
Tag: windows

[Fuzzing with WinAFL] Fuzzing a simple C program using WinAFL on windows
Fixing winappdbg to display symbols
I was coding a crash triage script which organises the different crash samples I got from running the fuzzer. I noticed that I was not able to see symbols in my output. I tried various things, read the winappdbg documentation and used the functions mentioned in the official documentation:
http://winappdbg.sourceforge.net/doc/v1.4/reference/winappdbg.system.SymbolOperations-class.html
But I was not successful. Finally I decided to dig through the code myself and figure out the problem. On digging through the code I landed at the module.py file in the /winappdbg/ folder. I found that the following function was responsible for getting the symbol for a given address:
    def get_symbol_at_address(self, address):
        """
        Tries to find the closest matching symbol for the given address.

        @type  address: int
        @param address: Memory address to query.

        @rtype:  None or tuple( str, int, int )
        @return: Returns a tuple consisting of:
            - Name
            - Address
            - Size (in bytes)
        Returns C{None} if no symbol could be matched.
        """
        found = None
        for (SymbolName, SymbolAddress, SymbolSize) in self.iter_symbols():
            if SymbolAddress > address:
                continue
            if SymbolAddress + SymbolSize > address:
                if not found or found[1] < SymbolAddress:
                    found = (SymbolName, SymbolAddress, SymbolSize)
        return found
Look at the check `if SymbolAddress + SymbolSize > address:` above.
This check takes the symbol's start address from the PDB file, adds the size of the symbol and compares the result with the address we want a symbol for.
If that sum is greater than the address, the address falls within the symbol's range and this is therefore the nearest symbol.
Now here's the problem. As per the MSDN documentation the symbol size can sometimes be 0, which was my case, so the check becomes:
    if SymbolAddress + 0 > address:
Since my address is always greater than SymbolAddress + 0, this function will never be able to find the symbol, so I needed to fix this.
I noticed that SymbolAddress and SymbolName were coming through correctly; it was just SymbolSize that was always 0, so I needed a way to make use of the data I did have.
After carefully analysing all the symbols, dumping them to an xls file and checking, I came up with the following logic:
1. Get all the loaded symbols into a Python dictionary, using SymbolAddress as the key.
2. Sort this dictionary by key in ascending order.
3. Iterate through the sorted list and compare each SymbolAddress with the address we want a symbol for.
4. If SymbolAddress < address then this might be the symbol we are looking for, so store it.
5. Move to the next item in the list and go back to step 4.
6. Do this until SymbolAddress > address. At the end we are left with the last SymbolAddress < address, which is the nearest symbol, and so we start getting symbols.
So I coded a new function like this and committed it to winappdbg:
    def get_symbol_from_list(self, address):
        # Fallback for PDBs that report a symbol size of 0: the size-based
        # range check can never match, so pick the nearest symbol whose
        # start address lies below the queried address.
        found = None
        SymList = {}
        for (SymbolName, SymbolAddress, SymbolSize) in self.iter_symbols():
            SymList[SymbolAddress] = SymbolName
        # Sort by address so the last entry below 'address' is the closest one.
        SortedSymList = sorted(SymList.items())
        for SymbolAddress, SymbolName in SortedSymList:
            if SymbolAddress < address:
                # Candidate; a later (higher) entry may still replace it.
                found = (SymbolName, SymbolAddress, 0)
            else:
                # Ascending order, so nothing further on can be below 'address'.
                break
        # Stays None when no symbol precedes the address.
        return found
I call this function when get_symbol_at_address is not able to find the symbol and ends up with found = None, like this:
        if found is None:
            found = self.get_symbol_from_list(address)
This solved my problem and was a good learning experience. Hope it's useful for someone.
The pull request for this was here:
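To make the two-stage lookup described above concrete, here is an added, self-contained example (not part of the original post and not winappdbg's own code). It reproduces the original size-based check for comparison, then resolves addresses against a constructed symbol table in which some records carry size 0, the way a crash triage script would turn a faulting address into "symbol+offset". The `SymbolResolver` class, the `Match` type, the `SAMPLE_SYMBOLS` table and its addresses are all assumptions invented for the example; the only thing taken from the page is the (name, address, size) triple shape that `iter_symbols()` yields.

```python
import bisect
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# (name, address, size) triples: the shape WinAppDbg's iter_symbols() yields.
Symbol = Tuple[str, int, int]


def original_lookup(symbols: Iterable[Symbol], address: int) -> Optional[Symbol]:
    """The size-based check from get_symbol_at_address(), kept for comparison."""
    found = None
    for name, start, size in symbols:
        if start > address:
            continue
        if start + size > address:  # never true when the PDB reports size 0
            if not found or found[1] < start:
                found = (name, start, size)
    return found


@dataclass(frozen=True)
class Match:
    name: str
    start: int
    offset: int     # address - start
    covered: bool   # True only when the reported size really contains the address

    def __str__(self) -> str:
        # Conventional "symbol+0xNN" rendering for a triage report line.
        return f"{self.name}+0x{self.offset:x}" if self.offset else self.name


class SymbolResolver:
    """Nearest-symbol lookup that tolerates size-0 symbols (hypothetical helper)."""

    def __init__(self, symbols: Iterable[Symbol]):
        # Sort once by start address. A list keeps duplicate addresses instead of
        # collapsing them the way a dict keyed by address would.
        self._syms: List[Symbol] = sorted(symbols, key=lambda s: s[1])
        self._starts: List[int] = [s[1] for s in self._syms]

    def resolve(self, address: int) -> Optional[Match]:
        # Last symbol whose start is <= address, found by binary search rather
        # than the linear scan in the original function. Assumes the usual
        # non-overlapping symbol layout.
        idx = bisect.bisect_right(self._starts, address) - 1
        if idx < 0:
            return None  # address lies below every known symbol
        name, start, size = self._syms[idx]
        # Stage 1 is the original range check; stage 2 is the fix from the post:
        # when size is 0 (or the address sits past the reported end) we still
        # report the nearest preceding symbol, flagged as an approximation.
        covered = bool(size) and address < start + size
        return Match(name, start, address - start, covered)


# Constructed sample table mimicking a PDB whose records have size 0.
SAMPLE_SYMBOLS: List[Symbol] = [
    ("main", 0x401000, 0x40),
    ("parse_header", 0x401040, 0),   # size 0: the case that broke the original lookup
    ("parse_body", 0x4010A0, 0),
    ("__security_check_cookie", 0x401200, 0x10),
]


def triage_line(resolver: SymbolResolver, address: int) -> str:
    """Format one faulting address the way a crash triage report would."""
    m = resolver.resolve(address)
    if m is None:
        return f"{address:#010x} <no symbol>"
    note = "" if m.covered else " (nearest symbol, size unknown)"
    return f"{address:#010x} {m}{note}"


if __name__ == "__main__":
    resolver = SymbolResolver(SAMPLE_SYMBOLS)
    for fault in (0x401010, 0x401058, 0x4010C0, 0x400000):
        print("original:", original_lookup(SAMPLE_SYMBOLS, fault))
        print("fixed:   ", triage_line(resolver, fault))
```

Running it shows the difference the post describes: `original_lookup` returns `None` for any address inside a size-0 symbol, while `SymbolResolver` still names `parse_header+0x18`, and the `covered` flag tells the triage script that the offset is relative to a symbol start rather than a verified range.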
Windows kernel debugging
You can use VirtualKD if you want to enable Windows kernel debugging. Otherwise you need to do a lot of manual configuration; this tool does that for you.
http://sysprogs.com/legacy/virtualkd/download/