wmliang, latest commit b9de4e9 (support mpx), Feb 24, 2019

README.md
pe-afl combines static binary instrumentation of PE binaries with WinAFL, so that it can fuzz Windows user-mode applications and kernel-mode drivers without source code, full symbols or hardware support.

Details, benchmarks and some kernel-mode case studies can be found in the slides and video presented at BluehatIL 2019.

It is not very reliable and is somewhat dirty, but it works and is high-performance.

I reported bugs in office, gdiplus, jet, lnk, clfs, cng and hid by using this tool.

The instrumentation part for PE can be reused for many purposes.

PS: the scripts run faster on non-Windows.

## How-to instrument

Example: instrument 2 NOPs at the entry point of calc.exe

```
ida.exe demo\calc.exe
# loading with the pdb is more reliable if a pdb is available

File->script file->ida_dump.py

python instrument.py -i"{0x1012d6c:'9090'}" demo\calc.exe demo\calc.exe.dump.txt
# 0x1012d6c is the entry point address; you can instrument from the command line or from __main__ in instrument.py
```
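Writing patched bytes into the image, as the NOP example above does, leaves the IMAGE_OPTIONAL_HEADER.CheckSum field stale; the repo ships fix_checksum.py for that, and the PE spec says Windows checks the field for drivers (such as clfs.sys) and for DLLs loaded at boot or into critical processes. The block below is an added example, not the repo's own code: it implements the PE checksum algorithm in pure Python and runs it over a constructed minimal PE32 image (`build_sample_pe` and the other function names are mine).

```python
import struct

def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at optional-header offset 64
    return e_lfanew + 4 + 20 + 64

def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, skipping the CheckSum dword, plus file length."""
    skip = checksum_field_offset(data)
    buf = data + b"\0" if len(data) % 2 else data      # pad an odd trailing byte
    total = 0
    for off in range(0, len(buf), 2):
        if skip <= off < skip + 4:
            continue                                    # the field itself is excluded
        total += struct.unpack_from("<H", buf, off)[0]
        total = (total & 0xFFFF) + (total >> 16)        # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def fix_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a recomputed CheckSum written into the header."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)

def checksum_is_valid(data: bytes) -> bool:
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored == pe_checksum(data)

def build_sample_pe() -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header, PE32 optional header, 64 int3 bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)     # i386, no sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 64          # "code" starts at 312

if __name__ == "__main__":
    pe = fix_checksum(build_sample_pe())
    patched = bytearray(pe)
    patched[312:314] = b"\x90\x90"           # simulate instrumenting 2 NOPs
    print(checksum_is_valid(pe), checksum_is_valid(bytes(patched)),
          checksum_is_valid(fix_checksum(bytes(patched))))
```

Run the same functions over a real instrumented binary to confirm the header was fixed before copying it into System32.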

## How-to fuzz

You have to implement the wrapper/harness (AFL\test_XXX) depending on the target, and add anything you want, such as page heap, etc.

### Instrument JetDB for fuzzing

```
ida.exe demo\msjet40.dll

File->script file->ida_dump.py

python pe-afl.py -m demo\msjet40.dll demo\msjet40.dll.dump.txt
# msjet40 is multi-threaded, so -m is needed here
```

### Fuzz JetDB on win7

```
copy /Y msjet40.instrumented.dll C:\Windows\System32\msjet40.dll

bin\afl-showmap.exe -o NUL -p msjet40.dll -- bin\test_mdb.exe demo\mdb\normal.mdb
# make sure that the coverage capture is OK

bin\AFL.exe -i demo\mdb -o out -t 5000 -m none -p msjet40.dll -- bin\test_mdb.exe @@
```

### Instrument CLFS for fuzzing

```
ida.exe demo\clfs.sys
File->script file->ida_dump.py

python pe-afl.py demo\clfs.sys demo\clfs.sys.dump.txt
```

### Fuzz CLFS on win10

```
install_helper.bat
disable_dse.bat
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary

bin\afl-showmap.exe -o NUL -p clfs.sys -- bin\test_clfs.exe demo\blf\normal.blf
# make sure that the coverage capture is OK

bin\AFL.exe -i demo\blf -o out -t 5000 -m none -p clfs.sys -- bin\test_clfs.exe @@
```

## How-to trace

Example: log a driver execution trace and import it into Lighthouse

```
ida.exe demo\clfs.sys
File->script file->ida_dump.py

python pe-afl.py -cb demo\clfs.sys demo\clfs.sys.dump.txt
copy /Y clfs.instrumented.sys C:\Windows\System32\drivers\clfs.sys
# reboot if necessary

bin\afl-showmap.exe -o NUL -p clfs.sys -d -- bin\test_clfs.exe demo\blf\normal.blf
# the output is trace.txt

python lighthouse_trace.py demo\clfs.sys demo\clfs.sys.mapping.txt trace.txt > trace2.txt

# install lighthouse
xcopy /y /e lighthouse [IDA folder]\plugins\

ida.exe demo\clfs.sys
File->Load File->Code coverage file->trace2.txt
```

## TODO

- support x64
