Sunday, September 27, 2009

IOCTL fuzzer parser

As written on esage lab, the website of the IOCTL Fuzzer's creators:
"IOCTL Fuzzer is a command line tool designed to automate searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them."

When started without a configuration, the tool runs in a useful monitor mode that logs IRPs. From the log we can see the driver, device, process and IOCTL code of each IRP; these are exactly the values we need to create a configuration for the fuzzer.

example of use: ioctl_fuzzer > log

Wandering through the log to find what we are looking for can take a while, and that's where IOCTL filter comes in handy.
It's a Python script written to help organize IOCTL Fuzzer logs better and find immediately what we need.

example of use: python ioctl_fuzzer.py -p process < log > out

It takes the log from stdin and writes to stdout; with the -p, -e and -r options we can keep only the IRPs whose process, device or driver name, respectively, contains a word we are interested in.
In the example we keep all IRPs issued by processes whose name contains "process".
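To show what such a filter does, here is an added example written for this post; it is not the ioctl_fuzzer.py script described above, and the key=value log layout it parses is an assumption made for the example (the real IOCTL Fuzzer monitor output may look different, in which case only the regex in parse_line() needs adapting). It reads a log on stdin, filters with -p/-e/-r like the original script, and adds a --summary option (also an assumption, not a feature of the original) that lists the distinct driver/device/IOCTL triples, which are the values a fuzzing configuration is built from.

```python
"""Filter IOCTL Fuzzer monitor-mode logs by process, device or driver.

Added example, not the original ioctl_fuzzer.py. Reads the log on stdin
and writes matching records on stdout; --summary prints the distinct
driver/device/IOCTL triples instead.
"""
import argparse
import re
import sys
from collections import OrderedDict

# Constructed sample log. The key=value layout is an assumption for this
# example; the real IOCTL Fuzzer log format may differ.
SAMPLE_LOG = """\
proc=notepad.exe pid=1234 drv=\\Driver\\Beep dev=\\Device\\Beep ioctl=0x00010000 in=8 out=0
proc=svchost.exe pid=812 drv=\\Driver\\Tcpip dev=\\Device\\Tcp ioctl=0x00120007 in=32 out=64
proc=MyProcess.exe pid=4321 drv=\\Driver\\MyDrv dev=\\Device\\MyDev ioctl=0x00222000 in=16 out=16
proc=MyProcess.exe pid=4321 drv=\\Driver\\MyDrv dev=\\Device\\MyDev ioctl=0x00222004 in=4 out=4
this line is not an IRP record and is skipped
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"proc", "drv", "dev", "ioctl"}


def parse_line(line):
    """Return a dict of fields for an IRP record, or None for any other line."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED <= set(fields) else None


def matches(fields, process=None, device=None, driver=None):
    """Case-insensitive substring match; a filter left as None always matches."""
    checks = ((process, fields["proc"]), (device, fields["dev"]), (driver, fields["drv"]))
    return all(needle is None or needle.lower() in hay.lower() for needle, hay in checks)


def filter_log(lines, process=None, device=None, driver=None):
    """Yield the raw log lines whose parsed fields satisfy every given filter."""
    for line in lines:
        fields = parse_line(line)
        if fields and matches(fields, process, device, driver):
            yield line.rstrip("\n")


def summarize(lines, **filters):
    """Distinct (driver, device, ioctl) triples of the matching records, first-seen order."""
    seen = OrderedDict()
    for line in filter_log(lines, **filters):
        f = parse_line(line)
        seen[(f["drv"], f["dev"], f["ioctl"])] = None
    return list(seen)


def main(argv=None):
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("-p", "--process", help="keep IRPs whose process name contains this")
    ap.add_argument("-e", "--device", help="keep IRPs whose device name contains this")
    ap.add_argument("-r", "--driver", help="keep IRPs whose driver name contains this")
    ap.add_argument("--summary", action="store_true",
                    help="print distinct driver/device/IOCTL triples instead of raw lines")
    ap.add_argument("--demo", action="store_true",
                    help="use the embedded sample log instead of stdin")
    args = ap.parse_args(argv)

    source = SAMPLE_LOG.splitlines(True) if args.demo else sys.stdin
    filters = dict(process=args.process, device=args.device, driver=args.driver)
    if args.summary:
        for drv, dev, ioctl in summarize(source, **filters):
            print(f"{drv}\t{dev}\t{ioctl}")
    else:
        for line in filter_log(source, **filters):
            print(line)


if __name__ == "__main__":
    main()
```

Run it as `python filter_example.py -p process < log > out` to mirror the usage above, or with `--demo --summary -p process` to see the two MyDrv IOCTL codes from the embedded sample, which are the kind of values that go into the fuzzer's configuration.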

With the information retrieved, we can then build a configuration XML to fuzz the IRPs we are interested in.

regards
