
# WTF

WTF is a snapshot-based fuzzer written by 0vercl0k. It replays a full-system snapshot on one of three backends: bochscpu, KVM or the Windows Hypervisor Platform (Hyper-V). The project can be found on [GitHub](https://github.com/0vercl0k/wtf).

### How to use WTF

The how-tos for using WTF are quite simple and are already described in the GitHub repo by 0vercl0k. In general, any WTF-based fuzzer needs three things:

* Generator: this component produces the testcases that are sent to the target for processing. The hope is to produce testcases interesting enough to trigger bugs in the target.
* Interpreter: this component consumes the testcases produced by the generator; in practice it is the target code running inside the snapshot.
* Mutator: this component mutates the testcases produced by the generator. We mutate testcases with interesting values (integer boundary values that provoke overflows, lengths that disagree with the data actually present) and send them to the interpreter in the hope of triggering something interesting.

The `mutator` can be either custom-tailored to the target or one of the generic ones WTF ships with (libFuzzer- and honggfuzz-style mutators). For targets that operate on custom structures we usually have to implement a custom `mutator`: a byte-level mutator spends most of its budget on inputs that fail the target's first sanity check (bad magic, length larger than the buffer), so a structure-aware mutator that keeps the framing coherent while attacking individual fields gets much deeper.
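The following is an added example of such a structure-aware mutator, written for this page and not taken from WTF or from the author's fuzzer. The wire format (a 12-byte header of magic, length, type and flags followed by `Length` payload bytes) is an assumption made up for the example; the strategies are the ones the paragraph describes: header fields replaced by interesting integers, payload-only byte flips that keep the header coherent, resizing with the length field kept in sync, and a deliberate length-versus-buffer mismatch. `IsWellFormed` plays the role of the interpreter's first sanity check.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <random>
#include <vector>

// Hypothetical wire format (an assumption for this example, not a format from
// WTF or from the page): a fixed header followed by `Length` payload bytes.
struct MsgHdr {
  uint32_t Magic;
  uint32_t Length;   // number of payload bytes that follow the header
  uint16_t Type;
  uint16_t Flags;
};
static_assert(sizeof(MsgHdr) == 12, "header must match its on-the-wire layout");

constexpr uint32_t kMagic = 0x00465457u;   // "WTF\0" little-endian, arbitrary
constexpr size_t kMaxTestcase = 64 * 1024; // cap so the harness never copies an unbounded buffer

// Boundary integers that commonly expose overflow, truncation and sign-extension bugs.
constexpr std::array<uint64_t, 13> kInteresting = {
    0, 1, 0x7f, 0x80, 0xff, 0x7fff, 0x8000, 0xffff,
    0x7fffffff, 0x80000000, 0xffffffff, 0x7fffffffffffffff, 0xffffffffffffffff};

// Interpreter-side sanity check: bad magic or a Length that overruns the buffer
// is what a real parser would reject before touching the payload.
bool IsWellFormed(const std::vector<uint8_t>& Buf) {
  if (Buf.size() < sizeof(MsgHdr)) return false;
  MsgHdr H;
  std::memcpy(&H, Buf.data(), sizeof(H));
  return H.Magic == kMagic && H.Length <= Buf.size() - sizeof(MsgHdr);
}

// Generator: a coherent baseline testcase the target should parse cleanly.
std::vector<uint8_t> Generate(size_t PayloadLen, uint16_t Type) {
  MsgHdr H{kMagic, static_cast<uint32_t>(PayloadLen), Type, 0};
  std::vector<uint8_t> Buf(sizeof(H) + PayloadLen, 0x41);
  std::memcpy(Buf.data(), &H, sizeof(H));
  return Buf;
}

class StructMutator {
 public:
  explicit StructMutator(uint64_t Seed) : Rng_(Seed) {}

  // One mutation per call; the header is re-serialised so it stays parseable
  // except where the chosen strategy breaks it on purpose.
  std::vector<uint8_t> Mutate(const std::vector<uint8_t>& In) {
    std::vector<uint8_t> Out = In.size() >= sizeof(MsgHdr) ? In : Generate(16, 1);
    MsgHdr H;
    std::memcpy(&H, Out.data(), sizeof(H));
    switch (Pick(4)) {
      case 0: {  // Header field <- interesting value, truncated to the field width.
        const uint64_t V = kInteresting[Pick(kInteresting.size())];
        switch (Pick(3)) {
          case 0: H.Length = static_cast<uint32_t>(V); break;
          case 1: H.Type = static_cast<uint16_t>(V); break;
          default: H.Flags = static_cast<uint16_t>(V); break;
        }
        break;
      }
      case 1: {  // Byte-level mutation of the payload only; header stays coherent.
        if (Out.size() > sizeof(MsgHdr)) {
          const size_t Idx = sizeof(MsgHdr) + Pick(Out.size() - sizeof(MsgHdr));
          Out[Idx] ^= static_cast<uint8_t>(1u << Pick(8));
        }
        break;
      }
      case 2: {  // Grow or shrink the payload and keep Length in sync.
        const size_t NewLen = Pick(kMaxTestcase - sizeof(MsgHdr) + 1);
        Out.resize(sizeof(MsgHdr) + NewLen, 0x42);
        H.Length = static_cast<uint32_t>(NewLen);
        break;
      }
      default: {  // Length-vs-buffer mismatch: claim more payload than is present.
        const size_t Present = Out.size() - sizeof(MsgHdr);
        H.Length = static_cast<uint32_t>(Present) + 1 + static_cast<uint32_t>(Pick(0x10000));
        break;
      }
    }
    std::memcpy(Out.data(), &H, sizeof(H));
    if (Out.size() > kMaxTestcase) Out.resize(kMaxTestcase);
    return Out;
  }

 private:
  size_t Pick(size_t N) { return std::uniform_int_distribution<size_t>(0, N - 1)(Rng_); }
  std::mt19937_64 Rng_;
};

// Mutate the baseline `Rounds` times and count how many outputs still pass the
// sanity check; a mutator that never produces a well-formed input is wasting cycles.
size_t CountWellFormed(uint64_t Seed, size_t Rounds) {
  StructMutator M(Seed);
  const std::vector<uint8_t> Base = Generate(16, 1);
  size_t Ok = 0;
  for (size_t I = 0; I < Rounds; I++) Ok += IsWellFormed(M.Mutate(Base)) ? 1 : 0;
  return Ok;
}

int main() {
  std::printf("%zu/200 mutated testcases pass the interpreter's sanity check\n",
              CountWellFormed(1, 200));
  return 0;
}
```

In a WTF harness the same `Mutate` would be called from the mutator side of the fuzzer, with `Out` handed to the `InsertTestcase` callback that writes it into the snapshot; the bound on `kMaxTestcase` is what keeps that copy from overrunning whatever buffer the snapshot reserved for the input.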

The last requirement is the system snapshot; the instructions on how to take one are on the WTF GitHub page as well.

### Using WTF for Windows Targets

This post describes approaches for Windows targets, since that is the area of study for the time being.

In general there are two kinds of vulnerability research (VR) targets:

* A kernel target that processes data sent from user land entirely in the kernel. No user-land process takes part in the processing, so the `_EPROCESS` stays the same and CR3 never changes.
* A target that needs both user land and kernel land to process the data sent by the user. There is no single `_EPROCESS` involved, and the processing crosses CR3 switches.

The first kind is generally simple to deal with; the challenge comes with the second kind, which is generally much harder to fuzz.

We will discuss some of the learnings and challenges I faced while fuzzing such a component.

#### Context Switching

The Windows kernel performs context switches all the time so that every runnable thread makes progress. For instance, say a user-land process called `XYZ` calls into the kernel for some operation.

The thread first transitions from user mode into kernel mode. That transition by itself does not change the address space: the kernel is mapped into every process, so CR3 keeps the value of `XYZ`'s directory table base (the exception is KVA Shadow on CPUs vulnerable to Meltdown, where the kernel swaps CR3 between the user and kernel page-table copies of the same process). What does change CR3 is the scheduler switching to a thread that belongs to a different process.

The OS in general works via context switches. For instance, a simple C++ program that calls `WaitForSingleObject` with a timeout of N seconds blocks its thread, and the scheduler switches to other `_KTHREAD`s until the object is signaled or the N seconds have passed. During those N seconds the OS keeps switching and runs the other threads on the system. For a snapshot fuzzer this matters: the snapshot captures one address space, and WTF's bochscpu backend ends the testcase as soon as CR3 changes (it is reported as a `Cr3Change` result rather than a crash or a timeout), so any point where the second kind of target blocks or hands work to another process has to be dealt with in the harness.
