fuzz user seed

jxy-s · Sep 20, 2024 · 18020ca · 18020ca
1 parent 79fc16b
commit 18020ca
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/vfdynf/dllmain.c b/vfdynf/dllmain.c
@@ -19,6 +19,7 @@ VFDYNF_PROPERTIES AVrfProperties =
     .EnableFaultMask = VFDYNF_FAULT_DEFAULT_MASK,
     .FaultProbability = 1000000,
     .FaultSeed = 0,
+    .FuzzSeed = 0,
     .FuzzCorruptionBlocks = 100,
     .FuzzChaosProbability = 250000,
     .FuzzSizeTruncateProbability = 250000,
@@ -102,6 +103,14 @@ static AVRF_PROPERTY_DESCRIPTOR AVrfpPropertyDescriptors[] =
         L"random seed.",
         NULL
     },
+    {
+        AVRF_PROPERTY_DWORD,
+        L"FuzzSeed",
+        &AVrfProperties.FuzzSeed,
+        sizeof(AVrfProperties.FuzzSeed),
+        L"Seed used for fuzz randomization. A value of zero will generate a "
+        L"random fuzzing vector.",
+    },
     {
         AVRF_PROPERTY_DWORD,
         L"FuzzCorruptionBlocks",

diff --git a/vfdynf/fuzz.c b/vfdynf/fuzz.c
@@ -34,6 +34,8 @@ typedef enum _VFDYNF_FUZZ_BUFFER_CLASS
 typedef struct _VFDYNF_FUZZ_CONTEXT
 {
     BOOLEAN Initialized;
+    ULONG ActiveSeed;
+    ULONG RtlRandomSeed;
     volatile LONG Index;
     BYTE Vector[0x4000];
     RTL_CRITICAL_SECTION CriticalSection;
@@ -48,6 +50,8 @@ static AVRF_RUN_ONCE AVrfpFuzzRunOnce = AVRF_RUN_ONCE_INIT;
 static VFDYNF_FUZZ_CONTEXT AVrfpFuzzContext =
 {
     .Initialized = FALSE,
+    .ActiveSeed = 0,
+    .RtlRandomSeed = 0,
     .Index = 0,
     .Vector = { 0 },
     .CriticalSection = { 0 },
@@ -150,6 +154,17 @@ ULONG AVrfFuzzRandom(
 {
     ULONG index;
 
+    if (AVrfProperties.FaultSeed)
+    {
+        //
+        // The user configured a specific seed to use with fuzzing, use
+        // RtlRandomEx instead of the vector we would normally generate.
+        //
+        // N.B. RtlRandomSeed is set to the FaultSeed to during initialization.
+        //
+        return RtlRandomEx(&AVrfpFuzzContext.RtlRandomSeed);
+    }
+
     if (!AVrfDelayLoadInitOnce() ||
         !AVrfRunOnce(&AVrfpFuzzRunOnce, AVrfpFuzzRunOnceRoutine, FALSE))
     {
@@ -666,6 +681,18 @@ BOOLEAN AVrfFuzzProcessAttach(
 {
     AVrfInitializeCriticalSection(&AVrfpFuzzContext.CriticalSection);
 
+    if (AVrfProperties.FuzzSeed)
+    {
+        //
+        // The user wants to use a specific seed for fuzzing instead of a
+        // completely random vector. Set ActiveSeed to record the seed that
+        // was specified by the user. RtlRandomSeed is then passed as the
+        // in/out parameter to RtlRandomEx.
+        //
+        AVrfpFuzzContext.ActiveSeed = AVrfProperties.FuzzSeed;
+        AVrfpFuzzContext.RtlRandomSeed = AVrfProperties.FuzzSeed;
+    }
+
     AVrfpFuzzContext.Initialized = TRUE;
 
     return TRUE;

diff --git a/vfdynf/vfdynf.h b/vfdynf/vfdynf.h
@@ -208,6 +208,7 @@ typedef struct _VFDYNF_PROPERTIES
     ULONG64 EnableFaultMask;
     ULONG FaultProbability;
     ULONG FaultSeed;
+    ULONG FuzzSeed;
     ULONG FuzzCorruptionBlocks;
     ULONG FuzzChaosProbability;
     ULONG FuzzSizeTruncateProbability;