An External Perspective To Extending Microsoft's Phoenix Framework


Presented at BlueHat 2007 by

An understanding of Microsoft's Phoenix framework will soon be a requirement for those involved in software analysis and optimization. Phoenix makes it possible to easily develop tools that can be used during the compilation or analysis of software. While Phoenix has been used for this purpose within Microsoft for quite some time, it has only within the last year seen broader third-party use. The Cthulhu framework, built largely on top of Phoenix, is an example of a third-party tool in development. Cthulhu's purpose is to provide an abstraction layer that supports seamless and consistent representation of concrete software elements, such as a method, a data type, an instruction, and so on. This abstraction layer makes it possible to build tools that will be API-compliant with different fundamental binary analysis frameworks, such as Phoenix. Using abstraction, it's possible to normalize information obtained with Phoenix into a database in a format that can be easily indexed later. Storing this information in a database permits the analysis of much larger data sets than could reasonably be represented at once in physical memory. The purpose of this talk will be to illustrate one direction in which Phoenix can be extended and abstracted. This direction will be described in terms of the general architecture of Cthulhu as well as some of the more interesting features it supports. The reason for the direction's name should be obvious; after all, the only thing that could possibly contain and ultimately devour a Phoenix would be Cthulhu himself, right?
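The abstract describes two design ideas: a frontend-agnostic abstraction over analysis elements (methods, instructions), and normalizing those elements into an indexed database so that queries run over data sets larger than memory. The sketch below is an added illustration of that pattern written for this page; it is not Cthulhu or Phoenix code. The `Frontend` interface, the `FakeFrontend` sample program and the table layout are all assumptions, and the stand-in frontend streams constructed data rather than reading a real binary.

```python
"""Added illustration: a frontend-agnostic abstraction layer that normalizes
analysis elements (methods, instructions) into an indexed SQLite database.
Example code written for this page, not Cthulhu or Phoenix; the frontend is a
constructed stand-in and every name here is an assumption."""
import sqlite3
from dataclasses import dataclass
from typing import Iterable, List, Optional, Protocol


@dataclass(frozen=True)
class Method:
    name: str
    address: int


@dataclass(frozen=True)
class Instruction:
    method: str                  # owning method name
    offset: int                  # offset from method start
    opcode: str
    target: Optional[str] = None  # callee name for call instructions


class Frontend(Protocol):
    """What any concrete framework adapter must provide (assumed interface).
    A Phoenix-backed adapter and any other backend would implement these two
    methods; everything below only depends on this surface."""
    def methods(self) -> Iterable[Method]: ...
    def instructions(self, method: Method) -> Iterable[Instruction]: ...


class FakeFrontend:
    """Constructed sample program standing in for a real analysis framework."""
    def methods(self):
        yield Method("main", 0x1000)
        yield Method("parse", 0x1100)
        yield Method("strcpy", 0x2000)

    def instructions(self, method):
        table = {
            "main": [Instruction("main", 0, "push"),
                     Instruction("main", 4, "call", "parse")],
            "parse": [Instruction("parse", 0, "mov"),
                      Instruction("parse", 3, "call", "strcpy"),
                      Instruction("parse", 8, "ret")],
            "strcpy": [Instruction("strcpy", 0, "ret")],
        }
        return table[method.name]


def normalize(frontend: Frontend, path: str = ":memory:") -> sqlite3.Connection:
    """Stream every element from the frontend into SQLite. Rows are written one
    method at a time, so resident memory is bounded by one method's
    instructions rather than the whole program; indexes make later lookups
    independent of program size."""
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS method(name TEXT PRIMARY KEY, address INTEGER);
        CREATE TABLE IF NOT EXISTS insn(method TEXT, offset INTEGER, opcode TEXT, target TEXT);
        CREATE INDEX IF NOT EXISTS insn_target ON insn(target);
        CREATE INDEX IF NOT EXISTS insn_method ON insn(method);
    """)
    for m in frontend.methods():
        db.execute("INSERT OR REPLACE INTO method VALUES (?, ?)", (m.name, m.address))
        db.executemany(
            "INSERT INTO insn VALUES (?, ?, ?, ?)",
            ((i.method, i.offset, i.opcode, i.target) for i in frontend.instructions(m)),
        )
    db.commit()
    return db


def callers_of(db: sqlite3.Connection, callee: str) -> List[str]:
    """Indexed query: which methods contain a call to `callee`? Answered from
    the database without re-running the frontend."""
    rows = db.execute(
        "SELECT DISTINCT method FROM insn WHERE opcode = 'call' AND target = ? ORDER BY method",
        (callee,),
    )
    return [r[0] for r in rows]


def instruction_count(db: sqlite3.Connection, method: str) -> int:
    """Indexed query: number of normalized instructions recorded for `method`."""
    return db.execute("SELECT COUNT(*) FROM insn WHERE method = ?", (method,)).fetchone()[0]


if __name__ == "__main__":
    conn = normalize(FakeFrontend())
    print(callers_of(conn, "strcpy"))        # ['parse']
    print(instruction_count(conn, "parse"))  # 3
```

Swapping `FakeFrontend` for an adapter over a real framework leaves `normalize` and the query functions untouched, which is the portability the abstract attributes to the abstraction layer; pointing `path` at an on-disk file instead of `:memory:` is what lets the recorded program exceed physical memory.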