Nytro

PE-AFL


pe-afl combines static binary instrumentation of PE binaries with WinAFL,

so that it can fuzz Windows user-mode applications and kernel-mode drivers without source, full symbols or hardware support.

Details, benchmarks and some kernel-mode case studies can be found in the slides, which were presented at BluehatIL 2019.

It is not so reliable and is dirty, but it works and is high-performance.

I reported bugs in office, gdiplus, jet, clfs, cng, hid, ... using this tool.

The instrumentation part for PE can be reused for many purposes.

How-to instrument

instrument 2 NOPs at the entry point of calc.exe

ida.exe demo\calc.exe
# loading with the pdb is more reliable if one is available

File->script file->ida_dump.py

python instrument.py -i"{0x1012d6c:'9090'}" demo\calc.exe demo\calc.exe.dump.txt
# 0x1012d6c is the entry point address; you can instrument from the command line or from __main__ in instrument.py
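The entry point address passed to instrument.py above is a virtual address (ImageBase + AddressOfEntryPoint from the optional header). The following is an added example, not part of pe-afl or its README, showing how to read that address straight out of the PE headers, confirm it lands in an executable section, and build the `-i` argument string in the `{va:'hexbytes'}` form used above. The PE image it parses is a constructed toy header (names `build_toy_pe`, `pe_entry_point`, `entry_section`, `instrument_arg` are all assumptions for this example) whose ImageBase and entry RVA were chosen to reproduce the 0x1012d6c value quoted for calc.exe; it is not the real calc.exe.

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC = 0x10B  # pe-afl targets PE32 (x86); x64 is on its TODO list


def _headers(data: bytes):
    """Return (e_lfanew, optional header offset, number of sections, size of optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    _machine, num_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (x86) images are handled here")
    return e_lfanew, opt_off, num_sections, opt_size


def pe_entry_point(data: bytes) -> int:
    """Virtual address of the entry point: ImageBase + AddressOfEntryPoint (PE32 layout)."""
    _, opt_off, _, _ = _headers(data)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]  # ImageBase
    return image_base + entry_rva


def entry_section(data: bytes, va: int):
    """Name of the executable section containing `va`, or None if it is not in one."""
    _, opt_off, num_sections, opt_size = _headers(data)
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    rva = va - image_base
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        if vaddr <= rva < vaddr + vsize and chars & IMAGE_SCN_MEM_EXECUTE:
            return name.rstrip(b"\0").decode()
    return None


def instrument_arg(va: int, patch_hex: str = "9090") -> str:
    """Build the value for instrument.py's -i option, e.g. {0x1012d6c:'9090'}."""
    if len(patch_hex) % 2 or int(patch_hex, 16) < 0:
        raise ValueError("patch must be an even-length hex string")
    return "{0x%x:'%s'}" % (va, patch_hex)


def build_toy_pe(image_base: int = 0x1000000, entry_rva: int = 0x12D6C) -> bytes:
    """Constructed minimal PE32 header set with one executable .text section (sample input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x20000, 0x1000, 0x20000, 0x400,
                       0, 0, 0, 0, 0x60000020)               # CODE|EXECUTE|READ
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text


if __name__ == "__main__":
    # Usage: python find_entry.py [file.exe]; with no argument the toy image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_toy_pe()
    va = pe_entry_point(data)
    print("entry point 0x%x in section %s" % (va, entry_section(data, va)))
    print("instrument.py -i\"%s\"" % instrument_arg(va))
```

Run it against the real target before instrumenting: if `entry_section` returns None the address is not in an executable section and the patch would land in data, which is exactly the situation where loading the pdb in IDA first (as the README suggests) pays off.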

instrument each basic block for fuzzing

ida.exe demo\msjet40.dll

File->script file->ida_dump.py

python pe-afl.py -m demo\msjet40.dll demo\msjet40.dll.dump.txt
# msjet40 is multi-threaded, so -m is used here

# see fuzz JetDB on win7

PS: the instrument script runs faster on non-Windows

How-to fuzz

You have to implement the wrapper/harness (AFL\test_XXX), which depends on the target,

and add anything you want, such as page heap, etc.

fuzz JetDB on win7

copy /Y msjet40.instrumented.dll C:\Windows\System32\msjet40.dll

bin\afl-showmap.exe -o NUL -p msjet40.dll -- bin\test_mdb.exe demo\mdb\normal.mdb
# make sure that capture is OK

bin\AFL.exe -i demo\mdb -o out -t 5000 -m none -p msjet40.dll -- bin\test_mdb.exe @@

fuzz CLFS on win10

install_helper.bat
disable_dse.bat
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary

bin\afl-showmap.exe -o NUL -p clfs.sys -- bin\test_clfs.exe demo\blf\normal.blf
# make sure that capture is OK

bin\AFL.exe -i demo\blf -o out -t 5000 -m none -p clfs.sys -- bin\test_clfs.exe @@

How-to trace

import a driver execution trace into Lighthouse

ida.exe demo\clfs.sys
File->script file->ida_dump.py

python pe-afl.py -cb demo\clfs.sys demo\clfs.sys.dump.txt
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary

bin\afl-showmap.exe -o NUL -p clfs.sys -d -- bin\test_clfs.exe demo\blf\normal.blf
# output is trace.txt

python lighthouse_trace.py demo\clfs.sys demo\clfs.sys.mapping.txt trace.txt > trace2.txt

# install lighthouse
xcopy /y /e lighthouse [IDA folder]\plugins\

ida.exe demo\clfs.sys
File->Load File->Code coverage file->trace2.txt

TODO

support x64

Source: https://github.com/wmliang/pe-afl
