Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Compatibility issues with .NET AoT-compiled binaries #2473

Open
Still34 opened this issue Oct 23, 2024 · 3 comments
Open

Compatibility issues with .NET AoT-compiled binaries #2473

Still34 opened this issue Oct 23, 2024 · 3 comments

Comments

@Still34
Copy link

Still34 commented Oct 23, 2024

Description

Using the now-latest commit d4d8567, feeding capa a .NET 8.0 Ahead-of-Time compiled binary causes multiple issues to crop up.

  • For the standalone version, vtrace complains about Unhandled Variant Type: 21, but the standalone version is still able to finish the analysis and display the results
Exception ignored on calling ctypes callback function: <bound method Win32SymbolParser.typeEnumCallback of
<vtrace.platforms.win32.Win32SymbolParser object at 0x000001E8F44232B0>>
Traceback (most recent call last):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2148, in
typeEnumCallback
    self._symTypeEnum(myname, sym.TypeIndex)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2063, in
_symTypeEnum
    kidval = self.symGetTypeValue(child)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\vtrace\platforms\win32.py", line 2029, in
symGetTypeValue
    raise Exception('Unhandled Variant Type: %d' % v.vt)
Exception: Unhandled Variant Type: 21
  • For the IDA plugin (IDA 8.3), an issue with ida_bytes.bin_search shows up,
2024-10-23 14:54:36,270 ERROR:capa.ida.plugin.form:Failed to extract capabilities from database (error: cannot unpack non-iterable int object)
Traceback (most recent call last):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\ida\plugin\form.py", line 772, in load_capa_results
    capabilities, counts = capa.capabilities.common.find_capabilities(
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\common.py", line 75, in find_capabilities
    return find_static_capabilities(ruleset, extractor, disable_progress=disable_progress, **kwargs)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\static.py", line 206, in find_static_capabilities
    all_file_matches, feature_count = find_file_capabilities(ruleset, extractor, function_and_lower_features)
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\capabilities\common.py", line 25, in find_file_capabilities
    for feature, va in itertools.chain(extractor.extract_file_features(), extractor.extract_global_features()):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\extractor.py", line 51, in extract_file_features
    yield from capa.features.extractors.ida.file.extract_features()
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 197, in extract_features
    for feature, addr in file_handler():
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 82, in extract_file_embedded_pe
    for ea, _ in check_segment_for_pe(seg):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\file.py", line 48, in check_segment_for_pe
    for off in capa.features.extractors.ida.helpers.find_byte_sequence(seg.start_ea, seg.end_ea, mzx):
  File "C:\Users\<redacted>\AppData\Local\Programs\Python\Python310\lib\site-packages\capa\features\extractors\ida\helpers.py", line 44, in find_byte_sequence
    ea, _ = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
TypeError: cannot unpack non-iterable int object

Steps to Reproduce

  1. Create a .NET 8.0 project (dotnet new console)
  2. Compile the project as AoT (dotnet publish -c release -r win-x64 /p:PublishAot=true /p:PublishSingleFile=false)
  3. Feed the compiled project to capa as either the standalone or IDA version
  4. Both feature the errors above

Expected behavior:

Finish the analysis without errors

Actual behavior:

Errors show up

Versions

  • capa 7.4.0 (d4d8567)
  • Python 3.10
  • Windows 11 (Build 22635.4371)
  • IDA 8.3

Additional Information
@williballenthin
Copy link
Collaborator

@Still34 Do you happen to have a test binary available? If not, I can certainly reproduce it on my side, but it might take an extra 30 mins or more of effort.

@williballenthin
Copy link
Collaborator

Unhandled Variant Type: 21 seems to be a bug in vivisect's symbol/PDB parser. We can triage and report it upstream.

@Still34
Copy link
Author

Still34 commented Oct 23, 2024

@Still34 Do you happen to have a test binary available? If not, I can certainly reproduce it on my side, but it might take an extra 30 mins or more of effort.

native.zip
Sure, here is a simple Hello World.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@williballenthin @Still34