A coverage-guided and memory-detection enabled fuzzer for windows applications.

Overview

WDFuzzer Manual

For the Chinese manual, see README_CN.md.

WDFuzzer: winafl + drmemory

WDFuzzer is a coverage-guided, memory-detection-enabled fuzzer for Windows software. It combines winafl and drmemory.

Difference from other fuzzers

  • Application-level Fuzzing: Most fuzzers on Windows are function-level tools, which require users to read the source code of the target software or reverse engineer it. Because WDFuzzer aims at application-level fuzzing, it does not require users to understand the target software.
  • Memory Checking: WDFuzzer uses drmemory to perform runtime memory checking. This is optional, as memory checking is time-consuming.

Shortcomings

If you want to enable memory checking while fuzzing, you may run into the following difficulties:

  • The target software's debug information is needed. Drmemory only works on software with debug information. Follow drmemory's instructions to build your target program, or prepare its pdb file beforehand.
  • There may be false positives when drmemory checks memory in GUI programs. This is a limitation of drmemory.

Quick Start

You can download the release file to start fuzzing directly. A quick start guide is provided in the release file. The quick start guide explains the usage of WDFuzzer by fuzzing a demo.

Compile WDFuzzer

You can directly use the release binary of this repo.

WDFuzzer is a combination of winafl and drmemory. The compiling process of WDFuzzer is actually the process of compiling winafl and drmemory. For the detailed compiling instructions, please read their official docs. Only brief and necessary introductions are given here.

Environment
  • Install MS Visual Studio 2017.
  • Clone this repo.
Compile drmemory

In the x86 command shell of MS Visual Studio 2017, run the following commands:

cd drmemory
mkdir build32
cd build32
cmake ..
cmake --build . --config RelWithDebInfo

After compiling drmemory, the root directory of dynamorio will be drmemory\build32\dynamorio.

Compile winafl

cd winafl
mkdir build32
cd build32
cmake -G"Visual Studio 15 2017" .. -DDynamoRIO_DIR=[directory of Dynamorio]\cmake
cmake --build . --config Release

Notice

  • Compiling drmemory takes a long time, and some warnings and errors may appear. This is normal and will not affect the result. Just be patient.
  • If everything goes well, you will find afl-fuzz.exe and winafl.dll in winafl\build32\bin\Release, and drmemory.exe in winfuzz\drmemory\build32\bin.

Using WDFuzzer

Command

afl-fuzz.exe [afl options] -- [drmemory options] -- [target command line]
Afl options

(options marked with - must be specified; options marked with + are optional)

 -i [dir]    - input directory with test cases
 -o [dir]    - output directory for fuzzer findings
 -t [msec]   - timeout for each run
 -D [dir]    - directory containing DynamoRIO binaries
 -R [dir]    + directory containing drmemory binaries;
               if specified, drmemory is used to conduct a runtime memory check
 -O [dir]    + output directory of the target program;
               if the target program creates files at each run, specify -O so that the output directory is cleaned
 -N          + if the target program will not stop automatically, -N must be used

More afl options can be found on the winafl GitHub page.

Drmemory options

(options marked with - must be specified; options marked with + are optional)

-coverage_mode [edge|bb]     - coverage calculation mode: edge mode or basic-block mode
-coverage_module [module]    - which modules are instrumented; this option may be given multiple times to select multiple modules
-no_check_uninitialized      - do not check for uninitialized-read errors;
                               false positives may occur when the uninitialized check is enabled

Target command line

In the target command line, replace the input file with @@. If the target program creates output files at each run, those files should be cleaned up between runs; use the -O option so that the output directory is cleaned at each run.

Notice

When drmemory starts, it may load the system's symbol files. To guarantee the correctness of the fuzzing process, first run the target program under drmemory on its own and confirm that it works. See Example for how to run the target program with drmemory alone.

Example

Directory structure:

-WDFuzzer
	-winafl
		-build32\bin\Release\afl-fuzz.exe
	-drmemory
		-build32\bin\drmemory.exe
		-dynamorio\bin32
	-test
		-in
		-out
		-target_out
		-target.exe

Fuzz command:

cd WDFuzzer\test

..\winafl\build32\bin\Release\afl-fuzz.exe -i in -o out -t 10000 -D ..\drmemory\build32\dynamorio\bin32 -R ..\drmemory\build32\bin -O target_out -N -- -coverage_module target.exe -coverage_module target_1.dll -coverage_mode edge -- target.exe -out target_out @@

If memory checking is not needed during fuzzing, omit -R and the drmemory options:

..\winafl\build32\bin\Release\afl-fuzz.exe -i in -o out -t 10000 -D [binary directory of Dynamorio] -O target_out -N -- -- target.exe -out target_out @@

Run target program with drmemory alone:

..\drmemory\build32\bin\drmemory.exe -batch -fuzzer_id any -coverage_module target_1.dll -coverage_mode edge -single -- target.exe -out target_out

In this command, -single must be used to tell drmemory that it is running alone. To obtain the system symbols in this step, do not use -ignore_kernel. The options must be the same as those used in the fuzzing process, apart from -batch -fuzzer_id any.
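The rules spread over the Using WDFuzzer section (required versus optional afl options, the @@ placeholder, and a standalone drmemory run whose options must match the fuzz run apart from -batch -fuzzer_id any and -single) are easy to get wrong by hand. The following script is an added example, not part of the WDFuzzer project: it assembles both command lines from one configuration and checks them against those rules. The FuzzConfig fields, the function names and the seed file name in\seed.bin are assumptions of this example; the paths follow the manual's example directory layout.

```python
"""Build and sanity-check WDFuzzer command lines (added example, not project code)."""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FuzzConfig:
    afl_fuzz: str                        # path to afl-fuzz.exe
    dynamorio_bin: str                   # -D: DynamoRIO binary directory
    input_dir: str                       # -i: seed test cases
    output_dir: str                      # -o: fuzzer findings
    timeout_ms: int                      # -t: per-run timeout
    target_cmd: List[str]                # target command line, @@ marks the input file
    drmemory_bin: Optional[str] = None   # -R: enables runtime memory checking
    target_out: Optional[str] = None     # -O: target output dir cleaned each run
    no_auto_exit: bool = False           # -N: target does not exit on its own
    coverage_modules: List[str] = field(default_factory=list)
    coverage_mode: str = "edge"          # "edge" or "bb"
    check_uninitialized: bool = True     # False adds -no_check_uninitialized


def validate(cfg: FuzzConfig) -> List[str]:
    """Return configuration problems; an empty list means the config is usable."""
    problems = []
    if "@@" not in cfg.target_cmd:
        problems.append("target command line has no @@ input-file placeholder")
    if cfg.timeout_ms <= 0:
        problems.append("-t must be a positive number of milliseconds")
    if cfg.coverage_mode not in ("edge", "bb"):
        problems.append("-coverage_mode must be 'edge' or 'bb'")
    if cfg.drmemory_bin and not cfg.coverage_modules:
        problems.append("memory checking enabled (-R) but no -coverage_module given")
    return problems


def drmemory_options(cfg: FuzzConfig) -> List[str]:
    """The drmemory option group that sits between the two '--' separators."""
    opts: List[str] = []
    for module in cfg.coverage_modules:
        opts += ["-coverage_module", module]
    opts += ["-coverage_mode", cfg.coverage_mode]
    if not cfg.check_uninitialized:
        opts.append("-no_check_uninitialized")
    return opts


def fuzz_command(cfg: FuzzConfig) -> List[str]:
    """afl-fuzz.exe [afl options] -- [drmemory options] -- [target command line]"""
    cmd = [cfg.afl_fuzz, "-i", cfg.input_dir, "-o", cfg.output_dir,
           "-t", str(cfg.timeout_ms), "-D", cfg.dynamorio_bin]
    if cfg.drmemory_bin:
        cmd += ["-R", cfg.drmemory_bin]
    if cfg.target_out:
        cmd += ["-O", cfg.target_out]
    if cfg.no_auto_exit:
        cmd.append("-N")
    cmd.append("--")
    if cfg.drmemory_bin:  # the drmemory group stays empty when -R is not used
        cmd += drmemory_options(cfg)
    cmd.append("--")
    return cmd + cfg.target_cmd


def standalone_drmemory_command(cfg: FuzzConfig, sample_input: str) -> List[str]:
    """Pre-flight run of drmemory alone: same drmemory options as the fuzz run,
    plus -batch -fuzzer_id any and -single. @@ is replaced by one concrete seed
    file (assumption: the target still needs an input when run outside the fuzzer)."""
    exe = ntpath.join(cfg.drmemory_bin, "drmemory.exe")  # Windows path on any host
    cmd = [exe, "-batch", "-fuzzer_id", "any"] + drmemory_options(cfg) + ["-single", "--"]
    return cmd + [sample_input if arg == "@@" else arg for arg in cfg.target_cmd]


def consistency_problems(fuzz_cmd: List[str], standalone_cmd: List[str]) -> List[str]:
    """Check the standalone drmemory run against the fuzz run's drmemory options."""
    first = fuzz_cmd.index("--")
    fuzz_opts = fuzz_cmd[first + 1:fuzz_cmd.index("--", first + 1)]
    alone_opts = standalone_cmd[1:standalone_cmd.index("--")]
    problems = []
    if "-ignore_kernel" in alone_opts:
        problems.append("-ignore_kernel stops drmemory loading system symbols in the standalone run")
    if "-single" not in alone_opts:
        problems.append("the standalone run must pass -single")
    # Drop the tokens the manual reserves for the standalone run, then compare the rest.
    stripped, skip_value = [], False
    for tok in alone_opts:
        if skip_value:
            skip_value = False          # the argument of -fuzzer_id
        elif tok == "-fuzzer_id":
            skip_value = True
        elif tok not in ("-batch", "-single"):
            stripped.append(tok)
    if stripped != fuzz_opts:
        problems.append(f"drmemory options differ: fuzz={fuzz_opts} standalone={stripped}")
    return problems


if __name__ == "__main__":
    # Constructed configuration matching the manual's example directory structure.
    cfg = FuzzConfig(afl_fuzz=r"..\winafl\build32\bin\Release\afl-fuzz.exe",
                     dynamorio_bin=r"..\drmemory\build32\dynamorio\bin32",
                     input_dir="in", output_dir="out", timeout_ms=10000,
                     target_cmd=["target.exe", "-out", "target_out", "@@"],
                     drmemory_bin=r"..\drmemory\build32\bin", target_out="target_out",
                     no_auto_exit=True, coverage_modules=["target.exe", "target_1.dll"])
    print("config problems:", validate(cfg))
    print("fuzz:", " ".join(fuzz_command(cfg)))
    print("standalone:", " ".join(standalone_drmemory_command(cfg, r"in\seed.bin")))
```

Run the script from WDFuzzer\test and paste the printed standalone line into a shell first, as the Notice above requires; only when that run succeeds is the printed fuzz line worth starting.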

Implementation

(UML diagram of the implementation)

Issues

  • No instrumentation detected (opened by alimubasshira)

    I have used the release of WDFuzzer to fuzz my target application and am getting the following error:

    PROGRAM ABORT : No instrumentation detected
    Location : perform_dry_run(), D:\code\WDFuzzer\winafl\afl-fuzz.c:3044

    Earlier, too, I got the same error; it pointed out that the debug folder was missing, so I renamed the release folder as debug, in which dynamorio.dll is present, but the issue remains the same.
Releases

1.0

Owner

Jingyi Shi