4.3 KiB
Fuzzing on Windows
This is a supplemental guide to fuzzing on windows platform.
Windows Subsystem for Linux(WSL) Ubuntu 20.04
Grab Ubuntu from Windows Store and install libFuzzer and afl. But don't forget to update or upgrade the database if you start with a 'blank' Ubuntu.
sudo apt update
sudo apt upgrade
Install clang and libFuzzer
Pick your clang version: 9, 10, or 11. In this example I'll use clang-10.
sudo apt install build-essential
sudo apt-get install clang-10 lldb-10 lld-10
sudo apt-get install libfuzzer-10-dev
Now copy the symlink in /usr/bin or whatever location of clang-10.
$> which clang-10
/usr/bin/clang-10 # this is the result of 'which clang-10'
$> sudo cp -P /usr/bin/clang-10 /usr/bin/clang
Install afl
git clone https://github.com/google/AFL
cd AFL
make
sudo make install
Now go back to Fuzzing instructions for Linux
Real Windows instructions
There are a lot of things you need to install on Windows.
Compiling with libFuzzer
You don't need to install all of the Visual Studio components, you only need to choose “Desktop development with C++”. That will be enough and only download less than 2GB instead of 4GB+. Perhaps you wonder why need to install two compiler? The answer is: libFuzzer does not work with MingW-GCC.
If you already prepare your test case, the instruction to build the binary is exactly the same with Linux version.
nim c -d:libFuzzer -d:release -d:chronicles_log_level=fatal --noMain --cc=clang --passC="-fsanitize=fuzzer" --passL="-fsanitize=fuzzer" testcase
Now go back to Starting the Fuzzer using libFuzzer
Compiling with winafl
We will use the same Visual Studio compiler like libFuzzer.
- Download and install Visual Studio 2019 here
Now open one of this terminal from VS 2019:
- Developer PowerShell for VS 2019
- x64 Native Tools Command Prompt for VS 2019
- x86 Native Tools Command Prompt for VS 2019
Download and build winafl
No need to install cmake, VS 2019 already included cmake in it's installation package.
git clone https://github.com/googleprojectzero/winafl
cd winafl
git submodule update --init --recursive
32/64 bit build using VS 2017
mkdir build32
cd build32
cmake -G"Visual Studio 15 2017" .. -DINTELPT=1
cmake --build . --config Release
mkdir build64
cd build64
cmake -G"Visual Studio 15 2017 Win64" .. -DINTELPT=1
cmake --build . --config Release
32/64 bit build using VS 2019
mkdir build32
cd build32
cmake -G"Visual Studio 16 2019" .. -DINTELPT=1 -Ax86
cmake --build . --config Release
mkdir build64
cd build64
cmake -G"Visual Studio 16 2019" .. -DINTELPT=1 -Ax64
cmake --build . --config Release
Either you use VS 2017 or VS 2019, you'll get the binary in:
winafl/build64/bin/Release or winafl/build32/bin/Release
If you only need to use it occasionally, you can use this command to add the winafl binary path to
you env PATH instead of polluting it system wide.
- PowerShell:
$env:path = ($pwd).path + "\bin\Release;" + $env:path - CMD Command Prompt:
set PATH=%CD%\bin\Release;%PATH%
Compiling testcase
Compiling the testcase is simpler than Linux version, you don't need to use afl-gcc or afl-clang, you can use clang, vcc, or mingw-gcc as you like.
nim c -d:afl -d:noSignalHandler -d:release -d:chronicles_log_level=fatal testcase
Starting the Fuzzer
Now run the command from Command Prompt terminal, the @@ will not work with PowerShell.
Winafl needs the input data to be read from a file, not from stdin, that's why the presence of @@.
afl-fuzz.exe -i inDir -o outDir -P -t 20000 -- -coverage_module testcase.exe -fuzz_iterations 20 -target_module testcase.exe -target_method AFLmain -nargs 2 -- testcase.exe @@
inDiris a directory containing a small but valid input file that makes sense to the program.outDirwill be the location of generated testcase corpus.- replace both
testcase.exewith your executable binary. -Pis Intel PT selector-ttimeout in msec