Dataflow-0.2.0 released. New: in memory fuzzing means


Blagodarenko
August 19th, 2010, 01:52
Dataflow-0.2.0 is now available

After a month of development, new features are available:
1. Recovering a module's functions from binary code without any additional information;
2. Binary program test SDK creation;
3. Loading a test into the target binary program's address space and executing it. The analyzed binary continues executing in the same mode as before the test was loaded.

Thus, Dataflow-0.2.0 can be used for performing in-memory fuzzing.

You can download the utility, see screenshots and the release history on the MaiWay project home page (http://ufoctf.ru/ufoblog/en/maiway-2/). Dataflow is part of the MaiWay project. The Dataflow tutorial (http://artem.ufoctf.ru/?p=164&lang=en) is also available. The enhanced features are described in The Dataflow tutorial. Part 2 (http://artem.ufoctf.ru/?p=339&lang=en). Please feel free to send bug reports, suggestions etc. to the authors.

In short.

You can generate function prototypes from a binary module that look like:

Code:
/* Raw pointer to the recovered function at its fixed address in the module. */
int ( __cdecl *functionstest2_sub_1120__)( void )
    = ( int ( __cdecl * ) ( void) ) 0x401120;

/* Wrapper: the recovered function takes its argument in EBX rather than on
   the stack, so the argument is placed there before the address is called. */
inline int __cdecl functionstest2_sub_1120( int a )
{
    __asm{
        mov EBX, a
    }
    return functionstest2_sub_1120__( );
}


After that you can develop some tests (maybe fuzzing actions):

Code:
#include <windows.h>
#include "functionstest.h"

/* Calls the recovered functions with test arguments. */
void StartTest( void )
{
    functionstest_sub_10C0( 88, 77, 66, 55 );
    functionstest_sub_1080( 33, 44, 55, 66 );
}

/* Runs the test once, when the DLL is loaded into the analyzed process. */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        StartTest();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


Build it and execute it in the analyzed program's address space with one click (3 clicks, indeed).

http://artem.ufoctf.ru/wp-content/uploads/2010/08/pict2_4.jpg

The test is executed and the module's internal functions are fuzzed. After that the program continues its normal execution.

Thanks for attention
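As an added example (not Dataflow's code), here is what the fuzzing actions inside a StartTest could look like: a deterministic generator feeds one recovered function and logs the generator state before every call, so that a crash inside the analyzed process can be replayed from the last logged line. The target function is a constructed stand-in for what a generated header such as functionstest.h would provide.

```c
/* Added example, not Dataflow's code: a StartTest-style harness fuzzing one
 * recovered function in memory. target_sub_10C0 is a constructed stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: copies len bytes into a fixed buffer and returns a
 * checksum, or -1 when len exceeds the buffer. */
static int target_sub_10C0(const uint8_t *src, uint32_t len, int a, int b)
{
    uint8_t buf[64];
    if (len > sizeof buf)
        return -1;                      /* the bound the fuzzer should hit */
    memcpy(buf, src, len);
    int sum = a + b;
    for (uint32_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* xorshift32: deterministic, so a crash replays from the logged state. */
static uint32_t xs32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Calls the target iters times from seed; returns accepted calls and stores
 * rejected ones in *rejected. The state is logged before each call: the test
 * runs inside the analyzed process, so a crash ends the run and the last
 * logged state identifies the crashing input. */
int fuzz_sub_10C0(uint32_t seed, int iters, int *rejected)
{
    uint32_t s = seed ? seed : 1;       /* xorshift must not start at zero */
    uint8_t data[256]; int ok = 0;
    *rejected = 0;
    for (int i = 0; i < iters; i++) {
        uint32_t state = s;
        uint32_t len = xs32(&s) % sizeof data + 1;  /* 1..256 */
        for (uint32_t j = 0; j < len; j++)
            data[j] = (uint8_t)xs32(&s);
        int a = (int)(xs32(&s) & 0xffff), b = (int)(xs32(&s) & 0xffff);
        fprintf(stderr, "iter %d state 0x%08x len %u\n", i, state, len);
        if (target_sub_10C0(data, len, a, b) == -1) (*rejected)++; else ok++;
    }
    return ok;
}

/* What a test DLL would call from DllMain, as in the post above. */
void StartTest(void) { int r; fuzz_sub_10C0(0x1234u, 1000, &r); }
```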

_genuine
August 19th, 2010, 07:10
This looks like an interesting little project, will take a look at it when I get home.
That's all for now.


regards,
gen