This repository has been archived by the owner on May 18, 2022. It is now read-only.
Hello everyone,
I am currently trying to extract system calls (name, arguments, return value) from PE binaries, but the only thing I am able to extract is the name and the return value. I get an empty list from Angr for each system call.
Before trying to extract things from PE, I did the same for ELF binaries and everything seems to work well. For ELF, what I do is something like this: arguments = path.next_run.artifacts['procedure'].cc.ARG_REGS
For PE, ARG_REGS is always empty. So I'm not sure if I missed something from calling conventions or if this is not implemented yet (from s_cc.py, the empty list seems to be hardcoded in the SimCCxxWindowsxx classes). I tried to check the stack for the arguments too, but I did not find anything really relevant.
Basically: am I doing something wrong here, or is there a way to retrieve the arguments and their type with Angr that I'm not aware of?
Thanks and have a good day!
If the binary is 32 bit, then cc.ARG_REGS should be empty. Otherwise it should be populated and things like cc.arg(state, num) should work. (Read: "It works for me.")
Please post the binary and a simple script that reproduces the issue for additional support.
It just hit me that I assumed you were talking about an ntdll SimProcedure stubbed by ReturnUnconstrained, which would be handled by SimCCSystemVAMD64 by default. However, after revisiting your issue, it looks like you are actually trying to simulate an actual syscall instruction. The current Windows SimOS has a simulated syscall table with no defined syscall SimProcedures. In general, Windows is not very well supported at the moment.
Also, you are right that ARG_REGS is not correctly populated. I think it should be ['r10', 'r11'] (you should double check).
If that fixes your issue, feel free to submit a PR. You could probably check off the TODO as a result.