forked from FSecureLABS/KernelFuzzer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bughunt_thread.h
330 lines (289 loc) · 10.5 KB
/
bughunt_thread.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
#ifndef BUGHUNT_THREAD_H
#define BUGHUNT_THREAD_H
#include <conio.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <windows.h>
#include "bughunt.h"
#include "handles_database.h"
#include "library_calls.h"
#include "hooking.h"
#ifdef _M_IX86
__declspec(noinline) DWORD __stdcall bughunt_syscall (
DWORD _syscall_uid,
DWORD _dw0x01,
DWORD _dw0x02,
DWORD _dw0x03,
DWORD _dw0x04,
DWORD _dw0x05,
DWORD _dw0x06,
DWORD _dw0x07,
DWORD _dw0x08,
DWORD _dw0x09,
DWORD _dw0x0A,
DWORD _dw0x0B,
DWORD _dw0x0C,
DWORD _dw0x0D,
DWORD _dw0x0E,
DWORD _dw0x0F,
DWORD _dw0x10,
DWORD _dw0x11,
DWORD _dw0x12,
DWORD _dw0x13,
DWORD _dw0x14,
DWORD _dw0x15,
DWORD _dw0x16,
DWORD _dw0x17,
DWORD _dw0x18,
DWORD _dw0x19,
DWORD _dw0x1A,
DWORD _dw0x1B,
DWORD _dw0x1C,
DWORD _dw0x1D,
DWORD _dw0x1E,
DWORD _dw0x1F,
DWORD _dw0x20
)
{
__asm
{
push _dw0x20
push _dw0x1F
push _dw0x1E
push _dw0x1D
push _dw0x1C
push _dw0x1B
push _dw0x1A
push _dw0x19
push _dw0x18
push _dw0x17
push _dw0x16
push _dw0x15
push _dw0x14
push _dw0x13
push _dw0x12
push _dw0x11
push _dw0x10
push _dw0x0F
push _dw0x0E
push _dw0x0D
push _dw0x0C
push _dw0x0B
push _dw0x0A
push _dw0x09
push _dw0x08
push _dw0x07
push _dw0x06
push _dw0x05
push _dw0x04
push _dw0x03
push _dw0x02
push _dw0x01
mov eax, _syscall_uid
mov edx, 7FFE0300h
call dword ptr [edx]
add esp, 0x80
}
}
#elif _M_IX64
extern DWORD __stdcall bughunt_syscall(
DWORD _syscall_uid,
QWORD _dw0x01,
QWORD _dw0x02,
QWORD _dw0x03,
QWORD _dw0x04,
QWORD _dw0x05,
QWORD _dw0x06,
QWORD _dw0x07,
QWORD _dw0x08,
QWORD _dw0x09,
QWORD _dw0x0A,
QWORD _dw0x0B,
QWORD _dw0x0C,
QWORD _dw0x0D,
QWORD _dw0x0E,
QWORD _dw0x0F,
QWORD _dw0x10,
QWORD _dw0x11,
QWORD _dw0x12,
QWORD _dw0x13,
QWORD _dw0x14,
QWORD _dw0x15,
QWORD _dw0x16,
QWORD _dw0x17,
QWORD _dw0x18,
QWORD _dw0x19,
QWORD _dw0x1A,
QWORD _dw0x1B,
QWORD _dw0x1C,
QWORD _dw0x1D,
QWORD _dw0x1E,
QWORD _dw0x1F,
QWORD _dw0x20
);
#endif
extern DWORD syscall_count;
DWORD bughunt_thread(unsigned int seed)
{
unsigned int syscall_idx = 0;
SYSCALL* syscall = NULL;
unsigned int syscall_argument_datatype_idx = 0;
unsigned int syscall_arguments[SYSCALL_ARGUMENT_N - 1]; // DWORD syscall_arguments[32];
FILE* stream; // For logging.
BH_Handle syscall_handle_argument;
// The syscall_log_string will hold the string to be logged before the syscall invocation.
char syscall_log_string[512];
memset(syscall_log_string, '\0', 512);
// It turns out rand() is thread-safe after all as its state is kept in a thread-local storage (TLS). This means we have to seed every single state on its own. In this case we choose to use a comination of time(NULL), current process ID, and current thread ID.
if (seed == 1)
{
seed = time(NULL) + GetCurrentProcessId() + GetCurrentThreadId();
logger("//[PRNG Seed] (0x%08X, 0x%08X, %u)", GetCurrentProcessId(), GetCurrentThreadId(), seed);
srand(seed);
}
else //we have been given a seed to use, so use that.
{
logger("//[PRNG Seed] (0x%08X, 0x%08X, %u)", GetCurrentProcessId(), GetCurrentThreadId(), seed);
srand(seed);
}
for (syscall_idx = 0; syscall_idx < syscall_count; syscall_idx += 1)
{
// Invoke one or more library calls.
while (TRUE) {
//fflush(NULL);
// To hook or not to hook? Hook functions at random.
if (rand() % 5 == 1) {
// Uncomment below for hooking.
// 1. Okay, we'll hook. Proceed with installing hook.
//BH_SetWindowsHookEx();
// 2. Make a library call.
(*random_LIBRARY_CALL())();
// 3. Uninstall the hook.
//BH_UnhookWindowsHookEx();
}
else {
(*random_LIBRARY_CALL())();
}
if (rand() % 2) {
break;
}
}
// Start cionstructing the syscall invocation log string little by little, i.e. argument by argument.
syscall = random_SYSCALL ();
syscall_argument_datatype_idx = 0;
sprintf(syscall_log_string, "bughunt_syscall(0x%08x,", syscall->uid);
while ((syscall_argument_datatype_idx < (SYSCALL_ARGUMENT_N - 1))
&& (syscall->argument_datatypes[syscall_argument_datatype_idx] != NIL))
{
//logger("//syscall_argument_datatype_idx = %d\n", syscall_argument_datatype_idx);
switch (syscall->argument_datatypes[syscall_argument_datatype_idx])
{
// Something to check is whether the 0x%08x format string specifier is okay in all cases, e.g. 64-bit.
case _BOOL:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_bool());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _CHAR8:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_char8());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _CHAR16:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_char16());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _INT8:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_int8());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _INT16:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_int16());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _INT32:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_int32());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _INT64:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_int64());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _UINT8:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_uint8());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _UINT16:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_uint16());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _UINT32:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_uint32());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _UINT64:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_uint64());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _REAL32:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_real32());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _REAL64:
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)get_fuzzed_real64());
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08x,", syscall_arguments[syscall_argument_datatype_idx]);
break;
case _HANDLE:
syscall_handle_argument = get_random_HANDLE();
syscall_arguments[syscall_argument_datatype_idx] = ((DWORD)syscall_handle_argument.value);
sprintf(syscall_log_string + strlen(syscall_log_string), "get_specific_HANDLE(%d),", syscall_handle_argument.index);
break;
} // Switch statement.
syscall_argument_datatype_idx += 1;
} // While loop.
for (; syscall_argument_datatype_idx < 32; ) {
//logger("//syscall_argument_datatype_idx = %d\n", syscall_argument_datatype_idx);
sprintf(syscall_log_string + strlen(syscall_log_string), "0x%08X,", 0x4142434445464748);
syscall_argument_datatype_idx += 1;
}
sprintf(syscall_log_string + strlen(syscall_log_string) - 1, ");");
logger(syscall_log_string);
/* INVOKE THE SYSCALL... */
bughunt_syscall (
syscall->uid,
syscall_arguments[0],
syscall_arguments[1],
syscall_arguments[2],
syscall_arguments[3],
syscall_arguments[4],
syscall_arguments[5],
syscall_arguments[6],
syscall_arguments[7],
syscall_arguments[8],
syscall_arguments[9],
syscall_arguments[10],
syscall_arguments[11],
syscall_arguments[12],
syscall_arguments[13],
syscall_arguments[14],
syscall_arguments[15],
syscall_arguments[16],
syscall_arguments[17],
syscall_arguments[18],
syscall_arguments[19],
syscall_arguments[20],
syscall_arguments[21],
syscall_arguments[22],
syscall_arguments[23],
syscall_arguments[24],
syscall_arguments[25],
syscall_arguments[26],
syscall_arguments[27],
syscall_arguments[28],
syscall_arguments[29],
syscall_arguments[30],
syscall_arguments[31]
);
} // For loop.
return (0);
}
#endif /* BUGHUNT_THREAD_H... */