Why NaFl?
- NaFl means, sarcastically, "It is totally Not AFL"
- NOTE: when I say AFL, I mean AFL v0.1 alpha ;)
What is it?
It is a prototype of a code-coverage-guided fuzzer. I wanted to have something like AFL to use on Windows. Unfortunately everything looked very *NIX-centric (as far as I know), so I decided to implement the core principles from the ground up (and learned something on the way).
It leverages dynamic binary instrumentation (DBI) to measure code coverage in black-box Windows binaries.
- "Fun" fact: adding Intel PIN support to AFL was actually my original research project, but mothran beat me to it; see his (her?) fantastic work here
- NaFl can be thought of as this, plus a Python core implementing simple fuzzing logic
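To make that "simple fuzzing logic" concrete, here is an added example (not NaFl's own code) of the coverage-guided loop in Python. The victim, its block ids, the edge bookkeeping and the mutators are all constructed stand-ins: the block ids the toy parser appends to a trace play the role of the basic-block addresses the PinTool would report for a real binary. The loop keeps a mutation only when it reaches an edge nobody has seen before, and files it as a crash when the victim throws while doing so.

```python
"""Coverage-guided fuzzing loop in the spirit of the core NaFl implements.

Added example, not the project's code. The victim below is a constructed
stand-in for an instrumented binary: each "basic block" appends its id to a
trace, which plays the role of the block addresses a PinTool would report."""
import random


def victim(data: bytes, trace: list) -> None:
    """Constructed toy parser: expects b"NF", a version byte and a length byte."""
    trace.append(0x1000)
    if len(data) < 4:
        trace.append(0x1010)          # too short
        return
    if data[0] != ord("N"):
        trace.append(0x1020)          # bad magic, first byte
        return
    trace.append(0x1030)
    if data[1] != ord("F"):
        trace.append(0x1040)          # bad magic, second byte
        return
    trace.append(0x1050)
    if data[2] == 0x01:
        trace.append(0x1060)          # version 1 record
    else:
        trace.append(0x1070)          # any other version
    if data[3] > 0x80:
        trace.append(0x1080)          # oversized length field
        if data[2] == 0x01:
            raise ValueError("simulated crash: v1 record with oversized length")


def edges_of(trace):
    """AFL counts (prev_block, cur_block) edges rather than single blocks."""
    return set(zip(trace, trace[1:]))


def run(data):
    """Execute the stand-in target once and return (edges, crashed)."""
    trace = []
    try:
        victim(data, trace)
        return edges_of(trace), False
    except ValueError:
        return edges_of(trace), True


def mutate(data, rng):
    """Havoc-style mutators: bit flip, byte replace, insert, delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed, havoc_iters=2000, rng_seed=0):
    """Return (queue, crashes, edges): inputs kept because they reached new
    edges, inputs that crashed while reaching new edges, and all edges seen."""
    rng = random.Random(rng_seed)
    queue, crashes = [seed], []
    global_edges = run(seed)[0]

    def consider(child):
        edges, crashed = run(child)
        new = edges - global_edges
        if not new:
            return                    # nothing new: discard the mutation
        global_edges.update(new)
        (crashes if crashed else queue).append(child)

    i = 0
    while i < len(queue):             # the queue grows while we walk it
        parent = queue[i]
        i += 1
        # Deterministic stage: walk every byte through all 256 values.
        for pos in range(len(parent)):
            for value in range(256):
                child = bytearray(parent)
                child[pos] = value
                consider(bytes(child))
        # Havoc stage: random mutations of the same parent.
        for _ in range(havoc_iters):
            consider(mutate(parent, rng))
    return queue, crashes, global_edges


if __name__ == "__main__":
    q, c, e = fuzz(b"AAAA")
    print(f"{len(q)} queue entries, {len(c)} crashes, {len(e)} edges")
    for item in c:
        print("crash:", item)
```

Starting from b"AAAA", the deterministic byte walk alone finds the magic bytes one at a time (each one opens a new edge, so each partial match is kept and walked in turn) and ends up with the crashing input; the havoc stage then finds the paths that only a length change can reach, such as the "too short" block.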
Why does the code suck so much?
- Don't let physicists do computer science. Or anything else for that matter :)
NaFl is written in Python (the fuzzing core) and C/C++ (the DBI part, i.e. the PinTool). Most of the installation is straightforward:
Clone the project
There are two major directories:
- NaFlCore: nothing to do here at installation time
- PinTool: contains a single file, "MyPinTool.cpp"
  - Compiling your own PinTool is kind of a pain, so most of the people I know use this little trick:
    - cd to Pin_directory\source\tools\MyPinTool
    - Overwrite the MyPinTool.cpp file there with yours
    - Open the project in Visual Studio (I used VS Community 2013, which I strongly recommend)
    - Build the project
      - NOTE: if you get errors complaining about SafeSEH, just deactivate it in the linker options:
        - Right click -> Properties -> Configuration Properties -> Linker -> All Options
        - Search for "Image Has Safe Exception Handlers" and set it to "No (/SAFESEH:NO)"
    - Move the resulting DLL to a directory of your choice (you can rename it as well)
That should do it.
These Python modules are part of the client's core:
- WinAppDbg (pip install winappdbg)
  - This is awesome sauce, check it out here
- SQLAlchemy (pip install sqlalchemy)
The following Python modules are needed for the server:
- Tornado (pip install tornado)
- Twisted (pip install twisted)
Once everything is installed, running is pretty straightforward.
Run the server for collecting information and crash files
- python server\xmlrpc-server.py
Edit the config file
- Location of PIN and the corresponding PinTool
- Location of the victim binary to analyze
Run the core
- python NaFlCore.py
SO MANY…
Plugin system
- Pre- and post-processing of the mutation
  - Unzip / zip for formats like DOCX and the like
  - Decrypt / encrypt...
  - etc.
Static analysis of the victim binary itself
- Cannibalize strings
- Check proximity to str(n)cmp and the like…
- Maybe implement in JARVIS?
Analysis of the samples
- Find high-entropy regions (uninteresting)
- Find ASCII regions
- Compare samples to find fixed tokens (PNG, etc.)
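The three sample checks sketched above are simple enough to show in full, so here is an added example (not NaFl's code, and nothing the project ships) of how they could be implemented in Python. The PNG-like samples are constructed for the demonstration; the entropy threshold, window size and minimum token length are assumptions.

```python
"""Sample-analysis helpers of the kind the TODO list sketches: flag
high-entropy regions (compressed or encrypted data, not worth mutating
byte by byte), find printable ASCII runs, and compare several samples to
recover fixed tokens such as magic values and chunk names.

Added example, not the project's code; the PNG-like samples are constructed."""
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte; 0.0 for a constant run, up to 8.0."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_regions(data, window=32, ratio=0.95):
    """Non-overlapping windows whose entropy reaches `ratio` of the maximum
    possible for that window size; adjacent high windows are merged into
    (start, end) spans. Window size and ratio are assumed defaults."""
    max_entropy = math.log2(min(window, 256))
    regions = []
    for start in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[start:start + window]) >= ratio * max_entropy:
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], start + window)
            else:
                regions.append((start, start + window))
    return regions


def _runs(length, keep, min_len):
    """Maximal runs of positions where keep(pos) holds, as (start, end)."""
    runs, start = [], None
    for pos in range(length + 1):
        hit = pos < length and keep(pos)
        if hit and start is None:
            start = pos
        elif not hit and start is not None:
            if pos - start >= min_len:
                runs.append((start, pos))
            start = None
    return runs


def ascii_regions(data, min_len=4):
    """Printable ASCII runs as (offset, bytes)."""
    return [(s, data[s:e]) for s, e in
            _runs(len(data), lambda p: 0x20 <= data[p] <= 0x7E, min_len)]


def fixed_tokens(samples, min_len=4):
    """Byte runs at which every sample agrees, as (offset, bytes)."""
    n = min(len(s) for s in samples)

    def same(pos):
        return all(s[pos] == samples[0][pos] for s in samples)

    return [(s, samples[0][s:e]) for s, e in _runs(n, same, min_len)]


def make_sample(i: int) -> bytes:
    """Constructed PNG-like sample: fixed signature and chunk names, a width
    field and comment that vary with i, and a 64-byte pseudo-random blob."""
    header = (b"\x89PNG\r\n\x1a\n" + b"IHDR" + (100 + i).to_bytes(4, "big")
              + b"\x00" * 8 + b"tEXtComment: sample number " + str(i).encode()
              + b"\x00" * 8 + b"IDAT")
    blob = bytes((7 * i + 13 * k) % 256 for k in range(64))  # all distinct
    return header + blob + b"IEND"


if __name__ == "__main__":
    samples = [make_sample(i) for i in range(3)]
    print("high-entropy:", entropy_regions(samples[0]))
    print("ascii:", ascii_regions(samples[0]))
    print("fixed tokens:", fixed_tokens(samples))
```

On the constructed samples the blob comes back as the single high-entropy span, the signature plus chunk names come back as fixed tokens, and the comment is recovered as an ASCII run; a real fuzzer would feed the fixed tokens to the mutator as things to keep intact and skip the high-entropy span when flipping bytes.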
Regularly evaluate the quality of mutations in the queue
- Remove ones not yielding anything interesting in a long time?
- Trim mutations?
This was done during my work time and therefore paid for by my current employer, Siemens AG.
Yes, we do more than washing machines! ;)
Thanks for allowing this public release.