Created: Wednesday, August 18 2010 15:50.22 CDT Modified: Wednesday, August 18 2010 15:53.20 CDT
Dataflow-0.2.0 released. New: in memory fuzzing means
Author: artemblagodarenko # Views: 3436

Dataflow-0.2.0 is now available

After a month of development, the following new features are available:
1. Recovery of a module's functions from binary code without any additional information;
2. Creation of a test SDK for the binary program;
3. Loading a test into the target binary program's address space and executing it. The analyzed binary then continues executing in the same mode as before the test was loaded.

Thus, Dataflow-0.2.0 can be used to perform in-memory fuzzing.

You can download the utility and view screenshots and the release history on the MaiWay project home page. Dataflow is part of the MaiWay project. The Dataflow tutorial is also available; the enhanced features are described in The Dataflow tutorial. Part 2. Please feel free to send bug reports, suggestions etc. to the authors.

In short:

You can generate function prototypes from a binary module; they look like this:

/* Raw pointer to the recovered routine at its address inside the module */
int ( __cdecl *functionstest2_sub_1120__)( void )
    = ( int ( __cdecl * ) ( void) ) 0x401120;

/* Wrapper that gives the routine a C prototype: the argument is loaded
   into EBX before the call, since the routine expects it in that register */
inline int __cdecl functionstest2_sub_1120( int a )
{
   __asm{
      mov EBX, a
   }
   return functionstest2_sub_1120__( );
}


After that you can develop some tests (for example, fuzzing actions):

#include <windows.h>
#include "functionstest.h"   /* prototypes generated by Dataflow */

/* Test body: call the recovered functions with chosen argument values */
void StartTest( void )
{
   functionstest_sub_10C0( 88, 77, 66, 55 );
   functionstest_sub_1080( 33, 44, 55, 66 );
}

/* The test is built as a DLL; loading it into the target runs StartTest */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved )
{
   switch (ul_reason_for_call)
   {
      case DLL_PROCESS_ATTACH:
         StartTest();
         break;
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      case DLL_PROCESS_DETACH:
         break;
   }
   return TRUE;
}


Build it and execute it in the analyzed program's address space with one click (three clicks, actually :) ).



Once the test has executed, the module's internal functions have been fuzzed. After that the program continues its normal execution.
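As an added example (not Dataflow's or MaiWay's own code), here is the same test-SDK pattern in portable C: a typed function pointer stands in for the generated prototype, a StartTest analogue drives the recovered function with a constructed corpus, and a signal handler with sigsetjmp records a crashing input so the host keeps running, in place of the DLL loading and Windows exception handling a real Dataflow test relies on. The target toy_sub_1120 and the name functionstest_sub_1120 are constructed; Dataflow would initialise the pointer with a fixed module address instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy target standing in for a recovered sub_XXXX: sums len bytes. */
static int toy_sub_1120(const unsigned char *buf, size_t len)
{
    int acc = 0;
    for (size_t i = 0; i < len; i++)
        acc += buf[i];
    return acc;
}

/* Prototype in the style of the generated header: a typed pointer to the
 * recovered routine (Dataflow would initialise it with a fixed address). */
int (*functionstest_sub_1120)(const unsigned char *, size_t) = toy_sub_1120;

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

struct fuzz_result { int calls; int faults; int last_ret; };
/* StartTest analogue: drive the recovered function with a constructed corpus
 * (including a NULL buffer), counting the inputs that make it fault. */
struct fuzz_result run_fuzz_test(void)
{
    static const unsigned char corpus[] = { 0x00, 0x7f, 0x80, 0xff };
    static const struct { const unsigned char *buf; size_t len; } cases[] = {
        { corpus, 0 }, { NULL, 1 }, { corpus, 1 }, { corpus, 4 },
    };
    static const int sigs[] = { SIGSEGV, SIGBUS, SIGILL };
    struct sigaction sa, old[3];
    volatile int calls = 0, faults = 0, last_ret = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    for (int s = 0; s < 3; s++)
        sigaction(sigs[s], &sa, &old[s]);
    for (volatile size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        calls++;
        if (sigsetjmp(fault_env, 1) == 0)
            last_ret = functionstest_sub_1120(cases[i].buf, cases[i].len);
        else
            faults++;                   /* the target crashed on this input */
    }
    for (int s = 0; s < 3; s++)         /* restore handlers: host runs on as before */
        sigaction(sigs[s], &old[s], NULL);
    return (struct fuzz_result){ calls, faults, last_ret };
}
```

With this corpus the NULL case faults, the harness records it, and the remaining inputs still run, so the last successful result is the byte sum 510.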

Thanks for attention :)


Blog Comments
halsten Posted: Thursday, August 19 2010 22:10.48 CDT
Great work Artem, always waiting for more updates. Good luck! :)

--
halsten


