Analysis of Windows DLLs

This tutorial outlines how a Windows dynamic-link library (DLL) can be analyzed in S2E. As an example we will analyze the Beep function in kernel32.dll.

Preparing the test environment

As usual, use s2e-env to create your S2E environment. Build a Windows image using the image_build command. Note that when building a Windows image the --iso-dir option must be provided. E.g.

s2e image_build --iso-dir /path/to/windows/iso/dir windows-7sp1ent-x86_64

Once you have a suitable image, a DLL project can be created. E.g.

s2e new_project /path/to/kernel32.dll Beep 5000 1000

This will create the kernel32 project in your S2E environment. Note that when creating a DLL project the target DLL must have the .dll extension. Opening the script you can see that Windows’ rundll32 program will be used to execute the DLL and that the Beep function will be used as the entry point. The arguments 5000 and 1000 were also specified when creating the new project. These correspond to the frequency and duration of the sound, as specified in the Beep documentation.

rundll32 never terminates after launching, so we must modify s2e-config.lua to ensure that translation block coverage is recorded. To do so, we will enable periodic coverage updates for the TranslationBlockCoverage plugin. We can do this by modifying the TranslationBlockCoverage configuration as follows:

pluginsConfig.TranslationBlockCoverage = {
    writeCoverageOnStateKill = true,
    writeCoveragePeriod = 60,

Finally, start the analysis using the script. Let S2E run for approximately 2 minutes before stopping it (e.g. via killall -9 qemu-system-x86_64).

Generate basic block coverage

You can use s2e-env to generate basic block coverage to confirm that the Beep function was executed.

s2e coverage basic_block kernel32

This will generate projects/kernel32/s2e-last/basic_block_coverage.json. Running the install/bin/ script to highlight the basic block coverage should give a similar result to the following: