README.md

File metadata and controls

121 lines (94 loc) · 3.13 KB

How to use

Table of Contents

  0. Tested Environment
  1. Install dependencies
  2. Clone this repo & change kernel to 6.0.0-nyx+
  3. Build the Windows VM Template
  4. Import the template into Vagrant
  5. Import into libvirt
  6. Run Fuzz
  7. How to reproduce bugs

0. Tested Environment

CPU : Intel i7-12700K
RAM : 84G
GPU : Nvidia GeForce 1060 Super
OS : Ubuntu 20.04.6 LTS, Ubuntu 22.04.6 LTS

1. Install dependencies

```sh
sudo apt-get update -y
sudo apt-get install gcc git make curl vim python3 python3-venv -y
```

2. Clone this repo & change kernel to 6.0.0-nyx+

```sh
cd ~
git clone https://github.com/0dayResearchLab/msFuzz.git kAFL
cd kAFL
make deploy
reboot
```

3. Build the Windows VM Template

```sh
cd ~/kAFL
make deploy -- --tags examples,examples-template-windows
cd ./kafl/examples/templates/windows
make build
```

4. Import the template into Vagrant

```sh
make import
```

5. Import into libvirt

```sh
cd ../../windows_x86_64
make init
```

6. Run Fuzz

```sh
cd ~/kAFL
make env
cd kafl/examples/windows_x86_64/
mkdir -p bin/driver
cp ../../fuzzer/Utils/Harness_for_nyx.sys ./bin/driver
```


1. Edit src/driver/vuln_test.c and set the symbolic link name and the target .sys file (the target driver name).

2. Boot the QEMU guest:
   vagrant up --no-provision

3. Save a QEMU snapshot named 'ready_provision':
   vagrant snapshot save --force 'ready_provision'

4. Select one of the following targets to push and load the driver and/or harness into the guest VM via WinRM:
   - make target
     Automatically copies **both** the test driver (`bin/driver/target.sys`) and the harness executable (`bin/driver/vuln_test.exe`) into the VM and loads them.

   - make no_target
     Copies **only** the harness executable (`vuln_test.exe`) into the VM and loads it; no test driver is deployed.

   - make environment
     Skips the built-in WinRM scripts. Use this if you prefer to configure the QEMU/WinRM environment manually.

5. mkdir -p ./seed

6. ./run.sh
   The result.json file is generated with angrPT (https://github.com/0dayResearchLab/angrPT). It holds, for each IoControl code, its constraints and its global variable dependencies.

7. Show the GUI:
   cd ~/kAFL
   make env
   cd kafl/examples/windows_x86_64/
   kafl gui -w work

8. make revoke: revert the VM from the fuzzed state back to the snapshot saved in step 3 ('ready_provision').
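
As an added example (not code from the msFuzz repository), a POSIX shell wrapper for steps 2 to 6 above that checks the staged harness files and the snapshot before starting a run, so a clean 'ready_provision' snapshot is never overwritten by a fuzzed VM state. It assumes it is run from kafl/examples/windows_x86_64 after `make env`, that `vagrant snapshot list` prints one snapshot name per line, and the file name prefuzz_check.sh is hypothetical.

```sh
#!/bin/sh
# prefuzz_check.sh (added example, hypothetical name): validate the Run Fuzz
# prerequisites before touching the VM. Run from kafl/examples/windows_x86_64
# after `make env`; assumes `vagrant snapshot list` prints one name per line.
set -eu
# Decide which WinRM push target matches the files staged under bin/driver:
#   target    - both target.sys and vuln_test.exe are present
#   no_target - only the harness executable vuln_test.exe is present
#   missing   - no harness executable; nothing can be loaded into the guest
pick_load_target() {
  dir="$1"
  if [ ! -f "$dir/bin/driver/vuln_test.exe" ]; then
    echo missing
  elif [ -f "$dir/bin/driver/target.sys" ]; then
    echo target
  else
    echo no_target
  fi
}

# Succeed when snapshot $2 appears in the `vagrant snapshot list` output $1
# (the output is passed in so the check works without a running VM).
has_snapshot() {
  printf '%s\n' "$1" | grep -qx "$2"
}

# Boot the guest and save 'ready_provision' only when no such snapshot
# exists yet, so a clean snapshot is never replaced by a fuzzed VM state.
ensure_snapshot() {
  if has_snapshot "$(vagrant snapshot list 2>/dev/null)" ready_provision; then
    echo "snapshot ready_provision already saved; reusing it"
  else
    vagrant up --no-provision
    vagrant snapshot save --force ready_provision
  fi
}

main() {
  case "$(pick_load_target .)" in
    target)    ensure_snapshot; make target ;;
    no_target) ensure_snapshot; make no_target ;;
    *) echo "bin/driver/vuln_test.exe not found; build the harness first" >&2
       exit 1 ;;
  esac
  mkdir -p ./seed
  ./run.sh
}
# Run the workflow only when invoked as prefuzz_check.sh; sourcing the file
# (for example to test the helpers) just defines the functions.
case "${0##*/}" in prefuzz_check.sh) main "$@" ;; esac
```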

7. How to reproduce bugs

kAFL includes a replay utility to rerun a specific payload against your driver:

```sh
# Build and run the replay tool ($kAFL is the clone directory, ~/kAFL in this guide;
# use whichever C++ compiler you have installed)
cd $kAFL/docs/installation
<your-compiler> replay.cpp -o replay

# Usage:
./replay <SymbolicLinkName> <PayloadFile>
```

Fuzz Success