├── README.md ├── crashes ├── crash1-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc670b03 ├── crash2-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbba5fdf ├── crash3-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a4acb ├── crash4-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbb6e1e7 ├── crash5-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc3d3b22 ├── crash6-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcf36b3c29 └── crash8-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a517f ├── examples ├── POC_crash2_samdump.gif └── POC_crash2_webLink.gif ├── include ├── engineboot_kafl.h ├── nyx_api.h ├── openscan_kafl.h ├── scanreply_kafl.h └── streambuffer_kafl.h ├── jackalope_defender_harness_stream.c ├── mpclient_defender_harness_kafl.c ├── mpclient_defender_harness_withoutHypercalls.c └── mpengine ├── mpasbase.vdm ├── mpasdlta.vdm ├── mpavbase.vdm ├── mpavdlta.vdm └── mpengine.dll /README.md: -------------------------------------------------------------------------------- 1 | # Defender MpEngine Fuzzing and Unpatched DoS POCs 2 | 3 | This repository contains fuzzing harnesses for [kAFL](https://github.com/IntelLabs/kAFL) and [Jackalope](https://github.com/googleprojectzero/Jackalope) and results in `crashes` for Microsoft Defender's local scanning and emulation engine `mpengine.dll` (Microsoft Malware Portection Engine). The code is based on [mpclient.c](https://github.com/taviso/loadlibrary/blob/master/mpclient.c). 4 | 5 | For a detailed write-up of the research, fuzzing methodology, and bug analysis, please refer to the accompanying blog post: **[Attacking EDRs Part 4: Fuzzing Defender's Scanning and Emulation Engine (mpengine.dll)](https://labs.infoguard.ch/posts/attacking_edr_part4_fuzzing_defender_scanning_and_emulation_engine/)** 6 | 7 | 8 | Microsoft does not plan to address the identified bugs immediately: 9 | > After careful investigation, this case has been assessed as moderate severity and does not meet MSRC’s bar for immediate servicing. 10 | 11 | As of May 2025, most of the bugs to crash Defender (`MsMpEng.exe`) are unpatched and can be abused to execute otherwise blocked malicious actions. Some of them do not crash without PageHeap. Details are described on the [IG-Labs Blog](https://labs.infoguard.ch/posts/attacking_edr_part4_fuzzing_defender_scanning_and_emulation_engine/#results) 12 | 13 | > [!CAUTION] 14 | > The fuzzing was seeded with real Malware from VX-Underground. Therefore, the files in `Crashes` will contain parts of it and you should be careful. 15 | 16 | To test the harness without a fuzzer, `mpclient_defender_harness_withoutHypercalls.c` can be used to load the `mpengine.dll` and scan a file using `RSIG_SCAN_STREAMBUFFER`. Enable PageHeap for the binary before executing to catch the bugs. Crash1 does not trigger with this harness. Crash2 crashes defender in normal conditions without PageHeap. 17 | 18 | ## Example POCs 19 | Crash Defender by clicking a link that triggers a "PDF" download. This could be used in combination with a initial access payload: 20 | ![](examples/POC_crash2_webLink.gif) 21 | 22 | Crash defender by uploading a file via SMB before dumping credentials: 23 | ![](examples/POC_crash2_samdump.gif) 24 | -------------------------------------------------------------------------------- /crashes/crash1-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc670b03: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash1-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc670b03 -------------------------------------------------------------------------------- /crashes/crash2-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbba5fdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash2-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbba5fdf -------------------------------------------------------------------------------- /crashes/crash3-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a4acb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash3-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a4acb -------------------------------------------------------------------------------- /crashes/crash4-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbb6e1e7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash4-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdbb6e1e7 -------------------------------------------------------------------------------- /crashes/crash5-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc3d3b22: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash5-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc3d3b22 -------------------------------------------------------------------------------- /crashes/crash6-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcf36b3c29: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash6-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcf36b3c29 -------------------------------------------------------------------------------- /crashes/crash8-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a517f: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/crashes/crash8-EXCEPTION_ACCESS_VIOLATION_READ-0x7ffcdc0a517f -------------------------------------------------------------------------------- /examples/POC_crash2_samdump.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/examples/POC_crash2_samdump.gif -------------------------------------------------------------------------------- /examples/POC_crash2_webLink.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/examples/POC_crash2_webLink.gif -------------------------------------------------------------------------------- /include/engineboot_kafl.h: -------------------------------------------------------------------------------- 1 | #ifndef __ENGINEBOOT_H 2 | #define __ENGINEBOOT_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | typedef unsigned long long ulong; 6 | 7 | #define BOOTENGINE_PARAMS_VERSION 0xA400 8 | 9 | enum { 10 | BOOT_CACHEENABLED = 1 << 0, 11 | BOOT_NOFILECHANGES = 1 << 3, 12 | BOOT_ENABLECALLISTO = 1 << 6, 13 | BOOT_REALTIMESIGS = 1 << 8, 14 | BOOT_DISABLENOTIFICATION = 1 << 9, 15 | BOOT_CLOUDBHEAVIORBLOCK = 1 << 10, 16 | BOOT_ENABLELOGGING = 1 << 12, 17 | BOOT_ENABLEBETA = 1 << 16, 18 | BOOT_ENABLEIEV = 1 << 17, 19 | BOOT_ENABLEMANAGED = 1 << 19, 20 | }; 21 | 22 | enum { 23 | BOOT_ATTR_NORMAL = 1 << 0, 24 | BOOT_ATTR_ISXBAC = 1 << 2, 25 | }; 26 | 27 | enum { 28 | ENGINE_UNPACK = 1 << 1, 29 | ENGINE_HEURISTICS = 1 << 3, 30 | ENGINE_DISABLETHROTTLING = 1 << 11, 31 | ENGINE_PARANOID = 1 << 12, 32 | ENGINE_DISABLEANTISPYWARE = 1 << 15, 33 | ENGINE_DISABLEANTIVIRUS = 1 << 16, 34 | ENGINE_DISABLENETWORKDRIVES = 1 << 20, 35 | }; 36 | 37 | typedef struct _ENGINE_INFO { 38 | DWORD field_0; 39 | DWORD field_4; // Possibly Signature UNIX time? 40 | DWORD field_8; 41 | DWORD field_C; 42 | } ENGINE_INFO, *PENGINE_INFO; 43 | 44 | 45 | typedef struct _ENGINE_CONFIG { 46 | ULONG64 EngineFlags; 47 | PWCHAR Inclusions; // Example, "*.zip" 48 | PVOID Exceptions; 49 | PWCHAR UnknownString2; 50 | PWCHAR QuarantineLocation; 51 | DWORD field_14; 52 | DWORD field_18; 53 | DWORD field_1C; 54 | DWORD field_20; 55 | DWORD field_24; 56 | DWORD field_28; 57 | ULONG64 field_2C; // Setting this seems to cause packer to be reported. 58 | ULONG64 field_30; 59 | ULONG64 field_34; 60 | PCHAR UnknownAnsiString1; 61 | PCHAR UnknownAnsiString2; 62 | } ENGINE_CONFIG, *PENGINE_CONFIG; 63 | 64 | typedef struct _ENGINE_CONTEXT { 65 | DWORD field_0; 66 | } ENGINE_CONTEXT, *PENGINE_CONTEXT; 67 | 68 | /* 69 | BootParams.ClientVersion = BOOTENGINE_PARAMS_VERSION; 0xA400 70 | BootParams.SignatureLocation = wchar_t L"C:\\tmp";; 71 | BootParams.Attributes = BOOT_ATTR_NORMAL; 72 | BootParams.ProductName = ProductName; 73 | EngineConfig.QuarantineLocation = QurantineLocation; 74 | EngineConfig.Inclusions = Inclusions; 75 | EngineConfig.EngineFlags = 1 << 1; 76 | EngineConfig.UnknownAnsiString1 = NULL; 77 | EngineConfig.UnknownAnsiString2 = NULL; 78 | BootParams.EngineInfo = &EngineInfo; 79 | BootParams.EngineConfig = &EngineConfig;*/ 80 | typedef struct _BOOTENGINE_PARAMS { 81 | ULONG64 ClientVersion; 82 | PWCHAR SignatureLocation; 83 | PVOID SpynetSource; 84 | PENGINE_CONFIG EngineConfig; 85 | PENGINE_INFO EngineInfo; 86 | PWCHAR ScanReportLocation; 87 | DWORD BootFlags; 88 | PWCHAR LocalCopyDirectory; 89 | PWCHAR OfflineTargetOS; 90 | CHAR ProductString[16]; 91 | ULONG64 field_34; 92 | PVOID GlobalCallback; 93 | PENGINE_CONTEXT EngineContext; 94 | ULONG64 AvgCpuLoadFactor; 95 | CHAR field_44[16]; 96 | PWCHAR SpynetReportingGUID; 97 | PWCHAR SpynetVersion; 98 | PWCHAR NISEngineVersion; 99 | PWCHAR NISSignatureVersion; 100 | ULONG64 FlightingEnabled; 101 | DWORD FlightingLevel; 102 | PVOID DynamicConfig; 103 | DWORD AutoSampleSubmission; 104 | DWORD EnableThreatLogging; 105 | PWCHAR ProductName; 106 | DWORD PassiveMode; 107 | DWORD SenseEnabled; 108 | PWCHAR SenseOrgId; 109 | DWORD Attributes; 110 | DWORD BlockAtFirstSeen; 111 | DWORD PUAProtection; 112 | DWORD SideBySidePassiveMode; 113 | ULONG64 a; 114 | ULONG64 b; 115 | ULONG64 c; 116 | ULONG64 d; 117 | ULONG64 e; 118 | ULONG64 f; 119 | ULONG64 g; 120 | ULONG64 h; 121 | ULONG64 i; 122 | ULONG64 j; 123 | ULONG64 k; 124 | ULONG64 l; 125 | ULONG64 m; 126 | ULONG64 n; 127 | ULONG64 o; 128 | ULONG64 p; 129 | ULONG64 q; 130 | ULONG64 r; 131 | ULONG64 s; 132 | ULONG64 t; 133 | ULONG64 u; 134 | ULONG64 v; 135 | ULONG64 w; 136 | ULONG64 x; 137 | ULONG64 y; 138 | ULONG64 z; 139 | 140 | 141 | 142 | } BOOTENGINE_PARAMS, *PBOOTENGINE_PARAMS; 143 | 144 | #pragma pack(pop) 145 | #endif // __ENGINEBOOT_H 146 | -------------------------------------------------------------------------------- /include/nyx_api.h: -------------------------------------------------------------------------------- 1 | /* 2 | * kAFl/Nyx low-level interface definitions 3 | * 4 | * Copyright 2022 Sergej Schumilo, Cornelius Aschermann 5 | * Copyright 2022 Intel Corporation 6 | * 7 | * SPDX-License-Identifier: MIT 8 | */ 9 | 10 | #ifndef NYX_API_H 11 | #define NYX_API_H 12 | 13 | #ifndef __KERNEL__ 14 | // userspace 15 | # include 16 | # include 17 | 18 | # ifdef __MINGW64__ 19 | # ifndef uint64_t 20 | # define uint64_t UINT64 21 | # endif 22 | # ifndef int32_t 23 | # define int32_t INT32 24 | # endif 25 | # ifndef uint32_t 26 | # define uint32_t UINT32 27 | # endif 28 | # ifndef u_long 29 | # define u_long UINT64 30 | # endif 31 | # ifndef uint8_t 32 | # define uint8_t UINT8 33 | # endif 34 | # else 35 | # include 36 | # endif 37 | #else 38 | // Linux kernel 39 | # include 40 | # include 41 | #endif 42 | 43 | #define HYPERCALL_KAFL_RAX_ID 0x01f 44 | #define HYPERCALL_KAFL_ACQUIRE 0 45 | #define HYPERCALL_KAFL_GET_PAYLOAD 1 46 | #define HYPERCALL_KAFL_GET_PROGRAM 2 /* deprecated */ 47 | #define HYPERCALL_KAFL_GET_ARGV 3 /* deprecated */ 48 | #define HYPERCALL_KAFL_RELEASE 4 49 | #define HYPERCALL_KAFL_SUBMIT_CR3 5 50 | #define HYPERCALL_KAFL_SUBMIT_PANIC 6 51 | #define HYPERCALL_KAFL_SUBMIT_KASAN 7 52 | #define HYPERCALL_KAFL_PANIC 8 53 | #define HYPERCALL_KAFL_KASAN 9 54 | #define HYPERCALL_KAFL_LOCK 10 55 | #define HYPERCALL_KAFL_INFO 11 /* deprecated */ 56 | #define HYPERCALL_KAFL_NEXT_PAYLOAD 12 57 | #define HYPERCALL_KAFL_PRINTF 13 58 | #define HYPERCALL_KAFL_PRINTK_ADDR 14 /* deprecated */ 59 | #define HYPERCALL_KAFL_PRINTK 15 /* deprecated */ 60 | 61 | /* user space only hypercalls */ 62 | #define HYPERCALL_KAFL_USER_RANGE_ADVISE 16 63 | #define HYPERCALL_KAFL_USER_SUBMIT_MODE 17 64 | #define HYPERCALL_KAFL_USER_FAST_ACQUIRE 18 65 | /* 19 is already used for exit reason KVM_EXIT_KAFL_TOPA_MAIN_FULL */ 66 | #define HYPERCALL_KAFL_USER_ABORT 20 67 | #define HYPERCALL_KAFL_TIMEOUT 21 /* deprecated */ 68 | #define HYPERCALL_KAFL_RANGE_SUBMIT 29 69 | #define HYPERCALL_KAFL_REQ_STREAM_DATA 30 70 | #define HYPERCALL_KAFL_PANIC_EXTENDED 32 71 | 72 | #define HYPERCALL_KAFL_CREATE_TMP_SNAPSHOT 33 73 | #define HYPERCALL_KAFL_DEBUG_TMP_SNAPSHOT 34 /* hypercall for debugging / development purposes */ 74 | 75 | #define HYPERCALL_KAFL_GET_HOST_CONFIG 35 76 | #define HYPERCALL_KAFL_SET_AGENT_CONFIG 36 77 | 78 | #define HYPERCALL_KAFL_DUMP_FILE 37 79 | 80 | #define HYPERCALL_KAFL_REQ_STREAM_DATA_BULK 38 81 | #define HYPERCALL_KAFL_PERSIST_PAGE_PAST_SNAPSHOT 39 82 | 83 | /* hypertrash only hypercalls */ 84 | #define HYPERTRASH_HYPERCALL_MASK 0xAA000000 85 | 86 | #define HYPERCALL_KAFL_NESTED_PREPARE (0 | HYPERTRASH_HYPERCALL_MASK) 87 | #define HYPERCALL_KAFL_NESTED_CONFIG (1 | HYPERTRASH_HYPERCALL_MASK) 88 | #define HYPERCALL_KAFL_NESTED_ACQUIRE (2 | HYPERTRASH_HYPERCALL_MASK) 89 | #define HYPERCALL_KAFL_NESTED_RELEASE (3 | HYPERTRASH_HYPERCALL_MASK) 90 | #define HYPERCALL_KAFL_NESTED_HPRINTF (4 | HYPERTRASH_HYPERCALL_MASK) 91 | 92 | #define HPRINTF_MAX_SIZE 0x1000 /* up to 4KB hprintf strings */ 93 | 94 | #define KAFL_MODE_64 0 95 | #define KAFL_MODE_32 1 96 | #define KAFL_MODE_16 2 97 | 98 | typedef struct { 99 | int32_t size; 100 | uint8_t data[]; 101 | } kAFL_payload; 102 | 103 | typedef struct { 104 | uint64_t ip[4]; 105 | uint64_t size[4]; 106 | uint8_t enabled[4]; 107 | } kAFL_ranges; 108 | 109 | #if defined(__i386__) 110 | static inline uint32_t kAFL_hypercall(uint32_t p1, uint32_t p2) 111 | { 112 | uint32_t nr = HYPERCALL_KAFL_RAX_ID; 113 | asm volatile ("vmcall" 114 | : "=a" (nr) 115 | : "a"(nr), "b"(p1), "c"(p2)); 116 | return nr; 117 | } 118 | #elif defined(__x86_64__) 119 | static inline uint64_t kAFL_hypercall(uint64_t p1, uint64_t p2) 120 | { 121 | uint64_t nr = HYPERCALL_KAFL_RAX_ID; 122 | asm volatile ("vmcall" 123 | : "=a" (nr) 124 | : "a"(nr), "b"(p1), "c"(p2)); 125 | return nr; 126 | } 127 | #endif 128 | 129 | static void habort(char* msg) __attribute__ ((unused)); 130 | static void habort(char* msg){ 131 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)msg); 132 | } 133 | 134 | static void hprintf(const char * format, ...) __attribute__ ((unused)); 135 | static void hprintf(const char * format, ...){ 136 | static char hprintf_buffer[HPRINTF_MAX_SIZE] __attribute__((aligned(4096))); 137 | 138 | va_list args; 139 | va_start(args, format); 140 | vsnprintf((char*)hprintf_buffer, HPRINTF_MAX_SIZE, format, args); 141 | //printf("%s", hprintf_buffer); 142 | kAFL_hypercall(HYPERCALL_KAFL_PRINTF, (uintptr_t)hprintf_buffer); 143 | va_end(args); 144 | } 145 | 146 | #define NYX_HOST_MAGIC 0x4878794e 147 | #define NYX_AGENT_MAGIC 0x4178794e 148 | 149 | #define NYX_HOST_VERSION 2 150 | #define NYX_AGENT_VERSION 1 151 | 152 | typedef struct { 153 | uint32_t host_magic; 154 | uint32_t host_version; 155 | uint32_t bitmap_size; 156 | uint32_t ijon_bitmap_size; 157 | uint32_t payload_buffer_size; 158 | uint32_t worker_id; 159 | /* more to come */ 160 | } __attribute__((packed)) host_config_t; 161 | 162 | typedef struct { 163 | uint32_t agent_magic; 164 | uint32_t agent_version; 165 | uint8_t agent_timeout_detection; 166 | uint8_t agent_tracing; 167 | uint8_t agent_ijon_tracing; 168 | uint8_t agent_non_reload_mode; 169 | uint64_t trace_buffer_vaddr; 170 | uint64_t ijon_trace_buffer_vaddr; 171 | uint32_t coverage_bitmap_size; 172 | uint32_t input_buffer_size; 173 | uint8_t dump_payloads; /* set by hypervisor */ 174 | /* more to come */ 175 | } __attribute__((packed)) agent_config_t; 176 | 177 | typedef struct { 178 | uint64_t file_name_str_ptr; 179 | uint64_t data_ptr; 180 | uint64_t bytes; 181 | uint8_t append; 182 | } __attribute__((packed)) kafl_dump_file_t; 183 | 184 | typedef struct { 185 | char file_name[256]; 186 | uint64_t num_addresses; 187 | uint64_t addresses[479]; 188 | } __attribute__((packed)) req_data_bulk_t; 189 | 190 | #endif /* NYX_API_H */ 191 | -------------------------------------------------------------------------------- /include/openscan_kafl.h: -------------------------------------------------------------------------------- 1 | #ifndef __OPENSCAN_H 2 | #define __OPENSCAN_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | #define OPENSCAN_VERSION 0x2C6D 7 | 8 | enum { 9 | SCANSOURCE_NOTASOURCE = 0, 10 | SCANSOURCE_SCHEDULED = 1, 11 | SCANSOURCE_ONDEMAND = 2, 12 | SCANSOURCE_RTP = 3, 13 | SCANSOURCE_IOAV_WEB = 4, 14 | SCANSOURCE_IOAV_FILE = 5, 15 | SCANSOURCE_CLEAN = 6, 16 | SCANSOURCE_UCL = 7, 17 | SCANSOURCE_RTSIG = 8, 18 | SCANSOURCE_SPYNETREQUEST = 9, 19 | SCANSOURCE_INFECTIONRESCAN = 0x0A, 20 | SCANSOURCE_CACHE = 0x0B, 21 | SCANSOURCE_UNK_TELEMETRY = 0x0C, 22 | SCANSOURCE_IEPROTECT = 0x0D, 23 | SCANSOURCE_ELAM = 0x0E, 24 | SCANSOURCE_LOCAL_ATTESTATION = 0x0F, 25 | SCANSOURCE_REMOTE_ATTESTATION = 0x10, 26 | SCANSOURCE_HEARTBEAT = 0x11, 27 | SCANSOURCE_MAINTENANCE = 0x12, 28 | SCANSOURCE_MPUT = 0x13, 29 | SCANSOURCE_AMSI = 0x14, 30 | SCANSOURCE_STARTUP = 0x15, 31 | SCANSOURCE_ADDITIONAL_ACTIONS = 0x16, 32 | SCANSOURCE_AMSI_UAC = 0x17, 33 | SCANSOURCE_GENSTREAM = 0x18, 34 | SCANSOURCE_REPORTLOWFI = 0x19, 35 | SCANSOURCE_REPORTINTERNALDETECTION = 0x19, 36 | SCANSOURCE_SENSE = 0x1A, 37 | SCANSOURCE_XBAC = 0x1B, 38 | }; 39 | 40 | typedef struct _OPENSCAN_PARAMS { 41 | DWORD Version; 42 | DWORD ScanSource; 43 | DWORD Flags; 44 | DWORD field_C; 45 | DWORD field_10; 46 | DWORD field_14; 47 | DWORD field_18; 48 | DWORD field_1C; 49 | GUID ScanID; 50 | DWORD field_30; 51 | DWORD field_34; 52 | DWORD field_38; 53 | DWORD field_3C; 54 | DWORD field_40; 55 | DWORD field_44; 56 | } OPENSCAN_PARAMS, *POPENSCAN_PARAMS; 57 | 58 | #pragma pack(pop) 59 | #endif // __OPENSCAN_H 60 | -------------------------------------------------------------------------------- /include/scanreply_kafl.h: -------------------------------------------------------------------------------- 1 | #ifndef __SCANREPLY_H 2 | #define __SCANREPLY_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | // These are just guesses based on observed behaviour. 7 | enum { 8 | SCAN_FILENAME = 1 << 8, 9 | SCAN_ENCRYPTED = 1 << 6, 10 | SCAN_MEMBERNAME = 1 << 7, 11 | SCAN_FILETYPE = 1 << 9, 12 | SCAN_TOPLEVEL = 1 << 18, 13 | SCAN_PACKERSTART = 1 << 19, 14 | SCAN_PACKEREND = 1 << 12, 15 | SCAN_ISARCHIVE = 1 << 16, 16 | SCAN_VIRUSFOUND = 1 << 27, 17 | SCAN_CORRUPT = 1 << 13, 18 | SCAN_UNKNOWN = 1 << 15, // I dunno what this means 19 | }; 20 | 21 | typedef struct _SCANSTRUCT { 22 | DWORD field_0; 23 | DWORD Flags; 24 | PCHAR FileName; 25 | CHAR VirusName[28]; 26 | DWORD field_2C; 27 | DWORD field_30; 28 | DWORD field_34; 29 | DWORD field_38; 30 | DWORD field_3C; 31 | DWORD field_40; 32 | DWORD field_44; 33 | DWORD field_48; 34 | DWORD field_4C; 35 | ULONG64 FileSize; 36 | ULONG64 UserPtr; 37 | DWORD field_60; 38 | DWORD field_64; 39 | PCHAR MaybeFileName2; 40 | PWCHAR StreamName1; 41 | PWCHAR StreamName2; 42 | DWORD field_6C; 43 | DWORD ThreatId; // Can be passed back to GetThreatInfo 44 | } SCANSTRUCT, *PSCANSTRUCT; 45 | 46 | typedef struct _SCAN_REPLY { 47 | ULONG64 (*EngineScanCallback)(PSCANSTRUCT this); 48 | ULONG64 field_4; 49 | ULONG64 UserPtr; 50 | ULONG64 field_C; 51 | } SCAN_REPLY, *PSCAN_REPLY; 52 | 53 | #pragma pack(pop) 54 | #endif // __SCANREPLY_H 55 | 56 | -------------------------------------------------------------------------------- /include/streambuffer_kafl.h: -------------------------------------------------------------------------------- 1 | #ifndef __STREAMBUFFER_H 2 | #define __STREAMBUFFER_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | enum { 7 | STREAM_ATTRIBUTE_INVALID = 0, 8 | STREAM_ATTRIBUTE_SKIPBMNOTIFICATION = 1, 9 | STREAM_ATTRIBUTE_BMDATA = 2, 10 | STREAM_ATTRIBUTE_FILECOPYPERFHINT = 3, 11 | STREAM_ATTRIBUTE_FILECOPYSOURCEPATH = 4, 12 | STREAM_ATTRIBUTE_FILECHANGEPERFHINT = 5, 13 | STREAM_ATTRIBUTE_FILEOPPROCESSID = 6, 14 | STREAM_ATTRIBUTE_FILEBACKUPWRITEPERFHINT = 7, 15 | STREAM_ATTRIBUTE_DONOTCACHESCANRESULT = 8, 16 | STREAM_ATTRIBUTE_SCANREASON = 9, 17 | STREAM_ATTRIBUTE_FILEID = 10, 18 | STREAM_ATTRIBUTE_FILEVOLUMESERIALNUMBER = 11, 19 | STREAM_ATTRIBUTE_FILEUSN = 12, 20 | STREAM_ATTRIBUTE_SCRIPTTYPE = 13, 21 | STREAM_ATTRIBUTE_PRIVATE = 14, 22 | STREAM_ATTRIBUTE_URL = 15, 23 | STREAM_ATTRIBUTE_REFERRALURL = 16, 24 | STREAM_ATTRIBUTE_SCRIPTID = 17, 25 | STREAM_ATTRIBUTE_HOSTAPPVERSION = 18, 26 | STREAM_ATTRIBUTE_THREAT_ID = 19, 27 | STREAM_ATTRIBUTE_THREAT_STATUS = 21, 28 | STREAM_ATTRIBUTE_LOFI = 22, 29 | STREAM_ATTRIBUTE_THREAT_RESOURCES = 25, 30 | STREAM_ATTRIBUTE_LOFI_RESOURCES = 26, 31 | STREAM_ATTRIBUTE_VOLATILE = 29, 32 | STREAM_ATTRIBUTE_REFERRERURL = 30, 33 | STREAM_ATTRIBUTE_REQUESTORMODE = 31, 34 | STREAM_ATTRIBUTE_CI_EA = 33, 35 | STREAM_ATTRIBUTE_CURRENT_FILEUSN = 34, 36 | STREAM_ATTRIBUTE_AVAILABLE_DSS_THREADS = 35, 37 | STREAM_ATTRIBUTE_IO_STATUS_BLOCK_FOR_NEW_FILE = 36, 38 | STREAM_ATTRIBUTE_DESIRED_ACCESS = 37, 39 | STREAM_ATTRIBUTE_FILEOPPROCESSNAME = 38, 40 | STREAM_ATTRIBUTE_DETAILED_SCAN_NEEDED = 39, 41 | STREAM_ATTRIBUTE_URL_HAS_GOOD_REPUTATION = 40, 42 | STREAM_ATTRIBUTE_SITE_HAS_GOOD_REPUTATION = 41, 43 | STREAM_ATTRIBUTE_URL_ZONE = 42, 44 | STREAM_ATTRIBUTE_CONTROL_GUID = 43, 45 | STREAM_ATTRIBUTE_CONTROL_VERSION = 44, 46 | STREAM_ATTRIBUTE_CONTROL_PATH = 45, 47 | STREAM_ATTRIBUTE_CONTROL_HTML = 46, 48 | STREAM_ATTRIBUTE_PAGE_CONTEXT = 47, 49 | STREAM_ATTRIBUTE_FRAME_URL = 48, 50 | STREAM_ATTRIBUTE_FRAME_HTML = 49, 51 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_PAGE = 50, 52 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_CONTROL = 51, 53 | STREAM_ATTRIBUTE_SHARE_ACCESS = 52, 54 | STREAM_ATTRIBUTE_OPEN_OPTIONS = 53, 55 | STREAM_ATTRIBUTE_DEVICE_CHARACTERISTICS = 54, 56 | STREAM_ATTRIBUTE_FILE_ATTRIBUTES = 55, 57 | STREAM_ATTRIBUTE_HAS_MOTW_ADS = 56, 58 | STREAM_ATTRIBUTE_SE_SIGNING_LEVEL = 57, 59 | STREAM_ATTRIBUTE_SESSION_ID = 58, 60 | STREAM_ATTRIBUTE_AMSI_APP_ID = 59, 61 | STREAM_ATTRIBUTE_AMSI_SESSION_ID = 60, 62 | STREAM_ATTRIBUTE_FILE_OPERATION_PPID = 61, 63 | STREAM_ATTRIBUTE_SECTOR_NUMBER = 62, 64 | STREAM_ATTRIBUTE_AMSI_CONTENT_NAME = 63, 65 | STREAM_ATTRIBUTE_AMSI_UAC_REQUEST_CONTEXT = 64, 66 | STREAM_ATTRIBUTE_RESOURCE_CONTEXT = 65, 67 | STREAM_ATTRIBUTE_OPEN_CREATEPROCESS_HINT = 66, 68 | STREAM_ATTRIBUTE_GENSTREAM_APP_NAME = 67, 69 | STREAM_ATTRIBUTE_GENSTREAM_SESSION_ID = 68, 70 | STREAM_ATTRIBUTE_GENSTREAM_CONTENT_NAME = 69, 71 | STREAM_ATTRIBUTE_OPEN_ACCESS_STATE_FLAGS = 70, 72 | STREAM_ATTRIBUTE_GENSTREAM_EXTERN_GUID = 71, 73 | STREAM_ATTRIBUTE_IS_CONTAINER_FILE = 72, 74 | STREAM_ATTRIBUTE_AMSI_REDIRECT_CHAIN = 75, 75 | }; 76 | 77 | enum { 78 | SCANREASON_UNKNOWN = 0, 79 | SCANREASON_ONMOUNT = 1, 80 | SCANREASON_ONOPEN = 2, 81 | SCANREASON_ONFIRSTREAD = 3, 82 | SCANREASON_ONWRITE = 4, 83 | SCANREASON_ONMODIFIEDHANDLECLOSE = 5, 84 | SCANREASON_INMEMORY = 8, 85 | SCANREASON_VALIDATION_PRESCAN = 9, 86 | SCANREASON_VALIDATION_CONTENTSCAN = 0x0A, 87 | SCANREASON_ONVOLUMECLEANUP = 0x0B, 88 | SCANREASON_AMSI = 0x0C, 89 | SCANREASON_AMSI_UAC = 0x0D, 90 | SCANREASON_GENERICSTREAM = 0x0E, 91 | SCANREASON_IOAVSTREAM = 0x0F, 92 | }; 93 | 94 | typedef struct _STREAMBUFFER_DESCRIPTOR { 95 | FILE *UserPtr; 96 | ULONG64 (* Read)(FILE *fp, uint64_t Offset, PVOID Buffer, DWORD Size, PDWORD SizeRead); 97 | ULONG64 (* Write)(FILE *fp, uint64_t Offset, PVOID Buffer, DWORD Size, PDWORD TotalWritten); 98 | ULONG64 (* GetSize)(FILE *fp, uint64_t *FileSize); 99 | ULONG64 (* SetSize)(FILE *fp, uint64_t *FileSize); 100 | PWCHAR (* GetName)(FILE *fp); 101 | ULONG64 (* SetAttributes)(FILE *fp, DWORD Attribute, PVOID Data, DWORD DataSize); 102 | ULONG64 (* GetAttributes)(FILE *fp, DWORD Attribute, PVOID Data, DWORD DataSize, PDWORD DataSizeWritten); 103 | } STREAMBUFFER_DESCRIPTOR, *PSTREAMBUFFER_DESCRIPTOR; 104 | 105 | typedef struct _SCANSTREAM_PARAMS { 106 | PSTREAMBUFFER_DESCRIPTOR Descriptor; 107 | PSCAN_REPLY ScanReply; 108 | ULONG64 UnknownB; 109 | ULONG64 UnknownC; 110 | } SCANSTREAM_PARAMS, *PSCANSTREAM_PARAMS; 111 | 112 | #pragma pack(pop) 113 | #endif // __STREAMBUFFER_H 114 | -------------------------------------------------------------------------------- /jackalope_defender_harness_stream.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "include/engineboot_kafl.h" 7 | #include "include/openscan_kafl.h" 8 | #include "include/scanreply_kafl.h" 9 | #include "include/streambuffer_kafl.h" 10 | #define RSIG_BOOTENGINE 0x4036 11 | #define RSIG_SCAN_STREAMBUFFER 0x403D 12 | #define PE_CODE_SECTION_NAME ".text" 13 | 14 | //Max size of the shared memory region, note if the SHM_SIZE is larger than that specified by the 15 | //process which created the shared memory, you will not be able to open it! 16 | #define MAX_SAMPLE_SIZE 1000000 17 | #define SHM_SIZE (4 + MAX_SAMPLE_SIZE) 18 | 19 | //x86_64-w64-mingw32-gcc jackalope_defender_harness_stream.c -o jackalope_defender_harness_stream.exe 20 | 21 | unsigned char *shm_data; 22 | BYTE* fileContent = NULL; 23 | size_t inputSize = 0; 24 | 25 | 26 | typedef DWORD(*__rsignal)(DWORD Code, PVOID Params, DWORD Size); 27 | 28 | 29 | int setup_shared_memory(const char* name) { 30 | HANDLE map_file; 31 | 32 | map_file = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, name); 33 | 34 | if (map_file == NULL) { 35 | printf("Error accessing shared memory\n"); 36 | return 0; 37 | } 38 | 39 | shm_data = (unsigned char*)MapViewOfFile(map_file, FILE_MAP_ALL_ACCESS, 0, 0, SHM_SIZE); 40 | 41 | if (shm_data == NULL) { 42 | printf("Error accessing shared memory\n"); 43 | return 0; 44 | } 45 | 46 | return 1; 47 | } 48 | 49 | static DWORD EngineScanCallback(PSCANSTRUCT Scan) 50 | { 51 | return 0; 52 | } 53 | 54 | 55 | static size_t ReadStream(PVOID this, size_t offset, BYTE* buffer, size_t size, size_t* nsize) 56 | { 57 | //printf(" ReadStream offset=%x, size=%d, inputSize=%d \n", offset, size, inputSize); 58 | if (offset >= inputSize) { 59 | *nsize = 0; 60 | return TRUE; 61 | } 62 | 63 | size_t remainingSize = inputSize - offset; 64 | size_t bytesToRead = (size < remainingSize) ? size : remainingSize; 65 | 66 | memcpy(buffer, fileContent + offset, bytesToRead); 67 | *nsize = bytesToRead; 68 | 69 | return TRUE; 70 | } 71 | 72 | static size_t GetStreamSize(PVOID this, size_t* size) 73 | { 74 | *size = inputSize; 75 | //printf(" GetStreamSize size=%d\n", inputSize); 76 | return 0; 77 | } 78 | 79 | void printLastError() { 80 | DWORD errorMessageID = GetLastError(); 81 | if(errorMessageID == 0) { 82 | printf("No error occurred.\n"); 83 | return; 84 | } 85 | 86 | LPSTR messageBuffer = NULL; 87 | size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 88 | NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); 89 | if(size == 0) { 90 | printf("Failed to get error message string.\n"); 91 | return; 92 | } 93 | 94 | printf("Error: %s\n", messageBuffer); 95 | 96 | LocalFree(messageBuffer); 97 | } 98 | 99 | static const wchar_t* GetStreamName(PSTREAMBUFFER_DESCRIPTOR self) 100 | { 101 | wchar_t test[] = L"engine"; 102 | return test; 103 | } 104 | __rsignal prsignal; 105 | HMODULE hModule; 106 | 107 | 108 | __declspec(dllexport) 109 | void scanFile(){ 110 | //printf("called scanfile\n"); 111 | char *sample_bytes = NULL; 112 | 113 | SCANSTREAM_PARAMS ScanParams; 114 | STREAMBUFFER_DESCRIPTOR ScanDescriptor; 115 | SCAN_REPLY ScanReply; 116 | ZeroMemory(&ScanParams, sizeof ScanParams); 117 | ZeroMemory(&ScanDescriptor, sizeof ScanDescriptor); 118 | ZeroMemory(&ScanReply, sizeof ScanReply); 119 | 120 | ScanParams.Descriptor = &ScanDescriptor; 121 | ScanParams.ScanReply = &ScanReply; 122 | ScanReply.EngineScanCallback = EngineScanCallback; 123 | ScanReply.field_C = 0x7fffffff; 124 | ScanDescriptor.Read = ReadStream; 125 | ScanDescriptor.GetSize = GetStreamSize; 126 | ScanDescriptor.GetName = GetStreamName; 127 | //ScanDescriptor.filename = name; 128 | //char filename[] = "C:\\tmp\\a"; 129 | ScanDescriptor.UserPtr = NULL;//fopen(filename, "rb"); 130 | 131 | inputSize = *(uint32_t *)(shm_data); 132 | //printf("input size: %d \n", inputSize); 133 | 134 | sample_bytes = (char *)malloc(inputSize); 135 | memcpy(sample_bytes, shm_data + sizeof(uint32_t), inputSize); 136 | fileContent = sample_bytes; 137 | 138 | //start scanning 139 | int ret = prsignal(RSIG_SCAN_STREAMBUFFER, &ScanParams, sizeof(ScanParams)); 140 | 141 | if (ret != 0) { 142 | printf("rsignal failed %d\n",ret); 143 | } 144 | 145 | //printf("scan finished\n"); 146 | } 147 | 148 | 149 | int main(int argc, char** argv){ 150 | printf("setup shared mem %s\n", argv[1]); 151 | setup_shared_memory(argv[1]); 152 | 153 | HANDLE KernelHandle; 154 | BOOTENGINE_PARAMS BootParams; 155 | ENGINE_INFO EngineInfo; 156 | ENGINE_CONFIG EngineConfig; 157 | 158 | printf("[+] Starting... %s\n", argv[0]); 159 | 160 | 161 | ZeroMemory(&BootParams, sizeof BootParams); 162 | ZeroMemory(&EngineInfo, sizeof EngineInfo); 163 | ZeroMemory(&EngineConfig, sizeof EngineConfig); 164 | 165 | 166 | wchar_t SignatureLocation[] = L"C:\\tmp"; 167 | wchar_t ProductName[] = L"Legitimate Antivirus"; 168 | wchar_t QurantineLocation[] = L"quarantine"; 169 | wchar_t Inclusions[] = L"*.*"; 170 | 171 | BootParams.ClientVersion = BOOTENGINE_PARAMS_VERSION; 172 | BootParams.SignatureLocation = SignatureLocation; 173 | BootParams.Attributes = BOOT_ATTR_NORMAL; 174 | BootParams.ProductName = ProductName; 175 | EngineConfig.QuarantineLocation = QurantineLocation; 176 | EngineConfig.Inclusions = Inclusions; 177 | EngineConfig.EngineFlags = 1 << 1; 178 | EngineConfig.UnknownAnsiString1 = NULL; 179 | EngineConfig.UnknownAnsiString2 = NULL; 180 | BootParams.EngineInfo = &EngineInfo; 181 | BootParams.EngineConfig = &EngineConfig; 182 | KernelHandle = NULL; 183 | printf("[+++++++] NEW START!\n"); 184 | SetCurrentDirectoryA("C:\\tmp"); 185 | hModule = LoadLibraryA("C:\\tmp\\mpengine.dll"); 186 | if(hModule == NULL){ 187 | printf("load dll failed\n"); 188 | printLastError(); 189 | return 1; 190 | } 191 | printf("loaded dll\n"); 192 | 193 | prsignal = (__rsignal)GetProcAddress(hModule, "rsignal"); 194 | if(prsignal == NULL){ 195 | printf("GetProcAddress failed\n"); 196 | return 1; 197 | } 198 | printf("rsignal addr %x\n", prsignal); 199 | 200 | int status = prsignal(RSIG_BOOTENGINE, &BootParams, sizeof BootParams); // 201 | printf("status %d\n",status); 202 | if (status != 0) { 203 | printf("__rsignal(RSIG_BOOTENGINE) returned failure, missing definitions?"); 204 | printf("Make sure the VDM files and mpengine.dll are in the engine directory\n"); 205 | printLastError(); 206 | return 1; 207 | } 208 | 209 | printf("engine booted\n"); 210 | 211 | // if (!SetProcessWorkingSetSize((HANDLE)-1, 1 << 27 /* min: 64MB */, 1 << 33 /* max: 1GB */)) 212 | //{ 213 | // printf("[-] Err increasing min and max working sizes: %u\n", (UINT32)GetLastError()); 214 | //} 215 | 216 | 217 | BYTE* buffer = (BYTE*)malloc(1024*100); 218 | size_t buffer_size = 0x10; 219 | 220 | printf("call scan file\n"); 221 | scanFile(); 222 | printf("scanFile exited\n"); 223 | 224 | ExitProcess(0); 225 | return 0; 226 | } 227 | -------------------------------------------------------------------------------- /mpclient_defender_harness_kafl.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "include/nyx_api.h" 6 | #include "include/engineboot_kafl.h" 7 | #include "include/openscan_kafl.h" 8 | #include "include/scanreply_kafl.h" 9 | #include "include/streambuffer_kafl.h" 10 | #define RSIG_BOOTENGINE 0x4036 11 | #define RSIG_SCAN_STREAMBUFFER 0x403D 12 | #define PE_CODE_SECTION_NAME ".text" 13 | 14 | static uint8_t* fileContent = NULL; 15 | static int fileSize = 0; 16 | 17 | typedef DWORD(*__rsignal)(DWORD Code, PVOID Params, DWORD Size); 18 | 19 | 20 | LONG CALLBACK exception_handle(struct _EXCEPTION_POINTERS *ExceptionInfo) 21 | { 22 | PEXCEPTION_RECORD pExceptionRecord = ExceptionInfo->ExceptionRecord; 23 | DWORD exception_code = pExceptionRecord->ExceptionCode; 24 | 25 | if((exception_code == EXCEPTION_ACCESS_VIOLATION) || 26 | (exception_code == EXCEPTION_ILLEGAL_INSTRUCTION) || 27 | (exception_code == 0xc0000374) || 28 | (exception_code == EXCEPTION_STACK_OVERFLOW) || 29 | (exception_code == STATUS_STACK_BUFFER_OVERRUN) || 30 | (exception_code == STATUS_FATAL_APP_EXIT) || 31 | (exception_code == 0xC0000421)) 32 | 33 | { 34 | hprintf("Exception: 0x%lX\n", exception_code); 35 | hprintf(" Faulting instruction address: 0x%p\n", pExceptionRecord->ExceptionAddress); 36 | // Print specific details for Access Violation 37 | if (exception_code == EXCEPTION_ACCESS_VIOLATION) 38 | { 39 | ULONG_PTR violation_type = pExceptionRecord->ExceptionInformation[0]; 40 | ULONG_PTR violation_address = pExceptionRecord->ExceptionInformation[1]; 41 | 42 | if (violation_type == 0) { 43 | hprintf(" c005 Violation Type: Attempted to READ from address\n"); 44 | } else if (violation_type == 1) { 45 | hprintf(" c005 Violation Type: Attempted to WRITE to address\n"); 46 | } else if (violation_type == 8) { 47 | hprintf(" c005 Violation Type: Data Execution Prevention (DEP) violation at address\n"); 48 | } else { 49 | hprintf(" c005 Violation Type: Unknown type (%p)\n", (void*)violation_type); 50 | } 51 | 52 | hprintf(" c005 Violated Address: 0x%p\n", (void*)violation_address); 53 | hprintf(" input size: %d", fileSize); 54 | } 55 | kAFL_hypercall(HYPERCALL_KAFL_PANIC, (uintptr_t)0x1); 56 | while(1){}; /* halt */ 57 | 58 | } 59 | 60 | return EXCEPTION_CONTINUE_SEARCH; 61 | } 62 | 63 | static DWORD EngineScanCallback(PSCANSTRUCT Scan) 64 | { 65 | // if (Scan->Flags & SCAN_MEMBERNAME) { 66 | // //hprintf("Scanning archive member %s", Scan->VirusName); 67 | // } 68 | // if (Scan->Flags & SCAN_FILENAME) { 69 | // //hprintf("Scanning@@@@ %s", Scan->FileName); 70 | // } 71 | // if (Scan->Flags & SCAN_PACKERSTART) { 72 | // //hprintf("Packer %s identified.", Scan->VirusName); 73 | // } 74 | // if (Scan->Flags & SCAN_ENCRYPTED) { 75 | // //hprintf("File is encrypted."); 76 | // } 77 | // if (Scan->Flags & SCAN_CORRUPT) { 78 | // //hprintf("File may be corrupt."); 79 | // } 80 | // if (Scan->Flags & SCAN_FILETYPE) { 81 | // //hprintf("File %s is identified as %s", Scan->FileName, Scan->VirusName); 82 | // } 83 | // if (Scan->Flags & 0x08000022) { 84 | // //hprintf("Threat %s identified.", Scan->VirusName); 85 | // } 86 | // // This may indicate PUA. 87 | // if ((Scan->Flags & 0x40010000) == 0x40010000) { 88 | // //hprintf("Threat %s identified.", Scan->VirusName); 89 | // } 90 | 91 | return 0; 92 | } 93 | 94 | 95 | static size_t ReadStream(PVOID this, size_t offset, BYTE* buffer, size_t size, size_t* nsize) 96 | { 97 | if (offset >= fileSize) { 98 | *nsize = 0; 99 | return TRUE; 100 | } 101 | 102 | size_t remainingSize = fileSize - offset; 103 | size_t bytesToRead = (size < remainingSize) ? size : remainingSize; 104 | 105 | memcpy(buffer, fileContent + offset, bytesToRead); 106 | *nsize = bytesToRead; 107 | 108 | return TRUE; 109 | } 110 | 111 | static size_t GetStreamSize(PVOID this, size_t* size) 112 | { 113 | *size = fileSize; 114 | //hprintf(" GetStreamSize size-x=%x\n", fileSize); 115 | return 0; 116 | } 117 | 118 | void printLastError() { 119 | DWORD errorMessageID = GetLastError(); 120 | if(errorMessageID == 0) { 121 | printf("No error occurred.\n"); 122 | return; 123 | } 124 | 125 | LPSTR messageBuffer = NULL; 126 | size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 127 | NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); 128 | if(size == 0) { 129 | printf("Failed to get error message string.\n"); 130 | return; 131 | } 132 | 133 | printf("Error: %s\n", messageBuffer); 134 | 135 | LocalFree(messageBuffer); 136 | } 137 | 138 | static const wchar_t* GetStreamName(PSTREAMBUFFER_DESCRIPTOR self) 139 | { 140 | wchar_t test[] = L"engine"; 141 | return test; 142 | } 143 | __rsignal prsignal; 144 | HMODULE hModule; 145 | 146 | void submit_ip_ranges() { 147 | // Get the module handle for the current process. 148 | if (hModule == NULL) { 149 | habort("Cannot get module handle\n"); 150 | } 151 | 152 | // Get the PE header of the current module. 153 | PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)( 154 | (PBYTE)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew); 155 | if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) { 156 | habort("Invalid PE signature\n"); 157 | } 158 | 159 | // Get the section headers. 160 | PIMAGE_SECTION_HEADER pSectionHeaders = (PIMAGE_SECTION_HEADER)((PBYTE)pNtHeaders + 161 | sizeof(IMAGE_NT_HEADERS)); 162 | for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; ++i) { 163 | PIMAGE_SECTION_HEADER pSectionHeader = &pSectionHeaders[i]; 164 | 165 | // Check for the .text section 166 | if (memcmp((LPVOID)pSectionHeader->Name, PE_CODE_SECTION_NAME, strlen(PE_CODE_SECTION_NAME)) == 0) { 167 | DWORD_PTR codeStart = (DWORD_PTR)hModule + pSectionHeader->VirtualAddress; 168 | DWORD_PTR codeEnd = codeStart + pSectionHeader->Misc.VirtualSize; 169 | hprintf("[+] code start %llx...\n", (UINT64)codeStart); 170 | hprintf("[+] code end %llx...\n", (UINT64)codeEnd); 171 | // submit them to kAFL 172 | uint64_t buffer[3] = {0}; 173 | buffer[0] = codeStart; // low range 174 | buffer[1] = codeEnd; // high range 175 | buffer[2] = 0; // IP filter index [0-3] 176 | kAFL_hypercall(HYPERCALL_KAFL_RANGE_SUBMIT, (uint64_t)buffer); 177 | // ensure allways present in memory, avoid pagefaults for libxdc 178 | if (!VirtualLock((LPVOID)codeStart, pSectionHeader->Misc.VirtualSize)){ 179 | hprintf("Failed to lock .text section in resident memory\n"); 180 | DWORD err = GetLastError(); 181 | hprintf("VirtualLock failed with error: %lu\n", err); 182 | } 183 | return; 184 | } 185 | } 186 | habort("Couldn't locate .text section in PE image\n"); 187 | } 188 | 189 | kAFL_payload* kafl_agent_init(void) { 190 | // initial fuzzer handshake 191 | kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0); 192 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 193 | 194 | // submit mode 195 | kAFL_hypercall(HYPERCALL_KAFL_USER_SUBMIT_MODE, KAFL_MODE_64); 196 | 197 | // get host config 198 | host_config_t host_config = {0}; 199 | kAFL_hypercall(HYPERCALL_KAFL_GET_HOST_CONFIG, (uintptr_t)&host_config); 200 | hprintf("[host_config] bitmap sizes = <0x%x,0x%x>\n", host_config.bitmap_size, host_config.ijon_bitmap_size); 201 | hprintf("[host_config] payload size = %dKB\n", host_config.payload_buffer_size/1024); 202 | hprintf("[host_config] worker id = %02u\n", host_config.worker_id); 203 | 204 | // allocate buffer 205 | hprintf("[+] Allocating buffer for kAFL_payload struct\n"); 206 | kAFL_payload* payload_buffer = (kAFL_payload*)VirtualAlloc(0, host_config.payload_buffer_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 207 | 208 | // ensure really present in resident pages 209 | if (!VirtualLock(payload_buffer, host_config.payload_buffer_size)){ 210 | hprintf("[+] WARNING: Virtuallock failed to lock payload buffer\n"); 211 | DWORD err = GetLastError(); 212 | hprintf("VirtualLock failed with error: %lu\n", err); 213 | } 214 | 215 | // submit buffer 216 | hprintf("[+] Submitting buffer address to hypervisor...\n"); 217 | kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (UINT64)payload_buffer); 218 | 219 | // filters 220 | kAFL_hypercall(HYPERCALL_KAFL_SUBMIT_CR3, 0); 221 | 222 | // submit agent config 223 | agent_config_t agent_config = { 224 | .agent_magic = NYX_AGENT_MAGIC, 225 | .agent_version = NYX_AGENT_VERSION, 226 | }; 227 | kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config); 228 | 229 | return payload_buffer; 230 | } 231 | 232 | 233 | void scanFile(char filename[], kAFL_payload* payload_buffer){ 234 | SCANSTREAM_PARAMS ScanParams; 235 | STREAMBUFFER_DESCRIPTOR ScanDescriptor; 236 | SCAN_REPLY ScanReply; 237 | ZeroMemory(&ScanParams, sizeof ScanParams); 238 | ZeroMemory(&ScanDescriptor, sizeof ScanDescriptor); 239 | ZeroMemory(&ScanReply, sizeof ScanReply); 240 | 241 | ScanParams.Descriptor = &ScanDescriptor; 242 | ScanParams.ScanReply = &ScanReply; 243 | ScanReply.EngineScanCallback = EngineScanCallback; 244 | ScanReply.field_C = 0x7fffffff; 245 | ScanDescriptor.Read = ReadStream; 246 | ScanDescriptor.GetSize = GetStreamSize; 247 | ScanDescriptor.GetName = GetStreamName; 248 | //ScanDescriptor.filename = name; 249 | ScanDescriptor.UserPtr = fopen(filename, "rb"); 250 | //ScanDescriptor.filename_w = (wchar_t*)malloc((strlen(name) + 1) * sizeof(wchar_t)); 251 | if (ScanDescriptor.UserPtr == NULL) { 252 | hprintf("open failed\n"); 253 | //return; 254 | } 255 | 256 | hprintf("start scan\n"); 257 | 258 | fileContent = payload_buffer->data; 259 | fileSize = payload_buffer->size; 260 | 261 | //start scanning 262 | int ret = prsignal(RSIG_SCAN_STREAMBUFFER, &ScanParams, sizeof(ScanParams)); 263 | 264 | if (ret != 0) { 265 | hprintf("rsignal failed %d\n",ret); 266 | } 267 | 268 | hprintf("scan finished\n"); 269 | } 270 | 271 | int main(int argc, char** argv){ 272 | HANDLE KernelHandle; 273 | BOOTENGINE_PARAMS BootParams; 274 | ENGINE_INFO EngineInfo; 275 | ENGINE_CONFIG EngineConfig; 276 | 277 | 278 | printf("[+] Starting... %s\n", argv[0]); 279 | 280 | 281 | ZeroMemory(&BootParams, sizeof BootParams); 282 | ZeroMemory(&EngineInfo, sizeof EngineInfo); 283 | ZeroMemory(&EngineConfig, sizeof EngineConfig); 284 | 285 | wchar_t SignatureLocation[] = L"C:\\tmp"; 286 | wchar_t ProductName[] = L"Legitimate Antivirus"; 287 | wchar_t QurantineLocation[] = L"quarantine"; 288 | wchar_t Inclusions[] = L"*.*"; 289 | 290 | BootParams.ClientVersion = BOOTENGINE_PARAMS_VERSION; 291 | BootParams.SignatureLocation = SignatureLocation; 292 | BootParams.Attributes = BOOT_ATTR_NORMAL; 293 | BootParams.ProductName = ProductName; 294 | EngineConfig.QuarantineLocation = QurantineLocation; 295 | EngineConfig.Inclusions = Inclusions; 296 | EngineConfig.EngineFlags = 1 << 1; 297 | EngineConfig.UnknownAnsiString1 = NULL; 298 | EngineConfig.UnknownAnsiString2 = NULL; 299 | BootParams.EngineInfo = &EngineInfo; 300 | BootParams.EngineConfig = &EngineConfig; 301 | KernelHandle = NULL; 302 | 303 | hprintf("[+++++++] NEW START!\n"); 304 | SetCurrentDirectoryA("C:\\tmp"); 305 | hModule = LoadLibraryA("C:\\tmp\\mpengine.dll"); 306 | if(hModule == NULL){ 307 | hprintf("load dll failed\n"); 308 | printLastError(); 309 | return 1; 310 | } 311 | hprintf("loaded dll\n"); 312 | 313 | prsignal = (__rsignal)GetProcAddress(hModule, "rsignal"); 314 | if(prsignal == NULL){ 315 | hprintf("GetProcAddress failed\n"); 316 | return 1; 317 | } 318 | hprintf("got rsignal addr %x\n", prsignal); 319 | 320 | hprintf("size BootParams: %x\n", sizeof BootParams); 321 | 322 | int status = prsignal(RSIG_BOOTENGINE, &BootParams, sizeof BootParams); // 323 | hprintf("status %d\n",status); 324 | if (status != 0) { 325 | hprintf("__rsignal(RSIG_BOOTENGINE) returned failure, missing definitions?"); 326 | hprintf("Make sure the VDM files and mpengine.dll are in the engine directory\n"); 327 | printLastError(); 328 | //return 1; 329 | } 330 | 331 | hprintf("engine booted\n"); 332 | 333 | if (AddVectoredExceptionHandler(1, exception_handle) == 0) 334 | { 335 | hprintf("[-] WARNING: Cannot add veh handler %u\n", (UINT32)GetLastError()); 336 | } 337 | 338 | if (!SetProcessWorkingSetSize((HANDLE)-1, 1 << 27 /* min: 64MB */, 1 << 30 /* max: 2GB */)) 339 | { 340 | hprintf("[-] Err increasing min and max working sizes: %u\n", (UINT32)GetLastError()); 341 | } 342 | 343 | kAFL_hypercall(HYPERCALL_KAFL_LOCK, 0); 344 | kAFL_payload* payload_buffer = kafl_agent_init(); 345 | submit_ip_ranges(); 346 | kAFL_hypercall(HYPERCALL_KAFL_NEXT_PAYLOAD, 0); 347 | kAFL_hypercall(HYPERCALL_KAFL_ACQUIRE, 0); 348 | 349 | char filename[] = "C:\\tmp\\a"; 350 | 351 | scanFile(filename, payload_buffer); 352 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 353 | 354 | exit(0); 355 | return 0; 356 | } 357 | -------------------------------------------------------------------------------- /mpclient_defender_harness_withoutHypercalls.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "include/engineboot_kafl.h" 6 | #include "include/openscan_kafl.h" 7 | #include "include/scanreply_kafl.h" 8 | #include "include/streambuffer_kafl.h" 9 | #define RSIG_BOOTENGINE 0x4036 10 | #define RSIG_SCAN_STREAMBUFFER 0x403D 11 | #define PE_CODE_SECTION_NAME ".text" 12 | 13 | //x86_64-w64-mingw32-gcc mpclient_defender_harness_withoutHypercalls.c -o bin/mpclient_defender_harness_withoutHypercalls.exe 14 | 15 | static BYTE* fileContent = NULL; 16 | static size_t fileSize = 0; 17 | 18 | typedef DWORD(*__rsignal)(DWORD Code, PVOID Params, DWORD Size); 19 | 20 | 21 | LONG CALLBACK exception_handle(struct _EXCEPTION_POINTERS *ExceptionInfo) 22 | { 23 | DWORD exception_code = ExceptionInfo->ExceptionRecord->ExceptionCode; 24 | 25 | printf("exception %x\n",exception_code); 26 | if((exception_code == EXCEPTION_ACCESS_VIOLATION) || 27 | (exception_code == EXCEPTION_ILLEGAL_INSTRUCTION) || 28 | (exception_code == 0xc0000374) || 29 | (exception_code == EXCEPTION_STACK_OVERFLOW) || 30 | (exception_code == STATUS_STACK_BUFFER_OVERRUN) || 31 | (exception_code == STATUS_FATAL_APP_EXIT) || 32 | (exception_code == 0xC0000421)) 33 | 34 | { 35 | ExitProcess(0); 36 | } 37 | 38 | return EXCEPTION_CONTINUE_SEARCH; 39 | } 40 | 41 | static DWORD EngineScanCallback(PSCANSTRUCT Scan) 42 | { 43 | return 0; 44 | } 45 | 46 | 47 | static size_t ReadStream(PVOID this, size_t offset, BYTE* buffer, size_t size, size_t* nsize) 48 | { 49 | if (offset >= fileSize) { 50 | *nsize = 0; 51 | return TRUE; 52 | } 53 | 54 | size_t remainingSize = fileSize - offset; 55 | size_t bytesToRead = (size < remainingSize) ? size : remainingSize; 56 | 57 | memcpy(buffer, fileContent + offset, bytesToRead); 58 | *nsize = bytesToRead; 59 | printf(" ReadStream offset-d=%x size-d=%x\n", offset,size); 60 | printf(" read nsize=%x\n", *nsize); 61 | 62 | return TRUE; 63 | } 64 | 65 | static size_t GetStreamSize(PVOID this, size_t* size) 66 | { 67 | *size = fileSize; 68 | printf(" GetStreamSize size=%x\n", fileSize); 69 | return 0; 70 | } 71 | 72 | void printLastError() { 73 | DWORD errorMessageID = GetLastError(); 74 | if(errorMessageID == 0) { 75 | printf("No error occurred.\n"); 76 | return; 77 | } 78 | 79 | LPSTR messageBuffer = NULL; 80 | size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 81 | NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); 82 | if(size == 0) { 83 | printf("Failed to get error message string.\n"); 84 | return; 85 | } 86 | 87 | printf("Error: %s\n", messageBuffer); 88 | 89 | LocalFree(messageBuffer); 90 | } 91 | 92 | static const wchar_t* GetStreamName(PSTREAMBUFFER_DESCRIPTOR self) 93 | { 94 | wchar_t test[] = L"engine"; 95 | return test; 96 | } 97 | __rsignal prsignal; 98 | HMODULE hModule; 99 | 100 | 101 | void loadfile(char filename[]) { 102 | FILE* file = fopen(filename, "rb"); 103 | if (file == NULL) { 104 | printf("error opening file"); 105 | return; 106 | } 107 | 108 | fseek(file, 0, SEEK_END); 109 | fileSize = ftell(file); 110 | rewind(file); 111 | 112 | fileContent = (BYTE*)malloc(fileSize); 113 | if (fileContent == NULL) { 114 | printf("Handle memory allocation error"); 115 | fclose(file); 116 | return; 117 | } 118 | 119 | fread(fileContent, 1, fileSize, file); 120 | 121 | /*if (!VirtualLock(fileContent, fileSize)){ 122 | printf("[+] WARNING: Virtuallock failed to lock payload buffer\n"); 123 | DWORD err = GetLastError(); 124 | printf("VirtualLock failed with error: %lu\n", err); 125 | }else{ 126 | printf("locked paylaod buffer\n"); 127 | }*/ 128 | 129 | 130 | fclose(file); 131 | } 132 | 133 | void scanFile(char filename[]){ 134 | SCANSTREAM_PARAMS ScanParams; 135 | STREAMBUFFER_DESCRIPTOR ScanDescriptor; 136 | SCAN_REPLY ScanReply; 137 | ZeroMemory(&ScanParams, sizeof ScanParams); 138 | ZeroMemory(&ScanDescriptor, sizeof ScanDescriptor); 139 | ZeroMemory(&ScanReply, sizeof ScanReply); 140 | 141 | ScanParams.Descriptor = &ScanDescriptor; 142 | ScanParams.ScanReply = &ScanReply; 143 | ScanReply.EngineScanCallback = EngineScanCallback; 144 | ScanReply.field_C = 0x7fffffff; 145 | ScanDescriptor.Read = ReadStream; 146 | ScanDescriptor.GetSize = GetStreamSize; 147 | ScanDescriptor.GetName = GetStreamName; 148 | ScanDescriptor.UserPtr = fopen(filename, "rb"); 149 | if (ScanDescriptor.UserPtr == NULL) { 150 | printf("open failed\n"); 151 | return 1; 152 | } 153 | 154 | printf("start scan\n"); 155 | 156 | clock_t startc, endc; 157 | struct timeval startt, endt; 158 | double cpu_time_used, time_taken; 159 | 160 | //load file 161 | loadfile(filename); 162 | 163 | //start scanning 164 | startc = clock(); 165 | gettimeofday(&startt, NULL); 166 | int ret = prsignal(RSIG_SCAN_STREAMBUFFER, &ScanParams, sizeof(ScanParams)); 167 | endc = clock(); 168 | gettimeofday(&endt, NULL); 169 | cpu_time_used = ((double) (endc - startc)) / CLOCKS_PER_SEC; 170 | time_taken = (endt.tv_sec - startt.tv_sec) + (endt.tv_usec - startt.tv_usec) / 1e6; 171 | printf("Time taken: %f seconds\n", time_taken); 172 | printf("Clock-Time: %f seconds\n", cpu_time_used); 173 | if (ret != 0) { 174 | printf("rsignal failed %d\n",ret); 175 | } 176 | 177 | printf("scan finished\n"); 178 | } 179 | 180 | void submit_ip_ranges_nokafl() { 181 | // Get the module handle for the current process. 182 | if (hModule == NULL) { 183 | printf("Cannot get module handle\n"); 184 | } 185 | 186 | // Get the PE header of the current module. 187 | PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)( 188 | (PBYTE)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew); 189 | if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) { 190 | printf("Invalid PE signature\n"); 191 | } 192 | 193 | // Get the section headers. 194 | PIMAGE_SECTION_HEADER pSectionHeaders = (PIMAGE_SECTION_HEADER)((PBYTE)pNtHeaders + 195 | sizeof(IMAGE_NT_HEADERS)); 196 | for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; ++i) { 197 | PIMAGE_SECTION_HEADER pSectionHeader = &pSectionHeaders[i]; 198 | 199 | // Check for the .text section 200 | if (memcmp((LPVOID)pSectionHeader->Name, PE_CODE_SECTION_NAME, strlen(PE_CODE_SECTION_NAME)) == 0) { 201 | DWORD_PTR codeStart = (DWORD_PTR)hModule + pSectionHeader->VirtualAddress; 202 | DWORD_PTR codeEnd = codeStart + pSectionHeader->Misc.VirtualSize; 203 | printf("[+] code start %llx...\n", (UINT64)codeStart); 204 | printf("[+] code end %llx...\n", (UINT64)codeEnd); 205 | // submit them to kAFL 206 | uint64_t buffer[3] = {0}; 207 | buffer[0] = codeStart; // low range 208 | buffer[1] = codeEnd; // high range 209 | buffer[2] = 0; // IP filter index [0-3] 210 | 211 | // ensure allways present in memory, avoid pagefaults for libxdc 212 | /*if (!VirtualLock((LPVOID)codeStart, pSectionHeader->Misc.VirtualSize)){ 213 | printf("Failed to lock .text section in resident memory\n"); 214 | DWORD err = GetLastError(); 215 | printf("VirtualLock failed with error: %lu\n", err); 216 | }else{ 217 | printf("locked code\n"); 218 | }*/ 219 | return; 220 | } 221 | } 222 | printf("Couldn't locate .text section in PE image\n"); 223 | } 224 | 225 | 226 | int main(int argc, char** argv){ 227 | HANDLE KernelHandle; 228 | BOOTENGINE_PARAMS BootParams; 229 | ENGINE_INFO EngineInfo; 230 | ENGINE_CONFIG EngineConfig; 231 | 232 | printf("[+] Starting... %s\n", argv[0]); 233 | 234 | ZeroMemory(&BootParams, sizeof BootParams); 235 | ZeroMemory(&EngineInfo, sizeof EngineInfo); 236 | ZeroMemory(&EngineConfig, sizeof EngineConfig); 237 | 238 | 239 | wchar_t SignatureLocation[] = L"C:\\tmp"; 240 | wchar_t ProductName[] = L"Legitimate Antivirus"; 241 | wchar_t QurantineLocation[] = L"quarantine"; 242 | wchar_t Inclusions[] = L"*.*"; 243 | 244 | BootParams.ClientVersion = BOOTENGINE_PARAMS_VERSION; 245 | BootParams.SignatureLocation = SignatureLocation; 246 | BootParams.Attributes = BOOT_ATTR_NORMAL; 247 | BootParams.ProductName = ProductName; 248 | EngineConfig.QuarantineLocation = QurantineLocation; 249 | EngineConfig.Inclusions = Inclusions; 250 | EngineConfig.EngineFlags = 1 << 1; 251 | EngineConfig.UnknownAnsiString1 = NULL; 252 | EngineConfig.UnknownAnsiString2 = NULL; 253 | BootParams.EngineInfo = &EngineInfo; 254 | BootParams.EngineConfig = &EngineConfig; 255 | KernelHandle = NULL; 256 | printf("[+++++++] NEW START!\n"); 257 | SetCurrentDirectoryA("C:\\tmp"); 258 | hModule = LoadLibraryA("C:\\tmp\\mpengine.dll"); 259 | if(hModule == NULL){ 260 | printf("laod dll failed1\n"); 261 | printLastError(); 262 | return 1; 263 | } 264 | printf("laoded dll\n"); 265 | 266 | prsignal = (__rsignal)GetProcAddress(hModule, "rsignal"); 267 | if(prsignal == NULL){ 268 | printf("GetProcAddress failed\n"); 269 | return 1; 270 | } 271 | printf("got rsignal addr %x\n", prsignal); 272 | 273 | printf("size BootParams: %x\n", sizeof BootParams); 274 | 275 | int status = prsignal(RSIG_BOOTENGINE, &BootParams, sizeof BootParams); // 276 | printf("status %d\n",status); 277 | if (status != 0) { 278 | printf("__rsignal(RSIG_BOOTENGINE) returned failure, missing definitions?"); 279 | printf("Make sure the VDM files and mpengine.dll are in the engine directory\n"); 280 | printLastError(); 281 | //return 1; 282 | } 283 | 284 | printf("engine booted\n"); 285 | 286 | /* if (AddVectoredExceptionHandler(1, exception_handle) == 0) 287 | { 288 | printf("[-] WARNING: Cannot add veh handler %u\n", (UINT32)GetLastError()); 289 | }*/ 290 | 291 | //if (!SetProcessWorkingSetSize((HANDLE)-1, 1 << 27 /* min: 64MB */, 1 << 30 /* max: 1GB */)) 292 | /*{ 293 | printf("[-] Err increasing min and max working sizes: %u\n", (UINT32)GetLastError()); 294 | }*/ 295 | submit_ip_ranges_nokafl(); 296 | 297 | char filename[256]; 298 | strncpy(filename, argv[1], sizeof(filename) - 1); 299 | filename[sizeof(filename) - 1] = '\0'; // Ensure null-termination 300 | 301 | //pause(); 302 | scanFile(filename); 303 | 304 | ExitProcess(0); 305 | return 0; 306 | } 307 | -------------------------------------------------------------------------------- /mpengine/mpasbase.vdm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/mpengine/mpasbase.vdm -------------------------------------------------------------------------------- /mpengine/mpasdlta.vdm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/mpengine/mpasdlta.vdm -------------------------------------------------------------------------------- /mpengine/mpavbase.vdm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/mpengine/mpavbase.vdm -------------------------------------------------------------------------------- /mpengine/mpavdlta.vdm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/mpengine/mpavdlta.vdm -------------------------------------------------------------------------------- /mpengine/mpengine.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ig-labs/defender-mpengine-fuzzing/022740250849c45961b68079339c87858c7a6f87/mpengine/mpengine.dll --------------------------------------------------------------------------------