http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Mon, 05 Jan 2009 14:14:36 -0600 https://www.openrce.org/blog/view/1337/simulating_memory_allocation_failures xz <email-suppressed@example.com> I've written a debugger script that tests dlls for memory allocation failures by hooking ntdll.RtlAllocateHeap<br /> <br /> full doc here: <br /> <a href="http://www.bintest.com/m/malloc.html">http://www.bintest.com/m/malloc.html</a><br /> Sat, 16 Dec 2006 06:54:32 -0600 https://www.openrce.org/blog/view/540/API_Fuzzing_with_PaiMei xz <email-suppressed@example.com> I keep myself idle lately coding an API Fuzzer. <br /> <br /> The idea is simple: <br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-init:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-load program<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-set hooks<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-load fuzz testcases in address space<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-fuzzing loop:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;on api call entry:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;first pass<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-save process snapshot ( thread context, memory)<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-get arguments <br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-monitor mem access<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;on api call return<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-restore memory<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-restore thread context (=&gt; eip on api entry)<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-fuzz api call arguments<br /> <br /> e.g.:<br /> <br /> main.cpp:<br /> ---------<br /> <code><br /> extern &quot;C&quot; __declspec(dllimport) void myfun ( int * a,int b,int c);<br /> <br /> void main(void)<br /> {<br /> int a = 6;<br /> myfun(&amp;a,7,10);<br /> }<br /> </code><br /> <br /> dll.cpp:<br /> --------<br /> <code><br /> #include &lt;iostream&gt;<br /> using namespace std;<br /> extern &quot;C&quot; __declspec(dllexport) void myfun(int * a,int b, int c)<br /> {<br /> &nbsp;&nbsp;cout &lt;&lt; &quot;a: &quot; &lt;&lt; *a &lt;&lt; &quot; | b: &quot; &lt;&lt; b &lt;&lt; &quot; | c: &quot; &lt;&lt; c &lt;&lt; &quot;\n&quot;;<br /> }<br /> </code><br /> <br /> compile and link:<br /> <code><br /> $ cl -LD dll.cpp &amp;&amp; cl main.cpp /LINK dll.lib<br /> <br /> $ ./main<br /> a: 6 | b: 7 | c: 10<br /> </code><br /> <br /> this is the testcase:<br /> hook myfun when called from main and fuzz the arguments...<br /> <br /> <code><br /> $ python fuzztest.py | grep a:&nbsp;&nbsp;# grep to ommit debug prints<br /> a: 6 | b: 7 | c: 10<br /> a: 6 | b: 256 | c: 32<br /> a: 6 | b: 4096 | c: 0<br /> a: 6 | b: 64 | c: 16<br /> </code><br /> <br /> great... as b and c are integers they are fuzzed in the 3 fuzzing loops.<br /> To get some more interesting results we have to fuzz all the arguments, i.e. pointers. This appears to be more difficult than expected: I have to monitor which memory locations are <br /> accessed, then fuzz those locations. I thought putting memory breakpoints on the stack would help do the trick but pydbg doesn't support stack memory breakpoints. I'm trying to work around this by setting PAGE_NOACCESS on the stack pages and an access violation callback but this isn't finished yet. I do have a start for a wxpython gui:<br /> <br /> <img src="http://img303.imageshack.us/img303/8839/fuzzer2xs1.jpg" border=0 align="">