[fuzzing] code coverage and execution graph
Michael Eddington
meddington at gmail.com
Wed Oct 14 23:37:14 UTC 2009
On Windows, Phoenix Framework can also be used to write a quick basic
block finder whose output can then be used to set breakpoints, etc.
Currently a free download from MS Research.
https://connect.microsoft.com/Phoenix
Also, if doing the classic breakpoint style code coverage is overly
slow, Phoenix Framework can be used to re-write the executable to add in
new code at each basic block for code coverage.
I have an example of the basic block findings code here:
http://peachfuzz.svn.sf.net/svnroot/peachfuzz/branches/Peach2.3/tools/minset/BasicBlocks
Another excellent use for code coverage with file fuzzing is to locate a
minimum set of templates to use during fuzzing. A folder up shows a
simple python program for finding minsets of files.
mike
On 10/14/2009 6:55 AM, Sergio 'shadown' Alvarez wrote:
> gera uses pydasm and follows the jxx and calls to do the disassembly,
> basically you load the .exe instead of the .pida file.
>
> On Oct 14, 2009, at 3:45 PM, Charles Miller wrote:
>
>> Does this actually work? I've never used his module, but I tried
>> writing my own CPU aided basic block coverage tool a few years ago and
>> wasn't happy with the performance (I'm assuming this is what gera's
>> module does). Then again, I'm a sucky developer.
>>
>> Charlie
>>
>>>
>>> Actually with pydbg you can use the branch gera did :), and you don't
>>> need IDA.
>>> In vtrace you have symbols access for the imports and exports. For
>>> the not exported internal functions and basic blocks you can use
>>> gera's module also. You can also use a pida file to do the same thing
>>> you do with pydbg, except that with vtrace you can target more
>>> platforms. :)
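The minset idea from the post above (keep only the template files whose combined basic-block coverage equals that of the whole corpus) as an added example in Python; this is not the Peach minset tool or any code from the thread, and the "<file> <hex addr>" coverage-log format it reads is an assumption.

```python
from typing import Dict, Iterable, List, Set
# Constructed coverage log (assumed format): one "<file> <hex addr>" line per
# basic block a template reached, e.g. as recorded by a breakpoint at each block.
SAMPLE_LOG = """
a.png 0x401000
a.png 0x401020
a.png 0x401040
b.png 0x401000
b.png 0x401020
c.png 0x401000
c.png 0x401080
c.png 0x4010a0
d.png 0x4010c0
e.png 0x401040
e.png 0x401080
e.png 0x4010c0
"""

def parse_coverage_log(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Build {file: set of basic-block addresses} from '<file> <addr>' lines."""
    coverage: Dict[str, Set[int]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, addr = line.split()
        coverage.setdefault(name, set()).add(int(addr, 16))
    return coverage

def greedy_minset(coverage: Dict[str, Set[int]]) -> List[str]:
    """Greedy set cover: each round keep the file that adds the most blocks
    not yet covered (ties broken by name for a deterministic result).
    Not guaranteed optimal, but fast and good enough to prune a corpus."""
    remaining: Set[int] = set().union(*coverage.values())
    chosen: List[str] = []
    while remaining:
        best = max(sorted(coverage), key=lambda f: len(coverage[f] & remaining))
        chosen.append(best)
        remaining -= coverage[best]
    return chosen

def covered_blocks(coverage: Dict[str, Set[int]], files: Iterable[str]) -> Set[int]:
    """Union of blocks hit by the given files, to check the minset is complete."""
    return set().union(*(coverage[f] for f in files))

if __name__ == "__main__":
    cov = parse_coverage_log(SAMPLE_LOG.splitlines())
    keep = greedy_minset(cov)
    print(f"{len(keep)} of {len(cov)} files cover all "
          f"{len(covered_blocks(cov, keep))} blocks: {keep}")
```

On the constructed log this keeps a.png, c.png and d.png and drops b.png (a strict subset of a.png) and e.png (fully covered by the other three).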