├── COMP_fuzzer.py ├── COMP_fuzzer.pyc ├── DOC_fuzzer.py ├── DOC_fuzzer.pyc ├── ETC_fuzzer.py ├── Main.py ├── Main_alyac.py ├── Main_debugger.py ├── Mut_Rada.py ├── Mut_Rada.pyc ├── OLE_fuzzer.py ├── PE_fuzzer.py ├── PE_fuzzer.pyc ├── README.md ├── ZIP_fuzz.py ├── ZIP_fuzz.pyc ├── fuzz_utils.py ├── fuzz_utils.pyc ├── ioctl_dump.py ├── ioctl_fuzzer.py ├── pyZZUF.py ├── pyZZUF.pyc ├── radamsa ├── 64비트 │ ├── cygwin1.dll │ ├── install_rada.bat │ ├── radamsa.dll │ └── radamsa.exe ├── cyggcc_s-1.dll ├── cygwin1.dll ├── install_rada.bat ├── radamsa.dll └── radamsa.exe ├── rename.py ├── rename_slice.py ├── seed ├── comp_seed │ ├── clam.7z │ ├── clam.arj │ ├── clam.bin-be.cpio │ ├── clam.bin-le.cpio │ ├── clam.cab │ ├── clam.d64.zip │ ├── clam.exe.szdd │ ├── clam.impl.zip │ ├── clam.newc.cpio │ ├── clam.odc.cpio │ ├── dis.7z │ ├── dis.rar │ ├── dis.tar.gz │ ├── dis.zip │ ├── small_archive.Z │ ├── small_archive.arj │ ├── small_archive.bz2 │ ├── small_archive.cab │ ├── small_archive.cpio │ ├── small_archive.gz │ ├── small_archive.lha │ ├── small_archive.lz │ ├── small_archive.lzma │ ├── small_archive.rar │ ├── small_archive.tar │ ├── small_archive.xz │ ├── small_archive.zip │ └── small_archive.zoo ├── ole_seed │ ├── clam.chm │ ├── clam.pdf │ ├── clam.ppt │ ├── clam_ole.doc │ ├── doc_seed.doc │ ├── embed_ole.hwp │ ├── hwp_seed.hwp │ ├── ole_native.doc │ ├── ppt_seed.ppt │ ├── small.pdf │ ├── small_document.rtf │ ├── test.hwp │ └── xls_seed.xls └── packed_seed │ ├── clam.exe │ ├── clam.exe.binhex │ ├── clam.exe.html │ ├── clam.exe.rtf │ ├── seed_exe_packed_aspack.exe │ ├── seed_exe_packed_aspack_y0da.exe │ ├── seed_exe_packed_fsg13.exe │ ├── seed_exe_packed_fsg13_y0da.exe │ ├── seed_exe_packed_fsg20.exe │ ├── seed_exe_packed_fsg20_y0da.exe │ ├── seed_exe_packed_mew.exe │ ├── seed_exe_packed_mew_y0da.exe │ ├── seed_exe_packed_upx.exe │ ├── seed_exe_packed_upx_y0da.exe │ ├── seed_exe_y0da.exe │ ├── seedclam.exe │ ├── seedclam_aspack.exe │ ├── seedclam_fsg.exe │ ├── 
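seedclam_mew.exe │ ├── seedclam_nsis.exe │ ├── seedclam_pespin.exe │ ├── seedclam_petite.exe │ ├── seedclam_upack.exe │ ├── seedclam_upx.exe │ ├── seedclam_wwpack.exe │ ├── seedclam_yc.exe │ └── small_exec.elf ├── setting_bat ├── Start_fuzzer.bat ├── comp_seed.bat ├── git-setting.bat ├── install_pygdb.bat ├── ole_seed.bat ├── packed_seed.bat ├── reset.bat ├── scan.bat └── start_FFV3.bat └── v3_ff.py
/COMP_fuzzer.py:
--------------------------------------------------------------------------------
"""Signature-preserving mutators for archive seeds (zip/gz/7z/rar/arj/cab).

Every mutator leaves the format's leading magic bytes untouched so the
mutated file still reaches the scanner's format-specific unpacker instead
of being rejected by its type sniffing. Mutation itself is delegated to
radamsa (Mut_Rada).
"""
from pyZZUF import *
import os
import ZIP_fuzz
import zlib
from Mut_Rada import *
# import fuzz_utils


class COMP_FUZZ:
    """Mutate one archive seed and write the result to OUT_DIR.

    SEED_DIR / OUT_DIR are concatenated with FILENAME as plain strings, so
    callers pass them with a trailing separator (Main.py does).
    """

    # extension -> mutator method name; matched case-sensitively, like the
    # extension lists in Main.py. 'cab' previously fell through to arj_fuzz
    # (2-byte prefix) even though cab_fuzz (4-byte prefix) exists.
    _FUZZERS = {
        "zip": "zip_fuzz",
        "gz": "gzip_fuzz",
        "7z": "sevenzip_fuzz",
        "rar": "rar_fuzz",
        "arj": "arj_fuzz",
        "cab": "cab_fuzz",
    }

    def __init__(self, seed_dir, out_dir, filename):
        self.SEED_DIR = seed_dir
        self.OUT_DIR = out_dir
        self.FILENAME = filename
        self.new_data = ""
        # Read the seed once and release the handle (the original left it open).
        with open(self.SEED_DIR + self.FILENAME, "rb") as f:
            self.INPUT = f.read()

    def Mutation(self):
        """Mutate the seed according to its extension and write OUT_DIR + FILENAME.

        An extension without a mutator leaves new_data as None and writes nothing.
        """
        ext = self.FILENAME.rsplit(".", 1)[-1]
        method = self._FUZZERS.get(ext)
        self.new_data = getattr(self, method)() if method else None

        if self.new_data is not None:
            with open(self.OUT_DIR + self.FILENAME, "wb") as f:
                f.write(self.new_data)

    @staticmethod
    def _keep_prefix(data, n):
        """Return data with its first n bytes untouched and the remainder mutated."""
        return data[:n] + radamsa(data[n:]).mutate()

    def zip_FIRST_HEADER(self, data):
        """Mutate one local file header (PK\\x03\\x04 ...), keeping its 4-byte signature."""
        return self._keep_prefix(data, 4)

    def zip_SECOND_HEADER(self, data):
        """Mutate one central directory entry (PK\\x01\\x02 ...), keeping its 4-byte signature."""
        return self._keep_prefix(data, 4)

    def zip_THIRD_HEADER(self, data):
        """Mutate the end-of-central-directory record (PK\\x05\\x06 ...).

        The signature and the two bytes that follow it are kept verbatim.
        """
        return data[:6] + radamsa(data[6:]).mutate()

    def zip_fuzz(self):
        """Mutate a ZIP seed record by record.

        The archive is cut at the local-header, central-directory and
        end-of-central-directory signatures so each record keeps its magic
        bytes and the scanner's ZIP parser walks the whole structure.

        If a signature is missing, or there are fewer central entries than
        local headers, the original indexed past the end of a split list
        (IndexError); here we fall back to mutating everything after the
        first 4 bytes instead.
        """
        FIRST_SIGN = b"PK\x03\x04"
        SECOND_SIGN = b"PK\x01\x02"
        THIRD_SIGN = b"PK\x05\x06"

        second_at = self.INPUT.find(SECOND_SIGN)
        third_at = self.INPUT.find(THIRD_SIGN)
        if second_at < 0 or third_at < 0 or third_at < second_at:
            return self._keep_prefix(self.INPUT, 4)

        first_section = self.INPUT[:second_at]
        second_section = self.INPUT[second_at:third_at]
        third_section = self.INPUT[third_at:]

        local_headers = first_section.split(FIRST_SIGN)[1:]
        central_entries = second_section.split(SECOND_SIGN)[1:]
        if len(central_entries) < len(local_headers):
            return self._keep_prefix(self.INPUT, 4)
        # As in the original, surplus central entries are dropped.
        central_entries = central_entries[:len(local_headers)]

        parts = [self.zip_FIRST_HEADER(FIRST_SIGN + rec) for rec in local_headers]
        parts += [self.zip_SECOND_HEADER(SECOND_SIGN + rec) for rec in central_entries]
        parts.append(self.zip_THIRD_HEADER(third_section))
        return b"".join(parts)

    def gzip_fuzz(self):
        """Keep the 2-byte gzip signature, mutate the rest."""
        return self._keep_prefix(self.INPUT, 2)

    def sevenzip_fuzz(self):
        """Keep the 6-byte 7z signature, mutate the rest."""
        return self._keep_prefix(self.INPUT, 6)

    def rar_fuzz(self):
        """Keep the 7-byte RAR marker header, mutate the rest."""
        return self._keep_prefix(self.INPUT, 7)

    def arj_fuzz(self):
        """Keep the 2-byte ARJ signature, mutate the rest."""
        return self._keep_prefix(self.INPUT, 2)

    def cab_fuzz(self):
        """Keep the 4-byte CAB signature, mutate the rest."""
        return self._keep_prefix(self.INPUT, 4)
--------------------------------------------------------------------------------
/COMP_fuzzer.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/COMP_fuzzer.pyc
--------------------------------------------------------------------------------
/DOC_fuzzer.py:
--------------------------------------------------------------------------------
# -*- coding:utf-8 -*-
# Module : DOC_fuzzer.py

#------------------------------------------------------------
# Description : mutates document seed files (OLE compound files, PDF,
#               CHM, RTF) while keeping their leading signature bytes.
#------------------------------------------------------------
from Mut_Rada import *
import io
import os
from pyZZUF import *
from random import choice
import shutil

class DOC_FUZZ:
    """Signature-preserving mutator for one document seed file."""

    def __init__(self, seed_dir, out_dir, filename):
        self.SEED_DIR = seed_dir
        self.OUT_DIR = out_dir
        self.FILENAME = filename
        self.new_data = ""
        # Read the seed once and release the OS handle; the original kept an
        # open file object in self.fp for the lifetime of the instance.
        with open(self.SEED_DIR + self.FILENAME, "rb") as fp:
            self.INPUT = fp.read()
        # Mutation() reads from self.fp; keep that attribute but serve it
        # from memory so no file handle stays open.
        self.fp = io.BytesIO(self.INPUT)

    #------------------------------------------------------------
    # Name : Mutation
    # Desc : mutates the document by extension and writes the result to a file.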
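    #------------------------------------------------------------
    def Mutation(self):
        """Mutate the document according to its extension and write OUT_DIR + FILENAME.

        Unknown extensions leave new_data as None and write nothing.
        """
        data = self.fp.read()
        # The handle was opened in __init__ and never closed; release it here.
        self.fp.close()

        # Extension is the text after the LAST dot. The original used
        # split(".")[1], which picks the wrong token for names such as
        # 'clam.exe.rtf' (present in the seed set) and silently skipped them.
        ext = self.FILENAME.rsplit(".", 1)[-1]

        # OLE compound files whose sub_header V3 does not inspect
        if ext == "hwp" or ext == "xls":
            self.new_data = self.ole_fuzz_without_sub_header(data)
        # OLE compound files whose sub_header V3 does inspect
        elif ext == "doc" or ext == "ppt":
            self.new_data = self.ole_fuzz_with_sub_header(data)
        # non-OLE document formats
        elif ext == "pdf":
            self.new_data = self.pdf_fuzz(data)
        elif ext == "chm":
            self.new_data = self.chm_fuzz(data)
        elif ext == "rtf":
            self.new_data = self.rtf_fuzz(data)
        else:
            self.new_data = None

        if self.new_data is not None:
            with open(self.OUT_DIR + self.FILENAME, "wb") as out:
                out.write(self.new_data)

    #------------------------------------------------------------
    # Name : _keep_prefix
    # Desc : keep the first n bytes verbatim and radamsa-mutate the rest.
    # Args : data : bytes to mutate, n : prefix length to preserve
    # Ret  : mutated bytes
    #------------------------------------------------------------
    @staticmethod
    def _keep_prefix(data, n):
        return data[:n] + radamsa(data[n:]).mutate()

    #------------------------------------------------------------
    # Name : ole_fuzz_without_sub_header
    # Desc : mutates an OLE-structured file whose sub_header V3 does not
    #        inspect: the 8-byte OLE signature is kept, everything else mutated.
    # Args : data  : bytes to mutate
    # Ret  : rdata : mutated bytes
    #------------------------------------------------------------
    def ole_fuzz_without_sub_header(self, data):
        return self._keep_prefix(data, 8)

    #------------------------------------------------------------
    # Name : ole_fuzz_with_sub_header
    # Desc : mutates an OLE-structured file whose sub_header V3 does inspect:
    #        the 8-byte OLE signature and the 4 bytes at offset 512 are kept.
    # Args : data  : bytes to mutate
    # Ret  : rdata : mutated bytes
    #------------------------------------------------------------
    def ole_fuzz_with_sub_header(self, data):
        signature = data[0:8]
        sub_signature = data[512:516]

        # First sector: mutate bytes 8..511, then force the result back to
        # exactly 512 bytes so sub_signature lands at the offset checked by
        # the scanner. The original only truncated; a radamsa output shorter
        # than 504 bytes shifted the sub-header forward, so pad as well.
        header = (signature + radamsa(data[8:512]).mutate())[:512]
        header = header + b"\x00" * (512 - len(header))

        return header + sub_signature + radamsa(data[516:]).mutate()

    #------------------------------------------------------------
    # Name : pdf_fuzz
    # Desc : mutates a PDF file, keeping its 4-byte signature.
    # Args : data  : bytes to mutate
    # Ret  : rdata : mutated bytes
    #------------------------------------------------------------
    def pdf_fuzz(self, data):
        return self._keep_prefix(data, 4)

    #------------------------------------------------------------
    # Name : chm_fuzz
    # Desc : mutates a CHM file, keeping its 4-byte signature.
    # Args : data  : bytes to mutate
    # Ret  : rdata : mutated bytes
    #------------------------------------------------------------
    def chm_fuzz(self, data):
        return self._keep_prefix(data, 4)

    #------------------------------------------------------------
    # Name : rtf_fuzz
    # Desc : mutates an RTF file, keeping its first 6 bytes.
    # Args : data  : bytes to mutate
    # Ret  : rdata : mutated bytes
    #------------------------------------------------------------
    def rtf_fuzz(self, data):
        return self._keep_prefix(data, 6)
--------------------------------------------------------------------------------
/DOC_fuzzer.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/DOC_fuzzer.pyc
--------------------------------------------------------------------------------
/ETC_fuzzer.py:
--------------------------------------------------------------------------------
"""Fallback mutator: radamsa over the whole seed, no signature preserved."""
from pyZZUF import *
from fuzz_utils import *
from random import *
from Mut_Rada import *


class ETC_FUZZ:
    """Mutate one seed of unknown type and write the result to OUT_DIR."""

    def __init__(self, seed_dir, out_dir, filename):
        self.SEED_DIR = seed_dir
        self.OUT_DIR = out_dir
        self.FILENAME = filename
        self.new_data = ""
        # Read the seed once and release the handle (the original left it open).
        with open(self.SEED_DIR + self.FILENAME, "rb") as f:
            self.INPUT = f.read()

    def Mutation(self):
        """Mutate the whole seed and write OUT_DIR + FILENAME."""
        self.new_data = self.etc_fuzz()

        if self.new_data is not None:
            with open(self.OUT_DIR + self.FILENAME, "wb") as f:
                f.write(self.new_data)

    def etc_fuzz(self):
        """Return radamsa's mutation of the entire input buffer."""
        return radamsa(self.INPUT).mutate()
--------------------------------------------------------------------------------
/Main.py:
--------------------------------------------------------------------------------
#-*- coding: utf-8 -*-

import utils
import random
import threading
import os
import shutil
import time
import sys
import DOC_fuzzer
import PE_fuzzer
import COMP_fuzzer
import ETC_fuzzer
import subprocess
import re
import Mut_Rada

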
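class file_fuzzer:
    """Mutation-only driver: picks seeds round-robin from sample_dir and
    writes mutants under tmp_dir.

    This variant does not launch or debug a scanner; the debugger-attached
    drivers (Main_debugger.py / Main_alyac.py) do that.
    """

    # Extension -> fuzzer module, matched case-sensitively like the
    # per-format fuzzers themselves.
    DOC_list = ["hwp", "doc", "ppt", "xls", "pdf", "chm", "rtf"]
    PE_list = ["exe"]
    COMP_list = ["zip", "gz", "7z", "rar", "cab", "arj"]

    def __init__(self):
        self.mutate_count = 100
        self.mutate_list = []
        self.selected_list = []  # list used for crash tracking
        self.eip_list = []       # crash de-duplication (by EIP)
        self.sample_file = None
        self.sample_dir = "C:\\fuzz\\in\\"
        self.numbering = None
        self.tmp_dir = "C:\\fuzz\\temp\\"
        self.count = 0
        self.max = 0

    @staticmethod
    def _ensure_dir(path):
        """mkdir -p without shelling out (os.makedirs has no exist_ok on Python 2)."""
        try:
            os.makedirs(path)
        except OSError:
            if not os.path.isdir(path):
                raise

    def _seed_files(self):
        """Sorted names of the regular files in sample_dir.

        Sorting makes count -> file mapping reproducible; skipping directories
        keeps the list consistent with the count stored in self.max.
        """
        return sorted(name for name in os.listdir(self.sample_dir)
                      if os.path.isfile(self.sample_dir + name))

    def rename_filename(self):
        """Replace '-' with '_' in seed names.

        The companion debugger drivers split the mutant name on '-' to recover
        the seed name, so seeds must not contain that character.
        """
        for name in os.listdir(self.sample_dir):
            name_r = name.replace("-", "_")
            if name_r != name:
                os.rename(self.sample_dir + name, self.sample_dir + name_r)
        print("[*] Finish to rename.")

    def wincmd(self, cmd):
        """Spawn a command with stdin/stdout/stderr piped.

        A list argument is passed straight to CreateProcess (shell=False), so
        file names taken from sample_dir cannot inject cmd.exe metacharacters;
        a string argument is still run through the shell as before.
        """
        return subprocess.Popen(cmd,
                                shell=not isinstance(cmd, (list, tuple)),
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)

    def file_picker_setting(self):
        """Count the seeds once so file_picker can index them round-robin.

        The original shelled out to `dir` and regex-parsed the 'N File(s)'
        summary line, which is locale-dependent and could disagree with the
        os.listdir() list that file_picker indexes. An empty sample_dir would
        then surface as a ZeroDivisionError in file_picker; fail early instead.
        """
        self.max = len(self._seed_files())
        if self.max == 0:
            raise RuntimeError("no seed files in %s" % self.sample_dir)

    def file_picker(self):
        """Select the next seed and compute the output name prefix.

        Mutants are written to tmp_dir\\<bucket>\\<serial>-<seed index>-<seed name>,
        where bucket and serial come from a centisecond timestamp; the bucket
        directory is created on demand.
        """
        file_list = self._seed_files()
        file_num = self.count % self.max
        tmp_time = int(time.time() * 100) % 100000000
        bucket = str(tmp_time // 10000)  # '//' keeps this an int on Python 3 too
        self._ensure_dir(self.tmp_dir + bucket)
        self.numbering = bucket + "\\" + str(tmp_time % 10000) + "-" + str(file_num) + "-"
        self.tmp_file = file_list[file_num]
        self.sample_file = file_list[file_num]

    def fuzz(self):
        """Run forever: pick a seed, mutate it, repeat."""
        self.file_picker_setting()
        while True:
            self.file_picker()
            self.mutate_file()

    def mutate_file(self):
        """Dispatch the selected seed to the fuzzer for its extension and run it.

        Anything not in the COMP/PE/DOC lists goes through ETC_FUZZ
        (whole-file radamsa).
        """
        print("[*] Selected file : %s" % self.sample_file)
        ext = self.sample_file.rsplit(".", 1)[-1]
        out_dir = self.tmp_dir + self.numbering

        if ext in self.COMP_list:
            fuzzer_cls = COMP_fuzzer.COMP_FUZZ
        elif ext in self.PE_list:
            fuzzer_cls = PE_fuzzer.PE_FUZZ
        elif ext in self.DOC_list:
            fuzzer_cls = DOC_fuzzer.DOC_FUZZ
        else:
            fuzzer_cls = ETC_fuzzer.ETC_FUZZ

        fuzzer_cls(self.sample_dir, out_dir, self.sample_file).Mutation()
        print("[*] Fin Fuzz")

        self.count += 1


if __name__ == "__main__":
    # The original ran `mkdir C:\fuzz\in C:\fuzz\temp C:\fuzz\temp` through the shell.
    for d in ("C:\\fuzz\\in", "C:\\fuzz\\temp"):
        file_fuzzer._ensure_dir(d)

    print("[*] Start File Fuzzer.")
    fuzzer = file_fuzzer()
    fuzzer.rename_filename()
    fuzzer.fuzz()

    print("[*] Finish File Fuzzer.")  # not reached: fuzz() loops forever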
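
--------------------------------------------------------------------------------
/Main_alyac.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Fuzzing driver for ESTsoft ALYac: mutates seeds, hands each mutant to the
# AYCon.exe command-line scanner and watches the real-time service
# (AYRTSrv.aye) under pydbg for access violations.
#
# It force-kills and relaunches the AV processes with taskkill, so it must
# run from an elevated console on a dedicated test VM.
from pydbg import *
from pydbg.defines import *

import utils
import random
import threading
import os
import shutil
import time
import sys
import DOC_fuzzer
import PE_fuzzer
import COMP_fuzzer
import subprocess
import re



class file_fuzzer:
    """Mutation loop plus crash monitor for ALYac.

    Threads started by fuzz():
      * start_AYRTSrv_debugger - attaches pydbg to AYRTSrv.aye and pumps events
      * start_exe              - runs AYCon.exe -s <mutant>
      * monitor_exe            - waits until AYCon.exe has exited
      * kill_AYRTSrv           - restarts the AV stack every 100 iterations
                                 and after each crash
    The threads coordinate through the boolean flags set in __init__, polled
    with time.sleep and never locked, so treat them as best-effort signals.
    """

    # Extension -> fuzzer module (case-sensitive). Note: no ETC fallback here.
    DOC_list = ["hwp", "doc", "ppt", "xls", "pdf", "chm", "rtf"]
    PE_list = ["exe"]
    COMP_list = ["zip", "gz", "7z", "rar"]

    CRASH_DIR = "C:\\fuzz\\crash_alyac\\"

    def __init__(self, exe_path):
        self.mutate_count = 100
        self.mutate_list = []
        self.selected_list = []  # list used for crash tracking
        self.eip_list = []       # crash de-duplication (by EIP)
        self.exe_path = exe_path
        self.orig_file = None
        self.sample_dir = "C:\\fuzz\\in_alyac"
        self.tmp_file = None
        self.tmp_dir = "C:\\fuzz\\temp_alyac"
        self.count = 0
        self.max = 0
        self.crash = None
        self.crash_tracking = False  # crash tracking enabled?
        self.crash_count = None      # iteration number of the last crash
        self.tracking_count = 0      # tracking counter (infinite-loop guard)
        self.check = False
        self.pid = None
        self.in_accessv_handler = False
        self.dbg = None
        self.running = False         # a scan of the current mutant is in flight
        self.filename = ""
        self.ord_ads = False
        self.pid_exe = None          # PID of AYCon.exe as a string
        self.running_alyac = False   # ALYac GUI has been relaunched
        self.running_aye = False     # AYRTSrv service is considered up
        self.running_cra = False     # handler_access_violation is in progress
        self.pid_aye = None          # PID of AYRTSrv.aye as a string
        self.dbg_aye = None

    # ---------------------------------------------------------------- helpers

    @staticmethod
    def _ensure_dir(path):
        """mkdir -p without shelling out (os.makedirs has no exist_ok on Python 2)."""
        try:
            os.makedirs(path)
        except OSError:
            if not os.path.isdir(path):
                raise

    def _seed_files(self):
        """Sorted names of the regular files in sample_dir (directories skipped)."""
        return sorted(name for name in os.listdir(self.sample_dir)
                      if os.path.isfile(os.path.join(self.sample_dir, name)))

    @staticmethod
    def _taskkill(image):
        """Force-kill every process with the given image name (argv list, no shell)."""
        subprocess.call(["taskkill", "/F", "/IM", image])

    def _tasklist(self, image):
        """Return `tasklist /FI "IMAGENAME eq <image>" /FO LIST` output as text."""
        pipe = self.wincmd(["tasklist", "/FI", "IMAGENAME eq " + image, "/FO", "LIST"])
        output, _ = pipe.communicate()
        if isinstance(output, bytes) and not isinstance(output, str):
            output = output.decode("utf-8", "replace")  # Python 3 only
        return output

    @staticmethod
    def _pid_from_tasklist(output):
        """Parse the PID out of LIST-format tasklist output, or None if no match.

        The original took the third line and its last space-separated token;
        a regex on the 'PID:' field tolerates layout differences.
        """
        match = re.search(r"PID:\s*(\d+)", output or "")
        return match.group(1) if match else None

    def wincmd(self, cmd):
        """Spawn a command with stdin/stdout/stderr piped.

        A list argument is passed straight to CreateProcess (shell=False), so
        a mutant path built from seed file names cannot inject cmd.exe
        metacharacters; a string argument is still run through the shell.
        """
        return subprocess.Popen(cmd,
                                shell=not isinstance(cmd, (list, tuple)),
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)

    def _restart_service(self):
        """Kill and relaunch the AV stack, then re-attach the debugger.

        kill_AYRTSrv runs on its own thread. Once it reports the GUI relaunched
        (running_alyac) we give it 10 s, kill the GUI again (the service stays
        up) and repeat until kill_AYRTSrv sets running_aye; then a fresh
        debugger thread attaches to the new service process.
        """
        self.running_aye = False
        restart_thread = threading.Thread(target=self.kill_AYRTSrv)
        restart_thread.setDaemon(0)
        restart_thread.start()

        while not self.running_aye:
            while not self.running_alyac:
                time.sleep(0.5)
            time.sleep(10)
            self._taskkill("ALYac.aye")
            time.sleep(2)

        pydbg_aye_thread = threading.Thread(target=self.start_AYRTSrv_debugger)
        pydbg_aye_thread.setDaemon(0)
        pydbg_aye_thread.start()

    # ------------------------------------------------------------- seed choice

    def file_picker_setting(self):
        """Count the seeds once for round-robin indexing.

        Replaces the `dir` + regex parse of the 'N File(s)' line, which was
        locale-dependent; also fails early instead of dividing by zero later.
        """
        self.max = len(self._seed_files())
        if self.max == 0:
            raise RuntimeError("no seed files in %s" % self.sample_dir)

    def file_picker(self):
        """Pick the next seed and derive the mutant path.

        Mutant name is <timestamp digits>-<seed index>-<seed name>.
        mutate_file splits it on '-' again, so seed names must not contain '-'.
        """
        file_list = self._seed_files()
        file_num = self.count % self.max
        sel_file = str(time.time()).replace(".", "") + "-" + str(file_num) + "-" + file_list[file_num]
        self.tmp_file = self.tmp_dir + "\\" + sel_file
        self.orig_file = self.sample_dir + "\\" + file_list[file_num]

    # ------------------------------------------------------------ crash handling

    def handler_access_violation(self, pydbg):
        """pydbg callback: log the crash, keep the mutant, restart the service.

        Writes CRASH_DIR\\<mutant>-<iteration>.log with pydbg's crash synopsis,
        copies the mutant next to it as <stem>-<iteration>.<ext>, terminates
        the debuggee and re-attaches to the restarted service. Returns
        DBG_EXCEPTION_NOT_HANDLED so the exception is not swallowed.
        """
        self.running_cra = True

        print("\n[-] Access_violation Crash!!\n")
        print("[-] Woot! Handling an access violation!")
        print("[-] EIP : 0x%08x" % self.dbg_aye.context.Eip)

        self.eip_list.append(self.dbg_aye.context.Eip)

        crash_bin = utils.crash_binning.crash_binning()
        crash_bin.record_crash(self.dbg_aye)
        self.crash = crash_bin.crash_synopsis()

        self.crash_count = self.count

        mutant = self.tmp_file.split("\\")[-1]
        with open(self.CRASH_DIR + mutant + "-%d.log" % self.count, "w") as crash_fd:
            crash_fd.write(self.crash)

        # Keep the input that triggered the crash.
        shutil.copy(self.tmp_file,
                    self.CRASH_DIR + mutant.split(".")[0] + "-" + str(self.count)
                    + "." + self.tmp_file.split(".")[-1])

        self.dbg_aye.terminate_process()
        self.dbg_aye.close_handle(self.dbg_aye.h_process)
        self.dbg_aye.detach()
        self.pid_aye = None
        self.running_aye = False

        print("[*] Restart AYRTSrv")
        self._restart_service()

        print("[-]Fin save crash & restart AYRTSrv")

        self.running_cra = False
        self.running = False

        return DBG_EXCEPTION_NOT_HANDLED

    # ------------------------------------------------------------------ main loop

    def fuzz(self):
        """Attach to the service, then loop: mutate, scan, monitor, restart."""
        self.file_picker_setting()

        debugger_thread = threading.Thread(target=self.start_AYRTSrv_debugger)
        debugger_thread.setDaemon(0)
        debugger_thread.start()
        print("started debugger")

        while self.pid_aye is None:
            time.sleep(0.5)

        while True:
            self.count += 1

            # Wait for the previous scan and any crash handling to finish.
            while self.running or self.running_cra:
                time.sleep(1)

            self.running = True

            print("[*] Starting Antivirus for iteration: %d" % self.count)

            if not self.crash_tracking:
                self.file_picker()
                self.mutate_file()
            else:
                # NOTE(review): crash_tracking is never set to True and
                # mutate_track is not defined in this file; this branch is dead.
                print("[ * ] Crash Tracking Start !!! %s" % self.orig_file)
                shutil.copy(self.orig_file, self.tmp_file)
                self.mutate_track()

            pydbg_thread = threading.Thread(target=self.start_exe)
            pydbg_thread.setDaemon(0)
            pydbg_thread.start()

            while self.running_cra:
                time.sleep(1)

            monitor_thread = threading.Thread(target=self.monitor_exe)
            monitor_thread.setDaemon(0)
            monitor_thread.start()

            # Periodic restart of the AV stack to shed accumulated state.
            if (self.count % 100) == 99:
                time.sleep(5)
                print("[*] Restart AYRTSrv")
                self._restart_service()

    def kill_AYRTSrv(self):
        """Restart the ALYac stack until the real-time service is seen running.

        Each pass force-kills the scanner, the service and the GUI, relaunches
        the GUI (os.system blocks until ALYac.aye exits, which _restart_service
        arranges via taskkill), then queries tasklist. tasklist /FO LIST prints
        an empty line before the first match, so a first line of exactly '\\r'
        means the image is running (the original compared .encode("hex") to "0d").

        NOTE(review): this checks 'AYRTSrv.exe' while every other reference in
        the file uses 'AYRTSrv.aye'. If the image really is .aye the test never
        matches and this loop never ends; kept as written pending confirmation.
        """
        print("[-] Start to kill process")
        while True:
            self.running_alyac = False
            self._taskkill("AYCon.exe")
            time.sleep(0.5)
            self._taskkill("AYRTSrv.aye")
            time.sleep(3)
            self._taskkill("ALYac.aye")
            time.sleep(3)
            self.running_alyac = True
            os.system("\"C:\\Program Files\\ESTsoft\\Alyac\\ALYac.aye\"")
            self._tasklist("ALYac.aye")  # result was unused in the original too
            output2 = self._tasklist("AYRTSrv.exe")
            if output2.split("\n")[0] == "\r":
                self.running_aye = True
                break

    def start_AYRTSrv_debugger(self):
        """Attach pydbg to the running AYRTSrv.aye and pump debug events.

        Sets pid_aye (string) so fuzz() can proceed. If the service is not
        running, prints an error and returns without attaching.
        """
        self.running_aye = True
        self.dbg_aye = pydbg()
        pid = self._pid_from_tasklist(self._tasklist("AYRTSrv.aye"))
        if pid is None:
            print("[-] Error on start")
            return
        self.pid_aye = pid
        print(self.pid_aye)
        self.dbg_aye.set_callback(EXCEPTION_ACCESS_VIOLATION, self.handler_access_violation)
        self.dbg_aye.attach(int(self.pid_aye, 10))
        print("[+] Attach debugger to AYRTSrv : " + str(self.pid_aye))
        self.dbg_aye.run()  # blocks in the debug event loop

    def attack_debugger(self):
        """Fault-injection self-test (call site commented out in fuzz()).

        Points EIP of every thread in the debuggee at 0xdeadbeef so the next
        resume raises an access violation and exercises
        handler_access_violation. This destroys the debuggee.
        """
        print("[!] Start attack : " + str(self.dbg_aye.pid))
        for thread_id in self.dbg_aye.enumerate_threads():
            thread_handle = self.dbg_aye.open_thread(thread_id)
            thread_context = self.dbg_aye.get_thread_context(thread_handle)
            thread_context.Eip = 0xdeadbeef
            self.dbg_aye.set_thread_context(thread_context, 0, thread_id)
        print("[!] Fin attack : ")

    # ------------------------------------------------------------ scanner control

    def start_exe(self):
        """Launch `AYCon.exe -s <mutant>` and record its PID once tasklist sees it.

        argv is passed as a list (no shell), so a mutant path derived from seed
        names cannot inject commands; the original built one quoted string and
        ran it with shell=True. The launch is retried until AYCon.exe appears.
        """
        self.running = True

        print(self.tmp_file)
        while True:
            pipe = self.wincmd([self.exe_path, "-s", self.tmp_file])
            pipe.stdin.close()
            pid = self._pid_from_tasklist(self._tasklist("AYCon.exe"))
            if pid is not None:
                self.pid_exe = pid
                print("PID is " + self.pid_exe)
                break
            print("no aycon")

        print("hello")

    def monitor_exe(self):
        """Wait until AYCon.exe has exited, then release the `running` flag.

        The original polled tasklist in a tight loop; a short sleep keeps the
        same behaviour without spawning tasklist continuously.
        """
        while self.pid_exe is None:
            time.sleep(0.5)

        while self._pid_from_tasklist(self._tasklist("AYCon.exe")) is not None:
            time.sleep(0.2)

        self.in_accessv_handler = False
        self.running = False

    def mutate_file(self):
        """Run the per-format fuzzer for orig_file so it writes tmp_file.

        The fuzzers take (seed_dir, out_prefix, seed_name) and write
        out_prefix + seed_name, so out_prefix is tmp_dir\\<timestamp>-<index>-
        and seed_name is the text after the last '-' of tmp_file. Extensions
        outside the three lists write nothing (and start_exe then scans a
        path that does not exist).
        """
        print("[*] Selected file : %s" % self.orig_file)
        ext = self.orig_file.rsplit(".", 1)[-1]

        mutant = self.tmp_file.split("\\")[-1]
        out_prefix = self.tmp_dir + "\\" + "-".join(mutant.split("-")[:2]) + "-"
        seed_name = self.tmp_file.split("-")[-1]

        if ext in self.COMP_list:
            fuzzer_cls = COMP_fuzzer.COMP_FUZZ
        elif ext in self.PE_list:
            fuzzer_cls = PE_fuzzer.PE_FUZZ
        elif ext in self.DOC_list:
            fuzzer_cls = DOC_fuzzer.DOC_FUZZ
        else:
            fuzzer_cls = None

        if fuzzer_cls is not None:
            fuzzer_cls(self.sample_dir + "\\", out_prefix, seed_name).Mutation()
        print("[*] Fin Fuzz")


if __name__ == "__main__":
    for d in ("C:\\fuzz\\in_alyac", "C:\\fuzz\\temp_alyac", "C:\\fuzz\\crash_alyac"):
        file_fuzzer._ensure_dir(d)

    print("[*] File Fuzzer.")
    exe_path = "C:\\Program Files\\ESTsoft\\Alyac\\AYCon.exe"

    # The original tested `exe_path is not None` (always true) and its error
    # branch was a bare string expression that printed nothing.
    if os.path.isfile(exe_path):
        fuzzer = file_fuzzer(exe_path)
        fuzzer.fuzz()
    else:
        print("[+] Error! scanner not found: " + exe_path)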
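--------------------------------------------------------------------------------
/Main_debugger.py:
--------------------------------------------------------------------------------
#-*- coding: utf-8 -*-
# Fuzzing driver for AhnLab V3 Lite: mutates seeds, hands each mutant to the
# scanner executable and watches the real-time service (asdsvc.exe) under
# pydbg for access violations.
#
# It force-kills and relaunches the AV processes with taskkill, so it must
# run from an elevated console on a dedicated test VM.
from pydbg import *
from pydbg.defines import *

import utils
import random
import threading
import os
import shutil
import time
import sys
import DOC_fuzzer
import PE_fuzzer
import COMP_fuzzer
import ETC_fuzzer
import subprocess
import re
import Mut_Rada


class file_fuzzer:
    """Mutation loop plus crash monitor for V3 Lite.

    Threads started by fuzz():
      * start_ASDsvc_debugger - attaches pydbg to asdsvc.exe and pumps events
      * start_exe             - runs the scanner on the mutant
      * monitor_exe           - waits until the scanner has exited
      * kill_ASDsvc           - restarts the AV stack every 100 iterations
                                and after each crash
    The threads coordinate through the boolean flags set in __init__, polled
    with time.sleep and never locked, so treat them as best-effort signals.
    """

    CRASH_DIR = "C:\\fuzz\\crash\\"

    def __init__(self, exe_path):
        self.mutate_count = 100
        self.mutate_list = []
        self.selected_list = []  # list used for crash tracking
        self.eip_list = []       # crash de-duplication (by EIP)
        self.exe_path = exe_path
        self.orig_file = None
        self.sample_dir = "C:\\fuzz\\in"
        self.tmp_file = None
        self.tmp_dir = "C:\\fuzz\\temp"
        self.count = 0
        self.max = 0
        self.crash = None
        self.crash_tracking = False  # crash tracking enabled?
        self.crash_count = None      # iteration number of the last crash
        self.tracking_count = 0      # tracking counter (infinite-loop guard)
        self.check = False
        self.pid = None
        self.in_accessv_handler = False
        self.dbg = None
        self.running = False         # a scan of the current mutant is in flight
        self.filename = ""
        self.ord_ads = False
        self.pid_exe = None          # PID of the scanner as a string
        self.running_v3 = False      # V3Lite GUI has been relaunched
        self.running_ads = False     # asdsvc service is considered up
        self.running_cra = False     # handler_access_violation is in progress
        self.pid_ads = None          # PID of asdsvc.exe as a string
        self.dbg_ads = None

    # ---------------------------------------------------------------- helpers

    @staticmethod
    def _ensure_dir(path):
        """mkdir -p without shelling out (os.makedirs has no exist_ok on Python 2)."""
        try:
            os.makedirs(path)
        except OSError:
            if not os.path.isdir(path):
                raise

    def _seed_files(self):
        """Sorted names of the regular files in sample_dir (directories skipped)."""
        return sorted(name for name in os.listdir(self.sample_dir)
                      if os.path.isfile(os.path.join(self.sample_dir, name)))

    @staticmethod
    def _taskkill(image):
        """Force-kill every process with the given image name (argv list, no shell)."""
        subprocess.call(["taskkill", "/F", "/IM", image])

    def _restart_service(self):
        """Kill and relaunch the AV stack, then re-attach the debugger.

        kill_ASDsvc runs on its own thread. Once it reports the GUI relaunched
        (running_v3) we give it 10 s, kill the GUI again (the service stays
        up) and repeat until kill_ASDsvc sets running_ads; then a fresh
        debugger thread attaches to the new service process.
        """
        self.running_ads = False
        restart_thread = threading.Thread(target=self.kill_ASDsvc)
        restart_thread.setDaemon(0)
        restart_thread.start()

        while not self.running_ads:
            while not self.running_v3:
                time.sleep(0.5)
            time.sleep(10)
            self._taskkill("v3lite.exe")
            time.sleep(2)

        pydbg_ads_thread = threading.Thread(target=self.start_ASDsvc_debugger)
        pydbg_ads_thread.setDaemon(0)
        pydbg_ads_thread.start()

    def wincmd(self, cmd):
        """Spawn a command with stdin/stdout/stderr piped.

        A list argument is passed straight to CreateProcess (shell=False), so
        a mutant path built from seed file names cannot inject cmd.exe
        metacharacters; a string argument is still run through the shell, which
        is what the remaining callers in this file pass.
        """
        return subprocess.Popen(cmd,
                                shell=not isinstance(cmd, (list, tuple)),
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)

    # ------------------------------------------------------------- seed choice

    def file_picker_setting(self):
        """Count the seeds once for round-robin indexing.

        Replaces the `dir` + regex parse of the 'N File(s)' line, which was
        locale-dependent; also fails early instead of dividing by zero later.
        """
        self.max = len(self._seed_files())
        if self.max == 0:
            raise RuntimeError("no seed files in %s" % self.sample_dir)

    def file_picker(self):
        """Pick the next seed and derive the mutant path.

        Mutant name is <timestamp digits>-<seed index>-<seed name>; the
        mutate step splits it on '-' again, so seed names must not contain '-'.
        """
        file_list = self._seed_files()
        file_num = self.count % self.max
        sel_file = str(time.time()).replace(".", "") + "-" + str(file_num) + "-" + file_list[file_num]
        self.tmp_file = self.tmp_dir + "\\" + sel_file
        self.orig_file = self.sample_dir + "\\" + file_list[file_num]

    # ------------------------------------------------------------ crash handling

    def handler_access_violation(self, pydbg):
        """pydbg callback: log the crash, keep the mutant, restart the service.

        Writes CRASH_DIR\\<mutant>-<iteration>.log with pydbg's crash synopsis,
        copies the mutant next to it as <stem>-<iteration>.<ext>, terminates
        the debuggee and re-attaches to the restarted service. Returns
        DBG_EXCEPTION_NOT_HANDLED so the exception is not swallowed.
        """
        self.running_cra = True

        print("\n[-] Access_violation Crash!!\n")
        print("[-] Woot! Handling an access violation!")
        print("[-] EIP : 0x%08x" % self.dbg_ads.context.Eip)

        self.eip_list.append(self.dbg_ads.context.Eip)

        crash_bin = utils.crash_binning.crash_binning()
        crash_bin.record_crash(self.dbg_ads)
        self.crash = crash_bin.crash_synopsis()

        self.crash_count = self.count

        mutant = self.tmp_file.split("\\")[-1]
        with open(self.CRASH_DIR + mutant + "-%d.log" % self.count, "w") as crash_fd:
            crash_fd.write(self.crash)

        # Keep the input that triggered the crash.
        shutil.copy(self.tmp_file,
                    self.CRASH_DIR + mutant.split(".")[0] + "-" + str(self.count)
                    + "." + self.tmp_file.split(".")[-1])

        self.dbg_ads.terminate_process()
        self.dbg_ads.close_handle(self.dbg_ads.h_process)
        self.dbg_ads.detach()
        self.pid_ads = None
        self.running_ads = False

        print("[*] Restart ASDsvc")
        self._restart_service()

        print("[-]Fin save crash & restart ASDsvc")

        self.running_cra = False
        self.running = False

        return DBG_EXCEPTION_NOT_HANDLED

    # ------------------------------------------------------------------ main loop

    def fuzz(self):
        """Attach to the service, then loop: mutate, scan, monitor, restart."""
        self.file_picker_setting()

        debugger_thread = threading.Thread(target=self.start_ASDsvc_debugger)
        debugger_thread.setDaemon(0)
        debugger_thread.start()

        while self.pid_ads is None:
            time.sleep(0.5)

        while True:
            self.count += 1

            # Wait for the previous scan and any crash handling to finish.
            while self.running or self.running_cra:
                time.sleep(1)

            self.running = True

            print("[*] Starting Antivirus for iteration: %d" % self.count)

            if not self.crash_tracking:
                self.file_picker()
                self.mutate_file()
            else:
                # NOTE(review): crash_tracking is never set to True and
                # mutate_track is not defined in this file; this branch is dead.
                print("[ * ] Crash Tracking Start !!! %s" % self.orig_file)
                shutil.copy(self.orig_file, self.tmp_file)
                self.mutate_track()

            pydbg_thread = threading.Thread(target=self.start_exe)
            pydbg_thread.setDaemon(0)
            pydbg_thread.start()

            while self.running_cra:
                time.sleep(1)

            monitor_thread = threading.Thread(target=self.monitor_exe)
            monitor_thread.setDaemon(0)
            monitor_thread.start()

            # Periodic restart of the AV stack to shed accumulated state.
            if (self.count % 100) == 99:
                time.sleep(5)
                print("[*] Restart ASDsvc")
                self._restart_service()

    # Restart the V3 stack until the service is seen running. Each pass kills
    # the scanner helper, the service and the GUI, relaunches the GUI
    # (os.system blocks until V3Lite.exe exits) and then queries tasklist.
    def kill_ASDsvc(self):
        print "[-] Start to kill process"
        while True:
            self.running_v3 = False
            os.system("taskkill /F /IM v3lmedic.exe")
            time.sleep(0.5)
            os.system("taskkill /F /IM asdsvc.exe")
            time.sleep(0.5)
            os.system("taskkill /F /IM v3lite.exe")
            time.sleep(3)
            self.running_v3 = True
            os.system( "\"C:\\Program Files\\AhnLab\\V3Lite30\\V3Lite.exe\"" )
            cmd = "tasklist /FI \"IMAGENAME eq v3lite.exe\" /FO LIST"
            pipe = self.wincmd(cmd)
            output1, errors1 =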
pipe.communicate() 235 | pipe.stdin.close() 236 | cmd = "tasklist /FI \"IMAGENAME eq asdsvc.exe\" /FO LIST" 237 | pipe = self.wincmd(cmd) 238 | output2, errors2 = pipe.communicate() 239 | pipe.stdin.close() 240 | if output2.split("\n")[0].encode("hex") == "0d": 241 | self.running_ads = True 242 | break; 243 | 244 | 245 | # 대상 어플리케이션을 실행시키는 디버거 쓰레드 246 | def start_ASDsvc_debugger(self): 247 | self.running_ads = True 248 | self.dbg_ads = pydbg() 249 | cmd = "tasklist /FI \"IMAGENAME eq asdsvc.exe\" /FO LIST" 250 | pipe = self.wincmd(cmd) 251 | output, errors = pipe.communicate() 252 | pipe.stdin.close() 253 | if errors != "": 254 | print "[-] Error on start" 255 | else: 256 | self.pid_ads = output.split("\n")[2].split(" ")[-1] 257 | self.dbg_ads.set_callback(EXCEPTION_ACCESS_VIOLATION, self.handler_access_violation ) 258 | self.dbg_ads.attach(int(self.pid_ads,10)) 259 | print "[+] Attach debugger to ASDsvc : " + str(self.pid_ads) 260 | self.dbg_ads.run() 261 | 262 | def attack_debugger(self): 263 | print "[!] Start attack : " + str( self.dbg_ads.pid ) 264 | # self.dbg_ads.suspend_all_threads() 265 | for thread_id in self.dbg_ads.enumerate_threads(): 266 | thread_handle = self.dbg_ads.open_thread(thread_id) 267 | thread_context = self.dbg_ads.get_thread_context(thread_handle) 268 | # print "Eip = 0x%08x" % thread_context.Eip 269 | thread_context.Eip=0xdeadbeef 270 | self.dbg_ads.set_thread_context(thread_context,0,thread_id) 271 | thread_context = self.dbg_ads.get_thread_context(thread_handle) 272 | # print "new Eip = 0x%08x" % thread_context.Eip 273 | # self.dbg_ads.resume_all_threads() 274 | # pydbg.debug_event_loop(self.dbg_ads) 275 | print "[!] 
Fin attack : " 276 | 277 | # 대상 어플리케이션을 실행 278 | def start_exe(self): 279 | 280 | self.running = True 281 | 282 | while True : 283 | cmd = "\"" + self.exe_path + "\" /manual_scan /target:" + self.tmp_file 284 | # print cmd 285 | pipe = self.wincmd(cmd) 286 | pipe.stdin.close() 287 | cmd = "tasklist /FI \"IMAGENAME eq v3lmedic.exe\" /FO LIST" 288 | pipe = self.wincmd(cmd) 289 | output, errors = pipe.communicate() 290 | pipe.stdin.close() 291 | if errors == "": 292 | self.pid_exe = output.split("\n")[2].split(" ")[-1] 293 | break 294 | else: 295 | print "no medic" 296 | 297 | 298 | # 어플레킹션을 몇 초 동안 실행 되게 한 다음 종료시키는 모니터링 쓰레드 299 | def monitor_exe(self): 300 | 301 | while self.pid_exe == None: 302 | time.sleep(0.5) 303 | 304 | counter = 0 305 | print "[*] waiting ", 306 | while counter < 3 and self.pid_exe != None: 307 | time.sleep(1) 308 | print ".", 309 | counter += 1 310 | print "\n" 311 | 312 | #if self.in_accessv_handler != True: 313 | os.system("taskkill /F /IM v3lmedic.exe") 314 | #else: 315 | # while self.pid_exe != None: 316 | # time.sleep(0.5) 317 | 318 | self.in_accessv_handler = False 319 | self.running = False 320 | 321 | def mutate_file( self ): 322 | DOC_list = ["hwp", "doc", "ppt", "xls", "pdf", "chm", "rtf"] 323 | PE_list = ["exe"] 324 | COMP_list = ["zip", "gz", "7z", "rar", "cab", "arj"] 325 | 326 | print "[*] Selected file : %s" % self.orig_file 327 | ext = self.orig_file.split(".")[-1] 328 | 329 | if(ext in COMP_list): 330 | #print self.sample_dir 331 | #print self.tmp_dir+ "\\" + self.tmp_file.split("\\")[-1].split("-")[0] 332 | #print self.tmp_file 333 | fuzzer = COMP_fuzzer.COMP_FUZZ(self.sample_dir + "\\", self.tmp_dir+ "\\" + self.tmp_file.split("\\")[-1].split("-")[0] + "-" + self.tmp_file.split("\\")[-1].split("-")[1] + "-" , self.tmp_file.split("-")[-1]) 334 | fuzzer.Mutation() 335 | elif(ext in PE_list): 336 | #print self.sample_dir 337 | #print self.tmp_dir 338 | #print self.orig_filee 339 | #print self.tmp_file 340 | fuzzer = 
PE_fuzzer.PE_FUZZ(self.sample_dir + "\\", self.tmp_dir+ "\\" + self.tmp_file.split("\\")[-1].split("-")[0] + "-" + self.tmp_file.split("\\")[-1].split("-")[1] + "-", self.tmp_file.split("-")[-1]) 341 | fuzzer.Mutation() 342 | elif(ext in DOC_list): 343 | #print self.sample_dir 344 | #print self.tmp_dir 345 | #print self.orig_file 346 | fuzzer = DOC_fuzzer.DOC_FUZZ(self.sample_dir + "\\", self.tmp_dir+ "\\" + self.tmp_file.split("\\")[-1].split("-")[0] + "-" + self.tmp_file.split("\\")[-1].split("-")[1] + "-", self.tmp_file.split("-")[-1]) 347 | fuzzer.Mutation() 348 | else: 349 | fuzzer = ETC_fuzzer.ETC_FUZZ(self.sample_dir + "\\", self.tmp_dir+ "\\" + self.tmp_file.split("\\")[-1].split("-")[0] + "-" + self.tmp_file.split("\\")[-1].split("-")[1] + "-" , self.tmp_file.split("-")[-1]) 350 | fuzzer.Mutation() 351 | print "[*] Fin Fuzz" 352 | return 353 | 354 | if __name__ == "__main__": 355 | 356 | os.system( "mkdir C:\\fuzz\\in C:\\fuzz\\temp C:\\fuzz\\crash" ) 357 | 358 | print "[*] File Fuzzer." 359 | exe_path = ("C:\\Program Files\\AhnLab\\V3Lite30\\V3LMedic.exe") 360 | 361 | if exe_path is not None: 362 | fuzzer = file_fuzzer( exe_path) 363 | fuzzer.fuzz() 364 | else: 365 | "[+] Error!" 
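366 | -------------------------------------------------------------------------------- /Mut_Rada.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Thin wrapper around the external ``radamsa`` mutator.

``radamsa(data).mutate()`` writes *data* to a private temporary file, runs
``radamsa`` on it and returns the mutated bytes.  ``wincmd`` is the shared
``subprocess.Popen`` helper the other fuzzer modules import from here.
"""
import utils
import threading
import os
import sys
import subprocess
import tempfile


def wincmd(cmd):
    """Start *cmd* with stdin/stdout/stderr piped and return the Popen object.

    A string is still run through the shell (``shell=True``), exactly as
    before, so existing callers that hand over a quoted command line keep
    working.  A list or tuple is passed to the OS without a shell, which is
    the form to use whenever part of the command (a file name, a PID) was not
    a literal in the source: with ``shell=True`` a seed file named e.g.
    ``a&calc.exe`` would be interpreted by ``cmd.exe`` as two commands.
    """
    use_shell = not isinstance(cmd, (list, tuple))
    return subprocess.Popen(cmd,
                            shell=use_shell,
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)


class radamsa(object):
    """Mutate a byte string with the ``radamsa`` executable found on PATH."""

    def __init__(self, data):
        # Only remember the input here.  The temp file is created per
        # mutate() call so that concurrent instances (the harness runs several
        # threads) never share one file; the previous version wrote a fixed
        # "temp" in the current directory that every instance overwrote, so a
        # mutation could be computed from another instance's input.
        self.data = data

    def mutate(self):
        """Return radamsa's output for ``self.data`` as a byte string.

        The input is written to an exclusively created temporary file
        (``tempfile.mkstemp``), radamsa is invoked without a shell, and the
        file is removed again whether or not radamsa succeeds.  A non-zero
        exit status is reported on stderr but the (possibly empty) output is
        still returned, matching the previous best-effort behaviour.  If the
        ``radamsa`` binary cannot be found the ``OSError`` from ``Popen``
        propagates instead of silently yielding an empty test case.
        """
        fd, path = tempfile.mkstemp(prefix="radamsa_", suffix=".bin")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(self.data)
            pipe = wincmd(["radamsa", path])
            output, errors = pipe.communicate()
            if pipe.returncode != 0:
                sys.stderr.write("[!] radamsa exited with %r: %r\n"
                                 % (pipe.returncode, errors))
        finally:
            try:
                os.remove(path)
            except OSError:
                pass  # already gone; nothing else to clean up
        return output
-------------------------------------------------------------------------------- /Mut_Rada.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/Mut_Rada.pyc -------------------------------------------------------------------------------- /OLE_fuzzer.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | # Module : OLE_fuzzer.py 3 | 4 | #------------------------------------------------------------ 5 | # 설명 : OLE 구조를 가지는 hwp, doc, ppt, xls 확장자를 가진 파일을 뮤테이션시킨다. 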
6 | #------------------------------------------------------------ 7 | import os 8 | from pyZZUF import * 9 | from random import choice 10 | import shutil 11 | 12 | class OLE_FUZZ: 13 | 14 | def __init__(self, seed_dir, out_dir, filename): 15 | self.SEED_DIR = seed_dir 16 | self.OUT_DIR = out_dir 17 | self.FILENAME = filename 18 | self.new_data = "" 19 | self.fp = open(self.SEED_DIR + self.FILENAME, "rb") 20 | 21 | #------------------------------------------------------------ 22 | # 함수명 : Mutation 23 | # 설 명 : OLE 구조를 가지는 파일을 뮤테이션시킨 후 파일에 쓴다. 24 | #------------------------------------------------------------ 25 | def Mutation(self): 26 | 27 | data = self.fp.read() 28 | 29 | # 확장자 확인하기 30 | ext = self.FILENAME.split(".")[1] 31 | #print "file extension : %s" % ext 32 | 33 | # 확장자별로 맞춤형 mutation하기 34 | if ext == "hwp" or ext == "xls": 35 | self.new_data = self.fuzz_without_sub_header(data) 36 | elif ext == "doc" or ext == "ppt": 37 | self.new_data = self.fuzz_with_sub_header(data) 38 | else: 39 | self.new_data = None 40 | 41 | # mutation된 값을 파일에 쓰기 42 | if self.new_data != None: 43 | fp = open(self.OUT_DIR + self.FILENAME, "wb") 44 | fp.write(self.new_data) 45 | 46 | #------------------------------------------------------------ 47 | # 함수명 : fuzz_without_sub_header 48 | # 설 명 : V3에서 sub_header를 검사하지 않는 파일을 뮤테이션시킨다. 49 | # 인자값 : data : 뮤테이션시킬 데이터 50 | # 반환값 : rdata : 뮤테이션시킨 데이터 51 | #------------------------------------------------------------ 52 | def fuzz_without_sub_header(self, data): 53 | 54 | signature = data[0:8] 55 | 56 | rdata = "" 57 | rdata += signature 58 | rdata += radamsa(data[8:]).mutate() 59 | 60 | return rdata 61 | 62 | #------------------------------------------------------------ 63 | # 함수명 : fuzz_with_sub_header 64 | # 설 명 : V3에서 sub_header를 검사하는 파일을 뮤테이션시킨다. 
65 | # 인자값 : data : 뮤테이션시킬 데이터 66 | # 반환값 : rdata : 뮤테이션시킨 데이터 67 | #------------------------------------------------------------ 68 | def fuzz_with_sub_header(self, data): 69 | 70 | signature = data[0:8] 71 | 72 | rdata = "" 73 | rdata += signature 74 | rdata += radamsa(data[8:512]).mutate()[:505] 75 | 76 | sub_signature = data[512:516] 77 | 78 | rdata += sub_signature 79 | rdata += radamsa(data[516:]).mutate() 80 | return rdata 81 | -------------------------------------------------------------------------------- /PE_fuzzer.py: -------------------------------------------------------------------------------- 1 | from pyZZUF import * 2 | from fuzz_utils import * 3 | from random import * 4 | from Mut_Rada import * 5 | 6 | class PE_FUZZ: 7 | 8 | def __init__(self, seed_dir, out_dir, filename): 9 | 10 | self.PATH = seed_dir + filename 11 | self.TARGET = out_dir + filename 12 | self.FILENAME = filename 13 | self.DATA = None 14 | self.IsPacked() 15 | print "IS_PACKED : %d"%self.IS_PACKED 16 | 17 | def Mutation(self): 18 | 19 | self.ParsePE() 20 | rdata = self.DoMute() 21 | f = open(self.TARGET,'wb') 22 | f.write(rdata) 23 | def DoMute(self): 24 | rdata = self.DATA[ : self.e_lfanew+0x38] 25 | rdata += radamsa(self.DATA[self.e_lfanew + 0x18 + 0x20 : self.e_lfanew + 0x18 + self.size_of_op_header]).mutate()[:self.size_of_op_header - 0x20] 26 | rdata += radamsa(self.DATA[len(rdata):]).mutate() 27 | return rdata 28 | def ParsePE(self): 29 | 30 | with open(self.PATH,'rb') as f: 31 | data = f.read() 32 | print len(data) 33 | self.e_lfanew = toDWORD(data[0x3C:0x40]) 34 | self.number_of_section = toWORD(data[self.e_lfanew : self.e_lfanew + 2]) 35 | self.size_of_op_header = toWORD(data[self.e_lfanew + 0x14 : self.e_lfanew + 0x16]) 36 | self.DATA = data 37 | 38 | def IsPacked(self): 39 | if not self.FILENAME.find("packed") == -1: 40 | self.IS_PACKED = True 41 | else: 42 | self.IS_PACKED = False 43 | 44 | #p = PE_FUZZ('C:\\radamsa\\test\\', 'C:\\radamsa\\test1\\', '1.exe' ) // test 
45 | #p.Mutation() 46 | -------------------------------------------------------------------------------- /PE_fuzzer.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/PE_fuzzer.pyc -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Fuzzer 2 | 3 | ## IOCTL Fuzzer 4 | 1. Load target driver on Immunity debugger. 5 | 2. Issue ` !ioctl_dump` PyCommand. (pickle file will be saved in Immunity debugger directory.) 6 | 3. `python ioctl_fuzzer.py [pickle filename]` 7 | 8 | 9 | ## File Fuzzer 10 | 1. Make `examples` and `crashes` directories in the parent directory of the script. 11 | 2. Make seed files (suitable for fuzzee) in the `examples` directory. 12 | 3. Update `lib/site-packages/pygdb/pygdb.py`. 13 | ``` 14 | [-] if mbi.State != MEM_COMMIT or mbi.Type == MEM_IMAGE: 15 | [+] if mbi.State != MEM_COMMIT: 16 | ``` 17 | 4. 
`python file_fuzzer.py -e [fuzzee path] -x .[extension for seed files]` 18 | 19 | 20 | 21 | ## command lines for each file parsing engine 22 | ### V3 23 | `"C:\Program Files\AhnLab\V3Lite30\V3LMedic.exe" /manual_scan /target:` 24 | ### ALYAC 25 | `"C:\Program Files\ESTsoft\Alyac\AYCon.exe" -s [target_path]` 26 | -------------------------------------------------------------------------------- /ZIP_fuzz.py: -------------------------------------------------------------------------------- 1 | from struct import * 2 | from optparse import OptionParser 3 | import random 4 | import sys 5 | 6 | class Crand: 7 | 8 | @staticmethod 9 | def randomBytes(n): 10 | return bytearray(random.getrandbits(8) for i in range(n)) 11 | 12 | @staticmethod 13 | def random_localFileHeader(val, length): 14 | random_index = [] 15 | for i in range(0,length): 16 | index = random.randrange(0,len(val)) 17 | if index not in random_index: 18 | random_index.append(index) 19 | return random_index 20 | 21 | @staticmethod 22 | def getRandNumber(structLen): 23 | return random.randrange(0,len(structLen)) 24 | 25 | @staticmethod 26 | def getSeed(): 27 | return random.randrange(0, 9223372036854775807) 28 | 29 | class Cpack: 30 | 31 | def __init__(self, valDict, valLoc): 32 | self.valDict = valDict 33 | self.valLoc = valLoc 34 | 35 | def packHeader4byte(self, index): 36 | global content 37 | if index in self.valLoc: 38 | f, s, t, q = Crand().randomBytes(4) 39 | content += pack('4B', f, s, t, q) 40 | else: 41 | content += pack('I', self.valDict[index]) 42 | 43 | def packHeaderHbyte(self, index): 44 | global content 45 | if index in self.valLoc: 46 | f, s = Crand().randomBytes(2) 47 | content += pack('2B', f, s) 48 | else: 49 | content += pack('H', self.valDict[index]) 50 | 51 | def packHeader2byte(self, index): 52 | global content 53 | if index in self.valLoc: 54 | f, s = Crand().randomBytes(2) 55 | content += pack('2B', f, s) 56 | else: 57 | content += pack('2B', *self.valDict[index]) 58 | 59 | def 
packHeadernbyte(self, index, len): 60 | global content 61 | if index in self.valLoc: 62 | lst = [] 63 | len = random.randrange(0, 255) 64 | lst = Crand().randomBytes(len) 65 | sub = tuple(lst) 66 | content += pack(str(len) + 'B', *sub) 67 | else: 68 | content += pack(str(len) + 'B', *self.valDict[index]) 69 | 70 | class ClocalHeader: 71 | 72 | def __init__(self, dictLocalFileHeader, locFileHeadList): 73 | self.dictLocalFileHeader = dictLocalFileHeader 74 | self.locFileHeadList = locFileHeadList 75 | 76 | def fuzzLocalHeader(self, signature): 77 | global content 78 | 79 | content += pack('4B', *signature) 80 | 81 | packElem = Cpack(self.dictLocalFileHeader, self.locFileHeadList) 82 | 83 | [packElem.packHeader2byte(i) for i in range(0, 4)] 84 | [packElem.packHeader4byte(i) for i in range(5, 7)] 85 | [packElem.packHeaderHbyte(i) for i in range(8, 9)] 86 | 87 | packElem.packHeadernbyte(10, len(self.dictLocalFileHeader[10])) 88 | packElem.packHeadernbyte(11, len(self.dictLocalFileHeader[11])) 89 | packElem.packHeadernbyte(12, len(self.dictLocalFileHeader[12])) 90 | 91 | class CcentralDir: 92 | 93 | def __init__(self, dictCentralDir, centrDirList): 94 | self.dictCentralDir = dictCentralDir 95 | self.centrDirList = centrDirList 96 | 97 | def fuzzCentralDir(self, signature): 98 | global content 99 | 100 | content += pack('4B', *signature) 101 | 102 | packElem = Cpack(self.dictCentralDir, self.centrDirList) 103 | 104 | [packElem.packHeader2byte(i) for i in range(0, 5)] 105 | [packElem.packHeader4byte(i) for i in range(6, 8)] 106 | [packElem.packHeaderHbyte(i) for i in range(9, 11)] 107 | [packElem.packHeader2byte(i) for i in range(12, 13)] 108 | [packElem.packHeader4byte(i) for i in range(14, 15)] 109 | 110 | packElem.packHeadernbyte(16, len(self.dictCentralDir[16])) 111 | packElem.packHeadernbyte(17, len(self.dictCentralDir[17])) 112 | packElem.packHeadernbyte(18, len(self.dictCentralDir[18])) 113 | 114 | class CendOfCentralDir: 115 | 116 | def __init__(self, 
dictEndOfCentralDir, endOfcentrDirList): 117 | self.dictEndOfCentralDir = dictEndOfCentralDir 118 | self.endOfcentrDirList = endOfcentrDirList 119 | 120 | def fuzzendOfCentralDir(self, endOfCentralDirSig): 121 | global content 122 | 123 | content += pack('4B', *endOfCentralDirSig) 124 | 125 | packElem = Cpack(self.dictEndOfCentralDir, self.endOfcentrDirList) 126 | 127 | [packElem.packHeader2byte(i) for i in range(0, 3)] 128 | [packElem.packHeader4byte(i) for i in range(4, 5)] 129 | 130 | packElem.packHeaderHbyte(6) 131 | packElem.packHeadernbyte(7, len(self.dictEndOfCentralDir[7])) 132 | 133 | class CfileManag: 134 | 135 | def setInputFilename(self, fileName): 136 | self.fileName = fileName 137 | 138 | def getInputFileName(self): 139 | return self.fileName 140 | 141 | def createFile(self, fileNameOut): 142 | with open(fileNameOut, mode='wb') as file: 143 | writeContent = file.write(content) 144 | 145 | def main(seed_dir, out_dir, Filename): 146 | 147 | fileElem = CfileManag() 148 | fileElem.setInputFilename(Filename) 149 | 150 | seed = Crand().getSeed() 151 | 152 | fileName = fileElem.getInputFileName() 153 | 154 | random.seed(seed) 155 | 156 | with open(seed_dir + fileName, mode='rb') as file: 157 | fileContent = file.read() 158 | 159 | # local header 160 | signature = unpack('4B', fileContent[0:4]) 161 | version = unpack('2B', fileContent[4:6]) 162 | flags = unpack('2B', fileContent[6:8]) 163 | compression = unpack('2B', fileContent[8:10]) 164 | modTime = unpack('2B', fileContent[10:12]) 165 | modDate = unpack('2B', fileContent[12:14]) 166 | crc32 = unpack('I', fileContent[14:18])[0] 167 | compressSize = unpack('I', fileContent[18:22])[0] 168 | uncompressSize = unpack('I', fileContent[22:26])[0] 169 | fileNameLen = unpack('H', fileContent[26:28])[0] 170 | extraFieldLen = unpack('H', fileContent[28:30])[0] 171 | endFileName = 30 + fileNameLen 172 | endExtraField = endFileName + extraFieldLen 173 | fileName = unpack(str(fileNameLen)+'B', 
fileContent[30:endFileName]) 174 | extraField = unpack(str(extraFieldLen)+'B', fileContent[endFileName:endExtraField]) 175 | 176 | # file data 177 | if (compressSize!=0): 178 | endCompSize = endExtraField + compressSize 179 | data = unpack(str(compressSize)+'B', fileContent[endExtraField:endCompSize]) 180 | 181 | else: 182 | return "incorrect case" 183 | # no data descriptor 184 | 185 | # Central directory structure 186 | centralDirectorySig = fileContent.find('\x50\x4b\x01\x02') 187 | if (centralDirectorySig != -1): 188 | endCentrDir = centralDirectorySig + 4 189 | CDsignature = unpack('4B', fileContent[centralDirectorySig:endCentrDir]) 190 | endCDversion = endCentrDir + 2 191 | CDversion = unpack('2B', fileContent[endCentrDir:endCDversion]) 192 | endCDversionNeed = endCDversion + 2 193 | CDversionNeed = unpack('2B', fileContent[endCDversion:endCDversionNeed]) 194 | endCDbitFlag = endCDversionNeed + 2 195 | CDbitFlag = unpack('2B', fileContent[endCDversionNeed:endCDbitFlag]) 196 | endCDcompression = endCDbitFlag + 2 197 | CDcompression = unpack('2B', fileContent[endCDbitFlag:endCDcompression]) 198 | endCDmodTime = endCDcompression + 2 199 | CDmodTime = unpack('2B', fileContent[endCDcompression:endCDmodTime]) 200 | endCDmodDate = endCDmodTime + 2 201 | CDmodDate = unpack('2B', fileContent[endCDmodTime:endCDmodDate]) 202 | endCDcrc32 = endCDmodDate + 4 203 | CDcrc32 = unpack('I', fileContent[endCDmodDate:endCDcrc32])[0] 204 | endCDcompressSize = endCDcrc32 + 4 205 | CDcompressSize = unpack('I', fileContent[endCDcrc32:endCDcompressSize])[0] 206 | endCDuncompressSize = endCDcompressSize + 4 207 | CDuncompressSize = unpack('I', fileContent[endCDcompressSize:endCDuncompressSize])[0] 208 | endCDfileNameLen = endCDuncompressSize + 2 209 | CDfileNameLen = unpack('H', fileContent[endCDuncompressSize:endCDfileNameLen])[0] 210 | endCDextraFieldLen = endCDfileNameLen + 2 211 | CDextraFieldLen = unpack('H', fileContent[endCDfileNameLen:endCDextraFieldLen])[0] 212 | 
endCDfileCommLen = endCDextraFieldLen + 2 213 | CDfileCommLen = unpack('H', fileContent[endCDextraFieldLen:endCDfileCommLen])[0] 214 | endCDdiskNumStart = endCDfileCommLen + 2 215 | CDdiskNumStart = unpack('2B', fileContent[endCDfileCommLen:endCDdiskNumStart]) 216 | endCDintFileAttr = endCDdiskNumStart + 2 217 | CDintFileAttr = unpack('2B', fileContent[endCDdiskNumStart:endCDintFileAttr]) 218 | endCDextFileAttr = endCDintFileAttr + 4 219 | CDextFileAttr = unpack('I', fileContent[endCDintFileAttr:endCDextFileAttr])[0] 220 | endCDrelOffset = endCDextFileAttr + 4 221 | CDrelOffset = unpack('I', fileContent[endCDextFileAttr:endCDrelOffset])[0] 222 | endCDFileName = endCDrelOffset + CDfileNameLen 223 | CDFileName = unpack(str(CDfileNameLen) + 'B', fileContent[endCDrelOffset:endCDFileName]) 224 | endCDExtraField = endCDFileName + CDextraFieldLen 225 | CDExtraField = unpack(str(CDextraFieldLen) + 'B', fileContent[endCDFileName:endCDExtraField]) 226 | endCDFileComment = endCDExtraField + CDfileCommLen 227 | CDFileComment = unpack(str(CDfileCommLen) + 'B', fileContent[endCDExtraField:endCDFileComment]) 228 | 229 | # end of central directory structure 230 | endOfCentralDirSig = fileContent.find('\x50\x4b\x05\x06') 231 | 232 | if (endOfCentralDirSig != -1): 233 | endECD = endOfCentralDirSig + 4 234 | EDCsignature = unpack('4B', fileContent[endOfCentralDirSig:endECD]) 235 | endECDdiskNumber = endECD + 2 236 | ECDdiskNumber = unpack('2B', fileContent[endECD:endECDdiskNumber]) 237 | endECDcentDirStartDisk = endECDdiskNumber + 2 238 | ECDcentDirStartDisk = unpack('2B', fileContent[endECDdiskNumber:endECDcentDirStartDisk]) 239 | endECDcentDirStartDiskOff = endECDcentDirStartDisk + 2 240 | ECDcentDirStartDiskOff = unpack('2B', fileContent[endECDcentDirStartDisk:endECDcentDirStartDiskOff]) 241 | endECDnumEntry = endECDcentDirStartDiskOff + 2 242 | ECDnumEntry = unpack('2B', fileContent[endECDcentDirStartDiskOff:endECDnumEntry]) 243 | endECDcentrDirSize = endECDnumEntry + 4 244 | 
ECDcentrDirSize = unpack('I', fileContent[endECDnumEntry:endECDcentrDirSize])[0] 245 | endECDcentrDirOff = endECDcentrDirSize + 4 246 | ECDcentrDirOff = unpack('I', fileContent[endECDcentrDirSize:endECDcentrDirOff])[0] 247 | endECDcommLen = endECDcentrDirOff + 2 248 | ECDcommLen = unpack('H', fileContent[endECDcentrDirOff:endECDcommLen])[0] 249 | endECDzipComment = endECDcommLen + ECDcommLen 250 | ECDzipComment = unpack(str(ECDcommLen) + 'B', fileContent[endECDcommLen:endECDzipComment]) 251 | 252 | 253 | localFileHeader = [version, flags, compression, modTime, modDate, crc32, compressSize, uncompressSize, fileNameLen, extraFieldLen, fileName, extraField, data] 254 | centralDirectoryStruct = [CDversion, CDversionNeed, CDbitFlag, CDcompression, CDmodTime, CDmodDate, CDcrc32, CDcompressSize, CDuncompressSize, CDfileNameLen, CDextraFieldLen, CDfileCommLen, CDdiskNumStart, CDintFileAttr, CDextFileAttr, CDrelOffset, CDFileName, CDExtraField, CDFileComment] 255 | endOfCentralDirectoyStruct = [ECDdiskNumber, ECDcentDirStartDisk, ECDcentDirStartDiskOff, ECDnumEntry, ECDcentrDirSize, ECDcentrDirOff, ECDcommLen, ECDzipComment] 256 | 257 | locFileHeadList = Crand().random_localFileHeader(localFileHeader, Crand().getRandNumber(localFileHeader)) 258 | centrDirList = Crand().random_localFileHeader(centralDirectoryStruct, Crand().getRandNumber(centralDirectoryStruct)) 259 | endOfcentrDirList = Crand().random_localFileHeader(endOfCentralDirectoyStruct, Crand().getRandNumber(endOfCentralDirectoyStruct)) 260 | 261 | dictLocalFileHeader = { 0 : version, 262 | 1 : flags, 263 | 2 : compression, 264 | 3 : modTime, 265 | 4 : modDate, 266 | 5 : crc32, 267 | 6 : compressSize, 268 | 7 : uncompressSize, 269 | 8 : fileNameLen, 270 | 9 : extraFieldLen, 271 | 10 : fileName, 272 | 11 : extraField, 273 | 12 : data 274 | } 275 | 276 | dictCentralDir = { 0 : CDversion, 277 | 1 : CDversionNeed, 278 | 2 : CDbitFlag, 279 | 3 : CDcompression, 280 | 4 : CDmodTime, 281 | 5 : CDmodDate, 282 | 6 : CDcrc32, 
283 | 7 : CDcompressSize, 284 | 8 : CDuncompressSize, 285 | 9 : CDfileNameLen, 286 | 10 : CDextraFieldLen, 287 | 11 : CDfileCommLen, 288 | 12 : CDdiskNumStart, 289 | 13 : CDintFileAttr, 290 | 14 : CDextFileAttr, 291 | 15 : CDrelOffset, 292 | 16 : CDFileName, 293 | 17 : CDExtraField, 294 | 18 : CDFileComment 295 | } 296 | 297 | dictEndOfCentralDir = { 0 : ECDdiskNumber, 298 | 1 : ECDcentDirStartDisk, 299 | 2 : ECDcentDirStartDiskOff, 300 | 3 : ECDnumEntry, 301 | 4 : ECDcentrDirSize, 302 | 5 : ECDcentrDirOff, 303 | 6 : ECDcommLen, 304 | 7 : ECDzipComment 305 | } 306 | 307 | global content 308 | content = '' 309 | 310 | callLocHead = ClocalHeader(dictLocalFileHeader, locFileHeadList) 311 | callLocHead.fuzzLocalHeader(signature) 312 | 313 | callCentrDir = CcentralDir(dictCentralDir, centrDirList) 314 | callCentrDir.fuzzCentralDir(CDsignature) 315 | 316 | callEndOfCentrDir = CendOfCentralDir(dictEndOfCentralDir, endOfcentrDirList) 317 | callEndOfCentrDir.fuzzendOfCentralDir(EDCsignature) 318 | 319 | fileElem.createFile(out_dir + Filename) 320 | 321 | if __name__ == "__main__": 322 | main() 323 | -------------------------------------------------------------------------------- /ZIP_fuzz.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/ZIP_fuzz.pyc -------------------------------------------------------------------------------- /fuzz_utils.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | def toBYTE(x): return struct.unpack(' (default 0) 111 | print _seed 112 | _ratio = DEFAULT_RATIO # bit fuzzing ratio (default 0.004) 113 | 114 | # Offsets 115 | _offset = DEFAULT_OFFSET # only fuzz bytes start with 116 | _fuzz_bytes = None # only fuzz bytes at offsets within (dynamic offsets) 117 | 118 | # Extra variables 119 | _protected = None # protect bytes and characters in 120 | _refused = 
None # refuse bytes and characters in 121 | _permitted = None # permit bytes and characters in 122 | 123 | # Modes 124 | _fuzz_mode = FUZZ_MODE_XOR # use fuzzing mode ([xor] set unset) 125 | 126 | # Internal variables 127 | _pos = DEFAULT_OFFSET 128 | _ctx = DEFAULT_CTX 129 | _iter = 0 130 | 131 | def __init__(self, buf, seed=None, ratio=None, offset=None): 132 | super(pyZZUF, self).__init__() 133 | self.set_buffer(buf) 134 | self.set_seed(int(str(time.time()).replace(".", ""))) 135 | if seed is not None: 136 | self.set_seed(_seed) 137 | if ratio is not None: 138 | self.set_ratio(ratio) 139 | if offset is not None: 140 | self.set_offset(offset) 141 | 142 | def set_buffer(self, buf): 143 | self._buf = buf if isinstance(buf, array) else array('B', buf) 144 | self._buf_length = len(buf) 145 | 146 | def set_seed(self, seed): 147 | if not isinstance(seed, integer_types): 148 | raise TypeError(' must be int') 149 | 150 | self._seed = uint32(seed) 151 | 152 | def set_ratio(self, ratio): 153 | if not isinstance(ratio, float): 154 | raise TypeError(' must be float') 155 | 156 | ratio = double(ratio) 157 | if ratio > MAX_RATIO: ratio = MAX_RATIO 158 | elif ratio < MIN_RATIO: ratio = MIN_RATIO 159 | self._ratio = ratio 160 | 161 | def set_fuzz_mode(self, mode): 162 | if mode not in [FUZZ_MODE_XOR, FUZZ_MODE_SET, FUZZ_MODE_UNSET]: 163 | raise TypeError('bad (must be one of FUZZ_MODE_XOR, FUZZ_MODE_SET, FUZZ_MODE_UNSET)') 164 | 165 | self._fuzz_mode = mode 166 | 167 | def set_offset(self, offset): 168 | if not isinstance(offset, int): 169 | raise TypeError(' must be int') 170 | 171 | self._offset = uint32(offset) 172 | 173 | # offset will be rewrited 174 | def set_fuzz_bytes(self, fbytes): 175 | if not isinstance(fbytes, list): 176 | raise TypeError(' must be list') 177 | 178 | self._fuzz_bytes = [] 179 | for _zz_r in fbytes: 180 | if isinstance(_zz_r, list) and len(_zz_r) == 2: 181 | start, stop = _zz_r 182 | if isinstance(start, int): 183 | self._fuzz_bytes.append((start, 
self._buf_length if stop is None else stop)) 184 | elif isinstance(_zz_r, int): 185 | self._fuzz_bytes.append((_zz_r, _zz_r)) 186 | else: 187 | raise TypeError(' must be list') 188 | 189 | def set_protected(self, protected_bytes, append=False): 190 | self._zz_arrbytes(protected_bytes, 'protected_bytes', '_protected', append) 191 | 192 | def set_refused(self, refused_bytes, append=False): 193 | self._zz_arrbytes(refused_bytes, 'refused_bytes', '_refused', append) 194 | 195 | def set_permitted(self, permitted_bytes, append=False): 196 | self._zz_arrbytes(permitted_bytes, 'permitted_bytes', '_permitted', append) 197 | 198 | def _zz_arrbytes(self, arr, attr_name, _attr, append): 199 | if type(arr) not in [list, str]: 200 | raise TypeError('<%s> must be list of int or str' % attr_name) 201 | 202 | if not append or getattr(self, _attr) is None: 203 | self.__dict__[_attr] = array('B') 204 | self.__dict__[_attr].fromlist(arr) if isinstance(arr, list) else self.__dict__[_attr].fromstring(arr) 205 | 206 | def _zz_isinrange(self, index): 207 | for start, stop in self._fuzz_bytes: 208 | if index >= start and (start == stop or index < stop): 209 | return True 210 | return False 211 | 212 | def _zz_srand(self, seed): 213 | self._ctx = seed ^ ZZUF_MAGIC0 214 | 215 | # Could be better, but do we care? 
def _zz_rand(self, maxv):
    """Advance the internal LCG state and return a value in [0, maxv).

    Schrage-style multiplicative congruential step (multiplier 16807,
    modulus 0x7fffffff).  NOTE(review): the classic Schrage decomposition
    of 2^31-1 by 16807 uses q=127773, r=2836; the divisor here is 12773,
    which looks like a dropped digit -- confirm against upstream zzuf.
    Changing it would alter every mutation stream derived from a seed,
    so it must stay as-is if existing crash reproducers depend on it.
    """
    hi, lo = self._ctx // 12773, self._ctx % 12773
    x = 16807 * lo - 2836 * hi
    if x <= 0:
        x += 0x7fffffff
    self._ctx = x
    # uint32 is a module-level helper of this file (not visible here).
    return uint32(self._ctx % maxv)

def mutate(self):
    """Fuzz self._buf in place, chunk by chunk, and return a pyZZUFArray.

    Per chunk a deterministic seed is derived from the chunk counter, the
    ratio and self._seed; a CHUNKBYTES-sized pattern buffer is filled with
    16-byte runs taken from ``value`` (a name not defined in this method --
    presumably module-level; verify), and that pattern is then copied over
    the 16-byte windows of self._buf that pass the range / offset /
    protected / permitted / refused filters.

    NOTE(review): ``byte`` is read by the protected/permitted/refused
    checks below, but its only assignment (``byte = self._buf[j:j+4]``) is
    commented out, so enabling any of those filters raises NameError.
    NOTE(review): the inner ``for i in range(...)`` loop reuses the outer
    chunk counter ``i``; the trailing ``i += 16`` therefore resumes from the
    inner loop's last value rather than from the chunk counter.
    This file is Python 2 (xrange, integer ``/``).
    """
    i = 0
    for _ in xrange(0, self._buf_length, CHUNKBYTES):
        # Per-chunk seed: mix the chunk counter, ratio and user seed so the
        # same (seed, ratio) pair always reproduces the same mutation.
        chunkseed = i
        chunkseed ^= ZZUF_MAGIC2
        chunkseed += uint32(self._ratio * ZZUF_MAGIC1)
        chunkseed ^= self._seed
        chunkseed += uint32(i * ZZUF_MAGIC3)
        chunkseed = uint32(chunkseed)
        self._zz_srand(chunkseed)

        fuzz_data = bytearray(CHUNKBYTES)

        # Add some random dithering to handle ratio < 1.0/CHUNKBYTES
        loop_bits = uint32((self._ratio * (8 * CHUNKBYTES) * 1000000.0 + self._zz_rand(1000000)) / 1000000.0)

        # Spend loop_bits in 16-byte runs of value[idx2]; a position whose
        # 16-byte window would run past the end of fuzz_data is redrawn.
        while(loop_bits > 0):
            idx = self._zz_rand(CHUNKBYTES)
            if(idx > (CHUNKBYTES -16)):
                continue
            idx2 = self._zz_rand(12)
            #bit = 1 << self._zz_rand(8)
            if(loop_bits > 16):
                fuzz_data[idx:idx+16] = value[idx2]*4
                loop_bits -= 16
            else:
                # Remaining budget < 16: value[idx2] is assumed to be a
                # 4-byte pattern (whole repeats plus a partial tail) -- confirm.
                fuzz_data[idx:idx+loop_bits] = value[idx2] * (loop_bits / 4) + value[idx2][:(loop_bits % 4)]
                break


        # Window of self._buf this chunk's pattern is applied to, clamped to
        # [self._pos, self._pos + self._buf_length).
        start = i * CHUNKBYTES if i * CHUNKBYTES > self._pos else self._pos
        stop = (i + 16) * CHUNKBYTES if (i + 16) * CHUNKBYTES < self._pos + self._buf_length else self._pos + self._buf_length

        for j in xrange(start, stop, 16):

            if self._fuzz_bytes is not None and not self._zz_isinrange(j): # not in one of the ranges skip byte
                continue
            elif self._offset > 0 and j < self._offset: # if index of byte in offset-range then skip it
                continue

            #byte = self._buf[j:j+4]

            # if byte is protected, then skip it
            if self._protected is not None and byte in self._protected:
                continue

            IDX = j % CHUNKBYTES

            # Pattern window for this position; the last partial window of
            # the chunk is truncated at CHUNKBYTES.
            if(IDX > (CHUNKBYTES -16)):
                fuzz_str = fuzz_data[IDX : CHUNKBYTES]
            else:
                fuzz_str = fuzz_data[IDX : IDX+16]

            '''
            # skip nulled
            if not fuzz_byte:
                continue


            if self._fuzz_mode == FUZZ_MODE_SET:
                byte = fuzz_byte
            elif self._fuzz_mode == FUZZ_MODE_UNSET:
                byte = fuzz_byte
            else:
                byte = fuzz_byte
            '''

            # if byte is not permitted, then skip it
            if self._permitted is not None and byte not in self._permitted:
                continue

            # if byte is refused, then skip it
            if self._refused is not None and byte in self._refused:
                continue
            # Copy the pattern window into the buffer, never past ``stop``.
            for i in range(min((stop-j), len(fuzz_str))):
                self._buf[j+i] = fuzz_str[i]


        i += 16

    return pyZZUFArray('B', self._buf).set_state(self._seed, self._ratio, self._iter)

def _zz_frange(self, start, stop, step):
    """Generator over ``start, start+step, ...`` while the value is <= stop.

    A truthy value passed in via ``send()`` replaces the current position.
    ``double`` is a module-level coercion helper (not visible here).
    """
    while start <= stop:
        next_state = (yield start)
        start = double(start + step)
        if next_state:
            start = double(next_state)

def mutagen(self, start=DEFAULT_RATIO, stop=MAX_RATIO, step=DEFAULT_RATIO_STEP, inheritance=False, rand_seed=False):
    """Generator yielding one mutate() result per ratio in [start, stop].

    start, stop, step -- ratio sweep bounds, coerced with ``double``.
    inheritance -- when False every iteration restarts from a copy of the
        original buffer; when True mutations accumulate on self._buf.
    rand_seed -- when True the seed is drawn with ``randint`` (runs are then
        not reproducible from the counter); otherwise the iteration counter
        itself is the seed.

    ``send((iter, ratio))`` resets the iteration counter and the ratio.
    """
    self._iter = 0
    start, stop, step = map(lambda f: double(f), [start, stop, step])
    buf = self._buf
    while start <= stop:
        if not inheritance:
            # buf[:] -- fresh copy so each ratio mutates the pristine input
            self.set_buffer(buf[:])
        self.set_seed(randint(0, MAX_UINT32) if rand_seed else self._iter)
        self.set_ratio(start)
        next_state = (yield self.mutate())
        start = double(start + step)
        self._iter += 1
        if next_state:
            self._iter, start = next_state
-------------------------------------------------------------------------------- /pyZZUF.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/pyZZUF.pyc -------------------------------------------------------------------------------- /radamsa/64비트/cygwin1.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/64비트/cygwin1.dll -------------------------------------------------------------------------------- /radamsa/64비트/install_rada.bat: --------------------------------------------------------------------------------
@echo on
REM Copies every file in this folder (radamsa.exe, radamsa.dll, cygwin1.dll
REM and this script itself) into the Windows system directory.  Needs an
REM elevated prompt; run from a batch file, copy overwrites a same-named
REM file (e.g. an existing cygwin1.dll) without asking.
REM NOTE(review): System32 is on the DLL search path of every process, so
REM this plants third-party DLLs system-wide.  A dedicated install
REM directory added to PATH gives the fuzzer the same access with far
REM smaller blast radius.
copy * C:\Windows\System32

pause
-------------------------------------------------------------------------------- /radamsa/64비트/radamsa.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/64비트/radamsa.dll -------------------------------------------------------------------------------- /radamsa/64비트/radamsa.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/64비트/radamsa.exe -------------------------------------------------------------------------------- /radamsa/cyggcc_s-1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/cyggcc_s-1.dll -------------------------------------------------------------------------------- /radamsa/cygwin1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/cygwin1.dll -------------------------------------------------------------------------------- /radamsa/install_rada.bat: --------------------------------------------------------------------------------
@echo on
REM Copies every file in this folder (radamsa.exe, radamsa.dll, cygwin1.dll,
REM cyggcc_s-1.dll and this script itself) into the Windows system
REM directory.  Needs an elevated prompt and overwrites same-named files.
REM NOTE(review): prefer a dedicated install directory added to PATH over
REM placing third-party DLLs in System32, which every process searches.
copy * C:\Windows\System32

pause
-------------------------------------------------------------------------------- /radamsa/radamsa.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/radamsa.dll -------------------------------------------------------------------------------- /radamsa/radamsa.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/radamsa/radamsa.exe -------------------------------------------------------------------------------- /rename.py: --------------------------------------------------------------------------------
# Python 2 helper (print statement): replace every '-' with '_' in the file
# names under the hard-coded fuzzing input directory.  Runs on import.
import os
fpath = "C:\\fuzz\\in\\"

for name in os.listdir(fpath):
    name_r = name.replace("-", "_")
    # NOTE(review): two names that differ only in '-' vs '_' map to the same
    # target, and os.rename raises on Windows when the target exists.
    # Names without '-' are renamed onto themselves (a no-op).
    os.rename(fpath + name, fpath + name_r)
    print name + " >> " + name_r
-------------------------------------------------------------------------------- /rename_slice.py: --------------------------------------------------------------------------------
# Python 2 helper (print statement): normalise file names in the fuzzing
# input directory to "seed<suffix>", keeping only what follows the last
# occurrence of "seed".  Runs on import.
import os
fpath = "C:\\fuzz\\in\\"

for name in os.listdir(fpath):
    name_r = name.split("seed")[-1]
    # A name without "seed" is kept whole and just gains the prefix.
    # NOTE(review): names sharing the same suffix collide, and os.rename
    # raises on Windows when the target already exists.
    os.rename(fpath + name, fpath + "seed" + name_r)
    print name + " >> " + name_r
-------------------------------------------------------------------------------- /seed/comp_seed/clam.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.7z -------------------------------------------------------------------------------- /seed/comp_seed/clam.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.arj 
-------------------------------------------------------------------------------- /seed/comp_seed/clam.bin-be.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.bin-be.cpio -------------------------------------------------------------------------------- /seed/comp_seed/clam.bin-le.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.bin-le.cpio -------------------------------------------------------------------------------- /seed/comp_seed/clam.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.cab -------------------------------------------------------------------------------- /seed/comp_seed/clam.d64.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.d64.zip -------------------------------------------------------------------------------- /seed/comp_seed/clam.exe.szdd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.exe.szdd -------------------------------------------------------------------------------- /seed/comp_seed/clam.impl.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.impl.zip -------------------------------------------------------------------------------- 
/seed/comp_seed/clam.newc.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.newc.cpio -------------------------------------------------------------------------------- /seed/comp_seed/clam.odc.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/clam.odc.cpio -------------------------------------------------------------------------------- /seed/comp_seed/dis.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/dis.7z -------------------------------------------------------------------------------- /seed/comp_seed/dis.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/dis.rar -------------------------------------------------------------------------------- /seed/comp_seed/dis.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/dis.tar.gz -------------------------------------------------------------------------------- /seed/comp_seed/dis.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/dis.zip -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.Z: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.Z -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.arj -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.bz2: -------------------------------------------------------------------------------- 1 | BZh0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.cab -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.cpio -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.gz -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.lha: -------------------------------------------------------------------------------- 1 | 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.lz: -------------------------------------------------------------------------------- 1 | L000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.lzma -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.rar: -------------------------------------------------------------------------------- 1 | Rar!00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick000064000007640000764000000002771242700346001246000ustar lcamtuflcamtufT0000 000 0 00000 000 0rom J0000 2 | W0000 000000000 00000 00000 00000 3 | W000 00000 000 0000 0000 4 | H0 0000000 0I000 0000000 5 | I 000000 000 00 0000 00 0000 00000 0000 000 0000 0000 00 I 00000000 00000 6 | 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.xz -------------------------------------------------------------------------------- /seed/comp_seed/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/comp_seed/small_archive.zip 
-------------------------------------------------------------------------------- /seed/comp_seed/small_archive.zoo: -------------------------------------------------------------------------------- 1 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /seed/ole_seed/clam.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/clam.chm -------------------------------------------------------------------------------- /seed/ole_seed/clam.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/clam.pdf -------------------------------------------------------------------------------- /seed/ole_seed/clam.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/clam.ppt -------------------------------------------------------------------------------- /seed/ole_seed/clam_ole.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/clam_ole.doc -------------------------------------------------------------------------------- /seed/ole_seed/doc_seed.doc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/doc_seed.doc -------------------------------------------------------------------------------- /seed/ole_seed/embed_ole.hwp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/embed_ole.hwp -------------------------------------------------------------------------------- /seed/ole_seed/hwp_seed.hwp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/hwp_seed.hwp -------------------------------------------------------------------------------- /seed/ole_seed/ole_native.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/ole_native.doc -------------------------------------------------------------------------------- /seed/ole_seed/ppt_seed.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/ppt_seed.ppt -------------------------------------------------------------------------------- /seed/ole_seed/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 obj<>endobj00 0 obj<>endobj00 0 obj<>endobj 00000 -------------------------------------------------------------------------------- /seed/ole_seed/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\rd 0000\par} -------------------------------------------------------------------------------- /seed/ole_seed/test.hwp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/test.hwp -------------------------------------------------------------------------------- /seed/ole_seed/xls_seed.xls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/ole_seed/xls_seed.xls -------------------------------------------------------------------------------- /seed/packed_seed/clam.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/clam.exe -------------------------------------------------------------------------------- /seed/packed_seed/clam.exe.binhex: -------------------------------------------------------------------------------- 1 | (This file must be converted with BinHex 4.0) 2 | :#0000000000000000000000000!!!!)J!!!!!E0069T0!!)0000000000000000000000000000000000000000000000000000000000000000000000000!!%!!000000000000000000000000000000000000000000000000000000000000000000000S"!R000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d950000000000000000000000000f9cF`000d95000000000000000PFh0KCf90000000000000000000000e" 3 | &!!"-!3%!0000000000000000i!#0J0X"!K0000000!B!!!!!!!"0%!!!0000000 4 | 000000000!"!!!!!#!!!000000000000000000000000000!0!!!000!!!J!0000 5 | 000000000000000000000000000000000000000000000000000000000!!!!!00 6 | 0000000000000000000000000000000000000000000000000000000000000000 7 | 0000000000000000000000000000000000000000000000000000000000000000 8 | 00000000000000000000000000"!!!!!#!!!0!!!!00000000000000000000000 9 | 00000: -------------------------------------------------------------------------------- 
/seed/packed_seed/clam.exe.html: -------------------------------------------------------------------------------- 1 | 0<00> 2 | -------------------------------------------------------------------------------- /seed/packed_seed/clam.exe.rtf: -------------------------------------------------------------------------------- 1 | {\rtf0\ans0\ansicp00000\u00\def00\stshfdbc00\stshfloc00\stshfhic00\stshfb00\deflan00000\deflangf00000{\fonttb0{\f0\froma0\fcharse00\fpr00{00\panos0 00000000000000000000}0000000000000000}{\f00\froma0\fcharse0000\fpr00 0000000000000000000}00{\f00\froma0\fcharse0000\fpr00 00000000000000000000}{\f00\froma0\fcharset000\fprq0 0000000000000000000000}{\f00\froman\fcharset000\fprq0 00000000000000000000}{\f00\froman\fcharset000\fprq0 0000000000000000000000000}00{\f00\froman\fcharset000\fprq0 0000000000000000000000000}{\f00\froman\fcharset000\fprq0 00000000000000000000000}{\f00\froman\fcharset000\fprq0 00000000000000000000000000000}}{\colortbl;\red0\green0\blue0;\red0\green0\blue000;\red0\green000\blue00000 2 | \red0\green000\blue0;\red000\green0\blue000;\red000\green0\blue0;\red000\green000\blue0;\red000\green000\blue000;\red0\green0\blue000;\red0\green000\blue000;\red0\green000\blue0;\red000\green0\blue000;\red000\green0\blue0;\red000\green000\blue000 3 | \red000\green000\blue000;\red000\green000\blue000;}{\stylesheet{\ql0\li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \fs00\lang0000\langfe0000\cgrid\langnp0000\langfenp0000 \snext0 0000000}{00\cs00 \additive0\ssemihidden00 4 | 00000000000000000000000}{00\ts00\tsrowd\trftsWidth00\trpaddl000\trpaddr000\trpaddfl0\trpaddft0\trpaddfb0\trpaddfr0\trcbpat0\trcfpat0\tscellwidthfts0\tsvertalt\tsbrdrt\tsbrdrl\tsbrdrb\tsbrdrr\tsbrdrdgl\tsbrdrdgr\tsbrdrh\tsbrdrv 00\ql0\li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \fs00\lang0000\langfe0000\cgrid\langnp0000\langfenp0000 \snext00 \ssemihidden 
0000000000000}}{00\latentstyles\lsdstimax000\lsdlockeddef0}{\0\rsidtbl0\rsid00000000}{\0\generator 000000000000000000000000000}{\info{\title 0}{\author 00000}{\operator 00000}{\creatim\yr0000\mo00\dy00\hr00\min00}{\revtim\yr0000\mo00\dy00\hr00\min00}{\version0}{\edmins0}{\nofpages0}{\nofwords0}{\nofchars00}{\0\company 0}{\nofcharsws00}{\vern00000}}00\widowctrl\ftnbj\aenddoc\noxlattoyen\expshrtn\noultrlspc\dntblnsbdb\nospaceforul\formshade\horzdoc\dgmargin\dghspace000\dgvspace000\dghorigin0000\dgvorigin0000\dghshow0\dgvshow0 0\jexpand\viewkind0\viewscale000\pgbrdrhead\pgbrdrfoot\splytwnine\ftnlytwnine\htmautsp\nolnhtadjtbl\useltbaln\alntblind\lytcalctblwd\lyttblrtgr\lnbrkrule\nobrkwrptbl\snaptogridincell\allowfieldendsel\wrppunct 0\asianbrkrule\rsidroot00000000\newtblstyruls\nogrowautofit0\fet0\sectd0\linex0\endnhere\sectlinegrid000\sectdefaultcl\sftnbj {\0\pnseclvl0\pnucrm\pnstart1\pnindent000\pnhang {\pntxta 0}}{\0\pnseclvl0\pnucltr\pnstart0\pnindent000\pnhang {\pntxta 0}}00{\0\pnseclvl0\pndec\pnstart0\pnindent000\pnhang {\pntxta 0}}{\0\pnseclvl0\pnlcltr\pnstart0\pnindent000\pnhang {\pntxta 0}}{\0\pnseclvl0\pndec\pnstart0\pnindent000\pnhang {\pntxtb 0}{\pntxta 0}}{\0\pnseclvl0\pnlcltr\pnstart0\pnindent000\pnhang {\pntxtb 0}00{\pntxta 0}}{\0\pnseclvl0\pnlcrm\pnstart0\pnindent000\pnhang {\pntxtb 0}{\pntxta 0}}{\0\pnseclvl0\pnlcltr\pnstart0\pnindent000\pnhang {\pntxtb 0}{\pntxta 0}}{\0\pnseclvl0\pnlcrm\pnstart0\pnindent000\pnhang {\pntxtb 0}{\pntxta 0}}\pard\plain 00\ql \li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \fs00\lang0000\langfe0000\cgrid\langnp0000\langfenp0000 {\pard\plain \ql \li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 00\fs00\lang0000\langfe0000\cgrid\langnp0000\langfenp0000\insrsid00000000 {\object\objemb\objw000\objh000{\0\objclass 0000000}0\0\objdata 000000000000000008000000000000000000000000000000000000007f020000 5 | 
0000030c010d0e05080500030a0c040f03050d050e300c050407600e0c0405030b040f700c030c010d0e600805000000000000000000030a0c040f03050d050e010c050407600e0c0405030b040f700c030c010d0e05080500200200004d5a00000200000000000000000000000000000000000000000000000000000000 6 | 000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000 7 | 00000000000000000000000000000000000000000000000000000000000000000000455200000000000000000000000000000000000000657373000000455200000000000000000000006573736167650000000000000000000000000000000000504500004c010100000000000000000000000000e00000000000020000 8 | 000000000600000000000040100000000000000000000000000000001000000002000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 9 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000000000000000100000001000000002000000000000000000000000000000 10 | 00000000000000000000000000000000000d0000000000000000000000000000000000000000000000007c0e00000000000000000000 11 | 000000000000000700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 12 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 13 | 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 14 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 15 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 16 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 17 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 19 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 20 | 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 21 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 22 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 23 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 24 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 25 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 26 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 27 | 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 28 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 29 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 30 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 31 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 32 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 33 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 34 | 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 35 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 36 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 37 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 38 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 39 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 40 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000}{\result {\insrsid00000000 {\pict{\0\picprop\shplid0000{\sp{\sn 000000000}{\sv 00}}{\sp{\sn 000000}{\sv 0}}00{\sp{\sn 000000}{\sv 0}0{\sp{\sn 00000}{\sv 0}0{\sp{\sn 0000000000000}{\sv 0}0}\picscalex000\picscaley000\piccropl0\piccropr0\piccropt0\piccropb0 0\picw0000\pich0000\picwgoal000\pichgoal000\wmetafile0\bliptag-000000000\blipupi00{\0\blipuid 
00000000000000000000000000000000}00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000}0\sid0 -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_aspack.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_aspack.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_aspack_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_aspack_y0da.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_fsg13.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_fsg13.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_fsg13_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_fsg13_y0da.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_fsg20.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_fsg20.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_fsg20_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_fsg20_y0da.exe -------------------------------------------------------------------------------- 
/seed/packed_seed/seed_exe_packed_mew.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_mew.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_mew_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_mew_y0da.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_upx.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_upx.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_packed_upx_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_packed_upx_y0da.exe -------------------------------------------------------------------------------- /seed/packed_seed/seed_exe_y0da.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seed_exe_y0da.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam.exe 
-------------------------------------------------------------------------------- /seed/packed_seed/seedclam_aspack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_aspack.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_fsg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_fsg.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_mew.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_mew.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_nsis.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_nsis.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_pespin.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_pespin.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_petite.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_petite.exe 
-------------------------------------------------------------------------------- /seed/packed_seed/seedclam_upack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_upack.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_upx.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_upx.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_wwpack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_wwpack.exe -------------------------------------------------------------------------------- /seed/packed_seed/seedclam_yc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/seedclam_yc.exe -------------------------------------------------------------------------------- /seed/packed_seed/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ujin5/av_ioctlFuzzer/cce83e19e6869303883da89b6ad42398321bfd50/seed/packed_seed/small_exec.elf -------------------------------------------------------------------------------- /setting_bat/Start_fuzzer.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | python C:\fuzz\fuzzer\Main.py 3 | pause -------------------------------------------------------------------------------- 
/setting_bat/comp_seed.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | mkdir C:\fuzz\in 3 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\seed\comp_seed\* C:\fuzz\in\* -------------------------------------------------------------------------------- /setting_bat/git-setting.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | mkdir C:\fuzz\fuzzer 3 | cd C:\fuzz\fuzzer 4 | rmdir /s /q C:\fuzz\fuzzer\av_ioctlFuzzer 5 | git clone https://github.com/pwn2expoit/av_ioctlFuzzer/ 6 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\* C:\fuzz\fuzzer\* 7 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\setting_bat\Start_fuzzer.bat %USERPROFILE%\Start_fuzzer.bat 8 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\setting_bat\start_FFV3.bat %USERPROFILE%\start_FFV3.bat 9 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\setting_bat\git-setting.bat %USERPROFILE%\git-setting2.bat 10 | pause -------------------------------------------------------------------------------- /setting_bat/install_pygdb.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | mkdir C:\fuzz\fuzzer 3 | cd C:\fuzz\fuzzer\av_ioctlFuzzer\setting_bat\Lib C:\Python27\Lib 4 | pause -------------------------------------------------------------------------------- /setting_bat/ole_seed.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | mkdir C:\fuzz\in 3 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\seed\ole_seed\* C:\fuzz\in\* -------------------------------------------------------------------------------- /setting_bat/packed_seed.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | mkdir C:\fuzz\in 3 | copy C:\fuzz\fuzzer\av_ioctlFuzzer\seed\packed_seed\* C:\fuzz\in\* -------------------------------------------------------------------------------- /setting_bat/reset.bat: 
-------------------------------------------------------------------------------- 1 | @echo on 2 | taskkill /F /IM v3lite.exe 3 | taskkill /F /IM asdsvc.exe 4 | "C:\Program Files\AhnLab\V3Lite30\V3Lite.exe" -------------------------------------------------------------------------------- /setting_bat/scan.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | "C:\Program Files\AhnLab\V3Lite30\V3LMedic.exe" /manual_scan /target:C:\fuzz\temp\ 3 | pause -------------------------------------------------------------------------------- /setting_bat/start_FFV3.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | python C:\fuzz\fuzzer\v3_ff.py 3 | pause -------------------------------------------------------------------------------- /v3_ff.py: -------------------------------------------------------------------------------- 1 | #-*- coding: utf-8 -*- 2 | from pydbg import * 3 | from pydbg.defines import * 4 | 5 | import utils 6 | import random 7 | import threading 8 | import os 9 | import shutil 10 | import time 11 | import sys 12 | import DOC_fuzzer 13 | import PE_fuzzer 14 | import COMP_fuzzer 15 | import subprocess 16 | import re 17 | import Mut_Rada 18 | 19 | 20 | class file_fuzzer: 21 | def __init__(self, exe_path): 22 | self.mutate_count = 100 23 | self.mutate_list = [] 24 | self.selected_list = [] # 크래시 트래킹에 사용할 리스트 25 | self.eip_list = [] #크래시 중복체크 (EIP 기준) 26 | self.exe_path = exe_path 27 | self.orig_file = None 28 | self.sample_dir = "C:\\fuzz\\in" 29 | self.tmp_file = None 30 | self.tmp_dir = "C:\\fuzz\\temp" 31 | self.notmp_dir = "C:\\fuzz\\notemp" 32 | self.count = 0 33 | self.max = 0 34 | self.crash = None 35 | self.crash_tracking = False # 크래시 추적 활성화 체크 36 | self.crash_count = None # 크래시 번호 저장 37 | self.tracking_count = 0 # 트래킹 카운트 저장(무한루프 방지) 38 | self.check = False 39 | self.pid = None 40 | self.in_accessv_handler = False 41 | self.dbg = None 42 | self.running = 
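False
        self.filename = ""
        self.ord_ads = False                # not read by any method below
        self.pid_exe = None                 # PID string of v3lmedic.exe, set by start_exe
        self.running_v3 = False             # not read by any method below
        self.running_ads = False            # not read by any method below
        self.running_cra = False            # True while handler_access_violation is running
        self.running_exe = False            # True while a scan is in flight; cleared by the crash handler
        self.pid_ads = None                 # PID string of ASDsvc.exe, the debugged process
        self.dbg_ads = None                 # pydbg instance attached to ASDsvc.exe
        self.ex_dbg = False                 # True while start_ASDsvc_debugger is still attaching
        self.ex_start_ASDsvc = False        # True while start_ASDsvc is killing the AV processes
        self.folder_list = None             # os.listdir(self.tmp_dir) snapshot taken by check_folder
        self.fcnt = 0                       # not read by any method below

    def wincmd(self, cmd):
        """Run *cmd* through cmd.exe and return the Popen object.

        stdin/stdout/stderr are all pipes so callers can use ``communicate()``.

        NOTE(review): ``shell=True`` with a single string means *cmd* is parsed
        by the shell.  Every current caller passes a fixed string built from
        constants (plus ``self.exe_path``, set in ``__main__``); never route
        sample file names or other externally controlled text through here
        without switching to an argv list and ``shell=False``.
        """
        return subprocess.Popen(cmd,
                                shell=True,
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)

    # Access-violation handler: records the crash, finds the sample folder the
    # scanner was working on, restarts the AV service and releases fuzz().
    def handler_access_violation(self, pydbg):
        """pydbg callback for EXCEPTION_ACCESS_VIOLATION inside ASDsvc.exe.

        Writes the crash synopsis to C:\\fuzz\\crash\\<timestamp>.log, locates
        the folder under tmp_dir that the scanner is holding (check_folder),
        tears the debugger down, restarts the AV service, deletes the folders
        that were already scanned and moves the crashing folder next to the
        log.  Returns DBG_EXCEPTION_NOT_HANDLED so the exception is passed on.

        NOTE(review): the *pydbg* argument is ignored; all state is read from
        self.dbg_ads, which is the debugger this callback was registered on.
        """

        self.running_cra = True

        print "\n[-] Access_violation Crash!!\n"
        print "[-] Woot! Handling an access violation!"
        print "[-] EIP : 0x%08x" % self.dbg_ads.context.Eip

        # Remember the faulting EIP (used to spot duplicate crashes).
        self.eip_list.append(self.dbg_ads.context.Eip)

        # Crash synopsis from pydbg's crash binning goes into self.crash.
        crash_bin = utils.crash_binning.crash_binning()
        crash_bin.record_crash(self.dbg_ads)
        self.crash = crash_bin.crash_synopsis()

        # Record which iteration produced the crash.
        self.crash_count = self.count

        # Log the crash; the timestamp (dot removed) doubles as the file name
        # and as the prefix of the backed-up sample folder below.
        tmp_time = str(time.time()).replace(".", "")
        with open("C:\\fuzz\\crash\\" + tmp_time + ".log", "w") as crash_fd:
            crash_fd.write(self.crash)

        # Find the sample folder the scanner still has open.  check_folder
        # returns -1 until one of the rename probes fails.
        print "[*]Finding"
        while True:
            fnum = self.check_folder()
            time.sleep(0.5)
            if fnum != -1:
                break

        # Shut the debugger down.
        print "[-]Terminate Debugger"
        self.dbg_ads.terminate_process()
        self.dbg_ads.close_handle(self.dbg_ads.h_process)
        self.dbg_ads.detach()
        self.pid_ads = None

        # Restart the AV stack on its own thread and wait for it to finish
        # killing the old processes.
        pydbg_ads_thread = threading.Thread(target=self.start_ASDsvc)
        pydbg_ads_thread.setDaemon(0)
        pydbg_ads_thread.start()

        while self.ex_start_ASDsvc:
            time.sleep(1)
        self.running_exe = False
        # V3Lite.exe (the tray UI) comes up with the service; wait for it,
        # then kill it so only ASDsvc stays.
        while self.check_process("v3lite.exe") == False:
            time.sleep(1)
        os.system("taskkill /F /IM v3lite.exe")

        # Folders before index fnum were scanned without a crash: drop them.
        # The crashing folder is preserved under C:\fuzz\crash.
        print "[-]Backuping Crash File"
        tnum = 0
        while tnum < fnum:
            try:
                shutil.rmtree(self.tmp_dir + "\\" + self.folder_list[tnum])
            except OSError:  # best effort: report and keep going
                print "[-]Delete Error " + self.tmp_dir + "\\" + self.folder_list[tnum]
            tnum += 1
        shutil.move(self.tmp_dir + "\\" + self.folder_list[fnum], "C:\\fuzz\\crash\\" + tmp_time + self.folder_list[fnum])

        print "[+]Fin to Exception handle"

        self.running_cra = False
        self.running = False

        return DBG_EXCEPTION_NOT_HANDLED


    def fuzz(self):
        """Main loop: attach to the AV service, scan tmp_dir, repeat.

        Per iteration: wait for any running crash handler to finish, attach a
        debugger to ASDsvc.exe (start_ASDsvc_debugger), launch a manual scan
        of tmp_dir (start_exe) and block until handler_access_violation
        clears self.running_exe.  On a crash the handler renames the folders
        one by one to find the one being scanned, backs it up, and this loop
        starts over.

        NOTE(review): ex_dbg is set True by the debugger thread itself, so if
        that thread has not started yet the ``while self.ex_dbg`` wait exits
        at once; the fixed ``time.sleep(3)`` appears to be the only thing
        covering that window.
        """
        while True:
            while self.running_cra:
                time.sleep(1)

            # Debugger on ASDsvc.exe.
            debugger_thread = threading.Thread(target=self.start_ASDsvc_debugger)
            debugger_thread.setDaemon(0)
            debugger_thread.start()

            while self.ex_dbg:
                time.sleep(1)
            time.sleep(3)
            # Debugger is attached to ASDsvc at this point.

            # Kick off the scan of tmp_dir.
            pydbg_thread = threading.Thread(target=self.start_exe)
            pydbg_thread.setDaemon(0)
            pydbg_thread.start()

            self.running_exe = True

            # Released by handler_access_violation (or start_ASDsvc).
            while self.running_exe:
                time.sleep(1)


    def start_ASDsvc(self):
        """Kill the AV processes and relaunch V3Lite.exe, which brings ASDsvc back.

        ex_start_ASDsvc is True while the taskkill sequence runs so that
        waiters know when it is safe to look for the new processes.  The final
        os.system call blocks until V3Lite.exe exits, which is why this runs on
        its own thread.
        """
        self.ex_start_ASDsvc = True
        self.running_exe = False
        os.system("taskkill /F /IM v3lmedic.exe")
        time.sleep(0.5)
        os.system("taskkill /F /IM asdsvc.exe")
        time.sleep(0.5)
        os.system("taskkill /F /IM v3lite.exe")
        time.sleep(0.5)
        self.ex_start_ASDsvc = False
        os.system( "\"C:\\Program Files\\AhnLab\\V3Lite30\\V3Lite.exe\"" )

    def check_folder(self):
        """Return the index of the tmp_dir folder that is currently in use, or -1.

        Each folder is renamed to <name><index> and straight back; a rename
        that fails is taken to mean the scanner has it open, and its index into
        self.folder_list is returned.  Side effect: self.folder_list is
        refreshed from os.listdir(self.tmp_dir).

        NOTE(review): the probe cannot tell the scanner apart from anything
        else holding a handle (Explorer, indexing, a permissions problem), so
        a false positive here backs up the wrong folder.
        """
        self.folder_list = os.listdir(self.tmp_dir)
        folder_num = -1
        for folder in self.folder_list:
            folder_num += 1
            try:
                os.rename(self.tmp_dir +"\\"+ folder, self.tmp_dir + "\\"+ folder + str(folder_num))
            except OSError:
                print "[*]Crash is here in " + self.tmp_dir + "\\" + folder
                return folder_num
            # Probe succeeded: restore the original name.
            os.rename(self.tmp_dir + "\\"+ folder + str(folder_num), self.tmp_dir +"\\"+ folder)

        return -1

    def check_process(self, id):
        """Return the PID (as a string) of a running image named *id*, else False.

        Runs ``tasklist /FI "IMAGENAME eq <id>" /FO LIST`` and parses it.
        Output shorter than 70 bytes is treated as "no such process"
        (presumably the short INFO message tasklist prints then -- confirm
        against the installed Windows locale); otherwise the last token of the
        third line is returned, which should be the ``PID:`` record.

        *id* must come from a trusted constant: it is spliced into a shell
        command (see wincmd).  All current callers pass literals.
        """
        cmd = "tasklist /FI \"IMAGENAME eq " + id + "\" /FO LIST"
        pipe = self.wincmd(cmd)
        # communicate() closes stdin itself; an explicit close afterwards was
        # unreachable dead code and has been dropped.
        output, errors = pipe.communicate()
        if len(output) < 70:
            return False  # not running
        else:
            return output.split("\n")[2].split(" ")[-1]  # running: PID string

    # Debugger thread: attach pydbg to ASDsvc.exe, restarting it if needed.
    def start_ASDsvc_debugger(self):
        """Attach self.dbg_ads to ASDsvc.exe and run the debugger loop.

        If ASDsvc.exe is not running it is restarted via start_ASDsvc and the
        check is retried.  ex_dbg stays True until the attach has completed;
        the method then blocks in dbg_ads.run() until the debugger detaches.
        """
        self.ex_dbg = True
        self.dbg_ads = pydbg()
        # Is ASDsvc up?
        while True:
            output = self.check_process("ASDsvc.exe")
            if not output:
                # ASDsvc is down: bring it back and retry.
                print "[-] ASDsvc is dead, Starting ASDsvc"
                pydbg_ads_thread = threading.Thread(target=self.start_ASDsvc)
                pydbg_ads_thread.setDaemon(0)
                pydbg_ads_thread.start()
                while self.ex_start_ASDsvc:
                    time.sleep(1)
                self.running_exe = False
                # Wait for the tray UI that comes up with the service, then
                # kill it so only ASDsvc remains.
                while self.check_process("v3lite.exe") == False:
                    time.sleep(1)
                os.system("taskkill /F /IM v3lite.exe")
                continue
            else:
                # ASDsvc is alive: hook access violations and attach.
                self.pid_ads = str(output)
                self.dbg_ads.set_callback(EXCEPTION_ACCESS_VIOLATION, self.handler_access_violation )
                self.dbg_ads.attach(int(self.pid_ads, 10))
                print "[+] Attach debugger to ASDsvc : " + str(self.pid_ads)
                self.ex_dbg = False
                self.dbg_ads.run()
                break


    # Launch the target application (the on-demand scanner) against tmp_dir.
    def start_exe(self):
        """Start ``<exe_path> /manual_scan /target:<tmp_dir>`` until it is seen running.

        After each launch it waits one second and looks for v3lmedic.exe; on
        success self.pid_exe is recorded and the method returns, otherwise the
        launch is retried.
        """
        while True :
            cmd = "\"" + self.exe_path + "\" /manual_scan /target:" + self.tmp_dir
            pipe = self.wincmd(cmd)
            pipe.stdin.close()
            time.sleep(1)
            output = self.check_process("v3lmedic.exe")
            if output != False:
                # NOTE(review): this is a comparison, not an assignment, so it
                # has no effect.  fuzz() already sets running_exe = True right
                # after starting this thread; making this an assignment would
                # let a slow launch re-block fuzz() after the crash handler has
                # cleared the flag, so it is left untouched pending a cleaner
                # handshake between the threads.
                self.running_exe == True
                self.pid_exe = output
                break
            else:
                print "[-]Restart medic"

    # Check remaining disk space and trim tmp_dir if it is low.
    def check_spcae(self):
        """Delete up to 11 folders from tmp_dir when C: has under 10 GiB free.

        (Method name kept as-is for existing callers.)  Free space is parsed
        from the last summary line of ``dir c:\\``, third token from the end
        with thousands separators stripped -- this depends on the locale's
        ``dir`` output format; confirm on the target machine.  Folders are
        removed in os.listdir order; the loop stops after the 11th.
        """
        cmd = "dir c:\\"
        # Was fuzzer.wincmd (a module global set only in __main__); the
        # instance's own helper is what is meant.
        pipe = self.wincmd(cmd)
        output, errors = pipe.communicate()
        pipe.stdin.close()

        # 10737418240 bytes == 10 GiB.
        if int(output.split("\n")[-2].split(" ")[-3].replace(",","")) < 10737418240:
            tmp = 0
            for dir_name in os.listdir(self.tmp_dir):
                tmp += 1
                try:
                    shutil.rmtree(self.tmp_dir + "\\" + dir_name)
                except OSError:  # best effort: report and keep going
                    # Was self.folder_list[tnum]: neither name is defined
                    # here, so the error path itself raised NameError.
                    print "[-]Delete Error " + self.tmp_dir + "\\" + dir_name
                if tmp > 10:
                    break


if __name__ == "__main__":
    # Working directories: samples in, scan target, crash backups, spare.
    os.system( "mkdir C:\\fuzz\\in C:\\fuzz\\temp C:\\fuzz\\crash C:\\fuzz\\notemp" )

    print "[*] File Fuzzer for V3."
    exe_path = ("C:\\Program Files\\AhnLab\\V3Lite30\\V3LMedic.exe")

    if exe_path is not None:
        fuzzer = file_fuzzer( exe_path)
        fuzzer.check_spcae()
        fuzzer.fuzz()
    else:
        # Was a bare string expression (a no-op); actually print the message.
        print "[+] Error!"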