-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fuzzing for drivers that are loaded only when a particular process is running #224
Comments
Hi @hyjun0407 Thanks for your question and interest in kAFL. In fact, It was relying on However, the feature that you are referring to (the ability to take a pre-snapshot in a specific context) still exists thanks to The examples haven't been updated yet to highlight that feature. In the meantime, you can take the code from Loader.c, tweak it to your needs, and capture that pre-snapshot. If this fits your use case, please give my your feedback, i would be happy to integrate it into the examples and update the documentation accordingly. |
My use case is what I want to take snapshots after running a particular process that load driver. from what I understand, Lock Hypercall can do that (because the document says I can snapshot it when you want.. Please tell me if you misunderstood) If added to the project, it would be good. |
Yes the LOCK hypercall is the right feature here. It configures Otherwise, yes the LOCK hypecall is your friend ! cc @il-steffen, if you'd like to add anything |
Unfortunately, I've already tried everything using ansible playbook, but it's been excluded because it includes installation through gui. (I've already tried all automation through playbook) However, there is some confusion. After creating a Windows base image through 'make build', copy the base image and run qemu, call the LOCK hypercall after doing the desired action, and then position the snapshot with the --snapshot argument when start fuzzing? I didnt read some api and hypercall fully, so I could misunderstood :/ Thanks for your assistance |
And additionally, it would be very convenient if you could add a script that would automatically run qemu like the loader in kafl0.2, and allow users to save snapshots when they want (for those who are not familiar with ansible, or have elements to interact with users eg,.gui) |
I haven't thought through the combination of the LOCK hypercall with Vagrant's workflow and interface yet. but removing Vagrant, yes, you would first run your image with kafl fuzz until that LOCK hypercall, specifying the pre-snapshot The run it a second time to resume the execution this snapshot and fuzz your target from there. Again, I need to build a concrete example on top of this. |
I'm not familiar with kAFL 0.2, nor the loader. |
For example, if I want to fuzz a.sys of a Chrome, use the GUI installer to install Chrome(by launching qemu) by manually, and I would like to have a 1-click-program that saves the status as a snapshot after checking that sys is loaded. |
How do I fuzz for drivers that have dependencies between drivers (IofCallDriver) and work normally only when certain processes are running? In Kafl 0.2, I could run a specific process and execute Loader.exe and then take a snapshot, but in 0.7, I don't know if there's a similar way.
The text was updated successfully, but these errors were encountered: