Re: [DynInst_API:] ParseAPI and PE files


Date: Thu, 17 Apr 2014 16:08:32 +0000
From: "E.Robbins" <er209@xxxxxxxxxx>
Subject: Re: [DynInst_API:] ParseAPI and PE files
On 17/04/2014 16:40 PM Bill Williams wrote:
> Oh. One other thing--if you're trying to analyze PE files on Linux,
> that's not presently going to work. It might be possible, if you have a
> Linux system with the necessary Windows headers present and you know of
> a replacement for the debug SDK, to coerce a Linux build of Symtab to
> speak PE. 

Thanks. We are indeed trying to analyse PE files in Linux. I didn't realise that this wasn't supported. When you say the debug SDK, do you mean some kind of MS VS debugger?

> You could probably pull the text section out via objdump or
> similar and stuff it into a fake ELF file. 

We'll have to think about that, but it's certainly an option in the short term I guess. We are mostly looking at malware so symbols are mostly useless, but we probably will need to know about linkage, the entry point etc etc.

> I think I also have an
> memory-backed CodeSource implementation floating around somewhere that
> you could use as a starting point--as long as you can find the text
> section and either don't care about symbols or can find them without
> Windows headers, mocking up a CodeSource that speaks PE on Linux is a
> simple matter of engineering. 

What do you mean by a memory-backed CodeSource? We would be interested in anything that can help, though obviously we may decide it's too big a task.

> It's engineering we haven't done because
> parsing PE on Linux is not of much use to Dyninst without a *very*
> full-featured cross-format Symtab backing it, such that we could rewrite
> PE files on Linux.

Fair enough... we are somewhat at odds with the goals of dyninst because we are doing static analysis and mostly use it for its control flow recovery which is very good, and to some extent for reading symbols too.

The obvious answer then is to use windows. Can the windows version of dyninst work over ELF binaries?

Thanks a lot,
Ed
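The approach sketched above (find the text section and entry point yourself, then hand the raw bytes and their load address to a memory-backed CodeSource) only needs the PE header layout, not the Windows SDK. The following is an added example, not Dyninst code and not from anyone on this thread: a small standard-library parser that reads the DOS, COFF and optional headers plus the section table, reports the executable sections as (load address, bytes) pairs, and resolves the entry point to a section and file offset. The function names (`parse_pe`, `code_regions`, `entry_location`, `build_sample_pe`) are hypothetical, and the PE32 image it parses is constructed inline so it runs offline. Raw-data ranges are clipped to the file length rather than trusted, which matters for the malformed headers malware samples often carry.

```python
"""Locate executable sections and the entry point in a PE file without Windows headers.
Hypothetical helper, not part of Dyninst or ParseAPI; standard library only."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Parse headers and section table; raise ValueError on a malformed header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or out-of-range PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 40 or opt + opt_size > len(data):
        raise ValueError("optional header missing or runs past end of file")
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, table = [], opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        rawptr = min(rawptr, len(data))
        rawsize = min(rawsize, len(data) - rawptr)   # clip to the file; never trust the header
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))})
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "sections": sections}


def code_regions(pe: dict, data: bytes) -> list:
    """Executable sections as (load_address, bytes): what a memory-backed CodeSource needs."""
    return [(pe["image_base"] + s["vaddr"], data[s["rawptr"]:s["rawptr"] + s["rawsize"]])
            for s in pe["sections"] if s["executable"]]


def entry_location(pe: dict) -> tuple:
    """(section name, file offset) holding the entry point, or (None, None)."""
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"], s["rawptr"] + (rva - s["vaddr"])
    return None, None


def build_sample_pe() -> bytes:
    """Constructed PE32 image: 0x200-byte headers, .text at RVA 0x1000, .data at RVA 0x2000."""
    code = bytes.fromhex("5589e531c05dc3")          # constructed stub: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    data_hdr = struct.pack("<8sIIIIIIHHI", b".data", 4, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                           0x40 | 0x40000000 | 0x80000000)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + data_hdr).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0") + b"\x01\x02\x03\x04".ljust(0x200, b"\0")


if __name__ == "__main__":
    blob = build_sample_pe()
    info = parse_pe(blob)
    print(f"machine={info['machine']:#x} entry={info['entry_va']:#x} in {entry_location(info)}")
    for load, raw in code_regions(info, blob):
        print(f"code region @ {load:#x}, {len(raw)} bytes")
```

Running it against a real sample instead of the constructed blob only needs `parse_pe(open(path, "rb").read())`; the (load address, bytes) pairs from `code_regions` are the regions a CodeSource would expose, and `entry_location` gives the one parse hint that is still available when symbols are stripped or meaningless.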
