Nytro

PE-AFL

pe-afl combines static binary instrumentation of PE binaries with WinAFL,

so that it can fuzz Windows user-mode applications and kernel-mode drivers without source code, full symbols or hardware support.

Details, benchmarks and some kernel-mode case studies can be found in the slides presented at BlueHat IL 2019.

It is not very reliable and somewhat dirty, but it works and is high-performance.

I reported bugs in Office, gdiplus, jet, clfs, cng, hid, ... using this tool.

The instrumentation part for PE can be reused for many purposes.

How-to instrument

Instrument 2 NOPs at the entry point of calc.exe

ida.exe demo\calc.exe
# loading with the pdb is more reliable if one is available

File->script file->ida_dump.py

python instrument.py -i"{0x1012d6c:'9090'}" demo\calc.exe demo\calc.exe.dump.txt
# 0x1012d6c is the entry point address; you can instrument from the command line or from __main__ in instrument.py
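As an added example (not part of pe-afl), a small PE32/PE32+ header parser that computes ImageBase + AddressOfEntryPoint, the pre-relocation address the -i option takes, and then verifies that an instrumented file really starts with the NOPs at its entry point. The PE image it parses is constructed inline; build_test_pe and the 0x1020 entry RVA are assumptions for the demo, not values from the page.

```python
import struct

def pe_headers(data):
    """Return (optional header offset, section count, section table offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    return pe + 24, nsec, pe + 24 + opt_size

def entry_point(data):
    """Return (ImageBase + AddressOfEntryPoint, AddressOfEntryPoint); handles PE32 and PE32+."""
    opt, _, _ = pe_headers(data)
    magic, rva = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                           # PE32: ImageBase is a DWORD at +28
        return struct.unpack_from("<I", data, opt + 28)[0] + rva, rva
    if magic == 0x20B:                                           # PE32+: ImageBase is a QWORD at +24
        return struct.unpack_from("<Q", data, opt + 24)[0] + rva, rva
    raise ValueError("unknown optional header magic 0x%x" % magic)

def rva_to_offset(data, rva):
    """Map an RVA to a raw file offset through the section table (40-byte entries)."""
    _, nsec, sec = pe_headers(data)
    for i in range(nsec):
        vaddr, rawsize, rawptr = struct.unpack_from("<III", data, sec + i * 40 + 12)
        if vaddr <= rva < vaddr + rawsize:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def entry_has_nops(data, count=2):
    """True if the first `count` bytes at the entry point are 0x90 (the '9090' patch landed)."""
    _, rva = entry_point(data)
    off = rva_to_offset(data, rva)
    return data[off:off + count] == b"\x90" * count

def build_test_pe(entry_code):
    """Constructed minimal PE32, not a real binary: one .text section, entry at RVA 0x1020."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1020)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x01000000)                 # ImageBase
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    text = bytearray(0x200)
    text[0x20:0x20 + len(entry_code)] = entry_code
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(text)
```

Run it on the original and on the instrumented binary (open(path, "rb").read()): the VA is what goes into -i, and entry_has_nops on the output file confirms the patch hit the right spot.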

Instrument each basic block for fuzzing

ida.exe demo\msjet40.dll

File->script file->ida_dump.py

python pe-afl.py -m demo\msjet40.dll demo\msjet40.dll.dump.txt
# msjet40 is multi-threaded, hence -m

# see "fuzz JetDB on win7" below

PS: the instrument script runs faster on non-Windows systems

How-to fuzz

You have to implement the wrapper/harness (AFL\test_XXX) depending on the target,

and add anything you want, such as page heap, etc.

fuzz JetDB on win7

copy /Y msjet40.instrumented.dll C:\Windows\System32\msjet40.dll

bin\afl-showmap.exe -o NUL -p msjet40.dll -- bin\test_mdb.exe demo\mdb\normal.mdb
# make sure that capture is OK

bin\AFL.exe -i demo\mdb -o out -t 5000 -m none -p msjet40.dll -- bin\test_mdb.exe @@

fuzz CLFS on win10

install_helper.bat
disable_dse.bat
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary
bin\afl-showmap.exe -o NUL -p clfs.sys -- bin\test_clfs.exe demo\blf\normal.blf
# make sure that capture is OK
bin\AFL.exe -i demo\blf -o out -t 5000 -m none -p clfs.sys -- bin\test_clfs.exe @@

How-to trace

Import the driver execution trace into Lighthouse

ida.exe demo\clfs.sys
File->script file->ida_dump.py

python pe-afl.py -cb demo\clfs.sys demo\clfs.sys.dump.txt
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary

bin\afl-showmap.exe -o NUL -p clfs.sys -d -- bin\test_clfs.exe demo\blf\normal.blf
# output is trace.txt

python lighthouse_trace.py demo\clfs.sys demo\clfs.sys.mapping.txt trace.txt > trace2.txt

# install lighthouse
xcopy /y /e lighthouse [IDA folder]\plugins\

ida.exe demo\clfs.sys
File->Load File->Code coverage file->trace2.txt

TODO

Support x64


Source: https://github.com/wmliang/pe-afl
