Variant Type: 21 seems to be a bug in vivisect's symbol/PDB parser. We can triage and report it upstream.

Still34 commented 6 hours ago

@Still34 Do you happen to have a test binary available? If not, I can certainly reproduce it on my side, but it might take an extra 30 mins or more of effort.

native.zip Sure, here is a simple Hello World.

mandiant / capa