
Harness used

Open 0xDivyanshu-new opened this issue 1 year ago • 3 comments

Hi,

I have been going through the repository and wanted to understand more about the harness that was used to capture the callstacks during a crash.

I see that the harness inside the kafl.fuzzer Utils is using callbacks to capture the stack trace on KeBugCheck. I reversed the driver, and so far it seems like the driver has been taken from the https://github.com/SafeBreach-Labs/hAFL2/blob/main/drivers/CrashMonitoringDriver/CrashMonitoringDriver/main.c repository.

I wanted to know if there are a couple more additions that you made for the fuzzer to reliably capture the crash, or whether this is really all the code there is?

Thanks

0xDivyanshu-new avatar Sep 12 '24 16:09 0xDivyanshu-new

You are correct. The Driver is from hAFL2.

To the best of my knowledge, I changed the hypercall used in hAFL2 for our framework and the call stack depth log level. Also, in our kafl.fuzzer, I matched the call stack with each payload for usability.

Best regards

5angjun avatar Sep 14 '24 03:09 5angjun
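As an added illustration of the "matching call stack with each payload" step mentioned above (example code written for this page, not msFuzz's or kAFL's own code): the log format, the symbol names and the payload ids below are constructed assumptions. The idea is that once the bugcheck callback has emitted a stack trace per crashing payload, the fuzzer side can normalize the frames and bucket payloads by a crash signature, so that many payloads hitting the same bug are triaged as one.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape a bugcheck-callback harness might emit.
# The format is an assumption for this example, not the real msFuzz/kAFL log.
SAMPLE_LOG = """\
payload=0001 bugcheck=0x0000003B
  frame: nt!KeBugCheckEx
  frame: nt!KiPageFault
  frame: target!Dispatch+0x12
payload=0002 bugcheck=0x0000003B
  frame: nt!KeBugCheckEx
  frame: nt!KiPageFault
  frame: target!Dispatch+0x20
payload=0003 bugcheck=0x000000D1
  frame: nt!KeBugCheckEx
  frame: target!Read+0x4
"""

HEADER_RE = re.compile(r"^payload=(?P<pid>\w+)\s+bugcheck=(?P<code>0x[0-9A-Fa-f]+)")
FRAME_RE = re.compile(r"^\s*frame:\s*(?P<sym>\S+)")


@dataclass
class CrashRecord:
    payload: str            # id of the fuzz payload that triggered the bugcheck
    bugcheck: int           # bugcheck code reported by the callback
    frames: list = field(default_factory=list)  # call stack, innermost first


def parse_crash_log(text: str) -> list:
    """Parse the constructed log into one CrashRecord per payload."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = CrashRecord(m["pid"], int(m["code"], 16))
            records.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append(m["sym"])
    return records


def normalize_frame(sym: str) -> str:
    """Drop the +offset so crashes at nearby instructions share a bucket."""
    return sym.split("+", 1)[0]


def crash_signature(rec: CrashRecord, depth: int = 3,
                    skip=("nt!KeBugCheckEx",)) -> str:
    """Hash the bugcheck code plus the top `depth` meaningful frames.

    Frames belonging to the bugcheck machinery itself are skipped so that
    they do not make every signature look alike.
    """
    frames = [normalize_frame(f) for f in rec.frames
              if normalize_frame(f) not in skip]
    key = f"{rec.bugcheck:#010x}|" + "|".join(frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def group_payloads(records) -> dict:
    """Map each crash signature to the payload ids that produced it."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[crash_signature(rec)].append(rec.payload)
    return dict(buckets)


if __name__ == "__main__":
    for sig, payloads in group_payloads(parse_crash_log(SAMPLE_LOG)).items():
        print(sig, payloads)
```

Payloads 0001 and 0002 differ only in the offset inside the same function and so fall into one bucket; payload 0003 has a different bugcheck code and stack and gets its own. The skip list and the depth are the two knobs a practitioner usually tunes when the same root cause keeps producing several buckets.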

Hi @5angjun, is it possible for you to share the code of the harness driver as part of the repo?

0xDivyanshu-new avatar Sep 23 '24 14:09 0xDivyanshu-new

I hope so, but unfortunately I can't, because the code I wrote is on my former computer, from which I removed all the data.

Why don't you try to understand their code? If you fully understand it, you can figure out what to do for your work.

I modified their code in this way:

  1. change the hypercall number for the Nyx QEMU/kernel
  2. remove the code related to Hyper-V's harness

5angjun avatar Sep 23 '24 17:09 5angjun

This issue will be closed due to prolonged inactivity.

If you have further questions or concerns, please feel free to reopen this issue.

Thank you for your understanding.

5angjun avatar Nov 17 '24 08:11 5angjun