• This repository has been archived on 14/May/2022
  • Stars
    star
    148
  • Rank 249,983 (Top 5 %)
  • Language
    C
  • Created over 9 years ago
  • Updated over 9 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automatically exported from code.google.com/p/ioctlfuzzer
  IOCTL Fuzzer ver. 1.3
  http://code.google.com/p/ioctlfuzzer/
  
  (c) 2009-2011 eSage lab
  http://www.esagelab.com/
  [email protected]
 
 
==============================================
  Overview
==============================================

 IOCTL Fuzzer is a tool designed to automate the task of searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

Current OS support (x32 and x64): Windows XP, Vista, 2003 Server, 2008 Server, 7.

 The fuzzer’s own driver hooks nt!NtDeviceIoControlFile() in order to take control of all IOCTL requests throughout the system. 

 While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original IRP in all respects except the input data, which is changed to randomly generated fuzz.

 Besides the fuzzing functionality, monitoring mode is also available with the tool. The monitoring mode allows logging of IRPs, optionally including their HEX dumps, into a file and/or a console. 
 
 Also, since 1.2 version exceptions monitoring feature is available, that can be usefull while fuzzing not only a kernel drivers. Exception monitoring is working through unexported function nt!KiDispatchException() pathing, which address obtained from Windows kernel debug symbols (they are automatically downloading from Microsoft's PDB server, during fuzzer initialization).

 Specific IOCTLs which are to be logged or fuzzed by the tool are defined in the XML configuration file. IOCTLs may be filtered by the following parameters:

 * Path to executable file corresponding to a process from which an IOCTL request is sent.
 * IOCTL destination device name.
 * IOCTL destination driver name.
 * IOCTL Control Code.

 Since 1.3 version IOCTL Fuzzer dumps _all_ catched IOCTLs information in text file %SystemDrive%\ioctls.log
 Information from this file can be used for calculating requests count for each device/driver during the attack surface analysis (see below).


==============================================
  Command line options
==============================================

--config <path> - Specify path to the fuzzer XML configuration file. For more information about configuration file format see example in bin/ioctlfuzzer.xml. If '--config' option is not specified - application will start in IOCTLs monitoring mode.

--boot - Boot time fuzzing/monitoring. This option will run fuzzer with the next system reboot.

--exceptions - Enable exceptions monitoring. Notice: files dbgeng.dll, dbghelp.dll and symsrv.dll are required for exceptions monitoring and must be placed into the same directory, as IOCTL Fuzzer executable.

--noioctls - Disable IOCTLs monitoring, show exceptions only (this option valid if '--exceptions' has been specified).

--uninstall - Uninstall IOCTL Fuzzer kernel driver and exit.

--analyze - Attack surface analysis feature: prints list of all drivers, devices and their properties (security settings, number of catched IOCTL requests, driver file product/vendor information, opened handles for devices, etc.), see log file example in attack-surface-analysis_NT6.1_x86.log. 

--loadlog <path> - Load catched IOCTLs information for attack surface analysis from external log file. This option can be used only with '--analyze', as '<path>' parameter you can specify path to the catched IOCTLs log file (%SystemDrive%\ioctls.log), which is created automatically when IOCTL Fuzzer runs in IOCTLs fuzzing or monitoring mode.


Typical usage example (run IOCTL Fuzzer with XML config and enable exceptions monitoring):

 > ioctlfuzzer.exe --config ioctlfuzzer.xml --exceptions


==============================================
  Using the fuzzer
==============================================

General algorithm for fuzz-testing an application is as follows.

1. Install target application onto a virtual machine.

2. Attach a remote debugger to the virtual machine. Notice: how to configure WinDbg remote connection to VMware: http://silverstr.ufies.org/lotr0/windbg-vmware.html.

3. Run IOCTL Fuzzer in fuzzing mode on the guest OS.

4. Play around with target application unless an unhandled exception is displayed in the remotely attached debugger. Notice: normally, i.e. with no debugger attached, an unhandled exception will provoke a BSOD.  

5. Release code execution on the virtual machine (F5 in WinDbg) to allow guest OS generate a crash dump.

6. Analyze the crash dump. IOCTL which provoked the unhandled exception should be found at this step. 

7. If necessary, manual analysis of the application binary code may be performed.


==============================================
  Using the attack surface analysis feature
==============================================

Typical attack surface analysis usage scenario:
  
1. Enable boot time monitoring to collect information about the most frequently-used IOCTL requests: 

   > ioctlfuzzer.exe --config ioctlfuzzer.xml --boot
  
2. Reboot the box.
  
3. After reboot run attack surface analysis and pass to the IOCTL Fuzzer path of the log file, with all of the collected IOCTLs information: 

   > ioctlfuzzer.exe --analyze --loadlog %SystemDrive%\ioctls.log.


==============================================
  Using the fuzzer with 
  Kernel Debugger Communication Engine
==============================================
 
Integration with Kernel Debugger Communicatioin Engine allows the IOCTL Fuzzer to execute any commands in remote kernel debugger for IOCTL requests parameters, which were specified in the XML configuration file.
 

1. Before running fuzzer you need to load Kernel Debugger Communicatioin Engine extension in your remote kernel debugger by executing command ".load \path\to\ioctlfuzzer\binaries\dbgcb.dll".


2. Edit "dbgcb" nodes list in XML configuration file. For example, if you want to run "kb 40" command for each IOCTL request, that executed from the net.exe process context:

<dbgcb>
  <process val="net.exe"><![CDATA[kb 40]]></process>
</dbgcb>

Also, you can use "device" or "driver" nodes, for specifying device/driver name, and "ioctl" for I/O Control Code value:

<dbgcb>
  <device val="\Device\Ndis"><![CDATA[kb 40]]></device>
  <driver val="\Driver\NDIS"><![CDATA[kb 40]]></driver>
  <ioctl val="0x00170014"><![CDATA[kb 40]]></ioctl>
</dbgcb>

If command value is not specified -- fuzzer just breaks into debugger when catching request with the appropriate parameters:

<dbgcb>
  <process val="net.exe" />
</dbgcb>


3. Run fuzzer with XML configuration file:

   > ioctlfuzzer.exe --config ioctlfuzzer.xml
   

Note: Kernel Debugger Communication engine uses breakpoints for interaction between debugger extension and target system (https://github.com/Cr4sh/DbgCb/blob/master/dbgcb_scheme.png), so, you can use VirtualKD (http://virtualkd.sysprogs.org/) for better performance.

 
==============================================
  Building from sources
==============================================

1. Download and install Windows Driver Kit Version 7.1.0
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff   
 
2. Run Windows Server 2003 x86 (or x64, to build 64-bit version) Free Build Environment (Start -> «Windows Driver Kits» -> «WDK 7600.16385.1» -> 
«Build Environments» -> «Windows Server 2003» -> «x86 Free Build Environment»).

3. Go to the directory ./src/ and execute .\build.bat (or .\build64.bat, to build 64-bit version) from the Build Environment.

More Repositories

1

ThinkPwn

Started as arbitrary System Management Mode code execution exploit for Lenovo ThinkPad model line, ended as exploit for industry-wide 0day vulnerability in machines of many vendors
C
641
star
2

s6_pcie_microblaze

PCI Express DIY hacking toolkit for Xilinx SP605. This repository is also home of Hyper-V Backdoor and Boot Backdoor, check readme for links and info
C
599
star
3

SmmBackdoor

First open source and publicly available System Management Mode backdoor for UEFI based platforms. Good as general purpose playground for various SMM experiments.
C
541
star
4

MicroBackdoor

Small and convenient C2 tool for Windows targets. [ Русский -- значит нахуй! ]
C++
497
star
5

openreil

Open source library that implements translator and tools for REIL (Reverse Engineering Intermediate Language)
C
482
star
6

WindowsRegistryRootkit

Kernel rootkit, that lives inside the Windows registry values data
C
464
star
7

KernelForge

A library to develop kernel level Windows payloads for post HVCI era
C++
310
star
8

fwexpl

PC firmware exploitation tool and library
C++
231
star
9

PeiBackdoor

PEI stage backdoor for UEFI compatible firmware
C
185
star
10

UEFI_boot_script_expl

CHIPSEC module that exploits UEFI boot script table vulnerability
Python
128
star
11

DrvHide-PoC

Hidden kernel mode code execution for bypassing modern anti-rootkits.
C++
75
star
12

IDA-VMware-GDB

Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub
Python
72
star
13

PTBypass-PoC

Bypassing code hooks detection in modern anti-rootkits via building faked PTE entries.
C++
68
star
14

smram_parse

System Management RAM analysis tool
Python
59
star
15

Code-coverage-analysis-tools

Code coverage analysis tools for the PIN Toolkit
C++
57
star
16

Aptiocalypsis

Arbitrary SMM code execution exploit for industry-wide 0day vulnerability in AMI Aptio based firmwares
Python
55
star
17

MsFontsFuzz

OpenType font file format fuzzer for Windows
C++
51
star
18

secretnet_expl

LPE exploits for Secret Net and Secret Net Studio
C++
48
star
19

qc_debug_monitor

Debug messages monitor for Qualcomm cellular modems
Python
44
star
20

zc_pcie_dma

DMA attacks over PCI Express based on Xilinx Zynq-7000 series SoC
Tcl
43
star
21

DbgCb

Engine for communication with remote kernel debugger (KD, WinDbg) from drivers and applications
C++
36
star
22

SimpleUnpacker

Simple tool for unpacking packed/protected malware executables.
C++
30
star
23

prl_guest_to_host

Guest to host VM escape exploit for Parallels Desktop
C++
28
star
24

IDA-UbiGraph

IDA Pro plug-in and tools for displaying 3D graphs of procedures using UbiGraph
C++
24
star
25

blog

Stuff for blog.cr4.sh website
4
star