[Fuzzing] Automatically supplying the WinAFL target function offset

ANALYSIS/Fuzzing

by koharin 2022. 7. 8. 15:59


Prerequisite

  • Windbg
  • IDA Pro

Windbg: load the target

The target is the HncAppShield.dll library, so we load an exe that uses this library.
Because HncAppShield.dll checks for malicious payloads and the like before a file's contents are shown to the user, I assumed HwpViewer.exe would load it and decided to debug HwpViewer.exe with Windbg.

Load HwpViewer.exe via File → Open Executable.

Windbg: target dll base

lm m <dll name>
!lmi <dll name>

Either of these two Windbg commands gives the base; the !lmi output is easier to read.

target function offset

Check the HncAppShield base

0:000> g
ModLoad: 75dc0000 75de5000   C:\\Windows\\SysWOW64\\IMM32.DLL
ModLoad: 70910000 7095f000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBM90.dll
DllMain() : DLL_PROCESS_ATTACH -  HncBaseMisc Start!
ModLoad: 708b0000 70907000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBL90.dll
DllMain() : DLL_PROCESS_ATTACH -  HncBase Start!
ModLoad: 03650000 03652000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBL90.KOR
ModLoad: 03650000 03652000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBL90.KOR
ModLoad: 03670000 03672000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBM90.KOR
ModLoad: 03670000 03672000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBM90.KOR
ModLoad: 70810000 708ae000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\A3Dll32.dll
ModLoad: 76850000 7694a000   C:\\Windows\\SysWOW64\\CRYPT32.dll
ModLoad: 70680000 70808000   C:\\Windows\\SysWOW64\\dbghelp.dll
ModLoad: 70650000 70676000   C:\\Windows\\SysWOW64\\dbgcore.DLL
[bSyae] [+] Load 
ModLoad: 736d0000 73cdc000   C:\\Windows\\SysWOW64\\windows.storage.dll
ModLoad: 736a0000 736c4000   C:\\Windows\\SysWOW64\\Wldp.dll
ModLoad: 75880000 75907000   C:\\Windows\\SysWOW64\\SHCORE.dll
ModLoad: 71a50000 71bf8000   C:\\Windows\\SysWOW64\\urlmon.dll
ModLoad: 72890000 72abd000   C:\\Windows\\SysWOW64\\iertutil.dll
ModLoad: 73350000 7336d000   C:\\Windows\\SysWOW64\\srvcli.dll
[bSyae] [+] Protect 
ModLoad: 036b0000 036b7000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncProcessObject.dll
ModLoad: 71410000 71577000   C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1706_none_d94bc52be10975a7\\GdiPlus.dll
ModLoad: 70530000 7063c000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBD90.dll
ModLoad: 70520000 70526000   C:\\Windows\\SysWOW64\\MSIMG32.dll
ModLoad: 70310000 7051c000   C:\\Windows\\SysWOW64\\DWrite.dll
ModLoad: 75d20000 75d7f000   C:\\Windows\\SysWOW64\\bcryptPrimitives.dll
DllMain() : DLL_PROCESS_ATTACH -  HncBaseDraw Start!
ModLoad: 03c50000 03c52000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncBD90.KOR
ModLoad: 1a000000 1a0a1000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncIMM90.dll
ModLoad: 040a0000 04141000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncIMM90.dll
DllMain() : DLL_PROCESS_ATTACH -  HncImm Start!
ModLoad: 04160000 04163000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncIMM90.KOR
ModLoad: 702c0000 7030f000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncVfs90.dll
ModLoad: 70280000 702b9000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncNetffice.dll
ModLoad: 71c90000 71cc2000   C:\\Windows\\SysWOW64\\IPHLPAPI.DLL
DllMain() : DLL_PROCESS_ATTACH -  Hnc Vfs Netffice Start!
ModLoad: 04190000 04192000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncNetffice.KOR
ModLoad: 74c30000 74c3f000   C:\\Windows\\SysWOW64\\kernel.appcore.dll
ModLoad: 74bb0000 74c24000   C:\\Windows\\SysWOW64\\uxtheme.dll
DllMain() : DLL_PROCESS_ATTACH -  HncVfs Start!
ModLoad: 041a0000 041a5000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncVfs90.KOR
ModLoad: 6fe80000 7027b000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncAtlExt90.dll
ModLoad: 74d10000 74d2a000   C:\\Windows\\SysWOW64\\MPR.dll
DllMain() : DLL_PROCESS_ATTACH -  HncAtlExt Start!
ModLoad: 042d0000 0442c000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncAtlExt90.KOR
ModLoad: 6fe70000 6fe7a000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncEO.dll
ModLoad: 04600000 04b9f000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HwpViewUR.KOR
ModLoad: 6fe40000 6fe67000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncImageIO.dll
ModLoad: 6f0c0000 6fe39000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncOfficeAction.dll
ModLoad: 75c30000 75c7c000   C:\\Windows\\SysWOW64\\WINTRUST.dll
ModLoad: 6f0b0000 6f0b8000   C:\\Windows\\SysWOW64\\WSOCK32.dll
ModLoad: 6eff0000 6f0a1000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncPdfSdk.dll
ModLoad: 6efe0000 6efed000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncOfficeEngine.dll
ModLoad: 71c60000 71c6e000   C:\\Windows\\SysWOW64\\MSASN1.dll
ModLoad: 04260000 04262000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncPdfSdk.KOR
ModLoad: 04d60000 0513a000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncOfficeAction.KOR
ModLoad: 04ba0000 04c74000   C:\\Windows\\SysWOW64\\MSCTF.dll
ModLoad: 6e710000 6efdd000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HwpVApp.dll
ModLoad: 6e6f0000 6e705000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncAppShieldForOOXML.dll
ModLoad: 6e650000 6e6e6000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\SDSerialize.dll
ModLoad: 6e540000 6e644000   C:\\Windows\\SysWOW64\\OPENGL32.dll
ModLoad: 6e500000 6e53f000   C:\\Windows\\SysWOW64\\GLU32.dll
ModLoad: 77300000 7735e000   C:\\Windows\\SysWOW64\\coml2.dll
ModLoad: 6e470000 6e4fa000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HNCXML90.dll
ModLoad: 6e2b0000 6e46d000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncXerCore9.dll
ModLoad: 6e0e0000 6e2a3000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncXalCore9.dll
ModLoad: 6e080000 6e0db000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncPtnCore9.dll
ModLoad: 04c90000 04d0a000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncXsecCore9.dll
ModLoad: 6df70000 6e072000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HNCLIBEAY9.dll
ModLoad: 6df60000 6df69000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncXalMesg9.dll
ModLoad: 04d20000 04d23000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HNCXML90.KOR
ModLoad: 05630000 0568f000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\MouseCursor.NEU
ModLoad: 73d40000 73d61000   C:\\Windows\\SysWOW64\\SspiCli.dll
ModLoad: 48000000 4801e000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HimCfgDlg90.dll
ModLoad: 05690000 056ae000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HimCfgDlg90.dll
ModLoad: 056c0000 05726000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HimCfgDlgUR90.KOR
ModLoad: 747a0000 74859000   C:\\Windows\\SysWOW64\\textinputframework.dll
ModLoad: 74520000 7479e000   C:\\Windows\\SysWOW64\\CoreUIComponents.dll
ModLoad: 74480000 7451b000   C:\\Windows\\SysWOW64\\CoreMessaging.dll
ModLoad: 74450000 74479000   C:\\Windows\\SysWOW64\\ntmarta.dll
ModLoad: 74370000 7444b000   C:\\Windows\\SysWOW64\\wintypes.dll
ModLoad: 4b100000 4b122000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\Him\\HncKor90.Him
ModLoad: 057b0000 057d2000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\Him\\HncKor90.Him
ModLoad: 741e0000 742a2000   C:\\Windows\\SysWOW64\\PROPSYS.dll
ModLoad: 75990000 75a0e000   C:\\Windows\\SysWOW64\\clbcatq.dll
ModLoad: 73680000 73698000   C:\\Windows\\SysWOW64\\profapi.dll
ModLoad: 75d80000 75dbb000   C:\\Windows\\SysWOW64\\CFGMGR32.dll
ModLoad: 735a0000 735bb000   C:\\Windows\\SysWOW64\\edputil.dll
ModLoad: 72c20000 72cb3000   C:\\Windows\\SysWOW64\\Windows.StateRepositoryPS.dll
ModLoad: 6dee0000 6df51000   C:\\Windows\\SysWOW64\\appresolver.dll
ModLoad: 726f0000 72738000   C:\\Windows\\SysWOW64\\Bcp47Langs.dll
ModLoad: 6dec0000 6dedf000   C:\\Windows\\SysWOW64\\SLC.dll
ModLoad: 6dea0000 6debc000   C:\\Windows\\SysWOW64\\sppc.dll
ModLoad: 6de60000 6de9d000   C:\\Windows\\SysWOW64\\OneCoreCommonProxyStub.dll
ModLoad: 6dab0000 6de51000   C:\\Windows\\SysWOW64\\OneCoreUAPCommonProxyStub.dll
ModLoad: 73270000 732a1000   C:\\Windows\\SysWOW64\\dataexchange.dll
ModLoad: 73090000 73270000   C:\\Windows\\SysWOW64\\d3d11.dll
ModLoad: 72e50000 72fb5000   C:\\Windows\\SysWOW64\\dcomp.dll
ModLoad: 72fc0000 73083000   C:\\Windows\\SysWOW64\\dxgi.dll
ModLoad: 72cc0000 72e4f000   C:\\Windows\\SysWOW64\\twinapi.appcore.dll
ModLoad: 6d900000 6daa9000   C:\\Windows\\SysWOW64\\explorerframe.dll
ModLoad: 6d2c0000 6d8fc000   C:\\Windows\\SysWOW64\\ieframe.dll
ModLoad: 71d30000 71df9000   C:\\Windows\\SysWOW64\\WINHTTP.dll
ModLoad: 74d30000 74f40000   C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32.dll
ModLoad: 6d270000 6d2b7000   C:\\Windows\\SysWOW64\\msIso.dll
ModLoad: 6c010000 6d263000   C:\\Windows\\SysWOW64\\mshtml.dll
ModLoad: 6bfc0000 6c004000   C:\\Windows\\SysWOW64\\powrprof.dll
ModLoad: 6bfb0000 6bfbd000   C:\\Windows\\SysWOW64\\UMPDC.dll
ModLoad: 6bf80000 6bfa5000   C:\\Windows\\SysWOW64\\srpapi.dll
ModLoad: 06590000 065a9000   C:\\Windows\\SysWOW64\\bcrypt.dll
ModLoad: 6bf40000 6bf74000   C:\\Windows\\SysWOW64\\mlang.dll
ModLoad: 06700000 06712000   C:\\Windows\\SysWOW64\\ondemandconnroutehelper.dll
ModLoad: 75810000 75817000   C:\\Windows\\SysWOW64\\NSI.dll
ModLoad: 71cd0000 71d22000   C:\\Windows\\SysWOW64\\mswsock.dll
ModLoad: 71c80000 71c88000   C:\\Windows\\SysWOW64\\WINNSI.DLL
ModLoad: 06c30000 06c37000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\DocFiltersRes.KOR
ModLoad: 6bec0000 6bf3e000   C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncAppShield.dll
eax=00000000 ebx=00800000 ecx=00000000 edx=00000000 esi=068f83b8 edi=068f9618
eip=77922c5c esp=06d886c8 ebp=06d8a560 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtMapViewOfSection+0xc:
77922c5c c22800          ret     28h

  • The g command runs the program until the next breakpoint is hit; the libraries loaded along the way are listed as above.
  • HncAppShield.dll, the target, appears among them, and its base address is 6bec0000.

Check the AppShield_InspectMalware symbol

0:014> x *!AppShield_InspectMalware*
*** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\libEGL.dll
*** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\HncXsecCore9.dll
*** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\MouseCursor.NEU
*** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\Hnc\\Office NEO\\HOfficeViewer96\\Bin\\libGLESv2.dll
6bec12d0          HncAppShield!AppShield_InspectMalware (<no parameter info>)
  • x *!<symbol> searches one or more modules; wildcards (*) are supported.
  • When you do not know which module contains the symbol AppShield_InspectMalware, a wildcard lets you look it up as x *!AppShield_InspectMalware.
  • target dll base address: 6bec0000
  • target function (HncAppShield!AppShield_InspectMalware) address: 6bec12d0

⇒ target function offset: 0x12d0

Check the targettest.exe base

Check the fuzz_hwp symbol

  • fuzz_hwp function address: 0x421040

⇒ fuzz_hwp function offset: 0x1040


Getting a function address inside the target #1

#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <windows.h>
#include <iostream>

// Signature of the target function: a file-processing entry point that takes a path
typedef int(*TARGET)(wchar_t* filename);
TARGET target_function;

int main(int argc, char **argv){

    if(argc < 3){
        fprintf(stderr, "Usage: %s [target] [target function name]\n", argv[0]);
        return 1;
    }

    // Loading the module maps it at its base address (note: this also runs its DllMain)
    HINSTANCE target = LoadLibraryA(argv[1]);

    if(target == NULL){
        fprintf(stderr, "Error: Unable to open target dll\n");
        return 2;
    }

    // Resolve the exported function by name; NULL if there is no such export
    target_function = (TARGET)GetProcAddress(target, argv[2]);

    if(target_function == NULL){
        fprintf(stderr, "Error: Unable to find function %s\n", argv[2]);
        return 3;
    }

    printf("target: 0x%" PRIxPTR "\n", (uintptr_t)target);
    printf("function ptr: 0x%" PRIxPTR "\n", (uintptr_t)target_function);
    return 0;
}

Given the target path and the name of a function inside it, this program prints the target's base address and the address of the target function.

cmake_minimum_required(VERSION 3.0)

get_filename_component(ProjectId ${CMAKE_CURRENT_SOURCE_DIR} NAME)
string(REPLACE " " "_" ProjectId ${ProjectId})
project(${ProjectId})

set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)

file(GLOB SOURCES *.cpp)

add_executable(${PROJECT_NAME} ${SOURCES})

Build it as a 32-bit executable with cmake using this CMakeLists.txt.

Execution result

The offset found earlier in the debugger can be read off the function ptr value.


Getting a function address inside the target #2

#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <windows.h>
#include <iostream>

typedef int(*TARGET)(wchar_t* filename);
TARGET target_function;

int main(int argc, char **argv){

    if(argc < 3){
        fprintf(stderr, "Usage: %s [target] [target function name]\n", argv[0]);
        return 1;
    }

    HINSTANCE target = LoadLibraryA(argv[1]);

    if(target == NULL){
        fprintf(stderr, "Error: Unable to open target dll\n");
        return 2;
    }

    target_function = (TARGET)GetProcAddress(target, argv[2]);

    if(target_function == NULL){
        fprintf(stderr, "Error: Unable to find function %s\n", argv[2]);
        return 3;
    }

    // Offset of the function from the module base: the value WinAFL's -target_offset expects
    printf("0x%" PRIxPTR "\n", (uintptr_t)target_function - (uintptr_t)target);

    return 0;
}

Usage

offset.exe [target path] [target method]

Execution result

The target method offset is computed correctly.
Now this offset has to be passed to the -target_offset option when afl-fuzz.exe is run.
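The same offset can be obtained without loading the module at all. The example below is added here and is not the post's own code: it parses the PE export table and reads the function's RVA, which for a regular export is exactly GetProcAddress(...) minus the module base, i.e. the value WinAFL's -target_offset wants. Doing it statically means the offset tool never runs the target's DllMain (LoadLibraryA does), and it makes the forwarded-export edge case explicit, where address-minus-base would point into a different DLL. The sample image, its export names (fuzz_hwp, parse_hdr, forwarded_fn) and RVAs are constructed for the test and are not taken from targettest.exe. This covers exported functions only; a function found by symbol in Windbg, as with AppShield_InspectMalware above, still needs the debugger or IDA.

```python
import struct
import sys

# Index of the export table in the optional header's data directory array
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _read_cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\x00", off)].decode("ascii")


def export_rvas(pe):
    """Return {export name: RVA} for every named export of a PE32/PE32+ image.

    The RVA is the function's offset from the module base, which is what
    WinAFL's -target_offset expects. Forwarded exports are skipped: they have
    no code in this module, so address-minus-base would be meaningless.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva, exp_size = struct.unpack_from("<II", pe, dd + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return {}

    # Section table follows the optional header; 40-byte IMAGE_SECTION_HEADER entries
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    # IMAGE_EXPORT_DIRECTORY: counts and table RVAs live at offsets 20..40
    exp = _rva_to_offset(exp_rva, sections)
    _n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", pe, exp + 20)
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)

    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", pe, ords + 2 * i)[0]   # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * ordinal)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:
            continue   # points back into the export directory: a forwarder string, not code
        result[_read_cstr(pe, _rva_to_offset(name_rva, sections))] = func_rva
    return result


def target_offset(pe, name):
    """Offset of the named export from the module base; KeyError if absent or forwarded."""
    return export_rvas(pe)[name]


def build_sample_pe():
    """Constructed minimal PE32 image with .text and .edata sections (test input, not a real binary)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # COFF header, 2 sections
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96, 0x2000, 0xB0)                      # export directory RVA/size
    sec = 0x58 + 0xE0
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, sec + 40, b".edata", 0x400, 0x2000, 0x400, 0x400)

    edata = bytearray(0x400)
    # export directory: name RVA, ordinal base 1, 3 functions, 3 names, then the three table RVAs
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, 0x2080, 1, 3, 3, 0x2028, 0x2034, 0x2040)
    struct.pack_into("<III", edata, 0x28, 0x1040, 0x1080, 0x20A0)  # AddressOfFunctions (last one forwards)
    struct.pack_into("<III", edata, 0x34, 0x2050, 0x205D, 0x2066)  # AddressOfNames (sorted, as the loader requires)
    struct.pack_into("<HHH", edata, 0x40, 2, 0, 1)                 # AddressOfNameOrdinals
    edata[0x50:0x70] = b"forwarded_fn\x00fuzz_hwp\x00parse_hdr\x00"
    edata[0x80:0x8F] = b"targettest.exe\x00"
    edata[0xA0:0xAE] = b"OTHER.real_fn\x00"
    return bytes(hdr) + bytes(0x200) + bytes(edata)


if __name__ == "__main__":
    # Usage: python export_offset.py <pe path> <export name>   (prints e.g. 0x1040, ready for -target_offset)
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("0x%x" % target_offset(image, sys.argv[2]))
```

Because nothing is executed, the script can run on any host, not just the 32-bit Windows build machine, and it can be dropped into the FOR /F loop below in place of offset.exe. On the constructed image it reports 0x1040 for fuzz_hwp and refuses forwarded_fn, which is the case where the LoadLibrary-based subtraction would silently produce a wrong offset.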


Passing the offset to -target_offset when running afl-fuzz

The goal is to feed the function offset produced by offset.exe into the -target_offset option of afl-fuzz.exe.

FOR /F %i IN ('offset.exe C:\Users\johan\targettest\build\bin\Release\targettest.exe fuzz_hwp') DO set VARIABLE=%i

The first idea was to capture the command's output in the VARIABLE variable from the Windows shell. Once the variable is set, passing -target_offset %VARIABLE% to afl-fuzz.exe should just work, shouldn't it?

Let's test it with DynamoRIO.

All 10 test iterations complete normally.

afl-fuzz.exe -i C:\Users\johan\targettest\mininput -o C:\Users\johan\targettest\out -D C:\Users\johan\DynamoRIO-Windows-9.0.19174\DynamoRIO-Windows-9.0.19174\bin32 -t 10000 -- -coverage_module targettest.exe -target_module targettest.exe -target_offset %VARIABLE% -fuzz_iterations 5000 -nargs 1 -- "C:\Users\johan\targettest\build\bin\Release\targettest.exe" @@

afl-fuzz also picks up the variable's value and runs normally.


Writing the automation script


A Windows cmd script can be written as a batch file.
According to the documentation, FOR /F can be used to parse the output of the command given in parentheses.

batch script - DynamoRIO debugging test

ECHO OFF
REM %1 = target executable path, %2 = target function name
SET arg1=%1
SET arg2=%2

REM Run offset.exe and store its single output line (the function offset) in OFFSET
FOR /F %%i IN ('C:\Users\johan\code\offset\build\bin\Release\offset.exe %arg1% %arg2%') DO set OFFSET=%%i
ECHO ON
C:\Users\johan\DynamoRIO-Windows-9.0.19174\DynamoRIO-Windows-9.0.19174\bin32\drrun.exe -c "C:\Users\johan\winafl\build32\bin\Release\winafl.dll" -debug -target_module targettest.exe -coverage_module targettest.exe -target_offset %OFFSET% -fuzz_iterations 10 -nargs 1 -- "C:\Users\johan\targettest\build\bin\Release\targettest.exe" "C:\Users\johan\targettest\input\test.txt"

A batch script that, given an executable and the name of a method inside it, computes the method's offset and passes it as -target_offset to the DynamoRIO fuzzer test.

Script run #1

C:\Users\johan\code\autooffset.bat "C:\Users\johan\targettest\build\bin\Release\targettest.exe" fuzz_hwp

The target path and target function name are passed as batch script arguments; the script computes the offset, passes it to -target_offset correctly, and the run completes normally.


Result of using the automation script

batch script - run fuzzer

ECHO OFF
REM %1 = target executable path, %2 = target function name
SET arg1=%1
SET arg2=%2

REM Store the offset printed by offset.exe in OFFSET, then hand it to afl-fuzz via -target_offset
FOR /F %%i IN ('C:\Users\johan\code\offset\build\bin\Release\offset.exe %arg1% %arg2%') DO set OFFSET=%%i
ECHO ON
C:\Users\johan\winafl\build32\bin\Release\afl-fuzz.exe -i C:\Users\johan\targettest\input -o C:\Users\johan\targettest\out -D C:\Users\johan\DynamoRIO-Windows-9.0.19174\DynamoRIO-Windows-9.0.19174\bin32 -t 1000 -- -coverage_module targettest.exe -fuzz_iterations 1000 -target_module targettest.exe -target_offset %OFFSET% -nargs 1 -- C:\Users\johan\targettest\build\bin\Release\targettest.exe @@

A script that uses the target file path and target function name given as batch arguments to store the target function's offset in the OFFSET variable, then passes OFFSET to afl-fuzz's -target_offset option.

Usage

autooffset.bat [target path] [target method name]

Running the batch script

C:\Users\johan\code\autooffset.bat "C:\Users\johan\targettest\build\bin\Release\targettest.exe" fuzz_hwp

Note: run it from the directory containing afl-fuzz.exe.

The winAFL fuzzer starts normally.
