一、逆向分析程序,找到适合fuzz的函数
二、对函数偏移进行debug测试
drrun.exe -verbose -c winafl.dll -debug -t 900000 -m none -coverage_module photoview.dll -target_module photoview.dll -target_offset xx -call_convention thiscall -nargs 2 -fuzz_iterations 10 -- wpsphoto+.exe xx.jpg
三、精简样本
python winafl-cmin.py -i E:samples -o E:sampleout -t 1000000 -D E:fuzztoolsdynbuild32bin32 -coverage_module photoview.dll -target_module photoview.dll -target_offset xx -nargs 2 -- wpsphoto+.exe @@
四、开始fuzz
afl-fuzz.exe -i in -o out -t 90000 -m none -D E:fuzz_targettoolsfuzztoolsdynbuild32bin32 -- -call_convention thiscall -coverage_module photoview.dll -target_module photoview.dll -target_offset xx -fuzz_iterations 50000 -nargs 2 -- wpsphoto+.exe @@
五、并行fuzz
0:000> kv
ChildEBP RetAddr Args to Child
0044c4b8 77235e4c 753dc4fa 000005f4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0044c4bc 753dc4fa 000005f4 00000000 00000000 ntdll!NtReadFile+0xc (FPO: [9,0,0])
0044c520 763a9e12 000005f4 035b0000 00000200 KERNELBASE!ReadFile+0x118 (FPO: [Non-Fpo])
0044c568 7018abd5 000005f4 035b0000 00000200 kernel32!ReadFileImplementation+0xf0 (FPO: [Non-Fpo])
0044c5ac 7018aca0 00000003 035b0000 00000200 MSVCR100!_read_nolock+0x1fa (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrcread.c @ 230]
0044c5f0 7018cdd1 00000003 035b0000 00000200 MSVCR100!_read+0xb7 (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrcread.c @ 92]
0044c608 701930b3 70223068 034382bc 00000000 MSVCR100!_filbuf+0x72 (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrc_filbuf.c @ 136]
0044c630 70192be7 0044c888 ffffffff 00000001 MSVCR100!_fread_nolock_s+0x150 (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrcfread.c @ 268]
0044c678 70192c3c 0044c888 ffffffff 00000001 MSVCR100!fread_s+0x6d (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrcfread.c @ 109]
0044c694 0f930ee3 0044c888 00000001 00000008 MSVCR100!fread+0x18 (FPO: [Non-Fpo]) (CONV: cdecl) [f:ddvctoolscrt_bldself_x86crtsrcfread.c @ 303]
WARNING: Stack unwind information not available. Following frames may be wrong.
0044c6e0 0f969fbc 0044c888 00000008 71fb1f43 photo!IKAuthorizationHandler::operator=+0x2f53
0044c8a0 0f7725a6 71fb1ebb 0212482c 020a68f0 photo!ImageWrapper::saveIndex+0x3207c
0044c958 0f772f07 0044c984 71fb1e77 0212482c photo!ImageWrapper::getExifData+0x1d6
0044c994 0f77f020 035dfaa0 0338ca10 0044c9dc photo!ImageWrapper::init+0x87
0044c9fc 0f77f273 0044ca30 0044ca2c 71fb1dab photo!ImageWrapper::load+0xc010
0044ca48 0f77d2dc 035e1d00 020a6160 0044ca6c photo!ImageWrapper::load+0xc263
0044ca58 0f82bce3 035e1db4 020a6160 0044cb14 photo!ImageWrapper::load+0xa2cc
0044ca6c 0f7566f5 035e1db4 0000001d 020a6160 photo!ImageView::resizeEvent+0x2973
0044ca84 66ea3cdc 00000000 00000019 0044cb14 photo!FullScreenView::metaObject+0x9e5
0044ca98 66ec240b 020a6160 00000000 0000001d QtCore4!QMetaObject::metacall+0x3c
0044cafc 0f74b6e5 020de240 01bbd7e8 02090238 QtCore4!QMetaObject::activate+0x2ab
0044cb1c 0f753bcd 035e1db4 0000000c 020de240 photo!PhotoMainWindow::signals_resizeWindow+0x275
0044cb3c 66ea3cdc 00000000 0000000c 0044cbcc photo!PhotoMainWindow::qt_metacall+0x34d
······
// Seek wrapper as recovered by the decompiler (IDA pseudo-code, not original
// source; __thiscall / _DWORD are MSVC and IDA spellings).
// Seeks the FILE* stored at offset 88 (0x58) of the object referenced by
// this[1] to position a2, with a4 selecting the seek origin. a3 is never read
// in this body (unused stack argument or decompiler artefact — unverified).
// Returns the result of the final fseek() (0 on success, non-zero on error).
// NOTE(review): origin values 0/1/2 match the usual SEEK_SET/SEEK_CUR/SEEK_END
// encoding of the MSVC CRT the stack trace above shows (MSVCR100) — confirm.
int __thiscall sub_10210CA0(_DWORD *this, int a2, int a3, int a4)
{
int v4; // esi — seek origin handed to fseek()
_DWORD *v5; // edi — alias of `this`, re-read on the return path
int v6; // eax — this[1], the object that owns the FILE*
// Normalise a4 into v4: 1 -> 1, 2 -> 2, anything else (including 0) -> 0.
v4 = 0;
v5 = this;
if ( a4 )
{
if ( a4 == 1 )
{
v4 = 1;
}
else if ( a4 == 2 )
{
v4 = 2;
}
}
else
{
v4 = 0; // redundant store: v4 is already 0
}
v6 = this[1];
// The field at +0x5C looks like a stream state/mode flag: when it is not 2
// the code stores 2 and issues fseek(f, 0, 1), i.e. fseek(f, 0, SEEK_CUR) on
// this CRT, the idiom for resynchronising a stdio stream before changing how
// it is accessed. What the value 2 denotes is not visible here — TODO confirm
// in the binary. The return value of this first fseek() is discarded.
if ( *(_DWORD *)(v6 + 0x5C) != 2 )
{
*(_DWORD *)(v6 + 0x5C) = 2;
fseek(*(FILE **)(v6 + 88), 0, 1);
}
// 88 == 0x58, the same FILE* slot as above; v5[1] is this[1] re-read rather
// than v6 reused. a2 reaches fseek() without any range check; whether a2 is
// derived from the parsed image's content cannot be told from this body — if
// it is, malformed offsets land in fseek() unchecked, which is a plausible
// reason this routine was chosen as the fuzz target.
return fseek(*(FILE **)(v5[1] + 88), a2, v4);
}