WTF

This page describes how to use WTF for fuzzing and when it is a bad idea to use WTF.

WTF is a snapshot-based fuzzer written by 0vercl0k. It replays a snapshot of the target system on one of three backends: bochscpu (emulation), KVM, or Hyper-V (via the Windows Hypervisor Platform). The project is hosted on GitHub at https://github.com/0vercl0k/wtf.

How to use WTF

The how-tos for using WTF are quite simple and are already described in the GitHub repository by 0vercl0k. In general, any WTF-based fuzzer needs three components, plus a snapshot of the target system:

  • Generator : This component is responsible for generating the test cases that are sent to the target for processing. The aim is to produce interesting inputs that could trigger bugs in the target.

  • Interpreter : This component processes (interprets) the test cases created by the generator; in practice this is the parsing code inside the target.

  • Mutator : This component mutates the test cases created by the generator, for example by swapping in boundary values that provoke integer overflows, and sends them to the interpreter in the hope of triggering something interesting.

The mutator can be custom-tailored to the target, or it can be one of the generic mutators that WTF ships, which are borrowed from libFuzzer and honggfuzz. For targets that operate on custom structures, a generic byte-level mutator tends to break the layout before it reaches the interesting code, so a custom mutator that understands the structure is usually needed.
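As an added example (not code from this page or from the wtf project), here is the kind of structure-aware mutator the previous paragraph calls for. The Request_t layout, its field names and the kMagic constant are assumptions invented for illustration; a real module would produce these bytes and hand them to wtf to write into the snapshot's memory. Note what it preserves (the magic the target checks first) and what it attacks (length and count fields, with boundary values chosen so a 32-bit size computation wraps).

```cpp
// Added example: structure-aware mutator for a hypothetical fixed-layout
// request parsed by the target. Layout, field names and kMagic are assumptions.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <random>
#include <vector>

#pragma pack(push, 1)
struct Request_t {
  uint32_t Magic;       // sanity check the target performs first; keep it intact
  uint32_t Length;      // byte count the target trusts when it copies Payload
  uint16_t Count;       // element count the target loops over
  uint16_t Flags;
  uint8_t Payload[32];
};
#pragma pack(pop)

constexpr uint32_t kMagic = 0x00465457;  // assumed constant ("WTF\0" as little-endian bytes)

// Boundary values that commonly expose integer overflow and sign bugs.
constexpr uint32_t kInteresting32[] = {0u, 1u, 0x7fffffffu, 0x80000000u,
                                       0xfffffffeu, 0xffffffffu, 0x1000u,
                                       0xfffffff0u};
constexpr uint16_t kInteresting16[] = {0u, 1u, 0x7fffu, 0x8000u,
                                       0xfffeu, 0xffffu, 0x100u};
constexpr size_t kN32 = sizeof(kInteresting32) / sizeof(kInteresting32[0]);
constexpr size_t kN16 = sizeof(kInteresting16) / sizeof(kInteresting16[0]);

// Well-formed seed test case, the kind of input the generator would produce.
Request_t BaseRequest() {
  Request_t R{};
  R.Magic = kMagic;
  R.Length = sizeof(R.Payload);
  R.Count = 4;
  R.Flags = 0;
  for (size_t i = 0; i < sizeof(R.Payload); i++) {
    R.Payload[i] = uint8_t('A' + i % 26);
  }
  return R;
}

// Mirrors a typical target-side size computation done in 32 bits; returns true
// when Length is large enough to wrap the total, which is what 0xfffffff0 is for.
bool HeaderLengthOverflows(const Request_t &R) {
  const uint32_t Total = uint32_t(sizeof(Request_t)) + R.Length;
  return Total < R.Length;
}

// One mutation round: choose a field, then either drop in an interesting value,
// nudge it by a small delta, or flip a bit. Magic is never touched so the test
// case gets past the target's first check. Loops until the output differs from
// the input so a snapshot restore is never spent on an identical test case.
Request_t MutateRequest(const Request_t &In, uint64_t Seed) {
  std::mt19937_64 Rng(Seed);
  Request_t Out = In;
  do {
    Out = In;
    switch (Rng() % 4) {
    case 0:
      if (Rng() % 2) {
        Out.Length = kInteresting32[Rng() % kN32];
      } else {
        Out.Length = In.Length + uint32_t(Rng() % 17) - 8u;  // unsigned wrap is defined
      }
      break;
    case 1:
      if (Rng() % 2) {
        Out.Count = kInteresting16[Rng() % kN16];
      } else {
        Out.Count = uint16_t(In.Count + Rng() % 17 - 8);
      }
      break;
    case 2:
      Out.Flags ^= uint16_t(1u << (Rng() % 16));
      break;
    default:
      Out.Payload[Rng() % sizeof(Out.Payload)] ^= uint8_t(1u << (Rng() % 8));
      break;
    }
  } while (std::memcmp(&Out, &In, sizeof(Out)) == 0);
  return Out;
}

// Raw bytes in the layout the target expects; this is what a wtf module would
// write into the snapshot's memory for the target to consume.
std::vector<uint8_t> ToBytes(const Request_t &R) {
  const uint8_t *P = reinterpret_cast<const uint8_t *>(&R);
  return std::vector<uint8_t>(P, P + sizeof(R));
}

int main() {
  const Request_t Base = BaseRequest();
  for (uint64_t Seed = 1; Seed <= 5; Seed++) {
    const Request_t M = MutateRequest(Base, Seed);
    std::printf("seed %llu: Length=0x%08x Count=0x%04x Flags=0x%04x overflow=%d bytes=%zu\n",
                (unsigned long long)Seed, M.Length, M.Count, M.Flags,
                int(HeaderLengthOverflows(M)), ToBytes(M).size());
  }
  return 0;
}
```

The mutator is seeded explicitly so a crashing test case can be regenerated from its seed, which is worth more than raw throughput once a snapshot run produces a crash.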

The final requirement is the system snapshot itself. Instructions for taking one are already in the WTF GitHub repository.

Using WTF for Windows Targets

This blog post covers approaches for Windows targets, since that is my area of study for the time being.

In general, a vulnerability research (VR) target falls into one of two categories:

  • A kernel target that processes data sent from user land entirely in the kernel, with no user-land process taking part in the processing. The current _EPROCESS stays the same for the whole run, so there are no CR3 changes.

  • A target where the data sent by the user is processed partly in user land and partly in the kernel. More than one _EPROCESS is involved, and CR3 switches between them during the run.

The first kind is generally simple to deal with; the challenge comes with the second kind, which is considerably harder to fuzz.

The rest of this page covers some of the lessons and challenges I ran into while fuzzing such a component.

Context Switching

The Windows kernel performs context switches constantly in order to keep every process on the system making progress. For instance, suppose a user-land process called XYZ calls into the kernel for some operation.

The thread first transitions from user mode into kernel mode. On systems with KVA shadowing enabled (the Meltdown mitigation), even this user-to-kernel transition swaps CR3 between the process's user and kernel page tables; otherwise CR3 stays the same until the scheduler switches to a thread belonging to another process.

The OS as a whole runs on context switches. For instance, a simple C++ program that calls WaitForSingleObject with an N-second timeout puts its thread into a wait state; until the object is signaled or the timeout expires, the scheduler switches to other _KTHREADs. For N seconds the OS keeps context switching and executing other threads on the system, and for a snapshot fuzzer those threads are code you never intended to fuzz.
