0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).


Inserting a test-case in the SetBreakpoint() routine

Cloepe opened this issue · comments

Hi,
I am currently facing an issue in the creation of my harness.

Due to the specificity of my target, I need to be able to dynamically insert the generated test-case in a hook.

The function I want to hook (MapViewOfFile()) should return the address of a buffer that contains the test-case.

For instance, here is a small snippet of my InsertTestcase() routine:

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  // [...]
  void *ptr_buffer = (void *)VirtualAlloc(nullptr, var_size, MEM_COMMIT, PAGE_READWRITE);

  // [...]
  memcpy(ptr_buffer, Buffer, var_size);

  // specific manipulations on ptr_buffer
  if (!g_Backend->SetBreakpoint("kernel32!MapViewOfFile", [](Backend_t *Backend) {
        if (<some_condition>) {
          Backend->SimulateReturnFromFunction(ptr_buffer);
        } else {
          Backend->SimulateReturnFromFunction(0x0);
        }
      })) {
    DebugPrint("Failed to SetBreakpoint (1)\n");
    return false;
  }

  // [...]

This example is overly simplified to illustrate my issue.

When compiling and after a bit of digging, it seems that I cannot redirect any of the arguments of InsertTestcase() inside the SetBreakpoint() routine:

error C3493: 'ptr_buffer' cannot be implicitly captured because no default capture mode has been specified [C:\Users\user\Documents\wtf\wtf-main2\src\build\wtf.vcxproj]

The fact is that I cannot take my snapshot later on during the execution time, since the targeted MapViewOfFile() is called multiple times for the same targeted file (the one I want to fuzz). The only way to fix this is by hooking all MapViewOfFile() and checking if its handle is the one corresponding to my file target.

Also, I cannot directly use "Buffer" during the "Backend->SimulateReturnFromFunction()", since I have to make some modifications to the generated test-case before insertion.

I did not see any examples of a hook (SetBreakpoint()) being used in the InsertTestcase() routine, is it something even possible?
If yes, how to best return my buffer from MapViewOfFile() without having this issue?

Is there any example of how to perform such manipulations on hooked functions?

Thanks :)

Hi!

The way to achieve this, if I understand correctly, is by using a global variable. Global variables aren't part of the captures of the lambda so you should be able to do that; I've done it before. Everything is single threaded so there's no risk for a race or anything.

There's a similar example here: https://github.com/0vercl0k/wtf/blob/main/src/wtf/fuzzer_tlv_server.cc#L67 where the buffer is pushed into a global state, this should work for your use case.

Let me know if I misunderstood!

Cheers
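The global-state pattern described in the answer, as an added stand-alone example that is not code from the wtf project: the test-case is copied into a global, and the capture-less hook (a plain function pointer, which is why a lambda cannot capture locals) reads that global and only returns it for the mapping of the fuzzed file. `Backend_t`, `SetBreakpoint`, `FireMapViewOfFile`, the `Arg0` field and the handle value are assumptions that mock the backend so the snippet runs offline.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Minimal stand-in for wtf's backend (assumption, not the real API): records
// what the hook asked to return and exposes the hooked call's first argument.
struct Backend_t {
  uint64_t Arg0 = 0;     // stands in for reading the file-handle argument
  uint64_t Returned = 0; // value passed to SimulateReturnFromFunction
  void SimulateReturnFromFunction(uint64_t Ret) { Returned = Ret; }
};

using BreakpointHandler_t = void (*)(Backend_t *); // function pointer: no captures
static std::map<std::string, BreakpointHandler_t> g_Hooks;
static Backend_t g_BackendStorage;
static Backend_t *g_Backend = &g_BackendStorage;

static bool SetBreakpoint(const char *Symbol, BreakpointHandler_t Handler) {
  g_Hooks[Symbol] = Handler;
  return true;
}

// Global state shared between InsertTestcase() and the capture-less hook.
static std::vector<uint8_t> g_Testcase;
static const uint64_t g_TargetHandle = 0x1234; // constructed sample handle

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  // Copy the test-case into global storage, then apply the harness-specific
  // transformation (a placeholder XOR here) before the target ever sees it.
  g_Testcase.assign(Buffer, Buffer + BufferSize);
  for (auto &B : g_Testcase) B ^= 0xff;
  // Register the hook once (in wtf this normally lives in Init()).
  if (g_Hooks.count("kernel32!MapViewOfFile") == 0) {
    if (!SetBreakpoint("kernel32!MapViewOfFile", [](Backend_t *Backend) {
          // Only the mapping of the fuzzed file gets the test-case back.
          if (Backend->Arg0 == g_TargetHandle) {
            Backend->SimulateReturnFromFunction(reinterpret_cast<uintptr_t>(g_Testcase.data()));
          } else {
            Backend->SimulateReturnFromFunction(0);
          }
        })) {
      return false;
    }
  }
  return true;
}

// Drives the registered hook as if the target had called MapViewOfFile(Handle).
uint64_t FireMapViewOfFile(uint64_t Handle) {
  g_Backend->Arg0 = Handle;
  g_Hooks.at("kernel32!MapViewOfFile")(g_Backend);
  return g_Backend->Returned;
}
```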

Thanks for your answer! Solved the issue 🙏