📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.










Dataflow-0.2.0 released. New: in memory fuzzing means
Author: artemblagodarenko
Created: Wednesday, August 18 2010 15:50.22 CDT. Modified: Wednesday, August 18 2010 15:53.20 CDT
Views: 4944

Dataflow-0.2.0 is now available

After a month of development, the following new features are available:
1. Recovery of a module's functions from binary code, without any additional information;
2. Creation of a test SDK for the binary program;
3. Loading a test into the target binary program's address space and executing it. The analyzed binary then continues executing in the same mode as before the test was loaded.

Thus, Dataflow-0.2.0 can be used to perform in-memory fuzzing.

You can download the utility, view screenshots and read the release history on the MaiWay project home page; Dataflow is part of the MaiWay project. The Dataflow tutorial is also available, and the new features are described in The Dataflow tutorial, Part 2. Please feel free to send bug reports, suggestions, etc. to the authors.

In short:

You can generate function prototypes from a binary module; they look like this:

/* Typed pointer to the recovered function at its address in the module. */
int ( __cdecl *functionstest2_sub_1120__ )( void )
    = ( int ( __cdecl * ) ( void ) ) 0x401120;

/* Wrapper: the recovered function expects its argument in EBX,
   so the wrapper loads it there before making the call. */
inline int __cdecl functionstest2_sub_1120( int a )
{
   __asm{
      mov EBX, a
   }
   return functionstest2_sub_1120__( );
}


After that you can develop some tests (maybe fuzzing actions):

#include <windows.h>
#include "functionstest.h"

/* Call the recovered functions with test (fuzz) arguments. */
void StartTest( void )
{
   functionstest_sub_10C0( 88, 77, 66, 55 );
   functionstest_sub_1080( 33, 44, 55, 66 );
}

/* Entry point of the test DLL: runs the test once, when the module is
   loaded into the analyzed program's address space. */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved )
{
   switch (ul_reason_for_call)
   {
      case DLL_PROCESS_ATTACH:
         StartTest();
         break;
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      case DLL_PROCESS_DETACH:
         break;
   }
   return TRUE;
}


Build it and execute it in the analyzed program's address space with one click (3 clicks, indeed :) ).



Once the test has executed, the module's internal functions have been fuzzed. After that the program continues its normal execution.
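The three steps above (recovered prototype, test SDK, test run inside the target) fit together in the following added example. It is not Dataflow's code and not from the original post: the "analyzed module" is a stand-in function compiled into the same file, its address is taken at runtime instead of being a recovered constant such as 0x401120, and the recovered function is assumed to use the standard C calling convention (no register arguments, so no __asm wrapper is needed). The harness is portable C so it can be built anywhere; a real test module would be the DLL shown above, with StartTest calling into the generated header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- stand-in "analyzed module" (constructed for this example) ----
 * In a Dataflow session this code lives in the target binary and is reached
 * through a pointer cast from its recovered address, never from source. */
static uint8_t g_scratch[16];

/* Copies n bytes into a fixed buffer and returns their byte sum,
 * or -1 when n does not fit. */
static int target_copy_checksum(const uint8_t *src, size_t n)
{
    if (n > sizeof g_scratch)
        return -1;
    memcpy(g_scratch, src, n);
    int sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += src[i];
    return sum;
}

/* ---- what the generated prototype header provides ----
 * Dataflow emits a typed pointer initialised from the recovered address:
 *   int ( __cdecl *mod_sub_1120__ )( const uint8_t *, size_t )
 *       = ( int ( __cdecl * )( const uint8_t *, size_t ) ) 0x401120;
 * Here the address is the stand-in's own, so the example runs anywhere
 * (assumption: plain C calling convention, no register-passed arguments). */
typedef int (*copy_checksum_fn)(const uint8_t *, size_t);

static copy_checksum_fn mod_sub_1120(void)
{
    uintptr_t addr = (uintptr_t)&target_copy_checksum;  /* stands in for 0x401120 */
    return (copy_checksum_fn)addr;
}

/* ---- the test SDK side: an in-memory fuzz loop ---- */
struct fuzz_report {
    unsigned iterations;
    unsigned accepted;    /* calls that copied and returned a checksum */
    unsigned rejected;    /* calls refused with -1 */
    unsigned violations;  /* results that broke the expected invariant */
};

/* Small deterministic generator so every run is reproducible from its seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Drives the recovered function with generated inputs and checks, on each
 * call, that oversized inputs are refused and accepted ones return the
 * independently computed checksum.  This is the StartTest body of a test
 * module, with bookkeeping added so the outcome can be inspected. */
struct fuzz_report run_fuzz(uint32_t seed, unsigned iterations)
{
    struct fuzz_report r = { iterations, 0, 0, 0 };
    copy_checksum_fn fn = mod_sub_1120();
    uint8_t buf[32];

    for (unsigned i = 0; i < iterations; i++) {
        /* 0..32 bytes: about half the lengths exceed the 16-byte target buffer */
        size_t n = xorshift32(&seed) % (sizeof buf + 1);
        int expected = 0;
        for (size_t k = 0; k < n; k++) {
            buf[k] = (uint8_t)xorshift32(&seed);
            expected += buf[k];
        }
        int got = fn(buf, n);
        if (n > sizeof g_scratch) {
            if (got == -1) r.rejected++; else r.violations++;
        } else {
            if (got == expected) r.accepted++; else r.violations++;
        }
    }
    return r;
}

int main(void)
{
    struct fuzz_report r = run_fuzz(0x1234u, 1000);
    printf("iterations=%u accepted=%u rejected=%u violations=%u\n",
           r.iterations, r.accepted, r.rejected, r.violations);
    return r.violations != 0;
}
```

Running it prints the counts for a 1000-call session; a non-zero violation count would be the signal a fuzzer-writer is after. Swapping the stand-in for a real generated header means replacing mod_sub_1120() with the pointer the header defines and keeping run_fuzz as the test body.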

Thanks for attention :)


Blog Comments
halsten Posted: Thursday, August 19 2010 22:10.48 CDT
Great work Artem, always waiting for more updates. Udachi! :)

--
halsten


