This repository was archived by the owner on Jul 8, 2024. It is now read-only.

Fuzzing Windows

Tamas K Lengyel edited this page Mar 23, 2021 · 9 revisions

Generate JSON from Windows kernel debug info

  1. Download Volatility3 from https://github.com/volatilityfoundation/volatility3/releases/latest
  2. Build it: `python3 setup.py build`
  3. Boot your Windows VM
  4. Run `vmi-win-guid name <vm_name>`:

```
# vmi-win-guid name windows10
Windows Kernel found @ 0x3400000
	Version: 64-bit Windows 10
	PE GUID: d3f646971046000
	PDB GUID: 3fcc539ff307dd2d9c509206d352b9aa1
	Kernel filename: ntkrnlmp.pdb
```

Note the PDB GUID and kernel filename.

  5. Use Volatility3's pdbconv to fetch the PDB and convert it to JSON:

```
python3 volatility3/volatility/framework/symbols/windows/pdbconv.py --guid 3fcc539ff307dd2d9c509206d352b9aa1 -p ntkrnlmp.pdb -o windows10.json
```

Fuzzing a kernel driver with source access

When you can recompile your target, use the standard cpuid harness to mark the beginning and end of the code you want to fuzz. Follow the official Microsoft documentation to set up the Visual Studio environment for the WDK: Download the Windows Driver Kit (WDK). The testmodule_win sample driver shows the cpuid harness you can compile into your target:

```asm
TITLE kfx harness

.code
;void harness(void);
; Plain start/end marker: executes CPUID with the magic value in RAX.
harness PROC
	push rax
	push rbx
	push rcx
	push rdx
	mov rax,13371337h
	cpuid			; CPUID clobbers RAX, RBX, RCX, RDX, hence the saves above
	pop rdx
	pop rcx
	pop rbx
	pop rax
	ret
harness ENDP

;void harness_extended(int magic_mark, unsigned long long address, size_t size);
; Microsoft x64 convention: magic_mark in RCX, address in RDX, size in R8.
harness_extended PROC
	push rax
	push rbx
	push rcx
	push rdx

	mov r9,rdx		; R9  = full address (its low 32 bits become ECX later)
	shr rdx,32
	mov r10,rdx		; R10 = high 32 bits of address

	mov rax,rcx		; first CPUID: EAX = magic_mark
	mov rcx,r8		;              ECX = size
	cpuid

	mov rax,r10		; second CPUID: EAX = address high half
	mov rcx,r9		;               ECX = address low half
	cpuid

	pop rdx
	pop rcx
	pop rbx
	pop rax
	ret
harness_extended ENDP

END
```
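As an added illustration (not code from the kfx wiki or the testmodule_win driver), the following C mirrors the register layout harness_extended leaves in its two CPUID instructions and pairs it with a hypothetical monitor-side decoder. It assumes the monitor reads only the 32-bit EAX/ECX that CPUID itself consumes, which is what the explicit high/low split of the address in the assembly suggests; under that assumption magic_mark and size are limited to 32 bits while the address survives intact.

```c
#include <stdint.h>

/* Magic value the plain harness() PROC loads into RAX before CPUID. */
#define HARNESS_MAGIC 0x13371337u

/* One CPUID exit as an assumed 32-bit-only monitor sees it: CPUID itself
 * consumes only EAX and ECX, so that is all this model keeps. */
typedef struct { uint32_t eax, ecx; } cpuid_exit_t;

/* Guest side, mirroring harness_extended(magic_mark, address, size):
 * exit 0 carries magic (EAX) and size (ECX), exit 1 carries the address
 * split into its high (EAX) and low (ECX) 32-bit halves. */
static void encode_harness_extended(uint32_t magic, uint64_t address,
                                    uint64_t size, cpuid_exit_t out[2]) {
    out[0].eax = magic;                     /* mov rax,rcx             */
    out[0].ecx = (uint32_t)size;            /* mov rcx,r8 (ECX only)   */
    out[1].eax = (uint32_t)(address >> 32); /* shr rdx,32; mov rax,r10 */
    out[1].ecx = (uint32_t)address;         /* mov r9,rdx; mov rcx,r9  */
}

/* Hypothetical monitor side (not kfx's own code): rebuild the arguments from
 * two consecutive exits. Only the address comes back as a full 64-bit value. */
static void decode_harness_extended(const cpuid_exit_t in[2], uint32_t *magic,
                                    uint64_t *address, uint32_t *size) {
    *magic = in[0].eax;
    *size = in[0].ecx;
    *address = ((uint64_t)in[1].eax << 32) | in[1].ecx;
}

/* True when an exit's EAX matches the plain harness() marker. */
static int is_harness_mark(uint32_t eax) { return eax == HARNESS_MAGIC; }

/* Encode then decode; reports whether every field survived. A size that
 * needs more than 32 bits does not, which is the caveat to remember. */
static int roundtrip_ok(uint32_t magic, uint64_t address, uint64_t size) {
    cpuid_exit_t ex[2];
    uint32_t m, s;
    uint64_t a;
    encode_harness_extended(magic, address, size, ex);
    decode_harness_extended(ex, &m, &a, &s);
    return m == magic && a == address && (uint64_t)s == size;
}

/* Register value (EAX or ECX) of exit exit_idx for the given arguments. */
static uint32_t encoded_reg(uint32_t magic, uint64_t address, uint64_t size,
                            int exit_idx, int want_ecx) {
    cpuid_exit_t ex[2];
    encode_harness_extended(magic, address, size, ex);
    return want_ecx ? ex[exit_idx].ecx : ex[exit_idx].eax;
}
```

The constructed sample values in the test use the target address and input limit from the afl-fuzz command on this page.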

The setup and fuzzing phases are the same as for Linux. To override the default built-in Linux sink points, pass --sink on the kfx command line with the functions you want reported as a crash. For example, the following reports every call to KiDispatchException as a crash to AFL:

```sh
AFL_KILL_SIGNAL=15 ./AFLplusplus/afl-fuzz -i input -o output -- \
    ./kfx --domain windows10 --json ~/windows10.json \
    --address 0xffffde8cd4144800 \
    --input-limit 69 \
    --input @@ --ptcov \
    --sink KiDispatchException
```