A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4078  by Cr4sh
 Tue Dec 21, 2010 11:06 am
I released a new version of IOCTLFuzzer, a tool designed to automate the task of searching for vulnerabilities in Windows kernel drivers by performing fuzz tests on them. It can also be used for passive monitoring of IOCTLs and exceptions.

The fuzzer’s own driver hooks nt!NtDeviceIoControlFile() in order to take control of all IOCTL requests throughout the system.

While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original IRP in all respects except the input data, which is changed to randomly generated fuzz.

Features:

- Windows 7 support
- Full support for 64-bit versions of Windows
- Exception monitoring
- "Fair Fuzzing" feature
- Different data generation modes
- Boot fuzzing (during OS initialization)


Exception monitoring is based on hooking nt!KiDispatchException().
IOCTLFuzzer obtains its address from kernel PDB symbols, so it can work on any version of Windows.

Program page:
http://code.google.com/p/ioctlfuzzer/

Readme:
http://code.google.com/p/ioctlfuzzer/so ... README.TXT

Download link:
http://ioctlfuzzer.googlecode.com/files ... er-1.2.zip
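To make the mechanism described above concrete, here is an added example (written for this page, not code from IOCTLFuzzer or its author) of the two decisions a hook on nt!NtDeviceIoControlFile() has to make for every intercepted request: whether the request matches the configured filter, and what fuzzed input buffer replaces the original one. It is portable C so it can be compiled and run anywhere; the structure and function names, the config layout (which only mirrors the device/IOCTL idea, not the tool's real XML schema), the three mutation modes, the sample device name and the sample IOCTL code 0x222003 are all constructed for illustration. The IOCTL code bit layout, however, is the real CTL_CODE layout from winioctl.h, and the METHOD_NEITHER heuristic is the usual practitioner reasoning (the driver receives raw user pointers), not a feature the post claims for the tool.

```c
/* Added example, not IOCTLFuzzer's own code. Models the filter-and-spoof
 * decision a NtDeviceIoControlFile() hook makes per request. Names,
 * config layout and sample values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real IOCTL code layout (winioctl.h CTL_CODE):
 * bits 31..16 device type, 15..14 required access,
 * bits 13..2 function number, bits 1..0 transfer method. */
#define IOCTL_DEVICE_TYPE(c) (((uint32_t)(c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)      (((uint32_t)(c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c)    (((uint32_t)(c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)      ((uint32_t)(c) & 0x3u)
#define METHOD_NEITHER 3

/* Illustrative data generation modes (assumed, not the tool's actual modes). */
enum fuzz_mode { FUZZ_RANDOM, FUZZ_BITFLIP, FUZZ_BOUNDARY };

struct fuzz_config {              /* assumed config: which requests to spoof */
    const char    *devices[4];    /* device names to fuzz, NULL-terminated */
    uint32_t       ioctls[8];     /* IOCTL codes to fuzz */
    size_t         nioctls;       /* 0 = fuzz every code sent to the device */
    enum fuzz_mode mode;
};

struct ioctl_request {            /* what the hook sees for one request */
    const char *device;           /* e.g. "\\Device\\somedevice" (constructed) */
    uint32_t    code;
    uint8_t    *in;               /* input buffer; only this gets replaced */
    size_t      in_len;
};

/* Heuristic added here: METHOD_NEITHER hands the driver raw user-mode
 * pointers, so those codes are usually the first worth fuzzing. */
int is_neither_method(uint32_t code)
{
    return IOCTL_METHOD(code) == METHOD_NEITHER;
}

/* Decision 1: does this request match the configured conditions? */
int should_fuzz(const struct fuzz_config *cfg, const struct ioctl_request *r)
{
    int dev_ok = 0;
    for (int i = 0; cfg->devices[i] != NULL; i++)
        if (strcmp(cfg->devices[i], r->device) == 0) { dev_ok = 1; break; }
    if (!dev_ok) return 0;
    if (cfg->nioctls == 0) return 1;
    for (size_t i = 0; i < cfg->nioctls; i++)
        if (cfg->ioctls[i] == r->code) return 1;
    return 0;
}

/* Decision 2: build the spoofed input in place. Everything else about the
 * request (device, code, lengths) is left untouched, as the post describes.
 * Returns the number of bytes that differ from the original input. */
size_t fuzz_input(const struct fuzz_config *cfg, struct ioctl_request *r, unsigned seed)
{
    uint8_t *orig = malloc(r->in_len ? r->in_len : 1);
    if (!orig) return 0;
    memcpy(orig, r->in, r->in_len);
    srand(seed);
    switch (cfg->mode) {
    case FUZZ_RANDOM:                       /* whole buffer replaced with noise */
        for (size_t i = 0; i < r->in_len; i++) r->in[i] = (uint8_t)rand();
        break;
    case FUZZ_BITFLIP:                      /* one bit flipped at a random offset */
        if (r->in_len)
            r->in[(size_t)rand() % r->in_len] ^= (uint8_t)(1u << (rand() % 8));
        break;
    case FUZZ_BOUNDARY: {                   /* interesting 32-bit values, little-endian */
        static const uint32_t words[] = { 0xFFFFFFFFu, 0x80000000u, 0x7FFFFFFFu, 0u };
        for (size_t i = 0; i < r->in_len; i++)
            r->in[i] = (uint8_t)(words[(i / 4) % 4] >> (8 * (i % 4)));
        break;
    }
    }
    size_t changed = 0;
    for (size_t i = 0; i < r->in_len; i++) changed += (orig[i] != r->in[i]);
    free(orig);
    return changed;
}

int main(void)
{
    /* Constructed sample: one request to a hypothetical device and a config that selects it. */
    struct fuzz_config cfg = { { "\\Device\\somedevice", NULL }, { 0x222003u }, 1, FUZZ_BOUNDARY };
    uint8_t buf[8] = { 0 };
    struct ioctl_request r = { "\\Device\\somedevice", 0x222003u, buf, sizeof buf };
    if (!should_fuzz(&cfg, &r)) { puts("request not selected by config"); return 0; }
    size_t n = fuzz_input(&cfg, &r, 1);
    printf("IOCTL 0x%X: device type 0x%X, function 0x%X, method %u%s, %zu bytes fuzzed\n",
           r.code, IOCTL_DEVICE_TYPE(r.code), IOCTL_FUNCTION(r.code), IOCTL_METHOD(r.code),
           is_neither_method(r.code) ? " (METHOD_NEITHER)" : "", n);
    return 0;
}
```

The point of decoding the code before fuzzing is that a driver's IOCTL space is small and structured: the function number tells you which handler you are hitting, and the method tells you whether the I/O manager validated the buffers for the driver or handed it raw pointers, which is exactly where the bugs the post talks about tend to live.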
 #4079  by Cr4sh
 Tue Dec 21, 2010 11:15 am
Also, here is an example of a vulnerability that has been found with IOCTLFuzzer.

Local privilege escalation in the current version of Trend Micro Titanium Maximum Security:
http://www.esagelab.com/files/TM_TmComm ... xploit.zip

The vulnerability allows code execution with CPL=0, but this is not a "true" privilege escalation, because the Trend Micro driver's device can be opened only by 'Administrator' and 'SYSTEM' users.
 #6749  by kmd
 Thu Jun 09, 2011 11:14 pm
Could you be so kind as to help me configure your tool?

I'm not sure if I'm doing everything correctly.

I'm trying to fuzz some driver and using your ioctlfuzzer.xml as an example (and finally passing it as ioctlfuzzer.exe --config ioctlfuzzer.xml).

In the section
<!-- IOCTL request destination driver name. -->
<drivers>
</drivers>
here I put the target driver name some.sys, correct?

Next,
<!-- IOCTL request destination device name. -->
<devices>
\Device\somedevice
</devices>
assuming that somedevice is created by some.sys, correct? Is \Device\ required?
<ioctls>
here I put some IOCTLs I want to fuzz, yes? Must they be in hex, or does it not matter?

Thanks for the answers and for such a great tool.