📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> xz's Blog

Created: Monday, January 5 2009 14:14.36 CST  
Direct Link, View / Make / Edit Comments
simulating memory allocation failures
Author: xz # Views: 2203

I've written a debugger script that tests dlls for memory allocation failures by hooking ntdll.RtlAllocateHeap

full doc here:
http://www.bintest.com/m/malloc.html

Created: Saturday, December 16 2006 06:54.32 CST Modified: Saturday, December 16 2006 11:04.15 CST
Direct Link, View / Make / Edit Comments
API Fuzzing with PaiMei
Author: xz # Views: 11262

I keep myself idle lately coding an API Fuzzer.

The idea is simple:
      -init:
          -load program
          -set hooks
          -load fuzz testcases in address space
      -fuzzing loop:
        on api call entry:
          first pass
            -save process snapshot ( thread context, memory)
            -get arguments
            -monitor mem access
        on api call return
            -restore memory
            -restore thread context (=> eip on api entry)
            -fuzz api call arguments

e.g.:

main.cpp:
---------

extern "C" __declspec(dllimport) void myfun ( int * a,int b,int c);

void main(void)
{
int a = 6;
myfun(&a,7,10);
}


dll.cpp:
--------

#include <iostream>
using namespace std;
extern "C" __declspec(dllexport) void myfun(int * a,int b, int c)
{
  cout << "a: " << *a << " | b: " << b << " | c: " << c << "\n";
}


compile and link:

$ cl -LD dll.cpp && cl main.cpp /LINK dll.lib

$ ./main
a: 6 | b: 7 | c: 10


this is the testcase:
hook myfun when called from main and fuzz the arguments...


$ python fuzztest.py | grep a:  # grep to ommit debug prints
a: 6 | b: 7 | c: 10
a: 6 | b: 256 | c: 32
a: 6 | b: 4096 | c: 0
a: 6 | b: 64 | c: 16


great... as b and c are integers they are fuzzed in the 3 fuzzing loops.
To get some more interesting results we have to fuzz all the arguments, i.e. pointers. This appears to be more difficult than expected: I have to monitor which memory locations are
accessed, then fuzz those locations. I thought putting memory breakpoints on the stack would help do the trick but pydbg doesn't support stack memory breakpoints. I'm trying to work around this by setting PAGE_NOACCESS on the stack pages and an access violation callback but this isn't finished yet. I do have a start for a wxpython gui:


Archived Entries for xz
Subject # Views Created On
No archived blog entries found.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit