How to use

Table of Contents

  0. Tested Environment
  1. Install dependencies
  2. Enroll github SSH Keys
  3. Clone this repo & change kernel to 6.0.0-nyx+
  4. Build the Windows VM Template
  5. Import the template into Vagrant
  6. Import into libvirt
  7. Run Fuzz


0. Tested Environment


CPU : Intel i7-12700K
RAM : 84G
GPU : NVIDIA GeForce 1060 Super
OS : Ubuntu 20.04.6 LTS

1. Install dependencies


sudo apt-get update -y
sudo apt-get install gcc git make curl vim python3 python3.8-venv -y

2. Enroll github SSH Keys


$ ssh-keygen -t rsa -C <[email protected]>

$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3Nz...

Paste this string into GitHub -> Profile -> Settings -> SSH and GPG keys -> New SSH key

3. Clone this repo & change kernel to 6.0.0-nyx+


cd ~
git clone git@github.com:0dayResearchLab/msFuzz.git kAFL
cd kAFL
make deploy
reboot

4. Build the Windows VM Template


cd ~/kAFL
make deploy -- --tags examples,examples-template-windows
cd ./kafl/examples/templates/windows
make build

5. Import the template into Vagrant


make import

6. Import into libvirt


cd ../../windows_x86_64
make init

7. Run Fuzz


cd ~/kAFL
make env
cd kafl/examples/windows_x86_64/
mkdir -p bin/driver
cp ../../fuzzer/Utils/Harness_for_nyx.sys ./bin/driver


1. vi src/driver/vuln_test.c -> change the symbolic link name / target .sys (the target driver name)

2. Boot the QEMU VM
-> vagrant up --no-provision

3. Save a QEMU snapshot named 'ready_provision'
-> vagrant snapshot save --force 'ready_provision'

4.a
    make target -> automatically loads the driver located at bin/driver/target.sys, together with bin/driver/vuln_test.exe, into the QEMU guest
4.b
    make no_target -> automatically loads vuln_test.exe / call_stack.sys into the QEMU guest
4.c
    set up the environment yourself


6. mkdir -p ./seed

7. ./run.sh
    You can obtain the result.json file from angrPT (https://github.com/0dayResearchLab/angrPT).
    result.json holds the information about each IoControl constraint and the global-variable dependencies.

8. Show GUI
cd ~/kAFL
make env
cd kafl/examples/windows_x86_64/
kafl gui -w work

9. make revoke -> revert the snapshot from the fuzzed state back to the one saved in step 3 ('ready_provision')
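A pre-flight check for the Run Fuzz steps above, added here as an example and not part of the msFuzz project: it verifies, before ./run.sh, that the host is on the Nyx kernel and that the harness, target driver, trigger binary and seed directory from steps 1-6 are in place. It assumes `uname -r` on a host built with `make deploy` contains `-nyx` (as in 6.0.0-nyx+) and that the working directory is kafl/examples/windows_x86_64.

```shell
#!/usr/bin/env bash
# Pre-flight check for the msFuzz/kAFL Windows driver target (added example).
# Usage from kafl/examples/windows_x86_64:  preflight "$PWD" "$(uname -r)"
# Exit status 0 when everything is present, 1 otherwise; each missing item is
# reported on stderr so the corresponding README step can be repeated.

# Returns 0 when the kernel release string is the Nyx kernel (6.0.0-nyx+).
# Assumption: the deployed kernel's release string contains "-nyx".
is_nyx_kernel() {
    case "$1" in
        *-nyx*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight <workdir> <kernel-release>
# <workdir> is the kafl/examples/windows_x86_64 directory.
preflight() {
    local dir="$1" kernel="$2" rc=0 f

    # Step 3 of the setup: `make deploy` installs the Nyx kernel, which is
    # required for the Intel PT tracing kAFL relies on.
    if ! is_nyx_kernel "$kernel"; then
        echo "kernel '$kernel' is not the Nyx kernel; run 'make deploy' and reboot" >&2
        rc=1
    fi

    # Harness copied in the Run Fuzz preamble, plus the files `make target`
    # loads into the guest (bin/driver/target.sys and bin/driver/vuln_test.exe).
    for f in bin/driver/Harness_for_nyx.sys bin/driver/target.sys bin/driver/vuln_test.exe; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $f" >&2
            rc=1
        fi
    done

    # Step 6: the seed directory must exist before ./run.sh.
    if [ ! -d "$dir/seed" ]; then
        echo "missing seed directory; run 'mkdir -p ./seed'" >&2
        rc=1
    fi

    return "$rc"
}
```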

Fuzz Success