Special thanks to:<\/strong><\/h4>\n\n- Peter Van Eeckhoutte, and members of Corelan Security <\/li>\n
- Offensive Security Exploit Database <\/li>\n
- dookie2000ca for all the feedback <\/li>\n<\/ul>\n
Requirements\/Setup:<\/strong><\/h4>\nIn order to use these tools, you should have:<\/p>\n
\n- Windows XP SP2 or SP3 (not tested on SP1), or newer <\/li>\n
- IDA 4.9, or pvefindaddr. The difference is pvefindaddr is more automatic, IDA isn't. IDA, however, will find all\/more functions though <\/li>\n
- Python 2.5.0 (installed from Immunity Debugger) <\/li>\n
- Pydasm: http:\/\/therning.org\/magnus\/archive\/278<\/a> <\/li>\n
- Paimei: http:\/\/www.openrce.org\/downloads\/details\/208\/PaiMei<\/a> <\/li>\n<\/ul>\n
Pydbg is probably the trickiest to install so we'll go throughly the steps briefly:<\/p>\n
\n- Install Python 2.5. The one I tested was Python 2.5 (r25:51908, Sep 19 2006) <\/li>\n
- Download Pydasm (for Python 2.5) from the URL above. <\/li>\n
- Download Paimei. Extract the package, go to the "installers" folder, and run the installer. <\/li>\n
- Remove C:\\Python25\\Lib\\site-packages\\pydbg\\pydasm.pyd <\/li>\n
- Now you're ready to test out Pydbg. Open command prompt, and type the following. If you no errors after importing Pydbg, that means your system now supports Pydbg: <\/li>\n<\/ol>\n
![\"import_pydbg\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/import_pydbg_thumb.png\")
<\/a><\/p>\nTracer.py: How It Works<\/h3>\n
As I previously mentioned, in order to deploy an in memory fuzzer, you must go through a good amount of analysis to identify all the functions that process your input, and log the function entry address, RETN addresses, and the argument you want to fuzz. This makes fuzzing very time consuming, simply not something that can be done in minutes. The purpose of Tracer.py is to ease off this process, allowing the user to track the control flow and user input at real time.<\/p>\n
This is done by first searching all the function addresses in the application, put a hook point in every one of them, and then start monitoring. If a hooked function is detected, we log the function and the argument, and keep monitoring. Since this happens at real time, even with the most basic tool like this can still see some kind of pattern in the log, which gives us an idea where to fuzz.<\/p>\n
The following example shows how to recognize this pattern in Tracer.py:<\/p>\n
![\"tracer_screenshot\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/tracer_screenshot_thumb.png\")
<\/a><\/p>\nTracer.py: How To<\/h3>\n
First<\/span>, open IDA. If you're using IDA 4.9 ( see image):<\/p>\n\n- Click on the Functions tab <\/li>\n
- Select all the functions (click the first function -> hold [shift] -> select last function) <\/li>\n
- Right click -> copy -> paste on notepad. Save it as "functions.txt<\/strong>" under the same directory as the script. <\/li>\n<\/ol>\n
![\"ida49_functions_enum\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/ida49_functions_enum_thumb.png\")
<\/a><\/p>\nIf you're using IDA Pro 5.5 or higher, the Functions table should be on the left of the the pretty graph. You can do the same thing (right click -> copy and paste) to obtain all your functions that way.<\/p>\n
Second<\/span>, open the application you want to fuzz. You must do this before running the script because it needs to attach to the process first.<\/p>\nThird<\/span>, now that you have a function list (functions.txt). Go to command prompt, and type of the following (assuming you saved Tracer.py in C:\\):<\/p>\n\nC:>C:\\Python25\\python.exe Tracer.py<\/p>\n<\/blockquote>\n
Fourth<\/span>, the script should find the function list file without problems. Give it a pattern (user input) to look for, select the process you want to monitor, and the fun begins. Note that a file named "new_functions_addrs.txt<\/strong>" will be created -- this file contains the same function addresses, and the correct RETN addresses. You can use this as a reference later for InMemoryFuzzer.py.<\/p>\nFifth<\/span>, now Tracer.py should be monitoring. Go back to the application, feed it the same pattern, and then you'll see which functions get triggered. Press [CTRL]+[C]<\/strong> to terminate the script.<\/p>\nInMemoryFuzzer.py: How It Works<\/h3>\n
The idea of how the fuzzer works is simple. Say you have a vulnerable routine at entry 0x1001BEEF (aka snapshot point), which takes the user input as [ESP+4] at the beginning of the prologue, and that function ends at address 0x1001BFEA (restore point). We can put a breakpoint at 0x1001BEEF, another at 0x1001BFEA, and let the application run, as the following diagram demonstrates:<\/p>\n
![\"flow_1\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/flow_1_thumb.png\")
<\/a><\/p>\nWehen the execution flow hits our first breakpoint (entry) for the first time, we take a snapshot of the state (threads, stack, registers, flags, etc), modify the user input in [ESP+4], and resume execution to let the function to process our data, and hope something crashes. If an exception is thrown somewhere in the code, we log that, restore the function state, and redirect the execution flow back to the entry (0x1001BEEF), and fuzz again with a new input, like this diagram:<\/p>\n
![\"flow_2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/flow_2_thumb.png\")
<\/a><\/p>\nOr, no exception is triggered, we end up hitting the second breakpoint, then all we have to do is restore the state, rewind, and fuzz again:<\/p>\n
![\"flow_3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/flow_3_thumb.png\")
<\/a><\/p>\nInMemoryFuzzer.py: How To<\/h3>\n
Before you use the fuzzer, you should already know the following:<\/p>\n
\n- Which process\/dll to fuzz <\/li>\n
- The function entry address(s) (aka your snapshot points) <\/li>\n
- The restore point(s) (typically a RETN address) <\/li>\n
- Which function argument(s) to fuzz <\/li>\n<\/ul>\n
First thing, open the application you want to fuzz again. And if needed, change how many times you want to fuzz by editing the "maxFuzzCount" global variable in the source code. Please note that InMemoryFuzzer.py has two modes for fuzzing: Single routine<\/strong>, or multiple<\/strong>. Single routine mode<\/strong> allows the user to put every required information (function entry, restore point, argument) in one line:<\/p>\n\nC:>C:\\python25\\python.exe InMemoryFuzzer.py <Snapshot point> <Restore point> <Argument><\/p>\n<\/blockquote>\n
So if we were to reuse the same example in the "How it works" section, we would be feeding the fuzzer with the following:<\/p>\n
\nC:>C:\\python25\\python.exe InMemoryFuzzer.py 0x1001BEEF 0x1001BFEA ESP+4<\/p>\n<\/blockquote>\n
Multiple-Routine mode<\/strong>, which is my favorite mode, does not have to called from the command line. All you must do is prepare breakpoints.txt<\/strong>, which contains information such as the snapshot point\/restore point\/argument with the same format: <snapshot point> <restore point> <argument>. Example:<\/p>\n
Requirements\/Setup:<\/strong><\/h4>\nIn order to use these tools, you should have:<\/p>\n
\n- Windows XP SP2 or SP3 (not tested on SP1), or newer <\/li>\n
- IDA 4.9, or pvefindaddr. The difference is pvefindaddr is more automatic, IDA isn't. IDA, however, will find all\/more functions though <\/li>\n
- Python 2.5.0 (installed from Immunity Debugger) <\/li>\n
- Pydasm: http:\/\/therning.org\/magnus\/archive\/278<\/a> <\/li>\n
- Paimei: http:\/\/www.openrce.org\/downloads\/details\/208\/PaiMei<\/a> <\/li>\n<\/ul>\n
Pydbg is probably the trickiest to install so we'll go throughly the steps briefly:<\/p>\n
\n- Install Python 2.5. The one I tested was Python 2.5 (r25:51908, Sep 19 2006) <\/li>\n
- Download Pydasm (for Python 2.5) from the URL above. <\/li>\n
- Download Paimei. Extract the package, go to the "installers" folder, and run the installer. <\/li>\n
- Remove C:\\Python25\\Lib\\site-packages\\pydbg\\pydasm.pyd <\/li>\n
- Now you're ready to test out Pydbg. Open command prompt, and type the following. If you no errors after importing Pydbg, that means your system now supports Pydbg: <\/li>\n<\/ol>\n
<\/a><\/p>\nTracer.py: How It Works<\/h3>\n
As I previously mentioned, in order to deploy an in memory fuzzer, you must go through a good amount of analysis to identify all the functions that process your input, and log the function entry address, RETN addresses, and the argument you want to fuzz. This makes fuzzing very time consuming, simply not something that can be done in minutes. The purpose of Tracer.py is to ease off this process, allowing the user to track the control flow and user input at real time.<\/p>\n
This is done by first searching all the function addresses in the application, put a hook point in every one of them, and then start monitoring. If a hooked function is detected, we log the function and the argument, and keep monitoring. Since this happens at real time, even with the most basic tool like this can still see some kind of pattern in the log, which gives us an idea where to fuzz.<\/p>\n
The following example shows how to recognize this pattern in Tracer.py:<\/p>\n
<\/a><\/p>\nTracer.py: How To<\/h3>\n
First<\/span>, open IDA. If you're using IDA 4.9 ( see image):<\/p>\n\n- Click on the Functions tab <\/li>\n
- Select all the functions (click the first function -> hold [shift] -> select last function) <\/li>\n
- Right click -> copy -> paste on notepad. Save it as "functions.txt<\/strong>" under the same directory as the script. <\/li>\n<\/ol>\n
<\/a><\/p>\nIf you're using IDA Pro 5.5 or higher, the Functions table should be on the left of the the pretty graph. You can do the same thing (right click -> copy and paste) to obtain all your functions that way.<\/p>\n
Second<\/span>, open the application you want to fuzz. You must do this before running the script because it needs to attach to the process first.<\/p>\nThird<\/span>, now that you have a function list (functions.txt). Go to command prompt, and type of the following (assuming you saved Tracer.py in C:\\):<\/p>\n\nC:>C:\\Python25\\python.exe Tracer.py<\/p>\n<\/blockquote>\n
Fourth<\/span>, the script should find the function list file without problems. Give it a pattern (user input) to look for, select the process you want to monitor, and the fun begins. Note that a file named "new_functions_addrs.txt<\/strong>" will be created -- this file contains the same function addresses, and the correct RETN addresses. You can use this as a reference later for InMemoryFuzzer.py.<\/p>\nFifth<\/span>, now Tracer.py should be monitoring. Go back to the application, feed it the same pattern, and then you'll see which functions get triggered. Press [CTRL]+[C]<\/strong> to terminate the script.<\/p>\nInMemoryFuzzer.py: How It Works<\/h3>\n
The idea of how the fuzzer works is simple. Say you have a vulnerable routine at entry 0x1001BEEF (aka snapshot point), which takes the user input as [ESP+4] at the beginning of the prologue, and that function ends at address 0x1001BFEA (restore point). We can put a breakpoint at 0x1001BEEF, another at 0x1001BFEA, and let the application run, as the following diagram demonstrates:<\/p>\n
<\/a><\/p>\nWehen the execution flow hits our first breakpoint (entry) for the first time, we take a snapshot of the state (threads, stack, registers, flags, etc), modify the user input in [ESP+4], and resume execution to let the function to process our data, and hope something crashes. If an exception is thrown somewhere in the code, we log that, restore the function state, and redirect the execution flow back to the entry (0x1001BEEF), and fuzz again with a new input, like this diagram:<\/p>\n
<\/a><\/p>\nOr, no exception is triggered, we end up hitting the second breakpoint, then all we have to do is restore the state, rewind, and fuzz again:<\/p>\n
<\/a><\/p>\nInMemoryFuzzer.py: How To<\/h3>\n
Before you use the fuzzer, you should already know the following:<\/p>\n
\n- Which process\/dll to fuzz <\/li>\n
- The function entry address(s) (aka your snapshot points) <\/li>\n
- The restore point(s) (typically a RETN address) <\/li>\n
- Which function argument(s) to fuzz <\/li>\n<\/ul>\n
First thing, open the application you want to fuzz again. And if needed, change how many times you want to fuzz by editing the "maxFuzzCount" global variable in the source code. Please note that InMemoryFuzzer.py has two modes for fuzzing: Single routine<\/strong>, or multiple<\/strong>. Single routine mode<\/strong> allows the user to put every required information (function entry, restore point, argument) in one line:<\/p>\n\nC:>C:\\python25\\python.exe InMemoryFuzzer.py <Snapshot point> <Restore point> <Argument><\/p>\n<\/blockquote>\n
So if we were to reuse the same example in the "How it works" section, we would be feeding the fuzzer with the following:<\/p>\n
\nC:>C:\\python25\\python.exe InMemoryFuzzer.py 0x1001BEEF 0x1001BFEA ESP+4<\/p>\n<\/blockquote>\n
Multiple-Routine mode<\/strong>, which is my favorite mode, does not have to called from the command line. All you must do is prepare breakpoints.txt<\/strong>, which contains information such as the snapshot point\/restore point\/argument with the same format: <snapshot point> <restore point> <argument>. Example:<\/p>\n
Pydbg is probably the trickiest to install so we'll go throughly the steps briefly:<\/p>\n
- \n
- Install Python 2.5. The one I tested was Python 2.5 (r25:51908, Sep 19 2006) <\/li>\n
- Download Pydasm (for Python 2.5) from the URL above. <\/li>\n
- Download Paimei. Extract the package, go to the "installers" folder, and run the installer. <\/li>\n
- Remove C:\\Python25\\Lib\\site-packages\\pydbg\\pydasm.pyd <\/li>\n
- Now you're ready to test out Pydbg. Open command prompt, and type the following. If you no errors after importing Pydbg, that means your system now supports Pydbg: <\/li>\n<\/ol>\n<\/a><\/p>\n
Tracer.py: How It Works<\/h3>\n
As I previously mentioned, in order to deploy an in memory fuzzer, you must go through a good amount of analysis to identify all the functions that process your input, and log the function entry address, RETN addresses, and the argument you want to fuzz. This makes fuzzing very time consuming, simply not something that can be done in minutes. The purpose of Tracer.py is to ease off this process, allowing the user to track the control flow and user input at real time.<\/p>\n
This is done by first searching all the function addresses in the application, put a hook point in every one of them, and then start monitoring. If a hooked function is detected, we log the function and the argument, and keep monitoring. Since this happens at real time, even with the most basic tool like this can still see some kind of pattern in the log, which gives us an idea where to fuzz.<\/p>\n
The following example shows how to recognize this pattern in Tracer.py:<\/p>\n
<\/a><\/p>\nTracer.py: How To<\/h3>\n
First<\/span>, open IDA. If you're using IDA 4.9 ( see image):<\/p>\n
- \n
- Click on the Functions tab <\/li>\n
- Select all the functions (click the first function -> hold [shift] -> select last function) <\/li>\n
- Right click -> copy -> paste on notepad. Save it as "functions.txt<\/strong>" under the same directory as the script. <\/li>\n<\/ol>\n<\/a><\/p>\n
If you're using IDA Pro 5.5 or higher, the Functions table should be on the left of the the pretty graph. You can do the same thing (right click -> copy and paste) to obtain all your functions that way.<\/p>\n
Second<\/span>, open the application you want to fuzz. You must do this before running the script because it needs to attach to the process first.<\/p>\n
Third<\/span>, now that you have a function list (functions.txt). Go to command prompt, and type of the following (assuming you saved Tracer.py in C:\\):<\/p>\n
\n
C:>C:\\Python25\\python.exe Tracer.py<\/p>\n<\/blockquote>\n
Fourth<\/span>, the script should find the function list file without problems. Give it a pattern (user input) to look for, select the process you want to monitor, and the fun begins. Note that a file named "new_functions_addrs.txt<\/strong>" will be created -- this file contains the same function addresses, and the correct RETN addresses. You can use this as a reference later for InMemoryFuzzer.py.<\/p>\n
Fifth<\/span>, now Tracer.py should be monitoring. Go back to the application, feed it the same pattern, and then you'll see which functions get triggered. Press [CTRL]+[C]<\/strong> to terminate the script.<\/p>\n
InMemoryFuzzer.py: How It Works<\/h3>\n
The idea of how the fuzzer works is simple. Say you have a vulnerable routine at entry 0x1001BEEF (aka snapshot point), which takes the user input as [ESP+4] at the beginning of the prologue, and that function ends at address 0x1001BFEA (restore point). We can put a breakpoint at 0x1001BEEF, another at 0x1001BFEA, and let the application run, as the following diagram demonstrates:<\/p>\n
<\/a><\/p>\nWehen the execution flow hits our first breakpoint (entry) for the first time, we take a snapshot of the state (threads, stack, registers, flags, etc), modify the user input in [ESP+4], and resume execution to let the function to process our data, and hope something crashes. If an exception is thrown somewhere in the code, we log that, restore the function state, and redirect the execution flow back to the entry (0x1001BEEF), and fuzz again with a new input, like this diagram:<\/p>\n
<\/a><\/p>\nOr, no exception is triggered, we end up hitting the second breakpoint, then all we have to do is restore the state, rewind, and fuzz again:<\/p>\n
<\/a><\/p>\nInMemoryFuzzer.py: How To<\/h3>\n
Before you use the fuzzer, you should already know the following:<\/p>\n
- \n
- Which process\/dll to fuzz <\/li>\n
- The function entry address(s) (aka your snapshot points) <\/li>\n
- The restore point(s) (typically a RETN address) <\/li>\n
- Which function argument(s) to fuzz <\/li>\n<\/ul>\n
First thing, open the application you want to fuzz again. And if needed, change how many times you want to fuzz by editing the "maxFuzzCount" global variable in the source code. Please note that InMemoryFuzzer.py has two modes for fuzzing: Single routine<\/strong>, or multiple<\/strong>. Single routine mode<\/strong> allows the user to put every required information (function entry, restore point, argument) in one line:<\/p>\n
\n
C:>C:\\python25\\python.exe InMemoryFuzzer.py <Snapshot point> <Restore point> <Argument><\/p>\n<\/blockquote>\n
So if we were to reuse the same example in the "How it works" section, we would be feeding the fuzzer with the following:<\/p>\n
\n
C:>C:\\python25\\python.exe InMemoryFuzzer.py 0x1001BEEF 0x1001BFEA ESP+4<\/p>\n<\/blockquote>\n
Multiple-Routine mode<\/strong>, which is my favorite mode, does not have to called from the command line. All you must do is prepare breakpoints.txt<\/strong>, which contains information such as the snapshot point\/restore point\/argument with the same format: <snapshot point> <restore point> <argument>. Example:<\/p>\n
![\"breakpoints_file\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/breakpoints_file_thumb.png\")
<\/a><\/p>\n![\"dump\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/10\/dump_thumb.png\")
<\/a><\/p>\n